Use this project to set up Red Hat® OpenShift Container Platform 3.11 on IBM Cloud, using Terraform.

Deployment of 'OpenShift Container Platform on IBM Cloud' is divided into separate steps:

- Step 1: Provision the infrastructure on IBM Cloud. Use Terraform to provision the compute, storage, network, load balancer and IAM resources on IBM Cloud Infrastructure.
- Step 2: Deploy OpenShift Container Platform on IBM Cloud. OpenShift Container Platform is installed with the Ansible playbooks from the https://github.com/openshift/openshift-ansible project. During this phase the router and registry are deployed.
- Step 3: Post-deployment activities. Validate the deployment.
The following figure illustrates the deployment architecture for the 'OpenShift Container Platform on IBM Cloud'.
Prerequisites:

- An IBM Cloud account (used to provision resources on IBM Cloud Infrastructure, formerly SoftLayer).
- A Red Hat account with a developer subscription. To get a developer subscription, sign up for an account at https://www.redhat.com/en . Check your subscription at https://access.redhat.com/management/subscriptions
- A custom domain; get one from IBM Cloud, GoDaddy, or Cloudflare.
Clone the IBM Terraform OpenShift repo:

```bash
# Clone the repo
$ git clone https://github.ibm.com/icp-ap/terraform-ibm-openshift-modified
$ cd terraform-ibm-openshift-modified/
```

Generate the private and public key pair that is required to provision the virtual machines in SoftLayer (put the private key at ~/.ssh/id_rsa). Follow the instructions here to generate an SSH key pair.
Rename terraform.tfvars.example to terraform.tfvars.

Fill in the values for all the variables inside terraform.tfvars:

```hcl
ibm_sl_username = ""        # Use your IBM Classic Infrastructure account username (under IAM)
ibm_sl_api_key = ""         # Use your IBM Classic Infrastructure account API key (under IAM)
datacenter = "sng01"        # Use one of the SoftLayer data center codes
oreg_auth_user="<>"         # Use the Red Hat developer subscription username
oreg_auth_password="<>"     # Use the Red Hat developer subscription password
docker_auth_user="<>"       # Create an account at https://www.docker.com/ and use the Docker account username
docker_auth_password="<>"   # Create an account at https://www.docker.com/ and use the Docker account password
quay_auth_user="<>"         # Create an account at quay.io and use your account username here
quay_auth_password="<>"     # Create an account at quay.io and use your account password here
rhn_username="<>"           # Use the Red Hat developer subscription username
rhn_password="<>"           # Use the Red Hat developer subscription password
hostname_prefix="dc-06-Dec" # The hostname prefix you wish to have
vm_domain="ocp-cloud.com"   # Must match the FQDN in your domain name service
storage_count=3             # The number of storage nodes, minimum is 3
# The three paths below use the baseurl format of a yum repo file. Change them to your own media server where you put the OCP rpms.
path_to_rpms_at_media_server="http://10.66.216.183/repos/ppa/rhel-7-server-ansible-2.6-rpms/"
path_to_ansible_rpms_at_media_server="http://10.66.216.183/repos/ppa/rhel-7-server-ansible-2.6-rpms/"
path_to_ose_rpms_at_media_server="http://10.66.216.183/repos/ppa/rhel-7-server-ose-3.11-rpms/"
```
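As an added pre-flight check (my own script, not part of this project), the following reads terraform.tfvars and reports variables that are still empty or left at the "<>" placeholder. Because the file holds IBM Cloud, Red Hat, Docker Hub and quay.io credentials it also requires owner-only permissions and a .gitignore entry; the variable names are the ones listed above.

```shell
#!/bin/sh
# Pre-flight check for terraform.tfvars before `make infrastructure`.
# REQUIRED_VARS is the variable list from this README's terraform.tfvars.
REQUIRED_VARS="ibm_sl_username ibm_sl_api_key datacenter oreg_auth_user oreg_auth_password
docker_auth_user docker_auth_password quay_auth_user quay_auth_password rhn_username
rhn_password hostname_prefix vm_domain storage_count path_to_rpms_at_media_server
path_to_ansible_rpms_at_media_server path_to_ose_rpms_at_media_server"

# tfvar_value FILE NAME: print NAME's value with surrounding quotes and the
# trailing "# comment" removed (values containing '#' are not expected here)
tfvar_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//'
}

# check_tfvars FILE: print every problem found; return 0 only when there is none
check_tfvars() {
  file=$1; rc=0
  for v in $REQUIRED_VARS; do
    if ! grep -q "^[[:space:]]*$v[[:space:]]*=" "$file"; then
      echo "missing: $v"; rc=1; continue
    fi
    case "$(tfvar_value "$file" "$v")" in
      ""|"<>") echo "unset: $v"; rc=1 ;;
    esac
  done
  # credentials live in this file: it must not be readable by other users
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")   # GNU stat, then BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "mode $mode on $file: run chmod 600 $file"; rc=1 ;;
  esac
  # and it must never be committed alongside the .tf files
  dir=$(dirname "$file")
  if ! grep -qxF 'terraform.tfvars' "$dir/.gitignore" 2>/dev/null; then
    echo "terraform.tfvars is not listed in $dir/.gitignore"; rc=1
  fi
  return $rc
}

# Usage: sh check_tfvars.sh path/to/terraform.tfvars
if [ "$#" -gt 0 ]; then check_tfvars "$1"; fi
```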
Update the variables.tf file as needed.

Provision the infrastructure using the following command:

```bash
$ make infrastructure
```

Please provide the SoftLayer username, password and SSH public key to proceed. In this version, the following infrastructure elements are provisioned for OpenShift (as illustrated in the picture):

- Bastion node
- Master node
- Infra node
- App node
- Storage node (if enabled for the GlusterFS configuration)
- Security groups for these nodes

On successful completion, you will see the following message:

```
...
Apply complete! Resources: 63 added, 0 changed, 0 destroyed.
```
Install the repos and images by running:

```bash
$ make rhnregister
```

This step registers the nodes to the Red Hat® Network.

To install OpenShift on the cluster, run:

```bash
$ make openshift
```

This step includes the following:

- Prepare the master, infra and app nodes before installing OpenShift
- Finally, install OpenShift Container Platform v3 using the installation procedure described here.

Once the setup is complete, run:

```bash
$ open https://$(terraform output master_public_ip):8443/console
```

Note: add an entry mapping the master's IP to its hostname in /etc/hosts.

This figure illustrates the 'Red Hat OpenShift Console'.

To log in to the admin console, use the following credentials:

- Username: admin
- Password: test123
Log in to the master node:

```bash
$ ssh -t -A root@$(terraform output master_public_ip)
```

The default project is in use and the core infrastructure components (router etc.) are available.

Log in to the OpenShift client by running:

```bash
$ oc login https://$(terraform output master_public_ip):8443
```

Provide the username admin and the password test123 to log in to the OpenShift client.

Create a new project:

```bash
$ oc new-project test
```

Deploy the app:

```bash
$ oc new-app --name=nginx --docker-image=bitnami/nginx
```

Expose the service:

```bash
$ oc expose svc/nginx
```

Edit the service to use a NodePort by changing its type to NodePort:

```bash
$ oc edit svc/nginx
```

Find the route of the deployed application:

```bash
$ oc get routes
```

Take the HOST/PORT value from the output of that command and access the deployed application at http://{HOST/PORT}.

Bring down the OpenShift cluster by running:

```bash
$ make destroy
```

[Work in Progress]
References:

- https://github.com/dwmkerr/terraform-aws-openshift - Inspiration for this project
- https://github.com/ibm-cloud/terraform-provider-ibm - Terraform Provider for IBM Cloud
- https://certbot.eff.org/lets-encrypt/osx-other.html
- https://www.ibm.com/cloud/blog/secure-apps-on-ibm-cloud-with-wildcard-certificates

Obtaining a wildcard certificate from Let's Encrypt with certbot:

```bash
# Use this to run Let's Encrypt (certbot)
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly --manual
# The program will ask you a few questions.
# Example session:
```
```
[root@dc-06-dec-d9fccc1737-bastion certbot]# ./certbot-auto certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.ocp-cloud.com
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for ocp-cloud.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.ocp-cloud.com with the following value:
8e1-XMPNYy3U9YrszbLxoJibIrYXgWAQJ_Xap1IFtCc
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ocp-cloud.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ocp-cloud.com/privkey.pem
Your cert will expire on 2020-03-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
You will need to create the `_acme-challenge` TXT record with the value certbot printed in your domain's DNS zone (the cloud DNS for your domain) before pressing Enter.

- Use this tool to validate the DNS update (TXT and A records): https://toolbox.googleapps.com/apps/dig/#TXT/
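As an added helper for the manual dns-01 step above (my own script, not part of certbot or this project), this polls the domain's authoritative name server with dig until the `_acme-challenge` TXT record carries the token certbot printed, so Enter is only pressed once the record is really visible. It assumes dig is installed (bind-utils on RHEL 7).

```shell
#!/bin/sh
# Wait for the certbot dns-01 TXT record to be visible before continuing.

# txt_has_value DIG_OUTPUT TOKEN: DIG_OUTPUT is the output of `dig +short TXT`
# (one quoted string per record); succeeds when one record equals TOKEN exactly.
txt_has_value() {
  printf '%s\n' "$1" | tr -d '"' | grep -qxF "$2"
}

# challenge_deployed DOMAIN TOKEN: query an authoritative name server of DOMAIN
# directly, so a cached (stale or empty) answer from the local resolver cannot
# make the check pass or fail wrongly.
challenge_deployed() {
  ns=$(dig +short NS "$1" | head -n 1)
  [ -n "$ns" ] || { echo "no NS record found for $1" >&2; return 1; }
  txt_has_value "$(dig +short TXT "_acme-challenge.$1" "@$ns")" "$2"
}

# wait_for_challenge DOMAIN TOKEN [TIMEOUT_SECONDS]: poll every 10 seconds
wait_for_challenge() {
  left=${3:-300}
  while [ "$left" -gt 0 ]; do
    if challenge_deployed "$1" "$2"; then
      echo "_acme-challenge.$1 has the expected value"; return 0
    fi
    sleep 10; left=$((left - 10))
  done
  echo "timed out waiting for _acme-challenge.$1" >&2
  return 1
}

# Usage, with the domain and token from the certbot session above:
#   sh wait_for_challenge.sh ocp-cloud.com 8e1-XMPNYy3U9YrszbLxoJibIrYXgWAQJ_Xap1IFtCc
if [ "$#" -eq 2 ]; then wait_for_challenge "$1" "$2"; fi
```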
Further reading on Let's Encrypt certificates for OpenShift:

- https://blog.openshift.com/requesting-and-installing-lets-encrypt-certificates-for-openshift-4/
- https://www.redpill-linpro.com/sysadvent/2017/12/15/letsencrypt-on-openshift.html
Requesting a certificate

We can now request a certificate from Let's Encrypt by using:

```bash
certbot certonly --standalone --preferred-challenges http --http-01-port 8080 --http-01-address 127.0.0.1 -m [email protected] -d ocp.example.com
```

If everything is configured correctly, you end up with a private key and the certificates under /etc/letsencrypt/live/ocp.example.com/:

```
/etc/letsencrypt/live/ocp.example.com/cert.pem
/etc/letsencrypt/live/ocp.example.com/privkey.pem
/etc/letsencrypt/live/ocp.example.com/chain.pem
/etc/letsencrypt/live/ocp.example.com/fullchain.pem
```
Certificate used by the OpenShift API

We can now proceed to install and use the certificate from Let's Encrypt for the OpenShift API. This is done by adding the following to your Ansible inventory file for OpenShift:

```ini
openshift_master_named_certificates=[{"certfile":"/etc/letsencrypt/live/ocp.example.com/fullchain.pem","keyfile":"/etc/letsencrypt/live/ocp.example.com/privkey.pem"}]
openshift_master_overwrite_named_certificates=true
```

In our context (certificate issued for ocp-cloud.com):

```ini
openshift_master_named_certificates=[{"certfile":"/etc/letsencrypt/live/ocp-cloud.com/fullchain.pem","keyfile":"/etc/letsencrypt/live/ocp-cloud.com/privkey.pem"}]
openshift_master_overwrite_named_certificates=true
```

In our context, with the files placed under /root/ocp-cloud.com:

```ini
openshift_master_named_certificates=[{"certfile":"/root/ocp-cloud.com/fullchain.pem","keyfile":"/root/ocp-cloud.com/privkey.pem"}]
openshift_master_overwrite_named_certificates=true
```

When you need to configure the router certificate too, follow https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/configuring_clusters/install-config-certificate-customization :

```ini
openshift_master_named_certificates=[{"certfile":"/root/ocp-cloud.com/fullchain.pem","keyfile":"/root/ocp-cloud.com/privkey.pem"}]
openshift_hosted_router_certificate={"certfile": "/root/ocp-cloud.com/fullchain.pem", "keyfile": "/root/ocp-cloud.com/privkey.pem"}
openshift_master_overwrite_named_certificates=true
```
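Before pointing openshift_master_named_certificates and openshift_hosted_router_certificate at the files and running the playbook, it is worth confirming the PEM pair is consistent. This added shell check (my own, not from the project or the Red Hat docs) verifies that the key matches the certificate, that the certificate's SAN list covers the name you will serve (for example *.ocp-cloud.com), and how many days remain before expiry; it uses only openssl subcommands available on RHEL 7.

```shell
#!/bin/sh
# Pre-flight for the named certificate used by the masters and the router.
#   cert_key_match CERT KEY : public key in CERT equals the one derived from KEY
#   cert_covers CERT NAME   : NAME appears literally in CERT's SAN list
#   cert_days_left CERT     : prints whole days until notAfter
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
cert_covers() {
  # -text works on OpenSSL 1.0.2 (RHEL 7); the SAN line follows the header line
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -qxF "$2"
}
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_s=$(date -u -d "$end" +%s 2>/dev/null || date -j -u -f "%b %e %T %Y %Z" "$end" +%s)
  echo $(( (end_s - $(date -u +%s)) / 86400 ))
}
# check_named_cert CERT KEY NAME: all three checks; fails with less than 14 days left
check_named_cert() {
  cert_key_match "$1" "$2" || { echo "cert/key mismatch: $1 $2" >&2; return 1; }
  cert_covers "$1" "$3" || { echo "$1 does not cover $3" >&2; return 1; }
  d=$(cert_days_left "$1")
  [ "$d" -gt 14 ] || { echo "$1 expires in $d days, renew first" >&2; return 1; }
  echo "OK: $1 covers $3 and is valid for $d more days"
}
# Usage: sh check_named_cert.sh /root/ocp-cloud.com/fullchain.pem /root/ocp-cloud.com/privkey.pem '*.ocp-cloud.com'
if [ "$#" -eq 3 ]; then check_named_cert "$1" "$2" "$3"; fi
```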
Then (re-)run the Ansible playbook to configure OpenShift, thereby installing the named certificate on your masters:

```bash
ansible-playbook -i /root/inventory.cfg \
  /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-openshift-ca.yml
```

- Conclusion: failed; faced this issue: "Volume heketidbstorage is not ready while upgrading OpenShift". Solution: https://access.redhat.com/solutions/3683031

```bash
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/config.yml
```

After this, you should no longer receive any warnings about an unknown certificate authority within your web browser or from the oc command line interface.