This documentation is for a release that is no longer maintained
Chapter 7. Installing on Azure Stack Hub
7.1. Preparing to install on Azure Stack Hub
7.1.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You have installed Azure Stack Hub version 2008 or later.
7.1.2. Requirements for installing OpenShift Container Platform on Azure Stack Hub
Before installing OpenShift Container Platform on Microsoft Azure Stack Hub, you must configure an Azure account.
See Configuring an Azure Stack Hub account for details about account configuration, account limits, DNS zone configuration, required roles, and creating service principals.
7.1.3. Choosing a method to install OpenShift Container Platform on Azure Stack Hub
You can install OpenShift Container Platform on installer-provisioned or user-provisioned infrastructure. The default installation type uses installer-provisioned infrastructure, where the installation program provisions the underlying infrastructure for the cluster. You can also install OpenShift Container Platform on infrastructure that you provision. If you do not use infrastructure that the installation program provisions, you must manage and maintain the cluster resources yourself.
See Installation process for more information about installer-provisioned and user-provisioned installation processes.
7.1.3.1. Installing a cluster on installer-provisioned infrastructure
You can install a cluster on Azure Stack Hub infrastructure that is provisioned by the OpenShift Container Platform installation program, by using the following method:
- Installing a cluster on Azure Stack Hub with an installer-provisioned infrastructure: You can install OpenShift Container Platform on Azure Stack Hub infrastructure that is provisioned by the OpenShift Container Platform installation program.
7.1.3.2. Installing a cluster on user-provisioned infrastructure
You can install a cluster on Azure Stack Hub infrastructure that you provision, by using the following method:
- Installing a cluster on Azure Stack Hub using ARM templates: You can install OpenShift Container Platform on Azure Stack Hub by using infrastructure that you provide. You can use the provided Azure Resource Manager (ARM) templates to assist with an installation.
7.1.4. Next steps
7.2. Configuring an Azure Stack Hub account
Before you can install OpenShift Container Platform, you must configure a Microsoft Azure account.
All Azure resources that are available through public endpoints are subject to resource name restrictions, and you cannot create resources that use certain terms. For a list of terms that Azure restricts, see Resolve reserved resource name errors in the Azure documentation.
7.2.1. Azure Stack Hub account limits
The OpenShift Container Platform cluster uses a number of Microsoft Azure Stack Hub components, and the default Quota types in Azure Stack Hub affect your ability to install OpenShift Container Platform clusters.
The following table summarizes the Azure Stack Hub components whose limits can impact your ability to install and run OpenShift Container Platform clusters.
| Component | Number of components required by default | Description |
|---|---|---|
| vCPU | 56 | A default cluster requires 56 vCPUs, so you must increase the account limit. By default, each cluster creates the following instances:  Because the bootstrap, control plane, and worker machines use  To deploy more worker nodes, enable autoscaling, deploy large workloads, or use a different instance type, you must further increase the vCPU limit for your account to ensure that your cluster can deploy the machines that you require. |
| VNet | 1 | Each default cluster requires one Virtual Network (VNet), which contains two subnets. |
| Network interfaces | 7 | Each default cluster requires seven network interfaces. If you create more machines or your deployed workloads create load balancers, your cluster uses more network interfaces. |
| Network security groups | 2 | Each cluster creates network security groups for each subnet in the VNet. The default cluster creates network security groups for the control plane and for the compute node subnets:  |
| Network load balancers | 3 | Each cluster creates the following load balancers:  If your applications create more Kubernetes  |
| Public IP addresses | 2 | The public load balancer uses a public IP address. The bootstrap machine also uses a public IP address so that you can SSH into the machine to troubleshoot issues during installation. The IP address for the bootstrap node is used only during installation. |
| Private IP addresses | 7 | The internal load balancer, each of the three control plane machines, and each of the three worker machines each use a private IP address. |
7.2.2. Configuring a DNS zone in Azure Stack Hub
To successfully install OpenShift Container Platform on Azure Stack Hub, you must create DNS records in an Azure Stack Hub DNS zone. The DNS zone must be authoritative for the domain. To delegate a registrar’s DNS zone to Azure Stack Hub, see Microsoft’s documentation for Azure Stack Hub datacenter DNS integration.
7.2.3. Required Azure Stack Hub roles
Your Microsoft Azure Stack Hub account must have the following roles for the subscription that you use:
- Owner
To set roles on the Azure portal, see the Manage access to resources in Azure Stack Hub with role-based access control in the Microsoft documentation.
7.2.4. Creating a service principal
Because OpenShift Container Platform and its installation program create Microsoft Azure resources by using the Azure Resource Manager, you must create a service principal to represent it.
Prerequisites
- Install or update the Azure CLI.
- Your Azure account has the required roles for the subscription that you use.
Procedure
- Register your environment:

  ```terminal
  $ az cloud register -n AzureStackCloud --endpoint-resource-manager <endpoint>
  ```

  Specify the Azure Resource Manager endpoint, `https://management.<region>.<fqdn>/`. See the Microsoft documentation for details.
- Set the active environment:

  ```terminal
  $ az cloud set -n AzureStackCloud
  ```
- Update your environment configuration to use the specific API version for Azure Stack Hub:

  ```terminal
  $ az cloud update --profile 2019-03-01-hybrid
  ```
- Log in to the Azure CLI:

  ```terminal
  $ az login
  ```

  If you are in a multitenant environment, you must also supply the tenant ID.
- If your Azure account uses subscriptions, ensure that you are using the right subscription:
  - View the list of available accounts and record the `tenantId` value for the subscription you want to use for your cluster:

    ```terminal
    $ az account list --refresh
    ```
  - View your active account details and confirm that the `tenantId` value matches the subscription you want to use:

    ```terminal
    $ az account show
    ```

    Ensure that the value of the `tenantId` parameter is the correct subscription ID.
  - If you are not using the right subscription, change the active subscription:

    ```terminal
    $ az account set -s <subscription_id>
    ```

    Specify the subscription ID.
  - Verify the subscription ID update:

    ```terminal
    $ az account show
    ```
- Record the `tenantId` and `id` parameter values from the output. You need these values during the OpenShift Container Platform installation.
- Create the service principal for your account:

  ```terminal
  $ az ad sp create-for-rbac --role Contributor --name <service_principal> \
      --scopes /subscriptions/<subscription_id> \
      --years <years>
  ```
- Record the values of the `appId` and `password` parameters from the previous output. You need these values during OpenShift Container Platform installation.
7.2.5. Next steps
- Install an OpenShift Container Platform cluster: - Installing a cluster quickly on Azure Stack Hub.
- Install an OpenShift Container Platform cluster on Azure Stack Hub with user-provisioned infrastructure by following Installing a cluster on Azure Stack Hub using ARM templates.
 
7.3. Installing a cluster on Azure Stack Hub with an installer-provisioned infrastructure
In OpenShift Container Platform version 4.10, you can install a cluster on Microsoft Azure Stack Hub with an installer-provisioned infrastructure. However, you must manually configure the `install-config.yaml` file to specify values that are specific to Azure Stack Hub.

Note: While you can select `azure` when using the installation program to deploy a cluster using installer-provisioned infrastructure, this option is only supported for the Azure Public Cloud.
7.3.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an Azure Stack Hub account to host the cluster.
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
- You verified that you have approximately 16 GB of local disk space. Installing the cluster requires that you download the RHCOS virtual hard disk (VHD) cluster image and upload it to your Azure Stack Hub environment so that it is accessible during deployment. Decompressing the VHD files requires this amount of local disk space.
7.3.2. Internet access for OpenShift Container Platform
In OpenShift Container Platform 4.10, you require access to the internet to install your cluster.
You must have internet access to:
- Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.
- Access Quay.io to obtain the packages that are required to install your cluster.
- Obtain the packages that are required to perform cluster updates.
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
7.3.3. Generating a key pair for cluster node SSH access
During an OpenShift Container Platform installation, you can provide an SSH public key to the installation program. The key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the `~/.ssh/authorized_keys` list for the `core` user on each node, which enables password-less authentication.

After the key is passed to the nodes, you can use the key pair to SSH in to the RHCOS nodes as the user `core`. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.

If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The `./openshift-install gather` command also requires the SSH public key to be in place on the cluster nodes.

Do not skip this procedure in production environments, where disaster recovery and debugging are required.

You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs.
Procedure
- If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:

  ```terminal
  $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name>
  ```

  Specify the path and file name, such as `~/.ssh/id_ed25519`, of the new SSH key. If you have an existing key pair, ensure your public key is in your `~/.ssh` directory.

  Note: If you plan to install an OpenShift Container Platform cluster that uses FIPS validated or Modules In Process cryptographic libraries on the `x86_64` architecture, do not create a key that uses the `ed25519` algorithm. Instead, create a key that uses the `rsa` or `ecdsa` algorithm.
- View the public SSH key:

  ```terminal
  $ cat <path>/<file_name>.pub
  ```

  For example, run the following to view the `~/.ssh/id_ed25519.pub` public key:

  ```terminal
  $ cat ~/.ssh/id_ed25519.pub
  ```
- Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the `./openshift-install gather` command.

  Note: On some distributions, default SSH private key identities such as `~/.ssh/id_rsa` and `~/.ssh/id_dsa` are managed automatically.
  - If the `ssh-agent` process is not already running for your local user, start it as a background task:

    ```terminal
    $ eval "$(ssh-agent -s)"
    ```

    Example output

    ```terminal
    Agent pid 31874
    ```

    Note: If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA.
  - Add your SSH private key to the `ssh-agent`:

    ```terminal
    $ ssh-add <path>/<file_name>
    ```

    Specify the path and file name for your SSH private key, such as `~/.ssh/id_ed25519`.

    Example output

    ```terminal
    Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
    ```
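The FIPS note above is easy to miss once a key already exists in `~/.ssh`. The following script is an added example, not part of the OpenShift documentation: it reads the key-type field of an OpenSSH public key line and reports whether the key is RSA or ECDSA (acceptable for a FIPS-mode cluster) or `ed25519` (not acceptable), so the check can run before the key is handed to the installation program. The sample key lines are constructed placeholders, not real keys; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): check whether an OpenSSH
# public key uses a key type that the FIPS guidance permits (RSA or ECDSA)
# before passing it to the installation program. The key lines below are
# constructed samples; the key material is a placeholder, not a real key.

# Return 0 if the public-key line's type field is RSA or ECDSA, 1 otherwise.
# $1: one line in .pub / authorized_keys format ("<type> <base64> [comment]").
fips_key_type_ok() {
  case "$1" in
    "ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the key type of a public-key line (its first whitespace-separated field).
key_type_of() {
  printf '%s\n' "$1" | awk '{print $1}'
}

# Check the first line of a .pub file. Prints a verdict and returns 0 when the
# key type is acceptable, 1 when it is not or the file cannot be read.
check_pub_key_file() {
  _file=$1
  [ -r "$_file" ] || { echo "cannot read $_file" >&2; return 1; }
  _line=$(head -n 1 "$_file")
  if fips_key_type_ok "$_line"; then
    echo "$_file: $(key_type_of "$_line") is acceptable for a FIPS-mode cluster"
    return 0
  fi
  echo "$_file: $(key_type_of "$_line") is not acceptable for a FIPS-mode cluster; generate an rsa or ecdsa key instead" >&2
  return 1
}

# Constructed sample key lines (placeholder key material, not real keys).
SAMPLE_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL user@example'
SAMPLE_RSA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYMATERIAL user@example'
SAMPLE_ECDSA='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER user@example'

# Stand-alone usage: check the public key file named on the command line, e.g.
#   sh check_key.sh ~/.ssh/id_rsa.pub
if [ "$#" -gt 0 ]; then
  check_pub_key_file "$1"
fi
```

The check looks only at the key-type field, which is what the FIPS note constrains; it does not judge key length, so an RSA key that is too short for your policy would still pass and should be reviewed with `ssh-keygen -l`.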
Next steps
- When you install OpenShift Container Platform, provide the SSH public key to the installation program.
7.3.4. Uploading the RHCOS cluster image
You must download the RHCOS virtual hard disk (VHD) cluster image and upload it to your Azure Stack Hub environment so that it is accessible during deployment.
Prerequisites
- Configure an Azure account.
Procedure
- Obtain the RHCOS VHD cluster image:
  - Export the URL of the RHCOS VHD to an environment variable.

    ```terminal
    $ export COMPRESSED_VHD_URL=$(openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.artifacts.azurestack.formats."vhd.gz".disk.location')
    ```
  - Download the compressed RHCOS VHD file locally.

    ```terminal
    $ curl -O -L ${COMPRESSED_VHD_URL}
    ```
- Decompress the VHD file.

  Note: The decompressed VHD file is approximately 16 GB, so be sure that your host system has 16 GB of free space available. The VHD file can be deleted once you have uploaded it.
- Upload the local VHD to the Azure Stack Hub environment, making sure that the blob is publicly available. For example, you can upload the VHD to a blob using the azcli or the web portal.
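The image uploaded here becomes the boot disk of every node, so it is worth confirming that the download matches the digest published with the installer before it goes into the blob. The script below is an added example, not part of the OpenShift documentation. It assumes that the stream JSON the page queries for `.disk.location` also carries `.disk.sha256` (digest of the compressed `vhd.gz`) and `.disk."uncompressed-sha256"` (digest of the raw VHD), as the CoreOS stream metadata format does; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): verify the SHA-256 of a
# downloaded RHCOS VHD against the digest in the installer's stream metadata
# before uploading it to Azure Stack Hub. Assumption: the stream JSON exposes
# ".disk.sha256" and ".disk.uncompressed-sha256" alongside ".disk.location".

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# Compare a file's digest with an expected digest. Returns 0 on match, 1 on
# mismatch, 2 if the file cannot be read. The expected value is lowercased
# first so a hand-copied uppercase digest still compares correctly.
verify_sha256() {
  _file=$1
  _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$_file" ] || { echo "cannot read $_file" >&2; return 2; }
  _actual=$(sha256_of "$_file")
  if [ "$_actual" = "$_expected" ]; then
    echo "$_file: sha256 OK"
    return 0
  fi
  echo "$_file: sha256 MISMATCH (expected $_expected, got $_actual); do not upload this image" >&2
  return 1
}

# Read both expected digests from the stream JSON (needs openshift-install and
# jq, as in the page's own command), verify the compressed download, decompress
# it, and verify the decompressed VHD. $1: path of the downloaded .vhd.gz file.
# Requires network tooling, so it is not exercised by the offline checks below.
verify_rhcos_vhd() {
  _stream=$(openshift-install coreos print-stream-json)
  _gz_sha=$(printf '%s' "$_stream" | jq -r '.architectures.x86_64.artifacts.azurestack.formats."vhd.gz".disk.sha256')
  _raw_sha=$(printf '%s' "$_stream" | jq -r '.architectures.x86_64.artifacts.azurestack.formats."vhd.gz".disk."uncompressed-sha256"')
  verify_sha256 "$1" "$_gz_sha" || return 1
  gunzip -k "$1"
  verify_sha256 "${1%.gz}" "$_raw_sha"
}

# Stand-alone usage: verify_vhd.sh <file> <expected_sha256>
if [ "$#" -eq 2 ]; then
  verify_sha256 "$1" "$2"
fi
```

Checking both the compressed and the decompressed digest catches a corrupted download as well as a decompression that silently truncated the 16 GB file, which is the case an upload to a publicly readable blob would otherwise propagate to every node.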
7.3.5. Obtaining the installation program
Before you install OpenShift Container Platform, download the installation file on a local computer.
Prerequisites
- You have a computer that runs Linux or macOS, with 500 MB of local disk space.
Procedure
- Access the Infrastructure Provider page on the OpenShift Cluster Manager site. If you have a Red Hat account, log in with your credentials. If you do not, create an account.
- Select Azure as the cloud provider.
- Navigate to the page for your installation type, download the installation program that corresponds with your host operating system and architecture, and place the file in the directory where you will store the installation configuration files.

  Important: The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both files are required to delete the cluster.

  Important: Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OpenShift Container Platform uninstallation procedures for your specific cloud provider.
- Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:

  ```terminal
  $ tar -xvf openshift-install-linux.tar.gz
  ```
- Download your installation pull secret from the Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
7.3.6. Manually creating the installation configuration file
When installing OpenShift Container Platform on Microsoft Azure Stack Hub, you must manually create your installation configuration file.
Prerequisites
- You have an SSH public key on your local machine to provide to the installation program. The key will be used for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in:

  ```terminal
  $ mkdir <installation_directory>
  ```

  Important: You must create a directory. Some installation assets, like bootstrap X.509 certificates, have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
- Customize the sample `install-config.yaml` file template that is provided and save it in the `<installation_directory>`.

  Note: You must name this configuration file `install-config.yaml`.

  Make the following modifications:
  - Specify the required installation parameters.
  - Update the `platform.azure` section to specify the parameters that are specific to Azure Stack Hub.
  - Optional: Update one or more of the default configuration parameters to customize the installation. For more information about the parameters, see "Installation configuration parameters".
- Back up the `install-config.yaml` file so that you can use it to install multiple clusters.

  Important: The `install-config.yaml` file is consumed during the next step of the installation process. You must back it up now.
7.3.6.1. Installation configuration parameters
Before you deploy an OpenShift Container Platform cluster, you provide a customized `install-config.yaml` installation configuration file that describes the details for your environment.

Note: After installation, you cannot modify these parameters in the `install-config.yaml` file.
7.3.6.1.1. Required configuration parameters
Required installation configuration parameters are described in the following table:
| Parameter | Description | Values |
|---|---|---|
|  | The API version for the  | String |
|  | The base domain of your cloud provider. The base domain is used to create routes to your OpenShift Container Platform cluster components. The full DNS name for your cluster is a combination of the  | A fully-qualified domain or subdomain name, such as  |
|  | Kubernetes resource  | Object |
|  | The name of the cluster. DNS records for the cluster are all subdomains of  | String of lowercase letters, hyphens ( |
|  | The configuration for the specific platform upon which to perform the installation:  | Object |
|  | Get a pull secret from the Red Hat OpenShift Cluster Manager to authenticate downloading container images for OpenShift Container Platform components from services such as Quay.io. |  |
7.3.6.1.2. Network configuration parameters
You can customize your installation configuration based on the requirements of your existing network infrastructure. For example, you can expand the IP address block for the cluster network or provide different IP address blocks than the defaults.
Only IPv4 addresses are supported.
| Parameter | Description | Values |
|---|---|---|
|  | The configuration for the cluster network. | Object. Note: You cannot modify parameters specified by the  |
|  | The cluster network provider Container Network Interface (CNI) plugin to install. | Either  |
|  | The IP address blocks for pods. The default value is  If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: `networking: {clusterNetwork: [{cidr: 10.128.0.0/14, hostPrefix: 23}]}` |
|  | Required if you use  An IPv4 network. | An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between  |
|  | The subnet prefix length to assign to each individual node. For example, if  | A subnet prefix. The default value is  |
|  | The IP address block for services. The default value is  The OpenShift SDN and OVN-Kubernetes network providers support only a single IP address block for the service network. | An array with an IP address block in CIDR format. For example: `networking: {serviceNetwork: [172.30.0.0/16]}` |
|  | The IP address blocks for machines. If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: `networking: {machineNetwork: [{cidr: 10.0.0.0/16}]}` |
|  | Required if you use  | An IP network block in CIDR notation. For example,  Note: Set the  |
7.3.6.1.3. Optional configuration parameters
Optional installation configuration parameters are described in the following table:
| Parameter | Description | Values |
|---|---|---|
|  | A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle may also be used when a proxy has been configured. | String |
|  | Enables Linux control groups version 2 (cgroups v2) on specific nodes in your cluster. The OpenShift Container Platform process for enabling cgroups v2 disables all cgroup version 1 controllers and hierarchies. The OpenShift Container Platform cgroups version 2 feature is in Developer Preview and is not supported by Red Hat at this time. |  |
|  | The configuration for the machines that comprise the compute nodes. | Array of  |
|  | Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are  | String |
|  | Whether to enable or disable simultaneous multithreading, or  Important: If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. |  |
|  | Required if you use  |  |
|  | Required if you use  |  |
|  | The number of compute machines, which are also known as worker machines, to provision. | A positive integer greater than or equal to  |
|  | The configuration for the machines that comprise the control plane. | Array of  |
|  | Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are  | String |
|  | Whether to enable or disable simultaneous multithreading, or  Important: If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. |  |
|  | Required if you use  |  |
|  | Required if you use  |  |
|  | The number of control plane machines to provision. | The only supported value is  |
|  | The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported. Note: Not all CCO modes are supported for all cloud providers. For more information on CCO modes, see the Cloud Credential Operator entry in the Cluster Operators reference content. Note: If your AWS account has service control policies (SCP) enabled, you must configure the  |  |
|  | Enable or disable FIPS mode. The default is  Important: To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Installing the system in FIPS mode. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the  Note: If you are using Azure File storage, you cannot enable FIPS mode. |  |
|  | Sources and repositories for the release-image content. | Array of objects. Includes a  |
|  | Required if you use  | String |
|  | Specify one or more repositories that may also contain the same images. | Array of strings |
|  | How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API, OpenShift routes. | Setting this field to  Important: If the value of the field is set to  |
|  | The SSH key or keys to authenticate access to your cluster machines. Note: For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your  | One or more keys. For example: `sshKey: <key1> <key2> <key3>` |
7.3.6.1.4. Additional Azure Stack Hub configuration parameters
Additional Azure configuration parameters are described in the following table:
| Parameter | Description | Values |
|---|---|---|
|  | The Azure disk size for the VM. | Integer that represents the size of the disk in GB. The default is  |
|  | Defines the type of disk. |  |
|  | The Azure disk size for the VM. | Integer that represents the size of the disk in GB. The default is  |
|  | Defines the type of disk. |  |
|  | The URL of the Azure Resource Manager endpoint that your Azure Stack Hub operator provides. | String |
|  | The name of the resource group that contains the DNS zone for your base domain. | String, for example  |
|  | The name of your Azure Stack Hub local region. | String |
|  | The name of an already existing resource group to install your cluster to. This resource group must be empty and only used for this specific cluster; the cluster components assume ownership of all resources in the resource group. If you limit the service principal scope of the installation program to this resource group, you must ensure all other resources used by the installation program in your environment have the necessary permissions, such as the public DNS zone and virtual network. Destroying the cluster by using the installation program deletes this resource group. | String, for example  |
|  | The outbound routing strategy used to connect your cluster to the internet. If you are using user-defined routing, you must have pre-existing networking available where the outbound routing has already been configured prior to installing a cluster. The installation program is not responsible for configuring user-defined routing. |  |
|  | The name of the Azure cloud environment that is used to configure the Azure SDK with the appropriate Azure API endpoints. |  |
|  | The URL of a storage blob in the Azure Stack environment that contains an RHCOS VHD. | String, for example, `https://vhdsa.blob.example.example.com/vhd/rhcos-410.84.202112040202-0-azurestack.x86_64.vhd` |
7.3.6.2. Sample customized install-config.yaml file for Azure Stack Hub
You can customize the `install-config.yaml` file to specify more details about your OpenShift Container Platform cluster's platform or modify the values of the required parameters.
This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually.
- 1, 7, 9, 11, 13, 16, 17, 19: Required.
- 2, 5: If you do not provide these parameters and values, the installation program provides the default value.
- 3: The `controlPlane` section is a single mapping, but the `compute` section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the `compute` section must begin with a hyphen, `-`, and the first line of the `controlPlane` section must not. Although both sections currently define a single machine pool, it is possible that future versions of OpenShift Container Platform will support defining multiple compute pools during installation. Only one control plane pool is used.
- 4, 6: You can specify the size of the disk to use in GB. Minimum recommendation for control plane nodes is 1024 GB.
- 8: The name of the cluster.
- 10: The Azure Resource Manager endpoint that your Azure Stack Hub operator provides.
- 12: The name of the resource group that contains the DNS zone for your base domain.
- 14: The name of your Azure Stack Hub local region.
- 15: The name of an existing resource group to install your cluster to. If undefined, a new resource group is created for the cluster.
- 18: The URL of a storage blob in the Azure Stack environment that contains an RHCOS VHD.
- 20: The pull secret required to authenticate your cluster.
- 21: Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the Red Hat Enterprise Linux CoreOS (RHCOS) machines that OpenShift Container Platform runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead. Important: To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Installing the system in FIPS mode. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the `x86_64` architecture.
- 22: You can optionally provide the `sshKey` value that you use to access the machines in your cluster. Note: For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
- 23: If the Azure Stack Hub environment is using an internal Certificate Authority (CA), adding the CA certificate is required.
7.3.7. Manually manage cloud credentials
The Cloud Credential Operator (CCO) only supports your cloud provider in manual mode. As a result, you must specify the identity and access management (IAM) secrets for your cloud provider.
Procedure
- Generate the manifests by running the following command from the directory that contains the installation program:
  $ openshift-install create manifests --dir <installation_directory>
  where <installation_directory> is the directory in which the installation program creates files.
- From the directory that contains the installation program, obtain details of the OpenShift Container Platform release image that your openshift-install binary is built to use by running the following command:
  $ openshift-install version
  Example output:
  release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
- Locate all CredentialsRequest objects in this release image that target the cloud you are deploying on by running the following command:
  $ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 \
      --credentials-requests \
      --cloud=azure
  This command creates a YAML file for each CredentialsRequest object.
- Create YAML files for secrets in the openshift-install manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the spec.secretRef for each CredentialsRequest object.
  Important: The release image includes CredentialsRequest objects for Technology Preview features that are enabled by the TechPreviewNoUpgrade feature set. You can identify these objects by their use of the release.openshift.io/feature-gate: TechPreviewNoUpgrade annotation.
  - If you are not using any of these features, do not create secrets for these objects. Creating secrets for Technology Preview features that you are not using can cause the installation to fail.
  - If you are using any of these features, you must create secrets for the corresponding objects.
  To find CredentialsRequest objects with the TechPreviewNoUpgrade annotation, run the following command:
  $ grep "release.openshift.io/feature-gate" *
  Example output:
  0000_30_capi-operator_00_credentials-request.yaml: release.openshift.io/feature-gate: TechPreviewNoUpgrade
Important: Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
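The selection and secret-generation logic of the procedure above, written out as an added example (this is not code from the OpenShift documentation or the installer). It takes the CredentialsRequest objects that the extract command writes, skips those annotated release.openshift.io/feature-gate: TechPreviewNoUpgrade unless that feature set is enabled, and emits one Secret per object at the namespace and name given by spec.secretRef. Two things are assumptions rather than page content: the objects are supplied as Python dicts (the YAML files would first be loaded with a YAML parser), and the Azure Secret data keys (azure_subscription_id, azure_client_id, azure_client_secret, azure_tenant_id, azure_resource_prefix, azure_resourcegroup, azure_region) and the 99_ file-name prefix should be checked against the sample Secret object for your release.

```python
"""Generate Secret manifests for manual-mode cloud credentials (added example)."""
import base64

FEATURE_GATE_ANNOTATION = "release.openshift.io/feature-gate"
TECH_PREVIEW_NO_UPGRADE = "TechPreviewNoUpgrade"

# Constructed sample CredentialsRequest objects: shapes only, not real release content.
SAMPLE_CREDENTIALS_REQUESTS = [
    {
        "apiVersion": "cloudcredential.openshift.io/v1",
        "kind": "CredentialsRequest",
        "metadata": {
            "name": "openshift-image-registry-azure",
            "namespace": "openshift-cloud-credential-operator",
        },
        "spec": {
            "secretRef": {"name": "installer-cloud-credentials", "namespace": "openshift-image-registry"},
        },
    },
    {
        "apiVersion": "cloudcredential.openshift.io/v1",
        "kind": "CredentialsRequest",
        "metadata": {
            "name": "openshift-cluster-api-azure",
            "namespace": "openshift-cloud-credential-operator",
            "annotations": {FEATURE_GATE_ANNOTATION: TECH_PREVIEW_NO_UPGRADE},
        },
        "spec": {
            "secretRef": {"name": "capi-azure-cloud-credentials", "namespace": "openshift-cluster-api"},
        },
    },
]

# Constructed placeholder values; real ones come from your Azure Stack Hub service principal.
# The key names are an assumption: compare them with your release's sample Secret object.
SAMPLE_AZURE_CREDENTIALS = {
    "azure_subscription_id": "<subscription_id>",
    "azure_client_id": "<client_id>",
    "azure_client_secret": "<client_secret>",
    "azure_tenant_id": "<tenant_id>",
    "azure_resource_prefix": "<cluster_infra_id>",
    "azure_resourcegroup": "<resource_group>",
    "azure_region": "<region>",
}


def is_tech_preview(cred_request):
    """True if the object carries the TechPreviewNoUpgrade feature-gate annotation."""
    annotations = cred_request.get("metadata", {}).get("annotations") or {}
    return annotations.get(FEATURE_GATE_ANNOTATION) == TECH_PREVIEW_NO_UPGRADE


def select_requests(cred_requests, tech_preview_enabled=False):
    """Drop Technology Preview objects unless that feature set is enabled on the cluster."""
    return [cr for cr in cred_requests if tech_preview_enabled or not is_tech_preview(cr)]


def build_secret(cred_request, azure_values):
    """Build the Secret a CredentialsRequest expects, placed at its spec.secretRef."""
    ref = cred_request["spec"]["secretRef"]
    data = {key: base64.b64encode(value.encode("utf-8")).decode("ascii")
            for key, value in azure_values.items()}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": ref["name"], "namespace": ref["namespace"]},
        "data": data,
    }


def render_secret_yaml(secret):
    """Render the Secret as YAML text without a third-party YAML library."""
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {secret['metadata']['name']}",
        f"  namespace: {secret['metadata']['namespace']}",
        "data:",
    ]
    lines.extend(f"  {key}: {secret['data'][key]}" for key in sorted(secret["data"]))
    return "\n".join(lines) + "\n"


def generate_manifests(cred_requests, azure_values, tech_preview_enabled=False):
    """Map a manifest file name (99_ prefix is an assumption) to the YAML Secret for each selected object."""
    manifests = {}
    for cr in select_requests(cred_requests, tech_preview_enabled):
        secret = build_secret(cr, azure_values)
        file_name = f"99_{secret['metadata']['namespace']}-{secret['metadata']['name']}-credentials.yaml"
        manifests[file_name] = render_secret_yaml(secret)
    return manifests


if __name__ == "__main__":
    for name, text in generate_manifests(SAMPLE_CREDENTIALS_REQUESTS, SAMPLE_AZURE_CREDENTIALS).items():
        print(f"# {name}\n{text}")
```

With the defaults, only the image-registry request yields a manifest; passing tech_preview_enabled=True also produces the capi-azure secret, which is exactly the object the grep in the procedure would surface.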
7.3.8. Configuring the cluster to use an internal CA
If the Azure Stack Hub environment is using an internal Certificate Authority (CA), update the cluster-proxy-01-config.yaml file to configure the cluster to use the internal CA.
Prerequisites
- Create the install-config.yaml file and specify the certificate trust bundle in .pem format.
- Create the cluster manifests.
Procedure
- From the directory in which the installation program creates files, go to the manifests directory.
- Add user-ca-bundle to the spec.trustedCA.name field.
- Optional: Back up the manifests/cluster-proxy-01-config.yaml file. The installation program consumes the manifests/ directory when you deploy the cluster.
7.3.9. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
You can run the create cluster command of the installation program only once, during initial installation.
Prerequisites
- Configure an account with the cloud platform that hosts your cluster.
- Obtain the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Change to the directory that contains the installation program and initialize the cluster deployment:
  $ ./openshift-install create cluster --dir <installation_directory> \
      --log-level=info
  Note: If the cloud provider account that you configured on your host does not have sufficient permissions to deploy the cluster, the installation process stops, and the missing permissions are displayed.
  When the cluster deployment completes, directions for accessing your cluster, including a link to its web console and credentials for the kubeadmin user, display in your terminal.
  Note: The cluster access and credential information also outputs to <installation_directory>/.openshift_install.log when an installation succeeds.
  Important:
  - The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
  - It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
  Important: You must not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
7.3.10. Installing the OpenShift CLI by downloading the binary
You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.10. Download and install the new version of oc.
Installing the OpenShift CLI on Linux
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 Linux Client entry and save the file.
- Unpack the archive:
  $ tar xvf <file>
- Place the oc binary in a directory that is on your PATH. To check your PATH, execute the following command:
  $ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
Installing the OpenShift CLI on Windows
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the oc binary to a directory that is on your PATH. To check your PATH, open the command prompt and execute the following command:
  C:\> path
After you install the OpenShift CLI, it is available using the oc command:
C:\> oc <command>
Installing the OpenShift CLI on macOS
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 MacOSX Client entry and save the file.
- Unpack and unzip the archive.
- Move the oc binary to a directory on your PATH. To check your PATH, open a terminal and execute the following command:
  $ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
7.3.11. Logging in to the cluster by using the CLI
You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- You installed the oc CLI.
Procedure
- Export the kubeadmin credentials:
  $ export KUBECONFIG=<installation_directory>/auth/kubeconfig
  For <installation_directory>, specify the path to the directory that you stored the installation files in.
- Verify you can run oc commands successfully using the exported configuration:
  $ oc whoami
  Example output:
  system:admin
7.3.12. Logging in to the cluster by using the web console
The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the kubeadmin user from the kubeadmin-password file on the installation host:
  $ cat <installation_directory>/auth/kubeadmin-password
  Note: Alternatively, you can obtain the kubeadmin password from the <installation_directory>/.openshift_install.log log file on the installation host.
- List the OpenShift Container Platform web console route:
  $ oc get routes -n openshift-console | grep 'console-openshift'
  Note: Alternatively, you can obtain the OpenShift Container Platform route from the <installation_directory>/.openshift_install.log log file on the installation host.
  Example output:
  console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None
- Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadmin user.
7.3.13. Telemetry access for OpenShift Container Platform
In OpenShift Container Platform 4.10, the Telemetry service, which runs by default to provide metrics about cluster health and the success of updates, requires internet access. If your cluster is connected to the internet, Telemetry runs automatically, and your cluster is registered to OpenShift Cluster Manager.
After you confirm that your OpenShift Cluster Manager inventory is correct, either maintained automatically by Telemetry or manually by using OpenShift Cluster Manager, use subscription watch to track your OpenShift Container Platform subscriptions at the account or multi-cluster level.
7.3.14. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can opt out of remote health reporting.
- If necessary, you can remove cloud provider credentials.
7.4. Installing a cluster on Azure Stack Hub with network customizations
In OpenShift Container Platform version 4.10, you can install a cluster with a customized network configuration on infrastructure that the installation program provisions on Azure Stack Hub. By customizing your network configuration, your cluster can coexist with existing IP address allocations in your environment and integrate with existing MTU and VXLAN configurations.
While you can select azure when using the installation program to deploy a cluster using installer-provisioned infrastructure, this option is only supported for the Azure Public Cloud.
7.4.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an Azure Stack Hub account to host the cluster.
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
- You verified that you have approximately 16 GB of local disk space. Installing the cluster requires that you download the RHCOS virtual hard disk (VHD) cluster image and upload it to your Azure Stack Hub environment so that it is accessible during deployment. Decompressing the VHD files requires this amount of local disk space.
7.4.2. Internet access for OpenShift Container Platform
In OpenShift Container Platform 4.10, you require access to the internet to install your cluster.
You must have internet access to:
- Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.
- Access Quay.io to obtain the packages that are required to install your cluster.
- Obtain the packages that are required to perform cluster updates.
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
7.4.3. Generating a key pair for cluster node SSH access
During an OpenShift Container Platform installation, you can provide an SSH public key to the installation program. The key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.
After the key is passed to the nodes, you can use the key pair to SSH in to the RHCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.
Do not skip this procedure in production environments, where disaster recovery and debugging is required.
You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs.
Procedure
- If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:
  $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name>
  Specify the path and file name, such as ~/.ssh/id_ed25519, of the new SSH key. If you have an existing key pair, ensure your public key is in your ~/.ssh directory.
  Note: If you plan to install an OpenShift Container Platform cluster that uses FIPS validated or Modules In Process cryptographic libraries on the x86_64 architecture, do not create a key that uses the ed25519 algorithm. Instead, create a key that uses the rsa or ecdsa algorithm.
- View the public SSH key:
  $ cat <path>/<file_name>.pub
  For example, run the following to view the ~/.ssh/id_ed25519.pub public key:
  $ cat ~/.ssh/id_ed25519.pub
- Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather command.
  Note: On some distributions, default SSH private key identities such as ~/.ssh/id_rsa and ~/.ssh/id_dsa are managed automatically.
  - If the ssh-agent process is not already running for your local user, start it as a background task:
    $ eval "$(ssh-agent -s)"
    Example output:
    Agent pid 31874
    Note: If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA.
- Add your SSH private key to the ssh-agent:
  $ ssh-add <path>/<file_name>
  Specify the path and file name for your SSH private key, such as ~/.ssh/id_ed25519.
  Example output:
  Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
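A pre-flight check for the FIPS caveat in the procedure above, as an added example (not code from the OpenShift documentation). It parses one OpenSSH public-key line, the output of cat <path>/<file_name>.pub, confirms that the key type declared at the start of the line matches the type embedded in the key blob, and reports whether the key is one the page permits for a FIPS-mode cluster (rsa or ecdsa, not ed25519). The sample lines are constructed with placeholder key material and are not real keys; the helper and its names are this example's own.

```python
"""Check an SSH public-key line before handing it to the installer (added example)."""
import base64
import struct

# Key types the page allows when fips: true is set (RSA or ECDSA).
FIPS_ALLOWED_KEY_TYPES = {
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def parse_public_key(line):
    """Return (key_type, comment) for an OpenSSH public-key line, validating the blob header."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    declared_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed string naming the key type (SSH wire format).
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii", errors="replace")
    if embedded_type != declared_type:
        raise ValueError(f"blob names {embedded_type!r} but line declares {declared_type!r}")
    return declared_type, " ".join(parts[2:])


def blob_matches_declared_type(line):
    """True if the line parses and its declared type agrees with the blob."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def fips_acceptable(line):
    """True if the key type is one the page permits for a FIPS-mode cluster."""
    key_type, _ = parse_public_key(line)
    return key_type in FIPS_ALLOWED_KEY_TYPES


def check_key_for_install(line, fips_mode):
    """Return a short verdict the operator can act on before running the installer."""
    key_type, comment = parse_public_key(line)
    label = comment or "no comment"
    if fips_mode and key_type not in FIPS_ALLOWED_KEY_TYPES:
        return f"reject: {key_type} key ({label}) is not allowed with fips: true"
    return f"ok: {key_type} key ({label})"


def _constructed_key_line(key_type, comment):
    """Build a syntactically valid line with placeholder material (constructed, not a real key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + b"\x00\x00\x00\x04" + b"\xde\xad\xbe\xef")
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


SAMPLE_ED25519_LINE = _constructed_key_line("ssh-ed25519", "user@host")
SAMPLE_RSA_LINE = _constructed_key_line("ssh-rsa", "user@host")
SAMPLE_ECDSA_LINE = _constructed_key_line("ecdsa-sha2-nistp256", "user@host")


if __name__ == "__main__":
    for sample in (SAMPLE_ED25519_LINE, SAMPLE_RSA_LINE, SAMPLE_ECDSA_LINE):
        print(check_key_for_install(sample, fips_mode=True))
```

Run it against the real file with check_key_for_install(open(path).read(), fips_mode=True) once you have decided on the fips value in install-config.yaml; the blob-consistency check catches a line whose first token was edited by hand to look compliant.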
Next steps
- When you install OpenShift Container Platform, provide the SSH public key to the installation program.
7.4.4. Uploading the RHCOS cluster image
You must download the RHCOS virtual hard disk (VHD) cluster image and upload it to your Azure Stack Hub environment so that it is accessible during deployment.
Prerequisites
- Configure an Azure account.
Procedure
- Obtain the RHCOS VHD cluster image:
  - Export the URL of the RHCOS VHD to an environment variable.
    $ export COMPRESSED_VHD_URL=$(openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.artifacts.azurestack.formats."vhd.gz".disk.location')
  - Download the compressed RHCOS VHD file locally.
    $ curl -O -L ${COMPRESSED_VHD_URL}
- Decompress the VHD file.
  Note: The decompressed VHD file is approximately 16 GB, so be sure that your host system has 16 GB of free space available. The VHD file can be deleted once you have uploaded it.
- Upload the local VHD to the Azure Stack Hub environment, making sure that the blob is publicly available. For example, you can upload the VHD to a blob using the azcli or the web portal.
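Because the blob you upload becomes the boot image for every node, it is worth verifying the download against the stream metadata before decompressing and uploading it. The following is an added example, not code from the OpenShift documentation: it walks the same JSON path as the jq filter above (.architectures.x86_64.artifacts.azurestack.formats."vhd.gz".disk) and hashes the file in chunks so a 16 GB image never has to fit in memory. One assumption is not taken from the page: that the disk entry carries "sha256" (for the compressed file) and "uncompressed-sha256" keys next to "location"; the page only shows "location". The stream document and the VHD payload below are constructed stand-ins, not real artifacts.

```python
"""Verify a downloaded RHCOS VHD against the CoreOS stream metadata (added example)."""
import gzip
import hashlib
import json
import os
import tempfile

# Same path the page's jq filter follows.
ARTIFACT_PATH = ("architectures", "x86_64", "artifacts", "azurestack", "formats", "vhd.gz", "disk")
CHUNK_SIZE = 1024 * 1024


def vhd_disk_entry(stream):
    """Follow the jq path from the procedure to the vhd.gz disk entry."""
    node = stream
    for key in ARTIFACT_PATH:
        node = node[key]
    return node


def _sha256_of_stream(fileobj):
    """Hash a file object in chunks so large images are not read into memory at once."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_vhd_download(disk, compressed_path):
    """Check the compressed download and its decompressed content against the stream entry."""
    with open(compressed_path, "rb") as f:
        compressed_ok = _sha256_of_stream(f) == disk["sha256"]
    with gzip.open(compressed_path, "rb") as f:
        uncompressed_ok = _sha256_of_stream(f) == disk["uncompressed-sha256"]
    return {"location": disk["location"], "compressed_ok": compressed_ok, "uncompressed_ok": uncompressed_ok}


# Constructed stand-ins for the VHD and for the JSON that
# "openshift-install coreos print-stream-json" would print (keys other than
# "location" are assumed, see the lead-in).
FAKE_VHD = b"constructed placeholder for an RHCOS VHD image\n" * 64
FAKE_VHD_GZ = gzip.compress(FAKE_VHD, mtime=0)
SAMPLE_STREAM_JSON = json.dumps({
    "architectures": {"x86_64": {"artifacts": {"azurestack": {"formats": {"vhd.gz": {"disk": {
        "location": "https://example.invalid/rhcos-placeholder-azurestack.x86_64.vhd.gz",
        "sha256": hashlib.sha256(FAKE_VHD_GZ).hexdigest(),
        "uncompressed-sha256": hashlib.sha256(FAKE_VHD).hexdigest(),
    }}}}}}}
})


def sample_location():
    """The URL the jq filter in the procedure would print for the constructed stream."""
    return vhd_disk_entry(json.loads(SAMPLE_STREAM_JSON))["location"]


def demo(tamper=False):
    """Write the sample (optionally altered) download to a temp file and verify it."""
    data = gzip.compress(FAKE_VHD + b"altered\n", mtime=0) if tamper else FAKE_VHD_GZ
    fd, path = tempfile.mkstemp(suffix=".vhd.gz")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    try:
        return verify_vhd_download(vhd_disk_entry(json.loads(SAMPLE_STREAM_JSON)), path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

For a real run, replace SAMPLE_STREAM_JSON with the output of openshift-install coreos print-stream-json and pass the path of the curl download to verify_vhd_download; refuse to upload unless both flags are true.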
7.4.5. Obtaining the installation program
Before you install OpenShift Container Platform, download the installation file on a local computer.
Prerequisites
- You have a computer that runs Linux or macOS, with 500 MB of local disk space.
Procedure
- Access the Infrastructure Provider page on the OpenShift Cluster Manager site. If you have a Red Hat account, log in with your credentials. If you do not, create an account.
- Select Azure as the cloud provider.
- Navigate to the page for your installation type, download the installation program that corresponds with your host operating system and architecture, and place the file in the directory where you will store the installation configuration files.
  Important: The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both files are required to delete the cluster.
  Important: Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OpenShift Container Platform uninstallation procedures for your specific cloud provider.
- Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
  $ tar -xvf openshift-install-linux.tar.gz
- Download your installation pull secret from the Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
7.4.6. Manually creating the installation configuration file
When installing OpenShift Container Platform on Microsoft Azure Stack Hub, you must manually create your installation configuration file.
Prerequisites
- You have an SSH public key on your local machine to provide to the installation program. The key will be used for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in:
  $ mkdir <installation_directory>
  Important: You must create a directory. Some installation assets, like bootstrap X.509 certificates, have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
- Customize the sample install-config.yaml file template that is provided and save it in the <installation_directory>.
  Note: You must name this configuration file install-config.yaml.
  Make the following modifications:
  - Specify the required installation parameters.
  - Update the platform.azure section to specify the parameters that are specific to Azure Stack Hub.
  - Optional: Update one or more of the default configuration parameters to customize the installation. For more information about the parameters, see "Installation configuration parameters".
- Back up the install-config.yaml file so that you can use it to install multiple clusters.
  Important: The install-config.yaml file is consumed during the next step of the installation process. You must back it up now.
7.4.6.1. Installation configuration parameters
Before you deploy an OpenShift Container Platform cluster, you provide a customized install-config.yaml installation configuration file that describes the details for your environment.
After installation, you cannot modify these parameters in the install-config.yaml file.
7.4.6.1.1. Required configuration parameters
Required installation configuration parameters are described in the following table:
| Parameter | Description | Values |
|---|---|---|
| | The API version for the | String |
| | The base domain of your cloud provider. The base domain is used to create routes to your OpenShift Container Platform cluster components. The full DNS name for your cluster is a combination of the | A fully-qualified domain or subdomain name, such as |
| | Kubernetes resource | Object |
| | The name of the cluster. DNS records for the cluster are all subdomains of | String of lowercase letters, hyphens ( |
| | The configuration for the specific platform upon which to perform the installation: | Object |
| | Get a pull secret from the Red Hat OpenShift Cluster Manager to authenticate downloading container images for OpenShift Container Platform components from services such as Quay.io. | |
7.4.6.1.2. Network configuration parameters
You can customize your installation configuration based on the requirements of your existing network infrastructure. For example, you can expand the IP address block for the cluster network or provide different IP address blocks than the defaults.
Only IPv4 addresses are supported.
| Parameter | Description | Values |
|---|---|---|
| | The configuration for the cluster network. | Object. Note: You cannot modify parameters specified by the |
| | The cluster network provider Container Network Interface (CNI) plugin to install. | Either |
| | The IP address blocks for pods. The default value is  If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 |
| | Required if you use  An IPv4 network. | An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between |
| | The subnet prefix length to assign to each individual node. For example, if | A subnet prefix. The default value is |
| | The IP address block for services. The default value is  The OpenShift SDN and OVN-Kubernetes network providers support only a single IP address block for the service network. | An array with an IP address block in CIDR format. For example: networking: serviceNetwork: - 172.30.0.0/16 |
| | The IP address blocks for machines. If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: networking: machineNetwork: - cidr: 10.0.0.0/16 |
| | Required if you use | An IP network block in CIDR notation. For example,  Note: Set the |
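The constraints in the table above are easy to violate by hand-editing install-config.yaml, and the installer only reports some of them at deploy time. The following is an added example, not code from the OpenShift documentation or the installer, that checks a networking mapping for the rules the table states: IPv4 only, non-overlapping clusterNetwork, serviceNetwork and machineNetwork blocks, and a hostPrefix longer than the clusterNetwork cidr prefix so per-node subnets can be carved out of it. The mappings below are constructed Python dicts mirroring the YAML; the default values are the ones the table gives.

```python
"""Check the networking section of install-config.yaml before deployment (added example)."""
import ipaddress


def _labelled_blocks(networking):
    """Yield (field, network) for every CIDR in the networking mapping."""
    for entry in networking.get("clusterNetwork", []):
        yield "clusterNetwork", ipaddress.ip_network(entry["cidr"], strict=True)
    for cidr in networking.get("serviceNetwork", []):
        yield "serviceNetwork", ipaddress.ip_network(cidr, strict=True)
    for entry in networking.get("machineNetwork", []):
        yield "machineNetwork", ipaddress.ip_network(entry["cidr"], strict=True)


def validate_networking(networking):
    """Return a list of problems; an empty list means the section passes these checks."""
    problems = []
    try:
        blocks = list(_labelled_blocks(networking))
    except ValueError as exc:  # malformed CIDR, or host bits set in the address
        return [f"invalid CIDR: {exc}"]

    # The page supports IPv4 only.
    for field, net in blocks:
        if net.version != 4:
            problems.append(f"{field} {net}: only IPv4 addresses are supported")

    # hostPrefix must leave room to split the cluster block into per-node subnets.
    for entry in networking.get("clusterNetwork", []):
        net = ipaddress.ip_network(entry["cidr"])
        host_prefix = entry.get("hostPrefix", 23)  # 23 is the documented default
        if not net.prefixlen < host_prefix <= 32:
            problems.append(
                f"clusterNetwork {net}: hostPrefix {host_prefix} must be longer than /{net.prefixlen}")

    # No two blocks, within or across fields, may overlap.
    for i, (field_a, net_a) in enumerate(blocks):
        for field_b, net_b in blocks[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                problems.append(f"{field_a} {net_a} overlaps {field_b} {net_b}")
    return problems


# Constructed sample: the table's default values.
DEFAULT_NETWORKING = {
    "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
    "serviceNetwork": ["172.30.0.0/16"],
    "machineNetwork": [{"cidr": "10.0.0.0/16"}],
}

# Constructed sample with the mistakes the checks are meant to catch:
# an IPv6 service block, a hostPrefix no longer than the pod cidr, and a
# machine block inside the pod block.
BROKEN_NETWORKING = {
    "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 14}],
    "serviceNetwork": ["fd02::/112"],
    "machineNetwork": [{"cidr": "10.130.0.0/16"}],
}


if __name__ == "__main__":
    for name, section in (("default", DEFAULT_NETWORKING), ("broken", BROKEN_NETWORKING)):
        print(name, validate_networking(section) or "ok")
```

The machineNetwork block should also match the address space of the virtual network you deploy into; that cannot be checked offline, so it is left to the operator.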
7.4.6.1.3. Optional configuration parameters
Optional installation configuration parameters are described in the following table:
| Parameter | Description | Values |
|---|---|---|
| | A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle may also be used when a proxy has been configured. | String |
| | Enables Linux control groups version 2 (cgroups v2) on specific nodes in your cluster. The OpenShift Container Platform process for enabling cgroups v2 disables all cgroup version 1 controllers and hierarchies. The OpenShift Container Platform cgroups version 2 feature is in Developer Preview and is not supported by Red Hat at this time. | |
| | The configuration for the machines that comprise the compute nodes. | Array of |
| | Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are | String |
| | Whether to enable or disable simultaneous multithreading, or Important: If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. | |
| | Required if you use | |
| | Required if you use | |
| | The number of compute machines, which are also known as worker machines, to provision. | A positive integer greater than or equal to |
| | The configuration for the machines that comprise the control plane. | Array of |
| | Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are | String |
| | Whether to enable or disable simultaneous multithreading, or Important: If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. | |
| | Required if you use | |
| | Required if you use | |
| | The number of control plane machines to provision. | The only supported value is |
| | The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported. Note: Not all CCO modes are supported for all cloud providers. For more information on CCO modes, see the Cloud Credential Operator entry in the Cluster Operators reference content. Note: If your AWS account has service control policies (SCP) enabled, you must configure the | |
| | Enable or disable FIPS mode. The default is Important: To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Installing the system in FIPS mode. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the Note: If you are using Azure File storage, you cannot enable FIPS mode. | |
| | Sources and repositories for the release-image content. | Array of objects. Includes a |
| | Required if you use | String |
| | Specify one or more repositories that may also contain the same images. | Array of strings |
| | How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API and OpenShift routes. | Setting this field to Important: If the value of the field is set to |
| | The SSH key or keys to authenticate access to your cluster machines. Note: For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your | One or more keys. For example: sshKey: <key1> <key2> <key3> |
7.4.6.1.4. Additional Azure Stack Hub configuration parameters
Additional Azure configuration parameters are described in the following table:
| Parameter | Description | Values |
|---|---|---|
| | The Azure disk size for the VM. | Integer that represents the size of the disk in GB. The default is |
| | Defines the type of disk. | |
| | The Azure disk size for the VM. | Integer that represents the size of the disk in GB. The default is |
| | Defines the type of disk. | |
| | The URL of the Azure Resource Manager endpoint that your Azure Stack Hub operator provides. | String |
| | The name of the resource group that contains the DNS zone for your base domain. | String, for example |
| | The name of your Azure Stack Hub local region. | String |
| | The name of an already existing resource group to install your cluster to. This resource group must be empty and only used for this specific cluster; the cluster components assume ownership of all resources in the resource group. If you limit the service principal scope of the installation program to this resource group, you must ensure all other resources used by the installation program in your environment have the necessary permissions, such as the public DNS zone and virtual network. Destroying the cluster by using the installation program deletes this resource group. | String, for example |
| | The outbound routing strategy used to connect your cluster to the internet. If you are using user-defined routing, you must have pre-existing networking available where the outbound routing has already been configured prior to installing a cluster. The installation program is not responsible for configuring user-defined routing. | |
| | The name of the Azure cloud environment that is used to configure the Azure SDK with the appropriate Azure API endpoints. | |
| | The URL of a storage blob in the Azure Stack environment that contains an RHCOS VHD. | String, for example, https://vhdsa.blob.example.example.com/vhd/rhcos-410.84.202112040202-0-azurestack.x86_64.vhd |
7.4.6.2. Sample customized install-config.yaml file for Azure Stack Hub
You can customize the install-config.yaml file to specify more details about your OpenShift Container Platform cluster's platform or modify the values of the required parameters.
This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually.
- 1, 7, 9, 11, 13, 16, 17, 19: Required.
- 2, 5: If you do not provide these parameters and values, the installation program provides the default value.
- 3: The controlPlane section is a single mapping, but the compute section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the compute section must begin with a hyphen, -, and the first line of the controlPlane section must not. Although both sections currently define a single machine pool, it is possible that future versions of OpenShift Container Platform will support defining multiple compute pools during installation. Only one control plane pool is used.
- 4, 6: You can specify the size of the disk to use in GB. The minimum recommendation for control plane nodes is 1024 GB.
- 8: The name of the cluster.
- 10: The Azure Resource Manager endpoint that your Azure Stack Hub operator provides.
- 12: The name of the resource group that contains the DNS zone for your base domain.
- 14: The name of your Azure Stack Hub local region.
- 15: The name of an existing resource group to install your cluster to. If undefined, a new resource group is created for the cluster.
- 18: The URL of a storage blob in the Azure Stack environment that contains an RHCOS VHD.
- 20: The pull secret required to authenticate your cluster.
- 21: Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the Red Hat Enterprise Linux CoreOS (RHCOS) machines that OpenShift Container Platform runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead. Important: To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Installing the system in FIPS mode. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the x86_64 architecture.
- 22: You can optionally provide the sshKey value that you use to access the machines in your cluster. Note: For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your ssh-agent process uses.
- 23: If the Azure Stack Hub environment is using an internal Certificate Authority (CA), adding the CA certificate is required.
7.4.7. Manually manage cloud credentials
The Cloud Credential Operator (CCO) only supports your cloud provider in manual mode. As a result, you must specify the identity and access management (IAM) secrets for your cloud provider.
Procedure
- Generate the manifests by running the following command from the directory that contains the installation program:
  $ openshift-install create manifests --dir <installation_directory>
  where <installation_directory> is the directory in which the installation program creates files.
- From the directory that contains the installation program, obtain details of the OpenShift Container Platform release image that your openshift-install binary is built to use by running the following command:
  $ openshift-install version
  Example output
  release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
- Locate all CredentialsRequest objects in this release image that target the cloud you are deploying on by running the following command:
  $ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 \
      --credentials-requests \
      --cloud=azure
  This command creates a YAML file for each CredentialsRequest object.
  Sample CredentialsRequest object
- Create YAML files for secrets in the openshift-install manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the spec.secretRef for each CredentialsRequest object.
  Sample CredentialsRequest object with secrets
  Sample Secret object
  Important: The release image includes CredentialsRequest objects for Technology Preview features that are enabled by the TechPreviewNoUpgrade feature set. You can identify these objects by their use of the release.openshift.io/feature-gate: TechPreviewNoUpgrade annotation.
  - If you are not using any of these features, do not create secrets for these objects. Creating secrets for Technology Preview features that you are not using can cause the installation to fail.
  - If you are using any of these features, you must create secrets for the corresponding objects.
  To find CredentialsRequest objects with the TechPreviewNoUpgrade annotation, run the following command:
  $ grep "release.openshift.io/feature-gate" *
  Example output
  0000_30_capi-operator_00_credentials-request.yaml: release.openshift.io/feature-gate: TechPreviewNoUpgrade
Important: Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
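The selection rule in steps 3 and 4 (one Secret per CredentialsRequest, named from spec.secretRef, and none for objects gated on TechPreviewNoUpgrade unless that feature set is enabled) is easy to get wrong by hand. The following Python script is an added example, not code from Red Hat, openshift-install or the Cloud Credential Operator: it reads constructed CredentialsRequest documents of the shape that oc adm release extract writes, applies that rule, and renders a base64-encoded Secret for each object that needs one. The Azure key names in AZURE_SECRET_KEYS, the output file naming, and the sample objects are assumptions; the minimal YAML reader handles only the nested scalar fields this task needs.

```python
"""Manual-mode CCO helper: turn extracted CredentialsRequest files into Secret
manifests. Added example for this page; not openshift-install or CCO code."""
import base64

FEATURE_GATE_ANNOTATION = "release.openshift.io/feature-gate"
TECH_PREVIEW = "TechPreviewNoUpgrade"
# Assumed key names for an Azure Stack Hub credentials Secret (the page's sample Secret is not reproduced).
AZURE_SECRET_KEYS = (
    "azure_subscription_id", "azure_client_id", "azure_client_secret", "azure_tenant_id",
    "azure_resource_prefix", "azure_resourcegroup", "azure_region",
)


def flatten_yaml_scalars(text):
    """Minimal reader for simple block-style YAML: returns {"a.b.c": "value"} for
    scalar lines under nested mappings. List items are skipped; that is enough to
    read metadata.annotations and spec.secretRef from a CredentialsRequest."""
    result, stack = {}, []  # stack holds (indent, key) of the open mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("- "):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:  # close mappings at equal or deeper indent
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            result[path] = value
        else:
            stack.append((indent, key.strip()))
    return result


def select_credentials_requests(documents, enabled_feature_sets=()):
    """Return [(namespace, name)] of the Secrets to create: every CredentialsRequest
    without a feature-gate annotation, plus gated ones whose feature set the cluster
    enables (Secrets for unused Technology Preview objects can make the install fail)."""
    selected = []
    for doc in documents:
        fields = flatten_yaml_scalars(doc)
        gate = fields.get(f"metadata.annotations.{FEATURE_GATE_ANNOTATION}")
        if gate is not None and gate not in enabled_feature_sets:
            continue
        selected.append((fields["spec.secretRef.namespace"], fields["spec.secretRef.name"]))
    return selected


def render_azure_secret(namespace, name, creds):
    """Render one Secret manifest; values under 'data' must be base64-encoded."""
    lines = ["apiVersion: v1", "kind: Secret", "metadata:",
             f"  namespace: {namespace}", f"  name: {name}", "data:"]
    for key in AZURE_SECRET_KEYS:
        lines.append(f"  {key}: {base64.b64encode(creds[key].encode()).decode()}")
    return "\n".join(lines) + "\n"


def generate_secret_manifests(documents, creds, enabled_feature_sets=()):
    """Map an (assumed) file name to the Secret manifest for each selected object."""
    return {
        f"{namespace}-{name}-secret.yaml": render_azure_secret(namespace, name, creds)
        for namespace, name in select_credentials_requests(documents, enabled_feature_sets)
    }


# Constructed sample documents, modelled on what `oc adm release extract` writes.
SAMPLE_CREDENTIALS_REQUESTS = [
    """apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: openshift-image-registry-azure
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: installer-cloud-credentials
    namespace: openshift-image-registry
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: Contributor
""",
    """apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    release.openshift.io/feature-gate: TechPreviewNoUpgrade
  name: example-techpreview-component
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: example-techpreview-credentials
    namespace: openshift-example-techpreview
""",
]
# Placeholder credential values; never commit real ones.
SAMPLE_AZURE_CREDENTIALS = {key: f"<{key}>" for key in AZURE_SECRET_KEYS}

if __name__ == "__main__":
    for filename, manifest in generate_secret_manifests(SAMPLE_CREDENTIALS_REQUESTS, SAMPLE_AZURE_CREDENTIALS).items():
        print(f"# {filename}\n{manifest}")
```

Write the returned manifests into the manifests directory generated in step 1; pass enabled_feature_sets=("TechPreviewNoUpgrade",) only on a cluster that actually enables that feature set, which is exactly the case the Important note above describes.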
7.4.8. Configuring the cluster to use an internal CA
If the Azure Stack Hub environment is using an internal Certificate Authority (CA), update the cluster-proxy-01-config.yaml file to configure the cluster to use the internal CA.
Prerequisites
- Create the install-config.yaml file and specify the certificate trust bundle in .pem format.
- Create the cluster manifests.
Procedure
- From the directory in which the installation program creates files, go to the manifests directory.
- Add user-ca-bundle to the spec.trustedCA.name field.
  Example cluster-proxy-01-config.yaml file
- Optional: Back up the manifests/cluster-proxy-01-config.yaml file. The installation program consumes the manifests/ directory when you deploy the cluster.
7.4.9. Network configuration phases
There are two phases prior to OpenShift Container Platform installation where you can customize the network configuration.
- Phase 1
- You can customize the following network-related fields in the install-config.yaml file before you create the manifest files:
  - networking.networkType
  - networking.clusterNetwork
  - networking.serviceNetwork
  - networking.machineNetwork
  For more information on these fields, refer to Installation configuration parameters.
  Note: Set the networking.machineNetwork to match the CIDR that the preferred NIC resides in.
  Important: The CIDR range 172.17.0.0/16 is reserved by libVirt. You cannot use this range or any range that overlaps with this range for any networks in your cluster.
- Phase 2
- After creating the manifest files by running openshift-install create manifests, you can define a customized Cluster Network Operator manifest with only the fields you want to modify. You can use the manifest to specify advanced network configuration.
You cannot override the values specified in phase 1 in the install-config.yaml file during phase 2. However, you can further customize the cluster network provider during phase 2.
7.4.10. Specifying advanced network configuration
You can use advanced network configuration for your cluster network provider to integrate your cluster into your existing network environment. You can specify advanced network configuration only before you install the cluster.
Customizing your network configuration by modifying the OpenShift Container Platform manifest files created by the installation program is not supported. Applying a manifest file that you create, as in the following procedure, is supported.
Prerequisites
- You have created the install-config.yaml file and completed any modifications to it.
Procedure
- Change to the directory that contains the installation program and create the manifests:
  $ ./openshift-install create manifests --dir <installation_directory>
  where <installation_directory> specifies the name of the directory that contains the install-config.yaml file for your cluster.
- Create a stub manifest file for the advanced network configuration that is named cluster-network-03-config.yml in the <installation_directory>/manifests/ directory:
  apiVersion: operator.openshift.io/v1
  kind: Network
  metadata:
    name: cluster
  spec:
- Specify the advanced network configuration for your cluster in the cluster-network-03-config.yml file, such as in the following examples:
  Specify a different VXLAN port for the OpenShift SDN network provider
  Enable IPsec for the OVN-Kubernetes network provider
- Optional: Back up the manifests/cluster-network-03-config.yml file. The installation program consumes the manifests/ directory when you create the Ignition config files.
7.4.11. Cluster Network Operator configuration
The configuration for the cluster network is specified as part of the Cluster Network Operator (CNO) configuration and stored in a custom resource (CR) object that is named cluster. The CR specifies the fields for the Network API in the operator.openshift.io API group.
The CNO configuration inherits the following fields during cluster installation from the Network API in the Network.config.openshift.io API group and these fields cannot be changed:
- clusterNetwork
- IP address pools from which pod IP addresses are allocated.
- serviceNetwork
- IP address pool for services.
- defaultNetwork.type
- Cluster network provider, such as OpenShift SDN or OVN-Kubernetes.
You can specify the cluster network provider configuration for your cluster by setting the fields for the defaultNetwork object in the CNO object named cluster.
7.4.11.1. Cluster Network Operator configuration object
The fields for the Cluster Network Operator (CNO) are described in the following table:
| Field | Type | Description |
|---|---|---|
| | | The name of the CNO object. This name is always |
| | | A list specifying the blocks of IP addresses from which pod IP addresses are allocated and the subnet prefix length assigned to each individual node in the cluster. For example: You can customize this field only in the |
| | | A block of IP addresses for services. The OpenShift SDN and OVN-Kubernetes Container Network Interface (CNI) network providers support only a single IP address block for the service network. For example: spec: serviceNetwork: - 172.30.0.0/14 You can customize this field only in the |
| | | Configures the Container Network Interface (CNI) cluster network provider for the cluster network. |
| | | The fields for this object specify the kube-proxy configuration. If you are using the OVN-Kubernetes cluster network provider, the kube-proxy configuration has no effect. |
defaultNetwork object configuration
The values for the defaultNetwork object are defined in the following table:
| Field | Type | Description |
|---|---|---|
| | | Either Note: OpenShift Container Platform uses the OpenShift SDN Container Network Interface (CNI) cluster network provider by default. |
| | | This object is only valid for the OpenShift SDN cluster network provider. |
| | | This object is only valid for the OVN-Kubernetes cluster network provider. |
Configuration for the OpenShift SDN CNI cluster network provider
The following table describes the configuration fields for the OpenShift SDN Container Network Interface (CNI) cluster network provider.
| Field | Type | Description |
|---|---|---|
| | | Configures the network isolation mode for OpenShift SDN. The default value is The values |
| | | The maximum transmission unit (MTU) for the VXLAN overlay network. This is detected automatically based on the MTU of the primary network interface. You do not normally need to override the detected MTU. If the auto-detected value is not what you expect it to be, confirm that the MTU on the primary network interface on your nodes is correct. You cannot use this option to change the MTU value of the primary network interface on the nodes. If your cluster requires different MTU values for different nodes, you must set this value to This value cannot be changed after cluster installation. |
| | | The port to use for all VXLAN packets. The default value is If you are running in a virtualized environment with existing nodes that are part of another VXLAN network, then you might be required to change this. For example, when running an OpenShift SDN overlay on top of VMware NSX-T, you must select an alternate port for the VXLAN, because both SDNs use the same default VXLAN port number. On Amazon Web Services (AWS), you can select an alternate port for the VXLAN between port |
Example OpenShift SDN configuration
Configuration for the OVN-Kubernetes CNI cluster network provider
The following table describes the configuration fields for the OVN-Kubernetes CNI cluster network provider.
| Field | Type | Description |
|---|---|---|
| | | The maximum transmission unit (MTU) for the Geneve (Generic Network Virtualization Encapsulation) overlay network. This is detected automatically based on the MTU of the primary network interface. You do not normally need to override the detected MTU. If the auto-detected value is not what you expect it to be, confirm that the MTU on the primary network interface on your nodes is correct. You cannot use this option to change the MTU value of the primary network interface on the nodes. If your cluster requires different MTU values for different nodes, you must set this value to |
| | | The port to use for all Geneve packets. The default value is |
| | | Specify an empty object to enable IPsec encryption. This value cannot be changed after cluster installation. |
| | | Specify a configuration object for customizing network policy audit logging. If unset, the default audit log settings are used. |
| | | Optional: Specify a configuration object for customizing how egress traffic is sent to the node gateway. Note: While migrating egress traffic, you can expect some disruption to workloads and service traffic until the Cluster Network Operator (CNO) successfully rolls out the changes. |
| Field | Type | Description |
|---|---|---|
| | integer | The maximum number of messages to generate every second per node. The default value is |
| | integer | The maximum size for the audit log in bytes. The default value is |
| | string | One of the following additional audit log targets: |
| | string | The syslog facility, such as |
| Field | Type | Description |
|---|---|---|
| | | Set this field to This field has an interaction with the Open vSwitch hardware offloading feature. If you set this field to |
Example OVN-Kubernetes configuration with IPSec enabled
kubeProxyConfig object configuration
The values for the kubeProxyConfig object are defined in the following table:
| Field | Type | Description |
|---|---|---|
| | | The refresh period for Note: Because of performance improvements introduced in OpenShift Container Platform 4.3 and greater, adjusting the |
| | | The minimum duration before refreshing For example: kubeProxyConfig: proxyArguments: iptables-min-sync-period: - 0s |
7.4.12. Configuring hybrid networking with OVN-Kubernetes
You can configure your cluster to use hybrid networking with OVN-Kubernetes. This allows a hybrid cluster that supports different node networking configurations. For example, this is necessary to run both Linux and Windows nodes in a cluster.
You must configure hybrid networking with OVN-Kubernetes during the installation of your cluster. You cannot switch to hybrid networking after the installation process.
Prerequisites
- You defined OVNKubernetes for the networking.networkType parameter in the install-config.yaml file. See the installation documentation for configuring OpenShift Container Platform network customizations on your chosen cloud provider for more information.
Procedure
- Change to the directory that contains the installation program and create the manifests:
  $ ./openshift-install create manifests --dir <installation_directory>
  where <installation_directory> specifies the name of the directory that contains the install-config.yaml file for your cluster.
- Create a stub manifest file for the advanced network configuration that is named cluster-network-03-config.yml in the <installation_directory>/manifests/ directory:
  where <installation_directory> specifies the directory name that contains the manifests/ directory for your cluster.
- Open the cluster-network-03-config.yml file in an editor and configure OVN-Kubernetes with hybrid networking, such as in the following example:
  Specify a hybrid networking configuration
  - 1: Specify the CIDR configuration used for nodes on the additional overlay network. The hybridClusterNetwork CIDR cannot overlap with the clusterNetwork CIDR.
  - 2: Specify a custom VXLAN port for the additional overlay network. This is required for running Windows nodes in a cluster installed on vSphere, and must not be configured for any other cloud provider. The custom port can be any open port excluding the default 4789 port. For more information on this requirement, see the Microsoft documentation on Pod-to-pod connectivity between hosts is broken.
  Note: Windows Server Long-Term Servicing Channel (LTSC): Windows Server 2019 is not supported on clusters with a custom hybridOverlayVXLANPort value because this Windows server version does not support selecting a custom VXLAN port.
- Save the cluster-network-03-config.yml file and quit the text editor.
- Optional: Back up the manifests/cluster-network-03-config.yml file. The installation program deletes the manifests/ directory when creating the cluster.
For more information on using Linux and Windows nodes in the same cluster, see Understanding Windows container workloads.
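The address-planning rules stated in Phase 1 of 7.4.9 (no overlapping blocks, nothing in 172.17.0.0/16) and in the hybrid networking callouts above (hybridClusterNetwork must not overlap clusterNetwork; a custom VXLAN port is only for vSphere and must not be the default 4789) can all be checked before you run openshift-install create manifests, when a mistake is still cheap. The following Python script is an added example, not code from Red Hat or openshift-install: it validates the networking mapping from install-config.yaml, checks a hybridOverlayConfig mapping, and renders a cluster-network-03-config.yml. The nesting under spec.defaultNetwork.ovnKubernetesConfig.hybridOverlayConfig, the platform labels ("vsphere", "azurestack") and all sample CIDRs are assumptions or constructed values.

```python
"""Pre-flight checks for the phase-1 networking fields and the OVN-Kubernetes
hybrid overlay manifest described above. Added example for this page; it is not
openshift-install code and uses only the Python standard library."""
import ipaddress
import json

LIBVIRT_RESERVED = ipaddress.ip_network("172.17.0.0/16")  # reserved by libvirt (Phase 1 note)
DEFAULT_VXLAN_PORT = 4789  # a custom hybridOverlayVXLANPort must not reuse the default


def _parse(label, cidr, problems):
    """Parse a CIDR strictly: host bits set in the address is itself a mistake."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {cidr}: {exc}")
        return None


def validate_install_config_networking(networking):
    """Return the problems found in an install-config 'networking' mapping ([] = OK):
    overlapping blocks, overlap with the libvirt range, and a hostPrefix that is not
    longer than its clusterNetwork prefix."""
    problems, blocks = [], []  # blocks: (field name, network)
    for entry in networking.get("clusterNetwork", []):
        net = _parse("clusterNetwork", entry["cidr"], problems)
        if net is None:
            continue
        blocks.append(("clusterNetwork", net))
        host_prefix = entry.get("hostPrefix")
        if host_prefix is not None and host_prefix <= net.prefixlen:
            problems.append(f"clusterNetwork {net}: hostPrefix /{host_prefix} is not longer than /{net.prefixlen}")
    for cidr in networking.get("serviceNetwork", []):
        net = _parse("serviceNetwork", cidr, problems)
        if net is not None:
            blocks.append(("serviceNetwork", net))
    for entry in networking.get("machineNetwork", []):
        net = _parse("machineNetwork", entry["cidr"], problems)
        if net is not None:
            blocks.append(("machineNetwork", net))
    for i, (name_a, net_a) in enumerate(blocks):
        if net_a.overlaps(LIBVIRT_RESERVED):
            problems.append(f"{name_a} {net_a} overlaps the libvirt-reserved range {LIBVIRT_RESERVED}")
        for name_b, net_b in blocks[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


def validate_hybrid_overlay(cluster_networks, hybrid_overlay, platform):
    """Check a hybridOverlayConfig mapping: hybridClusterNetwork must not overlap any
    clusterNetwork, and hybridOverlayVXLANPort is only valid on vSphere (the platform
    labels are this example's own) and must not be the default port."""
    problems, cluster_nets = [], []
    for entry in cluster_networks:
        net = _parse("clusterNetwork", entry["cidr"], problems)
        if net is not None:
            cluster_nets.append(net)
    for entry in hybrid_overlay.get("hybridClusterNetwork", []):
        hnet = _parse("hybridClusterNetwork", entry["cidr"], problems)
        for cnet in cluster_nets:
            if hnet is not None and hnet.overlaps(cnet):
                problems.append(f"hybridClusterNetwork {hnet} overlaps clusterNetwork {cnet}")
    port = hybrid_overlay.get("hybridOverlayVXLANPort")
    if port is not None:
        if platform != "vsphere":
            problems.append(f"hybridOverlayVXLANPort must not be set on platform {platform}")
        if port == DEFAULT_VXLAN_PORT or not 1 <= port <= 65535:
            problems.append(f"hybridOverlayVXLANPort {port} must be an open port other than {DEFAULT_VXLAN_PORT}")
    return problems


def build_hybrid_manifest(hybrid_overlay):
    """Render cluster-network-03-config.yml for hybrid networking. The nesting under
    spec.defaultNetwork.ovnKubernetesConfig.hybridOverlayConfig is assumed from the
    OVN-Kubernetes CNO API; JSON is valid YAML, so no YAML library is needed."""
    manifest = {
        "apiVersion": "operator.openshift.io/v1",
        "kind": "Network",
        "metadata": {"name": "cluster"},
        "spec": {"defaultNetwork": {"type": "OVNKubernetes",
                                    "ovnKubernetesConfig": {"hybridOverlayConfig": hybrid_overlay}}},
    }
    return json.dumps(manifest, indent=2) + "\n"


# Constructed sample values (not taken from any real cluster).
SAMPLE_NETWORKING = {
    "networkType": "OVNKubernetes",
    "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
    "serviceNetwork": ["172.30.0.0/16"],
    "machineNetwork": [{"cidr": "10.0.0.0/16"}],
}
BAD_NETWORKING = {
    "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
    "serviceNetwork": ["10.128.0.0/16"],            # overlaps clusterNetwork
    "machineNetwork": [{"cidr": "172.17.0.0/16"}],  # the libvirt-reserved range
}
SAMPLE_HYBRID = {"hybridClusterNetwork": [{"cidr": "10.132.0.0/14", "hostPrefix": 23}]}
BAD_HYBRID = {"hybridClusterNetwork": [{"cidr": "10.130.0.0/15", "hostPrefix": 23}],
              "hybridOverlayVXLANPort": DEFAULT_VXLAN_PORT}

if __name__ == "__main__":
    print(validate_install_config_networking(BAD_NETWORKING))
    print(validate_hybrid_overlay(BAD_NETWORKING["clusterNetwork"], BAD_HYBRID, "vsphere"))
    print(build_hybrid_manifest(SAMPLE_HYBRID))
```

On Azure Stack Hub, leave hybridOverlayVXLANPort out entirely, as callout 2 requires; the validator reports it as a problem for any platform label other than "vsphere". Strict CIDR parsing is deliberate: a block such as 172.30.0.0/14 has host bits set and is reported rather than silently normalised.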
7.4.13. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
You can run the create cluster command of the installation program only once, during initial installation.
Prerequisites
- Configure an account with the cloud platform that hosts your cluster.
- Obtain the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Change to the directory that contains the installation program and initialize the cluster deployment:
  $ ./openshift-install create cluster --dir <installation_directory> \
      --log-level=info
  Note: If the cloud provider account that you configured on your host does not have sufficient permissions to deploy the cluster, the installation process stops, and the missing permissions are displayed.
  When the cluster deployment completes, directions for accessing your cluster, including a link to its web console and credentials for the kubeadmin user, display in your terminal.
  Example output
  Note: The cluster access and credential information also outputs to <installation_directory>/.openshift_install.log when an installation succeeds.
  Important:
  - The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
  - It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
  Important: You must not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
7.4.14. Installing the OpenShift CLI by downloading the binary
You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.10. Download and install the new version of oc.
Installing the OpenShift CLI on Linux
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 Linux Client entry and save the file.
- Unpack the archive:
  $ tar xvf <file>
- Place the oc binary in a directory that is on your PATH. To check your PATH, execute the following command:
  $ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
Installing the OpenShift CLI on Windows
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the oc binary to a directory that is on your PATH. To check your PATH, open the command prompt and execute the following command:
  C:\> path
After you install the OpenShift CLI, it is available using the oc command:
C:\> oc <command>
Installing the OpenShift CLI on macOS
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 MacOSX Client entry and save the file.
- Unpack and unzip the archive.
- Move the oc binary to a directory on your PATH. To check your PATH, open a terminal and execute the following command:
  $ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
7.4.15. Logging in to the cluster by using the CLI
You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- You installed the oc CLI.
Procedure
- Export the kubeadmin credentials:
  $ export KUBECONFIG=<installation_directory>/auth/kubeconfig
  For <installation_directory>, specify the path to the directory that you stored the installation files in.
- Verify you can run oc commands successfully using the exported configuration:
  $ oc whoami
  Example output
  system:admin
7.4.16. Logging in to the cluster by using the web console
The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the kubeadmin user from the kubeadmin-password file on the installation host:
  $ cat <installation_directory>/auth/kubeadmin-password
  Note: Alternatively, you can obtain the kubeadmin password from the <installation_directory>/.openshift_install.log log file on the installation host.
- List the OpenShift Container Platform web console route:
  $ oc get routes -n openshift-console | grep 'console-openshift'
  Note: Alternatively, you can obtain the OpenShift Container Platform route from the <installation_directory>/.openshift_install.log log file on the installation host.
  Example output
  console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None
- Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadmin user.
7.4.17. Telemetry access for OpenShift Container Platform
In OpenShift Container Platform 4.10, the Telemetry service, which runs by default to provide metrics about cluster health and the success of updates, requires internet access. If your cluster is connected to the internet, Telemetry runs automatically, and your cluster is registered to OpenShift Cluster Manager.
After you confirm that your OpenShift Cluster Manager inventory is correct, either maintained automatically by Telemetry or manually by using OpenShift Cluster Manager, use subscription watch to track your OpenShift Container Platform subscriptions at the account or multi-cluster level.
7.4.18. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can opt out of remote health reporting.
- If necessary, you can remove cloud provider credentials.
7.5. Installing a cluster on Azure Stack Hub using ARM templates
In OpenShift Container Platform version 4.10, you can install a cluster on Microsoft Azure Stack Hub by using infrastructure that you provide.
Several Azure Resource Manager (ARM) templates are provided to assist in completing these steps or to help model your own.
The steps for performing a user-provisioned infrastructure installation are provided as an example only. Installing a cluster with infrastructure you provide requires knowledge of the cloud provider and the installation process of OpenShift Container Platform. You are also free to create the required resources through other methods; the templates are just an example.
7.5.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an Azure Stack Hub account to host the cluster.
- You downloaded the Azure CLI and installed it on your computer. See Install the Azure CLI in the Azure documentation. The documentation below was tested using version 2.28.0 of the Azure CLI. Azure CLI commands might perform differently based on the version you use.
- If you use a firewall and plan to use the Telemetry service, you configured the firewall to allow the sites that your cluster requires access to.
  Note: Be sure to also review this site list if you are configuring a proxy.
7.5.2. Internet access for OpenShift Container Platform
In OpenShift Container Platform 4.10, you require access to the internet to install your cluster.
You must have internet access to:
- Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.
- Access Quay.io to obtain the packages that are required to install your cluster.
- Obtain the packages that are required to perform cluster updates.
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
7.5.3. Configuring your Azure Stack Hub project
Before you can install OpenShift Container Platform, you must configure an Azure project to host it.
All Azure Stack Hub resources that are available through public endpoints are subject to resource name restrictions, and you cannot create resources that use certain terms. For a list of terms that Azure Stack Hub restricts, see Resolve reserved resource name errors in the Azure documentation.
7.5.3.1. Azure Stack Hub account limits
The OpenShift Container Platform cluster uses a number of Microsoft Azure Stack Hub components, and the default Quota types in Azure Stack Hub affect your ability to install OpenShift Container Platform clusters.
The following table summarizes the Azure Stack Hub components whose limits can impact your ability to install and run OpenShift Container Platform clusters.
| Component | Number of components required by default | Description |
|---|---|---|
| vCPU | 56 | A default cluster requires 56 vCPUs, so you must increase the account limit. By default, each cluster creates one bootstrap machine, three control plane machines, and three compute machines (7 machines at 8 vCPUs each). To deploy more worker nodes, enable autoscaling, deploy large workloads, or use a different instance type, you must further increase the vCPU limit for your account to ensure that your cluster can deploy the machines that you require. |
| VNet | 1 | Each default cluster requires one Virtual Network (VNet), which contains two subnets. |
| Network interfaces | 7 | Each default cluster requires seven network interfaces. If you create more machines or your deployed workloads create load balancers, your cluster uses more network interfaces. |
| Network security groups | 2 | Each cluster creates network security groups for each subnet in the VNet. The default cluster creates one network security group for the control plane subnet and one for the compute node subnet. |
| Network load balancers | 3 | Each cluster creates three load balancers, among them the public load balancer and the internal load balancer described in the IP address rows below. If your applications create more Kubernetes LoadBalancer services, your cluster uses more load balancers. |
| Public IP addresses | 2 | The public load balancer uses a public IP address. The bootstrap machine also uses a public IP address so that you can SSH into the machine to troubleshoot issues during installation. The IP address for the bootstrap node is used only during installation. |
| Private IP addresses | 7 | The internal load balancer, each of the three control plane machines, and each of the three worker machines each use a private IP address. |
7.5.3.2. Configuring a DNS zone in Azure Stack Hub
To successfully install OpenShift Container Platform on Azure Stack Hub, you must create DNS records in an Azure Stack Hub DNS zone. The DNS zone must be authoritative for the domain. To delegate a registrar’s DNS zone to Azure Stack Hub, see Microsoft’s documentation for Azure Stack Hub datacenter DNS integration.
You can view Azure’s DNS solution by visiting this example for creating DNS zones.
7.5.3.3. Certificate signing requests management
						Because your cluster has limited access to automatic machine management when you use infrastructure that you provision, you must provide a mechanism for approving cluster certificate signing requests (CSRs) after installation. The kube-controller-manager only approves the kubelet client CSRs. The machine-approver cannot guarantee the validity of a serving certificate that is requested by using kubelet credentials because it cannot confirm that the correct machine issued the request. You must determine and implement a method of verifying the validity of the kubelet serving certificate requests and approving them.
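The verification this paragraph asks for is yours to implement. The following Python script is an added example, not part of the OpenShift documentation or of the machine-approver: it takes a CertificateSigningRequest object in the shape that oc get csr -o json returns, refuses anything that is not a kubelet serving CSR from a system:node:<name> identity, and approves only when every subjectAltName in the request is contained in an operator-maintained node inventory. The inventory, the node names and addresses, and the CSR blob are constructed here for the example; the DER walker is deliberately minimal so the script runs with the standard library alone. In production, parse the request with cryptography.x509.load_pem_x509_csr instead and feed the approvals to oc adm certificate approve.

```python
"""Approve kubelet serving CSRs only when their SANs match a known node inventory.

Added example for the Azure Stack Hub UPI procedure; not part of openshift-install
or the machine-approver. Input shape follows `oc get csr -o json`.
"""
import base64
import ipaddress
import re

# Constructed inventory for this example: the DNS names and IPs each node may request
# a serving certificate for. On a real cluster this comes from the ARM templates and
# DNS records you created, never from the CSR itself.
NODE_INVENTORY = {
    "master-0": {"dns": {"master-0", "master-0.test-cluster.example.com"}, "ips": {"10.0.0.4"}},
    "worker-0": {"dns": {"worker-0", "worker-0.test-cluster.example.com"}, "ips": {"10.0.1.4"}},
}

OID_SAN = bytes.fromhex("0603551d11")  # DER TLV of OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)
KUBELET_SERVING = "kubernetes.io/kubelet-serving"


def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def san_names(csr_der):
    """Return (dns_names, ip_addresses) from the subjectAltName extension of a DER CSR.

    Minimal walker: find the SAN OID, then read the OCTET STRING wrapping the
    GeneralNames SEQUENCE. Use a full ASN.1 parser in production.
    """
    idx = csr_der.find(OID_SAN)
    if idx < 0:
        return set(), set()
    tag, value, pos = _tlv(csr_der, idx + len(OID_SAN))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the extension value
        tag, value, pos = _tlv(csr_der, pos)
    if tag != 0x04:
        return set(), set()
    _, names, _ = _tlv(value, 0)  # SEQUENCE OF GeneralName
    dns, ips, p = set(), set(), 0
    while p < len(names):
        tag, v, p = _tlv(names, p)
        if tag == 0x82:    # [2] dNSName
            dns.add(v.decode("ascii"))
        elif tag == 0x87:  # [7] iPAddress, packed bytes
            ips.add(str(ipaddress.ip_address(v)))
    return dns, ips


def approve_decision(csr):
    """Return (approve, reason) for one CertificateSigningRequest object."""
    spec = csr["spec"]
    conditions = csr.get("status", {}).get("conditions", [])
    if any(c["type"] in ("Approved", "Denied") for c in conditions):
        return False, "already decided"
    if spec.get("signerName") != KUBELET_SERVING:
        return False, "not a kubelet serving CSR"  # client CSRs are kube-controller-manager's job
    m = re.fullmatch(r"system:node:([a-z0-9.-]+)", spec.get("username", ""))
    if m is None or "system:nodes" not in spec.get("groups", []):
        return False, "requester is not a node identity"
    node = m.group(1)
    expected = NODE_INVENTORY.get(node)
    if expected is None:
        return False, f"node {node} is not in the inventory"
    pem = base64.b64decode(spec["request"]).decode("ascii")  # spec.request is base64(PEM)
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    dns, ips = san_names(der)
    if not dns and not ips:
        return False, "request carries no subjectAltName"
    if not dns <= expected["dns"] or not ips <= expected["ips"]:
        return False, f"SAN mismatch for {node}: dns={sorted(dns)} ips={sorted(ips)}"
    return True, f"SANs match inventory for {node}"


# --- constructed test input: a CSR-shaped DER blob with only a SAN extension, not a signed CSR ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_csr_object(node, dns, ips, signer=KUBELET_SERVING):
    """Build a CSR object shaped like `oc get csr -o json` for the given node and SANs."""
    names = b"".join(_der(0x82, d.encode("ascii")) for d in dns)
    names += b"".join(_der(0x87, ipaddress.ip_address(i).packed) for i in ips)
    ext = _der(0x30, OID_SAN + _der(0x04, _der(0x30, names)))
    body = _der(0x30, _der(0x30, ext))  # stand-in for CertificationRequestInfo
    pem = ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(body).decode()
           + "\n-----END CERTIFICATE REQUEST-----\n")
    return {
        "metadata": {"name": f"csr-{node}"},
        "spec": {"signerName": signer, "username": f"system:node:{node}",
                 "groups": ["system:nodes", "system:authenticated"],
                 "request": base64.b64encode(pem.encode()).decode()},
        "status": {},
    }


if __name__ == "__main__":
    for csr in (make_csr_object("worker-0", ["worker-0", "worker-0.test-cluster.example.com"], ["10.0.1.4"]),
                make_csr_object("worker-0", ["worker-0", "evil.example.com"], ["10.0.1.4"])):
        ok, why = approve_decision(csr)
        print(f"{csr['metadata']['name']}: {'approve' if ok else 'hold'} ({why})")
```

The decision deliberately returns "hold" rather than "deny" on mismatch: a kubelet that was given the wrong hostname will keep resubmitting, and a human should look at why before anything is denied. The inventory must come from what you provisioned, not from the cluster's Node objects, because a compromised kubelet can set its own addresses there.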
					
7.5.3.4. Required Azure Stack Hub roles
Your Microsoft Azure Stack Hub account must have the following roles for the subscription that you use:
- Owner
To set roles on the Azure portal, see the Manage access to resources in Azure Stack Hub with role-based access control in the Microsoft documentation.
7.5.3.5. Creating a service principal
Because OpenShift Container Platform and its installation program create Microsoft Azure resources by using the Azure Resource Manager, you must create a service principal to represent it.
Prerequisites
- Install or update the Azure CLI.
- Your Azure account has the required roles for the subscription that you use.
Procedure
- Register your environment:
  $ az cloud register -n AzureStackCloud --endpoint-resource-manager <endpoint>
  For <endpoint>, specify the Azure Resource Manager endpoint, `https://management.<region>.<fqdn>/`. See the Microsoft documentation for details.
- Set the active environment:
  $ az cloud set -n AzureStackCloud
- Update your environment configuration to use the specific API version for Azure Stack Hub:
  $ az cloud update --profile 2019-03-01-hybrid
- Log in to the Azure CLI:
  $ az login
  If you are in a multitenant environment, you must also supply the tenant ID.
- If your Azure account uses subscriptions, ensure that you are using the right subscription:
  - View the list of available accounts and record the tenantId value for the subscription you want to use for your cluster:
    $ az account list --refresh
  - View your active account details and confirm that the tenantId value matches the subscription you want to use:
    $ az account show
    Confirm that the tenantId value in the output is the tenant that owns the subscription you want to use, and that the id value is that subscription's ID.
  - If you are not using the right subscription, change the active subscription:
    $ az account set -s <subscription_id>
    For <subscription_id>, specify the subscription ID.
  - Verify the subscription ID update:
    $ az account show
  - Record the tenantId and id parameter values from the output. You need these values during the OpenShift Container Platform installation.
- Create the service principal for your account:
  $ az ad sp create-for-rbac --role Contributor --name <service_principal> \
      --scopes /subscriptions/<subscription_id> \
      --years <years>
  For <service_principal>, specify a name for the service principal. For <subscription_id>, specify the subscription ID; scoping the role assignment to the subscription keeps the principal from acting outside it. The optional --years value sets how long the generated credential stays valid; the Azure CLI default is one year, after which the installer and the cluster's cloud credentials stop working until you rotate the secret.
- Record the values of the appId and password parameters from the previous output. You need these values during OpenShift Container Platform installation. The password is shown only once and grants Contributor access to the subscription, so store it as you would any other secret.
7.5.4. Obtaining the installation program
Before you install OpenShift Container Platform, download the installation file on a local computer.
Prerequisites
- You have a computer that runs Linux or macOS, with 500 MB of local disk space.
Procedure
- Access the Infrastructure Provider page on the OpenShift Cluster Manager site. If you have a Red Hat account, log in with your credentials. If you do not, create an account.
- Select Azure as the cloud provider.
- Navigate to the page for your installation type, download the installation program that corresponds with your host operating system and architecture, and place the file in the directory where you will store the installation configuration files.
  Important: The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both are required to delete the cluster.
  Important: Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OpenShift Container Platform uninstallation procedures for your specific cloud provider.
- Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
  $ tar -xvf openshift-install-linux.tar.gz
- Download your installation pull secret from the Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
7.5.5. Generating a key pair for cluster node SSH access
					During an OpenShift Container Platform installation, you can provide an SSH public key to the installation program. The key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.
				
					After the key is passed to the nodes, you can use the key pair to SSH in to the RHCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
				
					If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.
				
Do not skip this procedure in production environments, where disaster recovery and debugging are required.
You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs.
Procedure
- If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:
  $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name>
  Specify the path and file name, such as ~/.ssh/id_ed25519, of the new SSH key. If you have an existing key pair, ensure your public key is in your ~/.ssh directory. The -N '' option writes the private key without a passphrase; because this key grants core access to every node, omit the option to be prompted for a passphrase and rely on ssh-agent for password-less use.
  Note: If you plan to install an OpenShift Container Platform cluster that uses FIPS validated or Modules In Process cryptographic libraries on the x86_64 architecture, do not create a key that uses the ed25519 algorithm. Instead, create a key that uses the rsa or ecdsa algorithm.
- View the public SSH key:
  $ cat <path>/<file_name>.pub
  For example, run the following to view the ~/.ssh/id_ed25519.pub public key:
  $ cat ~/.ssh/id_ed25519.pub
- Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather command.
  Note: On some distributions, default SSH private key identities such as ~/.ssh/id_rsa and ~/.ssh/id_dsa are managed automatically.
  If the ssh-agent process is not already running for your local user, start it as a background task:
  $ eval "$(ssh-agent -s)"
  Example output
  Agent pid 31874
  Note: If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA.
- Add your SSH private key to the ssh-agent:
  $ ssh-add <path>/<file_name>
  Specify the path and file name for your SSH private key, such as ~/.ssh/id_ed25519.
  Example output
  Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
Next steps
- When you install OpenShift Container Platform, provide the SSH public key to the installation program.
7.5.6. Creating the installation files for Azure Stack Hub
					To install OpenShift Container Platform on Microsoft Azure Stack Hub using user-provisioned infrastructure, you must generate the files that the installation program needs to deploy your cluster and modify them so that the cluster creates only the machines that it will use. You manually create the install-config.yaml file, and then generate and customize the Kubernetes manifests and Ignition config files. You also have the option to first set up a separate var partition during the preparation phases of installation.
				
7.5.6.1. Manually creating the installation configuration file
Prerequisites
- You have an SSH public key on your local machine to provide to the installation program. The key will be used for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in:
  $ mkdir <installation_directory>
  Important: You must create a directory. Some installation assets, like bootstrap X.509 certificates, have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
- Customize the sample install-config.yaml file template that is provided and save it in the <installation_directory>.
  Note: You must name this configuration file install-config.yaml.
  Make the following modifications for Azure Stack Hub:
  - Set the replicas parameter to 0 for the compute pool:
    compute:
    - hyperthreading: Enabled
      name: worker
      platform: {}
      replicas: 0
    The compute machines will be provisioned manually later.
  - Update the platform.azure section of the install-config.yaml file with your Azure Stack Hub configuration:
    - The Azure Resource Manager endpoint of your Azure Stack Hub environment, like https://management.local.azurestack.external.
    - The name of the resource group that contains the DNS zone for your base domain.
    - The Azure Stack Hub environment, which is used to configure the Azure SDK with the appropriate Azure API endpoints.
    - The name of your Azure Stack Hub region.
- Back up the install-config.yaml file so that you can use it to install multiple clusters.
  Important: The install-config.yaml file is consumed during the next step of the installation process. You must back it up now. The file contains your pull secret, so store the backup as you would any other credential.
7.5.6.2. Sample customized install-config.yaml file for Azure Stack Hub
						You can customize the install-config.yaml file to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually.
- 1, 3: The controlPlane section is a single mapping, but the compute section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the compute section must begin with a hyphen, -, and the first line of the controlPlane section must not. Only one control plane pool is used.
- 2, 4: You can specify the size of the disk to use in GB. The minimum recommendation for control plane nodes is 1024 GB.
- 5: Specify the name of the cluster.
- 6: Specify the Azure Resource Manager endpoint that your Azure Stack Hub operator provides.
- 7: Specify the name of the resource group that contains the DNS zone for your base domain.
- 8: Specify the name of your Azure Stack Hub local region.
- 9: Specify the name of an already existing resource group to install your cluster to. If undefined, a new resource group is created for the cluster.
- 10: Specify the Azure Stack Hub environment as your target platform.
- 11: Specify the pull secret required to authenticate your cluster.
- 12: Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the Red Hat Enterprise Linux CoreOS (RHCOS) machines that OpenShift Container Platform runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead.
  Important: To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Installing the system in FIPS mode. The use of FIPS validated or Modules In Process cryptographic libraries is only supported on OpenShift Container Platform deployments on the x86_64 architecture.
- 13: If your Azure Stack Hub environment uses an internal certificate authority (CA), add the necessary certificate bundle in .pem format.
- 14: You can optionally provide the sshKey value that you use to access the machines in your cluster.
  Note: For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your ssh-agent process uses.
7.5.6.3. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- You have an existing install-config.yaml file.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the Proxy object's spec.noProxy field to bypass the proxy if necessary.
  Note: The Proxy object status.noProxy field is populated with the values of the networking.machineNetwork[].cidr, networking.clusterNetwork[].cidr, and networking.serviceNetwork[] fields from your installation configuration.
  For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the Proxy object status.noProxy field is also populated with the instance metadata endpoint (169.254.169.254).
Procedure
- Edit your install-config.yaml file and add the proxy settings:
  - httpProxy: A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http.
  - httpsProxy: A proxy URL to use for creating HTTPS connections outside the cluster.
  - noProxy: A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com, but not y.com. Use * to bypass the proxy for all destinations.
  - additionalTrustBundle: If provided, the installation program generates a config map that is named user-ca-bundle in the openshift-config namespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in the trustedCA field of the Proxy object. The additionalTrustBundle field is required unless the proxy's identity certificate is signed by an authority from the RHCOS trust bundle.
  Note: The installation program does not support the proxy readinessEndpoints field.
  Note: If the installer times out, restart and then complete the deployment by using the wait-for command of the installer. For example:
  $ ./openshift-install wait-for install-complete --log-level debug
- Save the file and reference it when installing OpenShift Container Platform.
The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
Only the Proxy object named cluster is supported, and no additional proxies can be created.
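The install-config.yaml rules are spread over the SSH key procedure and the three subsections above, and the file is consumed by the next step, so a pre-flight check is worth running before create manifests. The script below is an added example (mine, not part of openshift-install): it encodes that compute replicas must be 0 on user-provisioned infrastructure, that platform.azure must name the Azure Stack Hub ARM endpoint and the AzureStackCloud environment, that an ed25519 sshKey is incompatible with fips: true, that httpProxy must use the http scheme and readinessEndpoints is unsupported, and that a proxy or an internal-CA ARM endpoint without additionalTrustBundle deserves a warning. Field names follow the install-config.yaml schema; the two configs at the bottom are constructed for the example, one with typical mistakes and one corrected, and check_file() assumes PyYAML is installed.

```python
"""Pre-flight checks for an Azure Stack Hub user-provisioned install-config.yaml.

Added example; not part of openshift-install. Run check_file("install-config.yaml")
before `openshift-install create manifests`, which consumes the file.
"""
from urllib.parse import urlparse

# Key types accepted for sshKey when fips is true (ed25519 is rejected, see the SSH key procedure).
FIPS_KEY_TYPES = ("ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
ASH_REQUIRED = ("armEndpoint", "baseDomainResourceGroupName", "cloudName", "region")


def check_install_config(cfg):
    """Return a list of (severity, message) findings for a parsed install-config; [] means clean."""
    findings = []

    def error(msg):
        findings.append(("error", msg))

    def warning(msg):
        findings.append(("warning", msg))

    # Compute machines are created later from the ARM templates, so every compute pool starts empty.
    for pool in cfg.get("compute") or []:
        if pool.get("replicas") != 0:
            error(f"compute pool {pool.get('name')!r} has replicas={pool.get('replicas')}; must be 0 for UPI")

    # platform.azure must point at the Azure Stack Hub ARM endpoint and select the AzureStackCloud environment.
    azure = (cfg.get("platform") or {}).get("azure") or {}
    for key in ASH_REQUIRED:
        if not azure.get(key):
            error(f"platform.azure.{key} is missing")
    arm = urlparse(azure.get("armEndpoint") or "")
    if arm.scheme != "https" or not (arm.hostname or "").startswith("management."):
        error("platform.azure.armEndpoint must look like https://management.<region>.<fqdn>/")
    if azure.get("cloudName") != "AzureStackCloud":
        error(f"platform.azure.cloudName is {azure.get('cloudName')!r}; must be AzureStackCloud")

    bundle = cfg.get("additionalTrustBundle") or ""
    if bundle and "-----BEGIN CERTIFICATE-----" not in bundle:
        error("additionalTrustBundle is not a PEM certificate bundle")
    elif not bundle:
        warning("no additionalTrustBundle: required if the ARM endpoint or the proxy uses an internal CA")

    # FIPS mode restricts the SSH key algorithm; the key type is the first token of the public key line.
    key_type = (cfg.get("sshKey") or "").split(" ", 1)[0]
    if not key_type:
        warning("sshKey is empty: no SSH access to nodes for debugging, and openshift-install gather will not work")
    elif cfg.get("fips") and key_type not in FIPS_KEY_TYPES:
        error(f"fips: true but sshKey type {key_type} is not FIPS-compliant; use an rsa or ecdsa key")

    proxy = cfg.get("proxy") or {}
    if proxy:
        if proxy.get("httpProxy") and urlparse(proxy["httpProxy"]).scheme != "http":
            error("proxy.httpProxy URL scheme must be http")
        if "readinessEndpoints" in proxy:
            error("proxy.readinessEndpoints is not supported by the installation program")
        no_proxy = [s.strip() for s in (proxy.get("noProxy") or "").split(",") if s.strip()]
        if "*" in no_proxy:
            warning("proxy.noProxy contains '*': the proxy is bypassed for every destination")
        if proxy.get("httpsProxy") and not bundle:
            warning("httpsProxy set without additionalTrustBundle: only valid if the proxy certificate chains to the RHCOS trust bundle")

    if not cfg.get("pullSecret"):
        error("pullSecret is missing")
    return findings


def check_file(path):
    """Load a real install-config.yaml (needs PyYAML) and run the checks."""
    import yaml  # imported lazily so the constructed samples below run without PyYAML
    with open(path) as fh:
        return check_install_config(yaml.safe_load(fh))


# Constructed samples, not real clusters: the first shows typical mistakes, the second the corrected values.
PEM_STUB = "-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----\n"
BAD_CONFIG = {
    "apiVersion": "v1", "baseDomain": "example.com", "metadata": {"name": "test-cluster"},
    "compute": [{"name": "worker", "platform": {}, "replicas": 3}],
    "controlPlane": {"name": "master", "platform": {}, "replicas": 3},
    "platform": {"azure": {"armEndpoint": "http://management.local.azurestack.external",
                           "baseDomainResourceGroupName": "ocp-cluster",
                           "cloudName": "AzurePublicCloud", "region": "local"}},
    "proxy": {"httpProxy": "https://proxy.example.com:3128",
              "httpsProxy": "https://proxy.example.com:3128", "noProxy": "*"},
    "fips": True,
    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey user@example.com",
    "pullSecret": "",
}
GOOD_CONFIG = {
    "apiVersion": "v1", "baseDomain": "example.com", "metadata": {"name": "test-cluster"},
    "compute": [{"name": "worker", "platform": {}, "replicas": 0}],
    "controlPlane": {"name": "master", "platform": {}, "replicas": 3},
    "platform": {"azure": {"armEndpoint": "https://management.local.azurestack.external/",
                           "baseDomainResourceGroupName": "ocp-cluster",
                           "cloudName": "AzureStackCloud", "region": "local"}},
    "proxy": {"httpProxy": "http://proxy.example.com:3128",
              "httpsProxy": "http://proxy.example.com:3128",
              "noProxy": "localhost,127.0.0.1,.cluster.local,.svc"},
    "fips": True,
    "sshKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedNotARealKey user@example.com",
    "pullSecret": '{"auths":{"quay.io":{"auth":"constructed"}}}',
    "additionalTrustBundle": PEM_STUB,
}

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        for severity, msg in check_install_config(cfg) or [("ok", "no findings")]:
            print(f"[{label}] {severity}: {msg}")
```

Warnings are kept separate from errors on purpose: whether the ARM endpoint or proxy certificate chains to the RHCOS trust bundle cannot be decided from the file alone, so the script flags the absence of a bundle and leaves that judgement to you.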
						
7.5.6.4. Exporting common variables for ARM templates
You must export a common set of variables that are used with the provided Azure Resource Manager (ARM) templates used to assist in completing a user-provided infrastructure install on Microsoft Azure Stack Hub.
Specific ARM templates can also require additional exported variables, which are detailed in their related procedures.
Prerequisites
- Obtain the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Export common variables found in the install-config.yaml to be used by the provided ARM templates:
  $ export CLUSTER_NAME=<cluster_name>
  $ export AZURE_REGION=<azure_region>
  $ export SSH_KEY=<ssh_key>
  $ export BASE_DOMAIN=<base_domain>
  $ export BASE_DOMAIN_RESOURCE_GROUP=<base_domain_resource_group>
  - CLUSTER_NAME: The value of the .metadata.name attribute from the install-config.yaml file.
  - AZURE_REGION: The region to deploy the cluster into. This is the value of the .platform.azure.region attribute from the install-config.yaml file.
  - SSH_KEY: The SSH RSA public key file as a string. You must enclose the SSH key in quotes since it contains spaces. This is the value of the .sshKey attribute from the install-config.yaml file.
  - BASE_DOMAIN: The base domain to deploy the cluster to. The base domain corresponds to the DNS zone that you created for your cluster. This is the value of the .baseDomain attribute from the install-config.yaml file.
  - BASE_DOMAIN_RESOURCE_GROUP: The resource group where the DNS zone exists. This is the value of the .platform.azure.baseDomainResourceGroupName attribute from the install-config.yaml file.
  For example:
  $ export CLUSTER_NAME=test-cluster
  $ export AZURE_REGION=centralus
  $ export SSH_KEY="ssh-rsa xxx/xxx/xxx= user@email.com"
  $ export BASE_DOMAIN=example.com
  $ export BASE_DOMAIN_RESOURCE_GROUP=ocp-cluster
- Export the kubeadmin credentials:
  $ export KUBECONFIG=<installation_directory>/auth/kubeconfig
  For <installation_directory>, specify the path to the directory that you stored the installation files in.
7.5.6.5. Creating the Kubernetes manifest and Ignition config files
Because you must modify some cluster definition files and manually start the cluster machines, you must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.
The installation configuration file transforms into the Kubernetes manifests. The manifests wrap into the Ignition configuration files, which are later used to configure the cluster machines.
Important:
- The Ignition config files that the OpenShift Container Platform installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
Prerequisites
- You obtained the OpenShift Container Platform installation program.
- You created the install-config.yaml installation configuration file.
Procedure
- Change to the directory that contains the OpenShift Container Platform installation program and generate the Kubernetes manifests for the cluster:
  $ ./openshift-install create manifests --dir <installation_directory>
  For <installation_directory>, specify the installation directory that contains the install-config.yaml file you created.
 
- Remove the Kubernetes manifest files that define the control plane machines:
  $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml
  By removing these files, you prevent the cluster from automatically generating control plane machines.
- Remove the Kubernetes manifest files that define the worker machines:
  $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml
  Because you create and manage the worker machines yourself, you do not need to initialize these machines.
- Check that the mastersSchedulable parameter in the <installation_directory>/manifests/cluster-scheduler-02-config.yml Kubernetes manifest file is set to false. This setting prevents pods from being scheduled on the control plane machines:
  - Open the <installation_directory>/manifests/cluster-scheduler-02-config.yml file.
  - Locate the mastersSchedulable parameter and ensure that it is set to false.
  - Save and exit the file.
- Optional: If you do not want the Ingress Operator to create DNS records on your behalf, remove the privateZone and publicZone sections from the <installation_directory>/manifests/cluster-dns-02-config.yml DNS configuration file. If you do so, you must add ingress DNS records manually in a later step.
- Optional: If your Azure Stack Hub environment uses an internal certificate authority (CA), you must update the .spec.trustedCA.name field in the <installation_directory>/manifests/cluster-proxy-01-config.yaml file to use user-ca-bundle:
  ...
  spec:
    trustedCA:
      name: user-ca-bundle
  ...
  Later, you must update your bootstrap ignition to include the CA.
- When configuring Azure on user-provisioned infrastructure, you must export some common variables defined in the manifest files to use later in the Azure Resource Manager (ARM) templates:
  - Export the infrastructure ID by using the following command:
    $ export INFRA_ID=<infra_id>
    The OpenShift Container Platform cluster has been assigned an identifier (INFRA_ID) in the form of <cluster_name>-<random_string>. This is used as the base name for most resources created using the provided ARM templates. It is the value of the .status.infrastructureName attribute from the manifests/cluster-infrastructure-02-config.yml file.
  - Export the resource group by using the following command:
    $ export RESOURCE_GROUP=<resource_group>
    All resources created in this Azure deployment exist as part of a resource group. The resource group name is also based on the INFRA_ID, in the form of <cluster_name>-<random_string>-rg. It is the value of the .status.platformStatus.azure.resourceGroupName attribute from the manifests/cluster-infrastructure-02-config.yml file.
 
 
- Manually create your cloud credentials.
  - From the directory that contains the installation program, obtain details of the OpenShift Container Platform release image that your openshift-install binary is built to use:
    $ openshift-install version
    Example output
    release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
  - Locate all CredentialsRequest objects in this release image that target the cloud you are deploying on:
    $ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=azure
    This command creates a YAML file for each CredentialsRequest object.
  - Create YAML files for secrets in the openshift-install manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the spec.secretRef for each CredentialsRequest object. The format for the secret data varies for each cloud provider.
    Important
    The release image includes CredentialsRequest objects for Technology Preview features that are enabled by the TechPreviewNoUpgrade feature set. You can identify these objects by their use of the release.openshift.io/feature-gate: TechPreviewNoUpgrade annotation.
    - If you are not using any of these features, do not create secrets for these objects. Creating secrets for Technology Preview features that you are not using can cause the installation to fail.
    - If you are using any of these features, you must create secrets for the corresponding objects.
    - To find CredentialsRequest objects with the TechPreviewNoUpgrade annotation, run the following command:
      $ grep "release.openshift.io/feature-gate" *
      Example output
      0000_30_capi-operator_00_credentials-request.yaml: release.openshift.io/feature-gate: TechPreviewNoUpgrade
  - Create a cco-configmap.yaml file in the manifests directory with the Cloud Credential Operator (CCO) disabled.
- To create the Ignition configuration files, run the following command from the directory that contains the installation program:
  $ ./openshift-install create ignition-configs --dir <installation_directory>
  For <installation_directory>, specify the same installation directory.
  Ignition config files are created for the bootstrap, control plane, and compute nodes in the installation directory. The kubeadmin-password and kubeconfig files are created in the ./<installation_directory>/auth directory. Both grant cluster-admin access, so restrict access to the installation directory.
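The manual credentials steps above, carried out as one script: read the CredentialsRequest files that oc adm release extract wrote, skip the TechPreviewNoUpgrade ones unless that feature set is enabled, write a Secret at each spec.secretRef, and add the ConfigMap that disables the CCO. This is an added example, not code from the OpenShift documentation or the installer. The Azure secret key names and the ConfigMap body are assumptions to check against the sample secrets.yaml and cco-configmap.yaml for your release, and the two CredentialsRequest files embedded in it are constructed samples. Its YAML reader handles only the nested key/value subset those files use for the fields read here.

```python
"""Write the manual-mode credential Secrets and the CCO-disabling ConfigMap.

Added example, not code from the OpenShift documentation or the installer.
Input: the CredentialsRequest files from `oc adm release extract --credentials-requests --cloud=azure`.
Output: one Secret per request at its spec.secretRef (TechPreviewNoUpgrade ones skipped
unless enabled) plus cco-configmap.yaml. AZURE_SECRET_KEYS and CCO_DISABLED_CONFIGMAP are
assumptions to verify against your release's sample secrets.yaml and cco-configmap.yaml.
"""
import json
import os

AZURE_SECRET_KEYS = (
    "azure_subscription_id", "azure_client_id", "azure_client_secret", "azure_tenant_id",
    "azure_resource_prefix", "azure_resourcegroup", "azure_region",
)
CCO_DISABLED_CONFIGMAP = """apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-credential-operator-config
  namespace: openshift-cloud-credential-operator
  annotations:
    release.openshift.io/create-only: "true"
data:
  disabled: "true"
"""

def parse_yaml_subset(text: str) -> dict:
    """Nested `key: value` mappings only; list items and comments are skipped.
    Enough for kind, metadata.annotations and spec.secretRef; not general YAML."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        stripped = line.strip()
        if not stripped or stripped[0] in "#-":
            continue
        indent = len(line) - len(line.lstrip(" "))
        while indent <= stack[-1][0]:
            stack.pop()
        key, _, value = stripped.partition(":")
        value = value.strip().strip("'\"")
        if value:
            stack[-1][1][key.strip()] = value
        else:
            stack[-1][1][key.strip()] = child = {}
            stack.append((indent, child))
    return root

def is_tech_preview(req: dict) -> bool:
    annotations = req.get("metadata", {}).get("annotations", {})
    return annotations.get("release.openshift.io/feature-gate") == "TechPreviewNoUpgrade"

def secret_manifest(req: dict, creds: dict) -> str:
    ref = req["spec"]["secretRef"]  # the Secret must live exactly where the request says
    lines = ["apiVersion: v1", "kind: Secret", "metadata:",
             f"  name: {ref['name']}", f"  namespace: {ref['namespace']}", "stringData:"]
    lines += [f"  {key}: {json.dumps(creds[key])}" for key in AZURE_SECRET_KEYS]  # JSON quoting is valid YAML
    return "\n".join(lines) + "\n"

def generate_manifests(requests: dict, creds: dict, enable_tech_preview: bool = False) -> dict:
    """Map output file name -> manifest text, ready for <installation_directory>/manifests."""
    out = {}
    for filename in sorted(requests):
        req = parse_yaml_subset(requests[filename])
        if req.get("kind") != "CredentialsRequest":
            continue
        if is_tech_preview(req) and not enable_tech_preview:
            continue  # a Secret for an unused Tech Preview feature fails the install
        ref = req["spec"]["secretRef"]
        out[f"99_{ref['namespace']}_{ref['name']}-secret.yaml"] = secret_manifest(req, creds)
    out["cco-configmap.yaml"] = CCO_DISABLED_CONFIGMAP
    return out

def write_manifests(manifests: dict, manifests_dir: str) -> None:
    """Mode 0600: the Secrets carry the service principal's client secret."""
    for name, text in manifests.items():
        fd = os.open(os.path.join(manifests_dir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)

# Constructed samples in the shape of extracted CredentialsRequest files.
SAMPLE_REQUESTS = {
    "0000_50_ingress-credentials-request.yaml": """\
kind: CredentialsRequest
metadata:
  name: openshift-ingress-azure
spec:
  providerSpec:
    kind: AzureProviderSpec
    roleBindings:
    - role: Contributor
  secretRef:
    name: cloud-credentials
    namespace: openshift-ingress-operator
""",
    "0000_30_capi-operator_00_credentials-request.yaml": """\
kind: CredentialsRequest
metadata:
  annotations:
    release.openshift.io/feature-gate: TechPreviewNoUpgrade
spec:
  secretRef:
    name: capi-manager-bootstrap-credentials
    namespace: openshift-cluster-api
""",
}
SAMPLE_CREDS = {key: f"<{key}>" for key in AZURE_SECRET_KEYS}  # placeholders, not real values

if __name__ == "__main__":
    for name, text in generate_manifests(SAMPLE_REQUESTS, SAMPLE_CREDS).items():
        print(f"--- {name}\n{text}")
```

For a real run, build the requests dictionary from the directory that oc adm release extract wrote (file name to file text), call generate_manifests with the service principal values, and write_manifests into <installation_directory>/manifests before running create ignition-configs.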
 
 
7.5.6.6. Optional: Creating a separate /var partition
It is recommended that disk partitioning for OpenShift Container Platform be left to the installer. However, there are cases where you might want to create separate partitions in a part of the filesystem that you expect to grow.
OpenShift Container Platform supports the addition of a single partition to attach storage to either the /var partition or a subdirectory of /var. For example:
- /var/lib/containers: Holds container-related content that can grow as more images and containers are added to a system.
- /var/lib/etcd: Holds data that you might want to keep separate for purposes such as performance optimization of etcd storage.
- /var: Holds data that you might want to keep separate for purposes such as auditing.
Storing the contents of a /var directory separately makes it easier to grow storage for those areas as needed and reinstall OpenShift Container Platform at a later date and keep that data intact. With this method, you will not have to pull all your containers again, nor will you have to copy massive log files when you update systems.
Because /var must be in place before a fresh installation of Red Hat Enterprise Linux CoreOS (RHCOS), the following procedure sets up the separate /var partition by creating a machine config manifest that is inserted during the openshift-install preparation phases of an OpenShift Container Platform installation.
Important
If you follow the steps to create a separate /var partition in this procedure, it is not necessary to create the Kubernetes manifest and Ignition config files again as described later in this section.
Procedure
- Create a directory to hold the OpenShift Container Platform installation files:
  $ mkdir $HOME/clusterconfig
- Run openshift-install to create a set of files in the manifest and openshift subdirectories. Answer the system questions as you are prompted:
  $ openshift-install create manifests --dir $HOME/clusterconfig
  Example output
  ? SSH Public Key ...
  INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials"
  INFO Consuming Install Config from target directory
  INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift
- Optional: Confirm that the installation program created manifests in the clusterconfig/openshift directory:
  $ ls $HOME/clusterconfig/openshift/
  Example output
  99_kubeadmin-password-secret.yaml
  99_openshift-cluster-api_master-machines-0.yaml
  99_openshift-cluster-api_master-machines-1.yaml
  99_openshift-cluster-api_master-machines-2.yaml
  ...
- Create a Butane config that configures the additional partition. For example, name the file $HOME/clusterconfig/98-var-partition.bu, change the disk device name to the name of the storage device on the worker systems, and set the storage size as appropriate. This example places the /var directory on a separate partition. The values you set in that file are:
  - The storage device name of the disk that you want to partition.
  - The start offset of the data partition. When adding a data partition to the boot disk, a minimum value of 25000 MiB (Mebibytes) is recommended. The root file system is automatically resized to fill all available space up to the specified offset. If no value is specified, or if the specified value is smaller than the recommended minimum, the resulting root file system will be too small, and future reinstalls of RHCOS might overwrite the beginning of the data partition.
  - The size of the data partition in mebibytes.
  - The prjquota mount option, which must be enabled for filesystems used for container storage.
  Note
  When creating a separate /var partition, you cannot use different instance types for worker nodes, if the different instance types do not have the same device name.
- Create a manifest from the Butane config and save it to the clusterconfig/openshift directory. For example, run the following command:
  $ butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml
- Run openshift-install again to create Ignition configs from a set of files in the manifest and openshift subdirectories:
  $ openshift-install create ignition-configs --dir $HOME/clusterconfig
  $ ls $HOME/clusterconfig/
  auth  bootstrap.ign  master.ign  metadata.json  worker.ign
Now you can use the Ignition config files as input to the installation procedures to install Red Hat Enterprise Linux CoreOS (RHCOS) systems.
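The Butane config that the procedure above asks for, generated with its constraints enforced rather than typed by hand: the partition must start at least 25000 MiB into the boot disk, the size is in MiB, only /var or a subdirectory of /var may be split out, and the filesystem gets the prjquota mount option. This is an added example, not code from the OpenShift documentation or from Butane; the openshift variant, the 4.10.0 version and the storage layout it emits are assumptions to check against the Butane spec for your release, and the device and sizes in the usage call are constructed.

```python
"""Emit a Butane config for a separate /var (or /var/<subdir>) partition.

Added example, not code from the OpenShift documentation or Butane. The
variant/version and the storage.disks / storage.filesystems layout are
assumptions to check against the Butane spec for the release in use.
"""
MIN_START_MIB = 25000  # recommended minimum offset on the boot disk

def partition_label(path: str) -> str:
    """/var -> var, /var/lib/containers -> var-lib-containers (GPT partition label)."""
    return path.strip("/").replace("/", "-")

def var_partition_butane(device: str, size_mib: int, start_mib: int = MIN_START_MIB,
                         path: str = "/var", role: str = "worker") -> str:
    if not device.startswith("/dev/"):
        raise ValueError("device must be a /dev path, for example /dev/sda")
    if start_mib < MIN_START_MIB:
        # Too small: the root filesystem ends up undersized and a later RHCOS
        # reinstall can overwrite the beginning of the data partition.
        raise ValueError(f"start_mib {start_mib} is below the recommended {MIN_START_MIB} MiB")
    if size_mib <= 0:
        raise ValueError("size_mib must be positive")
    if path != "/var" and not path.startswith("/var/"):
        raise ValueError("only /var or a subdirectory of /var can be placed on the extra partition")
    label = partition_label(path)
    return "\n".join([
        "variant: openshift",
        "version: 4.10.0",
        "metadata:",
        "  labels:",
        f"    machineconfiguration.openshift.io/role: {role}",
        f"  name: 98-{label}-partition",
        "storage:",
        "  disks:",
        f"  - device: {device}",
        "    partitions:",
        f"    - label: {label}",
        f"      start_mib: {start_mib}",
        f"      size_mib: {size_mib}",
        "  filesystems:",
        f"    - device: /dev/disk/by-partlabel/{label}",
        f"      path: {path}",
        "      format: xfs",
        "      mount_options: [defaults, prjquota]",  # prjquota: required for container storage
        "      with_mount_unit: true",
    ]) + "\n"

def butane_is_valid(**kwargs) -> bool:
    """True when var_partition_butane accepts the values."""
    try:
        var_partition_butane(**kwargs)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed values: replace the device with the worker nodes' boot disk.
    print(var_partition_butane("/dev/sda", size_mib=102400))
```

Redirect the output to $HOME/clusterconfig/98-var-partition.bu and continue with the butane step; the device name must be the same on every worker instance type you use, as the note above warns.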
7.5.7. Creating the Azure resource group
You must create a Microsoft Azure resource group. This is used during the installation of your OpenShift Container Platform cluster on Azure Stack Hub.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
Procedure
- Create the resource group in a supported Azure region:
  $ az group create --name ${RESOURCE_GROUP} --location ${AZURE_REGION}
7.5.8. Uploading the RHCOS cluster image and bootstrap Ignition config file
The Azure client does not support deployments based on files existing locally. You must copy and store the RHCOS virtual hard disk (VHD) cluster image and bootstrap Ignition config file in a storage container so they are accessible during deployment.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
Procedure
- Create an Azure storage account to store the VHD cluster image:
  $ az storage account create -g ${RESOURCE_GROUP} --location ${AZURE_REGION} --name ${CLUSTER_NAME}sa --kind Storage --sku Standard_LRS
  Warning
  The Azure storage account name must be between 3 and 24 characters in length and use numbers and lower-case letters only. If your CLUSTER_NAME variable does not follow these restrictions, you must manually define the Azure storage account name. For more information on Azure storage account name restrictions, see Resolve errors for storage account names in the Azure documentation.
- Export the storage account key as an environment variable:
  $ export ACCOUNT_KEY=`az storage account keys list -g ${RESOURCE_GROUP} --account-name ${CLUSTER_NAME}sa --query "[0].value" -o tsv`
  The account key grants full access to the storage account, which will also hold the bootstrap Ignition config; treat it as a secret and keep it out of shell history and logs.
- Export the URL of the RHCOS VHD to an environment variable:
  $ export COMPRESSED_VHD_URL=$(openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.artifacts.azurestack.formats."vhd.gz".disk.location')
  Important
  The RHCOS images might not change with every release of OpenShift Container Platform. You must specify an image with the highest version that is less than or equal to the OpenShift Container Platform version that you install. Use the image version that matches your OpenShift Container Platform version if it is available.
- Create the storage container for the VHD:
  $ az storage container create --name vhd --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY}
- Download the compressed RHCOS VHD file locally:
  $ curl -O -L ${COMPRESSED_VHD_URL}
- Decompress the VHD file.
  Note
  The decompressed VHD file is approximately 16 GB, so be sure that your host system has 16 GB of free space available. You can delete the VHD file after you upload it.
- Copy the local VHD to a blob:
  $ az storage blob upload --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -c vhd -n "rhcos.vhd" -f rhcos-<rhcos_version>-azurestack.x86_64.vhd
- Create a blob storage container and upload the generated bootstrap.ign file:
  $ az storage container create --name files --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY}
  $ az storage blob upload --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -c "files" -f "<installation_directory>/bootstrap.ign" -n "bootstrap.ign"
7.5.9. Example for creating DNS zones
DNS records are required for clusters that use user-provisioned infrastructure. You should choose the DNS strategy that fits your scenario.
For this example, Azure Stack Hub’s datacenter DNS integration is used, so you will create a DNS zone.
The DNS zone is not required to exist in the same resource group as the cluster deployment and might already exist in your organization for the desired base domain. If that is the case, you can skip creating the DNS zone; be sure the installation config you generated earlier reflects that scenario.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
Procedure
- Create the new DNS zone in the resource group exported in the BASE_DOMAIN_RESOURCE_GROUP environment variable:
  $ az network dns zone create -g ${BASE_DOMAIN_RESOURCE_GROUP} -n ${CLUSTER_NAME}.${BASE_DOMAIN}
  You can skip this step if you are using a DNS zone that already exists.
You can learn more about configuring a DNS zone in Azure Stack Hub by visiting that section.
7.5.10. Creating a VNet in Azure Stack Hub
You must create a virtual network (VNet) in Microsoft Azure Stack Hub for your OpenShift Container Platform cluster to use. You can customize the VNet to meet your requirements. One way to create the VNet is to modify the provided Azure Resource Manager (ARM) template.
If you do not use the provided ARM template to create your Azure Stack Hub infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
Procedure
- Copy the template from the ARM template for the VNet section of this topic and save it as 01_vnet.json in your cluster's installation directory. This template describes the VNet that your cluster requires.
- Create the deployment by using the az CLI:
  $ az deployment group create -g ${RESOURCE_GROUP} \
    --template-file "<installation_directory>/01_vnet.json" \
    --parameters baseName="${INFRA_ID}"
  baseName is the base name to be used in resource names; this is usually the cluster's infrastructure ID.
 
7.5.10.1. ARM template for the VNet
You can use the following Azure Resource Manager (ARM) template to deploy the VNet that you need for your OpenShift Container Platform cluster:
Example 7.1. 01_vnet.json ARM template
https://raw.githubusercontent.com/openshift/installer/release-4.10/upi/azurestack/01_vnet.json
7.5.11. Deploying the RHCOS cluster image for the Azure Stack Hub infrastructure
You must use a valid Red Hat Enterprise Linux CoreOS (RHCOS) image for Microsoft Azure Stack Hub for your OpenShift Container Platform nodes.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
- Store the RHCOS virtual hard disk (VHD) cluster image in an Azure storage container.
- Store the bootstrap Ignition config file in an Azure storage container.
Procedure
- Copy the template from the ARM template for image storage section of this topic and save it as 02_storage.json in your cluster's installation directory. This template describes the image storage that your cluster requires.
- Export the RHCOS VHD blob URL as a variable:
  $ export VHD_BLOB_URL=`az storage blob url --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -c vhd -n "rhcos.vhd" -o tsv`
- Deploy the cluster image:
  $ az deployment group create -g ${RESOURCE_GROUP} \
    --template-file "<installation_directory>/02_storage.json" \
    --parameters vhdBlobURL="${VHD_BLOB_URL}" \
    --parameters baseName="${INFRA_ID}"
  vhdBlobURL is the blob URL of the RHCOS VHD you uploaded; baseName is the base name to be used in resource names, usually the cluster's infrastructure ID.
7.5.11.1. ARM template for image storage
You can use the following Azure Resource Manager (ARM) template to deploy the stored Red Hat Enterprise Linux CoreOS (RHCOS) image that you need for your OpenShift Container Platform cluster:
Example 7.2. 02_storage.json ARM template
https://raw.githubusercontent.com/openshift/installer/release-4.10/upi/azurestack/02_storage.json
7.5.12. Networking requirements for user-provisioned infrastructure
All the Red Hat Enterprise Linux CoreOS (RHCOS) machines require networking to be configured in initramfs during boot to fetch their Ignition config files.
7.5.12.1. Network connectivity requirements
You must configure the network connectivity between machines to allow OpenShift Container Platform cluster components to communicate. Each machine must be able to resolve the hostnames of all other machines in the cluster.
This section provides details about the ports that are required.
In connected OpenShift Container Platform environments, all nodes are required to have internet access to pull images for platform containers and provide telemetry data to Red Hat.
Ports used for all-machine to all-machine communications
| Protocol | Port | Description |
|---|---|---|
| ICMP | N/A | Network reachability tests |
| TCP | 1936 | Metrics |
| | 9000-9999 | Host level services, including the node exporter on ports 9100-9101 and the Cluster Version Operator on port 9099 |
| | 10250-10259 | The default ports that Kubernetes reserves |
| | 10256 | openshift-sdn |
| UDP | 4789 | VXLAN |
| | 6081 | Geneve |
| | 9000-9999 | Host level services, including the node exporter on ports 9100-9101 |
| | 500 | IPsec IKE packets |
| | 4500 | IPsec NAT-T packets |
| TCP/UDP | 30000-32767 | Kubernetes node port |
| ESP | N/A | IPsec Encapsulating Security Payload (ESP) |
Ports used for all-machine to control plane communications
| Protocol | Port | Description |
|---|---|---|
| TCP | 6443 | Kubernetes API |
Ports used for control plane machine to control plane machine communications
| Protocol | Port | Description |
|---|---|---|
| TCP | 2379-2380 | etcd server and peer ports |
7.5.13. Creating networking and load balancing components in Azure Stack Hub
You must configure networking and load balancing in Microsoft Azure Stack Hub for your OpenShift Container Platform cluster to use. One way to create these components is to modify the provided Azure Resource Manager (ARM) template.
Load balancing requires the following DNS records:
- An api DNS record for the API public load balancer in the DNS zone.
- An api-int DNS record for the API internal load balancer in the DNS zone.
If you do not use the provided ARM template to create your Azure Stack Hub infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
- Create and configure a VNet and associated subnets in Azure Stack Hub.
Procedure
- Copy the template from the ARM template for the network and load balancers section of this topic and save it as 03_infra.json in your cluster's installation directory. This template describes the networking and load balancing objects that your cluster requires.
- Create the deployment by using the az CLI:
  $ az deployment group create -g ${RESOURCE_GROUP} \
    --template-file "<installation_directory>/03_infra.json" \
    --parameters baseName="${INFRA_ID}"
  baseName is the base name to be used in resource names; this is usually the cluster's infrastructure ID.
- Create an api DNS record and an api-int DNS record. When creating the API DNS records, the ${BASE_DOMAIN_RESOURCE_GROUP} variable must point to the resource group where the DNS zone exists.
  - Export the following variable:
    $ export PUBLIC_IP=`az network public-ip list -g ${RESOURCE_GROUP} --query "[?name=='${INFRA_ID}-master-pip'] | [0].ipAddress" -o tsv`
  - Export the following variable:
    $ export PRIVATE_IP=`az network lb frontend-ip show -g "$RESOURCE_GROUP" --lb-name "${INFRA_ID}-internal" -n internal-lb-ip --query "privateIpAddress" -o tsv`
  - Create the api DNS record in a new DNS zone:
    $ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n api -a ${PUBLIC_IP} --ttl 60
    If you are adding the cluster to an existing DNS zone, you can create the api DNS record in it instead:
    $ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${BASE_DOMAIN} -n api.${CLUSTER_NAME} -a ${PUBLIC_IP} --ttl 60
  - Create the api-int DNS record in a new DNS zone:
    $ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z "${CLUSTER_NAME}.${BASE_DOMAIN}" -n api-int -a ${PRIVATE_IP} --ttl 60
    If you are adding the cluster to an existing DNS zone, you can create the api-int DNS record in it instead:
    $ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${BASE_DOMAIN} -n api-int.${CLUSTER_NAME} -a ${PRIVATE_IP} --ttl 60
 
7.5.13.1. ARM template for the network and load balancers
You can use the following Azure Resource Manager (ARM) template to deploy the networking objects and load balancers that you need for your OpenShift Container Platform cluster:
Example 7.3. 03_infra.json ARM template
https://raw.githubusercontent.com/openshift/installer/release-4.10/upi/azurestack/03_infra.json
7.5.14. Creating the bootstrap machine in Azure Stack Hub
You must create the bootstrap machine in Microsoft Azure Stack Hub to use during OpenShift Container Platform cluster initialization. One way to create this machine is to modify the provided Azure Resource Manager (ARM) template.
If you do not use the provided ARM template to create your bootstrap machine, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
- Create and configure a VNet and associated subnets in Azure Stack Hub.
- Create and configure networking and load balancers in Azure Stack Hub.
- Create control plane and compute roles.
Procedure
- 
							Copy the template from the ARM template for the bootstrap machine section of this topic and save it as 04_bootstrap.jsonin your cluster’s installation directory. This template describes the bootstrap machine that your cluster requires.
- Export the bootstrap URL variable: - bootstrap_url_expiry=`date -u -d "10 hours" '+%Y-%m-%dT%H:%MZ'` - $ bootstrap_url_expiry=`date -u -d "10 hours" '+%Y-%m-%dT%H:%MZ'`- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - export BOOTSTRAP_URL=`az storage blob generate-sas -c 'files' -n 'bootstrap.ign' --https-only --full-uri --permissions r --expiry $bootstrap_url_expiry --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -o tsv`- $ export BOOTSTRAP_URL=`az storage blob generate-sas -c 'files' -n 'bootstrap.ign' --https-only --full-uri --permissions r --expiry $bootstrap_url_expiry --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -o tsv`- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the bootstrap ignition variable: - If your environment uses a public certificate authority (CA), run this command: - export BOOTSTRAP_IGNITION=`jq -rcnM --arg v "3.2.0" --arg url ${BOOTSTRAP_URL} '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n'`- $ export BOOTSTRAP_IGNITION=`jq -rcnM --arg v "3.2.0" --arg url ${BOOTSTRAP_URL} '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n'`- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
  - If your environment uses an internal CA, you must add your PEM encoded bundle to the bootstrap ignition stub so that your bootstrap virtual machine can pull the bootstrap ignition from the storage account. Run the following commands, which assume your CA is in a file called CA.pem:
    $ export CA="data:text/plain;charset=utf-8;base64,$(cat CA.pem |base64 |tr -d '\n')"
    $ export BOOTSTRAP_IGNITION=`jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" --arg cert "$CA" '{ignition:{version:$v,security:{tls:{certificateAuthorities:[{source:$cert}]}},config:{replace:{source:$url}}}}' | base64 | tr -d '\n'`
 
- Create the deployment by using the az CLI:
  $ az deployment group create --verbose -g ${RESOURCE_GROUP} \
    --template-file "<installation_directory>/04_bootstrap.json" \
    --parameters bootstrapIgnition="${BOOTSTRAP_IGNITION}" \
    --parameters baseName="${INFRA_ID}" \
    --parameters diagnosticsStorageAccountName="${CLUSTER_NAME}sa"
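The stub that the jq and base64 commands above produce is small enough to check before it is handed to the deployment. The following added example (not code from the OpenShift installer or this documentation) rebuilds the Ignition 3.2.0 stub in Python and then verifies it: the config source must be an https URL, the SAS token must be read-only and unexpired, and any embedded CA must be a PEM bundle. The storage account host, SAS signature and certificate body are constructed placeholders.

```python
"""Build and check the bootstrap Ignition stub that the jq/base64 commands above produce.

Added example, not code from the OpenShift installer or its documentation. The stub is an
Ignition 3.2.0 config whose config.replace.source is the SAS URL of bootstrap.ign, with an
optional internal CA embedded as a data: URL. check_bootstrap_stub() inspects the stub before
it is passed as the bootstrapIgnition parameter: the source must be https, the SAS token must
be read-only and not expired, and any embedded CA must be a PEM bundle.
"""
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

IGNITION_VERSION = "3.2.0"
CA_DATA_PREFIX = "data:text/plain;charset=utf-8;base64,"
SAS_MAX_LIFETIME = timedelta(hours=10)  # the expiry window the procedure uses

# Constructed sample values; the host, signature and certificate body are placeholders.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SAS_URL = ("https://examplesa.blob.local.azurestack.external/files/bootstrap.ign"
                  "?se=2024-01-01T21:00Z&sp=r&sv=2019-02-02&sr=b&sig=CONSTRUCTED")
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def ca_data_url(pem_bundle: bytes) -> str:
    """Same encoding as the CA= export on the page: a base64 data URL of CA.pem."""
    return CA_DATA_PREFIX + base64.b64encode(pem_bundle).decode()


def build_bootstrap_stub(bootstrap_url: str, ca_pem: Optional[bytes] = None) -> str:
    """Return the base64 string that the page stores in BOOTSTRAP_IGNITION."""
    stub = {"ignition": {"version": IGNITION_VERSION,
                         "config": {"replace": {"source": bootstrap_url}}}}
    if ca_pem is not None:
        stub["ignition"]["security"] = {
            "tls": {"certificateAuthorities": [{"source": ca_data_url(ca_pem)}]}}
    return base64.b64encode(json.dumps(stub, separators=(",", ":")).encode()).decode()


def parse_sas_expiry(value: str) -> Optional[datetime]:
    """Accept the minute-precision form the page generates and the seconds form Azure may emit."""
    for fmt in ("%Y-%m-%dT%H:%MZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def check_bootstrap_stub(stub_b64: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found; an empty list means the stub is safe to deploy."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    try:
        stub = json.loads(base64.b64decode(stub_b64, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        return [f"stub is not base64-encoded JSON: {exc}"]
    ign = stub.get("ignition", {})
    if ign.get("version") != IGNITION_VERSION:
        problems.append(f"unexpected ignition version {ign.get('version')!r}")
    source = ign.get("config", {}).get("replace", {}).get("source", "")
    url = urlsplit(source)
    if url.scheme != "https":
        problems.append("config source must be an https URL")
    query = parse_qs(url.query)
    perms = query.get("sp", [""])[0]
    if perms != "r":
        problems.append(f"SAS permissions must be read-only, got {perms!r}")
    expiry = parse_sas_expiry(query.get("se", [""])[0])
    if expiry is None:
        problems.append("SAS expiry (se=) missing or malformed")
    elif expiry <= now:
        problems.append("SAS token has already expired")
    elif expiry - now > SAS_MAX_LIFETIME:
        problems.append("SAS token outlives the 10 hour window used by the procedure")
    for ca in ign.get("security", {}).get("tls", {}).get("certificateAuthorities", []):
        src = ca.get("source", "")
        if not src.startswith(CA_DATA_PREFIX):
            problems.append("CA source is not a base64 data URL")
            continue
        if b"-----BEGIN CERTIFICATE-----" not in base64.b64decode(src[len(CA_DATA_PREFIX):]):
            problems.append("CA data URL does not contain a PEM certificate")
    return problems


if __name__ == "__main__":
    stub = build_bootstrap_stub(SAMPLE_SAS_URL, SAMPLE_CA_PEM)
    print("problems:", check_bootstrap_stub(stub, SAMPLE_NOW) or "none")
```

To check a stub you generated with the page's commands, call check_bootstrap_stub("$BOOTSTRAP_IGNITION") with the real variable value; an empty list means the bootstrap VM will fetch bootstrap.ign over TLS with a read-only, time-limited token.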
7.5.14.1. ARM template for the bootstrap machine
You can use the following Azure Resource Manager (ARM) template to deploy the bootstrap machine that you need for your OpenShift Container Platform cluster:
Example 7.4. 04_bootstrap.json ARM template
link:https://raw.githubusercontent.com/openshift/installer/release-4.10/upi/azurestack/04_bootstrap.json[]
7.5.15. Creating the control plane machines in Azure Stack Hub
You must create the control plane machines in Microsoft Azure Stack Hub for your cluster to use. One way to create these machines is to modify the provided Azure Resource Manager (ARM) template.
If you do not use the provided ARM template to create your control plane machines, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, consider contacting Red Hat support with your installation logs.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
- Create and configure a VNet and associated subnets in Azure Stack Hub.
- Create and configure networking and load balancers in Azure Stack Hub.
- Create control plane and compute roles.
- Create the bootstrap machine.
Procedure
- Copy the template from the ARM template for control plane machines section of this topic and save it as 05_masters.json in your cluster’s installation directory. This template describes the control plane machines that your cluster requires.
- Export the following variable needed by the control plane machine deployment:
  $ export MASTER_IGNITION=`cat <installation_directory>/master.ign | base64 | tr -d '\n'`
- Create the deployment by using the az CLI:
  $ az deployment group create -g ${RESOURCE_GROUP} \
    --template-file "<installation_directory>/05_masters.json" \
    --parameters masterIgnition="${MASTER_IGNITION}" \
    --parameters baseName="${INFRA_ID}" \
    --parameters diagnosticsStorageAccountName="${CLUSTER_NAME}sa"
7.5.15.1. ARM template for control plane machines
You can use the following Azure Resource Manager (ARM) template to deploy the control plane machines that you need for your OpenShift Container Platform cluster:
Example 7.5. 05_masters.json ARM template
link:https://raw.githubusercontent.com/openshift/installer/release-4.10/upi/azurestack/05_masters.json[]
7.5.16. Wait for bootstrap completion and remove bootstrap resources in Azure Stack Hub
After you create all of the required infrastructure in Microsoft Azure Stack Hub, wait for the bootstrap process to complete on the machines that you provisioned by using the Ignition config files that you generated with the installation program.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
- Create and configure a VNet and associated subnets in Azure Stack Hub.
- Create and configure networking and load balancers in Azure Stack Hub.
- Create control plane and compute roles.
- Create the bootstrap machine.
- Create the control plane machines.
Procedure
- Change to the directory that contains the installation program and run the following command:
  $ ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \
    --log-level info
  If the command exits without a FATAL warning, your production control plane has initialized.
- Delete the bootstrap resources:
If you do not delete the bootstrap server, installation may not succeed due to API traffic being routed to the bootstrap server.
7.5.17. Creating additional worker machines in Azure Stack Hub
You can create worker machines in Microsoft Azure Stack Hub for your cluster to use by launching individual instances discretely or by automated processes outside the cluster, such as auto scaling groups. You can also take advantage of the built-in cluster scaling mechanisms and the machine API in OpenShift Container Platform.
In this example, you manually launch one instance by using the Azure Resource Manager (ARM) template. Additional instances can be launched by including additional resources of type 06_workers.json in the file.
If you do not use the provided ARM template to create your control plane machines, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, consider contacting Red Hat support with your installation logs.
Prerequisites
- Configure an Azure account.
- Generate the Ignition config files for your cluster.
- Create and configure a VNet and associated subnets in Azure Stack Hub.
- Create and configure networking and load balancers in Azure Stack Hub.
- Create control plane and compute roles.
- Create the bootstrap machine.
- Create the control plane machines.
Procedure
- Copy the template from the ARM template for worker machines section of this topic and save it as 06_workers.json in your cluster’s installation directory. This template describes the worker machines that your cluster requires.
- Export the following variable needed by the worker machine deployment:
  $ export WORKER_IGNITION=`cat <installation_directory>/worker.ign | base64 | tr -d '\n'`
- Create the deployment by using the az CLI:
  $ az deployment group create -g ${RESOURCE_GROUP} \
    --template-file "<installation_directory>/06_workers.json" \
    --parameters workerIgnition="${WORKER_IGNITION}" \
    --parameters baseName="${INFRA_ID}" \
    --parameters diagnosticsStorageAccountName="${CLUSTER_NAME}sa"
7.5.17.1. ARM template for worker machines
You can use the following Azure Resource Manager (ARM) template to deploy the worker machines that you need for your OpenShift Container Platform cluster:
Example 7.6. 06_workers.json ARM template
link:https://raw.githubusercontent.com/openshift/installer/release-4.10/upi/azurestack/06_workers.json[]
7.5.18. Installing the OpenShift CLI by downloading the binary
You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.10. Download and install the new version of oc.
Installing the OpenShift CLI on Linux
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 Linux Client entry and save the file.
- Unpack the archive:
  $ tar xvf <file>
- Place the oc binary in a directory that is on your PATH. To check your PATH, execute the following command:
  $ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
Installing the OpenShift CLI on Windows
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the oc binary to a directory that is on your PATH. To check your PATH, open the command prompt and execute the following command:
  C:\> path
After you install the OpenShift CLI, it is available using the oc command:
C:\> oc <command>
Installing the OpenShift CLI on macOS
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version in the Version drop-down menu.
- Click Download Now next to the OpenShift v4.10 MacOSX Client entry and save the file.
- Unpack and unzip the archive.
- Move the oc binary to a directory on your PATH. To check your PATH, open a terminal and execute the following command:
  $ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
7.5.19. Logging in to the cluster by using the CLI
You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- You installed the oc CLI.
Procedure
- Export the kubeadmin credentials:
  $ export KUBECONFIG=<installation_directory>/auth/kubeconfig
  For <installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run oc commands successfully using the exported configuration:
  $ oc whoami
  Example output:
  system:admin
7.5.20. Approving the certificate signing requests for your machines
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
Prerequisites
- You added machines to your cluster.
Procedure
- Confirm that the cluster recognizes the machines:
  $ oc get nodes
  Example output:
  NAME       STATUS   ROLES    AGE   VERSION
  master-0   Ready    master   63m   v1.23.0
  master-1   Ready    master   63m   v1.23.0
  master-2   Ready    master   64m   v1.23.0
  The output lists all of the machines that you created.
  Note: The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved.
- Review the pending CSRs and ensure that you see the client requests with the Pending or Approved status for each machine that you added to the cluster:
  $ oc get csr
  Example output:
  NAME        AGE   REQUESTOR                                                                   CONDITION
  csr-8b2br   15m   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
  csr-8vnps   15m   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
  ...
  In this example, two machines are joining the cluster. You might see more approved CSRs in the list.
- If the CSRs were not approved, after all of the pending CSRs for the machines you added are in Pending status, approve the CSRs for your cluster machines:
  Note: Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the machine-approver if the Kubelet requests a new certificate with identical parameters.
  Note: For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the oc exec, oc rsh, and oc logs commands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the node-bootstrapper service account in the system:node or system:admin groups, and confirm the identity of the node.
  - To approve them individually, run the following command for each valid CSR:
    $ oc adm certificate approve <csr_name>
    <csr_name> is the name of a CSR from the list of current CSRs.
 
  - To approve all pending CSRs, run the following command:
    $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve
  Note: Some Operators might not become available until some CSRs are approved.
 
- Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster:
  $ oc get csr
  Example output:
  NAME        AGE     REQUESTOR                                                  CONDITION
  csr-bfd72   5m26s   system:node:ip-10-0-50-126.us-east-2.compute.internal     Pending
  csr-c57lv   5m26s   system:node:ip-10-0-95-157.us-east-2.compute.internal     Pending
  ...
- If the remaining CSRs are not approved, and are in the Pending status, approve the CSRs for your cluster machines:
  - To approve them individually, run the following command for each valid CSR:
    $ oc adm certificate approve <csr_name>
    <csr_name> is the name of a CSR from the list of current CSRs.
 
  - To approve all pending CSRs, run the following command:
    $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve
 
- After all client and server CSRs have been approved, the machines have the Ready status. Verify this by running the following command:
  $ oc get nodes
  Note: It can take a few minutes after approval of the server CSRs for the machines to transition to the Ready status.
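The xargs one-liners above approve every pending CSR regardless of who submitted it. The following added example (not OpenShift code and not one of the page's commands) applies the selection rule the note describes to the JSON that oc get csr -o json prints: a client CSR is approved only when the node-bootstrapper service account requested it, and a serving CSR only when the requester is system:node:<name> for a node you actually created. The CSR names, node names and expected-node set are constructed sample values.

```python
"""Decide which pending CSRs to approve instead of approving every pending one.

Added example; not OpenShift code and not one of the page's commands. It reads the JSON that
`oc get csr -o json` prints (a constructed sample is embedded below) and applies the rule the
text gives: a client CSR is approved only when the node-bootstrapper service account submitted
it, and a serving CSR only when the requester is system:node:<name> for a node you created.
The selected names can then be fed to `oc adm certificate approve`.
"""
import json
from typing import Dict, List, Set

NODE_BOOTSTRAPPER = "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"
CLIENT_SIGNER = "kubernetes.io/kube-apiserver-client-kubelet"  # kubelet client certificate
SERVING_SIGNER = "kubernetes.io/kubelet-serving"               # kubelet serving certificate

# Constructed sample in the shape of `oc get csr -o json`; CSR names and node names are made up.
SAMPLE_CSR_LIST = json.dumps({"items": [
    {"metadata": {"name": "csr-8b2br"},
     "spec": {"username": NODE_BOOTSTRAPPER, "groups": ["system:serviceaccounts"],
              "signerName": CLIENT_SIGNER}, "status": {}},
    {"metadata": {"name": "csr-bfd72"},
     "spec": {"username": "system:node:ocp-abc12-worker-0", "groups": ["system:nodes"],
              "signerName": SERVING_SIGNER}, "status": {}},
    {"metadata": {"name": "csr-r0gue"},
     "spec": {"username": "system:node:not-my-node", "groups": ["system:nodes"],
              "signerName": SERVING_SIGNER}, "status": {}},
    {"metadata": {"name": "csr-d0ne"},
     "spec": {"username": NODE_BOOTSTRAPPER, "groups": ["system:serviceaccounts"],
              "signerName": CLIENT_SIGNER},
     "status": {"conditions": [{"type": "Approved", "status": "True"}]}},
]})
SAMPLE_EXPECTED_NODES = {"ocp-abc12-worker-0", "ocp-abc12-worker-1"}  # nodes this install created


def is_pending(csr: Dict) -> bool:
    """No status.conditions means neither approved nor denied yet (what the page's go-template tests)."""
    return not csr.get("status", {}).get("conditions")


def approvable(csr: Dict, expected_nodes: Set[str]) -> bool:
    """Apply the identity checks to one CSR object."""
    spec = csr.get("spec", {})
    user = spec.get("username", "")
    groups = set(spec.get("groups", []))
    signer = spec.get("signerName", "")
    if signer == CLIENT_SIGNER:
        # Client (bootstrap) CSR: only the node-bootstrapper service account may request it.
        return user == NODE_BOOTSTRAPPER
    if signer == SERVING_SIGNER:
        # Serving CSR: the kubelet requests it as system:node:<name> in the system:nodes group,
        # and <name> must be a node this installation actually created.
        if not user.startswith("system:node:") or "system:nodes" not in groups:
            return False
        return user[len("system:node:"):] in expected_nodes
    return False  # any other signer is outside the kubelet bootstrap flow; leave it for a human


def select_csrs(csr_list_json: str, expected_nodes: Set[str]) -> Dict[str, List[str]]:
    """Split the pending CSRs into names to approve and names to leave for manual inspection."""
    result: Dict[str, List[str]] = {"approve": [], "skip": []}
    for csr in json.loads(csr_list_json).get("items", []):
        if not is_pending(csr):
            continue
        name = csr["metadata"]["name"]
        result["approve" if approvable(csr, expected_nodes) else "skip"].append(name)
    return result


if __name__ == "__main__":
    import sys
    # With real data: oc get csr -o json | python3 select_csrs.py | xargs --no-run-if-empty oc adm certificate approve
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSR_LIST
    print("\n".join(select_csrs(raw, SAMPLE_EXPECTED_NODES)["approve"]))
```

A production approver should additionally decode spec.request and confirm that the certificate's CN and SANs match the node's name and addresses; that needs an X.509 parser and is left out here.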
Additional information
- For more information on CSRs, see Certificate Signing Requests.
7.5.21. Adding the Ingress DNS records
If you removed the DNS Zone configuration when creating Kubernetes manifests and generating Ignition configs, you must manually create DNS records that point at the Ingress load balancer. You can create either a wildcard *.apps.{baseDomain}. or specific records. You can use A, CNAME, and other records per your requirements.
Prerequisites
- You deployed an OpenShift Container Platform cluster on Microsoft Azure Stack Hub by using infrastructure that you provisioned.
- Install the OpenShift CLI (oc).
- Install or update the Azure CLI.
Procedure
- Confirm the Ingress router has created a load balancer and populated the EXTERNAL-IP field:
  $ oc -n openshift-ingress get service router-default
  Example output:
  NAME             TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
  router-default   LoadBalancer   172.30.20.10   35.130.120.110   80:32288/TCP,443:31215/TCP   20
- Export the Ingress router IP as a variable:
  $ export PUBLIC_IP_ROUTER=`oc -n openshift-ingress get service router-default --no-headers | awk '{print $4}'`
- Add a *.apps record to the DNS zone.
  - If you are adding this cluster to a new DNS zone, run:
    $ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n *.apps -a ${PUBLIC_IP_ROUTER} --ttl 300
  - If you are adding this cluster to an already existing DNS zone, run:
    $ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${BASE_DOMAIN} -n *.apps.${CLUSTER_NAME} -a ${PUBLIC_IP_ROUTER} --ttl 300
 
If you prefer to add explicit domains instead of using a wildcard, you can create entries for each of the cluster’s current routes:
$ oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes
7.5.22. Completing an Azure Stack Hub installation on user-provisioned infrastructure
After you start the OpenShift Container Platform installation on Microsoft Azure Stack Hub user-provisioned infrastructure, you can monitor the cluster events until the cluster is ready.
Prerequisites
- Deploy the bootstrap machine for an OpenShift Container Platform cluster on user-provisioned Azure Stack Hub infrastructure.
- Install the oc CLI and log in.
Procedure
- Complete the cluster installation:
  $ ./openshift-install --dir <installation_directory> wait-for install-complete
  Example output:
  INFO Waiting up to 30m0s for the cluster to initialize...
  For <installation_directory>, specify the path to the directory that you stored the installation files in.
  Important:
  - The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
  - It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
 
7.6. Uninstalling a cluster on Azure Stack Hub
You can remove a cluster that you deployed to Azure Stack Hub.
7.6.1. Removing a cluster that uses installer-provisioned infrastructure
You can remove a cluster that uses installer-provisioned infrastructure from your cloud.
After uninstallation, check your cloud provider for any resources not removed properly, especially with User Provisioned Infrastructure (UPI) clusters. There might be resources that the installer did not create or that the installer is unable to access.
Prerequisites
- Have a copy of the installation program that you used to deploy the cluster.
- Have the files that the installation program generated when you created your cluster.
While you can uninstall the cluster using the copy of the installation program that was used to deploy it, using OpenShift Container Platform version 4.13 or later is recommended.
The removal of service principals is dependent on the Microsoft Azure AD Graph API. Using version 4.13 or later of the installation program ensures that service principals are removed without the need for manual intervention, if and when Microsoft decides to retire the Azure AD Graph API.
Procedure
- From the directory that contains the installation program on the computer that you used to install the cluster, run the following command:
  $ ./openshift-install destroy cluster \
    --dir <installation_directory> --log-level info
  Note: You must specify the directory that contains the cluster definition files for your cluster. The installation program requires the metadata.json file in this directory to delete the cluster.
- Optional: Delete the <installation_directory> directory and the OpenShift Container Platform installation program.