Chapter 2. Installation configuration
2.1. Installation methods for different platforms
You can perform different types of installations on different platforms.
AWS | Azure | GCP | OpenStack | Bare metal | vSphere | IBM Z | |
---|---|---|---|---|---|---|---|
Default | |||||||
Custom | |||||||
Network Operator |
AWS | Azure | GCP | OpenStack | Bare metal | vSphere | IBM Z | |
---|---|---|---|---|---|---|---|
Custom | |||||||
Network Operator | |||||||
Restricted network |
2.2. Creating a mirror registry for installation in a restricted network
Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions.
You must have access to the internet to obtain the necessary container images. In this procedure, you place the mirror registry on a mirror host that has access to both your network and the internet. If you do not have access to a mirror host, use the method that best fits your restrictions to bring the contents of the mirror registry into your restricted network.
2.2.1. About the mirror registry
You can mirror the contents of the OpenShift Container Platform registry and the images that are required to generate the installation program.
The mirror registry is a key component that is required to complete an installation in a restricted network. You can create this mirror on a bastion host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.
Because of the way that OpenShift Container Platform verifies integrity for the release payload, the image references in your local registry are identical to the ones that are hosted by Red Hat on Quay.io. During the bootstrapping process of installation, the images must have the same digests no matter which repository they are pulled from. To ensure that the release payload is identical, you mirror the images to your local repository.
2.2.2. Preparing the mirror host
Before you create the mirror registry, you must prepare the mirror host.
2.2.2.1. Installing the CLI
You can install the OpenShift CLI (oc
) in order to interact with OpenShift Container Platform from a command-line interface. You can install oc
on Linux, Windows, or macOS.
If you installed an earlier version of oc
, you cannot use it to complete all of the commands in OpenShift Container Platform 4.2. Download and install the new version of oc
.
2.2.2.1.1. Installing the CLI on Linux
You can install the OpenShift CLI (oc
) binary on Linux by using the following procedure.
Procedure
- Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
- Select your infrastructure provider, and, if applicable, your installation type.
- In the Command-line interface section, select Linux from the drop-down menu and click Download command-line tools.
Unpack the archive:
$ tar xvzf <file>
Place the
oc
binary in a directory that is on yourPATH
.To check your
PATH
, execute the following command:$ echo $PATH
After you install the CLI, it is available using the oc
command:
$ oc <command>
2.2.2.1.2. Installing the CLI on Windows
You can install the OpenShift CLI (oc
) binary on Windows by using the following procedure.
Procedure
- Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
- Select your infrastructure provider, and, if applicable, your installation type.
- In the Command-line interface section, select Windows from the drop-down menu and click Download command-line tools.
- Unzip the archive with a ZIP program.
Move the
oc
binary to a directory that is on yourPATH
.To check your
PATH
, open the command prompt and execute the following command:C:\> path
After you install the CLI, it is available using the oc
command:
C:\> oc <command>
2.2.2.1.3. Installing the CLI on macOS
You can install the OpenShift CLI (oc
) binary on macOS by using the following procedure.
Procedure
- Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
- Select your infrastructure provider, and, if applicable, your installation type.
- In the Command-line interface section, select MacOS from the drop-down menu and click Download command-line tools.
- Unpack and unzip the archive.
Move the
oc
binary to a directory on your PATH.To check your
PATH
, open a terminal and execute the following command:$ echo $PATH
After you install the CLI, it is available using the oc
command:
$ oc <command>
2.2.3. Creating a mirror registry
Create a registry to host the mirrored content that you require for installing OpenShift Container Platform.
For installation in a restricted network, you can place the mirror registry on a host that can be accessed from both the your network and the internet. If you do not have access to such a host, use the method that best fits your restrictions to bring the contents of the mirror registry into your restricted network.
The following procedure creates a simple registry that stores data in the /opt/registry
folder and runs in a podman
container. You can use a different registry solution, such as Red Hat Quay. Review the following procedure to ensure that your registry functions correctly.
Prerequisites
- You have a Red Hat Enterprise Linux (RHEL) server on your network to use as the registry host.
- The registry host can access the internet.
Procedure
On the mirror host, take the following actions:
Install the required packages:
# yum -y install podman httpd-tools
The
podman
package provides the container package that you run the registry in. Thehttpd-tools
package provides thehtpasswd
utility, which you use to create users.Create folders for the registry:
# mkdir -p /opt/registry/{auth,certs,data}
These folders are mounted inside the registry container.
Provide a certificate for the registry. If you do not have an existing, trusted certificate authority, you can generate a self-signed certificate:
$ cd /opt/registry/certs # openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
At the prompts, provide the required values for the certificate:
Country Name (2 letter code)
Specify the two-letter ISO country code for your location. See the ISO 3166 country codes standard.
State or Province Name (full name)
Enter the full name of your state or province.
Locality Name (eg, city)
Enter the name of your city.
Organization Name (eg, company)
Enter your company name.
Organizational Unit Name (eg, section)
Enter your department name.
Common Name (eg, your name or your server’s hostname)
Enter the host name for the registry host. Ensure that your hostname is in DNS and that it resolves to the expected IP address.
Email Address
Enter your email address. For more information, see the req description in the OpenSSL documentation.
Generate a user name and a password for your registry that uses the
bcrpt
format:# htpasswd -bBc /opt/registry/auth/htpasswd <user_name> <password> 1
- 1
- Replace
<user_name>
and<password>
with a user name and a password.
Create the
mirror-registry
container to host your registry:# podman run --name mirror-registry -p <local_registry_host_port>:5000 \ 1 -v /opt/registry/data:/var/lib/registry:z \ -v /opt/registry/auth:/auth:z \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -v /opt/registry/certs:/certs:z \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true \ -d docker.io/library/registry:2
- 1
- For
<local_registry_host_port>
, specify the port that your mirror registry uses to serve content.
Open the required ports for your registry:
# firewall-cmd --add-port=<local_registry_host_port>/tcp --zone=internal --permanent 1 # firewall-cmd --add-port=<local_registry_host_port>/tcp --zone=public --permanent 2 # firewall-cmd --reload
Add the self-signed certificate to your list of trusted certificates:
# cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust
You must trust your certificate to log in to your registry during the mirror process.
Confirm that the registry is available:
$ curl -u <user_name>:<password> -k https://<local_registry_host_name>:<local_registry_host_port>/v2/_catalog 1 {"repositories":[]}
- 1
- For
<user_name>
and<password>
, specify the user name and password for your registry. For<local_registry_host_name>
, specify the registry domain name that you specified in your certificate, such asregistry.example.com
. For<local_registry_host_port>
, specify the port that your mirror registry uses to serve content.
If the command output displays an empty repository, your registry is available.
2.2.4. Adding the registry to your pull secret
Modify your the pull secret for your OpenShift Container Platform cluster to describe your local registry before you install an OpenShift Container Platform cluster in a restricted network.
Prerequisites
- You configured a mirror registry to use in your restricted network.
Procedure
Complete the following steps on the mirror host:
-
Download your
registry.redhat.io
pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site. Generate the base64-encoded user name and password or token for your mirror registry:
$ echo -n '<user_name>:<password>' | base64 -w0 1 BGVtbYk3ZHAtqXs=
- 1
- For
<user_name>
and<password>
, specify the user name and password that you configured for your registry.
Make a copy of your pull secret in JSON format:
$ cat ./pull-secret.text | jq . > <path>/<pull-secret-file>1
- 1
- Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
The contents of the file resemble the following example:
{ "auths": { "cloud.openshift.com": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "quay.io": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "registry.connect.redhat.com": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, "registry.redhat.io": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" } } }
Edit the new file and add a section that describes your registry to it:
"auths": { ... "<mirror_registry>": { 1 "auth": "<credentials>", 2 "email": "you@example.com" }, ...
The file resembles the following example:
{ "auths": { "cloud.openshift.com": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "quay.io": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "registry.connect.redhat.com": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, "<mirror_registry>": { "auth": "<credentials>", "email": "you@example.com" }, "registry.redhat.io": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" } } }
2.2.5. Mirroring the OpenShift Container Platform image repository
Mirror the OpenShift Container Platform image repository to use during cluster installation or upgrade.
Prerequisites
- You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
- You downloaded the pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site and modified it to include authentication to your mirror repository.
Procedure
Complete the following steps on a host that can access both quay.io and your mirror registry:
- Review the OpenShift Container Platform downloads page to determine the version of OpenShift Container Platform that you want to install.
Set the required environment variables:
$ export OCP_RELEASE=<release_version> 1 $ export LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' 2 $ export LOCAL_REPOSITORY='<repository_name>' 3 $ export PRODUCT_REPO='openshift-release-dev' 4 $ export LOCAL_SECRET_JSON='<path_to_pull_secret>' 5 $ export RELEASE_NAME="ocp-release" 6
- 1
- For
<release_version>
, specify the version number of OpenShift Container Platform to install, such as4.2.0
. - 2
- For
<local_registry_host_name>
, specify the registry domain name for your mirror repository, and for<local_registry_host_port>
, specify the port that it serves content on. - 3
- For
<repository_name>
, specify the name of the repository to create in your registry, such asocp4/openshift4
. - 4
- The repository to mirror. For a production release, you must specify
openshift-release-dev
. - 5
- For
<path_to_pull_secret>
, specify the absolute path to and file name of the pull secret for your mirror registry that you created. - 6
- The release mirror. For a production release, you must specify
ocp-release
.
Mirror the repository:
$ oc adm -a ${LOCAL_SECRET_JSON} release mirror \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
This command pulls the release information as a digest, and its output includes the
imageContentSources
data that you require when you install your cluster.-
Record the entire
imageContentSources
section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add theimageContentSources
section to theinstall-config.yaml
file during installation. To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:
$ oc adm -a ${LOCAL_SECRET_JSON} release extract --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
ImportantTo ensure that you use the correct images for the version of OpenShift Container Platform that you selected, you must extract the installation program from the mirrored content.
You must perform this step on a machine with an active internet connection.
2.2.6. Using Samples Operator imagestreams with alternate or mirrored registries
Most imagestreams in the OpenShift namespace managed by the Samples Operator point to images located in the Red Hat registry at registry.redhat.io. Mirroring will not apply to these imagestreams.
The jenkins
, jenkins-agent-maven
, and jenkins-agent-nodejs
imagestreams come from the install payload and are managed by the Samples Operator, so no further mirroring procedures are needed for those imagestreams.
Setting the samplesRegistry
field in the Sample Operator configuration file to registry.redhat.io is redundant because it is already directed to registry.redhat.io for everything but Jenkins images and imagestreams. It also breaks the installation payload for Jenkins imagestreams.
The Samples Operator prevents the use of the following registries for the Jenkins imagestreams:
The cli
, installer
, must-gather
, and tests
imagestreams, while part of the install payload, are not managed by the Samples Operator. These are not addressed in this procedure.
Prerequisites
-
Access to the cluster as a user with the
cluster-admin
role. - Create a pull secret for your mirror registry.
Procedure
Access the images of a specific imagestream to mirror, for example:
$ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io
Mirror images from registry.redhat.io associated with any imagestreams you need in the restricted network environment into one of the defined mirrors, for example:
$ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest
Add the required trusted CAs for the mirror in the cluster’s image configuration object:
$ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
Update the
samplesRegistry
field in the Samples Operator configuration object to contain thehostname
portion of the mirror location defined in the mirror configuration:$ oc get configs.samples.operator.openshift.io -n openshift-cluster-samples-operator
NoteThis is required because the imagestream import process does not use the mirror or search mechanism at this time.
Add any imagestreams that are not mirrored into the
skippedImagestreams
field of the Samples Operator configuration object. Or if you do not want to support any of the sample imagestreams, set the Samples Operator toRemoved
in the Samples Operator configuration object.NoteAny unmirrored imagestreams that are not skipped, or if the Samples Operator is not changed to
Removed
, will result in the Samples Operator reporting aDegraded
status two hours after the imagestream imports start failing.Many of the templates in the OpenShift namespace reference the imagestreams. So using
Removed
to purge both the imagestreams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing imagestreams.
Next steps
- Install a cluster on infrastructure that you provision in your restricted nework, such as on VMware vSphere, bare metal, or Amazon Web Services.
2.3. Available cluster customizations
You complete most of the cluster configuration and customization after you deploy your OpenShift Container Platform cluster. A number of configuration resources are available.
If you install your cluster on IBM Z, not all features and functions are available. See the release notes for details.
You modify the configuration resources to configure the major features of the cluster, such as the image registry, networking configuration, image build behavior, and the identity provider.
For current documentation of the settings that you control by using these resources, use the oc explain
command, for example oc explain builds --api-version=config.openshift.io/v1
2.3.1. Cluster configuration resources
All cluster configuration resources are globally scoped (not namespaced) and named cluster
.
Resource name | Description |
---|---|
apiserver.config.openshift.io | Provides api-server configuration such as certificates and certificate authorities. |
authentication.config.openshift.io | Controls the identity providerand authentication configuration for the cluster. |
build.config.openshift.io | Controls default and enforced configuration for all builds on the cluster. |
console.config.openshift.io | Configures the behavior of the web console interface, including the logout behavior. |
featuregate.config.openshift.io | Enables FeatureGates so that you can use Tech Preview features. |
image.config.openshift.io | Configures how specific image registries should be treated (allowed, disallowed, insecure, CA details). |
ingress.config.openshift.io | Configuration details related to routing such as the default domain for routes. |
oauth.config.openshift.io | Configures identity providers and other behavior related to internal OAuth server flows. |
project.config.openshift.io | Configures how projects are created including the project template. |
proxy.config.openshift.io | Defines proxies to be used by components needing external network access. Note: not all components currently consume this value. |
scheduler.config.openshift.io | Configures scheduler behavior such as policies and default nodeselectors. |
2.3.2. Operator configuration resources
These configuration resources are cluster-scoped instances, named cluster
, which control the behavior of a specific component as owned by a particular operator.
Resource name | Description |
---|---|
console.operator.openshift.io | Controls console appearance such as branding customizations |
config.imageregistry.operator.openshift.io | Configures internal image registry settings such as public routing, log levels, proxy settings, resource constraints, replica counts, and storage type. |
config.samples.operator.openshift.io | Configures the Samples Operator to control which example imagestreams and templates are installed on the cluster. |
2.3.3. Additional configuration resources
These configuration resources represent a single instance of a particular component. In some cases, you can request multiple instances by creating multiple instances of the resource. In other cases, the Operator can use only a specific resource instance name in a specific namespace. Reference the component-specific documentation for details on how and when you can create additional resource instances.
Resource name | Instance name | Namespace | Description |
---|---|---|---|
alertmanager.monitoring.coreos.com | main | openshift-monitoring | Controls the alertmanager deployment parameters. |
ingresscontroller.operator.openshift.io | default | openshift-ingress-operator | Configures Ingress Operator behavior such as domain, number of replicas, certificates, and controller placement. |
2.3.4. Informational Resources
You use these resources to retrieve information about the cluster. Do not edit these resources directly.
Resource name | Instance name | Description |
---|---|---|
clusterversion.config.openshift.io | version | In OpenShift Container Platform 4.2, you must not customize the ClusterVersion resource for production clusters. Instead, follow the process to update a cluster. |
dns.config.openshift.io | cluster | You cannot modify the DNS settings for your cluster. You can view the DNS Operator status. |
infrastructure.config.openshift.io | cluster | Configuration details allowing the cluster to interact with its cloud provider. |
network.config.openshift.io | cluster | You cannot modify your cluster networking after installation. To customize your network, follow the process to customize networking during installation. |
2.4. Configuring your firewall
If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.
2.4.1. Configuring your firewall for OpenShift Container Platform
Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.
Procedure
Whitelist the following registry URLs:
URL Function registry.redhat.io
Provides core container images
quay.io
Provides core container images
sso.redhat.com
The
https://cloud.redhat.com/openshift
site uses authentication fromsso.redhat.com
- Whitelist any site that provides resources for a language or framework that your builds require.
If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:
URL Function cert-api.access.redhat.com
Required for Telemetry
api.access.redhat.com
Required for Telemetry
infogw.api.openshift.com
Required for Telemetry
Required for Telemetry and for
insights-operator
If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:
Cloud URL Function AWS
*.amazonaws.com
Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
GCP
*.googleapis.com
Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.
accounts.google.com
Required to access your GCP account.
Azure
management.azure.com
Required to access Azure services and resources. Review the Azure REST API Reference in the Azure documentation to determine the endpoints to allow for your APIs.
Whitelist the following URLs:
URL Function mirror.openshift.com
Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
storage.googleapis.com/openshift-release
A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
*.apps.<cluster_name>.<base_domain>
Required to access the default cluster routes unless you set an ingress wildcard during installation.
quay-registry.s3.amazonaws.com
Required to access Quay image content in AWS.
api.openshift.com
Required to check if updates are available for the cluster.
art-rhcos-ci.s3.amazonaws.com
Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images.
api.openshift.com
Required for your cluster token.
cloud.redhat.com/openshift
Required for your cluster token.