Chapter 2. Deploying OpenShift Data Foundation on Microsoft Azure

Procedure

1. Log in to the OpenShift Web Console.
2. Click Operators OperatorHub.
3. Scroll or type OpenShift Data Foundation into the Filter by keyword box to find the OpenShift Data Foundation Operator.
4. Click Install.

5. Set the following options on the Install Operator page:

   1. Update Channel as stable-4.14.
   2. Installation Mode as A specific namespace on the cluster.
   3. Installed Namespace as Operator recommended namespace openshift-storage. If Namespace openshift-storage does not exist, it is created during the operator installation.

   4. Select Approval Strategy as Automatic or Manual.

      If you select Automatic updates, then the Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without any intervention.

      If you select Manual updates, then the OLM creates an update request. As a cluster administrator, you must then manually approve that update request to update the Operator to a newer version.

   5. Ensure that the Enable option is selected for the Console plugin.
   6. Click Install.

Procedure

1. Enable the Key/Value (KV) backend path in the vault.

   For vault KV secret engine API, version 1:

   Copy to Clipboard Toggle word wrap

   $ vault secrets enable -path=odf kv

   For vault KV secret engine API, version 2:

   Copy to Clipboard Toggle word wrap

   $ vault secrets enable -path=odf kv-v2

2. Create a policy to restrict the users to perform a write or delete operation on the secret:

   Copy to Clipboard Toggle word wrap

   echo '
   path "odf/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
   }
   path "sys/mounts" {
   capabilities = ["read"]
   }'| vault policy write odf -

3. Create a token that matches the above policy:

   Copy to Clipboard Toggle word wrap

   $ vault token create -policy=odf -format json

Procedure

1. Create a service account:

   Copy to Clipboard Toggle word wrap

   $ oc -n openshift-storage create serviceaccount <serviceaccount_name>

   where, <serviceaccount_name> specifies the name of the service account.

   For example:

   Copy to Clipboard Toggle word wrap

   $ oc -n openshift-storage create serviceaccount odf-vault-auth

2. Create clusterrolebindings and clusterroles:

   Copy to Clipboard Toggle word wrap

   $ oc -n openshift-storage create clusterrolebinding vault-tokenreview-binding --clusterrole=system:auth-delegator --serviceaccount=openshift-storage:_<serviceaccount_name>_

   For example:

   Copy to Clipboard Toggle word wrap

   $ oc -n openshift-storage create clusterrolebinding vault-tokenreview-binding --clusterrole=system:auth-delegator --serviceaccount=openshift-storage:odf-vault-auth

3. Create a secret for the serviceaccount token and CA certificate.

   Copy to Clipboard Toggle word wrap

   $ cat <<EOF | oc create -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: odf-vault-auth-token
     namespace: openshift-storage
     annotations:
       kubernetes.io/service-account.name: <serviceaccount_name>
   type: kubernetes.io/service-account-token
   data: {}
   EOF

   where, <serviceaccount_name> is the service account created in the earlier step.

4. Get the token and the CA certificate from the secret.

   Copy to Clipboard Toggle word wrap

   $ SA_JWT_TOKEN=$(oc -n openshift-storage get secret odf-vault-auth-token -o jsonpath="{.data['token']}" | base64 --decode; echo)
   $ SA_CA_CRT=$(oc -n openshift-storage get secret odf-vault-auth-token -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)

5. Retrieve the OCP cluster endpoint.

   Copy to Clipboard Toggle word wrap

   $ OCP_HOST=$(oc config view --minify --flatten -o jsonpath="{.clusters[0].cluster.server}")

6. Fetch the service account issuer:

   Copy to Clipboard Toggle word wrap

   $ oc proxy &
   $ proxy_pid=$!
   $ issuer="$( curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)"
   $ kill $proxy_pid

7. Use the information collected in the previous step to setup the Kubernetes authentication method in Vault:

   Copy to Clipboard Toggle word wrap

   $ vault auth enable kubernetes

   Copy to Clipboard Toggle word wrap

   $ vault write auth/kubernetes/config \
             token_reviewer_jwt="$SA_JWT_TOKEN" \
             kubernetes_host="$OCP_HOST" \
             kubernetes_ca_cert="$SA_CA_CRT" \
             issuer="$issuer"

   Important

   To configure the Kubernetes authentication method in Vault when the issuer is empty:

   Copy to Clipboard Toggle word wrap

   $ vault write auth/kubernetes/config \
             token_reviewer_jwt="$SA_JWT_TOKEN" \
             kubernetes_host="$OCP_HOST" \
             kubernetes_ca_cert="$SA_CA_CRT"

8. Enable the Key/Value (KV) backend path in Vault.

   For Vault KV secret engine API, version 1:

   Copy to Clipboard Toggle word wrap

   $ vault secrets enable -path=odf kv

   For Vault KV secret engine API, version 2:

   Copy to Clipboard Toggle word wrap

   $ vault secrets enable -path=odf kv-v2

9. Create a policy to restrict the users to perform a write or delete operation on the secret:

   Copy to Clipboard Toggle word wrap

   echo '
   path "odf/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
   }
   path "sys/mounts" {
   capabilities = ["read"]
   }'| vault policy write odf -

10. Generate the roles:

    Copy to Clipboard Toggle word wrap

    $ vault write auth/kubernetes/role/odf-rook-ceph-op \
            bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
            bound_service_account_namespaces=openshift-storage \
            policies=odf \
            ttl=1440h

    The role odf-rook-ceph-op is later used while you configure the KMS connection details during the creation of the storage system.

    Copy to Clipboard Toggle word wrap

    $ vault write auth/kubernetes/role/odf-rook-ceph-osd \
            bound_service_account_names=rook-ceph-osd \
            bound_service_account_namespaces=openshift-storage \
            policies=odf \
            ttl=1440h

Procedure

1. In the OpenShift Web Console, click Operators Installed Operators to view all the installed operators.

   Ensure that the Project selected is openshift-storage.

2. Click on the OpenShift Data Foundation operator, and then click Create StorageSystem.

3. In the Backing storage page, select the following:

   1. Select Full Deployment for the Deployment type option.
   2. Select the Use an existing StorageClass option.

   3. Select the Storage Class.

      By default, it is set to managed-csi.

   4. Click Next.

4. In the Capacity and nodes page, provide the necessary information:

   1. Select a value for Requested Capacity from the dropdown list. It is set to 2 TiB by default.

      Note

      Once you select the initial storage capacity, cluster expansion is performed only using the selected usable capacity (three times of raw storage).

   2. In the Select Nodes section, select at least three available nodes.

   3. Optional: Select the Taint nodes checkbox to dedicate the selected nodes for OpenShift Data Foundation.

      For cloud platforms with multiple availability zones, ensure that the Nodes are spread across different Locations/availability zones.

      If the nodes selected do not match the OpenShift Data Foundation cluster requirements of an aggregated 30 CPUs and 72 GiB of RAM, a minimal cluster is deployed. For minimum starting node requirements, see the Resource requirements section in the Planning guide.

   4. Optional [Technology preview]: Select the Add replica-1 pool checkbox to deploy OpenShift Data Foundation with a single replica. This avoids redundant data copies and allows resiliency management on the application level.

      Warning

      Enabling this feature creates a single replica pool without data replication, increasing the risk of data loss, data corruption, and potential system instability if your application does not have its own replication.

      Important

      Single replica deployment is a Technology Preview feature. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

      For more information, see Technology Preview Features Support Scope.

   5. Click Next.

5. Optional: In the Security and network page, configure the following based on your requirements:

   1. To enable encryption, select Enable data encryption for block and file storage.

      1. Select either one or both the encryption levels:

         • Cluster-wide encryption

           Encrypts the entire cluster (block and file).

         • StorageClass encryption

           Creates encrypted persistent volume (block only) using encryption enabled storage class.

      2. Optional: Select the Connect to an external key management service checkbox. This is optional for cluster-wide encryption.

         1. From the Key Management Service Provider drop-down list, either select Vault or Thales CipherTrust Manager (using KMIP). If you selected Vault, go to the next step. If you selected Thales CipherTrust Manager (using KMIP), go to step iii.

         2. Select an Authentication Method.

            Using Token authentication method

            • Enter a unique Connection Name, host Address of the Vault server ('https://<hostname or ip>'), Port number and Token.

            • Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration:

              • Enter the Key Value secret path in Backend Path that is dedicated and unique to OpenShift Data Foundation.
              • Optional: Enter TLS Server Name and Vault Enterprise Namespace.
              • Upload the respective PEM encoded certificate file to provide the CA Certificate, Client Certificate and Client Private Key .
              • Click Save and skip to step iv.

            Using Kubernetes authentication method

            • Enter a unique Vault Connection Name, host Address of the Vault server ('https://<hostname or ip>'), Port number and Role name.

            • Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration:

              • Enter the Key Value secret path in Backend Path that is dedicated and unique to OpenShift Data Foundation.
              • Optional: Enter TLS Server Name and Authentication Path if applicable.
              • Upload the respective PEM encoded certificate file to provide the CA Certificate, Client Certificate and Client Private Key .
              • Click Save and skip to step iv.

         3. To use Thales CipherTrust Manager (using KMIP) as the KMS provider, follow the steps below:

            1. Enter a unique Connection Name for the Key Management service within the project.

            2. In the Address and Port sections, enter the IP of Thales CipherTrust Manager and the port where the KMIP interface is enabled. For example:

               • Address: 123.34.3.2
               • Port: 5696
            3. Upload the Client Certificate, CA certificate, and Client Private Key.
            4. If StorageClass encryption is enabled, enter the Unique Identifier to be used for encryption and decryption generated above.
            5. The TLS Server field is optional and used when there is no DNS entry for the KMIP endpoint. For example, kmip_all_<port>.ciphertrustmanager.local.
         4. Select a Network.
         5. Click Next.

   2. To enable in-transit encryption, select In-transit encryption.

      1. Select a Network.
      2. Click Next.

6. In the Review and create page, review the configuration details.

   To modify any configuration settings, click Back.

7. Click Create StorageSystem.