Chapter 1. Preparing to deploy OpenShift Data Foundation
Deploying OpenShift Data Foundation on OpenShift Container Platform using dynamic storage devices provides you with the option to create internal cluster resources.
Before you begin the deployment of Red Hat OpenShift Data Foundation, follow these steps:
Optional: If you want to enable cluster-wide encryption using the external Key Management System (KMS) HashiCorp Vault, follow these steps:
- Ensure that you have a valid Red Hat OpenShift Data Foundation Advanced subscription. To know how subscriptions for OpenShift Data Foundation work, see knowledgebase article on OpenShift Data Foundation subscriptions.
- When the Token authentication method is selected for encryption then refer to Enabling cluster-wide encryption with the Token authentication using KMS.
- When the Kubernetes authentication method is selected for encryption then refer to Enabling cluster-wide encryption with the Kubernetes authentication using KMS.
- Ensure that you are using signed certificates on your Vault servers.
Optional: If you want to enable cluster-wide encryption using the external Key Management System (KMS) Thales CipherTrust Manager, you must first enable the Key Management Interoperability Protocol (KMIP) and use signed certificates on your server. Follow these steps:
Create a KMIP client if one does not exist. From the user interface, select KMIP
Client Profile Add Profile. -
Add the
CipherTrustusername to the Common Name field during profile creation.
-
Add the
-
Create a token by navigating to KMIP
Registration Token New Registration Token. Copy the token for the next step. -
To register the client, navigate to KMIP
Registered Clients Add Client. Specify the Name. Paste the Registration Token from the previous step, then click Save. - Download the Private Key and Client Certificate by clicking Save Private Key and Save Certificate respectively.
To create a new KMIP interface, navigate to Admin Settings
Interfaces Add Interface. - Select KMIP Key Management Interoperability Protocol and click Next.
- Select a free Port.
- Select Network Interface as all.
- Select Interface Mode as TLS, verify client cert, user name taken from client cert, auth request is optional.
- (Optional) You can enable hard delete to delete both metadata and material when the key is deleted. It is disabled by default.
- Select the CA to be used, and click Save.
- To get the server CA certificate, click on the Action menu (⋮) on the right of the newly created interface, and click Download Certificate.
Optional: If StorageClass encryption is to be enabled during deployment, create a key to act as the Key Encryption Key (KEK):
-
Navigate to Keys
Add Key. - Enter Key Name.
- Set the Algorithm and Size to AES and 256 respectively.
- Enable Create a key in Pre-Active state and set the date and time for activation.
- Ensure that Encrypt and Decrypt are enabled under Key Usage.
- Copy the ID of the newly created Key to be used as the Unique Identifier during deployment.
-
Navigate to Keys
Minimum starting node requirements
An OpenShift Data Foundation cluster is deployed with minimum configuration when the standard deployment resource requirement is not met. See Resource requirements section in the Planning guide.
Disaster recovery requirements [Technology Preview]
Disaster Recovery features supported by Red Hat OpenShift Data Foundation require all of the following prerequisites to successfully implement a disaster recovery solution:
- A valid Red Hat OpenShift Data Foundation Advanced subscription
A valid Red Hat Advanced Cluster Management for Kubernetes subscription
To know how subscriptions for OpenShift Data Foundation work, see knowledgebase article on OpenShift Data Foundation subscriptions.
For detailed requirements, see Configuring OpenShift Data Foundation Disaster Recovery for OpenShift Workloads guide, and Requirements and recommendations section of the Install guide in Red Hat Advanced Cluster Management for Kubernetes documentation.
