Search
SupportConsoleDevelopersStart a trialContact

Chapter 1. Preparing to deploy OpenShift Data Foundation

download PDF

When you deploy OpenShift Data Foundation on OpenShift Container Platform using local storage devices, you can create internal cluster resources. This approach internally provisions base services and all applications can access additional storage classes.

Before you begin the deployment of Red Hat OpenShift Data Foundation using local storage, ensure that your resource requirements are met. See requirements for installing OpenShift Data Foundation using local storage devices.

On the external key management system (KMS),

After you have addressed the above, follow these steps in the order given:

  1. Install the Red Hat OpenShift Data Foundation Operator.
  2. Install Local Storage Operator.
  3. Find the available storage devices.
  4. Create the OpenShift Data Foundation cluster service on IBM Z.

1.1. Requirements for installing OpenShift Data Foundation using local storage devices

Node requirements

The cluster must consist of at least three OpenShift Container Platform worker or infrastructure nodes with locally attached-storage devices on each of them.

  • Each of the three selected nodes must have at least one raw block device available. OpenShift Data Foundation uses the one or more available raw block devices.
  • The devices you use must be empty, the disks must not include Physical Volumes (PVs), Volume Groups (VGs), or Logical Volumes (LVs) remaining on the disk.

For more information, see the Resource requirements section in the Planning guide.

1.2. Enabling cluster-wide encryption with KMS using the Token authentication method

You can enable the key value backend path and policy in the vault for token authentication.

Prerequisites

  • Administrator access to the vault.
  • A valid Red Hat OpenShift Data Foundation Advanced subscription. For more information, see the knowledgebase article on OpenShift Data Foundation subscriptions.
  • Carefully, select a unique path name as the backend path that follows the naming convention since you cannot change it later.

Procedure

  1. Enable the Key/Value (KV) backend path in the vault.

    For vault KV secret engine API, version 1: 

    $ vault secrets enable -path=odf kv

    For vault KV secret engine API, version 2: 

    $ vault secrets enable -path=odf kv-v2

  2. Create a policy to restrict the users to perform a write or delete operation on the secret: 

    echo '
path "odf/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
capabilities = ["read"]
}'| vault policy write odf -

  3. Create a token that matches the above policy: 

    $ vault token create -policy=odf -format json
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.