Chapter 1. Preparing to deploy OpenShift Data Foundation

Deploying OpenShift Data Foundation on OpenShift Container Platform using dynamic storage devices provides you with the option to create internal cluster resources. This will result in the internal provisioning of the base services, which helps to make additional storage classes available to applications.

Before you begin the deployment of OpenShift Data Foundation, follow these steps:

Setup a chrony server. See Configuring chrony time service and use knowledgebase solution to create rules allowing all traffic.
Optional: If you want to enable cluster-wide encryption using an external Key Management System (KMS):
- Ensure that a policy with a token exists and the key value backend path in Vault is enabled. See enabled the key value backend path and policy in Vault.
- Ensure that you are using signed certificates on your Vault servers.
Minimum starting node requirements [Technology Preview]
An OpenShift Data Foundation cluster is deployed with minimum configuration when the standard deployment resource requirement is not met. See Resource requirements section in Planning guide.
Regional-DR requirements [Developer Preview]
Disaster Recovery features supported by Red Hat OpenShift Data Foundation require all of the following prerequisites in order to successfully implement a Disaster Recovery solution:
- A valid Red Hat OpenShift Data Foundation Advanced subscription
- A valid Red Hat Advanced Cluster Management for Kubernetes subscription
  For detailed requirements, see Regional-DR requirements and RHACM requirements.

1.1. Enabling key value backend path and policy in Vault

Prerequisites

Administrator access to Vault.
Carefully, choose a unique path name as the backend path that follows the naming convention since it cannot be changed later.

Procedure

Enable the Key/Value (KV) backend path in Vault.
For Vault KV secret engine API, version 1:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
vault secrets enable -path=odf kv
```
```
$ vault secrets enable -path=odf kv
```
For Vault KV secret engine API, version 2:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
vault secrets enable -path=odf kv-v2
```
```
$ vault secrets enable -path=odf kv-v2
```

Create a policy to restrict users to perform a write or delete operation on the secret using the following commands.

Copy to Clipboard Toggle word wrap

echo '
path "odf/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
capabilities = ["read"]
}'| vault policy write odf -

echo '
path "odf/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
capabilities = ["read"]
}'| vault policy write odf -

Create a token matching the above policy.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
vault token create -policy=odf -format json
```
```
$ vault token create -policy=odf -format json
```

Chapter 1. Preparing to deploy OpenShift Data Foundation

1.1. Enabling key value backend path and policy in Vault

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links