Skip to content

danielraq/openshift-container-platform

 
 

Repository files navigation

OpenShift Container Platform Deployment Template

NOTE: Structural change to Repo

The master branch contains the most current release of OpenShift Container Platform with experimental items. This may cause instability but will include new items or enable new configuration options.

We have branches for the stable releases:

  • Release-3.6 (As is; no longer updated)
  • Release-3.7
  • Release-3.9
  • azurestack-release-3.7
  • azurestack-release-3.9

Bookmark aka.ms/OpenShift for future reference.

For OpenShift Origin refer to https://github.com/Microsoft/openshift-origin

OpenShift Container Platform 3.9 with Username / Password authentication for OpenShift

  1. Single master option available
  2. VM types that support Accelerated Networking will automatically have this feature enabled
  3. Custom and existing Vnet
  4. Support cluster with private masters (no public IP on load balancer in front of master nodes)
  5. Support cluster with private router (no public IP on load balancer in front of infra nodes)

This template deploys OpenShift Container Platform with basic username / password for authentication to OpenShift. It includes the following resources:

Resource Properties
Virtual Network
Default
Address prefix: 10.0.0.0/14
Master subnet: 10.1.0.0/16
Node subnet: 10.2.0.0/16
Virtual Network
Custom
Address prefix: Your Choice
Master subnet: Your Choice
Node subnet: Your Choice
Master Load Balancer 1 probe and 1 rule for TCP 443
Infra Load Balancer 2 probes and 2 rules for TCP 80 and TCP 443
Public IP Addresses Bastion Public IP for Bastion Node
OpenShift Master public IP attached to Master Load Balancer (if masters are public)
OpenShift Router public IP attached to Infra Load Balancer (if router is public)
Storage Accounts
Unmanaged Disks
1 Storage Account for Bastion VM
1 Storage Account for Master VMs
1 Storage Account for Infra VMs
2 Storage Accounts for Node VMs
2 Storage Accounts for Diagnostics Logs
1 Storage Account for Private Docker Registry
1 Storage Account for Persistent Volumes
Storage Accounts
Managed Disks
2 Storage Accounts for Diagnostics Logs
1 Storage Account for Private Docker Registry
Network Security Groups 1 Network Security Group for Bastion VM
1 Network Security Group Master VMs
1 Network Security Group for Infra VMs
1 Network Security Group for Node VMs
Availability Sets 1 Availability Set for Master VMs
1 Availability Set for Infra VMs
1 Availability Set for Node VMs
Virtual Machines 1 Bastion Node - Used to Run Ansible Playbook for OpenShift deployment
1, 3 or 5 Master Nodes
1, 2 or 3 Infra Nodes
User-defined number of Nodes (1 to 30)
All VMs include a single attached data disk for Docker thin pool logical volume

Cluster Diagram

READ the instructions in its entirety before deploying!

Additional documentation for deploying OpenShift in Azure can be found here: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/openshift-get-started

This template deploys multiple VMs and requires some pre-work before you can successfully deploy the OpenShift Cluster. If you don't complete the pre-work correctly, you will most likely fail to deploy the cluster using this template. Please read the instructions completely before you proceed.

This template uses the On-Demand Red Hat Enterprise Linux image from the Azure Gallery.

When using the On-Demand image, there is an hourly charge for using this image. At the same time, the instance will be registered to your Red Hat subscription, so you will also be using one of your entitlements. This will lead to "double billing".

If private masters is selected, a static private IP needs to be specified which will be assigned to the front end of the master load balancer. This must be within the CIDR for the master subnet and not already in use. The master DNS name must also be supplied and this needs to map to the static Private IP and will be used to access the console on the master nodes.

If private router is selected, a static private Ip needs to be specified which will be assigned to the front end of the infra load balancer. This must be within the CIDR for the infra subnet and not already in use. customSubDomainType must be set to "custom" and the wildcard DNS name for routing must be provided for defaultSubDomain.

After successful deployment, the Bastion Node is the only node with a public IP that you can ssh into. Even if the master nodes are configured for public access, they are not exposed for ssh access.

Prerequisites

Generate SSH Keys

You'll need to generate an SSH key pair (Public / Private) in order to provision this template. Ensure that you do NOT include a passphrase with the private key.

If you are using a Windows computer, you can download puttygen.exe. You will need to export to OpenSSH (from Conversions menu) to get a valid Private Key for use in the Template.

From a Linux or Mac, you can just use the ssh-keygen command. Once you are finished deploying the cluster, you can always generate new keys that uses a passphrase and replace the original ones used during initial deployment.

Create Key Vault to store SSH Private Key

You will need to create a Key Vault to store your SSH Private Key that will then be used as part of the deployment. This extra work is to provide security around the Private Key - especially since it does not have a passphrase. I recommend creating a Resource Group specifically to store the KeyVault. This way, you can reuse the KeyVault for other deployments and you won't have to create this every time you chose to deploy another OpenShift cluster.

Create Key Vault using Azure CLI 2.0

  1. Create new Resource Group: az group create -n <name> -l <location>
    Ex: az group create -n ResourceGroupName -l 'East US'
  2. Create Key Vault: az keyvault create -n <vault-name> -g <resource-group> -l <location> --enabled-for-template-deployment true
    Ex: az keyvault create -n KeyVaultName -g ResourceGroupName -l 'East US' --enabled-for-template-deployment true
  3. Create Secret: az keyvault secret set --vault-name <vault-name> -n <secret-name> --file <private-key-file-name>
    Ex: az keyvault secret set --vault-name KeyVaultName -n SecretName --file ~/.ssh/id_rsa

Generate Azure Active Directory (AAD) Service Principal

To configure Azure as the Cloud Provider for OpenShift Container Platform, you will need to create an Azure Active Directory Service Principal. The easiest way to perform this task is via the Azure CLI. Below are the steps for doing this.

Assigning permissions to the entire Subscription is the easiest method but does give the Service Principal permissions to all resources in the Subscription. Assigning permissions to only the Resource Group is the most secure as the Service Principal is restricted to only that one Resource Group.

Azure CLI 2.0

  1. Create Service Principal and assign permissions to Subscription
    a. az ad sp create-for-rbac -n <friendly name> --password <password> --role contributor --scopes /subscriptions/<subscription_id>
    Ex: az ad sp create-for-rbac -n openshiftcloudprovider --password Pass@word1 --role contributor --scopes /subscriptions/555a123b-1234-5ccc-defgh-6789abcdef01

  2. Create Service Principal and assign permissions to Resource Group
    a. If you use this option, you must have created the Resource Group first. Be sure you don't create any resources in this Resource Group before deploying the cluster.
    b. az ad sp create-for-rbac -n <friendly name> --password <password> --role contributor --scopes /subscriptions/<subscription_id>/resourceGroups/<Resource Group Name>
    Ex: az ad sp create-for-rbac -n openshiftcloudprovider --password Pass@word1 --role contributor --scopes /subscriptions/555a123b-1234-5ccc-defgh-6789abcdef01/resourceGroups/00000test

  3. Create Service Principal without assigning permissions to Resource Group
    a. If you use this option, you will need to assign permissions to either the Subscription or the newly created Resource Group shortly after you initiate the deployment of the cluster or the post installation scripts will fail when configuring Azure as the Cloud Provider.
    b. az ad sp create-for-rbac -n <friendly name> --password <password> --role contributor --skip-assignment
    Ex: az ad sp create-for-rbac -n openshiftcloudprovider --password Pass@word1 --role contributor --skip-assignment

You will get an output similar to:

{
  "appId": "2c8c6a58-44ac-452e-95d8-a790f6ade583",
  "displayName": "openshiftcloudprovider",
  "name": "http://openshiftcloudprovider",
  "password": "Pass@word1",
  "tenant": "12a345bc-1234-dddd-12ab-34cdef56ab78"
}

The appId is used for the aadClientId parameter.

Red Hat Subscription Access

For security reasons, the method for registering the RHEL system allows the use of an Organization ID and Activation Key as well as a Username and Password. Please know that it is more secure to use the Organization ID and Activation Key.

You can determine your Organization ID by running subscription-manager identity on a registered machine. To create or find your Activation Key, please go here: https://access.redhat.com/management/activation_keys.

You will also need to get the Pool ID that contains your entitlements for OpenShift. You can retrieve this from the Red Hat portal by examining the details of the subscription that has the OpenShift entitlements. Or you can contact your Red Hat administrator to help you.

azuredeploy.Parameters.json File Explained

  1. _artifactsLocation: URL for artifacts (json, scripts, etc.)
  2. masterVmSize: Size of the Master VM. Select from one of the allowed VM sizes listed in the azuredeploy.json file
  3. infraVmSize: Size of the Infra VM. Select from one of the allowed VM sizes listed in the azuredeploy.json file
  4. nodeVmSize: Size of the App Node VM. Select from one of the allowed VM sizes listed in the azuredeploy.json file
  5. cnsVmSize: Size of the CNS Node VM. Select from one of the allowed VM sizes listed in the azuredeploy.json file
  6. storageKind: The type of storage to be used. Value is either "managed" or "unmanaged"
  7. openshiftClusterPrefix: Cluster Prefix used to configure hostnames for all nodes - bastion, master, infra and app nodes. Between 1 and 20 characters
  8. masterInstanceCount: Number of Masters nodes to deploy
  9. infraInstanceCount: Number of infra nodes to deploy
  10. nodeInstanceCount: Number of Nodes to deploy
  11. dataDiskSize: Size of data disk to attach to nodes for Docker volume - valid sizes are 32 GB, 64 GB, 128 GB, 256 GB, 512 GB, 1024 GB, and 2048 GB
  12. adminUsername: Admin username for both OS (VM) login and initial OpenShift user
  13. openshiftPassword: Password for OpenShift user and root user
  14. enableMetrics: Enable Metrics - value is either "true" or "false"
  15. enableLogging: Enable Logging - value is either "true" or "false"
  16. enableCNS: Enable Container Native Storage (CNS) - value is either "true" or "false"
  17. rhsmUsernameOrOrgId: Red Hat Subscription Manager Username or Organization ID. To find your Organization ID, run on registered server: subscription-manager identity.
  18. rhsmPasswordOrActivationKey: Red Hat Subscription Manager Password or Activation Key for your Cloud Access subscription. You can get this from here.
  19. rhsmPoolId: The Red Hat Subscription Manager Pool ID that contains your OpenShift entitlements
  20. sshPublicKey: Copy your SSH Public Key here
  21. keyVaultResourceGroup: The name of the Resource Group that contains the Key Vault
  22. keyVaultName: The name of the Key Vault you created
  23. keyVaultSecret: The Secret Name you used when creating the Secret (that contains the Private Key)
  24. enableAzure: Enable Azure Cloud Provider - value is either "true" or "false"
  25. aadClientId: Azure Active Directory Client ID also known as Application ID for Service Principal
  26. aadClientSecret: Azure Active Directory Client Secret for Service Principal
  27. defaultSubDomainType: This will either be nipio (if you don't have your own domain) or custom if you have your own domain that you would like to use for routing
  28. defaultSubDomain: The wildcard DNS name you would like to use for routing if you selected custom above. If you selected nipio above, you must still enter something here but it will not be used
  29. virtualNetworkNewOrExisting: Select whether to use an existing Virtual Network or create a new Virtual Network. Value is either "existing" or "new"
  30. virtualNetworkResourceGroupName: The name of the Resource Group where the VNet resides. If this parameter is omitted, it will default to RG in which new resources are created
  31. virtualNetworkName: The name of the Virtual Network. Must match the existing name for existing VNet or the name of the new VNet to create if creating a new VNet
  32. masterSubnetName: The name of the Master Subnet
  33. nodeSubnetName: The name of the Node Subnet ** NOTE ** For the next three IP ranges they need to be in CIDR format and be in RFC 1918 (10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12) ** NOTE ** The range just can't put servers in the 10.128.0.0/16 range but it can be a larger subnet that includes them like 10.0.0.0/8
  34. addressPrefixes: IP range for the entire Virtual Network. Default is 10.0.0.0/14
  35. masterSubnetPrefix: Subnet for master, CNS, and infra nodes to be hosted. Needs to have enough IPs to support the number of nodes being deployed. Default is 10.1.0.0/16
  36. nodeSubnetPrefix: Subnet for applicaton nodes. Needs to have enough IPs to support the number of nodes being deployed. Default is 10.2.0.0/16
  37. masterClusterType: Specify whether the cluster uses private or public master nodes - value is either "public" or "private". If private is chosen, the master nodes will not be exposed to the Internet via a public IP. Instead, it will use the private IP specified in the next parameter. The default is public.
  38. masterPrivateClusterIp: If private master nodes is selected, then a private IP address must be specified for use by the internal load balancer for master nodes. This will be a static IP so it must reside within the CIDR block for the master subnet and not already in use. If public master nodes is selected, this value will not be used but must still be specified. The default value is 10.1.0.200
  39. masterPrivateClusterDns: If private master nodes is selected, then a DNS name (FQDN) must be specified. This maps to the private IP address specified in the previous parameter
  40. routerClusterType: Specify whether the cluster uses private or public infra nodes - value is either "public" or "private". If private is chosen, the infra nodes will not be exposed to the Internet via a public IP. Instead, it will use the private IP specified in the next parameter. The default is public.
  41. routerPrivateClusterIp: If private infra nodes is selected, then a private IP address must be specified for use by the internal load balancer for infra nodes. This will be a static IP so it must reside within the CIDR block for the master subnet and not already in use. If public infra nodes is selected, this value will not be used but must still be specified. The default value is 10.1.0.201

Deploy Template

Deploy to Azure using Azure Portal:

Once you have collected all of the prerequisites for the template, you can deploy the template by clicking Deploy to Azure or populating the azuredeploy.parameters.json file and executing Resource Manager deployment commands with PowerShell or the Azure CLI.

Azure CLI 2.0

  1. Create Resource Group: az group create -n <name> -l <location>
    Ex: az group create -n openshift-cluster -l westus
  2. Create Resource Group Deployment: az group deployment create --name <deployment name> --template-file <template_file> --parameters @<parameters_file> --resource-group <resource group name> --nowait
    Ex: az group deployment create --name ocpdeployment --template-file azuredeploy.json --parameters @azuredeploy.parameters.json --resource-group openshift-cluster --no-wait

NOTE

The OpenShift Ansible playbook does take a while to run when using VMs backed by Standard Storage. VMs backed by Premium Storage are faster. If you want Premium Storage, select a DS, Es, or GS series VM. It is highly recommended that Premium storage be used.


If the Azure Cloud Provider is not enabled, then the Service Catalog and Ansible Template Service Broker will not be installed as Service Catalog requires persistent storage.

Be sure to follow the OpenShift instructions to create the necessary DNS entry for the OpenShift Router for access to applications.

A Standard Storage Account is provisioned to provide persistent storage for the integrated OpenShift Registry as Premium Storage does not support storage of anything but VHD files.

TROUBLESHOOTING

If you encounter an error during deployment of the cluster, please view the deployment status. The following Error Codes will help to narrow things down.

  1. Exit Code 3: Your Red Hat Subscription User Name / Password or Organization ID / Activation Key is incorrect
  2. Exit Code 4: Your Red Hat Pool ID is incorrect or there are no entitlements available
  3. Exit Code 5: Unable to provision Docker Thin Pool Volume
  4. Exit Code 99: Configuration playbooks were not downloaded

You can SSH to the Bastion node and from there SSH to each of the nodes in the cluster and fix the issues.

A common cause for the failures related to the node service not starting is the Service Principal did not have proper permissions to the Subscription or the Resource Group. If this is indeed the issue, then assign the correct permissions and manually re-run the script that failed an all subsequent scripts. Be sure to restart the service that failed (e.g. systemctl restart atomic-openshift-node.service) before executing the scripts again.

For further troubleshooting, please SSH into your Bastion node on port 22. You will need to be root (sudo su -) and then navigate to the following directory: /var/lib/waagent/custom-script/download

You should see a folder named '0' and '1'. In each of these folders, you will see two files, stderr and stdout. You can look through these files to determine where the failure occurred.

Post-Deployment Operations

Service Catalog

Service Catalog

If you enable Azure or CNS for storage these scripts will deploy the service catalog as a post deployment option.

Metrics and logging

Metrics

If you deployed Metrics, it will take a few extra minutes deployment to complete. Please be patient.

Once the deployment is complete, log into the OpenShift Web Console and complete an addition configuration step. Go to the openshift-infra project, click on Hawkster metrics route, and accept the SSL exception in your browser.

Logging

If you deployed Logging, it will take a few extra minutes deployment to complete. Please be patient.

Once the deployment is complete, log into the OpenShift Web Console and complete an addition configuration step. Go to the logging project, click on the Kubana route, and accept the SSL exception in your browser.

Creation of additional users

To create additional (non-admin) users in your environment, login to your master server(s) via SSH and run:
htpasswd /etc/origin/master/htpasswd mynewuser

Additional OpenShift Configuration Options

You can configure additional settings per the official (OpenShift Enterprise Documentation).

About

OpenShift Container Platform on Azure

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 76.5%
  • Shell 23.5%