Kubernetes & OpenShift on Power


Installing OpenShift on IBM Power Virtual Servers with IPI

By Ashwin Hendre posted Tue July 11, 2023 02:56 AM


The Power VS IPI feature is introduced as a Tech Preview with the release of OpenShift 4.13.   

In scope 

This blog covers creating and destroying a “public” OpenShift cluster, i.e., one that is accessible through the internet and whose nodes can access the internet.

Out of scope 

It is also possible to create an OpenShift cluster using IPI on Power VS for the following scenarios:

  1. Private scenario: A cluster where DNS, Ingress Controller, and API server are private
  2. Disconnected scenario: A cluster where the nodes do not have access to the internet. 

However, these two scenarios are outside the scope of this blog post. 

Requirements for installing OpenShift on Power VS with IPI 

  1. Purchase a license from try.openshift.com
  2. Create an IBM Cloud service account (optional)
    Refer to https://www.ibm.com/docs/en/dbaoc?topic=access-creating-managing-service-accounts for details on creating it.
  3. Create a resource group (optional)
    A resource group is a logical grouping of resources such that a set of users can be allowed access to that group rather than enabling access to individual resources.
    Refer to https://cloud.ibm.com/docs/account?topic=account-rgs for steps on creating a resource group.
  4. Create an access group (optional)
    An access group allows you to group users and assign required access policies to them based on their role. Refer to https://cloud.ibm.com/docs/account?topic=account-groups for details on creating an access group.
  5. Assign permissions to the access group created as a part of the previous step through either of the following approaches (optional)
    1. UI (recommended)
      Follow these steps: https://cloud.ibm.com/docs/account?topic=account-groups&interface=ui#access_ag
    2. CLI
      ibmcloud iam access-group-policy-create GROUP_NAME {-f, --file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}
      e.g. ibmcloud iam access-group-policy-create example_group --roles Administrator --service-name sample-service

      This gives example_group the Administrator role for all sample-service resources.
  6. Create or reuse an API key associated with the service account
    Refer to https://cloud.ibm.com/docs/account?topic=account-serviceidapikeys
  7. Create a Power VS Workspace (formerly called service instance)
  8. Create an SSH key pair locally
  9. Create or reuse an IBM Cloud Internet Services instance.
    1. Configure CIS to manage the domain you wish to use for your cluster. See https://cloud.ibm.com/docs/cis?topic=cis-getting-started for more info. The installer will add DNS records during installation.
  10. Obtain the openshift-install binary
    1. Access the PowerVS IPI installer page on the OpenShift Cluster Manager site. If you have a Red Hat account, log in with your credentials. If you do not, create an account.
    2. Download the installation program that corresponds with your host operating system and architecture, and place the file in the directory where you will store the installation configuration files.
    3. Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:  
      tar -xvf openshift-install-linux.tar.gz
    4. Download your installation pull secret from the Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
  11. Move the openshift-install binary to a folder in your $PATH, such as /usr/bin/
  12. Create or reuse a Resource group (optional). Alternatively, you can use the default resource group by specifying “Default” in platform.powervs.powervsResourceGroup in the install-config.yaml
    1. This is the resource group with which your Power Virtual Server Workspace was created.
      It is possible that your account admin set a different resource group as the default. Verify the name of the default resource group before continuing.
  13. Generate Cloud Credentials
    1. Obtain the ccoctl binary; the general approach is as follows. Additional information can be found in this guide.
      1. Obtain the OpenShift Container Platform release image by running the following command
        RELEASE_IMAGE=$(openshift-install version | awk '/release image/ {print $3}')
      2. Obtain the CCO container image from the OpenShift Container Platform release image by running the following command
        CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a <path to pull secret file>)
        Ensure that you are using the ccoctl tool in an environment with ppc64le architecture.
      3. Extract the ccoctl binary from the CCO container image within the OpenShift Container Platform release image by running the following command
        oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a <path to pull secret file>
      4. Change the permissions to make ccoctl executable by running the following command 
        chmod 775 ccoctl
      5. Extract the credentials

        1. mkdir credreqs

        2. oc adm release extract --cloud=powervs --credentials-requests $RELEASE_IMAGE --to=./credreqs

        3. ccoctl ibmcloud create-service-id --credentials-requests-dir <path-to-directory-with-list-of-credentials-requests> --name <name> --resource-group-name <resource-group-name>
          resource-group-name is optional but recommended.

    Note that cluster resources will be charged as per IBM pricing and follow an operational expenditure model.

    Installation steps 

    1. Create a sub-directory to hold the artifacts the installer creates (install configuration, manifests, metadata, cluster authentication data, etc.)
      mkdir ocp-deploy
    2. Create the install configuration
      1. openshift-install create install-config --dir=ocp-deploy
        You will be prompted for several pieces of information required for deploying the cluster
        1. SSH public key
        2. Platform: Select powervs
        3. IBM Cloud User ID
        4. IBM Cloud API Key
        5. Region
          Region where the cluster will be deployed
        6. Zone
          One or more zones contained within the region specified in step 5.
        7. Base domain
          A domain created using IBM Cloud Internet Services.
        8. Cluster name
        9. Pull secret
          Red Hat pull secret
      2. Obtain the workspace (formerly called service instance) id  
        1. Install the IBM Cloud CLI by referring to https://cloud.ibm.com/docs/cli?topic=cli-install-ibmcloud-cli and selecting the installation method for your operating system
        2. Log in to your IBM Cloud account using ibmcloud login
        3. If you’re using Windows, enter ibmcloud resource service-instance <name of the workspace (formerly called service instance)> and note the value in the GUID field of the output
        4. If you’re using Linux or Mac, enter ibmcloud resource service-instance <name of the workspace (formerly called service instance)> | grep -i GUID. Note the id displayed in the output.
      3. Edit install-config.yaml to include the workspace’s (formerly called service instance) id.
        1. Open ocp-deploy/install-config.yaml with an editor of your choice.
          e.g. vi ocp-deploy/install-config.yaml
        2. Add a property  
          platform.powervs.serviceInstanceID: GUID of the workspace (formerly called service instance) in which cluster nodes will be created.
        3. Add another property 
          platform.powervs.powervsResourceGroup: Resource group from requirement #10
    3. Create manifests
      Before running this step, back up the install-config.yaml created in the preceding step to a secure location, as it contains your pull secret. It can be found in ocp-deploy/install-config.yaml. This step will use and then delete the file.
      1. openshift-install create manifests --dir=ocp-deploy
        1. The folder specified must be the same as in step 2.1
        2. Copy the credentials files created in requirement VII into ocp-deploy/manifests
    4. Trigger the installation
      1. openshift-install create cluster --dir=ocp-deploy --log-level=debug
      2. The folder specified must be the same as in steps 2.1 and 3.1.
      3. log-level flag is optional but is recommended to be set to debug during manual installation for detailed logs.
    5. Post-installation
      1. The output should show how the cluster can be accessed through CLI and GUI.
      2. The ocp-deploy folder created in step IV will now contain several useful artifacts, including
        1. .openshift-install.log containing the installation log.
        2. An auth folder containing the kubeconfig to be used to access the cluster through CLI.
        3. metadata.json containing cluster metadata. This file must be preserved for cluster deletion. 
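
An added example, not part of the original post: a pre-flight check for the "Create manifests" step that confirms both platform.powervs properties are set and then stores a copy of install-config.yaml with owner-only permissions before the installer deletes it. The function names, the backup directory and the sample file contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example: check install-config.yaml and keep an owner-only copy of it
# before `openshift-install create manifests` consumes the file.

# Constructed sample, trimmed to the fields the check reads; values are placeholders.
write_sample_config() {  # $1 = cluster directory
  mkdir -p "$1"
  cat > "$1/install-config.yaml" <<'EOF'
apiVersion: v1
metadata:
  name: demo
platform:
  powervs:
    serviceInstanceID: "00000000-0000-0000-0000-000000000000"
    powervsResourceGroup: Default
pullSecret: '<pull-secret-placeholder>'
EOF
}

# Print the value of a key under platform.powervs (assumes 2-space YAML indent).
powervs_value() {  # $1 = file, $2 = key
  awk -v key="$2" -v q="'" '
    /^platform:/                 { in_platform = 1; next }
    /^[^ #]/                     { in_platform = 0; in_pvs = 0 }
    in_platform && /^  powervs:/ { in_pvs = 1; next }
    in_pvs && /^  [^ ]/          { in_pvs = 0 }
    in_pvs && $1 == (key ":")    { sub(/^[^:]*:[ \t]*/, ""); gsub("[\"" q "]", ""); print; exit }
  ' "$1"
}

# Refuse to continue if either property is unset; otherwise copy the file
# into a 0700 directory as a 0600 file (it holds the pull secret).
backup_install_config() {  # $1 = cluster directory, $2 = backup directory
  cfg="$1/install-config.yaml"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  for key in serviceInstanceID powervsResourceGroup; do
    [ -n "$(powervs_value "$cfg" "$key")" ] ||
      { echo "platform.powervs.$key is not set" >&2; return 1; }
  done
  ( umask 077
    mkdir -p "$2" && chmod 700 "$2" &&
    cp "$cfg" "$2/install-config.yaml.bak" &&
    chmod 600 "$2/install-config.yaml.bak" )
}

# Usage: backup_install_config ocp-deploy "$HOME/ocp-backup" &&
#          openshift-install create manifests --dir=ocp-deploy
```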

    Destroying an OpenShift Cluster 

    1. Navigate to the folder where the openshift-install binary and the cluster artifact directory are present (here, ocp-deploy).
      1. cd <parent path of openshift-install binary and cluster artifact directory>
    2. openshift-install destroy cluster --dir=ocp-deploy --log-level=debug
      1. log-level flag is optional but is recommended to be set to debug during manual installation for detailed logs.
    3. Delete the Workspace (optional)
      1. Log in to cloud.ibm.com
      2. Expand the hamburger menu on the top left.
      3. Click Resource list.
      4. Look for the Workspace which was specified during cluster installation and click the three dots against it.
      5. Click Delete.
    4. Optional: Delete the Cloud credentials
      ccoctl ibmcloud delete-service-id --credentials-requests-dir <path-to-directory-with-list-of-credentials-requests> --name <name>