Containers, Kubernetes, OpenShift on Power

 View Only

Installing OpenShift on IBM Power Virtual Servers with IPI

By Ashwin Hendre posted Tue July 11, 2023 02:56 AM

  

Installer Provisioned Infrastructure method can be used to deploy an OpenShift cluster on IBM PowerVS.

In scope 

This blog post covers creating and destroying a “public” OpenShift cluster i.e., one which is accessible through the internet and the nodes of the cluster can access the internet. 

Out of scope 

It is also possible to create an OpenShift cluster using IPI on Power VS for 

  1. Private scenario: A cluster where DNS, Ingress Controller, and API server are private
  2. Disconnected scenario: A cluster where the nodes do not have access to the internet. 

However, these two scenarios are outside the scope of this blog post. 

Requirements for installing OpenShift on Power VS with IPI 

  1. Create an IBM Cloud account.
  2. Create an IBM Cloud service account (optional)
    Refer https://www.ibm.com/docs/en/dbaoc?topic=access-creating-managing-service-accounts for details on creating it.
  3. Create a resource group (optional)
    Resource group is a logical grouping of resources such that a set of users can be allowed access to that group rather than enabling access to individual resources.
    Refer https://cloud.ibm.com/docs/account?topic=account-rgs for steps on creating a resource group.
    It is possible that your account admin set a different resource group as the default. Verify the name of the default resource group before continuing.
  4. Create an access group (optional)
    An access group allows you to group users and assign required access policies to them based on their role. Refer https://cloud.ibm.com/docs/account?topic=account-groups for details on creating an access group.
    Refer https://docs.openshift.com/container-platform/4.15/installing/installing_ibm_powervs/installing-ibm-cloud-account-power-vs.html#pre-requisite-permissions-ibm-cloud_installing-ibm-cloud-account-power-vs for information on roles and their respective permissions.
  5. Assign permissions to the access group created as a part of the previous step through either of the following approaches (optional)
    1. UI (recommended)
      Follow these steps: https://cloud.ibm.com/docs/account?topic=account-groups&interface=ui#access_ag
    2. CLI
      ibmcloud iam access-group-policy-create GROUP_NAME {-f, --file @JSON_FILE | --roles ROLE_NAME1,ROLE_NAME2... [--service-name SERVICE_NAME] [--service-instance SERVICE_INSTANCE] [--region REGION] [--resource-type RESOURCE_TYPE] [--resource RESOURCE] [--resource-group-name RESOURCE_GROUP_NAME] [--resource-group-id RESOURCE_GROUP_ID]}
      e.g. ibmcloud iam access-group-policy-create example_group --roles Administrator --service-name sample-service
      This will give example_group Administrator role for all sample-service resources.
  6. Create or reuse an API key associated with the service account
    Refer https://cloud.ibm.com/docs/account?topic=account-serviceidapikeys
  7. Create an SSH key pair locally
  8. Create or reuse an IBM Cloud Internet Services instance.
    1. Configure CIS to manage the domain you wish to use for your cluster. See https://cloud.ibm.com/docs/cis?topic=cis-getting-started for more info. The installer will add DNS records during installation.
  9. Obtain the openshift-install binary
    1. Access the PowerVS IPI installer page on the OpenShift Cluster Manager site. If you have a Red Hat account, log in with your credentials. If you do not, create an account.
    2. Download the installation program that corresponds with your host operating system and architecture, and place the file in the directory where you will store the installation configuration files.
      Make sure you download the openshift-install archive for the architecture of the system you're using for deployment. For example, if you're using an x86_64 VM to carry out deployment, the package may be named openshift-client-linux-amd64-4.15.x.tar.gz.
    3. Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:  tar -xvf openshift-install-linux.tar.gz
    4. Download your installation pull secret from the Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
  10. Move the openshift-install binary to a folder in your $PATH, such as /usr/bin/
  11. Generate Cloud Credentials by using the ccoctl.sh script and referring to the associated documentation, or follow the manual procedure detailed in steps 11.1 and 11.2 below.
    1. Obtain the ccoctl binary; the general approach is as follows. Additional information can be found in this guide.
      1. Obtain the OpenShift Container Platform release image by running the following command RELEASE_IMAGE=$(openshift-install version | awk '/release image/ {print $3}')
      2. Obtain the CCO container image from the OpenShift Container Platform release image by running the following command
        CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a <path to pull secret file>)
        Ensure that you are using the ccoctl tool in an environment with ppc64le architecture.
      3. Extract the ccoctl binary from the CCO container image within the OpenShift Container Platform release image by running the following command: oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a <path to pull secret file>
      4. Change the permissions to make ccoctl executable by running the following command 
        chmod 775 ccoctl
    2. Extract the credentials
      1. mkdir credreqs
      2. oc adm release extract --cloud=powervs --credentials-requests $RELEASE_IMAGE --to=./credreqs
      3. ccoctl ibmcloud create-service-id --credentials-requests-dir <path-to-directory-with-list-of-credentials-requests> --name <name> --resource-group-name <resource-group-name>
        resource-group-name is optional but recommended.

     Note that cluster resources will be charged as per IBM pricing and follows an operational expenditure model. 

    Installation steps 

    1. Create a sub-directory to hold the artifacts the installer creates (install configuration, manifests, metadata, cluster authentication data, etc.)
      mkdir ocp-deploy
    2. Create the install configuration
      1. openshift-install create install-config --dir=ocp-deploy
        Folder specified must be the same as the above step.
        You will be prompted for several pieces of information required for deploying the cluster
        1. SSH public key
        2. Platform: Select powervs
        3. IBM Cloud User ID
        4. IBM Cloud API Key
        5. Region
          Region where the cluster will be deployed
        6. Zone
          One or more zones contained within the region specified in v.
        7. Base domain
          A domain created using IBM Cloud Internet Services.
        8. Cluster name
        9. Pull secret
          RedHat pull secret
      2. If you don’t have an existing workspace or don’t want to use it for cluster deployment, skip steps c and d.
      3. Obtain the workspace (formerly called service instance) GUID.  
        1. Install IBM cloud CLI by referring https://cloud.ibm.com/docs/cli?topic=cli-install-ibmcloud-cli, selecting the installation method for your operating system
        2. Log in to your IBM cloud account using ibmcloud login
        3. If you’re using Windows, enter ibmcloud resource service-instance <name of the workspace (formerly called service instance)> and note the value in the GUID field of the output
        4. If you’re using Linux or Mac, enter ibmcloud resource service-instance <name of the workspace (formerly called service instance)> | grep -i GUID. Note the id displayed in the output.
      4. Edit install-config.yaml to include the workspace’s (formerly called service instance) GUID.
        1. Open ocp-deploy/install-config.yaml with an editor of your choice.
          e.g. vi ocp-deploy/install-config.yaml
        2. Add a property  
          platform.powervs.serviceInstanceGUID: GUID of the workspace (formerly called service instance) in which cluster nodes will be created.
      5. If you wish to reuse the created install-config.yaml for future deployments, back it up at a securely as it contains your pull secret. The following steps will delete the install-config.yaml
    3. Create manifests
      1. openshift-install create manifests --dir=ocp-deploy
        1. Folder specified must be the same as step 1 above.
      2. Copy the credentials files created in requirement 11 into ocp-deploy/manifests
    4. Trigger the installation
      1. openshift-install create cluster --dir=ocp-deploy --log-level=debug
      2. Folder specified must be the same as step 1 above.
        1. The log-level flag is optional but is recommended to be set to debug during manual installation for detailed logs.
    5. Post-installation
      1. The output should show how the cluster can be accessed through CLI and GUI.
      2. The ocp-deploy folder created in step 1 will now contain several useful artifacts, including
        1. .openshift-install.log containing the installation log.
        2. An auth folder containing the kubeconfig to be used to access the cluster through CLI.
        3. metadata.json containing cluster metadata.
      3. Retain the folder created in the above step as the metadata.json file in it is required to delete the cluster.
    6. A support license can be purchased from try.openshift.com after the cluster is installed. 

    Destroying an OpenShift Cluster 

    1. Navigate to the folder where the openshift-install binary and the cluster artifact directory are present (here, ocp-deploy).
      1. cd <parent path of openshift-install binary and cluster artifact directory>
    2. openshift-install destroy cluster --dir=ocp-deploy --log-level=debug
      The log-level flag is optional but is recommended to be set to debug during manual installation for detailed logs.
    3. Optional: Delete the Workspace
      1. Log into cloud.ibm.com
      2. Expand the hamburger menu on the top left.
      3. Resource list
      4. Look for the Workspace which was specified during cluster installation and click the three dots against it.
      5. Delete
    4. Optional: Delete the Cloud credentials
      ccoctl ibmcloud delete-service-id --credentials-requests-dir <path-to-directory-with-list-of-credentials-requests> --name <name>

     

    Permalink