# Openshift
We have to support multiple (but not so many) Openshift/OCP 4.x clusters , deployed at various places and deployed differently, based on some rules/constraints,etc.
What is common is that we need official subscription, and managed centrally, from https://console.redhat.com/openshift (see inventory for credentials and/or internal emails)
## AWS
### deployment
To deploy in AWS, one can use the [adhoc-deploy-ocp-aws](https://github.com/CentOS/ansible-infra-playbooks/blob/master/adhoc-deploy-ocp-aws.yml) playbook.
But you need first to read *all* the [current](https://docs.openshift.com/container-platform/4.11/welcome/index.html) documentation to understand what is needed
Before running the playbook, you'll need :
* Configure [needed Route53](https://docs.openshift.com/container-platform/4.11/installing/installing_aws/installing-aws-account.html#installation-aws-route53_installing-aws-account) public zone for the ocp sub-domain (and have delegation working)
* needed aws access key and secret for [IAM role](https://docs.openshift.com/container-platform/4.11/installing/installing_aws/manually-creating-iam.html) able to create VPC, update route53, deploy EC2 instances , etc (see doc)
* get official subscription/pull secret from https://console.redhat.com/openshift
* prepare your ansible group with all [needed variables](https://github.com/CentOS/ansible-infra-playbooks/blob/master/adhoc-deploy-ocp-aws.yml#L3)
!!! warning
Be sure to review the VPC settings/subnets that openshift-install binary will create once running and ensure no overlap
### management
Depending on the env, the [ocp-admin-node](https://github.com/CentOS/ansible-role-ocp-admin-node) can be used to :
* deploy/replace TLS certificates
* backup etcd nodes data on daily basis
* configure openshift for some settings (see role)
* add/remove projects/groups/namespaces
### authentication
We don't want to use the internal auth but instead rely on FAS/ACO so the first thing can be done is to tie openshift to ipsilon (id.centos.org (or id.stg.centos.org).
This is configured by the `ocp-admin-role` but it needs some variables first, so create the ocp cluster client id at the ipsilon side (admin operation) and then update the ansible invetory for all the `ocp_idp_` variables.
Once applied through the role, openshift will allow to login through FAS/ACO.
Worth knowing that the `ocp_fas_sync` boolean lets you also automatically create projects/groups/namespaces/RBACs for the groups starting with `ocp_fas_group_prefix` (for example for OCP ci, the IPA/FAS groups are all prefixed `ocp-cico-`)
### Storage for PersistentVolumes
OCP deployed on AWS by default can use EBS volumes but it would come with limitation.
So one can use [EFS](https://docs.aws.amazon.com/efs/?icmpid=docs_homepage_storage) as centralized storage solution for PersistentVolumes (and our playbook can use that feature).
!!! warning
if you want to ensure that PVC would use the created PVs on top of EFS, instead of EBS, you *should* disable the `gp2` StorageClass (under Storage/StorageClasses, edit and `storageclass.kubernetes.io/is-default-class: 'false'`)
### Specific ocp CI cluster notes
Here is an an overview of the deployed ocp ci cluster :
Apart from the FAS/auth/EFS volumes, it's worth knowing that :
* we use [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) between the Duffy and OCP VPCs (see ansible inventory for details)
* we use [internal Route53 resolvers](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html) to forward queries to specific name servers
* we use [Site-to-Site VPN](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html) connections between VPCs and on-premises DC (see ansible inventory for ec2gw nodes)
* security group is attached to EFS to allow NFS traffic from OCP nodes (and so worker nodes able to mount NFS PVs)
## Bare-metal (on premises)
### deployment
### management
### authentication
## Virtual Machines (on premises)
### deployment
### management
### authentication