From 8615fedb30f4bd6d117b875a47c1146b0b478370 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Dec 05 2022 13:57:12 +0000 Subject: Added note about openshift/ocp in aws world Signed-off-by: Fabian Arrotin --- diff --git a/docs/img/duffy-aws.drawio.png b/docs/img/duffy-aws.drawio.png new file mode 100644 index 0000000..39c103a Binary files /dev/null and b/docs/img/duffy-aws.drawio.png differ diff --git a/docs/infra/openshift.md b/docs/infra/openshift.md new file mode 100644 index 0000000..ff08eea --- /dev/null +++ b/docs/infra/openshift.md 
@@ -0,0 +1,78 @@ +# Openshift + +We have to support multiple (but not so many) Openshift/OCP 4.x clusters , deployed at various places and deployed differently, based on some rules/constraints,etc. + +What is common is that we need official subscription, and managed centrally, from https://console.redhat.com/openshift (see inventory for credentials and/or internal emails) + +## AWS +### deployment + +To deploy in AWS, one can use the [adhoc-deploy-ocp-aws](https://github.com/CentOS/ansible-infra-playbooks/blob/master/adhoc-deploy-ocp-aws.yml) playbook. +But you need first to read *all* the [current](https://docs.openshift.com/container-platform/4.11/welcome/index.html) documentation to understand what is needed +Before running the playbook, you'll need : + + * Configure [needed Route53](https://docs.openshift.com/container-platform/4.11/installing/installing_aws/installing-aws-account.html#installation-aws-route53_installing-aws-account) public zone for the ocp sub-domain (and have delegation working) + * needed aws access key and secret for [IAM role](https://docs.openshift.com/container-platform/4.11/installing/installing_aws/manually-creating-iam.html) able to create VPC, update route53, deploy EC2 instances , etc (see doc) + * get official subscription/pull secret from https://console.redhat.com/openshift + * prepare your ansible group with all [needed variables](https://github.com/CentOS/ansible-infra-playbooks/blob/master/adhoc-deploy-ocp-aws.yml#L3) + +!!! 
warning + Be sure to review the VPC settings/subnets that openshift-install binary will create once running and ensure no overlap + +### management + +Depending on the env, the [ocp-admin-node](https://github.com/CentOS/ansible-role-ocp-admin-node) can be used to : + + * deploy/replace TLS certificates + * backup etcd nodes data on daily basis + * configure openshift for some settings (see role) + * add/remove projects/groups/namespaces + + +### authentication + +We don't want to use the internal auth but instead rely on FAS/ACO so the first thing can be done is to tie openshift to ipsilon (id.centos.org (or id.stg.centos.org). + +This is configured by the `ocp-admin-role` but it needs some variables first, so create the ocp cluster client id at the ipsilon side (admin operation) and then update the ansible invetory for all the `ocp_idp_` variables. + +Once applied through the role, openshift will allow to login through FAS/ACO. +Worth knowing that the `ocp_fas_sync` boolean lets you also automatically create projects/groups/namespaces/RBACs for the groups starting with `ocp_fas_group_prefix` (for example for OCP ci, the IPA/FAS groups are all prefixed `ocp-cico-`) + +### Storage for PersistentVolumes + +OCP deployed on AWS by default can use EBS volumes but it would come with limitation. +So one can use [EFS](https://docs.aws.amazon.com/efs/?icmpid=docs_homepage_storage) as centralized storage solution for PersistentVolumes (and our playbook can use that feature). + +!!! 
warning + if you want to ensure that PVC would use the created PVs on top of EFS, instead of EBS, you *should* disable the `gp2` StorageClass (under Storage/StorageClasses, edit and `storageclass.kubernetes.io/is-default-class: 'false'`) + + +### Specific ocp CI cluster notes + +Here is an an overview of the deployed ocp ci cluster : + + +![CI Infra overview](/img/duffy-aws.drawio.png) + +Apart from the FAS/auth/EFS volumes, it's worth knowing that : + + * we use [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) between the Duffy and OCP VPCs (see ansible inventory for details) + * we use [internal Route53 resolvers](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html) to forward queries to specific name servers + * we use [Site-to-Site VPN](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html) connections between VPCs and on-premises DC (see ansible inventory for ec2gw nodes) + * security group is attached to EFS to allow NFS traffic from OCP nodes (and so worker nodes able to mount NFS PVs) + +## Bare-metal (on premises) +### deployment + +### management + +### authentication + + +## Virtual Machines (on premises) + +### deployment + +### management + +### authentication diff --git a/docs/security/tls.md b/docs/security/tls.md index 1dab93f..4a2926f 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -257,5 +257,5 @@ ansible-playbook-stream playbooks/role-haproxy.yml --tags "tls,pki" ``` !!! note - Fedora Infra team is responsiblef for `mirrors.centos.org` one, as it's hosted on their infra. In the past we were generating/renewing cert but it seems now [automated](https://pagure.io/fedora-infrastructure/issue/10829) + Fedora Infra team is responsible for `mirrors.centos.org` one, as it's hosted on their infra. In the past we were generating/renewing cert but it seems now [automated](https://pagure.io/fedora-infrastructure/issue/10829) 
diff --git a/mkdocs.yml b/mkdocs.yml index 5adabb0..b54a712 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -92,6 +92,7 @@ nav: - infra/mirrorlists.md - infra/sponsors.md - infra/centos-ci.md + - infra/openshift.md - infra/monitoring.md - infra/team.md - infra/backup.md
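Review bot: in the docs/infra/openshift.md hunk the authentication section says the IdP is "configured by the `ocp-admin-role`", while the management section links the role as [ocp-admin-node](https://github.com/CentOS/ansible-role-ocp-admin-node); use one name (presumably `ocp-admin-node`) so readers land on the right role. In the same hunk the deployment bullet asks for an "aws access key and secret for IAM role", but long-lived access keys belong to an IAM user (roles only yield temporary STS credentials), so say "IAM user" and, as the other bullets do, point at the vaulted ansible inventory as the place the key lives. The CI-cluster bullet "security group is attached to EFS to allow NFS traffic from OCP nodes" would be more useful with the scope stated (NFS/2049 from the OCP worker subnets only, not the whole peered VPC range), since that rule is what keeps the PV data off the Duffy side. The `[needed variables](...adhoc-deploy-ocp-aws.yml#L3)` link pins a line number on master and will drift; link the file or its vars block instead. The "Bare-metal (on premises)" and "Virtual Machines (on premises)" sections are empty headings that will render as blank pages in the nav; a one-line "not yet documented" under each avoids that. Typos: "ansible invetory" -> "inventory", "Here is an an overview" -> "an overview", "come with limitation" -> "limitations".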
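Review bot: the docs/security/tls.md hunk correctly fixes "responsiblef", but the rewritten line still reads "responsible for `mirrors.centos.org` one" and "generating/renewing cert"; while touching it, "responsible for the `mirrors.centos.org` one" and "renewing the cert" read cleanly.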