Single node OCP 4.3 cluster
This howto is a modified version of the CodeReady project. https://github.com/code-ready
Requirements
- Ability to deploy OCP 4.x on libvirt. https://www.zews.org/ocp-4-x-on-libvirt/
Download your pull secret
- Go to the Red Hat OpenShift Cluster Manager and download your pull secret. https://cloud.redhat.com/openshift/install/aws/installer-provisioned
Install YQ
sudo curl -L https://github.com/mikefarah/yq/releases/download/3.3.0/yq_linux_amd64 -o /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
Create a cluster install directory
mkdir ~/cluster-install
cd ~/cluster-install
export INSTALL_DIR=$(pwd)
Create an install-config
openshift-install create install-config
- select an ssh key
- select libvirt
- qemu+tcp://192.168.124.1/system
- tt.testing
- ocp
- copy/paste your pull secret
Set compute nodes to 0
yq write --inplace install-config.yaml compute[0].replicas 0
Create manifests
openshift-install create manifests
Set ingress
- Change ${WC_DOMAIN} to your wildcard domain
yq write --inplace manifests/cluster-ingress-02-config.yml spec[domain] ${WC_DOMAIN}
Set cpu and memory
yq write --inplace openshift/99_openshift-cluster-api_master-machines-0.yaml spec.providerSpec.value[domainMemory] 16384
yq write --inplace openshift/99_openshift-cluster-api_master-machines-0.yaml spec.providerSpec.value[domainVcpu] 8
Set your version for the installer
- In this example I'm installing 4.3.18; change as you see fit.
OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE="$(curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.18/release.txt | sed -n 's/^Pull From: //p')"
export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE
Start the cluster install
openshift-install create cluster
- If you're using an haproxy VM on libvirt, change the virtual network for the second NIC now.
Export kubeconfig
export KUBECONFIG=${INSTALL_DIR}/auth/kubeconfig
Note for etcd in 4.4
4.4 has some new protections to keep etcd from running in an unsupported manner. The following patch will disable that protection.
oc patch etcd cluster -p='{"spec": {"unsupportedConfigOverrides": {"useUnsupportedUnsafeNonHANonProductionUnstableEtcd": true}}}' --type=merge
Wait for the installer to finish
- Depending on the speed of your hardware, the cluster install may succeed or fail. Either way, just wait for the cluster to settle.
oc get co
- The cluster operator status should eventually stop progressing.
NAME                                      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                            4.3.18    True        False         False      32m
cloud-credential                          4.3.18    True        False         False      67m
cluster-autoscaler                        4.3.18    True        False         False      35m
console                                   4.3.18    True        False         False      31m
dns                                       4.3.18    True        False         False      61m
image-registry                            4.3.18    True        False         False      35m
ingress                                   4.3.18    True        False         False      35m
insights                                  4.3.18    True        False         False      39m
kube-apiserver                            4.3.18    True        False         False      60m
kube-controller-manager                   4.3.18    True        False         False      60m
kube-scheduler                            4.3.18    True        False         False      60m
machine-api                               4.3.18    True        False         False      62m
machine-config                            4.3.18    True        False         False      62m
marketplace                               4.3.18    True        False         False      38m
monitoring                                4.3.18    True        False         False      30m
network                                   4.3.18    True        False         False      63m
node-tuning                               4.3.18    True        False         False      41m
openshift-apiserver                       4.3.18    True        False         False      35m
openshift-controller-manager              4.3.18    True        False         False      33m
openshift-samples                         4.3.18    True        False         False      34m
operator-lifecycle-manager                4.3.18    True        False         False      42m
operator-lifecycle-manager-catalog        4.3.18    True        False         False      42m
operator-lifecycle-manager-packageserver  4.3.18    True        False         False      41m
service-ca                                4.3.18    True        False         False      63m
service-catalog-apiserver                 4.3.18    True        False         False      42m
service-catalog-controller-manager        4.3.18    True        False         False      42m
storage                                   4.3.18    True        False         False      39m
Renew the install certs
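- You'll need the pull secret you downloaded earlier.
- ${cli_image} is not set anywhere else in this howto; the lookup below assumes it is the cli image of the release being installed.
export OPENSHIFT_PULL_SECRET=/path/to/pull-secret.txt
cli_image=$(oc adm release info -a ${OPENSHIFT_PULL_SECRET} ${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE} --image-for=cli)
curl -O https://raw.githubusercontent.com/code-ready/snc/master/kubelet-bootstrap-cred-manager-ds.yaml
yq write --inplace kubelet-bootstrap-cred-manager-ds.yaml spec.template.spec.containers[0].image ${cli_image}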
oc apply -f kubelet-bootstrap-cred-manager-ds.yaml
oc delete secrets/csr-signer-signer secrets/csr-signer -n openshift-kube-controller-manager-operator
- Wait for the cluster operators to stop progressing.
watch oc get co
- Remove the 24 hour certs and bootstrap kubeconfig.
- Change "ocp.tt.testing" to match your cluster name and domain that you entered when you ran "openshift-install create install-config"
ssh core@api.ocp.tt.testing -- sudo rm -fr /var/lib/kubelet/pki
ssh core@api.ocp.tt.testing -- sudo rm -fr /var/lib/kubelet/kubeconfig
ssh core@api.ocp.tt.testing -- sudo systemctl restart kubelet
- Check for a "Pending" CSR.
oc get csr
- Approve the pending CSR
oc get csr -oname | xargs oc adm certificate approve
- Delete the kubelet-bootstrap-cred-manager
oc delete daemonset/kubelet-bootstrap-cred-manager -n openshift-machine-config-operator
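The approve step above approves every CSR that oc get csr returns. As an added example (not part of the original howto or the CodeReady scripts), the function below selects only Pending CSRs from the requestors this procedure should produce. The requestor list is an assumption, and the sample table is constructed for illustration.

```shell
# Added example: pick only the CSRs this procedure is expected to create.
# Assumption: the expected requestors are the node-bootstrapper service
# account (client cert) and the node identity system:node:<name> (serving cert).
approvable_csrs() {
  # stdin: table output of `oc get csr`; stdout: names that are safe to approve
  awk '
    NR == 1 {
      # Find columns by header so extra columns (e.g. SIGNERNAME) do not matter
      for (i = 1; i <= NF; i++) col[$i] = i
      n = col["NAME"]; r = col["REQUESTOR"]; c = col["CONDITION"]
      if (!n || !r || !c) exit 2
      next
    }
    $c != "Pending" { next }          # already approved or denied
    $r == "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper" ||
    $r ~ /^system:node:[a-z0-9.-]+$/ { print $n; next }
    { print "skipped " $n " from " $r > "/dev/stderr" }
  '
}

# Constructed sample of `oc get csr` output (not captured from a real cluster)
sample_csr_table() {
  cat <<'EOF'
NAME        AGE   REQUESTOR                                                                   CONDITION
csr-4k7zq   41m   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-8xw2p   35s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-j9d5t   12s   system:node:ocp-master-0                                                    Pending
csr-zz111   9s    system:serviceaccount:default:builder                                       Pending
EOF
}

# Usage against a live cluster (review the "skipped" lines on stderr first):
#   oc get csr | approvable_csrs | xargs -r oc adm certificate approve
```

A Pending CSR from any other requestor is reported on stderr and left for manual review.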
Scale services down
oc patch clusterversion version --type json -p "$(cat <<- EOF
- op: add
  path: /spec/overrides
  value:
  - kind: Deployment
    group: apps/v1
    name: etcd-quorum-guard
    namespace: openshift-machine-config-operator
    unmanaged: true
EOF
)"
oc scale --replicas=1 deployment/etcd-quorum-guard -n openshift-machine-config-operator
oc scale --replicas=1 ingresscontroller/default -n openshift-ingress-operator
oc scale --replicas=1 deployment.apps/console -n openshift-console
oc scale --replicas=1 deployment.apps/downloads -n openshift-console
oc scale --replicas=1 deployment.apps/oauth-openshift -n openshift-authentication
oc scale --replicas=1 deployment.apps/packageserver -n openshift-operator-lifecycle-manager