Step by Step guide to install OpenShift 4.10 on GCP | UPI (User Provisioned Infrastructure) method

  • Published 18 Sep 2024
  • Let's deploy RedHat OpenShift 4.10 cluster on Google Cloud Platform using the UPI method. I have used version 4.10.3 in this video; however, the installation procedure demonstrated should be applicable to almost all 4.10.x versions, and in fact it might work for any versions greater than 4.7.x as well, although I haven't tested it myself. ;)
    UPDATE: This tutorial can also be used to deploy version 4.11.1. Tested at my end, and it works perfectly. Some GCP UI changes might be seen now; however, these are very minor and shouldn't have much impact on the installation flow.
    GitHub Repository - github.com/Ham...
    The procedure and steps demonstrated in this video have been taken from the official RedHat documentation (docs.openshift...) with a few tweaks of my own.
    Video is too long? Don't worry, just skip to the below timestamps for your topic of interest.
    @00:24 - Deployment Flow
    @02:00 - Final Architecture & Cluster Layout (Post Installation)
    @03:20 - Setting up underlying GCP Infra components (projects, Service accounts etc)
    @08:00 - Create a Cloud Router
    @08:35 - Create Cloud NAT Components
    @09:42 - Create Cloud DNS (Private DNS Zone)
    @10:40 - Create Bastion Host
    @13:00 - OpenShift Installation begins
    @18:00 - Changes to be made in the install-config.yaml file
    @21:55 - Changes to be made in manifests files
    @26:05 - Creating Bootstrap Node
    @28:39 - Creating the Master Nodes
    @30:25 - Monitoring the bootstrap process
    @37:00 - Creating the Worker Nodes
    @39:46 - Creating worker instance groups & Worker Plane internal load balancer
    @43:39 - Adding *.apps wildcard entry to DNS
    @45:30 - Configuring a reverse proxy and external Console UI access.
    Thank you for watching!
    #OpenShift #GoogleCloud #Kubernetes #CloudNative

COMMENTS • 44

  • @hamzamandviwala
    @hamzamandviwala  2 years ago

    NEW VIDEO OUT!!!
    Topic - Two Tier Kubernetes Application Architecture on AWS
    Link - ua-cam.com/video/_-l50Cct2Uw/v-deo.html

  • @vishvranjanmishra7030
    @vishvranjanmishra7030 2 years ago +1

    Finally someone with UPI installation ...hats off man

  • @srinatht5165
    @srinatht5165 2 years ago +1

    Really cool. Do we expect any video for IPI installation instead of UPI?

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      Thanks Srinath! At this time, I do not have anything planned for IPI, as I am focusing on some other topics. But you might expect one in the future, you never know. ;)

    • @srinatht5165
      @srinatht5165 2 years ago

      @@hamzamandviwala can you show us the Networking section in install-config.yaml? Mine is failing at that:
      networking:
        clusterNetwork:
        - cidr: 10.1.10.0/24
          hostPrefix: 24
        machineNetwork:
        - cidr: 10.0.20.0/24
        networkType: OpenShiftSDN
        serviceNetwork:
        - 172.30.0.0/16

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      @Srinath - seems your comment was not published, and was held for review automatically. I just realised it today and published it. You can refer to the GitHub link ( github.com/Hamza-Mandviwala/OCP4.10.3-install-GCP-UPI ) that demonstrates this project and use the 'sample-install-config.yaml' file.
      Would you be able to share the exact error message you are seeing?
      From the information that you have provided, I feel the below points need to be checked:
      1. The 'machineNetwork' cidr range of 10.0.20.0/24 is probably incorrect. If you are following the video, then this range is set to 10.1.0.0/16, and this needs to be exactly the same as your actual GCP network range.
      2. The 'clusterNetwork' cidr range should be something else, e.g. 10.128.0.0/14, as it will be the IP addresses assigned on the OpenShift cluster level. Advisable to ensure it does not overlap your GCP network range.
      PS: Apologies for this delay, as I was unaware of this comment pending for review. I hope the above information helps. :)
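      The two checks in the reply above (machineNetwork must equal the GCP network range, clusterNetwork must not overlap it) can be automated before running the installer. The script below is an added example, not code from the video or its GitHub repo; it takes the `networking` mapping as yaml.safe_load() would return it, and the two sample configs are constructed from the values quoted in this thread (node count of 5 and the OpenShift default hostPrefix of 23 are assumptions).

```python
"""Sanity checks for the `networking` section of an OpenShift install-config.yaml.
Added example (not from the video/repo): machineNetwork vs GCP range, overlap
between pod/service/node ranges, and per-node hostPrefix capacity."""
import ipaddress
from typing import Dict, List


def _networks(entries) -> List[ipaddress.IPv4Network]:
    # clusterNetwork/machineNetwork items carry a 'cidr' key; serviceNetwork items are bare strings.
    return [ipaddress.ip_network(e["cidr"] if isinstance(e, dict) else e)
            for e in entries]


def check_networking(networking: Dict, gcp_network: str, node_count: int) -> List[str]:
    findings: List[str] = []
    vpc = ipaddress.ip_network(gcp_network)
    machine = _networks(networking.get("machineNetwork", []))
    overlay = ([("clusterNetwork", n) for n in _networks(networking.get("clusterNetwork", []))]
               + [("serviceNetwork", n) for n in _networks(networking.get("serviceNetwork", []))])

    # 1. machineNetwork must be exactly the range of the GCP network the nodes live in.
    if vpc not in machine:
        findings.append(f"machineNetwork {[str(m) for m in machine]} does not match "
                        f"GCP network {vpc}")

    # 2. Pod (clusterNetwork) and service ranges must not overlap node ranges or each other.
    for infra in sorted(set(machine) | {vpc}):
        for name, net in overlay:
            if net.overlaps(infra):
                findings.append(f"{name} {net} overlaps node/GCP range {infra}")
    for i, (name_a, a) in enumerate(overlay):
        for name_b, b in overlay[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{name_a} {a} overlaps {name_b} {b}")

    # 3. Each node gets a /hostPrefix slice of the clusterNetwork CIDR, so the CIDR
    #    must hold at least node_count slices (added check, not raised in the thread).
    for entry in networking.get("clusterNetwork", []):
        net = ipaddress.ip_network(entry["cidr"])
        host_prefix = int(entry["hostPrefix"])
        slices = 2 ** (host_prefix - net.prefixlen) if host_prefix >= net.prefixlen else 0
        if slices < node_count:
            findings.append(f"clusterNetwork {net} with hostPrefix {host_prefix} provides "
                            f"{slices} node subnet(s) but {node_count} nodes are planned")
    return findings


# Constructed from the commenter's values above.
COMMENTER_NETWORKING = {
    "clusterNetwork": [{"cidr": "10.1.10.0/24", "hostPrefix": 24}],
    "machineNetwork": [{"cidr": "10.0.20.0/24"}],
    "serviceNetwork": ["172.30.0.0/16"],
}
# Constructed to follow the reply: 10.128.0.0/14 for pods, machineNetwork equal to
# the video's 10.1.0.0/16 GCP range; hostPrefix 23 is the OpenShift default (assumed).
CORRECTED_NETWORKING = {
    "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
    "machineNetwork": [{"cidr": "10.1.0.0/16"}],
    "serviceNetwork": ["172.30.0.0/16"],
}

if __name__ == "__main__":
    for label, cfg in (("commenter", COMMENTER_NETWORKING), ("corrected", CORRECTED_NETWORKING)):
        print(label, check_networking(cfg, "10.1.0.0/16", node_count=5) or ["OK"])
```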

  • @deepdigitalcontent
    @deepdigitalcontent 1 year ago +1

    Can you create UPI installation for on-premises scenario ? Like what all has to be considered for the same and step by step installation process

    • @hamzamandviwala
      @hamzamandviwala  1 year ago

      Hello,
      As of now, I don't have any plans to create a step-by-step UPI installation guide for an on-premises scenario; however, there are many online sources for UPI on-prem scenarios which should help you with the same.
      Per my understanding, in an on-prem scenario, you would have to give more attention to the proper configuration of the load balancers and DNS - merely because all configuration is done by yourself, and is prone to errors.
      Unlike this case of OCP on GCP, in an on-prem env, you have complete control over the way you configure the networking (including but not limited to firewall rules, subnets, and IP addresses).
      Also, generally in an on-premise environment, the coreos images are stored in a local http server and pulled from there, unlike here where we store it first in a bucket and then use it.
      More or less, the flow of deployment would be almost the same as described in this video.

  • @ariadnaluna4833
    @ariadnaluna4833 1 year ago

    Hi, I executed step 38 but CSRs in Pending state never appear when I run >> oc get csr | grep Pending. I waited some time, approx. 1 hour, but when I reviewed >> oc get nodes, I could see only master nodes. Help!!!

    • @hamzamandviwala
      @hamzamandviwala  1 year ago

      Hi Ariadna, you might want to confirm if step 37 was executed successfully.
      Run the 'oc get nodes' command to see if the worker node objects are created. Also, from the GCP compute engine UI page, ensure the 2 worker node objects are created within GCP. At times, limited resource availability within a given region prevents the worker nodes from even being created in the first place.
      The output of step 37 should tell you if succeeded/failed and also give a reasonable explanation for the same.

    • @alvereduan
      @alvereduan 1 year ago

      @@hamzamandviwala the problem persists. I checked that 2 compute engines were created but oc get nodes only shows master nodes. Any suggestions? Region is us-central1.

  • @rossbrigolimusic
    @rossbrigolimusic 2 years ago +1

    Really cool. Just a concern. Does it mean all traffic to *.apps. will have to go through the bastion host?

    • @hamzamandviwala
      @hamzamandviwala  2 years ago +1

      Hey Ross - The bastion host is merely an entry point for us to get into the cluster and be able to access the OpenShift Console UI & manage the cluster, because this implementation does not have a public DNS for the cluster.
      To answer your question, all *.apps traffic does not have to go through the bastion host. Basically it is only routed through the worker plane internal load balancer, and all of the *.apps traffic would only be accessible from within the cluster (i.e. within the GCP Network).
      But, say you had an Nginx deployment exposed internally as "nginx.apps..", and this entry were to be added into your /etc/hosts (Linux/Mac) pointing to the bastion host public IP, in this case, yes, the traffic would flow from your Local machine to the bastion host, then to the worker plane load balancer and then finally enter the OpenShift cluster.
      Sorry for the really long explanation, hope it answers your question. :)

    • @rossbrigolimusic
      @rossbrigolimusic 2 years ago

      @@hamzamandviwala yes, so no workloads can be accessed outside the VPC except through the bastion host. But services within the same VPC should go through the OCP load balancer, correct?

    • @hamzamandviwala
      @hamzamandviwala  2 years ago +1

      That's correct Ross.

    • @rossbrigolimusic
      @rossbrigolimusic 2 years ago

      @@hamzamandviwala Hey Hamza, I am wondering if it's possible to keep your architecture but expose the HTTP endpoints of master and worker nodes but no SSH. Instead of creating haproxy in the bastion host, can we just use an external LB and external public DNS zone, but keep the machines private?

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      Hey Ross, if I understand correctly, you mean to simply be able to access the cluster over the internet, while keeping the machines private. This seems to closely mimic the implementation of a public OpenShift Cluster, while our goal here is that of a private cluster. Although what you mentioned seems to be an interesting use case of a later requirement of exposing a private cluster publicly. A few pointers I'd take into account here:
      1. At install time, we specified 'publish: Internal' in the install-config.yaml file. So I suppose the necessary Public DNS record sets might need to be created manually. There might also be some additional changes to be made.
      2. We also made changes to the default Ingress controller config (cluster-ingress-default-ingresscontroller.yaml). So there might be some additional changes required that allow publishing app traffic externally. In my opinion, this may involve creating an external LB for the worker plane traffic.
      Regarding ssh'ing into the machines, please note that the machines are private anyway as they do not have a public IP. To avoid ssh'ing in the given setup, you might just want to rotate the ssh key on the bastion host, as the public key is already embedded into the machines at install time.
      And lastly, I suppose an internal LB would still be required for load balancing the internal traffic within the cluster itself. To accommodate your scenario, you might want to create an additional external LB with the relevant health checks, and use it in combination with the public DNS. This way I suppose you could achieve your use case. I haven't tried this yet, but worth experimenting! ;)

  • @RicardoChavez-rl7kc
    @RicardoChavez-rl7kc 4 months ago

    Very good work.
    A query: how do I assign static or reserved IP addresses to worker and master nodes?

    • @hamzamandviwala
      @hamzamandviwala  1 month ago

      Hello,
      I am no Python expert, but I suppose it must be edited within the 06_worker.py file under the networkInterfaces parameter. I just committed a recent change to my repo that helps deploy workers with multiple interfaces, for which I had to make a change inside the 06_worker.py file and add an additional property to the 06_worker.yaml file. Try applying a similar logic to your requirement.
      Sorry for the delay in my response; you might have probably figured out a way to achieve your requirement. If so, feel free to share it with us! ;)

  • @JoyBanerjee-fh3ls
    @JoyBanerjee-fh3ls 1 year ago +1

    After executing 24 of your github link I am getting the below error "ERROR: (gcloud.deployment-manager.deployments.create) ResponseError: code=409, message='projects/ocp4-project-376114/global/deployments/ocp4-pr98z-infra' already exists and cannot be created." Please help.

    • @hamzamandviwala
      @hamzamandviwala  1 year ago

      Hi Joy, it looks like the object "ocp4-pr98z-infra" was already created. Try to delete the object using "gcloud deployment-manager deployments delete ocp4-pr98z-infra" command and then try executing step 24 again.
      Note : I've seen this happening in scenarios of reattempting the same command or repeating the whole exercise. In such cases, always try to remove the gcloud objects (like Loadbalancers, instance groups, routers etc) that you had created in your previous attempts else you can run into such issues.
      Hope this helps!

    • @JoyBanerjee-fh3ls
      @JoyBanerjee-fh3ls 1 year ago

      @@hamzamandviwala Thanks so much let me try again.

  • @Milky-z1b
    @Milky-z1b 2 days ago

    How to get SSH key for VM to add in VM creation. Kindly help me. I am in the process of installing openshift following your video.
    Thanks in advance

    • @hamzamandviwala
      @hamzamandviwala  2 days ago

      Hey,
      SSH keys for the Bastion VM need to be added from the UI at the VM creation stage. You should be able to see 'Advanced Options' > then 'Security' > then click on 'Manage Access' > this should show the '+ADD ITEM' option where you can add the ssh public key.
      Hope this helps! :)

  • @eugenepr2916
    @eugenepr2916 2 years ago +1

    Is it possible to configure installation for 1 master and 1 compute node? I want to fit into a free tier account.

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      Hey Eugene - Per my experience, OpenShift 4.10.x requires 3 master nodes at minimum to spin up successfully. To my knowledge, this requirement has been enforced from OpenShift 4.7.x onwards. You might want to try the same installation procedure with versions 4.6 or 4.5 for example if you wish to implement a 1 master & 1 worker cluster.
      Do ensure you edit the install-config.yaml file with the correct replica counts for Master & Worker nodes, and also ensure the correct replica count is set in the cluster-ingress-default-ingresscontroller.yaml file.

  • @marcelonrs6811
    @marcelonrs6811 1 year ago +1

    Hi Hamza, hope you are doing well.
    I'm learning OpenShift administration, but I have a lot of questions about the daily activities of an OpenShift admin.
    Could you please tell what are the most common activities of an openshift administrator in a project ?

    • @hamzamandviwala
      @hamzamandviwala  1 year ago +1

      Hi Nrs,
      I am doing well, hoping you are well too.
      The daily activities of an OpenShift (Or Kubernetes admin) involve but are not limited to:
      1. Application Deployment - Usually these are integrated with Build pipelines for production clusters.
      2. Cluster Backup - I've seen administrators performing daily/weekly backups of their clusters.
      3. Troubleshooting any issues - Organizations usually leverage official support to troubleshoot any issues they face during daily ops of their clusters like complete cluster outages, application pod failures, pods crashing in a loop, Ingress connectivity issues, users unable to login or perform certain activities etc.
      4. Cluster upgrades - This may not be a daily activity, but maybe a weekly/monthly activity to patch their nodes with any recent releases, and this involves a lot of administrative effort.
      5. Application Updates - Often your applications require updates, and this happens with the release of new images. Deploying this new image ensuring no downtime through various deployment strategies like Blue-Green for example.
      6. Integrating build pipelines - OpenShift offers the functionality of configuring Builds using source code repositories like GitHub. This allows seamless deployment of an application into the cluster when any changes are made to the source code.
      7. Working closely with developers to understand their requirements and help facilitate that requirement within the infrastructure.
      These are just a few of the many activities that any Kubernetes/OpenShift cluster administrator performs on a daily basis.
      Hope this answers your question! :)

    • @marcelonrs6811
      @marcelonrs6811 1 year ago

      @@hamzamandviwala I'm doing well too. Thanks a lot for your kind response, helps me to understand much.

  • @rdiasry
    @rdiasry 3 months ago

    Is it possible using a Google free trial account?

  • @hassanhussein9820
    @hassanhussein9820 1 year ago

    Hi Hamza,
    After creating the bootstrap node I can't SSH to it. I did all steps correctly.

    • @hamzamandviwala
      @hamzamandviwala  1 year ago

      Hi @hassanhussein9820 - Not sure which step you are getting stuck at. But it often takes some time for the node to init and start up. What exactly is the error message? You might also want to inspect the firewall rules to ensure traffic is allowed. Also, I hope you are ssh'ing from your bastion node to the bootstrap node.
      Have the steps 31 and 32 been executed completely and successfully?

  • @marcelonrs6811
    @marcelonrs6811 2 years ago

    Hi Hamza, Thank you so much for detailed explanation, I'm new to openshift. I could see couple of ways of openshift installation. My question is companies use IPI way of installing openshift in their infrastructure or they go with UPI only in most cases ?

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      Hi Nrs,
      Thank you so much!
      It completely depends upon an organization's requirement as to whether they prefer UPI or IPI.
      IPI is very easy to deploy, manage, update and even roll back. RedHat in fact offers managed OpenShift service on top of public clouds like AWS, Azure, and GCP. You can consider that as one type of an IPI way of installing.
      Whereas UPI on the other hand provides more flexibility over your cluster. Here you get to separately manage your cloud resources like load balancers, DNS, networks etc. UPI most importantly gives the flexibility of your specific infra configuration that might not be available at times with IPI.
      Also, a plus with UPI is that you are aware of exactly which underlying infra cloud resources are in place, so your life becomes easier when maintenance is due. You know where to look at the time of troubleshooting.
      So basically, companies have their preferences and evaluate all possible ways to understand what best suits their needs, and opt for the best one.
      I hope this answers your question! :)

    • @marcelonrs6811
      @marcelonrs6811 2 years ago

      @@hamzamandviwala Thank you so much for the response Hamza. Yes, understood about that with your explanation.
      I could see in the Red Hat OpenShift documentation that all the latest versions (4.x) are with the UPI way of installation. Did this method replace Ansible playbooks in 4.x, or do we still use playbooks in the recent versions?
      Because I don't see anything about installing OpenShift using Ansible playbooks in the Red Hat documentation for the recent versions.
      Thanks in advance!

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      That is correct Nrs. So the Ansible way of installing OpenShift was there until version 3.x, but from 4.x onwards, RedHat changed the entire architecture of OpenShift itself, and it no longer makes use of Ansible, but instead the RedHat CoreOS & the ignition config files.
      It is now making use of cluster operators as the foundation that deploys the OpenShift components, and all of this is taken care in a seamless way by the use of the RedHat CoreOS and the ignition config files.
      Also, you could run the OpenShift versions 3.x on any OS if I recall correctly. I had once deployed it on CentOS 7, whereas 4.x will only run on RedHat CoreOS.

    • @marcelonrs6811
      @marcelonrs6811 2 years ago +1

      @@hamzamandviwala Got it. Thanks a lot Hamza for clear insight.

  • @sivakumar-pt7et
    @sivakumar-pt7et 2 years ago

    Hi Hamza, I am trying to do a Single Node OpenShift cluster with the install-config file. First thing, I need to know: if I use master replication 1 and compute 0, and publish = Internal, does this setup work? And I have a predefined VNet, subnet, and RG all in Azure cloud.

    • @hamzamandviwala
      @hamzamandviwala  2 years ago

      Hi Siva, I personally haven't tried single node deployment, but to my knowledge, the installation does not go through completely if you use the number of masters as 1. This I believe is applicable to versions 4.7 and above.
      Regarding Azure, I'd advise referring to the official RedHat documentation, as there are some additional Azure specific objects (like service principals and Managed Identity for example) that need to be created.

  • @marcelonrs6811
    @marcelonrs6811 1 year ago +1

    Hi Hamza, How are you?
    If you have, could you please provide step by step process to install openshift on AWS using UPI method.

    • @hamzamandviwala
      @hamzamandviwala  1 year ago

      Hi Naresh, I haven't got the chance to work on AWS UPI installation of OpenShift handson!

    • @marcelonrs6811
      @marcelonrs6811 1 year ago +1

      @@hamzamandviwala Okay, thanks.

  • @amirsamir007
    @amirsamir007 9 months ago

    How did you get a $1000+ free trial 😊