1. Documentation
    2. history bug_report picture_as_pdf
×

About image-based deployments for managed single-node OpenShift

When a host preinstalled with single-node OpenShift using an image-based installation arrives at a remote site, a technician can easily reconfigure and deploy the host in a matter of minutes.

For clusters with a hub-and-spoke architecture, to complete the deployment of a preinstalled host, you must first define site-specific configuration resources on the hub cluster for each host. These resources contain configuration information such as the properties of the bare-metal host, authentication details, and other deployment and networking information.

The Image Based Install (IBI) Operator creates a configuration ISO from these resources, and then boots the host with the configuration ISO attached. The host mounts the configuration ISO and runs the reconfiguration process. When the reconfiguration completes, the single-node OpenShift cluster is ready.

You must create distinct configuration resources for each bare-metal host.

See the following high-level steps to deploy a preinstalled host in a cluster with a hub-and-spoke architecture:

  1. Install the IBI Operator on the hub cluster.

  2. Create site-specific configuration resources in the hub cluster for each host.

  3. The IBI Operator creates a configuration ISO from these resources and boots the target host with the configuration ISO attached.

  4. The host mounts the configuration ISO and runs the reconfiguration process. When the reconfiguration completes, the single-node OpenShift cluster is ready.

Alternatively, you can manually deploy a preinstalled host for a cluster without using a hub cluster. You must define an ImageBasedConfig resource and an installation manifest, and provide these as inputs to the openshift-install installation program. For more information, see "Deploying a single-node OpenShift cluster using the openshift-install program".
Additional resources

Installing the Image Based Install Operator

The Image Based Install (IBI) Operator is part of the image-based deployment workflow for preinstalled single-node OpenShift on bare-metal hosts.

The IBI Operator is part of the multicluster engine for Kubernetes Operator from MCE version 2.7.
Prerequisites

  • You logged in as a user with cluster-admin privileges.

  • You deployed a Red Hat Advanced Cluster Management (RHACM) hub cluster or you deployed the multicluster engine for Kubernetes Operator.

  • You reviewed the required versions of software components in the section "Software prerequisites for an image-based installation".

Procedure

  • Set the enabled specification to true for the image-based-install-operator component in the MultiClusterEngine resource by running the following command:

    $ oc patch multiclusterengines.multicluster.openshift.io multiclusterengine --type json \
--patch '[{"op": "add", "path":"/spec/overrides/components/-", "value": {"name":"image-based-install-operator","enabled": true}}]'
Verification

  • Check that the Image Based Install Operator pod is running by running the following command:

    $ oc get pods -A | grep image-based
    Example output
    multicluster-engine             image-based-install-operator-57fb8sc423-bxdj8             2/2     Running     0               5m

Deploying a managed single-node OpenShift cluster using the IBI Operator

Create the site-specific configuration resources in the hub cluster to initiate the image-based deployment of a preinstalled host.

When you create these configuration resources in the hub cluster, the Image Based Install (IBI) Operator generates a configuration ISO and attaches it to the target host to begin the site-specific configuration process. When the configuration process completes, the single-node OpenShift cluster is ready.

For more information about the configuration resources that you must configure in the hub cluster, see "Cluster configuration resources for deploying a preinstalled host".
Prerequisites

  • You preinstalled a host with single-node OpenShift using an image-based installation.

  • You logged in as a user with cluster-admin privileges.

  • You deployed a Red Hat Advanced Cluster Management (RHACM) hub cluster or you deployed the multicluster engine for Kubernetes operator (MCE).

  • You installed the IBI Operator on the hub cluster.

  • You created a pull secret to authenticate pull requests. For more information, see "Using image pull secrets".

Procedure

  1. Create the ibi-ns namespace by running the following command:

    $ oc create namespace ibi-ns

  2. Create the Secret resource for your image registry:

    1. Create a YAML file that defines the Secret resource for your image registry:

      Example secret-image-registry.yaml file
      apiVersion: v1
kind: Secret
metadata:
  name: ibi-image-pull-secret
  namespace: ibi-ns
stringData:
  .dockerconfigjson: <base64-docker-auth-code> (1)
type: kubernetes.io/dockerconfigjson
      1 You must provide base64-encoded credential details. See the "Additional resources" section for more information about using image pull secrets.

    2. Create the Secret resource for your image registry by running the following command:

      $ oc create -f secret-image-registry.yaml

  3. Optional: Configure static networking for the host:

    1. Create a Secret resource containing the static network configuration in nmstate format:

      Example host-network-config-secret.yaml file
      apiVersion: v1
kind: Secret
metadata:
 name: host-network-config-secret (1)
 namespace: ibi-ns
type: Opaque
stringData:
 nmstate: | (2)
  interfaces:
    - name: ens1f0 (3)
      type: ethernet
      state: up
      ipv4:
        enabled: true
        address:
          - ip: 192.168.200.25
            prefix-length: 24
        dhcp: false (4)
      ipv6:
        enabled: false
  dns-resolver:
    config:
      server:
        - 192.168.15.47 (5)
        - 192.168.15.48
  routes:
    config: (6)
      - destination: 0.0.0.0/0
        metric: 150
        next-hop-address: 192.168.200.254
        next-hop-interface: ens1f0
        table-id: 254
      1 Specify the name for the Secret resource.
      2 Define the static network configuration in nmstate format.
      3 Specify the name of the interface on the host. The name of the interface must match the actual NIC name as shown in the operating system. To use your MAC address for NIC matching, set the identifier field to mac-address.
      4 You must specify dhcp: false to ensure nmstate assigns the static IP address to the interface.
      5 Specify one or more DNS servers that the system will use to resolve domain names.
      6 In this example, the default route is configured through the ens1f0 interface to the next hop IP address 192.168.200.254.

  4. Create the BareMetalHost and Secret resources:

    1. Create a YAML file that defines the BareMetalHost and Secret resources:

      Example ibi-bmh.yaml file
      apiVersion: metal3.io/v1alpha1
kind: BareMetalHost
metadata:
  name: ibi-bmh (1)
  namespace: ibi-ns
spec:
  online: false (2)
  bootMACAddress: 00:a5:12:55:62:64 (3)
  bmc:
    address: redfish-virtualmedia+http://192.168.111.1:8000/redfish/v1/Systems/8a5babac-94d0-4c20-b282-50dc3a0a32b5 (4)
    credentialsName: ibi-bmh-bmc-secret (5)
  preprovisioningNetworkDataName: host-network-config-secret (6)
  automatedCleaningMode: disabled (7)
  externallyProvisioned: true (8)
---
apiVersion: v1
kind: Secret
metadata:
  name: ibi-bmh-secret (9)
  namespace: ibi-ns
type: Opaque
data:
  username: <user_name> (10)
  password: <password> (11)
      1 Specify the name for the BareMetalHost resource.
      2 Specify if the host should be online.
      3 Specify the host boot MAC address.
      4 Specify the BMC address. You can only use bare-metal host drivers that support virtual media networking booting, for example redfish-virtualmedia and idrac-virtualmedia.
      5 Specify the name of the bare-metal host Secret resource.
      6 Optional: If you require static network configuration for the host, specify the name of the Secret resource containing the configuration.
      7 You must specify automatedCleaningMode:disabled to prevent the provisioning service from deleting all preinstallation artifacts, such as the seed image, during disk inspection.
      8 You must specify externallyProvisioned: true to enable the host to boot from the preinstalled disk, instead of the configuration ISO.
      9 Specify the name for the Secret resource.
      10 Specify the username.
      11 Specify the password.

    2. Create the BareMetalHost and Secret resources by running the following command:

      $ oc create -f ibi-bmh.yaml

  5. Create the ClusterImageSet resource:

    1. Create a YAML file that defines the ClusterImageSet resource:

      Example ibi-cluster-image-set.yaml file
      apiVersion: hive.openshift.io/v1
kind: ClusterImageSet
metadata:
  name: ibi-img-version-arch (1)
spec:
  releaseImage: ibi.example.com:path/to/release/images:version-arch (2)
      1 Specify the name for the ClusterImageSet resource.
      2 Specify the address for the release image to use for the deployment. If you use a different image registry compared to the image registry used during seed image generation, ensure that the OpenShift Container Platform version for the release image remains the same.

    2. Create the ClusterImageSet resource by running the following command:

      $ oc apply -f ibi-cluster-image-set.yaml

  6. Create the ImageClusterInstall resource:

    1. Create a YAML file that defines the ImageClusterInstall resource:

      Example ibi-image-cluster-install.yaml file
      apiVersion: extensions.hive.openshift.io/v1alpha1
kind: ImageClusterInstall
metadata:
  name: ibi-image-install (1)
  namespace: ibi-ns
spec:
  bareMetalHostRef:
    name: ibi-bmh (2)
    namespace: ibi-ns
  clusterDeploymentRef:
    name: ibi-cluster-deployment (3)
  hostname: ibi-host (4)
  imageSetRef:
    name: ibi-img-version-arch (5)
  machineNetwork: 10.0.0.0/24 (6)
  proxy: (7)
    httpProxy: "http://proxy.example.com:8080"
    #httpsProxy: "http://proxy.example.com:8080"
    #noProxy: "no_proxy.example.com"
      1 Specify the name for the ImageClusterInstall resource.
      2 Specify the BareMetalHost resource that you want to target for the image-based installation.
      3 Specify the name of the ClusterDeployment resource that you want to use for the image-based installation of the target host.
      4 Specify the hostname for the cluster.
      5 Specify the name of the ClusterImageSet resource you used to define the container release images to use for deployment.
      6 Specify the public CIDR (Classless Inter-Domain Routing) of the external network.
      7 Optional: Specify a proxy to use for the cluster deployment.

      If your cluster deployment requires a proxy configuration, you must do the following:

      • Create a seed image from a seed cluster featuring a proxy configuration. The proxy configurations do not have to match.

      • Configure the machineNetwork field in your installation manifest.

    2. Create the ImageClusterInstall resource by running the following command:

      $ oc create -f ibi-image-cluster-install.yaml

  7. Create the ClusterDeployment resource:

    1. Create a YAML file that defines the ClusterDeployment resource:

      Example ibi-cluster-deployment.yaml file
      apiVersion: hive.openshift.io/v1
kind: ClusterDeployment
metadata:
  name: ibi-cluster-deployment (1)
  namespace: ibi-ns (2)
spec:
  baseDomain: example.com (3)
  clusterInstallRef:
    group: extensions.hive.openshift.io
    kind: ImageClusterInstall
    name: ibi-image-install (4)
    version: v1alpha1
  clusterName: ibi-cluster (5)
  platform:
    none: {}
  pullSecretRef:
    name: ibi-image-pull-secret (6)
      1 Specify the name for the ClusterDeployment resource.
      2 Specify the namespace for the ClusterDeployment resource.
      3 Specify the base domain that the cluster should belong to.
      4 Specify the name of the ImageClusterInstall in which you defined the container images to use for the image-based installation of the target host.
      5 Specify a name for the cluster.
      6 Specify the secret to use for pulling images from your image registry.

    2. Create the ClusterDeployment resource by running the following command:

      $ oc apply -f ibi-cluster-deployment.yaml

  8. Create the ManagedCluster resource:

    1. Create a YAML file that defines the ManagedCluster resource:

      Example ibi-managed.yaml file
      apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  name: sno-ibi (1)
spec:
  hubAcceptsClient: true (2)
      1 Specify the name for the ManagedCluster resource.
      2 Specify true to enable RHACM to mange the cluster.

    2. Create the ManagedCluster resource by running the following command:

      $ oc apply -f ibi-managed.yaml
Verification

  • Check the status of the ImageClusterInstall in the hub cluster to monitor the progress of the target host installation by running the following command:

    $ oc get imageclusterinstall
    Example output
    NAME       REQUIREMENTSMET           COMPLETED                     BAREMETALHOSTREF
target-0   HostValidationSucceeded   ClusterInstallationSucceeded  ibi-bmh

    If the ImageClusterInstall resource is deleted, the IBI Operator reattaches the BareMetalHost resource and reboots the machine.
Additional resources

Cluster configuration resources for deploying a preinstalled host

To complete a deployment for a preinstalled host at a remote site, you must configure the following site-specifc cluster configuration resources in the hub cluster for each bare-metal host.

Table 1. Cluster configuration resources reference
Resource Description

Namespace

Namespace for the managed single-node OpenShift cluster.

BareMetalHost

Describes the physical host and its properties, such as the provisioning and hardware configuration.

Secret for the bare-metal host

Credentials for the host BMC.

Secret for the bare-metal host static network configuration

Optional: Describes static network configuration for the target host.

Secret for the image registry

Credentials for the image registry. The secret for the image registry must be of type kubernetes.io/dockerconfigjson.

ImageClusterInstall

References the bare-metal host, deployment, and image set resources.

ClusterImageSet

Describes the release images to use for the cluster.

ClusterDeployment

Describes networking, authentication, and platform-specific settings.

ManagedCluster

Describes cluster details to enable Red Hat Advanced Cluster Management (RHACM) to register and manage.

ConfigMap

Optional: Describes additional configurations for the cluster deployment, such as adding a bundle of trusted certificates for the host to ensure trusted communications for cluster services.

ImageClusterInstall resource API specifications

The following content describes the API specifications for the ImageClusterInstall resource. This resource is the endpoint for the Image Based Install Operator.

Table 2. Required specifications
Specification Type Description

imageSetRef

string

Specify the name of the ClusterImageSet resource that defines the release images for the deployment.

hostname

string

Specify the hostname for the cluster.

sshKey

string

Specify your SSH key to provide SSH access to the target host.
Table 3. Optional specifications
Specification Type Description

clusterDeploymentRef

string

Specify the name of the ClusterDeployment resource that you want to use for the image-based installation of the target host.

clusterMetadata

string

After the deployment completes, this specification is automatically populated with metadata information about the cluster, including the cluster-admin kubeconfig credentials for logging in to the cluster.

imageDigestSources

string

Specifies the sources or repositories for the release-image content, for example:

imageDigestSources:
  - mirrors:
      - "registry.example.com:5000/ocp4/openshift4"
    source: "quay.io/openshift-release-dev/ocp-release"

extraManifestsRefs

string

Specify a ConfigMap resource containing additional manifests to be applied to the target cluster.

bareMetalHostRef

string

Specify the bareMetalHost resource to use for the cluster deployment

machineNetwork

string

Specify the public CIDR (Classless Inter-Domain Routing) of the external network.

proxy

string

Specifies proxy settings for the cluster, for example:

proxy:
  httpProxy: "http://proxy.example.com:8080"
  httpsProxy: "http://proxy.example.com:8080"
  noProxy: "no_proxy.example.com"

caBundleRef

string

Specify a ConfigMap resource containing the new bundle of trusted certificates for the host.

ConfigMap resources for extra manifests

You can optionally create a ConfigMap resource to define additional manifests in an image-based deployment for managed single-node OpenShift clusters.

After you create the ConfigMap resource, reference it in the ImageClusterInstall resource. During deployment, the IBI Operator includes the extra manifests in the deployment.

Creating a ConfigMap resource to add extra manifests in an image-based deployment

You can use a ConfigMap resource to add extra manifests to the image-based deployment for single-node OpenShift clusters.

The following example adds an single-root I/O virtualization (SR-IOV) network to the deployment.

Prerequisites

  • You preinstalled a host with single-node OpenShift using an image-based installation.

  • You logged in as a user with cluster-admin privileges.

Procedure

  1. Create the SriovNetworkNodePolicy and SriovNetwork resources:

    1. Create a YAML file that defines the resources:

      Example sriov-extra-manifest.yaml file
      apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: "example-sriov-node-policy"
  namespace: openshift-sriov-network-operator
spec:
  deviceType: vfio-pci
  isRdma: false
  nicSelector:
    pfNames: [ens1f0]
  nodeSelector:
    node-role.kubernetes.io/master: ""
  mtu: 1500
  numVfs: 8
  priority: 99
  resourceName: example-sriov-node-policy
---
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetwork
metadata:
  name: "example-sriov-network"
  namespace: openshift-sriov-network-operator
spec:
  ipam: |-
    {
    }
  linkState: auto
  networkNamespace: sriov-namespace
  resourceName: example-sriov-node-policy
  spoofChk: "on"
  trust: "off"

    2. Create the ConfigMap resource by running the following command:

      $ oc create configmap sr-iov-extra-manifest --from-file=sriov-extra-manifest.yaml -n ibi-ns (1)
      1 Specify the namespace that has the ImageClusterInstall resource.
      Example output
      configmap/sr-iov-extra-manifest created

  2. Reference the ConfigMap resource in the spec.extraManifestsRefs field of the ImageClusterInstall resource:

    #...
  spec:
    extraManifestsRefs:
    - name: sr-iov-extra-manifest
#...

Creating a ConfigMap resource to add a CA bundle in an image-based deployment

You can use a ConfigMap resource to add a certificate authority (CA) bundle to the host to ensure trusted communications for cluster services.

After you create the ConfigMap resource, reference it in the spec.caBundleRef field of the ImageClusterInstall resource.

Prerequisites

  • You preinstalled a host with single-node OpenShift using an image-based installation.

  • You logged in as a user with cluster-admin privileges.

Procedure

  1. Create a CA bundle file such as the following file:

    Example example-ca.crt
    -----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKmjYKJbIyz3MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
...Custom CA certificate bundle...
4WPl0Qb27Sb1xZyAsy1ww6MYb98EovazUSfjYr2EVF6ThcAPu4/sMxUV7He2J6Jd
cA8SMRwpUbz3LXY=
-----END CERTIFICATE-----

  2. Create the ConfigMap object by running the following command:

    $ oc create configmap custom-ca --from-file=example-ca.crt -n ibi-ns (1)
    1 Specify the namespace that has the ImageClusterInstall resource.
    Example output
    configmap/custom-ca created

  3. Reference the ConfigMap resource in the spec.caBundleRef field of the ImageClusterInstall resource:

    #...
  spec:
    caBundleRef:
      name: custom-ca
#...
Additional resources