By using the Customer Cloud Subscription (CCS) billing model, you can create an OpenShift Dedicated cluster in an existing Google Cloud Platform (GCP) account that you own.

You must meet several prerequisites if you use the CCS model to deploy and manage OpenShift Dedicated in your GCP account.

Prerequisites

- You have configured your GCP account for use with OpenShift Dedicated.
- You have configured the GCP account quotas and limits that are required to support the desired cluster size.
- You have created a GCP project.
  | The project name must be 10 characters or less. |
- You have enabled the Google Cloud Resource Manager API in your GCP project. For more information about enabling APIs for your project, see the Google Cloud documentation.
- You have an IAM service account in GCP called osd-ccs-admin with the following roles attached:
- You have created a key for your osd-ccs-admin GCP service account and exported it to a file named osServiceAccount.json.
  | For more information about creating a key for your GCP service account and exporting it to a JSON file, see Creating service account keys in the Google Cloud documentation. |
- Consider having Production Support or higher from GCP.
- To prevent potential conflicts, consider having no other resources provisioned in the project prior to installing OpenShift Dedicated.
- If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into.
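The following script is an added example, not Red Hat's or Google's code, that checks the two prerequisites above which are easy to get wrong before you paste anything into OpenShift Cluster Manager: the 10-character project name limit and the shape and file permissions of the exported osServiceAccount.json key. The provisioning function at the end assumes an installed and authenticated gcloud CLI and only runs when you pass the word provision; it does not attach IAM roles, because the role list is not reproduced here. The sample key it writes is a constructed placeholder with a fake private key body.

```shell
#!/bin/sh
# Added example (not Red Hat's or Google's code): local checks for the
# OpenShift Dedicated CCS prerequisites. Assumes gcloud is installed and
# authenticated only for the optional provisioning step at the bottom.

# OpenShift Dedicated requires the GCP project name to be 10 characters or less.
check_project_name() {
  name=$1
  if [ "${#name}" -gt 10 ]; then
    echo "project name '$name' is ${#name} characters; OpenShift Dedicated allows at most 10" >&2
    return 1
  fi
  return 0
}

# Sanity-check an exported service account key: it must be a service_account
# key for the expected account, carry a private key, and not be readable by
# other users (it is a long-lived credential).
check_key_file() {
  file=$1
  account=${2:-osd-ccs-admin}
  [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
  grep -q '"type": *"service_account"' "$file" \
    || { echo "$file: not a service account key (missing type)" >&2; return 1; }
  grep -q "\"client_email\": *\"$account@" "$file" \
    || { echo "$file: client_email is not $account@<project>.iam.gserviceaccount.com" >&2; return 1; }
  grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----' "$file" \
    || { echo "$file: private_key field missing" >&2; return 1; }
  # Columns 5-10 of ls -l are the group and other permission bits; all must be off.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "$file: readable by group or other users; run chmod 600 $file" >&2
    return 1
  fi
  return 0
}

# Writes a CONSTRUCTED placeholder key with the layout of a real export.
# The private key body is fake, so the file is only useful for testing the checks.
write_sample_key() {
  file=$1
  project=${2:-osd-ccs-01}
  cat > "$file" <<EOF
{
  "type": "service_account",
  "project_id": "$project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "osd-ccs-admin@$project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  chmod 600 "$file"
}

# Creates the osd-ccs-admin account and exports its key with gcloud.
# The IAM roles required by the prerequisite list still have to be attached
# separately; they are not shown here.
provision_osd_service_account() {
  project=$1
  check_project_name "$project" || return 1
  gcloud services enable cloudresourcemanager.googleapis.com --project "$project"
  gcloud iam service-accounts create osd-ccs-admin --display-name "osd-ccs-admin" --project "$project"
  gcloud iam service-accounts keys create osServiceAccount.json \
    --iam-account "osd-ccs-admin@$project.iam.gserviceaccount.com" --project "$project"
  chmod 600 osServiceAccount.json
  check_key_file osServiceAccount.json osd-ccs-admin
}

# Usage: sh osd_ccs_prereqs.sh PROJECT_ID [provision]
# Without "provision", a constructed sample key is written and checked locally.
if [ "$#" -ge 1 ]; then
  case "${2:-check}" in
    provision) provision_osd_service_account "$1" ;;
    *) write_sample_key ./sample-key.json "$1" && check_key_file ./sample-key.json && echo "sample key passes checks" ;;
  esac
fi
```

Run the check mode first on a copy of your real key (check_key_file ./osServiceAccount.json) before uploading it; the permission check is the one people skip, and a 644 key file in a shared home directory is readable by every other account on that machine.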
Procedure

- Log in to OpenShift Cluster Manager Hybrid Cloud Console and click Create cluster.
- On the Create an OpenShift cluster page, select Create cluster in the Red Hat OpenShift Dedicated row.
- Under Billing model, configure the subscription type and infrastructure type:
  - Select a subscription type. For information about OpenShift Dedicated subscription options, see Managing OpenShift Dedicated cluster subscriptions in the OpenShift Cluster Manager documentation.
    | The subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support. |
  - Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own.
  - Click Next.
- Select Run on Google Cloud Platform.
- After selecting your cloud provider, review and complete the listed Prerequisites. Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
- Provide your GCP service account private key in JSON format. You can either click Browse to locate and attach a JSON file or add the details in the Service account JSON field.
- Click Next to validate your cloud provider account and go to the Cluster details page.
- On the Cluster details page, provide a name for your cluster and specify the cluster details:
  - Add a Cluster name.
  - Select a cluster version from the Version drop-down menu.
  - Select a cloud provider region from the Region drop-down menu.
  - Select a Single zone or Multi-zone configuration.
  - Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
  - Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.
    | By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case. |
  - Optional: Select Encrypt persistent volumes with customer keys if you want to provide your own encryption keys through the Google Cloud Key Management Service. The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
    | Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key. PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key. |
  - Click Next.
- On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.
  | After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your OpenShift Dedicated subscription. |
- Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.
- On the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster.
  | If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account. |
- Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):
  - Select Install into an existing VPC.
  - If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
- Click Next.
- If you opted to install the cluster in an existing GCP VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the additional resources for information about Cloud NATs and Google VPCs.
- If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:
  - Enter a value in at least one of the following fields:
    - Specify a valid HTTP proxy URL.
    - Specify a valid HTTPS proxy URL.
    - In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.
      | If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy. |
  - Click Next.
  For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.
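The following script is an added example, not Red Hat's code, that pre-flights the three Cluster-wide proxy fields before you click Next: at least one of the fields must be filled, proxy URLs must be http:// or https:// with a host, and a trust bundle must be a PEM file with balanced CERTIFICATE blocks. A bundle supplied without any proxy URL is accepted, because the console accepts it, but the script reports that it will not be used with a proxy. The sample bundle it writes is constructed and contains placeholder bodies, not real certificates; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's code): pre-flight checks for the cluster-wide
# proxy fields. Arguments are the HTTP proxy URL, the HTTPS proxy URL and the
# trust bundle path as entered in OpenShift Cluster Manager; "" means not set.

# A proxy URL must use http:// or https:// and have a non-empty host part.
valid_proxy_url() {
  case "$1" in
    http://?*|https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Counts PEM certificate blocks in a bundle and prints the count.
# Fails when BEGIN/END markers are unbalanced or no certificate is present,
# which usually means a DER file, a PKCS#12 bundle or a truncated paste.
count_pem_certs() {
  file=$1
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -ne "$ends" ] || [ "$begins" -eq 0 ]; then
    echo "$file: expected balanced PEM CERTIFICATE blocks, found $begins BEGIN / $ends END" >&2
    return 1
  fi
  echo "$begins"
}

# validate_proxy_config HTTP_URL HTTPS_URL BUNDLE_FILE
# Returns 0 when the combination can be submitted; warnings go to stderr.
validate_proxy_config() {
  http=$1; https=$2; bundle=$3
  status=0
  if [ -z "$http" ] && [ -z "$https" ]; then
    if [ -n "$bundle" ]; then
      echo "warning: trust bundle given without an HTTP/HTTPS proxy URL; it is set on the cluster but not used with a proxy" >&2
    else
      echo "error: at least one of HTTP proxy URL, HTTPS proxy URL or trust bundle is required" >&2
      return 1
    fi
  fi
  for url in "$http" "$https"; do
    [ -z "$url" ] && continue
    valid_proxy_url "$url" || { echo "error: '$url' is not an http:// or https:// URL" >&2; status=1; }
  done
  if [ -n "$bundle" ]; then
    [ -f "$bundle" ] || { echo "error: bundle $bundle not found" >&2; return 1; }
    n=$(count_pem_certs "$bundle") || return 1
    echo "trust bundle $bundle contains $n certificate(s)"
  fi
  return $status
}

# Writes a CONSTRUCTED two-certificate bundle with placeholder bodies for testing.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERT1NOTREAL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERT2NOTREAL
-----END CERTIFICATE-----
EOF
}

# Usage: sh osd_proxy_check.sh HTTP_URL HTTPS_URL BUNDLE_FILE
if [ "$#" -eq 3 ]; then
  validate_proxy_config "$1" "$2" "$3" && echo "proxy configuration OK"
fi
```

If your bundle comes from a transparent MITM proxy, run the check on the exact file you intend to upload; a bundle that has been converted to DER or concatenated with a private key by mistake fails the PEM count, and that is the failure you want to catch before the cluster nodes try to trust it.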
- In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
  | If you are installing into a VPC, the Machine CIDR range must match the VPC subnets. |
  | CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding. |
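Because the CIDR values cannot be changed after installation, the following added example (not Red Hat's code) checks a proposed layout before you submit it: the machine, service and pod ranges must not overlap each other, and every VPC subnet the cluster will be installed into must fall inside the Machine CIDR, which is how this example interprets "the Machine CIDR range must match the VPC subnets". It uses only POSIX shell arithmetic, handles IPv4 only, and the field order of validate_cluster_cidrs is this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's code): validates OpenShift Dedicated CIDR ranges
# against the VPC subnets before the values are locked in at installation.
# IPv4 only; no tools beyond POSIX sh arithmetic are required.

# Dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Prints "first last" as integers for a block such as 10.0.0.0/16.
# Rejects a missing or out-of-range prefix length.
cidr_range() {
  ip=${1%/*}
  prefix=${1#*/}
  case "$prefix" in
    ''|*[!0-9]*) echo "bad prefix length in $1" >&2; return 1 ;;
  esac
  [ "$prefix" -le 32 ] || { echo "bad prefix length in $1" >&2; return 1; }
  base=$(ip4_to_int "$ip")
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  first=$(( base & mask ))
  last=$(( first | (mask ^ 4294967295) ))
  echo "$first $last"
}

# cidr_contains OUTER INNER: true when INNER lies entirely inside OUTER.
cidr_contains() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$#" -eq 4 ] && [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# cidr_overlaps A B: true when the two blocks share at least one address.
cidr_overlaps() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$#" -eq 4 ] && [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# validate_cluster_cidrs MACHINE_CIDR SERVICE_CIDR POD_CIDR VPC_SUBNET_CIDR...
# Returns 0 when the three cluster ranges are pairwise disjoint and every VPC
# subnet falls inside the Machine CIDR; every violation is reported to stderr.
validate_cluster_cidrs() {
  machine=$1; service=$2; pod=$3; shift 3
  status=0
  if cidr_overlaps "$machine" "$service"; then
    echo "Machine CIDR $machine overlaps Service CIDR $service" >&2; status=1
  fi
  if cidr_overlaps "$machine" "$pod"; then
    echo "Machine CIDR $machine overlaps Pod CIDR $pod" >&2; status=1
  fi
  if cidr_overlaps "$service" "$pod"; then
    echo "Service CIDR $service overlaps Pod CIDR $pod" >&2; status=1
  fi
  for subnet in "$@"; do
    if ! cidr_contains "$machine" "$subnet"; then
      echo "VPC subnet $subnet is outside Machine CIDR $machine" >&2; status=1
    fi
  done
  return $status
}

# Usage: sh osd_cidr_check.sh MACHINE_CIDR SERVICE_CIDR POD_CIDR VPC_SUBNET_CIDR...
if [ "$#" -ge 4 ]; then
  validate_cluster_cidrs "$@" && echo "CIDR layout OK"
fi
```

Run it with the subnets you actually created in the VPC, for example the output of `gcloud compute networks subnets list --format='value(ipCidrRange)'`, rather than values copied from a design document; the common mistake is a Machine CIDR that is narrower than the subnets the Cloud NAT and router were built for.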
- On the Cluster update strategy page, configure your update preferences:
  - Choose a cluster update method:
    - Select Individual updates if you want to schedule each update individually. This is the default option.
    - Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.
      | You can review the end-of-life dates in the update life cycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle. |
  - Provide administrator approval based on your cluster update method:
    - Individual updates: If you select an update version that requires approval, provide an administrator's acknowledgment and click Approve and continue.
    - Recurring updates: If you selected recurring updates for your cluster, provide an administrator's acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator's acknowledgment.
  - If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
  - Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.
  - Click Next.
  | In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings. |
- Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.