
Pre-requisites

Preparing Pre-requisites

We will deploy the OCP cluster using the IPI method once the following pre-requisites are met. Make sure every pre-requisite is prepared before moving on.

Preparing your HPOC cluster

Do you have enough compute resources?

We have planned enough resources in Nutanix cluster for you to deploy OCP cluster and workloads as well.

For latest OCP resource requirements refer to OpenShift portal here.

At the time of writing this document the following resources are created by OCP IPI installer.

OCP Role   | Operating System             | vCPU | RAM   | Storage
-----------|------------------------------|------|-------|--------
Master x 3 | RHCOS                        | 8    | 16 GB | 120 GB
Worker x 2 | RHCOS, RHEL 7.9, or RHEL 8.4 | 4    | 16 GB | 120 GB

Additional space for the bootstrap VMs (deleted after install) and the RHCOS image files is also accounted for.

AHV Networking

We will first find two free IPs in our network for the OCP api and apps ingress endpoints and add them to the Primary IPAM network blacklist, so that IPAM does not hand them out to other VMs.

  1. Find the CIDR range for your Primary IPAM network either from RX or from your instructor

    CIDR example for your Nutanix cluster
    10.38.18.192/26
  2. Logon to your UserXX-LinuxToolsVM Terminal in the browser using code-server that you installed in the previous section

  3. Find two unused static IP addresses

    nmap -v -sn 10.x.x.x/x # use Nutanix Cluster's IPAM CIDR
    Sample output - choose the first two consecutive IPs reported as down
    Nmap scan report for 10.38.18.219 [host down]
    Nmap scan report for 10.38.18.220 [host down]
    Nmap scan report for 10.38.18.221
    Host is up (-0.098s latency).

    Note that nmap -sn only shows that an address did not answer the probes (a host that filters them also shows as down); the blacklist entry in the next step is what actually reserves the addresses.
  4. Logon to any CVM in your cluster and execute the following to add chosen static IPs to the Primary IPAM network

    • Username: nutanix
    • Password: your cluster password # Use Lookup Tool to find your CVM/PE Cluster password
    acli net.add_to_ip_blacklist <your-ipam-ahv-network> ip_list=10.38.18.219,10.38.18.220

Add DNS Records

In this section we will add PC, API and APPS Ingress DNS records for lookup by OCP IPI installer.

Your OCP cluster's name becomes a subdomain in your DNS zone ntnxlab.local. All OCP cluster related lookups are located within that subdomain.

  • Main domain - ntnxlab.local (this gets created with your HPOC reservation)
    • Sub domain - ocpuserXX.ntnxlab.local (ocpuserXX, e.g. ocpuser01 or ocpuser02, is your OCP cluster's name)
  1. Logon to the AutoAD windows VM

    Username: administrator

    Password: default # Use lookup tool to find the password

  2. We will add the following entries to the DNS server using the two consecutive IPs you found in the previous section

    Use your assigned HPOC cluster's IP Addresses

    The IP addresses in the following commands are used as an example. You should use IP address details that belong to your HPOC cluster.

    For information on locating your cluster IP see Lookup website.

    10.38.18.219   api.ocpuserXX.ntnxlab.local
    10.38.18.220 *.apps.ocpuserXX.ntnxlab.local
    10.38.18.201 pc.ntnxlab.local
  3. Open PowerShell ISE as Administrator and create the two A records

    caution

    Create entry for Prism Central (pc) only if it is not present

    Add the API A record - use your own subdomain
    Add-DnsServerResourceRecordA -Name api.<ocpuserXX> -IPv4Address <your API IP> -ZoneName ntnxlab.local -ZoneScope ntnxlab.local
    Add the apps Ingress A record - use your own subdomain
    Add-DnsServerResourceRecordA -Name *.apps.<ocpuserXX> -IPv4Address <your Ingress IP> -ZoneName ntnxlab.local -ZoneScope ntnxlab.local 
    Optional - Add the Prism Central A record - if not present
    Add-DnsServerResourceRecordA -Name pc -IPv4Address <your PC IP> -ZoneName ntnxlab.local -ZoneScope ntnxlab.local 
  4. Test name resolution for added entries from AutoAD VM

    nslookup api.ocpuser01.ntnxlab.local
    Server: dc.ntnxlab.local
    Address: 10.38.18.203

    Name: api.ocpuser01.ntnxlab.local
    Address: 10.38.18.219
    nslookup myapp.apps.ocpuser01.ntnxlab.local
    Server: dc.ntnxlab.local
    Address: 10.38.18.203

    Name: myapp.apps.ocpuser01.ntnxlab.local
    Address: 10.38.18.220
    nslookup pc.ntnxlab.local
    Server: dc.ntnxlab.local
    Address: 10.38.18.203

    Name: pc.ntnxlab.local
    Address: 10.38.3.201
  5. Test name resolution for added entries from UserXX-LinuxToolsVM
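Step 3 of AHV Networking (choosing two free IPs) and step 5 above (resolution from the LinuxToolsVM) can both be checked from the VM's shell. The script below is an added example and not part of the lab guide: check_endpoint_ips confirms the two addresses are distinct, usable host addresses inside your Primary IPAM CIDR, and check_dns confirms the api and wildcard apps names resolve to the IPs you reserved. It assumes only a POSIX shell, awk and getent; the CIDR and IPs at the bottom are the sample values from this page.

```shell
#!/bin/sh
# Added example, not part of the lab guide.
# check_endpoint_ips: the api and apps IPs must be distinct and be usable host
#   addresses inside the Primary IPAM CIDR (not the network or broadcast address).
# check_dns: once the A records exist, each name must resolve to the reserved IP
#   (run on the UserXX-LinuxToolsVM; needs the lab DNS server to be reachable).

# Dotted quad -> 32-bit integer, e.g. 10.38.18.219
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a usable host address inside CIDR $2, e.g. 10.38.18.192/26
ip_usable_in_cidr() {
  _ip=$(ip_to_int "$1")
  _net=$(ip_to_int "${2%/*}")
  _bits=${2#*/}
  _size=$(( 1 << (32 - _bits) ))
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  _first=$(( (_net & _mask) + 1 ))           # first host address in the block
  _last=$(( (_net & _mask) + _size - 2 ))    # last host address (broadcast - 1)
  [ "$_ip" -ge "$_first" ] && [ "$_ip" -le "$_last" ]
}

# usage: check_endpoint_ips <cidr> <api-ip> <apps-ip>   (returns 0 when both are acceptable)
check_endpoint_ips() {
  cidr=$1; api_ip=$2; apps_ip=$3
  if [ "$api_ip" = "$apps_ip" ]; then
    echo "FAIL: api and apps ingress need different IPs"; return 1
  fi
  for ip in "$api_ip" "$apps_ip"; do
    ip_usable_in_cidr "$ip" "$cidr" \
      || { echo "FAIL: $ip is not a usable host address in $cidr"; return 1; }
  done
  echo "OK: $api_ip (api) and $apps_ip (apps) are usable host addresses in $cidr"
}

# usage: check_dns <cluster-subdomain> <api-ip> <apps-ip>
# test.apps.<sub> exercises the wildcard record, like "nslookup myapp.apps..." above.
check_dns() {
  sub=$1; rc=0
  for pair in "api.$sub=$2" "test.apps.$sub=$3"; do
    name=${pair%=*}; want=${pair#*=}
    got=$(getent ahostsv4 "$name" | awk 'NR==1 {print $1}')
    if [ "$got" = "$want" ]; then echo "OK: $name -> $got"
    else echo "FAIL: $name -> ${got:-no answer}, expected $want"; rc=1; fi
  done
  return $rc
}

# Sample run with this page's example values (constructed, replace with yours):
check_endpoint_ips 10.38.18.192/26 10.38.18.219 10.38.18.220
# On the LinuxToolsVM, after the DNS records exist:
# check_dns ocpuserXX.ntnxlab.local 10.38.18.219 10.38.18.220
```

A FAIL from check_dns after the records were added usually means the VM is not using dc.ntnxlab.local as its resolver, or a stale answer is cached; fix that before running the installer, because openshift-install resolves both names during the install.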

Downloading OCP Tools

We will need the OCP tools mentioned in the pre-requisites section to prepare our environment.

OCP Tools information

You can get the URLs to download the tools and pull secret from RedHat Console:

Openshift > Clusters > Create Clusters > Datacenter > Nutanix AOS

For this section, using the download links provided here is also fine.

  1. Logon to UserXX-LinuxToolsVM

  2. Go to Terminal in VSCode on the browser

  3. Create a folder named after your user name from the cluster lookup site (if you are in a lab environment)

    Use your user number - for example ocpuser01
    cd $HOME
    mkdir ocpuserXX # e.g. mkdir ocpuser01
    cd ocpuserXX # e.g. cd ocpuser01
    curl -O https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz
    curl -O https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-install-linux.tar.gz
  4. Extract the binaries and copy them to /usr/local/bin so they are on your PATH

    tar xvf openshift-install-linux.tar.gz 
    tar xvf openshift-client-linux.tar.gz
    Adding to path
    sudo cp kubectl /usr/local/bin
    sudo cp oc /usr/local/bin
    sudo cp openshift-install /usr/local/bin
  5. Go to the IPI Installer Web Console and click on Copy pull secret button

  6. Now that the pull secret value is in your clipboard, paste the string into a pull secret file in the same directory

    vi pull_secret.json
  7. Make sure all the files are in the ocpuserXX directory

    ls -l 
    Directory listing
    -rwxr-xr-x 2 root root 123877776 Aug 29 16:30 kubectl
    -rwxr-xr-x 2 root root 123877776 Aug 29 16:30 oc
    drwxr-x--- 2 root root 4096 Sep 22 06:56 openshift
    -rwxr-xr-x 1 root root 481972224 Sep 1 16:07 openshift-install
    -rw-r--r-- 1 root root 2819 Sep 22 05:27 pull_secret.json

Creating and Installing SSL Certificate on Prism Central

Sharing a Nutanix Cluster?

Only one person needs to do this section to generate and install the SSL certificate for Prism Central.

If you are sharing a HPOC for multiple users, then you need to do this section only once. Decide with other participants sharing your cluster before proceeding.

In this section we will do the following:

  • Create a Root CA on your UserXX-LinuxToolsVM
  • Create a Certificate Signing Request (CSR) for Prism Central
  • Sign the CSR using Root CA's private key

All this will be done on the UserXX-LinuxToolsVM.

  1. Open the VSCode terminal

  2. Install mkcert command

    sudo apt install -y libnss3-tools
    sudo apt install -y mkcert
  3. Create the Root CA certificates

    mkcert --install

    This command installs a local CA on the UserXX-LinuxToolsVM and adds the rootCA.pem public certificate to the system trust store

  4. Copy the contents of rootCA.pem public certificate to your present working directory

    cp /home/ubuntu/.local/share/mkcert/rootCA.pem $HOME/ocpuserXX/
  5. Create public and private key certificates for pc.ntnxlab.local

    mkcert pc.ntnxlab.local
    Command output
    Created a new certificate valid for the following names 📜
    - "pc.ntnxlab.local"

    The certificate is at "./pc.ntnxlab.local.pem" and the key at "./pc.ntnxlab.local-key.pem"

    It will expire on 30 August 2027
  6. List the contents of the directory to make sure all the certificates are present

    ls -l *.pem | awk '{print $9}'
    Output
    pc.ntnxlab.local.pem                ## Prism Central's public certificate signed by Root CA
    pc.ntnxlab.local-key.pem ## Prism Central's private key
    rootCA.pem ## Root CA's public certificate
  7. Print the contents of the certificate files with cat and copy each one into a separate file on your Mac/PC workstation

    cat pc.ntnxlab.local.pem
    cat pc.ntnxlab.local-key.pem
    cat rootCA.pem
  8. Create these files on Mac/PC

    • On a Mac, use vi in Terminal or VSCode (if you already have it installed)
    • On Windows PC, use Notepad or VSCode
    Sharing a Nutanix Cluster?

    If you are the certificate admin, share only the rootCA.pem public certificate with the other users so they can use this to create OCP cluster on the same Nutanix Cluster.

  1. Create a hosts file entry on your Mac/PC for Prism Central's IP with the following content:

    sudo vi /etc/hosts
    Hosts file content
    10.x.x.x   pc.ntnxlab.local
  2. Clear Mac/PC DNS Cache

    sudo dscacheutil -flushcache # macOS
    sudo killall -HUP mDNSResponder # macOS
    On a Windows PC, run ipconfig /flushdns from an elevated prompt instead.
  3. Logon to Prism Central Web GUI on the Mac/PC using Chrome browser

    https://pc.ntnxlab.local/
  4. Go to Settings > SSL Certificate

  5. Click on Replace Certificate

  6. Select Import Key and Certificate

  7. Click Next

  8. Choose the following:

    Private Key Type - RSA 2048 bit

    Private Key - pc.ntnxlab.local-key.pem

    Public Certificate - pc.ntnxlab.local.pem

    CA Certificate/Chain - rootCA.pem

  9. Click on Import Files

  10. Prism Central GUI will accept the certificate and restart for the changes to take effect.

    You have now successfully installed SSL certificate on Prism Central.

    caution

    Do not proceed to the next steps until Prism Central Certificate is installed without errors.

    Contact your lab instructors if you need help with troubleshooting SSL certificate issues.

Setting up Cloud Credential Operator Utility (CCOCTL)

Setting up ccoctl is necessary for the Nutanix cluster credentials to be used with the OCP cluster.

Refer to Cloud Credential Operator CCO for more information.

  1. In the UserXX-LinuxToolsVM, download and setup ccoctl using the following commands

    cd $HOME/ocpuserXX # e.g. cd $HOME/ocpuser01
    RELEASE_IMAGE=$(openshift-install version | awk '/release image/ {print $3}')
    CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE)
    oc image extract $CCO_IMAGE --file="/usr/bin/ccoctl" -a pull_secret.json
    chmod u+x ccoctl
  2. Make sure the ccoctl file is present

    ls -lh ccoctl 
    Output
    -rwxr----- 1 ubuntu ubuntu Apr 19 00:41 ccoctl
  3. Create a Prism Central credentials file in creds directory

    mkdir creds
    cat << EOF > creds/pc_credentials.yaml
    credentials:
    - type: basic_auth
      data:
        prismCentral:
          username: "admin"
          password: "PC-PASSWORD"
    EOF
  4. Edit the pc_credentials.yaml file to change your Prism Central password

    vi creds/pc_credentials.yaml
  5. Extract the CredentialsRequests objects for Nutanix Prism Central and store in a credreqs directory

    oc adm release extract --credentials-requests --cloud=nutanix --to=credreqs -a pull_secret.json $RELEASE_IMAGE
  6. Use the ccoctl tool to process the CredentialsRequests objects and generate secret manifest files. These manifest files will be used during the OCP cluster installation

    ./ccoctl nutanix create-shared-secrets --credentials-requests-dir=credreqs --output-dir=. --credentials-source-filepath=creds/pc_credentials.yaml
    Output
    2022/09/29 23:53:36 Saved credentials configuration to: manifests/openshift-machine-api-nutanix-credentials-credentials.yaml
  7. Check the openshift-machine-api-nutanix-credentials-credentials.yaml file with cat to make sure the contents are correct

    cat manifests/openshift-machine-api-nutanix-credentials-credentials.yaml
    Your credentials will be different
    apiVersion: v1
    kind: Secret
    metadata:
      name: nutanix-credentials
      namespace: openshift-machine-api
    type: Opaque
    data:
      credentials: W3sidHlwZSI6ImJhc2ljX2F1dGgiLCJkYXRhIjp7InByaXNtQ2VudHJhbCI6eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJ0ZWNoWDIwMjAhIn0sInByaXNtRWxlbWVudHMiOm51bGx9fV0=
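The credentials value in step 7 is the base64 encoding of a JSON array built from creds/pc_credentials.yaml, so "making sure the contents are good" means decoding it locally and checking the username and type rather than eyeballing the blob. The script below is an added example, not part of the lab guide or ccoctl: decode_credentials extracts and decodes that field, check_credentials confirms it is a basic_auth entry for the expected Prism Central user, and make_sample_manifest writes a constructed manifest in the same layout as the page's sample (with a placeholder password) so the check can be tried offline. It assumes GNU base64 on the Ubuntu LinuxToolsVM.

```shell
#!/bin/sh
# Added example, not from the lab guide or ccoctl. Decodes the Secret written by
# "ccoctl nutanix create-shared-secrets" and checks it carries the intended
# Prism Central credentials. make_sample_manifest builds a constructed manifest
# in the page's layout for offline use; the password in it is a placeholder.

# usage: decode_credentials <manifest.yaml>   -> prints the decoded JSON array
decode_credentials() {
  awk '/^ *credentials:/ {print $2; exit}' "$1" | base64 -d
}

# usage: check_credentials <manifest.yaml> <expected-username>
# Returns 0 if the payload is a basic_auth entry for that Prism Central user.
# The password is deliberately not echoed; decode_credentials shows it if needed.
check_credentials() {
  json=$(decode_credentials "$1") || { echo "FAIL: could not decode $1"; return 1; }
  case $json in
    *'"type":"basic_auth"'*'"username":"'"$2"'"'*) ;;
    *) echo "FAIL: $1 is not a basic_auth entry for user $2"; return 1 ;;
  esac
  echo "OK: $1 holds basic_auth credentials for Prism Central user $2"
}

# usage: make_sample_manifest <path> <user> <password>
# Constructed sample in the shape shown on the page (ccoctl's own output may
# add fields; this mirrors only what the page displays).
make_sample_manifest() {
  payload=$(printf '[{"type":"basic_auth","data":{"prismCentral":{"username":"%s","password":"%s"},"prismElements":null}}]' "$2" "$3")
  cat > "$1" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: nutanix-credentials
  namespace: openshift-machine-api
type: Opaque
data:
  credentials: $(printf '%s' "$payload" | base64 | tr -d '\n')
EOF
}

# Stand-alone demo on a constructed manifest; on the LinuxToolsVM run instead:
#   check_credentials manifests/openshift-machine-api-nutanix-credentials-credentials.yaml admin
tmp=$(mktemp -d)
make_sample_manifest "$tmp/sample.yaml" admin 'PC-PASSWORD'
check_credentials "$tmp/sample.yaml" admin
rm -rf "$tmp"
```

Both creds/pc_credentials.yaml and the generated manifest contain the Prism Central password in clear (base64 is not encryption), so keep them readable only by your user (chmod 600) and out of any repository; the manifest is consumed by the installer in the next section and should be deleted from the VM once the cluster is up.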

Now that we have all pre-requisites completed, let us move on to creating the OCP cluster IPI installation manifest.