OpenShift 4.9 Installer for Equinix Metal

Home Page: https://registry.terraform.io/modules/equinix/openshift-on-baremetal/metal/latest

License: Apache License 2.0

HCL 50.30% Shell 41.44% Smarty 8.26%

terraform-module equinix-metal openshift

terraform-equinix-metal-openshift-on-baremetal's Introduction

OpenShift via Terraform on Equinix Metal

This collection of modules will deploy a bare metal OpenShift environment consisting of (1) ephemeral bootstrap node, (3) control plane nodes, and a user-configured count of worker nodes¹ on Equinix Metal. DNS records are automatically configured using Cloudflare, AWS Route53, or Linode DNS.

Install

With your Equinix Metal account, project, and a User API token, you can use Terraform v1+ to install a proof-of-concept demonstration environment for OpenShift on Equinix Metal.

Additional requirements

local-exec provisioners require the use of:

curl (install instructions)
jq (install instructions)

Download this project

To download this project, run the following command:

git clone https://github.com/equinix/terraform-metal-openshift-on-baremetal.git
cd terraform-metal-openshift

Usage

Follow this to configure your Equinix Metal project and collect required parameters.
Follow this to configure your Cloudflare account and collect required parameters.
Obtain an OpenShift Cluster Manager API Token for pullSecret generation.

Configure TF_VARs applicable to your Equinix Metal project, DNS settings, and OpenShift API Token:

export TF_VAR_project_id="kajs886-l59-8488-19910kj"
export TF_VAR_auth_token="lka6702KAmVAP8957Abny01051"

export TF_VAR_cluster_basedomain="domain.com"
export TF_VAR_ocp_cluster_manager_token="eyJhbGc...d8Agva"
export TF_VAR_dns_provider="cloudflare" # aws and linode are also supported
export TF_VAR_dns_options='{"email": "[email protected]", "api_key": "...", "api_token": "..."}' # fields differ by DNS provider

Initialize and validate terraform:

terraform init -upgrade
terraform validate

Provision all resources and start the installation. This process takes between 30 and 50 minutes:
```
terraform apply
```
Cleanup the boostrap node once provisioning and installation is complete by permanently (recommended) or temporarily setting count_bootstrap=0
```
terraform apply -var="count_bootstrap=0"
```
If you need to obtain your kubeadmin credentials at a later time:
```
terraform output
```

Experimental Statement

This repository is Experimental!

¹ As of OpenShift Container Platform 4.5 you can deploy three-node clusters on bare metal. Setting count_compute=0 will support deployment of a 3-node cluster. ↩

terraform-equinix-metal-openshift-on-baremetal's People

Contributors

Stargazers

Watchers

Forkers

liveaverage katanagraph saschagrunert ryanoatz99 bridgecrew-perf4 isabella232 anilpatnaik-tech rawkode agonzalezrh codinja1188 aistudio-federated anishmohanmp

terraform-equinix-metal-openshift-on-baremetal's Issues

Bootstrap issues with 4.9.0 image

Hey, I have the issue that the bootstrap node is not bootable any more. The installations seems to be fine, then it restarts the machine from the iPXE process. Then the reboot got stuck with:

Booting from Hard drive C:
..
error: ../../grub-core/disk/i386/pc/biosdisk.c:498:failure reading sector 0x0
from `cd'.

I tried provisioning multiple facilities (da11, ams6, fra1) without any success.

It also happens that the CoreOS kernel boot screen of grub appears, but then the screen turns black via the out of band console. Pinging the machine is possible but not accessing any service like ssh.

Readme fix needed.

some text fixes needed see in code block:

Duplicate words:
This collection of modules will deploy will deploy

Possibly missing word?
a bare metal [OpenShift] (https://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal.html) Something consisting of

Update to the Equinix TF Provider

The Metal provider is deprecated. Update the module to use the Equinix provider.

The release notes may be used to communicate upgrade in place notes, but this can also be done as a link to the Migration guide. We can provide additional commentary on the process if prompted in Slack or GH.

If not running this from an AWS EC2 instance, it complains with the AWS Provider

When executing on a non-ec2 linux machine, I had to comment out the AWS provider because it was looking for the machine to have AWS roles assigned.

Certify this installer and the Equinix Metal hardware profiles

https://github.com/redhat-openshift-ecosystem/provider-certification-tool/blob/main/docs/user.md

Add Route53 DNS provider

Users may not have domains hosted with Cloudflare. With #2, DNS providers are modularized making it easier for users to try OpenShift on Equinix Metal with their DNS provider of choice.

Route 53 is a popular choice. https://www.openshift.com/blog/deploying-openshift-4.4-on-packet documented a similar effort to this module and used AWS Route 53 as the DNS provider. This module should allow for that option too.

Cluster certificate is not trusted

The generated certificate for external access to the cluster is not trusted.

This may be due to failure reported by provisioners:

module.openshift_install.null_resource.ocp_approve_pending_csrs (remote-exec): error: one or more CSRs must be specified as <name> or -f <filename>
module.openshift_install.null_resource.ocp_approve_pending_csrs (remote-exec): W0225 10:50:20.232961   29397 warnings.go:67] certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
module.openshift_install.null_resource.ocp_approve_pending_csrs (remote-exec): error: one or more CSRs must be specified as <name> or -f <filename>

These provisioner errors do not reappear on subsequent provisions, but the certificate is invalid (bad issuer?):

subject=/CN=*.apps.clustername.example.com
issuer=/CN=ingress-operator@1614149495

I think this may be related to assets/letsencrypt/1_configure_ingresscerts.sh not being called (and requiring Cloudflare credentials). The older CSR records may be a problem too.

To keep this simple, we may need to enable LetsEncrypt (by default) using an HTTP prover instead of DNS.

Originally posted by @displague in #2 (comment)

bastion kubeconfig is not persisted between boots

For operations where the bastion kubeconfig is needed on subsequent bootups, the file should be stored in a permanent location. Currently, this file is stored in /tmp.

/tmp/artifacts/install/auth/kubeconfig

Migrate from RedHatSI/Packet to Equinix Metal

This Terraform module was originally https://github.com/RedHatSI/terraform-packet-openshift.

This fork of the project migrates all Packet references, including Terraform resources, to use Equinix Metal branding and Terraform resources.

This migration also seeks to further modularize components of the module (DNS) and bring other enhancements (dynamic SSH Keys) found in other Equinix Metal modules: https://registry.terraform.io/namespaces/equinix

These goals are inline with RedHatGov/terraform-packet-openshift#46. At the end of this migration, this module will be published to the Terraform Registry.

This issue will not deal with the migration of existing deployments. We can explore that in a new issue, if raised.

remove the dependency lock file

Remove the.teraform.lock.hcl file and add it to .gitignore to be in line with the Equinix terraform module standards

https://github.com/equinix-labs/equinix-labs/blob/7f04358f109e53ddbfcb08ba0cd68b0b7016c227/terraform-module-standards.md?plain=1#L25

equinix / terraform-equinix-metal-openshift-on-baremetal Goto Github PK