Preparing the hub cluster for ZTP

    The Red Hat Telco Radio Access Network (RAN) version 4.13 solution has been validated using the following Red Hat software products.

    Installing GitOps ZTP in a disconnected environment

    Use Red Hat Advanced Cluster Management (RHACM), Red Hat OpenShift GitOps, and Topology Aware Lifecycle Manager (TALM) on the hub cluster in the disconnected environment to manage the deployment of multiple managed clusters.

    Prerequisites

    • You have installed the OKD CLI ().

    • You have logged in as a user with cluster-admin privileges.

    • You have configured a disconnected mirror registry for use in the cluster.

      The disconnected mirror registry that you create must contain a version of TALM backup and pre-cache images that matches the version of TALM running in the hub cluster. The spoke cluster must be able to resolve these images in the disconnected mirror registry.

    Procedure

    Additional resources

    Before you begin installing clusters in the disconnected environment with Red Hat Advanced Cluster Management (RHACM), you must first host Fedora CoreOS (FCOS) images for it to use. Use a disconnected mirror to host the FCOS images.

    Prerequisites

    • Deploy and configure an HTTP server to host the FCOS image resources on the network. You must be able to access the HTTP server from your computer, and from the machines that you create.

    The FCOS images might not change with every release of OKD. You must download images with the highest version that is less than or equal to the version that you install. Use the image versions that match your OKD version if they are available. You require ISO and RootFS images to install FCOS on the hosts. FCOS QCOW2 images are not supported for this installation type.

    Procedure

    1. Log in to the mirror host.

    2. Obtain the FCOS ISO and RootFS images from , for example:

      1. Export the required image names and OKD version as environment variables:

        1. $ export ROOTFS_IMAGE_NAME=<rootfs_image_name> (2)
        1. $ export OCP_VERSION=<ocp_version> (3)

      2. Download the required images:

        1. $ sudo wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.13/${OCP_VERSION}/${ISO_IMAGE_NAME} -O /var/www/html/${ISO_IMAGE_NAME}
        1. $ sudo wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.13/${OCP_VERSION}/${ROOTFS_IMAGE_NAME} -O /var/www/html/${ROOTFS_IMAGE_NAME}

    Verification steps

    • Verify that the images downloaded successfully and are being served on the disconnected mirror host, for example:

      1. $ wget http://$(hostname)/${ISO_IMAGE_NAME}

      Example output

      1. Saving to: rhcos-4.13.1-x86_64-live.x86_64.iso
      2. rhcos-4.13.1-x86_64-live.x86_64.iso-  11%[====>    ]  10.01M  4.71MB/s

    Additional resources

    Enabling the assisted service and updating AgentServiceConfig on the hub cluster

    Red Hat Advanced Cluster Management (RHACM) uses the assisted service to deploy OKD clusters. The assisted service is deployed automatically when you enable the MultiClusterHub Operator with Central Infrastructure Management (CIM). When you have enabled CIM on the hub cluster, you then need to update the AgentServiceConfig custom resource (CR) with references to the ISO and RootFS images that are hosted on the mirror registry HTTP server.

    Prerequisites

    Procedure

    1. Update the AgentServiceConfig CR by running the following command:

    2. Add the following entry to the items.spec.osImages field in the CR:

      1. - cpuArchitecture: x86_64
      2.     openshiftVersion: "4.13"
      3.     rootFSUrl: https://<host>/<path>/rhcos-live-rootfs.x86_64.img
      4.     url: https://<mirror-registry>/<path>/rhcos-live.x86_64.iso

      where:

      <host>

      Is the fully qualified domain name (FQDN) for the target mirror registry HTTP server.

      <path>

      Is the path to the image on the target mirror registry.

      Save and quit the editor to apply the changes.

    You can configure the hub cluster to use a disconnected mirror registry for a disconnected environment.

    Prerequisites

    • You have a disconnected hub cluster installation with Red Hat Advanced Cluster Management (RHACM) 2.5 installed.

    • You have hosted the rootfs and iso images on an HTTP server.

    If you enable TLS for the HTTP server, you must confirm the root certificate is signed by an authority trusted by the client and verify the trusted certificate chain between your OKD hub and managed clusters and the HTTP server. Using a server configured with an untrusted certificate prevents the images from being downloaded to the image creation service. Using untrusted HTTPS servers is not supported.

    Procedure

    1. Create a ConfigMap containing the mirror registry config:

      1. apiVersion: v1
      2. metadata:
      3.   name: assisted-installer-mirror-config
      4.   namespace: assisted-installer
      5.   labels:
      6.     app: assisted-service
      7. data:
      8.   ca-bundle.crt: <certificate> (1)
      9.   registries.conf: |  (2)
      10.     unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
      12.     [[registry]]
      13.       location = <mirror_registry_url>  (3)
      14.       insecure = false
      15.       mirror-by-digest-only = true
      1The mirror registry’s certificate used when creating the mirror registry.
      2The configuration file for the mirror registry. The mirror registry configuration adds mirror information to /etc/containers/registries.conf in the Discovery image. The mirror information is stored in the imageContentSources section of the install-config.yaml file when passed to the installation program. The Assisted Service pod running on the HUB cluster fetches the container images from the configured mirror registry.
      3The URL of the mirror registry.

      This updates mirrorRegistryRef in the AgentServiceConfig custom resource, as shown below:

      Example output

      1. apiVersion: agent-install.openshift.io/v1beta1
      2. kind: AgentServiceConfig
      3. metadata:
      4.   name: agent
      6. spec:
      7.   databaseStorage:
      8.     volumeName: <db_pv_name>
      9.     accessModes:
      10.     - ReadWriteOnce
      11.     resources:
      12.       requests:
      13.         storage: <db_storage_size>
      14.   filesystemStorage:
      15.     volumeName: <fs_pv_name>
      16.     accessModes:
      17.     - ReadWriteOnce
      18.     resources:
      19.       requests:
      20.         storage: <fs_storage_size>
      21.   mirrorRegistryRef:
      22.     name: 'assisted-installer-mirror-config'
      23.   osImages:
      24.     - openshiftVersion: <ocp_version>
      25.       rootfs: <rootfs_url> (1)
      26.       url: <iso_url> (1)

    A valid NTP server is required during cluster installation. Ensure that a suitable NTP server is available and can be reached from the installed clusters through the disconnected network.

    Configuring the hub cluster to use unauthenticated registries

    You can configure the hub cluster to use unauthenticated registries. Unauthenticated registries does not require authentication to access and download images.

    Prerequisites

    • You have installed and configured a hub cluster and installed Red Hat Advanced Cluster Management (RHACM) on the hub cluster.

    • You have installed the OpenShift Container Platform CLI (oc).

    • You have logged in as a user with cluster-admin privileges.

    • You have configured an unauthenticated registry for use with the hub cluster.

    Procedure

    1. Add the unauthenticatedRegistries field in the CR:

      1. apiVersion: agent-install.openshift.io/v1beta1
      2. kind: AgentServiceConfig
      3. metadata:
      4.   name: agent
      5. spec:
      6.   unauthenticatedRegistries:
      7.   - example.registry.com
      8.   - example.registry2.com
      9.   ...

      Unauthenticated registries are listed under spec.unauthenticatedRegistries in the AgentServiceConfig resource. Any registry on this list is not required to have an entry in the pull secret used for the spoke cluster installation. assisted-service validates the pull secret by making sure it contains the authentication information for every image registry used for installation.

    Mirror registries are automatically added to the ignore list and do not need to be added under spec.unauthenticatedRegistries. Specifying the PUBLIC_CONTAINER_REGISTRIES environment variable in the ConfigMap overrides the default values with the specified value. The PUBLIC_CONTAINER_REGISTRIES defaults are and registry.svc.ci.openshift.org.

    Verification

    Verify that you can access the newly added registry from the hub cluster by running the following commands:

      1. $ oc debug node/<node_name>

    2. Test access to the unauthenticated registry by running the following command:

      where:

      <unauthenticated_registry>

      Is the new registry, for example, unauthenticated-image-registry.openshift-image-registry.svc:5000.

      Example output

      1. Login Succeeded!

    You can configure the hub cluster with a set of ArgoCD applications that generate the required installation and policy custom resources (CRs) for each site with GitOps Zero Touch Provisioning (ZTP).

    Prerequisites

    • You have a OKD hub cluster with Red Hat Advanced Cluster Management (RHACM) and Red Hat OpenShift GitOps installed.

    • You have extracted the reference deployment from the GitOps ZTP plugin container as described in the “Preparing the GitOps ZTP site configuration repository” section. Extracting the reference deployment creates the out/argocd/deployment directory referenced in the following procedure.

    Procedure

    1. Prepare the ArgoCD pipeline configuration:

      1. Create a Git repository with the directory structure similar to the example directory. For more information, see “Preparing the GitOps ZTP site configuration repository”.

      2. Configure access to the repository using the ArgoCD UI. Under Settings configure the following:

        • Repositories - Add the connection information. The URL must end in .git, for example, and credentials.

        • Certificates - Add the public certificate for the repository, if needed.

      3. Modify the two ArgoCD applications, out/argocd/deployment/clusters-app.yaml and out/argocd/deployment/policies-app.yaml, based on your Git repository:

        • Update the URL to point to the Git repository. The URL ends with .git, for example, [https://repo.example.com/repo.git](https://repo.example.com/repo.git).

        • The targetRevision indicates which Git repository branch to monitor.

        • path specifies the path to the SiteConfig and PolicyGenTemplate CRs, respectively.

    1. To install the GitOps ZTP plugin you must patch the ArgoCD instance in the hub cluster by using the patch file previously extracted into the out/argocd/deployment/ directory. Run the following command:

      1. $ oc patch argocd openshift-gitops \
      2. -n openshift-gitops --type=merge \
      3. --patch-file out/argocd/deployment/argocd-openshift-gitops-patch.json

    2. Apply the pipeline configuration to your hub cluster by using the following command:

      1. $ oc apply -k out/argocd/deployment

    Preparing the GitOps ZTP site configuration repository

    Before you can use the GitOps Zero Touch Provisioning (ZTP) pipeline, you need to prepare the Git repository to host the site configuration data.

    Prerequisites

    • You have configured the hub cluster GitOps applications for generating the required installation and policy custom resources (CRs).

    • You have deployed the managed clusters using GitOps ZTP.

    Procedure

    1. Create a directory structure with separate paths for the SiteConfig and PolicyGenTemplate CRs.

    2. Export the argocd directory from the ztp-site-generate container image using the following commands:

      1. $ podman pull registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.13
      1. $ mkdir -p ./out
      1. $ podman run --log-driver=none --rm registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.13 extract /home/ztp --tar | tar x -C ./out

    3. Check that the out directory contains the following subdirectories:

      • out/extra-manifest contains the source CR files that SiteConfig uses to generate extra manifest configMap.

      • out/source-crs contains the source CR files that PolicyGenTemplate uses to generate the Red Hat Advanced Cluster Management (RHACM) policies.

      • out/argocd/deployment contains patches and YAML files to apply on the hub cluster for use in the next step of this procedure.

      • out/argocd/example contains the examples for SiteConfig and PolicyGenTemplate files that represent the recommended configuration.

    The directory structure under out/argocd/example serves as a reference for the structure and content of your Git repository. The example includes SiteConfig and PolicyGenTemplate reference CRs for single-node, three-node, and standard clusters. Remove references to cluster types that you are not using. The following example describes a set of CRs for a network of single-node clusters:

    Keep SiteConfig and PolicyGenTemplate CRs in separate directories. Both the SiteConfig and PolicyGenTemplate directories must contain a kustomization.yaml file that explicitly includes the files in that directory.

    This directory structure and the kustomization.yaml files must be committed and pushed to your Git repository. The initial push to Git should include the kustomization.yaml files. The SiteConfig (example-sno.yaml) and PolicyGenTemplate (common-ranGen.yaml, group-du-sno*.yaml, and example-sno-site.yaml) files can be omitted and pushed at a later time as required when deploying a site.