1. Utilities. You'll need recent versions of Azure CLI and Golang installed.

2. Check out the codebase.

   - If running Linux, ensure you have the systemd-devel RPM installed:

     `sudo dnf -y install systemd-devel`

   - Ensure that `$GOPATH/bin` is in your path:

     `export PATH=$PATH:${GOPATH:-$HOME/go}/bin`

   - Check out the codebase:

     `go get github.com/openshift/openshift-azure/...`

   - Navigate to the codebase directory:

     `cd ${GOPATH:-$HOME/go}/src/github.com/openshift/openshift-azure`

3. Azure CLI access. You'll need to be logged into Azure using the CLI.

4. Subscription and Tenant ID. You'll need to know the subscription and tenant IDs of the Azure subscription where your OpenShift nodes will run.

5. Node image. Your Azure subscription will need to contain an OpenShift node Image resource, or to have whitelisted access to the OpenShift node marketplace image.

   Before you deploy for the first time in a subscription using whitelisted access to the OpenShift node marketplace image, you will need to enable programmatic deployment of the image. In the Azure web console, click **Create a resource**. Search for "OpenShift Origin 3.10 on Azure (Staged)" and click the result. At the bottom of the resulting screen, click **Want to deploy programmatically? Get started**. Click **Enable**, then **Save**.

6. DNS domain. You'll need a DNS domain hosted using Azure DNS in the same subscription. Deploying a cluster will create a dedicated child DNS zone resource for the cluster. It is assumed that the name of the DNS zone resource for the parent DNS domain matches the name of the DNS domain.

7. AAD Application / Service principal. The deployed OpenShift cluster needs a valid AAD application and service principal to call back into the Azure API, and optionally to enable AAD authentication. There are a few options here:

   i. (Ask your Azure subscription administrator to) precreate a generic AAD application and service principal with a secret, and grant it Contributor access to the subscription. Record the service principal client ID and secret. This is good enough to deploy OpenShift clusters, but AAD authentication won't work.

   ii. Automatically create an AAD application and service principal. Your Azure user will need the Contributor and User Access Administrator roles, and your AAD will need to have "Users can register applications" enabled.

   iii. (Ask your Azure subscription administrator to) precreate a specific AAD application and service principal with a secret. You can use `hack/aad.sh` to help with this process. For AAD authentication to work, the public hostname of the OpenShift cluster must match the AAD application created. Record the service principal client ID and secret.

   iv. (optional) For AAD Web-UI sign-in integration to work, you will need a second AAD web app created, with a callback URL to OpenShift and the right permissions enabled. `hack/aad.sh` can help you do so.

      AAD WebApp flow:

      - Create an application (you can use `hack/aad.sh` to create an app with the right permissions).
      - Add the `$AZURE_AAD_CLIENT_ID` variable with the application ID to the `env` file.
      - Create the cluster. The `create.sh` script will update your application with the required details. This can be done manually with `./hack/aad.sh app-update`.
      - Get your application permissions approved by an organization administrator. Without approval the cluster will start, but login will not work.

      Once you have an application with approved/granted permissions, it can be re-used for all future clusters.
-
1. Copy the `env.example` file to `env` and edit it according to your requirements. Source the `env` file:

   `. ./env`

2. Run `./hack/create.sh $RESOURCEGROUP` to deploy a cluster.

3. To inspect pods running on the OpenShift cluster, run:

   `KUBECONFIG=_data/_out/admin.kubeconfig oc get pods -n $RESOURCEGROUP`

4. To ssh into an OpenShift node (vm-infra-0 or vm-compute-0), run:

   `./hack/ssh.sh hostname`

5. Run `./hack/delete.sh $RESOURCEGROUP` to delete the deployed cluster.
A cluster can be accessed via the UI or CLI. If it was created using AAD integration (Pre-requisites 7.iv), you can log in using Azure AD. Another option, which will be deprecated in the future, is htpasswd. The username used is `osadmin` and the password is randomly generated. To get the password, execute:

```sh
./hack/config.sh get-config $RESOURCEGROUP | jq -r .config.adminPasswd
```

You can also get the admin kubeconfig with:

```sh
./hack/config.sh get-config $RESOURCEGROUP | jq -r .config.adminKubeconfig
```
Basic OpenShift configuration:

```yaml
name: openshift
location: eastus
properties:
  openShiftVersion: v3.10
  publicHostname: openshift.$RESOURCEGROUP.$DNS_DOMAIN
  authProfile:
    identityProviders:
    - name: Azure AAD
      provider:
        kind: AADIdentityProvider
        clientId: $AZURE_AAD_CLIENT_ID
        secret: $AZURE_AAD_CLIENT_SECRET
  routerProfiles:
  - name: default
    publicSubdomain: $RESOURCEGROUP.$DNS_DOMAIN
  agentPoolProfiles:
  - name: master
    role: master
    count: 3
    vmSize: Standard_D2s_v3
    osType: Linux
  - name: infra
    role: infra
    count: 1
    vmSize: Standard_D2s_v3
    osType: Linux
  - name: compute
    role: compute
    count: 1
    vmSize: Standard_D2s_v3
    osType: Linux
```
OpenShift with BYO VNET configuration:

```yaml
name: openshift
location: eastus
properties:
  openShiftVersion: v3.10
  publicHostname: openshift.$RESOURCEGROUP.$DNS_DOMAIN
  authProfile:
    identityProviders:
    - name: Azure AAD
      provider:
        kind: AADIdentityProvider
        clientId: $AZURE_AAD_CLIENT_ID
        secret: $AZURE_AAD_CLIENT_SECRET
  routerProfiles:
  - name: default
    publicSubdomain: $RESOURCEGROUP.$DNS_DOMAIN
  agentPoolProfiles:
  - name: master
    role: master
    count: 3
    vmSize: Standard_D2s_v3
    osType: Linux
    vnetSubnetID: /subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Network/virtualNetworks/VNET_NAME/subnets/SUBNET_NAME
  - name: infra
    role: infra
    count: 1
    vmSize: Standard_D2s_v3
    osType: Linux
    vnetSubnetID: /subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Network/virtualNetworks/VNET_NAME/subnets/SUBNET_NAME
  - name: compute
    role: compute
    count: 1
    vmSize: Standard_D2s_v3
    osType: Linux
    vnetSubnetID: /subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Network/virtualNetworks/VNET_NAME/subnets/SUBNET_NAME
```

You can create a BYO VNET and subnet with these commands:

```sh
az network vnet create -n $VNET_NAME -l $LOCATION -g $RESOURCEGROUP
az network vnet subnet create -n $SUBNET_NAME -g $RESOURCEGROUP --vnet-name $VNET_NAME --address-prefix 10.0.0.0/24
```
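The BYO VNET config repeats the same `vnetSubnetID` for every agent pool, and a typo or an ID copied from the wrong subscription is only caught once the deployment runs. The following is an added example, not code from the openshift-azure repository: it checks an ID against the shape shown above and the subscription the cluster is deployed to, then renders the `agentPoolProfiles` section with that ID. SUB_ID, RG_NAME, VNET_NAME and SUBNET_NAME are the placeholders from the config above.

```shell
# Added example; not part of the openshift-azure repository.
# Checks a BYO VNET vnetSubnetID before it goes into the cluster config and
# renders the agentPoolProfiles section with it, as in the BYO VNET config.
# SUB_ID, RG_NAME, VNET_NAME, SUBNET_NAME are the placeholders used above.

# validate_subnet_id ID EXPECTED_SUBSCRIPTION
# Prints the subnet name and returns 0 when ID is well formed and belongs to
# the expected subscription; returns 1 for a malformed ID, 2 for one in a
# different subscription. Azure resource IDs are compared case-insensitively.
validate_subnet_id() {
  id="$1"
  want=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
  pattern='^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$'
  printf '%s\n' "$id" | grep -Eq "$pattern" || return 1
  got=$(printf '%s\n' "$id" | cut -d/ -f3 | tr '[:upper:]' '[:lower:]')
  [ "$got" = "$want" ] || return 2
  printf '%s\n' "$id" | cut -d/ -f11
}

# render_agent_pools ID EXPECTED_SUBSCRIPTION
# Emits the agentPoolProfiles block (master x3, infra x1, compute x1, each on
# the same subnet) or fails with the validate_subnet_id status.
render_agent_pools() {
  subnet_id="$1"
  validate_subnet_id "$subnet_id" "$2" >/dev/null || return $?
  echo '  agentPoolProfiles:'
  for pool in master:3 infra:1 compute:1; do
    cat <<EOF
  - name: ${pool%%:*}
    role: ${pool%%:*}
    count: ${pool##*:}
    vmSize: Standard_D2s_v3
    osType: Linux
    vnetSubnetID: $subnet_id
EOF
  done
}

# Constructed sample built from the placeholders above; substitute real values.
SAMPLE_SUBNET_ID='/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Network/virtualNetworks/VNET_NAME/subnets/SUBNET_NAME'
render_agent_pools "$SAMPLE_SUBNET_ID" SUB_ID
```

Run it with the real subscription ID from Pre-requisites 4 as the second argument; a non-zero exit means the ID should not be pasted into the config.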