Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Implement zero-touch provisioning for OpenShift with GitOps

July 29, 2025
Alberto Filice
Related topics:
Automation and managementKubernetesSecurityVirtualization
Related products:
Red Hat Advanced Cluster Management for KubernetesRed Hat Ansible Automation PlatformRed Hat OpenShiftRed Hat OpenShift Virtualization

Share:

    Automation and standardization are fundamental for any company. Zero-touch provisioning (ZTP) is one of the key solutions for deploying Red Hat OpenShift on bare metal. In this article, we analyze how ZTP revolutionizes the deployment and provisioning of OpenShift clusters, with particular attention to integration with Red Hat OpenShift Virtualization.

    The value of ZTP

    Day 0: Pre-installation automation

    During the Day 0 phase, before the cluster installation, ZTP allows you to automate the preparation of the infrastructure through ClusterCurator and Red Hat Ansible Automation Platform:

    This approach allows you to:

    • Automatic networking configuration.
    • Bare metal infrastructure preparation.
    • Prerequisites verification.
    • Pre-installation health checks performing.

    Day 1: Automatic deployment

    ZTP transforms the OpenShift deployment process from a manual and error-prone operation into a fully automated process. The main advantages include:

    • Standardization: All clusters are deployed with identical configurations.
    • Repeatability: The process can be infinitely  replicated  with consistent results.
    • Speed: Significant reduction in time-to-market for new clusters.
    • Reliability: Elimination of human errors in the installation process.

    Day 2: Management and scalability

    The true power of ZTP is manifested in the Day 2 phase, where:

    • Scalability: Automatic extension of new nodes to the cluster.
    • Policy management: Centralized implementation of safety and compliance policies.
    • Consistency: Maintenance of consistency across multiple clusters.
    • Automation: Automated updates and patches management.

    GitOps architecture for managing distributed OpenShift edge clusters.

    Figure 1 illustrates a GitOps-based deployment model using a central Hub cluster to manage OpenShift clusters across multiple network far edge sites, which can include varying configurations such as single-node OpenShift, three-node clusters, or standard clusters with multiple control and compute nodes.

    Diagram showing a central hub cluster managing OpenShift clusters (single-node, three-node, or standard) at remote edge sites using GitOps.
    Figure 1: Hub-and-spoke model with single-node, three-node, or standard OpenShift clusters at edge sites, managed via GitOps.

    Policy management

    The Policy Generator is a fundamental tool of Red Hat Advanced Cluster Management for Kubernetes that allows us to define and manage policies in a declarative way. It works as a policy generator that converts YAML definitions into actual Kubernetes policies, simplifying the management of complex configurations across multiple clusters.

    How the PolicyGenerator works

    The PolicyGenerator operates through three main components:

    • PolicySets: Assembling related policies and defining where they should be applied through placement rules.
    • Placements: Determining on which clusters the policies should be applied.
    • Policy definitions: Defining individual policies and their configurations.

    Here is a basic example of how to use it:

    apiVersion: policy.open-cluster-management.io/v1
    kind: PolicyGenerator
    metadata:
      name: policies
    policySets:
    ...
    # array of policySets to define
    policies:
    ...
    # array of policies to define

    Recommended organization policy

    The following folder structure represents a recommended approach for organizing policies, but you can adapt it based on the specific needs of the organization. This organization is designed to scale well following the increase of policies and managed clusters and to improve the maintainability of the released code:

    policies
    ├── Global                                  # Global configurations for all clusters
    │   ├── base-config                        # Essential base configurations
    │   │   ├── policy-chrony.yaml            # Time synchronization
    │   │   ├── policy-custom-ca.yaml         # Custom CA certificates
    │   │   ├── policy-kubelet.yaml           # Kubelet configuration
    │   │   └── policy-ssh-key.yaml           # SSH key management
    │   ├── day2-config                        # Post-installation configurations
    │   │   ├── policy-alertmanager-customrule.yaml    # Alerting rules
    │   │   ├── policy-file-integrity-operator.yaml    # File integrity monitoring
    │   │   ├── policy-ingress-certificate.yaml        # Ingress certificates
    │   │   └── policy-storagecluster.yaml    # Storage configuration
    │   ├── hub-config                         # Hub-specific configurations
    │   │   ├── policy-clusterlogging.yaml    # Centralized logging
    │   │   ├── policy-enable-ceph-toolbox.yaml # Ceph tools
    │   │   └── policy-storagecluster.yaml    # Storage configuration
    │   ├── kustomization.yaml                 # Kustomize file
    │   ├── policy-generator.yaml              # Policy generator
    │   ├── registry                           # Registry configurations
    │   │   └── policy-registry.yaml          # Internal registry policy
    │   ├── secrets-config                     # Secret management
    │   │   ├── policy-external-secrets.yaml  # Integration with external vaults
    │   │   └── policy-secretstore.yaml       # Secret store configuration
    │   ├── security-auth                      # Security and authentication
    │   │   ├── policy-authentication.yaml    # Authentication methods
    │   │   ├── policy-disable-self-provisioner.yaml  # Self-service limitations
    │   │   ├── policy-htpasswd.yaml          # Htpasswd authentication
    │   │   └── policy-remove-kubeadmin.yaml  # Remove default admin
    │   ├── storage                            # Storage configurations
    │   │   ├── enable-multipath.yaml         # Enable multipath
    │   │   └── policy-storagecluster.yaml    # Storage configuration
    │   ├── testing                            # Test policies
    │   │   ├── check-cluster-operator.yaml   # Cluster operator check
    │   │   └── virtualizations                    # Virtualization configurations
    │   │       ├── policy-install-mtv.yaml       # Migration Toolkit for Virtualization
    │   │       ├── policy-install-nmstate.yaml   # Network state management
    │   │       └── policy-install-virtualization.yaml # OpenShift Virtualization
    │   ├── CHANGELOG.md                           # Reference document for changes made
    │   └── README.md                              # General documentation

    This structure offers several advantages:

    • Logical organization:
      • Clear separation between global and specific policies.
      • Easy identification of policies by type and purpose.
      • Support for multi-region organizations.
    • Simplified maintenance:
      • Targeted updates by category.
      • More efficient changes review.
      • Reduced risk of conflicts.
    • Governance and compliance:
      • Policy tracking by region.
      • Simplified configuration audit.
      • Centralized management of security policies.

    The following is an example of a policy-generator.yaml using this structure:

    apiVersion: policy.open-cluster-management.io/v1
    kind: PolicyGenerator
    metadata:
      name: policies
    placementBindingDefaults:
      # Set an explicit placement binding name to use rather than rely on the default.
      name: "placementbinding"
    policyDefaults:
      categories:
        - "CM Configuration Management"
      controls:
        - "CM-2 Baseline Configuration"
      standards:
        - "NIST SP 800-53"
      namespaceSelector:
        include: ["*"]
        exclude: []
      namespace: open-cluster-management-policies
      remediationAction: inform
      complianceType: "musthave"
      severity: low
      pruneObjectBehavior: "None"
      metadataComplianceType: "musthave"
    policySets:
      - name: global
        description: "Global configuration for all managed clusters"
        placement:
          name: "global-placement"
          labelSelector:
            matchExpressions:
              - key: vendor
                operator: In
                values:
                  - OpenShift
        policies:
          - configure-alert-manager
          - enable-registry
          - ingress-certificate
          - install-cert-manager
          - install-external-secrets
          - install-lvm
          - oauth-configuration
          - remove-kubeadmin
          - service-account-aap
          - ocp-tools
          - kubelet-config
          - check-cluster-operator
          - check-job-failed
          - file-integrity
      - name: hub
        description: "Dedicated configurations for the hub cluster"
        placement:
          name: "hub-placement"
          labelSelector:
            matchExpressions:
              - key: cluster-name
                operator: In
                values:
                  - hub
        policies:
          - automation-template
          - install-gitops
      - name: sno
        description: "Dedicated configurations for managed clusters of type sno"
        placement:
          name: "sno-placement"
          labelSelector:
            matchExpressions:
              - key: cluster-name
                operator: NotIn
                values:
                  - sno
        policies:
          - install-smb-operator
    policies:
      - name: configure-alert-manager
        description: "Configures AlertManager for notification management"
        manifests:
          - path: ../policies/alert-manager.yml
        remediationAction: enforce
        categories:
          - "CM Configuration Management"
        controls:
          - "CM-2 Baseline Configuration"
        standards:
          - "NIST SP 800-53"
        severity: low
      - name: install-external-secrets
        description: "Installs and configures External Secrets Operator for secret management"
        manifests:
          - path: ../policies/external-secrets.yml
        remediationAction: enforce
        categories:
          - "CM Configuration Management"
        controls:
          - "CM-2 Baseline Configuration"
        standards:
          - "NIST SP 800-53"
        severity: low
    ...

    This organization allows you to:

    • Maintain a clear separation of responsibilities.
    • Facilitate the addition of new policies.
    • Support multi-tenant management.
    • Simplify the review and approval processes.
    • Improve change traceability.

    Each folder can also contain a README.md that documents:

    • The purpose of the policies in that folder.
    • Dependencies with other policies.
    • Specific requirements for implementation.
    • Testing and validation procedures.

    Each organization should evaluate and adapt this structure based on its specific needs. The main factors to consider:

    • Number of managed clusters.
    • Policy complexity.
    • Compliance requirements.
    • Organizational team structure.

    OpenShift Virtualization and ZTP

    Multi-cluster management

    The integration between ZTP and OpenShift Virtualization brings significant benefits:

    • Provisioning: Ease of installation and preparation of OpenShift clusters.
    • Repeatability: Easily replicate new installations always starting from a well-organized template structure.
    • Homogeneity: ZTP and Red Hat Advanced Cluster Management policies facilitate homogeneity and generalization of configurations applied to OpenShift clusters.

    Best practices for implementation

    Before implementing ZTP and GitOps, it is important to follow a few essential best practices to ensure security, scalability, and ease of management. Here are the main recommendations:

    • GitOps as the single source of truth: All configurations should be versioned and managed through Git.
    • Environment separation: Keep separate environments (dev, test, prod) to avoid mistakes and simplify changes.
    • Secure secret management: Use operators like External Secrets to avoid storing sensitive data in the repository.
    • Automated validation: Integrate automated tests and compliance checks in CI/CD pipelines.
    • Essential documentation: Add brief documentation to configurations to support maintenance.

    Argo CD application example:

    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: policy
      namespace: openshift-gitops
    spec:
      destination:
        namespace: open-cluster-management-policies
        server: 'https://kubernetes.default.svc'
      project: default
      source:
        path: policies
        repoURL: 'git@github.com:albertofilice/rhacm-policies.git'
        targetRevision: HEAD
      syncPolicy:
        automated:
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
          - Validate=true
          - RespectIgnoreDifferences=true

    Automation with Ansible Automation Platform

    Automating cluster lifecycle operations is essential for consistency and efficiency in large-scale environments. The Ansible Automation Platform enables the orchestration of complex workflows, such as pre- and post-installation tasks, upgrades, and validations, ensuring that every step is repeatable and auditable. Below are some key concepts and examples of how automation can be integrated into the ZTP process.

    Pre-hook and post-hook

    The ClusterCurator allows you to define pre and post installation or upgrade hooks:

    spec:
      install:
        towerAuthSecret: aap-integrations
        prehook:
          - name: Pre-Installation Check
            extra_vars:
              check_network: true
              check_storage: true
        posthook:
          - name: Post-Installation Validation
            extra_vars:
              validate_operators: true
              validate_network: true
      upgrade:
        towerAuthSecret: aap-integrations
        prehook:
          - name: Pre-Upgrade Check
            extra_vars:
              check_network: true
              check_storage: true
        posthook:
          - name: Post-Upgrade Validation
            extra_vars:
              validate_operators: true
              validate_network: true
            type: Job          
    ---
    kind: Secret
    apiVersion: v1
    metadata:
      name: aap-integrations
      namespace: aap
    data:
      host: <base64-encoded-host>
      token: <base64-encoded-token>
    type: Opaque

    Key benefits of the Git-centric approach

    Key benefits include:

    • Versioning and control
      • Changes full tracking.
      • Rollback possibility.
      • Embedded  documentation in the code.
    • Automation and CI/CD
      • Automated deployment pipelines.
      • Configuration testing.
      • Pre-deployment validation.
    • Collaboration and standardization
      • Sharing of best practices
      • Structured review process
      • Facilitated knowledge sharing 

    Day 1 structure and integration with Argo CD

    The Day 1 phase represents the crucial moment of cluster installation. The file structure is organized to manage all aspects of the installation:

    ├── day1-agentclusterinstall.yaml      # Cluster installation configuration
    ├── day1-bmh.yaml                      # Bare Metal Host definition
    ├── day1-clusterdeployment.yaml        # Cluster deployment
    ├── day1-infraenv.yaml                 # Infrastructure environment
    ├── day1-klusterletaddonconfig.yaml    # Managed cluster addon configuration
    ├── day1-managed-cluster-secret.yaml   # Secret for the managed cluster
    ├── day1-managedcluster.yaml           # Managed cluster definition
    ├── day1-namespace.yaml                # Dedicated namespace
    ├── day1-nmstateconfig.yaml            # Network configuration
    ├── day1-oidc-configmap.yaml           # OIDC configuration
    ├── day1-pull-secret.yaml              # Pull secret for images
    ├── day1-reports.md                    # Documentation and reports
    ├── day2-workers/                      # Configurations for adding worker / Infra nodes
    └── kustomization.yaml                 # Kustomize file for resource management

    For management convenience, in this example we preferred to allow the management of worker nodes directly in the installed IPI cluster and not to have them managed by Red Hat Advanced Cluster Management.

    Therefore, in the Day 1 phase, a 3-node cluster will be configured and subsequently expanded through the dedicated ApplicationSet for cluster scaling.

    Automation with Argo CD

    The integration with Argo CD allows to automate the deployment process through ApplicationSet. Two main ApplicationSets manage the process:

    1. Environments ZTP: Manages the initial deployment of clusters
    2. Cluster Scale: Manages the scaling of worker nodes

    ApplicationSet for Day 1:

    kind: ApplicationSet
    metadata:
      name: environments-ztp
      namespace: openshift-gitops
    spec:
      generators:
        - git:
            directories:
              - path: '*'
            repoURL: 'https://github.com/test/ztp-environments.git'
            revision: develop
      # ... existing code ...

    This ApplicationSet:

    • Automatically scans directories in the Git repository
    • Creates an application for each environment found
    • Manages differences by ignoring specific fields to avoid conflicts
    • Implements automated sync policies

    ApplicationSet for scaling:

    apiVersion: argoproj.io/v1alpha1
    kind: ApplicationSet
    metadata:
      name: cluster-scale
      namespace: openshift-gitops
    spec:
      generators:
        - clusters:
            selector:
              matchLabels:
                apps.open-cluster-management.io/acm-cluster: 'true'
      # ... existing code ...

    This ApplicationSet:

    • Selects managed clusters via label
    • Applies scaling configurations from the day2-workers files
    • Supports dynamic scaling of worker nodes

    Structure benefits

    Benefits of this structure include:

    • Complete automation:
      • Automated cluster deployment.
      • Automatic scaling management.
      • Self-healing of configurations.
    • Flexibility:
      • Support for multiple environments.
      • Easy addition of new clusters.
      • Customizable configurations per environment.
    • Maintainability:
      • Clear and organized structure.
      • Separation of responsibilities.
      • Integrated documentation.
    • Security:
      • Secret centralized management.
      • Access control via OIDC.
      • Changes  audit trail.

    Secret management with External Secrets Operator

    Within our ZTP project, we implemented External Secrets Operator (ESO) to securely and centrally manage all secrets necessary for cluster operation. This approach allows to keep the Git repository clean from sensitive data, significantly improving the security of the infrastructure.

    There are several certified products that allow you to integrate secrets via vault. We used a community-supported operator for convenience, but in a production environment, it's always better to use certified and supported products to ensure timely resolution of bugs.

    Types of secrets

    ESO manages various types of critical secrets for cluster operation:

    1. Access credentials:
      • Htpasswd credentials for authentication.
      • Access tokens for registry.
      • Credentials for Bare Metal Host (BMH).
    2. Certificates:
      • Certificates for ingress.
      • Custom CA certificates.
      • Certificates for inter-cluster communication.
    3. System secrets:
      • Pull secret for OpenShift.
      • Secret for communication with Red Hat Advanced Cluster Management.
      • Token for integration with external services.

    Implementation

    Secret management is handled through two main components:

    • SecretStore: Defines the connection to the secret back end (e.g., HashiCorp Vault)
    • ExternalSecret: Defines how to map secrets from the back end to Kubernetes

    Example configuration:

    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: vault-backend
      namespace: open-cluster-management-policies
    spec:
      provider:
        vault:
          server: "https://vault.example.com"
          path: "secret"
          version: "v2"
          auth:
            kubernetes:
              mountPath: "kubernetes"
              role: "eso-role"
              serviceAccountRef:
                name: "eso-service-account"
    ---
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: htpasswd-secret
      namespace: open-cluster-management-policies
    spec:
      refreshInterval: "1h"
      secretStoreRef:
        name: vault-backend
        kind: SecretStore
      target:
        name: htpasswd-secret
      data:
        - secretKey: htpasswd
          remoteRef:
            key: clusters/htpasswd

    Benefits of this approach

    GitOps provides significant benefits for cluster provisioning, including improved security, maintainability, and scalability. By using version control for infrastructure, it ensures consistency and auditability, making it a powerful solution.

    • Security:
      • No sensitive data in the Git repository.
      • Automatic secret rotation.
      • Centralized audit trail.
      • Granular access control.
    • Maintainability:
      • Centralized secret management.
      • Automatic updates.
      • Reduced risk of hardcoded secrets.
      • Simplified rotation process.
    • Scalability:
      • Support for multiple Vault instances.
      • Efficient management of large quantities of secrets.
      • Easy extension of new secrets.
      • Support for multi-cluster environments.

    Implemented best practices

    Our approach incorporates several key principles to achieve these goals:

    • Environment separation:
      • Separate paths in Vault for each environment.
      • Dedicated namespaces for secrets.
      • Label for tracking secret origin.
    • Lifecycle management:
      • Automatic secret rotation.
      • Secret versioning.
      • Automatic backup of configurations.
    • Monitoring and audit:
      • Logging of secret operations.
      • Alerting for unauthorized access.
      • Periodic reports on usage.

    Integration with the ZTP workflow

    ESO integrates perfectly with the ZTP workflow:

    1. Day 0:
      • Necessary secrets in Vault preparation.
      • Access policies configuration.
      • SecretStore Setup.
    2. Day 1:
      • Automated provisioning during secret  installation.
      • Initial credentials Setup.
      • Certificates Setup.
    3. Day 2:
      • Automated secret rotation.
      • User credentials management.
      • Certificates update.

    Security considerations

    When designing and implementing a secure and scalable OpenShift environment, it is important to consider several key aspects. The following points highlight the most critical considerations to keep in mind to ensure a robust and compliant infrastructure:

    • Secret access:
      • PoLP (principle of least privilege) implementation.
      • Authentication based on service account.
      • All accesses audit logging.
    • Encryption:
      • Encrypted secrets at rest.
      • TLS for communication with Vault.
      • Secret key rotation.
    • Compliance:
      • Compliance with security policies.
      • Tracking of changes.
      • Documentation of procedures.

    Final thoughts

    The implementation of ZTP with a Git-centric approach represents a paradigm shift in the management of OpenShift infrastructure. The combination with OpenShift Virtualization allows to create a robust, scalable and easily manageable ecosystem, significantly reducing time-to-market and operational costs.

    For more information, refer to these resources:

    • Red Hat OpenShift Virtualization
    • Red Hat Advanced Cluster Management for Kubenernetes
    • Cluster Curator Controller
    • External Secrets Operator
    • Clusters at the network far edge

    Related Posts

    • Enable OpenShift Virtualization on Red Hat OpenShift

    • Create software templates for VMs with OpenShift Virtualization

    • Over-provisioning nodes on OpenShift Service on AWS

    • Easily expanding Red Hat OpenShift clusters

    • How to manage a fleet of heterogeneous OpenShift clusters

    Recent Posts

    • Why some agentic AI developers are moving code from Python to Rust

    • Confidential VMs: The core of confidential containers

    • Benchmarking with GuideLLM in air-gapped OpenShift clusters

    • Run Qwen3-Next on vLLM with Red Hat AI: A step-by-step guide

    • How to implement observability with Python and Llama Stack

    What’s up next?

    This concise guide helps VMware administrators efficiently manage virtual machines (VMs) within the powerful OpenShift platform.

    Get the cheat sheet
    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue