Simplify certificate management on OpenShift across multiple architectures

Learn efficient certificate management techniques on Red Hat OpenShift using the cert-manager Operator for OpenShift’s multi-architecture support.

This lesson will empower you to deploy your own OpenShift Container Platform on an IBM Power Virtual Server (VS). This step-by-step approach equips you with the practical skills to deploy Red Hat OpenShift and have a fully functional cluster to host your containerized applications up and running by the end of the lesson.

In order to get the full benefit from taking this lesson, you need to:

In this lesson, you will:

  • Provision your IBM Power VS workspace.
  • Install necessary utilities for cluster management.
  • Create a Red Hat OpenShift cluster on your configured Power VS workspace.

Create IBM Power VS workspace

  1. Log into IBM Cloud:

    $ ibmcloud login --sso
  2. Export IBM Cloud API key. If you do not possess an API key, refer to this document for guidance on creating one.

    $ export IBMCLOUD_API_KEY=<api-key>
  3. Create a new resource group. 

    Execute the following command to create a resource group with the name sandbox-rg. Feel free to choose a different name if desired. After creating the resource group, export its ID for use in the subsequent steps:

    $ export RESOURCE_GROUP=sandbox-rg
    $ ibmcloud resource group-create $RESOURCE_GROUP

    The ibmcloud resource groups command can be helpful to get the ID:

    $ export RESOURCE_GROUP_ID=<resource-group-id>
  4. Install or update the power-iaas CLI plug-in to interact with the Power Virtual Server:

    $ ibmcloud plugin install power-iaas
  5. Create a Power Server workspace:

    $ export WORKSPACE_NAME=sandbox-vs-ws
    $ export DATACENTER=dal10


    • WORKSPACE_NAME : The virtual server workspace instance name.

    • DATACENTER : The datacenter where the instance will be hosted. Use ibmcloud pi datacenters command to see possible values.

    Now create it!

    $ ibmcloud pi workspace-create $WORKSPACE_NAME --datacenter $DATACENTER --group $RESOURCE_GROUP_ID --plan public
  6. After creating the workspace, save its GUID as WORKSPACE_ID. Utilize the ibmcloud pi workspaces command for assistance:

    $ export WORKSPACE_ID=<workspace-id>

Download ccoctl, installer, and oc utilities

To install the OpenShift cluster, you'll need to download the following utilities:

  • Cloud Credential Operator (CCO) utility (ccoctl): Used for managing cloud credentials externally from the cluster.
  • OpenShift installation program (openshift-install): This tool is essential for creating cluster components.
  • OpenShift command-line tool (oc): Enables interaction with the created cluster from the command line interface (CLI).

Info alert: If your host machine is of type x86_64, proceed with the provided instructions. If your host operating system and architecture are different, visit the Infrastructure Provider for Power VS page to download the programs compatible with your setup.

  1. Create an assets folder to organize and store all necessary files:

    $ mkdir ~/assets && cd ~/assets
  2. Download and extract the ccoctl binary:

    $ curl -O
    $ tar -xvf ./ccoctl-linux.tar.gz && rm ./ccoctl-linux.tar.gz
  3. Download and extract the openshift-install binary:

    $ curl -O
    $ tar -xvf ./openshift-install-linux-amd64.tar.gz && rm ./openshift-install-linux-amd64.tar.gz
  4. Download and extract the oc binary:

    $ curl -O
    $ tar -xvf ./openshift-client-linux.tar.gz && rm ./openshift-client-linux.tar.gz
  5. Once all downloads are complete, ensure that the assets directory contains four binaries. You can also use the --help command to verify compatibility with your system for each binary:

    $ ls
    ccoctl  kubectl  oc  openshift-install
    $ ./ccoctl --help
    $ ./openshift-install --help

Info alert: For this learning path, we are using OpenShift Container Platform 4.14 as a stable version.

Create cluster installation manifests

We will now use the openshift-install binary to generate the necessary manifests for installing the cluster.

  1. Create cluster-assets directory inside the assets directory to store the files required for cluster installation:

    $ mkdir cluster-assets
  2. Generate the configuration file:

    $ ./openshift-install create install-config --dir ./cluster-assets

    Upon executing this command, provide the following information when prompted:

    ./openshift-install create install-config --dir ./cluster-assets
    ? SSH Public Key /home/sandbox/.ssh/                        <your ssh pub key>
    ? Platform powervs                                                    <select powervs>
    ? IBM Cloud User ID                                   <your ibm cloud id>
    ? Region dal                                                          <power vs workspace region>
    ? Zone dal10                                                          <power vs workspace zone : echo $DATACENTER>
    ? Service Instance abcd123-efgh456-qwer-sdf-864gsj123                 <power vs workspace guid : echo $WORKSPACE_ID>
    ? Resource Group sandbox-rg                                           <power vs workspace resource group : echo $RESOURCE_GROUP>
    ? Base Domain                                             <the base domain to deploy the cluster to>
    ? Cluster Name sandbox-cluster                                        <your cluster name>
    ? Pull Secret *********                                               <your openshift pull secret> 

    After execution, the installation program will store the configuration in the ./cluster-assets/install-config.yaml file.

    You can view the contents by running cat ./cluster-assets/install-config.yaml, which will resemble the following:

    additionalTrustBundlePolicy: Proxyonly
    apiVersion: v1
    - architecture: ppc64le
      hyperthreading: Enabled
      name: worker
      platform: {}
      replicas: 3
      architecture: ppc64le
      hyperthreading: Enabled
      name: master
      platform: {}
      replicas: 3
    credentialsMode: Manual
      creationTimestamp: null
      name: sandbox-cluster
      - cidr:
        hostPrefix: 23
      - cidr:
      networkType: OVNKubernetes
        powervsResourceGroup: sandbox-rg
        region: dal
        serviceInstanceID: abcd123-efgh456-qwer-sdf-864gsj123
        userID: IBMid-1234abcd
        zone: dal10
    publish: External
    pullSecret: '{"auths": ...}'
    sshKey: ssh-ed25519 AAAA...

    By using this configuration, a cluster with 3 master and 3 worker nodes will be generated. If needed, feel free to customize the install-config.yaml file according to your requirements.

  3. Generate the installation manifest files. 

    Now we'll consume the previously created config file to generate the manifests files:

    $ ./openshift-install create manifests --dir ./cluster-assets

    You will notice several files have been generated within the ./cluster-assets directory, and all will be utilized during the cluster installation.

Provide IAM roles

Next in the cluster installation process is providing identity and access management (IAM) roles for IBM Cloud resources, using the ccoctl tool. 

Info alert: This step is required because OpenShift on IBM Power VS currently requires Manual credentialsMode.

  1. Create a cco-assets directory inside the assets directory to store CredentialsRequest custom resources (CRs):

    $ mkdir cco-assets
  2. Get your OpenShift release image from the installer binary:

    $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
  3. Now, run the following command to extract all CredentialsRequest CRs from the RELEASE_IMAGE and store them inside your cco-assets directory:

    $ ./oc adm release extract --cloud=powervs --credentials-requests $RELEASE_IMAGE --to ./cco-assets
  4. Upon extracting all CRs, we'll utilize ccoctl to create service ID API Keys for each CredentialsRequest with designated policies. Subsequently, this process will generate YAML files of secrets inside the manifests directory, granting essential identity and access management for your sandbox-cluster:

    $ ./ccoctl ibmcloud create-service-id --credentials-requests-dir ./cco-assets --name sandbox-cluster --output-dir ./cluster-assets

    Verify that the necessary YAML files have been saved in the cluster-assets/manifests directory. Sample output:

    Saved credentials configuration to: cluster-assets/manifests/openshift-cloud-controller-manager-ibm-cloud-credentials-credentials.yaml
    Saved credentials configuration to: cluster-assets/manifests/openshift-machine-api-powervs-credentials-credentials.yaml
    Saved credentials configuration to: cluster-assets/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
    Saved credentials configuration to: cluster-assets/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
    Saved credentials configuration to: cluster-assets/manifests/openshift-cluster-csi-drivers-ibm-powervs-cloud-credentials-credentials.yaml

These secrets, along with other manifest files, will be applied during cluster creation, ensuring proper access to the required resources.

Deploy the cluster

Congratulations on completing this workflow. Now, just run the command, sit back, and take a moment to relax. Your cluster creation process will be underway, and soon you'll have your OpenShift cluster ready and running on IBM Power Virtual Server.

$ ./openshift-install create cluster --dir ./cluster-assets

After a successful cluster deployment, instructions will be displayed for accessing your cluster, offering a web console link, kubeadmin user credentials, and the kubeconfig file path. Any of these options can be utilized to access the cluster. 

Previous resource
Create multi-architecture images for cross-platform applications
Next resource
Install the cert-manager Operator for OpenShift on IBM Power Virtual Server