About image-based deployments for managed {sno}

When a host preinstalled with single-node OpenShift using an image-based installation arrives at a remote site, a technician can easily reconfigure and deploy the host in a matter of minutes.

For clusters with a hub-and-spoke architecture, to complete the deployment of a preinstalled host, you must first define site-specific configuration resources on the hub cluster for each host. These resources contain configuration information such as the properties of the bare-metal host, authentication details, and other deployment and networking information.

The Image Based Install (IBI) Operator creates a configuration ISO from these resources, and then boots the host with the configuration ISO attached. The host mounts the configuration ISO and runs the reconfiguration process. When the reconfiguration completes, the single-node OpenShift cluster is ready.

Note

You must create distinct configuration resources for each bare-metal host.

See the following high-level steps to deploy a preinstalled host in a cluster with a hub-and-spoke architecture:

Install the IBI Operator on the hub cluster.
Create site-specific configuration resources in the hub cluster for each host.
The IBI Operator creates a configuration ISO from these resources and boots the target host with the configuration ISO attached.
The host mounts the configuration ISO and runs the reconfiguration process. When the reconfiguration completes, the single-node OpenShift cluster is ready.

Note

Alternatively, you can manually deploy a preinstalled host for a cluster without using a hub cluster. You must define an ImageBasedConfig resource and an installation manifest, and provide these as inputs to the openshift-install installation program. For more information, see "Deploying a single-node OpenShift cluster using the openshift-install program".

Additional resources

Deploying a single-node OpenShift cluster using the openshift-install program

Installing the Image Based Install Operator

The Image Based Install (IBI) Operator is part of the image-based deployment workflow for preinstalled single-node OpenShift on bare-metal hosts.

Note

The IBI Operator is part of the multicluster engine for Kubernetes Operator from MCE version 2.7.

Prerequisites

You logged in as a user with cluster-admin privileges.
You deployed a Red Hat Advanced Cluster Management (RHACM) hub cluster or you deployed the multicluster engine for Kubernetes Operator.
You reviewed the required versions of software components in the section "Software prerequisites for an image-based installation".

Procedure

Set the enabled specification to true for the image-based-install-operator component in the MultiClusterEngine resource by running the following command:

$ oc patch multiclusterengines.multicluster.openshift.io multiclusterengine --type json \
--patch '[{"op": "add", "path":"/spec/overrides/components/-", "value": {"name":"image-based-install-operator","enabled": true}}]'

Verification

Check that the Image Based Install Operator pod is running by running the following command:

$ oc get pods -A | grep image-based

Example output

multicluster-engine             image-based-install-operator-57fb8sc423-bxdj8             2/2     Running     0               5m

Deploying a managed single-node OpenShift cluster using the IBI Operator

Create the site-specific configuration resources in the hub cluster to initiate the image-based deployment of a preinstalled host.

When you create these configuration resources in the hub cluster, the Image Based Install (IBI) Operator generates a configuration ISO and attaches it to the target host to begin the site-specific configuration process. When the configuration process completes, the single-node OpenShift cluster is ready.

Note

For more information about the configuration resources that you must configure in the hub cluster, see "Cluster configuration resources for deploying a preinstalled host".

Prerequisites

You preinstalled a host with single-node OpenShift using an image-based installation.
You logged in as a user with cluster-admin privileges.
You deployed a Red Hat Advanced Cluster Management (RHACM) hub cluster or you deployed the multicluster engine for Kubernetes operator (MCE).
You installed the IBI Operator on the hub cluster.
You created a pull secret to authenticate pull requests. For more information, see "Using image pull secrets".

Procedure

Create the ibi-ns namespace by running the following command:
```
$ oc create namespace ibi-ns
```
Create the Secret resource for your image registry:
1. Create a YAML file that defines the Secret resource for your image registry:
  Example secret-image-registry.yaml file
  apiVersion: v1 kind: Secret metadata: name: ibi-image-pull-secret namespace: ibi-ns stringData: .dockerconfigjson: <base64-docker-auth-code> type: kubernetes.io/dockerconfigjson
  1. You must provide base64-encoded credential details. See the "Additional resources" section for more information about using image pull secrets.
2. Create the Secret resource for your image registry by running the following command:
  $ oc create -f secret-image-registry.yaml
Optional: Configure static networking for the host:
1. Create a Secret resource containing the static network configuration in nmstate format:
  Example host-network-config-secret.yaml file
  apiVersion: v1 kind: Secret metadata: name: host-network-config-secret namespace: ibi-ns type: Opaque stringData: nmstate: | interfaces: - name: ens1f0 type: ethernet state: up ipv4: enabled: true address: - ip: 192.168.200.25 prefix-length: 24 dhcp: false ipv6: enabled: false dns-resolver: config: server: - 192.168.15.47 - 192.168.15.48 routes: config: - destination: 0.0.0.0/0 metric: 150 next-hop-address: 192.168.200.254 next-hop-interface: ens1f0 table-id: 254
  1. Specify the name for the Secret resource.
  2. Define the static network configuration in nmstate format.
  3. Specify the name of the interface on the host. The name of the interface must match the actual NIC name as shown in the operating system. To use your MAC address for NIC matching, set the identifier field to mac-address.
  4. You must specify dhcp: false to ensure nmstate assigns the static IP address to the interface.
  5. Specify one or more DNS servers that the system will use to resolve domain names.
  6. In this example, the default route is configured through the ens1f0 interface to the next hop IP address 192.168.200.254.
Create the BareMetalHost and Secret resources:
1. Create a YAML file that defines the BareMetalHost and Secret resources:
  Example ibi-bmh.yaml file
  apiVersion: metal3.io/v1alpha1 kind: BareMetalHost metadata: name: ibi-bmh namespace: ibi-ns spec: online: false bootMACAddress: 00:a5:12:55:62:64 bmc: address: redfish-virtualmedia+http://192.168.111.1:8000/redfish/v1/Systems/8a5babac-94d0-4c20-b282-50dc3a0a32b5 credentialsName: ibi-bmh-bmc-secret preprovisioningNetworkDataName: host-network-config-secret automatedCleaningMode: disabled externallyProvisioned: true --- apiVersion: v1 kind: Secret metadata: name: ibi-bmh-secret namespace: ibi-ns type: Opaque data: username: <user_name> password: <password>
  1. Specify the name for the BareMetalHost resource.
  2. Specify if the host should be online.
  3. Specify the host boot MAC address.
  4. Specify the BMC address. You can only use bare-metal host drivers that support virtual media networking booting, for example redfish-virtualmedia and idrac-virtualmedia.
  5. Specify the name of the bare-metal host Secret resource.
  6. Optional: If you require static network configuration for the host, specify the name of the Secret resource containing the configuration.
  7. You must specify automatedCleaningMode:disabled to prevent the provisioning service from deleting all preinstallation artifacts, such as the seed image, during disk inspection.
  8. You must specify externallyProvisioned: true to enable the host to boot from the preinstalled disk, instead of the configuration ISO.
  9. Specify the name for the Secret resource.
  10. Specify the username.
  11. Specify the password.
2. Create the BareMetalHost and Secret resources by running the following command:
  $ oc create -f ibi-bmh.yaml
Create the ClusterImageSet resource:
1. Create a YAML file that defines the ClusterImageSet resource:
  Example ibi-cluster-image-set.yaml file
  apiVersion: hive.openshift.io/v1 kind: ClusterImageSet metadata: name: ibi-img-version-arch spec: releaseImage: ibi.example.com:path/to/release/images:version-arch
  1. Specify the name for the ClusterImageSet resource.
  2. Specify the address for the release image to use for the deployment. If you use a different image registry compared to the image registry used during seed image generation, ensure that the OpenShift Container Platform version for the release image remains the same.
2. Create the ClusterImageSet resource by running the following command:
  $ oc apply -f ibi-cluster-image-set.yaml
Create the ImageClusterInstall resource:
1. Create a YAML file that defines the ImageClusterInstall resource:
  Example ibi-image-cluster-install.yaml file
  apiVersion: extensions.hive.openshift.io/v1alpha1 kind: ImageClusterInstall metadata: name: ibi-image-install namespace: ibi-ns spec: bareMetalHostRef: name: ibi-bmh namespace: ibi-ns clusterDeploymentRef: name: ibi-cluster-deployment hostname: ibi-host imageSetRef: name: ibi-img-version-arch machineNetworks: - cidr: 10.0.0.0/24 #- cidr: fd01::/64 proxy: httpProxy: "http://proxy.example.com:8080" #httpsProxy: "http://proxy.example.com:8080" #noProxy: "no_proxy.example.com"
  1. Specify the name for the ImageClusterInstall resource.
  2. Specify the BareMetalHost resource that you want to target for the image-based installation.
  3. Specify the name of the ClusterDeployment resource that you want to use for the image-based installation of the target host.
  4. Specify the hostname for the cluster.
  5. Specify the name of the ClusterImageSet resource you used to define the container release images to use for deployment.
  6. Specify the public Classless Inter-Domain Routing (CIDR) of the external network. For dual-stack networking, you can specify both IPv4 and IPv6 CIDRs using a list format. The first CIDR in the list is the primary address family and must match the primary address family of the seed cluster.
  7. Optional: Specify a proxy to use for the cluster deployment.
    Important
    
    If your cluster deployment requires a proxy configuration, you must do the following:
    
    Create a seed image from a seed cluster featuring a proxy configuration. The proxy configurations do not have to match.
    
    Configure the machineNetwork field in your installation manifest.
2. Create the ImageClusterInstall resource by running the following command:
  $ oc create -f ibi-image-cluster-install.yaml
Create the ClusterDeployment resource:
1. Create a YAML file that defines the ClusterDeployment resource:
  Example ibi-cluster-deployment.yaml file
  apiVersion: hive.openshift.io/v1 kind: ClusterDeployment metadata: name: ibi-cluster-deployment namespace: ibi-ns spec: baseDomain: example.com clusterInstallRef: group: extensions.hive.openshift.io kind: ImageClusterInstall name: ibi-image-install version: v1alpha1 clusterName: ibi-cluster platform: none: {} pullSecretRef: name: ibi-image-pull-secret
  1. Specify the name for the ClusterDeployment resource.
  2. Specify the namespace for the ClusterDeployment resource.
  3. Specify the base domain that the cluster should belong to.
  4. Specify the name of the ImageClusterInstall in which you defined the container images to use for the image-based installation of the target host.
  5. Specify a name for the cluster.
  6. Specify the secret to use for pulling images from your image registry.
2. Create the ClusterDeployment resource by running the following command:
  $ oc apply -f ibi-cluster-deployment.yaml
Create the ManagedCluster resource:
1. Create a YAML file that defines the ManagedCluster resource:
  Example ibi-managed.yaml file
  apiVersion: cluster.open-cluster-management.io/v1 kind: ManagedCluster metadata: name: sno-ibi spec: hubAcceptsClient: true
  1. Specify the name for the ManagedCluster resource.
  2. Specify true to enable RHACM to manage the cluster.
2. Create the ManagedCluster resource by running the following command:
  $ oc apply -f ibi-managed.yaml

Verification

Check the status of the ImageClusterInstall in the hub cluster to monitor the progress of the target host installation by running the following command:
```
$ oc get imageclusterinstall
```
Example output
```
NAME       REQUIREMENTSMET           COMPLETED                     BAREMETALHOSTREF
target-0   HostValidationSucceeded   ClusterInstallationSucceeded  ibi-bmh
```
Warning

If the ImageClusterInstall resource is deleted, the IBI Operator reattaches the BareMetalHost resource and reboots the machine.
When the installation completes, you can retrieve the kubeconfig secret to log in to the managed cluster by running the following command:
```
$ oc extract secret/<cluster_name>-admin-kubeconfig -n <cluster_namespace>  --to - > <directory>/<cluster_name>-kubeconfig
```
- <cluster_name> is the name of the cluster.
- <cluster_namespace> is the namespace of the cluster.
- <directory> is the directory in which to create the file.

Additional resources

Cluster configuration resources for deploying a preinstalled host

To complete a deployment for a preinstalled host at a remote site, you must configure the following site-specifc cluster configuration resources in the hub cluster for each bare-metal host.

Table 1. Cluster configuration resources reference
Resource	Description
`Namespace`	Namespace for the managed single-node OpenShift cluster.
`BareMetalHost`	Describes the physical host and its properties, such as the provisioning and hardware configuration.
`Secret` for the bare-metal host	Credentials for the host BMC.
`Secret` for the bare-metal host static network configuration	Optional: Describes static network configuration for the target host.
`Secret` for the image registry	Credentials for the image registry. The secret for the image registry must be of type `kubernetes.io/dockerconfigjson`.
`ImageClusterInstall`	References the bare-metal host, deployment, and image set resources.
`ClusterImageSet`	Describes the release images to use for the cluster.
`ClusterDeployment`	Describes networking, authentication, and platform-specific settings.
`ManagedCluster`	Describes cluster details to enable Red Hat Advanced Cluster Management (RHACM) to register and manage.
`ConfigMap`	Optional: Describes additional configurations for the cluster deployment, such as adding a bundle of trusted certificates for the host to ensure trusted communications for cluster services.

ImageClusterInstall resource API specifications

The following content describes the API specifications for the ImageClusterInstall resource. This resource is the endpoint for the Image Based Install Operator.

Table 2. Required specifications
Specification	Type	Description
`imageSetRef`	`string`	Specify the name of the `ClusterImageSet` resource that defines the release images for the deployment.
`hostname`	`string`	Specify the hostname for the cluster.
`sshKey`	`string`	Specify your SSH key to provide SSH access to the target host.

Table 3. Optional specifications
Specification	Type	Description
`clusterDeploymentRef`	`string`	Specify the name of the `ClusterDeployment` resource that you want to use for the image-based installation of the target host.
`clusterMetadata`	`string`	After the deployment completes, this specification is automatically populated with metadata information about the cluster, including the `cluster-admin` kubeconfig credentials for logging in to the cluster.
`imageDigestSources`	`string`	Specifies the sources or repositories for the release-image content, for example: `imageDigestSources: - mirrors: - "registry.example.com:5000/ocp4/openshift4" source: "quay.io/openshift-release-dev/ocp-release"`
`extraManifestsRefs`	`string`	Specify a `ConfigMap` resource containing additional manifests to be applied to the target cluster.
`bareMetalHostRef`	`string`	Specify the `bareMetalHost` resource to use for the cluster deployment
`machineNetworks`	`string`	Specify the public Classless Inter-Domain Routing (CIDR) of the external network. For dual-stack networking, you can specify both IPv4 and IPv6 CIDRs using a list format. The first CIDR in the list is the primary address family and must match the primary address family of the seed cluster.
`proxy`	`string`	Specifies proxy settings for the cluster, for example: `proxy: httpProxy: "http://proxy.example.com:8080" httpsProxy: "http://proxy.example.com:8080" noProxy: "no_proxy.example.com"`
`caBundleRef`	`string`	Specify a `ConfigMap` resource containing the new bundle of trusted certificates for the host.

ConfigMap resources for extra manifests

You can optionally create a ConfigMap resource to define additional manifests in an image-based deployment for managed single-node OpenShift clusters.

After you create the ConfigMap resource, reference it in the ImageClusterInstall resource. During deployment, the IBI Operator includes the extra manifests in the deployment.

Creating a ConfigMap resource to add extra manifests in an image-based deployment

You can use a ConfigMap resource to add extra manifests to the image-based deployment for single-node OpenShift clusters.

The following example adds an single-root I/O virtualization (SR-IOV) network to the deployment.

Note

Filenames for extra manifests must not exceed 30 characters. Longer filenames might cause deployment failures.

Prerequisites

You preinstalled a host with single-node OpenShift using an image-based installation.
You logged in as a user with cluster-admin privileges.

Procedure

Create the SriovNetworkNodePolicy and SriovNetwork resources:

Create a YAML file that defines the resources:

Example sriov-extra-manifest.yaml file

apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: "example-sriov-node-policy"
  namespace: openshift-sriov-network-operator
spec:
  deviceType: vfio-pci
  isRdma: false
  nicSelector:
    pfNames: [ens1f0]
  nodeSelector:
    node-role.kubernetes.io/master: ""
  mtu: 1500
  numVfs: 8
  priority: 99
  resourceName: example-sriov-node-policy
---
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetwork
metadata:
  name: "example-sriov-network"
  namespace: openshift-sriov-network-operator
spec:
  ipam: |-
    {
    }
  linkState: auto
  networkNamespace: sriov-namespace
  resourceName: example-sriov-node-policy
  spoofChk: "on"
  trust: "off"

Create the ConfigMap resource by running the following command:
```
$ oc create configmap sr-iov-extra-manifest --from-file=sriov-extra-manifest.yaml -n ibi-ns 
```
1. Specify the namespace that has the ImageClusterInstall resource.
  Example output
  configmap/sr-iov-extra-manifest created
  Note
  
  If you add more than one extra manifest, and the manifests must be applied in a specific order, you must prefix the filenames of the manifests with numbers that represent the required order. For example, 00-namespace.yaml, 01-sriov-extra-manifest.yaml, and so on.

Reference the ConfigMap resource in the spec.extraManifestsRefs field of the ImageClusterInstall resource:
```
#...
  spec:
    extraManifestsRefs:
    - name: sr-iov-extra-manifest
#...
```

Creating a ConfigMap resource to add a CA bundle in an image-based deployment

You can use a ConfigMap resource to add a certificate authority (CA) bundle to the host to ensure trusted communications for cluster services.

After you create the ConfigMap resource, reference it in the spec.caBundleRef field of the ImageClusterInstall resource.

Prerequisites

You preinstalled a host with single-node OpenShift using an image-based installation.
You logged in as a user with cluster-admin privileges.

Procedure

Create a CA bundle file called tls-ca-bundle.pem:

Example tls-ca-bundle.pem file

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKmjYKJbIyz3MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
...Custom CA certificate bundle...
4WPl0Qb27Sb1xZyAsy1ww6MYb98EovazUSfjYr2EVF6ThcAPu4/sMxUV7He2J6Jd
cA8SMRwpUbz3LXY=
-----END CERTIFICATE-----

Create the ConfigMap object by running the following command:
```
$ oc create configmap custom-ca --from-file=tls-ca-bundle.pem -n ibi-ns
```
- custom-ca specifies the name for the ConfigMap resource.
- tls-ca-bundle.pem defines the key for the data entry in the ConfigMap resource. You must include a data entry with the tls-ca-bundle.pem key.
- ibi-ns specifies the namespace that has the ImageClusterInstall resource.
  Example output
  configmap/custom-ca created
Reference the ConfigMap resource in the spec.caBundleRef field of the ImageClusterInstall resource:
```
#...
  spec:
    caBundleRef:
      name: custom-ca
#...
```

Additional resources