Menu Close

Chapter 1. Preparing to deploy OpenShift Data Foundation

Deploying OpenShift Data Foundation on OpenShift Container Platform using dynamic storage devices provides you with the option to create internal cluster resources.

Before you begin the deployment of Red Hat OpenShift Data Foundation, follow these steps:

  1. For Red Hat Enterprise Linux based hosts for worker nodes, enable file system access for containers on Red Hat Enterprise Linux based nodes.

    Note

    Skip this step for Red Hat Enterprise Linux CoreOS (RHCOS).

  2. Optional: If you want to enable cluster-wide encryption using an external Key Management System (KMS):

  3. Minimum starting node requirements [Technology Preview]

    An OpenShift Data Foundation cluster is deployed with minimum configuration when the standard deployment resource requirement is not met. See Resource requirements section in the Planning guide.

  4. Regional-DR requirements [Developer Preview]

    Disaster Recovery features supported by Red Hat OpenShift Data Foundation require all of the following prerequisites in order to successfully implement a Disaster Recovery solution:

    • A valid Red Hat OpenShift Data Foundation Advanced subscription
    • A valid Red Hat Advanced Cluster Management for Kubernetes subscription

      For detailed requirements, see Regional-DR requirements and RHACM requirements.

1.1. Enabling file system access for containers on Red Hat Enterprise Linux based nodes

Deploying OpenShift Data Foundation on an OpenShift Container Platform with worker nodes on a Red Hat Enterprise Linux base in a user provisioned infrastructure (UPI) does not automatically provide container access to the underlying Ceph file system.

Note

Skip this step for hosts based on Red Hat Enterprise Linux CoreOS (RHCOS).

Procedure

  1. Log in to the Red Hat Enterprise Linux based node and open a terminal.
  2. For each node in your cluster:

    1. Verify that the node has access to the rhel-7-server-extras-rpms repository.

      # subscription-manager repos --list-enabled | grep rhel-7-server

      If you do not see both rhel-7-server-rpms and rhel-7-server-extras-rpms in the output, or if there is no output, run the following commands to enable each repository:

      # subscription-manager repos --enable=rhel-7-server-rpms
      # subscription-manager repos --enable=rhel-7-server-extras-rpms
    2. Install the required packages.

      # yum install -y policycoreutils container-selinux
    3. Persistently enable container use of the Ceph file system in SELinux.

      # setsebool -P container_use_cephfs on

1.2. Enabling key value backend path and policy in Vault

Prerequisites

  • Administrator access to Vault.
  • Carefully, choose a unique path name as the backend path that follows the naming convention since it cannot be changed later.

Procedure

  1. Enable the Key/Value (KV) backend path in Vault.

    For Vault KV secret engine API, version 1:

    $ vault secrets enable -path=odf kv

    For Vault KV secret engine API, version 2:

    $ vault secrets enable -path=odf kv-v2
  2. Create a policy to restrict users to perform a write or delete operation on the secret using the following commands.

    echo '
    path "odf/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "sys/mounts" {
    capabilities = ["read"]
    }'| vault policy write odf -
  3. Create a token matching the above policy.

    $ vault token create -policy=odf -format json