Deploy with Podman

In this scenario the service and associated components are deployed onto your local host in containers using Podman.

General Requirements

Make sure you have Podman version 3.3+ installed. If you must use an older version of podman, reference the previous documentation and procedure to avoid a podman bug.

Requirements for an HTTP based deployment

Files

No need to clone the whole repo. Use:

Environment Variables

Change IMAGE_SERVICE_BASE_URL and SERVICE_BASE_URL in configmap.yml to match the hostname or IP address of your host. For example if your IP address is 192.168.122.2, then the SERVICE_BASE_URL would be set to http://192.168.122.2:8090. Port 8090 is the assisted-service API that agents will connect to.

Requirements for an HTTPS based deployment

  • Assisted UI supports HTTPS starting from UI version v2.10.0

  • These instructions will secure the following communication paths:

    1. assisted-installer-ui ↔️ assisted-service
    2. User API queries ↔️ assisted-service
    3. assisted-image-service ↔️ assisted-service
    4. discovery agents ↔️ assisted-service
    5. controller pod ↔️ assisted-service

TLS Certificates

Generate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=localhost" -addext 'subjectAltName = IP:127.0.0.1'

Embed to a ConfigMap

Embed both the key and the certificate in configmap_tls_certs.yml. They will be mounted into assisted-installer-service, assisted-installer-image-service and assisted-installer-ui to encrypt their traffic.

Files

No need to clone the whole repo. Use:

Environment Variables

Change IMAGE_SERVICE_BASE_URL and SERVICE_BASE_URL in configmap_tls.yml to match the hostname or IP address of your host. For example if your IP address is 192.168.122.2, then the SERVICE_BASE_URL would be set to https://192.168.122.2:8090. Port 8090 is the assisted-service API that agents will connect to.

Additionally, make sure to change the following:

ASSISTED_SERVICE_URL: https://127.0.0.1:8090
HTTPS_CERT_FILE: "/etc/certs/tls.crt" # Need to match certs-configmap-volume mountPath
HTTPS_KEY_FILE: "/etc/certs/tls.key"  # Need to match certs-configmap-volume mountPath
HTTPS_CA_FILE: "/etc/certs/tls.crt"   # Need to match certs-configmap-volume mountPath. Needed if the certificate is not signed by a CA in RHEL's default trust bundle.
ASSISTED_SERVICE_HOST: 127.0.0.1:8090
ASSISTED_SERVICE_SCHEME: https # A must for the UI nginx to be configured with TLS
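As an added example (not code from the assisted-service repository), this Python check takes the settings above as a dict and flags mismatches between the URL schemes, ASSISTED_SERVICE_HOST and the certificate paths versus the certs-configmap-volume mountPath; it also lists the addresses the certificate's subjectAltName has to cover, because a TLS client rejects a certificate that does not name the host it dialled (the page's own command names only IP:127.0.0.1). The mountPath /etc/certs is taken from the paths shown above, 192.168.122.2 is the page's example address, and the helper names are ours.

```python
"""Consistency check for the HTTPS Podman deployment settings (example code)."""
from urllib.parse import urlsplit
import ipaddress
import posixpath

# Constructed sample: the configmap_tls.yml data as this README describes it.
CONFIGMAP_TLS = {
    "SERVICE_BASE_URL": "https://192.168.122.2:8090",
    "ASSISTED_SERVICE_URL": "https://127.0.0.1:8090",
    "ASSISTED_SERVICE_HOST": "127.0.0.1:8090",
    "ASSISTED_SERVICE_SCHEME": "https",
    "HTTPS_CERT_FILE": "/etc/certs/tls.crt",
    "HTTPS_KEY_FILE": "/etc/certs/tls.key",
    "HTTPS_CA_FILE": "/etc/certs/tls.crt",
}
CERTS_MOUNT_PATH = "/etc/certs"  # certs-configmap-volume mountPath (assumed from the paths above)

URL_KEYS = ("SERVICE_BASE_URL", "IMAGE_SERVICE_BASE_URL", "ASSISTED_SERVICE_URL")


def check_tls_config(cm, mount_path):
    """Return a list of problems; an empty list means the settings agree with each other."""
    problems = []
    if cm.get("ASSISTED_SERVICE_SCHEME") != "https":
        problems.append("ASSISTED_SERVICE_SCHEME must be https for the UI nginx to serve TLS")
    for key in URL_KEYS:
        url = cm.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} uses {urlsplit(url).scheme}, expected https")
    svc = urlsplit(cm.get("ASSISTED_SERVICE_URL", ""))
    if cm.get("ASSISTED_SERVICE_HOST") != svc.netloc:
        problems.append("ASSISTED_SERVICE_HOST does not match host:port of ASSISTED_SERVICE_URL")
    for key in ("HTTPS_CERT_FILE", "HTTPS_KEY_FILE", "HTTPS_CA_FILE"):
        path = cm.get(key, "")
        if posixpath.dirname(path) != mount_path:
            problems.append(f"{key}={path} is not under the certs mountPath {mount_path}")
    return problems


def san_entries(cm):
    """Build the openssl -addext value naming every address a client will dial."""
    entries = []
    for key in URL_KEYS:
        host = urlsplit(cm.get(key, "")).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            entry = f"IP:{host}"
        except ValueError:
            entry = f"DNS:{host}"  # a hostname rather than an address
        if entry not in entries:
            entries.append(entry)
    return "subjectAltName = " + ",".join(entries)
```

Pass the result of san_entries to openssl's -addext in place of the single IP:127.0.0.1 entry shown under Generate.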

If you are using a RELEASE_IMAGE hosted on a registry other than quay.io, add that host name to the PUBLIC_CONTAINER_REGISTRIES environment variable. See okd-configmap.yml for an example.

Optional Configuration

Other environment variables may be set in configmap.yml. For example, custom agent (AGENT_DOCKER_IMAGE), installer (INSTALLER_IMAGE) and controller (CONTROLLER_IMAGE) images can be defined.

Run it

If HTTP based

podman play kube --configmap configmap.yml pod.yml

If HTTPS based

podman play kube --configmap configmap_tls_certs.yml --configmap configmap_tls.yml pod_tls.yml

To preserve data about existing clusters between pod reconfigurations, the pod-persistent.yml manifest can be used instead; it creates additional volumes for the database and the clusters' artifacts:

podman play kube --configmap configmap.yml pod-persistent.yml

If you only want to provision a single cluster at a time, which is a common use case, persistence is not necessary.

The UI will be available at: http://<host-ip-address>:8080

Remove it

podman play kube --down pod.yml

OKD configuration

Assisted Service can install OKD clusters using a different set of parameters:

podman play kube --configmap okd-configmap.yml pod.yml

or, for developers:

make deploy-onprem OKD=true

Configuration differences are:

  • OS_IMAGES should point to Fedora CoreOS (see Fedora CoreOS Release artifacts)
  • RELEASE_IMAGES lists the available OKD versions (see OKD Releases)
  • OKD_RPMS_IMAGE is an additional image containing the Kubelet/CRI-O RPMs (see example repo)
  • ENABLE_OKD_SUPPORT controls whether OKD support is enabled. It must be true so that the service sets up the necessary RPMs on top of the discovery ISO