$ ssh-keygen -t ed25519 -N '' -f <path>/<file_name> (1)
To prepare for installation of an OKD cluster on Azure, complete the following steps:
You have selected a cluster installation method.
You configured an Azure account to host the cluster and determined the tested and validated region to deploy the cluster to.
If you use a firewall, you have configured it to allow the sites that your cluster requires access to.
During an OKD installation, you can provide an SSH public key to the installation program. The key is passed to the Fedora CoreOS (FCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys
list for the core
user on each node, which enables password-less authentication.
After the key is passed to the nodes, you can use the key pair to SSH in to the FCOS nodes as the user core
. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather
command also requires the SSH public key to be in place on the cluster nodes.
Do not skip this procedure in production environments, where disaster recovery and debugging is required. |
You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs. |
On clusters running Fedora CoreOS (FCOS), the SSH keys specified in the Ignition config files are written to the |
If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:
$ ssh-keygen -t ed25519 -N '' -f <path>/<file_name> (1)
1 | Specify the path and file name, such as ~/.ssh/id_ed25519 , of the new SSH key. If you have an existing key pair, ensure your public key is in the your ~/.ssh directory. |
If you plan to install an OKD cluster that uses the Fedora cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the |
View the public SSH key:
$ cat <path>/<file_name>.pub
For example, run the following to view the ~/.ssh/id_ed25519.pub
public key:
$ cat ~/.ssh/id_ed25519.pub
Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather
command.
On some distributions, default SSH private key identities such as |
If the ssh-agent
process is not already running for your local user, start it as a background task:
$ eval "$(ssh-agent -s)"
Agent pid 31874
If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA. |
Add your SSH private key to the ssh-agent
:
$ ssh-add <path>/<file_name> (1)
1 | Specify the path and file name for your SSH private key, such as ~/.ssh/id_ed25519 |
Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
When you install OKD, provide the SSH public key to the installation program.
Before you install OKD, download the installation file on the host you are using for installation.
You have a computer that runs Linux or macOS, with at least 1.2 GB of local disk space.
Download the installation program from https://github.com/openshift/okd/releases.
|
Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
$ tar -xvf openshift-install-linux.tar.gz
Download your installation pull secret from Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OKD components.
Using a pull secret from Red Hat OpenShift Cluster Manager is not required. You can use a pull secret for another private registry. Or, if you do not need the cluster to pull images from a private registry, you can use {"auths":{"fake":{"auth":"aWQ6cGFzcwo="}}}
as the pull secret when prompted during the installation.
If you do not use the pull secret from Red Hat OpenShift Cluster Manager:
Red Hat Operators are not available.
The Telemetry and Insights operators do not send data to Red Hat.
Content from the Red Hat Ecosystem Catalog Container images registry, such as image streams and Operators, are not available.
You can install the OpenShift cli (oc
) to interact with
OKD
from a command-line interface. You can install oc
on Linux, Windows, or macOS.
If you installed an earlier version of |
You can install the OpenShift cli (oc
) binary on Linux by using the following procedure.
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download oc.tar.gz
.
Unpack the archive:
$ tar xvf <file>
Place the oc
binary in a directory that is on your PATH
.
To check your PATH
, execute the following command:
$ echo $PATH
After you install the OpenShift cli, it is available using the oc
command:
$ oc <command>
You can install the OpenShift cli (oc
) binary on Windows by using the following procedure.
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download oc.zip
.
Unzip the archive with a ZIP program.
Move the oc
binary to a directory that is on your PATH
.
To check your PATH
, open the command prompt and execute the following command:
C:\> path
After you install the OpenShift cli, it is available using the oc
command:
C:\> oc <command>
You can install the OpenShift cli (oc
) binary on macOS by using the following procedure.
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download oc.tar.gz
.
Unpack and unzip the archive.
Move the oc
binary to a directory on your PATH.
To check your PATH
, open a terminal and execute the following command:
$ echo $PATH
Verify your installation by using an oc
command:
$ oc <command>
For more information about the Telemetry service, see About remote health monitoring
The OKD installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.
Set the following environment variables for the Azure resource group by running the following command:
$ export RESOURCEGROUP="<resource_group>" \(1)
LOCATION="<location>" (2)
1 | Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster. |
2 | Specifies the Azure location where you will create the resource group. |
Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command:
$ export KEYVAULT_NAME="<keyvault_name>" \(1)
KEYVAULT_KEY_NAME="<keyvault_key_name>" \(2)
DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>" (3)
1 | Specifies the name of the Azure Key Vault you will create. |
2 | Specifies the name of the encryption key you will create. |
3 | Specifies the name of the disk encryption set you will create. |
Set the environment variable for the ID of your Azure Service Principal by running the following command:
$ export CLUSTER_SP_ID="<service_principal_id>" (1)
1 | Specifies the ID of the service principal you will use for this installation. |
Enable host-level encryption in Azure by running the following commands:
$ az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
$ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
$ az provider register -n Microsoft.Compute
Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command:
$ az group create --name $RESOURCEGROUP --location $LOCATION
Create an Azure key vault by running the following command:
$ az keyvault create -n $KEYVAULT_NAME -g $RESOURCEGROUP -l $LOCATION \
--enable-purge-protection true
Create an encryption key in the key vault by running the following command:
$ az keyvault key create --vault-name $KEYVAULT_NAME -n $KEYVAULT_KEY_NAME \
--protection software
Capture the ID of the key vault by running the following command:
$ KEYVAULT_ID=$(az keyvault show --name $KEYVAULT_NAME --query "[id]" -o tsv)
Capture the key URL in the key vault by running the following command:
$ KEYVAULT_KEY_URL=$(az keyvault key show --vault-name $KEYVAULT_NAME --name \
$KEYVAULT_KEY_NAME --query "[key.kid]" -o tsv)
Create a disk encryption set by running the following command:
$ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
$RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
Grant the DiskEncryptionSet resource access to the key vault by running the following commands:
$ DES_IDENTITY=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
$RESOURCEGROUP --query "[identity.principalId]" -o tsv)
$ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
$DES_IDENTITY --key-permissions wrapkey unwrapkey get
Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands:
$ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g \
$RESOURCEGROUP --query "[id]" -o tsv)
$ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \(1)
--scope $DES_RESOURCE_ID -o jsonc
1 | Specifies an Azure role with read permissions to the disk encryption set. You can use the Owner role or a custom role with the necessary permissions. |
Install an OKD cluster:
Install a cluster with customizations on installer-provisioned infrastructure
Install a cluster with network customizations on installer-provisioned infrastructure
Install a cluster into an existing VNet on installer-provisioned infrastructure
Install a private cluster on installer-provisioned infrastructure
Install a cluster into an government region on installer-provisioned infrastructure