You plan a dedicated machine to install and experiment with the Community Distribution of Kubernetes (OKD), maybe even on a rented root server in the wild wild world?
You want to manage your OKD cluster and applications the GitOps way?
It is probably worth the time to read a little further....
Naturally, when we experiment we can destroy our cluster and bring it into a state we can't fix or recover. From this point of view we should try to keep complex things simple and repeatable. This is what this lab wants to address.
You can expect a fully virtualized small data center with everything you need to install a User Provisioned Infrastructure (UPI) deployment
of OKD4 based on KVM.
Additionally you get most of what you need for a development environment, including git, artifact management, a private container registry and a centralized user registry, everything pre-configured and tightly integrated.
- Dedicated root server (recommended)
- Internet access*
- Git client
- SSH / VNC client
- Visual Studio Code (optional but highly recommended!)
This project is being developed on a Hetzner machine with the following specs:
- AMD Ryzen 9 3900 12-Core
- 128 GB DDR4 ECC
- 2 x 1.92 TB NVMe SSD
You can do it with less, but then you have to tweak some settings and/or strip off some optional services.
*Please Note! NO proxy support in this version! Following soon.
95% of the installation process is copy & paste. No deep Linux or OKD4/Kubernetes skills needed!*
*The missing 5% is a guided CentOS 8.4 Linux installation and using Firefox to create some tokens.
Watch an animated GIF at Dropbox and open Pandora's box.
Operating system and virtualization:
Automation and provisioning:
Bastion (KVM):
- CentOS 8.4
- OKD4 - UPI installation environment:
- OKD4 Registry Mirror
- Fedora CoreOS Mirror
- NTP
- DNS
- DHCP
- TFTP
- Project Quay with Clair
- Podman, Skopeo, Buildah (no Docker!)
- 389 Directory
- GitLab
- Artifactory
Load Balancer (KVM):
OKD4 (KVMs):
- Bootstrap
- 3x Master
- 3x Worker
Terraform/Ansible managed:
- 3x Master and 3x Worker
- Chrony time services configured on all master and worker nodes
- Trusted private Project Quay container registry
- Trusted custom Certificate Authority and SSL certificates for Web console, Router, API, LDAP, Project Quay, Podman etc.
- LDAP(S) identity provider (authentication against the 389 Directory on the bastion) with:
  - Administrators: admin, lab in the cluster-admin role
  - Team Members: awesome-admin, awesome-developer
- Enabled Image Pruner and disabled Samples Operator
Argo CD (GitOps) managed:
- Operators and instances:
- OpenShift Logging
- OpenShift Elastic Search
- Quay Container Security
- Grafana Operator
- Storage:
- Argo Project:
- Tekton:
- Secret Management:
- Container Build:
- Security:
Especially with servers reachable from the wild wild world some kind of security makes sense!
For this reason:
- A firewall is running on this lab and only SSH is allowed on the external interface (this lab runs sshd on port 53 instead of the default port 22).
- Only SSH PubkeyAuthentication is allowed; password logins are disabled.
- Only necessary services are enabled.
- Except SSH, all network services are bound to localhost.
- The virtual network is not directly reachable from the wild world.
- Visual Studio Code and VNC are only available via SSH tunnel.
If you go the Hetzner path additional security is possible and recommended.
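The rules above are easy to state and easy to break silently (a stock CentOS sshd_config still allows password logins, and a service that later starts on 0.0.0.0 is exposed without anyone noticing). The script below is an added audit helper, not part of OKD-LAB, that checks a bastion against exactly those rules. It assumes sshd_config is at the path you pass in, that listening sockets come from `ss -tlnH`, that SSH listens on port 53 as this README states (set `SSH_PORT=22` for a default install), and that 192.168.122.1 is the libvirt bridge address on which internal services (DNS, Quay, ...) may legitimately listen; the sample config files and `ss` output are constructed so it runs offline.

```shell
#!/bin/sh
# Added audit helper for the hardening rules above; not part of OKD-LAB.
# Assumptions: sshd_config path and `ss -tlnH` output are passed in,
# SSH_PORT defaults to 53 as stated in the README, and the third argument
# is the internal libvirt bridge address whose listeners are acceptable.
SSH_PORT="${SSH_PORT:-53}"

# sshd uses the FIRST value it finds for a keyword, not the last, so a
# hardened "PasswordAuthentication no" appended at the end of the file is
# silently ignored if an earlier "yes" exists. Mirror that rule here.
sshd_first() {
  awk -v key="$1" 'tolower($1) == key && v == "" { v = tolower($2) } END { print v }' "$2"
}

# Return 0 if the config enforces public-key-only logins.
# Keyboard-interactive (PAM) must be off too: with UsePAM it can still
# prompt for a password even when PasswordAuthentication is "no".
sshd_pubkey_only() {
  cfg="$1"
  pass=$(sshd_first passwordauthentication "$cfg")
  pub=$(sshd_first pubkeyauthentication "$cfg")
  kbd=$(sshd_first kbdinteractiveauthentication "$cfg")
  [ -z "$kbd" ] && kbd=$(sshd_first challengeresponseauthentication "$cfg")   # older alias
  [ "$pass" = "no" ] && [ "${pub:-yes}" = "yes" ] && [ "${kbd:-yes}" = "no" ]
}

# Print listeners (from `ss -tlnH` output in file $1) that are reachable from
# outside: not loopback, not the SSH port, not the internal bridge address $2.
# Return 1 if any were printed, 0 if the host only exposes SSH.
exposed_listeners() {
  found=$(awk -v sshp="$SSH_PORT" -v internal="$2" '
    {
      addr = $4                                   # "Local Address:Port" column
      n = split(addr, p, ":")
      port = p[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]" || host == "localhost") next
      if (port == sshp) next                      # the one allowed external service
      if (internal != "" && host == internal) next
      print addr
    }' "$1")
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

audit_bastion() {
  rc=0
  if sshd_pubkey_only "$1"; then
    echo "OK   sshd: public-key authentication only"
  else
    echo "FAIL sshd: password or keyboard-interactive login still possible"; rc=1
  fi
  if exposed=$(exposed_listeners "$2" "$3"); then
    echo "OK   no listeners exposed besides SSH"
  else
    echo "FAIL listeners reachable from the external interface:"; echo "$exposed"; rc=1
  fi
  return $rc
}

# --- constructed sample input so the script runs offline ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD_CFG="$TMP/sshd_config.good"; BAD_CFG="$TMP/sshd_config.bad"; SAMPLE_SS="$TMP/ss.txt"
cat > "$GOOD_CFG" <<'EOF'
# constructed: hardened bastion
Port 53
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
cat > "$BAD_CFG" <<'EOF'
# constructed: a stock install that merely appended the hardened line
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$SAMPLE_SS" <<'EOF'
LISTEN 0 128  0.0.0.0:53          0.0.0.0:* users:(("sshd",pid=1,fd=3))
LISTEN 0 128  [::]:53             [::]:*    users:(("sshd",pid=1,fd=4))
LISTEN 0 5    127.0.0.1:5901      0.0.0.0:* users:(("Xvnc",pid=2,fd=5))
LISTEN 0 4096 192.168.122.1:443   0.0.0.0:* users:(("quay",pid=3,fd=6))
LISTEN 0 4096 0.0.0.0:8080        0.0.0.0:* users:(("code-server",pid=4,fd=7))
EOF

audit_bastion "$GOOD_CFG" "$SAMPLE_SS" 192.168.122.1 || true
```

On a real bastion run `ss -tlnH > /tmp/listeners.txt` and then `audit_bastion /etc/ssh/sshd_config /tmp/listeners.txt 192.168.122.1`; in the constructed sample only the `0.0.0.0:8080` listener is reported, while VNC on 127.0.0.1:5901 stays reachable the intended way, through a tunnel such as `ssh -p 53 -L 5901:localhost:5901 user@bastion`. The check is intentionally port-based, so a second service on the SSH port would slip through; it is a quick regression check, not a replacement for reading the firewall rules.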
This guide is not about installing and maintaining Linux at the highest possible level. It's not about being a best-in-class automation expert, and it's a controlled environment with intentionally 99% static settings. But if you know what you are doing, you can change and expand everything with ease and apply it to your needs. Have fun!
Thanks to all in the Open Source Community and especially to @cgruver for inspiration and help!
OKD-LAB is released under the Apache 2.0 license. See the LICENSE file for details. Some components may be licensed differently - consult individual vendors and repositories for more.