class: center, middle # OpenShift on Google Cloud Platform ### Peter Schiffer #### [github.com/pschiffe/ocp-on-gcp](https://github.com/pschiffe/ocp-on-gcp) --- # Agenda * What? * Why? * How? --- # What? Highly available production quality OpenShift Container Platform architecture that leverages native infrastructure of cloud provider. --- # Cloud Providers * OpenStack * Google Cloud Platform (GCP) * Amazon Web Services (AWS) * Microsoft Azure * VMware --- # Why? --- background-image: url(img/ocp-on-gcp-arch.svg) ??? Who will provision the infrastructure? --- # How? Provide Reference Architecture: https://blog.openshift.com/openshift-container-platform-reference-architecture-implementation-guides/ Code: https://github.com/openshift/openshift-ansible-contrib/tree/master/reference-architecture --- # New Agenda! 1. Provision the infrastructure 1. Deploy OpenShift 1. Configure OpenShift / Post-install tasks --- class: center, middle # Provision the infrastructure --- ## Google Cloud DNS * Provides DNS service * https://cloud.google.com/dns/ ## Google Cloud Virtual Network * Provides virtual networking * Single network * Traffic controlled by firewall rules * Both ingress and egress * Using tags * https://cloud.google.com/virtual-network/ --- ## Google Cloud Storage * Provides object storage used by Image Registry * https://cloud.google.com/storage/ ## Google Compute Engine * Provides virtual machines * https://cloud.google.com/compute/ --- # Google Compute Engine --- ### Custom images * Google provides RHEL images, but with limited subscription (no OpenShift) * We use official RHEL 7 KVM image, registered by customer to his subscription * https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images ### Bastion instance * Only host with publicly accessible SSH * SSH proxy for accessing other hosts * Runs deployment of OpenShift with Ansible --- ### Instance templates * Pre-define machine type, image, disks * https://cloud.google.com/compute/docs/instance-templates ### Instance groups * Manage group of identical instances as a single entity * Support autoscaling, load balancing, rolling updates.. * https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances --- ### Load Balancing * Is hard * https://cloud.google.com/load-balancing/  --- #### HTTP(S) Load Balancing * Does not support WebSocket * https://cloud.google.com/compute/docs/load-balancing/http/ #### SSL proxy * Used for external master HTTPS access * https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/ --- #### Network Load Balancing * For internal master access and for external router access * https://cloud.google.com/compute/docs/load-balancing/network/ #### Internal Load Balancing * New * https://cloud.google.com/compute/docs/load-balancing/internal/ --- ### SSL proxy * Forwarding rule * IP address * Target proxy * Certificate * Backend service * Instance group * Instance ### Network Load Balancing * Forwarding rule * IP address * Target pool * Instance group * Instance --- ### + * Global resources * Regional resources * Zonal resources * and Health checks --- class: center, middle # Deploy OpenShift --- ## Advanced installation with Ansible * Dynamic inventory for GCE * https://docs.openshift.com/container-platform/latest/install_config/install/advanced_install.html --- class: center, middle # Configure OpenShift / Post-install tasks --- ## With Ansible * GCE specific configuration * Fine tune firewall on some hosts * Directory quota * Deploy registry * Deployment validation --- class: center, middle # Wanna try? --- ## Prerequisites * Google account * Red Hat account * RHEL and OpenShift subscriptions Setup gcloud utility: ```bash sudo yum -y install curl python which tar qemu-img \ openssl gettext git curl https://sdk.cloud.google.com | bash exec -l $SHELL gcloud components install beta gcloud init ``` --- ## Deploy ```bash git clone https://github.com/openshift/openshift-ansible-contrib.git cd openshift-ansible-contrib/reference-architecture/gce-cli cp config.sh.example config.sh vi config.sh ./gcloud.sh # Bonus: tired of it? ./gcloud.sh --revert ``` --- ## config.sh.example ```bash ### CONFIG ### # Path to a RHEL image on local machine, downloaded from Red Hat Customer Portal RHEL_IMAGE_PATH="${HOME}/Downloads/rhel-guest-image-7.3-35.x86_64.qcow2" DELETE_IMAGE=true # Username and password for Red Hat Customer Portal RH_USERNAME='user@example.com' RH_PASSWORD='xxx' # Pool ID which shall be used to register the pre-registered image RH_POOL_ID='xxx' # Project ID and zone settings for Google Cloud GCLOUD_PROJECT='project-1' GCLOUD_ZONE='us-central1-a' ``` --- ## config.sh.example II ```bash # DNS domain which will be configured in Google Cloud DNS DNS_DOMAIN='ocp.example.com' # Name of the DNS zone in the Google Cloud DNS. If empty, it will be created DNS_DOMAIN_NAME='ocp-example-com' # DNS name for the Master service MASTER_DNS_NAME="master.${DNS_DOMAIN}" # Internal DNS name for the Master service INTERNAL_MASTER_DNS_NAME="internal-master.${DNS_DOMAIN}" # Domain name for the OpenShift applications OCP_APPS_DNS_NAME="apps.${DNS_DOMAIN}" # Paths on the local system for the certificate files. If empty, self-signed # certificate will be generated MASTER_HTTPS_CERT_FILE="${HOME}/master.${DNS_DOMAIN}.pem" MASTER_HTTPS_KEY_FILE="${HOME}/master.${DNS_DOMAIN}.key" # OpenShift Identity providers. This is Google oauth example (hosted_domain is optional and restricts login to users only from the specified domain) OCP_IDENTITY_PROVIDERS='[ {"name": "google", "kind": "GoogleIdentityProvider", "login": "true", "challenge": "false", "mapping_method": "claim", "client_id": "xxx-yyy.apps.googleusercontent.com", "client_secret": "zzz", "hosted_domain": "example.com"} ]' ``` --- class: center, middle # Questions?