-
Some deployments would require a Red Hat Customer Portal account that has appropriate subscriptions. This is not required for the playbook themselves.
NoteRed Hat employee subscriptions can be used
-
[Python](https://www.python.org) version 2.7.x (3.x untested and may not work)
-
[Python Boto](http://docs.pythonboto.org) version 2.41 or greater
-
[Git](http://github.com) any version would do.
-
[Ansible](https://github.com/ansible/ansible) version 2.1.2 or greater
-
[awscli bundle](https://s3.amazonaws.com/aws-cli/awscli-bundle.zip) tested with version 1.11.32 Python and the Python dependencies may be installed via your OS' package manager (eg: python2-boto on Fedora/CentOS/RHEL) or via [pip](https://pypi.python.org/pypi/pip). [Python virtualenv](https://pypi.python.org/pypi/virtualenv) can also work.
# Install basic packages
yum install -y wget python python-boto unzip boto3 tmux git
# Another option to configure python boto is:
git clone git://github.com/boto/boto.git
cd boto
python setup.py install
#Install boto3
pip install boto3
#Install pywinrm if you plan to deploy windows VMs
#pip install pywinrm
# Enable epel repositories for Ansible
cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install `ls *epel*.rpm`
# Install ansible and checked install version (required 2.2.0.0)
yum install -y ansible
ansible --version
## Install aws cli
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /bin/aws
aws --version-
You will need to place your EC2 credentials in the ~/.aws/credentials file:
mkdir ~/.aws cat << EOF >> ~/.aws/credentials [default] aws_access_key_id = AKIAJAAYOURACCESSKEY aws_secret_access_key = rT54UYOURSECRETACCESSKEY EOF
-
Add the SSH Key to the SSH Agent (optional) If your operating system has an SSH agent and you are not using your default configured SSH key, you will need to add the private key you use with your EC2 instances to your SSH agent:
ssh-add <path to key file>
|
Note
|
If you use an SSH config that specifies what keys to use for what hosts this step may not be necessary. |
AWS credentials for the account above must be used with the AWS command line tool (detailed below)
-
An AWS IAM account with the following permissions:
-
Policies can be defined for Users, Groups or Roles
-
Navigate to: AWS Dashboard → Identity & Access Management → Select Users or Groups or Roles → Permissions → Inline Policies → Create Policy → Custom Policy
-
Policy Name: openshift (your preference)
-
Policy Document:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1459269951000", "Effect": "Allow", "Action": [ "cloudformation:*", "iam:*", "route53:*", "elasticloadbalancing:*", "ec2:*", "cloudwatch:*", "autoscaling:*", "s3:*" ], "Resource": [ "*" ] } ] }
-
|
Note
|
Finer-grained permissions are possible, and pull requests are welcome. |
-
A route53 public hosted zone is required for the scripts to create the various DNS entries for the resources it creates. Two DNS entries will be created for workshops:
-
master.guid.domain.tld- a DNS entry pointing to the master -
*.cloudapps.guid.domain.tld- a wildcard DNS entry pointing to the router/infrastructure node
-
-
An EC2 SSH keypair should be created in advance and you should save the key file to your system.
REGION=us-west-1 KEYNAME=ocpworkshop openssl genrsa -out ~/.ssh/${KEYNAME}.pem 2048 openssl rsa -in ~/.ssh/${KEYNAME}.pem -pubout > ~/.ssh/${KEYNAME}.pub chmod 400 ~/.ssh/${KEYNAME}.pub chmod 400 ~/.ssh/${KEYNAME}.pem touch ~/.ssh/config chmod 600 ~/.ssh/config aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
CautionKey pairs are created per region, you will need to specify a different keypair for each region or duplicate the keypair into every region. REGIONS="ap-southeast-1 ap-southeast-2 OTHER_REGIONS..." for REGION in `echo ${REGIONS}` ; do aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`" done
If you want to deploy on azure you will need the Azure client.
sudo -i rpm --import https://packages.microsoft.com/keys/microsoft.asc cat >> /etc/yum.repos.d/azure-cli.repo <<EOF [azure-cli] name=Azure CLI baseurl=https://packages.microsoft.com/yumrepos/azure-cli enabled=1 gpgcheck=1 gpgkey=https://packages.microsoft.com/keys/microsoft.asc EOF yum check-update yum install -y azure-cli # /!\ careful this will update ansible as well sudo pip install --upgrade pip sudo pip install --upgrade ansible[azure] # as user az login
It’s better to use a service principal instead of your main credentials. Refer to the official documentation.
az ad sp create-for-rbac az login --service-principal -u <user> -p <password-or-cert> --tenant <tenant>
azure_service_principal: "service principal client id" azure_password: "service principal password or cert" azure_tenant: "tenant ID" azure_region: "Azure location, ex: EuropeWest" azure_subscription_id: "Subscription id"