Deploy OKD4 (OpenShift) on Hetzner Cloud using Hashicorp Packer, Terraform and Ansible.

The Hetzner Cloud does not fulfill the I/O performance/latency requirements for etcd - even when using local SSDs (instead of ceph storage). This could result in different problems during the cluster bootstrap. You could check the I/O performance via etcdctl check perf.

Because of that OpenShift on hcloud is only suitable for small test environments. Please do not use it for production clusters.

The deployment defaults to a single node cluster.

• 1x Master Node (CX41)
• 1x Loadbalancer (LB11)
• 1x Bootstrap Node (CX41) - deleted after cluster bootstrap
• 1x Ignition Node (CX11) - deleted after cluster bootstrap

To ensure that the we have a proper build environment, we create a toolbox container first.

make fetch
make build

If you do not want to build the container by your own, it is also available on quay.io.

Use the following command to start the container.

make run

All the following commands will be executed inside the container.

Set a target version of use the targets latest_version to fetch the latest available version.

export OPENSHIFT_RELEASE=$(make latest_version)

---
apiVersion: v1
baseDomain: 'example.com'
metadata:
  name: 'okd4'
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 1
networking:
  clusterNetworks:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
  machineCIDR:
platform:
  none: {}
pullSecret: '{"auths":{"none":{"auth": "none"}}}'
sshKey: ssh-rsa AABBCC... Some_Service_User

make generate_manifests

make generate_ignition

# terraform variables
export TF_VAR_dns_domain=okd4.example.com
export TF_VAR_dns_zone_id=14758f1afd44c09b7992073ccf00b43d

# credentials for hcloud
export HCLOUD_TOKEN=14758f1afd44c09b7992073ccf00b43d14758f1afd44c09b7992073ccf00b43d

# credentials for cloudflare
export [email protected]
export CLOUDFLARE_API_KEY=14758f1afd44c09b7992073ccf00b43d

Build a Fedora CoreOS hcloud image with Packer and embed the hcloud user data source (http://169.254.169.254/hetzner/v1/userdata).

make hcloud_image

make infrastructure BOOTSTRAP=true

make wait_bootstrap

make infrastructure

make wait_completion

CSRs of the master nodes get signed by the bootstrap node automaticaly during the cluster bootstrap. CSRs from worker nodes must be signed manually.

make sign_csr
sleep 60
make sign_csr

This step is not necessary if you set replicas_worker to zero.

It's also possible OCP (with RedHat CoreOS) instead of OKD. Just export DEPLOYMENT_TYPE=ocp. For example:

export DEPLOYMENT_TYPE=ocp
export OPENSHIFT_RELEASE=4.6.35
make fetch build run

You can also select the latest version from a specific channel via:

export OCP_RELEASE_CHANNEL=stable-4.11
export OPENSHIFT_RELEASE=$(make latest_version)
make fetch build run

To setup OCP a pull secret in your install-config.yaml is necessary, which could be obtained from cloud.redhat.com.

As the Terraform module from Hetzer is currently unable to produce applied rules that contain hosts you deploy at the same time, you have to deploy them afterwards.

In order to do that, you should visit your Hetzner Web Console and apply the okd-master firewall rule to all hosts with the label okd.io/master: true, the okd-base to the label okd.io/node: true and okd-ingress to all nodes with the okd.io/ingress: true label. Since terraform will ignore firewall changes, this should not interfere with your existing state.

Note: This will keep hosts pingable, but isolate them complete from the internet, making the cluster only reachable through the load balancer. If you require direct SSH access, you can add another rule, that you apply nodes that allows access to port 22.

Checkout this issue to get details about how to obtain an API token for the Cloudflare API.

• slauger