Skip to content

GitOps ZTP based installation

GitOps ZTP is an OpenShift cluster deployment method based on the principle of managing the installation settings from a source code repository.

Table of contents

Process description

The DCI process of deploying a cluster using the GitOps ZTP method comprises two stages.

In the first stage, an OpenShift Hub Cluster, running the Advanced Cluster Management (ACM), GitOps and Topology-Aware Lifecycle Manager operators are deployed. This must be a multinode cluster since ACM relies on a redundant PostgreSQL database.

After this, the GitOps operator is connected to a Git repository containing the site configuration (deployment) and policy generator templates (settings and workloads) manifests for the OpenShift Spoke Clusters. On reading and processing these manifests the deployment of any defined spoke clusters is triggered.

These two stages are run through separate DCI jobs that may be pipeline stages.

ZTP ACM Hub Cluster

To support ZTP GitOps based deployments, the ACM Hub Cluster must be provisioned with some operators on top of the Advanced Cluster Management. In particular, the OpenShift GitOps Operator and the Topology Aware Lifecycle Manager is required.

Also, for disconnected environments you may need to have a Git repository served from the restricted network. To help with this, the DCI OpenShift Agent allows you to install a Gitea instance on the hub cluster, so it can be reached both, from the jumpbox and the spoke cluster.

Requirements for the ZTP ACM Hub Cluster

  • A multi-node or compact cluster (minimum 3 control plane nodes).
  • For disconnected environments, a container image registry running from the DMZ may be used to mirror the Gitea image.

Configuration for the ZTP ACM Hub Cluster

Variable Description
dci_operators List of the operators, along with their specific settings, to be installed in the Hub Cluster. This list must included, at minimum, the advanced-cluster-management, the openshift-gitops-operator and the topology-aware-lifecycle manager.
enable_acm The variable must be set to "true" for the dci-openshift-agent to run the ACM hub cluster configuration tasks.
enable_gitea For disconnected environments, set it to "true" to enable the deployment of a Gitea server in the hub cluster so you may push your gitops manifests.
dci_pullsecret_file In disconnected environments, paths to the pull-secret file to authenticate on the Gitea image registry.
dci_local_registry In disconnected environments, base URL to the local registry hosting the Gitea mirrored images.
sg_username The internal Git server user name.
sg_password The internal Git server user password.
sg_email The internal Git server user e-mail address.
sg_repository The name to be given to the internal Git repository.
sg_repo_mirror_url URL to an external reference repository containing the manifests to push (mirror) into the internal Git repository.

Pipeline data for the ZTP ACM Hub Cluster

Make sure the ACM Hub Clusters as described in the ACM documentation includes the following data:

dci_operators:
  - name: advanced-cluster-management
    catalog_source: "redhat-operators"
    namespace: "open-cluster-management"
    operator_group_spec:
      targetNamespaces:
        - "open-cluster-management"
  - name: kubevirt-hyperconverged
    catalog_source: "redhat-operators"
    namespace: openshift-cnv
    starting_csv: kubevirt-hyperconverged-operator.v4.14.3
  - name: openshift-gitops-operator
    catalog_source: redhat-operators
    namespace: openshift-gitops-operator
  - name: topology-aware-lifecycle-manager
    catalog_source: redhat-operators
    namespace: openshift-operators
    operator_group_name: "global-operators"
# Operators to configure
enable_acm: true
# For disconnected environments
#enable_gitea: true
#sg_gitea_image: registry.local:5000/gitea/gitea:latest-rootless
#sg_username: gituser
#sg_password: Git_Ops_1234
#sg_email: gituser@example.com
#sg_repository: gitops
#sg_repo_mirror_url: git@github.com:gituser/gitops.git

Inventory data for the ZTP ACM Hub Cluster

No extra variables are needed in the ACM Hub Cluster inventory.

ZTP spoke cluster

Requirements for the ZTP Spoke Cluster

  • The Spoke Cluster is located in a connected environment.

  • An installed OCP cluster configured with the ACM, GitOps and TALM operators and their dependencies. A default storage class is mandatory to save information about the clusters managed by ACM. This will act as the Hub Cluster.

  • A kubeconfig file to interact with the Hub Cluster.

  • A Git repository accessible from the Hub Cluster, so it can pull the site configuration and policies.

  • The Git repository must have a SSH public key enabled.

  • The private key to the SSH private key enabled in the Git repository.

  • The Git repository must provide credentials to log into the spoke cluster node BMC consoles.

  • Also provide a pull secret file for the Spoke cluster. You can use the pull secret extracted from the Hub cluster for this purpose.

Configuration for the ZTP Spoke Cluster

The following settings must be provided to the SNO Spoke Cluster deployment job.

Variable Required Value Description
install_type yes acm Enables the dci-openshift-agent flow that installs a spoke cluster.
acm_cluster_type yes ztp-spoke Enables the gitops-ztp installation method from all the available ACM based methods.
dci_gitops_sites_repo yes Parameters to the site-config manifest repository.
dci_gitops_policies_repo yes Parameters to the policy generator template manifest repository.
dci_gitops_*_repo.url yes URL to the repository in SSH or HTTP format.
dci_gitops_*_repo.path yes Path to the directory containing the manifests.
dci_gitops_*_repo.branch yes Branch containing your target version of the manifests.
dci_gitops_*_repo.key_path yes If using SSH protocol, local path to the private key file authorized to access the repository.
dci_gitops_*_repo.username yes If using HTTP protocol, user name of an authorized account.
dci_gitops_*_repo.password yes If using HTTP protocol, password for the authorized user name.
dci_gitops_*_repo.known_hosts no (If required) List of the repository SSH fingerprints.

Pipeline example for the ZTP Spoke Cluster

- name: openshift-ztp-spoke
  stage: ztp-spoke
  prev_stages: [acm-hub]
  ansible_playbook: /usr/share/dci-openshift-agent/dci-openshift-agent.yml
  ansible_cfg: /usr/share/dci-openshift-agent/ansible.cfg
  dci_credentials: /etc/dci-openshift-agent/dci_credentials.yml
  configuration: "@QUEUE"
  ansible_inventory: ~/inventories/sno_baremetal-sno1-ztp-spoke-hosts
  ansible_extravars:
    install_type: acm
    acm_cluster_type: ztp-spoke
    dci_tags: [debug, sno, ztp, spoke, baremetal]
    dci_must_gather_images:
      - registry.redhat.io/openshift4/ose-must-gather
    dci_teardown_on_success: false
    acm_vm_external_network: False # False when running on ACM Hubs deployed by Assisted
  topic: OCP-4.15
  components:
    - ocp
  inputs:
    kubeconfig: hub_kubeconfig_path
  outputs:
    kubeconfig: "kubeconfig"

Inventory example for the ZTP Spoke Cluster inventory - SNO running Git over SSH

all:
  hosts:
    localhost:
      ansible_connection: local
  vars:
    cluster: sno1
    domain: spoke.example.lab
    dci_gitops_sites_repo:
      url: git@githost.com:org/spoke-ci-config.git
      path: files/ztp-spoke/sites
      branch: ztp_spoke
      key_path: "/path/to/ssh/private/key"
      known_hosts: "{{ gitops_repo_known_hosts }}"
    dci_gitops_policies_repo:
      url: git@githost.com:org/spoke-ci-config.git
      path: files/ztp-spoke/policies
      branch: ztp_spoke
      key_path: "/path/to/ssh/private/key"
      known_hosts: "{{ gitops_repo_known_hosts }}"
    gitops_repo_known_hosts: |
      github.com ecdsa-sha2-nistp256 ### KEY ###
      github.com ssh-ed25519 ### KEY ###
      github.com ssh-rsa ### KEY ###

Inventory example for the ZTP Spoke Cluster inventory - SNO running Git over HTTP

all:
  hosts:
    localhost:
      ansible_connection: local
  vars:
    cluster: sno1
    domain: spoke.example.lab
    dci_gitops_sites_repo:
      url: git@githost.com:org/spoke-ci-config.git
      path: files/ztp-spoke/sites
      branch: ztp_spoke
      username: ### USERNAME ###
      password: ### PASSWORD ###
    dci_gitops_policies_repo:
      url: git@githost.com:org/spoke-ci-config.git
      path: files/ztp-spoke/policies
      branch: ztp_spoke
      username: ### USERNAME ###
      password: ### PASSWORD ###