Install Calico on an OpenShift HCP cluster
Big picture
Install Calico on an OpenShift Hosted Control Planes (HCP) cluster.
Value
Provides steps to install Calico in OpenShift Hosted Control Planes (HCP) clusters using the HyperShift middleware, augmenting the steps in the HyperShift documentation where appropriate.
How to
Before you begin
-
Ensure that your environment meets the Calico system requirements.
-
Ensure that you have a RedHat account. A RedHat account is required to get the pull secret necessary to provision an OpenShift cluster. Note that the OpenShift installer supports a subset of AWS regions.
-
If installing on AWS, ensure that you have:
- Configured an AWS account appropriate for OpenShift 4
- Set up your AWS credentials
- Generated a local SSH private key and added it to your ssh-agent
-
Install the HyperShift CLI and fulfill all the other Prerequisites from the HyperShift documentation.
Create the hosting cluster
Deploy an OpenShift cluster with Calico. This will be the hosting cluster with control-plane nodes for all hosted clusters you deploy with the steps below. Set up your KUBECONFIG
environment variable to your hosting cluster's kubeconfig file:
export KUBECONFIG=/path/to/kubeconfig
Install the HyperShift operator in the hosting cluster
Follow the steps from the HyperShift documentation to Install the HyperShift Operator.
Create a hosted cluster
Create a hosted cluster with Calico by going through the following steps (slightly modified from the HyperShift docs).
- Create a HostedCluster and set its HostedCluster.spec.networking.networkType to Other:
Make sure to adjust the variables for the command below to the correct values for your cluster, credentials and environment.
HOSTED_CLUSTER_NAME=my-os-hosted-cluster
REGION=us-west-2
BASE_DOMAIN=www.example.com
AWS_CREDS="$HOME/.aws/credentials"
PULL_SECRET="$HOME/.secrets/redhat-pull-secret.txt"
hypershift create cluster aws \
--name $HOSTED_CLUSTER_NAME \
--node-pool-replicas=3 \
--base-domain $BASE_DOMAIN \
--pull-secret $PULL_SECRET \
--aws-creds $AWS_CREDS \
--region $REGION \
--generate-ssh \
--network-type Other
If your hosted cluster is having authorization problems with your Red Hat pull secret (unauthorized: authentication required
in the HyperShift operator pod logs), make sure it is using a stable release image for the OpenShift Container Platform (OCP).
You can find them in [https://amd64.ocp.releases.ci.openshift.org], for example --release-image quay.io/openshift-release-dev/ocp-release:4.16.4-x86_64
There is currently an issue with the HyperShift middleware that will result in the hosted cluster installation not progressing due to a missing OVNSbDb
service. Patch the hosted cluster resource in order to add it:
HOSTED_CLUSTER_NAME=my-os-hosted-cluster
CLUSTER_NS="clusters"
oc patch -n ${CLUSTER_NS} hostedcluster ${HOSTED_CLUSTER_NAME} --type='json' -p '[{"op": "add", "path": "/spec/services/-", "value": {"service":"OVNSbDb","servicePublishingStrategy": {"type": "Route"}}}]'
Once the hosted cluster is up, use the hypershift
CLI tool to generate the kubeconfig
file:
hypershift create kubeconfig > hosted_kubeconfig && export KUBECONFIG=$(pwd)/hosted_kubeconfig
Then, copy the aws-creds
secret from the hosting cluster to the hosted cluster. Run this using the hosting cluster kubeconfig to extract the secret to a yaml
file:
oc get secrets --kubeconfig /path/to/hosting/kubeconfig -n kube-system aws-creds -o yaml > aws-creds.yaml
Then import it in the hosted cluster:
oc apply --kubeconfig /path/to/hosted/kubeconfig -f aws-creds.yaml
There is no need to specify the --kubeconfig
CLI argument if the hosted cluster's kubeconfig file is configured as the KUBECONFIG
environment variable in your shell.
Download the Calico install manifests
Now download and apply the Calico manifests according to the HyperShift docs.
Download the Calico manifests for OpenShift:
mkdir calico
wget -qO- https://github.com/projectcalico/calico/releases/download/v3.29.1/ocp.tgz | tar xvz --strip-components=1 -C calico
Optionally provide additional configuration
You may want to provide Calico with additional configuration at install-time. For example, BGP configuration or peers. You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation. If you do not need to provide additional configuration, you can skip this section.
To include Calico resources during installation, edit calico/02-configmap-calico-resources.yaml
to add your own configuration.
If you have a directory with the Calico resources, you can create the file with the command:
oc create configmap -n tigera-operator calico-resources \
--from-file=<resource-directory> --dry-run -o yaml \
calico/02-configmap-calico-resources.yaml
With recent versions of oc it is necessary to have a kubeconfig configured or add --server='127.0.0.1:443'
even though it is not used.
If you have provided a calico-resources
configmap and the tigera-operator pod fails to come up with Init:CrashLoopBackOff
,
check the output of the init-container with oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources
.
Apply the Calico install manifests
Apply the install manifests paying attention to the required order:
cd calico/
ls *crd*.yaml | xargs -n1 oc apply -f
ls 00* | xargs -n1 oc apply -f
ls 01* | xargs -n1 oc apply -f
ls 02* | xargs -n1 oc apply -f
Once the above commands are complete, you can verify Calico is installed by verifying the components are available with the following command.
oc get tigerastatus
To get more information, add -o yaml
to the above command.
Next steps
Recommended - Networking
- If you are using the default BGP networking with full-mesh node-to-node peering with no encapsulation, go to Configure BGP peering to get traffic flowing between pods.
- If you are unsure about networking options, or want to implement encapsulation (overlay networking), see Determine best networking option.
Recommended - Security
- Secure Calico component communications
- Secure hosts by installing Calico on hosts
- Secure pods with Calico network policy
- If you are using Calico with Istio service mesh, get started here: Enable application layer policy