Install an OpenShift 4 cluster with Calico
Big picture
Install an OpenShift 4 cluster with Calico.
Value
Augments the applicable steps in the OpenShift documentation to install Calico.
How to
Before you begin
-
Ensure that your environment meets the Calico system requirements.
-
Ensure that you have a RedHat account. A RedHat account is required to get the pull secret necessary to provision an OpenShift cluster. Note that the OpenShift installer supports a subset of AWS regions.
-
If installing on AWS, ensure that you have:
- Configured an AWS account appropriate for OpenShift 4
- Set up your AWS credentials
- Generated a local SSH private key and added it to your ssh-agent
Create a configuration file for the OpenShift installer
First, create a staging directory for the installation. This directory will contain the configuration file, along with cluster state files, that OpenShift installer will create:
mkdir openshift-tigera-install && cd openshift-tigera-install
Now run OpenShift installer to create a default configuration file:
openshift-install create install-config
Refer to the OpenShift installer documentation for more information about the installer and any configuration changes required for your platform.
Once the installer has finished, your staging directory will contain the configuration file install-config.yaml
.
Update the configuration file to use Calico
Override the OpenShift networking to use Calico and update the AWS instance types to meet the system requirements:
sed -i 's/\(OpenShiftSDN\|OVNKubernetes\)/Calico/' install-config.yaml
Generate the install manifests
Now generate the Kubernetes manifests using your configuration file:
openshift-install create manifests
Download the Calico manifests for OpenShift and add them to the generated manifests directory:
mkdir calico
wget -qO- https://github.com/projectcalico/calico/releases/download/v3.29.1/ocp.tgz | tar xvz --strip-components=1 -C calico
cp calico/* manifests/
Optionally provide additional configuration
You may want to provide Calico with additional configuration at install-time. For example, BGP configuration or peers. You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation. If you do not need to provide additional configuration, you can skip this section.
To include Calico resources during installation, edit manifests/02-configmap-calico-resources.yaml
to add your own configuration.
If you have a directory with the Calico resources, you can create the file with the command:
oc create configmap -n tigera-operator calico-resources \
--from-file=<resource-directory> --dry-run -o yaml \
manifests/02-configmap-calico-resources.yaml
With recent versions of oc it is necessary to have a kubeconfig configured or add --server='127.0.0.1:443'
even though it is not used.
If you have provided a calico-resources
configmap and the tigera-operator pod fails to come up with Init:CrashLoopBackOff
,
check the output of the init-container with oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources
.
Create the cluster
Start the cluster creation with the following command and wait for it to complete.
openshift-install create cluster
Once the above command is complete, you can verify Calico is installed by verifying the components are available with the following command.
oc get tigerastatus
To get more information, add -o yaml
to the above command.
Optionally integrate with Operator Lifecycle Manager (OLM)
In OpenShift Container Platform, the Operator Lifecycle Manager helps cluster administrators manage the lifecycle of operators in their cluster. Managing the Calico operator with OLM gives administrators a single place to manage operators.
To register the running Calico operator with OLM, first you will need to create an OperatorGroup for the operator:
oc apply -f - <<EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: tigera-operator
namespace: tigera-operator
spec:
targetNamespaces:
- tigera-operator
EOF
Next, you will create a Subscription to the operator. By subscribing to the operator package, the Calico operator will be managed by OLM.
oc apply -f - <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: tigera-operator
namespace: tigera-operator
spec:
channel: release-v1.36
installPlanApproval: Manual
name: tigera-operator
source: certified-operators
sourceNamespace: openshift-marketplace
startingCSV: tigera-operator.v1.36.2
EOF
Finally, log in to the OpenShift console, navigate to the Installed Operators section and approve the Install Plan for the operator.
This may trigger the operator deployment and all of its resources (pods, deployments, etc.) to be recreated.
The OpenShift console provides an interface for editing the operator installation, viewing the operator's status, and more.
Next steps
Recommended - Networking
- If you are using the default BGP networking with full-mesh node-to-node peering with no encapsulation, go to Configure BGP peering to get traffic flowing between pods.
- If you are unsure about networking options, or want to implement encapsulation (overlay networking), see Determine best networking option.
Recommended - Security
- Secure Calico component communications
- Secure hosts by installing Calico on hosts
- Secure pods with Calico network policy
- If you are using Calico with Istio service mesh, get started here: Enable application layer policy