reference-architectures/standard-openshift/deploy-arch-ibm-pvs-inf-standard-openshift.md
20 additions & 25 deletions
@@ -31,7 +31,7 @@ compliance:
The Quickstart OpenShift deployment on Power Virtual Server with a VPC landing zone uses the Red Hat IPI installer to set up an OpenShift cluster. Before the deployment begins, it provisions VPC services and creates a Power Virtual Server workspace, which together form the landing zone used to access and manage the cluster.
-
The number of PowerVS master and worker nodes and their respective compute configurations can be freely configured during deployment. Optionally, Monitoring and Security and Compliance Center Workload Protection can also be configured.
+
The number of PowerVS master and worker nodes and their respective compute configurations can be configured during deployment. Optionally, Monitoring and Security and Compliance Center Workload Protection can also be configured.
## Architecture diagram
{: #standard-openshift-architecture-diagram}
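Review bot: the edited sentence still carries an ambiguous list: "Optionally, Monitoring and Security and Compliance Center Workload Protection can also be configured" reads as three products. Suggest "Optionally, IBM Cloud Monitoring and Security and Compliance Center Workload Protection can also be enabled." Dropping "freely" is the right call, since the compute profiles are constrained by the offering. Consider also using "control plane and worker nodes" rather than "master and worker nodes", which matches the Red Hat installer documentation this file links to later and the terminology the new OpenShift Components table should then follow.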
@@ -45,8 +45,8 @@ The number of PowerVS master and worker nodes and their respective compute confi
IBM Cloud® Power Virtual Servers (PowerVS) is a public cloud offering that an enterprise can use to establish its own private IBM Power computing environment on shared public cloud infrastructure. PowerVS is logically isolated from all other public cloud tenants and infrastructure components, creating a private, secure place on the public cloud. This deployable architecture provides a framework to build a PowerVS offering according to the best practices and requirements from the IBM Cloud.
-
## Components
-
{: #standard-openshift-components}
+
## Landing Zone Components
+
{: #standard-openshift-landing-zone-components}
### VPC architecture decisions
{: #standard-openshift-vpc-components-arch}
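Review bot: renaming the anchor from `{: #standard-openshift-components}` to `{: #standard-openshift-landing-zone-components}` silently breaks any existing link that targets the old id; grep the docs set and the catalog entry for `standard-openshift-components` before merging, or keep the old id alongside the new one. The heading change itself is good: "Landing Zone Components" separates these tables from the new "OpenShift Components" section added at the end of this file.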
@@ -59,6 +59,7 @@ IBM Cloud® Power Virtual Servers (PowerVS) is a public cloud offering that an e
|* Allow customer to choose operating system from two most widely used commercial Linux operating system offerings \n * Support new OS releases|Linux operating system|Red Hat Enterprise Linux (RHEL)||
|* Create a virtual server instance as the only management access point to the landscape|Bastion host VPC instance|Create a Linux VPC instance that acts as a bastion host. Configure ACL and security group rules to allow SSH connectivity (port 22). Add a public IP address to the VPC instance. Allow connectivity from a restricted and limited number of public IP addresses. Allow connectivity from IP addresses of the Schematics engine nodes||
|* Create a virtual server instance that can act as an internet proxy server |Network services VPC instance|Create a Linux VPC instance that can host management components. Preconfigure ACL and security group rules to allow traffic over private networks only.|Configure application load balancer to act as proxy server manually, Modify number of virtual server instances and allowed ports in preset or perform the modifications manually|
+
|* Create DNS Service instance as pre-requisite for IPI installer | DNS Service Instance | Create a DNS Service instance and a custom resolver to internally resolve the cluster domain. ||
|* Ensure financial services compliancy for VPC services \n * Perform network setup of all created services \n * Perform network isolation of all created services \n * Ensure all created services are interconnected |Secure landing zone components|Create a minimum set of required components for a secure landing zone|Create a modified set of required components for a secure landing zone in preset|
|* Allow customer to optionally enable monitoring in the deployment|IBM Cloud® monitoring instance and Monitoring Host VPC Instance|Optionally, create or import an existing IBM Cloud® monitoring instance (customer provided details) and create and pre-configure the Monitoring Host VPC instance to collect information and send it to the IBM Cloud® monitoring instance.||
|* Allow customer to optionally enable [Security and Compliance Center Workload Protection](/docs/workload-protection) in the deployment \n * Collect posture management information, enable vulnerability scanning and threat detection|IBM Cloud® Security and Compliance Center Workload Protection and SCC Workload Protection agent on all VPC instances in the deployment.|Optionally, create an IBM Cloud® Security and Compliance Center Workload Protection instance and install and setup the SCC Workload Protection agent on all VPC instances in the deployment (bastion, network services, monitoring hosts).||
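Review bot: in the added DNS row, "pre-requisite" should be "prerequisite", and the cell padding (`| DNS Service Instance |`) differs from the surrounding rows, which put no spaces around the pipes. More usefully, the row says the custom resolver "internally resolve[s] the cluster domain" but not which records the installer depends on; the OpenShift Components table later in this file is where the CNAME entries for the internal and external API are added, so a short cross-reference here ("records are added during cluster deployment, see OpenShift Components") tells the reader where that happens.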
@@ -73,17 +74,6 @@ IBM Cloud® Power Virtual Servers (PowerVS) is a public cloud offering that an e
|* Preload a public SSH key that is injected into every OS deployment|Preloaded SSH public key|Preload customer specified SSH public key||
|* Ensure public internet connectivity from all the instances to be deployed in PowerVS workspace|SQUID proxy|Set up SQUID proxy software on Linux virtual server instance that is running in edge VPC||
-
|* Provide shared NFS storage that might be directly attached to all the instances to be deployed in PowerVS workspace| File storage shares in VPC|Use the files storage share service running in VPC. Disk size is specified by the user.||
-
|* Provide time synchronization to all instances to be deployed in PowerVS workspace|NTP forwarder|Synchronize time by using public NTP servers. Set up time synchronization on Linux virtual server instance that is running in workload VPC.|By using time synchronization servers directly reachable from PowerVS workspace, NTP forwarder is not required.|
-
|* Provide a DNS forwarder to a DNS server not directly reachable from PowerVS workspace (for example, running on-premises or in other isolated environment)|DNS forwarder|Configure DNS forwarder on Linux virtual server instance that is running in edge VPC| By using default IBM Cloud DNS service, DNS forwarder is not needed. Direct domain name resolution is possible.|
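Review bot: deleting the NTP forwarder row leaves the document with no statement of how the OpenShift nodes on the PowerVS subnet get time. The removed row's own alternative column covered exactly this case ("By using time synchronization servers directly reachable from PowerVS workspace, NTP forwarder is not required"), and the SQUID proxy row that remains cannot stand in for it: Squid is an HTTP proxy and does not carry NTP (UDP 123). Certificate validation during the IPI install and in the running cluster depends on correct time, so either keep a one-line row stating that the nodes reach public NTP servers directly, or add that statement to the OpenShift Components section. The same applies, with lower stakes, to the removed NFS and DNS forwarder rows: a sentence saying they are not used in this variation is clearer than silent deletion.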
@@ -92,17 +82,8 @@ IBM Cloud® Power Virtual Servers (PowerVS) is a public cloud offering that an e
|* Preload VPN configuration to simplify VPN setup|VPNs|VPN configuration is the responsibility of the customer. Automation creates a client to site VPN server||
|* Enable floating IP on bastion host to execute deployment|Floating IPs on bastion host in management VPC|Use floating IP on bastion host from IBM Schematics to complete deployment||
|* Isolate management VSI and allow only a limited number of network connections \n * All other connections from or to management VPC are forbidden|Security group rules for management VSI|Open following ports by default: 22 (for limited number of IPs). \n All ports to PowerVS workspace are open. \n All ports to other VPCs are open.|More ports might be opened in preset or added manually after deployment|
-
|* Isolate network services VSI, VPEs and NFSaaS |Security group rules in edge VPC|Separate security groups are created for each component and only certain IPs or Ports are allowed. |More ports might be opened in preset or added manually after deployment|
|* Deploy PowerVS instance for POC or demo purposes \n * Use pre-defined t-shirt sizes with regards to memory, cpu, OS and storage | PowerVS instance | * Attach all required storage filesystems \n * Attach networks for management and backup \n * Connect instance with infrastructure management services like DNS, NTP, NFS | * Allow customer to specify memory, cpu, OS, storage and additional parameters \n * OS configuration is the responsibility of the customer |
|* Isolate network services VSI and VPEs |Security group rules in edge VPC|Separate security groups are created for each component and only certain IPs or Ports are allowed. |More ports might be opened in preset or added manually after deployment|
### Key and password management architecture decisions
{: #standard-openshift-key-pw}
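Review bot: the replacement edge-VPC row correctly drops NFSaaS, but the unchanged management-VSI row just above it still reads "All ports to PowerVS workspace are open. All ports to other VPCs are open." while its requirement column says "All other connections from or to management VPC are forbidden". With the PowerVS workspace now hosting bootstrap, control plane and worker nodes instead of the single PoC instance whose row this hunk removes ("Deploy PowerVS instance for POC or demo purposes"), that blanket rule deserves a second look, and the alternative-choice text "More ports might be opened in preset or added manually" points the wrong way for this variation: the useful option here is to narrow the rule to the ports the installer and cluster actually need from the bastion.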
@@ -112,3 +93,17 @@ IBM Cloud® Power Virtual Servers (PowerVS) is a public cloud offering that an e
|* Use public/private SSH key to access virtual server instances by using SSH \n * Use SSH proxy to log in to all virtual server instances by using the bastion host \n * Do not store private ssh key on any virtual instances, also not on the bastion host \n * Do not allow any other SSH login methods except the one with specified private/public SSH key pair|Public SSH key - provided by customer. Private SSH key - provided by customer.|Ask customer to specify the keys. Accept the input as secure parameter or as reference to the key stored in IBM Cloud Secure Storage Manager. Do not print SSH keys in any log files. Do not persist private SSH key.||
|* Use public/private SSH key to access virtual server instances by using SSH \n * Use SSH proxy to log in to all virtual server instances by using the private IPS of instances using a VPN client \n * Do not store private ssh key on any virtual instances \n * Do not allow any other SSH login methods except the one with specified private/public SSH key pair|Public SSH key - provided by customer. Private SSH key - provided by customer.|Ask customer to specify the keys. Accept the input as secure parameter or as reference to the key stored in IBM Cloud Secure Storage Manager. Do not print SSH keys in any log files. Do not persist private SSH key.||
{: caption="Table 5. Key and passwords management architecture decisions" caption-side="bottom"}
+
+
## OpenShift Components
+
{: #standard-openshift-openshift-components}
+
+
Once the landing zone components are deployed, this architecture leverages the [RedHat IPI installer](https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/installing_on_ibm_power_virtual_server/index){: external} to create an OpenShift cluster.
+
+
| Requirement | Component | Choice | Alternative choice |
|* Deploy PowerVS instances for Bootstrap (temporary), Master, and Worker nodes. | PowerVS instances | The customer can specify the number of master and worker nodes and customize their compute profiles. |
+
|* Modify the DNS Service instance to correctly resolve the cluster API | DNS Service instance | Add CNAME entries to DNS zone to resolve internal and external cluster APIs. |
+
|* Application Load Balancers to establish connectivity to the cluster API. | Three Application Load Balancers | One for internal API, one for external api, and one for the applications deployed in the cluster. |
+
|* Use DHCP to dynamically assign IP addresses to the nodes | DHCP Subnet in PowerVS | Machine network dynamically assigns IP addresses to the nodes. |
+
|* Modify security groups to allow network traffic to API. | Default Security Group | The default security group is attached to the load balancers and configured so the required network traffic is able to pass. |
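Review bot: the new table will not render as a table: the header `| Requirement | Component | Choice | Alternative choice |` is not followed by a separator row (`|---|---|---|---|`), and every data row has three cells against a four-column header (add a trailing `||` for the empty alternative-choice column, as the earlier tables do). The earlier tables also close with a `{: caption="Table N. ..." caption-side="bottom"}` line; this one needs its own. In the "Modify security groups" row, "configured so the required network traffic is able to pass" should name the ports the default security group opens on the three load balancers; a reader assessing the exposure of the external API load balancer needs that, and "Default Security Group" alone does not say whether the external listener is reachable from anywhere. Minor: "RedHat" should be "Red Hat", "external api" should be "external API", and the documentation link hard-codes 4.19, which will go stale.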
solutions/standard-openshift/README.md
42 additions & 0 deletions
@@ -1,3 +1,45 @@
+
# IBM Cloud Solution for Power Virtual Server with VPC Landing Zone Quickstart Openshift Variation
+
+
This example sets up an OpenShift Cluster on PowerVS following infrastructure:
+
- A **VPC Infrastructure** with the following components:
+
- One VSI for management (jump/bastion)
+
- One VSI for network-services configured as squid proxy (using Ansible Galaxy collection roles [ibm.power_linux_sap collection](https://galaxy.ansible.com/ui/repo/published/ibm/power_linux_sap/). This VSI also acts as central ansible execution node.
+
- Optional VSI for Monitoring host
+
- Optional [Client to site VPN server](https://cloud.ibm.com/docs/vpc?topic=vpc-vpn-client-to-site-overview)
+
- Optional [IBM Cloud Security and Compliance Center Workload Protection](https://cloud.ibm.com/docs/workload-protection) and SCC Workload Protection agent configuration on the VSIs in the deployment
+
- IBM Cloud Object storage(COS) Virtual Private endpoint gateway(VPE)
+
- IBM Cloud Object storage(COS) Instance and buckets
+
- VPC flow logs
+
- KMS keys
+
- Activity tracker
+
- Optional Secrets Manager Instance Instance with private certificate.
+
+
- A local **transit gateway**
+
- An IBM Cloud DNS Service Instance
+
- An optional IBM Cloud Monitoring Instance
+
+
- A **Power Virtual Server** workspace with the following features:
+
- A DHCP machine subnet to which all nodes are assigned.
+
- Attaches the PowerVS workspace to transit gateway.
| Variation | Available on IBM Catalog | Requires Schematics Workspace ID | Creates VPC Landing Zone | Performs VPC VSI OS Config | Creates PowerVS Infrastructure | Creates PowerVS Instance | Creates OpenShift Cluster on PowerVS |
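Review bot: the network-services bullet says the squid proxy VSI "also acts as central ansible execution node", which means it must authenticate to every other VSI, yet the architecture document's key-management table in the same change states the private SSH key is not stored on any virtual instance; the README should say how the execution node reaches the other hosts without persisting that key, since this is the one host in the landing zone that can reach everything. Text fixes in the same hunk: the intro is missing words ("sets up an OpenShift Cluster on PowerVS following infrastructure" should read "sets up an OpenShift cluster on PowerVS with the following infrastructure"); "Optional Secrets Manager Instance Instance" repeats "Instance"; the network-services bullet never closes its parenthesis; "Attaches the PowerVS workspace to transit gateway" is not parallel with the other bullets ("Attached to the transit gateway"); "Quickstart Openshift" in the title should be "OpenShift". The variation table at the end of the hunk shows only its header row here; confirm the separator and data rows are present in the committed file.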