IPI PowerVS with FIPS mode

Installer-provisioned infrastructure (IPI) with FIPS mode enabled installs the cluster so that the installer and the cluster generate their certificates with FIPS-approved algorithms, and the nodes and operators are held to the FIPS cryptographic profile. FIPS mode is an install-time decision: it is set with fips: true in install-config.yaml and cannot be switched on afterwards, so the steps below have to be carried out in this order, on a RHEL 9 host that is itself in FIPS mode.

  1. Confirm your host is in FIPS mode and on RHEL 9 (or an equivalent RHEL 9 stream). The rhel9 binaries used below are built for a FIPS-mode RHEL 9 host.
fips-mode-setup --check

Note: enabling FIPS (fips-mode-setup --enable) requires a reboot. Until the kernel has been booted with fips=1 the host is not actually in FIPS mode, and the FIPS binaries used below will not function.

  2. Download the oc client (the rhel9 build, from the same release you intend to install)
# curl -O https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp-dev-preview/4.18.0-ec.2/openshift-client-linux-ppc64le-rhel9.tar.gz
  3. Extract the binary files
# tar xvf openshift-client-linux-ppc64le-rhel9.tar.gz
oc
kubectl
README.md

You can optionally move the oc and kubectl files to /usr/local/bin/

  4. Download ccoctl (the Cloud Credential Operator utility) from the same release
# curl -O https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp-dev-preview/4.18.0-ec.2/ccoctl-linux-rhel9.tar.gz
  5. Extract the ccoctl binary file
# tar xvf ccoctl-linux-rhel9.tar.gz ccoctl
ccoctl
  6. Make ccoctl executable:
# chmod 755 ccoctl
  7. Copy your pull secret (downloaded from the Red Hat Hybrid Cloud Console) into the working directory as pull-secret.txt

  8. Get the credentials-request pull spec from the release image's release.txt at https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp-dev-preview/4.18.0-ec.2/release.txt. Use the digest-pinned "Pull From:" reference rather than a tag, so the credentials requests you extract belong to exactly this release:

Pull From: quay.io/openshift-release-dev/ocp-release@sha256:6507d5a101294c670a283f5b56c5595fb1212bd6946b2c3fee01de2ef661625f
  9. Create the Credentials Requests using the pull spec
# mkdir -p credreqs
# oc adm release extract --cloud=powervs --credentials-requests quay.io/openshift-release-dev/ocp-release@sha256:6507d5a101294c670a283f5b56c5595fb1212bd6946b2c3fee01de2ef661625f --to=./credreqs -a pull-secret.txt
...
Extracted release payload created at 2024-10-02T21:38:57Z
  10. Verify the credentials requests were created. You should see these files:
# ls credreqs/
0000_26_cloud-controller-manager-operator_15_credentialsrequest-powervs.yaml
0000_30_cluster-api_01_credentials-request.yaml
0000_30_machine-api-operator_00_credentials-request.yaml
0000_50_cluster-image-registry-operator_01-registry-credentials-request-powervs.yaml
0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml
0000_50_cluster-storage-operator_03_credentials_request_powervs.yaml
  11. Create the credentials. ccoctl authenticates with your IBM Cloud API key, creates IBM Cloud Service IDs with their own API keys for the credentials requests, and writes each key into a Kubernetes Secret manifest under ./manifests/. Those files are live cloud credentials: keep them out of version control and readable only by you.
# export IBMCLOUD_API_KEY=<your ibmcloud apikey>
# ./ccoctl ibmcloud create-service-id --credentials-requests-dir ./credreqs --name fips-svc --resource-group-name ocp-dev-resource-group
2024/11/01 08:22:12 Saved credentials configuration to: /root/install/t/manifests/openshift-cloud-controller-manager-ibm-cloud-credentials-credentials.yaml
2024/11/01 08:22:12 Saved credentials configuration to: /root/install/t/manifests/openshift-machine-api-powervs-credentials-credentials.yaml
2024/11/01 08:22:12 Saved credentials configuration to: /root/install/t/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2024/11/01 08:22:12 Saved credentials configuration to: /root/install/t/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
2024/11/01 08:22:12 Saved credentials configuration to: /root/install/t/manifests/openshift-cluster-csi-drivers-ibm-powervs-cloud-credentials-credentials.yaml
  12. Download the installer from the same release (the rhel9 build)
curl -O https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp-dev-preview/4.18.0-ec.2/openshift-install-rhel9-ppc64le.tar.gz

Note: on a FIPS host use the rhel9 builds of both the installer (above) and the client (https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp-dev-preview/4.18.0-ec.2/openshift-client-linux-ppc64le-rhel9.tar.gz); they are built for RHEL 9's FIPS-validated cryptographic libraries and are the ones that work in FIPS mode.

  13. Unarchive openshift-install-rhel9-ppc64le.tar.gz; it provides openshift-install-fips, the FIPS-aware installer used in the remaining steps.

  14. Create the install-config.yaml with openshift-install-fips create install-config, following https://developer.ibm.com/tutorials/awb-deploy-ocp-on-power-vs-ipi/

  15. Edit install-config.yaml and add a new top-level line at the end: fips: true. Keep a copy outside the install directory, because create manifests consumes (removes) install-config.yaml from it:

[root@fips-ocp-7219-bastion-0 t]# mkdir -p 20241031c
[root@fips-ocp-7219-bastion-0 t]# cp install-config.yaml-old 20241031c/install-config.yaml
  16. Create the manifests in the install directory
# openshift-install-fips create manifests --dir 20241031c
WARNING Release Image Architecture not detected. Release Image Architecture is unknown
INFO Consuming Install Config from target directory
INFO Adding clusters...
INFO Manifests created in: cluster-api, manifests and openshift
  17. Copy the credential Secret manifests that ccoctl wrote (the manifests/ directory from the create-service-id step) into the install directory's openshift/ folder and confirm they are present. The listing should also contain 99_openshift-machineconfig_99-master-fips.yaml and 99_openshift-machineconfig_99-worker-fips.yaml, which create manifests emits only when fips: true was set; if those two files are missing, fips: true did not make it into the install-config and the cluster will not be FIPS-enabled.
# cp manifests/openshift-*yaml 20241031c/openshift/
# ls 20241031c/openshift/
99_feature-gate.yaml                                            99_openshift-machineconfig_99-master-ssh.yaml
99_kubeadmin-password-secret.yaml                               99_openshift-machineconfig_99-worker-fips.yaml
99_openshift-cluster-api_master-machines-0.yaml                 99_openshift-machineconfig_99-worker-multipath.yaml
99_openshift-cluster-api_master-machines-1.yaml                 99_openshift-machineconfig_99-worker-ssh.yaml
99_openshift-cluster-api_master-machines-2.yaml                 openshift-cloud-controller-manager-ibm-cloud-credentials-credentials.yaml
99_openshift-cluster-api_master-user-data-secret.yaml           openshift-cluster-csi-drivers-ibm-powervs-cloud-credentials-credentials.yaml
99_openshift-cluster-api_worker-machineset-0.yaml               openshift-config-secret-pull-secret.yaml
99_openshift-cluster-api_worker-user-data-secret.yaml           openshift-image-registry-installer-cloud-credentials-credentials.yaml
99_openshift-machine-api_master-control-plane-machine-set.yaml  openshift-ingress-operator-cloud-credentials-credentials.yaml
99_openshift-machineconfig_99-master-fips.yaml                  openshift-install-manifests.yaml
99_openshift-machineconfig_99-master-multipath.yaml             openshift-machine-api-powervs-credentials-credentials.yaml
  18. Create the cluster
# BASE_DOMAIN=powervs-openshift-ipi.cis.ibm.net RELEASE_ARCHITECTURE="ppc64le" openshift-install-fips create cluster --dir 20241031c
INFO Creating infrastructure resources...
INFO Started local control plane with envtest
INFO Stored kubeconfig for envtest in: /root/install/t/20241031c/.clusterapi_output/envtest.kubeconfig
INFO Running process: Cluster API with args [-v=2 --diagnostics-address=0 --health-addr=127.0.0.1:45201 --webhook-port=40159 --webhook-cert-dir=/tmp/envtest-serving-certs-1721884268 --kubeconfig=/root/install/t/20241031c/.clusterapi_output/envtest.kubeconfig]
INFO Running process: ibmcloud infrastructure provider with args [--provider-id-fmt=v2 --v=5 --health-addr=127.0.0.1:37207 --webhook-port=35963 --webhook-cert-dir=/tmp/envtest-serving-certs-3500602992 --kubeconfig=/root/install/t/20241031c/.clusterapi_output/envtest.kubeconfig]
INFO Creating infra manifests...
INFO Created manifest *v1.Namespace, namespace= name=openshift-cluster-api-guests
INFO Created manifest *v1beta1.Cluster, namespace=openshift-cluster-api-guests name=fips-fd4f6
INFO Created manifest *v1beta2.IBMPowerVSCluster, namespace=openshift-cluster-api-guests name=fips-fd4f6
INFO Created manifest *v1beta2.IBMPowerVSImage, namespace=openshift-cluster-api-guests name=rhcos-fips-fd4f6
INFO Done creating infra manifests
INFO Creating kubeconfig entry for capi cluster fips-fd4f6
INFO Waiting up to 30m0s (until 9:06AM EDT) for network infrastructure to become ready...
INFO Network infrastructure is ready
INFO Created manifest *v1beta2.IBMPowerVSMachine, namespace=openshift-cluster-api-guests name=fips-fd4f6-bootstrap
INFO Created manifest *v1beta2.IBMPowerVSMachine, namespace=openshift-cluster-api-guests name=fips-fd4f6-master-0
INFO Created manifest *v1beta2.IBMPowerVSMachine, namespace=openshift-cluster-api-guests name=fips-fd4f6-master-1
INFO Created manifest *v1beta2.IBMPowerVSMachine, namespace=openshift-cluster-api-guests name=fips-fd4f6-master-2
INFO Created manifest *v1beta1.Machine, namespace=openshift-cluster-api-guests name=fips-fd4f6-bootstrap
INFO Created manifest *v1beta1.Machine, namespace=openshift-cluster-api-guests name=fips-fd4f6-master-0
INFO Created manifest *v1beta1.Machine, namespace=openshift-cluster-api-guests name=fips-fd4f6-master-1
INFO Created manifest *v1beta1.Machine, namespace=openshift-cluster-api-guests name=fips-fd4f6-master-2
INFO Created manifest *v1.Secret, namespace=openshift-cluster-api-guests name=fips-fd4f6-bootstrap
INFO Created manifest *v1.Secret, namespace=openshift-cluster-api-guests name=fips-fd4f6-master
INFO Waiting up to 15m0s (until 9:02AM EDT) for machines [fips-fd4f6-bootstrap fips-fd4f6-master-0 fips-fd4f6-master-1 fips-fd4f6-master-2] to provision...
INFO Control-plane machines are ready
INFO Cluster API resources have been created. Waiting for cluster to become ready...
INFO Consuming Cluster API Manifests from target directory
INFO Consuming Cluster API Machine Manifests from target directory
INFO Waiting up to 20m0s (until 9:21AM EDT) for the Kubernetes API at https://api.fips.powervs-openshift-ipi.cis.ibm.net:6443...
INFO API v1.31.1 up
INFO Waiting up to 45m0s (until 9:47AM EDT) for bootstrapping to complete...
INFO Destroying the bootstrap resources...
INFO Waiting up to 5m0s for bootstrap machine deletion openshift-cluster-api-guests/fips-fd4f6-bootstrap...
INFO Shutting down local Cluster API controllers...
INFO Stopped controller: Cluster API
INFO Stopped controller: ibmcloud infrastructure provider
INFO Shutting down local Cluster API control plane...
INFO Local Cluster API system has completed operations
INFO no post-destroy requirements for the powervs provider
INFO Finished destroying bootstrap resources
INFO Waiting up to 40m0s (until 10:16AM EDT) for the cluster at https://api.fips.powervs-openshift-ipi.cis.ibm.net:6443 to initialize...

If you have any doubts while it runs, start a second terminal session and use the kubeconfig the installer wrote into the install directory to verify access:

# oc --kubeconfig=20241031c/auth/kubeconfig get nodes
NAME                      STATUS   ROLES                  AGE     VERSION
fips-fd4f6-master-0       Ready    control-plane,master   41m     v1.31.1
fips-fd4f6-master-1       Ready    control-plane,master   41m     v1.31.1
fips-fd4f6-master-2       Ready    control-plane,master   41m     v1.31.1
fips-fd4f6-worker-srwf2   Ready    worker                 7m37s   v1.31.1
fips-fd4f6-worker-tc28p   Ready    worker                 7m13s   v1.31.1
fips-fd4f6-worker-vrlrq   Ready    worker                 7m12s   v1.31.1

You can also check that the cluster operators come up: oc --kubeconfig=20241031c/auth/kubeconfig get co

19. When it completes, the installer prints the console URL and kubeadmin credentials; log in and use your FIPS-enabled cluster. The FIPS MachineConfigs only take effect when the nodes are provisioned, so before relying on the cluster for FIPS workloads confirm on the running nodes that /proc/sys/crypto/fips_enabled reads 1.
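The checks a practitioner would run alongside the procedure above, collected into one script. This is an added example written for this post; it is not code from the original page, nor Red Hat or IBM tooling. It assumes (not stated on the page) the install-directory layout the installer produces (openshift/ after create manifests, auth/kubeconfig after create cluster) and that oc is on PATH for the node check. The demo mode runs the offline checks against a constructed fixture (a fake release.txt and install-config.yaml plus empty placeholder manifests); the only real cluster interaction is the nodes mode, which reads /proc/sys/crypto/fips_enabled on every node through oc debug.

```shell
#!/bin/sh
# fips-check.sh: pre-flight and post-install FIPS checks for the procedure above.
# Added example for this post; not code from the original page, Red Hat or IBM.
# Assumed (not stated on the page): the install directory has the layout the
# installer produces (openshift/ after create manifests, auth/kubeconfig after
# create cluster) and oc is on PATH for the cluster-side check.
set -u

# Kernel FIPS flag; overridable so the check can be exercised against a fixture.
FIPS_ENABLED_FILE="${FIPS_ENABLED_FILE:-/proc/sys/crypto/fips_enabled}"

# The host is only in FIPS mode once the kernel was booted with fips=1, which it
# reports as "1" here; fips-mode-setup --enable without a reboot still reads 0.
host_fips_enabled() {
  [ -r "$FIPS_ENABLED_FILE" ] && [ "$(cat "$FIPS_ENABLED_FILE")" = "1" ]
}

# Pull the "Pull From:" reference out of release.txt for oc adm release extract.
release_pull_spec() {
  sed -n 's/^Pull From:[[:space:]]*//p' "$1" | head -n 1
}

# Accept only a digest-pinned reference: a tag can be re-pointed, a digest cannot.
pull_spec_is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# install-config.yaml must carry a top-level "fips: true". Point this at the
# backup copy: create manifests consumes the file in the install directory.
install_config_has_fips() {
  grep -Eq '^fips:[[:space:]]*true[[:space:]]*$' "$1"
}

# With fips: true the installer emits a FIPS MachineConfig per role; if either is
# missing, fips was not set when the install-config was consumed.
manifests_have_fips_mc() {
  [ -f "$1/openshift/99_openshift-machineconfig_99-master-fips.yaml" ] &&
  [ -f "$1/openshift/99_openshift-machineconfig_99-worker-fips.yaml" ]
}

# The ccoctl Secret manifests hold live IBM Cloud API keys: no group/other bits.
credential_manifests_private() {
  for f in "$1"/openshift/*-credentials-credentials.yaml; do
    [ -e "$f" ] || continue
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || return 1
  done
  return 0
}

# Post-install: every node must itself be booted with fips=1. Needs oc and
# network access, so it is not part of the offline demo.
cluster_nodes_fips() {
  kc="$1"; rc=0
  for n in $(oc --kubeconfig="$kc" get nodes -o name); do
    v=$(oc --kubeconfig="$kc" debug "$n" --quiet -- \
          chroot /host cat /proc/sys/crypto/fips_enabled 2>/dev/null)
    if [ "$v" = "1" ]; then echo "ok   $n"; else echo "FAIL $n fips_enabled=${v:-unreadable}"; rc=1; fi
  done
  return "$rc"
}

# All offline checks: $1 install dir, $2 install-config copy, $3 release.txt.
preflight() {
  rc=0
  host_fips_enabled || { echo "FAIL host is not in FIPS mode"; rc=1; }
  spec=$(release_pull_spec "$3")
  pull_spec_is_digest_pinned "$spec" || { echo "FAIL pull spec not digest-pinned: '$spec'"; rc=1; }
  install_config_has_fips "$2" || { echo "FAIL fips: true missing from $2"; rc=1; }
  manifests_have_fips_mc "$1" || { echo "FAIL FIPS MachineConfigs missing from $1/openshift"; rc=1; }
  credential_manifests_private "$1" || { echo "FAIL credential manifests readable by group/others"; rc=1; }
  return "$rc"
}

# Constructed fixture mimicking the layout on the page (sample data, not real
# installer output), so the offline checks can be exercised anywhere.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/openshift"
  printf '1\n' > "$d/fips_enabled"
  printf 'apiVersion: v1\nbaseDomain: example.test\nfips: true\n' > "$d/install-config.yaml"
  printf 'Pull From: quay.io/example/ocp-release@sha256:%s\n' \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef > "$d/release.txt"
  : > "$d/openshift/99_openshift-machineconfig_99-master-fips.yaml"
  : > "$d/openshift/99_openshift-machineconfig_99-worker-fips.yaml"
  (umask 077; : > "$d/openshift/openshift-machine-api-powervs-credentials-credentials.yaml")
  printf '%s\n' "$d"
}

case "${1:-}" in
  demo)  d=$(make_fixture); FIPS_ENABLED_FILE="$d/fips_enabled"
         preflight "$d" "$d/install-config.yaml" "$d/release.txt" && echo "offline checks passed" ;;
  check) preflight "$2" "$3" "$4" ;;
  nodes) cluster_nodes_fips "$2/auth/kubeconfig" ;;
esac
```

sh fips-check.sh demo runs the offline checks against the fixture. sh fips-check.sh check 20241031c install-config.yaml-old release.txt runs them against a real install directory, pointing at the backup copy of the install-config (the installer removes the original at create manifests) and at a downloaded release.txt. sh fips-check.sh nodes 20241031c runs the post-install node check. The host check reads the kernel flag rather than trusting fips-mode-setup, so it fails, correctly, on a host where FIPS was enabled but not yet rebooted; the credential-file check exists because the ccoctl output contains the Service ID API keys in clear text.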

