Understanding the OCP Install Processes (Part 1)
The install performed for this documentation is based on OCP 4.7.4 (User Provisioned Infrastructure).
During a bare-metal OCP install, a set of manifests/objects is created immediately after running the "openshift-install create manifests" command. The installer reads the install-config.yaml, consumes it, and generates these manifests from that information. The first thing we want to do is analyze the contents of the install directory.
Manifests Directory
04-openshift-machine-config-operator.yaml
This creates the openshift-machine-config-operator namespace.
cluster-config.yaml
This creates the configmap in the kube-system namespace called cluster-config-v1 that contains (mostly) the content of the install-config.yaml (minus the pull-secret).
cluster-dns-02-config.yml
This creates the DNS/cluster object (CRD) with the base domain of the OCP cluster.
cluster-infrastructure-02-config.yml
This creates the infrastructure/cluster object. The internal and external API endpoints are defined in this file, as well as the infrastructure name. The infrastructure name is mostly used with IPI installs (especially when configuring the VMware templates).
cluster-ingress-02-config.yml
This creates the ingress/cluster object (CRD) that defines the application ingress domain, apps.<cluster>.<basedomain>.
cluster-network-01-crd.yml
This creates the network CRD.
cluster-network-02-config.yml
This defines the pod network and service network used to create the network CRD.
cluster-proxy-01-config.yaml
This creates the proxy/cluster object if a proxy server is being used to download OCP images.
cluster-scheduler-02-config.yml
This creates the scheduler/cluster resource. One change that is typically made here is to set whether the masters are schedulable. Making masters schedulable means that non-master pods are allowed to run on masters.
cvo-overrides.yaml
This is the ClusterVersion/version object that gets created in the openshift-cluster-version namespace. The channel (4.7 in this case) is specified here.
etcd-ca-bundle-configmap.yaml
This creates the etcd-ca-signer certificate, which is valid for 10 years. It resides as a configmap in the openshift-config namespace called etcd-ca-bundle.
Issuer: OU=openshift, CN=etcd-signer
Validity
Not Before: Apr 5 14:07:10 2021 GMT
Not After : Apr 3 14:07:10 2031 GMT
Subject: OU=openshift, CN=etcd-signer
etcd-client-secret.yaml
This creates the etcd-client secret (tls.crt and tls.key), which resides in the openshift-config namespace. It is used when the etcd members join the cluster.
tls.crt
Issuer: OU=openshift, CN=etcd-signer
Validity
Not Before: Apr 5 14:07:10 2021 GMT
Not After : Apr 3 14:07:10 2031 GMT
Subject: OU=etcd, CN=etcd
etcd-metric-client-secret.yaml
This creates the etcd-metric-client secret (tls.crt and tls.key), which resides in the openshift-config namespace.
Issuer: OU=openshift, CN=etcd-metric-signer
Validity
Not Before: Apr 5 14:07:11 2021 GMT
Not After : Apr 3 14:07:11 2031 GMT
Subject: OU=etcd-metric, CN=etcd-metric
etcd-metric-serving-ca-configmap.yaml
This creates the etcd-metric-serving-ca configmap, which resides in the openshift-config namespace.
Issuer: OU=openshift, CN=etcd-metric-signer
Validity
Not Before: Apr 5 14:07:11 2021 GMT
Not After : Apr 3 14:07:11 2031 GMT
Subject: OU=openshift, CN=etcd-metric-signer
etcd-metric-signer-secret.yaml
This creates the etcd-metrics signer secret (tls.crt and tls.key), which resides in the openshift-config namespace and is called etcd-metric-signer.
Issuer: OU=openshift, CN=etcd-metric-signer
Validity
Not Before: Apr 5 14:07:11 2021 GMT
Not After : Apr 3 14:07:11 2031 GMT
Subject: OU=openshift, CN=etcd-metric-signer
etcd-namespace.yaml
This creates the openshift-etcd namespace.
etcd-service.yaml
This creates the service for etcd in the openshift-etcd namespace for ports 2379/tcp (etcd) and 9979/tcp (etcd-metrics).
etcd-serving-ca-configmap.yaml
This is a configmap called etcd-serving-ca in the openshift-config namespace. It contains the ca-bundle (etcd-signer CA).
Issuer: OU=openshift, CN=etcd-signer
Validity
Not Before: Apr 5 14:07:10 2021 GMT
Not After : Apr 3 14:07:10 2031 GMT
Subject: OU=openshift, CN=etcd-signer
etcd-signer-secret.yaml
This creates the etcd-client secret in the openshift-config namespace.
Issuer: OU=openshift, CN=etcd-signer
Validity
Not Before: Apr 5 14:07:10 2021 GMT
Not After : Apr 3 14:07:10 2031 GMT
Subject: OU=etcd, CN=etcd
kube-cloud-config.yaml
With a bare-metal install, this creates an empty kube-cloud-cfg in the kube-system namespace. With the various IPI install methods it will contain cloud-provider information.
kube-system-configmap-root-ca.yaml
This is the OpenShift root CA certificate configmap. It resides in the kube-system namespace and is called root-ca.
Issuer: OU=openshift, CN=root-ca
Validity
Not Before: Apr 5 14:07:10 2021 GMT
Not After : Apr 3 14:07:10 2031 GMT
Subject: OU=openshift, CN=root-ca
machine-config-server-tls-secret.yaml
This secret resides in the openshift-machine-config-operator namespace and contains the tls.crt and tls.key that the machine config server uses when servers join the cluster.
Issuer: OU=openshift, CN=root-ca
Validity
Not Before: Apr 5 14:07:10 2021 GMT
Not After : Apr 3 14:07:11 2031 GMT
Subject: CN=system:machine-config-server
openshift-config-secret-pull-secret.yaml
This is the global pull secret, called pull-secret, in the openshift-config namespace. It contains the Docker config JSON.
openshift-kubevirt-infra-namespace.yaml
This creates the openshift-kubevirt-infra namespace.
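The certificate details listed above were read out of the manifests by hand. The following audit helper is an added example, not part of the original post: it walks an openshift-install manifests directory and reports subject, issuer and expiry for every certificate it finds, whether stored as base64 tls.crt in a Secret or as inline PEM under ca-bundle.crt in a ConfigMap. The sample directory it builds (a throwaway self-signed "etcd-signer" CA, with metadata abbreviated) is constructed here so the script runs offline.

```shell
# Added audit helper (not from the original post): report subject, issuer and
# expiry for every certificate embedded in an openshift-install manifests
# directory, whether as base64 "tls.crt" in a Secret or inline PEM under
# "ca-bundle.crt: |" in a ConfigMap. Needs openssl, base64, awk, sed; no cluster.

# Prints one "file|subject=...|issuer=...|notAfter=...|" line per certificate.
audit_manifest_certs() {
  dir="$1"
  for f in "$dir"/*.yaml "$dir"/*.yml; do
    [ -f "$f" ] || continue
    {
      # Secret style: single-line base64 value, decoded back to PEM
      awk '$1 == "tls.crt:" { print $2 }' "$f" | while read -r b64; do
        printf '%s\n' "$b64" | base64 -d; echo
      done
      # ConfigMap style: PEM block scalar, leading indentation stripped
      sed -n 's/^[[:space:]]*//; /BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$f"
    } | {
      pem=""
      while IFS= read -r line; do   # split bundles: one openssl call per cert
        case "$line" in
          *"BEGIN CERTIFICATE"*) pem="$line" ;;
          *"END CERTIFICATE"*)
            info=$(printf '%s\n%s\n' "$pem" "$line" |
                   openssl x509 -noout -subject -issuer -enddate | tr '\n' '|')
            printf '%s|%s\n' "$(basename "$f")" "$info"; pem="" ;;
          *) if [ -n "$pem" ]; then pem=$(printf '%s\n%s' "$pem" "$line"); fi ;;
        esac
      done
    }
  done
}

# Constructed sample input: a throwaway self-signed "etcd-signer" CA written the
# way the installer lays out etcd-signer-secret.yaml and
# etcd-ca-bundle-configmap.yaml (metadata abbreviated). Prints the directory.
make_sample_manifests() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/OU=openshift/CN=etcd-signer" \
    -keyout "$dir/key.pem" -out "$dir/crt.pem" >/dev/null 2>&1
  printf 'kind: Secret\nmetadata: {name: etcd-signer, namespace: openshift-config}\ndata:\n  tls.crt: %s\n' \
    "$(base64 "$dir/crt.pem" | tr -d '\n')" > "$dir/etcd-signer-secret.yaml"
  { printf 'kind: ConfigMap\nmetadata: {name: etcd-ca-bundle, namespace: openshift-config}\ndata:\n  ca-bundle.crt: |\n'
    sed 's/^/    /' "$dir/crt.pem"; } > "$dir/etcd-ca-bundle-configmap.yaml"
  rm -f "$dir/key.pem" "$dir/crt.pem"   # keep only the manifests, as the installer would
  printf '%s\n' "$dir"
}

audit_manifest_certs "$(make_sample_manifests)"
```

Run it against a real install directory with audit_manifest_certs ./manifests to get the same report for the installer-generated certificates; the notAfter column is what to watch for the 10-year CA lifetimes shown above.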
OpenShift Directory
99_kubeadmin-password-secret.yaml
This secret is called kubeadmin and resides in the kube-system namespace. It holds the password used to log in to either the OpenShift web console or the oc command.
99_openshift-cluster-api_master-user-data-secret.yaml
This secret resides in the openshift-machine-api namespace and is called master-user-data. The content of this secret is the Ignition file for master nodes.
99_openshift-cluster-api_worker-user-data-secret.yaml
This secret resides in the openshift-machine-api namespace and is called worker-user-data. The content of this secret is the Ignition file for worker nodes.
99_openshift-machineconfig_99-master-ssh.yaml
This MachineConfig injects the SSH key for the core user into the master nodes. It is in the format of an Ignition (.ign) file.
99_openshift-machineconfig_99-worker-ssh.yaml
This MachineConfig injects the SSH key for the core user into the worker nodes. It is in the format of an Ignition (.ign) file.
openshift-install-manifests.yaml
This creates the configmap called openshift-install-manifests in the openshift-config namespace. The important parts of it record that this is a user-provisioned install and that v4.7.0 of the installer was used.
Reference/Links