Install an OpenShift 4 cluster with Calico VPP

Big picture

Install an OpenShift 4 cluster with Calico VPP.

Value

This guide augments the applicable steps in the OpenShift documentation to install Calico VPP.

How to

Before you begin

  • Ensure that your environment meets the Calico system requirements except those related to the management of cali*, tunl* and vxlan.calico interfaces.

  • Ensure that you have a Red Hat account. A Red Hat account is required to get the pull secret necessary to provision an OpenShift cluster.

  • Currently, we only support installing on AWS with OpenShift v4.13 or later, so ensure that you have:

    • Configured an AWS account appropriate for OpenShift 4
    • Set up your AWS credentials
    • Generated a local SSH private key and added it to your ssh-agent

Note

Please note that the OpenShift installer supports only a subset of AWS regions.

Create a configuration file for the OpenShift installer

Create a staging directory for the installation. This directory will contain the configuration file, along with cluster state files, that the OpenShift installer will create:

    mkdir openshift-tigera-install && cd openshift-tigera-install

Run the OpenShift installer to create a default configuration file:

    openshift-install create install-config

Note

Refer to the OpenShift installer documentation for more information about the installer and any configuration changes required for your platform.

Once the installer has finished, your staging directory will contain the configuration file install-config.yaml.

Update the configuration file to use Calico

Override the OpenShift networking to use Calico and update the AWS instance types to meet the system requirements:

    sed -i 's/networkType:.*/networkType: Calico/' install-config.yaml
    sed -i 's/platform: {}/platform:\n    aws:\n      type: m5.4xlarge/' install-config.yaml

Generate the install manifests

Generate the Kubernetes manifests using your configuration file:

    openshift-install create manifests

Download the Calico manifests for OpenShift and add them to the generated manifests directory:

    mkdir calico
    wget -qO- https://github.com/projectcalico/calico/releases/download/v3.27.4/ocp.tgz | tar xvz --strip-components=1 -C calico
    cp calico/* manifests/

Download the Calico VPP manifests for OpenShift and add them to the generated manifests directory:

    mkdir vpp
    cd vpp
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/00-namespace-calico-vpp-dataplane.yaml"
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/01-cr-installation.yaml"
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/03-configmap-calico-vpp-resources.yaml"
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/03-role-calico-vpp-dataplane.yaml"
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/03-rolebinding-calico-vpp-dataplane.yaml"
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/03-serviceaccount-calico-vpp-dataplane.yaml"
    curl -O "https://raw.githubusercontent.com/projectcalico/vpp-dataplane/v3.27.0/yaml/platforms/openshift/04-calico-vpp-nohuge.yaml"
    cd ..
    cp vpp/* manifests/

Make sure that SERVICE_PREFIX in manifests/03-configmap-calico-vpp-resources.yaml matches the service CIDR of the cluster:

    SERVICE_CIDR=`grep -A1 serviceNetwork: ./manifests/cluster-config.yaml | tail -n1 | cut -d '-' -f2`
    sed -i "s#SERVICE_PREFIX:.*#SERVICE_PREFIX:$SERVICE_CIDR#" ./manifests/03-configmap-calico-vpp-resources.yaml
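
A pre-flight check for the edits above, added here as an example and not part of the Calico documentation: sed -i exits successfully even when its pattern matches nothing, so this confirms that networkType is Calico and that SERVICE_PREFIX equals the service CIDR. The function names, the sample files and the minimal ConfigMap layout are assumptions constructed for the example; it also assumes cluster-config.yaml embeds the install-config, as the grep above relies on.

```shell
#!/bin/sh
# Added example: pre-flight check for the manifests directory built above.
# sed -i exits 0 even when its pattern matches nothing, so verify the result.

# First serviceNetwork entry from the install-config embedded in cluster-config.yaml.
service_cidr() {
    grep -A1 'serviceNetwork:' "$1/cluster-config.yaml" | tail -n1 |
        sed 's/^[[:space:]]*-[[:space:]]*//; s/[[:space:]]*$//'
}

# SERVICE_PREFIX value from the Calico VPP ConfigMap, quotes and padding removed.
service_prefix() {
    sed -n 's/^[[:space:]]*SERVICE_PREFIX:[[:space:]]*//p' \
        "$1/03-configmap-calico-vpp-resources.yaml" | head -n1 | tr -d "\"' "
}

# Returns 0 only if networkType is Calico and SERVICE_PREFIX equals the service CIDR.
preflight() {
    rc=0
    cidr=$(service_cidr "$1")
    prefix=$(service_prefix "$1")
    if ! grep -Eq '^[[:space:]]*networkType:[[:space:]]*Calico[[:space:]]*$' \
        "$1/cluster-config.yaml"; then
        echo "FAIL: networkType is not Calico" >&2; rc=1
    fi
    if [ -z "$cidr" ] || [ "$cidr" != "$prefix" ]; then
        echo "FAIL: SERVICE_PREFIX '$prefix' does not match service CIDR '$cidr'" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not real installer output): $2 = network type,
# $3 = service CIDR, $4 = SERVICE_PREFIX. The ConfigMap layout is an assumption.
write_sample() {
    mkdir -p "$1"
    printf 'data:\n  install-config: |\n    networking:\n      networkType: %s\n      serviceNetwork:\n      - %s\n' \
        "$2" "$3" > "$1/cluster-config.yaml"
    printf 'data:\n  SERVICE_PREFIX: %s\n' "$4" \
        > "$1/03-configmap-calico-vpp-resources.yaml"
}

demo=$(mktemp -d)
write_sample "$demo/ok" Calico 172.30.0.0/16 172.30.0.0/16
preflight "$demo/ok" && echo "pre-flight passed"
```

Against a real staging directory, run preflight ./manifests before creating the cluster and stop if it returns non-zero.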

Optionally provide additional configuration

You may want to provide Calico or the VPP dataplane with additional configuration at install time, for example BGP configuration or peers. You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation. If you do not need to provide additional configuration, you can skip this section.

To include Calico resources during installation, edit manifests/02-configmap-calico-resources.yaml to add your own configuration.

To customize the configuration of the VPP dataplane, edit manifests/03-configmap-calico-vpp-resources.yaml. For details refer to the Configuration options section of Getting Started.

Note

If you have a directory with the Calico resources, you can create the file with the command:

    oc create configmap -n tigera-operator calico-resources \
      --from-file=<resource-directory> --dry-run -o yaml \
      > manifests/02-configmap-calico-resources.yaml

With recent versions of oc it is necessary to have a kubeconfig configured or add --server='127.0.0.1:443' even though it is not used.

Note

If you have provided a calico-resources ConfigMap and the tigera-operator pod fails to come up with Init:CrashLoopBackOff, check the output of the init-container with oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources.

Create the cluster

Start the cluster creation with the following command and wait for it to complete.

    openshift-install create cluster

Once the above command is complete, you can verify that Calico VPP is installed by checking that its components are available with the following command.

    oc get tigerastatus

Optionally integrate with Operator Lifecycle Manager

In OpenShift Container Platform, the Operator Lifecycle Manager (OLM) helps cluster administrators manage the lifecycle of operators in their cluster. Managing the Calico operator with OLM gives administrators a single place to manage operators.

  1. To register the running Calico operator with OLM, first create an OperatorGroup for the operator:

         oc apply -f - <<EOF
         apiVersion: operators.coreos.com/v1
         kind: OperatorGroup
         metadata:
           name: tigera-operator
           namespace: tigera-operator
         spec:
           targetNamespaces:
             - tigera-operator
         EOF

  2. Create a subscription to the operator. Subscribing to the operator package places the Calico operator under OLM management.

         oc apply -f - <<EOF
         apiVersion: operators.coreos.com/v1alpha1
         kind: Subscription
         metadata:
           name: tigera-operator
           namespace: tigera-operator
         spec:
           channel: release-v1.32
           installPlanApproval: Manual
           name: tigera-operator
           source: certified-operators
           sourceNamespace: openshift-marketplace
           startingCSV: tigera-operator.v1.32.10
         EOF

  3. Log in to the OpenShift console, navigate to the Installed Operators section and approve the install plan for the operator.

Note

This may trigger the operator deployment and all of its resources (pods, deployments, etc.) to be recreated.

The OpenShift console provides an interface for editing the operator installation, viewing the operator’s status, and more.

Next steps

After installing Calico VPP, you can benefit from the features of the VPP dataplane, such as fast IPsec or WireGuard encryption.
