FAQs

See the subsequent sections for answers to frequently asked questions about the OpenShift Container Platform accelerator.

1. **What version of OpenShift Container Platform is supported by IBM Cloud Pak® System V2.3.3.0? **

   OpenShift Container Platform V4.4.6.

2. **Where can I learn more about the DNS requirements for accessing the cluster? **

   Add the following wildcard entries to your DNS server to access the OpenShift web console, apps and APIs:

   <helper_node_floating_ip> *.<cluster_name>.<base_domain>
   <helper_node_floating_ip> *.apps.<cluster_name>.<base_domain>
   

   For testing purposes, add these entries to your /etc/hosts to access the OpenShift web console:

   <helper_node_floating_ip> console-openshift-console.apps.<cluster_name>.<base_domain>
   <helper_node_floating_ip> oauth-openshift.apps.<cluster_name>.<base_domain>
   

   Add the following entry to your DNS server or /etc/hosts to access the OpenShift APIs:

   <helper_node_floating_ip> api.<cluster_name>.<base_domain>
   

   To learn more about the OpenShift 4.4.0.0 DNS requirements, see User-provisioned DNS requirements .

3. Where can I learn more about the general install process used for OpenShift Container Platform 4.x on IBM Cloud Pak System?

   OpenShift Container Platform 4.x is deployed using Ansible automation. For more information about the steps, see Installing a cluster on vSphere in a restricted network process in Installing a cluster on vSphere in a restricted network .

4. Can I install a newer version of OpenShift Container Platform 4.x, for example, V4.4?

   Yes, it is possible to install a newer version of OpenShift Container Platform, however, newer versions might not be certified by IBM Cloud Pak System. To install a newer version of OpenShift Container Platform follow these steps:

   1. Mirror a newer version of the OpenShift Container Platform images to your image registry. For the instructions, see Mirroring the OpenShift Container Platform image repository .

      Note:

      • Only V4.4.6 is tested.
      • You can also use podman (not docker) to mirror the contents into a tgz that you can use for a fully offline load of the docker image registry. For more information about using the process, see Airgap/Disconnected Installation .

   2. Download the specific version of the openshift-install-linux-4.x.x.tar.gz and openshift-client-linux-4.x.x.tar.gz CLI from RedHat that you want to install. For more information, see Index of /pub/openshift-v4/clients/ocp .

   3. Go to Catalog > Script Packages. Clone the "OpenShift Helper Node" script package. Download the script package, extract the script package, and add the new openshift-install-linux-4.x.x.tar.gz and openshift-client-linux-4.x.x.tar.gz CLI to the /deps folder. Compress the file and upload it back to your new cloned script package.

   4. From the following Red Hat link, download the specific version of the Red Hat CoreOS image that you want to install - https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/.

   5. Create an image. For the actual steps, see Create an IBM Cloud Pak System image from Red Hat Enterprise Linux CoreOS 4.4.0 OVA.

   6. Clone or modify your accelerator.

   7. Select the new script package that you cloned.

   8. Optionally, update the default value of the OpenShift Version field and update the image to a new Red Hat CoreOS version.

   9. When you deploy the accelerator, enter the new version of OpenShift Container Platform that you want to deploy.

5. Is a Red Hat Satellite Six Shared Service instance required in the same cloud group and environment profile for the OpenShift accelerator instance to deploy successfully?

   Yes, Red Hat Satellite Six Shared Service must be deployed before you deploy OpenShift accelerator in the cloud group or environment profile. The following packages are required and used by the Helper Node only:

   • rhel-7-server-rpms
   • rhel-7-server-extras-rpms

   Note: OpenShift Container Platform 4.x no longer requires OpenShift Container Platform packages on the Red Hat Satellite Server. All OpenShift images are now on the docker private registry.

6. **Can I upload images to the internal image registry after the OpenShift Container Platform install is complete? **

   If you want to access the OpenShift Container Platform 4.x internal image registry from outside the cluster, then manually enable it after installation. For more information about the instructions, see Installing a cluster on vSphere in a restricted network .

7. **Can I modify a disconnected OpenShift Container Platform 4.x cluster installation to connect to standard external sources? **

   During the accelerator deployment of the OpenShift Container Platform 4.x cluster, the "Cloud Pak Docker Private Registry" pull secret is only set up. To update the cluster configuration so as to go to the following OpenShift Container Platform standard external sites, update global cluster pull secret:

   • quay.io
   • registry.connect.redhat.com
   • registry.redhat.io

   Note: For more information about the procedure and prerequisites, see Updating the global cluster pull secret .

   Do the following steps to create the pull secret Json file that still includes "Cloud Pak Docker Private Registry" pull secret:

   1. Download your pull secret from https://cloud.redhat.com/openshift/install/pull-secret.

   2. Run the following command to pull secret that is in text format to Json:

      cat ./pull-secret.text | jq .  > <path>/<pull-secret-file>
      

   3. You must append the "Cloud Pak Docker Private Registry" auth to this new file so that you still have access to it.

   4. To locate the current "Cloud Pak Docker Private Registry", log in to the cluster console and navigate to https://<console_hostame>/k8s/ns/openshift-config/secrets/pull-secret/yaml.

   5. Run the following command to locate the value for data: .dockerconfigjson: and Base64 decode the value:

      echo <value> | base64 --decode   
      

   6. Add the decode value to the end of the pull-secret.json file created in step 2. For similar steps, see Creating a mirror registry for installation in a restricted network .

   7. To update the global pull secret, run the following command:

      oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull-secret-location>
      

8. Can I enable online connectivity for OpenShift Container Platform 4.4 offline installation updates?

   During OpenShift Container Platform 4.4.x installation, the private offline Docker registry pulls the OpenShift Container Platform 4.4.0 installation files. The pull secret only includes the credentials for the private offline registry and Image Content Sources that redirect quay.io calls to the offline registry. You can find this information on the Primary Helper node in the /ocp-helper/artifacts/install-config.yaml file. In the following example, the bold text highlight the components that are used to connect to offline registry:

    apiVersion: v1
    baseDomain: rtp.raleigh.ibm.com
    compute:
    -hyperthreading: Enabled
      name: worker
      replicas: 0
    controlPlane:
      hyperthreading: Enabled
      name: master
      replicas: 3
    metadata:
      name: cps-r81-9-46-123-200
    platform:
      none: {}
    **pullSecret: '{"auths": {"cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443": {"auth": ""}}}'**
    sshKey: 'ssh-rsa 
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDfx0KqNlr6TuBHIXZcDtuigGI4MqGPiF5cvfqxR6XtqVIr... 
    admin@us.ibm.com'
    **additionalTrustBundle: |
      -----BEGIN CERTIFICATE-----
    MIIFNzCCAx+gAwIBAgIJAMVUhyxIwhfNMA0GCSqGSIb3DQEBCwUAMDIxM
    DAuBgNVBAMMJ2Nwcy1yODEtOS00Ni0xMjMtNzIucnRwLnJhbGVpZ2guaWJ
    tLmNvbTAeFw0yMDAzMTcxNDEwMTlaFw0zMDAzMTUxNDEwMTlaMDIxMDAuB
    gNVBAMMJ2Nwcy1yODEt...
      -----END CERTIFICATE-----
    imageContentSources:
    -mirrors:
      -cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443/ocp4/openshift4
      source: quay.io/openshift-release-dev/ocp-release
    -mirrors:
      -cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443/ocp4/openshift4
      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev **
   

   During a traditional (online/connected) installation of OpenShift Container Platform 4.x, the installer provides a full pull secret that include credentials to cloud.openshift.com, quay.io, registry.connect.redhat.com, and registry.redhat.io. For a text version of the installers pull secret, see https://cloud.redhat.com/openshift/install/pull-secret . You must have a valid Red Hat account. Use the following command to covert the Pull secret text file to Json on a Linux system (like the Helper node) that has jq installed:

   cat ./pull-secret.text | jq . > <path>/pull-secret.json 
   

   The following example is an output of a cat command:

       {
    "auths": {
      "cloud.openshift.com": {
         "auth": "bbbbbbFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
          "email": "abc@us.ibm.com"
    },
    "quay.io": {
       "auth": "bbbbbbWZmbWFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
       "email": "abc@us.ibm.com"
    },
    "registry.connect.redhat.com": {
      "auth": "nnnnNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdjaU...",
      "email": "abc@us.ibm.com"
    },
    "registry.redhat.io": {
      "auth": "bbbTFRTndFdFdMNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdlV...",
      "email": "abc@us.ibm.com"
      }
     }
    }
   

   If you want to continue to leverage the offline registry of the previous installation, append the pull secret used in the install-config.yaml to the pull-secret Json file that got created earlier. The following code block is an example of append. Here, the bold text highlight the appended text:

   {
    "auths": {
      "cloud.openshift.com": {
         "auth": "bbbbbbFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
          "email": "abc@us.ibm.com"
    },
    "quay.io": {
       "auth": "bbbbbbWZmbWFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
       "email": "abc@us.ibm.com"
    },
    "registry.connect.redhat.com": {
      "auth": "nnnnNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdjaU...",
      "email": "abc@us.ibm.com"
    },
    "registry.redhat.io": {
      "auth": "bbbTFRTndFdFdMNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdlV...",
      "email": "abc@us.ibm.com"
      }
   

   "cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443": { "auth": ""

      }
     }
   

   Save updated file as pull-secret-2.json.

   Run the following command to update the default global secret, used for the environment, with the saved pull secret Json file:

   oc set data secret/pull-secret -n openshift-config \
   --from-file=.dockerconfigjson=<path>/pull-secret-2.json 
   

   If you want to go to a complete online/connected environment, do the following steps to remove the offline registry mirror configuration that got set up during install:

   1. In the following command, use only the default pull secret Json file that got downloaded directly from Red Hat.

      oc set data secret/pull-secret -n openshift-config \
      --from-file=.dockerconfigjson=<path>/pull-secret.json
      

   2. Run the following oc commands to delete the Image Content source policies that redirect OpenShift Container Platform 4.x quay.io request to local offline registry:

      oc delete ImageContentSourcePolicy image-policy-0
      oc delete ImageContentSourcePolicyimage-policy-1
      

9. **Can I install OpenShift Container Storage on top of OpenShift Container Platform? **

   Yes. In this accelerator version, you can deploy OpenShift Container Platform 4 HA with OpenShift Container Storage accelerator. To know more about how to install OpenShift Container Storage on OpenShift Container Platform, see Installing OpenShift Container Storage on IBM Cloud Pak System .

10. How to upgrade Docker version to 17 or above on primary helper?

For the steps to upgrade, see https://docs.docker.com/engine/install/ .

11. Can I scale master nodes?

You cannot scale beyond the default 3 master nodes both before or after the deployment.

12. How to recover an expired control plane certificate for OpenShift Container Platform 4.3.x cluster that was deployed using accelerator?

To recover an expired control plane certificates for OpenShift Container Platform 4.3.x cluster, see Red Hat solution for recovering expired certificate .