IBM Cloud Docs
Red Hat OpenShift Bastion node setup

To enable the deployment, a virtual machine (VM) is provisioned to run the Red Hat® OpenShift® installation steps and host an HTTP Server. This VM is known as the bastion node. The bastion node is connected to the Red Hat OpenShift logical switch, and the ESG firewall and NAT rules are configured to allow SSH access from the jump-server or remote device.

The bastion node runs Red Hat® Enterprise Linux®, and it is used to host the scripts, files, and tools to provision the bootstrap, control-plane, and compute nodes. After the deployment, it is recommended to keep the bastion node as an administrative node for the cluster.

The bastion node setup consists of the following steps:

  1. Provision a Red Hat VM.
  2. Register the Red Hat VM.
  3. Install NGINX (HTTP Server).
  4. Generate an SSH private key and add it to the agent.

Provisioning a Red Hat VM

Provision a Red Hat VM based on the following specifications. Use either the vCenter Server user interface or the PowerCLI script that is documented later in this document to provision the VM. Record your NAT address, which is configured in the NSX ESG.

Red Hat VM - provision

| VM | IP address | Gateway | Disk (GB) | Memory (GB) | vCPU | NAT address |
|---|---|---|---|---|---|---|
| bastion | 192.168.133.8 | 192.168.133.1 | 50 | 2 | 1 | 10.208.59.197 |

Use the following table to record your deployment details:

Red Hat VM deployment

| Parameter | Example | Your deployment |
|---|---|---|
| vCenter Server IP address | | |
| vCenter Server user | | |
| vCenter Server password | | |
| Logical Switch | OpenShift-LS | |
| vCenter Server instance data store | vsanDatastore | |
| VM name | bastion | |
| ISO file name | rhel-8.x-x86_64-dvd.iso | |
| IP address | 192.168.133.8 | |
| Netmask | 255.255.255.0 | |
| Default gateway | 192.168.133.1 | |

Before you begin, create the VM by using the vCenter CLI or the following PowerCLI script.

# Connect to vCenter
Connect-VIServer -Server <IP_Address> -User <UserName> -Password '<Password>'

# Create VM
$ls = get-nsxtransportzone | get-nsxlogicalswitch OpenShift-LS | Get-NsxBackingPortGroup | Select-Object Name
$ds = get-datastore -Name vsanDatastore
$vm = New-VM -Name bastion -Datastore $ds -DiskGB 50 -DiskStorageFormat Thin -MemoryGB 2 -NumCpu 1 -Notes "OpenShift Bastion node" -NetworkName $ls.name -GuestId rhel8_64Guest

# Connect a CD Drive loaded with the RHEL ISO
New-CDDrive -VM $vm -IsoPath "[vsanDatastore] ISO\rhel-8.x-x86_64-dvd.iso" -StartConnected

# Start the VM
Start-VM -VM $vm

# Disconnect
Disconnect-NsxServer

After the VM starts, connect to the VM by using the web console or remote console and complete the following installation steps. If needed, see the Red Hat Enterprise Linux documentation.

  1. Select the required language.
  2. Set the date and time.
  3. Configure the network and hostname.
  4. Select the installation destination.
  5. Set the root password.
  6. Create a user.

Registering the Red Hat VM

For this step, you require your Red Hat subscription details:

  • Username
  • Password
  • Subscription Pool

After the bastion node is deployed, you must register it and subscribe it to the Red Hat public repositories. From the jump-host or remote device, use SSH to connect to the bastion node. Use the su command to get root privileges and run the following commands after you replace the username, password, and pool with your values.

export rhel_subscription_username='<email address>'
export rhel_subscription_password='<password>'
sudo subscription-manager register --username="${rhel_subscription_username}" --password="${rhel_subscription_password}" --force
subscription-manager refresh
subscription-manager attach --pool=<pool>
subscription-manager repos --disable="*"
subscription-manager repos --enable  rhel-8-server-rpms
subscription-manager repos --enable  rhel-8-server-extras-rpms
subscription-manager repos --enable  rhel-server-rhscl-8-rpms

Installing NGINX (HTTP Server)

The deployment of the Red Hat OpenShift nodes uses Ignition, and this process requires an HTTP Server to be available to download the required configuration. This deployment uses an NGINX instance that runs on the bastion node. To install NGINX, complete the following steps after you are connected to the bastion node and have root privileges:

  1. Use a text editor such as vi to create the following file: vi /etc/yum.repos.d/nginx.repo.

  2. Type i to insert and paste the following information into the file:

    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/mainline/rhel/8/$basearch/
    gpgcheck=0
    enabled=1
    
  3. Press Esc to get back to command mode and then type :wq to save the file and exit vi.

  4. Use the yum command to install the NGINX package.

    yum update
    yum install -y nginx
    
  5. Create the default configuration file: vi /etc/nginx/conf.d/default.conf.

  6. Type i to insert and paste the following information into the file:

    server {
        listen       80;
        server_name  localhost;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;
    
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
    
  7. Press Esc to get back to command mode and then type :wq to save the file and exit vi.

  8. Run the following commands to start NGINX.

    systemctl enable nginx
    systemctl start nginx
    
  9. The Linux firewall needs to be configured to enable HTTP by using the following firewall-cmd commands:

    firewall-cmd --permanent --zone=public --add-service=http
    firewall-cmd --reload
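
The repository definition in step 2 sets gpgcheck=0 and uses an http:// baseurl, so yum installs the NGINX packages without verifying their signature. The following is an added example, not part of the original IBM page: it writes the same repository with signature checking enabled and audits a .repo file for those settings. The function names are hypothetical, and the gpgkey URL is the signing key that nginx.org publishes.

```bash
#!/usr/bin/env bash
# Added example (not from the original page).

# Write the repo definition to the path given as $1 (the page uses
# /etc/yum.repos.d/nginx.repo). Same repository as the page, but fetched
# over HTTPS and verified against the nginx signing key.
write_nginx_repo() {
    cat > "$1" <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/rhel/8/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
}

# Print one line per weak setting in a .repo file.
# Returns 0 only when no weak setting is found.
audit_repo_file() {
    local file="$1" rc=0
    if grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$file"; then
        echo "$file: gpgcheck=0 (packages installed without signature check)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*gpgkey[[:space:]]*=' "$file"; then
        echo "$file: no gpgkey configured"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*http://' "$file"; then
        echo "$file: baseurl uses plain HTTP"
        rc=1
    fi
    return "$rc"
}
```

Run audit_repo_file against each file in /etc/yum.repos.d before running yum install.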
    

Generating an SSH private key and adding it to the agent

For the Red Hat OpenShift container platform clusters on which you want to perform installation debugging or disaster recovery, you must provide the installer with an SSH key that your ssh-agent process uses.

You can use this key to SSH into the nodes as the user core. When you deploy the cluster, the key is added to the core user’s ~/.ssh/authorized_keys list.

You must use a local key.

Creating the SSH key

  1. In the SSH session on the bastion node, run the following command, which generates a public and private RSA key pair in the directory /root/.ssh:

    ssh-keygen -f ~/.ssh/id_rsa -t rsa -b 4096 -N ''
    

    The private key is /root/.ssh/id_rsa and the public key is /root/.ssh/id_rsa.pub.

  2. Start the ssh-agent process as a background task:

    eval "$(ssh-agent -s)"
    
  3. Add your SSH private key to the ssh-agent:

    ssh-add /root/.ssh/id_rsa
    

Downloading the installation tools

For more information about installing Red Hat OpenShift 4.14, see Installing a cluster on vSphere with user-provisioned infrastructure.

For more information about how to access the Red Hat OpenShift user provider infrastructure, see Internet and Telemetry access for Red Hat OpenShift Container Platform.

Before you install the Red Hat OpenShift Container Platform, you need to download a number of files onto the bastion node and then extract them. The following actions are completed:

  • Download unzip to extract the downloaded files.
  • Create an installation directory and make it the working directory.
  • Download the Red Hat OpenShift installation and client tools.
  • Extract the downloaded bundles.
  • Move commands to /usr/local/bin for ease of use.
  • Install Git to download the Red Hat OpenShift installer.
  • Clone the installer repository to the bastion node.
  • Download and extract Terraform to the /usr/local/bin directory for ease of use.

Run these commands in the SSH session on the bastion node with root privileges. Replace 4.x with the current Red Hat OpenShift version, for example, 4.14.

# Install wget and unzip
yum install -y wget unzip

# Create an installation directory and make it the working directory
mkdir -p /opt/ocpinstall
cd /opt/ocpinstall

# Download the OpenShift installer and client tools
wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.x/openshift-client-linux.tar.gz
wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.x/openshift-install-linux.tar.gz

# Extract the downloaded bundles
tar -xvf openshift-client-linux.tar.gz
tar -xvf openshift-install-linux.tar.gz

# Move commands to /usr/local/bin for ease of use
mv kubectl oc /usr/local/bin
mv openshift-install /usr/local/bin

# Install git and clone the OpenShift installer
yum install -y git
git clone -b release-4.x https://github.com/openshift/installer

# Download and extract terraform
wget https://releases.hashicorp.com/terraform/0.11.13/terraform_0.11.13_linux_amd64.zip
unzip terraform_0.11.13_linux_amd64.zip
mv terraform /usr/local/bin
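
The commands above extract and install the downloaded archives into /usr/local/bin without checking their integrity. The following is an added example, not part of the original IBM page: it verifies an archive against a publisher checksum list in sha256sum format before extracting it. The function names are hypothetical, and it assumes that you obtained the checksum list from the publisher over HTTPS.

```bash
#!/usr/bin/env bash
# Added example (not from the original page).

# verify_sha256 FILE SUMS [NAME]
# Succeeds only if the SHA-256 of FILE equals the digest listed for NAME
# (default: the basename of FILE) in SUMS, a list in sha256sum format.
# Returns 2 if NAME has no entry and 1 if the digest does not match.
verify_sha256() {
    local file="$1" sums="$2" name="${3:-}" expected actual
    [ -n "$name" ] || name=$(basename "$file")
    # Lines look like "<digest>  <name>"; a leading '*' marks binary mode.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_sha256: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_sha256: MISMATCH for $file" >&2
        return 1
    fi
    echo "verify_sha256: OK $file"
}

# verified_extract ARCHIVE SUMS [NAME] [DEST]
# Extracts a tar archive into DEST (default: current directory) only
# after it verifies; nothing is unpacked on a mismatch or missing entry.
verified_extract() {
    verify_sha256 "$1" "$2" "${3:-}" || return
    tar -xf "$1" -C "${4:-.}"
}

# Usage on the bastion node (<checksum-list> is a placeholder):
#   verified_extract openshift-install-linux.tar.gz <checksum-list>
```

Pass the NAME argument when the checksum list records the archive under a different file name than the one you downloaded.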

The Bastion node is now ready for the steps to install Red Hat OpenShift 4.14, which are described in Red Hat OpenShift 4.14 user provider infrastructure installation.