Install Using Advanced Cluster Management
Summary: Learn how to install CN2 using Advanced Cluster Management (ACM).
The procedures in this section describe how to use ACM to install or import CN2 clusters.
Before proceeding, you need to create an ACM hub cluster. For an example of how to create a hub cluster, see Create an ACM Hub Cluster. The hub cluster provides the ACM functionality. It does not contain any CN2 components.
Install Using ACM with User-Managed Networking
Use this procedure to bring up an OpenShift cluster with user-managed networking through ACM. User-managed networking refers to a deployment in which you explicitly provide an external load balancer for the installation.
Before starting this procedure, make sure you have set up an ACM hub cluster.
- Copy the hub cluster's kubeconfig to the default kubeconfig location (~/.kube/config) on the installer machine where you run this procedure.
- Prepare for the deployment by setting up an SSH key and downloading the pull secret.
  - Create an SSH key for accessing the nodes in the cluster.
    ssh-keygen
  We leave the key pair in its default location; the public key is ~/.ssh/id_rsa.pub. The matching private key gives shell access to every node, so protect it accordingly.
  - Download the image pull secret from your Red Hat account to your local computer. The pull secret allows your installation to access the services and registries that provide container images for OpenShift components.
  You can download the pull secret file (pull-secret) from https://console.redhat.com/openshift/downloads. Treat it as a credential: it authenticates to Red Hat's registries.
- 创建将用于托管群集配置的命名空间。
我们将命名空间
mgmt-spoke1
称为 。oc create ns mgmt-spoke1
- Convert all the CN2 manifests that you plan to use into ConfigMaps.
  Below is an example of the ConfigMap for the 110-vroutermasters-cr.yaml manifest. The ConfigMap carries the contents of 110-vroutermasters-cr.yaml in its data section. Note that this example leaves xmppAuthEnable and introspectSslEnable set to false; review these settings against your security requirements before using the manifest in production.
  kind: ConfigMap
  apiVersion: v1
  metadata:
    name: 110-vroutermasters-cr-yaml
    namespace: mgmt-spoke1
  data:
    110-vroutermasters-cr.yaml : |
      apiVersion: dataplane.juniper.net/v1alpha1
      kind: Vrouter
      metadata:
        name: contrail-vrouter-masters
        namespace: contrail
      spec:
        agent:
          default:
            xmppAuthEnable: false
            httpServerPort: 18085
            sandesh:
              introspectSslEnable: false
        common:
          containers:
          - image: enterprise-hub.jnpr.net/contrail-container-prod/contrail-vrouter-agent:<release>
            name: contrail-vrouter-agent
          - image: enterprise-hub.jnpr.net/contrail-container-prod/contrail-init:<release>
            name: contrail-watcher
          - image: enterprise-hub.jnpr.net/contrail-container-prod/contrail-telemetry-exporter:<release>
            name: contrail-vrouter-telemetry-exporter
          initContainers:
          - image: enterprise-hub.jnpr.net/contrail-container-prod/contrail-init:<release>
            name: contrail-init
          - image: enterprise-hub.jnpr.net/contrail-container-prod/contrail-cni-init:<release>
            name: contrail-cni-init
  - First, create a template file that provides the ConfigMap structure. We call this file TEMPLATE. The conversion script appends each manifest below the data key, so the indentation it prepends must be deeper than the indentation of that key.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: CHANGEME-yaml
      namespace: mgmt-spoke1
    data:
      CHANGEME.yaml : |
  - Create the following bash script, which steps through each CN2 manifest and generates a ConfigMap based on the template above.
  Note:
  This script modifies the original CN2 manifests slightly (it indents them in place). We recommend that you make a copy of the original manifests before proceeding.
  The script iterates over every .yaml file in SRC_DIR and, for each manifest, creates the corresponding ConfigMap by applying the template and appending the contents of the original YAML file. The script places the generated ConfigMap files in the DST_DIR directory. We call the script convert-manifests.sh. Modify the SRC_DIR and DST_DIR variables in the script as needed. Make sure SRC_DIR contains only the CN2 manifests you want to use. For a description of the CN2 manifests we provide, see Manifests.
    #!/bin/bash
    SRC_DIR="/home/cn2/manifests"
    DST_DIR="/home/cn2/tmp/config-maps"
    CWD=$PWD
    mkdir -p "$DST_DIR"
    cd "$SRC_DIR"
    for i in *.yaml
    do
        echo "processing $i"
        j="${i//.yaml/}"            # strip the .yaml suffix
        j="${j//_/-}"               # underscores are not allowed in ConfigMap names
        sed -i -e 's/^/    /' "$i"  # indent the manifest so it nests under the data key (modifies the original file)
        cat "$CWD/TEMPLATE" | sed "s#CHANGEME#${j}#g" > "$DST_DIR/$i"
        cat "$i" >> "$DST_DIR/$i"
    done
    cd "$CWD"
chmod +x convert-manifests.sh
  - Run the script.
./convert-manifests.sh
  - Apply the ConfigMaps.
  Run the following command from the DST_DIR directory, /home/cn2/tmp/config-maps in our example.
    for i in *.yaml; do oc create -f "$i"; done
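The following is an added example, not the page's or Juniper's own script, that performs the same manifest-to-ConfigMap conversion without rewriting the source manifests in place and refuses to emit a ConfigMap whose name Kubernetes would reject. It assumes the naming convention of convert-manifests.sh above (file stem, underscores replaced by hyphens, suffixed with -yaml); unlike that script it keeps the original file name as the data key. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CN2 documentation: wrap CN2 manifests in
# ConfigMaps for AgentClusterInstall.manifestsConfigMapRefs without editing
# the source files. Function names here are this example's own.

# Derive the ConfigMap name from a manifest file name, following the page's
# convention: strip ".yaml", replace "_" with "-", append "-yaml".
# Example: 110-vroutermasters-cr.yaml -> 110-vroutermasters-cr-yaml
configmap_name_for() {
    base=$(basename "$1")
    stem=${base%.yaml}
    stem=$(printf '%s' "$stem" | tr '_' '-')
    printf '%s-yaml\n' "$stem"
}

# Kubernetes object names must be lowercase RFC 1123 subdomains
# (a-z, 0-9, "-", ".", at most 253 characters). Returns 0 if valid.
is_valid_k8s_name() {
    [ ${#1} -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$'
}

# Print a ConfigMap carrying the manifest under data/<file name>.
# The manifest body is indented by four spaces so it nests under the
# two-space data key as a literal block scalar; the source file is untouched.
manifest_to_configmap() {
    name=$(configmap_name_for "$1")
    key=$(basename "$1")
    printf 'kind: ConfigMap\napiVersion: v1\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  %s: |\n' \
        "$name" "$2" "$key"
    sed -e 's/^/    /' "$1"
}

# Convert every *.yaml in $1 into $2 for namespace $3, one file per manifest.
# A manifest whose derived name is not a valid object name is reported and
# skipped instead of producing a ConfigMap that "oc create" would reject.
convert_dir() {
    mkdir -p "$2"
    for f in "$1"/*.yaml; do
        [ -e "$f" ] || continue
        name=$(configmap_name_for "$f")
        if ! is_valid_k8s_name "$name"; then
            echo "skipping $f: '$name' is not a valid ConfigMap name" >&2
            continue
        fi
        manifest_to_configmap "$f" "$3" > "$2/$(basename "$f")"
    done
}

# Usage: convert_dir /home/cn2/manifests /home/cn2/tmp/config-maps mgmt-spoke1
```

Because the generated ConfigMap names are exactly what you list under manifestsConfigMapRefs later, generating them with one fixed rule and validating them here avoids a silent mismatch at install time.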
- Create and apply the manifests for the managed cluster.
  - Create the manifest.
  Below is an example manifest with 3 control plane nodes and 2 worker nodes, using subnets consistent with the other examples in this document:
  - Machine network CIDR: 172.16.0.0/24
  - Cluster network CIDR: 10.128.0.0/14
  - Service network CIDR: 172.31.0.0/16
  apiVersion: v1
  kind: Secret
  metadata:
    name: assisted-deployment-pull-secret
    namespace: mgmt-spoke1
  stringData:
    .dockerconfigjson: '<pull-secret>'
  type: kubernetes.io/dockerconfigjson
  ---
  apiVersion: extensions.hive.openshift.io/v1beta1
  kind: AgentClusterInstall
  metadata:
    name: mgmt-spoke1
    namespace: mgmt-spoke1
    annotations:
      agent-install.openshift.io/install-config-overrides: |
        { "networking": { "networkType": "Contrail" } }
  spec:
    manifestsConfigMapRefs:
    - name: 050-dpdk-machineconfigpool-yaml
    - name: 051-worker-vfio-pci-yaml
    - name: 052-kargs-1g-hugepages-yaml
    - name: 099-disable-offload-master-yaml
    - name: 099-disable-offload-worker-yaml
    - name: 100-certificaterequests.cert-manager.io-yaml
    - name: 100-certificates.cert-manager.io-yaml
    - name: 100-challenges.acme.cert-manager.io-yaml
    - name: 100-clusterissuers.cert-manager.io-yaml
    - name: 100-configplane.juniper.net-apiservers-yaml
    - name: 100-configplane.juniper.net-apiserverstatuses-yaml
    - name: 100-configplane.juniper.net-contrailcertificatemanagers-yaml
    - name: 100-configplane.juniper.net-contrailcertificatemanagerstatuses-yaml
    - name: 100-configplane.juniper.net-controllers-yaml
    - name: 100-configplane.juniper.net-controllerstatuses-yaml
    - name: 100-configplane.juniper.net-kubemanagers-yaml
    - name: 100-configplane.juniper.net-kubemanagerstatuses-yaml
    - name: 100-contrailstatus.juniper.net-contrailstatusmonitors-yaml
    - name: 100-contrailstatus.juniper.net-contrailstatusmonitorstatuses-yaml
    - name: 100-controlplane.juniper.net-controls-yaml
    - name: 100-controlplane.juniper.net-controlstatuses-yaml
    - name: 100-dataplane.juniper.net-vrouters-yaml
    - name: 100-dataplane.juniper.net-vrouterstatuses-yaml
    - name: 100-datastore.juniper.net-etcds-yaml
    - name: 100-datastore.juniper.net-etcdstatuses-yaml
    - name: 100-issuers.cert-manager.io-yaml
    - name: 100-k8s.cni.cncf.io-network-attachment-definitions-yaml
    - name: 100-orders.acme.cert-manager.io-yaml
    - name: 100-plugins.juniper.net-apstraplugins-yaml
    - name: 100-plugins.juniper.net-apstrapluginstatuses-yaml
    - name: 101-contrail-deploy-namespace-yaml
    - name: 101-contrail-namespace-yaml
    - name: 101-contrail-system-namespace-yaml
    - name: 101-namespace-cert-manager-yaml
    - name: 102-clusterrole-cert-manager-cainjector-yaml
    - name: 102-clusterrole-cert-manager-controller-approve-cert-manager-io-yaml
    - name: 102-clusterrole-cert-manager-controller-certificates-yaml
    - name: 102-clusterrole-cert-manager-controller-certificatesigningrequests-yaml
    - name: 102-clusterrole-cert-manager-controller-challenges-yaml
    - name: 102-clusterrole-cert-manager-controller-clusterissuers-yaml
    - name: 102-clusterrole-cert-manager-controller-ingress-shim-yaml
    - name: 102-clusterrole-cert-manager-controller-issuers-yaml
    - name: 102-clusterrole-cert-manager-controller-orders-yaml
    - name: 102-clusterrole-cert-manager-edit-yaml
    - name: 102-clusterrole-cert-manager-view-yaml
    - name: 102-clusterrole-cert-manager-webhook-subjectaccessreviews-yaml
    - name: 102-clusterrolebinding-cert-manager-cainjector-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-approve-cert-manager-io-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-certificates-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-certificatesigningrequests-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-challenges-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-clusterissuers-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-ingress-shim-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-issuers-yaml
    - name: 102-clusterrolebinding-cert-manager-controller-orders-yaml
    - name: 102-clusterrolebinding-cert-manager-webhook-subjectaccessreviews-yaml
    - name: 102-cn2-clusterrolebind-yaml
    - name: 102-cn2-cluterrole-yaml
    - name: 102-configmap-cert-manager-webhook-yaml
    - name: 102-contrail-deploy-serviceaccount-yaml
    - name: 102-contrail-serviceaccount-yaml
    - name: 102-contrail-system-serviceaccount-yaml
    - name: 102-mutatingwebhookconfiguration-cert-manager-webhook-yaml
    - name: 102-role-cert-manager-cainjector-leaderelection-yaml
    - name: 102-role-cert-manager-leaderelection-yaml
    - name: 102-role-cert-manager-webhook-dynamic-serving-yaml
    - name: 102-rolebinding-cert-manager-cainjector-leaderelection-yaml
    - name: 102-rolebinding-cert-manager-leaderelection-yaml
    - name: 102-rolebinding-cert-manager-webhook-dynamic-serving-yaml
    - name: 102-service-cert-manager-webhook-yaml
    - name: 102-service-cert-manager-yaml
    - name: 102-serviceaccount-cert-manager-cainjector-yaml
    - name: 102-serviceaccount-cert-manager-webhook-yaml
    - name: 102-serviceaccount-cert-manager-yaml
    - name: 102-validatingwebhookconfiguration-cert-manager-webhook-yaml
    - name: 103-contrail-clusterrole-yaml
    - name: 103-contrail-deploy-clusterrole-yaml
    - name: 103-contrail-system-clusterrole-yaml
    - name: 103-deployment-cert-manager-cainjector-yaml
    - name: 103-deployment-cert-manager-webhook-yaml
    - name: 103-deployment-cert-manager-yaml
    - name: 104-contrail-clusterrolebinding-yaml
    - name: 104-contrail-deploy-clusterrolebinding-yaml
    - name: 104-contrail-system-clusterrolebinding-yaml
    - name: 104-contrail-system-configmap-yaml
    - name: 105-contrail-operator-yaml
    - name: 106-apiserver-cr-yaml
    - name: 106-contrailcertificatemanager-cr-yaml
    - name: 106-etcd-cr-yaml
    - name: 107-controller-cr-yaml
    - name: 108-kubemanager-cr-yaml
    - name: 109-controlnode-cr-yaml
    - name: 110-vroutermasters-cr-yaml
    - name: 111-vrouternodes-cr-yaml
    - name: 112-vrouterdpdknodes-cr-yaml
    - name: 113-contrailstatusmonitor-cr-yaml
    clusterDeploymentRef:
      name: mgmt-spoke1
    imageSetRef:
      name: openshift-v4.12
    networking:
      machineNetwork:
      - cidr: 172.16.0.0/24
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23
      serviceNetwork:
      - 172.31.0.0/16
      userManagedNetworking: true
    provisionRequirements:
      controlPlaneAgents: 3
      workerAgents: 2
    sshPublicKey: '<cluster_ssh_key>'
  ---
  apiVersion: hive.openshift.io/v1
  kind: ClusterDeployment
  metadata:
    name: mgmt-spoke1
    namespace: mgmt-spoke1
  spec:
    baseDomain: contrail.juniper.net
    clusterName: mgmt-spoke1
    controlPlaneConfig:
      servingCertificates: {}
    installed: false
    clusterInstallRef:
      group: extensions.hive.openshift.io
      kind: AgentClusterInstall
      name: mgmt-spoke1
      version: v1beta1
    platform:
      agentBareMetal:
        agentSelector:
          matchLabels:
            cluster-name: mgmt-spoke1
    pullSecretRef:
      name: assisted-deployment-pull-secret
  ---
  apiVersion: agent.open-cluster-management.io/v1
  kind: KlusterletAddonConfig
  metadata:
    name: mgmt-spoke1
    namespace: mgmt-spoke1
  spec:
    clusterName: mgmt-spoke1
    clusterNamespace: mgmt-spoke1
    clusterLabels:
      cloud: auto-detect
      vendor: auto-detect
    applicationManager:
      enabled: false
    certPolicyController:
      enabled: false
    iamPolicyController:
      enabled: false
    policyController:
      enabled: false
    searchCollector:
      enabled: false
  ---
  apiVersion: cluster.open-cluster-management.io/v1
  kind: ManagedCluster
  metadata:
    name: mgmt-spoke1
    namespace: mgmt-spoke1
  spec:
    hubAcceptsClient: true
  ---
  apiVersion: agent-install.openshift.io/v1beta1
  kind: InfraEnv
  metadata:
    name: mgmt-spoke1
    namespace: mgmt-spoke1
  spec:
    clusterRef:
      name: mgmt-spoke1
      namespace: mgmt-spoke1
    sshAuthorizedKey: '<cluster_ssh_key>'
    agentLabelSelector:
      matchLabels:
        cluster-name: mgmt-spoke1
    ignitionConfigOverride: '<ignition-config>'
    pullSecretRef:
      name: assisted-deployment-pull-secret
  where:
  - <pull-secret> is the contents of the pull secret file you downloaded earlier from Red Hat. Because the manifest file then holds your registry credential in clear text, restrict access to it as you would to the pull secret itself.
  - <cluster_ssh_key> is the contents of the ~/.ssh/id_rsa.pub file you created earlier.
  - <ignition-config> is the following string:
  {"ignition_config_override": "{\"ignition\":{\"version\":\"3.1.0\"},\"systemd\":{\"units\":[{\"name\":\"ca-patch.service\",\"enabled\":true,\"contents\":\"[Service]\\nType=oneshot\\nExecStart=/usr/local/bin/ca-patch.sh\\n\\n[Install]\\nWantedBy=multi-user.target\"}]},\"storage\":{\"files\":[{\"path\":\"/usr/local/bin/ca-patch.sh\",\"mode\":720,\"contents\":{\"source\":\"data:text/plain;charset=utf-8;base64,<base64-encoded-script>\"}}]},\"kernelArguments\":{\"shouldExist\":[\"ipv6.disable=1\"]}}"}
  This string embeds a base64-encoded script (ca-patch.sh, whose body is not reproduced on this page) that patches the API server with the correct certificate configuration. The override writes the script to /usr/local/bin on every node booted from the generated ISO, runs it as a systemd oneshot unit at boot (with no User= setting, so as root), and also sets the ipv6.disable=1 kernel argument. Review the decoded script before embedding it, and note that Ignition's mode field is a decimal integer (0755 is written as 493), so make sure the value you use encodes the permissions you intend.
  - Apply the manifest.
    oc apply -f mgmt-spoke1.yaml
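The following is an added example, not the page's or Juniper's own tooling, of two preflight checks worth running against mgmt-spoke1.yaml before the apply step above: confirming that every ConfigMap listed under manifestsConfigMapRefs actually exists in the namespace (a missing reference stalls the install), and converting between octal permissions and the decimal form Ignition expects in its mode field. The function names are this example's own, and the manifest fragment in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CN2 documentation: preflight checks to run on
# the managed-cluster manifest before "oc apply". Function names are this
# example's own.

# List the ConfigMap names referenced under manifestsConfigMapRefs in an
# AgentClusterInstall manifest, one per line, in file order.
referenced_configmaps() {
    awk '
        /^[[:space:]]*manifestsConfigMapRefs:/ { in_refs = 1; next }
        in_refs && /^[[:space:]]*- name:[[:space:]]*/ {
            sub(/^[[:space:]]*- name:[[:space:]]*/, ""); print; next
        }
        in_refs { in_refs = 0 }
    ' "$1"
}

# Print every referenced ConfigMap that is absent from $2, a newline-separated
# list of existing objects as printed by
#   oc get configmap -n mgmt-spoke1 -o name     (entries look like configmap/NAME)
# Returns 1 if anything is missing, so it can gate the apply step.
missing_configmaps() {
    rc=0
    have=$(printf '%s\n' "$2" | sed 's#^configmap/##')
    for name in $(referenced_configmaps "$1"); do
        if ! printf '%s\n' "$have" | grep -qxF "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Ignition's "mode" field is a decimal integer, so 0755 must be written as 493.
# Convert an octal permission string to that decimal form.
ignition_mode() {
    oct=$1; dec=0
    while [ -n "$oct" ]; do
        d=${oct%"${oct#?}"}      # first remaining digit
        oct=${oct#?}
        dec=$(( dec * 8 + d ))
    done
    echo "$dec"
}

# The reverse: show which octal permissions a decimal Ignition mode encodes
# (the page's 720, for instance, is octal 1320).
ignition_mode_octal() {
    printf '%o\n' "$1"
}

# Usage against a live hub:
#   missing_configmaps mgmt-spoke1.yaml "$(oc get configmap -n mgmt-spoke1 -o name)" \
#       && oc apply -f mgmt-spoke1.yaml
```

Running the reference check before the apply step catches the common failure of a ConfigMap name in the list drifting from the name the conversion script produced, which otherwise only surfaces as a stalled AgentClusterInstall.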
- Obtain the download URL for the ISO image for the managed cluster nodes.
  oc get infraenv -n mgmt-spoke1 mgmt-spoke1 -o jsonpath='{.status.isoDownloadURL}'
- Download the ISO image.
  wget "<download_url>"
- Boot the cluster nodes with the downloaded ISO image.
- Monitor the installation progress with the following commands.
  oc get agentclusterinstall -n mgmt-spoke1 mgmt-spoke1 -o jsonpath='{.status.conditions[-1].message}'
  oc get agentclusterinstall -n mgmt-spoke1 mgmt-spoke1 -o jsonpath='{.status.debugInfo.stateInfo}'
Import an Existing CN2 Cluster into ACM
The procedure for importing a cluster into ACM is the same whether you are importing a CN2 cluster or a non-CN2 cluster.
For an example of how to import a cluster, see Import an Existing Cluster into ACM.
Before starting this procedure, make sure you have set up an ACM hub cluster.