OpenShift Hive – API driven OpenShift cluster provisioning and management operator

Red Hat invited my colleague Matt and me to speak at OpenShift Commons in London about OpenShift Hive, the API driven OpenShift cluster provisioning and management operator. We have been using Hive for the past few months to provision and manage our OpenShift 4 estate across multiple environments. Below is the video recording of our talk at OpenShift Commons London:

The Hive operator runs on a separate Kubernetes cluster, from which it centrally provisions and manages the OpenShift 4 clusters. With Hive you can manage hundreds of cluster deployments and their configuration with a single operator. Nothing needs to be installed on the managed OpenShift 4 clusters themselves; Hive only needs access to each cluster's API:

The ClusterDeployment custom resource defines the cluster specification, similar to the openshift-installer install-config, where you define the cluster parameters, the cloud credentials and the image pull secret. Note that the credentials and pull secret are referenced by the name of a Kubernetes Secret on the Hive cluster rather than embedded in the manifest. Below is an example ClusterDeployment manifest:

---
apiVersion: hive.openshift.io/v1
kind: ClusterDeployment
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  annotations:
    hive.openshift.io/delete-after: "8h"
  name: foo
spec:
  preserveOnDelete: false
  clusterName: foo
  baseDomain: bar.baz
  networking:
    type: OpenshiftSDN
    serviceCIDR: "10.3.0.0/16"
    machineCIDR: "10.0.0.0/16"
    podCIDR: "10.2.0.0/16"
  controlPlane:
    name: master
    replicas: 3
    platform:
      aws:
        type: m4.large
        rootVolume:
          iops: 100 # TODO
          size: 22
          type: gp2
  compute:
  - name: worker
    replicas: 3
    platform:
      aws:
        type: m4.large
        rootVolume:
          iops: 100 # TODO
          size: 22
          type: gp2
  platform:
    aws:
      region: us-east-1
      vpcID: ""
      vpcCIDRBlock: 10.0.0.0/16
  platformSecrets:
    aws:
      credentials:
        name: "foo-aws-creds"
  pullSecret:
    name: "foo-pull-secret"

The SyncSet custom resource defines the configuration to apply to the clusters and regularly reconciles the manifests so that all clusters stay synchronised. With a SyncSet you can apply resources, patches and secret references, as in the example below:

---
apiVersion: hive.openshift.io/v1
kind: SyncSet
metadata:
  name: mygroup
spec:
  clusterDeploymentRefs:
  - name: ClusterName
  resourceApplyMode: Upsert
  resources:
  - apiVersion: user.openshift.io/v1
    kind: Group
    metadata:
      name: mygroup
    users:
    - myuser
  patches:
  - kind: ConfigMap
    apiVersion: v1
    name: foo
    namespace: default
    patch: |-
      { "data": { "foo": "new-bar" } }
    patchType: merge
  secretReferences:
  - source:
      name: ad-bind-password
      namespace: default
    target:
      name: ad-bind-password
      namespace: openshift-config

Depending on the number of resources and patches you want to apply, a SyncSet can get pretty large and is not easy to manage. My colleague Matt wrote a SyncSet Generator; please check out this GitHub repository.
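As an added example (not Matt's generator and not code from the Hive project), here is a small stdlib-only Python generator that assembles a SyncSet like the one above from its parts and validates the fields Hive expects before emitting JSON, which the API server accepts as a manifest. It assumes the resourceApplyMode values Upsert and Sync and the patchType values json, merge and strategic from the Hive SyncSet spec; the sample inputs are constructed from the manifest shown above.

```python
import json

APPLY_MODES = {"Upsert", "Sync"}               # resourceApplyMode values in the Hive SyncSet spec
PATCH_TYPES = {"json", "merge", "strategic"}   # patchType values in the Hive SyncSet spec


def build_syncset(name, cluster_names, resources=(), patches=(), secret_refs=(),
                  apply_mode="Upsert"):
    """Return a hive.openshift.io/v1 SyncSet as a dict, checking the fields Hive expects."""
    if not cluster_names:
        raise ValueError("a SyncSet needs at least one clusterDeploymentRef")
    if apply_mode not in APPLY_MODES:
        raise ValueError(f"resourceApplyMode must be one of {sorted(APPLY_MODES)}")
    for res in resources:
        # Every embedded manifest must be a complete, named Kubernetes object.
        if not (res.get("apiVersion") and res.get("kind") and res.get("metadata", {}).get("name")):
            raise ValueError(f"resource needs apiVersion, kind and metadata.name: {res}")
    for p in patches:
        if p.get("patchType") not in PATCH_TYPES:
            raise ValueError(f"patchType must be one of {sorted(PATCH_TYPES)}")
        json.loads(p["patch"])  # Hive patch bodies are JSON strings; fail early on a bad one
    spec = {"clusterDeploymentRefs": [{"name": c} for c in cluster_names],
            "resourceApplyMode": apply_mode}
    if resources:
        spec["resources"] = list(resources)
    if patches:
        spec["patches"] = list(patches)
    if secret_refs:
        spec["secretReferences"] = list(secret_refs)
    return {"apiVersion": "hive.openshift.io/v1", "kind": "SyncSet",
            "metadata": {"name": name}, "spec": spec}


def example_syncset():
    """The mygroup SyncSet shown above, rebuilt from its parts (constructed sample input)."""
    group = {"apiVersion": "user.openshift.io/v1", "kind": "Group",
             "metadata": {"name": "mygroup"}, "users": ["myuser"]}
    cm_patch = {"kind": "ConfigMap", "apiVersion": "v1", "name": "foo", "namespace": "default",
                "patchType": "merge", "patch": json.dumps({"data": {"foo": "new-bar"}})}
    # The bind password stays a Secret on the Hive cluster; only a reference travels in the SyncSet.
    bind_pw = {"source": {"name": "ad-bind-password", "namespace": "default"},
               "target": {"name": "ad-bind-password", "namespace": "openshift-config"}}
    return build_syncset("mygroup", ["ClusterName"], [group], [cm_patch], [bind_pw])


if __name__ == "__main__":
    # JSON is a valid manifest format for the API server, so this can be piped to `oc apply -f -`.
    print(json.dumps(example_syncset(), indent=2))
```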

In one of my next articles I will go into more detail on how to deploy OpenShift Hive and provide more examples of how to use ClusterDeployment and SyncSets. In the meantime please check out the OpenShift Hive repository for more details; additionally, here are links to the Hive documentation on using Hive and SyncSets.

Read my new article about installing OpenShift Hive.

Also published on Medium.
