In this scenario the service and associated components are deployed onto your local host in containers using Podman.
Make sure you have Podman version 3.3+ installed. If you must use an older version of podman, reference the previous documentation and procedure to avoid a podman bug.
No need to clone the whole repo. Use:
Change IMAGE_SERVICE_BASE_URL and SERVICE_BASE_URL in
configmap.yml to match the hostname or IP address of your
host. For example if your IP address is 192.168.122.2, then the
SERVICE_BASE_URL would be set to http://192.168.122.2:8090. Port 8090 is
the assisted-service API that agents will connect to.
-
Assisted UI supports HTTPS starting from UI version v2.10.0
-
These instructions will secure the following communication paths:
- assisted-installer-ui
↔️ assisted-service - User API queries
↔️ assisted-service - assisted-image-service
↔️ assisted-service - discovery agents
↔️ assisted-service - controller pod
↔️ assisted-service
- assisted-installer-ui
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=localhost" -addext 'subjectAltName = IP:127.0.0.1'Embed both key and certificate in configmap_tls_certs.yml
Those will get mounted to assisted-installer-service, assisted-installer-image-service and assisted-installer-ui for encryption.
No need to clone the whole repo. Use:
Change IMAGE_SERVICE_BASE_URL and SERVICE_BASE_URL in
configmap_tls.yml to match the hostname or IP address of your
host. For example if your IP address is 192.168.122.2, then the
SERVICE_BASE_URL would be set to https://192.168.122.2:8090. Port 8090 is
the assisted-service API that agents will connect to.
Additionally, make sure to change the following:
ASSISTED_SERVICE_URL: https://127.0.0.1:8090
HTTPS_CERT_FILE: "/etc/certs/tls.crt" # Need to match certs-configmap-volume mountPath
HTTPS_KEY_FILE: "/etc/certs/tls.key" # Need to match certs-configmap-volume mountPath
HTTPS_CA_FILE: "/etc/certs/tls.crt" # Need to match certs-configmap-volume mountPath. Needed if the certificate is not signed by a CA in RHEL's default trust bundle.
ASSISTED_SERVICE_HOST: 127.0.0.1:8090
ASSISTED_SERVICE_SCHEME: https # A must for the UI nginx to be configured with TLSIf you are using a RELEASE_IMAGE hosted on a different registry than quay.io, add
the host name to the PUBLIC_CONTAINER_REGISTRIES environment variable. You have an
example in okd-configmap.yml.
Other environment variables may be set in configmap.yml. For example, custom
agent (AGENT_DOCKER_IMAGE), installer (INSTALLER_IMAGE) and controller
(CONTROLLER_IMAGE) images can be defined.
podman play kube --configmap configmap.yml pod.ymlpodman play kube --configmap configmap_tls_certs.yml --configmap configmap_tls.yml pod_tls.ymlTo preserve data about existing clusters between pod reconfigurations the
pod-persistent.yml manifest could be use instead, which creates additional
volumes for database and cluster's artifacts:
podman play kube --configmap configmap.yml pod-persistent.ymlIf you only want to provision a single cluster at a time, which is a common use case, persistence is not necessary.
The UI will available at: http://<host-ip-address>:8080
podman play kube --down pod.ymlAssisted Service can install OKD clusters using a different set of parameters:
podman play kube --configmap okd-configmap.yml pod.ymlor
make deploy-onprem OKD=truefor developers
Configuration differences are:
OS_IMAGESshould point to Fedora CoreOS (see Fedora CoreOS Release artifacts)RELEASE_IMAGESlists available OKD versions (see OKD Releases)OKD_RPMS_IMAGEis additional image containing Kubelet/CRI-O RPMs (see example repo)ENABLE_OKD_SUPPORTwhether OKD support is enabled. Required to betrueso that the service setup necessary RPMs on top of discovery ISO