Configuring Image Registry to use OpenShift Data Foundation

1. Create a Persistent Volume Claim for the Image Registry to use.

1. In the OpenShift Web Console, click Storage → Persistent Volume Claims.
2. Set the Project to openshift-image-registry.
3. Click Create Persistent Volume Claim.
    From the list of available storage classes retrieved above, specify the   Storage Class with the provisioner openshift-storage.cephfs.csi.ceph.com.
   Specify the Persistent Volume Claim Name, for example, ocsregistry.
   Specify an Access Mode of Shared Access (RWX).
   Specify a Size of at least 100 GB.
   Click Create.

Wait until the status of the new Persistent Volume Claim is listed as Bound.

2. Configure the cluster’s Image Registry to use the new Persistent Volume Claim.

1. Click Administration → Custom Resource Definitions.
2. Click the Config custom resource definition associated with the imageregistry.operator.openshift.io group.
3. Click the Instances tab.
4. Beside the cluster instance, click the Action Menu (⋮) → Edit Config.
5. Add the new Persistent Volume Claim as persistent storage for the Image Registry.
   Add the following under spec:, replacing the existing storage: section if necessary.
  storage:
    pvc:
      claim: <new-pvc-name>   For example:
  storage:
    pvc:
      claim: ocs4registry  Click Save

3. Verify that the new configuration is being used.

1. Click Workloads → Pods.
2. Set the Project to openshift-image-registry.
3. Verify that the new image-registry-* pod appears with a status of Running, and that the previous image-registry-* pod terminates.
4. Click the new image-registry-* pod to view pod details.
5. Scroll down to Volumes and verify that the registry-storage volume has a Type that matches your new Persistent Volume Claim, for example, ocsregistry.

Edit the cluster Ingress configuration:

oc edit ingress.config.openshift.io cluster

Set the custom hostname and optionally the serving certificate and key:

apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
  name: cluster
spec:
  componentRoutes:
    - name: console
      namespace: openshift-console
      hostname: <custom_hostname> 
      servingCertKeyPairSecret:
        name: <secret_name> 

Or Apply new Ingress Config

apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
  name: cluster
spec:
  componentRoutes:
    - name: console
      namespace: openshift-console
      hostname: OpenShift.Meaty.Cloud
      servingCertKeyPairSecret:
        name: custom-console-certificate

Example YAML file

apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
  name: cluster

spec:
  componentRoutes:
  - hostname: console.apps.oscp.abc.local
    name: console
    namespace: openshift-console
  domain: apps.oscp.abc.local
  loadBalancer:
    platform:
      type: ""
status:
  componentRoutes:
  - conditions:

    - lastTransitionTime: "2024-03-15T11:24:42Z"
      message: All is well
      reason: AsExpected
      status: "False"
      type: Degraded

https://meatybytes.io/posts/openshift/ocp-features/security/tls/customizing-console

https://docs.openshift.com/container-platform/4.15/web_console/customizing-the-web-console.html#customizing-the-web-console-url_customizing-web-console

A DHCP server unless using static IP addressing.
A base domain name. 

The OpenShift Container Platform cluster’s network must also meet the following requirements:
Connectivity between all cluster nodes
Connectivity for each node to the internet
Access to an NTP server for time synchronization between the cluster nodes

Example DNS zone database

$TTL 1W
@	IN	SOA	ns1.example.com.	root (
			2019070700	; serial
			3H		; refresh (3 hours)
			30M		; retry (30 minutes)
			2W		; expiry (2 weeks)
			1W )		; minimum (1 week)
	IN	NS	ns1.example.com.
	IN	MX 10	smtp.example.com.
;
;
ns1.example.com.		IN	A	192.168.1.1
smtp.example.com.		IN	A	192.168.1.5
;
helper.example.com.		IN	A	192.168.1.5
;
api.ocp4.example.com.		IN	A	192.168.1.5 
api-int.ocp4.example.com.	IN	A	192.168.1.5 
;
*.apps.ocp4.example.com.	IN	A	192.168.1.5 
;
control-plane0.ocp4.example.com.	IN	A	192.168.1.97 
control-plane1.ocp4.example.com.	IN	A	192.168.1.98
control-plane2.ocp4.example.com.	IN	A	192.168.1.99
;
worker0.ocp4.example.com.	IN	A	192.168.1.11 
worker1.ocp4.example.com.	IN	A	192.168.1.7
;
;EOF

1. Provides name resolution for the Kubernetes API. The record refers to the IP address of the API load balancer. ↩︎
2. Provides name resolution for the Kubernetes API. The record refers to the IP address of the API load balancer and is used for internal cluster communications. ↩︎
3. Provides name resolution for the wildcard routes. The record refers to the IP address of the application ingress load balancer. The application ingress load balancer targets the machines that run the Ingress Controller pods. The Ingress Controller pods run on the worker machines by default. ↩︎
4. Provides name resolution for the control plane machines. ↩︎
5. Provides name resolution for the worker machines. ↩︎

Example DNS zone database for reverse records

$$TTL 1W
@	IN	SOA	ns1.example.com.	root (
			2019070700	; serial
			3H		; refresh (3 hours)
			30M		; retry (30 minutes)
			2W		; expiry (2 weeks)
			1W )		; minimum (1 week)
	IN	NS	ns1.example.com.
;
5.1.168.192.in-addr.arpa.	IN	PTR	api.ocp4.example.com. 
5.1.168.192.in-addr.arpa.	IN	PTR	api-int.ocp4.example.com. 
;
97.1.168.192.in-addr.arpa.	IN	PTR	control-plane0.ocp4.example.com. 
98.1.168.192.in-addr.arpa.	IN	PTR	control-plane1.ocp4.example.com.
99.1.168.192.in-addr.arpa.	IN	PTR	control-plane2.ocp4.example.com.
;
11.1.168.192.in-addr.arpa.	IN	PTR	worker0.ocp4.example.com. 
7.1.168.192.in-addr.arpa.	IN	PTR	worker1.ocp4.example.com.
;
;EOF

Confirm that the cluster recognizes the machines:

oc get nodes

Review the pending CSRs and ensure that you see the client requests with the Pending or Approved status for each machine that you added to the cluster:

oc get csr

To approve them individually, run the following command for each valid CSR:

oc adm certificate approve <csr_name>

Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster:

oc get csr

If the remaining CSRs are not approved, and are in the Pending status, approve the CSRs for your cluster machines:

oc adm certificate approve <csr_name>

# To approve all pending CSRs, run the following command:
oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve

After all client and server CSRs have been approved, the machines have the Ready status. Verify this by running the following command:

oc get nodes

disk.EnableUUID TRUE 

Create user and group in AD.

ocp-user: Users with OpenShift access
Any users who should be able to log-in to OpenShift must be members of this group
All of the below mentioned users are in this group
ocp-normal-dev: Normal OpenShift users
Regular users of OpenShift without special permissions
Contains: normaluser1, teamuser1, teamuser2
ocp-fancy-dev: Fancy OpenShift users
Users of OpenShift that are granted some special privileges
Contains: fancyuser1, fancyuser2
ocp-teamed-app: Teamed app users
A group of users that will have access to the same OpenShift Project
Contains: teamuser1, teamuser2

Create a Secret with the bind password.

oc create secret generic ldapuser-secret --from-literal=bindPassword=yourPassword -n openshift-config

Update the cluster OAuth object with the LDAP identity provider.

spec:
  identityProviders:
  - name: ldap
    challenge: false
    login: true
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - distinguishedName
        email:
        - userPrincipalName
        name:
        - givenName
        preferredUsername:
        - sAMAccountName
      bindDN: "cn=ldapuser,cn=Users,dc=dcloud,dc=demo,dc=com"
      bindPassword:
        name: ldapuser-secret
      insecure: true
      url: "ldap://ad1.dcloud.demo.com:389/cn=Users,dc=dcloud,dc=demo,dc=com?sAMAccountName?sub?(memberOf=cn=ocp-user,cn=Users,dc=dcloud,dc=demo,dc=com)"
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400