Before you begin deploying
This page describes the steps that you must complete before you can deploy the architecture.
IAM Permissions
IAM access roles are required to install this deployable architecture and create all the required elements.
You need the following permissions for this deployable architecture:
- Create services from IBM Cloud catalog.
- Create and modify IBM Cloud VPC services, virtual server instances, networks, network prefixes, storage volumes, SSH keys, and security groups in the VPC.
- Create and modify Power® Virtual Server services, virtual server instances, networks, storage volumes, and SSH keys in the Power® Virtual Server workspace.
- Create and modify IBM Cloud direct links and IBM Cloud Transit Gateway.
- Access existing Object Storage services.
- The Editor role on the Projects service.
- The Editor and Manager role on the Schematics service.
- The Viewer role on the resource group for the project.
For information about configuring permissions, contact your IBM Cloud account administrator.
Generate API key
An API key is mandatory for the deployment. A user API key carries the same access as the user identity that created it, so treat it as a credential: store it in a secrets store rather than in plain text, and delete it when the deployment no longer needs it. An individual API key can be deleted if compromised without affecting other API keys or the user itself. You can create up to 20 API keys.
To create an API key for your user identity in the UI, complete the following steps:
- In the IBM Cloud console, go to Manage > Access (IAM) > API keys.
- Click Create an IBM Cloud API key.
- Enter a name and description for your API key.
- Click Create.
- Click Show to display the API key, Copy to copy it, or Download to save it to a file. The key is shown only at creation time and cannot be retrieved later, so save it now.
Generate an SSH key pair
This key pair is used to log in to all virtual server instances that the deployment creates.
You can skip this step if you already have an SSH key pair that meets the following requirements:
- The key is of RSA format.
- The private key has no passphrase (it must not be password encrypted).
- The SSH public key is not yet registered in the target deployment region.
Paste the content of the id_rsa.pub key and the id_rsa key directly into the input variables ssh_public_key and ssh_private_key respectively. Because the unencrypted private key is stored as a deployment input, use a key pair that is dedicated to this deployment rather than a personal key that you use elsewhere.
If you do not have a suitable key pair, generate one as described below.
The SSH key pair can be generated by using any method. When generating a key pair, make sure that:
- the passphrase is empty (the key must not be password encrypted)
- the key format is RSA.
Linux OS
On the command line, type the command ssh-keygen. It places the id_rsa (private key) and id_rsa.pub (public key) files under /root/.ssh/ when run as root, or under ~/.ssh/ for any other user.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:TUdZn9O6tnwK2lc4m917Cs1KvbyXs2n46yrlE2I1t/I root@ans-jump-box-001
The key's randomart image is:
+---[RSA 3072]----+
| .o. |
| .. .o|
| . . oo|
| o . o o.|
| S . . +..|
| o Boo.|
| . B @*o|
| = @+EB|
| . +o#&*|
+----[SHA256]-----+
Windows OS
You can install the MobaXterm application and start a local terminal. On the command line, type the command ssh-keygen. It places the id_rsa and id_rsa.pub files under /home/mobaxterm/.ssh/.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mobaxterm/.ssh/id_rsa
Your public key has been saved in /home/mobaxterm/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:TUdZn9O6tnwK2lc4m917Cs1KvbyXs2n46yrlE2I1t/I
The key's randomart image is:
+---[RSA 3072]----+
| .o. |
| .. .o|
| . . oo|
| o . o o.|
| S . . +..|
| o Boo.|
| . B @*o|
| = @+EB|
| . +o#&*|
+----[SHA256]-----+
These public and private key values can now be used in the input variables of the deployable architecture.
Paste the content of the id_rsa.pub key and the id_rsa key directly into the input variables ssh_public_key and ssh_private_key respectively.
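The checks below are an added example, not code from this page or from the deployable architecture. They verify a key pair against the requirements above before it is pasted into ssh_public_key and ssh_private_key: the key must be RSA, the private key must carry no passphrase, and the two halves must belong to the same pair. The script parses the OpenSSH private-key container that ssh-keygen writes by default (and recognises the legacy PEM form) in pure Python, and computes the same SHA256 fingerprint that ssh-keygen -lf prints. The sample keys it builds are constructed fixtures with placeholder contents, not real keys.

```python
"""Pre-flight checks for the ssh_public_key / ssh_private_key inputs (added example)."""
import base64
import hashlib
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix) at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _pem_body(text: str, label: str) -> bytes:
    """Decode the base64 between the BEGIN/END lines for label."""
    lines = text.strip().splitlines()
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError(f"not a {label} block")
    return base64.b64decode("".join(lines[1:-1]))


def fingerprint(pub_blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen shows it: unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(pub_blob).digest()).decode().rstrip("=")


def inspect_public_key(pub_line: str) -> dict:
    """Parse an id_rsa.pub line of the form '<type> <base64 blob> [comment]'."""
    parts = pub_line.split()
    blob = base64.b64decode(parts[1])
    key_type, _ = _read_string(blob, 0)  # first field of the blob names the algorithm
    if key_type.decode() != parts[0]:
        raise ValueError("key type prefix does not match the key blob")
    return {"type": key_type.decode(), "fingerprint": fingerprint(blob)}


def inspect_private_key(key_text: str) -> dict:
    """Report type, passphrase status and fingerprint of a private key file."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:  # default ssh-keygen output
        blob = _pem_body(key_text, "OPENSSH PRIVATE KEY")
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad OpenSSH private key magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)   # b"none" without passphrase, e.g. b"aes256-ctr" with one
        kdf, off = _read_string(blob, off)      # b"none" or b"bcrypt"
        _kdf_opts, off = _read_string(blob, off)
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if nkeys != 1:
            raise ValueError("expected exactly one key in the container")
        pub_blob, _ = _read_string(blob, off)   # identical to the blob in the .pub line
        key_type, _ = _read_string(pub_blob, 0)
        return {"type": key_type.decode(),
                "encrypted": cipher != b"none" or kdf != b"none",
                "fingerprint": fingerprint(pub_blob)}
    if "BEGIN RSA PRIVATE KEY" in key_text:  # legacy PEM (ssh-keygen -m PEM); no public blob inside
        return {"type": "ssh-rsa", "encrypted": "Proc-Type: 4,ENCRYPTED" in key_text, "fingerprint": None}
    raise ValueError("unrecognised private key format")


def check_key_pair(pub_line: str, priv_text: str) -> list:
    """Return the rule violations for a pair; an empty list means the pair is acceptable."""
    pub, priv = inspect_public_key(pub_line), inspect_private_key(priv_text)
    problems = []
    if pub["type"] != "ssh-rsa":
        problems.append(f"public key is {pub['type']}, must be ssh-rsa")
    if priv["type"] != "ssh-rsa":
        problems.append(f"private key is {priv['type']}, must be ssh-rsa")
    if priv["encrypted"]:
        problems.append("private key has a passphrase; the deployment needs an unencrypted key")
    if priv["fingerprint"] is not None and priv["fingerprint"] != pub["fingerprint"]:
        problems.append("public and private keys do not belong to the same pair")
    return problems


# Constructed fixtures (placeholder contents, NOT usable keys) that parse like real files.
def make_pub_blob(key_type: bytes, *fields: bytes) -> bytes:
    return _pack_string(key_type) + b"".join(_pack_string(f) for f in fields)


def make_openssh_container(pub_blob: bytes, cipher: bytes = b"none", kdf: bytes = b"none") -> str:
    """Wrap pub_blob in a syntactically valid OpenSSH container with a dummy private section."""
    body = (OPENSSH_MAGIC + _pack_string(cipher) + _pack_string(kdf) + _pack_string(b"")
            + struct.pack(">I", 1) + _pack_string(pub_blob) + _pack_string(b"\x00" * 16))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


RSA_BLOB = make_pub_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc1\x23\x45\x67")  # toy e and n
ED_BLOB = make_pub_blob(b"ssh-ed25519", b"\x11" * 32)
RSA_PUB_LINE = "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " deploy@example"
ED_PUB_LINE = "ssh-ed25519 " + base64.b64encode(ED_BLOB).decode() + " deploy@example"

if __name__ == "__main__":
    cases = [("rsa, no passphrase", RSA_PUB_LINE, make_openssh_container(RSA_BLOB)),
             ("rsa with passphrase", RSA_PUB_LINE, make_openssh_container(RSA_BLOB, b"aes256-ctr", b"bcrypt")),
             ("ed25519 pair", ED_PUB_LINE, make_openssh_container(ED_BLOB)),
             ("mismatched halves", RSA_PUB_LINE, make_openssh_container(ED_BLOB))]
    for label, pub, priv in cases:
        print(f"{label}: {check_key_pair(pub, priv) or 'OK'} {inspect_public_key(pub)['fingerprint']}")
```

To run it on real files, pass the contents of id_rsa.pub and id_rsa to check_key_pair. The fingerprint it returns is the value to compare against the SSH keys already registered in the target region (for example the fingerprint column of ibmcloud is keys) to confirm the third requirement, that the public key is not yet in use there.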
Reusing an existing Secrets Manager instance (optional)
The deployable architecture can optionally create a client-to-site VPN server. If enabled, the prerequisite for creating the VPN server is a server certificate, which can only be read from a Secrets Manager instance.
The automation provides flexibility in:
- Automatically generating a new VPN server certificate, creating a new Secrets Manager instance, and storing the certificate in it.
- Allowing you to pass the details of an existing Secrets Manager instance in the optional parameters, which overrides the default behaviour of creating a new Secrets Manager instance.
The Terraform module creates a Secrets Manager instance if you do not already have one. To reuse an existing Secrets Manager instance, you need the following information:
- The region of your Secrets Manager instance, which you can copy from the IBM Cloud console.
- The GUID of the instance. You can locate the Secrets Manager GUID from the resource list in the IBM Cloud console, as shown in the following screenshot:
  - Enter secret in the product filter. A list of Secrets Manager instances is displayed.
  - Click the row of the Secrets Manager instance that you want to use to display its details in the sidebar.
  - Copy the GUID.
Example view of the resource list with Secrets Manager in IBM Cloud console
Quickstart OpenShift cost estimation (only required for Quickstart OpenShift Variation)
Due to technical limitations, the cost estimate Projects gives does not include the PowerVS resources deployed. The cost estimate given on the catalog page is accurate for a deployment using default values. This only applies to the Quickstart OpenShift variation.
OpenShift Cluster Base Domain considerations (only required for Quickstart OpenShift Variation)
The cluster domain is only resolved internally by the included IBM Cloud DNS Services. Public deployments with customer-provided domains are currently not supported. Therefore, the supported domains are restricted to .test, .example, and .invalid. Make sure that the value used for cluster_base_domain ends with one of those values.
Obtain an OpenShift Pull Secret (only required for Quickstart OpenShift Variation)
To deploy the Quickstart OpenShift variation of Power Virtual Server with VPC landing zone you need a Red Hat account so that you can obtain an installation pull secret from Red Hat. Once you have a Red Hat account, go to OpenShift Cluster Manager to download your pull secret. The pull secret contains registry credentials tied to your account, so handle it as a secret and do not commit it to source control.
Access the OpenShift Installation Logs (only required for Quickstart OpenShift Variation)
The OpenShift installation logs are written during the execution of the IPI installer. You can read them to follow along during your deployment or share them with support when you encounter an issue.
The logs are located on the network services instance and can only be accessed once the landing zone part of the deployment is complete and the OpenShift deployment part has started. Additionally, SSH access to the network services instance is required. Follow Client to Site VPN or Floating IP on the Jump Host to learn how to access the network services instance.
The logs are located on the network services instance at /root/ocp-powervs-deploy/.openshift_install.log.
Additional background information
- Power Virtual Server service documentation
- Deployable architecture code
- Main dependencies:
- Terraform IBM Module - VPC Landing Zone
- Terraform IBM Module - Power Virtual Server Workspace
- Terraform IBM Module - Power Virtual Server Instance
- Terraform IBM Module - Client to site VPN
- Terraform IBM Module - Secret Manager
- Terraform IBM Module - Secrets Manager Group
- Terraform IBM Module - Private Secret Engine
- Terraform IBM Module - Secrets Manager Private Certificate
- IBM Power Linux SAP ansible galaxy role
- Optional features:
- Red Hat OpenShift IPI installer: