Good morning, everyone, and welcome again to another OpenShift Commons briefing. Today, we're really pleased to have with us from Microsoft Harold Wong, who is one of the lead cloud architects working with Red Hat on making OpenShift work wonderfully on Azure, and he's going to be regaling us with stories of how to do that and talk through using what they call Quick Start templates. Without any further ado, I'm going to let Harold introduce himself and his topic. If you have questions, ask them in the chat. We're going to let him run through most of his presentation, hopefully without interruption, and then we'll open it up for Q&A afterwards. So go for it, Harold. Thank you. Yes. So real quick, are you able to see my slide as I present it right now? I can see the one that says OpenShift on Azure. Okay. Perfect. So yes, my name is Harold Wong and I am with Microsoft. I am what's called a Cloud Architect or sometimes my title could also be Technical Evangelist. Ultimately, what I do is I work with partners to make sure that their products or to help them get their products working in Microsoft Azure correctly or to put things into the marketplace. Red Hat is one of my big partners that I cover. So there's a lot going on and I've spent a lot of time working on OpenShift over the last year, making sure it runs correctly and installs correctly and in as automated a fashion as possible in Azure. So is that a good enough intro, Diane? That's perfect. That's a great way to start. Okay. So then I guess it'll just make sense for me to keep on going. I have a few slides so that I can talk through a few things first, and then I will spend the majority of the time demoing and walking through what it actually takes to install OpenShift on Azure. So if you look at OpenShift, OpenShift has a lot of infrastructure components that are required, right? 
You need a VM, you need networking components, and so I just wanted to put simply upon a slide, what are some of the core Azure components that will need to be deployed? So you're going to need to deploy your VMs so that you can deploy your master nodes and your infrastructure nodes and your application nodes and so forth. So that might be three, it might be 30, it might be 100 VMs, all depending on the size of the cluster you want to deploy. With those VMs, you're going to need to deploy network interface cards and so forth as well. From a networking perspective, you'll need a virtual network, I know I'm going out of order, and on that virtual network, it's essentially a private virtual network in Azure where you create subnets and then you put the VMs on those subnets. Within that, for access from the Internet and whatnot, you'll probably need load balancers. So we do have Azure load balancers, and with these load balancers, you will create a probe that will check for the health of a connection, then you'll create load balancing rules using those probes. So if I've got one public IP associated with a load balancer that's going to load balance three master nodes behind it, I would create a load balancing rule for the console access, port 8443, if I'm going to do Cockpit, port 9090, and whatever else you might need. You can create NAT rules so that you can allow incoming traffic such as SSH. If you want to expose SSH directly to the master nodes, then you would create a NAT rule that says, I want port 2200 to point to port 22 on master node 1 and so forth. You will also need network security groups, which allow you to lock down traffic and say, I only allow certain types of traffic to this set of VMs or this particular subnet. So network security groups allow you to control what type of network traffic is allowed in as well as out from your VMs. 
Public IP is just an entity that allows you to specify whether you want public IP access to a given VM or to a load balancer or whatnot. So you don't have to assign public IPs to every individual VM, you probably don't want to do it, and I'll show you, I don't actually do that. We only do it to the load balancer so that you have access to the load balancers for master access or access to the router, which is sitting on the infrastructure node. And then you do need storage. So all of these VMs have OS disks and data disks that are associated with them, and you need to have storage accounts to store all those disks in. I also use Azure storage for the, sorry, for the Docker registry that we deploy, the private registry, I do use Azure storage. So I provision Azure storage for that as well, and then we link it so that you have persistent storage for your registry. All right, so these are just some core components. So I wanted to make sure you understood you still need all of that infrastructure stuff. Whether you deploy it manually or automatically, it needs to be deployed. And then this is just a quick diagram showing you what I generally deploy using my templates for Azure, right? I've got a master subnet where I throw in my master nodes, I throw in my infrastructure nodes. I also have one VM that acts as the internal load balancer running HAProxy for internal communication with the master nodes. And then I have application nodes that deploy to a node subnet. And you can see I've got two load balancers that I deploy, the ports that are exposed. There's a public IP in front of each one of those. And then the NAT rules or the ports that are open so that you can gain access as appropriate. And then in terms of installing OpenShift, I don't think I need to explain how to install OpenShift. I just put this down so that I can make it clear that installing OpenShift in Azure is really no different than installing OpenShift in your on-prem data center, in AWS, in Google Cloud. 
It doesn't really matter, right? If you can set up infrastructure somewhere, you can install OpenShift in the exact same manner. So you would install your RHEL instance, you'd install all the necessary tools, create your config files, and then you run the OpenShift Ansible playbook. And however long it takes for that to run, 10 minutes, 30 minutes, 40 minutes, depending on how many cluster nodes you deploy, it probably takes a little bit longer, then you have your OpenShift cluster up and running. All right, so in the Azure world, you could do things manually, right? I can go in and from the GUI or from the command line, I can go deploy a VM or deploy 30 VMs. And then I can set up all the networking manually. I can set up everything manually, right? And then go run the install of OpenShift. Or you can create what's called ARM templates, where you define the stuff that you want to deploy. You create all the necessary scripts. And in the ARM templates, you say, go run these scripts, and then you answer a few questions and you tell Azure, take this script file or this ARM template file and the parameter answer file that I created and go do your thing. And I walk away and I come back later and it's all done. And that's fully automated. There's a few pre-steps I have to do, but for the most part, it's an automated install. And so what I actually want to do in the rest of this time is walk through beginning to end what it would take to use an existing ARM template. I'm not asking you to go create one. I'm not gonna show you how to create one, but I will show you the templates that I've created, the scripts that are used. And if you want to deploy OpenShift Origin, the very first link will take you to a, what's called the Azure QuickStart template that deploys OpenShift. I am gonna say right now that is not 100% working and it's only deploying Origin 1.3. I have not updated that one. That's on my to-do list. 
I've been spending more of my time getting OpenShift Container Platform working correctly and fully functional and whatnot. So that is in my own repo and that's the one I'm gonna pretty much walk through. So let me go ahead and break out of the slides. Let me bring up my browser here. And in this very first one, if you, hopefully you can see my screen. All right, give me a second. You're still looking at your slides, so. Oh really? There we go. Okay, I guess it's just a little bit delayed, but hopefully everybody can see my Chrome. And this one is the Azure QuickStart template. You can see something was updated only 14 days ago because I had to correct an error in a script. This one takes a little bit longer because I don't control this repo and every time I make a change to it, I have to go fight somebody internally to say, please merge my change in. So either way, this one I'm hoping to have fully updated in the next week, week and a half to be deploying OpenShift Origin 1.4 with all the core components that I deploy using Container Platform. So I'll switch over to this one and you can see I've got almost the same concept. There's a README. And if you do go look at this, please do take the time to read the instructions fully. And what I'm gonna do right now is walk through what you need to do from the pre-work and then what you need to do from the answer file and how to deploy that, and I'll actually start a deployment going. But the key thing is there is this file called azuredeploy.json and there is an azuredeploy.parameters.json which is the parameter or the input file for the azuredeploy.json. So I've got Notepad++ on my machine and let me just open up the azuredeploy.json file so I can show you. It's quite a lengthy file based on all the stuff that I deploy but I wanna at least walk through some quick basics on this first. In here you'll see there's a parameter section where I define all the parameters that I accept, including VM size. 
I can even say which ones are the allowed sizes, define this size, admin username. So I ask for a bunch of different inputs and then I define a bunch of variables that I end up using, things that I don't need input for but I build, there are things that are needed like the name of the host. So I create a bastion host, there's a master host, nodes, the infra host, the load balancer host, and so I create names based on some of the parameter inputs that I've asked for. So I define a bunch of different variables that I end up using. Let me scroll down over here, and then the key thing is I define all the resources that are going to be created. Here you can see there's a network security group that's created, and based on the name this is for the bastion host where I allow only port 22 to connect to it so that I can SSH into it and do troubleshooting and make sure that the install worked correctly. I create an NSG for the load balancer host and there's an NSG for the master hosts, the infra host and so forth. So I define all of the different resources. Don't worry about understanding all the resources right now, just know that I define them. There's documentation that you can read to really understand what all of these resources are, but so I create a virtual network, I create all the different storage accounts, I create a public IP address, whether it's static or dynamic, and I create two, that, three: two that are static, one that's dynamic. I create these availability sets, and then one of the things I wanted to show, when I create my virtual machine, I know it's very convoluted and complex looking, but it doesn't matter what order I create or I define my resources in. Azure will try to deploy them all in parallel unless you tell it, hey, this resource depends on this resource existing first. 
So when you create a virtual machine, before the virtual machine can be created you do need to have the NIC created that's gonna be associated with that VM and the storage account so that the OS disks and whatnot can be created. So I define all the resources in any way, shape or order I want and I just define the dependency so that if this resource depends on two other or three other resources it waits for those resources to be completed before it moves on. And so deploying all the infrastructure resources is straightforward once you understand how to use this template, and once again I'm not asking you to create it, I've created this one for you so that you can just use it. And then after the infrastructure is stood up I run scripts, so I literally have a couple of scripts, and let me go ahead and open up the script file here so that you can just see an example, my deploy OpenShift. So I have a script that essentially sets all the necessary files I need, it creates the different YAML files I'm gonna use for the different playbooks I'm gonna run, it creates my hosts file as I need, and I know this is a little hard to read but you can see there are different pieces that are being done, but this is just your regular hosts file that you would create for installing OpenShift. You may not use all of the same parameters I use here but I do build this so that then the Ansible playbook knows what to do. All right, so enough of that, jump back over to the parameters file. So this one here is just a parameters file that explains or kinda has, here's where you fill in all the inputs, right? The VM, the master VM size or the node VM size and the instance count, and I put things in that say like change me, right? These are the things you need to change or set the different values for. So what I did in my little demo one is I pre-filled a bunch of stuff in, right? 
Like my, the VM size I wanna use, the public DNS name I wanna use, and by the way, these need to be unique, so be very careful what you put in there in terms of the DNS names that get published in DNS. This one, since it's Container Platform, I am asking for the cloud access username and password and a pool ID so that I can authenticate to your Red Hat subscription and then subscribe or register all of the instances and attach to the pool that has OpenShift and do all the install, right? We put in the public key, I'll explain this resource group thing for Key Vault. Actually I'll explain it now, that's so that we can pass in the private key in a secure manner, and then if you have a xip.io or if you're gonna use a custom domain, like for me, I might use apps.weocd.net and I'd put that in over here and then this one would be changed to custom, right? So let me go over to my shell. If you look at my, does that, if you look at the repo and read through the README, the README does say you do need to generate your SSH key pair. So let me just go do that real quick, right? I'm gonna walk through this. So in my directory here, I've got all these little JSON files that I'm gonna use. So I'll do the ssh-keygen. I'll just do id_rsa. Very important thing is you cannot use a passphrase. So it will be insecure, but after the deployment, you can go back and replace the key pairs with a more secure one. So I'll just do this. You can see I've got my id_rsa, my id_rsa.pub. So those are my keys. And if I keep reading through, it says, hey, here's how you would go ahead and create the Key Vault, right? And I provide PowerShell steps as well as Azure CLI steps. So you do need to install the Azure CLI. If you haven't already done that, I'll give you a link to do that. But let me go ahead and do the Azure login. That does require me to go to aka.ms/devicelogin. I need to put in this code because of the dual factor authentication mechanism. 
And then I authenticate here, go back to this piece, and hopefully it will authenticate shortly. And there we go. So now I'm authenticated into my Azure subscription from the CLI. And I am just gonna go ahead and follow these steps, essentially, that say here's how you create the Key Vault to store the key. It's not that difficult. It does require some typing. So I'm gonna do Azure group create. And if you really wanna learn more, you can look up documentation on the Azure CLI commands, but these are the basic ones for creating a resource group. So I'm gonna do Azure group create. Let's see, RG demo, West US. And you know what? Let me just make sure I don't already have that. You need to make sure because sometimes I run through the demos and I use the same thing. So I'll create it in the West US data center. Enter here. Guess I should go back to this so you can see the commands I'm typing. The next one is Azure Key Vault create dash U. Let's see, I'll call mine demo Key Vault, dash G for the demo group or the resource group, which was RG demo, and dash L for location. And I'll do US West. Uh-oh, that's not good. Oh, it is already in use. So let's, that works, demo Key Vault one, because that also has to be unique. So we'll create a, that's already in use too. Okay, HW demo Key Vault one, how's that? See if that works. Otherwise it's gonna be Diane's Key Vault number one. There we go. So we have HW demo Key Vault one. Live demo, right? This is all live. So let's see, Azure Key Vault, I need to create the secret now. So I'll set the thing based on the HW demo Key Vault one. The secret name, I'll call it Key One. And then I use a file. So in this case, it'll be dot id_rsa. So I'm gonna read in the private key and inject it into that secret. And now I need to do Azure Key Vault set policy. I need to allow this Key Vault to be used for template deployments. So I'm gonna do set policy dash U HW demo Key Vault one and then enabled for template deployment true. 
And I'll just show you the actual key. So let's do an Azure Key Vault secret show. HW demo Key Vault one, Key One. And you can see this is the actual key or the secret, and that's essentially my private key, right? And actually if we go in now and refresh my browser, you can see my RG demo here. And in there, I've got my HW demo Key Vault one. And in this Key Vault, I've got a secret called Key One. And if I actually click on it, we can even show the secret in the GUI, right? So you can see that it is holding my private key appropriately. So that's the very first step. So the next step is, and I'm not gonna do this, I already have one that's created, but we would go in and edit the azuredeploy.parameters file with all the appropriate things like my SSH public key. I would put in my, you know, this thing would be what, HW demo Key Vault and so forth, right? So I'm not gonna do that here. Instead, I will just go ahead and go back to my shell. It's clear. And I'm gonna go ahead and initiate a new deployment and deploy that entire infrastructure, right? So I'm gonna do Azure group create. Let's create a new group. I like to put zeros in front so it comes up to the top. What should I call it? Diane, give me a name so that I can name this resource group. OpenShift two, OpenShift one, something very bland. OpenShift one, very bland. And I'll do this in West US. Okay, so now that I've created the resource group, I'm gonna do my deployment. So I'm gonna do an Azure group deployment create. Name for the deployment, I'll call it OpenShift 3.4. 3.4, resource group is equal to, I don't mistype it. Template file is azuredeploy.json and then the answer file is azuredeploy.parameters.hw.json. I created that one. I'm not gonna show it because it has my passwords and I am not gonna show that. And then I'll do a no-wait so that the command prompt comes back immediately. If I typed everything properly, you can see, hey, now it started or it created a deployment. 
And if I go back to my GUI, it's just easier to show on a demo like this. You can see the resource group, the five zeros dash OpenShift one. I come over here, you can see that resources are now starting to be deployed, right? All of these network security groups, there's a public IP over here, this thing called availability sets, my virtual network. If I sit here and refresh, you'll see a bunch of other things slowly pop up. If I looked here, you'll see it says deployments and there's one thing deploying right now. If I click over to here, you'll see the deployment name, I called it OpenShift 3.4. And if I click on it, you'll see the status of everything. And over here, you'll see that there are inputs. So these are all the inputs that I put in, anything that is a security thing like a password, I don't display, right? So that's hidden. And then you can see the status of what's going on. Anything green means those are already completed. So you can see these are storage accounts that were created successfully. It's now creating the VMs. So if I refresh, hopefully, and this will take a little bit of time. So I'm not gonna sit here during the whole course of this and wait for it to complete. Instead, you know how it goes with demos. I've got something in the oven. So last night, I deployed to a resource group called OCP34-G. And you can see similar things. There's a Bastion node, public IP, there's a bunch of network security groups. I've got my deployments and it says succeeded. You can see this one has. This is the one I was showing you in the other one where I called it OpenShift34, same concept. You'll see all the input parameters that were supplied. You'll see all the things here are green. But one thing after it completes that you'll see here, and when the one I just started completes, I'll have it there as well, is I output some key things so that you know how to connect to this instance. 
So the console URL is this HW master DNSG000.WestUS and so forth, right, port 8443 console. So if I copy that and let's go log in. HW admin and password. By default or as part of the script, I do automatically make this first user a cluster admin. So I see all of the key projects. I can go into default, why I can't get the metrics right now. But you can see that I've got the registry deployed. There's the router deployed. And if I come in and look at the Docker registry and look at the environment variables, what I did as part of the automated deployment is I automatically use Azure storage. So you can see I set the environment variable for registry storage to be Azure. And then there's an account name and an account key so that we can access it. And then I created a folder called registry in there. So if I actually go show this to you real quick in this, I need to find the storage group, this one here. And if you're not familiar with the Azure portal, I know I might be walking a little bit fast, but this is not the time to actually go and give you a full tutorial of the portal. But either way, you can maneuver around in here as well as from the command line. It's just easier to show in a demo, a nice little GUI. So you can see that this storage account had a registry container or folder created. And in there, there's nothing right now. So let me just go ahead and do a quick deployment. I'll just create a new project. We'll call it OpenShift Commons. We'll deploy a quick CakePHP plus MySQL example. And this will take just a few minutes to complete, I hope. And what I wanted to show is once it starts going is we should be able to see the fact that the registry actually is being used over here. So we'll let that run. I'll come back. Let me just open another portal here real quick so I can bounce back and forth between the two screens. Let's just check on the status of this deployment, see how it's doing. All right, so you can see that my VMs were created. 
It's actually now deploying or running scripts to prep all the nodes and so forth. So things are coming along good. Why don't I take some time right now while we wait for this quick CakePHP MySQL example to deploy and answer some questions. So there haven't been any questions. So people, if you're in the participants list here, if you'd like to ask questions, just chat, throw it into the chat or I'll unmute you and you can ask directly. You said something interesting to me. Can you do most of this deployment process through the Azure UI as opposed to at the CLI level? Oh yeah, absolutely. So in fact, let me show you in my little GitHub repo, after you read through the instructions, there's this thing that says deploy to Azure. If I click on that, it'll literally take me to my Azure portal, take the contents of that template file and inject it into what's called a template deployment. And now from the GUI, I put in the same, I enter the name of the resource group I wanna create. And the nice thing here is anything where I put like a list of things that you can select from, you just literally select from the list. So here I would do HW master DNS, HW infra DNS, something. For the master count, I can choose one or three. For the node instance count, I can choose one through 30. So I'll do 15, right? For the disk size, I give you three options. I'll choose the 128, there it is. So I can definitely just answer these questions here and hit deploy. So over here, I would say I agree and then hit purchase. It doesn't pop up for the credit card number, no. No, so this one, we assume that you already have an Azure subscription and you're being billed somehow. Yeah, at this point, I think you've got, you've got my information by now. That's interesting. So this is all running off the set of scripts, the JSON file that's in your GitHub repo right now. Correct. Oh. And there are pointers that go back to it. So if I'm looking at my GitHub, just bring this back up. 
In this azuredeploy.json file, which if I come over here, you'll see there's this artifacts location. It points to my GitHub repo under master, which is essentially here. So whenever a script runs, it literally pulls it from this scripts directory. Now that seems, not that we don't love seeing your name on everything, that seems a little temporary that it's sitting in your directory there. Is there any plan on making these move into a semi-official? Yes, there are. So I do have plans to put this into the Azure QuickStart. So remember where I was showing you the one for, for the Origin one. So that's in aka. This one is quote unquote the official stuff, right? The ones that Microsoft, somebody at Microsoft has officially blessed and said it does work, not that we necessarily support it, but it does work. And so this one, I do plan to put my OpenShift Container Platform templates into the QuickStart templates as well as updating the OpenShift Origin one that I created. This is the one I created as well. It's just that in order, so with all the changes I've been making on my Container Platform one, it's very hard to get pull requests approved in a timely fashion by this group. Sounds familiar, really. Yeah, it does. I've never heard of that before. So the way I do things with that Key Vault, which is a requirement that the QuickStart template team put on me anyways, to put anything into the QuickStart template, I need to use this Key Vault. And because of the Key Vault usage, the automated testing fails every single time because it can't generate that Key Vault automatically for the test. So it will fail. And then I have to go ping the person that approves it, explain every single time why it's gonna fail no matter what I do, and they should just approve the merge. And that usually takes a month. And so that's why right now, all of this stuff I'm doing in my repo. And so I'm not the only, I mean, there is a gentleman from Red Hat, right? 
Mingus has been contributing as well. So it's not just me. No, I know there's some people on the OpenShift Online team that are taking the product through. Yeah, and I'm hoping Thomas, Thomas Weiss said he was gonna take a look and hopefully make some recommendations as well and do some PRs. And I pronounced Magnus's name incorrectly, so I apologize. That's funny. So let's see if you've finished spinning up OpenShift. Well, this, oh, it failed. So I must have done something wrong. Oh, you know what I did? My DNS name, I forgot to change it, so it was already in use. But it would not complete just because this normally takes, if I'm, especially with 15 agent nodes, it'll probably take about 35 to 45 minutes to complete. So it doesn't happen in 10 minutes. There is a bug right now in the playbook when we install the metrics where it goes through multiple retries before it completes or is successful. So that just adds more time to the deployment. So is that in the Ansible playbook that the issue is? Yes, and that tidbit of information is from Magnus. He even updated the... It's in the script. He put that in. What's the... Yeah, he did put into the script file that there is a bug that causes it to retry. Where does he specify that? Right here. He does say it may deploy and retry 59 times before it completes on the 60th. So that just adds time because there's a wait period between each retry. Okay. Good to know. Yeah, so let's at least go see if my registry... Oh, there... So remember I deployed that CakePHP MySQL app? You can see in the Azure storage account there is the CakePHP MySQL example. I just wanted to show that the layers are pulled in and it is stored in the storage account. So if I come back over here, I should be able to pull up that application. Oh, awesome. You're now officially an OpenShift evangelist. No, this is... 
It's a little more complicated than I thought it was going to be, but I think once you get the scripts, the JSON stuff figured out and you're used to working with that, it's not... It should be pretty smooth, so pretty cool stuff. Yeah, so if you have any questions, feel free to reach out to me. My email address is harold.wong@microsoft.com. And if you have any feedback you would like to include into this particular repo before it gets into the QuickStart templates, please let me know as well because I can make those changes way easier now versus in a month. So what we'll probably do is I'll post this on our OpenShift blog and we'll see what we get for feedback on it. That really is, as Steve is saying, very nice to see this running on Azure. And thank you very much for all the work that you've obviously done making it work so smoothly. So we'll hopefully get a few more folks going on this. I know we have one group of folks down in Brazil, the Getup Cloud folks, who are running on Azure quite happily and hosting a public PaaS there. So we know this is one of the more viable options for running this OpenShift at scale. So hopefully we'll get some more feedback and a few more people working on this with you, and we'll get some more feedback at the Azure, at the OpenShift Commons gathering in Berlin in a couple of weeks too as well. So thank you very much for doing this. Oh, you're very welcome. Yeah, we're getting a lot of customer interest, even on the Microsoft customer side, wanting to deploy OpenShift in Azure. So I've been pinged by a lot of people to make sure my template works correctly. Thanks. Well, now they know who you are, Harold. So watch out, you'll get a lot of feedback pretty fast. So thank you again for taking the time to do this and this video should be posted. If you can send me a couple of links from the different repos, that would be great and we'll get it all up there and get you some more feedback. 
And hopefully if you're commenting and giving you some issues as well. Perfect, thank you so much.