One Touch Provisioning (OTP) is a powerful pattern that enables seamless end-to-end provisioning of Red Hat OpenShift clusters, their applications, governance, and policies across Public, Private, On-Premises, and Edge Cloud environments - all through code.
- About the Project
- Introduction to Concepts and Technologies
- Getting Started
- Usage
- Roadmap
- Contributing
- License
- Contact
- Acknowledgments
One Touch Provisioning (OTP) is our opinionated implementation of GitOps principles, leveraging cutting-edge tooling to enable seamless platform provisioning with a single command*. This powerful pattern provides:
- Complete cluster and virtual machine provisioning capabilities
- Comprehensive governance and policy management
- Advanced observability for clusters and workloads
- Automated application deployment, including IBM Cloud Paks
Built on the foundation of Red Hat Advanced Cluster Management (RHACM) and OpenShift GitOps (ArgoCD), OTP enables you to define your entire infrastructure as code. By storing OpenShift clusters, applications, governance, and policies in Git repositories, and leveraging RHACM through OpenShift GitOps, you can achieve truly automated end-to-end provisioning.
Key Benefits:
- Fully codified infrastructure
- Repeatable deployments
- Complete auditability
- Reduced operational overhead
Before diving into OTP, it's essential to understand the core concepts and technologies that power this pattern. This knowledge will help you make the most of OTP and understand the reasoning behind our design decisions.
- Red Hat Advanced Cluster Management Hub and Spoke Clusters Concepts
- Git Repositories Context
- Git Repository Organization Strategies
- Minimum OpenShift v4.10+ is required.
Deploy a "vanilla" Red Hat OpenShift cluster using one of these methods:
- Installer Provisioned Infrastructure
- User Provisioned Infrastructure
- Managed OpenShift Offerings
- OpenShift Assisted Installer
- Install the OpenShift
ocCLI (version 4.10+). You can download the binary from:- The Help menu in the OpenShift cluster console
- The OpenShift Mirror website
-
Install the Helm CLI using Homebrew:
brew install helm
-
If you plan to use the SealedSecrets Operator, install the kubeseal CLI:
brew install kubeseal
OTP uses a Polyrepo structure consisting of six specialized Git repositories within the GitOps workflow. Learn more about our repository organization choice here.
-
- Contains ArgoCD Applications for infrastructure, services, policies, clusters, and application layers
- Manages resources for both RHACM Hub and Spoke Clusters
-
Infrastructure GitOps Repository
- Common repository for cluster-wide and infrastructure resources
- Manages namespaces, clusterroles, clusterrolebindings, machinesets, etc.
- Ensures consistent resource deployment across environments
-
- Common repository for shared services
- Manages operator subscriptions, custom resources, and third-party Helm charts
- Typically managed by administrators and DevOps teams
-
- Common repository for governance and security policies
- Manages policies for both Hub and Spoke clusters
- Typically managed by GRC and Security teams
-
- Common repository for OpenShift cluster definitions
- Manages cluster deployment configurations
- Typically managed by Platform Administrators and Operations teams
-
- Common repository for application deployments
- Manages application resources for both Hub and Spoke clusters
- Ensures consistent application deployment across environments
-
Create a new GitHub Organization following the GitHub documentation.
-
Create and clone the repositories in your new GitHub Organization:
GIT_ORG=<new-git-organization> OUTPUT_DIR=<gitops-repos> ./scripts/create-repos.sh
-
(
Optional) For private Git repositories, follow our private repository setup guide. -
Update Git URL and branch references in your
otp-gitopsrepository:GIT_ORG=<GIT_ORG> GIT_BRANCH=master ./scripts/set-git-source.sh
To revert changes:
./scripts/unset-git-source.sh
If you plan to deploy IBM Cloud Pak for Watson AIOps Infrastructure Automation, follow our IBM Entitlement Key setup guide.
Red Hat OpenShift GitOps uses Argo CD for declarative cluster resource management.
-
Install the OpenShift GitOps Operator and create necessary RBAC:
oc apply -k setup/argocd-operator while ! oc wait crd applications.argoproj.io --timeout=-1s --for=condition=Established 2>/dev/null; do sleep 30; done while ! oc wait pod --timeout=-1s --for=condition=Ready -l '!job-name' -n openshift-gitops > /dev/null; do sleep 30; done
-
Create a custom ArgoCD instance with configurable health checks:
oc apply -k setup/argocd-instance while ! oc wait pod --timeout=-1s --for=condition=ContainersReady -l app.kubernetes.io/name=openshift-gitops-otp-server -n openshift-gitops > /dev/null; do sleep 30; done
-
(
Optional) For IBM Cloud ROKS as RHACM Hub Cluster, configure TLS:./scripts/patch-argocd-tls.sh
For AWS, Azure, GCP, vSphere, and Baremetal deployments, run:
./scripts/infra-mod.shThis script:
- Deploys additional nodes for OpenShift Data Foundation (ODF)
- Configures infrastructure nodes for RHACM, Quay, Ingress Controllers, etc.
- Optimizes OpenShift licensing by running components on infrastructure nodes
For IBM Cloud managed OpenShift clusters:
- Deploy OpenShift Data Foundation as an add-on
- Label worker nodes as infrastructure nodes:
node-role.kubernetes.io/infra: ''OTP works best with a secret store like Hashicorp Vault. If you have an existing Vault instance (e.g., IBM Secrets Manager), skip to the External Secrets Operator setup.
-
Enable local Vault deployment by uncommenting in
0-bootstrap\hub\2-services\kustomization.yaml:# Local Hashicorp Vault Instance - argocd/instances/hashicorp-vault.yaml
-
Create the API key secret:
oc create secret generic ibm-secret --from-literal=apiKey='<APIKEY>' -n kube-system -
Update ArgoCD application values in
0-bootstrap\hub\2-services\argocd\instances\external-secrets.yaml
The bootstrap process follows the app of apps pattern.
-
Access the ArgoCD UI:
oc get route -n openshift-gitops openshift-gitops-otp-server -o template --template='https://{{.spec.host}}' # Password not required if using OpenShift as auth provider oc extract secrets/openshift-gitops-otp-cluster --keys=admin.password -n openshift-gitops --to=-
-
Review and customize deployment resources:
0-bootstrap/hub/1-infra/kustomization.yaml 0-bootstrap/hub/2-services/kustomization.yaml 0-bootstrap/hub/3-policies/kustomization.yaml 0-bootstrap/hub/4-clusters/kustomization.yaml 0-bootstrap/hub/5-apps/kustomization.yaml
Note: Changes must be committed to Git before initial bootstrap.
-
Deploy the OpenShift GitOps Bootstrap Application:
oc apply -f 0-bootstrap/hub/bootstrap.yaml
-
Manage deployment order using ArgoCD Sync waves:
Update
0-bootstrap/hub/kustomization.yamlafter Infrastructure, Services, and Policies layers are deployed:resources: - 1-infra/1-infra.yaml - 2-services/2-services.yaml - 3-policies/3-policies.yaml ## Uncomment after above layers complete # - 4-clusters/4-clusters.yaml # - 5-apps/5-apps.yaml
Installation is complete when all ArgoCD Applications sync successfully.
Access the RHACM Hub console through the OpenShift console.
OTP treats Managed (Spoke) Clusters as OpenShift GitOps Applications, enabling:
- Cluster creation and destruction
- Cluster hibernation
- Managed cluster import into RHACM
-
ClusterPools and ClusterClaims
- Simplified lifecycle management for AWS, GCP, and Azure clusters
- Pre-configured cluster templates for consistent deployments
- Automated cluster provisioning through claims
-
ClusterDeployment
- Supports AWS, Azure, GCP, VMWare, On-Premise, Edge, and IBM Cloud
- Configure in
0-bootstrap/hub/4-clusters/kustomization.yaml:
resources: ## ClusterPools - argocd/clusterpools/cicd/aws/aws-cicd-pool/aws-cicd-pool.yaml ## ClusterClaims - argocd/clusterclaims/dev/aws/project-simple.yaml ## ClusterDeployments - argocd/clusters/prod/aws/aws-prod/aws-prod.yaml - argocd/clusters/prod/azure/azure-prod/azure-prod.yaml
- Cloud provider API keys managed through external keystore (Vault)
- External Secrets Operator for automated key management
- Deployment configurations in
Clustersrepository underclusters/deploy/external-secrets/<cloud provider>
OTP provides complete end-to-end deployment of:
- Clusters
- Policies
- Governance
- Applications
For detailed usage examples, see our Documentation
- OTP CLI Tool
- Ansible Automation Integration
- Libvirt Support
- VMWare Support
- HyperShift Integration
- HyperShift with OpenShift Virtualization for Worker Nodes
- IBM Cloud Satellite Integration
- IBM Managed OpenShift Platform Deployment
See our open issues for the complete feature roadmap and known issues.
We welcome contributions to make OTP even better! Your input helps build a stronger open-source community.
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Don't forget to star the project! ⭐
Distributed under the Apache 2.0 License. See LICENSE for more information.
Our Team:
- Ben Swinney | @bdgsts | LinkedIn | GitHub
- Cong Nguyen | LinkedIn | GitHub
- Nick Merrett | LinkedIn | GitHub
Project Link: https://github.com/one-touch-provisioning/otp-gitops
OTP stands on the shoulders of giants. We're grateful to these teams and individuals whose work made this pattern possible:
- Cloud Native Toolkit - GitOps Production Deployment Guide
- IBM Garage TSA
- Red Hat Communities of Practice
The reference architecture for this GitOps workflow can be found here.