You must specify NCP parameters in the Ansible hosts file for NCP to be integrated with OpenShift.

After you specify the following parameters in the Ansible hosts file, installing OpenShift will install NCP automatically.

  • openshift_use_nsx=True
  • openshift_use_openshift_sdn=False
  • os_sdn_network_plugin_name='cni'
  • nsx_openshift_cluster_name='ocp-cluster1'

    (Required) This is required because multiple OpenShift/Kubernetes clusters can connect to the same NSX Manager.

  • nsx_api_managers=''

    (Required) IP address of NSX Manager. For an NSX Manager cluster, specify comma-separated IP addresses.

  • nsx_tier0_router='MyT0Router'

    (Required) Name or UUID of the tier-0 router that the project's tier-1 routers will connect to.

  • nsx_overlay_transport_zone='my_overlay_tz'

    (Required) Name or UUID of the overlay transport zone that will be used to create logical switches.

  • nsx_container_ip_block='ip_block_for_my_ocp_cluster'

    (Required) Name or UUID of an IP block configured on NSX-T. There will be a subnet per project out of this IP block. These networks will be behind SNAT and not routable.

  • nsx_ovs_uplink_port='ens224'

    (Required) Only in HOSTVM mode. NSX-T needs a second vNIC for POD networking on the OCP nodes, different from the management vNIC. It is highly recommended that both vNICs be connected to NSX-T logical switches. The second (non-management) vNIC must be supplied here. For bare metal, this parameter is not needed.

  • nsx_cni_url='http://myserver/nsx-cni.rpm'

    (Required) Temporary requirement until NCP can bootstrap the nodes. We need to place nsx-cni on an http server.

  • nsx_ovs_url='http://myserver/openvswitch.rpm'
  • nsx_kmod_ovs_url='http://myserver/kmod-openvswitch.rpm'

    (Required) Temporary parameters until NCP can bootstrap the nodes. Can be ignored in bare metal setup.

  • nsx_node_type='HOSTVM'

    (Optional) Defaults to HOSTVM. Set to BAREMETAL if OpenShift is not running in VMs.

  • nsx_k8s_api_ip=

    (Optional) If set, NCP will talk to this IP address, otherwise to Kubernetes service IP.

  • nsx_k8s_api_port=

    (Optional) Defaults to 443 for Kubernetes service. Set to 8443 if you use it in combination with nsx_k8s_api_ip to specify master node IP.

  • nsx_insecure_ssl=true

    (Optional) Defaults to true because NSX Manager comes with an untrusted certificate. If you have replaced the certificate with a trusted one, you can set it to false.

  • nsx_api_user='admin'
  • nsx_api_password='super_secret_password'
  • nsx_subnet_prefix=24

    (Optional) Defaults to 24. This is the subnet size that will be dedicated per OpenShift project. If the number of PODs exceeds the subnet size, a new logical switch with the same subnet size will be added to the project.

  • nsx_use_loadbalancer=true

    (Optional) Defaults to true. Set to false if you do not want to use NSX-T load balancers for OpenShift routes and services of type LoadBalancer.

  • nsx_lb_service_size='SMALL'

    (Optional) Defaults to SMALL. Depending on the NSX Edge size, MEDIUM or LARGE is also possible.

  • nsx_no_snat_ip_block='router_ip_block_for_my_ocp_cluster'

    (Optional) If the ncp/no_snat=true annotation is applied on a project or namespace, the subnet will be taken from this IP block and there will be no SNAT for it. It is expected to be routable.

  • nsx_external_ip_pool='external_pool_for_snat'

    (Required) IP pool for SNAT and load balancer if nsx_external_ip_pool_lb is not defined.

  • nsx_external_ip_pool_lb='my_ip_pool_for_lb'

    (Optional) Set this if you want a distinct IP pool for Router and SvcTypeLB.

  • nsx_top_fw_section='top_section'

    (Optional) Kubernetes network policy rules will be translated to NSX-T firewall rules and placed below this section.

  • nsx_bottom_fw_section='bottom_section'

    (Optional) Kubernetes network policy rules will be translated to NSX-T firewall rules and placed above this section.

  • nsx_api_cert='/path/to/cert/nsx.crt'
  • nsx_api_private_key='/path/to/key/nsx.key'

    (Optional) If set, nsx_api_user and nsx_api_password will be ignored. The certificate must be uploaded to NSX-T and a Principal Identity user authenticating with this certificate must be manually created.

  • nsx_lb_default_cert='/path/to/cert/nsx.crt'
  • nsx_lb_default_key='/path/to/key/nsx.key'

    (Optional) NSX-T load balancer requires a default certificate in order to be able to create SNIs for TLS based Routes. This certificate will be presented only if there is no Route configured. If not provided, a self-signed certificate will be generated.
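
The parameter rules above, as an added example (not VMware's or the page's own code): a pre-install check that parses the key=value lines of an Ansible hosts file, reports missing required parameters, and flags settings worth reviewing, namely certificate verification left off, RPMs fetched over plain HTTP, and an NSX password stored in the file. The finding labels and the sample inventory are constructed for this example.

```python
import re

# Parameters the list above marks "(Required)". The uplink port and the two OVS
# RPM URLs are only needed when nsx_node_type is HOSTVM (the default).
REQUIRED = ["nsx_openshift_cluster_name", "nsx_api_managers", "nsx_tier0_router",
            "nsx_overlay_transport_zone", "nsx_container_ip_block",
            "nsx_cni_url", "nsx_external_ip_pool"]
HOSTVM_ONLY = ["nsx_ovs_uplink_port", "nsx_ovs_url", "nsx_kmod_ovs_url"]

def parse_vars(text):
    """Collect key=value lines (comments, headers and host lines do not match)."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2).strip("'\"")
    return found

def audit(text):
    """Return (label, parameter) findings; the labels are this example's own."""
    v = parse_vars(text)
    need = list(REQUIRED)
    if v.get("nsx_node_type", "HOSTVM").upper() != "BAREMETAL":
        need += HOSTVM_ONLY
    findings = [("missing", k) for k in need if not v.get(k)]
    # The documented default is true, so an absent key also disables verification.
    if v.get("nsx_insecure_ssl", "true").lower() != "false":
        findings.append(("tls-verify-off", "nsx_insecure_ssl"))
    for key in ("nsx_cni_url", "nsx_ovs_url", "nsx_kmod_ovs_url"):
        if v.get(key, "").lower().startswith("http://"):
            findings.append(("cleartext-rpm-url", key))
    has_cert = bool(v.get("nsx_api_cert") and v.get("nsx_api_private_key"))
    if v.get("nsx_api_password"):
        # With a certificate set the password is ignored, so it is a stray secret.
        label = "unused-password" if has_cert else "plaintext-password"
        findings.append((label, "nsx_api_password"))
    return findings

# Constructed sample inventory (values are illustrative, 192.0.2.10 is a doc address).
SAMPLE = """\
nsx_openshift_cluster_name='ocp-cluster1'
nsx_api_managers='192.0.2.10'
nsx_tier0_router='MyT0Router'
nsx_overlay_transport_zone='my_overlay_tz'
nsx_container_ip_block='ip_block_for_my_ocp_cluster'
nsx_cni_url='http://myserver/nsx-cni.rpm'
nsx_node_type='BAREMETAL'
nsx_api_password='super_secret_password'
"""
```

Calling `audit(SAMPLE)` returns the findings as a list of tuples; an empty list means every check passed.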

Sample Ansible Hosts File



openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'yasen' : 'password'}


# NSX specific configuration



ocp-master.corp.local ansible_ssh_host= openshift_node_group_name='node-config-master'
ocp-node1.corp.local ansible_ssh_host= openshift_node_group_name='node-config-infra'
ocp-node2.corp.local ansible_ssh_host= openshift_node_group_name='node-config-infra'
ocp-node3.corp.local ansible_ssh_host= openshift_node_group_name='node-config-compute'
ocp-node4.corp.local ansible_ssh_host= openshift_node_group_name='node-config-compute'