Greenfield OCP Deployment
A source-of-truth guide for building a greenfield OpenShift platform with GitOps, automated VM provisioning, DNS, edge, registry, CI, observability, and operational documentation from day one.
135 pages · last reviewed 2026-05-23
Start here →Sections
installation manual134 pages
- 01 MinIO object storage
- 02 PDNS installation
- 03 HAProxy installation
- 04 GitLab installation
- 05 Vault installation
- 06 NetBox installation
- 07 Quay registry
- 08 oc-mirror
- 09 Nexus artifact repository
- 10 Bootstrap artifacts
- 11 Bootstrap VM and install inputs
- 12 Hub cluster installation
- 13 Hub GitOps bootstrap
- 14 Hub LVMS storage
- 15 Hub cert-manager
- 16 Hub External Secrets and Vault auth
- 17 Hub ACM and MCE
- 18 Hub RHACS
- 19 HTPasswd Admin Identity
- 20 Spoke Day-Zero Hardening
- 21 Spoke FIPS And Disk Inventory
- 22 Spoke ODF RAID0 Disk Prep
- 23 Spoke LSO ODF Install
- 24 Spoke ACM Import Pull GitOps
- 25 Spoke cert-manager, ESO, and Vault auth
- 26 Spoke RHACS secured cluster
- 27 Spoke compliance baseline
- 28 Spoke compliance findings triage
- 29 Spoke low-risk compliance config
- 30 Spoke logging and file integrity
- 31 Spoke manual attestation evidence pack
- 32 Spoke master banner MachineConfig hardening
- 33 Spoke logging drainability and GitHub source
- 34 Spoke worker banner MachineConfig hardening
- 35 Spoke ODF NooBaa drainability gate
- 36 Spoke NooBaa primary relocation
- 37 Spoke worker-2 live drain validation
- 38 Spoke worker coredump hardening preflight
- 39 Spoke worker coredump hardening rollout
- 40 Spoke worker coredump compliance evidence
- 41 Spoke worker disable users coredumps preflight
- 42 Spoke worker disable users coredumps rollout
- 43 Spoke worker disable users coredumps compliance evidence
- 44 Spoke worker coredump remaining controls comparison
- 45 Spoke worker sysctl kernel core pattern rollout
- 46 Spoke worker systemd-coredump service mask rollout
- 47 Spoke operator readiness and next selection
- 48 OADP backup preflight
- 49 OADP operator install
- 50 OADP DPA blocker
- 51 Vault replacement start
- 52 Vault replacement allocation
- 53 Vault R1 build
- 54 OADP Vault R1 DPA
- 55 OADP ad hoc backup
- 56 OADP schedules
- 57 OADP scheduled backup validation
- 58 OADP restore validation
- 59 Vault R1 ESO smoke
- 60 Vault R1 RHACS
- 61 Vault DNS readiness
- 62 Vault DNS promotion
- 63 Vault soak cleanup
- 64 Vault platform store cleanup
- 65 OADP post-cleanup scheduled backup validation
- 66 Old Vault retirement readiness
- 67 Old Vault stage 1 retirement cleanup
- 68 Old Vault stage 1 early backup validation
- 69 Old Vault VM power-off
- 70 Old Vault cold-retention soak
- 71 OADP post-Vault-poweroff backup validation
- 72 Old Vault final retention deletion
- 73 Old Vault stale DNS cleanup
- 74 Vault replacement phase closeout
- 75 Hub CIS API/config hardening
- 76 Hub audit log forwarding decision
- 77 Hub audit log forwarding implementation
- 78 Hub NetworkPolicy namespace classification
- 79 Hub NetworkPolicy remediation preflight
- 80 Hub low-risk NetworkPolicy apply
- 81 Hub operator ACM NetworkPolicy design
- 82 Hub lower-risk NetworkPolicy apply
- 83 Hub webhook NetworkPolicy canary
- 84 Hub ACM MCE NetworkPolicy canary
- 85 Hub CIS manual check classification
- 86 Hub CIS manual evidence pack
- 87 Hub RBAC least-privilege inventory
- 88 Hub RBAC exception register design
- 89 Hub system:deployers cleanup preflight
- 90 Hub platform-bootstrap system:deployers canary
- 91 Hub ACM addon metrics Secret-read validation
- 92 Operator readiness and batch execution
- 93 Disconnected catalog hygiene
- 94 Gatekeeper preflight and dry-run design
- 95 Hub Gatekeeper operator-only install
- 96 Spoke Gatekeeper operator-only install
- 97 Hub Gatekeeper operand preflight
- 98 Hub Gatekeeper operand canary
- 99 Hub Gatekeeper rollback drill
- 100 Spoke Gatekeeper operand preflight
- 101 Spoke Gatekeeper live canary rollback
- 102 Spoke Gatekeeper operand image readiness
- 103 Spoke Gatekeeper operand live retry
- 104 Spoke Gatekeeper rollback drill
- 105 Gatekeeper dry-run candidate
- 106 Gatekeeper scoped dry-run canary
- 107 Gatekeeper rollout and policy closeout
- 108 v7 CIS and PCI DSS 4 scanner closure
- 109 v7 BFSI readiness gap analysis
- 110 v7 operator batch model
- 111 Spoke Pipelines operator batch
- 112 Spoke observability foundation operators
- 113 Spoke tracing and mesh operators
- 114 App-platform batch deferral
- 115 hub-dr-v7 warm standby design
- 116 hub-dr-v7 deployment program plan
- 117 hub-dr-v7 install inputs and edge plan
- 118 dl385-2 VM SSH and hosts access
- 119 hub-dr-v7 edge DNS and HAProxy foundation
- 120 hub-dr-v7 VM env and libvirt dry run
- 121 hub-dr-v7 batched execution model
- 122 hub-dr-v7 build and base install
- 123 hub-dr-v7 standby platform foundation and operators
- 124 hub-dr-v7 protection compliance and readiness
- 125 hub-dr-v7 failover rehearsal certification and handoff
- 126 spoke-dr-v7 hot standby program plan
- 127 spoke-dr-v7 ADR and compact hot standby design
- 128 spoke-dc-v7 parity baseline and workload inventory
- 129 spoke-dr-v7 capacity IPAM DNS HAProxy and VM allocation
- 130 spoke-dr-v7 GitOps catalog storage foundation