Greenfield OCP Deployment
A source-of-truth guide for building a greenfield OpenShift platform with GitOps, automated VM provisioning, DNS, edge, registry, CI, observability, and operational documentation from day one.
106 pages · last reviewed 2026-05-19
Sections
installation manual · 105 pages
- 01 MinIO object storage
- 02 PDNS installation
- 03 HAProxy installation
- 04 GitLab installation
- 05 Vault installation
- 06 NetBox installation
- 07 Quay registry
- 08 oc-mirror
- 09 Nexus artifact repository
- 10 Bootstrap artifacts
- 100 Spoke Gatekeeper operand preflight
- 101 Spoke Gatekeeper live canary rollback
- 11 Bootstrap VM and install inputs
- 12 Hub cluster installation
- 13 Hub GitOps bootstrap
- 14 Hub LVMS storage
- 15 Hub cert-manager
- 16 Hub External Secrets and Vault auth
- 17 Hub ACM and MCE
- 18 Hub RHACS
- 19 HTPasswd Admin Identity
- 20 Spoke Day-Zero Hardening
- 21 Spoke FIPS And Disk Inventory
- 22 Spoke ODF RAID0 Disk Prep
- 23 Spoke LSO ODF Install
- 24 Spoke ACM Import Pull GitOps
- 25 Spoke cert-manager, ESO, and Vault auth
- 26 Spoke RHACS secured cluster
- 27 Spoke compliance baseline
- 28 Spoke compliance findings triage
- 29 Spoke low-risk compliance config
- 30 Spoke logging and file integrity
- 31 Spoke manual attestation evidence pack
- 32 Spoke master banner MachineConfig hardening
- 33 Spoke logging drainability and GitHub source
- 34 Spoke worker banner MachineConfig hardening
- 35 Spoke ODF NooBaa drainability gate
- 36 Spoke NooBaa primary relocation
- 37 Spoke worker-2 live drain validation
- 38 Spoke worker coredump hardening preflight
- 39 Spoke worker coredump hardening rollout
- 40 Spoke worker coredump compliance evidence
- 41 Spoke worker disable users coredumps preflight
- 42 Spoke worker disable users coredumps rollout
- 43 Spoke worker disable users coredumps compliance evidence
- 44 Spoke worker coredump remaining controls comparison
- 45 Spoke worker sysctl kernel core pattern rollout
- 46 Spoke worker systemd-coredump service mask rollout
- 47 Spoke operator readiness and next selection
- 48 OADP backup preflight
- 49 OADP operator install
- 50 OADP DPA blocker
- 51 Vault replacement start
- 52 Vault replacement allocation
- 53 Vault R1 build
- 54 OADP Vault R1 DPA
- 55 OADP ad hoc backup
- 56 OADP schedules
- 57 OADP scheduled backup validation
- 58 OADP restore validation
- 59 Vault R1 ESO smoke
- 60 Vault R1 RHACS
- 61 Vault DNS readiness
- 62 Vault DNS promotion
- 63 Vault soak cleanup
- 64 Vault platform store cleanup
- 65 OADP post-cleanup scheduled backup validation
- 66 Old Vault retirement readiness
- 67 Old Vault stage 1 retirement cleanup
- 68 Old Vault stage 1 early backup validation
- 69 Old Vault VM power-off
- 70 Old Vault cold-retention soak
- 71 OADP post-Vault-poweroff backup validation
- 72 Old Vault final retention deletion
- 73 Old Vault stale DNS cleanup
- 74 Vault replacement phase closeout
- 75 Hub CIS API/config hardening
- 76 Hub audit log forwarding decision
- 77 Hub audit log forwarding implementation
- 78 Hub NetworkPolicy namespace classification
- 79 Hub NetworkPolicy remediation preflight
- 80 Hub low-risk NetworkPolicy apply
- 81 Hub operator ACM NetworkPolicy design
- 82 Hub lower-risk NetworkPolicy apply
- 83 Hub webhook NetworkPolicy canary
- 84 Hub ACM MCE NetworkPolicy canary
- 85 Hub CIS manual check classification
- 86 Hub CIS manual evidence pack
- 87 Hub RBAC least-privilege inventory
- 88 Hub RBAC exception register design
- 89 Hub system:deployers cleanup preflight
- 90 Hub platform-bootstrap system:deployers canary
- 91 Hub ACM addon metrics Secret-read validation
- 92 Post-compliance operator readiness selection
- 93 Disconnected catalog hygiene
- 94 Gatekeeper preflight and dry-run design
- 95 Hub Gatekeeper operator-only install
- 96 Spoke Gatekeeper operator-only install
- 97 Hub Gatekeeper operand preflight
- 98 Hub Gatekeeper operand canary
- 99 Hub Gatekeeper rollback drill