Installation Manual - 11 Bootstrap VM and install inputs

How the greenfield OpenShift bootstrap VM and first install inputs are rendered from source-controlled templates.

This phase prepares the gf-ocp-bootstrap-01 VM and the first OpenShift install input workdir. It does not create the cluster yet.

Source Files

bootstrap/cloud-init/gf-ocp-bootstrap-01.user-data.example.yaml
bootstrap/cloud-init/gf-ocp-bootstrap-01.network-config.example.yaml
scripts/vms/gf-ocp-bootstrap-01.env.example
bootstrap/openshift-install/cluster.env.example
bootstrap/openshift-install/install-config.template.yaml
bootstrap/openshift-install/agent-config.template.yaml
data/openshift-install/v7-baseline.json
scripts/services/bootstrap/install-openshift-tools.sh
scripts/services/bootstrap/build-openshift-pull-secret-from-vault.sh
scripts/services/bootstrap/render-openshift-install-inputs.sh
scripts/services/bootstrap/validate-openshift-install-preflight.sh

The first install baseline pins OpenShift to 4.20.18, uses the Quay-backed release image, enables FIPS, and renders disconnected mirror resources from the committed oc-mirror output.

Bootstrap VM Flow

Prepare cloud-init:

./scripts/gfctl.sh prepare-cloud-init --execute gf-ocp-bootstrap-01

Review the ignored files under:

artifacts/cloud-init/gf-ocp-bootstrap-01/

Keep the bootstrap VM's networking MAC-matched in network-config.yaml and write the default route as to: 0.0.0.0/0. The RHEL cloud-init sysconfig renderer accepts that form; to: default fails first-boot network rendering and leaves the VM without its static IP.
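As an added illustration, not the project's prepare-cloud-init output, the following constructed cloud-init network-config v2 fragment shows the form described above (MAC-matched, default route written as 0.0.0.0/0) beside the failing to: default variant, with a shell check that rejects the failing form before the seed ISO is built. The MAC, addresses and interface name are assumed values.

```shell
#!/bin/sh
# Added example, not part of the project's scripts. Constructed network-config v2
# samples for the bootstrap VM plus a check for the first-boot failure modes
# named in the manual. The MAC, IP plan and interface name are assumptions.
set -e

ASSUMED_MAC=52:54:00:aa:bb:01   # must equal the MAC the VM is created with

# Form the RHEL sysconfig renderer accepts: match on the MAC, static address,
# default route written as 0.0.0.0/0.
good_network_config() {
  cat <<EOF
version: 2
ethernets:
  eth0:
    match:
      macaddress: "$ASSUMED_MAC"
    set-name: eth0
    dhcp4: false
    addresses:
      - 10.70.10.21/24
    routes:
      - to: 0.0.0.0/0
        via: 10.70.10.1
    nameservers:
      addresses:
        - 10.70.10.2
EOF
}

# Same config with the route spelled "to: default", which fails first-boot
# rendering and leaves the VM without its static IP.
bad_network_config() {
  good_network_config | sed 's#to: 0\.0\.0\.0/0#to: default#'
}

# check_network_config FILE EXPECTED_MAC
# Returns 0 only if FILE is matched to EXPECTED_MAC, carries a static address,
# routes the default via 0.0.0.0/0 and never uses "to: default".
check_network_config() {
  file=$1
  mac=$2
  status=0
  grep -qiE "macaddress: *\"?$mac" "$file" \
    || { echo "FAIL: no match.macaddress for $mac" >&2; status=1; }
  grep -qE '^ *- [0-9.]+/[0-9]+ *$' "$file" \
    || { echo "FAIL: no static address" >&2; status=1; }
  ! grep -qE 'to: *default' "$file" \
    || { echo "FAIL: default route written as 'to: default'" >&2; status=1; }
  grep -qE 'to: *0\.0\.0\.0/0' "$file" \
    || { echo "FAIL: no 0.0.0.0/0 default route" >&2; status=1; }
  return $status
}

# Stand-alone run: the accepted form passes, the failing form is rejected.
workdir=$(mktemp -d)
good_network_config > "$workdir/network-config.yaml"
bad_network_config > "$workdir/network-config.default-route.yaml"
check_network_config "$workdir/network-config.yaml" "$ASSUMED_MAC" \
  && echo "network-config.yaml: OK"
check_network_config "$workdir/network-config.default-route.yaml" "$ASSUMED_MAC" \
  || echo "network-config.default-route.yaml: rejected as expected"
rm -rf "$workdir"
```

Run the check against artifacts/cloud-init/gf-ocp-bootstrap-01/network-config.yaml with the MAC from the VM env before the cloud-init-iso step; a mismatch between the two is the other way the VM comes up without its address.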

Build the seed ISO:

./scripts/gfctl.sh cloud-init-iso --execute gf-ocp-bootstrap-01

Copy and review the VM env:

cp scripts/vms/gf-ocp-bootstrap-01.env.example \
  scripts/vms/gf-ocp-bootstrap-01.env

Create the VM only after the issue gate is approved:

./scripts/gfctl.sh create-vm --execute scripts/vms/gf-ocp-bootstrap-01.env

Install the pinned tools on the bootstrap VM:

./scripts/gfctl.sh enable-bootstrap-rpm-repos --execute
./scripts/gfctl.sh install-bootstrap-hardening-tools --execute
./scripts/gfctl.sh install-openshift-tools --execute

The preserved RHEL guest image boots with no package repositories enabled. For this bootstrap host, the public UBI 9 repositories supply git, podman, skopeo, nmstate, and jq without storing Red Hat credentials on the VM. The hardening script enables EPEL 9 temporarily, only long enough to install fail2ban-server, and then removes the repo file. tmux was not available from the approved public UBI repo path or from the checked EPEL 9 metadata; leave it out unless a later issue approves a trusted package source.

Install Input Flow

Create an ignored cluster workdir:

install -d artifacts/openshift/spoke-dc-v7
cp bootstrap/openshift-install/cluster.env.example \
  artifacts/openshift/spoke-dc-v7/cluster.env

Edit the cluster env for the actual IP plan, DNS, MAC addresses, root-device hints, and SSH key path.

Build the runtime pull secret from Vault:

export VAULT_ADDR=https://gf-ocp-vault-02.v7.comptech-lab.com:8200
export VAULT_CACERT=/path/to/vault-ca.crt
export VAULT_TOKEN=<redacted>
./scripts/services/bootstrap/build-openshift-pull-secret-from-vault.sh \
  --output artifacts/openshift/spoke-dc-v7/pull-secret.json

The generated installer pull secret adds the credential of the ocp_cluster_pull Quay user, read from secret/greenfield/quay/users/ocp_cluster_pull. A regular Quay user is required rather than a robot account: the pull secret carries a single credential entry for quay.v7.comptech-lab.com, while release and operator content live in different Quay organizations, and a robot account is scoped to one organization.

Render install inputs:

./scripts/gfctl.sh render-openshift-install-inputs --execute \
  --env artifacts/openshift/spoke-dc-v7/cluster.env \
  --output-dir artifacts/openshift/spoke-dc-v7

Generated files remain ignored until reviewed:

artifacts/openshift/spoke-dc-v7/install-config.yaml
artifacts/openshift/spoke-dc-v7/agent-config.yaml
artifacts/openshift/spoke-dc-v7/mirror-resources/release-*.yaml
artifacts/openshift/spoke-dc-v7/mirror-resources/operators-*.yaml

Run the disconnected preflight before creating install media:

./scripts/gfctl.sh validate-openshift-install-preflight --execute \
  --env artifacts/openshift/spoke-dc-v7/cluster.env \
  --input-dir artifacts/openshift/spoke-dc-v7

The preflight validates the rendered YAML, the FIPS setting, the release digest mirrors, Quay release image access, and operator catalog image access, and then runs openshift-install-fips agent create cluster-manifests against a temporary copy of the workdir so the reviewed inputs are left untouched. It does not create an ISO, PXE files, or a cluster.

Gates Before Cluster Creation

  • RHEL base image artifact checksum validation passes.
  • Bootstrap VM SSH and sudo validation passes.
  • oc, kubectl, openshift-install, and oc-mirror report the expected pinned versions.
  • Pull secret authenticates to quay.v7.comptech-lab.com.
  • The pinned 4.20.18 release image resolves from Quay.
  • Operator catalog images resolve from Quay.
  • Rendered install-config.yaml has fips: true.
  • Rendered install-config.yaml has release imageDigestSources pointing at the greenfield Quay release mirrors.
  • Rendered install inputs are reviewed for the actual IP plan, DNS plan, MAC addresses, root-device hints, and cluster name.
  • No generated auth material is staged for Git commit.
  • No ISO, PXE files, or cluster creation commands run before the next explicit issue gate.
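The following is an added example, not the project's validate-openshift-install-preflight.sh or build-openshift-pull-secret-from-vault.sh: a small shell re-implementation of the gates that can be checked offline on the rendered workdir. It covers the pull secret layout described in the Vault step (one auths entry for quay.v7.comptech-lab.com whose auth value is base64 of user:password) and the fips, imageDigestSources and staged-auth-material gates above. It constructs its own sample install-config.yaml; the mirror path under Quay, the sample password and the staged-file patterns are assumptions.

```shell
#!/bin/sh
# Added example, not the project's preflight or pull-secret scripts. Offline
# checks for the static gates on a rendered workdir, with constructed inputs.
# The mirror path under Quay and the sample password are assumptions.
set -e

QUAY_HOST=quay.v7.comptech-lab.com

# build_pull_secret_entry USER PASSWORD REGISTRY
# Emits the single-registry pull secret the installer expects: one "auths"
# entry whose "auth" value is base64(USER:PASSWORD). The Vault-backed build
# reads USER and PASSWORD from the KV path instead of taking them as arguments.
build_pull_secret_entry() {
  token=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$3" "$token"
}

# pull_secret_user FILE REGISTRY
# Prints the user name encoded for REGISTRY in FILE, or nothing when FILE has
# no entry for it. Reads the file only; it never contacts the registry.
pull_secret_user() {
  sed -n "s/.*\"$2\":{\"auth\":\"\([^\"]*\)\".*/\1/p" "$1" | base64 -d | cut -d: -f1
}

# check_install_config FILE
# Static gates on a rendered install-config.yaml: fips: true and at least one
# imageDigestSources mirror hosted on QUAY_HOST.
check_install_config() {
  status=0
  grep -qE '^fips: *true *$' "$1" \
    || { echo "FAIL: fips is not true" >&2; status=1; }
  grep -q '^imageDigestSources:' "$1" \
    || { echo "FAIL: no imageDigestSources" >&2; status=1; }
  grep -qE "^ +- $QUAY_HOST/" "$1" \
    || { echo "FAIL: no release mirror on $QUAY_HOST" >&2; status=1; }
  return $status
}

# staged_auth_material
# Lists staged paths that look like generated auth material; empty output
# means the "nothing staged" gate passes. The patterns are assumptions.
staged_auth_material() {
  git diff --cached --name-only 2>/dev/null \
    | grep -E 'pull-secret\.json$|(^|/)auth/|kubeconfig$' || true
}

# Stand-alone run on constructed inputs.
workdir=$(mktemp -d)
cat > "$workdir/install-config.yaml" <<'EOF'
apiVersion: v1
baseDomain: v7.comptech-lab.com
metadata:
  name: spoke-dc-v7
fips: true
imageDigestSources:
  - mirrors:
      - quay.v7.comptech-lab.com/ocp-release/release
    source: quay.io/openshift-release-dev/ocp-release
  - mirrors:
      - quay.v7.comptech-lab.com/ocp-release/release
    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
EOF
# Same file with FIPS disabled, which the gate must reject.
sed 's/^fips: true$/fips: false/' "$workdir/install-config.yaml" \
  > "$workdir/install-config.nofips.yaml"
build_pull_secret_entry ocp_cluster_pull 'assumed-password' "$QUAY_HOST" \
  > "$workdir/pull-secret.json"

check_install_config "$workdir/install-config.yaml" \
  && echo "install-config.yaml: OK"
check_install_config "$workdir/install-config.nofips.yaml" \
  || echo "install-config.nofips.yaml: rejected as expected"
[ "$(pull_secret_user "$workdir/pull-secret.json" "$QUAY_HOST")" = ocp_cluster_pull ] \
  && echo "pull-secret.json: $QUAY_HOST entry is ocp_cluster_pull"
if command -v git >/dev/null 2>&1 && [ -z "$(staged_auth_material)" ]; then
  echo "git index: no auth material staged"
fi
rm -rf "$workdir"
```

These checks are the cheap, network-free half of the gates; release and catalog image resolution still needs the real preflight with the pull secret and Quay reachable. Point check_install_config and pull_secret_user at artifacts/openshift/spoke-dc-v7/ to confirm the rendered files before the next issue gate.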

Last reviewed: 2026-05-15