Deploy OKD4 (OpenShift) on Hetzner Cloud using HashiCorp Packer, Terraform, and Ansible.

Hetzner Cloud does not meet the I/O performance and latency requirements for etcd – even when using local SSDs (not Ceph). This may cause issues during the cluster bootstrap phase.

This setup is suitable for small test environments only. Not recommended for production clusters.

By default, a single-node cluster is deployed with the following components:

Additional worker nodes can be added by setting an environment variable before running Terraform:

export TF_VAR_replicas_worker=3  # Example: 3 worker nodes

You can set the desired release version with the OPENSHIFT_RELEASE environment variable.

Example:

export DEPLOYMENT_TYPE=okd # Options: "okd" or "ocp", default is "okd"
export OPENSHIFT_RELEASE=$(make latest_version) # or a fixed version like "4.19.9"

For OCP (Red Hat OpenShift), you will also need a valid pull secret, available from cloud.redhat.com.

1. Build and start the toolbox

   make fetch
   make build
   make run

2. Create install-config.yaml (see example in Configuration)
3. Generate manifests

   make generate_manifests

4. Generate ignition configs

   make generate_ignition

5. Export required environment variables (see example in Configuration)
6. Build Fedora/RedHat CoreOS image using Packer

   make hcloud_image

7. Deploy infrastructure with Terraform (including bootstrap and ignition node)

   make infrastructure BOOTSTRAP=true

8. Wait for bootstrap completion

   make wait_bootstrap

9. Remove bootstrap and ignition node

   make infrastructure

10. Wait for installation to finish

    make wait_completion

11. Approve worker CSRs (if workers are deployed)

    make sign_csr
    sleep 60
    make sign_csr

apiVersion: v1
baseDomain: 'example.com'
metadata:
  name: 'okd4'
compute:
  - hyperthreading: Enabled
    name: worker
    replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 1
networking:
  clusterNetworks:
    - cidr: 10.128.0.0/14
      hostPrefix: 23
  networkType: OVNKubernetes
  serviceNetwork:
    - 172.30.0.0/16
machineCIDR: platform:
  none: {}
pullSecret: '{"auths":{"none":{"auth":"none"}}}'
sshKey: ssh-rsa AAAA…<your ssh key here>

# Terraform / DNS
export TF_VAR_dns_domain=okd4.example.com
export TF_VAR_dns_zone_id=YOUR_ZONE_ID

# Hetzner Cloud credentials
export HCLOUD_TOKEN=YOUR_HCLOUD_TOKEN

# Cloudflare credentials
export CLOUDFLARE_EMAIL=user@example.com
export CLOUDFLARE_API_KEY=YOUR_API_KEY

• Nodes are not directly exposed to the internet by default.
• Only the load balancer is public accessible.
• SSH access to nodes will only be possible with additional firewall configuration.

To deploy OCP instead of OKD:

export DEPLOYMENT_TYPE=ocp
export OPENSHIFT_RELEASE=4.19.9 # example version
make fetch build run

You can also choose the latest version from a specific channel:

export OCP_RELEASE_CHANNEL=stable-4.19
export OPENSHIFT_RELEASE=$(make latest_version)
make fetch build run

• I/O performance and latency issues with etcd (see above).
• Components that rely on strong consistency (like etcd) may suffer under heavy load.
• No stability guarantees for large clusters or production use.

slauger