Prerequisites
Read this before the first build or rebuild.
This is the short checklist for what needs to exist before the automation and manual process make sense.
What You Need On The Operator Workstation
- a local checkout of this repo
- aws CLI configured for the target account
- ansible-core
- jq
- rsync
- ssh and a working SSH keypair
- enough local disk to stage the repo, pull secret, and generated artifacts
The repo ships one required Ansible collection in:
requirements.yml
Install it with:
cd <project-root>
ansible-galaxy collection install -r requirements.yml
Current automation also assumes a modern Ansible controller environment. The
live validation work on this repo has been using ansible-core 2.18.
Recommended local validation tools before changing orchestration:
- yamllint
- ansible-lint
- shellcheck
Before pushing orchestration changes, run:
make validate
That validation lane is also what the repo CI runs on pull requests.
What You Need In Public Cloud
- a public-cloud account that can run an unfettered metal instance
- permission to create the tenant and host resources modeled by the CloudFormation stack
- a public IP path to virt-01
- enough EBS quota for the host root disk and all guest disks
For the current AWS implementation, that means:
- CloudFormation
- EC2
- EBS
- Elastic IP
- key-pair import
Note
The current host-stack default for AdminIngressCidr is 0.0.0.0/0. That
keeps the lab reachable when the operator is coming from a home connection or
any other source IP that can drift unexpectedly. If your admin source is
truly stable, tighten it later.
What You Need From Red Hat
Important
If you do not already have an active Red Hat account with entitlements, the Developer Subscription for Individuals is a zero-cost path to everything listed below. See the setup guide linked above.
- a pull secret file for OpenShift content access
- RHSM credentials:
  - activation key plus organization ID, or
  - username plus password
- a RHEL 10.1 guest image source:
  - a qcow2 cached on virt-01, or
  - a direct-download URL used by the automation
- a RHEL AMI or equivalent host image source for the metal host
(OPTIONAL) What You Need From Microsoft
Only needed when you plan to enable the optional AD DS / AD CS build.
- Windows Server 2025 evaluation media from the Microsoft Evaluation Center:
  - the currently validated path is: English (United States), ISO download, 64-bit edition
Place the downloaded ISO on virt-01 at the path expected by the AD build:
/root/images/26100.32230.260111-0550.lt_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso
You also need virtio-win.iso staged on virt-01 for the Windows guest
drivers and guest tools:
/root/images/virtio-win.iso
Current documented source for that ISO:
- virtio-win driver installation guidance:
- direct ISO download referenced there:
Local Secrets And Ignored Files
The main local secret file is:
inventory/group_vars/all/lab_credentials.yml
That file is for local or vaulted values only. Use common sense here:
- keep real secrets out of tracked files
- keep them in ignored local files or a vault workflow
- do not normalize plaintext credentials as a project convention
Typical local content includes:
- lab_default_password
- lab_rhsm_activation_key
- lab_rhsm_organization_id
- or the username/password RHSM variant
You also need:
- a local SSH private key that can reach virt-01
- the matching public key
- a local pull-secret file
The secrets model and Git guardrails are documented in:
Quick Preflight
Before you start a build, the practical checks are:
aws sts get-caller-identity
ansible --version
ansible-galaxy collection list | grep freeipa.ansible_freeipa
test -f inventory/group_vars/all/lab_credentials.yml
test -f ~/pull-secret.txt
test -f ~/.ssh/id_ed25519
You do not need every generated artifact in place before bootstrap. You do need the credentials, key material, and content-access inputs sorted out first.
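The file checks above only confirm that the inputs exist. The sketch below is an added example, not part of this repo's tooling: it also confirms that each secret input is private to the operator and that lab_credentials.yml is ignored and untracked by Git. The function names are made up for this example, and the extra paths are the ones used in the preflight commands.

```shell
#!/usr/bin/env bash
# Added example: hygiene checks for the local secret inputs.
# Function names are hypothetical; paths come from the preflight list.

# Return 0 only if FILE exists and grants no group/other permission bits.
secret_mode_ok() {
  local f="$1" mode
  [ -f "$f" ] || { echo "MISSING     $f" >&2; return 1; }
  # Columns 5-10 of the ls mode string are the group and other rwx bits.
  mode=$(ls -ld -- "$f" | cut -c5-10)
  [ "$mode" = "------" ] || { echo "TOO OPEN    $f (chmod 600)" >&2; return 1; }
}

# Return 0 only if PATH (relative to REPO) is git-ignored and not in the index.
secret_untracked() {
  local repo="$1" path="$2"
  if git -C "$repo" ls-files --error-unmatch -- "$path" >/dev/null 2>&1; then
    echo "TRACKED     $path" >&2
    return 1
  fi
  git -C "$repo" check-ignore -q -- "$path" || {
    echo "NOT IGNORED $path" >&2
    return 1
  }
}

# Run every check, report each failure, return non-zero if any failed.
# Usage: secrets_preflight REPO [EXTRA_SECRET_FILE...]
secrets_preflight() {
  local repo="$1" rc=0 f
  local creds="inventory/group_vars/all/lab_credentials.yml"
  shift
  secret_untracked "$repo" "$creds" || rc=1
  secret_mode_ok "$repo/$creds" || rc=1
  for f in "$@"; do
    secret_mode_ok "$f" || rc=1
  done
  return "$rc"
}

# Example: secrets_preflight . ~/pull-secret.txt ~/.ssh/id_ed25519
```

A non-zero return means at least one input is missing, readable by other local users, or visible to Git; each failure is named on stderr.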
Where To Go Next
- for the run order: AUTOMATION FLOW
- for the full manual equivalent: MANUAL PROCESS
- for the outer cloud model: IAAS MODEL