This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on Jun 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 4.12, which is the latest version currently available.
Create an internet-accessible ROSA cluster by using the CLI.
In the previous section you learned how to configure your workstation and the cloud provider before creating a Red Hat OpenShift on AWS (ROSA) cluster.
In this section, you learn what cloud resources you need to prepare before attempting to create a cluster and you finally create a ROSA cluster and explore the resources that compose the cluster, such as virtual machines, disks, and load balancers.
Although you can use the Red Hat OpenShift Cluster Manager web interface to create the cloud resources and to create ROSA clusters, this section only describes the creation steps by using the command-line interface.
The ROSA cluster creation process creates Amazon Web Services (AWS) resources in your AWS account, such as Amazon Elastic Compute Cloud (EC2) instances for OpenShift cluster nodes.
ROSA relies on specific Identity and Access Management (IAM) roles and policies to grant the cluster creation process rights to create the resources. As a consequence, before you can create ROSA clusters, you must create these IAM resources.
From a command-line terminal, ensure that you used the aws configure and rosa login commands to log in to your AWS account and your Red Hat account.
Then, run the rosa create account-roles command to create the IAM resources.
In automatic mode, the command uses the AWS API to create the roles and policies in your AWS account.
Use the --mode auto option to activate that mode.
The --yes option skips the confirmation messages before creating the resources.
$ rosa create account-roles --mode auto --yes
...output omitted...
I: Creating account roles
I: Creating roles using 'arn:aws:iam::...:user/user1@example.com-fqppg-admin'
I: Created role 'ManagedOpenShift-Installer-Role'...
I: Created role 'ManagedOpenShift-ControlPlane-Role'...
I: Created role 'ManagedOpenShift-Worker-Role'...
I: Created role 'ManagedOpenShift-Support-Role'...
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts
In manual mode, the rosa create account-roles command generates the roles and policies in files on your local system but does not create them in AWS.
This method is useful if your IAM user does not have sufficient permissions to create the IAM resources in the AWS account.
You can send the files to your AWS administrators so that they can apply them in the AWS account.
Use the --mode manual option to activate that mode.
$ rosa create account-roles --mode manual
...output omitted...
I: Creating account roles
I: All policy files saved to the current directory
I: Run the following commands to create the account roles and policies:
aws iam create-role \
--role-name ManagedOpenShift-Installer-Role \
--assume-role-policy-document file://sts_installer_trust_policy.json \
--tags Key=rosa_openshift_version,Value=4.11 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=installer Key=red-hat-managed,Value=true
aws iam create-policy \
--policy-name ManagedOpenShift-Installer-Role-Policy \
--policy-document file://sts_installer_permission_policy.json --tags Key=rosa_openshift_version,Value=4.11 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=installer Key=red-hat-managed,Value=true
aws iam attach-role-policy \
--role-name ManagedOpenShift-Installer-Role \
--policy-arn arn:aws:iam::452954386616:policy/ManagedOpenShift-Installer-Role-Policy
...output omitted...
If you do not provide the --mode option, then the command interactively asks for the mode you want to use.
After preparing the cloud environment, you are ready to create a ROSA cluster.
From a command-line terminal, run the rosa create cluster command to initiate the creation of your ROSA cluster.
The command triggers the cluster creation and then exits.
It does not wait for the installation to complete.
Instead, the cluster creation process runs unattended on AWS.
By default, the rosa create cluster command runs in interactive mode.
You only need to specify the cluster name and you can accept the default values that the command suggests for the other parameters.
ROSA also uses the cluster name you choose for building some URLs.
For example, if your cluster name is mycluster, then the cluster creation process creates a URL similar to https://api.mycluster.sqwq.p1.openshiftapps.com:6443 for API access, and https://console-openshift-console.apps.mycluster.sqwq.p1.openshiftapps.com/ for the web console.
$ rosa create cluster
I: Enabling interactive mode
? Cluster name: mycluster
? Deploy cluster using AWS STS: Yes
? OpenShift version: 4.11.13
I: Using arn:...:role/ManagedOpenShift-Installer-Role for the Installer role
I: Using arn:...:role/ManagedOpenShift-ControlPlane-Role for the ControlPlane role
I: Using arn:...:role/ManagedOpenShift-Worker-Role for the Worker role
I: Using arn:...:role/ManagedOpenShift-Support-Role for the Support role
? External ID (optional): <Enter>
? Operator roles prefix: mycluster-p5k3
? Multiple availability zones (optional): No
? AWS region: us-east-1
? PrivateLink cluster (optional): No
...output omitted...
I: Creating cluster 'mycluster'
I: To create this cluster again in the future, you can run:
   rosa create cluster --cluster-name mycluster --sts --role-arn arn:aws:iam::452954386616:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::452954386616:role/ManagedOpenShift-Support-Role --controlplane-iam-role arn:aws:iam::452954386616:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::452954386616:role/ManagedOpenShift-Worker-Role --operator-roles-prefix mycluster-p5k3 --region us-east-1 --version 4.11.13 --compute-nodes 2 --compute-machine-type m5.xlarge --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'mycluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
...output omitted...
I: Run the following commands to continue the cluster creation:
   rosa create operator-roles --cluster mycluster
   rosa create oidc-provider --cluster mycluster
I: To determine when your cluster is Ready, run 'rosa describe cluster -c mycluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c mycluster --watch'.
$
Each ROSA cluster you create requires specific IAM resources for some OpenShift operators to access the AWS infrastructure. By default, ROSA prefixes the name of these IAM resources with the name of the cluster.
The output displays the command that you can run to recreate the cluster without interaction. You can use that command as a model to automate the creation of your future ROSA clusters.
The cluster creation process is waiting for you to create additional IAM resources.
You can also run the command in automatic mode by adding the --mode auto --sts options.
In that mode, the command uses default parameter values and automatically creates the additional IAM resources.
You can override a parameter by specifying its value as a command-line option.
For example, use the --compute-nodes 3 option to create three compute nodes instead of the default of two.
Run the rosa create cluster --help command to list the available options.
Each ROSA cluster you create requires some specific IAM resources. Some OpenShift operators running inside the ROSA cluster use these resources to interact with the infrastructure platform. For example, when the cluster load increases, the cluster autoscaler instructs the OpenShift Machine API Operator to create a new compute node. The OpenShift Machine API Operator uses the AWS API to deploy an additional EC2 instance for that new compute node.
The output from the rosa create cluster command lists the commands that you have to run to create these IAM resources.
The cluster creation process that runs unattended on AWS waits for them.
The process monitors the IAM resources and then automatically continues when it detects that you have created them.
The rosa create operator-roles command uses the AWS API to create the IAM roles for the OpenShift operators:
$ rosa create operator-roles --cluster mycluster
...output omitted...
I: Created role '...mycluster-p5k3-openshift-machine-api-aws-cloud-credentials'
Notice that the command uses the name of the cluster as a prefix for the IAM roles.
For the OpenShift operators to use the AWS API, they first need to authenticate with AWS.
To perform that authentication, you create an IAM OpenID Connect (OIDC) identity provider by using the rosa create oidc-provider command.
The cluster creation process configures the OpenShift operators to authenticate against that IAM identity provider.
$ rosa create oidc-provider --cluster mycluster
...output omitted...
The IAM identity provider is dedicated to the OpenShift operators. It allows these OpenShift operators to authenticate against the AWS API so that they can interact with the AWS infrastructure.
This identity provider is not used to authenticate your users for accessing the OpenShift web console, the OpenShift command-line interface (CLI), or the Kubernetes API. Another chapter in the course describes how to configure your ROSA cluster for client authentication with an external identity provider.
The unattended creation process running on AWS automatically continues after you have run the two rosa create commands.
Because the cluster creation process runs unattended on AWS, use the rosa describe cluster command to monitor its progress.
You must add the -c cluster_name option to specify the cluster to query.
$ rosa describe cluster -c mycluster
...output omitted...
State: installing
...output omitted...
The rosa describe cluster command reports a status of ready when the creation completes.
Creating a cluster takes around 45 minutes to complete.
$ rosa describe cluster -c mycluster
...output omitted...
State: ready
...output omitted...
ROSA builds your OpenShift clusters by using AWS resources. To help you identify these resources, ROSA prefixes their names with the cluster name.
From a command-line terminal, use the aws command to list the ROSA cluster resources.
For example, you can list the EC2 instances by running the aws ec2 describe-instances command.
All the EC2 resources that the ROSA cluster creation process creates have a name that starts with the cluster name.
ROSA also adds a Name tag to these resources, which is useful for filtering purposes.
For example, you can limit the output to only the instances with a name that starts with mycluster by using the --filters option.
$ aws ec2 describe-instances --filters "Name=tag:Name,Values=mycluster*"
To list the Amazon Virtual Private Cloud (VPC) resources for your cluster, run the following command:
$ aws ec2 describe-vpcs --filters "Name=tag:Name,Values=mycluster*"
To list the subnets for your cluster, run the following command:
$ aws ec2 describe-subnets --filters "Name=tag:Name,Values=mycluster*"
To list the network Amazon Elastic Load Balancing (ELB) resources, run the aws elbv2 describe-load-balancers command.
Because the command returns all the load balancers, you have to inspect the list to only consider the load balancers related to your cluster.
$ aws elbv2 describe-load-balancers
You can use other aws subcommands to inspect the other AWS resources for your cluster.
Run the aws help command for more details.
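The whole procedure from this section (account roles, an STS cluster in automatic mode, polling rosa describe cluster until the state is ready, then listing the EC2 instances by Name tag) as one script. This is an added example and not part of the course; it assumes rosa login and aws configure were already run, and the ROSA_BIN and AWS_BIN variables are assumed overrides so that stubs can stand in for the real CLIs.

```shell
# Added example, not from the course: the section's unattended sequence as a script.
# Assumes `rosa login` and `aws configure` were already run. ROSA_BIN and AWS_BIN
# are assumed overrides so a stub can replace the real CLIs in a test.
ROSA_BIN="${ROSA_BIN:-rosa}"
AWS_BIN="${AWS_BIN:-aws}"

# Extract the value of the "State:" line from `rosa describe cluster` output on stdin.
cluster_state() {
    sed -n 's/^State:[[:space:]]*\([A-Za-z_]*\).*/\1/p' | head -n 1
}

# Poll `rosa describe cluster -c NAME` until the State is ready.
# $1 = cluster name, $2 = maximum polls, $3 = seconds between polls.
# Returns 0 when ready, 1 on a terminal failure state, 2 on timeout.
wait_for_ready() {
    name="$1"; max="${2:-90}"; interval="${3:-30}"; i=0; state=""
    while [ "$i" -lt "$max" ]; do
        state="$("$ROSA_BIN" describe cluster -c "$name" | cluster_state)"
        case "$state" in
            ready) return 0 ;;
            error|uninstalling) echo "cluster $name is in state '$state'" >&2; return 1 ;;
        esac
        i=$((i + 1))
        sleep "$interval"
    done
    echo "timed out waiting for $name (last state: '$state')" >&2
    return 2
}

# Account roles, then an STS cluster in automatic mode (which also creates the
# operator roles and OIDC provider), then wait for the installation to finish.
# $1 = cluster name, $2 = region (default us-east-1), $3 = compute nodes (default 2)
create_rosa_cluster() {
    name="$1"; region="${2:-us-east-1}"; nodes="${3:-2}"
    "$ROSA_BIN" create account-roles --mode auto --yes
    "$ROSA_BIN" create cluster --cluster-name "$name" --sts --mode auto \
        --region "$region" --compute-nodes "$nodes"
    wait_for_ready "$name"
}
# List the EC2 instances whose Name tag starts with the cluster name.
list_cluster_instances() {
    "$AWS_BIN" ec2 describe-instances --filters "Name=tag:Name,Values=$1*" \
        --query 'Reservations[].Instances[].[InstanceId,InstanceType,State.Name]' \
        --output text
}
# Usage: ROSA_CLUSTER=mycluster sh rosa-up.sh
if [ -n "${ROSA_CLUSTER:-}" ]; then
    create_rosa_cluster "$ROSA_CLUSTER" && list_cluster_instances "$ROSA_CLUSTER"
fi
```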
You can also list the AWS resources for your ROSA cluster from the AWS Management Console at https://console.aws.amazon.com/.
When you use the AWS Management Console, ensure to select the correct region for your ROSA cluster. Otherwise, you might not find the AWS resources you are looking for.

The AWS Management Console organizes the resources into AWS services:
To list the EC2 instances, navigate to → → and then select → .

To list the VPC resources, navigate to → → and then select → .
To list the subnets inside the VPC, select → .
To list the ELB resources, navigate to → → and then select → .
Just after creation, the ROSA cluster does not provide a user account that you can use to start deploying applications. The following sections present how you can create an initial user account to test your new cluster and how to configure your cluster to use an external identity provider for user authentication.
For more information about creating a ROSA cluster, refer to the Creating a Cluster Using Customizations section in the Creating a ROSA Cluster with STS Using Customizations chapter in the Red Hat OpenShift Service on AWS 4 Installing, Accessing, and Deleting ROSA Clusters documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/installing_accessing_and_deleting_rosa_clusters/index#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations
For more information about the required IAM roles, refer to the About IAM Resources for ROSA Clusters that Use STS chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-sts-about-iam-resources