
Guided Exercise: Create a ROSA Cluster

  • Create a public managed OpenShift cluster on ROSA using default installation values.

Outcomes

You should be able to:

  • Create the Amazon Web Services (AWS) Identity and Access Management (IAM) roles and policies that the Red Hat OpenShift on AWS (ROSA) cluster creation process requires.

  • Initiate a ROSA cluster creation.

  • Monitor the cluster creation process and retrieve the cluster status from the command line.

  • Review the AWS resources that compose a ROSA cluster.

To perform this exercise, ensure that you have completed the section called “Guided Exercise: Prerequisites to Create a ROSA Cluster”.

Procedure 1.2. Instructions

  1. Open a command-line terminal on your system and then run the rosa whoami command to confirm that the AWS and Red Hat OpenShift Cluster Manager (OCM) configuration is correct. Verify that the command lists your AWS account, the correct AWS region, and your Red Hat customer portal account.

    $ rosa whoami
    AWS ARN:                      arn:aws:iam::...:user/user1@example.com-fqppg-admin
    AWS Account ID:               452954386616
    AWS Default Region:           us-east-1
    OCM API:                      https://api.openshift.com
    OCM Account Email:            wlombardo@example.com
    OCM Account ID:               1VhrXTjpDWnt4rfZvdgLj2fEcso
    OCM Account Name:             Wilhelm Lombardo
    OCM Account Username:         wlombardo
    OCM Organization External ID: 15701801
    OCM Organization ID:          1HMOv5QDUifj2g6Si1hyskyv2IP
    OCM Organization Name:        Wilhelm Lombardo

    The credentials in the preceding output are different on your system. Your own credentials should display.

  2. Run the rosa create account-roles command in automatic mode to create the IAM roles and policies in your AWS account. Add the --yes option to skip confirmation messages. Ignore the warning message about the OpenShift command-line tool not being installed. You install the tool in another exercise in this course.

    $ rosa create account-roles --mode auto --yes
    I: Logged in as 'wlombardo' on 'https://api.openshift.com'
    I: Validating AWS credentials...
    I: AWS credentials are valid!
    I: Validating AWS quota...
    I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
    I: Verifying whether OpenShift command-line tool is available...
    W: OpenShift command-line tool is not installed.
    Run 'rosa download oc' to download the latest version, then add it to your PATH.
    I: Creating account roles
    I: Creating roles using 'arn:aws:iam::...:user/user1@example.com-fqppg-admin'
    I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-Installer-Role'
    I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-ControlPlane-Role'
    I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-Worker-Role'
    I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-Support-Role'
    I: To create a cluster with these roles, run the following command:
    rosa create cluster --sts

  3. Create the ROSA cluster.

    1. Start the cluster creation in automatic mode. Add the --cluster-name do120-cluster option to specify the cluster name. Add the --sts option to use the AWS Security Token Service (STS). Add the --yes option to skip confirmation messages. Do not provide any other option so that the cluster creation process uses default values for the other parameters.

      Note

      If the command fails with the "Failed to create instance…: exceeded max wait time…" message, then run the command again.

      $ rosa create cluster --mode auto --cluster-name do120-cluster --sts --yes
      ...output omitted...
      I: Preparing to create operator roles.
      I: Creating roles using 'arn:aws:iam::...:user/user1@example.com-fqppg-admin'
      I: Created role 'do120-cluster-p5k3-openshift-cloud-network-config-controller-clo' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-cloud-network-config-controller-clo'
      I: Created role 'do120-cluster-p5k3-openshift-machine-api-aws-cloud-credentials' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-machine-api-aws-cloud-credentials'
      I: Created role 'do120-cluster-p5k3-openshift-cloud-credential-operator-cloud-cre' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-cloud-credential-operator-cloud-cre'
      I: Created role 'do120-cluster-p5k3-openshift-image-registry-installer-cloud-cred' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-image-registry-installer-cloud-cred'
      I: Created role 'do120-cluster-p5k3-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-ingress-operator-cloud-credentials'
      I: Created role 'do120-cluster-p5k3-openshift-cluster-csi-drivers-ebs-cloud-crede' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-cluster-csi-drivers-ebs-cloud-crede'
      I: Preparing to create OIDC Provider.
      I: Creating OIDC provider using 'arn:aws:iam::452954386616:user/user1@example.com-fqppg-admin'
      I: Created OIDC provider with ARN 'arn:aws:iam::452954386616:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/200kf8hp4crqpnn0m8ltem6d48jseadp'
      I: To determine when your cluster is Ready, run 'rosa describe cluster -c do120-cluster'.
      I: To watch your cluster installation logs, run 'rosa logs install -c do120-cluster --watch'.

      Notice that the rosa create cluster command creates IAM roles specific to the current cluster. The rosa command uses the cluster name as a prefix for the role names (do120-cluster).

      The command also creates an IAM OpenID Connect (OIDC) identity provider for the OpenShift operators running inside the cluster to authenticate with the AWS API.

    2. Run the rosa describe cluster command to retrieve the cluster status.

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      State:                      installing
      ...output omitted...

      It takes around 45 minutes for the cluster creation process to complete. Rerun the rosa describe cluster command regularly until it reports a status of ready.

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      State:                      ready
      ...output omitted...

  4. Review some of the AWS resources that the cluster creation process creates.

    1. Open a web browser and then log in to the AWS Management Console at https://console.aws.amazon.com/.

    2. Select the AWS region for your cluster.

    3. Review the AWS Virtual Private Cloud (VPC) resource that the cluster creation process creates. To do so, navigate to Services → Networking & Content Delivery → VPC and then select Virtual private cloud → Your VPCs. A VPC whose name starts with the name of your cluster, do120-cluster, displays.

    4. Select Virtual private cloud → Subnets to review the networks that connect your cluster. Two subnets with the do120-cluster prefix display.

    5. List the AWS Elastic Compute Cloud (EC2) instances that the cluster creation process creates for the OpenShift cluster nodes. To do so, navigate to Services → Compute → EC2 and then select Instances → Instances. A number of instances display. The names of the instances for your cluster have a do120-cluster prefix and include their cluster role: master, infra, or worker.
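
The manual polling in step 3.2 can be scripted. The following Bash functions are an added example, not part of the course material: they rerun rosa describe cluster until the State field reports ready, and stop on a timeout instead of looping forever. The function names, the default timeout and interval, and the early exit on an error state are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: wait for a ROSA cluster to finish installing.
# Function names, defaults and the 'error' branch are assumptions of this example.

# Print the value of the State field from `rosa describe cluster` output on stdin.
cluster_state() {
  awk '$1 == "State:" { print $2; exit }'
}

# Wrapper around the command from step 3.2, kept separate so it can be stubbed.
describe_cluster() {
  rosa describe cluster -c "$1"
}

# wait_for_ready NAME [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 when State is ready, 1 on timeout, 2 if State is error.
wait_for_ready() {
  local name="$1" timeout="${2:-3600}" interval="${3:-60}" waited=0 state
  while :; do
    state=$(describe_cluster "$name" | cluster_state)
    case "$state" in
      ready) return 0 ;;
      error) echo "cluster $name is in state 'error'" >&2; return 2 ;;
    esac
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${waited}s, last state: ${state:-unknown}" >&2
      return 1
    fi
    echo "State: ${state:-unknown} (waited ${waited}s)" >&2
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Usage, after `rosa create cluster` returns:
#   wait_for_ready do120-cluster && echo "cluster is ready"
```

An empty State value (for example, when the rosa session has expired) is reported as unknown and retried until the timeout, so a failed login does not look like a ready cluster.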

This concludes the section.

Revision: do120-4.11-db7a8ed