This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on Jun 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 4.12, which is the latest version currently available.
Create OpenShift cluster administrator credentials to access a managed cluster by using the OpenShift CLI, OpenShift Web Console, and Kubernetes CLI.
After installation, you cannot access your new OpenShift cluster because the cluster creation process does not create a user account.
For testing purposes, the rosa command can create a user account named cluster-admin that has administrator privileges.
After testing your cluster, Red Hat recommends that you remove that user account and instead configure an identity provider with regular users and administrators that have only the minimum privileges necessary to perform their operations.
See the section called “Configure Developer Self-service for a ROSA Cluster” for a description of how to configure GitHub as an identity provider for your ROSA cluster.
The Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) and Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise (DO380) courses provide more details on configuring identity providers and granting administrator privileges to users.
Use the rosa create admin command to create the cluster-admin user account:
$ rosa create admin --cluster mycluster
I: Admin account has been added to cluster 'mycluster'.
I: Please securely store this generated password. If you lose this password you can delete and recreate the cluster admin user.
I: To login, run the following command:
   oc login https://api.mycluster.myawsdomain:6443 --username cluster-admin --password 2XmXt-2Up7U-oqNTP-2Vw5y
I: It may take several minutes for this access to become active.
The command configures your OpenShift cluster to use an HTPasswd identity provider that stores the cluster-admin user credentials.
The command generates a random password and then displays it in the output.
You can log in to your new ROSA cluster by using the OpenShift web console or the OpenShift command-line interface (CLI).
You can retrieve the URL of the OpenShift web console by using the rosa describe cluster command:
$ rosa describe cluster -c mycluster
...output omitted...
Console URL: https://console-openshift-console.apps.mycluster.myawsdomain
...output omitted...
Open a web browser and then navigate to that URL.
Select the identity provider and then log in by using the cluster-admin username and the password that the rosa create admin command returned.
The Red Hat OpenShift console redirects you to the page.
To install the OpenShift CLI (oc) on your system, retrieve the archive by using the rosa command:
$ rosa download oc
I: Verifying whether OpenShift command-line tool is available...
W: OpenShift command-line tool is not installed.
Run 'rosa download oc' to download the latest version, then add it to your PATH.
I: Downloading https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz
Downloading... 53 MB complete
I: Successfully downloaded openshift-client-linux.tar.gz
Depending on your operating system, the archive name might be different.
Extract the archive and then move the oc and kubectl executable files to a standard system directory so that you can run the commands.
The archive includes the kubectl command, which is the Kubernetes CLI.
Because OpenShift is based on Kubernetes, you can use that command to manage your cluster.
However, the oc command provides the same capabilities as the kubectl command and includes additional subcommands to support features specific to OpenShift.
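Before you extract the archive and copy oc and kubectl into a system directory, you can check the archive against a published SHA-256 checksum list. The following is an added example, not part of the course material: the helper names verify_archive and install_clients are hypothetical, and it assumes GNU sha256sum and a checksum list in the usual "digest  filename" format (for instance a sha256sum.txt file downloaded from the same mirror directory as the archive).

```shell
#!/bin/sh
# Added example: verify a downloaded client archive against a checksum list
# before extracting it. Assumes GNU coreutils sha256sum and a list whose lines
# look like "<hex digest>  <file name>" (assumption: published beside the archive).

# verify_archive ARCHIVE SUMFILE
# Returns 0 only when SUMFILE lists ARCHIVE's base name and the digest matches.
# Returns 2 for unreadable input and 3 when the archive is not listed.
verify_archive() {
    archive=$1
    sumfile=$2
    name=$(basename "$archive")

    [ -r "$archive" ] && [ -r "$sumfile" ] || return 2

    # Select the digest recorded for exactly this file name.
    # Field 2 may carry a leading '*' (binary-mode marker), so strip it.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sumfile")
    [ -n "$expected" ] || return 3

    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# install_clients ARCHIVE SUMFILE DESTDIR
# Extracts only the oc and kubectl members, and only after the check passes.
install_clients() {
    verify_archive "$1" "$2" || {
        echo "checksum check failed for $1, not extracting" >&2
        return 1
    }
    mkdir -p "$3" && tar -xzf "$1" -C "$3" oc kubectl
}
```

A checksum list fetched from the same server as the archive detects a corrupted or truncated download, not a compromised mirror.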
The oc command is also available for download from the Red Hat Hybrid Cloud Console at https://console.redhat.com/openshift/downloads.
You must log in with your Red Hat account to access the console.
After you install the OpenShift CLI, you can use the oc login command that the rosa create admin command displayed when you created the cluster-admin user.
$ oc login https://api.mycluster.myawsdomain:6443 \
  --username cluster-admin --password 2XmXt-2Up7U-oqNTP-2Vw5y
...output omitted...
Instead of using a username and a password, you can use an access token to log in to the OpenShift CLI. Moreover, with some external identity providers, using a token is the only available mechanism to log in from the command line.
You generate that token by using the OpenShift web console:
Select → .

Click and then log in as the cluster-admin user.
Click and then copy the oc login --token=… command to the clipboard.

Paste the command into a command-line terminal and then run it.
$ oc login --token=sha256~yHyILFVs5YKMll0C-eEorEDISPzK4BkhpUhjOX5X1g0 --server=https://api.mycluster.myawsdomain:6443
...output omitted...
Because the oc and the kubectl commands use the same configuration files, the kubectl command also uses the credentials that you configure by using the oc login command.
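Both login forms shown above put the password or token on the command line, so the value is saved in your shell history. The following is an added example, not part of the course material, that counts and redacts oc login credentials in a history file; the function names and the history file path passed to them are hypothetical.

```shell
#!/bin/sh
# Added example: find and redact oc login credentials left in a shell history
# file. The caller supplies the file path; nothing here is part of oc or rosa.

# An "oc login" command (optionally after ';', '|' or '&', as in zsh extended
# history) that carries a value for --password, -p or --token.
CRED_RE='(^|[[:space:];|&])oc[[:space:]]+login[[:space:]](.*[[:space:]])?(--password|--token|-p)[=[:space:]]+[^[:space:]]+'

# count_leaked_logins FILE
# Prints how many lines of FILE contain an oc login credential.
count_leaked_logins() {
    [ -r "$1" ] || return 2
    # grep -c exits 1 when the count is 0; that is not an error here.
    grep -Ec -- "$CRED_RE" "$1" || true
}

# redact_history FILE
# Prints FILE with the credential values on oc login lines replaced by
# REDACTED. Flag names, usernames and server URLs are left in place.
redact_history() {
    [ -r "$1" ] || return 2
    sed -E \
        '/oc[[:space:]]+login[[:space:]]/ s/([[:space:]])(--password|--token|-p)([=[:space:]]+)[^[:space:]]+/\1\2\3REDACTED/g' \
        "$1"
}
```

A hit means that the credential was stored on disk in clear text: delete and re-create the cluster-admin user to get a new password, and log out of the token's session. If you omit the --password option, the oc login command prompts for the password instead.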
You can deploy a simple application to verify that your cluster is running properly.
For example, run the following commands to create the hello-test project, a new application that uses the image quay.io/redhattraining/hello-world-nginx:v1.0, and to expose it to the internet:
$ oc new-project hello-test
...output omitted...
$ oc new-app quay.io/redhattraining/hello-world-nginx:v1.0
...output omitted...
$ oc expose service/hello-world-nginx
...output omitted...
$ oc get routes
NAME                HOST/PORT                                                 ...
hello-world-nginx   hello-world-nginx-hello-test.apps.mycluster.myawsdomain   ...
Finally, navigate to the http://hello-world-nginx-hello-test.apps.mycluster.myawsdomain URL to verify that the application is working.
Because Red Hat recommends that you configure an identity provider instead of using the cluster-admin user, delete the user after you validate the OpenShift cluster.
$ rosa delete admin --cluster mycluster
? Are you sure you want to delete cluster-admin user on cluster mycluster? Yes
I: Admin user 'cluster-admin' has been deleted from cluster 'mycluster'
A later chapter describes how to configure your cluster to use an external identity provider for user authentication.
For more information about creating the cluster-admin account, refer to the Accessing a ROSA Cluster chapter in the Red Hat OpenShift Service on AWS 4 Installing, Accessing, and Deleting ROSA Clusters documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/installing_accessing_and_deleting_rosa_clusters/index#rosa-sts-accessing-cluster
For more information about the OpenShift CLI, refer to the OpenShift CLI (oc) chapter in the Red Hat OpenShift Container Platform 4.11 CLI Tools documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html-single/cli_tools/index#openshift-cli-oc
For more information about creating a test application on OpenShift, refer to the Creating and Building an Application Using the CLI chapter in the Red Hat OpenShift Container Platform 4.11 Getting Started documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html-single/getting_started/index#openshift-cli