Guided Exercise: Access a ROSA Cluster as Administrator

  • Access a newly created managed cluster using initial cluster administrator credentials.

  • Perform a smoke test by deploying and accessing an application.

Outcomes

You should be able to:

  • Create a Red Hat OpenShift on AWS (ROSA) cluster administrator account.

  • Access the OpenShift web console.

  • Install the OpenShift command-line interface (CLI) on your workstation.

  • Deploy an application on OpenShift and expose it on the internet.

To perform this exercise, ensure that you have completed the section called “Guided Exercise: Create a ROSA Cluster”.

Procedure 1.3. Instructions

  1. Verify that your ROSA CLI configuration is correct and that the ROSA cluster is ready.

    1. Open a command-line terminal on your system and then run the rosa whoami command to confirm that the AWS and Red Hat OpenShift Cluster Manager (OCM) configuration is correct. Verify that the command lists your AWS account, the correct AWS region, and your Red Hat customer portal account.

      $ rosa whoami
      AWS ARN:                      arn:aws:iam::...:user/user1@example.com-fqppg-admin
      AWS Account ID:               452954386616
      AWS Default Region:           us-east-1
      OCM API:                      https://api.openshift.com
      OCM Account Email:            wlombardo@example.com
      OCM Account ID:               1VhrXTjpDWnt4rfZvdgLj2fEcso
      OCM Account Name:             Wilhelm Lombardo
      OCM Account Username:         wlombardo
      OCM Organization External ID: 15701801
      OCM Organization ID:          1HMOv5QDUifj2g6Si1hyskyv2IP
      OCM Organization Name:        Wilhelm Lombardo

      The credentials in the preceding output are different on your system. Your own credentials should display.

    2. Run the rosa describe cluster command to confirm that your ROSA cluster named do120-cluster is ready.

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      State:                      ready
      ...output omitted...

  2. Create an administrator account so that you can access your cluster. The following command creates the cluster-admin account.

    $ rosa create admin --cluster do120-cluster
    I: Admin account has been added to cluster 'do120-cluster'.
    I: Please securely store this generated password. If you lose this password you can delete and recreate the cluster admin user.
    I: To login, run the following command:
    
       oc login https://api.do120-cluster.jf96.p1.openshiftapps.com:6443
       --username cluster-admin --password 2XmXt-2Up7U-oqNTP-2Vw5y
    
    I: It may take several minutes for this access to become active.

    In the preceding output, the URL and the password in the oc login command are different on your system. Make a note of the password.

  3. Log in to the OpenShift web console by using the cluster-admin username and the password that the preceding command has generated.

    1. Run the rosa describe cluster command again to retrieve the URL of the OpenShift web console.

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      Console URL:     https://console-openshift-console.apps.do120-cluster.jf96.p1.openshiftapps.com
      ...output omitted...

      The URL in the preceding output is different on your system.

    2. Open a web browser, navigate to the OpenShift web console URL, click htpasswd, and then log in as the cluster-admin user with the password that the rosa create admin command returned.

      Note

      If a message indicates that the connection is not private or that the certificate is not valid, or if the htpasswd button does not display, then wait five minutes and refresh the page.

    3. The Overview page displays, which confirms that you are connected to the OpenShift web console. Do not log out from the console and do not close the web browser window. You use the console in a different step in this exercise.

  4. Install the OpenShift CLI (oc) and the Kubernetes CLI (kubectl) so that you can log in and then manage your OpenShift cluster from the command line.

    1. Use the rosa command to download the archive for your operating system.

      $ rosa download oc
      I: Verifying whether OpenShift command-line tool is available...
      W: OpenShift command-line tool is not installed.
      Run 'rosa download oc' to download the latest version, then add it to your PATH.
      I: Downloading https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz
      Downloading... 53 MB complete
      I: Successfully downloaded openshift-client-linux.tar.gz

      Depending on your operating system, the archive name might be different.

    2. Extract the archive and then move the executable files to a standard system directory so that you can run the commands. For example, on Linux and macOS systems, you can move the oc and kubectl binary files into the /usr/local/bin/ directory:

      $ sudo mv oc kubectl /usr/local/bin/

  5. Use the oc command to log in to your ROSA cluster. To do so, you could copy and then paste the oc login command that the rosa create admin command returned in a preceding step. That oc login command uses the --username and the --password options to specify the username and the password.

    You can also use the oc login command with a token so that you do not have to expose your username. In this exercise, you use the OpenShift web console to generate a token and then use it to log in from the command line.

    1. Switch to the OpenShift web console in your web browser. Select cluster-admin → Copy login command.

    2. If the login page displays, then click htpasswd and use the cluster-admin username with the password that the rosa create admin command returned in a preceding step.

    3. Click Display Token and then copy the oc login --token=… command to the clipboard.

    4. Paste the command into the command-line terminal and then run it.

      $ oc login --token=sha256~1NofZkVCi3qCBcBJGc6XiOJTK5SDXF2ZYwhAARx5yJg
        --server=https://api.do120-cluster.jf96.p1.openshiftapps.com:6443
      Logged into "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443" as "cluster-admin" using the token provided.
      
      You have access to 99 projects, the list has been suppressed. You can list all projects with 'oc projects'
      
      Using project "default".
      Welcome! See 'oc help' to get started.

      In the preceding command, the token and the URL are different on your system.

  6. Create a new OpenShift project and then deploy a test application.

    1. Create the hello-do120 project.

      $ oc new-project hello-do120
      Now using project "hello-do120" on server "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443".
      ...output omitted...
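
    2. Use the quay.io/redhattraining/hello-world-nginx:v1.0 container image to deploy an NGINX web server with sample content. Ignore the warning message. The warning reports that the generated deployment does not set the securityContext fields that the restricted PodSecurity profile requires; the output shows that the deployment is still created.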

      $ oc new-app quay.io/redhattraining/hello-world-nginx:v1.0
      ...output omitted...
      --> Creating resources ...
          imagestream.image.openshift.io "hello-world-nginx" created
      Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "hello-world-nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "hello-world-nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "hello-world-nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "hello-world-nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
          deployment.apps "hello-world-nginx" created
          service "hello-world-nginx" created
      --> Success
          Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
           'oc expose service/hello-world-nginx'
          Run 'oc status' to view your app.

    3. Expose the application to the internet.

      $ oc expose service/hello-world-nginx
      route.route.openshift.io/hello-world-nginx exposed

    4. Retrieve the application URL. To do so, you could use the oc get route command. For demonstration purposes, use the kubectl command instead. The Kubernetes CLI uses the same configuration as the OpenShift CLI. The kubectl command uses the same credentials that you configured when you ran the oc login command.

      $ kubectl get route/hello-world-nginx
      NAME                HOST/PORT  ...
      hello-world-nginx   hello-world-nginx-hello-do120.apps.do120-cluster.jf96.p1.openshiftapps.com ...

      The hostname in the preceding output is different on your system.

    5. Open a web browser and then access the URL from the preceding output over HTTP (without SSL): http://hello-world-nginx-hello-do120.apps.do120-cluster.jf96.p1.openshiftapps.com. A Hello, world message displays. This message confirms that you successfully deployed your application on OpenShift.

  7. Clean up your work by deleting the hello-do120 project.

    $ oc delete project hello-do120
    project.project.openshift.io "hello-do120" deleted

  8. Log out from the OpenShift CLI and then remove the cluster-admin user. In another exercise, you create an identity provider and assign the cluster management role to a user.

    1. Log out from the OpenShift CLI.

      $ oc logout
      Logged "cluster-admin" out on "https://api.do120-cluster.jf96.p1.openshiftapps.com:6443"

    2. Delete the cluster-admin user account.

      $ rosa delete admin --cluster do120-cluster
      ? Are you sure you want to delete cluster-admin user on cluster do120-cluster? Yes
      I: Admin user 'cluster-admin' has been deleted from cluster 'do120-cluster'
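
In step 4, the extracted oc and kubectl binaries are moved into /usr/local/bin/ with sudo, so it is worth checking the downloaded archive first. The following shell function is an added example, not part of the original exercise: it compares the archive's SHA-256 digest with the sha256sum.txt list in the same mirror directory. The function names and local file names are assumptions, and the match is made on the digest rather than the file name because the listed names may carry a version number.

```shell
#!/bin/sh
# Added example: check a downloaded client archive against a published
# SHA-256 list before installing its binaries system-wide.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive ARCHIVE SUMFILE
# Returns 0 and prints the listed file name when ARCHIVE's digest appears in
# SUMFILE, 1 when it does not, 2 when an input cannot be read.
verify_archive() {
    archive=$1
    sumfile=$2
    if [ ! -r "$archive" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $archive or $sumfile" >&2
        return 2
    fi
    digest=$(sha256_of "$archive")
    [ -n "$digest" ] || return 2
    # Match on the digest column; strip the "*" that marks binary mode.
    match=$(awk -v d="$digest" \
        'tolower($1) == d { sub(/^\*/, "", $2); print $2; exit }' "$sumfile")
    if [ -z "$match" ]; then
        echo "digest $digest is not listed in $sumfile" >&2
        return 1
    fi
    echo "$match"
}

# Typical use after 'rosa download oc' (sha256sum.txt is fetched from the same
# mirror directory that the download output shows):
#   curl -fsSLO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/sha256sum.txt
#   verify_archive openshift-client-linux.tar.gz sha256sum.txt &&
#       tar -xzf openshift-client-linux.tar.gz oc kubectl
```

Because the checksum list comes from the same server as the archive, this check catches a corrupted or truncated download, not a compromised mirror.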

This concludes the section.

Revision: do120-4.11-db7a8ed