Create an internet-accessible ROSA cluster by using the CLI.
In the previous section, you learned how to configure your workstation and the cloud provider before creating a Red Hat OpenShift on AWS (ROSA) cluster.
In this section, you learn what cloud resources you must prepare before attempting to create a cluster. You create a ROSA cluster, and explore the resources that the cluster is composed of, such as virtual machines, disks, and load balancers.
Although you can use the Red Hat OpenShift Cluster Manager web interface to create the cloud resources and to create ROSA clusters, this section describes only the creation steps by using the command-line interface.
The ROSA cluster creation process creates Amazon Web Services (AWS) resources in your AWS account, such as Amazon Elastic Compute Cloud (EC2) instances for OpenShift cluster nodes.
ROSA relies on specific Identity and Access Management (IAM) roles and policies to grant the cluster creation process rights to create the resources. As a consequence, before you can create ROSA clusters, you must create these IAM resources.
From a command-line terminal, ensure that you used the aws configure and rosa login commands to log in to your AWS account and your Red Hat account.
Then, run the rosa create account-roles command to create the IAM resources.
In automatic mode, the command uses the AWS API to create the roles and policies in your AWS account.
Use the --mode auto option to activate that mode.
The --yes option skips the confirmation messages before creating the resources.
$ rosa create account-roles --mode auto --yes
...output omitted...
I: Creating account roles
I: Creating roles using 'arn:aws:iam::...:user/user1@example.com-fqppg-admin'
I: Created role 'ManagedOpenShift-Installer-Role'...
I: Created role 'ManagedOpenShift-ControlPlane-Role'...
I: Created role 'ManagedOpenShift-Worker-Role'...
I: Created role 'ManagedOpenShift-Support-Role'...
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts
In manual mode, the rosa create account-roles command generates the roles and policies in files on your local system, but does not create them in AWS.
This method is useful if your IAM user does not have enough permissions to create the IAM resources in the AWS account.
You can send the files to your AWS administrators to apply them in the AWS account.
Use the --mode manual option to activate that mode.
$ rosa create account-roles --mode manual
...output omitted...
I: Creating account roles
I: All policy files saved to the current directory
I: Run the following commands to create the account roles and policies:
aws iam create-role \
--role-name ManagedOpenShift-Installer-Role \
--assume-role-policy-document file://sts_installer_trust_policy.json \
--tags Key=rosa_openshift_version,Value=4.12 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=installer Key=red-hat-managed,Value=true
aws iam create-policy \
--policy-name ManagedOpenShift-Installer-Role-Policy \
--policy-document file://sts_installer_permission_policy.json --tags Key=rosa_openshift_version,Value=4.12 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=installer Key=red-hat-managed,Value=true
aws iam attach-role-policy \
--role-name ManagedOpenShift-Installer-Role \
--policy-arn arn:aws:iam::452954386616:policy/ManagedOpenShift-Installer-Role-Policy
...output omitted...
If you do not provide the --mode option, then the command interactively asks for the mode to use.
After preparing the cloud environment, you are ready to create a ROSA cluster.
From a command-line terminal, run the rosa create cluster command to initiate the creation of your ROSA cluster.
The command triggers the cluster creation and then exits.
It does not wait for the installation to complete.
Instead, the cluster creation process runs unattended on AWS.
By default, the rosa create cluster command runs in interactive mode.
You need to specify only the cluster name, and you can accept the default values that the command suggests for the other parameters.
ROSA also uses your chosen cluster name for building some URLs.
For example, if your cluster name is mycluster, then the cluster creation process creates URLs similar to https://api.mycluster.sqwq.p1.openshiftapps.com:6443 for API access, and https://console-openshift-console.apps.mycluster.sqwq.p1.openshiftapps.com/ for the web console.
$ rosa create cluster
I: Enabling interactive mode
? Cluster name: mycluster
? Deploy cluster using AWS STS: Yes
W: In a future release STS will be the default mode.
W: --sts flag won't be necessary if you wish to use STS.
W: --non-sts/--mint-mode flag will be necessary if you do not wish to use STS.
? OpenShift version: 4.12.14
I: Using arn:...:role/ManagedOpenShift-Installer-Role for the Installer role
I: Using arn:...:role/ManagedOpenShift-ControlPlane-Role for the ControlPlane role
I: Using arn:...:role/ManagedOpenShift-Worker-Role for the Worker role
I: Using arn:...:role/ManagedOpenShift-Support-Role for the Support role
? External ID (optional): <Enter>
? Operator roles prefix: mycluster-p5k3
? Multiple availability zones (optional): No
? AWS region: us-east-1
? PrivateLink cluster (optional): No
...output omitted...
I: Creating cluster 'mycluster'
I: To create this cluster again in the future, you can run:
rosa create cluster --cluster-name mycluster --sts --role-arn arn:aws:iam::452954386616:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::452954386616:role/ManagedOpenShift-Support-Role --controlplane-iam-role arn:aws:iam::452954386616:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::452954386616:role/ManagedOpenShift-Worker-Role --operator-roles-prefix mycluster-p5k3 --region us-east-1 --version 4.12.14 --compute-nodes 2 --compute-machine-type m5.xlarge --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'mycluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
...output omitted...
I: Run the following commands to continue the cluster creation:
rosa create operator-roles --cluster mycluster
rosa create oidc-provider --cluster mycluster
I: To determine when your cluster is Ready, run 'rosa describe cluster -c mycluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c mycluster --watch'.
$
Operator roles prefix: Each ROSA cluster that you create requires specific IAM resources for some OpenShift operators to access the AWS infrastructure. By default, ROSA prefixes the name of these IAM resources with the name of the cluster (mycluster-p5k3 in the preceding output).
Re-creation command: The output displays the command that you can run to re-create the cluster without interaction. You can use that command as a model to automate creating your future ROSA clusters.
Commands to continue the cluster creation: The cluster creation process is waiting for you to create additional IAM resources.
You can also run the command in automatic mode by adding the --mode auto --sts options.
In that mode, the command uses default parameter values and automatically creates the additional IAM resources.
You can overwrite a parameter by specifying its value as a command-line option.
For example, use the --compute-nodes 3 option for creating three compute nodes instead of two by default.
Run the rosa create cluster --help command to list the available options.
Each ROSA cluster that you create requires some specific IAM resources. Some OpenShift operators that run inside the ROSA cluster use these resources to interact with the infrastructure platform. For example, when the cluster load increases, the cluster autoscaler instructs the OpenShift Machine API Operator to create a compute node. The OpenShift Machine API Operator uses the AWS API to deploy an additional EC2 instance for that new compute node.
The output from the rosa create cluster command lists the commands that you must run to create these IAM resources.
The cluster creation process that runs unattended on AWS waits for them.
The process monitors the IAM resources, and then automatically continues when it detects that you created them.
The rosa create operator-roles command uses the AWS API to create the IAM roles for the OpenShift operators:
$ rosa create operator-roles --cluster mycluster
...output omitted...
I: Created role '...mycluster-p5k3-openshift-machine-api-aws-cloud-credentials'
Notice that the command uses the name of the cluster as a prefix for the IAM roles.
For the OpenShift operators to use the AWS API, they must first authenticate with AWS.
For that authentication, you create an IAM OpenID Connect (OIDC) identity provider by using the rosa create oidc-provider command.
The cluster creation process configures the OpenShift operators to authenticate against that IAM identity provider.
$ rosa create oidc-provider --cluster mycluster
...output omitted...
The IAM identity provider is dedicated to the OpenShift operators. It enables these OpenShift operators to authenticate against the AWS API so that they can interact with the AWS infrastructure.
This identity provider is not used to authenticate your users for accessing the OpenShift web console, the OpenShift CLI, or the Kubernetes API. Another chapter in the course describes how to configure your ROSA cluster for client authentication with an external identity provider.
The unattended creation process that runs on AWS automatically continues after you run the two rosa create commands.
Because the cluster creation process runs unattended on AWS, use the rosa describe cluster command to monitor its progress.
You must add the --cluster cluster_name (or -c cluster_name) option to specify the cluster to query.
$ rosa describe cluster --cluster mycluster
...output omitted...
State: installing
...output omitted...
The rosa describe cluster command reports a ready status when the creation completes.
Creating a cluster takes about 45 minutes to complete.
$ rosa describe cluster --cluster mycluster
...output omitted...
State: ready
...output omitted...
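The procedure above (unattended creation, the two follow-up rosa create commands, then polling rosa describe cluster until the State line reads ready) as one non-interactive shell script. This is an added example, not course or Red Hat code; it assumes the account roles already exist, that you are logged in with aws configure and rosa login, and that --yes is accepted by the three rosa create commands (it is documented for account-roles on this page; for the other commands it is an assumption).

```shell
#!/bin/sh
# Added example: unattended ROSA cluster creation plus a readiness wait loop.
# Assumes 'rosa create account-roles' was already run and you are logged in.
set -eu

CLUSTER="${CLUSTER:-mycluster}"
REGION="${REGION:-us-east-1}"
# Command used to query the cluster; overridable so the wait loop can be tested offline.
DESCRIBE_CMD="${DESCRIBE_CMD:-rosa describe cluster -c}"

# Print the value of the "State:" line from 'rosa describe cluster' output read on stdin.
rosa_state() {
  awk -F': *' '$1 == "State" { print $2; exit }'
}

# Poll until the cluster is ready. Prints the final state; returns 1 on error or timeout.
# $1 = cluster name, $2 = seconds between polls, $3 = maximum number of polls.
wait_for_cluster() {
  name="$1"; interval="${2:-60}"; max="${3:-90}"; i=0
  while [ "$i" -lt "$max" ]; do
    i=$((i + 1))
    state="$($DESCRIBE_CMD "$name" | rosa_state)"
    case "$state" in
      ready) echo "ready"; return 0 ;;
      error|uninstalling) echo "$state"; return 1 ;;   # do not keep waiting on a failed install
      *) sleep "$interval" ;;
    esac
  done
  echo "timeout"; return 1
}

create_cluster() {
  # Non-interactive creation (--mode auto --sts); unspecified parameters keep their defaults.
  rosa create cluster --cluster-name "$CLUSTER" --sts --mode auto --yes \
    --region "$REGION" --compute-nodes 2
  # The installer running on AWS waits for these per-cluster IAM resources (assumed flags: --mode auto --yes).
  rosa create operator-roles --cluster "$CLUSTER" --mode auto --yes
  rosa create oidc-provider --cluster "$CLUSTER" --mode auto --yes
  # Installation takes about 45 minutes; poll every minute for up to 90 minutes.
  wait_for_cluster "$CLUSTER" 60 90
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${ROSA_APPLY:-0}" = "1" ]; then
  create_cluster
fi
```

Run with ROSA_APPLY=1 CLUSTER=mycluster sh ./create-rosa.sh to apply; without ROSA_APPLY the script only defines the functions.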
ROSA builds your OpenShift clusters by using AWS resources. To help you to identify these resources, ROSA prefixes their names with the cluster name.
From a command-line terminal, use the aws command to list the ROSA cluster resources.
For example, you can list the EC2 instances by running the aws ec2 describe-instances command.
All the EC2 resources that the ROSA cluster creation process creates have a name that starts with the cluster name.
ROSA also adds a Name tag to these resources, which is useful for filtering purposes.
For example, you can limit the output to only the instances with a name that starts with mycluster by using the --filters option.
$ aws ec2 describe-instances --filters "Name=tag:Name,Values=mycluster*"
To list the Amazon Virtual Private Cloud (VPC) resources for your cluster, run the following command:
$ aws ec2 describe-vpcs --filters "Name=tag:Name,Values=mycluster*"
To list the subnets for your cluster, run the following command:
$ aws ec2 describe-subnets --filters "Name=tag:Name,Values=mycluster*"
To list the network Amazon Elastic Load Balancing (ELB) resources, run the aws elbv2 describe-load-balancers command.
Because the command returns all the load balancers, you must inspect the list to consider only the related load balancers for your cluster.
$ aws elbv2 describe-load-balancers
You can use other aws subcommands to inspect the other AWS resources for your cluster.
For more details, run the aws help command.
You can also list the AWS resources for your ROSA cluster from the AWS Management Console at https://console.aws.amazon.com/.
When you use the AWS Management Console, be sure to select the correct region for your ROSA cluster. Otherwise, you might not find the AWS resources that you are looking for.

The AWS Management Console organizes the resources into AWS services:
To list the EC2 instances, navigate to → → and then select → .

To list the VPC resources, navigate to → → and then select → .
To list the subnets inside the VPC, select → .
To list the ELB resources, navigate to → → and then select → .
After creation, the ROSA cluster does not provide a user account that you can use to start deploying applications. The following sections present how you can create an initial user account to test your new cluster, and how to configure your cluster to use an external identity provider for user authentication.
For more information about creating a ROSA cluster, refer to the Creating a Cluster Using Customizations section in the Creating a ROSA Cluster with STS Using Customizations chapter in the Red Hat OpenShift Service on AWS 4 Installing, Accessing, and Deleting ROSA Clusters documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/installing_accessing_and_deleting_rosa_clusters/index#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations
For more information about the required IAM roles, refer to the About IAM Resources for ROSA Clusters that Use STS chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-sts-about-iam-resources