
Guided Exercise: Create a ROSA Cluster

Create a public managed OpenShift cluster on ROSA by using default installation values.

Outcomes

  • Create the Amazon Web Services (AWS) Identity and Access Management (IAM) roles and policies that the Red Hat OpenShift on AWS (ROSA) cluster creation process requires.

  • Initiate a ROSA cluster creation.

  • Monitor the cluster creation process and retrieve the cluster status from the command line.

  • Review the AWS resources that comprise a ROSA cluster.

To perform this exercise, ensure that you completed the section called “Guided Exercise: Prerequisites to Create a ROSA Cluster”.

Procedure 1.2. Instructions

  1. Open a command-line terminal on your system, and then run the rosa whoami command to confirm that the AWS and Red Hat OpenShift Cluster Manager (OCM) configuration is correct. Verify that the command lists your AWS account, the correct AWS Region, and your Red Hat customer portal account.

    $ rosa whoami
    AWS ARN:                      arn:aws:iam::...:user/user1@example.com-fqppg-admin
    AWS Account ID:               452954386616
    AWS Default Region:           us-east-1
    OCM API:                      https://api.openshift.com
    OCM Account Email:            wlombardo@example.com
    OCM Account ID:               1VhrXTjpDWnt4rfZvdgLj2fEcso
    OCM Account Name:             Wilhelm Lombardo
    OCM Account Username:         wlombardo
    OCM Organization External ID: 15701801
    OCM Organization ID:          1HMOv5QDUifj2g6Si1hyskyv2IP
    OCM Organization Name:        Wilhelm Lombardo

    The credentials in the preceding output are examples. On your system, the command displays your own credentials.

  2. Run the rosa create account-roles command in automatic mode to create the IAM roles and policies in your AWS account. Add the --yes option to skip confirmation messages. Ignore the warning message about the OpenShift command-line tool not being installed. You install the tool in another exercise in this course.

    $ rosa create account-roles --mode auto --yes
    I: Logged in as 'wlombardo' on 'https://api.openshift.com'
    I: Validating AWS credentials...
    I: AWS credentials are valid!
    I: Validating AWS quota...
    I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
    I: Verifying whether OpenShift command-line tool is available...
    W: OpenShift command-line tool is not installed.
    Run 'rosa download oc' to download the latest version, then add it to your PATH.
    I: Creating account roles
    I: Creating roles using 'arn:aws:iam::...:user/user1@example.com-fqppg-admin'
    I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-Installer-Role'
    I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-ControlPlane-Role'
    I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-Worker-Role'
    I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::452954386616:role/ManagedOpenShift-Support-Role'
    I: To create an OIDC Config, run the following command:
            rosa create oidc-config
    I: To create a cluster with these roles, run the following command:
            rosa create cluster --sts

  3. Create the ROSA cluster.

    1. Start the cluster creation in automatic mode. Add the --cluster-name do120-cluster option to specify the cluster name. Add the --sts option to use the AWS Security Token Service (STS). Add the --yes option to skip confirmation messages. Do not provide any other option so that the cluster creation process uses default values for the other parameters.

      Note

      If the command fails with the "Failed to create instance…: exceeded max wait time…" message, then run the command again.

      $ rosa create cluster --mode auto --cluster-name do120-cluster --sts --yes
      ...output omitted...
      I: Preparing to create operator roles.
      I: Creating roles using 'arn:aws:iam::...:user/user1@example.com-fqppg-admin'
      I: Created role 'do120-cluster-p5k3-openshift-cluster-csi-drivers-ebs-cloud-cred' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-cluster-csi-drivers-ebs-cloud-cred'
      I: Created role 'do120-cluster-p5k3-openshift-cloud-network-config-controller-cl' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-cloud-network-config-controller-cl'
      I: Created role 'do120-cluster-p5k3-openshift-machine-api-aws-cloud-credentials' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-machine-api-aws-cloud-credentials'
      I: Created role 'do120-cluster-p5k3-openshift-cloud-credential-operator-cloud-cr' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-cloud-credential-operator-cloud-cr'
      I: Created role 'do120-cluster-p5k3-openshift-image-registry-installer-cloud-cre' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-image-registry-installer-cloud-cre'
      I: Created role 'do120-cluster-p5k3-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam::452954386616:role/do120-cluster-p5k3-openshift-ingress-operator-cloud-credentials'
      I: Preparing to create OIDC Provider.
      I: Creating OIDC provider using 'arn:aws:iam::452954386616:user/user1@example.com-fqppg-admin'
      I: Created OIDC provider with ARN 'arn:aws:iam::452954386616:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/200kf8hp4crqpnn0m8ltem6d48jseadp'
      I: To determine when your cluster is Ready, run 'rosa describe cluster -c do120-cluster'.
      I: To watch your cluster installation logs, run 'rosa logs install -c do120-cluster --watch'.

      Notice that the rosa create cluster command creates IAM roles that are specific to the current cluster. The rosa command uses the cluster name as a prefix for the role names (do120-cluster).

      The command also creates an IAM OpenID Connect (OIDC) identity provider so that the OpenShift operators that run inside the cluster can authenticate with the AWS API.

    2. Run the rosa describe cluster command to retrieve the cluster status.

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      State:                      installing
      ...output omitted...

      It takes around 45 minutes for the cluster creation process to complete. Rerun the rosa describe cluster command repeatedly until it reports a status of ready.

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      State:                      ready
      ...output omitted...

  4. Review some AWS resources that the cluster creation process creates.

    1. Log in to the AWS Management Console at https://console.aws.amazon.com/ by using a web browser.

    2. Select the AWS Region for your cluster.

      If you do not remember the name of your region, then use the rosa describe cluster command:

      $ rosa describe cluster -c do120-cluster
      ...output omitted...
      Region:                     us-east-1
      ...output omitted...

      The region in the preceding output might be different on your system.

    3. Review the Amazon Virtual Private Cloud (VPC) resource that the cluster creation process creates. To do so, navigate to Services → Networking & Content Delivery → VPC, and then select Virtual private cloud → Your VPCs. A VPC that starts with the name of your cluster, do120-cluster, is displayed.

    4. Select Virtual private cloud → Subnets to review the networks that your cluster is connected to. Two subnets with the do120-cluster prefix are displayed.

    5. List the Amazon Elastic Compute Cloud (EC2) instances that the cluster creation process creates for the OpenShift cluster nodes. To do so, navigate to Services → Compute → EC2, and then select Instances → Instances. Several instances are displayed. The names of the instances for your cluster have a do120-cluster prefix, and include their cluster role: master, infra, or worker.

      Do not delete your work, because later activities depend on the completion of this exercise.
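
The repeated status check from step 3.2, as an added shell example that is not part of the original exercise: wait_for_ready reruns rosa describe cluster until the State field reports ready. The function names, the timeout and interval defaults, and the treatment of an "error" state as terminal are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the course material): poll the cluster state
# instead of rerunning `rosa describe cluster` by hand.

# Read `rosa describe cluster` output on stdin and print the first word of
# the "State:" field (for example "installing" or "ready").
cluster_state() {
    awk '$1 == "State:" { print $2; exit }'
}

# wait_for_ready CLUSTER [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Exit status: 0 = ready, 1 = error state, 2 = timed out.
# The body runs in a subshell so its variables do not leak into the caller.
wait_for_ready() (
    cluster=$1
    timeout=${2:-3600}    # assumed default, above the ~45 minute install time
    interval=${3:-60}     # assumed default polling interval
    elapsed=0
    while :; do
        # A failed or unparsable describe call yields an empty state and
        # is simply retried on the next iteration.
        state=$(rosa describe cluster -c "$cluster" 2>/dev/null | cluster_state)
        echo "$(date -u +%H:%M:%SZ) $cluster state=${state:-unknown}" >&2
        case $state in
            ready) return 0 ;;
            error) return 1 ;;   # assumption: "error" does not recover by itself
        esac
        [ "$elapsed" -ge "$timeout" ] && return 2
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
)

# Usage: wait_for_ready do120-cluster 3600 60
```

A nonzero exit status lets a wrapper script stop before it tries to use a cluster that never became ready. The install logs remain available with rosa logs install -c do120-cluster --watch.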

Revision: do120-4.12-b978842