"Deploy OpenShift Services on AWS"

Deploy and run OpenShift on AWS

Compare methods for running OpenShift's ready-to-use Kubernetes environment on Amazon's public cloud infrastructure.


OpenShift is Kubernetes with batteries included and verified. That is to say, OpenShift is ready to run complex first- and third-party applications and digital workloads as soon as the installation is complete. For example, every OpenShift cluster includes a software-defined network provider, a container and source build system and registry, an internet-facing router, and even a system for maintaining and updating cluster components. Contrast this with a cluster provisioned by upstream kubeadm or even the more featureful Kubespray, where adding these and other critical features requires thoughtful and sometimes delicate integration.

Not only does OpenShift offer a ready-to-use Kubernetes environment for developers and operators once deployed, but deployment itself has also become remarkably simple despite the many parts. This is especially true when deploying a cluster in a public cloud provider like Amazon Web Services (AWS). Gone are the days when, before cluster installation could even begin, operators and infrastructure teams would have to provision hardware and operating systems and carefully configure and patch datacenter networks; now cloud providers handle that for you.

Though it's still possible to customize OpenShift and its supporting infrastructure to your heart's content, you can meet many use cases with just the defaults, a cloud provider account, and a few well-written commands.

You can follow along and contribute to the code in the GitHub repository.


Option 1: ROSA: Red Hat OpenShift Service on AWS

I'll start with the simplest option: Red Hat OpenShift Service on AWS (ROSA). A ROSA cluster includes deployment, configuration, and management of required compute, network, and storage resources in AWS, as well as all the resources and services of an OpenShift Kubernetes cluster. In contrast to the other options below, Red Hat's operations teams fully support ROSA environments: open a ticket, and an expert Red Hat SRE will attend to it quickly.

Follow along with the scripts.


Set up your tools

The cores of the ROSA lifecycle are the rosa command-line interface (CLI) tool and the OpenShift Cluster Manager (OCM) service. Get the CLI from the Downloads section of the Red Hat Console (complimentary account required) or as a direct download. The source code is in this GitHub repo. The ROSA CLI invokes OpenShift Cluster Manager (OCM) services, which provision the required infrastructure.

You'll need both Red Hat and AWS credentials to enable the rosa CLI to provision and connect to resources. Your AWS credentials can be specified as exported AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION environment variables, as for the AWS CLI.

To get a token to log in to your Red Hat account, click View API token at the bottom of the Downloads page (shown in the following screenshots), or follow this direct link. On that page, click Load token, then copy the raw token (not the ocm command line), and run rosa login --token="${your_token}". If successful, you will see this message (with your username, of course): I: Logged in as 'joshgavant' on 'https://api.openshift.com'.



To verify that you've logged in successfully to both accounts, run rosa whoami. If the connections are successful, you'll see a list of attributes for each account.

Tip: To quickly enable autocompletion for rosa commands in your current shell session, run . <(rosa completion).


Create IAM roles

Next, create and link AWS identity and access management (IAM) roles defining the limited permissions granted to the cluster manager service and Red Hat operations team members. In the recommended AWS Security Token Service (STS) mode, these roles are applied to short-lived tokens issued to machine and human operators on demand.

The following commands grant required access to the OCM and its installers. The last command creates roles to act as profiles for the EC2 instances. Several additional roles will be automatically created during installation by specifying --admin and --mode=auto.

$ rosa create --yes ocm-role --admin --mode=auto --prefix="ManagedOpenShift"

$ rosa create --yes user-role --mode=auto --prefix="ManagedOpenShift"

$ rosa create --yes account-roles --mode=auto --prefix="ManagedOpenShift"


Create the cluster

Now that your Red Hat account is bound to your AWS account, you can proceed to create your ROSA cluster! Here I'll continue to use the rosa CLI; later I'll mention another approach. Run the following command to create a cluster in STS mode:

$ CLUSTER_NAME=rosa1

$ rosa create --yes cluster --cluster-name "${CLUSTER_NAME}" --sts --mode=auto --watch

You can also interactively provide configuration options when you create the cluster by running rosa create cluster and answering the prompts.


Monitor the installation

Because the command above sets the --watch flag, installation logs stream to stdout, and the command prompt won't return until the installation completes successfully or fails, typically in about 30 minutes. You can also start watching logs anytime with rosa logs install --cluster ${CLUSTER_NAME} --watch.

Finally, you can also review logs and other attributes of your new cluster in the Red Hat Console. Click into it and expand the Show logs section to reach a view like the following:


Use the cluster

Once it's ready, the easiest way to begin using your cluster immediately is to create a one-off cluster-admin user. Later you can allow users from a specific OpenIDConnect (OIDC) identity provider using rosa create oidc-provider ...

## create a cluster-admin user

$ rosa create --yes admin --cluster "${CLUSTER_NAME}"

You'll need URLs to reach the API server and web console of your new cluster; get those with rosa list clusters. Finally, log in to the cluster via the oc CLI: oc login ${api_server_url} --user cluster-admin --password ${admin_password}.
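
The CLI steps above, from login through the one-off admin user, collected into one fail-fast script as an added example (not the article's or Red Hat's own code). The rosa subcommands, flags and the ManagedOpenShift prefix are the ones the article uses; the function names and the convention of reading the API token from a private file, which keeps it out of shell history, are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code: the article's rosa steps as one
# fail-fast script. Function names and the token file are assumptions.
set -eu
PREFIX="ManagedOpenShift"   # role prefix used in the article

# Print the NAMES (never the values) of required AWS variables that are unset.
missing_aws_env() {
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || printf '%s\n' "$name"
  done
}

# Succeed only for a regular file with no group/other permission bits set.
token_file_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1")" in
    -???------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Login, IAM roles, cluster, one-off admin: the article's order, stop on error.
deploy_rosa() {
  cluster_name=$1 token_file=$2
  missing=$(missing_aws_env)
  if [ -n "$missing" ]; then
    echo "unset AWS variables: $missing" >&2; return 2
  fi
  if ! token_file_is_private "$token_file"; then
    echo "token file must not be group/world accessible: $token_file" >&2; return 3
  fi
  rosa login --token="$(cat "$token_file")"
  rosa whoami
  rosa create --yes ocm-role --admin --mode=auto --prefix="$PREFIX"
  rosa create --yes user-role --mode=auto --prefix="$PREFIX"
  rosa create --yes account-roles --mode=auto --prefix="$PREFIX"
  rosa create --yes cluster --cluster-name "$cluster_name" --sts --mode=auto --watch
  rosa create --yes admin --cluster "$cluster_name"
}

# Usage: sh rosa-deploy.sh --deploy <cluster-name> <token-file>
if [ "${1:-}" = "--deploy" ] && [ "$#" -eq 3 ]; then
  deploy_rosa "$2" "$3"
fi
```

The preflight checks run before any rosa call, so a missing AWS variable or a readable-by-others token file stops the run before anything is created in the account.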


Create the cluster via the UI

Instead of using the rosa CLI, once you have linked your Red Hat and AWS accounts as described above, you can also create a cluster using a guided graphical wizard in the Console. On the Clusters page on the Console, click Create cluster. On the Cluster create page, click Create cluster next to the ROSA offering.


Your AWS account will be listed by its ID on the wizard's first page. Follow the prompts to configure and install a cluster.
