Red Hat OpenShift Deployment on AWS via ROSA Service

Hello everyone, welcome to my article.

In this article, I will cover:

  • What is Red Hat OpenShift Service on AWS (ROSA)?
  • Why ROSA?
  • Which regions does ROSA cover?
  • Types of deployment
  • Prerequisites for deploying a ROSA cluster
  • How to deploy the ROSA cluster
  • Creating a sample application on Red Hat OpenShift

In today's world of serverless architectures there has been a clear shift of customers towards managed services. As a result we are seeing customers migrate from self-managed OpenShift Container Platform (OCP) to the newly available Red Hat OpenShift Service on AWS (ROSA) in order to take advantage of a managed OpenShift cluster, so that they can focus their resources where the business needs them.

What's Red Hat OpenShift Service on AWS

Red Hat OpenShift Service on AWS (ROSA) is a managed service deployed and operated on AWS that allows customers to easily and quickly build, deploy and manage Kubernetes applications on a turnkey application platform in the AWS cloud. ROSA is a native AWS service: it can be accessed on demand from the AWS console, it appears on a single AWS bill, it integrates fully with other AWS services, and it is jointly supported by AWS and Red Hat.

Why Red Hat OpenShift Service on AWS

With ROSA we help businesses respond to customer and competitive demands, and accelerate time-to-value via:

  • Automated Red Hat OpenShift provisioning for deployment management
  • Global Site Reliability Engineering (SRE) expertise with proactive management and operational automation such as upgrades and updates
  • A production-ready turnkey application platform with built-in and integrated tooling for developers and engineers

How does the business benefit?

ROSA allows you to increase operational efficiency, refocus on innovation, and quickly build, deploy and test applications. The key business benefits of ROSA include:

  • Jointly operated and supported by AWS and Red Hat, with an integrated support experience and a 99.95% uptime service-level agreement (SLA).
  • ROSA is available on demand, with a self-service experience through the AWS console.
  • ROSA is integrated with AWS cloud services such as compute, networking, storage, analytics and databases.
  • ROSA is backed by a global team of SREs, and the SRE team understands the code and how it was deployed, configured and monitored.
  • You receive a single bill from AWS for ROSA and your other AWS consumption.

ROSA is a fully managed OpenShift service with joint support from AWS and Red Hat. It became generally available on 24 March 2021. It provides two cluster deployment models: ROSA with hosted control planes (ROSA with HCP) and ROSA classic.

With ROSA with HCP, each cluster has a dedicated control plane that is isolated within Red Hat’s AWS account and managed by Red Hat. With ROSA classic, cluster control plane infrastructure is hosted in the customer’s AWS account.

ROSA with HCP offers a more efficient control plane architecture that helps reduce the AWS infrastructure fees incurred when running ROSA and allows for faster cluster creation times. Both cluster deployment models can be enabled in the AWS ROSA console. You have the choice to select which deployment model you want to use when you provision ROSA clusters using the ROSA CLI.

ROSA with HCP is a Red Hat Technology Preview feature and is available only in the following AWS Regions:

Region Name              Region
US East (N. Virginia)    us-east-1
US East (Ohio)           us-east-2
US West (Oregon)         us-west-2
Europe (Frankfurt)       eu-central-1
Europe (Ireland)         eu-west-1
Asia Pacific (Jakarta)   ap-southeast-3

ROSA Implementation

All ROSA implementations have three master nodes, to provide cluster quorum and to ensure proper fail-over and resilience of OpenShift, and at least two infrastructure nodes, to ensure resilience of the OpenShift router layer that provides end-user application access.

A collection of AWS Elastic Load Balancers is also created. Some of these load balancers provide end-user access to the application workloads running on OpenShift via the OpenShift router layer; others expose the endpoints used for cluster administration and management by the SRE teams.

The OpenShift master nodes host the API endpoints for cluster administration and management, the controllers, and etcd.

The OpenShift infrastructure nodes host the built-in OpenShift container registry, the OpenShift router layer, and monitoring.

ROSA clusters require AWS VPC subnets per Availability Zone (AZ). A single-AZ implementation requires two subnets (one public, one private); a multi-AZ implementation requires six subnets (one public and one private per AZ); a private cluster with PrivateLink requires three private subnets.

The default cluster configuration (single AZ) deploys a basic ROSA cluster into a single AZ. It creates a new VPC with two subnets (one public and one private) in the same AZ. The OpenShift control plane and data plane, i.e. the masters, infrastructure nodes and workers, are all placed into the private subnet of that AZ.

This is the simplest implementation and a good way to start playing with ROSA from a developer point of view. This implementation is not recommended for scale, resilience, or production.


For the purpose of this demo we will create a single-AZ ROSA cluster.

Instructions

Verify the ROSA prerequisites:

  • We need to initially enable the ROSA feature in the AWS account. To get started, enable ROSA to create connections with Red Hat. This connection is required for metering and billing. When you enable ROSA, your account is subscribed to a ROSA listing on AWS Marketplace. To enable it, you must first agree to share your contact information with Red Hat.

IMPORTANT: ROSA doesn't charge fees for enabling the service. By default, ROSA service fees and AWS infrastructure fees are based on hourly usage.


  • To use ROSA we may need to increase the service quotas. Service Quotas is an AWS service that you can use to manage your quotas for many AWS services. ROSA has minimum quotas for Amazon EC2, Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Block Store (Amazon EBS), and Elastic Load Balancing (ELB). To use ROSA, your account's service quotas must meet or exceed the quotas required to run the service. If your quotas aren't sufficient, you can request a quota increase from the Service Quotas console.


  • ROSA uses the Elastic Load Balancing (ELB) service-linked role named AWSServiceRoleForElasticLoadBalancing for the permissions it requires to call Amazon EC2 and Amazon CloudWatch Logs on your behalf. Elastic Load Balancing creates this role for you when you create a load balancer or a target group. If your account doesn't have this role, the role is created for you.


  • AWS and Red Hat account linking: Your AWS and Red Hat accounts must be linked so ROSA can provision infrastructure on your AWS account.
  • AWS account-wide role creation: ROSA uses AWS Identity and Access Management (IAM) roles to obtain permissions required for ROSA support, installation, control plane, and compute functionality. ROSA roles use temporary, short-term credentials to authenticate through integration with AWS Security Token Service (STS).

After you meet the prerequisites on this page, log in to the Red Hat Hybrid Cloud Console and follow the instructions to link your AWS and Red Hat accounts.


Continue to the Red Hat Console. Log in to your Red Hat account with your username and password and the Red Hat Console will open.


We have already enabled the ROSA service in our AWS account, so continue by downloading and installing the ROSA and AWS command line tools (CLI) and adding them to your PATH.


Install the ROSA CLI and the AWS CLI on your client machine to create the ROSA cluster.

  • Download the latest version of the ROSA CLI (rosa) for your operating system from the Downloads page on OpenShift Cluster Manager.
  • Extract the ROSA binary.

[root@rosa ~]# ls | grep rosa
rosa-linux.tar.gz
[root@rosa ~]# tar -xvf rosa-linux.tar.gz
rosa
[root@rosa ~]# ls
anaconda-ks.cfg  aws  awscliv2.zip  rosa  rosa-linux.tar.gz  Templates  Videos

  • Add rosa to your PATH.

[root@rosa ~]# sudo mv rosa /usr/local/bin/rosa

  • Verify that ROSA is successfully installed.

[root@rosa ~]# rosa version
1.2.23

  • Install the AWS CLI as well.

[root@rosa ~]# curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 55.3M  100 55.3M    0     0  4043k      0  0:00:14  0:00:14 --:--:-- 4812k
[root@rosa ~]# unzip awscliv2.zip
[root@rosa ~]# sudo ./aws/install
[root@rosa ~]# aws --version
aws-cli/2.12.6 Python/3.11.4 Linux/5.14.0-284.11.1.el9_2.x86_64 exe/x86_64.rhel.9 prompt/off
[root@rosa ~]# aws configure
AWS Access Key ID [****************TMFC]:
AWS Secret Access Key [****************Wjoz]:
Default region name [ap-south-1]:
Default output format [None]:

We will now create a service-linked role for ELB. Your AWS account must have a service-linked role set up to allow ROSA to use ELB.

  • To check if the role exists for your account, run this command in your terminal:

[root@node1 ~]# aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
{
    "Role": {
        "Path": "/aws-service-role/elasticloadbalancing.amazonaws.com/",
        "RoleName": "AWSServiceRoleForElasticLoadBalancing",
        "RoleId": "AROAVXDQCDULPKVDPO34H",
        "Arn": "arn:aws:iam::XXXXXXX7127:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
        "CreateDate": "2021-01-02T00:39:44+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "elasticloadbalancing.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Description": "Allows ELB to call AWS services on your behalf.",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {}
    }
}

  • If the role doesn't exist, create it by running the following command:

[root@node1 ~]# aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"        
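The check-then-create step above is easy to get wrong in automation: a failing get-role call must be treated as "role missing" only when IAM really reports NoSuchEntity, not when credentials or permissions are the problem. This is an added example (not from the article or the ROSA tooling) that wraps the two aws CLI commands shown above; the runner callback is an assumption that lets the logic be exercised without AWS credentials.

```python
"""Idempotent check for the ELB service-linked role that ROSA requires.

Added example: wraps 'aws iam get-role' and 'aws iam create-service-linked-role'
so the create step only runs when IAM reports NoSuchEntity. Any other failure
(AccessDenied, expired credentials) is raised rather than masked.
"""
import json
import subprocess
from typing import Callable, Optional, Sequence

ELB_SERVICE = "elasticloadbalancing.amazonaws.com"
ELB_ROLE_NAME = "AWSServiceRoleForElasticLoadBalancing"

# A runner takes an argv list and returns (returncode, stdout, stderr).
# It is injectable (assumption for testability) so the logic can run offline.
Runner = Callable[[Sequence[str]], tuple]


def aws_cli(argv: Sequence[str]) -> tuple:
    """Default runner: invoke the real aws CLI, assumed to be on PATH."""
    proc = subprocess.run(list(argv), capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def get_elb_role(run: Runner = aws_cli) -> Optional[dict]:
    """Return the Role document, or None if IAM says the role does not exist."""
    rc, out, err = run(["aws", "iam", "get-role", "--role-name", ELB_ROLE_NAME])
    if rc == 0:
        return json.loads(out)["Role"]
    if "NoSuchEntity" in err:
        return None
    # Permission or credential problems must not look like "role missing".
    raise RuntimeError(f"aws iam get-role failed (rc={rc}): {err.strip()}")


def role_is_elb_service_linked(role: dict) -> bool:
    """Sanity-check the trust policy: only the ELB service may assume the role."""
    if not role.get("Path", "").startswith("/aws-service-role/"):
        return False
    stmts = role["AssumeRolePolicyDocument"]["Statement"]
    if isinstance(stmts, dict):  # IAM allows a single statement object
        stmts = [stmts]
    return all(
        s.get("Effect") == "Allow"
        and s.get("Action") == "sts:AssumeRole"
        and s.get("Principal", {}).get("Service") == ELB_SERVICE
        for s in stmts
    )


def ensure_elb_service_linked_role(run: Runner = aws_cli) -> str:
    """Return 'exists' or 'created'; raise if an existing role is not what ROSA expects."""
    role = get_elb_role(run)
    if role is not None:
        if not role_is_elb_service_linked(role):
            raise RuntimeError("existing role has an unexpected path or trust policy")
        return "exists"
    rc, _, err = run(["aws", "iam", "create-service-linked-role",
                      "--aws-service-name", ELB_SERVICE])
    if rc != 0:
        raise RuntimeError(f"create-service-linked-role failed: {err.strip()}")
    return "created"


if __name__ == "__main__":
    print(ensure_elb_service_linked_role())
```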

Now log in to the ROSA CLI with your Red Hat account token and create the AWS account-wide roles and policies.

  • To authenticate, run the command:

[root@node1 ~]# rosa login --token="eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhZDUyMjdhMy1iY2ZkLTRjZjAtYTdiNi0zOTk4MzVhMDg1NjYifQ.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.Rnq5JJAo1Ne8WbQBQ76X4X2ceD4q13yuiXgUFIAWS6w"

I: Logged in as 'testaccount' on 'https://api.openshift.com'        

  • To create the necessary account-wide roles and policies quickly, use the default auto method that's provided in the ROSA CLI:

[root@node1 ~]# rosa create account-roles --mode auto
I: Logged in as 'testaccount' on 'https://api.openshift.com'
I: Validating AWS credentials...
I: AWS credentials are valid!
I: Validating AWS quota...
I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
I: Verifying whether OpenShift command-line tool is available...
W: OpenShift command-line tool is not installed.
Run 'rosa download oc' to download the latest version, then add it to your PATH.
I: Creating account roles
I: Creating roles using 'arn:aws:iam::XXXXXXX7127:user/ROSA'
I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::XXXXXXX7127:role/ManagedOpenShift-Installer-Role'
I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::XXXXXXX7127:role/ManagedOpenShift-ControlPlane-Role'
I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::XXXXXXX7127:role/ManagedOpenShift-Worker-Role'
I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::XXXXXXX7127:role/ManagedOpenShift-Support-Role'
I: To create an OIDC Config, run the following command:
        rosa create oidc-config
I: To create a cluster with these roles, run the following command:
        rosa create cluster --sts


Verify that your credentials are valid:

  • To verify that the credentials are correct, run the following command. Here we created an IAM user named ROSA and logged in with it.

[root@node1 ~]# rosa whoami
AWS ARN:                      arn:aws:iam::XXXXXXX7127:user/ROSA
AWS Account ID:               XXXXXXX7127
AWS Default Region:           ap-south-1
OCM API:                      https://api.openshift.com
OCM Account Email:            [email protected]
OCM Account ID:               2XXXXXjOxjwKbd7bn5ILWjb
OCM Account Name:             test
OCM Account Username:         testaccount
OCM Organization External ID: 13696129
OCM Organization ID:          2XXXXXXmMJ3dmv6VLzZhk5LF9F
OCM Organization Name:        test

  • To verify that your AWS account has enough quota in the region where you will deploy the cluster, run this command:

[root@node1 ~]# rosa verify quota
I: Validating AWS quota...
I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html

Now we will deploy the cluster with the CLI. Let's create a cluster named hemantcluster. (The cluster name must be lowercase and at most 15 characters.)

  • Initialize ROSA. By default this creates an IAM user named “osdCcsAdmin”. This user is used for the installation if we do not want to enable AWS STS.

[root@node1 ~]# rosa init
I: Logged in as 'testaccount' on 'https://api.openshift.com'
I: Validating AWS credentials...
I: AWS credentials are valid!
I: Verifying permissions for non-STS clusters
I: Validating SCP policies...
I: AWS SCP policies ok
I: Validating AWS quota...
I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
I: Ensuring cluster administrator user 'osdCcsAdmin'...
I: Admin user 'osdCcsAdmin' created successfully!
I: Validating SCP policies for 'osdCcsAdmin'...
I: AWS SCP policies ok
I: Validating cluster creation...
W: Cluster creation failed. If you create a cluster, it should fail with the following error:
required total number of vCPU quota for install is '40': '24' vCPU for control plane nodes, '8' vCPU for infra nodes and '8' vCPU for compute nodes, which exceeds the available vCPU quota of '32'
I: Verifying whether OpenShift command-line tool is available...
W: OpenShift command-line tool is not installed.
Run 'rosa download oc' to download the latest version, then add it to your PATH.

Now we will create the cluster with the following choices:

  • Cluster name: hemantcluster
  • Hosted control plane: No (technology preview)
  • AWS STS: No; instead we use the IAM credentials created during rosa init.
  • OpenShift version: the latest, 4.13.4
  • The Instance Metadata Service (IMDS) can be configured on each instance so that local code or users must use IMDSv2. We are not doing that here.
  • This is a single-AZ cluster deployment.
  • Region: ap-south-1
  • The AWS PrivateLink cluster option provides private connectivity between VPCs, AWS services and your on-premises networks without exposing your traffic to the public internet. Once the cluster is created, this option cannot be changed. We are not using it here.
  • Provide the machine CIDR, service CIDR and pod CIDR.
  • We are not using an existing VPC (that would require 2 subnets).
  • Selected availability zone: ap-south-1a
  • AWS KMS keys are the primary resource in AWS KMS. You can use a KMS key to encrypt, decrypt and re-encrypt data, and it can generate data keys for use outside AWS KMS. We are not enabling a customer-managed key.
  • Instance type: m5.xlarge (default)
  • We are not using the autoscaling feature for now.
  • We use 3 compute nodes (the default is 2).
  • Host prefix: 23
  • We are not encrypting the etcd data.
  • Workload monitoring is enabled.
  • Finally the cluster creation starts. The CLI also prints the command to create the same cluster again in future.
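Before committing to the values above it is worth checking that the three CIDRs do not overlap and what capacity the host prefix implies, because those settings cannot be changed once the cluster exists. The following is an added example, not code from the article or the ROSA CLI: it validates the name and network inputs from the session above and assembles the same non-interactive command that rosa prints at the end. The name rule (lowercase, at most 15 characters, DNS-label shape) is taken from the article and is an assumption beyond that.

```python
"""Validate ROSA cluster inputs and build the non-interactive create command.

Added example, not from the article. The CIDR overlap and host-prefix arithmetic
are ordinary IPv4 subnet math; the flags match the command rosa printed in the
session above.
"""
import re
from ipaddress import IPv4Network

# Values entered in the interactive session (page values).
CLUSTER_NAME = "hemantcluster"
REGION = "ap-south-1"
VERSION = "4.13.4"
REPLICAS = 3
MACHINE_TYPE = "m5.xlarge"
MACHINE_CIDR = "10.0.0.0/16"
SERVICE_CIDR = "172.30.0.0/16"
POD_CIDR = "10.128.0.0/14"
HOST_PREFIX = 23
AVAILABILITY_ZONE = "ap-south-1a"


def validate_cluster_name(name: str) -> str:
    """Lowercase and at most 15 characters (the article's rule); the DNS-label
    shape (letter first, then letters/digits/hyphens) is an assumption."""
    if len(name) > 15:
        raise ValueError(f"cluster name {name!r} is longer than 15 characters")
    if not re.fullmatch(r"[a-z](?:[a-z0-9-]*[a-z0-9])?", name):
        raise ValueError(f"cluster name {name!r} must be a lowercase DNS label")
    return name


def network_plan(machine_cidr: str, service_cidr: str, pod_cidr: str,
                 host_prefix: int) -> dict:
    """Reject overlapping CIDRs and derive the pod-network capacity implied by
    the host prefix (each node is allocated one /host_prefix block of the pod CIDR)."""
    nets = {
        "machine": IPv4Network(machine_cidr),
        "service": IPv4Network(service_cidr),
        "pod": IPv4Network(pod_cidr),
    }
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} CIDR {nets[a]} overlaps {b} CIDR {nets[b]}")
    pod = nets["pod"]
    if not pod.prefixlen < host_prefix <= 30:
        raise ValueError(
            f"host prefix /{host_prefix} must be longer than the pod CIDR /{pod.prefixlen}")
    return {
        "max_nodes": 2 ** (host_prefix - pod.prefixlen),
        "pod_addresses_per_node": 2 ** (32 - host_prefix),
        "machine_addresses": nets["machine"].num_addresses,
    }


def build_create_command(name, region, version, replicas, machine_type,
                         machine_cidr, service_cidr, pod_cidr, host_prefix, az) -> str:
    """Validate the inputs, then return the command line rosa itself suggested."""
    validate_cluster_name(name)
    network_plan(machine_cidr, service_cidr, pod_cidr, host_prefix)
    return (
        f"rosa create cluster --cluster-name {name} --region {region} --version {version}"
        f" --replicas {replicas} --compute-machine-type {machine_type}"
        f" --machine-cidr {machine_cidr} --service-cidr {service_cidr} --pod-cidr {pod_cidr}"
        f" --host-prefix {host_prefix} --availability-zones {az}"
    )


if __name__ == "__main__":
    print(network_plan(MACHINE_CIDR, SERVICE_CIDR, POD_CIDR, HOST_PREFIX))
    print(build_create_command(CLUSTER_NAME, REGION, VERSION, REPLICAS, MACHINE_TYPE,
                               MACHINE_CIDR, SERVICE_CIDR, POD_CIDR, HOST_PREFIX,
                               AVAILABILITY_ZONE))
```

With the article's values the pod CIDR /14 split into /23 blocks allows 512 nodes with 512 pod addresses each.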

[root@node1 ~]# rosa create cluster
I: Enabling interactive mode
? Cluster name: hemantcluster
? Technology Preview: Enable the use of Hosted Control Planes
? Deploy cluster with Hosted Control Plane (optional): No
? Use AWS Security Token Service (STS) instead of IAM credentials to deploy your cluster.
? Deploy cluster using AWS STS: No
W: In a future release STS will be the default mode.
W: --sts flag won't be necessary if you wish to use STS.
W: --non-sts/--mint-mode flag will be necessary if you do not wish to use STS.
? OpenShift version: [Use arrows to move, type to filter, ? for more help]
> 4.13.4
  4.13.3
  4.13.2
  4.13.1
? OpenShift version: 4.13.4
? Configure the use of IMDSv2 for ec2 instances, 'optional' or 'required'.
? Configure the use of IMDSv2 for ec2 instances optional/required (optional):
? Tags (optional):
? Multiple availability zones (optional): No
? AWS region: ap-south-1
? Provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. Once the cluster is created, this option cannot be changed.
? PrivateLink cluster (optional): No
? Private cluster (optional): No
? Block of IP addresses used by OpenShift while installing the cluster, for example "10.0.0.0/16".
? Machine CIDR: 10.0.0.0/16
? Service CIDR: 172.30.0.0/16
? Pod CIDR: 10.128.0.0/14
? Install into an existing VPC (optional): No
? Select availability zones (optional): Yes
? Availability zone:  [Use arrows to move, type to filter, ? for more help]
> ap-south-1a
  ap-south-1b
  ap-south-1c
? Availability zone: ap-south-1a
? Enable Customer Managed key (optional): No
? Compute nodes instance type:  [Use arrows to move, type to filter, ? for more help]
  m5a.xlarge
  m5d.metal
  m5.metal
> m5.xlarge
  m6a.12xlarge
  m6a.16xlarge
  m6a.24xlarge
? Compute nodes instance type: m5.xlarge
? Enable autoscaling (optional): No
? Number of worker nodes to provision. Single zone clusters need at least 2 nodes, multizone clusters need at least 3 nodes.
? Compute nodes: 3
? Labels for the default machine pool. Format should be a comma-separated list of 'key=value'. This list will overwrite any modifications made to Node labels on an ongoing basis.
? Default machine pool labels (optional):
? Host prefix: 23
? Enable FIPS support (optional): No
? Encrypt etcd data (optional): No
? Disable Workload monitoring (optional): No
I: Creating cluster 'hemantcluster'
I: To create this cluster again in the future, you can run:
   rosa create cluster --cluster-name hemantcluster --region ap-south-1 --version 4.13.4 --replicas 3 --compute-machine-type m5.xlarge --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 --availability-zones ap-south-1a
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'hemantcluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.

Name:                       hemantcluster
ID:                         24udtppktr169kmraeq8ai52tfmp1b2q
External ID:
Control Plane:              Customer Hosted
OpenShift Version:
Channel Group:              stable
DNS:                        Not ready
AWS Account:                XXXXXXX7127
API URL:
Console URL:
Region:                     ap-south-1
Multi-AZ:                   false
Nodes:
 - Control plane:           3
 - Infra:                   2
 - Compute:                 3
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
State:                      pending (Preparing account)
Private:                    No
Created:                    Jul 12 2023 22:45:02 UTC
Details Page:               https://console.redhat.com/openshift/details/s/2SUWzbeFDgXRO172WS66fDVuiZS
I: To determine when your cluster is Ready, run 'rosa describe cluster -c hemantcluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c hemantcluster --watch'.

Finally the cluster starts installing, which is also visible on the OpenShift dashboard. Cluster creation takes upwards of 40 minutes.

A few commands to check the cluster status:

  • To list the cluster.

[root@node1 ~]# rosa list clusters
ID                                NAME           STATE       TOPOLOGY
24udtppktr169kmraeq8ai52tfmp1b2q  hemantcluster  installing  Classic

  • To describe the cluster.

[root@node1 ~]# rosa describe cluster -c hemantcluster
Name:                       hemantcluster
ID:                         24udtppktr169kmraeq8ai52tfmp1b2q
External ID:                1b00bda8-d867-46fd-83ed-dedb179b8621
Control Plane:              Customer Hosted
OpenShift Version:
Channel Group:              stable
DNS:                        hemantcluster.wqjc.p1.openshiftapps.com
AWS Account:                XXXXXXX7127
API URL:
Console URL:
Region:                     ap-south-1
Multi-AZ:                   false
Nodes:
 - Control plane:           3
 - Infra:                   2
 - Compute:                 3
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
Infra ID:                   hemantcluster-7rhpz
State:                      installing (Cluster is installing)
Private:                    No
Created:                    Jul 12 2023 22:45:02 UTC
Details Page:               https://console.redhat.com/openshift/details/s/2SUWzbeFDgXRO172WS66fDVuiZS

  • To follow the installation logs in real time.

[root@node1 ~]# rosa logs install -c hemantcluster --watch
time="2023-07-12T22:49:04Z" level=debug msg="        }"
time="2023-07-12T22:49:04Z" level=debug
time="2023-07-12T22:49:04Z" level=debug msg="      + network_interface {"
time="2023-07-12T22:49:04Z" level=debug msg="          + delete_on_termination = false"
time="2023-07-12T22:49:04Z" level=debug msg="          + device_index          = 0"
time="2023-07-12T22:49:04Z" level=debug msg="          + network_card_index    = 0"
time="2023-07-12T22:49:04Z" level=debug msg="          + network_interface_id  = (known after apply)"
time="2023-07-12T22:49:04Z" level=debug msg="        }"
time="2023-07-12T22:49:04Z" level=debug
time="2023-07-12T22:49:04Z" level=debug msg="      + private_dns_name_options {"

Finally the cluster is created and is ready.

[root@node1 ~]# rosa describe cluster -c hemantcluster
Name:                       hemantcluster
ID:                         24udtppktr169kmraeq8ai52tfmp1b2q
External ID:                1b00bda8-d867-46fd-83ed-dedb179b8621
Control Plane:              Customer Hosted
OpenShift Version:          4.13.4
Channel Group:              stable
DNS:                        hemantcluster.wqjc.p1.openshiftapps.com
AWS Account:                XXXXXXX7127
API URL:                    https://api.hemantcluster.wqjc.p1.openshiftapps.com:6443
Console URL:                https://console-openshift-console.apps.hemantcluster.wqjc.p1.openshiftapps.com
Region:                     ap-south-1
Multi-AZ:                   false
Nodes:
 - Control plane:           3
 - Infra:                   2
 - Compute:                 3
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
Infra ID:                   hemantcluster-7rhpz
State:                      ready                                        <<<<<<<<<<<<<<<<
Private:                    No
Created:                    Jul 12 2023 22:45:02 UTC
Details Page:               https://console.redhat.com/openshift/details/s/2SUWzbeFDgXRO172WS66fDVuiZS

Now we will create an admin user to log in to the cluster. This command prints the oc login command with the admin username and password together with the API URL.

[root@node1 ~]# rosa create admin -c hemantcluster
I: Admin account has been added to cluster 'hemantcluster'.
I: Please securely store this generated password. If you lose this password you can delete and recreate the cluster admin user.
I: To login, run the following command:
   oc login https://api.hemantcluster.wqjc.p1.openshiftapps.com:6443 --username cluster-admin --password HYuSB-CrVA9-Tguzn-cyBVQ
I: It may take several minutes for this access to become active.

To use the oc command we first need to install it on the client node. Once the download completes, add the binary to the PATH and the command is ready to use.

[root@node1 ~]# rosa download oc
I: Verifying whether OpenShift command-line tool is available...
W: OpenShift command-line tool is not installed.
Run 'rosa download oc' to download the latest version, then add it to your PATH.
I: Downloading https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz
Downloading... 60 MB complete
I: Successfully downloaded openshift-client-linux.tar.gz
[root@node1 ~]# ls | grep openshift-client-linux.tar.gz
openshift-client-linux.tar.gz
[root@node1 ~]# tar -xvf openshift-client-linux.tar.gz
README.md
oc
kubectl
[root@node1 ~]# sudo mv oc /usr/local/bin/oc

Now log in to your cluster with the oc login command.

[root@node1 ~]# oc login https://api.hemantcluster.wqjc.p1.openshiftapps.com:6443 --username cluster-admin --password HYuSB-CrVA9-Tguzn-cyBVQ
Login successful.

You have access to 102 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
Welcome! See 'oc help' to get started.
[root@node1 ~]# oc get nodes
NAME                                          STATUS   ROLES                  AGE   VERSION
ip-10-0-138-142.ap-south-1.compute.internal   Ready    worker                 13h   v1.26.5+7d22122
ip-10-0-147-201.ap-south-1.compute.internal   Ready    worker                 13h   v1.26.5+7d22122
ip-10-0-167-46.ap-south-1.compute.internal    Ready    control-plane,master   13h   v1.26.5+7d22122
ip-10-0-170-191.ap-south-1.compute.internal   Ready    infra,worker           12h   v1.26.5+7d22122
ip-10-0-177-18.ap-south-1.compute.internal    Ready    worker                 13h   v1.26.5+7d22122
ip-10-0-177-40.ap-south-1.compute.internal    Ready    control-plane,master   13h   v1.26.5+7d22122
ip-10-0-184-110.ap-south-1.compute.internal   Ready    infra,worker           12h   v1.26.5+7d22122
ip-10-0-223-136.ap-south-1.compute.internal   Ready    control-plane,master   13h   v1.26.5+7d22122

From the cluster console UI, click on htpasswd and enter the username and password.

Time to deploy a sample app. I used the sample app from the Amazon EKS documentation at https://docs.aws.amazon.com/eks/latest/userguide/load-balancing.html: the nginx image is pulled from the Amazon ECR Public registry and an AWS Classic ELB is provisioned.

Here is the sample manifest file (nginx.yml). It contains the Deployment; the Service is created in a later step with oc expose.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: public.ecr.aws/nginx/nginx:1.23
          ports:
            - name: tcp
              containerPort: 80

[root@node1 ~]# oc apply -f nginx.yml
deployment.apps/nginx-app created
[root@node1 ~]# oc get deployment
NAME        READY   UP-TO-DATE   AVAILABLE   AGE
nginx-app   0/3     3            0           7s
[root@node1 ~]# oc get deployment
NAME        READY   UP-TO-DATE   AVAILABLE   AGE
nginx-app   0/3     3            0           11s
[root@node1 ~]# oc get pods
NAME                         READY   STATUS    RESTARTS   AGE
nginx-app-78ddc8bc75-bt4fb   1/1     Running   0          13s
nginx-app-78ddc8bc75-crplf   1/1     Running   0          13s
nginx-app-78ddc8bc75-mxmkp   1/1     Running   0          13s
[root@node1 ~]# oc get pods
NAME                         READY   STATUS    RESTARTS   AGE
nginx-app-78ddc8bc75-bt4fb   1/1     Running   0          15s
nginx-app-78ddc8bc75-crplf   1/1     Running   0          15s
nginx-app-78ddc8bc75-mxmkp   1/1     Running   0          15s
[root@node1 ~]# oc get deployment
NAME        READY   UP-TO-DATE   AVAILABLE   AGE
nginx-app   3/3     3            3           20s

Once the deployment is ready and the pods start running, we create a service to access the application.

[root@node1 ~]# oc expose deployment/nginx-app
service/nginx-app exposed
[root@node1 ~]# oc get svc/nginx-app
NAME        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
nginx-app   ClusterIP   172.30.200.118   <none>        80/TCP    9s

This is the Service object that oc expose created.

[root@node1 ~]# oc edit svc/nginx-app -o yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2023-07-13T12:30:50Z"
  name: nginx-app
  namespace: default
  resourceVersion: "459019"
  uid: 5bfd1a59-d202-45f4-9d88-556adc86d452
spec:
  clusterIP: 172.30.200.118
  clusterIPs:
  - 172.30.200.118
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Now we will create a route to the nginx-app application to access the application on the browser. We are creating the route using the UI.


The route is visible from the CLI as well.

[root@node1 ~]# oc get route -n default
NAME          HOST/PORT                                                          PATH   SERVICES    PORT   TERMINATION   WILDCARD
nginx-route   nginx-route-default.apps.hemantcluster.wqjc.p1.openshiftapps.com          nginx-app   80                   None

Accessing the route in a browser shows the nginx welcome page.

From the CLI:

[root@node1 ~]# curl nginx-route-default.apps.hemantcluster.wqjc.p1.openshiftapps.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Please refer to the following documentation for more details:

  1. AWS ROSA home page: https://aws.amazon.com/rosa/
  2. https://cloud.redhat.com/learning/learn:getting-started-red-hat-openshift-service-aws-rosa/resource/resources:how-deploy-cluster-red-hat-openshift-service-aws-using-cli


Keshav Khatore

Cloud Engineer | 5X Azure| AWS | CKA | CKAD | CKS | GitLab Certified| RedHat Open shift

1 year

Informative article.

Rajib Das

Manager-Technical @ HCLSoftware ; Cloud DevOps| K8s| Bicep| Azure DevOps| 3x Azure| 1x AWS| OpenShift| SaaS

1 year

Thanks for this

Dhinesh Kumar

Learn OpenShift for Free! - Follow me and Learn OpenShift - OpenShift Architect / Community Lead | assistedcloud.com

1 year

Very detailed writeup. Thanks Milind Verma for your contribution.

Anilabha B.

Associate SME at Red Hat

1 year

Informative article, Thanks for sharing Milind Verma !

Vimal Daga

World Record Holder | 2x TEDx Speaker | Philanthropist | Sr. Principal Consultant | Entrepreneur | Founder LW Informatics | Founder Hash13 pvt ltd | Founder IIEC

1 year

Nice
