Introduction
During this workshop, you will be working on a cluster that you will create yourself in this step. This cluster will be dedicated to you.
CLI deployment modes
This page will take you through the steps to deploy a ROSA cluster using the ROSA CLI.
There are two modes with which to deploy a ROSA w/STS cluster.
One is automatic, which is quicker and will do most of the work for you.
The other is manual, which will require you to execute some extra commands, but will allow you to inspect the roles and policies being created.
This workshop will use the automatic version.
Deployment flow
The overall flow that we will follow boils down to:
-
rosa create account-roles- This is executed only once per account. Once created this does not need to be executed again for more clusters of the same y-stream version. -
rosa create cluster -
rosa create operator-roles(Manual mode only) -
rosa create oidc-provider(Manual mode only)
For each succeeding cluster in the same account for the same y-stream version, only step 2 is needed (or 2-4 for manual mode).
Deploying a cluster in automatic mode
As mentioned above, if you want the ROSA CLI to automate the creation of the roles and policies to create your cluster quickly, then use this method.
Ensure the ELB service role exists
Make sure that the service role for ELB already exists, otherwise the cluster deployment could fail.
-
Run the following to check for the role and create it if it is missing.
aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing" || aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"Sample Output{ "Role": { "Path": "/aws-service-role/elasticloadbalancing.amazonaws.com/", "RoleName": "AWSServiceRoleForElasticLoadBalancing", "RoleId": "AROA5ZWLJ2BAZWKPE75AN", "Arn": "arn:aws:iam::948540395585:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForEl asticLoadBalancing", "CreateDate": "2019-09-07T14:48:48Z", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "elasticloadbalancing.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Description": "Allows ELB to call AWS services on your behalf.", "MaxSessionDuration": 3600, "RoleLastUsed": { "LastUsedDate": "2023-04-05T18:53:02Z", "Region": "us-east-2" } } }
Create account roles
If this is the first time you are deploying ROSA in this account and have not yet created the account roles, then create the account-wide roles and policies, including Operator policies.
-
Run the following command to create the account-wide roles:
rosa create account-roles --mode auto --yesSample OutputI: Logged in as 'rhpds-cloud' on 'https://api.openshift.com' I: Validating AWS credentials... I: AWS credentials are valid! I: Validating AWS quota... I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html I: Verifying whether OpenShift command-line tool is available... I: Current OpenShift Client Version: 4.12.13 I: Creating account roles I: Creating roles using 'arn:aws:iam::948540395585:user/wkulhane@redhat.com-4fgbq' I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::948540395585:role/ManagedOpenShift-Installer-Role' I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::948540395585:role/ManagedOpenShift-ControlPlane-Role' I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::948540395585:role/ManagedOpenShift-Worker-Role' I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::948540395585:role/ManagedOpenShift-Support-Role' I: To create a cluster with these roles, run the following command: rosa create cluster --sts
Create the cluster
-
Run the following command to create a cluster with all the default options except for the cluster version.
Note that for the cluster name you are using
rosa-${GUID}- the environment variableGUIDhas a unique identifier for your environment that will separate yours from any other ROSA cluster.rosa create cluster \ --cluster-name rosa-${GUID} \ --version 4.15.6 \ --sts \ --mode auto \ --yesThis will also create the required operator roles and OIDC provider. If you want to see all available options for your cluster use the
--helpflag or for interactive mode you can use--interactive.You should see a response like the following:
Sample OutputW: In a future release STS will be the default mode. W: --sts flag won't be necessary if you wish to use STS. W: --non-sts/--mint-mode flag will be necessary if you do not wish to use STS. I: Using arn:aws:iam::948540395585:role/ManagedOpenShift-Installer-Role for the Installer role I: Using arn:aws:iam::948540395585:role/ManagedOpenShift-ControlPlane-Role for the ControlPlane role I: Using arn:aws:iam::948540395585:role/ManagedOpenShift-Worker-Role for the Worker role I: Using arn:aws:iam::948540395585:role/ManagedOpenShift-Support-Role for the Support role I: Creating cluster 'rosa-4fgbq' I: To view a list of clusters and their status, run 'rosa list clusters' [... Output Omitted ...] I: Preparing to create OIDC Provider. I: Creating OIDC provider using 'arn:aws:iam::948540395585:user/wkulhane@redhat.com-4fgbq' I: Created OIDC provider with ARN 'arn:aws:iam::948540395585:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/22uvcd13s0d1p8jt6589b22cp1m3u9j3' I: To determine when your cluster is Ready, run 'rosa describe cluster -c rosa-4fgbq'. I: To watch your cluster installation logs, run 'rosa logs install -c rosa-4fgbq --watch'.Sometimes AWS isn’t quite quick enough creating the prerequisites for the cluster.
Examine the output of the create cluster command carefully. If you get an error
E: Failed to retrieve AWS regions: status is 400, identifier is '400', …simply wait a few seconds and then repeat the command to create the cluster.
Default configuration
The default settings are as follows:
-
3 Control plane nodes, 2 infra nodes, 2 worker nodes
-
See here for more details.
-
No autoscaling
-
-
Region: As configured for the
awsCLI -
Networking IP ranges:
-
Machine CIDR: 10.0.0.0/16
-
Service CIDR: 172.30.0.0/16
-
Pod CIDR: 10.128.0.0/14
-
-
New VPC
-
Default AWS KMS key for encryption.
-
The most recent version of OpenShift available to
rosa -
A single availability zone
-
Public cluster
Check installation status
-
You can run the following command to check the detailed status of the cluster:
rosa describe cluster --cluster rosa-${GUID} -
You can also run the following for an abridged view of the status:
rosa list clustersSample OutputID NAME STATE 22uvcd13s0d1p8jt6589b22cp1m3u9j3 rosa-4fgbq installingYou should notice the state change from “waiting” to “installing” to "ready".
This will take about 40 minutes to run.
-
Once the state changes to “ready” your cluster is now installed.
-
You can follow along the installation by watching your cluster installation logs:
rosa logs install -c rosa-${GUID} --watch -
Once you see the following output in the installation log your cluster has finished the installation and is ready to use:
Sample Output[ ... Output Omitted ...] | time="2023-04-05T20:55:39Z" level=debug msg="Still waiting for the cluster to initialize: Cluster operator authentication is not available" / I: Cluster 'rosa-4fgbq' is now readySometimes it can happen that the connection to your bastion VM drops. In that case simply follow the instructions in the Setup section to ssh back into your bastion VM.
-
Verify that the cluster is now ready:
rosa list clustersSample OutputID NAME STATE 22uvcd13s0d1p8jt6589b22cp1m3u9j3 rosa-4fgbq ready