Red Hat OpenShift Platform on AWS (ROSA) 快速部署上手

事前準備：

開始前，需要先準備以下資訊與要求。

啟用 ROSA

開始配置 AWS 服務前，使用者必須以 IAM 身份(參考文件: Customer Requirements)

登入 AWS 管理控制台，確認當前使用者已啟用 Red Hat OpenShift服務

下載 AWS CLI 與 OpenShift CLI 工具:

URL Dowload

選擇當前環境下載對應CLI ( Command-line interface (CLI) tools)

Command Dowload

下載 AWS/OpenShift CLI 工具，並解壓縮檔案到 /usr/local/bin/ 底下:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


# CLI
$ wget -c https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/rosa/latest/rosa-linux.tar.gz -O - | tar -xz
$ mv rosa /usr/local/bin/
$ rosa version
1.1.1

$ wget -c https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.8/openshift-client-linux.tar.gz -O - | tar -xz
$ mv {oc,kubectl} /usr/local/bin/
$ oc version
Client Version: 4.8.2
$ oc version
Client Version: 4.8.10
Server Version: 4.8.12
Kubernetes Version: v1.21.1+d8043e1

創建 Red Hat 帳號 OpenShift 由 Red Hat SaaS 提供，因此您需要創建一個 Red Hat 帳戶。 https://cloud.redhat.com/

透過 ROSA 指令檢查憑證與資源配置

這邊以 Red Hat 部署 ROSA 文件部署為主 (Red Hat OpenShift Service on AWS - Creating a ROSA cluster)

首先，使用 ROSA CLI 檢查 AWS 憑證

1
2
3


$ rosa verify permissions
I: Validating SCP policies...
I: AWS SCP policies ok

第一次登錄時，你會需要一個 Token 來登入你的 Red Hat 帳號

需要創建一組 Red Hat 帳號

確認登入訊息：

1
2


$ rosa login
I: Logged in as '[email protected]' on 'https://api.openshift.com'

配置完成後可以透過 rosa whoami 來檢查你目前所有登錄憑證與狀態

Red Hat 帳號會附帶 OpenShift Cluster Manager (OCM) 資訊與你的 AWS 帳戶顯示。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


$ rosa whoami
AWS Account ID:               xxxxxxxxxxxx
AWS Default Region:           us-west-2
AWS ARN:                      arn:aws:iam::xxxxxxxxxxxx:user/user
OCM API:                      https://api.openshift.com
OCM Account ID:               xxxxxxxxxxxxxxxxxxxxxx
OCM Account Name:             xxxxxx
OCM Account Username:         [email protected]
OCM Account Email:            [email protected]
OCM Organization ID:         xxxxxxxxxxxxxxxxxxxxxx
OCM Organization Name:        Red Hat
OCM Organization External ID: xxxxxxxx

以上檢查沒問題後，接下運行 rosa init 運行指令來確保 ROSA 配置與相關資源狀態沒問題

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16


$ rosa init
I: Logged in as '[email protected]' on 'https://api.openshift.com'
I: Validating AWS credentials...
I: AWS credentials are valid!
I: Validating SCP policies...
I: AWS SCP policies ok
I: Validating AWS quota...
I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
I: Ensuring cluster administrator user 'osdCcsAdmin'...
I: Admin user 'osdCcsAdmin' already exists!
I: Validating SCP policies for 'osdCcsAdmin'...
I: AWS SCP policies ok
I: Validating cluster creation...
I: Cluster creation valid
I: Verifying whether OpenShift command-line tool is available...
I: Current OpenShift Client Version: 4.8.10

需要驗證當前環境，是否已經登入 AWS並確認透過rosa init 來確認 AWS 資源與配置是否能足夠創建 OpenShift

申請 AWS 帳戶配額

在配置 ROSA 時作為預先檢查 $ rosa verify quota --region=${cluster} 叢集名稱。如果您在剛剛部署但未執行任何操作的帳戶上運行它，您將收到錯誤訊息 EC2 quota 配置不足。

1
2
3
4
5


$ rosa verify quota --region=us-west-2
I: Validating AWS quota...
E: Insufficient AWS quotas
E: Service quota is insufficient for the following service quota codes:
- Service ec2 quota code L-1216C47A Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances not valid, expected quota of at least 100, but got 5

這邊需要額外申請 AWS EC2 限制增加配額

需要提供申請需求與相關資訊，才能申請限制配額成功

相關配額資訊參考

以上完成申請後，再次驗證

1
2
3


$ rosa verify quota --region=us-west-2
I: Validating AWS quota...
I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.htm

透過 ROSA 指令快速創建 Red Hat OpenShift

透過 rosa create cluster 開始部署 OpenShift Cluster (部署Cluster 大約需要30-40分鐘)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31


$ rosa create cluster --cluster-name=rosacluster
I: Creating cluster 'rosacluster'
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'rosacluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
I: To determine when your cluster is Ready, run 'rosa describe cluster -c newsblogcluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c newsblogcluster --watch'.
Name:                       newsblogcluster
ID:                         XXXXXXXXXXXXXXXXXXXX
External ID:                
OpenShift Version:          
Channel Group:              stable
DNS:                        newsblogcluster.phnh.p1.openshiftapps.com
AWS Account:                123456789012
API URL:                    
Console URL:                
Region:                     xxxxxxxxxxx
Multi-AZ:                   false
Nodes:
 - Master:                  3
 - Infra:                   2
 - Compute:                 2 (m5.xlarge)
Network:
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
State:                      pending (Preparing account)
Private:                    No
Created:                    xxxxxxxxxxxxxxxx
Details Page:               https://cloud.redhat.com/openshift/details/XXXXXXXXXXXXXXXXXXXX

執行命令後，您可以透過 rosa describe cluster 或 rosa logs install 指令檢查 OpenShift Cluster 狀態。您還可以從 URL 訪問 OpenShift Console 進行確認。

1
2
3
4
5
6
7
8
9


$ rosa create admin -c rosacluster
W: It is recommended to add an identity provider to login to this cluster. See 'rosa create idp --help' for more information.
I: Admin account has been added to cluster 'rosacluster'.
I: Please securely store this generated password. If you lose this password you can delete and recreate the cluster admin user.
I: To login, run the following command:

   oc login https://api.rosacluster.hffh.p1.openshiftapps.com:6443 --username cluster-admin --password fTwWy-rYJJU-wUua7-W3G6Z

I: It may take up to a minute for the account to become active.

1
2
3
4
5
6


$ oc login https://api.rosacluster.hffh.p1.openshiftapps.com:6443 --username cluster-admin --password fTwWy-rYJJU-wUua7-W3G6Z
Login successful.

You have access to 87 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".

1
2
3
4
5
6
7
8
9


$ oc get no
NAME                                         STATUS   ROLES          AGE   VERSION
ip-10-0-153-95.us-west-2.compute.internal    Ready    worker         42m   v1.21.1+d8043e1
ip-10-0-171-119.us-west-2.compute.internal   Ready    infra,worker   17m   v1.21.1+d8043e1
ip-10-0-175-165.us-west-2.compute.internal   Ready    infra,worker   18m   v1.21.1+d8043e1
ip-10-0-202-234.us-west-2.compute.internal   Ready    master         49m   v1.21.1+d8043e1
ip-10-0-239-231.us-west-2.compute.internal   Ready    master         49m   v1.21.1+d8043e1
ip-10-0-242-134.us-west-2.compute.internal   Ready    master         49m   v1.21.1+d8043e1
ip-10-0-252-208.us-west-2.compute.internal   Ready    worker         42m   v1.21.1+d8043e1

刪除 Cluster

rosa delete cluster 可以使用指令刪除使用 ROSA 創建的cluster。順便說一下，集群的刪除在大約 10 分鐘內完成。

1
2
3
4


$ rosa delete cluster --cluster=rosacluster
? Are you sure you want to delete cluster rosacluster? Yes
I: Cluster 'rosacluster' will start uninstalling now
I: To watch your cluster uninstallation logs, run 'rosa logs uninstall -c rosacluster --watch

Reference

rosaworkshop.io