This is a checklist of prerequisites needed to create a {product-title} (ROSA) classic cluster with STS.

NOTE: This is a high level checklist and your implementation can vary.

Before running the installation process, verify that you deploy this from a machine that has access to:

* The API services for the cloud to which you provision.
* Access to `api.openshift.com` and `sso.redhat.com`.
* The hosts on the network that you provision.
* The internet to obtain installation media.
Accounts and CLIs you must install to deploy the cluster.

* Gather the following details:
** AWS IAM User
** AWS Access Key ID
** AWS Secret Access Key
* Ensure that you have the right permissions as detailed in AWS managed IAM policies for ROSA and About IAM resources for ROSA clusters that use STS.
* See Account for more details.

* Install from AWS Command Line Interface if you have not already.
* Configure the CLI:
. Enter `aws configure` in the terminal:
+
----
$ aws configure
----
. Enter the AWS Access Key ID and press Enter.
. Enter the AWS Secret Access Key and press Enter.
. Enter the default region you want to deploy into.
. Enter the output format you want, “table” or “json”.
* Verify the output by running:
+
----
$ aws sts get-caller-identity
----
* Ensure that the service role for ELB already exists by running:
+
----
$ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
----
** If it does not exist, run:
+
----
$ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
----
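The two verification commands above are usually run by hand and read by eye. The following script is an added example (not part of the ROSA documentation or the `rosa` tooling): it wraps `aws sts get-caller-identity` and `aws iam get-role --role-name AWSServiceRoleForElasticLoadBalancing`, parses their JSON output, and distinguishes "the role is missing" from "I was not allowed to look", which matters when an SCP is in play. The sample identity and error text are constructed; the service-linked role path `/aws-service-role/elasticloadbalancing.amazonaws.com/` is the standard IAM path for that role.

```python
"""Preflight for the AWS account and CLI items in the checklist above.

Added example (not part of the ROSA documentation). It wraps the two
verification commands the checklist already uses, `aws sts get-caller-identity`
and `aws iam get-role --role-name AWSServiceRoleForElasticLoadBalancing`,
parses their output, and reports; it never creates the role itself.
Run with --live to query AWS; without it the constructed samples are used.
"""
import json
import subprocess
import sys

ELB_SLR_NAME = "AWSServiceRoleForElasticLoadBalancing"
ELB_SLR_SERVICE = "elasticloadbalancing.amazonaws.com"

# Constructed sample CLI outputs (not real account data) so the parsers can be
# exercised without AWS access.
SAMPLE_IDENTITY = ('{"UserId": "AIDAEXAMPLEID", "Account": "123456789012", '
                   '"Arn": "arn:aws:iam::123456789012:user/rosa-admin"}')
SAMPLE_MISSING_ROLE_STDERR = (
    "An error occurred (NoSuchEntity) when calling the GetRole operation: "
    f"The role with name {ELB_SLR_NAME} cannot be found.")


def run_aws(args):
    """Run an AWS CLI command; returns (returncode, stdout, stderr)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def summarize_caller_identity(stdout):
    """Reduce `aws sts get-caller-identity` output to account, ARN and
    principal type (user, role, assumed-role, root) so you can confirm the
    credentials entered in `aws configure` belong to the intended IAM user."""
    data = json.loads(stdout)
    arn = data["Arn"]
    # ARN resource part: user/NAME, role/NAME, assumed-role/ROLE/SESSION, root
    resource = arn.split(":", 5)[5]
    return {"account": data["Account"], "arn": arn,
            "principal_type": resource.split("/", 1)[0]}


def elb_service_linked_role_status(returncode, stdout, stderr):
    """Interpret `aws iam get-role` for the ELB service-linked role.

    "present": role exists under the service-linked path for ELB.
    "missing": IAM returned NoSuchEntity, so the checklist's
               create-service-linked-role step is still needed.
    Any other failure (for example AccessDenied from an SCP) raises, so a
    permission problem is never mistaken for a missing role.
    """
    if returncode == 0:
        role = json.loads(stdout)["Role"]
        # Service-linked roles live under /aws-service-role/<service>/
        if role.get("Path") == f"/aws-service-role/{ELB_SLR_SERVICE}/":
            return "present"
        return "present-but-not-service-linked"
    if "NoSuchEntity" in stderr:
        return "missing"
    raise RuntimeError(f"get-role failed: {stderr.strip()}")


def report(identity_stdout, role_result):
    """Build the human-readable preflight lines from parsed results."""
    ident = summarize_caller_identity(identity_stdout)
    status = elb_service_linked_role_status(*role_result)
    lines = [f"account {ident['account']} as {ident['principal_type']} ({ident['arn']})",
             f"{ELB_SLR_NAME}: {status}"]
    if status == "missing":
        lines.append("next: aws iam create-service-linked-role "
                     f"--aws-service-name {ELB_SLR_SERVICE}")
    return lines


if __name__ == "__main__":
    if "--live" in sys.argv:
        rc, out, err = run_aws(["sts", "get-caller-identity"])
        if rc != 0:
            sys.exit(f"credentials not configured: {err.strip()}")
        lines = report(out, run_aws(["iam", "get-role", "--role-name", ELB_SLR_NAME]))
    else:
        lines = report(SAMPLE_IDENTITY, (254, "", SAMPLE_MISSING_ROLE_STDERR))
    print("\n".join(lines))
```

Treating any non-`NoSuchEntity` failure as an error rather than as "missing" is deliberate: if `get-role` is denied, running `create-service-linked-role` will also be denied, and the real fix is the permission, not the role.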
* Create a {hybrid-console} account if you have not already.

* Enable ROSA from your AWS account on the AWS console if you have not already.
* Install the CLI from Installing the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, or from the OpenShift console AWS console.
* Enter `rosa login` in a terminal; this prompts you to go to the token page through the console:
+
----
$ rosa login
----
. Log in with your Red Hat account credentials.
. Click the Load token button.
. Copy the token, paste it back into the CLI prompt, and press Enter.
. Alternatively, you can copy the full `$ rosa login --token=abc…` command and paste that in the terminal:
+
----
$ rosa login --token=<abc..>
----
* Verify your credentials by running:
+
----
$ rosa whoami
----
* Ensure you have sufficient quota by running:
+
----
$ rosa verify quota
----
** See Provisioned AWS Infrastructure for more details on the AWS services provisioned for a ROSA cluster.
** See Required AWS service quotas for more details on AWS service quotas.

* Install from Getting started with the OpenShift CLI or from the OpenShift console Command-line interface (CLI) tools.
* Verify that the OpenShift CLI has been installed correctly by running:
+
----
$ rosa verify openshift-client
----

Once you have the above prerequisites installed and enabled, proceed to the next steps.
ROSA clusters are hosted in an AWS account within an AWS organizational unit. A service control policy (SCP) is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access.

* Ensure that your organization’s SCPs are not more restrictive than the roles and policies required by the cluster.
* Ensure that your SCP is configured to allow the required `aws-marketplace:Subscribe` permission when you choose Enable ROSA from the console. See AWS Organizations service control policy (SCP) is denying required AWS Marketplace permissions for more details.
* When you create a ROSA classic cluster, an associated AWS OpenID Connect (OIDC) identity provider is created.
** This OIDC provider configuration relies on a public key that is located in the `us-east-1` AWS region.
** Customers with AWS SCPs must allow the use of the `us-east-1` AWS region, even if these clusters are deployed in a different region.
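Both SCP requirements above can be checked statically before a cluster create fails. The script below is an added example, not part of the ROSA documentation: it reads an SCP document (the JSON you would get from the AWS Organizations console or `aws organizations describe-policy`) and flags Deny statements that either cover `aws-marketplace:Subscribe` or, through the `aws:RequestedRegion` condition key, deny requests to `us-east-1`. The two sample policies are constructed; the first is the typical "region lock" pattern that forgets `us-east-1`, the second is the same policy corrected.

```python
"""Static check of an SCP document against the two items above: it must not
deny aws-marketplace:Subscribe, and it must allow requests to us-east-1.

Added example, not part of the ROSA documentation. It inspects Deny statements
only and models Action/NotAction plus the aws:RequestedRegion condition key
(String* operators). Resource scoping, other condition keys and ForAnyValue/
ForAllValues set operators are not evaluated, so an empty result means "no
obvious blocker", not "the SCP is sufficient".
"""
import json
from fnmatch import fnmatchcase

REQUIRED_ACTION = "aws-marketplace:Subscribe"
REQUIRED_REGION = "us-east-1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _denies_action(stmt, action):
    """IAM action matching: case-insensitive, '*' wildcards; NotAction inverts."""
    action = action.lower()
    if "NotAction" in stmt:
        return not any(fnmatchcase(action, p.lower()) for p in _as_list(stmt["NotAction"]))
    return any(fnmatchcase(action, p.lower()) for p in _as_list(stmt.get("Action", [])))


def _region_condition_applies(stmt, region):
    """None if the statement has no aws:RequestedRegion condition; otherwise
    whether the condition is true for `region` (all region conditions ANDed)."""
    result = None
    for operator, pairs in stmt.get("Condition", {}).items():
        op = operator.lower()
        for key, values in pairs.items():
            if key.lower() != "aws:requestedregion":
                continue
            patterns = [str(v).lower() for v in _as_list(values)]
            matched = any(fnmatchcase(region, p) for p in patterns)
            if "stringnotequals" in op or "stringnotlike" in op:
                applies = not matched
            elif "stringequals" in op or "stringlike" in op:
                applies = matched
            else:
                continue  # operator not modelled
            result = applies if result is None else (result and applies)
    return result


def scp_findings(policy_json):
    """Return (Sid, reason) for each Deny statement that blocks a requirement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        region_applies = _region_condition_applies(stmt, REQUIRED_REGION)
        if region_applies:
            findings.append((sid, f"region condition denies requests to {REQUIRED_REGION}"))
        # A region-scoped Deny is reported above; an unconditional one that
        # covers the Marketplace action blocks Enable ROSA from the console.
        if region_applies is None and _denies_action(stmt, REQUIRED_ACTION):
            findings.append((sid, f"denies {REQUIRED_ACTION}"))
    return findings


# Constructed sample SCPs (not from any real organization).
RESTRICTIVE_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RegionLock", "Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    {"Sid": "NoMarketplace", "Effect": "Deny", "Action": "aws-marketplace:*", "Resource": "*"},
    {"Sid": "NoTerminate", "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]})
# Same policy after adding us-east-1 to the allowed regions and dropping the
# Marketplace deny, which is what the checklist asks for.
CORRECTED_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RegionLock", "Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1", "us-east-1"]}}},
    {"Sid": "NoTerminate", "Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]})

if __name__ == "__main__":
    for name, doc in (("restrictive", RESTRICTIVE_SCP), ("corrected", CORRECTED_SCP)):
        print(name, scp_findings(doc) or "no blockers found")
```

Note that `RegionLock` uses `NotAction`, the usual shape of a region-restricting SCP: it denies everything except the listed global services outside the allowed regions, so the fix is to add `us-east-1` to the region list rather than to exempt more actions.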
Prerequisites needed from a networking standpoint.

* Configure your firewall to allow access to the domains and ports listed in AWS firewall prerequisites.
When you create a cluster using an existing non-managed VPC, you can add additional custom security groups during cluster creation. Complete these prerequisites before you create the cluster:

* Create the custom security groups in AWS before you create the cluster.
* Associate the custom security groups with the VPC that you are using to create the cluster. Do not associate the custom security groups with any other VPC.
* You may need to request additional AWS quota for Security groups per network interface.

For more details see the detailed requirements for Security groups.

* If you want to use custom DNS, then the ROSA installer must be able to use VPC DNS with default DHCP options so it can resolve hosts locally.
** To do so, run `aws ec2 describe-dhcp-options` and see if the VPC is using the VPC Resolver:
+
----
$ aws ec2 describe-dhcp-options
----
** Otherwise, the upstream DNS will need to forward the cluster scope to this VPC so the cluster can resolve internal IPs and services.

If you choose to deploy a PrivateLink cluster, then be sure to deploy the cluster in the pre-existing BYO VPC:

* Create a public and private subnet for each AZ that your cluster uses.
** Alternatively, implement a transit gateway for internet and egress with appropriate routes.
* The VPC’s CIDR block must contain the `Networking.MachineCIDR` range, which is the IP address range for cluster machines.
** The subnet CIDR blocks must belong to the machine CIDR that you specify.
* Set both `enableDnsHostnames` and `enableDnsSupport` to `true`.
** That way, the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster internal DNS records.
* Verify route tables by running:
+
----
$ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"
----
* Ensure that the cluster can egress either through a NAT gateway in a public subnet or through a transit gateway.
* Ensure whatever UDR you would like to follow is set up.
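The DHCP options, DNS attribute, CIDR and route table checks above are easy to get partly right. The script below is an added example (not part of the ROSA documentation): its check functions parse the JSON returned by the commands the checklist already uses, `aws ec2 describe-dhcp-options` and `aws ec2 describe-route-tables`, plus `aws ec2 describe-vpc-attribute`, `describe-vpcs` and `describe-subnets`, and `live_checks()` ties them together for a VPC id and machine CIDR you supply. The sample option set and route tables are constructed; `AmazonProvidedDNS` is the value AWS uses for the VPC resolver in a DHCP option set.

```python
"""Preflight for the BYO VPC items in the checklist above.

Added example, not part of the ROSA documentation. The check functions parse
the JSON returned by the AWS CLI commands the checklist uses (`aws ec2
describe-dhcp-options`, `aws ec2 describe-route-tables`) and by
`aws ec2 describe-vpc-attribute`; `live_checks()` runs those commands against
a VPC id and machine CIDR you supply, while the constructed samples let
everything else run offline.
"""
import ipaddress
import json
import subprocess
import sys


def uses_amazon_dns(dhcp_options_json, dhcp_options_id):
    """True if the DHCP option set attached to the VPC hands out
    AmazonProvidedDNS, i.e. the VPC resolver the installer needs."""
    for opt in json.loads(dhcp_options_json)["DhcpOptions"]:
        if opt["DhcpOptionsId"] != dhcp_options_id:
            continue
        servers = [v["Value"] for c in opt["DhcpConfigurations"]
                   if c["Key"] == "domain-name-servers" for v in c["Values"]]
        return "AmazonProvidedDNS" in servers
    return False


def dns_attributes_ok(support_json, hostnames_json):
    """Both enableDnsSupport and enableDnsHostnames must be true."""
    return (json.loads(support_json)["EnableDnsSupport"]["Value"] is True and
            json.loads(hostnames_json)["EnableDnsHostnames"]["Value"] is True)


def cidr_layout_ok(vpc_cidr, machine_cidr, subnet_cidrs):
    """VPC CIDR must contain Networking.MachineCIDR, and every subnet CIDR
    must lie inside the machine CIDR."""
    vpc, machine = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(machine_cidr)
    return machine.subnet_of(vpc) and all(
        ipaddress.ip_network(c).subnet_of(machine) for c in subnet_cidrs)


def egress_routes(route_tables_json):
    """Map route table id -> kind of active 0.0.0.0/0 route: 'nat' (NAT
    gateway), 'tgw' (transit gateway), 'igw' (internet gateway) or None."""
    kinds = {}
    for rt in json.loads(route_tables_json)["RouteTables"]:
        kind = None
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
                continue
            if route.get("NatGatewayId"):
                kind = "nat"
            elif route.get("TransitGatewayId"):
                kind = "tgw"
            elif str(route.get("GatewayId", "")).startswith("igw-"):
                kind = "igw"
        kinds[rt["RouteTableId"]] = kind
    return kinds


def private_egress_ok(route_tables_json):
    """At least one route table must egress via NAT or transit gateway."""
    return any(k in ("nat", "tgw") for k in egress_routes(route_tables_json).values())


# Constructed sample CLI outputs (ids and addresses are placeholders).
SAMPLE_DHCP = json.dumps({"DhcpOptions": [{"DhcpOptionsId": "dopt-0example", "DhcpConfigurations": [
    {"Key": "domain-name", "Values": [{"Value": "ec2.internal"}]},
    {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]}]}]})
SAMPLE_ROUTES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-0private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]}]})


def live_checks(vpc_id, machine_cidr):
    """Run the same checks against a real VPC via the AWS CLI."""
    def aws(*args):
        return subprocess.run(["aws", *args, "--output", "json"], check=True,
                              capture_output=True, text=True).stdout

    def attr(name):
        return aws("ec2", "describe-vpc-attribute", "--vpc-id", vpc_id, "--attribute", name)

    vpc = json.loads(aws("ec2", "describe-vpcs", "--vpc-ids", vpc_id))["Vpcs"][0]
    vpc_filter = f"Name=vpc-id,Values={vpc_id}"
    subnets = json.loads(aws("ec2", "describe-subnets", "--filters", vpc_filter))["Subnets"]
    routes = aws("ec2", "describe-route-tables", "--filters", vpc_filter)
    return {
        "vpc_resolver": uses_amazon_dns(aws("ec2", "describe-dhcp-options"), vpc["DhcpOptionsId"]),
        "dns_attributes": dns_attributes_ok(attr("enableDnsSupport"), attr("enableDnsHostnames")),
        "cidr_layout": cidr_layout_ok(vpc["CidrBlock"], machine_cidr, [s["CidrBlock"] for s in subnets]),
        "egress": egress_routes(routes),
        "private_egress": private_egress_ok(routes),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 vpc_preflight.py <vpc-id> <machine-cidr>
        print(json.dumps(live_checks(sys.argv[1], sys.argv[2]), indent=2))
    else:  # offline demo on the constructed samples
        print("vpc_resolver:", uses_amazon_dns(SAMPLE_DHCP, "dopt-0example"))
        print("egress:", egress_routes(SAMPLE_ROUTES))
```

`egress_routes` reports per route table rather than a single yes/no on purpose: a PrivateLink cluster's private subnets should show `nat` or `tgw`, and an `igw` entry on a table associated with those subnets is the kind of misconfiguration the route table check is meant to catch.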
You can also configure a cluster-wide proxy during or after install. See Configuring a cluster-wide proxy for more details.

NOTE: You can install a non-PrivateLink ROSA cluster in a pre-existing BYO VPC.