
rosa-sts-terraform

Pre-create roles and identity providers for installing ROSA with STS

This project contains Terraform configuration to pre-create the IAM roles and the OpenID Connect identity provider needed to install Red Hat OpenShift Service on AWS (ROSA) using the AWS Security Token Service (STS).

Note

These steps were tested with ROSA CLI version 1.0.9 and OpenShift 4.7.19.

Prerequisite

  1. An AWS sub-account under your AWS Organization, and the means to assume an administrative role in that sub-account

  2. A Red Hat account to access https://console.redhat.com

  3. The ROSA command line tool, from https://www.openshift.com/products/amazon-openshift/download

  4. Terraform

  5. Some common Linux/Unix utilities: openssl, sed, tail

Steps

  1. Enable ROSA for the sub-account if you have not already done so

  2. Get a token from https://console.redhat.com/openshift/token/rosa/ to log in via the ROSA CLI

  3. Clone this repo.

  4. Create the roles, etc. by invoking Terraform:

    terraform apply -var aws_account_id=<AWS-sub-account-for-rosa> -var rosa-admin-role=<rosa-admin-role>
  5. If Terraform reports no errors, install ROSA with the following:

    $ rosa create cluster \
        --cluster-name ${name} \
        --region ${region} \
        --version ${version} \
        --role-arn arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-IAM-Role \
        --support-role-arn arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-Support-Role \
        --master-iam-role arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-ControlPlane-Role \
        --worker-iam-role arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-Worker-Role \
        --operator-iam-roles aws-cloud-credentials,openshift-machine-api,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials \
        --operator-iam-roles cloud-credential-operator-iam-ro-creds,openshift-cloud-credential-operator,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede \
        --operator-iam-roles installer-cloud-credentials,openshift-image-registry,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-image-registry-installer-cloud-creden \
        --operator-iam-roles cloud-credentials,openshift-ingress-operator,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-ingress-operator-cloud-credentials \
        --operator-iam-roles ebs-cloud-credentials,openshift-cluster-csi-drivers,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent
  6. Take note of the cluster ID in the output of the above command:

    I: Creating cluster 'rosa-sts'
    I: To view a list of clusters and their status, run 'rosa list clusters'
    I: Cluster 'rosa-sts' has been created.
    I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
    I: To determine when your cluster is Ready, run 'rosa describe cluster -c rosa-sts'.
    I: To watch your cluster installation logs, run 'rosa logs install -c rosa-sts --watch'.
    Name:                       rosa-sts
    ID:                         <your-rosa-cluster-id> <-- Cluster ID
    External ID:
    OpenShift Version:
  7. Get the OIDC provider thumbprint with:

    $ thumbprint=$(openssl s_client \
        -servername rh-oidc.s3.us-east-1.amazonaws.com/${cluster_id} \
        -showcerts \
        -connect rh-oidc.s3.us-east-1.amazonaws.com:443 </dev/null 2>&1|
        openssl x509 \
        -fingerprint \
        -noout |
        tail -n1 |
        sed 's/SHA1 Fingerprint=//' |
        sed 's/://g'
      )
  8. Re-apply Terraform with the cluster ID and the thumbprint:

    terraform apply -var aws_account_id=<AWS-sub-account-for-rosa> -var rosa-admin-role=<rosa-admin-role> -var rosa_cluster_id=<cluster-id> -var rosa_oidc_thumbprint=${thumbprint}
  9. The OpenID Connect identity provider should now be in place. Confirm with:

    $ aws iam list-open-id-connect-providers
    {
        "OpenIDConnectProviderList": [
            {
                "Arn": "arn:aws:iam::995786267701:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/<your-rosa-cluster-id>"
            }
        ]
    }
  10. Cluster installation should begin within a minute or so; you can check progress on https://console.redhat.com or via the CLI:

    $ rosa logs install -c <your-cluster-name> --watch
  11. ROSA should be installed after around 40 minutes.
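The two Terraform objects the steps above create and then refine, shown as an added illustrative example rather than the project's own configuration: an `aws_iam_openid_connect_provider` for the cluster's issuer, and one operator role (the `openshift-machine-api` one named in step 5) whose trust policy only lets a token issued for a single service account assume it. The variable names follow the `-var` names used in steps 4 and 8; the audience `openshift` and the service-account name `machine-api-controllers` are assumptions, not values taken from this README.

```hcl
# Added illustrative example; not the rosa-sts-terraform project's own code.
# Assumptions: variable names match the README's -var flags; the audience
# "openshift" and the service account "machine-api-controllers" are assumed.

variable "rosa_cluster_id" { type = string }
variable "rosa_oidc_thumbprint" { type = string }

locals {
  # Issuer host and path without the scheme; IAM uses this exact string as the
  # prefix of the condition keys (":sub", ":aud") in trust policies.
  oidc_issuer = "rh-oidc.s3.us-east-1.amazonaws.com/${var.rosa_cluster_id}"
}

# The identity provider that issues the cluster's projected service-account tokens.
resource "aws_iam_openid_connect_provider" "rosa" {
  url             = "https://${local.oidc_issuer}"
  client_id_list  = ["openshift"]              # assumed audience
  thumbprint_list = [var.rosa_oidc_thumbprint] # SHA-1 computed in step 7 of the README
}

# Trust policy for one operator role. The Federated principal alone would let
# a token for ANY service account in the cluster assume the role; the `sub`
# condition pins it to one namespace and one service account, and the `aud`
# condition rejects tokens minted for a different audience.
data "aws_iam_policy_document" "machine_api_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.rosa.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      # Namespace comes from the README's --operator-iam-roles flag;
      # the service-account name is an assumption.
      values = ["system:serviceaccount:openshift-machine-api:machine-api-controllers"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["openshift"] # assumed audience, same as client_id_list above
    }
  }
}

resource "aws_iam_role" "machine_api" {
  # Role name taken from the README's `rosa create cluster` invocation.
  name               = "ManagedOpenShift-openshift-machine-api-aws-cloud-credentials"
  assume_role_policy = data.aws_iam_policy_document.machine_api_trust.json
}

output "oidc_provider_arn" {
  # Should match the Arn reported by `aws iam list-open-id-connect-providers` in step 9.
  value = aws_iam_openid_connect_provider.rosa.arn
}
```

The `sub` condition is the security-relevant part of this shape: it is what keeps each operator role usable only by its own workload rather than by every pod in the cluster. Because the condition key embeds the cluster ID, the trust policy cannot be finalised until the ID is known, which is why the README applies Terraform a second time in step 8.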

Contributors

naikoob
