aws-samples/rosa-install-codepipeline

Red Hat OpenShift Service on AWS: ROSA Install CodePipeline

This repository provides AWS CloudFormation templates, a Dockerfile, and Bash scripts to deploy a PrivateLink Red Hat OpenShift on AWS (ROSA) cluster using an AWS CodePipeline. It includes security best practices such as the use of Secrets Manager and KMS, an immutable ECR repository, closed security groups with temporary internet access during installation, routing of egress traffic through a separate Egress VPC connected through a Transit Gateway, and storage of all installation parameters and logs in CodeBuild.

This setup creates 3 private VPCs and subnets for deploying a PrivateLink ROSA cluster following AWS best practices. This is an end-to-end setup resulting in a functional ROSA cluster where a Kubernetes application can be readily deployed, as shown in these detailed steps. Once deployed, pieces of this code can be used to create home-grown automation.

Pre-requisites

  1. An AWS account with Red Hat OpenShift Service on AWS Enabled
  2. Increased EC2 quota (at least 100)
  3. Increased Elastic Load Balancer quota (at least 50)
  4. A Red Hat Account (create one from here)
  5. AWS CloudShell or a Linux-like shell, AWS CLI and jq

Usage

  1. Set credentials for AWS Account in environment variables

    export AWS_ACCESS_KEY_ID=
    export AWS_SECRET_ACCESS_KEY=
    export AWS_SESSION_TOKEN=
    
  2. Copy the OpenShift Cluster Manager API token from here and create an AWS Secrets Manager secret with the name ROSA_TOKEN using the following commands

    export AWS_SECRET_NAME=ROSA_TOKEN
    export ROSA_TOKEN_VALUE=
    aws secretsmanager create-secret \
    --name "${AWS_SECRET_NAME}" \
    --description "OpenShift Cluster Manager API token secret created from https://console.redhat.com/openshift/token , please update upon expiry" \
    --secret-string "${ROSA_TOKEN_VALUE}"
    
  3. Set the region for the ROSA cluster and the AWS CodePipeline resources

    aws configure set region <your region, e.g. us-east-2>
    
  4. Install by launching the rosa-apg-kick-start.sh script

    cd rosa-apg-start-here
    ./rosa-apg-kick-start.sh 
    

    Note that this will kick off two AWS CodePipelines named "ROSA-Install-Pipeline" and "ROSA-Delete-Pipeline". However, these pipelines will wait for an explicit approval before proceeding to create or delete the cluster, respectively. For detailed instructions to run the pipeline for installing and uninstalling ROSA clusters, click here.

  5. Cleanup by running the rosa-apg-cleanup.sh script (after ensuring that the cluster is deleted)

    cd rosa-apg-start-here
    ./rosa-apg-cleanup.sh 
    

The VPC infrastructure for creating the ROSA cluster has been influenced by this example.
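
A preflight check for Usage steps 1 to 3, meant to run before `rosa-apg-kick-start.sh`. This is an added example, not part of the repository; the function names `missing_tools`, `missing_vars` and `preflight` are assumptions, and the secret name `ROSA_TOKEN` is the one from step 2.

```shell
#!/usr/bin/env bash
# Added example (not repository code): verify Usage steps 1-3 before step 4.
# Function names are hypothetical; ROSA_TOKEN is the secret name from step 2.

# Print the named commands that are not on PATH; return 1 if any are missing.
missing_tools() {
  local t miss=""
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || miss="${miss:+$miss }$t"
  done
  [ -z "$miss" ] || { echo "$miss"; return 1; }
}

# Print the named variables that are not exported or are empty; return 1 if any.
missing_vars() {
  local v miss=""
  for v in "$@"; do
    [ -n "$(printenv "$v")" ] || miss="${miss:+$miss }$v"
  done
  [ -z "$miss" ] || { echo "$miss"; return 1; }
}

# Run all checks and report every failure, not just the first one.
preflight() {
  local secret="${AWS_SECRET_NAME:-ROSA_TOKEN}" fail=0 out
  out=$(missing_tools aws jq) || { echo "missing tools: $out" >&2; return 1; }
  # Informational only: credentials may also come from a profile or CloudShell,
  # so the STS call below is the authoritative credential check.
  out=$(missing_vars AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY) \
    || echo "note: not exported in this shell: $out" >&2
  aws sts get-caller-identity --query Account --output text >/dev/null 2>&1 \
    || { echo "credentials missing, expired or rejected (step 1)" >&2; fail=1; }
  [ -n "$(aws configure get region 2>/dev/null)" ] \
    || { echo "no region configured (step 3)" >&2; fail=1; }
  aws secretsmanager describe-secret --secret-id "$secret" >/dev/null 2>&1 \
    || { echo "secret $secret not found in this region (step 2)" >&2; fail=1; }
  return "$fail"
}

# Usage (file name is an assumption): ./preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

`describe-secret` reads only the secret's metadata, so the check confirms the secret exists without printing the token.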

Security

See CONTRIBUTING for more information.

For scanning code:

    cd tests
    ./scans.sh

License

This library is licensed under the MIT-0 License. See the LICENSE file.

About

AWS CodePipeline to automate installation of PrivateLink STS Red Hat OpenShift Service on AWS (ROSA) clusters
