This repository provides AWS CloudFormation templates, a Dockerfile, and Bash scripts to deploy a PrivateLink Red Hat OpenShift Service on AWS (ROSA) cluster using an AWS CodePipeline. It includes security best practices such as the use of Secrets Manager and KMS, an immutable ECR repository, closed security groups with temporary internet access only during installation, routing of egress traffic through a separate Egress VPC connected via a Transit Gateway, and storage of all installation parameters and logs in CodeBuild.
This setup creates 3 private VPCs and subnets for deploying a PrivateLink ROSA cluster following AWS best practices. It is an end-to-end setup resulting in a functional ROSA cluster on which a Kubernetes application can be readily deployed, as shown in these detailed steps. Once deployed, pieces of this code can be reused to build home-grown automation.
- An AWS account with Red Hat OpenShift Service on AWS Enabled
- Increased EC2 quota (at least 100)
- Increased Elastic Load Balancer quota (at least 50)
- A Red Hat Account (create one from here)
- AWS CloudShell, or a Linux-like shell with the AWS CLI and jq installed
- Set the credentials for the AWS account in environment variables:

  ```bash
  export AWS_ACCESS_KEY_ID=
  export AWS_SECRET_ACCESS_KEY=
  export AWS_SESSION_TOKEN=
  ```
- Copy the OpenShift Cluster Manager API token from here and create an AWS Secrets Manager secret with the name `ROSA_TOKEN` using the following commands:

  ```bash
  export AWS_SECRET_NAME=ROSA_TOKEN
  export ROSA_TOKEN_VALUE=
  aws secretsmanager create-secret \
    --name "${AWS_SECRET_NAME}" \
    --description "OpenShift Cluster Manager API token secret created from https://console.redhat.com/openshift/token , please update upon expiry" \
    --secret-string "${ROSA_TOKEN_VALUE}"
  ```
- Set the region for the ROSA cluster and the AWS CodePipeline resources:

  ```bash
  aws configure set region <your region, e.g. us-east-2>
  ```
- Install by launching the `rosa-apg-kick-start.sh` script:

  ```bash
  cd rosa-apg-start-here
  ./rosa-apg-kick-start.sh
  ```

  Note that this kicks off two AWS CodePipelines, named "ROSA-Install-Pipeline" and "ROSA-Delete-Pipeline". Both pipelines wait for an explicit approval before proceeding to create or delete the cluster, respectively. For detailed instructions on running the pipelines to install and uninstall ROSA clusters, click here.
- Clean up by running the `rosa-apg-cleanup.sh` script (after ensuring that the cluster has been deleted):

  ```bash
  cd rosa-apg-start-here
  ./rosa-apg-cleanup.sh
  ```
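Before launching the kick-start script it is worth confirming that the prerequisites above are actually in place: credentials exported, AWS CLI and jq on PATH, a region configured, and the `ROSA_TOKEN` secret present in that region. The preflight script below is an added example, not part of this repository; it assumes AWS CLI v2, and the filename `rosa-preflight.sh` is hypothetical.

```bash
#!/usr/bin/env bash
# Preflight checks before launching rosa-apg-kick-start.sh.
# Added example, not part of the repository. Assumes the AWS CLI v2 and jq are on PATH,
# credentials are exported as in the steps above, and the ROSA_TOKEN secret lives in the
# configured region. The filename rosa-preflight.sh is hypothetical.
set -eu

# Return 0 when every named environment variable is set and non-empty, 1 otherwise.
require_env() {
  missing=0
  for var in "$@"; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "missing environment variable: $var" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Return 0 when the argument looks like an AWS region name (e.g. us-east-2), 1 otherwise.
valid_region() {
  case "$1" in
    [a-z][a-z]-*-[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when a Secrets Manager secret named $1 exists in region $2 (calls the AWS API).
secret_exists() {
  aws secretsmanager describe-secret --secret-id "$1" --region "$2" >/dev/null 2>&1
}

preflight() {
  require_env AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN || return 1
  for tool in aws jq; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found on PATH" >&2; return 1; }
  done
  region=$(aws configure get region 2>/dev/null || true)
  valid_region "$region" || { echo "no region set; run: aws configure set region <region>" >&2; return 1; }
  aws sts get-caller-identity >/dev/null || { echo "credentials rejected by STS" >&2; return 1; }
  secret_exists ROSA_TOKEN "$region" || { echo "secret ROSA_TOKEN not found in $region" >&2; return 1; }
  echo "preflight ok: region=$region, secret ROSA_TOKEN present"
}

# Run the checks only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in rosa-preflight.sh) preflight ;; esac
```

Run it from the same shell in which you exported the credentials; a non-zero exit with a message on stderr names the first missing prerequisite.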
The VPC infrastructure for creating the ROSA cluster has been influenced by this example.
See CONTRIBUTING for more information.
For scanning the code:

```bash
cd tests
./scans.sh
```
This library is licensed under the MIT-0 License. See the LICENSE file.