Create an Azure Red Hat OpenShift (ARO) cluster
In this tutorial, you will install Red Hat OpenShift on Azure (called ARO): you will create the resource group and virtual network, create the ARO cluster, and then connect to the cluster with the oc CLI.
The following illustration shows the network traffic routing of a default ARO installation.
Features
Important distinctions of ARO:
- Red Hat OpenShift, billed through Microsoft (the cluster appears on your Azure bill).
- Jointly supported by Red Hat and Microsoft.
- Prometheus comes pre-installed and configured on Azure Red Hat OpenShift 4.x clusters.
IMPORTANT:
- Check the OpenShift versions supported by ARO to be sure they are compatible with your use case.
- Check with your ATL whether customers can use their IBM ELA for this installation or whether it is billed entirely through the Microsoft ELA.
Set up
You will need:
- Azure CLI version 2.6.0 or greater. Install it with Microsoft's installer on Linux, or with Homebrew on Mac (or on Linux or WSL2 with Brew). Check the version with az --version
- jq. Install it with
sudo apt-get install -y jq
and check that it is on your PATH with which jq
- oc CLI. Either use the Cloud Native Toolkit installer (review the script before piping it into bash; it runs with your privileges):
curl -sL shell.cloudnativetoolkit.dev | bash -
Or download the client from the OpenShift mirror. The mirror publishes a sha256sum.txt in the same directory as the tarball; compare the downloaded file against it before extracting, since "latest" resolves to whatever the mirror currently serves:
cd ~
wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz
mkdir openshift
tar -zxvf openshift-client-linux.tar.gz -C openshift
echo 'export PATH=$PATH:~/openshift' >> ~/.bashrc && source ~/.bashrc
which oc
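As an added example (not part of the original page), here is a script that performs the oc download above with integrity checking: it fetches the tarball together with the sha256sum.txt the OpenShift mirror publishes beside it, and refuses to unpack a tarball whose digest does not match. The MIRROR and DEST defaults are assumptions you can override with environment variables, and the checksum helpers are written so they can be exercised on a constructed file without network access.

```shell
#!/usr/bin/env bash
# get-oc.sh: added example, not from the page. Download the oc client tarball
# and verify it against the mirror's sha256sum.txt before extracting it.
set -eu

# Assumed defaults; override with environment variables.
MIRROR=${MIRROR:-https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest}
TARBALL=openshift-client-linux.tar.gz
DEST=${DEST:-$HOME/openshift}

# sha256_of FILE: hex SHA-256 digest, using coreutils sha256sum or perl's shasum
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# expected_sha256 NAME SUMSFILE: digest listed for NAME in a sha256sum.txt-style
# file ("<digest>  <name>" per line); fails when NAME is not listed at all
expected_sha256() {
  awk -v name="$1" '$2 == name { print $1; found = 1 } END { exit !found }' "$2"
}

# verify_sha256 FILE SUMSFILE: succeed only if FILE's digest equals the listed one
verify_sha256() {
  local expected actual
  expected=$(expected_sha256 "$(basename "$1")" "$2") \
    || { echo "no digest listed for $(basename "$1")" >&2; return 1; }
  actual=$(sha256_of "$1")
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $1: expected $expected, got $actual" >&2
    return 1
  fi
}

# fetch_oc: download tarball and digest list, verify, then extract into DEST
fetch_oc() {
  local tmp
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/$TARBALL" "$MIRROR/$TARBALL"
  curl -fsSL -o "$tmp/sha256sum.txt" "$MIRROR/sha256sum.txt"
  verify_sha256 "$tmp/$TARBALL" "$tmp/sha256sum.txt"   # set -e aborts here on mismatch
  mkdir -p "$DEST"
  tar -zxf "$tmp/$TARBALL" -C "$DEST"
  rm -rf "$tmp"
  echo "oc extracted into $DEST; add it to PATH as shown above"
}

# Only touch the network when asked to: ./get-oc.sh --install
if [ "${1:-}" = "--install" ]; then
  fetch_oc
fi
```

The digest file is fetched from the same mirror over TLS, so this protects against a truncated or corrupted download and against a tarball swapped on a mirror that still serves the original sha256sum.txt; it does not replace checking the Red Hat signatures if your policy requires them.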
IMPORTANT: You will also need:
- Permissions on the scope in which you create the resource group and its resources. For example, to create the OCP cluster you need, either directly on the virtual network or on the resource group or subscription containing it:
- Contributor and User Access Administrator permissions, or
- Owner permissions
- Sufficient Azure Active Directory permissions (either a member user of the tenant, or a guest user assigned the Application administrator role) so that the tooling can create an application and service principal on your behalf for the cluster. That service principal is the identity the cluster uses to manage its Azure resources, so treat its credentials as secrets.
- Permission to open Azure support requests, so that you can:
- Increase the default vCPU quota to 40 vCPUs (the minimum for an ARO installation). An off-the-shelf Azure subscription limits the number of vCPUs per region to 10 (for your protection). Submit a support request in the Subscriptions | Usage + quotas panel for the region you want to deploy to, as shown in the following illustration:
Set environment variables
az login
az account list -o table
## select a subscription from the list and put its id on the next line
SUBSCRIPTION_ID="<your-subscription-id>"
## use the canonical region name (no spaces) so it can be passed to the CLI as a single argument
LOCATION="northcentralus"
RESOURCEGROUP="aro-nc-aro-project-1"
CLUSTER="cluster"
VNET_NAME="vnet-nc-aro-project-1"
Create ARO
Follow the instructions in Tutorial: Create an Azure Red Hat OpenShift 4 cluster.
az account set --subscription "$SUBSCRIPTION_ID"
## check the vCPU quota of the VM family used for the control plane nodes
az vm list-usage -l "$LOCATION" \
--query "[?contains(name.value, 'standardDSv3Family')]" \
-o table
Responds with:
CurrentValue    Limit    LocalName
--------------  -------  --------------------------
0               10       Standard DSv3 Family vCPUs
In this case you must open a support request to raise the quota to 40: an ARO installation needs access to at least 40 vCPUs, and both the per-family counter shown here and the total regional vCPU counter (name value "cores") must have room for the cluster.
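The following script is an added example, not code from the page. It computes the vCPUs that az aro create will request for the sizes used in this tutorial (3 control-plane nodes plus the worker count; for Standard_D8s_v3 masters and three Standard_F4s_v2 workers that is 3*8 + 3*4 = 36, the "Additional requested" figure in the quota error shown later on this page), raises that to the 40-vCPU minimum, and compares it with the regional total ("cores") and the per-family counters that az vm list-usage reports. The VM-size table is an assumption covering only the sizes on this page; the live check runs only with --live, so the arithmetic can be tried without the Azure CLI.

```shell
#!/usr/bin/env bash
# aro-quota-preflight.sh: added example, not from the page. Check that the
# subscription's vCPU quota in a region can hold an ARO cluster before
# `az aro create` fails with "Resource quota of cores exceeded".
set -eu

ARO_MIN_VCPUS=40   # minimum vCPU quota the tutorial says ARO needs

# vm_vcpus SIZE: vCPUs per node. Assumed table covering only the sizes used here.
vm_vcpus() {
  case "$1" in
    Standard_D4s_v3) echo 4 ;;
    Standard_D8s_v3) echo 8 ;;
    Standard_F4s_v2) echo 4 ;;
    *) echo "unknown VM size: $1" >&2; return 1 ;;
  esac
}

# vm_family SIZE: the quota counter name `az vm list-usage` uses for that size
vm_family() {
  case "$1" in
    Standard_D*s_v3) echo standardDSv3Family ;;
    Standard_F*s_v2) echo standardFSv2Family ;;
    *) echo "unknown VM size: $1" >&2; return 1 ;;
  esac
}

# required_vcpus MASTER_SIZE WORKER_SIZE WORKER_COUNT: vCPUs the cluster requests
# (ARO always creates 3 control-plane nodes)
required_vcpus() {
  local m w
  m=$(vm_vcpus "$1") || return 1
  w=$(vm_vcpus "$2") || return 1
  echo $(( 3 * m + $3 * w ))
}

# quota_ok NEEDED CURRENT LIMIT: succeed when NEEDED fits into LIMIT - CURRENT
quota_ok() {
  [ $(( $3 - $2 )) -ge "$1" ]
}

# check_usage_line LABEL NEEDED "CURRENT<TAB>LIMIT": evaluate one quota counter,
# given in the shape `az vm list-usage ... -o tsv` prints
check_usage_line() {
  local label=$1 needed=$2
  set -- $3                      # default IFS splits on the tab
  [ "$#" -eq 2 ] || { echo "FAIL $label: no quota data returned"; return 1; }
  local current=$1 limit=$2
  if quota_ok "$needed" "$current" "$limit"; then
    echo "OK   $label: need $needed, $(( limit - current )) of $limit free"
  else
    echo "FAIL $label: need $needed, only $(( limit - current )) of $limit free;" \
         "request a limit of at least $(( current + needed ))"
    return 1
  fi
}

# usage_tsv LOCATION COUNTER: "current<TAB>limit" for one counter from the Azure CLI
usage_tsv() {
  az vm list-usage -l "$1" \
    --query "[?name.value=='$2'].[currentValue,limit]" -o tsv
}

# main LOCATION MASTER_SIZE WORKER_SIZE WORKER_COUNT: live check against Azure
main() {
  local location=$1 master=$2 worker=$3 workers=$4 req need mf wf rc=0
  req=$(required_vcpus "$master" "$worker" "$workers")
  need=$(( req > ARO_MIN_VCPUS ? req : ARO_MIN_VCPUS ))
  mf=$(vm_family "$master")
  wf=$(vm_family "$worker")
  # 'cores' is the Total Regional vCPUs counter; it must hold the whole cluster
  check_usage_line "Total regional vCPUs" "$need" "$(usage_tsv "$location" cores)" || rc=1
  if [ "$mf" = "$wf" ]; then
    check_usage_line "$mf" "$req" "$(usage_tsv "$location" "$mf")" || rc=1
  else
    check_usage_line "$mf" $(( 3 * $(vm_vcpus "$master") )) "$(usage_tsv "$location" "$mf")" || rc=1
    check_usage_line "$wf" $(( workers * $(vm_vcpus "$worker") )) "$(usage_tsv "$location" "$wf")" || rc=1
  fi
  return "$rc"
}

# Only call the Azure CLI when asked to:
#   ./aro-quota-preflight.sh --live northcentralus Standard_D8s_v3 Standard_F4s_v2 3
if [ "${1:-}" = "--live" ]; then
  main "${2:-northcentralus}" "${3:-Standard_D8s_v3}" "${4:-Standard_F4s_v2}" "${5:-3}"
fi
```

Run it with --live after az login and az account set; a FAIL line tells you which counter to raise and to what value in the support request, which is quicker than waiting for az aro create to reject the deployment.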
# you only need to register these resource providers once per subscription
az provider register -n Microsoft.RedHatOpenShift --wait
az provider register -n Microsoft.Compute --wait
az provider register -n Microsoft.Storage --wait
az provider register -n Microsoft.Authorization --wait
Get pull secret
- Navigate to the Red Hat OpenShift Cluster Manager portal and log in.
- Click Download pull secret and save the file for use with your ARO cluster. The pull secret is a credential for the Red Hat container registries: keep it out of source control and restrict its permissions (for example chmod 600 pull-secret.txt).
Configure public DNS zone in Azure
This step is only needed if you give the cluster a custom domain with the --domain option of az aro create; without it, ARO provisions DNS for the cluster under its own aroapp.io domain. For a custom domain, create a DNS zone and ensure your registrar delegates the domain to it. You can use an Azure App Service Domain or an external registrar such as GoDaddy. The API server (api.<domain>) and the application routes (*.apps.<domain>) are reached by DNS names created for that domain, so you cannot reach the cluster until those names resolve.
IMPORTANT: By default, OpenShift uses self-signed certificates for the API server and for all of the routes created on a custom domain (*.apps.example.com). Clients will warn or refuse to connect until you replace them with certificates from a CA your clients trust.
You can use an App Service Domain (provided by Microsoft) for testing purposes.
Create resource group and virtual network
az group create \
--name $RESOURCEGROUP \
--location $LOCATION
## virtual network
az network vnet create \
--resource-group $RESOURCEGROUP \
--name $VNET_NAME \
--address-prefixes 10.0.0.0/22
## control plane node subnet
az network vnet subnet create \
--resource-group $RESOURCEGROUP \
--vnet-name $VNET_NAME \
--name master-subnet \
--address-prefixes 10.0.0.0/23 \
--service-endpoints Microsoft.ContainerRegistry
## worker node subnet, in the same virtual network (the two /23 subnets fill the /22)
az network vnet subnet create \
--resource-group $RESOURCEGROUP \
--vnet-name $VNET_NAME \
--name worker-subnet \
--address-prefixes 10.0.2.0/23 \
--service-endpoints Microsoft.ContainerRegistry
## disable private link service network policies on the control plane subnet;
## the ARO service needs this to connect to and manage the cluster
az network vnet subnet update \
--name master-subnet \
--resource-group $RESOURCEGROUP \
--vnet-name $VNET_NAME \
--disable-private-link-service-network-policies true
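Before running the network commands above it is worth checking the address plan: both subnets must sit inside the VNet and must not overlap each other, and the VNet must not overlap the cluster's default pod CIDR (10.128.0.0/14) or service CIDR (172.30.0.0/16), which az aro create uses unless you pass --pod-cidr and --service-cidr. The following script is an added example, not code from the page; the /27 lower bound on subnet size is my reading of the ARO minimum and should be confirmed against the current ARO documentation. It checks the page's own plan when run without arguments and accepts VNET MASTER_SUBNET WORKER_SUBNET otherwise; the CIDR arithmetic is done in shell integer arithmetic so it needs no extra tools.

```shell
#!/usr/bin/env bash
# aro-net-check.sh: added example, not from the page. Validate the VNet/subnet
# plan for an ARO cluster before creating it with the Azure CLI.
set -eu

# Default pod and service CIDRs of `az aro create`; the VNet must not overlap them
ARO_POD_CIDR=10.128.0.0/14
ARO_SERVICE_CIDR=172.30.0.0/16
MIN_SUBNET_PREFIX=27   # assumed ARO minimum subnet size (/27 or larger)

# ip2int A.B.C.D: dotted quad to a 32-bit integer (shell arithmetic is 64-bit)
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_bounds A.B.C.D/N: "first last" addresses of the block, as integers
cidr_bounds() {
  local ip=${1%/*} bits=${1#*/} base mask first
  base=$(ip2int "$ip")
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  first=$(( base & mask ))
  echo "$first $(( first | (~mask & 0xFFFFFFFF) ))"
}

# cidr_within INNER OUTER: succeed when INNER lies entirely inside OUTER
cidr_within() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")   # i_first i_last o_first o_last
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# cidr_overlaps A B: succeed when the two blocks share at least one address
cidr_overlaps() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")   # a_first a_last b_first b_last
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_plan VNET MASTER_SUBNET WORKER_SUBNET: print every violation; fail if any
check_plan() {
  local vnet=$1 master=$2 worker=$3 rc=0 s
  for s in "$master" "$worker"; do
    cidr_within "$s" "$vnet" || { echo "FAIL: $s is not inside VNet $vnet"; rc=1; }
    [ "${s#*/}" -le "$MIN_SUBNET_PREFIX" ] \
      || { echo "FAIL: $s is smaller than /$MIN_SUBNET_PREFIX"; rc=1; }
  done
  if cidr_overlaps "$master" "$worker"; then
    echo "FAIL: $master and $worker overlap"; rc=1
  fi
  for s in "$ARO_POD_CIDR" "$ARO_SERVICE_CIDR"; do
    if cidr_overlaps "$vnet" "$s"; then
      echo "FAIL: VNet $vnet overlaps ARO default CIDR $s"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: $master and $worker fit inside $vnet"
  return "$rc"
}

# Defaults to the plan used in this tutorial: ./aro-net-check.sh [VNET MASTER WORKER]
if [ "$#" -eq 3 ]; then
  check_plan "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
  check_plan 10.0.0.0/22 10.0.0.0/23 10.0.2.0/23
fi
```

A plan that overlaps the pod or service CIDR is the one to catch early: the cluster may deploy, but pods then cannot reach VNet addresses that collide with the overlay ranges, which is hard to diagnose afterwards.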
NOTE: If cluster creation fails with an error such as the following, your regional vCPU quota is too low; open the support request described above. The "Additional requested" figure is the number of vCPUs the cluster you asked for needs.
Deployment failed. Correlation ID: 8d4dd186-abf4-48ad-b071-c7a66aa635c8. Resource quota of cores exceeded. Maximum allowed: 10, Current in use: 0, Additional requested: 36.
Create cluster
The Microsoft.RedHatOpenShift resource provider registered above must be in place for the following command to work. This example uses a smaller VM size for the worker nodes than the default Standard_D4s_v3. By default both the API server and the ingress are public; for a cluster that must stay inside the customer's network, add --apiserver-visibility Private and --ingress-visibility Private (see Advanced reference).
az aro create \
--resource-group $RESOURCEGROUP \
--name $CLUSTER \
--vnet $VNET_NAME \
--master-subnet master-subnet \
--worker-subnet worker-subnet \
--master-vm-size Standard_D8s_v3 \
--worker-vm-size Standard_F4s_v2 \
--pull-secret @"$HOME/Downloads/pull-secret.txt"
The @ prefix makes the CLI read the pull secret from the file you downloaded, so the secret itself never appears on the command line or in your shell history.
For more information on the parameters available, see the az aro create command line reference.
Connect to ARO
Follow the instructions in the second section: Tutorial: Connect to an Azure Red Hat OpenShift 4 cluster
Get the URL to the OpenShift console
az aro show \
--name $CLUSTER \
--resource-group $RESOURCEGROUP \
--query "consoleProfile.url" -o tsv
Connect to OpenShift server
To connect to the OpenShift server, use:
APISERVER=$(az aro show -g $RESOURCEGROUP -n $CLUSTER --query apiserverProfile.url -o tsv)
## Replace <kubeadmin password> with the kubeadminPassword value returned by
## az aro list-credentials -g $RESOURCEGROUP -n $CLUSTER (the linked tutorial shows this step).
## Prefer putting it in a variable rather than typing it into the command line, which lands in your shell history.
oc login "$APISERVER" -u kubeadmin -p <kubeadmin password>
kubeadmin is the cluster's break-glass administrator account; once you have configured an identity provider (see Next steps), remove it.
Delete cluster
To delete the cluster, use az aro delete with the same resource group and cluster name as above. This removes the cluster and its managed resources, but not the resource group and virtual network you created, which you must delete separately if they are no longer needed.
Security considerations
- Azure Active Directory integration (so that users authenticate with their own identities instead of the shared kubeadmin account)
- Control egress traffic for your Azure Red Hat OpenShift (ARO) cluster (preview)
Configure StorageClass for RWX
For use with Cloud Paks and customer applications, you will want to dynamically provision ReadWriteMany (RWX) storage, so that a volume can be mounted read-write by many nodes at once.
You can use either the OpenShift Container Storage (OCS) or OpenShift Data Foundation (ODF) operators, or use Azure Files for your StorageClass.
NOTE: OpenShift Container Storage (OCS) was renamed OpenShift Data Foundation (ODF) starting with OCP 4.9. For more information, see either:
- OpenShift Container Platform storage overview
- Deploying OpenShift Data Foundation on Azure Red Hat OpenShift.
Or, if you prefer, set up Azure Files as your StorageClass. See Create an Azure Files StorageClass on Azure Red Hat OpenShift 4.
Advanced reference
The following illustration shows how ARO can be configured inside a customer firewall.
Next steps
Learn more about how to incorporate ARO into an existing Azure architecture: see Control egress traffic for your Azure Red Hat OpenShift (ARO) cluster (preview). To incorporate Azure AD identities into OpenShift, see Configure Azure Active Directory authentication for an Azure Red Hat OpenShift 4 cluster (CLI).