Stone Door Group


Deploying Quay and Clair in OpenShift on AWS - Part 2 (OpenShift Cluster)

In our previous post we discussed the business case for using Red Hat Quay as our container registry and Red Hat Clair to scan the images in Quay for known security vulnerabilities. We then configured the AWS resources required to support Quay and Clair running in an OpenShift cluster deployed on AWS public cloud infrastructure.

In this, part 2 of our three part series, we deploy the OpenShift cluster on AWS. OpenShift is Red Hat's Kubernetes-based container platform: it combines the isolation and scalability of containers with the orchestration and management capabilities of Kubernetes. Red Hat OpenShift also includes an ecosystem of partners and vendors that deliver immediate value in the form of operators and container images. These may add controls and management to OpenShift itself, or provide applications and services that run as OpenShift containers.


Series Overview

In Part 1 of this series we prepared the resources required to install OpenShift as a public cluster on AWS public cloud infrastructure, including the resources required to deploy Quay and Clair on that OpenShift cluster.

Part 2 of this series takes you through the steps required to install OpenShift as a public cluster in AWS. A public OpenShift cluster has internet-accessible API and application endpoints. Installing in AWS gives us the VPC and security-group controls to restrict access to the cluster to just the systems we specify.

Part 3 of the series takes you through the steps required to deploy the Quay container registry and the Clair security scanner in our OpenShift cluster running on AWS public cloud.


Preparing for the Openshift Container Platform(OCP) cluster installation

The OpenShift cluster installation will be done from your local workstation or laptop.

The local user account name used in the examples is "usera" with a home directory of /home/usera.

You will need a user account on the Red Hat Customer Portal (access.redhat.com); "yourname@redhat.com" is used as an example in the following steps.

Your Red Hat user account will be used to create and download a pull secret. The pull secret authenticates the installer and the cluster to Red Hat's container registries, so treat it as a credential: do not commit it to version control or paste it into shared documents.



################### NOTE ###################

Use your own sshKey, AWS Access Key ID, AWS Secret Access Key, Base Domain, and Red Hat pullSecret.

The examples listed in the steps below WILL NOT WORK!!!

################# END NOTE ##################


Open a terminal session on your RHEL workstation or laptop

1. Create a directory to hold AWS and OCP related downloads:

[usera@local-workstation ~]$ mkdir -p ~/aws-ocp/Downloads

2. Change directories to the directory you created for AWS and OCP related downloads:

[usera@local-workstation ~]$ cd ~/aws-ocp/Downloads


3. Download the OCP Installer, pull-secret, and OCP cli tools from the Red Hat website into the directory you created for AWS and OCP related downloads:

https://cloud.redhat.com/openshift/install/aws/installer-provisioned


4. Download the AWS Command Line Interface (CLI) tools:

[usera@local-workstation Downloads]$ curl \
https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip \
-o awscliv2.zip

5. If you don't already have one, create an SSH key pair. The public half goes into install-config.yaml and is placed on every cluster node for the core user, so the private key is your only SSH path onto the nodes. -N '' creates it without a passphrase, which is convenient for the installer but means anyone who can read the file can use it; protect it accordingly, or omit -N '' to set a passphrase (the ssh-agent started in the next step handles it either way):

[usera@local-workstation Downloads]$ ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa

6. Start the ssh-agent process as a background task:

[usera@local-workstation Downloads]$ eval "$(ssh-agent -s)"



7. Add your SSH private key to the ssh-agent:

[usera@local-workstation Downloads]$ ssh-add ~/.ssh/id_rsa



8. We will be creating an installation configuration YAML file in a later step. The OCP installer consumes (and removes) this file during the installation, so it is helpful to keep a copy to review the installation configuration after the installation completes. I also like to isolate the configuration files for Quay and the post-installation OCP files, so I create specific directories to hold the files we will be using later in this series. Make the directories for the AWS-OCP installation components:

[usera@local-workstation Downloads]$ mkdir ~/aws-ocp/src; \
mkdir ~/aws-ocp/install; \
mkdir ~/aws-ocp/quay; \
mkdir ~/aws-ocp/ocp



9. Change directories to the main AWS-OCP directory:

[usera@local-workstation Downloads]$ cd ~/aws-ocp

10. Unzip the AWS CLI tools:

[usera@local-workstation aws-ocp]$ unzip \
~/aws-ocp/Downloads/awscliv2.zip


11. Install the AWS CLI tools:

[usera@local-workstation aws-ocp]$ sudo ./aws/install



12. Configure the AWS CLI default profile (access key, secret key and region) that the OCP installer will read. aws configure writes these long-lived keys in plaintext to ~/.aws/credentials, so keep that file readable only by you (mode 600), use keys belonging to an IAM user dedicated to this installation, and rotate or remove them when the installation is finished. The installer creates the VPC, IAM roles and instance profiles, load balancers, Route 53 records and EC2 instances, so that IAM user must carry the full set of permissions Red Hat documents for installer-provisioned infrastructure on AWS:

[usera@local-workstation aws-ocp]$ aws configure

Input the correct values for your AWS account!

AWS Access Key ID [None]: ANKIYOURACCESSKEYHEREVES2W
AWS Secret Access Key [None]: A1IqkYourSecretKeyHere/%bksiujrXYZpdq
Default region name [None]: us-east-1
Default output format [None]: json



13. Change to the OCP downloads directory:

[usera@local-workstation aws-ocp]$ cd ~/aws-ocp/Downloads



14. Decompress the OCP CLI tools archive:

[usera@local-workstation Downloads]$ gunzip \
openshift-client-linux.tar.gz



15. Change to the OCP main directory:

[usera@local-workstation Downloads]$ cd ~/aws-ocp/ocp



16. Untar the OCP CLI tools:

[usera@local-workstation ocp]$ tar xvf \
../Downloads/openshift-client-linux.tar



17. Copy the OCP CLI tool commands (oc and kubectl) to a directory in your PATH:

[usera@local-workstation ocp]$ sudo cp oc /usr/bin
[usera@local-workstation ocp]$ sudo cp kube* /usr/bin



18. Decompress the OCP installer archive:

[usera@local-workstation ocp]$ gunzip \
../Downloads/openshift-install-linux.tar.gz



19. Change to the OCP installation directory and untar the installer:

[usera@local-workstation ocp]$ cd ../install
[usera@local-workstation install]$ tar xvf \
../Downloads/openshift-install-linux.tar



20. Create the OCP installation configuration yaml file:

[usera@local-workstation install]$ ./openshift-install create \
install-config --dir . --log-level=debug

Enter the correct responses for your AWS account!

? SSH Public Key /home/usera/.ssh/id_rsa.pub
? Platform aws
INFO Credentials loaded from the "default" profile in file "/home/usera/.aws/credentials"
? Region us-east-1
? Base Domain youropenshiftdomainname.com
? Cluster Name ocp-quay
? Pull Secret [? for help] {"auths":{"cloud.openshift.com":{"auth":"bb8c3por2d2thisisNOTthepullsecretyouarelookingfor\USEYOUROWN\mkay\ZXJyZWRoYXRjb20xZHNwb2g3cHl0dmJwamloZm1pbmV0Y2kxcWw6RDM1TlhPTTBLSTJVV1o0OUc4SVMwUUFUS0JFTzBSV0FGVkFSTElEMVIwRE5VNTZEQldRVEM4V1BUSzFZSFJBVg==","email":"yourname@client.com"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K2VhcmNoZXJyZWRoYXRjb20xZHNwb2g3cHl0dmJwamloZm1pbmV0Y2kxcWw6RDM1TlhPTTBLSTJVV1o0OUc4SVMwUUFUS0JFTzBSV0FGVkFSTElEMVIwRE5VNTZEQldRVEM4V1BUSzFZSFJBVg==","email":"yourname@redhat.com"},"registry.connect.redhat.com":{"auth":"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","email":"yourname@redhat.com"},"registry.redhat.io":{"auth":"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","email":"yourname@client.com"}}}



21. Copy the original install-config.yaml file to the src directory:

[usera@local-workstation install]$ cp install-config.yaml \
../src/install-config.yaml.orig


22. Modify install-config.yaml for your environment. YAML is sensitive to the indentation of each line; indent with spaces only and never use tabs. The values below are the ones this series uses: publish: External exposes the API and application ingress endpoints to the internet (the public cluster described above); machineNetwork is the CIDR of the VPC the installer creates for the nodes and must not overlap clusterNetwork or serviceNetwork; the io1 root volumes request provisioned IOPS (io1 allows at most 50 IOPS per GiB, so 4000 IOPS on 500 GiB is within the limit); userTags are applied to every AWS resource the installer creates, which is useful for cost allocation and for finding everything that belongs to this cluster:

[usera@local-workstation install]$ vi install-config.yaml
apiVersion: v1
baseDomain: youropenshiftdomainname.com
controlPlane:
  hyperthreading: Enabled
  name: master
  platform:
    aws:
      zones:
        - us-east-1a
        - us-east-1b
        - us-east-1c
      rootVolume:
        iops: 4000
        size: 500
        type: io1
      type: m5.xlarge
  replicas: 3
compute:
- hyperthreading: Enabled
  name: worker
  platform:
    aws:
      zones:
        - us-east-1a
        - us-east-1b
        - us-east-1c
      rootVolume:
        iops: 2000
        size: 500
        type: io1
      type: t3.xlarge
  replicas: 3
metadata:
  creationTimestamp: null
  name: ocp-quay
networking:
  clusterNetwork:
    - cidr: 10.128.0.0/14
      hostPrefix: 23
  machineNetwork:
    - cidr: 172.24.0.0/21
  networkType: OpenShiftSDN
  serviceNetwork:
    - 172.30.0.0/16
platform:
  aws:
    region: us-east-1
    userTags:
      Environment: PROD
      Component: Quay
publish: External
pullSecret: '{"auths":{"cloud.openshift.com":{"auth":"bb8c3por2d2thisisNOTthepullsecretyouarelookingfor\USEYOUROWN\mkay\oZXJyZWRoYXRjb20xZHNwb2g3cHl0dmJwamloZm1pbmV0Y2kxcWw6RDM1TlhPTTBLSTJVV1o0OUc4SVMwUUFUS0JFTzBSV0FGVkFSTElEMVIwRE5VNTZEQldRVEM4V1BUSzFZSFJBVg==","email":"yourname@client.com"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K2VhcmNoZXJyZWRoYXRjb20xZHNwb2g3cHl0dmJwamloZm1pbmV0Y2kxcWw6RDM1TlhPTTBLSTJVV1o0OUc4SVMwUUFUS0JFTzBSV0FGVkFSTElEMVIwRE5VNTZEQldRVEM4V1BUSzFZSFJBVg==","email":"yourname@client.com"},"registry.connect.redhat.com":{"auth":"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","email":"yourname@redhat.com"},"registry.redhat.io":{"auth":"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","email":"yourname@client.com"}}}'
sshKey: |
  ssh-rsa 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 usera@bastionhost.yourdoamin.com



23. Copy the modified install-config.yaml file to the src directory. Both copies in src contain your pull secret and SSH public key, so keep that directory out of version control and readable only by your user:

[usera@local-workstation install]$ cp install-config.yaml \
../src/install-config.yaml.modified
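Before handing the file to the installer in the next step it is worth checking the things that most often waste a 30-minute install attempt: tabs in the YAML, example placeholders that were never replaced, a pull secret or SSH key that did not paste cleanly, and AWS credentials left world-readable. The script below is an added example written for this post (it is not part of the original article or of openshift-install) and assumes the ~/aws-ocp/install layout used in this series; the placeholder strings it looks for are the ones this post's examples use, and PREFLIGHT_ONLINE is a hypothetical switch for the two checks that need real AWS credentials and network access.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: preflight checks for the
# install directory before running "openshift-install create cluster".
# Assumptions: the file layout used in this series (~/aws-ocp/install with
# install-config.yaml and the openshift-install binary); the placeholder
# strings are the ones this post's examples use; PREFLIGHT_ONLINE is a
# hypothetical switch for the checks that need AWS credentials and network.

# Return 0 only if install-config.yaml looks ready to be consumed.
check_install_config() {
    local cfg="$1" rc=0 key
    [ -r "$cfg" ] || { echo "missing or unreadable: $cfg"; return 1; }

    # The installer parses YAML, which forbids tab indentation.
    if grep -n "$(printf '\t')" "$cfg" >/dev/null; then
        echo "tab characters found (indent with spaces):"
        grep -n "$(printf '\t')" "$cfg"
        rc=1
    fi
    # Example values from this series must have been replaced with real ones.
    if grep -qiE 'thisisNOTthepullsecret|youropenshift[a-z]*\.com|YOURACCESSKEYHERE' "$cfg"; then
        echo "placeholder values still present in $cfg"
        rc=1
    fi
    # Keys the installer needs for a public AWS cluster.
    for key in 'baseDomain:' 'region:' 'publish: External' 'pullSecret:' 'sshKey:'; do
        grep -qF "$key" "$cfg" || { echo "missing: $key"; rc=1; }
    done
    # The pull secret is a JSON object with an "auths" map, quoted on one line.
    grep -qF "pullSecret: '{\"auths\":" "$cfg" \
        || { echo "pullSecret is not a quoted {\"auths\":...} JSON object"; rc=1; }
    # sshKey must carry an OpenSSH public key line, indented under the block scalar.
    grep -qE '^ +ssh-(rsa|ed25519) ' "$cfg" \
        || { echo "sshKey does not contain an OpenSSH public key"; rc=1; }
    return "$rc"
}

# aws configure stores long-lived keys in plaintext; insist on owner-only access.
check_aws_credentials_perms() {
    local f="${1:-$HOME/.aws/credentials}" mode
    [ -f "$f" ] || { echo "no credentials file at $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "$f is mode $mode; run: chmod 600 $f"; return 1; }
}

# Run everything against an install directory; non-zero means do not install yet.
preflight() {
    local dir="${1:-.}" ok=0 base
    check_install_config "$dir/install-config.yaml" || ok=1
    check_aws_credentials_perms || ok=1
    command -v aws >/dev/null 2>&1 || { echo "aws CLI not on PATH"; ok=1; }
    [ -x "$dir/openshift-install" ] || { echo "openshift-install not found in $dir"; ok=1; }

    if [ "$ok" -eq 0 ] && [ "${PREFLIGHT_ONLINE:-0}" = "1" ]; then
        # Confirm which IAM identity the installer will act as.
        aws sts get-caller-identity || ok=1
        # The base domain must already be a public Route 53 hosted zone (part 1).
        base=$(awk '/^baseDomain:/ {print $2}' "$dir/install-config.yaml")
        aws route53 list-hosted-zones-by-name --dns-name "$base" --max-items 1 \
            --query 'HostedZones[0].Name' --output text | grep -qxF "${base}." \
            || { echo "no Route 53 hosted zone found for $base"; ok=1; }
    fi
    return "$ok"
}

# Usage: ./preflight.sh run [install-dir]
if [ "${1:-}" = "run" ]; then
    preflight "${2:-.}"
    exit $?
fi
```

Run it as `PREFLIGHT_ONLINE=1 ./preflight.sh run ~/aws-ocp/install`; a non-zero exit and the printed reasons mean the installer would fail or, worse, build a cluster with an example value baked in. The online checks are deliberately last so a bad config never spends an AWS API call.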



24. Create the OCP cluster. The installer consumes install-config.yaml from the --dir directory and leaves behind the state it needs later (auth/ with the cluster credentials, and metadata.json, which openshift-install destroy cluster requires), so keep that directory intact until the cluster is retired:

[usera@local-workstation install]$ ./openshift-install create \
cluster --dir . --log-level=debug


Look for output similar to the following:

INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/usera/aws-ocp/install/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.ocp-quay.your.aws.rt53.dns.domain.client.com
INFO Login to the console with user: "kubeadmin", and password: "Janew-password-KsEkk-DTtYL"
DEBUG Time elapsed per stage:
DEBUG     Infrastructure: 6m30s
DEBUG Bootstrap Complete: 8m8s
DEBUG                API: 52s
DEBUG  Bootstrap Destroy: 48s
DEBUG  Cluster Operators: 13m25s
INFO Time elapsed: 29m1s

Record the kubeadmin password, as we will use it to log in to the OpenShift web console in part 3 of this series. The installer also writes it to auth/kubeadmin-password in the installation directory, next to auth/kubeconfig, which holds a client certificate that authenticates as system:admin (full cluster-admin). Treat both files as secrets: keep them out of version control and readable only by your user. Once an identity provider is configured, Red Hat recommends removing the kubeadmin user.
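The installer leaves the cluster-admin kubeconfig, the kubeadmin password, the pull-secret copies in src/ and metadata.json on the workstation with default permissions. The script below, an added example written for this post rather than part of the original article or of openshift-install, locks those files down and, when run online, proves the kubeconfig works and retires kubeadmin only once an identity provider actually exists. It assumes the ~/aws-ocp/install and ~/aws-ocp/src layout from this series; OCP_ONLINE is a hypothetical switch for the steps that need the live cluster.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: lock down the credential files the
# installer leaves behind and, optionally, verify the kubeconfig against the cluster.
# Assumptions: the ~/aws-ocp/install and ~/aws-ocp/src layout from this series;
# OCP_ONLINE is a hypothetical switch for the steps that need the live cluster.

# Make the cluster-admin artifacts owner-only. Returns 0 on success.
secure_install_artifacts() {
    local dir="${1:-.}" f
    [ -d "$dir/auth" ] || { echo "no auth/ directory under $dir"; return 1; }
    chmod 700 "$dir/auth"
    # kubeconfig = system:admin client certificate; kubeadmin-password = console login;
    # the install-config copies hold the pull secret; metadata.json is required by
    # "openshift-install destroy cluster" and identifies the account and region.
    for f in "$dir/auth/kubeconfig" "$dir/auth/kubeadmin-password" \
             "$dir/metadata.json" \
             "$dir/../src/install-config.yaml.orig" \
             "$dir/../src/install-config.yaml.modified"; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Numeric permission mode of a path, used to confirm the result.
file_mode() {
    stat -c '%a' "$1"
}

# Online only: prove the kubeconfig authenticates, then remove the kubeadmin
# user if (and only if) an identity provider has already been configured.
verify_and_retire_kubeadmin() {
    local dir="${1:-.}"
    export KUBECONFIG="$dir/auth/kubeconfig"
    oc whoami || return 1                        # expected: system:admin
    oc get clusterversion version || return 1    # the API is reachable
    if [ -n "$(oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}')" ]; then
        oc delete secrets kubeadmin -n kube-system
    else
        echo "no identity provider configured yet; keeping kubeadmin"
    fi
}

# Usage: ./post-install.sh run [install-dir]
if [ "${1:-}" = "run" ]; then
    secure_install_artifacts "${2:-.}" || exit 1
    if [ "${OCP_ONLINE:-0}" = "1" ]; then
        verify_and_retire_kubeadmin "${2:-.}"
    fi
fi
```

Run `./post-install.sh run ~/aws-ocp/install` immediately after the install completes, and again with OCP_ONLINE=1 after part 3 has an identity provider in place; the identity-provider check is what stops you from deleting kubeadmin while it is still the only way to log in.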

Conclusion

You have completed part 2 of this series and have successfully deployed an OpenShift cluster on AWS. With part 2 complete, the next step is to deploy Quay and Clair in the OpenShift cluster.

About the Author

Eric Archer is a Senior Red Hat Consultant for Stone Door Group, a Hybrid Cloud and DevOps consulting company that helps enterprises successfully complete digital transformation projects. Stone Door Group offers rapid adoption of Red Hat Hybrid Cloud technologies with their OpenShift Container Platform Accelerator. To speak to Eric, drop us a line at letsdothis@stonedoorgroup.com

About Stone Door Group

Stone Door Group is a Hybrid Cloud and DevOps consulting company that delivers successful digital transformation projects in the private and public sectors. Stone Door Group is a team of leading experts in Hybrid Cloud and DevOps technologies. To speak with Eric and our team, send us an email at letsdothis@stonedoorgroup.com.