Cookbook for Azure Red Hat OpenShift — ARO

Aymen Abdelwahed
Published in uleap · 6 min read · Nov 19, 2019


As mentioned in my previous articles, Azure Red Hat OpenShift lets you focus on building your business logic while Microsoft and Red Hat take care of security patches, compliance standards, daily maintenance and the cluster’s high availability.
Before diving deeper into the deployment of Azure Red Hat OpenShift, I suggest checking my previous articles for an overview of Azure Red Hat OpenShift, its benefits and its drawbacks:

What are we cooking today?

The following architecture is the result of our first ARO deployment.

Azure Red Hat OpenShift — Architecture overview

In a few steps you can provision an ARO cluster; after configuring a couple of dependencies in your subscription, your cluster should be up and running.

Setting up the prerequisites

To be able to build and run your own Azure Red Hat OpenShift (ARO) cluster, some prerequisites need to be fulfilled first.

In the following steps, I assume you already have an Azure account, an Azure AD tenant and an Azure subscription.

Azure Login first

Let’s start by logging into your Azure tenant.

The Azure CLI is needed for the next steps, so if you have not installed the Azure CLI yet, download and install it first, then proceed with the setup.

az login

Once logged in, the Azure CLI outputs the list of subscriptions you have access to. Find your subscription and select the relevant one:

az account list -o table
az account set --subscription <SUBSCRIPTION_ID>

Register Azure providers and features:

Ensure that the following providers and features are registered within the subscription you selected.

az feature register --namespace Microsoft.ContainerService -n AROGA
az provider register -n Microsoft.Storage --wait
az provider register -n Microsoft.Compute --wait
az provider register -n Microsoft.Solutions --wait
az provider register -n Microsoft.Network --wait
az provider register -n Microsoft.KeyVault --wait
az provider register -n Microsoft.ContainerService --wait

Setting up the Environment variables:

For the sake of simplicity, set up and customize these environment variables once, before proceeding with the rest of the instructions.

# Double quotes (not single quotes) so that the az calls are actually expanded
export TENANT_ID="$(az account show --query tenantId -o tsv)"
export SUBSCRIPTION_ID="$(az account show --query id -o tsv)"
# Used for both the resource group and the cluster name in the steps below
export CLUSTER_NAME=aro-cluster-rg
export LOCATION='westeurope'
export APP_ID='<INSERT YOUR APP-ID>'
export SECRET='<INSERT THE SECRET RELATED TO THE APP-ID>'
# The subnet prefix must lie inside the VNet prefix
export ARO_VNET_PREFIX=10.28.7.0/23
export ARO_SUBNET_PREFIX=10.28.7.0/23

Create a ResourceGroup to host the ARO cluster

Create the resource group that will host the ARO cluster. To do so, use the Azure CLI and specify the desired resource group name and location.

az group create --name $CLUSTER_NAME --location $LOCATION

Create an Azure AD Service Principal

As OpenShift requires permissions to perform tasks on behalf of the cluster, a Service Principal (SP) needs to be created and assigned to ARO.

An SP is a security identity used by automation tools and applications. We define which tasks the SP is able to perform in Azure, and at which scope.

Let’s create the Service Principal, with the “Contributor” role and with a scope set to the cluster’s Resource Group.

# No spaces around "=" in shell assignments; -o tsv strips the JSON quotes from the id
SCOPE=$(az group show --name $CLUSTER_NAME --query id -o tsv)
# Contributor role, scoped to the cluster's resource group only
az ad sp create-for-rbac --name openshift-sp --role Contributor --scopes $SCOPE \
--password <STRONG_PASSWORD>

Make a note of the application (client) ID returned as appId and store it in the “APP_ID” variable.

Grant your Service Principal the least privileges needed to install OpenShift properly.

# Without --scope these assignments land at subscription scope;
# add --scope $SCOPE to keep them limited to the cluster's resource group
az role assignment create --assignee $APP_ID --role Contributor
az role assignment create --assignee $APP_ID --role "User Access Administrator"

Ensure that the “User.Read” and “Directory.Read.All” permissions are assigned to your Service Principal.

# Azure AD Graph (00000002-...): Directory.Read.All, an application permission (Role)
az ad app permission add --id $APP_ID \
--api 00000002-0000-0000-c000-000000000000 \
--api-permissions 5778995a-e1bf-45b8-affa-663a9f3f4d04=Role
# Microsoft Graph (00000003-...): User.Read is a delegated permission, so Scope rather than Role
az ad app permission add --id $APP_ID \
--api 00000003-0000-0000-c000-000000000000 \
--api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope

Make sure admin consent is granted when registering the SP in Azure, or request it from your Azure AD administrator.

# Grants the requested permissions for the app; application (Role) permissions
# still need admin consent from an Azure AD administrator
az ad app permission grant --id $APP_ID \
--api 00000002-0000-0000-c000-000000000000
az ad app permission grant --id $APP_ID \
--api 00000003-0000-0000-c000-000000000000

Create an Azure AD Security Group

To grant cluster-admin access to users, the membership of a newly created security group in Azure AD is synced with the ARO group called “Osa-customer-admins”.

# --mail-nickname is required by az ad group create; the group's objectId is what
# "az openshift create --customer-admin-group-id" expects later on
SECGROUP_ID=$(az ad group create --display-name ARO-AdminSecurityGroup \
--mail-nickname ARO-AdminSecurityGroup --query objectId -o tsv)

Note! If this group is not properly defined, no OpenShift cluster-admin is going to be assigned.

Assign yourself to this Azure AD SecurityGroup:

# Extract only the objectId; "az ad user show" otherwise returns the full JSON record
USER_OBJECT_ID=$(az ad user show --id <YOUR-EMAIL-ADDRESS> --query objectId -o tsv)
az ad group member add --group ARO-AdminSecurityGroup \
--member-id $USER_OBJECT_ID

Check that the member list has been updated:

# "member list" shows the members of the group ("get-member-groups" would show
# the groups this group itself belongs to)
az ad group member list --group ARO-AdminSecurityGroup

Ready to fire?

You are now ready to fire up the deployment of the cluster. The following automates everything for you.

It’s wise not to oversize your worker node resources, to avoid being charged for resources you don’t use. Check the VM sizes allowed for ARO before choosing one.

The “az openshift create” command is used to deploy the cluster and supports different kinds of options.

Before launching the creation of the cluster, here is a tip: you can use the following command to find examples for “az openshift create” ;) and get a better idea of the allowed customizations.

az find "az openshift create"
az find “az openshift create” — Command examples

Make sure to specify the relevant Azure AD tenant, application registration ID and secret, the resource group and the location of the cluster.

# The resource group was created under $CLUSTER_NAME above; $SECGROUP_ID is the
# objectId of the Azure AD security group created earlier
az openshift create --resource-group $CLUSTER_NAME \
--aad-tenant-id $TENANT_ID \
--name $CLUSTER_NAME \
--location $LOCATION \
--aad-client-app-id $APP_ID \
--aad-client-app-secret $SECRET \
--customer-admin-group-id $SECGROUP_ID \
--vnet-prefix $ARO_VNET_PREFIX \
--subnet-prefix $ARO_SUBNET_PREFIX \
--compute-count 2

The “compute-count” parameter is useful to limit costs, which is handy for experimentation clusters ;)

Cluster Network Topology

This is the cluster topology you get from the Azure portal once the cluster is provisioned.

The network topology of your cluster is easily accessible using this link (you’ll be asked to log in to your Azure subscription).

Azure Red Hat OpenShift— Network Topology

Post-install in one command or two ;)

Now that the cluster deployment has finished, let’s set the app registration’s redirect URI.

Let’s first extract the sign-in URL of the newly built cluster:

# The cluster lives in the resource group named $CLUSTER_NAME
PUBLIC_HOSTNAME=$(az openshift show -n $CLUSTER_NAME \
-g $CLUSTER_NAME --query publicHostname -o tsv)

Then update the App-Registration Redirect-URI using the AZ command below:

az ad app update --id $APP_ID \
--reply-urls "https://$PUBLIC_HOSTNAME/oauth2callback/Azure%20AD"

The APP_ID variable was set earlier to the app registration’s ID.

To the OpenShift Console?

You’re now ready to log in to the OpenShift console. The following command provides you with the URL for web access.

PUBLIC_HOSTNAME=$(az openshift show -n $CLUSTER_NAME \
-g $CLUSTER_NAME --query publicHostname -o tsv)
echo "OpenShift Public Hostname: https://$PUBLIC_HOSTNAME"

Bear in mind that ARO is linked to your Azure AD, so use your Azure credentials to log in to the cluster.

Azure Red Hat OpenShift — Console

ARO Cluster Monitoring

Azure Red Hat OpenShift is now integrated with and supported by Azure Monitor for containers, showing health details for the cluster as well as for its nodes and containers.

This is still in technical preview, but if you are interested in more details, follow this link.

Deployment Shell script

Below I share a shell script with you, to give a better understanding of the steps.

ARO — Shell Script
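As an added example (not the author’s script from the embed above), the following wraps the article’s steps in shell functions and adds the pre-flight checks the article only states in prose: every variable from the “Setting up the Environment variables” step must be set and must no longer hold an “<INSERT …>” placeholder, SECGROUP_ID (the objectId of the ARO-AdminSecurityGroup group, assumed here to be exported after that group is created) must be present because without it no cluster-admin is assigned, and the subnet prefix must lie inside the VNet prefix. It assumes the Azure CLI is installed and logged in; the service principal, role assignments and API permissions remain the manual steps described earlier. “plan” prints the az commands without running anything, “deploy” runs them.

```bash
#!/usr/bin/env bash
# aro-deploy.sh: the article's ARO 3.11 steps as shell functions, with the
# pre-flight checks the article only states in prose. Added example, not the
# author's script. Assumes the Azure CLI ("az"), the TENANT_ID/SUBSCRIPTION_ID/
# CLUSTER_NAME/LOCATION/APP_ID/SECRET/ARO_VNET_PREFIX/ARO_SUBNET_PREFIX variables
# from the article and SECGROUP_ID (objectId of ARO-AdminSecurityGroup).
set -eu

AZ="${AZ:-az}"   # "plan" mode swaps this for "echo az" so nothing is executed

# Dotted-quad IPv4 address -> integer (pure shell, no external tools).
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when the second CIDR lies entirely inside the first one
# (the subnet prefix must fit inside the VNet prefix).
cidr_contains() {
  outer_ip=${1%/*}; outer_len=${1#*/}
  inner_ip=${2%/*}; inner_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (4294967295 << (32 - outer_len)) & 4294967295 ))
  [ $(( $(ip2int "$outer_ip") & mask )) -eq $(( $(ip2int "$inner_ip") & mask )) ]
}

# Pre-flight: every variable must be set and must not still hold one of the
# article's "<INSERT ...>" placeholders; the subnet must fit inside the VNet.
aro_check_env() {
  for v in TENANT_ID SUBSCRIPTION_ID CLUSTER_NAME LOCATION APP_ID SECRET \
           SECGROUP_ID ARO_VNET_PREFIX ARO_SUBNET_PREFIX; do
    eval "val=\${$v:-}"
    case "$val" in
      ""|"<"*) echo "aro_check_env: $v is unset or still a placeholder" >&2; return 1 ;;
    esac
  done
  # SECGROUP_ID is in the list above because, as the article notes, without the
  # customer-admin group no OpenShift cluster-admin is assigned.
  cidr_contains "$ARO_VNET_PREFIX" "$ARO_SUBNET_PREFIX" ||
    { echo "aro_check_env: $ARO_SUBNET_PREFIX is not inside $ARO_VNET_PREFIX" >&2; return 1; }
}

# Redirect URI the article registers on the app once the cluster exists.
aro_reply_url() { echo "https://$1/oauth2callback/Azure%20AD"; }

# Same "az openshift create" call as in the article; the resource group and the
# cluster share the CLUSTER_NAME value, as in the article.
aro_create_cluster() {
  $AZ openshift create --resource-group "$CLUSTER_NAME" \
    --name "$CLUSTER_NAME" --location "$LOCATION" \
    --aad-tenant-id "$TENANT_ID" \
    --aad-client-app-id "$APP_ID" --aad-client-app-secret "$SECRET" \
    --customer-admin-group-id "$SECGROUP_ID" \
    --vnet-prefix "$ARO_VNET_PREFIX" --subnet-prefix "$ARO_SUBNET_PREFIX" \
    --compute-count 2
}

aro_public_hostname() {
  $AZ openshift show -n "$CLUSTER_NAME" -g "$CLUSTER_NAME" --query publicHostname -o tsv
}

# Resource group -> cluster -> redirect URI -> console URL, in the article's order.
aro_deploy() {
  aro_check_env
  $AZ group create --name "$CLUSTER_NAME" --location "$LOCATION"
  aro_create_cluster
  if [ "$AZ" = "echo az" ]; then host='<publicHostname>'; else host=$(aro_public_hostname); fi
  $AZ ad app update --id "$APP_ID" --reply-urls "$(aro_reply_url "$host")"
  echo "OpenShift console: https://$host"
}

case "${1:-}" in
  plan)   AZ="echo az"; aro_deploy ;;   # print the commands, run nothing
  deploy) aro_deploy ;;                 # run them for real
esac
```

Run `bash aro-deploy.sh plan` first: it fails fast on a forgotten placeholder or a subnet outside the VNet, and otherwise prints exactly the commands that `bash aro-deploy.sh deploy` would execute, so the resource group name, tenant and group id can be eyeballed before anything is billed.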

Get your hands dirty

Now you can get your hands dirty: connect to the cluster and create your first project.

Below is a quick link to a well-designed workshop provided by Microsoft: https://aroworkshop.io

Please, let me have your comments :)



Published in uleap

ULeap B.V. is an IT services company focusing on Cloud and Open Source solutions, Project Management, Development, and IT consulting services offering outsourcing solutions to European companies.


Written by Aymen Abdelwahed

A Cloud-Native enthusiast with 14 plus years of experience. He’s continuously immersing himself in the latest technology trends and projects.