Creating a ROSA cluster with PrivateLink enabled
Prerequisites
Create VPC and Subnets
The following instructions use the AWS CLI to create the networking needed to deploy a PrivateLink ROSA cluster into a single AZ and are intended as a guide. Ideally you would use an automation tool such as Ansible or Terraform to manage your VPCs.
When creating subnets, make sure the subnet(s) are created in an availability zone that has ROSA instance types available. If the AZ is not forced, the subnet is created in a random AZ in the region. Force the AZ with the --availability-zone argument of the create-subnet command.
Use rosa list instance-types to list the ROSA instance types, then check which of those types are available in your AZ with the following
As an example, you cannot install ROSA to us-east-1e AZ, but us-east-1b works fine.
Option 1 - VPC with a private subnet and AWS Site-to-Site VPN access.
Todo
Option 2 - VPC with public and private subnets and AWS Site-to-Site VPN access
Todo
Option 3 - VPC with public and private subnets (NAT)
This creates both a private and a public subnet. All cluster resources live in the private subnet; the public subnet exists only to NAT egress traffic to the Internet.

Set a Cluster name
Create a VPC to install a ROSA cluster into
Create a Public Subnet for the cluster to NAT egress traffic out of
Create a Private Subnet for the cluster machines to live in
Create an Internet Gateway for NAT egress traffic
Create a Route Table for NAT egress traffic
Create a NAT Gateway for the Private network
Create a Route Table for the Private subnet to the NAT
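The eight Option 3 steps above collected into one shell function around the AWS CLI. This is an added example, not the guide's own commands; the region, AZ, CIDRs and the private-link cluster name are assumed values, and the private subnet id it prints is what you would hand to rosa create cluster.

```shell
#!/bin/sh
# Option 3 networking for a single-AZ PrivateLink ROSA cluster as one shell
# function around the AWS CLI. Region, AZ, CIDRs and the cluster name are
# assumed values; change them for your account before running.
set -eu

REGION="${REGION:-us-east-1}"
AZ="${AZ:-us-east-1b}"              # must offer ROSA instance types (not us-east-1e)
CLUSTER_NAME="${CLUSTER_NAME:-private-link}"
VPC_CIDR="10.0.0.0/16"
PUBLIC_CIDR="10.0.128.0/20"         # NAT gateway only; no cluster machines here
PRIVATE_CIDR="10.0.0.0/17"          # every cluster resource lives here

# All calls share one region and return plain-text ids for $(...) capture.
ec2() { aws --region "$REGION" --output text ec2 "$@"; }

create_privatelink_network() {
  VPC_ID=$(ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId)
  # ROSA requires DNS support and DNS hostnames to be enabled on the VPC.
  ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-support '{"Value":true}'
  ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-hostnames '{"Value":true}'
  ec2 create-tags --resources "$VPC_ID" --tags "Key=Name,Value=$CLUSTER_NAME"

  # Force the AZ so neither subnet lands in a zone without ROSA instance types.
  PUBLIC_SUBNET=$(ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PUBLIC_CIDR" \
    --availability-zone "$AZ" --query Subnet.SubnetId)
  PRIVATE_SUBNET=$(ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PRIVATE_CIDR" \
    --availability-zone "$AZ" --query Subnet.SubnetId)

  # Internet gateway; only the public subnet's route table gets a default route to it.
  IGW_ID=$(ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
  ec2 attach-internet-gateway --vpc-id "$VPC_ID" --internet-gateway-id "$IGW_ID"
  PUBLIC_RT=$(ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId)
  ec2 create-route --route-table-id "$PUBLIC_RT" --destination-cidr-block 0.0.0.0/0 \
    --gateway-id "$IGW_ID" >/dev/null
  ec2 associate-route-table --subnet-id "$PUBLIC_SUBNET" --route-table-id "$PUBLIC_RT" >/dev/null

  # NAT gateway in the public subnet; the private subnet's default route points at it,
  # so nodes get egress but nothing on the Internet can route in to them.
  EIP_ID=$(ec2 allocate-address --domain vpc --query AllocationId)
  NAT_ID=$(ec2 create-nat-gateway --subnet-id "$PUBLIC_SUBNET" --allocation-id "$EIP_ID" \
    --query NatGateway.NatGatewayId)
  ec2 wait nat-gateway-available --nat-gateway-ids "$NAT_ID"
  PRIVATE_RT=$(ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId)
  ec2 create-route --route-table-id "$PRIVATE_RT" --destination-cidr-block 0.0.0.0/0 \
    --nat-gateway-id "$NAT_ID" >/dev/null
  ec2 associate-route-table --subnet-id "$PRIVATE_SUBNET" --route-table-id "$PRIVATE_RT" >/dev/null

  echo "$PRIVATE_SUBNET"   # pass this id to 'rosa create cluster --subnet-ids'
}
```

Source the file and run create_privatelink_network with valid AWS credentials; it only defines the function so nothing is created until you call it.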
Deploy ROSA
Create ROSA cluster in the private subnet
Test Connectivity
Create an Instance to use as a jump host
TODO: CLI instructions
Through the GUI:
Navigate to the EC2 console and launch a new instance
Select the AMI for your instance, if you don’t have a standard, the Amazon Linux 2 AMI works just fine
Choose your instance type, the t2.micro/free tier is sufficient for our needs, and click Next: Configure Instance Details
Change the Network setting to place this host inside your private-link VPC

Change the Subnet setting to use the private-link-public subnet

Change Auto-assign Public IP to Enable

The default settings for Storage and Tags are fine unless you need to change them for your own reasons; select 6. Configure Security Group from the top navigation or click through using the Next buttons
If you already have a security group that allows access from your computer to AWS, choose Select an existing security group, pick that group from the list and skip to Review and Launch. Otherwise, select Create a new security group and continue.
To allow access only from your current public IP, change the Source heading to use My IP

Click Review and Launch, verify all settings are correct and follow the standard AWS instructions for finalizing the setup and selecting/creating the security keys.
Once launched, open the instance summary for the jump host instance and note the public IP address.
Create a ROSA admin user and save the login command for use later
Note the DNS name of your private cluster; use the rosa describe command if needed
Update /etc/hosts to point the OpenShift domains to localhost. Use the DNS of your OpenShift cluster as described in the previous step in place of $YOUR_OPENSHIFT_DNS below
SSH to that instance, tunneling traffic for the appropriate hostnames. Be sure to use your new/existing private key, the OpenShift DNS for $YOUR_OPENSHIFT_DNS and your jump host IP for $YOUR_EC2_IP
Log into the cluster using the oc login command from the create admin command above, e.g.
Check that you can access the Console by opening the console url in your browser.
Cleanup
Delete ROSA
Delete AWS resources