
This tutorial walks through the detailed steps for deploying a ROSA cluster with the ROSA CLI.

CLI deployment modes

There are two modes for deploying a ROSA cluster. Auto mode is faster and does the manual work for you. Manual mode requires you to run additional commands and lets you inspect the roles and policies that are being created. This tutorial documents both options.

If you want to create a cluster quickly, use the auto option. If you want to review the roles and policies before they exist in your account, use the manual option.

Select the deployment mode with the --mode flag on the relevant commands.

The valid options for --mode are

  • manual: the roles and policies are created and saved in the current directory. You must run the provided commands manually as the next step. This option lets you review the policies and roles before they are created.

  • auto: the roles and policies are created and applied automatically using the current AWS account.

You can use either deployment method for this tutorial. Auto mode is faster and has fewer steps.

Deployment workflow

The overall deployment workflow follows these steps

  1. rosa create account-roles - run this command only once per account. Once created, the account roles do not need to be created again for further clusters of the same y-stream version.

  2. rosa create cluster

  3. rosa create operator-roles - manual mode only.

  4. rosa create oidc-provider - manual mode only.

For each additional cluster of the same y-stream version in the same account, auto mode requires only step 2. Manual mode requires steps 2 through 4.

Auto mode

Use this method if you want the ROSA CLI to create the roles and policies automatically so that you can create a cluster quickly.

Create account roles

If this is the first time you are deploying ROSA in this account and you have not yet created the account roles, create the account-wide roles and policies, including the Operator policies.

Run the following command to create the account-wide roles

rosa create account-roles --mode auto --yes
Example output
I: Creating roles using 'arn:aws:iam::000000000000:user/rosa-user'
I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role'
I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role'
I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role'
I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent'
I: To create a cluster with these roles, run the following command:
    rosa create cluster --sts

Create cluster

Run the following command to create a cluster with all default options

rosa create cluster --cluster-name <cluster-name> --sts --mode auto --yes

This also creates the required Operator roles and the OIDC provider. To see all available options for the cluster, use the --help flag, or use the --interactive flag to enter interactive mode.

Example input
$ rosa create cluster --cluster-name my-rosa-cluster --sts --mode auto --yes
Example output
I: Creating cluster 'my-rosa-cluster'
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'my-rosa-cluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
I: To determine when your cluster is Ready, run 'rosa describe cluster -c my-rosa-cluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c my-rosa-cluster --watch'.
Name:                       my-rosa-cluster
ID:                         1mlhulb3bo0l54ojd0ji000000000000
External ID:
OpenShift Version:
Channel Group:              stable
DNS:                        my-rosa-cluster.ibhp.p1.openshiftapps.com
AWS Account:                000000000000
API URL:
Console URL:
Region:                     us-west-2
Multi-AZ:                   false
Nodes:
- Master:                  3
- Infra:                   2
- Compute:                 2
Network:
- Service CIDR:            172.30.0.0/16
- Machine CIDR:            10.0.0.0/16
- Pod CIDR:                10.128.0.0/14
- Host Prefix:             /23
STS Role ARN:               arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role
Support Role ARN:           arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role
Instance IAM Roles:
- Master:                  arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role
- Worker:                  arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role
Operator IAM Roles:
- arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-image-registry-installer-cloud-credentials
- arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-ingress-operator-cloud-credentials
- arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
- arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-machine-api-aws-cloud-credentials
- arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-cloud-credential-operator-cloud-credential-oper
State:                      waiting (Waiting for OIDC configuration)
Private:                    No
Created:                    Oct 28 2021 20:28:09 UTC
Details Page:               https://console.redhat.com/openshift/details/s/1wupmiQy45xr1nN000000000000
OIDC Endpoint URL:          https://rh-oidc.s3.us-east-1.amazonaws.com/1mlhulb3bo0l54ojd0ji000000000000

Default configuration

The default settings are as follows

  • Nodes

    • 3 control plane nodes

    • 2 infrastructure nodes

    • 2 worker nodes

    • No autoscaling

    • For more details, see the documentation on ec2 instances.

  • Region: as configured for the aws CLI

  • Network IP ranges

    • Machine CIDR: 10.0.0.0/16

    • Service CIDR: 172.30.0.0/16

    • Pod CIDR: 10.128.0.0/14

  • New VPC

  • Default AWS KMS key for encryption

  • Latest version of OpenShift available to rosa

  • Single availability zone

  • Public cluster

Check the installation status

  1. Run one of the following commands to check the status of the cluster

    • For a detailed view of the status, run

      rosa describe cluster --cluster <cluster-name>
    • For an abridged view of the status, run

      rosa list clusters
  2. The cluster state changes from "waiting" to "installing" and then to "ready". This takes about 40 minutes.

  3. Once the state is "ready", your cluster is installed.

Manual mode

Use the manual method if you want to review the roles and policies before they are applied to the cluster. This method requires running a few additional commands to create the roles and policies.

This section uses --interactive mode. For descriptions of the fields in this section, see the interactive mode documentation.

Create account roles

  1. If this is the **first** time you are deploying ROSA in this account and you have **not** yet created the account roles, create the account-wide roles and policies, including the Operator policies. The command writes JSON files for the roles and policies your account needs into the current directory. It also prints the aws CLI commands you need to run to create those objects.

    Run the following command to create the required files and print the additional commands

    rosa create account-roles --mode manual
    Example output
    I: All policy files saved to the current directory
    I: Run the following commands to create the account roles and policies:
    aws iam create-role \
    --role-name ManagedOpenShift-Worker-Role \
    --assume-role-policy-document file://sts_instance_worker_trust_policy.json \
    --tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=instance_worker
    aws iam put-role-policy \
    --role-name ManagedOpenShift-Worker-Role \
    --policy-name ManagedOpenShift-Worker-Role-Policy \
    --policy-document file://sts_instance_worker_permission_policy.json
  2. Check the contents of the current directory to see the new files. Use the aws CLI to create each object.

    Example output
    $ ls
    openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json
    openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json
    openshift_image_registry_installer_cloud_credentials_policy.json
    openshift_ingress_operator_cloud_credentials_policy.json
    openshift_machine_api_aws_cloud_credentials_policy.json
    sts_installer_permission_policy.json
    sts_installer_trust_policy.json
    sts_instance_controlplane_permission_policy.json
    sts_instance_controlplane_trust_policy.json
    sts_instance_worker_permission_policy.json
    sts_instance_worker_trust_policy.json
    sts_support_permission_policy.json
    sts_support_trust_policy.json
  3. **Optional:** Open the files to review what you are about to create. For example, opening sts_installer_permission_policy.json shows

    Example output
    $ cat sts_installer_permission_policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:DescribeAutoScalingGroups",
                    "ec2:AllocateAddress",
                    "ec2:AssociateAddress",
                    "ec2:AssociateDhcpOptions",
                    "ec2:AssociateRouteTable",
                    "ec2:AttachInternetGateway",
                    "ec2:AttachNetworkInterface",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    [...]

    You can also review the contents in the documentation on IAM resources for ROSA clusters.

  4. Run the aws commands listed in step 1. If you are in the same directory as the JSON files you created, you can copy and paste them.
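Manual mode exists precisely so that the roles and policies can be reviewed before the aws commands in step 1 create them. The script below is an added example, not part of the ROSA documentation or the rosa CLI, that audits the *_policy.json files written to the current directory in step 2: it separates trust policies (who may assume each role) from permission policies and flags wildcard actions, NotAction/NotResource statements, and state-changing actions granted on Resource "*". The only thing taken from the page is the file naming pattern; the embedded sample documents are constructed for the offline run and are not the real ROSA policies.

```python
"""Audit the *_policy.json files written by `rosa create ... --mode manual`
before running the generated `aws iam` commands (added example, stdlib only)."""
import glob
import json
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    kind: str    # "trust" or "permission"
    detail: str


def _as_list(value):
    """IAM allows a single string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_trust_policy(doc):
    """Trust policies carry a Principal plus an sts:AssumeRole* action; permission policies do not."""
    return any(
        "Principal" in stmt
        and any(a.startswith("sts:AssumeRole") for a in _as_list(stmt.get("Action")))
        for stmt in _as_list(doc.get("Statement"))
    )


def audit_trust(name, doc):
    """Report every principal that may assume the role; flag an open Principal '*'."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(Finding(name, "trust", "Principal '*' lets any AWS identity assume this role"))
            continue
        cond = "" if stmt.get("Condition") else " (no Condition)"
        for ptype, ids in (principal or {}).items():
            for ident in _as_list(ids):
                findings.append(Finding(name, "trust", f"{ptype} {ident} may assume{cond}"))
    return findings


def audit_permissions(name, doc):
    """Flag wildcard actions, allow-by-exclusion statements, and mutating actions on Resource '*'."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(Finding(name, "permission", "statement uses NotAction/NotResource (allow-by-exclusion)"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(Finding(name, "permission", f"wildcard action {action}"))
        # Anything that is not a Describe/Get/List call can change state; on Resource "*" that deserves a look.
        mutating = [a for a in actions if not a.split(":")[-1].startswith(("Describe", "Get", "List"))]
        if "*" in resources and mutating:
            findings.append(Finding(name, "permission",
                                    f"{len(mutating)} mutating action(s) on Resource '*', e.g. {mutating[0]}"))
    return findings


def audit_document(name, doc):
    """Dispatch on the policy type; returns a list of Finding records."""
    return audit_trust(name, doc) if is_trust_policy(doc) else audit_permissions(name, doc)


def audit_directory(pattern="*_policy.json"):
    """Audit every policy file matching the pattern in the current directory."""
    findings = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            findings.extend(audit_document(path, json.load(fh)))
    return findings


# Constructed sample documents for an offline run; they are NOT the real ROSA policies.
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-installer"}}],
}
SAMPLE_PERMISSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for f in audit_directory():
        print(f"{f.file}: [{f.kind}] {f.detail}")
```

Run it from the directory that holds the generated files, read the trust-policy lines first (they tell you which external principal will be able to assume the Installer, Support and instance roles), then decide whether the flagged permission statements are acceptable before pasting the aws commands from step 1.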

Create cluster

  1. After the aws commands have run successfully, run the following command to start creating the ROSA cluster in interactive mode

    rosa create cluster --interactive --sts

    For descriptions of the fields, see the ROSA documentation

  2. For this tutorial, copy and enter the following values

    Cluster name: my-rosa-cluster
    OpenShift version: <choose version>
    External ID (optional): <leave blank>
    Operator roles prefix: <accept default>
    Multiple availability zones: No
    AWS region: <choose region>
    PrivateLink cluster: No
    Install into an existing VPC: No
    Enable Customer Managed key: No
    Compute nodes instance type: m5.xlarge
    Enable autoscaling: No
    Compute nodes: 2
    Machine CIDR: <accept default>
    Service CIDR: <accept default>
    Pod CIDR: <accept default>
    Host prefix: <accept default>
    Encrypt etcd data (optional): No
    Disable Workload monitoring: No
    Example output
    I: Creating cluster 'my-rosa-cluster'
    I: To create this cluster again in the future, you can run:
    rosa create cluster --cluster-name my-rosa-cluster --role-arn arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role --operator-roles-prefix my-rosa-cluster --region us-west-2 --version 4.8.13 --compute-nodes 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23
    I: To view a list of clusters and their status, run 'rosa list clusters'
    I: Cluster 'my-rosa-cluster' has been created.
    I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
    Name:                       my-rosa-cluster
    ID:                         1t6i760dbum4mqltqh6o000000000000
    External ID:
    OpenShift Version:
    Channel Group:              stable
    DNS:                        my-rosa-cluster.abcd.p1.openshiftapps.com
    AWS Account:                000000000000
    API URL:
    Console URL:
    Region:                     us-west-2
    Multi-AZ:                   false
    Nodes:
    - Control plane:           3
    - Infra:                   2
    - Compute:                 2
    Network:
    - Service CIDR:            172.30.0.0/16
    - Machine CIDR:            10.0.0.0/16
    - Pod CIDR:                10.128.0.0/14
    - Host Prefix:             /23
    STS Role ARN:               arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role
    Support Role ARN:           arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role
    Instance IAM Roles:
    - Control plane:           arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role
    - Worker:                  arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role
    Operator IAM Roles:
    - arn:aws:iam::000000000000:role/my-rosa-cluster-w7i6-openshift-ingress-operator-cloud-credentials
    - arn:aws:iam::000000000000:role/my-rosa-cluster-w7i6-openshift-cluster-csi-drivers-ebs-cloud-credentials
    - arn:aws:iam::000000000000:role/my-rosa-cluster-w7i6-openshift-cloud-network-config-controller-cloud-cre
    - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-machine-api-aws-cloud-credentials
    - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-cloud-credential-operator-cloud-credentia
    - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-image-registry-installer-cloud-credential
    State:                      waiting (Waiting for OIDC configuration)
    Private:                    No
    Created:                    Jul  1 2022 22:13:50 UTC
    Details Page:               https://console.redhat.com/openshift/details/s/2BMQm8xz8Hq5yEN000000000000
    OIDC Endpoint URL:          https://rh-oidc.s3.us-east-1.amazonaws.com/1t6i760dbum4mqltqh6o000000000000
    I: Run the following commands to continue the cluster creation:
    rosa create operator-roles --cluster my-rosa-cluster
    rosa create oidc-provider --cluster my-rosa-cluster
    I: To determine when your cluster is Ready, run 'rosa describe cluster -c my-rosa-cluster'.
    I: To watch your cluster installation logs, run 'rosa logs install -c my-rosa-cluster --watch'.

    The cluster state stays "waiting" until you complete the next two steps.

Create Operator roles

  1. The step above printed the commands to run next. These roles need to be created **once** for **each** cluster. To create the roles, run the following command

    rosa create operator-roles --mode manual --cluster <cluster-name>
    Example output
    I: Run the following commands to create the operator roles:
        aws iam create-role \
            --role-name my-rosa-cluster-openshift-image-registry-installer-cloud-credentials \
            --assume-role-policy-document file://operator_image_registry_installer_cloud_credentials_policy.json \
            --tags Key=rosa_cluster_id,Value=1mkesci269png3tck000000000000000 Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-image-registry Key=operator_name,Value=installer-cloud-credentials
    
        aws iam attach-role-policy \
            --role-name my-rosa-cluster-openshift-image-registry-installer-cloud-credentials \
            --policy-arn arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden
        [...]
  2. Run each aws command.

Create OIDC provider

  1. Run the following command to create the OIDC provider

    rosa create oidc-provider --mode manual --cluster <cluster-name>
  2. This prints the aws command you need to run.

    Example output
    I: Run the following commands to create the OIDC provider:
    $ aws iam create-open-id-connect-provider \
    --url https://rh-oidc.s3.us-east-1.amazonaws.com/1mkesci269png3tckknhh0rfs2da5fj9 \
    --client-id-list openshift sts.amazonaws.com \
    --thumbprint-list a9d53002e97e00e043244f3d170d000000000000
    
  3. Your cluster now continues the installation process.

Check the installation status

  1. Run one of the following commands to check the status of the cluster

    • For a detailed view of the status, run

      rosa describe cluster --cluster <cluster-name>
    • For an abridged view of the status, run

      rosa list clusters
  2. The cluster state changes from "waiting" to "installing" and then to "ready". This takes about 40 minutes.

  3. Once the state is "ready", your cluster is installed.
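Both "Check the installation status" sections (auto mode and manual mode) leave you re-running rosa describe cluster until the state moves from "waiting" through "installing" to "ready", which takes about 40 minutes. The script below is an added example, not part of the ROSA documentation or the rosa CLI, that automates that loop: it parses the Key: value layout of rosa describe cluster (the only thing assumed from the page), polls through the rosa CLI, returns once the state is "ready", and fails fast if the cluster enters "error" instead of silently waiting out the clock. The 60-minute default timeout, the polling interval, the set of failure states and the embedded output excerpt used for offline testing are this script's own choices.

```python
"""Poll `rosa describe cluster` until the cluster is ready (added example, stdlib only).

Assumes only the `Key:   value` layout that `rosa describe cluster` prints and
that `rosa login` has already been run; interval and timeout are this script's choices.
"""
import subprocess
import sys
import time

# Excerpt of the `rosa describe cluster` output shown above, kept as offline test input.
SAMPLE_DESCRIBE = """\
Name:                       my-rosa-cluster
ID:                         1mlhulb3bo0l54ojd0ji000000000000
Region:                     us-west-2
Multi-AZ:                   false
Nodes:
 - Master:                  3
State:                      waiting (Waiting for OIDC configuration)
Private:                    No
"""

SUCCESS_STATE = "ready"
FAILURE_STATES = {"error", "uninstalling"}   # stop polling: waiting longer cannot help


def parse_describe(text):
    """Turn the top-level `Key: value` lines into a dict, skipping the indented ' - ' sub-rows."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " -":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def cluster_state(text):
    """Return the bare state word, e.g. 'waiting' from 'waiting (Waiting for OIDC configuration)'."""
    return parse_describe(text).get("State", "").split(" ", 1)[0].lower()


def describe_with_rosa(name):
    """Default runner: shell out to the rosa CLI and return its stdout."""
    result = subprocess.run(["rosa", "describe", "cluster", "-c", name],
                            capture_output=True, text=True, check=True)
    return result.stdout


def wait_for_ready(name, timeout=60 * 60, interval=60, runner=describe_with_rosa, sleep=time.sleep):
    """Poll until the state is 'ready'; return the distinct states seen, in order.

    Raises RuntimeError when the cluster enters a failure state or the timeout
    (default 60 min, since a default install takes about 40) elapses. `runner`
    and `sleep` are injectable so the loop can be exercised without a cluster.
    """
    seen = []
    deadline = time.monotonic() + timeout
    while True:
        state = cluster_state(runner(name))
        if not seen or seen[-1] != state:
            seen.append(state)
        if state == SUCCESS_STATE:
            return seen
        if state in FAILURE_STATES:
            raise RuntimeError(f"cluster {name} is '{state}'; inspect with 'rosa logs install -c {name}'")
        if time.monotonic() >= deadline:
            raise RuntimeError(f"cluster {name} still '{state}' after {timeout}s")
        sleep(interval)


if __name__ == "__main__":
    cluster = sys.argv[1] if len(sys.argv) > 1 else "my-rosa-cluster"
    print(" -> ".join(wait_for_ready(cluster)))
```

In manual mode a cluster that stays in "waiting" after you have run the operator-role and OIDC-provider commands usually means one of those aws commands did not succeed; the timeout error here surfaces that instead of looping indefinitely, and the runner/sleep parameters let you check the loop's behaviour offline against captured output before trusting it with a real install.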

Get the Red Hat Hybrid Cloud Console URL

  • To get the Hybrid Cloud Console URL, run the following command

    rosa describe cluster -c <cluster-name> | grep Console

The cluster is now successfully deployed. The next tutorial covers how to create an admin user so that you can start using the cluster right away.