After you delete a shared-VPC cluster, three DNS records will not be removed from the private hosted zone. If you make any subsequent install attempts by using the same values, installation errors will occur.
25
-
26
-
This issue might also manifest when shared-VPC networking prerequisites are not correctly configured. See this article for more information link:https://access.redhat.com/articles/7031016[on this limitation].
. From the AWS account that centrally manages your VPC, create or modify a VPC to your specifications in the link:https://us-east-1.console.aws.amazon.com/vpc/[VPC section of the AWS console]. This AWS account will be the *VPC-owning AWS account*.
14
+
. Create or modify a VPC to your specifications in the link:https://us-east-1.console.aws.amazon.com/vpc/[VPC section of the AWS console].
14
15
+
15
-
. Create a custom policy file to allow for necessary Shared VPC permissions that uses the name `SharedVPCPolicy`:
16
+
. Create a custom policy file to allow for necessary shared VPC permissions that uses the name `SharedVPCPolicy`:
16
17
+
17
18
[source,terminal]
18
19
----
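Review bot: The caveat at old lines 25-26 (three DNS records survive deletion of a shared-VPC cluster and break a reinstall that reuses the same values, with the link to article 7031016) is shown as removed and does not reappear in any visible hunk of this commit; if it has not been moved to another module, keep it, because it is the only place the reader learns why a repeated install fails. In the same hunk, the replacement step at new line 14 drops the sentence that named the acting account ("From the AWS account that centrally manages your VPC ... This AWS account will be the *VPC-owning AWS account*"). If the module title and intro (outside this hunk) now state that the VPC Owner performs every step here, that is fine; otherwise add a one-line intro such as "All steps in this module are performed by the *VPC Owner*." so the VPC and the `SharedVPCPolicy` are not created in the cluster-creating account.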
@@ -75,15 +76,15 @@ EOF
75
76
----
76
77
+
77
78
--
78
-
<1> The principal will be scoped down later in this process after the *cluster-creating AWS account* user has created the necessary cluster roles. On creation, you must create a root user placeholder by using the *cluster-creator's AWS Account* ID as `arn:aws:iam::{Account}:root`.
79
+
<1> The principal will be scoped down after the *Cluster Creator* creates the necessary cluster roles. On creation, you must create a root user placeholder by using the *Cluster Creator's* AWS account ID as `arn:aws:iam::{Account}:root`.
79
80
--
80
81
+
81
82
. Create the IAM role:
82
83
+
83
84
[source,terminal]
84
85
----
85
86
$ aws iam create-role --role-name <role_name> \ <1>
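Review bot: Callout <1> at new line 79 now says the root placeholder `arn:aws:iam::{Account}:root` "will be scoped down after the *Cluster Creator* creates the necessary cluster roles" without saying where that happens; point the reader to Step Three explicitly, since until that trust-policy update any principal in the Cluster Creator's account that is permitted to call `sts:AssumeRole` can assume this role. A short parenthetical such as "(see Step Three)" is enough. The callout on the `create-role` line that follows reads "Replace _<role_name>_ with the name of the role you created", which is circular for the command that creates the role; "with a name for the role" reads correctly.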
<1> Replace _<role_name>_ with the name of the role you created.
103
-
<2> Replace _<AWS_account_ID>_ with the *VPC-owning AWS account* ID.
104
+
<2> Replace _<AWS_account_ID>_ with the *VPC Owner's*AWS account ID.
104
105
--
105
106
+
106
-
. In the link:https://us-east-1.console.aws.amazon.com/ram/[Resource Access Manager of the AWS console], create a Resource Share that shares the previously created public and private subnets to the *cluster-creating AWS account* ID.
107
+
. In the link:https://us-east-1.console.aws.amazon.com/ram/[Resource Access Manager of the AWS console], create a resource share that shares the previously created public and private subnets with the *Cluster Creator's*AWS account ID.
107
108
108
-
After you create the Resource Share, notify the *cluster-creating AWS account* user to reserve an `openshiftapps.com` DNS domain and create Operator roles to continue configuration.
109
+
. After you create the resource share, provide the `SharedVPCRole` ARN to the *Cluster Creator* to continue configuration.
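Review bot: New lines 104 and 107 contain `*VPC Owner's*AWS account ID` and `*Cluster Creator's*AWS account ID` with no space after the closing asterisk; AsciiDoc constrained bold only terminates when the closing mark is followed by a non-word character, so both render with literal asterisks. Insert the space: `*VPC Owner's* AWS account ID`. Separately, new line 109 tells the VPC Owner to hand over "the `SharedVPCRole` ARN", but the `create-role` command above uses the `<role_name>` placeholder, so the two do not agree. Either fix the role name as `SharedVPCRole` in the command or phrase line 109 as "the ARN of the role you created (`SharedVPCRole` in this example)".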
modules/rosa-sharing-vpc-dns-and-roles.adoc (+20-15)
@@ -3,17 +3,18 @@
3
3
// * networking/rosa-shared-vpc-config.adoc
4
4
:_content-type: PROCEDURE
5
5
[id="rosa-sharing-vpc-dns-and-roles_{context}"]
6
-
= Creating your DNS and cluster creation roles
6
+
= Step Two - Cluster Creator: Reserving your DNS and creating cluster operator roles
7
7
8
-
After the *VPC-owning AWS account* user creates a virtual private cloud, subnets, and an IAM role for sharing the VPC resources, the *cluster-creating AWS account* user must reserve an `openshiftapps.com` DNS domain and create Operator roles to communicate back to the *VPC-owning AWS account*.
8
+
After the *VPC Owner*creates a virtual private cloud, subnets, and an IAM role for sharing the VPC resources, reserve an `openshiftapps.com` DNS domain and create Operator roles to communicate back to the *VPC Owner*.
* You have the ARN for the IAM role that is used to share your VPC.
12
+
13
+
* You have the `SharedVPCRole`ARN for the IAM role from the *VPC Owner*.
13
14
14
15
.Procedure
15
16
16
-
. The cluster creator reserves an `openshiftapps.com` DNS domain with the following command:
17
+
. Reserve an `openshiftapps.com` DNS domain with the following command:
17
18
+
18
19
[source,terminal]
19
20
----
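Review bot: New line 13, "You have the `SharedVPCRole`ARN for the IAM role from the *VPC Owner*.", has no space between the closing backtick and "ARN"; constrained monospace needs a non-word character after the closing mark, so the backticks render literally. Write "the `SharedVPCRole` ARN". The new title "Step Two - Cluster Creator: ..." plus the imperative "reserve" at line 8 make the actor clear, so the removed "The cluster creator reserves ..." wording at line 16/17 is safe to drop.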
@@ -27,21 +28,24 @@ The command creates a reserved `openshiftapps.com` DNS domain.
27
28
I: DNS domain '14eo.p1.openshiftapps.com' has been created.
28
29
I: To view all DNS domains, run 'rosa list dns-domains'
29
30
----
30
-
. After creating the DNS domain, the *cluster-creating AWS account* user needs to create an OIDC configuration. Review this article for more information link:https://access.redhat.com/articles/7031018[on the ODIC configuration process]. The following command produces the OIDC config ID that you need:
31
+
. Create an OIDC configuration.
32
+
+
33
+
Review this article for more information on the link:https://access.redhat.com/articles/7031018[OIDC configuration process]. The following command produces the OIDC configuration ID that you need:
31
34
+
32
35
[source,terminal]
33
36
----
34
37
$ rosa create oidc-config
35
38
----
36
39
+
37
-
You receive confirmation that the command created an OIDC configuration.
40
+
You receive confirmation that the command created an OIDC configuration:
38
41
+
39
42
[source,terminal]
40
43
----
41
44
I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
42
45
rosa create operator-roles --prefix <user-defined> --oidc-config-id 25tu67hq45rto1am3slpf5lq6jargg
43
46
----
44
-
. After the OIDC configuration is created, create the Operator roles by entering the following command:
47
+
48
+
. Create the Operator roles by entering the following command:
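Review bot: At new lines 31-33 the step ". Create an OIDC configuration." is followed by two marker lines and then the explanatory paragraph ("Review this article for more information on the ... OIDC configuration process"); confirm that the line between them is a list continuation `+` and not an empty line, otherwise the paragraph and the `[source,terminal]` block that follows detach from the list item and attach to the previous one. The same check applies at new lines 47-48 before ". Create the Operator roles". The rewrite of the broken link text "on the ODIC configuration process" to "on the link:...[OIDC configuration process]" at line 33 is correct.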
The Installer account role and the shared VPC role must have a one-to-one relationship. If you want to create multiple shared VPC roles, you should create one set of account roles per shared VPC role.
64
68
====
65
69
66
-
After you create the Operator roles, share the full domain name, which is created with `<intended_cluster_name>.<created_dns_domain>`, your _Ingress Operator Cloud Credentials_ and _Installer_roles' ARN with the *VPC-owning AWS account* user.
67
-
68
-
This information resembles these examples:
69
-
70
+
. After you create the Operator roles, share the full domain name, which is created with `<intended_cluster_name>.<reserved_dns_domain>`, your _Ingress Operator Cloud Credentials_role's ARN, and your _Installer_role's ARN with the *VPC Owner* to continue configuration.
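Review bot: New line 70 has `_Ingress Operator Cloud Credentials_role's ARN` and `_Installer_role's ARN` with no space after the closing underscore, so the constrained italic does not terminate and the underscores render literally; write `_Installer_ role's ARN`. The unchanged admonition at line 64/68 (the Installer account role and the shared VPC role must have a one-to-one relationship) is the constraint the VPC Owner relies on in Step Three when adding exactly one Installer role ARN to the trust policy; consider repeating it as a prerequisite bullet there.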
modules/rosa-sharing-vpc-hosted-zones.adoc (+13-6)
@@ -3,13 +3,20 @@
3
3
// * networking/rosa-shared-vpc-config.adoc
4
4
:_content-type: PROCEDURE
5
5
[id="rosa-sharing-vpc-hosted-zones_{context}"]
6
-
= Updating the shared VPC role and creating hosted zones
6
+
= Step Three - VPC Owner: Updating the shared VPC role and creating hosted zones
7
7
8
-
After the *cluster-creating AWS account* user provides the DNS domain and the IAM roles, *the VPC-owning AWS account* user must create a private hosted zone and update the trust policy on the IAM role that was created for sharing the VPC.
8
+
After the *Cluster Creator* provides the DNS domain and the IAM roles, create a private hosted zone and update the trust policy on the IAM role that was created for sharing the VPC.
* You have the full domain name from the *Cluster Creator*.
14
+
* You have the _Ingress Operator Cloud Credentials_ role's ARN from the *Cluster Creator*.
15
+
* You have the _Installer_ role's ARN from the *Cluster Creator*.
9
16
10
17
.Procedure
11
18
12
-
. The *VPC-owning AWS account* user who owns the VPC must update the VPC sharing IAM role and add the _Installer_ and _Ingress Operator Cloud Credentials_ roles to the principal section of the trust policy.
19
+
. Update the VPC sharing IAM role and add the _Installer_ and _Ingress Operator Cloud Credentials_ roles to the principal section of the trust policy.
13
20
+
14
21
[source,terminal]
15
22
----
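Review bot: New line 19, "Update the VPC sharing IAM role and add the _Installer_ and _Ingress Operator Cloud Credentials_ roles to the principal section of the trust policy", says "add", which reads as appending the two role ARNs next to the `arn:aws:iam::{Account}:root` placeholder from Step One. Callout <1> in Step One promises that the principal "will be scoped down", which only happens if the root entry is replaced. Suggest: "Replace the `arn:aws:iam::{Account}:root` placeholder in the principal section of the trust policy with the _Installer_ and _Ingress Operator Cloud Credentials_ role ARNs." Otherwise every principal in the Cluster Creator's account that is allowed `sts:AssumeRole` keeps the ability to assume the shared VPC role. The three new prerequisite bullets at lines 13-15 match the items handed over at the end of Step Two.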
@@ -30,8 +37,8 @@ After the *cluster-creating AWS account* user provides the DNS domain and the IA
30
37
]
31
38
}
32
39
----
33
-
. After updating the trust policy, the *VPC-owning AWS account* user creates a private hosted zone in the link:https://us-east-1.console.aws.amazon.com/route53/v2/[Route 53 section of the AWS console]. In the hosted zone configuration, the domain name is `<cluster-name>.<dns_domain>`. The private hosted zone must be associated with the created VPC.
34
-
. After the hosted zone is created and associated with the VPC, provide the following to the *cluster-creating AWS account* user:
40
+
. Create a private hosted zone in the link:https://us-east-1.console.aws.amazon.com/route53/v2/[Route 53 section of the AWS console]. In the hosted zone configuration, the domain name is `<cluster-name>.openshiftapps.com`. The private hosted zone must be associated with the created VPC.
41
+
. After the hosted zone is created and associated with the VPC, provide the following to the *Cluster Creator* to continue configuration:
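Review bot: New line 40 changes the hosted zone name from `<cluster-name>.<dns_domain>` to `<cluster-name>.openshiftapps.com`, which drops the reserved subdomain. The domain reserved in Step Two has the form `14eo.p1.openshiftapps.com` (sample output: "DNS domain '14eo.p1.openshiftapps.com' has been created"), and Step Two tells the Cluster Creator to share `<intended_cluster_name>.<reserved_dns_domain>`; a private hosted zone named `<cluster-name>.openshiftapps.com` would not match the records created under the reserved domain. Keep the placeholder form, e.g. `<cluster-name>.<reserved_dns_domain>`, and state that this is the full domain name received from the Cluster Creator.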
= Configuring a shared virtual private cloud for ROSA clusters
3
+
= Configuring a shared VPC for ROSA clusters
4
4
:context: rosa-shared-vpc-config
5
5
6
6
toc::[]
7
7
8
-
You can create {product-title} clusters in shared, centrally-managed AWS virtual private clouds (VPCs). This process requires two separate AWS accounts that belong to the same AWS organization. One account functions as the VPC owner while the other account creates the cluster in this VPC.
8
+
You can create {product-title}
9
+
ifdef::openshift-rosa[]
10
+
(ROSA)
11
+
endif::openshift-rosa[]
12
+
clusters in shared, centrally-managed AWS virtual private clouds (VPCs).
9
13
10
-
.Prerequisites
11
-
* You installed the ROSA CLI (`rosa`) 1.2.26 or later.
12
-
* You created all of the required ROSA account roles for creating a cluster.
14
+
[NOTE]
15
+
====
16
+
This process requires *two separate* AWS accounts that belong to the same AWS organization. One account functions as the VPC-owning AWS account (*VPC Owner*), while the other account creates the cluster in the cluster-creating AWS account (*Cluster Creator*).
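Review bot: The [NOTE] opened at new lines 14-15 has its closing `====` outside this hunk; confirm it is closed before the prerequisite lists that follow, otherwise the lists render inside the admonition. The sentence at line 16 also repeats "account" three times ("the other account creates the cluster in the cluster-creating AWS account (*Cluster Creator*)"); suggest "One account owns the VPC (*VPC Owner*); the other creates the cluster in that VPC (*Cluster Creator*)." Splitting "You can create {product-title}" / "(ROSA)" / "clusters in shared ..." across lines with `ifdef::openshift-rosa[]` is valid for the preprocessor and joins into one paragraph, so no change needed there.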
* You have an AWS account with the proper permissions to create roles and share resources.
14
-
* You are using an AWS account to create your cluster ("*cluster-creating AWS account*") that is separate from the AWS account that creates your VPC ("*VPC-owning AWS account*").
22
+
* The *Cluster Creator's* AWS accountis separate from the *VPC Owner's* AWS account.
15
23
* Both AWS accounts belong to the same AWS organization.
16
24
* You enabled resource sharing from the management account for your organization.
17
25
* You have access to the link:https://signin.aws.amazon.com[AWS console].
18
26
27
+
.Prerequisites for the *Cluster Creator*
28
+
* You installed the link:https://console.redhat.com/openshift/downloads#tool-rosa[ROSA CLI (`rosa`)] 1.2.26 or later.
29
+
* You created all of the required xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-sts-creating-a-cluster-quickly[ROSA account roles] for creating a cluster.
30
+
* The *Cluster Creator's* AWS account is separate from the *VPC Owner's* AWS account.
31
+
* Both AWS accounts belong to the same AWS organization.
32
+
19
33
[NOTE]
20
34
====
21
-
Installing a cluster in a shared VPC is supported only for OpenShift 4.13.9 and later.
35
+
Installing a cluster in a shared VPC is supported only for OpenShift 4.12.34 and later, 4.13.10 and later, and all future 4.y-streams.
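Review bot: New line 22 has the typo `AWS accountis separate` (missing space). The bullets "The *Cluster Creator's* AWS account is separate from the *VPC Owner's* AWS account" and "Both AWS accounts belong to the same AWS organization" now appear in both the VPC Owner prerequisites (lines 22-23) and the Cluster Creator prerequisites (lines 30-31); they describe the relationship between the two accounts rather than a per-role requirement, so list them once, for example in the [NOTE] above that already states the two-account requirement. The support line 35 replaces "OpenShift 4.13.9 and later" with "4.12.34 and later, 4.13.10 and later, and all future 4.y-streams"; confirm the 4.13 floor change (4.13.9 to 4.13.10) is intentional, since it is a substantive change inside a terminology commit.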