Cloud Experts Documentation

Azure

ARO Quickstart

A Quickstart guide to deploying an Azure Red Hat OpenShift cluster. Video Walkthrough If you prefer a more visual medium, you can watch Paul Czarkowski walk through this quickstart on YouTube. Prerequisites Azure CLI Obviously you’ll need to have an Azure account to configure the CLI against. MacOS See Azure Docs for alternative install options.

Deploying Advanced Cluster Management and OpenShift Data Foundation for ARO Disaster Recovery

A guide to deploying Advanced Cluster Management (ACM) and OpenShift Data Foundation (ODF) for Azure Red Hat OpenShift (ARO) Disaster Recovery. Overview VolSync is not supported for ARO in ACM: https://access.redhat.com/articles/7006295 so if you run into issues and file a support ticket, you will receive the information that ARO is not supported. In today’s fast-paced and data-driven world, ensuring the resilience and availability of your applications and data has never been more critical.

ARO - Cross Tenant Provisioning

Summary There may be situations where you want to create an ARO cluster where the organization has a policy which has a central entity that controls things such as encryption keys or networking components. This is desirable in large enterprises due to separation of concerns and limiting areas of control for groups to a small scope. This does present challenges, as those different groups must be able to integrate with one another.

Use Azure Blob storage Container Storage Interface (CSI) driver on an ARO cluster

The Azure Blob Storage Container Storage Interface (CSI) is a CSI compliant driver that can be installed to an Azure Red Hat OpenShift (ARO) cluster to manage the lifecycle of Azure Blob storage. When you use this CSI driver to mount Azure Blob storage into a pod, it allows you to use blob storage to work with massive amounts of data. You can also refer to the driver’s documentation here.

Configure a Private ARO cluster with Azure File via a Private Endpoint

There are two ways to configure this setup: self provision the storage account and file share (static method), which requires a pre-existing storage account and file share; or auto provision the storage account and file share (dynamic method), where the CSI driver will create the storage account and file share. WARNING: please note that this approach does not work on FIPS-enabled clusters. This is due to the CIFS protocol being largely non-compliant with FIPS cryptographic requirements.

Configure Red Hat SSO with Azure AD as a Federated Identity Provider

This guide demonstrates how to install and configure Red Hat SSO (Keycloak) into an Azure Red Hat OpenShift (ARO) cluster. It will also configure the ARO cluster to use the SSO server as a mechanism to login by way of the OIDC protocol. In addition, Red Hat SSO can federate user identities with other identity providers. We will use Azure AD as an additional identity provider to show how this could be done.

Using Azure Container Registry in Private ARO clusters

This guide describes how to configure and deploy an Azure Container Registry, limiting access to the registry and connecting privately from a Private ARO cluster, eliminating exposure from the public internet. You can limit access to the ACR by assigning virtual network private IP addresses to the registry endpoints and using Azure Private Link. Network traffic between the Private ARO cluster and the registry’s private endpoints traverses the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

What to consider when using Azure AD as IDP?

Author: Ricardo Macedo Martins May 24, 2023 In this guide, we will discuss key considerations when using Azure Active Directory (AAD) as the Identity Provider (IDP) for your ARO or ROSA cluster. Below are some helpful references: Configure ARO to Use Azure AD Configuring IDP for ROSA, OSD, and ARO Default Access for All Users in Azure Active Directory Once you set up AAD as the IDP for your cluster, it’s important to note that by default, all users in your Azure Active Directory instance will have access to the cluster.

Configure Azure AD as an OIDC identity provider for ARO with cli

The steps to add Azure AD as an identity provider for Azure Red Hat OpenShift (ARO) via cli are: Prerequisites Have Azure cli installed Login to Azure Azure Define needed variables Get oauthCallbackURL Create manifest.json file to configure the Azure Active Directory application Register/create app Add Service Principal for the new app Make Service Principal an Enterprise Application Create the client secret Update the Azure AD application scope permissions Get Tenant ID OpenShift Login to OpenShift as kubeadmin Create an OpenShift secret Apply OpenShift OpenID authentication Wait for authentication operator to roll out Verify login through Azure Active Directory Last steps Prerequisites Have Azure cli installed Follow the Microsoft instructions: https://docs.

Red Hat Cost Management for Cloud Services

Adopted from Official Documentation for Cost Management Service Red Hat Cost Management is a software as a service (SaaS) offering available free of charge as part of your Red Hat subscriptions. Cost management helps you monitor and analyze your OpenShift Container Platform and public cloud costs in order to improve the management of your business. Some capabilities of cost management are: Visualize costs across hybrid cloud infrastructure Track cost trends Map charges to projects and organizations Normalize data and add markups with cost models Generate showback and chargeback information In this document, I will show you how to connect your OpenShift and cloud provider sources to Cost Management in order to collect cost and usage.

Azure Front Door with ARO ( Azure Red Hat OpenShift )

Securely exposing an Internet-facing application with a private ARO cluster. When you create a cluster on ARO you have several options in making the cluster public or private. With a public cluster you are allowing Internet traffic to the api and *.apps endpoints. With a private cluster you can make either or both the api and *.apps endpoints private. How can you allow Internet access to an application running on your private cluster where the .

Setup a VPN Connection into an ARO Cluster with OpenVPN

When you configure an Azure Red Hat OpenShift (ARO) cluster with a private only configuration, you will need connectivity to this private network in order to access your cluster. This guide will show you how to configure a point-to-site VPN connection so you won’t need to set up and configure Jump Boxes. Prerequisites a private ARO Cluster git openssl Create certificates to use for your VPN Connection There are many ways and methods to create certificates for VPN; the guide below is one of the ways that works well.

Using Cluster Logging Forwarder in ARO with Azure Monitor

In Azure Red Hat OpenShift (ARO) you can fairly easily set up cluster logging to an in-cluster Elasticsearch using the OpenShift Elasticsearch Operator and the Cluster Logging Operator, but what if you want to use the Azure native Log Analytics service? There’s a number of ways to do this, for example installing agents onto the VMs (in this case, it would be a DaemonSet with hostvar mounts) but that isn’t ideal in a managed system like ARO.

Azure DevOps with Managed OpenShift

Author: Kevin Collins Last edited: 03/14/2023 Adopted from Hosting an Azure Pipelines Build Agent in OpenShift and Kevin Chung Azure Pipelines OpenShift example Azure DevOps is a very popular DevOps tool that has a host of features including the ability for developers to create CI/CD pipelines. In this document, I will show you how to connect your Managed OpenShift Cluster to Azure DevOps end-to-end including running the pipeline build process in the cluster, setting up the OpenShift internal image registry to store the images, and then finally deploying a sample application.

Upgrade a disconnected ARO cluster

Background One of the great features of ARO is that you can create ‘disconnected’ clusters with no connectivity to the Internet. Out of the box, the ARO service mirrors all the code repositories to build OpenShift clusters to Azure Container Registry. This means ARO is built without having to reach out to the Internet as the images to build OpenShift are pulled via the Azure private network. When you upgrade a cluster, OpenShift needs to call out to the Internet to get an upgrade graph to see what options you have to upgrade the cluster.

Helm Chart to set up extra MachineSets on ARO clusters

Please refer to the Helm chart maintained by the Managed OpenShift Black Belt team here.

Integrating Azure ARC with ARO

This document explains how to integrate an ARO cluster with Azure Arc-enabled Kubernetes. When you connect a Kubernetes/OpenShift cluster with Azure Arc, it will: Be represented in Azure Resource Manager with a unique ID Be placed in an Azure subscription and resource group Receive tags just like any other Azure resource Azure Arc-enabled Kubernetes supports the following scenarios for connected clusters: Connect Kubernetes running outside of Azure for inventory, grouping, and tagging. Deploy applications and apply configuration using GitOps-based configuration management.

Shipping logs and metrics to Azure Blob storage

Azure Red Hat OpenShift clusters have built-in metrics and logs that can be viewed by both Administrators and Developers via the OpenShift Console. But there are many reasons you might want to store and view these metrics and logs from outside of the cluster. The OpenShift developers have anticipated this need and have provided ways to ship both metrics and logs outside of the cluster.

Configure ARO to use Azure AD

This guide demonstrates how to configure Azure AD as the cluster identity provider in Azure Red Hat OpenShift. This guide will walk through the creation of an Azure Active Directory (Azure AD) application and configure Azure Red Hat OpenShift (ARO) to authenticate using Azure AD. This guide will walk through the following steps: Register a new application in Azure AD for authentication. Configure the application registration in Azure AD to include optional claims in tokens.

Configure Azure AD as an OIDC identity provider for ROSA/OSD

This guide demonstrates how to configure Azure AD as the cluster identity provider in Red Hat OpenShift Service on AWS (ROSA). This guide will walk through the creation of an Azure Active Directory (Azure AD) application and configure Red Hat OpenShift Service on AWS (ROSA) to authenticate using Azure AD. This guide will walk through the following steps: Register a new application in Azure AD for authentication. Configure the application registration in Azure AD to include optional and group claims in tokens.

Azure Service Operator V1 in ARO

The Azure Service Operator (ASO) provides Custom Resource Definitions (CRDs) for Azure resources that can be used to create, update, and delete Azure services from an OpenShift cluster. This example uses ASO V1, which has now been replaced by ASO V2. ASO V2 does not (as of 5/19/2022) yet have an entry in the OCP OperatorHub, but is functional and should be preferred for use, especially if V1 isn’t already installed on a cluster.

Azure Service Operator V2 in ARO

The Azure Service Operator (ASO) provides Custom Resource Definitions (CRDs) for Azure resources that can be used to create, update, and delete Azure services from an OpenShift cluster. This example uses ASO V2, which is a replacement for ASO V1. Equivalent documentation for ASO V1 can be found here. For new installs, V2 is recommended. MOBB has not tested running them in parallel. Prerequisites Azure CLI An Azure Red Hat OpenShift (ARO) cluster The helm CLI tool Prepare your Azure Account and ARO Cluster Install cert-manager:

Setting up Quay on an ARO cluster via Console

Red Hat Quay setup on ARO (Azure OpenShift) A guide to deploying an Azure Red Hat OpenShift Cluster with Red Hat Quay. Author: [Kristopher White x Connor Wooley] Video Walkthrough If you prefer a more visual medium, you can watch [Kristopher White] walk through Quay Registry Storage Setup on YouTube. Red Hat Quay Setup Backend Storage Setup Login to Azure Search/Click Create Resource Groups

Adding infrastructure nodes to an ARO cluster

This document shows how to set up infrastructure nodes in an ARO cluster and move infrastructure related workloads to them. This can help with larger clusters that have resource contention between user workloads and infrastructure workloads such as Prometheus. Important note: Infrastructure nodes are billed at the same rates as your existing ARO worker nodes. You can find the original (and more detailed) document describing the process for a self-managed OpenShift Container Platform cluster here Prerequisites Azure Red Hat OpenShift cluster Helm CLI Create Infra Nodes We’ll use the MOBB Helm Chart for adding ARO machinesets, which has parameters for creating infra nodes; it looks up an existing machineset to collect cluster specific settings and then creates a new machineset specific for infra nodes with the same settings.

Apply Azure Policy to Azure Policy

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Azure Policy supports Arc-enabled Kubernetes clusters with both built-in and custom policies to ensure Kubernetes resources are compliant. This article demonstrates how to make an Azure Red Hat OpenShift cluster compliant with Azure Policy. Prerequisites Azure CLI OpenShift CLI Azure OpenShift Cluster (ARO Cluster) Deploy Azure Policy Deploy Azure Arc and Enable Azure Policy Add-on az connectedk8s connect -n [Cluster_Name] -g [Resource_Group_Name] az k8s-extension create --cluster-type connectedClusters --cluster-name [Cluster_Name] --resource-group [Resource_Group_Name] --extension-type Microsoft.

Setting up Quay on an ARO cluster via CLI

Prerequisites An ARO cluster oc cli azure cli Steps Create Azure Resources Create Storage Account az login az group create --name <resource-group> --location <location> az storage account create --name <storage-account> --resource-group <resource-group> \ --location eastus --sku Standard_LRS --kind StorageV2 Create Storage Container az storage account keys list --account-name <storage_account_name> --resource-group <resource_group> --output yaml Note: this command returns JSON by default with your keyName and values; the command above specifies yaml

Accessing the Internal Registry from ARO

Kevin Collins 06/28/2022 One of the advantages of using OpenShift is the internal registry that comes with OpenShift to build, deploy and manage container images locally. By default, access to the registry is limited to the cluster (by design) but can be extended to usage outside of the cluster. This guide will go through the steps required to access the OpenShift Registry on an ARO cluster from outside of the cluster.

Configure ARO with OpenShift Data Foundation

NOTE: This guide demonstrates how to set up and configure self-managed OpenShift Data Foundation in Internal Mode on an ARO Cluster and test it out. Prerequisites An Azure Red Hat OpenShift cluster (version 4.10+) kubectl cli oc cli moreutils (sponge) jq Install compute nodes for ODF A best practice for optimal performance is to run ODF on dedicated nodes with a minimum of one per zone.

ARO with Nvidia GPU Workloads

ARO guide to running Nvidia GPU workloads. Prerequisites oc cli jq, moreutils, and gettext package ARO 4.10 If you need to install an ARO cluster, please read our ARO Quick start guide . Please be sure if you’re installing or using an existing ARO cluster that it is 4.10.x or higher. As of OpenShift 4.10, it is no longer necessary to set up entitlements to use the nVidia Operator. This has greatly simplified the setup of the cluster for GPU workloads.

ARO Custom domain with cert-manager and LetsEncrypt

ARO guide to deploying an ARO cluster with custom domain and automating certificate management with cert-manager and letsencrypt certificates to manage the *.apps and api endpoints. Prerequisites az cli (already installed in Azure Cloud Shell) oc cli jq (already installed in Azure Cloud Shell) OpenShift 4.10+ domain name to use (we will create zones for this domain name during this guide) I’m going to be running this setup through Bash on the Azure Cloud Shell.

ARO IBM Cloud Paks 4 Data

A Quickstart guide to deploying an Azure Red Hat OpenShift cluster with IBM Cloud Paks 4 Data. Video Walkthrough If you prefer a more visual medium, you can watch [Kristopher White] walk through this quickstart on YouTube. Prerequisites Azure CLI Obviously you’ll need to have an Azure account to configure the CLI against. MacOS See Azure Docs for alternative install options.

Trident NetApp operator setup for Azure NetApp files

Note: This guide is a simple “happy path” to show the path of least friction to showcasing how to use NetApp files with Azure Red Hat OpenShift. This may not be the best behavior for any system beyond demonstration purposes. Prerequisites An Azure Red Hat OpenShift cluster installed with Service Principal role/credentials. kubectl cli oc cli helm 3 cli Review official trident documentation In this guide, you will need service principal and region details.

Enable the Managed Upgrade Operator in ARO and schedule Upgrades

Prerequisites an Azure Red Hat OpenShift cluster Get Started Run this oc command to enable the Managed Upgrade Operator (MUO) oc patch cluster.aro.openshift.io cluster --patch \ '{"spec":{"operatorflags":{"rh.srep.muo.enabled": "true","rh.srep.muo.managed": "true","rh.srep.muo.deploy.pullspec":"arosvc.azurecr.io/managed-upgrade-operator@sha256:f57615aa690580a12c1e5031ad7ea674ce249c3d0f54e6dc4d070e42a9c9a274"}}}' \ --type=merge Wait a few moments to ensure the Management Upgrade Operator is ready oc -n openshift-managed-upgrade-operator \ get deployment managed-upgrade-operator NAME READY UP-TO-DATE AVAILABLE AGE managed-upgrade-operator 1/1 1 1 2m2s Configure the Managed Upgrade Operator cat << EOF | oc apply -f - apiVersion: v1 kind: ConfigMap metadata: name: managed-upgrade-operator-config namespace: openshift-managed-upgrade-operator data: config.

Adding an additional ingress controller to an ARO cluster

Prerequisites an Azure Red Hat OpenShift cluster a DNS zone that you can easily modify Get Started Create some environment variables DOMAIN=custom.azure.mobb.ninja EMAIL=example@email.com SCRATCH_DIR=/tmp/aro Create a certificate for the ingress controller certbot certonly --manual \ --preferred-challenges=dns \ --email $EMAIL \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ --manual-public-ip-logging-ok \ -d "*.$DOMAIN" \ --config-dir "$SCRATCH_DIR/config" \ --work-dir "$SCRATCH_DIR/work" \ --logs-dir "$SCRATCH_DIR/logs" Create a secret for the certificate oc create secret tls custom-tls \ -n openshift-ingress \ --cert=$SCRATCH_DIR/config/live/$DOMAIN/fullchain.

Using Group Sync Operator with Azure Active Directory and ROSA

This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM). For an IDP configuration example, please reference the Configure Azure AD as an OIDC identity provider for ROSA/OSD guide. To set up group synchronization from Azure Active Directory (AD) to ROSA/OSD you must: Define groups and assign users in Azure AD Add the required API permissions to the app registration in Azure AD Install the Group Sync Operator from the OpenShift Operator Hub Create and configure a new Group Sync instance Set a synchronization schedule Test the synchronization process Define groups and assign users in Azure AD To synchronize groups and users with ROSA/OSD they must exist in Azure AD

Configuring IDP for ROSA, OSD and ARO

Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) provide a simple way for the cluster administrator to configure one or more identity providers for their cluster[s] via the OpenShift Cluster Manager (OCM), while Azure Red Hat OpenShift relies on the internal cluster authentication operator. The identity providers available for use are: GitHub GitLab Google LDAP OpenID HTPasswd Configuring Specific Identity Providers ARO GitLab Azure AD Azure AD with Group Claims Azure AD via CLI Azure AD with Red Hat SSO ROSA/OSD GitLab Azure AD Azure AD with Group Claims (ROSA Only) Configuring Group Synchronization Using Group Sync Operator with Azure Active Directory and ROSA/OSD Using Group Sync Operator with Okta and ROSA/OSD

Registering an ARO cluster to OpenShift Cluster Manager

Registering an ARO cluster to OpenShift Cluster Manager ARO clusters do not come connected to OpenShift Cluster Manager by default, because Azure would like customers to specifically opt-in to connections / data sent outside of Azure. This is the case with registering to OpenShift Cluster Manager, which enables a telemetry service in ARO. Prerequisites A Red Hat account. If you have any subscriptions with Red Hat, you will have a Red Hat account.

Azure Key Vault CSI on Azure Red Hat OpenShift

This document is adapted from the Azure Key Vault CSI Walkthrough specifically to run with Azure Red Hat OpenShift (ARO). Prerequisites An ARO cluster The AZ CLI (logged in) The OC CLI (logged in) Helm 3.x CLI Environment Variables Run this command to set some environment variables to use throughout Note if you created the cluster from the instructions linked above these will re-use the same environment variables, or default them to openshift and eastus.

Shipping logs to Azure Log Analytics

This document follows the steps outlined by Microsoft in their documentation Follow docs. Step 4, needs additional command of: az resource list --resource-type Microsoft.RedHatOpenShift/OpenShiftClusters -o json to capture resource ID of ARO cluster as well, needed for export in step 6 bash enable-monitoring.sh --resource-id $azureAroV4ClusterResourceId --workspace-id $logAnalyticsWorkspaceResourceId works successfully can verify pods starting Verify logs flowing with container solutions showing in log analytics workbook? Configure Prometheus metric scraping following steps outlined here: https://docs.

ARO - Considerations for Disaster Recovery

This is a high level overview of disaster recovery options for Azure Red Hat OpenShift. It is not a detailed design, but rather a starting point for a more detailed design. What is Disaster Recovery (DR) Disaster Recovery is an umbrella term that includes the following: Backup (and restore!) Failover (and failback!) High Availability Disaster Avoidance The most important part of Disaster Recovery is the “Recovery”. Whatever your DR plan, it must be tested and ideally performed on a semi-regular basis.

Private ARO Cluster with access via JumpHost

A Quickstart guide to deploying a Private Azure Red Hat OpenShift cluster. Once the cluster is running you will need a way to access the private network that ARO is deployed into. Authors: Paul Czarkowski, Ricardo Macedo Martins Prerequisites Azure CLI Obviously you’ll need to have an Azure account to configure the CLI against. MacOS See Azure Docs for alternative install options.

Using the Egressip Ipam Operator with a Private ARO Cluster

This guide is only valid for ARO clusters created on version 4.10 or earlier. Clusters created on version 4.11 and later use OVNKubernetes as their Container Network Interface, and egressip-ipam-operator does not support OVNKubernetes. Please see EgressIP as a possible alternative. Prerequisites A private ARO cluster that uses OpenShift SDN as its CNI Deploy the Egressip Ipam Operator Via GUI Log into the ARO cluster’s Console Switch to the Administrator view

Federating System and User metrics to Azure Files in Azure Red Hat OpenShift

By default Azure Red Hat OpenShift (ARO) stores metrics in ephemeral volumes, and it’s advised that users do not change this setting. However, it’s not unreasonable to expect that metrics should be persisted for a set amount of time. This guide shows how to set up Thanos to federate both System and User Workload Metrics to a Thanos gateway that stores the metrics in Azure Files and makes them available via a Grafana instance (managed by the Grafana Operator).

Installing Astronomer on a private ARO cluster

See here for public clusters. This assumes you’ve already got a private ARO cluster installed. You could also follow the same instructions to create a public Astronomer; just use a regular DNS zone and skip the private parts. A default 3-node cluster is a bit small for Astronomer. If you have a three node cluster you can increase it by updating the replicas count of the machinesets in the openshift-machine-api namespace.

Deploying ARO using azurerm Terraform Provider

Overview Infrastructure as Code has become one of the most prevalent ways in which to deploy and install code for good reason, especially on the cloud. This lab will use the popular tool Terraform in order to create a clear, repeatable process in which to install an Azure Managed OpenShift (ARO) cluster and all the required components. Terraform Terraform is an open-source IaC tool developed by HashiCorp. It provides a consistent and unified language to describe infrastructure across various cloud providers such as AWS, Azure, Google Cloud, and many others.
