Cloud Experts Documentation

Azure Red Hat OpenShift

Microsoft Azure Red Hat OpenShift is a turnkey application platform that provides highly available, fully managed Red Hat OpenShift clusters on demand. Red Hat and Microsoft jointly engineer, manage, and support the platform, allowing organizations to increase operational efficiency, refocus on innovation, and quickly build, deploy and scale applications.

Ansible Automation Platform (AAP) on ARO

Ansible Automation Platform (AAP)external link (opens in new tab) is a popular platform for centralizing and managing an organization’s automation content using Ansible as the engine for writing automation code. Prior to deployment, organizations are faced with the decision “where do I want to host this thing?”. In today’s landscape, there are several options between traditional Virtual Machines, running it on OpenShift, or even running it as a managed offering.

Prerequisites Checklist to Deploy ARO Cluster

Before deploying an ARO cluster, ensure you meet the following prerequisites: Setup Tools Install Azure CLI: Essential for managing Azure resources. Refer to the official documentationexternal link (opens in new tab) Verify Resources Core Quota: Confirm availability of at least 40 coresexternal link (opens in new tab) to create and run an OpenShift Cluster. Permissions RBAC Settings: Ensure you have Contributor and User Access Administrator roles on the cluster resource group.

Deploying Advanced Cluster Management and OpenShift Data Foundation for ARO Disaster Recovery

A guide to deploying Advanced Cluster Management (ACM) and OpenShift Data Foundation (ODF) for Azure Red hat OpenShift (ARO) Disaster Recovery Overview VolSync is not supported for ARO in ACM: https://access.redhat.com/articles/7006295 so if you run into issues and file a support ticket, you will receive the information that ARO is not supported. In today’s fast-paced and data-driven world, ensuring the resilience and availability of your applications and data has never been more critical.

Deploying Private ARO clusters with Custom Domains

Overview By default Azure Red Hat OpenShift uses self-signed certificates for all of the routes created on *.apps.<random>.<location>.aroapp.io. Many companies also seek to leverage the capabilities of Azure Red Hat OpenShift (ARO) to deploy their applications while using their own custom domain. By utilizing ARO’s custom domain feature, companies can ensure hosting their applications under their own domain name. If we choose to specify a custom domain, for example aro.myorg.com, the OpenShift console will be available at a URL such as https://console-openshift-console.

ARO - Cross Tenant Provisioning

Summary There may be situations where you want to create an ARO cluster where the organization has a policy which has a central entity that controls things such as encryption keys or networking components. This is desirable in large enterprises due to separation of concerns and limiting areas of control for groups to a small scope. This does present challenges, as those different groups must be able to integrate with one another.

Use Azure Blob storage Container Storage Interface (CSI) driver on an ARO cluster

The Azure Blob Storage Container Storage Interface (CSI) is a CSI compliant driver that can be installed to an Azure Red Hat OpenShift (ARO) cluster to manage the lifecycle of Azure Blob storage. When you use this CSI driver to mount an Azure Blob storage into a pod, it allows you to use blob storage to work with massive amounts of data. You can refer also to the driver’s documentation hereexternal link (opens in new tab) .

Configure a Private ARO cluster with Azure File via a Private Endpoint

There are two way to configure this set up Self provision the storage account and file share (static method) Requires pre-existing storage account and file share Auto provision the storage account and file share (dynamic method) CSI will create the storage account and file share WARNING please note that this approach does not work on FIPS-enabled clusters. This is due to the CIFS protocol being largely non-compliant with FIPS cryptographic requirements.

Using Azure Container Registry in Private ARO clusters

This guide describes how configure and deploy an Azure Container Registry, limiting the access to the registry and connecting privately from a Private ARO cluster, eliminating exposure from the public internet. You can limit access to the ACR by assigning virtual network private IP addresses to the registry endpoints and using Azure Private Linkexternal link (opens in new tab) . Network traffic between the Private ARO cluster and the registry’s private endpoints traverses the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

Azure Front Door with ARO ( Azure Red Hat OpenShift )

Securing exposing an Internet facing application with a private ARO Cluster. When you create a cluster on ARO you have several options in making the cluster public or private. With a public cluster you are allowing Internet traffic to the api and *.apps endpoints. With a private cluster you can make either or both the api and .apps endpoints private. How can you allow Internet access to an application running on your private cluster where the .

Setup a VPN Connection into an ARO Cluster with OpenVPN

When you configure an Azure Red Hat OpenShift (ARO) cluster with a private only configuration, you will need connectivity to this private network in order to access your cluster. This guide will show you how to configute a point-to-site VPN connection so you won’t need to setup and configure Jump Boxes. Prerequisites a private ARO Cluster git openssl Create certificates to use for your VPN Connection There are many ways and methods to create certificates for VPN, the guide below is one of the ways that works well.

Using Cluster Logging Forwarder in ARO with Azure Monitor (<=4.12)

NOTE: These instructions are now only necessary for clusters on verions less than or equal to 4.12. The OpenShift Cluster Logging Operator supports a simplified configuration with Azure Monitor as of verison 5.9, which is available on clusters of version 4.13 or greater. Ideally, clusters should be ugpraded to keep them in support, so that’s a good first step to consider. If you ultimately still need the older procedure, see the setup document here .

Using Cluster Logging Forwarder in ARO with Azure Monitor (>=4.13)

NOTE: OpenShift Logging 5.9 supports native forwarding to Azure Monitor and Azure Log Analytics, which is available on clusters running OpenShift 4.13 or higher. For clusters running OpenShift 4.12 or earlier, see the legacy setup document here for help with configuration. If you’re running Azure Red Hat OpenShift (ARO), you may want to be able to view and query the logs the platform and your workloads generate in Azure Monitor.

Upgrade a disconnected ARO cluster

Background One of the great features of ARO is that you can create ‘disconnected’ clusters with no connectivity to the Internet. Out of the box, the ARO service mirrors all the code repositories to build OpenShift clusters to Azure Container Registry. This means ARO is built without having to reach out to the Internet as the images to build OpenShift are pulled via the Azure private network. When you upgrade a cluster, OpenShift needs to call out to the Internet to get an upgrade graph to see what options you have to upgrade the cluster.

Helm Chart to set up extra MachineSets on ARO clusters

Please refer to the The Managed OpenShift Black Belt team maintained Helm chart at hereexternal link (opens in new tab) .

Integrating Azure ARC with ARO

This document explain how to integrate ARO cluster with Azure Arc-enabled Kubernetes. When you connect a Kubernetes/OpenShift cluster with Azure Arc, it will: Be represented in Azure Resource Manager with a unique ID Be placed in an Azure subscription and resource group Receive tags just like any otherAzure resource Azure Arc-enabled Kubernetes supports the following scenarios for connected clusters: Connect Kubernetes running outside of Azure for inventory, grouping, and tagging. Deploy applications and apply configuration using GitOps-based configuration management.

Configure a load balancer service to use a static public IP

This guide demonstrates how to create and assign a static public IP address to an OpenShift service in Azure Red Hat OpenShift (ARO). By default, the public IP address assigned to an OpenShift service with a type of LoadBalancer created by an ARO cluster is only valid for the lifespan of that resource. If you delete the OpenShift service, the associated load balancer and IP address are also deleted. If you want to assign a specific IP address or retain an IP address for redeployed OpenShift services, you can create and use a static public IP address.

Shipping logs and metrics to Azure Blob storage

Azure Red Hat Openshiftexternal link (opens in new tab) clusters have built in metrics and logs that can be viewed by both Administrators and Developers via the OpenShift Console. But there are many reasons you might want to store and view these metrics and logs from outside of the cluster. The OpenShift developers have anticipated this needs and have provided ways to ship both metrics and logs outside of the cluster.

Azure Service Operator

Quay on ARO

Adding infrastructure nodes to an ARO cluster

This document shows how to set up infrastructure nodes in an ARO cluster and move infrastructure related workloads to them. This can help with larger clusters that have resource contention between user workloads and infrastructure workloads such as Prometheus. Important note: Infrastructure nodes are billed at the same rates as your existing ARO worker nodes. You can find the original (and more detailed) document describing the process for a self-managed OpenShift Container Platform cluster here Prerequisites Azure Red Hat OpenShift cluster Helm CLIexternal link (opens in new tab) Create Infra Nodes We’ll use the MOBB Helm Chart for adding ARO machinesets which parameters for creating infra nodes, it looks up an existing machineset to collect cluster specific settings and then creates a new machineset specific for infra nodes with the same settings.

Apply Azure Policy to Azure Policy

Azure Policyexternal link (opens in new tab) helps to enforce organizational standards and to assess compliance at-scale. Azure Policy supports arc enabled kubernetes clusterexternal link (opens in new tab) with both build-in and custom policies to ensure kubernetes resources are compliant. This article demonstrates how to make Azure Redhat Openshift cluster compliant with azure policy. Prerequisites Azure CLI Openshift CLI Azure Openshift Cluster (ARO Cluster) Deploy Azure Policy Deploy Azure Arc and Enable Azure Policy Add-on az connectedk8s connect -n [Cluster_Name] -g [Resource_Group_Name] az k8s-extension create --cluster-type connectedClusters --cluster-name [Cluster_Name] --resource-group [Resource_Group_Name] --extension-type Microsoft.

Accessing the Internal Registry from ARO

Kevin Collins 06/28/2022 One of the advantages of using OpenShift is the internal registry that comes with OpenShfit to build, deploy and manage container images locally. By default, access to the registry is limited to the cluster ( by design ) but can be extended to usage outside of the cluster. This guide will go through the steps required to access the OpenShift Registry on an ARO cluster outside of the cluster.

Configure ARO with OpenShift Data Foundation

NOTE: This guide demonstrates how to setup and configure self-managed OpenShift Data Foundation in Internal Mode on an ARO Cluster and test it out. Prerequisites An Azure Red Hat OpenShift cluster ( verion 4.10+ ) kubectl cliexternal link (opens in new tab) oc cli moreutils (sponge) jq Install compute nodes for ODF A best practice for optimal performance is to run ODF on dedicated nodes with a minimum of one per zone.

ARO with Nvidia GPU Workloads

ARO guide to running Nvidia GPU workloads. Prerequisites oc cli jq, moreutils, and gettext package ARO 4.10 If you need to install an ARO cluster, please read our ARO Quick start guide . Please be sure if you’re installing or using an existing ARO cluster that it is 4.10.x or higher. As of OpenShift 4.10, it is no longer necessary to set up entitlements to use the nVidia Operator. This has greatly simplified the setup of the cluster for GPU workloads.

ARO Custom domain with cert-manager and LetsEncrypt

ARO guide to deploying an ARO cluster with custom domain and automating certificate management with cert-manager and letsencrypt certificates to manage the *.apps and api endpoints. Prerequisites az cli (already installed in Azure Cloud Shell) oc cli jq (already installed in Azure Cloud Shell) OpenShift 4.10+ domain name to use (we will create zones for this domain name during this guide) I’m going to be running this setup through Bash on the Azure Cloud Shell.

ARO IBM Cloud Paks 4 Data

A Quickstart guide to deploying an Azure Red Hat OpenShift cluster with IBM Cloud Paks 4 Data. Video Walkthrough If you prefer a more visual medium, you can watch [Kristopher White] walk through this quickstart on YouTubeexternal link (opens in new tab) . Prerequisites Azure CLI Obviously you’ll need to have an Azure account to configure the CLI against. MacOS See Azure Docsexternal link (opens in new tab) for alternative install options.

Trident NetApp operator setup for Azure NetApp files

Note: This guide a simple “happy path” to show the path of least friction to showcasing how to use NetApp files with Azure Red Hat OpenShift. This may not be the best behavior for any system beyond demonstration purposes. Prerequisites An Azure Red Hat OpenShift cluster installed with Service Principal role/credentials. kubectl cliexternal link (opens in new tab) oc cli helm 3 cliexternal link (opens in new tab) Review official trident documentationexternal link (opens in new tab) In this guide, you will need service principal and region details.

Enable the Managed Upgrade Operator in ARO and schedule Upgrades

THIS DOCUMENT IS OUTDATED, please reference the official MUO documentation hereexternal link (opens in new tab) Prerequisites an Azure Red Hat OpenShift cluster Get Started Run this oc command to enable the Managed Upgrade Operator (MUO) oc patch cluster.aro.openshift.io cluster --patch \ '{"spec":{"operatorflags":{"rh.srep.muo.enabled": "true","rh.srep.muo.managed": "true","rh.srep.muo.deploy.pullspec":"arosvc.azurecr.io/managed-upgrade-operator@sha256:f57615aa690580a12c1e5031ad7ea674ce249c3d0f54e6dc4d070e42a9c9a274"}}}' \ --type=merge Wait a few moments to ensure the Management Upgrade Operator is ready oc -n openshift-managed-upgrade-operator \ get deployment managed-upgrade-operator NAME READY UP-TO-DATE AVAILABLE AGE managed-upgrade-operator 1/1 1 1 2m2s Configure the Managed Upgrade Operator

Adding an additional ingress controller to an ARO cluster

Prerequisites an Azure Red Hat OpenShift cluster a DNS zone that you can easily modify Get Started Create some environment variables DOMAIN=custom.azure.mobb.ninja EMAIL=example@email.com SCRATCH_DIR=/tmp/aro Create a certificate for the ingress controller certbot certonly --manual \ --preferred-challenges=dns \ --email $EMAIL \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ --manual-public-ip-logging-ok \ -d "*.$DOMAIN" \ --config-dir "$SCRATCH_DIR/config" \ --work-dir "$SCRATCH_DIR/work" \ --logs-dir "$SCRATCH_DIR/logs" Create a secret for the certificate oc create secret tls custom-tls \ -n openshift-ingress \ --cert=$SCRATCH_DIR/config/live/$DOMAIN/fullchain.

Registering an ARO cluster to OpenShift Cluster Manager

Registering an ARO cluster to OpenShift Cluster Manager ARO clusters do not come connected to OpenShift Cluster Manager by default, because Azure would like customers to specifically opt-in to connections / data sent outside of Azure. This is the case with registering to OpenShift cluster manager, which enables a telemetry service in ARO. Prerequisites An Red Hat account. If you have any subscriptions with Red Hat, you will have a Red Hat account.

ARO - Considerations for Disaster Recovery

This is a high level overview of disaster recovery options for Azure Red Hat OpenShift. It is not a detailed design, but rather a starting point for a more detailed design. What is Disaster Recovery (DR) Disaster Recovery is an umbrella term that includes the following: Backup (and restore!) Failover (and failback!) High Availability Disaster Avoidence The most important part of Disaster Recovery is the “Recovery”. Whatever your DR plan it must be tested and ideally performed on a semi-regular basis.

Private ARO Cluster with access via JumpHost

A Quickstart guide to deploying a Private Azure Red Hat OpenShift cluster. Once the cluster is running you will need a way to access the private network that ARO is deployed into. Authors: Paul Czarkowskiexternal link (opens in new tab) , Ricardo Macedo Martinsexternal link (opens in new tab) Prerequisites Azure CLI Obviously you’ll need to have an Azure account to configure the CLI against. MacOS See Azure Docsexternal link (opens in new tab) for alternative install options.

Using the Egressip Ipam Operator with a Private ARO Cluster

This guide is only valid for ARO clusters created on version 4.10 or earlier. Clusters created on version 4.11 and later use OVNKubernetes as their Container Network Interface, and egressip-ipam-operator does not support OVNKubernetes. In addition, please refer hereexternal link (opens in new tab) to create a private ARO cluster without using public IP address. This way, you will be using UserDefinedRouting for egressexternal link (opens in new tab) .

User Workload Monitoring on Azure Red Hat OpenShift

In Azure Red Hat OpenShift (ARO) Monitoring for User Defined Projects is disabled by default. Follow these instructions to enable it. Enabling See docs for more indepth details. Check the cluster-monitoring-config ConfigMap object oc -n openshift-monitoring get configmap cluster-monitoring-config -o yaml Enable User Workload Monitoring by doing one of the following If the data.config.yaml is not {} you should edit it and add the enableUserWorkload: true line manually. oc -n openshift-monitoring edit configmap cluster-monitoring-config Otherwise if its {} then you can run the following command safely.

Federating System and User metrics to Azure Files in Azure Red Hat OpenShift

By default Azure Red Hat OpenShift (ARO) stores metrics in Ephemeral volumes, and its advised that users do not change this setting. However its not unreasonable to expect that metrics should be persisted for a set amount of time. This guide shows how to set up Thanos to federate both System and User Workload Metrics to a Thanos gateway that stores the metrics in Azure Files and makes them available via a Grafana instance (managed by the Grafana Operator).

Installing Astronomer on a private ARO cluster

see here for public clusters. This assumes you’ve already got a private ARO cluster installed. You could also follow the same instructions to create a public Astronomer, just use a regular DNS zone and skip the private parts. A default 3-node cluster is a bit small for Astronomer, If you have a three node cluster you can increase it by updating the replicas count machinesets in the openshift-machine-api namespace.

Deploying ARO using azurerm Terraform Provider

Overview Infrastructure as Code has become one of the most prevalent ways in which to deploy and install code for good reason, especially on the cloud. This lab will use the popular tool Terraform in order to create a clear repeatable process in which to install an Azure Managed Openshift(ARO) cluster and all the required components. Terraform Terraform is an open-source IaC tool developed by HashiCorp. It provides a consistent and unified language to describe infrastructure across various cloud providers such as AWS, Azure, Google Cloud, and many others.

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2023 Red Hat, Inc.