Chapter 2. Getting started with OpenShift Dedicated
Follow this getting started document to quickly create an OpenShift Dedicated cluster, grant user access, deploy your first application, and learn how to scale and delete your cluster.
2.1. Prerequisites
- You reviewed the introduction to OpenShift Dedicated and the documentation on architecture concepts.
- You reviewed the OpenShift Dedicated cloud deployment options.
2.2. Creating an OpenShift Dedicated cluster
You can install OpenShift Dedicated in your own cloud provider account through the Customer Cloud Subscription (CCS) model or in a cloud account that is owned by Red Hat. For more information about the deployment options for OpenShift Dedicated, see Understanding your cloud deployment options.
Choose from one of the following methods to deploy your cluster.
2.2.1. Creating a cluster on GCP using the CCS model
You can install OpenShift Dedicated in your own Google Cloud Platform (GCP) account by using the CCS model. Complete the steps in one of the following sections to deploy OpenShift Dedicated in your own GCP account:
- Red Hat recommends using GCP Workload Identity Federation (WIF) as the authentication type for installing and interacting with the OpenShift Dedicated cluster deployed on Google Cloud Platform (GCP) because it provides enhanced security. For more information, see Creating a cluster on GCP with Workload Identity Federation authentication.
- For installing and interacting with the OpenShift Dedicated cluster deployed on Google Cloud Platform (GCP) using the Service Account authentication type, see Creating a cluster on GCP with Service Account authentication.
- Red Hat also recommends creating an OpenShift Dedicated cluster deployed on Google Cloud Platform (GCP) in Private cluster mode with Private Service Connect (PSC) to manage and monitor a cluster while avoiding all public ingress network traffic. For more information, see Private Service Connect overview.
2.2.2. Creating a cluster on AWS using the CCS model
- Creating a cluster on AWS: You can install OpenShift Dedicated in your own Amazon Web Services (AWS) account by using the CCS model.
2.2.3. Creating a cluster using a Red Hat cloud account
Complete the steps in one of the following sections to deploy OpenShift Dedicated in a cloud account that is owned by Red Hat:
- Creating a cluster on GCP with a Red Hat cloud account: You can install OpenShift Dedicated in a GCP account that is owned by Red Hat.
- Creating a cluster on AWS: You can install OpenShift Dedicated in an AWS account that is owned by Red Hat.
2.3. Configuring an identity provider
After you have installed OpenShift Dedicated, you must configure your cluster to use an identity provider. You can then add members to your identity provider to grant them access to your cluster.
You can configure different identity provider types for your OpenShift Dedicated cluster. Supported types include GitHub, GitHub Enterprise, GitLab, Google, LDAP, OpenID Connect, and htpasswd identity providers.
The htpasswd identity provider option is included only to enable the creation of a single, static administration user. htpasswd is not supported as a general-use identity provider for OpenShift Dedicated.
The following procedure configures a GitHub identity provider as an example.
Configuring GitHub authentication allows users to log in to OpenShift Dedicated with their GitHub credentials. To prevent anyone with any GitHub user ID from logging in to your OpenShift Dedicated cluster, you must restrict access to only those in specific GitHub organizations or teams.
Prerequisites
- You logged in to OpenShift Cluster Manager.
- You created an OpenShift Dedicated cluster.
- You have a GitHub user account.
- You created a GitHub organization in your GitHub account. For more information, see Creating a new organization from scratch in the GitHub documentation.
- If you are restricting user access to a GitHub team, you have created a team within your GitHub organization. For more information, see Creating a team in the GitHub documentation.
Procedure
- Navigate to OpenShift Cluster Manager and select your cluster.
- Select Access control → Identity providers.
- Select the GitHub identity provider type from the Add identity provider drop-down menu.
- Enter a unique name for the identity provider. The name cannot be changed later.
- Register an OAuth application in your GitHub organization by following the steps in the GitHub documentation.
Note: You must register the OAuth app under your GitHub organization. If you register an OAuth application that is not owned by the organization that contains your cluster users or teams, then user authentication to the cluster will not succeed.
- For the homepage URL in your GitHub OAuth app configuration, specify the https://oauth-openshift.apps.<cluster_name>.<cluster_domain> portion of the OAuth callback URL that is automatically generated in the Add a GitHub identity provider page on OpenShift Cluster Manager. The following is an example of a homepage URL for a GitHub identity provider:
https://oauth-openshift.apps.openshift-cluster.example.com
- For the authorization callback URL in your GitHub OAuth app configuration, specify the full OAuth callback URL that is automatically generated in the Add a GitHub identity provider page on OpenShift Cluster Manager. The full URL has the following syntax:
https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>
- Return to the Edit identity provider: GitHub dialog in OpenShift Cluster Manager and select Claim from the Mapping method drop-down menu.
- Enter the Client ID and Client secret for your GitHub OAuth application. The GitHub page for your OAuth app provides the ID and secret.
- Optional: Enter a hostname.
Note: A hostname must be entered when using a hosted instance of GitHub Enterprise.
- Optional: You can specify a certificate authority (CA) file to validate server certificates for a configured GitHub Enterprise URL. Click Browse to locate and attach a CA file to the identity provider.
- Select Use organizations or Use teams to restrict access to a GitHub organization or a GitHub team within an organization.
- Enter the name of the organization or team you would like to restrict access to. Click Add more to specify multiple organizations or teams.
Note: Specified organizations must own an OAuth app that was registered by using the preceding steps. If you specify a team, it must exist within an organization that owns an OAuth app that was registered by using the preceding steps.
- Click Add to apply the identity provider configuration.
Note: It might take approximately two minutes for the identity provider configuration to become active.
Verification
- After the configuration becomes active, the identity provider is listed under Access control → Identity providers on the OpenShift Cluster Manager page for your cluster.
Additional resources
- For detailed steps to configure each of the supported identity provider types, see Configuring identity providers.
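As an added example (not part of the Red Hat documentation), the following Python check validates the values used in the GitHub identity provider procedure before you enter them: the callback URL syntax, the homepage URL derived from it, and the presence of an organization or team restriction. The function name, parameter names and sample values are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

HOST_PREFIX = "oauth-openshift.apps."  # fixed host prefix in the callback URL syntax
CALLBACK_PATH = "/oauth2callback/"     # followed by the identity provider name


def check_github_idp(idp_name, homepage_url, callback_url,
                     organizations=(), teams=()):
    """Return a list of problems (empty means the values are consistent).

    Hypothetical helper: the arguments are the values typed into the GitHub
    OAuth app and the Add identity provider page.
    """
    problems = []
    cb = urlsplit(callback_url)
    host = cb.hostname or ""

    if cb.scheme != "https":
        problems.append("callback URL must use https")
    if not host.startswith(HOST_PREFIX) or host == HOST_PREFIX:
        problems.append("callback host is not oauth-openshift.apps.<cluster_name>.<cluster_domain>")
    if cb.path != CALLBACK_PATH + idp_name:
        problems.append("callback path is not /oauth2callback/<idp_provider_name>")
    if cb.query or cb.fragment:
        problems.append("callback URL carries a query or fragment")

    # The homepage URL is the scheme-and-host portion of the callback URL.
    expected_home = "https://" + host
    if homepage_url.rstrip("/").lower() != expected_home:
        problems.append("homepage URL should be " + expected_home)

    # Without a restriction, any GitHub user ID could log in to the cluster.
    if not organizations and not teams:
        problems.append("no GitHub organization or team restriction set")
    if organizations and teams:
        problems.append("use organizations or teams, not both")
    return problems


if __name__ == "__main__":
    # Constructed sample values based on the example URL on this page.
    base = "https://oauth-openshift.apps.openshift-cluster.example.com"
    print(check_github_idp("github-1", base, base + "/oauth2callback/github-1",
                           organizations=["example-org"]))
    print(check_github_idp("github-1", "https://example.com",
                           "http://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/other"))
```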
2.4. Granting administrator privileges to a user
After you have configured an identity provider for your cluster and added a user to the identity provider, you can grant dedicated-admin cluster privileges to the user.
Prerequisites
- You logged in to OpenShift Cluster Manager.
- You created an OpenShift Dedicated cluster.
- You configured an identity provider for your cluster.
Procedure
- Navigate to OpenShift Cluster Manager and select your cluster.
- Click the Access control tab.
- In the Cluster Roles and Access tab, click Add user.
- Enter the user ID of an identity provider user.
- Click Add user to grant dedicated-admin cluster privileges to the user.
Verification
- After granting the privileges, the user is listed as part of the dedicated-admins group under Access control → Cluster Roles and Access on the OpenShift Cluster Manager page for your cluster.
2.5. Accessing your cluster
After you have configured your identity providers, users can access the cluster from Red Hat OpenShift Cluster Manager.
Prerequisites
- You logged in to OpenShift Cluster Manager.
- You created an OpenShift Dedicated cluster.
- You configured an identity provider for your cluster.
- You added your user account to the configured identity provider.
Procedure
- From OpenShift Cluster Manager, click on the cluster you want to access.
- Click Open console to open the web console for your cluster.
- Click on your identity provider and provide your credentials to log in to the cluster. Complete any authorization requests that are presented by your provider.
2.6. Deploying an application from the Developer Catalog
From the OpenShift Dedicated web console, you can deploy a test application from the Developer Catalog and expose it with a route.
Prerequisites
- You logged in to the Red Hat Hybrid Cloud Console.
- You created an OpenShift Dedicated cluster.
- You configured an identity provider for your cluster.
- You added your user account to the configured identity provider.
Procedure
- Go to the Cluster List page in OpenShift Cluster Manager.
- Click the options icon (⋮) next to the cluster you want to view.
- Click Open console.
- Your cluster console opens in a new browser window. Log in to your Red Hat account with your configured identity provider credentials.
- In the Administrator perspective, select Home → Projects → Create Project.
- Enter a name for your project and optionally add a Display Name and Description.
- Click Create to create the project.
- Switch to the Developer perspective and select +Add. Verify that the selected Project is the one that you just created.
- In the Developer Catalog dialog, select All services.
- In the Developer Catalog page, select Languages → JavaScript from the menu. Click Node.js, and then click Create to open the Create Source-to-Image application page.
Note: You might need to click Clear All Filters to display the Node.js option.
- In the Git section, click Try sample.
- Add a unique name in the Name field. The value will be used to name the associated resources.
- Confirm that Deployment and Create a route are selected.
- Click Create to deploy the application. It will take a few minutes for the pods to deploy.
- Optional: Check the status of the pods in the Topology pane by selecting your Node.js app and reviewing its sidebar. You must wait for the nodejs build to complete and for the nodejs pod to be in a Running state before continuing.
- When the deployment is complete, click the route URL for the application, which has a format similar to the following:
https://nodejs-<project>.<cluster_name>.<hash>.<region>.openshiftapps.com/
A new tab in your browser opens with a message similar to the following:
Welcome to your Node.js application on OpenShift
- Optional: Delete the application and clean up the resources that you created:
- In the Administrator perspective, navigate to Home → Projects.
- Click the action menu for your project and select Delete Project.
2.7. Scaling your cluster
You can scale the number of load balancers, the persistent storage capacity, and the node count for your OpenShift Dedicated cluster from OpenShift Cluster Manager.
Prerequisites
- You logged in to OpenShift Cluster Manager.
- You created an OpenShift Dedicated cluster.
Procedure
To scale the number of load balancers or the persistent storage capacity:
- Navigate to OpenShift Cluster Manager and select your cluster.
- Select Edit load balancers and persistent storage from the Actions drop-down menu.
- Select the number of Load balancers that you want to scale to.
- Select the Persistent storage capacity that you want to scale to.
- Click Apply. Scaling occurs automatically.
To scale the node count:
- Navigate to OpenShift Cluster Manager and select your cluster.
- Select Edit node count from the Actions drop-down menu.
- Select a Machine pool.
- Select a Node count per zone.
- Click Apply. Scaling occurs automatically.
Verification
- In the Overview tab under the Details heading, you can review the load balancer configuration, persistent storage details, and actual and desired node counts.
Additional resources
- For information about machine pools, see About machine pools.
- For detailed steps to enable autoscaling for compute nodes in your cluster, see About autoscaling nodes on a cluster.
2.8. Revoking administrator privileges from a user
Follow the steps in this section to revoke dedicated-admin privileges from a user.
Prerequisites
- You logged in to OpenShift Cluster Manager.
- You created an OpenShift Dedicated cluster.
- You have configured a GitHub identity provider for your cluster and added an identity provider user.
- You granted dedicated-admin privileges to a user.
Procedure
- Navigate to OpenShift Cluster Manager and select your cluster.
- Click the Access control tab.
- In the Cluster Roles and Access tab, select next to a user and click Delete.
Verification
- After revoking the privileges, the user is no longer listed as part of the dedicated-admins group under Access control → Cluster Roles and Access on the OpenShift Cluster Manager page for your cluster.
2.9. Revoking user access to a cluster
You can revoke cluster access from an identity provider user by removing them from your configured identity provider.
You can configure different types of identity providers for your OpenShift Dedicated cluster. The following example procedure revokes cluster access for a member of a GitHub organization or team that is configured for identity provision to the cluster.
Prerequisites
- You have an OpenShift Dedicated cluster.
- You have a GitHub user account.
- You have configured a GitHub identity provider for your cluster and added an identity provider user.
Procedure
- Navigate to github.com and log in to your GitHub account.
- Remove the user from your GitHub organization or team:
- If your identity provider configuration uses a GitHub organization, follow the steps in Removing a member from your organization in the GitHub documentation.
- If your identity provider configuration uses a team within a GitHub organization, follow the steps in Removing organization members from a team in the GitHub documentation.
Verification
- After removing the user from your identity provider, the user cannot authenticate into the cluster.
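The verification steps for revoking dedicated-admin privileges and for revoking user access can be combined into one check. The following is an added example, not part of the Red Hat documentation: it compares the dedicated-admins group with the users who should hold the role and with the current members of the GitHub organization or team. It assumes you can export the group with `oc get group dedicated-admins -o json`; the function name, input lists and sample data are hypothetical and constructed.

```python
import json


def audit_dedicated_admins(group_json, approved_admins, idp_members):
    """Compare the dedicated-admins Group with who should hold the role.

    group_json      -- output of `oc get group dedicated-admins -o json`
    approved_admins -- user IDs meant to hold dedicated-admin (hypothetical input)
    idp_members     -- current members of the GitHub organization or team
                       configured for the cluster (hypothetical input)
    """
    group = json.loads(group_json)
    name = (group.get("metadata") or {}).get("name")
    if group.get("kind") != "Group" or name != "dedicated-admins":
        raise ValueError("input is not the dedicated-admins Group object")

    # "users" is null or absent when the group has no members.
    members = set(group.get("users") or [])
    approved, in_idp = set(approved_admins), set(idp_members)
    return {
        "unapproved": sorted(members - approved),   # candidates for revocation
        "not_in_idp": sorted(members - in_idp),     # listed, but no longer in the IdP
        "not_granted": sorted(approved - members),  # approved, but never added
    }


# Constructed sample: a Group object as `oc get group ... -o json` prints it.
SAMPLE_GROUP = json.dumps({
    "apiVersion": "user.openshift.io/v1",
    "kind": "Group",
    "metadata": {"name": "dedicated-admins"},
    "users": ["alice", "bob", "mallory"],
})

if __name__ == "__main__":
    report = audit_dedicated_admins(
        SAMPLE_GROUP,
        approved_admins=["alice", "bob", "carol"],
        idp_members=["alice", "carol", "dave"],
    )
    for finding, users in report.items():
        print(f"{finding}: {', '.join(users) or '-'}")
```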
2.10. Deleting your cluster
You can delete your OpenShift Dedicated cluster in Red Hat OpenShift Cluster Manager.
Prerequisites
- You logged in to OpenShift Cluster Manager.
- You created an OpenShift Dedicated cluster.
Procedure
- From OpenShift Cluster Manager, click on the cluster you want to delete.
- Select Delete cluster from the Actions drop-down menu.
- Type the name of the cluster highlighted in bold, then click Delete. Cluster deletion occurs automatically.
Note: If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.
2.11. Next steps
2.12. Additional resources
- For information about the end-of-life dates for OpenShift Dedicated versions, see the OpenShift Dedicated update life cycle.
- For more information about deploying OpenShift Dedicated clusters on AWS, see Creating a cluster on AWS.
- For more information about deploying OpenShift Dedicated clusters on GCP, see Creating a cluster on GCP with Service Account authentication and Creating a cluster on GCP with Workload Identity Federation authentication.
- For documentation on upgrading your cluster, see OpenShift Dedicated cluster upgrades.