Preparation Steps

Obtain Red Hat Pull Secret

Use this URL to download your Red Hat Pull Secret: https://console.redhat.com/openshift/install/pull-secret

Tip: If your organization does not have an existing Red Hat account, you can create a Red Hat trial account for a temporary OCP deployment (60 days). Instructions are under the expandable section "Obtain a Red Hat Trial Account".

Obtain the AWS IAM credentials

If you can use your permanent security credentials for the AWS account, you will need an Access Key ID and Secret Access Key for the deployer to set up an OpenShift cluster on AWS.

Configure AWS

Run the following command and then enter your Access Key ID, Secret Access Key, Region, and Output.

aws configure

Red Hat pull secret

The Red Hat pull secret must be downloaded from https://console.redhat.com/openshift/downloads#tool-pull-secret. Rename the file from pull-secret.txt to pull_secret.json.

Create S3 bucket

BUCKET="Bucket_NAME"
aws s3api create-bucket --bucket "$BUCKET" --region us-east-1

Create pull-secrets folder in S3 bucket

aws s3api put-object --bucket "$BUCKET" --key "pull-secrets/" --region us-east-1

Upload pull-secrets.json to s3bucket/pull-secrets

aws s3 cp pull-secrets.json "s3://$BUCKET/pull-secrets/pull-secrets.json"

Create AWS KeyPair

The first command creates the key pair and writes the private key to the default SSH folder. The second command restricts the permissions of the file.

aws ec2 create-key-pair --key-name "$KEYPAIR_NAME" --key-type rsa --key-format pem --query "KeyMaterial" --output text > ~/.ssh/"$KEYPAIR_NAME".pem
chmod 400 ~/.ssh/$KEYPAIR_NAME.pem
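
The redirect above creates the .pem file with the shell's default umask before chmod runs, and re-running it truncates an existing key file even when the AWS call fails. The following is an added example, not part of the original page, that closes both gaps; `save_private_key` is a hypothetical helper name and the key material in the demo is constructed.

```sh
#!/bin/sh
# Added example, not from the original page. save_private_key is a
# hypothetical helper; the key material in the demo is constructed.

# Read PEM key material on stdin and store it at $1 so that it is never
# readable by other users and never overwrites an existing key.
save_private_key() {
    key_dest=$1
    [ -n "$key_dest" ] || { echo "usage: save_private_key <path>" >&2; return 2; }
    if [ -e "$key_dest" ]; then
        echo "refusing to overwrite $key_dest" >&2
        return 1
    fi
    (
        umask 077      # file is created as 0600, no window before chmod
        set -C         # noclobber: '>' fails if the file appeared meanwhile
        cat > "$key_dest"
    ) || return 1
    # A failed AWS CLI call sends nothing on stdout; do not keep an empty file.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key_dest"; then
        rm -f "$key_dest"
        echo "no PEM private key received" >&2
        return 1
    fi
    chmod 400 "$key_dest"
}

# Intended use with the command from this page:
#   aws ec2 create-key-pair --key-name "$KEYPAIR_NAME" --key-type rsa \
#       --key-format pem --query "KeyMaterial" --output text |
#       save_private_key ~/.ssh/"$KEYPAIR_NAME".pem

# Offline demo with constructed (fake) key material in a throwaway directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' | save_private_key "$demo_dir/demo.pem"
ls -l "$demo_dir/demo.pem"
rm -rf "$demo_dir"
```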

Preparing the installation files

The default "AvailabilityZones" in clusters.yaml are "us-east-2a,us-east-2b,us-east-2c" but can be changed.
To change which Availability Zones are used, search clusters.yaml for us-east-2a,us-east-2b,us-east-2c and replace with the preferred Availability Zones.
Search clusters.yaml for REPLACE_ME_WITH_SUBNET_ID and replace with a specific subnetID.

Preparing Parameters Override file

Review "parameters-override.yaml"; the following changes will need to be made:

  • Add API Key
  • Add KeyPairName
  • Add Private Subnets
  • Add Public Subnets
  • Add Red Hat Pull Secret s3 location
  • Add VPC ID
  • Add Bucket Name for s3 bucket that is being used by Red Hat Pull secret
  • Add Domain Name
  • Add Cluster Name
  • Add CPD External Registry

Deployment Steps

Create OCPInstall Role

Download OCPInstall_Role.yaml. Create the role by running the following command:

aws cloudformation deploy --stack-name OCPInstall-role-1 --template-file OCPInstall_Role.yaml --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here*

Create LambdaExecution Role

Download LambdaExecutionRole.yaml. Create the role by running the following command:

aws cloudformation deploy --stack-name LambdaExecutionRole --template-file LambdaExecutionRole.yaml --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here*

Deploy CloudFormation template using AWS CLI

Using the OCPInstall role ARN, run the following command to start the main CloudFormation deployment:

aws cloudformation deploy --stack-name stack-deployment-1 --template-file cluster.yaml --parameter-overrides file://parameters-override.json --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here* --role-arn arn:aws:iam::<ACCOUNT>:role/OCPInstall

Check the AWS Console to see when the CloudFormation template has progressed far enough that the bootnode is online.

Using the SSH key from the Key Pair name used in parameters-override.yaml, ssh to the bootnode.

Monitoring

SSM into bootnode

Add the AmazonSSMManagedInstanceCore policy to the role used to execute the CloudFormation template and to the user/role that will be connecting to the instance.

The CloudFormation template creates a boot node that will begin executing commands. One set of commands installs, enables, and starts amazon-ssm-agent. It may take up to 20 minutes before this agent comes online in the boot node.

Once the instance has started the SSM agent, a connection can be initiated with the following command:

aws ssm start-session --target "$InstanceID"

Once a connection has been opened, you may need to change users to the 'ec2-user'. This can be accomplished with the following commands:

Become root

sudo su

Become ec2-user

su ec2-user

You will now be able to review deployment logs.

Fixing aws command in SSM

SSM does not work exactly the same as SSH. If you intend to use any additional commands, such as aws, then you need to do the following:

Check the output of running the aws command. If there is an error message like this:

[47863] Error loading Python lib '/usr/bin/libpython3.11.so.1.0': dlopen: /usr/bin/libpython3.11.so.1.0: cannot open shared object file: No such file or directory

Another possible error message:

$ aws
Python path configuration:
PYTHONHOME = '/usr/bin'
PYTHONPATH = (not set)
program name = '/usr/bin/aws'
isolated = 0
environment = 0
user site = 0
safe_path = 0
import site = 0
is in build tree = 0
stdlib dir = ''
sys._base_executable = '/usr/bin/aws'
sys.base_prefix = ''
sys.base_exec_prefix = ''
sys.platlibdir = 'lib'
sys.executable = '/usr/bin/aws'
sys.prefix = ''
sys.exec_prefix = ''
sys.path = [
'/usr/bin/base_library.zip',
'/usr/bin/lib-dynload',
'/usr/bin',
]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00007fed39a06c00 (most recent call first):
<no Python frame>

You may not have the correct $PATH.

Incorrect $PATH:

$ echo $PATH
/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/bin:/usr/sbin

How to Correct $PATH:

export PATH="/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin"

How to persist the change to $PATH:

echo 'export PATH="$HOME/.local/bin:$HOME/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin"' >> ~/.bashrc

Confirm this change works:

$ echo $PATH
/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
$ aws

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

aws help
aws <command> help
aws <command> <subcommand> help

aws: error: the following arguments are required: command
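
The PATH check and the persistent fix above, as an added example that is not part of the original page: it reports which of the directories added by the corrected PATH are missing from a given PATH string, and appends the export line to the rc file only once. The function names are hypothetical, and the sample PATH is the incorrect one shown above.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Directories present in the corrected PATH but absent from the incorrect one.
REQUIRED_DIRS="/usr/local/bin /usr/local/sbin"
# The export line from this page, kept literal so $HOME expands at login.
PATH_LINE='export PATH="$HOME/.local/bin:$HOME/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin"'

# path_has_dir PATH_STRING DIR: succeed only if DIR is an exact PATH entry
# (so /usr/local/bin does not match /usr/local/bin-old, and vice versa).
path_has_dir() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_path_dirs PATH_STRING: print each required directory that is missing.
missing_path_dirs() {
    for req_dir in $REQUIRED_DIRS; do
        path_has_dir "$1" "$req_dir" || printf '%s\n' "$req_dir"
    done
}

# persist_path_fix [RCFILE]: append the export line unless it is already
# there, so repeated SSM sessions do not stack duplicate lines.
persist_path_fix() {
    rc_file=${1:-$HOME/.bashrc}
    touch "$rc_file"
    grep -qxF "$PATH_LINE" "$rc_file" || printf '%s\n' "$PATH_LINE" >> "$rc_file"
}

# Demo on the incorrect PATH shown above, using a throwaway rc file.
sample_path="/home/ec2-user/.local/bin:/home/ec2-user/bin:/usr/bin:/usr/sbin"
echo "missing from sample PATH:"
missing_path_dirs "$sample_path"
demo_rc=$(mktemp)
persist_path_fix "$demo_rc"
persist_path_fix "$demo_rc"
echo "export lines written: $(grep -c 'export PATH' "$demo_rc")"
rm -f "$demo_rc"
```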

Monitor the deployment

Check what folders exist in the ec2-user home directory. If "cpd-status" has not been created yet, then wait a few minutes. Once the "cpd-status" directory appears, run the following command:

tail -f ~/cpd-status/log/cloud-pak-deployer

This command will show the log file from the cp-deployer process.