dcasati/aro-managed-identity

ARO (Azure Red Hat OpenShift) Managed Identity Deployment

This repository contains a comprehensive script for deploying Azure Red Hat OpenShift (ARO) clusters using managed identities - the Microsoft-recommended approach for ARO deployments.

Overview

The deploy-aro-managed-identity.sh script automates the complete deployment of an ARO cluster with:

  • 9 managed identities for various cluster components
  • Proper Role-Based Access Control (RBAC) assignments
  • Virtual network and subnet configuration
  • Resource provider registration
  • Quota validation

Prerequisites

  • Azure CLI: Version 2.76.0 (see known issues below)
  • jq: JSON processor
  • Azure subscription with appropriate permissions
  • Red Hat pull secret (optional but recommended)

Known Issues

Azure CLI Version Compatibility

IMPORTANT: As of September 2025, there's a known issue with Azure CLI v2.77.0 that causes API version conflicts with ARO preview features.

You must downgrade to Azure CLI v2.76.0 before running this script.

Reference: Red Hat Solution 7130926

How to Downgrade Azure CLI on Debian/Ubuntu Systems

# Check current version
az version

# Check available versions
apt-cache policy azure-cli

# Downgrade to v2.76.0 (adjust package name for your Ubuntu version)
sudo apt-get install azure-cli=2.76.0-1~noble

# Verify the downgrade
az version

Setup Instructions

1. Clone and Prepare

git clone <your-repo-url>
cd infra
chmod +x deploy-aro-managed-identity.sh

2. Get Red Hat Pull Secret (Recommended)

  1. Visit Red Hat OpenShift on Azure (ARO)
  2. Download your pull secret
  3. Save it as pull-secret.txt in the same directory as the script

3. Configure Environment Variables

Set your deployment parameters:

export LOCATION=westus3                    # Azure region
export RESOURCEGROUP=aro-rg-westus3       # Resource group name
export CLUSTER=aro-cluster                 # Cluster name
export CLUSTER_VERSION=4.15.35            # ARO version
export PULL_SECRET_FILE=pull-secret.txt   # Pull secret file path

4. Check Dependencies

./deploy-aro-managed-identity.sh -x check-deps
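
The following pre-flight check is an added example, not code from this repository. It covers the pinned Azure CLI version and the on-disk handling of the pull secret file; the function names and finding labels are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of deploy-aro-managed-identity.sh.
REQUIRED_AZ_VERSION="2.76.0"   # version pinned by this README

# Succeeds only when the reported CLI version is exactly the pinned one.
az_version_ok() { [ "$1" = "$REQUIRED_AZ_VERSION" ]; }

# Prints one finding per line for a pull secret file; prints nothing if clean.
pull_secret_findings() {
  local f="$1" mode dir
  [ -f "$f" ] || { echo "MISSING"; return 0; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  mode=$(ls -ld -- "$f" | cut -c5-10)
  [ "$mode" = "------" ] || echo "GROUP_OR_WORLD_ACCESS"
  # Shallow shape check: a Red Hat pull secret is JSON with an "auths" object.
  grep -q '"auths"' -- "$f" || echo "NOT_A_PULL_SECRET"
  # The file sits next to the script inside a git clone, so it must be ignored.
  dir=$(dirname -- "$f")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$dir" check-ignore -q -- "$(basename -- "$f")" || echo "NOT_GIT_IGNORED"
  fi
}

# Runs offline: the az check is skipped when the CLI is not installed.
if command -v az >/dev/null 2>&1; then
  az_version_ok "$(az version --query '"azure-cli"' -o tsv)" \
    || echo "AZ_VERSION_MISMATCH (need $REQUIRED_AZ_VERSION)"
fi
pull_secret_findings "${PULL_SECRET_FILE:-pull-secret.txt}"
```

A clean run prints nothing; `chmod 600 pull-secret.txt` and a `.gitignore` entry clear the two file findings.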

Usage

Deploy ARO Cluster

./deploy-aro-managed-identity.sh -x install

The script will:

  1. Check dependencies and Azure CLI version
  2. Install ARO preview extension
  3. Register required resource providers
  4. Validate quota requirements (44+ cores needed)
  5. Create resource group
  6. Create virtual network and subnets
  7. Create 9 managed identities
  8. Assign comprehensive RBAC roles
  9. Deploy ARO cluster with managed identities

Deployment time: Approximately 45-55 minutes

Get Cluster Information

./deploy-aro-managed-identity.sh -x show

Clean Up Resources

./deploy-aro-managed-identity.sh -x destroy

What Gets Created

Managed Identities (9 total)

  • aro-cluster - Main cluster identity
  • cloud-controller-manager - Cloud provider integration
  • ingress - Ingress controller
  • machine-api - Node management
  • disk-csi-driver - Disk storage
  • cloud-network-config - Network configuration
  • image-registry - Container image registry
  • file-csi-driver - File storage
  • aro-operator - ARO-specific operations

Network Resources

  • Virtual Network: aro-vnet (10.0.0.0/22)
  • Master Subnet: master (10.0.0.0/23)
  • Worker Subnet: worker (10.0.2.0/23)

RBAC Assignments

The script creates 12+ role assignments including:

  • Cluster identity permissions over other identities
  • Network-level permissions for operators
  • Subnet-level permissions for master/worker access
  • VNet-level permissions for storage components
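
To confirm after deployment that the identities hold only the resource-level scopes listed above, the role assignments can be audited. This is an added example, not code from this repository; the function names, finding labels and sample rows are assumptions, and the sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of deploy-aro-managed-identity.sh.
# Flags role assignments broader than the resource-level scopes described above.

# stdin:  TSV rows "principalId<TAB>role<TAB>scope"
# stdout: "REASON<TAB>principalId<TAB>role<TAB>scope" per finding
flag_broad_assignments() {
  awk -F'\t' -v subid="$1" -v rg="$2" '
    BEGIN {
      OFS = "\t"
      rgscope = tolower("/subscriptions/" subid "/resourceGroups/" rg)
      # Built-in roles that grant far more than a single operator needs.
      broad["owner"]; broad["contributor"]; broad["user access administrator"]
    }
    NF >= 3 {
      scope = tolower($3); sub(/\/+$/, "", scope)
      if (tolower($2) in broad)                reason = "BROAD_ROLE"
      else if (scope == rgscope)               reason = "RG_WIDE_SCOPE"
      else if (index(scope, rgscope "/") != 1) reason = "OUTSIDE_RG"  # subscription or other RG
      else next
      print reason, $1, $2, $3
    }'
}

# Live input (requires az login): every assignment of every identity in the RG.
collect_assignments() {
  local rg="$1" pid
  for pid in $(az identity list -g "$rg" --query "[].principalId" -o tsv); do
    az role assignment list --all --assignee "$pid" \
      --query "[].[principalId, roleDefinitionName, scope]" -o tsv
  done
}

# Constructed sample rows: IDs and example-* role names are placeholders.
SAMPLE_SUB="00000000-0000-0000-0000-000000000000"
SAMPLE_RG="aro-rg"
sample_rows() {
  local base="/subscriptions/$SAMPLE_SUB/resourceGroups/$SAMPLE_RG"
  local vnet="$base/providers/Microsoft.Network/virtualNetworks/aro-vnet"
  printf '%s\t%s\t%s\n' \
    "pid-ingress"        "example-ingress-role"  "$vnet/subnets/worker" \
    "pid-file-csi"       "example-file-csi-role" "$vnet" \
    "pid-machine-api"    "Contributor"           "$vnet/subnets/master" \
    "pid-image-registry" "example-registry-role" "$base" \
    "pid-aro-operator"   "example-operator-role" "/subscriptions/$SAMPLE_SUB"
}
sample_rows | flag_broad_assignments "$SAMPLE_SUB" "$SAMPLE_RG"
```

Against a real cluster, run `collect_assignments "$RESOURCEGROUP" | flag_broad_assignments "$(az account show --query id -o tsv)" "$RESOURCEGROUP"`; no output means every assignment is scoped to a resource inside the resource group.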

Access Your Cluster

After successful deployment:

  1. OpenShift Console: Use the URL provided in the output
  2. CLI Access: Use oc login with the API server URL
  3. Credentials: Username and password are displayed by the show command

Troubleshooting

Common Issues

  1. Quota Exceeded: Request quota increase for Standard DSv5 Family vCPUs (44+ cores needed)
  2. Permission Denied: Ensure you have Contributor role on the subscription
  3. Extension Issues: Remove and reinstall the ARO preview extension
  4. API Version Conflicts: Ensure you're using Azure CLI v2.76.0 (not v2.77.0)

Debug Commands

# Check quota
az vm list-usage -l westus3 --query "[?contains(name.value, 'standardDSv5Family')]" -o table

# Check resource providers
az provider list --query "[?contains(namespace, 'RedHat')||contains(namespace, 'Compute')||contains(namespace, 'Storage')]" -o table

# List ARO clusters
az aro list -o table

Architecture

This script implements the managed identity approach, which is:

  • More secure than service principals
  • Microsoft recommended for ARO
  • Future-proof for ARO updates
  • Eliminates credential management

Environment Variables Reference

Variable         | Default         | Description
LOCATION         | westus2         | Azure region for deployment
RESOURCEGROUP    | aro-rg          | Resource group name
CLUSTER          | cluster         | ARO cluster name
CLUSTER_VERSION  | 4.15.35         | OpenShift version
PULL_SECRET_FILE | pull-secret.txt | Red Hat pull secret file

Support

For issues related to:

  • ARO service: Contact Microsoft Azure Support
  • OpenShift: Contact Red Hat Support
  • This script: Open an issue in this repository

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Test thoroughly
  5. Submit a pull request

Last Updated: September 26, 2025
Azure CLI Version: 2.76.0 (required due to v2.77.0 compatibility issues)
ARO Extension: 1.0.12 (preview)
