This repository contains a comprehensive script for deploying Azure Red Hat OpenShift (ARO) clusters using managed identities - the Microsoft-recommended approach for ARO deployments.
The deploy-aro-managed-identity.sh script automates the complete deployment of an ARO cluster with:
- 9 managed identities for various cluster components
- Proper Role-Based Access Control (RBAC) assignments
- Virtual network and subnet configuration
- Resource provider registration
- Quota validation
- Azure CLI: Version 2.76.0 (see known issues below)
- jq: JSON processor
- Azure subscription with appropriate permissions
- Red Hat pull secret (optional but recommended)
IMPORTANT: As of September 2025, there's a known issue with Azure CLI v2.77.0 that causes API version conflicts with ARO preview features.
You must downgrade to Azure CLI v2.76.0 before running this script.
Reference: Red Hat Solution 7130926
```bash
# Check current version
az version
# Check available versions
apt-cache policy azure-cli
# Downgrade to v2.76.0 (adjust package name for your Ubuntu version)
sudo apt-get install azure-cli=2.76.0-1~noble
# Verify the downgrade
az version
```

```bash
git clone <your-repo-url>
cd infra
chmod +x deploy-aro-managed-identity.sh
```

- Visit Red Hat OpenShift on Azure (ARO)
- Download your pull secret
- Save it as `pull-secret.txt` in the same directory as the script
Set your deployment parameters:
```bash
export LOCATION=westus3                  # Azure region
export RESOURCEGROUP=aro-rg-westus3      # Resource group name
export CLUSTER=aro-cluster               # Cluster name
export CLUSTER_VERSION=4.15.35           # ARO version
export PULL_SECRET_FILE=pull-secret.txt  # Pull secret file path
```

```bash
./deploy-aro-managed-identity.sh -x check-deps
```

```bash
./deploy-aro-managed-identity.sh -x install
```

The script will:
- Check dependencies and Azure CLI version
- Install ARO preview extension
- Register required resource providers
- Validate quota requirements (44+ cores needed)
- Create resource group
- Create virtual network and subnets
- Create 9 managed identities
- Assign comprehensive RBAC roles
- Deploy ARO cluster with managed identities
Deployment time: Approximately 45-55 minutes
```bash
./deploy-aro-managed-identity.sh -x show
```

```bash
./deploy-aro-managed-identity.sh -x destroy
```

- `aro-cluster` - Main cluster identity
- `cloud-controller-manager` - Cloud provider integration
- `ingress` - Ingress controller
- `machine-api` - Node management
- `disk-csi-driver` - Disk storage
- `cloud-network-config` - Network configuration
- `image-registry` - Container image registry
- `file-csi-driver` - File storage
- `aro-operator` - ARO-specific operations

- Virtual Network: `aro-vnet` (10.0.0.0/22)
- Master Subnet: `master` (10.0.0.0/23)
- Worker Subnet: `worker` (10.0.2.0/23)

The script creates 12+ role assignments including:
- Cluster identity permissions over other identities
- Network-level permissions for operators
- Subnet-level permissions for master/worker access
- VNet-level permissions for storage components
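
The scope levels listed above (identity, subnet, VNet) can be verified after deployment. The following is an added example, not part of this repository's script: it assumes role assignments exported with `az role assignment list --all -o json` and a principalId-to-name map built from `az identity list`; the function names, the `BROAD_ROLES` set and the sample data are assumptions constructed for illustration.

```python
import re

# Scopes this README says the script uses: identities, the VNet, and its subnets.
_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/(?:Microsoft\.Network/virtualNetworks"
    r"|Microsoft\.ManagedIdentity/(?P<ident>userAssignedIdentities))/[^/]+(?:/subnets/(?P<subnet>[^/]+))?$",
    re.IGNORECASE)
# Assumption: built-in roles treated as too broad for a component identity.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def classify_scope(scope):
    """Return 'identity', 'vnet', 'subnet' or 'broad' for an ARM scope string."""
    m = _SCOPE.match(scope.rstrip("/"))
    if not m or (m.group("ident") and m.group("subnet")):
        return "broad"  # subscription, resource group, root, or unexpected resource
    if m.group("ident"):
        return "identity"
    return "subnet" if m.group("subnet") else "vnet"

def audit(assignments, principals):
    """Flag assignments of the cluster identities that exceed the expected scope or role."""
    # assignments: list parsed from `az role assignment list --all -o json`
    # principals:  {principalId: identity name}, e.g. built from `az identity list`
    findings = []
    for a in assignments:
        name = principals.get(a["principalId"])
        if name is None:
            continue  # not one of the nine ARO identities
        kind = classify_scope(a["scope"])
        if kind == "broad":
            findings.append((name, a["roleDefinitionName"], "scope: " + a["scope"]))
        elif a["roleDefinitionName"] in BROAD_ROLES:
            findings.append((name, a["roleDefinitionName"], "role too broad on " + kind))
    return findings

# Constructed sample data (placeholder subscription and principal IDs).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/aro-rg-westus3"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/aro-vnet"
PRINCIPALS = {"p-ingress": "ingress", "p-file": "file-csi-driver", "p-mapi": "machine-api"}
SAMPLE = [
    {"principalId": "p-ingress", "roleDefinitionName": "Network Contributor", "scope": VNET + "/subnets/worker"},
    {"principalId": "p-file", "roleDefinitionName": "Contributor", "scope": VNET},
    {"principalId": "p-mapi", "roleDefinitionName": "Reader", "scope": RG},
    {"principalId": "p-other", "roleDefinitionName": "Owner", "scope": RG},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, PRINCIPALS):
        print(finding)
```

An empty result means every assignment held by the listed identities sits at identity, subnet or VNet scope with a role outside `BROAD_ROLES`.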
After successful deployment:
- OpenShift Console: Use the URL provided in the output
- CLI Access: Use `oc login` with the API server URL
- Credentials: Username and password are displayed by the `show` command

- Quota Exceeded: Request quota increase for Standard DSv5 Family vCPUs (44+ cores needed)
- Permission Denied: Ensure you have Contributor role on the subscription
- Extension Issues: Remove and reinstall the ARO preview extension
- API Version Conflicts: Ensure you're using Azure CLI v2.76.0 (not v2.77.0)
```bash
# Check quota
az vm list-usage -l westus3 --query "[?contains(name.value, 'standardDSv5Family')]" -o table
# Check resource providers
az provider list --query "[?contains(namespace, 'RedHat')||contains(namespace, 'Compute')||contains(namespace, 'Storage')]" -o table
# List ARO clusters
az aro list -o table
```

This script implements the managed identity approach which is:
- More secure than service principals
- Microsoft recommended for ARO
- Future-proof for ARO updates
- Eliminates credential management
| Variable | Default | Description |
|---|---|---|
| `LOCATION` | `westus2` | Azure region for deployment |
| `RESOURCEGROUP` | `aro-rg` | Resource group name |
| `CLUSTER` | `cluster` | ARO cluster name |
| `CLUSTER_VERSION` | `4.15.35` | OpenShift version |
| `PULL_SECRET_FILE` | `pull-secret.txt` | Red Hat pull secret file |

For issues related to:
- ARO service: Contact Microsoft Azure Support
- OpenShift: Contact Red Hat Support
- This script: Open an issue in this repository
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
Last Updated: September 26, 2025

Azure CLI Version: 2.76.0 (required due to v2.77.0 compatibility issues)

ARO Extension: 1.0.12 (preview)