This playbook creates the OpenShift 4 UPI (User provided Infrastructure) on AWS into an existing VPC with existing private and public subnets and DNS Zones.

It is also possible to deploy the API server without exposing it to the Internet, this will require that the host that runs this Ansible playbook can access the VPC subnets.

The Cloudformation templates are based on these: https://github.com/openshift/installer/tree/master/upi/aws/cloudformation

Some information has to be provided. Mainly information about your AWS VPC, your subnets etc. See inventory/group_vars/all

Create an administrative IAM user to perform the install. See https://github.com/openshift/installer/blob/master/docs/user/aws/iam.md

This user can be removed after the installation

To set up a bastion host follow these steps:

Start with a RHEL7 Instance.

Become root and install the needed tools:

sudo -i

subscription-manager repos --enable rhel-7-server-ansible-2.8-rpms

yum install -y ansible

yum install -y \
  https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

yum -y install \
  python2-boto python2-boto3 python2-simplejson

yum erase -y epel-release

exit

With your own account, create ~/.aws/credentials with the following content, replacing the AWSKEY and AWSSECRETKEY with the right values from AWS.

[default]
aws_access_key_id = AWSKEY
aws_secret_access_key = AWSSECRETKEY

Modify inventory/group_vars/all.

ansible-playbook install-upi.yaml

To delete all AWS resources that were created for an OpenShift cluster, use the same inventory/group_vars/all that was used for the installation. In particular, the clustername has to match. You also need the /tmp/CLUSTERNAME directory that was created by the installation playbook.

ansible-playbook uninstall-upi.yaml

To enable encryption of the EBS volumes attached to the master and worker nodes, the RHCOS AMI needs to be copied before the installation is started. This can be done by running

ansible-playbook create-encrypted-ami.yaml

The playbook uses the AMI ID rhcos_ami from vars.yaml as the source and creates a private AMI that is identical to the source AMI, except that disk encryption is enabled.

install-upi.yaml looks for a private AMI created by create-encrypted-ami.yaml. If none is found, it uses AMI ID rhcos_ami from inventory/group_vars/all.