mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

Merge pull request #75185 from openshift-cherrypick-robot/cherry-pick-74557-to-enterprise-4.16

[enterprise-4.16] OSDOCS-10187: Add how to delete a ROSA HCP cluster
Michael Peter
2024-04-25 15:03:01 -04:00
committed by GitHub
6 changed files with 319 additions and 16 deletions

View File

@@ -229,6 +229,8 @@ Topics:
File: rosa-hcp-aws-private-creating-cluster
- Name: Using the Node Tuning Operator on ROSA with HCP
File: rosa-tuning-config
- Name: Deleting a ROSA with HCP cluster
File: rosa-hcp-deleting-cluster
---
Name: Install ROSA Classic clusters
Dir: rosa_install_access_delete_clusters

View File

@@ -1,6 +1,11 @@
// Module included in the following assemblies:
//
// * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
:hcp:
endif::[]
ifeval::["{context}" == "rosa-sts-deleting-cluster"]
:sts:
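Review bot: The added assembly comment `// *rosa_hcp/rosa-hcp-deleting-cluster.adoc` is missing the space after `*` that the existing entry above it has; write it as `// * rosa_hcp/rosa-hcp-deleting-cluster.adoc` so both entries match. This `ifeval` also sets `:hcp:`, and none of the hunks shown for this file unsets it, so confirm that the end of the module has the matching `ifeval` with `:!hcp:`; an attribute that stays set carries over into modules included later in the same assembly.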
@@ -10,16 +15,37 @@ endif::[]
[id="rosa-deleting-account-wide-iam-roles-and-policies_{context}"]
= Deleting the account-wide IAM roles and policies
This section provides steps to delete the account-wide IAM roles and policies that you created for ROSA with STS deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the {product-title} (ROSA) with AWS Security Token Services (STS) clusters that depend on them.
This section provides steps to delete the account-wide IAM roles and policies that you created for
ifdef::sts[]
ROSA with STS
endif::sts[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the
ifdef::sts[]
{product-title} (ROSA) with AWS Security Token Services (STS)
endif::sts[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
clusters that depend on them.
[IMPORTANT]
====
The account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the roles if they are not required by other clusters.
The account-wide IAM roles and policies might be used by other
ifdef::sts[]
ROSA clusters
endif::sts[]
ifdef::hcp[]
{product-title}
endif::hcp[]
in the same AWS account. Only remove the roles if they are not required by other clusters.
====
.Prerequisites
* You have installed a ROSA cluster.
* You have account-wide IAM roles that you want to delete.
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
.Procedure
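Review bot: In the first `[IMPORTANT]` block, the hcp branch renders as "might be used by other {product-title} in the same AWS account", which drops the noun that the sts branch keeps ("ROSA clusters"). Add "clusters" to the hcp branch, and settle on either `{product-title}` or `{hcp-title}` there, because the intro paragraph in this same hunk uses `{hcp-title}`. The prerequisite "You have installed a ROSA cluster." is also left unconditional while the rest of the hunk is split per product.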
@@ -33,6 +59,7 @@ $ rosa list account-roles
----
+
.Example output
ifdef::sts[]
[source,terminal]
----
I: Fetching account roles
@@ -42,6 +69,17 @@ ManagedOpenShift-Installer-Role Installer arn:aws:iam::<aws_account_id>
ManagedOpenShift-Support-Role Support arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role 4.10
ManagedOpenShift-Worker-Role Worker arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role 4.10
----
endif::sts[]
ifdef::hcp[]
[source,terminal]
----
I: Fetching account roles
ROLE NAME ROLE TYPE ROLE ARN OPENSHIFT VERSION AWS Managed
ManagedOpenShift-HCP-ROSA-Installer-Role Installer arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Installer-Role 4.15 Yes
ManagedOpenShift-HCP-ROSA-Support-Role Support arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Support-Role 4.15 Yes
ManagedOpenShift-HCP-ROSA-Worker-Role Worker arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role 4.15 Yes
----
endif::hcp[]
.. Delete the account-wide roles:
+
[source,terminal]
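Review bot: The listing under `.Example output` is now wrapped in `ifdef::sts[]` and `ifdef::hcp[]`, so a context that sets neither attribute renders the title with no listing beneath it. The other two modified modules in this commit gate the non-HCP text with `ifndef::hcp[]`; using the same guard here keeps the classic output as the fallback.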
@@ -52,9 +90,25 @@ $ rosa delete account-roles --prefix <prefix> --mode auto <1>
+
[IMPORTANT]
====
The account-wide IAM roles might be used by other ROSA clusters in the same AWS account. You must only remove the roles if they are not required by other clusters.
The account-wide IAM roles might be used by other ROSA clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
====
+
ifdef::hcp[]
.Example output
[source,terminal]
----
W: There are no classic account roles to be deleted
I: Deleting hosted CP account roles
? Delete the account role 'delete-rosa-HCP-ROSA-Installer-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Installer-Role'
? Delete the account role 'delete-rosa-HCP-ROSA-Support-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Support-Role'
? Delete the account role 'delete-rosa-HCP-ROSA-Worker-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Worker-Role'
I: Successfully deleted the hosted CP account roles
----
endif::hcp[]
+
. Delete the account-wide in-line and Operator policies:
.. Under the *Policies* page in the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console], filter the list of policies by the prefix that you specified when you created the account-wide roles and policies.
+
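Review bot: The hcp example output deletes roles named `delete-rosa-HCP-ROSA-*-Role`, but the `rosa list account-roles` example earlier in this procedure lists `ManagedOpenShift-HCP-ROSA-*-Role`. The reader selects which account-wide roles to remove by `--prefix`, so both examples should use the same prefix to make clear that the listed roles are the ones being deleted. Separately, the `[IMPORTANT]` text in this hunk still says "other ROSA clusters" unconditionally, and the added `ifdef::hcp[]` block sits between two `+` lines, which leaves two continuation lines in a row when `hcp` is not set.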
@@ -67,5 +121,12 @@ If you did not specify a custom prefix when you created the account-wide roles,
+
[IMPORTANT]
====
The account-wide in-line and Operator IAM policies might be used by other ROSA clusters in the same AWS account. You must only remove the roles if they are not required by other clusters.
The account-wide in-line and Operator IAM policies might be used by other
ifdef::sts[]
ROSA clusters
endif::sts[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
in the same AWS account. Only remove the roles if they are not required by other clusters.
====
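Review bot: This admonition is about the account-wide in-line and Operator IAM policies, yet its last sentence reads "Only remove the roles if they are not required by other clusters." It should say "policies", because this step deletes policies and the roles were handled in the previous step. The hcp branch also renders as "used by other {hcp-title} in the same AWS account" with no "clusters" after the attribute.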

View File

@@ -1,18 +1,58 @@
// Module included in the following assemblies:
//
// * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
:hcp:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="rosa-deleting-sts-resources-account-wide_{context}"]
= Deleting the account-wide IAM resources
After you have deleted all {product-title} (ROSA) with AWS Security Token Services (STS) clusters that depend on the account-wide AWS Identity and Access Management (IAM) resources, you can delete the account-wide resources.
After you have deleted all
ifndef::hcp[]
{product-title} (ROSA) with AWS Security Token Services (STS)
endif::hcp[]
ifdef::hcp[]
{hcp-title-first}
endif::hcp[]
clusters that depend on the account-wide AWS Identity and Access Management (IAM) resources, you can delete the account-wide resources.
If you no longer need to install a ROSA with STS cluster by using {cluster-manager-first}, you can also delete the {cluster-manager} and user IAM roles.
If you no longer need to install a
ifndef::hcp[]
ROSA with STS
endif::hcp[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
cluster by using {cluster-manager-first}, you can also delete the {cluster-manager} and user IAM roles.
[IMPORTANT]
====
The account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
The account-wide IAM roles and policies might be used by other
ifndef::hcp[]
ROSA
endif::hcp[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
clusters in the same AWS account. Only remove the resources if they are not required by other clusters.
The {cluster-manager} and user IAM roles are required if you want to install, manage, and delete other ROSA clusters in the same AWS account by using {cluster-manager}. You must only remove the roles if you no longer need to install ROSA clusters in your account by using {cluster-manager}. See the "Additional resources" section for information on repairing your cluster if these roles are removed prior to deletion.
====
The {cluster-manager} and user IAM roles are required if you want to install, manage, and delete other
ifndef::hcp[]
ROSA
endif::hcp[]
ifdef::hcp[]
{product-title}
endif::hcp[]
clusters in the same AWS account by using {cluster-manager}. Only remove the roles if you no longer need to install
ifndef::hcp[]
ROSA
endif::hcp[]
ifdef::hcp[]
{product-title}
endif::hcp[]
clusters in your account by using {cluster-manager}. For more information about repairing your cluster if these roles are removed before deletion, see "Repairing a cluster that cannot be deleted" in _Troubleshooting cluster deployments_.
====
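Review bot: Inside the `[IMPORTANT]` text, the hcp branches use `{hcp-title}` in the first paragraph and `{product-title}` in both branches of the second paragraph for the same thing. Use one attribute throughout so that the rendered admonition names a single product when it tells the reader which roles are safe to remove.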

View File

@@ -0,0 +1,130 @@
// Module included in the following assemblies:
//
// * rosa_hcp/rosa-hcp-deleting-cluster.adoc
:_mod-docs-content-type: PROCEDURE
[id="rosa-hcp-deleting-cluster_{context}"]
= Deleting a {hcp-title} cluster and the cluster-specific IAM resources
You can delete a {hcp-title} cluster by using the ROSA command line interface (CLI) (`rosa`) or {cluster-manager-first}.
After deleting the cluster, you can clean up the cluster-specific Identity and Access Management (IAM) resources in your AWS account by using the ROSA CLI. The cluster-specific resources include the Operator roles and the OpenID Connect (OIDC) provider.
[NOTE]
====
The cluster deletion must complete before you remove the IAM resources, because the resources are used in the cluster deletion and clean up processes.
====
If add-ons are installed, the cluster deletion takes longer because add-ons are uninstalled before the cluster is deleted. The amount of time depends on the number and size of the add-ons.
.Prerequisites
* You have installed a {hcp-title} cluster.
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
.Procedure
. Get the cluster ID, the Amazon Resource Names (ARNs) for the cluster-specific Operator roles, and the endpoint URL for the OIDC provider by running the following command:
+
[source,terminal]
----
$ rosa describe cluster --cluster=<cluster_name>
----
+
.Example output
[source,terminal]
----
Name: test_cluster
Domain Prefix: test_cluster
Display Name: test_cluster
ID: <cluster_id> <1>
External ID: <external_id>
Control Plane: ROSA Service Hosted
OpenShift Version: 4.15.0
Channel Group: stable
DNS: test_cluster.l3cn.p3.openshiftapps.com
AWS Account: <AWS_id>
AWS Billing Account: <AWS_id>
API URL: https://api.test_cluster.l3cn.p3.openshiftapps.com:443
Console URL:
Region: us-east-1
Availability:
- Control Plane: MultiAZ
- Data Plane: SingleAZ
Nodes:
- Compute (desired): 2
- Compute (current): 0
Network:
- Type: OVNKubernetes
- Service CIDR: 172.30.0.0/16
- Machine CIDR: 10.0.0.0/16
- Pod CIDR: 10.128.0.0/14
- Host Prefix: /23
- Subnets: <subnet_ids>
EC2 Metadata Http Tokens: optional
Role (STS) ARN: arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Installer-Role
Support Role ARN: arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Support-Role
Instance IAM Roles:
- Worker: arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Worker-Role
Operator IAM Roles: <2>
- arn:aws:iam::<AWS_id>:role/test_cluster-openshift-cloud-network-config-controller-cloud-crede
- arn:aws:iam::<AWS_id>:role/test_cluster-openshift-image-registry-installer-cloud-credentials
- arn:aws:iam::<AWS_id>:role/test_cluster-openshift-ingress-operator-cloud-credentials
- arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-kube-controller-manager
- arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-capa-controller-manager
- arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-control-plane-operator
- arn:aws:iam::<AWS_id>:role/hcpcluster-kube-system-kms-provider
- arn:aws:iam::<AWS_id>:role/test_cluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
Managed Policies: Yes
State: ready
Private: No
Created: Apr 16 2024 20:32:06 UTC
User Workload Monitoring: Enabled
Details Page: https://console.redhat.com/openshift/details/s/<cluster_id>
OIDC Endpoint URL: https://oidc.op1.openshiftapps.com/<cluster_id> (Managed) <3>
Audit Log Forwarding: Disabled
External Authentication: Disabled
----
<1> Lists the cluster ID.
<2> Specifies the ARNs for the cluster-specific Operator roles. For example, in the sample output the ARN for the role required by the Machine Config Operator is `arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-machine-api-aws-cloud-credentials`.
<3> Displays the endpoint URL for the cluster-specific OIDC provider.
+
[IMPORTANT]
====
After the cluster is deleted, you need the cluster ID to delete the cluster-specific STS resources using the ROSA CLI.
====
. Delete the cluster by using either the {cluster-manager} or the ROSA CLI (`rosa`):
** To delete the cluster by using the {cluster-manager}:
.. Navigate to the {cluster-manager-url}.
.. Click the Options menu {kebab} next to your cluster and select *Delete cluster*.
.. Type the name of your cluster into the prompt and click *Delete*.
** To delete the cluster using the ROSA CLI:
.. Run the following command, replacing `<cluster_name>` with the name or ID of your cluster:
+
[source,terminal]
----
$ rosa delete cluster --cluster=<cluster_name> --watch
----
+
[IMPORTANT]
====
You must wait for cluster deletion to complete before you remove the Operator roles and the OIDC provider.
====
. Delete the cluster-specific Operator IAM roles by running the following command:
+
[source,terminal]
----
$ rosa delete operator-roles --prefix <operator_role_prefix>
----
. Delete the OIDC provider by running the following command:
+
[source,terminal]
----
$ rosa delete oidc-provider --oidc-config-id <oidc_config_id>
----
//If reusing, porting, or separating this content, make sure to grab the "Troubleshooting" section from the assembly. It could not be included in the module because of xrefs.
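Review bot: Steps 3 and 4 take `<operator_role_prefix>` and `<oidc_config_id>`, but step 1 only has the reader record the cluster ID, the Operator role ARNs and the OIDC endpoint URL, and the `[IMPORTANT]` note says the cluster ID is what is needed after deletion. State how each placeholder is derived from the `rosa describe cluster` output, because step 1 is the only point where the procedure has the reader capture these values. Callout <2> also cites `mycluster-x4q9-openshift-machine-api-aws-cloud-credentials`, which does not appear in the sample output, and the sample mixes one `hcpcluster-` role in with the `test_cluster-` roles.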

View File

@@ -1,16 +1,41 @@
// Module included in the following assemblies:
//
// * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
:hcp:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="rosa-unlinking-and-deleting-ocm-and-user-iam-roles_{context}"]
= Unlinking and deleting the {cluster-manager} and user IAM roles
If you installed a {product-title} (ROSA) cluster by using {cluster-manager-first}, you created {cluster-manager} and user Identity and Access Management (IAM) roles and linked them to your Red Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (`rosa`).
When you install a
ifndef::hcp[]
{product-title} (ROSA)
endif::hcp[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
cluster by using {cluster-manager-first}, you also create {cluster-manager} and user Identity and Access Management (IAM) roles that link to your Red Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (`rosa`).
[IMPORTANT]
====
The {cluster-manager} and user IAM roles are required if you want to use {cluster-manager} to install and manage other ROSA clusters in the same AWS account. You must only remove the roles if you no longer need to use {cluster-manager} to install ROSA clusters.
The {cluster-manager} and user IAM roles are required if you want to use {cluster-manager} to install and manage other
ifndef::hcp[]
ROSA clusters
endif::hcp[]
ifdef::hcp[]
{hcp-title}
endif::hcp[]
in the same AWS account. Only remove the roles if you no longer need to use the {cluster-manager} to install
ifndef::hcp[]
ROSA clusters.
endif::hcp[]
ifdef::hcp[]
{hcp-title} clusters.
endif::hcp[]
====
.Prerequisites
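Review bot: In the `[IMPORTANT]` block, the first hcp branch renders as "install and manage other {hcp-title} in the same AWS account" with no "clusters", while the hcp branch at the end of the block has `{hcp-title} clusters.` Add "clusters" to the first branch so both read the same way. The rewritten text also alternates between "{cluster-manager}" and "the {cluster-manager}" within the one admonition.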
@@ -29,6 +54,7 @@ The {cluster-manager} and user IAM roles are required if you want to use {cluste
$ rosa list ocm-roles
----
+
ifndef::hcp[]
.Example output
[source,terminal]
----
@@ -37,13 +63,24 @@ ROLE NAME ROLE ARN
ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> Yes Yes
----
+
.. If your {cluster-manager} IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization:
endif::hcp[]
ifdef::hcp[]
.Example output
[source,terminal]
----
I: Fetching ocm roles
ROLE NAME ROLE ARN LINKED ADMIN AWS Managed
ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> Yes Yes Yes
----
endif::hcp[]
+
.. If your {cluster-manager} IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization by running the following command:
+
[source,terminal]
----
$ rosa unlink ocm-role --role-arn <arn> <1>
----
<1> Replace `<arn>` with the Amazon Resource Name (ARN) for your {cluster-manager} IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format `arn:aws:iam::<aws_account_external_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>`.
<1> Replace `<arn>` with the Amazon Resource Name (ARN) for your {cluster-manager} IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format `arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>`.
+
.Example output
[source,terminal]
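Review bot: The `+` that precedes the first `endif::hcp[]` stays inside the `ifndef::hcp[]` block, and a second `+` is added after the hcp block, so the non-HCP build gets two list-continuation lines in a row before the unlink step. Drop the first `+` so that each build has exactly one `+` between the example output and `.. If your {cluster-manager} IAM role is listed as linked ...`.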
@@ -119,4 +156,4 @@ I: Deleting user role
? User role deletion mode: auto <1>
I: Successfully deleted the user role
----
<1> Specifies the deletion mode. You can use `auto` mode to automatically delete the user IAM role. In `manual` mode, the ROSA CLI generates the `aws` command needed to delete the role. `manual` mode enables you to review the details before running the `aws` command manually.
<1> Specifies the deletion mode. You can use `auto` mode to automatically delete the user IAM role. In `manual` mode, the ROSA CLI generates the `aws` command needed to delete the role. `manual` mode enables you to review the details before running the `aws` command manually.

View File

@@ -0,0 +1,33 @@
:_mod-docs-content-type: ASSEMBLY
include::_attributes/attributes-openshift-dedicated.adoc[]
[id="rosa-hcp-deleting-cluster"]
= Deleting a {hcp-title} cluster
:context: rosa-hcp-deleting-cluster
toc::[]
If you want to delete a {hcp-title-first} cluster, you can use either the {cluster-manager-first} or the ROSA command line interface (CLI) (`rosa`). After deleting your cluster, you can also delete the AWS Identity and Access Management (IAM) resources that are used by the cluster.
include::modules/rosa-hcp-deleting-cluster.adoc[leveloffset=+1]
.Troubleshooting
* If the cluster cannot be deleted because of missing IAM roles, see xref:../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-cluster-deletion_rosa-troubleshooting-cluster-deployments[Repairing a cluster that cannot be deleted].
* If the cluster cannot be deleted for other reasons:
** Ensure that there are no add-ons for your cluster pending in the link:https://console.redhat.com/openshift[Hybrid Cloud Console].
** Ensure that all AWS resources and dependencies have been deleted in the Amazon Web Console.
include::modules/rosa-deleting-sts-iam-resources-account-wide.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources
* xref:../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-cluster-deletion_rosa-troubleshooting-cluster-deployments[Repairing a cluster that cannot be deleted]
include::modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc[leveloffset=+2]
[role="_additional-resources"]
.Additional resources
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for ROSA clusters that use STS]
include::modules/rosa-unlinking-and-deleting-ocm-and-user-iam-roles.adoc[leveloffset=+2]
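Review bot: The second troubleshooting bullet says "Amazon Web Console", which is not the name of an AWS product; the console is the AWS Management Console. That bullet also asks the reader to ensure "all AWS resources and dependencies have been deleted" without saying which ones block deletion, so name them or link to the troubleshooting topic. The "Repairing a cluster that cannot be deleted" xref appears twice on the page, under `.Troubleshooting` and again under the first `.Additional resources`.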