How to create a cluster in Red Hat OpenShift Service on AWS with STS

Learn how to set up accounts and clusters with Red Hat® OpenShift® Service on AWS (ROSA) using AWS Security Token Service (STS) to help build container-based applications faster.

Note that STS is the deployment method Red Hat recommends. Non-STS ROSA deployment is covered on a separate page.

This learning path is for operations teams or system administrators.

Developers may want to check out Foundations of OpenShift on developers.redhat.com.


Creating a cluster using Red Hat OpenShift Service on AWS (ROSA) with STS

1 hr

In this section, you’ll use the Red Hat OpenShift Service on AWS CLI (rosa) with the default options to create an OpenShift cluster that uses the AWS Security Token Service (STS).

What will you learn?

  • Creating a cluster with STS using the default options
  • Creating a cluster with STS using customizations
     

What do you need before starting?

Note: To successfully install ROSA 4.10 clusters, use ROSA CLI 1.1.11 or above.

Create a cluster with STS using the default options

You can create an OpenShift cluster that uses the AWS Security Token Service (STS) through the Red Hat OpenShift Service on AWS CLI (rosa).

Additionally, you can use auto mode to create the required AWS Identity and Access Management (IAM) resources. auto mode creates the account-wide IAM roles and policies, including the Operator policies, and the OpenID Connect (OIDC) identity provider, using the credentials of the current AWS account, so confirm that you are working in the intended account before running it.

  1. First, create the required account-wide roles and policies, including the Operator policies:

     $ rosa create account-roles --mode auto

     Note: When using auto mode, you can optionally specify the -y argument to bypass the interactive prompts and automatically confirm operations.
  2. Next, create a cluster with STS using the defaults. With the defaults, the latest stable OpenShift version is installed:

     $ rosa create cluster --cluster-name <cluster_name> --sts --mode auto

     Replace <cluster_name> with the name of your cluster.
  3. Check the status of your cluster:

     $ rosa describe cluster --cluster <cluster_name|cluster_id>

     • Installation typically takes about 40 minutes; the State field changes to ready when it completes.
     • You can track the progress of the cluster creation by watching the OpenShift installer logs.

Create a cluster with STS using customizations

You can also customize your installation when using AWS STS to create a cluster. Running rosa create cluster --interactive presents prompts that let you customize your deployment.

There are two rosa CLI modes for deploying a cluster with STS: manual and auto modes.

Only public and AWS PrivateLink clusters are supported with STS. Regular private clusters (non-PrivateLink) are not available for use with STS.

Note: AWS Shared VPCs are not currently supported for ROSA installations.

Note: To successfully install ROSA 4.10 clusters, use ROSA CLI 1.1.11 or above.

  1. Create the required account-wide roles and policies, including the Operator policies. Use manual mode to assign roles manually; otherwise, use auto mode:

     $ rosa create account-roles --mode manual

     Note: manual mode generates the IAM policy JSON files in the current working directory and prints the aws CLI commands needed to create the account-wide roles and policies, for review. It does not create anything in AWS: after reviewing the files and commands, you must run the commands yourself to create the resources.
  2. (Optional) If you are using your own AWS KMS key to encrypt the control plane data volumes and the persistent volumes (PVs) for your applications, the account-wide installer role must be allowed to use that key. Retrieve the current key policy into a file, add the ARN of the installer role as an allowed principal, and then apply the edited policy back to the key with the aws CLI:

     $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output text > kms-key-policy.json

  3. Create a cluster with STS using custom installation options:

     $ rosa create cluster --interactive --sts

  4. Create the cluster-specific Operator IAM roles. Use manual mode to assign roles manually; otherwise, use auto mode:

     $ rosa create operator-roles --mode manual --cluster <cluster_name|cluster_id>

  5. Create the OpenID Connect (OIDC) provider that the cluster Operators use to authenticate:

     $ rosa create oidc-provider --mode auto --cluster <cluster_name|cluster_id>

  6. Check the status of your cluster:

     $ rosa describe cluster --cluster <cluster_name|cluster_id>

     • Installation typically takes about 40 minutes; the State field changes to ready when it completes.
     • You can track the progress of the cluster creation by watching the OpenShift installer logs.
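The following script is added here as an example; it is not code from this Red Hat page or from the rosa project. It strings together both procedures above: the default auto-mode flow, and the customized flow (interactive cluster creation, then Operator roles and the OIDC provider), and it completes the optional KMS step, since the page shows only the command that retrieves the key policy. Before anything runs it checks the CLI version against the 1.1.11 note, and afterwards it polls the State field from rosa describe cluster, stopping early on a terminal state instead of waiting out the timeout. The ROSA_RUN, FLOW, CLUSTER_NAME and KMS_KEY_ARN environment variables, the poll interval and timeout, the jq dependency, the KMS action set, and the ManagedOpenShift role prefix are assumptions of this example, not taken from the page. Account roles are created in auto mode; if you want manual mode, run rosa create account-roles --mode manual yourself, review and apply the printed commands, and then run the script.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): wraps the two rosa/STS procedures.
# Assumptions not on the page: ROSA_RUN, FLOW, CLUSTER_NAME and KMS_KEY_ARN,
# the poll interval/timeout, jq, and rosa's default role prefix ManagedOpenShift.
set -eu

MIN_ROSA_VERSION="1.1.11"                   # from the page's ROSA 4.10 note
FLOW="${FLOW:-default}"                     # "default" or "custom"
CLUSTER_NAME="${CLUSTER_NAME:-my-sts-cluster}"
KMS_KEY_ARN="${KMS_KEY_ARN:-}"              # optional customer-managed key
POLL_SECONDS=60
MAX_WAIT_MINUTES=60                         # the page says about 40 minutes

# version_ge A B: succeed when dotted version A >= B, compared numerically per
# component (first three components; missing components count as 0).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i")
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# cluster_state TEXT: first word of the "State:" line of `rosa describe cluster`
# output ("installing (Waiting ...)" -> installing); "unknown" if no such line.
cluster_state() {
  printf '%s\n' "$1" | awk -F': *' '
    $1 == "State" { split($2, w, " "); print w[1]; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Poll until the cluster reports ready; fail fast on a terminal state.
wait_for_ready() {
  elapsed=0
  while [ "$elapsed" -lt $((MAX_WAIT_MINUTES * 60)) ]; do
    out=$(rosa describe cluster --cluster "$CLUSTER_NAME")
    state=$(cluster_state "$out")
    echo "cluster $CLUSTER_NAME state: $state"
    case "$state" in
      ready) return 0 ;;
      error|uninstalling)
        echo "state $state; inspect with: rosa logs install --cluster $CLUSTER_NAME --watch" >&2
        return 1 ;;
    esac
    sleep "$POLL_SECONDS"
    elapsed=$((elapsed + POLL_SECONDS))
  done
  echo "timed out after $MAX_WAIT_MINUTES minutes" >&2
  return 1
}

# Allow the account-wide installer role to use a customer-managed KMS key:
# fetch the default key policy, append one statement, write it back.
# Assumption: the role uses rosa's default prefix and the standard KMS
# "use of the key" actions are sufficient; tighten if your policy allows.
grant_installer_kms_access() {
  account_id=$(aws sts get-caller-identity --query Account --output text)
  role_arn="arn:aws:iam::${account_id}:role/ManagedOpenShift-Installer-Role"
  aws kms get-key-policy --key-id "$KMS_KEY_ARN" --policy-name default \
      --output text > kms-key-policy.json
  jq --arg arn "$role_arn" '.Statement += [{
        Sid: "AllowROSAInstallerRoleUseOfTheKey", Effect: "Allow",
        Principal: { AWS: $arn },
        Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"],
        Resource: "*" }]' kms-key-policy.json > kms-key-policy.edited.json
  aws kms put-key-policy --key-id "$KMS_KEY_ARN" --policy-name default \
      --policy file://kms-key-policy.edited.json
}

main() {
  command -v rosa >/dev/null 2>&1 || { echo "rosa CLI not found" >&2; exit 1; }
  have=$(rosa version 2>/dev/null | head -n 1 | tr -dc '0-9.')
  version_ge "$have" "$MIN_ROSA_VERSION" \
      || { echo "rosa $have is older than required $MIN_ROSA_VERSION" >&2; exit 1; }
  rosa whoami          # auto mode creates IAM resources in the account shown here
  if [ "$FLOW" = "default" ]; then
    rosa create account-roles --mode auto -y
    rosa create cluster --cluster-name "$CLUSTER_NAME" --sts --mode auto
  else
    rosa create account-roles --mode auto -y
    if [ -n "$KMS_KEY_ARN" ]; then grant_installer_kms_access; fi
    rosa create cluster --cluster-name "$CLUSTER_NAME" --sts --interactive
    rosa create operator-roles --mode auto --cluster "$CLUSTER_NAME"
    rosa create oidc-provider --mode auto --cluster "$CLUSTER_NAME"
  fi
  wait_for_ready
}

# Constructed excerpt of `rosa describe cluster` output (not real data) for the
# offline dry run below.
SAMPLE_DESCRIBE='Name:                       my-sts-cluster
State:                      installing (Waiting for OIDC configuration)
Region:                     us-east-1'

if [ "${ROSA_RUN:-0}" = "1" ]; then
  main
else
  echo "dry run: sample state is '$(cluster_state "$SAMPLE_DESCRIBE")'; set ROSA_RUN=1 to create the cluster"
fi
```

Run it with ROSA_RUN=1 (and FLOW=custom, KMS_KEY_ARN=... for the customized path) only after rosa whoami shows the AWS account you intend to create IAM roles in; without ROSA_RUN it only exercises the version and state parsing on the constructed sample.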

Good work! Once you’ve created your cluster, you’re ready to access it in the next resource.

© 2026 Red Hat