Getting started with Red Hat OpenShift Service on AWS in AWS GovCloud

Procedure

1. Navigate to the ROSA GovCloud access request form.
2. Complete the access request form.

3. Click Submit to sign up. You receive a Submission confirmation.

   Red Hat’s confirmed stateside support team contacts you through email for the following information:

   • Admin details to include your organization name, administrator first and surname and administrator email.

   • User authentication option to the FedRAMP Hybrid Cloud Console from one of the following two options:

     • Local group in a Red Hat managed Keycloak instance, where users will be required to setup multifactor authentication (MFA) with an approved device.

       Note

       Only device YubiKEY 5C NFC FIPS currently accepted.

     • Customer managed Identity Provider (IdP), integrated via OpenID Connect (OIDC), where you will need to provide the following:

       • Discovery Endpoint: The IdP’s OIDC discovery URL (typically ending in /.well-known/openid-configuration). This allows Keycloak to automatically fetch most of the IdP’s settings.
       • Client ID and secret: Credentials that allow Keycloak to authenticate with the customer’s IdP.
       • Email domain(s): A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.
       • Essential claim: A specific key-value pair (e.g., "rh-approved": "true") that must be present in a user’s token from the IdP to grant them access. In this configuration, the customer takes on the responsibility for implementing FIPS 140-2 validated MFA.

Procedure

1. Navigate to the Red Hat FedRAMP account management page.
2. Sign in with your current username and password.
3. Under the middle box called Account Security, click Signing In.
4. Under Basic authentication, select Password.

5. Click Update and choose a password that meets the following requirements:

   • Minimum of fifteen (15) characters
   • At least one (1) upper-case letter
   • At least one (1) lower-case letter
   • At least one (1) number
   • At least one (1) special character (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)
6. Confirm your password.
7. Click Submit.

Procedure

1. If you need to create an account, contact fedramp-css@openshiftusgov.com.
2. After you receive access, navigate to the Red Hat GovCloud support portal.
3. Click Create Case and complete the required information.
4. Click Submit.

Procedure

1. Navigate to https://console.openshiftusgov.com/openshift/token.
2. Sign in with your Red Hat FedRAMP account credentials where you will see a screen with your token.
3. Copy your token for the next step.

4. In your terminal:

   1. Run rosa login and paste your copied token to log in to the service.

      $ rosa login --govcloud --token=<TOKEN>

      Note

      Depending on your AWS CLI configuration, you might need to add a government region to the end of the command string, such as --region us-gov-west-1.

   2. Run rosa whoami to confirm all information is correct ensuring that you are using the AWS Gov region and the Red Hat OpenShift Cluster Manager API is “https://api.openshiftusgov.com”..

      $ rosa whoami

      Example output

      AWS ARN:                                 arn:aws-us-gov:iam::00000000000:user/rosa-gov-user
      AWS Account ID:                       00000000000
      AWS Default Region:                 us-gov-east-1
      OCM API:                                   https://api.openshiftusgov.com
      OCM Account Email:                  rosa-gov-user@redhat.com
      OCM Account ID:                       3ZXXXXXXXXXXXXXXXXXXXXXXXXX
      OCM Account Name:                 Rosa Gov
      OCM Account Username:          rosa-gov-user
      OCM Organization External ID:  rosa-gov-user
      OCM Organization ID:                3ZXXXXXXXXXXXXXXXXXXXXXXXXX
      OCM Organization Name:          rosa-gov-user

5. You must create a VPC where Red Hat OpenShift Service on AWS will be deployed. For instructions on setting up a VPC, see Amazon VPC architecture for the AWS PrivateLink use case.

Procedure

1. With AWS PrivateLink, you can create a cluster with a single availability zone (Single-AZ) or many availability zones (Multi-AZ). In either case, your machine’s classless inter-domain routing (CIDR) must match your virtual private cloud’s CIDR. See Requirements for using your own VPC and VPC validation for more information.

   Important

   If you use a firewall, you must configure it so that Red Hat OpenShift Service on AWS can access the sites that it requires to function.

   For more information, see the AWS PrivateLink firewall prerequisites section.

   Note

   If your cluster name is longer than 15 characters, it will contain an automatically generated domain prefix as a sub-domain for your provisioned cluster on *.openshiftapps.com.

   To customize the subdomain, use the --domain-prefix flag. The domain prefix cannot be longer than 15 characters, must be unique, and cannot be changed after cluster creation.

   • To create a Single-AZ cluster:

     $ rosa create cluster --private-link --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id>

   • To create a Multi-AZ cluster:

     $ rosa create cluster --private-link --multi-az --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id1>,<private-subnet-id2>,<private-subnet-id3>

2. Enter the following command to check the status of your cluster. During cluster creation, the State field from the output changesfrom pending to installing, and finally to ready.

   $ rosa describe cluster --cluster=<cluster_name>

   Note

   If installation fails or the State field does not change to ready after 40 minutes, check the installation troubleshooting documentation for more details.

3. Enter the following command to follow the OpenShift installer logs to track the progress of your cluster:

   $ rosa logs install --cluster=<cluster_name> --watch