Deploy ROSA with Red Hat Advanced Cluster Management for Kubernetes
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
In the dynamic world of cloud-native development, efficiently managing Kubernetes clusters across diverse environments is paramount. This blog post dives into a powerful combination: deploying Red Hat OpenShift Service on AWS (ROSA) Hosted Control Planes (HCP) clusters, orchestrated and governed by Red Hat Advanced Cluster Management for Kubernetes (RHACM). This approach offers a compelling suite of benefits, including significant cost reductions by offloading control plane management to Red Hat, accelerated cluster provisioning times, and enhanced operational efficiency through a centralized management plane. By leveraging ROSA HCP with RHACM, organizations can achieve a more streamlined, secure, and scalable Kubernetes footprint on AWS, allowing teams to focus more on innovation and less on infrastructure overhead.
Prerequisites
You will need a ROSA cluster (see Deploying ROSA HCP with Terraform if you need help creating one).
Log in to the ROSA cluster
AWS CLI, logged in
Terraform CLI
Git CLI
An OCM Service Account client ID and client secret; if you don't have one, you can create a service account by visiting here
After logging in with the OCM Service Account, make sure the ROSA OCM role is linked. To list your OCM roles:
and then link the role, passing the OCM role ARN:
- Set environment variables
Install and Configure ACM
Deploy the Red Hat Advanced Cluster Management for Kubernetes Operator
Create a MultiClusterHub Instance
Before continuing, wait for the multicluster engine to complete
Patch the multiclusterengine to support preview APIs
- Annotate the multiclusterengine to respect IRSA credentials
Configure AWS Credentials
- Create a trust policy
- Create a role with a trust policy for RHACM to use
Configure RHACM to use AWS Roles
- Annotate the multicluster-engine service account
- Restart the CAPA Controller Manager Deployment
Deploy the AWSClusterControllerIdentity
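The steps from the trust policy through the AWSClusterControllerIdentity, as an added example that is not code from the post or from Red Hat. It renders the files and prints the commands that would apply them, so it runs offline. Everything it names beyond what the post states is an assumption: that the CAPA controller runs as the `capa-controller-manager` ServiceAccount and Deployment in the `multicluster-engine` namespace, that the hub's pod identity webhook honours the `eks.amazonaws.com/role-arn` annotation and projects tokens with audience `openshift`, and that the account ID, OIDC provider and role name are placeholders you replace. The post does not say which permissions policy the role gets, so that ARN is a placeholder too. The two details worth checking in your own deployment are the `sub` and `aud` conditions, which pin the role to exactly one ServiceAccount rather than to every workload behind the hub's OIDC provider, and `allowedNamespaces` on the identity, which decides which namespaces may fall back to the controller's own AWS credentials.

```shell
#!/usr/bin/env sh
# Added example, not code from the Red Hat post. Renders the IRSA pieces for the
# CAPA controller that RHACM runs in the multicluster-engine namespace, and echoes
# the commands that would apply them, so it runs offline. Values marked ASSUMED
# or constructed are not taken from the post.
set -eu

AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"                 # constructed
OIDC_PROVIDER="${OIDC_PROVIDER:-oidc.example.com/hub-oidc-id}"   # constructed; hub OIDC host+path, no https://
CAPA_NAMESPACE="${CAPA_NAMESPACE:-multicluster-engine}"
CAPA_SA="${CAPA_SA:-capa-controller-manager}"                    # ASSUMED service account name
ROLE_NAME="${ROLE_NAME:-rhacm-capa-controller}"                  # ASSUMED role name

# Trust policy scoped to one ServiceAccount in one namespace and to the token
# audience the pod identity webhook projects (ASSUMED default: "openshift").
# Without the sub/aud conditions any workload behind this OIDC provider could
# assume the role.
build_trust_policy() {
  account="$1"; provider="$2"; namespace="$3"; sa="$4"; audience="${5:-openshift}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${provider}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${provider}:sub": "system:serviceaccount:${namespace}:${sa}",
        "${provider}:aud": "${audience}"
      }
    }
  }]
}
EOF
}

# AWSClusterControllerIdentity tells CAPA which namespaces may fall back to the
# controller's own (IRSA) credentials. No arguments renders the open form that
# admits every namespace; pass namespaces to restrict it to those.
build_controller_identity() {
  printf '%s\n' 'apiVersion: infrastructure.cluster.x-k8s.io/v1beta2' \
    'kind: AWSClusterControllerIdentity' 'metadata:' '  name: default' 'spec:'
  if [ "$#" -eq 0 ]; then
    printf '%s\n' '  allowedNamespaces: {}'
  else
    printf '%s\n' '  allowedNamespaces:' '    list:'
    for ns in "$@"; do printf '      - %s\n' "$ns"; done
  fi
}

# The commands that would apply the rendered files on AWS and the hub; printed
# rather than executed so the script stays offline. The role's permissions
# policy is not given in the post, so its ARN is a placeholder.
apply_commands() {
  cat <<EOF
aws iam create-role --role-name ${ROLE_NAME} --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name ${ROLE_NAME} --policy-arn <PERMISSIONS_POLICY_ARN>
oc annotate serviceaccount -n ${CAPA_NAMESPACE} ${CAPA_SA} \\
  eks.amazonaws.com/role-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME} --overwrite
oc rollout restart deployment/capa-controller-manager -n ${CAPA_NAMESPACE}
oc apply -f controller-identity.yaml
EOF
}

# Usage: ./irsa-capa.sh render [allowed-namespace ...]
if [ "${1:-}" = "render" ]; then
  shift
  build_trust_policy "$AWS_ACCOUNT_ID" "$OIDC_PROVIDER" "$CAPA_NAMESPACE" "$CAPA_SA" > trust-policy.json
  build_controller_identity "$@" > controller-identity.yaml
  apply_commands
fi
```

Run it as `./irsa-capa.sh render` to get the open identity the post's step implies, or `./irsa-capa.sh render rosa-clusters` to limit credential fallback to the namespace you will create the ROSA clusters in. Compare the rendered `aud` value against the audience in a token the webhook actually projects into the CAPA pod before creating the role.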
Configure RHACM to auto-import ROSA Clusters
- Enable the ClusterImporter feature gates on the ClusterManager
- Bind the CAPI manager permission to the import controller
- Get the CA from the hub cluster
- Apply a config map on the hub cluster
Deploy a new ROSA HCP Cluster
- Create a namespace for the new cluster and an OCM secret
- Create OIDC Config for new cluster
- Create ROSA Operator Roles for new cluster
- Deploy AWS VPC and Subnets for the cluster
Note: This example deploys ROSA to a single availability zone but can easily be adapted to a multi-zone configuration.
For detailed examples, refer to the official docs.
- Shorten role names to meet the AWS limit of 64 characters
- Create a new cluster
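The role-name step above, as an added example that is not code from the post or from Red Hat. It shortens each operator role name for a prefix to the 64-character IAM limit and, the part the post's one-line step leaves implicit, refuses a prefix that makes two roles collapse onto the same name, because a duplicate name means the second `create-role` fails and a later `attach-role-policy` lands on the wrong operator's role. The operator role suffixes listed are the ones the rosa CLI uses for HCP clusters as recalled here, not taken from the post, so confirm them against your `rosa create operator-roles` output; truncating from the end is this example's choice.

```shell
#!/usr/bin/env sh
# Added example, not code from the Red Hat post. Shortens the operator role names
# created for a new ROSA HCP cluster to the 64-character IAM role-name limit and
# checks that no two roles collapse onto the same name after shortening.
set -eu

AWS_ROLE_NAME_MAX=64

# Operator role suffixes as the rosa CLI names them for HCP clusters (ASSUMED here;
# confirm against `rosa create operator-roles` output for your version).
OPERATOR_ROLE_SUFFIXES="
openshift-ingress-operator-cloud-credentials
openshift-image-registry-installer-cloud-credentials
openshift-cluster-csi-drivers-ebs-cloud-credentials
openshift-cloud-network-config-controller-cloud-credentials
kube-system-kube-controller-manager
kube-system-capa-controller-manager
kube-system-control-plane-operator
kube-system-kms-provider
"

# Cut one role name to the limit (from the end, as this example chooses to do)
# and drop a trailing '-' the cut may leave behind.
shorten_role_name() {
  short="$(printf '%s' "$1" | cut -c1-"$AWS_ROLE_NAME_MAX")"
  printf '%s\n' "${short%-}"
}

# Full operator role names for a prefix, one per line.
operator_role_names() {
  for suffix in $OPERATOR_ROLE_SUFFIXES; do
    printf '%s-%s\n' "$1" "$suffix"
  done
}

# The same list after shortening.
shortened_role_names() {
  operator_role_names "$1" | while IFS= read -r name; do
    shorten_role_name "$name"
  done
}

# Fail (status 1) if shortening made two distinct roles share a name: IAM would
# reject the second create-role, and a later attach-role-policy would then put
# one operator's permissions on the role another operator assumes.
check_no_collisions() {
  dups="$(shortened_role_names "$1" | sort | uniq -d)"
  if [ -n "$dups" ]; then
    printf 'prefix "%s" produces colliding role names:\n%s\n' "$1" "$dups" >&2
    return 1
  fi
  return 0
}

# Usage: ./rosa-role-names.sh <prefix>
if [ -n "${1:-}" ]; then
  check_no_collisions "$1"
  shortened_role_names "$1"
fi
```

Run `./rosa-role-names.sh <prefix>` before creating the operator roles; a short prefix keeps every name unique, while a prefix in the fifties or longer fails the check because only the first few characters of each suffix survive the cut.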
Configure RHACM to Auto-Import ROSA HCP Clusters
While still being logged into the ACM cluster, run the following commands.
- Create a KlusterletConfig
- Decode and import the new cluster secret