Creating a ROSA cluster in STS mode with custom KMS key

Tip Official Documentation ROSA STS with custom KMS key

This guide will walk you through installing ROSA (Red Hat OpenShift Service on AWS) with a customer-provided KMS key that will be used to encrypt both the root volumes of nodes as well as persistent volumes for mounted EBS claims.

Prerequisites

• AWS CLI
• ROSA CLI v1.1.11 or higher
• OpenShift CLI - rosa download openshift-client

Prepare AWS Account for ROSA

1. Configure the AWS CLI by running the following command

2. You will be required to enter an AWS Access Key ID and an AWS Secret Access Key along with a default region name and output format

   The AWS Access Key ID and AWS Secret Access Key values can be obtained by logging in to the AWS console and creating an Access Key in the Security Credentials section of the IAM dashboard for your user

3. Validate your credentials

   You should receive output similar to the following

   You will need to save the account ID for adding it to your KMS key to define installer role, so take note.

4. If this is a brand new AWS account that has never had a AWS Load Balancer installed in it, you should run the following

5. Set the AWS region you plan to deploy your cluser into. For this example, we will deploy into us-east-2.

Create ROSA Cluster

1. Make sure your ROSA CLI version is at minimum v1.1.11 or higher.

2. Create the ROSA STS Account Roles

   If you have already installed account-roles into your aws account, you can skip this step.

3. Set Environment Variables

4. Using the ROSA CLI, create your cluster.

   While this is an example, feel free to customize this command to best suit your needs.

5. Take note of the role <cluster-name-hash>-openshift-cluster-csi-drivers-ebs-cloud-credential, which is provided at the end of the previous command.

   The full name of the role gets truncated depending on the length of the cluster name. Do not copy and paste from the example above.

Create KMS Key

For this example, we will create a custom KMS key using the AWS CLI. If you would prefer, you could use an existing key instead.

1. Create a customer-managed KMS key

   This command will save the ARN output of this custom key for further steps.

2. Generate the necessary key policy to allow the ROSA STS roles to access the key. Use the below command to populate a sample policy, or create your own.

   Important note 1, if you specify a custom STS role prefix, you will need to update that in the command below.

   Important note 2, adapt the name of the role openshift-cluster-csi-drivers-ebs-cloud-credentials as per captured in previous steps.

3. Apply the newly generated key policy to the custom KMS key.

4. Create the operator roles necessary for the cluster to function.

5. Create the OIDC provider necessary for the cluster to authenticate.

6. Validate that the cluster is now installing. Within 5 minutes, the cluster state should move beyond pending and show installing.

7. Watch the install logs as the cluster installs.

Validate the cluster

Once the cluster has finished installing we can validate our access to the cluster.

1. Create an Admin user

   Run the resulting login statement from output. May take 2-3 minutes before authentication is fully synced

2. Verify the default persistent volumes in the cluster.

   Output:

You should see the StroageClass set to gp3-customer-kms. This is the default StorageClass which is encrypted using the customer-provided key.

Cleanup

1. Delete the ROSA cluster

2. Once the cluster is deleted, delete the cluster’s STS roles.