Getting started with Red Hat OpenShift Service on AWS (ROSA)

Learn how to get started on Red Hat® OpenShift® Service on AWS, including how to use AWS Security Token Service (STS) to deploy a cluster.

Deploy a ROSA cluster

1 hr and 30 mins

This resource will take you through the steps to deploy a Red Hat OpenShift® Service on AWS cluster using either the ROSA command line interface (CLI) or the OpenShift® Cluster Manager (OCM) user interface (UI).

What will you learn?

  • How to deploy a ROSA cluster using the ROSA CLI
  • How to deploy a ROSA cluster using the OCM user interface

What do you need before starting?

You have two options for deploying your cluster: the ROSA CLI or the OCM console user interface. Choose one and follow the corresponding section below.

Deploying a cluster with the CLI

There are two modes for deploying a ROSA with STS cluster, selected with the --mode flag on the relevant commands. Automatic mode is quicker and creates the IAM objects for you. Manual mode requires you to execute some extra commands, but lets you inspect the roles and policies before they are created.

This resource documents both options. If you just want to get your cluster created quickly, use the automatic section; if you would rather explore the objects being created, use manual.

Valid options for --mode are:

  • manual: Role and Policy documents will be created and saved in the current directory. You will need to manually run the commands that are provided as the next step. This will allow you to review the policy and roles before creating them.
  • auto: Roles and policies will be created and applied automatically using the current AWS account, instead of having to manually run each command.

For the purposes of this resource, either method will work, though we do recommend auto mode as it is quicker and has fewer steps.

Deployment flow

The overall flow that we will follow boils down to:

  1. rosa create account-roles - This is executed only once per account. Once created this does not need to be executed again for more clusters of the same y-stream version.
  2. rosa create cluster
  3. rosa create operator-roles (Manual mode only)
  4. rosa create oidc-provider (Manual mode only)

For each succeeding cluster in the same account for the same y-stream version, only step 2 is needed (or 2-4 for manual mode).

Automatic mode (recommended)

As mentioned above, if you want the ROSA CLI to automate the creation of the roles and policies to create your cluster quickly, then use this method.

Create account roles

If this is the first time you are deploying ROSA in this account and have not yet created the account roles, create the account-wide roles and policies, including the Operator policies.

Run the following command to create the account-wide roles. They are created using the AWS identity your AWS CLI is currently configured with (shown on the first line of the output), so that identity needs permission to create IAM roles and policies:

rosa create account-roles --mode auto --yes

You will see an output like the following:

I: Creating roles using 'arn:aws:iam::000000000000:user/rosa-user'
I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role'
I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role'
I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role'
I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent'
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts

Create the cluster

Run the following command to create a cluster with all the default options:

rosa create cluster --cluster-name <cluster-name> --sts --mode auto --yes

You should see a response like the following:

...
I: Creating cluster 'my-rosa-cluster'
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'my-rosa-cluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
I: To determine when your cluster is Ready, run 'rosa describe cluster -c my-rosa-cluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c my-rosa-cluster --watch'.
Name:                       my-rosa-cluster
ID:                         1mlhulb3bo0l54ojd0ji000000000000
External ID:                
OpenShift Version:          
Channel Group:              stable
DNS:                        my-rosa-cluster.ibhp.p1.openshiftapps.com
AWS Account:                000000000000
API URL:                    
Console URL:                
Region:                     us-west-2
Multi-AZ:                   false
Nodes:
 - Master:                  3
 - Infra:                   2
 - Compute:                 2
Network:
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
STS Role ARN:               arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role
Support Role ARN:           arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role
Instance IAM Roles:
 - Master:                  arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role
 - Worker:                  arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-image-registry-installer-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-machine-api-aws-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-cloud-credential-operator-cloud-credential-oper
State:                      waiting (Waiting for OIDC configuration)
Private:                    No
Created:                    Oct 28 2021 20:28:09 UTC
Details Page:               https://console.redhat.com/openshift/details/s/1wupmiQy45xr1nN000000000000
OIDC Endpoint URL:          https://rh-oidc.s3.us-east-1.amazonaws.com/1mlhulb3bo0l54ojd0ji000000000000
...

NOTE: In auto mode this command also creates the per-cluster operator roles and the OIDC provider. To see all available options for your cluster, use the --help flag; for a guided, prompt-driven run, use --interactive.

The default settings are as follows:

  • 3 control plane nodes, 2 infra nodes, 2 worker nodes
  • Region: as configured for the AWS CLI
  • Networking IP ranges:
    • Machine CIDR: 10.0.0.0/16
    • Service CIDR: 172.30.0.0/16
    • Pod CIDR: 10.128.0.0/14
  • The most recent OpenShift version available to rosa
  • A single availability zone
  • Public cluster

Check installation status

You can run the following command to check the detailed status of the cluster:

rosa describe cluster --cluster <cluster-name>

Or you can run the following for an abridged view of the status:

rosa list clusters

You should notice the state change from “waiting” to “installing” to "ready". Installation takes about 40 minutes.

Once the state changes to “ready” your cluster is now installed.
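The auto-mode procedure above (account roles, cluster creation, status polling, console URL) as one script. This is an added example, not part of the ROSA documentation or the rosa CLI. It assumes the rosa CLI is installed and logged in; the script name deploy-rosa.sh, the default cluster name my-rosa-cluster, the polling interval and timeout, and the check for an existing installer role (which relies on the default ManagedOpenShift prefix) are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the ROSA documentation: the auto-mode procedure
# as one script, with a bounded wait for the cluster to become ready.
# Assumes the rosa and aws CLIs are installed and logged in. CLUSTER_NAME,
# POLL_SECONDS and MAX_WAIT_MINUTES are assumed defaults you can override.

CLUSTER_NAME="${CLUSTER_NAME:-my-rosa-cluster}"
POLL_SECONDS="${POLL_SECONDS:-60}"
MAX_WAIT_MINUTES="${MAX_WAIT_MINUTES:-60}"

# Read 'rosa describe cluster' output on stdin and print the state word.
# The line looks like 'State:   waiting (Waiting for OIDC configuration)';
# only the first word is the state, the parenthesised text is a detail.
parse_state() {
    sed -n 's/^State:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# Exit status 0 = installed, 2 = terminal failure, 1 = still in progress.
# 'error' and 'uninstalling' never turn into 'ready', so polling further
# would only hide the problem.
classify_state() {
    case "$1" in
        ready)              return 0 ;;
        error|uninstalling) return 2 ;;
        *)                  return 1 ;;
    esac
}

# Poll until the cluster is ready, fails, or MAX_WAIT_MINUTES elapse.
wait_for_cluster() {
    deadline=$(( $(date +%s) + MAX_WAIT_MINUTES * 60 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        state=$(rosa describe cluster --cluster "$CLUSTER_NAME" | parse_state)
        if classify_state "$state"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "cluster $CLUSTER_NAME is ready"; return 0 ;;
            2) echo "cluster $CLUSTER_NAME is in state '$state'; giving up" >&2; return 2 ;;
        esac
        echo "state=${state:-unknown}; checking again in ${POLL_SECONDS}s"
        sleep "$POLL_SECONDS"
    done
    echo "cluster $CLUSTER_NAME not ready after $MAX_WAIT_MINUTES minutes" >&2
    return 1
}

deploy() {
    # Account-wide roles are created once per AWS account; skip if the
    # installer role already exists (assumes the default ManagedOpenShift prefix).
    if ! rosa list account-roles | grep -q 'ManagedOpenShift-Installer-Role'; then
        rosa create account-roles --mode auto --yes
    fi
    # Auto mode also creates the per-cluster operator roles and OIDC provider.
    rosa create cluster --cluster-name "$CLUSTER_NAME" --sts --mode auto --yes
    wait_for_cluster
    # The console URL is only populated once the cluster is ready.
    rosa describe cluster --cluster "$CLUSTER_NAME" | grep Console
}

# Run the deployment only when invoked as 'sh deploy-rosa.sh deploy', so the
# file can also be sourced to reuse the functions.
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

The wait loop stops on "error" or "uninstalling" instead of sleeping until the timeout, so a failed install is reported as soon as rosa shows it; the return code distinguishes "not yet" (1) from "never" (2) for callers that automate further steps.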

Manual mode

As mentioned above, if you want to review the roles and policies before applying them, use this manual method. It requires running a few extra commands to create the roles and policies.

In this section we will use --interactive mode so that it is easier to follow along, though feel free to use the default cluster creation command above if you'd like. The interactive prompts are described in the ROSA documentation.

Create account roles

  1. If this is the first time you are deploying ROSA in this account and have not yet created the account roles, then create the account-wide roles and policies, including Operator policies. This command will create the needed JSON files for the required roles and policies for your account in the current directory. This will also output the aws commands you need to run in order to create these objects.

    Run the following command to create the needed files and output the commands you need to run:

    rosa create account-roles --mode manual

    You will see an output like the following:

    I: All policy files saved to the current directory
    I: Run the following commands to create the account roles and policies:
    
    aws iam create-role \
    --role-name ManagedOpenShift-Worker-Role \
    --assume-role-policy-document file://sts_instance_worker_trust_policy.json \
    --tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=instance_worker
    
    aws iam put-role-policy \
    --role-name ManagedOpenShift-Worker-Role \
    --policy-name ManagedOpenShift-Worker-Role-Policy \
    --policy-document file://sts_instance_worker_permission_policy.json
    
    …
    
  2. If you look at the contents of your current directory you will see the new files created. We will be using the aws CLI to create each of these objects.

    $ ls
    openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json  sts_instance_controlplane_permission_policy.json
    openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json             sts_instance_controlplane_trust_policy.json
    openshift_image_registry_installer_cloud_credentials_policy.json            sts_instance_worker_permission_policy.json
    openshift_ingress_operator_cloud_credentials_policy.json                    sts_instance_worker_trust_policy.json
    openshift_machine_api_aws_cloud_credentials_policy.json                     sts_support_permission_policy.json
    sts_installer_permission_policy.json                                        sts_support_trust_policy.json
    sts_installer_trust_policy.json
    
  3. (Optional) Open the files to review what you will be creating. The *_trust_policy.json files define which principals may assume each role, and the *_permission_policy.json and openshift_*_policy.json files define what each role may do. For example, opening sts_installer_permission_policy.json shows:

    $ cat sts_installer_permission_policy.json
    {
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "ec2:AllocateAddress",
            "ec2:AssociateAddress",
            "ec2:AssociateDhcpOptions",
            "ec2:AssociateRouteTable",
            "ec2:AttachInternetGateway",
            "ec2:AttachNetworkInterface",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            [...]
    

    You can also see these contents in the documentation.

  4. Execute the aws commands presented from the above step. You can copy and paste as long as you are in the same directory as the json files created.
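A pre-flight review of the generated files, to run in that directory before pasting the aws commands. It is an added example, not part of the ROSA documentation or the rosa CLI, and it also covers the operator_*_policy.json trust files that rosa create operator-roles --mode manual writes later. It prints the principals each trust policy lets assume the role and flags any wildcard action in a permission policy; it relies only on grep, sed and tr so it works where jq is not installed, and assumes the JSON is pretty-printed as rosa writes it. The script name review-rosa-policies.sh and the sample files produced by make_sample_dir are constructed for the demo, not real rosa output.

```shell
#!/bin/sh
# Added example, not part of the ROSA documentation: pre-flight review of the
# JSON files written by 'rosa create account-roles --mode manual' and
# 'rosa create operator-roles --mode manual', to run before pasting the
# generated 'aws iam' commands. Uses only grep/sed/tr (no jq) and assumes
# pretty-printed JSON. The files from make_sample_dir are constructed for
# the demo, not real rosa output.

# Principals a trust policy allows to assume the role: every IAM ARN the file
# references (an account role or the cluster's OIDC provider) plus any
# service principal such as ec2.amazonaws.com for the instance roles.
trust_principals() {
    {
        grep -o 'arn:aws:iam::[0-9]\{12\}:[A-Za-z0-9/_+=,.@-]*' "$1" || true
        grep -o '"Service"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
          | sed 's/.*"\([^"]*\)"$/\1/' || true
    } | sort -u
}

# Wildcard actions ("*" or "service:*") inside the Action elements of a
# permission policy. The JSON is flattened first and only the Action values
# are examined, so Resource: "*" (normal for the installer policy) is not
# mistaken for a wildcard action.
wildcard_actions() {
    tr -d '\n\t ' < "$1" \
      | grep -E -o '"Action":(\[[^]]*\]|"[^"]*")' \
      | grep -E -o '"(\*|[a-z0-9-]+:\*)"' \
      | tr -d '"' | sort -u || true
}

# Review every policy file in a directory and print a short report. Returns 0
# when no wildcard action was found, 1 otherwise, so it can gate the
# 'aws iam create-role' / 'put-role-policy' step in a script.
review_policies() {
    dir="${1:-.}"
    findings=0
    for f in "$dir"/*_trust_policy.json "$dir"/operator_*_policy.json; do
        [ -f "$f" ] || continue
        echo "== trust policy: $(basename "$f")"
        trust_principals "$f" | sed 's/^/   may assume role: /'
    done
    for f in "$dir"/*_permission_policy.json "$dir"/openshift_*_policy.json; do
        [ -f "$f" ] || continue
        echo "== permission policy: $(basename "$f")"
        w=$(wildcard_actions "$f")
        if [ -n "$w" ]; then
            echo "   WARNING wildcard action(s): $(printf '%s' "$w" | tr '\n' ' ')"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample input (not real rosa output) so the script can be tried
# offline: one trust policy naming a single principal, one permission policy
# with a deliberate 'iam:*' so the warning path is exercised.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/sts_installer_trust_policy.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": ["arn:aws:iam::000000000000:role/Example-Installer-Principal"] },
    "Action": "sts:AssumeRole"
  }]
}
EOF
    cat > "$d/sts_installer_permission_policy.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AllocateAddress", "ec2:AssociateAddress", "iam:*"],
    "Resource": "*"
  }]
}
EOF
    echo "$d"
}

case "${1:-}" in
    --demo) review_policies "$(make_sample_dir)" ;;   # try it on the sample
    "")     ;;                                        # sourced: functions only
    *)      review_policies "$1" ;;                   # review a real directory
esac
```

Run it as sh review-rosa-policies.sh . in the directory rosa wrote to; a non-zero exit means at least one permission policy contains a wildcard action and deserves a second look before the corresponding aws iam command is run. The trust-policy listing is the part worth reading most carefully, since it is the list of identities that will be able to act as each role in your account.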

Create the cluster

After all the aws commands have been executed successfully run the following command to begin the ROSA cluster creation in interactive mode:

rosa create cluster --interactive --sts

For the purpose of this tutorial please select the following values.

Cluster name: my-rosa-cluster
OpenShift version: <choose version>
External ID (optional): <leave blank>
Operator roles prefix: <accept default>
Multiple availability zones: No
AWS region: <choose region>
PrivateLink cluster: No
Install into an existing VPC: No
Enable Customer Managed key: No
Compute nodes instance type: m5.xlarge
Enable autoscaling: No
Compute nodes: 2
Machine CIDR: <accept default>
Service CIDR: <accept default>
Pod CIDR: <accept default>
Host prefix: <accept default>
Encrypt etcd data (optional): No
Disable Workload monitoring: No

You will see the following response along with the command to create this cluster in the future so that you don’t need to go through the interactive mode again.

I: Creating cluster 'my-rosa-cluster'
I: To create this cluster again in the future, you can run:
rosa create cluster --cluster-name my-rosa-cluster --role-arn arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role --operator-roles-prefix my-rosa-cluster --region us-west-2 --version 4.8.13 --compute-nodes 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23
I: To view a list of clusters and their status, run 'rosa list clusters'
I: Cluster 'my-rosa-cluster' has been created.
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
Name:                       my-rosa-cluster
ID:                         1t6i760dbum4mqltqh6o000000000000
External ID:                
OpenShift Version:          
Channel Group:              stable
DNS:                        my-rosa-cluster.abcd.p1.openshiftapps.com
AWS Account:                000000000000
API URL:                    
Console URL:                
Region:                     us-west-2
Multi-AZ:                   false
Nodes:
 - Control plane:           3
 - Infra:                   2
 - Compute:                 2
Network:
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
STS Role ARN:               arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role
Support Role ARN:           arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role
Instance IAM Roles:
 - Control plane:           arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role
 - Worker:                  arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::000000000000:role/my-rosa-cluster-w7i6-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-w7i6-openshift-cluster-csi-drivers-ebs-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-w7i6-openshift-cloud-network-config-controller-cloud-cre
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-machine-api-aws-cloud-credentials
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-cloud-credential-operator-cloud-credentia
 - arn:aws:iam::000000000000:role/my-rosa-cluster-openshift-image-registry-installer-cloud-credential
State:                      waiting (Waiting for OIDC configuration)
Private:                    No
Created:                    Jul  1 2022 22:13:50 UTC
Details Page:               https://console.redhat.com/openshift/details/s/2BMQm8xz8Hq5yEN000000000000
OIDC Endpoint URL:          https://rh-oidc.s3.us-east-1.amazonaws.com/1t6i760dbum4mqltqh6o000000000000

I: Run the following commands to continue the cluster creation:

    rosa create operator-roles --cluster my-rosa-cluster
    rosa create oidc-provider --cluster my-rosa-cluster

I: To determine when your cluster is Ready, run 'rosa describe cluster -c my-rosa-cluster'.
I: To watch your cluster installation logs, run 'rosa logs install -c my-rosa-cluster --watch'.

NOTE: The state will stay in “waiting” until the next two steps below are completed.

Create operator roles

The end of the output from the previous step tells us exactly what to run next. Operator roles are created once per cluster. Run the following to generate the JSON files and the commands:

rosa create operator-roles --mode manual --cluster <cluster-name>

You will see output like the following listing all the aws commands that need to be executed; run each of them. Each operator role's trust policy names the cluster's OIDC provider as its principal, which is why this step and the next both have to complete before the installation continues.

I: Run the following commands to create the operator roles:

aws iam create-role \
    --role-name my-rosa-cluster-openshift-image-registry-installer-cloud-credentials \
    --assume-role-policy-document file://operator_image_registry_installer_cloud_credentials_policy.json \
    --tags Key=rosa_cluster_id,Value=1mkesci269png3tck000000000000000 Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-image-registry Key=operator_name,Value=installer-cloud-credentials

aws iam attach-role-policy \
    --role-name my-rosa-cluster-openshift-image-registry-installer-cloud-credentials \
    --policy-arn arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden
[...]

Create the OIDC provider

Run the following to create the OIDC provider:

rosa create oidc-provider --mode manual --cluster <cluster-name>

This will display the aws command that you need to run. Run it as shown:

I: Run the following commands to create the OIDC provider:

aws iam create-open-id-connect-provider \
--url https://rh-oidc.s3.us-east-1.amazonaws.com/1mkesci269png3tckknhh0rfs2da5fj9 \
--client-id-list openshift sts.amazonaws.com \
--thumbprint-list a9d53002e97e00e043244f3d170d000000000000

The --client-id-list values are the token audiences (openshift and sts.amazonaws.com) the provider will accept, and --thumbprint-list is the SHA-1 fingerprint of the certificate authority behind the OIDC endpoint's TLS certificate, which IAM uses to verify the issuer. Use the thumbprint exactly as rosa printed it.

Your cluster will then continue the installation process.
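Before registering the provider it is worth confirming that the thumbprint in the generated command really is the one the endpoint serves, since IAM will trust tokens from whichever issuer matches it. The following check is an added example, not part of the ROSA documentation or the rosa CLI: it fetches the certificate chain from the OIDC endpoint host with openssl, takes the fingerprint of the top certificate in that chain (the last one openssl s_client -showcerts prints, which is what IAM pins), and compares it with the value from the rosa output. It requires openssl; the script name check-oidc-thumbprint.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the ROSA documentation: verify the thumbprint in
# a generated 'aws iam create-open-id-connect-provider' command against the
# chain the OIDC endpoint actually serves before registering the provider.
# IAM pins the SHA-1 fingerprint of the top certificate in the served chain,
# so a wrong value either breaks the operators' credential exchange or pins
# the wrong CA. Requires openssl.

# Host part of the OIDC endpoint URL, e.g.
# https://rh-oidc.s3.us-east-1.amazonaws.com/<id> -> rh-oidc.s3.us-east-1.amazonaws.com
oidc_host() {
    printf '%s' "$1" | sed 's#^https\{0,1\}://##; s#/.*$##'
}

# Keep only the last PEM certificate from a chain read on stdin (the top of
# the chain as sent by the server).
last_cert_in_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { cert = "" }
         { cert = cert $0 "\n" }
         /-----END CERTIFICATE-----/ { last = cert }
         END { printf "%s", last }'
}

# SHA-1 fingerprint of the PEM certificate on stdin, in the form IAM expects:
# 40 lowercase hex digits, no colons.
pem_thumbprint() {
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Normalise both values (colons, case) and require a full 40-hex-digit match;
# an empty or truncated value must never count as a match.
thumbprints_match() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Fetch the chain served by the endpoint host and compare with the expected value.
verify_oidc_thumbprint() {
    host=$(oidc_host "$1")
    actual=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
               | last_cert_in_chain | pem_thumbprint)
    thumbprints_match "$2" "$actual"
}

# Usage: sh check-oidc-thumbprint.sh <oidc-endpoint-url> <thumbprint-from-rosa>
if [ $# -eq 2 ]; then
    if verify_oidc_thumbprint "$1" "$2"; then
        echo "thumbprint matches the chain served by $(oidc_host "$1"); safe to create the OIDC provider"
    else
        echo "THUMBPRINT MISMATCH for $1: do not create the OIDC provider" >&2
        exit 1
    fi
fi
```

Pass the --url and --thumbprint-list values from the rosa output as the two arguments; a non-zero exit means the chain served right now does not end in the certificate rosa expects, which is the moment to stop and investigate rather than to register the provider.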

Check installation status

You can run the following command to check the detailed status of the cluster:

rosa describe cluster --cluster <cluster-name>

Or you can run the following for an abridged view of the status:

rosa list clusters

You should notice the state change from “waiting” to “installing” to "ready". Installation takes about 40 minutes.

Once the state changes to “ready” your cluster is now installed.

Obtain the console URL

To get the console URL, run:

rosa describe cluster -c <cluster-name> | grep Console

The cluster has now been successfully deployed.

Deploying a cluster with the UI


Now, we’ll go through the steps to deploy a ROSA cluster using the OCM UI.

Deployment flow


The overall flow that we will follow is below. Step 1 only needs to be performed the first time you deploy into an AWS account, and step 2 only the first time you use the user interface with that account. For each successive cluster of the same y-stream version, you just create the cluster.

  1. Create the account wide roles and policies
  2. Associate your AWS account with your Red Hat account
    1. Create and link OCM role
    2. Create and link User role
  3. Create the cluster

Create account-wide roles


NOTE: If you already have account roles (possibly from an earlier deployment) then skip this step. You will see that the UI will detect your existing roles after you select an associated AWS account.

If this is the first time you are deploying ROSA in this account and have not yet created the account roles, then create the account-wide roles and policies, including Operator policies.

In your terminal run the following command to create the account-wide roles:

rosa create account-roles --mode auto --yes

You will see an output like the following:

I: Creating roles using 'arn:aws:iam::000000000000:user/rosa-user'
I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-ControlPlane-Role'
I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Worker-Role'
I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Support-Role'
I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-Installer-Role'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::000000000000:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent'
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts

Associate your AWS account with your Red Hat account

NOTE: If you have already associated AWS accounts that you want to use, please skip this step.

The next step is to tell OCM what is/are your AWS account(s) that you want to use for deploying ROSA into.

Open OCM by visiting https://console.redhat.com/openshift and log in to your Red Hat account.

Click on the "Create Cluster" button.

Then in the ROSA row (about midway down the page, under "Managed services") click on the "Create Cluster" button.

Managed services screen and the “Create cluster” button

Check the box stating that you have read and completed all the prerequisites.

Then open the dropdown under "Associated AWS account". You may see that there are no associated accounts; this is expected, since we have not associated any AWS accounts yet. Click "Associate AWS account".

The box stating that you have read and completed all the prerequisites.

A pop up window will open instructing you to download the ROSA CLI, AWS CLI, and to log into your Red Hat account. If you have been following this learning path, we already did this in a previous section, so just click "Next".

Pop-up for downloading CLIs or to click “Next”

On the next page you will see the commands to create the OCM role. Two permission levels are available:

  • Basic OCM role: Allows OCM to have read-only access to the account in order to check if the roles and policies that are required by ROSA are present before creating a cluster. You will need to manually create the required roles, policies and OIDC provider using the CLI.
  • Admin OCM role: Grants OCM additional permissions in order to create the required roles, policies, and OIDC provider for ROSA. Using this makes the deployment of a ROSA cluster quicker since OCM will be able to create the required resources for you avoiding the need for you to manually create them.

To read more about these roles, please visit the OpenShift Cluster Manager roles and permissions section of the documentation.

For the purposes of this workshop, we'll use the Admin OCM role since we want the simplest and quickest approach.

Create and associate an OCM role

You can copy the command for the Admin OCM role from that window, which runs in interactive mode. Or, for simplicity, switch to your terminal and execute:

rosa create ocm-role --mode auto --admin --yes

I: Creating ocm role
I: Creating role using 'arn:aws:iam::000000000000:user/rosa-user'
I: Created role 'ManagedOpenShift-OCM-Role-12561000' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-OCM-Role-12561000'
I: Linking OCM role
I: Successfully linked role-arn 'arn:aws:iam::000000000000:role/ManagedOpenShift-OCM-Role-12561000' with organization account '1MpZfntsZeUdjWHg7XRgP000000'

This creates the OCM role and links it to your Red Hat organization.

NOTE: As an alternative, you can use --mode manual if you'd prefer to execute the AWS CLI commands yourself. The AWS commands are printed to the terminal and the relevant JSON files are created in the current directory; make sure to also run the final command, which links the role. If you prefer a Basic OCM role, omit --admin from the command above.

Then, click "Next".

Create an OCM User role

As described in the documentation, the user role lets the ROSA service verify your AWS identity. It carries no permissions; it exists only to establish a trust relationship between the installer account and your OCM role resources.

Run the following to create the User Role and to link it to your Red Hat account.

rosa create user-role --mode auto --yes

You will see a response like:

I: Creating User role
I: Creating ocm user role using 'arn:aws:iam::000000000000:user/rosa-user'
I: Created role 'ManagedOpenShift-User-rosa-user-Role' with ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-User-rosa-user-Role'
I: Linking User role
I: Successfully linked role ARN 'arn:aws:iam::000000000000:role/ManagedOpenShift-User-rosa-user-Role' with account '1rbOQez0z5j1YolInhcXY000000'

Click “Ok.”

Confirm successful association

You will be brought back to the original window in which you should see your AWS account that you associated above in the drop down. If you see your account there, it was successful.

Select the account.

Screen where user selects their account

You will then see the account role ARNs (created earlier) populated below. Then click “Next”.

List of populated roles

Create the cluster

For the purposes of this learning path, make the following selections.

Cluster settings

Details:

  • Cluster name: <pick a name>
  • Version: <select latest version>
  • Region: <select desired region>
  • Availability: Single zone
  • Enable user workload monitoring: leave checked
  • Enable additional etcd encryption: leave unchecked
  • Encrypt persistent volumes with customer keys: leave unchecked

Click "Next".

Machine pool (leave the defaults which are):

  • Compute node instance type: m5.xlarge - 4 vCPU 16 GiB RAM
  • Enable autoscaling: unchecked
  • Compute node count: 2
  • Leave node labels blank

Click "Next".

Networking


Configuration - Leave all default values

Click "Next".

CIDR ranges - Leave all default values

Click "Next".

Cluster roles and policies


For the purposes of this workshop leave "Auto" selected; it makes the cluster deployment process simpler and quicker.

NOTE: If you selected a Basic OCM role earlier you can only use manual mode and you must manually create the operator roles and OIDC provider. See "For Basic OCM roles only" section below after you've completed the "Cluster updates" section and started the cluster creation.

Cluster updates


Leave all the default options.

Review and create


Review the content for the cluster configuration and click "Create cluster".

Monitor installation progress


Stay at the current page to monitor the installation progress.

Monitoring installation progress

 

For Basic OCM role only

NOTE: If you created an Admin OCM role as directed above please ignore this section since OCM will create the role for you.

Create operator roles


If you created a Basic OCM role earlier, you will need to create two more objects manually before the cluster installation can continue:

  • Operator roles
  • OIDC provider

NOTE: To understand what these do, please see the “What is STS?” resource.

There will be a pop up window that will show you the commands to run.

Pop up for creating operator roles and OIDC provider

In your terminal, you may run the commands from the window, which run in interactive mode. For simplicity, though, run the following to create the operator roles:

rosa create operator-roles --mode auto --cluster <cluster-name> --yes

You will see a response like:

I: Creating roles using 'arn:aws:iam::000000000000:user/rosauser'
I: Created role 'rosacluster-b736-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam::000000000000:role/rosacluster-b736-openshift-ingress-operator-cloud-credentials'
I: Created role 'rosacluster-b736-openshift-cluster-csi-drivers-ebs-cloud-credent' with ARN 'arn:aws:iam::000000000000:role/rosacluster-b736-openshift-cluster-csi-drivers-ebs-cloud-credent'
I: Created role 'rosacluster-b736-openshift-cloud-network-config-controller-cloud' with ARN 'arn:aws:iam::000000000000:role/rosacluster-b736-openshift-cloud-network-config-controller-cloud'
I: Created role 'rosacluster-b736-openshift-machine-api-aws-cloud-credentials' with ARN 'arn:aws:iam::000000000000:role/rosacluster-b736-openshift-machine-api-aws-cloud-credentials'
I: Created role 'rosacluster-b736-openshift-cloud-credential-operator-cloud-crede' with ARN 'arn:aws:iam::000000000000:role/rosacluster-b736-openshift-cloud-credential-operator-cloud-crede'
I: Created role 'rosacluster-b736-openshift-image-registry-installer-cloud-creden' with ARN 'arn:aws:iam::000000000000:role/rosacluster-b736-openshift-image-registry-installer-cloud-creden'

Create OIDC provider

In your terminal run the following to create the OIDC provider:

rosa create oidc-provider --mode auto --cluster <cluster-name> --yes

You will see a response like:

I: Creating OIDC provider using 'arn:aws:iam::000000000000:user/rosauser'
I: Created OIDC provider with ARN 'arn:aws:iam::000000000000:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1tt4kvrr2kha2rgs8gjfvf0000000000'

You are now ready to move on to the next resource, where you’ll learn how to create an admin user.