How to create a cluster in Red Hat OpenShift Service on AWS with STS

Learn how to set up accounts and clusters with Red Hat® OpenShift® Service on AWS (ROSA) using AWS Security Token Service (STS) to help build container-based applications faster.

Please note, this is the deployment method that Red Hat recommends. For non-STS ROSA deployment, visit this page.

Creating a cluster using Red Hat OpenShift Service on AWS (ROSA) with STS

1 hr

In this section, you’ll use the Red Hat OpenShift Service on AWS CLI (rosa) with the default options to create an OpenShift cluster that uses the AWS Security Token Service (STS).

What will you learn?

  • Creating a cluster with STS using the default options
  • Creating a cluster with STS using customizations
     

What do you need before starting?

Note: To successfully install ROSA 4.10 clusters, use ROSA CLI 1.1.11 or above.

Create a cluster with STS using the default options

You can create an OpenShift cluster that uses the AWS Security Token Service (STS) through the Red Hat OpenShift Service on AWS CLI (rosa).

With auto mode, the rosa CLI creates the required AWS Identity and Access Management (IAM) resources for you in the current AWS account: the account-wide IAM roles and policies (including the Operator policies), the cluster-specific Operator IAM roles, and the OpenID Connect (OIDC) identity provider that the cluster Operators use to obtain STS credentials.

  1. First, create the required account-wide roles and policies, including the Operator policies: $ rosa create account-roles --mode auto
     • Note: When using auto mode, you can optionally specify the -y argument to bypass the interactive prompts and automatically confirm operations.
  2. Next, create a cluster with STS using the defaults. When you use the defaults, the latest stable OpenShift version is installed: $ rosa create cluster --cluster-name <cluster_name> --sts --mode auto
     • Replace <cluster_name> with the name of your cluster.
  3. Check the status of your cluster: $ rosa describe cluster --cluster <cluster_name|cluster_id>
     • It can take about 40 minutes for the installation to complete and for the State field to change to ready.
     • You can track the progress of the cluster creation by watching the OpenShift installer logs.
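The three steps above as one script, added here as an example and not part of the Red Hat learning path or the rosa CLI: it runs the two rosa create commands with the defaults, then polls rosa describe cluster until the State field reads ready, and fails fast if the cluster lands in an error state instead of waiting out the timeout. The layout of the State: line in the describe output is an assumption about rosa's text table, the sample outputs used to exercise the loop are constructed, and the cluster name is a placeholder.

```python
"""Create a ROSA STS cluster with the default options and wait for it to be ready.

Added example; not code from the Red Hat page or the rosa project.
"""
import re
import subprocess
import time

# The "State:" key/value line in the text output of `rosa describe cluster`.
# Assumed format: rosa prints a "Key:      value" table, one entry per line.
_STATE_LINE = re.compile(r"^State:\s+(\S+)", re.MULTILINE)

# States after which polling is pointless: the install failed or is being torn down.
FAILED_STATES = {"error", "uninstalling"}


def rosa(*args: str) -> str:
    """Run one rosa CLI command and return its stdout; raise on non-zero exit."""
    result = subprocess.run(["rosa", *args], check=True, capture_output=True, text=True)
    return result.stdout


def parse_state(describe_output: str) -> str:
    """Extract the cluster state (lowercased) from `rosa describe cluster` text output."""
    match = _STATE_LINE.search(describe_output)
    if match is None:
        raise ValueError("no 'State:' line in rosa describe cluster output")
    return match.group(1).lower()


def describe_cluster(cluster: str) -> str:
    """Step 3 of the procedure: the raw describe output for one cluster."""
    return rosa("describe", "cluster", "--cluster", cluster)


def wait_for_ready(cluster, describe=describe_cluster, timeout=60 * 60, interval=60,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the cluster is ready; return the number of polls it took.

    Raises RuntimeError as soon as a terminal failure state is seen, and
    TimeoutError once `timeout` seconds have passed. `describe`, `sleep` and
    `clock` are injectable so the loop can be exercised without a real cluster.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        state = parse_state(describe(cluster))
        if state == "ready":
            return polls
        if state in FAILED_STATES:
            raise RuntimeError(f"cluster {cluster} entered state {state!r}; "
                               f"check the installer logs with `rosa logs install`")
        if clock() >= deadline:
            raise TimeoutError(f"cluster {cluster} still {state!r} after {timeout}s")
        sleep(interval)


def create_default_sts_cluster(cluster: str) -> int:
    """Steps 1-3: account-wide roles, the cluster itself, then wait for ready."""
    rosa("create", "account-roles", "--mode", "auto", "-y")
    rosa("create", "cluster", "--cluster-name", cluster, "--sts", "--mode", "auto", "-y")
    return wait_for_ready(cluster)


if __name__ == "__main__":
    import sys
    # Usage: python3 create_rosa_sts.py <cluster_name>   (script name is arbitrary)
    print("ready after", create_default_sts_cluster(sys.argv[1]), "polls")
```

The default timeout is one hour, generous against the roughly 40 minutes the page quotes; lowering `interval` only adds API calls, it does not speed up the install.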

Create a cluster with STS using customizations

You can also customize your installation when using AWS STS to create a cluster. 

Run rosa create cluster --interactive to get prompts that let you customize your deployment.

There are two rosa CLI modes for deploying a cluster with STS: manual and auto modes.

Only public and AWS PrivateLink clusters are supported with STS. Regular private clusters (non-PrivateLink) are not available for use with STS.

Note: AWS Shared VPCs are not currently supported for ROSA installations.

Note: To successfully install ROSA 4.10 clusters, use ROSA CLI 1.1.11 or above.

  1. Create the required account-wide roles and policies, including the Operator policies. Use manual mode if you want to review and run the AWS commands yourself; otherwise, use auto mode: $ rosa create account-roles --mode manual
     • manual mode writes the IAM policy JSON files to the current working directory and prints the aws CLI commands that create the account-wide roles and policies. Review them, then run the commands yourself; nothing is created in AWS until you do.
  2. (Optional) If you are using your own AWS KMS key to encrypt the control plane data volumes and the persistent volumes (PVs) for your applications, the account-wide installer role must be allowed to use that key. Export the current key policy so that you can add the installer role ARN to it: $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output text > kms-key-policy.json
     • Add a statement that grants the installer role ARN access to the key, then apply the edited policy back to the key before you create the cluster.
  3. Create a cluster with STS using custom installation options: $ rosa create cluster --interactive --sts
     • The cluster does not start installing until the cluster-specific Operator roles and the OIDC provider from the next two steps exist.
  4. Create the cluster-specific Operator IAM roles. Use manual mode to review and run the generated commands yourself; otherwise, use auto mode: $ rosa create operator-roles --mode manual --cluster <cluster_name|cluster_id>
  5. Create the OpenID Connect (OIDC) provider that the cluster Operators use to authenticate to AWS. auto mode is shown here; manual mode works the same way as in the previous steps: $ rosa create oidc-provider --mode auto --cluster <cluster_name|cluster_id>
  6. Check the status of your cluster: $ rosa describe cluster --cluster <cluster_name|cluster_id>
     • It can take about 40 minutes for the installation to complete and for the State field to change to ready.
     • You can track the progress of the cluster creation by watching the OpenShift installer logs.
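Step 2 above only exports the key policy; what has to be added is an Allow statement naming the installer role ARN. The following is an added example, not code from the Red Hat page or the rosa CLI: it edits the exported kms-key-policy.json in place, refuses to write a policy that no longer grants the account root principal access (the usual way to lock yourself out of a KMS key), and is idempotent so re-running it does not duplicate the statement. The statement Sid, the KMS action list and the default account-role prefix ManagedOpenShift are this example's assumptions; the account ID in the test data is a placeholder.

```python
"""Grant the ROSA account-wide installer role use of a customer-managed KMS key.

Added example; not code from the Red Hat page or the rosa project.
Run between the export and the upload shown in main():
    aws kms get-key-policy --key-id <key> --policy-name default --output text > kms-key-policy.json
    python3 add_installer_role.py kms-key-policy.json <aws_account_id>   (script name is arbitrary)
    aws kms put-key-policy --key-id <key> --policy-name default --policy file://kms-key-policy.json
"""
import json
import sys

# Sid of the statement this script owns; chosen here, used to keep the edit idempotent.
ROSA_SID = "AllowROSAInstallerRoleUseOfTheKey"

# Assumed action set for a principal that creates and uses data keys for EBS
# volumes; tighten it to what your installer actually exercises.
KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
]


def installer_role_arn(account_id: str, prefix: str = "ManagedOpenShift") -> str:
    """ARN of the account-wide installer role that `rosa create account-roles` creates.
    'ManagedOpenShift' is the default prefix; pass your own if you changed it."""
    return f"arn:aws:iam::{account_id}:role/{prefix}-Installer-Role"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def add_installer_role(policy: dict, role_arn: str) -> dict:
    """Return a new key policy that also lets role_arn use the key. Idempotent."""
    updated = json.loads(json.dumps(policy))      # deep copy; caller's dict stays untouched
    statements = _as_list(updated.get("Statement", []))
    updated["Statement"] = statements
    for stmt in statements:
        if stmt.get("Sid") == ROSA_SID:           # already present: just extend the principals
            principals = _as_list(stmt["Principal"]["AWS"])
            if role_arn not in principals:
                principals.append(role_arn)
            stmt["Principal"]["AWS"] = principals
            return updated
    statements.append({
        "Sid": ROSA_SID,
        "Effect": "Allow",
        "Principal": {"AWS": [role_arn]},
        "Action": list(KMS_ACTIONS),
        "Resource": "*",                          # in a key policy, "*" means this key only
    })
    return updated


def has_account_root_statement(policy: dict, account_id: str) -> bool:
    """True if some Allow statement still names the account root principal.
    Without it (and with no other key administrator) nobody can manage the key."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and root in _as_list(aws):
            return True
    return False


def main(path: str, account_id: str) -> None:
    with open(path) as f:
        policy = json.load(f)
    if not has_account_root_statement(policy, account_id):
        sys.exit("refusing to edit: policy has no Allow statement for the account root principal")
    with open(path, "w") as f:
        json.dump(add_installer_role(policy, installer_role_arn(account_id)), f, indent=4)


if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])
```

The root-principal check guards the export-edit-upload cycle rather than this script's own change, which only appends: a hand-edited file that dropped the "Enable IAM User Permissions" statement would otherwise be uploaded as-is by aws kms put-key-policy.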

Good work! Once you’ve created your cluster, you’re ready to access it in the next resource.

This learning path is for operations teams or system administrators

Developers may want to check out Foundations of OpenShift on developers.redhat.com.

Get started on developers.redhat.com