This tutorial outlines deploying a Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) cluster.

With ROSA with HCP, you can decouple the control plane from the data plane. This is a new deployment model for ROSA in which the control plane is hosted in a Red Hat-owned AWS account. The control plane is no longer hosted in your AWS account, reducing your AWS infrastructure expenses. The control plane is dedicated to a single cluster and is highly available. For more information, see the ROSA with HCP documentation.


Before deploying a ROSA with HCP cluster, you must have the following resources:

  • VPC - This is a bring-your-own VPC model, also referred to as BYO-VPC.

  • OIDC - OIDC configuration and an OIDC provider with that specific configuration.

  • ROSA version 1.2.31 or higher

In this tutorial, we will create these resources first. We will also set up some environment variables so that it is easier to run the command to create the ROSA with HCP cluster.

Creating a VPC

  1. First, ensure that your AWS CLI (aws) is configured to use a region where ROSA with HCP is available. To find out which regions are supported run the following command:

    rosa list regions --hosted-cp
  2. Create the VPC. For this tutorial, the following script will create the VPC and its required components for you. It will use the region configured for the aws CLI.

    curl https://raw.githubusercontent.com/openshift-cs/rosaworkshop/master/rosa-workshop/rosa/resources/setup-vpc.sh | bash

    For more about VPC requirements, see the VPC documentation.

  3. The above script outputs two commands. Set the commands as environment variables to make running the create cluster command easier. Copy them from the output and run them as shown:

    export PUBLIC_SUBNET_ID=<public subnet id here>
    export PRIVATE_SUBNET_ID=<private subnet id here>
  4. Confirm that the environment variables are set by running the following command:

    echo "Public Subnet: $PUBLIC_SUBNET_ID"; echo "Private Subnet: $PRIVATE_SUBNET_ID"
    Example output
    Public Subnet: subnet-0faeeeb0000000000
    Private Subnet: subnet-011fe340000000000

Creating your OIDC configuration

In this tutorial, we will use the automatic mode when creating the OIDC configuration. We will also store the OIDC ID as an environment variable for later use. The command uses the ROSA CLI to create your cluster’s unique OIDC configuration.

  • To create the OIDC configuration for this tutorial, run the following command:

    export OIDC_ID=$(rosa create oidc-config --mode auto --managed --yes -o json | jq -r '.id')

Creating additional environment variables

  • Run the following command to set up some environment variables so that it is easier to run the command to create the ROSA with HCP cluster:

    export CLUSTER_NAME=<enter cluster name>
    export REGION=<region VPC was created in>

    Run rosa whoami to find the VPC region.

Creating the cluster

If this is the first time you are deploying ROSA in this account and you have not yet created the account roles, create the account-wide roles and policies, including the Operator policies. Since ROSA uses AWS Security Token Service (STS), this step creates the AWS IAM roles and policies that are needed for ROSA to interact with your account.

  1. Run the following command to create the account-wide roles:

    rosa create account-roles --mode auto --yes
  2. Run the following command to create the cluster:

    rosa create cluster --cluster-name $CLUSTER_NAME \
        --subnet-ids ${PUBLIC_SUBNET_ID},${PRIVATE_SUBNET_ID} \
        --hosted-cp \
        --region $REGION \
        --oidc-config-id $OIDC_ID \
        --sts --mode auto --yes

The cluster is ready and completely usable after about 10 minutes. The cluster will have a control plane across three AWS availability zones in your selected region and create two worker nodes in your AWS account.

Checking the installation status

  1. Run one of the following commands to check the status of the cluster:

    • For a detailed view of the cluster status, run:

      rosa describe cluster --cluster $CLUSTER_NAME
    • For an abridged view of the cluster status, run:

      rosa list clusters
    • To watch the log as it progresses, run:

      rosa logs install --cluster $CLUSTER_NAME --watch
  2. Once the state changes to “ready” your cluster is installed. It might take a few more minutes for the worker nodes to come online.