
This tutorial describes the process for activating Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) and linking to an AWS account, before deploying the first cluster.

If you have received a private offer for the product, follow the instructions provided with the private offer before following this tutorial. The private offer is designed either for the case where the product is already activated, in which case it replaces an active subscription, or for first-time activations.

Prerequisites

  • Make sure to log into the Red Hat account that you plan to associate with the AWS account where you have activated ROSA with HCP in previous steps.

  • Only a single AWS account that will be used for service billing can be associated with a Red Hat account. Typically an organizational AWS account that has other AWS accounts, such as developer accounts, linked would be the one that is to be billed, rather than individual AWS end user accounts.

  • Red Hat accounts belonging to the same Red Hat organization will be linked with the same AWS account. Therefore, you can manage who has access to creating ROSA with HCP clusters on the Red Hat organization account level.

Subscription enablement and AWS account setup

  1. Activate the ROSA with HCP product at the AWS console page by clicking the Get started button:

    [Image: rosa get started]

    If you have activated ROSA before but did not complete the process, you can click the button and complete the account linking as described in the following steps.

  2. Confirm that you want your contact information to be shared with Red Hat and enable the service:

    [Image: rosa enable 2]
    • You will not be charged by enabling the service in this step. The connection is made for billing and metering that will take place only after you deploy your first cluster. This could take a few minutes.

  3. After the process is completed, you will see a confirmation:

    [Image: rosa prereq enable 3]
  4. Other sections on this verification page show the status of additional prerequisites. In case any of these prerequisites are not met, a respective message is shown. Here is an example of insufficient quotas in the selected region:

    [Image: rosa service quota 4]

    1. Click the Increase service quotas button or use the Learn more link to get more information about how to manage service quotas. In the case of insufficient quotas, note that quotas are region-specific. You can use the region switcher in the upper right corner of the web console to re-run the quota check for any region you are interested in and then submit service quota increase requests as needed.

  5. If all the prerequisites are met, the page will look like this:

    [Image: rosa prereq 5]

    The ELB service-linked role is created for you automatically. You can click any of the small Info blue links to get contextual help and resources.

AWS and Red Hat account and subscription linking

  1. Click the orange Continue to Red Hat button to proceed with account linking:

    [Image: rosa continue rh 6]
  2. If you are not already logged in to your Red Hat account in your current browser’s session, you will be asked to log in to your account:

    [Image: rosa login rh account 7]
    • You can also register for a new Red Hat account or reset your password on this page.

    • Make sure to log into the Red Hat account that you plan to associate with the AWS account where you have activated ROSA with HCP in previous steps.

    • Only a single AWS account that will be used for service billing can be associated with a Red Hat account. Typically an organizational AWS account that has other AWS accounts, such as developer accounts, linked would be the one that is to be billed, rather than individual AWS end user accounts.

    • Red Hat accounts belonging to the same Red Hat organization will be linked with the same AWS account. Therefore, you can manage who has access to creating ROSA with HCP clusters on the Red Hat organization account level.

  3. Complete the Red Hat account linking after reviewing the terms and conditions:

    This step is available only if the logged-in Red Hat account, or the Red Hat organization managing the Red Hat account, was not linked to an AWS account before.

    [Image: rosa rh account connection 8]

    Both the Red Hat and AWS account numbers are shown on this screen.

  4. Click the Connect accounts button if you agree with the service terms.

    If this is the first time you are using the Red Hat Hybrid Cloud Console, you will be asked to agree with the general managed services terms and conditions before being able to create the first ROSA cluster:

    [Image: rosa terms conditions 9]

    Additional terms that need to be reviewed and accepted will be shown after clicking the View Terms and Conditions button:

    [Image: rosa terms conditions 9 5]

    Submit your agreement once you have reviewed any additional terms when prompted at this time.

  5. The Hybrid Cloud Console provides a confirmation that AWS prerequisites were completed and lists the first steps needed for cluster deployment:

    [Image: rosa cluster create 10]
  6. The following steps pertain to technical deployment of the cluster:

    [Image: rosa deploy 11]
    • It is possible that these steps will be performed on a different machine than where the service enablement and account linking were completed.

    • As mentioned previously, any Red Hat account belonging to the Red Hat organization that was linked with the AWS account that activated the ROSA service will have access to creating a cluster and will be able to select the billing AWS account that was linked under this Red Hat organization previously.

      The last section of this page shows cluster deployment options, either using the rosa CLI or through the web console:

      [Image: rosa cli ui 12]
    • The following steps describe cluster deployment using the rosa CLI.

    • If you are interested in deployment using the web console only, you can skip to the ROSA with HCP cluster deployment using the web console section. However, note that the rosa CLI is required for certain tasks, such as creating the account roles. If you are deploying ROSA for the first time, follow the CLI steps until running the rosa whoami command, before skipping to the web console deployment steps.

ROSA with HCP cluster deployment using the CLI

  1. Click the Download the ROSA CLI button to download the ROSA command line interface (CLI) for your operating system and set it up as described in the Help with ROSA CLI setup.

    Make sure that you have the most recent AWS CLI installed. See Instructions to install the AWS CLI for more information.

  2. After the previous steps are completed, you can verify that both CLIs are available by running the rosa version and aws --version commands in your terminal. The rosa version command shows an update notification if you are using an older version.

  3. The prerequisite for creating a ROSA with HCP cluster is to log in using the rosa CLI by running the personalized command with your unique token, shown under step "2.1. To authenticate, run this command" on the web console. Use the copy button to copy the command with the full token and paste it into your terminal:

    [Image: rosa token 13]

    Do not share your unique token.

  4. The final prerequisite before your first cluster deployment is making sure the necessary account-wide roles and policies are created. The rosa CLI can help with that by using the command shown under step "2.2. To create the necessary account-wide roles and policies quickly…" on the web console. The alternative is manual creation of these roles and policies.

  5. After logging in, creating the account roles, and verifying your identity using the rosa whoami command, your terminal will look similar to this:

    [Image: rosa whoami 14]
  6. Initiate the cluster deployment using the presented command. You can click the copy button again and paste the command in your terminal:

    [Image: rosa cli 15]

  7. To use a custom AWS profile, one of the non-default profiles specified in your ~/.aws/credentials, you can add the --profile <profile_name> selector to the rosa create cluster command so that the command looks like rosa create cluster --profile stage. If no AWS CLI profile is specified using this option, the default AWS CLI profile will determine the AWS infrastructure profile into which the cluster is deployed. The billing AWS profile is selected in one of the following steps.

  8. After entering a cluster name, you will be asked whether to use the hosted control plane. Select yes:

    [Image: rosa create cli 16]
  9. When deploying a ROSA with HCP cluster, the billing AWS account needs to be specified:

    [Image: rosa create cli billing 17]
    • Only AWS accounts that were linked to the Red Hat organization that is currently used will be shown.

    • The specified AWS account will be charged for using the ROSA service, regardless of whether the infrastructure AWS account is linked to it in the same AWS organization.

    • You can see an indicator of whether the ROSA contract is enabled for a given AWS billing account or not.

    • To select an AWS account that does not have the contract enabled, refer to the first few steps in this tutorial to enable the contract and allow the service charging, which is required for a successful cluster deployment.

  10. In the following steps, you will specify technical details of the cluster that is to be deployed:

    [Image: rosa cli details 18]
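
Because the AWS CLI profile decides which infrastructure account the cluster is deployed into, it helps to resolve the profile to an account ID before running rosa create cluster --profile <profile_name>. The following shell functions are an added example, not part of the original tutorial; the function names and the expected account ID argument are assumptions, and the only AWS call used is aws sts get-caller-identity.

```shell
#!/bin/sh
# Added example: confirm which AWS account a CLI profile resolves to before
# running `rosa create cluster --profile <profile_name>`.
# Function names are hypothetical; only `aws sts get-caller-identity` is called.

# List profile names (section headers such as [stage]) in a credentials file.
# Profiles defined only in ~/.aws/config are not covered here.
list_profiles() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)][[:space:]]*$/\1/p' \
        "${1:-$HOME/.aws/credentials}"
}

# Print the account ID that the given profile authenticates to.
profile_account() {
    aws sts get-caller-identity --profile "$1" --query Account --output text
}

# $1 = profile, $2 = expected infrastructure account ID,
# $3 = credentials file (optional).
# Returns 0 on match, 1 on mismatch, 2 if the profile is not defined,
# 3 if the account cannot be resolved (expired or invalid credentials).
check_infra_profile() {
    profile=$1 expected=$2 creds=${3:-$HOME/.aws/credentials}
    if ! list_profiles "$creds" | grep -qxF -- "$profile"; then
        echo "profile '$profile' not found in $creds" >&2
        return 2
    fi
    actual=$(profile_account "$profile") || {
        echo "cannot resolve an account for profile '$profile'" >&2
        return 3
    }
    if [ "$actual" != "$expected" ]; then
        echo "mismatch: '$profile' -> $actual, expected $expected" >&2
        return 1
    fi
    echo "ok: '$profile' -> $actual"
}
```

For example, `check_infra_profile stage <expected_account_id> && rosa create cluster --profile stage` starts the deployment only when the profile resolves to the intended infrastructure account; the billing account is still selected in the later prompt.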

ROSA with HCP cluster deployment using the web console

  1. A cluster can be created using the web console by selecting the second option in the bottom section of the introductory Set up ROSA page:

    [Image: rosa deploy ui 19]
  2. The first step when creating a ROSA cluster using the web console is the control plane selection. Make sure the Hosted option is selected before clicking the Next button:

    [Image: rosa deploy ui hcp 20]

  3. The next step, Accounts and roles, allows you to specify the infrastructure AWS account into which the ROSA cluster will be deployed and where the resources will be consumed and managed:

    [Image: rosa ui account 21]

    • Click How to associate a new AWS account if you do not see the account into which you want to deploy the ROSA cluster; it provides detailed information on how to create or link account roles for this association.

    • The rosa CLI is used for this.

    • If you are using multiple AWS accounts and have their profiles configured for the AWS CLI, you can use the --profile selector to specify the AWS profile when working with the rosa CLI commands.

  4. The billing AWS account is selected in the immediately following section:

    [Image: rosa ui billing 22]
    • Only AWS accounts that were linked to the Red Hat organization that is currently used will be shown.

    • The specified AWS account will be charged for using the ROSA service, regardless of whether the infrastructure AWS account is linked to it in the same AWS organization.

    • You can see an indicator of whether the ROSA contract is enabled for a given AWS billing account or not.

    • If you would like to use an AWS account that does not have a contract enabled yet, you can either use the Connect ROSA to a new AWS billing account option to reach the ROSA AWS console page, where you can activate it after logging in using the respective AWS account by following the steps described earlier in this tutorial, or ask the administrator of the AWS account to do that for you.

The following steps past the billing AWS account selection are beyond the scope of this tutorial.
