Creating ROSA with HCP clusters using the default options | Install ROSA with HCP clusters

Overview of the default cluster specifications
ROSA with HCP Prerequisites
Creating a ROSA with HCP cluster using the CLI
Next steps
Additional resources

If you are looking for a quickstart guide for ROSA Classic, see Red Hat OpenShift Service on AWS quickstart guide.

Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) offers a more efficient and reliable architecture for creating Red Hat OpenShift Service on AWS (ROSA) clusters. With ROSA with HCP, each cluster has a dedicated control plane that is isolated in a ROSA service account.

Create a ROSA with HCP cluster quickly by using the default options and automatic AWS Identity and Access Management (IAM) resource creation. You can deploy your cluster by using the ROSA CLI (rosa).

Since it is not possible to upgrade or convert existing ROSA clusters to a hosted control planes architecture, you must create a new cluster to use ROSA with HCP functionality.

ROSA with HCP clusters only support AWS Security Token Service (STS) authentication.

Considerations regarding auto creation mode

The procedures in this document use the auto mode in the ROSA CLI to immediately create the required IAM resources using the current AWS account. The required resources include the account-wide IAM roles and policies, cluster-specific Operator roles and policies, and OpenID Connect (OIDC) identity provider.

Alternatively, you can use manual mode, which outputs the aws commands needed to create the IAM resources instead of deploying them automatically. For steps to deploy a ROSA with HCP cluster by using manual mode or with customizations, see Creating a cluster using customizations.

Next steps

Ensure that you have completed the AWS prerequisites.

edit

Overview of the default cluster specifications

You can quickly create a ROSA with HCP cluster with the AWS Security Token Service (STS) by using the default installation options. The following summary describes the default cluster specifications.

Component Default specifications

Accounts and roles

Default IAM role prefix: ManagedOpenShift
No cluster admin role created

Cluster settings

Default cluster version: Latest
Default AWS region for installations using the ROSA CLI (rosa): Defined by your aws CLI configuration
Default EC2 IMDS endpoints (both v1 and v2) are enabled
Availability: Single zone for the data plane
Monitoring for user-defined projects: Enabled

Encryption

Cloud storage is encrypted at rest
Additional etcd encryption is not enabled
The default AWS Key Management Service (KMS) key is used as the encryption key for persistent data

Compute node machine pool

Compute node instance type: m5.xlarge (4 vCPU 16, GiB RAM)
Compute node count: 2
Autoscaling: Not enabled
No additional node labels

Networking configuration

Cluster privacy: Public
You must have configured your own Virtual Private Cloud (VPC)
No cluster-wide proxy is configured

Classless Inter-Domain Routing (CIDR) ranges

Machine CIDR: 10.0.0.0/16
Service CIDR: 172.30.0.0/16
Pod CIDR: 10.128.0.0/16

Host prefix: /23

When using ROSA with HCP, the static IP address 172.20.0.1 is reserved for the internal Kubernetes API address. The machine, pod, and service CIDRs ranges must not conflict with this IP address.

Cluster roles and policies

Mode used to create the Operator roles and the OpenID Connect (OIDC) provider: auto

For installations that use OpenShift Cluster Manager on the Hybrid Cloud Console, the auto mode requires an admin-privileged OpenShift Cluster Manager role.
Default Operator role prefix: <cluster_name>-<4_digit_random_string>

Cluster update strategy

Individual updates
1 hour grace period for node draining

ROSA with HCP Prerequisites

To create a ROSA with HCP cluster, you must have the following items:

A configured virtual private cloud (VPC)
Account-wide roles
An OIDC configuration
Operator roles

edit

Creating a Virtual Private Cloud for your ROSA with HCP clusters

You must have a Virtual Private Cloud (VPC) to create ROSA with HCP cluster. You can use the following methods to create a VPC:

Create a VPC by using a Terraform template
Manually create the VPC resources in the AWS console

The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use. You should also ensure that when you use this Terraform script it is in the same region that you intend to install your cluster. In these examples, use us-east-2.

Creating a Virtual Private Cloud using Terraform

Terraform is a tool that allows you to create various resources using an established template. The following process uses the default options as required to create a ROSA with HCP cluster. For more information about using Terraform, see the additional resources.

Prerequisites

You have installed Terraform version 1.4.0 or newer on your machine.
You have installed Git on your machine.

Procedure

Open a shell prompt and clone the Terraform VPC repository by running the following command:
```
$ git clone https://github.com/openshift-cs/terraform-vpc-example
```
Navigate to the created directory by running the following command:
```
$ cd terraform-vpc-example
```
Initiate the Terraform file by running the following command:
```
$ terraform init
```
A message confirming the initialization appears when this process completes.
To build your VPC Terraform plan based on the existing Terraform template, run the plan command. You must include your AWS region. You can choose to specify a cluster name. A rosa.tfplan file is added to the hypershift-tf directory after the terraform plan completes. For more detailed options, see the Terraform VPC repository’s README file.
```
$ terraform plan -out rosa.tfplan -var region=<region> [-var cluster_name=<cluster_name>]
```
Apply this plan file to build your VPC by running the following command:
```
$ terraform apply rosa.tfplan
```
Optional: You can capture the values of the Terraform-provisioned private, public, and machinepool subnet IDs as environment variables to use when creating your ROSA with HCP cluster by running the following commands:
```
$ export SUBNET_IDS=$(terraform output -raw cluster-subnets-string)
```

Verification

You can verify that the variables were correctly set with the following command:
```
$ echo $SUBNET_IDS
```
Sample output
```
$ subnet-0a6a57e0f784171aa,subnet-078e84e5b10ecf5b0
```

Additional resources

See the Terraform VPC repository for a detailed list of all options available when customizing the VPC for your needs.

Creating a Virtual Private Cloud manually

If you choose to manually create your Virtual Private Cloud (VPC) instead of using Terraform, go to the VPC page in the AWS console. Your VPC must meet the requirements shown in the following table.

Table 2. Requirements for your VPC
Requirement	Details
VPC name	You need to have the specific VPC name and ID when creating your cluster.
CIDR range	Your VPC CIDR range should match your machine CIDR.
Availability zone	You need one availability zone for a single zone, and you need three for availability zones for multi-zone.
Public subnet	You must have one public subnet with a NAT gateway for public clusters. Private clusters do not need a public subnet.
DNS hostname and resolution	You must ensure that the DNS hostname and resolution are enabled.

Tagging your subnets

Before you can use your VPC to create a ROSA with HCP cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly before you can use these resources. The following table shows how your resources should be tagged as the following:

Resource Key Value

Resource	Key	Value
Public subnet	`kubernetes.io/role/elb`	`1` or no value
Private subnet	`kubernetes.io/role/internal-elb`	`1` or no value

Public subnet

kubernetes.io/role/elb

1 or no value

Private subnet

kubernetes.io/role/internal-elb

1 or no value

You must tag at least one private subnet and, if applicable, and one public subnet.

Prerequisites

You have created a VPC.
You have installed the aws CLI.

Procedure

Verify the tags currently on your subnet by running the following command:

$ aws ec2 describe-tags --filters "Name=resource-id,Values=<subnet-id>"

Example output

TAGS    Name    <subnet-id>    subnet  <prefix>-subnet-public1-us-east-1a

Tag your resources in your terminal by running the following commands:

For public subnets, run:

$ aws ec2 create-tags --resources <public-subnet-id> --tags Key=kubernetes.io/role/elb,Value=1

For private subnets, run:

$ aws ec2 create-tags --resources <private-subnet-id> --tags Key=kubernetes.io/role/internal-elb,Value=1

Verification

Verify that the tag is correctly applied by running the following command:

$ aws ec2 describe-tags --filters "Name=resource-id,Values=<subnet_id>"

Example output

TAGS    Name                    <subnet-id>        subnet  <prefix>-subnet-public1-us-east-1a
TAGS    kubernetes.io/role/elb  <subnet-id>        subnet  1

Additional resources

edit

Creating the account-wide STS roles and policies

Before using the Red Hat OpenShift Service on AWS (ROSA) CLI (rosa) to create Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, create the required account-wide roles and policies, including the Operator policies.

ROSA with HCP clusters require account and Operator roles with AWS managed policies attached. Customer managed policies are not supported. For more information regarding AWS managed policies for ROSA with HCP clusters, see AWS managed policies for ROSA account roles.

Prerequisites

You have completed the AWS prerequisites for ROSA with HCP.
You have available AWS service quotas.
You have enabled the ROSA service in the AWS Console.
You have installed and configured the latest ROSA CLI (rosa) on your installation host.
You have logged in to your Red Hat account by using the ROSA CLI.

Procedure

If they do not exist in your AWS account, create the required account-wide STS roles and attach the policies by running the following command:
```
$ rosa create account-roles --hosted-cp --mode auto --yes
```
- Optional: Set your prefix as an environmental variable by running the following command:
  $ export ACCOUNT_ROLES_PREFIX=<account_role_prefix>
- View the value of the variable by running the following command:
  $ echo $ACCOUNT_ROLES_PREFIX
  Example output
  ManagedOpenShift

For more information regarding AWS managed IAM policies for ROSA, see AWS managed IAM policies for ROSA.

edit

Creating an OpenID Connect configuration

When using a ROSA with HCP cluster, you must create the OpenID Connect (OIDC) configuration prior to creating your cluster. This configuration is registered to be used with OpenShift Cluster Manager.

Prerequisites

You have completed the AWS prerequisites for ROSA with HCP.
You have completed the AWS prerequisites for Red Hat OpenShift Service on AWS.
You have installed and configured the latest Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, on your installation host.

Procedure

To create your OIDC configuration alongside the AWS resources, run the following command:

$ rosa create oidc-config --mode=auto  --yes

This command returns the following information.

Example output

? Would you like to create a Managed (Red Hat hosted) OIDC Configuration Yes
I: Setting up managed OIDC configuration
I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
	rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
? Create the OIDC provider? Yes
I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'

When creating your cluster, you must supply the OIDC config ID. The CLI output provides this value for --mode auto, otherwise you must determine these values based on aws CLI output for --mode manual.

Optional: you can save the OIDC configuration ID as a variable to use later. Run the following command to save the variable:
```
$ export OIDC_ID=<oidc_config_id>(1)
```
1 In the example output above, the OIDC configuration ID is 13cdr6b.
View the value of the variable by running the following command:
```
$ echo $OIDC_ID
```
Example output
```
13cdr6b
```

Verification

You can list the possible OIDC configurations available for your clusters that are associated with your user organization. Run the following command:

$ rosa list oidc-config

Example output

ID                                MANAGED  ISSUER URL                                                             SECRET ARN
2330dbs0n8m3chkkr25gkkcd8pnj3lk2  true     https://dvbwgdztaeq9o.cloudfront.net/2330dbs0n8m3chkkr25gkkcd8pnj3lk2
233hvnrjoqu14jltk6lhbhf2tj11f8un  false    https://oidc-r7u1.s3.us-east-1.amazonaws.com                           aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN

edit

Creating Operator roles and policies

When using a ROSA with HCP cluster, you must create the Operator IAM roles that are required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) deployments. The cluster Operators use the Operator roles to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage, cloud provider credentials, and external access to a cluster.

Prerequisites

You have completed the AWS prerequisites for ROSA with HCP.
You have installed and configured the latest Red Hat OpenShift Service on AWS ROSA CLI (rosa), on your installation host.
You created the account-wide AWS roles.

Procedure

Set your prefix name to an environment variable using the following command:
```
$ export OPERATOR_ROLES_PREFIX=<prefix_name>
```

To create your Operator roles, run the following command:

$ rosa create operator-roles --hosted-cp --prefix=$OPERATOR_ROLES_PREFIX --oidc-config-id=$OIDC_ID --installer-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ACCOUNT_ROLES_PREFIX}-HCP-ROSA-Installer-Role

The following breakdown provides options for the Operator role creation.

$ rosa create operator-roles --hosted-cp
	--prefix=$OPERATOR_ROLES_PREFIX (1)
	--oidc-config-id=$OIDC_ID (2)
	--installer-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ACCOUNT_ROLES_PREFIX}-HCP-ROSA-Installer-Role (3)

1	You must supply a prefix when creating these Operator roles. Failing to do so produces an error. See the Additional resources of this section for information on the Operator prefix.
2	This value is the OIDC configuration ID that you created for your ROSA with HCP cluster.
3	This value is the installer role ARN that you created when you created the ROSA account roles.

You must include the --hosted-cp parameter to create the correct roles for ROSA with HCP clusters. This command returns the following information.

Sample output

? Role creation mode: auto
? Operator roles prefix: <pre-filled_prefix> (1)
? OIDC Configuration ID: 23soa2bgvpek9kmes9s7os0a39i13qm4 | https://dvbwgdztaeq9o.cloudfront.net/23soa2bgvpek9kmes9s7os0a39i13qm4 (2)
? Create hosted control plane operator roles: Yes
W: More than one Installer role found
? Installer role ARN: arn:aws:iam::4540112244:role/<prefix>-HCP-ROSA-Installer-Role
? Permissions boundary ARN (optional):
I: Reusable OIDC Configuration detected. Validating trusted relationships to operator roles:
I: Creating roles using 'arn:aws:iam::4540112244:user/<userName>'
I: Created role '<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials'
I: Created role '<prefix>-openshift-cloud-network-config-controller-cloud-credenti' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti'
I: Created role '<prefix>-kube-system-kube-controller-manager' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager'
I: Created role '<prefix>-kube-system-capa-controller-manager' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager'
I: Created role '<prefix>-kube-system-control-plane-operator' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator'
I: Created role '<prefix>-kube-system-kms-provider' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider'
I: Created role '<prefix>-openshift-image-registry-installer-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials'
I: Created role '<prefix>-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials'
I: To create a cluster with these roles, run the following command:
	rosa create cluster --sts --oidc-config-id 23soa2bgvpek9kmes9s7os0a39i13qm4 --operator-roles-prefix <prefix> --hosted-cp

1	This field is prepopulated with the prefix that you set in the initial creation command.
2	This field requires you to select an OIDC configuration that you created for your ROSA with HCP cluster.

The Operator roles are now created and ready to use for creating your ROSA with HCP cluster.

Verification

You can list the Operator roles associated with your ROSA account. Run the following command:

$ rosa list operator-roles

Sample output

I: Fetching operator roles
ROLE PREFIX  AMOUNT IN BUNDLE
<prefix>      8
? Would you like to detail a specific prefix Yes (1)
? Operator Role Prefix: <prefix>
ROLE NAME                                                         ROLE ARN                                                                                         VERSION  MANAGED
<prefix>-kube-system-capa-controller-manager                       arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager                       4.13     No
<prefix>-kube-system-control-plane-operator                        arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator                        4.13     No
<prefix>-kube-system-kms-provider                                  arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider                                  4.13     No
<prefix>-kube-system-kube-controller-manager                       arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager                       4.13     No
<prefix>-openshift-cloud-network-config-controller-cloud-credenti  arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti  4.13     No
<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials       arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials       4.13     No
<prefix>-openshift-image-registry-installer-cloud-credentials      arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials      4.13     No
<prefix>-openshift-ingress-operator-cloud-credentials              arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials              4.13     No

1	After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics.

Additional resources

See About custom Operator IAM role prefixes for information on the Operator prefixes.

edit

Creating a ROSA with HCP cluster using the CLI

When using the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, to create a cluster, you can select the default options to create the cluster quickly.

Prerequisites

You have completed the AWS prerequisites for ROSA with HCP.
You have available AWS service quotas.
You have enabled the ROSA service in the AWS Console.
You have installed and configured the latest ROSA CLI (rosa) on your installation host. Run rosa version to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
You have logged in to your Red Hat account by using the ROSA CLI.
You have created an OIDC configuration.
You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.

Procedure

Use one of the following commands to create your ROSA with HCP cluster:

When creating a ROSA with HCP cluster, the default machine Classless Inter-Domain Routing (CIDR) is 10.0.0.0/16. If this does not correspond to the CIDR range for your VPC subnets, add --machine-cidr <address_block> to the following commands. To learn more about the default CIDR ranges for Red Hat OpenShift Service on AWS, see CIDR range definitions.

If you did not set environmental variables, run the following command:

$ rosa create cluster --cluster-name=<cluster_name> \ (1)
    --mode=auto --hosted-cp [--private] \ (2)
    --operator-roles-prefix <operator-role-prefix> \ (3)
    --oidc-config-id <id-of-oidc-configuration> \
    --subnet-ids=<public-subnet-id>,<private-subnet-id>

1	Specify the name of your cluster. If your cluster name is longer than 15 characters, it will contain an autogenerated domain prefix as a subdomain for your provisioned cluster on openshiftapps.com. To customize the subdomain, use the `--domain-prefix` flag. The domain prefix cannot be longer than 15 characters, must be unique, and cannot be changed after cluster creation.
2	Optional: The `--private` argument is used to create private ROSA with HCP clusters. If you use this argument, ensure that you only use your private subnet ID for `--subnet-ids`.
3	By default, the cluster-specific Operator role names are prefixed with the cluster name and a random 4-digit hash. You can optionally specify a custom prefix to replace `<cluster_name>-<hash>` in the role names. The prefix is applied when you create the cluster-specific Operator IAM roles. For information about the prefix, see About custom Operator IAM role prefixes.

If you specified custom ARN paths when you created the associated account-wide roles, the custom path is automatically detected. The custom path is applied to the cluster-specific Operator roles when you create them in a later step.

If you set the environmental variables, create a cluster with a single, initial machine pool, using either a publicly or privately available API, and a publicly or privately available Ingress by running the following command:
```
$ rosa create cluster --private --cluster-name=<cluster_name> \
  --mode=auto --hosted-cp --operator-roles-prefix=$OPERATOR_ROLES_PREFIX \
  --oidc-config-id=$ODIC_CONFIG --subnet-ids=$SUBNET_IDS
```
If you set the environmental variables, create a cluster with a single, initial machine pool, a publicly available API, and a publicly available Ingress by running the following command:
```
$ rosa create cluster --cluster-name=<cluster_name> --mode=auto --hosted-cp --operator-roles-prefix=$OPERATOR_ROLES_PREFIX --oidc-config-id=$ODIC_CONFIG --subnet-ids=$SUBNET_IDS
```

Check the status of your cluster by running the following command:

$ rosa describe cluster --cluster=<cluster_name>

The following State field changes are listed in the output as the cluster installation progresses:

pending (Preparing account)
installing (DNS setup in progress)
installing

ready

If the installation fails or the State field does not change to ready after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see Troubleshooting installations. For steps to contact Red Hat Support for assistance, see Getting support for Red Hat OpenShift Service on AWS.

Track the progress of the cluster creation by watching the Red Hat OpenShift Service on AWS installation program logs. To check the logs, run the following command:
```
$ rosa logs install --cluster=<cluster_name> --watch \ (1)
```
1 Optional: To watch for new log messages as the installation progresses, use the --watch argument.

Next steps

Accessing a ROSA cluster

Additional resources

For steps to deploy a ROSA cluster using manual mode, see Creating a cluster using customizations.
For more information about the AWS Identity Access Management (IAM) resources required to deploy Red Hat OpenShift Service on AWS with STS, see About IAM resources for clusters that use STS.
See Additional custom security groups for information about security group requirements.
For details about optionally setting an Operator role name prefix, see About custom Operator IAM role prefixes.
For information about the prerequisites to installing ROSA with STS, see AWS prerequisites for ROSA with STS.
For details about using the auto and manual modes to create the required STS resources, see Understanding the auto and manual deployment modes.
For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see Creating OpenID Connect (OIDC) identity providers in the AWS documentation.
For more information about troubleshooting ROSA cluster installations, see Troubleshooting installations.
For steps to contact Red Hat Support for assistance, see Getting support for Red Hat OpenShift Service on AWS.