Cluster infrastructure hosting
If you are looking for a quickstart guide for ROSA Classic, see Red Hat OpenShift Service on AWS quickstart guide. |
Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) offers a more efficient and reliable architecture for creating ROSA clusters. With ROSA with HCP, each cluster has a dedicated control plane that is isolated in a ROSA service account.
Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
Create a ROSA with HCP cluster quickly by using the default options and automatic AWS Identity and Access Management (IAM) resource creation. You can deploy your cluster by using the ROSA CLI (rosa
).
Since it is not possible to upgrade or convert existing ROSA clusters to a hosted control planes architecture, you must creata a new cluster to use ROSA with HCP functionality. |
ROSA with HCP clusters only support AWS Security Token Service (STS) authentication. |
Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) offers a different way to create a managed ROSA cluster. ROSA with HCP offers a reduced-cost solution with focuses on reliability and efficiency. With a focus on efficiency, you can quickly create a new cluster and deploy applications in minutes.
ROSA with HCP requires only a minimum of two nodes making it ideal for smaller projects while still being able to scale to support larger projects and enterprises.
|
Hosted Control Plane | Classic |
---|---|---|
Cluster infrastructure hosting |
ROSA with HCP deploys control plane components, such as etcd, API server, and oauth, that are hosted separately on AWS in a Red Hat-owned and managed account. |
ROSA Classic deploys the control plane components side by side with infrastructure and worker nodes that are hosted together in the customer’s same AWS account. |
Provisioning Time |
Approximately 10 minutes |
Approximately 40 minutes |
Architecture |
|
|
Minimum Amazon EC2 footprint |
One cluster requires a minimum of two nodes |
One cluster requires a minimum of seven nodes |
Deployment |
|
|
Upgrades |
Selectively upgrade control plane and machine pools separately |
Entire cluster is upgraded at one time |
Regional Availability |
|
For AWS Region availability, see Red Hat OpenShift Service on AWS endpoints and quotas in the AWS documentation. |
Compliance |
|
|
For a full list of the supported certificates, see the Compliance section of "Understanding process and security for Red Hat OpenShift Service on AWS".
The procedures in this document use the auto
mode in the ROSA CLI (rosa
) to immediately create the required IAM resources using the current AWS account. The required resources include the account-wide IAM roles and policies, cluster-specific Operator roles and policies, and OpenID Connect (OIDC) identity provider.
Alternatively, you can use manual
mode, which outputs the aws
commands needed to create the IAM resources instead of deploying them automatically. For steps to deploy a ROSA with HCP cluster by using manual
mode or with customizations, see Creating a cluster using customizations.
Ensure that you have completed the AWS prerequisites.
You can quickly create a ROSA with HCP cluster with the AWS Security Token Service (STS) by using the default installation options. The following summary describes the default cluster specifications.
Component | Default specifications | ||
---|---|---|---|
Accounts and roles |
|
||
Cluster settings |
|
||
Encryption |
|
||
Compute node machine pool |
|
||
Networking configuration |
|
||
Classless Inter-Domain Routing (CIDR) ranges |
|
||
Cluster roles and policies |
|
||
Cluster update strategy |
|
To create a ROSA with HCP cluster, you must have the following items:
A configured virtual private cloud (VPC)
Account-wide roles
An OIDC configuration
Operator roles
You must have a Virtual Private Cloud (VPC) to create ROSA with HCP cluster. You can use the following methods to create a VPC:
Create a VPC by using a Terraform template
Manually create the VPC resources in the AWS console
The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use. |
Terraform is a tool that allows you to create various resources using an established template. The following process uses the default options as required to create a ROSA with HCP cluster. For more information about using Terraform, see the additional resources.
You have installed Terraform on your machine.
Open a shell prompt and create a directory for your Terraform files by running the following command:
$ mkdir hypershift-tf
Navigate to the created directory by running the following command:
$ cd hypershift-tf
Download the VPC setup Terraform file by running the following command:
$ curl -s -o setup-vpc.tf https://raw.githubusercontent.com/openshift-cs/OpenShift-Troubleshooting-Templates/master/rosa-hcp-terraform/setup-vpc.tf
After the template has downloaded, initiate the Terraform file by running the following command:
$ terraform init
A message confirming the initialization appears when this process completes.
To build your VPC Terraform plan based off of the downloaded template, run the plan
command. You must include your AWS region. Optionally, you can specify a cluster name.
$ terraform plan -out rosa.plan -var aws_region=<region> [-var cluster_name=<cluster_name>]
You should have a rosa.plan
file in the directory that you created in the first step. Apply this plan file to build your VPC by running the following command:
$ terraform apply rosa.plan
Optional: You can capture the values of the Terraform-provisioned private, public, and machinepool subnet IDs as environment variables to use when creating your ROSA with HCP cluster by running the following commands:
For the private subnet ID:
$ PRIVATE_SUBNET=`terraform output -raw cluster-private-subnet`
For the public subnet ID:
$ PUBLIC_SUBNET=`terraform output -raw cluster-public-subnet`
For the machinepool subnet ID:
$ MACHINEPOOL_SUBNET=`terraform output -raw node-private-subnet`
If you choose to manually create your Virtual Private Cloud (VPC) instead of using Terraform, go to the VPC page in the AWS console. Your VPC must meet the requirements shown in the following table.
Requirement | Details |
---|---|
VPC name |
You need to have the specific VPC name and ID when creating your cluster. |
CIDR range |
Your VPC CIDR range should match your machine CIDR. |
Availability zone |
You need one availability zone for a single zone, and you need three for availability zones for multi-zone. |
Public subnet |
You must have one public subnet with a NAT gateway. |
DNS hostname and resolution |
You must ensure that the DNS hostname and resolution are enabled. |
Before using the ROSA CLI to create Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, create the required account-wide roles and policies, including the Operator policies.
You have completed the AWS prerequisites for ROSA with HCP.
You have available AWS service quotas.
You have enabled the ROSA service in the AWS Console.
You have installed and configured the latest ROSA CLI (rosa
) on your installation host.
To successfully install ROSA with HCP clusters, use the latest version of the ROSA CLI ( |
You have logged in to your Red Hat account by using the ROSA CLI.
If they do not exist in your AWS account, create the required account-wide STS roles and policies by running the following command:
$ rosa create account-roles --force-policy-creation
The --force-policy-creation
parameter updates any existing roles and policies that are present. If no roles and policies are present, the command creates these resources instead.
When using a ROSA with HCP cluster, you must create the OpenID Connect (OIDC) configuration prior to creating your cluster. This configuration is registered to be used with OCM.
You have completed the AWS prerequisites for ROSA with HCP.
You have installed and configured the latest ROSA CLI (rosa
) on your installation host.
To create your OIDC configuration alongside the AWS resources, run the following command:
$ rosa create oidc-config --mode=auto
This command returns the following information.
? Would you like to create a Managed (Red Hat hosted) OIDC Configuration Yes
I: Setting up managed OIDC configuration
I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
? Create the OIDC provider? Yes
I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'
When creating your cluster, you must supply the OIDC config ID. The CLI output provides this value for --mode auto
, otherwise you must determine these values based on aws
CLI output for --mode manual
.
You can list the possible OIDC configurations available for your clusters that are associated with your user organization. Run the following command:
$ rosa list oidc-config
ID MANAGED ISSUER URL SECRET ARN
2330dbs0n8m3chkkr25gkkcd8pnj3lk2 true https://dvbwgdztaeq9o.cloudfront.net/2330dbs0n8m3chkkr25gkkcd8pnj3lk2
233hvnrjoqu14jltk6lhbhf2tj11f8un false https://oidc-r7u1.s3.us-east-1.amazonaws.com aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN
When using a ROSA with HCP cluster, you must create the Operator IAM roles that are required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) deployments. The cluster Operators use the Operator roles to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage, cloud provider credentials, and external access to a cluster.
You have completed the AWS prerequisites for ROSA with HCP.
You have installed and configured the latest ROSA CLI (rosa
) on your installation host.
You created the account-wide AWS roles.
To create your Operator roles, run the following command:
$ rosa create operator-roles --prefix <prefix-name> (1)
--oidc-config-id <oidc-config-id> (2)
--hosted-cp
1 | You must supply a prefix when creating these Operator roles. Failing to do so produces an error. |
2 | This value is the OIDC configuration ID that you created for your ROSA with HCP cluster. |
You must include the --hosted-cp
parameter to create the correct roles for ROSA with HCP clusters. This command returns the following information.
? Role creation mode: auto
? Operator roles prefix: <pre-filled_prefix> (1)
? OIDC Configuration ID: 23soa2bgvpek9kmes9s7os0a39i13qm4 | https://dvbwgdztaeq9o.cloudfront.net/23soa2bgvpek9kmes9s7os0a39i13qm4 (2)
? Create hosted control plane operator roles: Yes
W: More than one Installer role found
? Installer role ARN: arn:aws:iam::4540112244:role/<prefix>-Installer-Role
? Permissions boundary ARN (optional):
I: Reusable OIDC Configuration detected. Validating trusted relationships to operator roles:
I: Creating roles using 'arn:aws:iam::4540112244:user/<userName>'
I: Created role '<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials'
I: Created role '<prefix>-openshift-cloud-network-config-controller-cloud-credenti' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti'
I: Created role '<prefix>-kube-system-kube-controller-manager' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager'
I: Created role '<prefix>-kube-system-capa-controller-manager' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager'
I: Created role '<prefix>-kube-system-control-plane-operator' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator'
I: Created role '<prefix>-kube-system-kms-provider' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider'
I: Created role '<prefix>-openshift-image-registry-installer-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials'
I: Created role '<prefix>-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials'
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts --oidc-config-id 23soa2bgvpek9kmes9s7os0a39i13qm4 --operator-roles-prefix <prefix> --hosted-cp
1 | This field is prefilled with the prefix that you set in the initial creation command. |
2 | This field requires you to select an OIDC configuration that you created for your ROSA with HCP cluster. |
The Operator roles are now created and ready to use for creating your ROSA with HCP cluster.
You can list the Operator roles associated with your ROSA account. Run the following command:
$ rosa list operator-roles
I: Fetching operator roles
ROLE PREFIX AMOUNT IN BUNDLE
<prefix> 8
? Would you like to detail a specific prefix Yes (1)
? Operator Role Prefix: <prefix>
ROLE NAME ROLE ARN VERSION MANAGED
<prefix>-kube-system-capa-controller-manager arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager 4.13 No
<prefix>-kube-system-control-plane-operator arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator 4.13 No
<prefix>-kube-system-kms-provider arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider 4.13 No
<prefix>-kube-system-kube-controller-manager arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager 4.13 No
<prefix>-openshift-cloud-network-config-controller-cloud-credenti arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti 4.13 No
<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials 4.13 No
<prefix>-openshift-image-registry-installer-cloud-credentials arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials 4.13 No
<prefix>-openshift-ingress-operator-cloud-credentials arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials 4.13 No
1 | After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics. |
When using Red Hat OpenShift Service on AWS (ROSA) CLI (rosa
) to create a cluster, you can select the default options to create the cluster quickly.
You have completed the AWS prerequisites for ROSA with HCP.
You have available AWS service quotas.
You have enabled the ROSA service in the AWS Console.
You have installed and configured the latest ROSA CLI (rosa
) on your installation host.
To successfully install ROSA clusters, use the latest version of the ROSA CLI ( |
You have logged in to your Red Hat account by using the ROSA CLI.
You have created an OIDC configuration.
You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
You can create your ROSA with HCP cluster with one of the following commands.
Create a cluster with a single, initial machine pool, publicly available API, and publicly available Ingress by running the following command:
$ rosa create cluster --cluster-name=<cluster_name> \
--sts --mode=auto --hosted-cp --operator-roles-prefix <operator-role-prefix> \
--oidc-config-id <ID-of-OIDC-configuration> --subnet-ids=<public-subnet-id>,<private-subnet-id>
Create a cluster with a single, initial machine pool, privately available API, and privately available Ingress by running the following command:
$ rosa create cluster --private --cluster-name=<cluster_name> \
--sts --mode=auto --hosted-cp --subnet-ids=<private-subnet-id>
Check the status of your cluster by running the following command:
$ rosa describe cluster --cluster=<cluster_name>
The following State
field changes are listed in the output as the cluster installation progresses:
pending (Preparing account)
installing (DNS setup in progress)
installing
ready
If the installation fails or the |
Track the progress of the cluster creation by watching the Red Hat OpenShift Service on AWS installation program logs. To check the logs, run the following command:
$ rosa logs install --cluster=<cluster_name> --watch (1)
1 | Optional: To watch for new log messages as the installation progresses, use the --watch argument. |
For steps to deploy a ROSA cluster using manual mode, see Creating a cluster using customizations.
For more information about the AWS Identity Access Management (IAM) resources required to deploy Red Hat OpenShift Service on AWS with STS, see About IAM resources for clusters that use STS.
For details about optionally setting an Operator role name prefix, see About custom Operator IAM role prefixes.
For information about the prerequisites to installing ROSA with STS, see AWS prerequisites for ROSA with STS.
For details about using the auto
and manual
modes to create the required STS resources, see Understanding the auto and manual deployment modes.
For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see Creating OpenID Connect (OIDC) identity providers in the AWS documentation.
For more information about troubleshooting ROSA cluster installations, see Troubleshooting installations.
For steps to contact Red Hat Support for assistance, see Getting support for Red Hat OpenShift Service on AWS.