Creating a ROSA cluster in STS mode
Paul Czarkowski
Last updated 05/31/2022
Tip: The official documentation for installing a ROSA cluster in STS mode can be found here.
Quick Introduction by Ryan Niksch (AWS) and Shaozen Ding (Red Hat) on YouTube
STS allows us to deploy ROSA without needing a ROSA admin account; instead, it uses roles and policies with Amazon STS (secure token service) to gain access to the AWS resources needed to install and operate the cluster.

This is a summary of the official docs that can be used as a line-by-line install guide and later as the basis for automation in your favorite automation tool.

Note that some commands (OIDC for STS) are hard-coded to US-EAST-1. Do not be tempted to change these to use $REGION instead, or the installation will fail.
Prerequisites
Prepare local environment
Set some environment variables:

```bash
export VERSION=4.10.15 \
  ROSA_CLUSTER_NAME=mycluster \
  AWS_ACCOUNT_ID=`aws sts get-caller-identity --query Account --output text` \
  REGION=us-east-2 \
  AWS_PAGER=""
```
Prepare AWS and Red Hat accounts
If this is your first time deploying ROSA you need to do some preparation as described here. Stop just before running `rosa init`; we don't need to do that for STS mode.

If this is a brand new AWS account that has never had an AWS Load Balancer installed in it, you should run the following:

```bash
aws iam create-service-linked-role --aws-service-name \
  "elasticloadbalancing.amazonaws.com"
```
Associate your AWS account
To perform ROSA cluster provisioning tasks, you must create ocm-role and user-role IAM resources in your AWS account and link them to your Red Hat organization.
OCM Role
The first role you will create is the ocm-role, which the OpenShift Cluster Manager will use to administer and create ROSA clusters. If you haven't already created the ocm-role, you can create and link the role with one command:

```bash
rosa create ocm-role
```

Tip: If you have multiple AWS accounts that you want to associate with your Red Hat Organization, you can use the `--profile` option to specify the AWS profile you would like to associate.

If you have already created the ocm-role, you can just link the ocm-role to your Red Hat organization:

```bash
rosa link ocm-role --role-arn <arn>
```

Tip: You can get your OCM role ARN from AWS IAM:

```bash
aws iam list-roles | grep OCM
```
User Role
The second is the user-role, which allows OCM to verify that users creating a cluster have access to the current AWS account. If you haven't already created the user-role, you can create and link the role with one command:

```bash
rosa create user-role
```

Tip: If you have multiple AWS accounts that you want to associate with your Red Hat Organization, you can use the `--profile` option to specify the AWS profile you would like to associate.

If you have already created the user-role, you can just link the user-role to your Red Hat organization:

```bash
rosa link user-role --role-arn <arn>
```

Tip: You can get your User role ARN from the ROSA CLI; look for the `AWS ARN:` field in the output of:

```bash
rosa whoami
```
Deploy ROSA cluster
Make sure your ROSA CLI version is correct (v1.2.2 or higher):

```bash
rosa version
```
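As an added pre-flight check (example code, not from the original post or the ROSA project): the helpers below enforce the v1.2.2 CLI floor, pull the `AWS ARN:` field out of `rosa whoami`, and confirm that identity lives in the same account `AWS_ACCOUNT_ID` was read from, so a stale `--profile` is caught before any roles are created. It assumes the version is the first token on the first line of `rosa version`; the `rosa whoami` sample output is constructed.

```shell
#!/bin/sh
# Pre-flight checks for the steps above. Added example, not from the original post:
# the helpers are pure POSIX sh so they can be exercised offline; the real rosa/aws
# calls happen only in preflight(), which runs when the script is invoked with --run.
set -eu

# version_ge HAVE WANT: succeed if HAVE >= WANT (dotted numeric versions, optional "v").
version_ge() {
  have=${1#v}; want=${2#v}; i=1
  while [ "$i" -le 3 ]; do
    hv=$(printf '%s' "$have" | cut -d. -f"$i"); wv=$(printf '%s' "$want" | cut -d. -f"$i")
    hv=${hv:-0}; wv=${wv:-0}
    [ "$hv" -gt "$wv" ] && return 0
    [ "$hv" -lt "$wv" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# aws_arn_from_whoami: read `rosa whoami` output on stdin and print the "AWS ARN:" field.
aws_arn_from_whoami() {
  sed -n 's/^AWS ARN:[[:space:]]*//p' | head -n 1
}

# arn_account_id ARN: the account ID is the fifth colon-separated field of any AWS ARN.
arn_account_id() {
  printf '%s' "$1" | cut -d: -f5
}

# Constructed sample of `rosa whoami` output (layout assumed, values fake) for offline checks.
SAMPLE_WHOAMI='AWS Account ID:               123456789012
AWS Default Region:           us-east-2
AWS ARN:                      arn:aws:iam::123456789012:user/alice
OCM API:                      https://api.openshift.com'

preflight() {
  # Assumption: the version number is the first token on the first line of `rosa version`.
  ver=$(rosa version | head -n 1 | awk '{print $1}')
  version_ge "$ver" 1.2.2 || { echo "rosa CLI $ver is older than the required 1.2.2" >&2; return 1; }
  arn=$(rosa whoami | aws_arn_from_whoami)
  acct=$(aws sts get-caller-identity --query Account --output text)
  # The identity rosa will use must live in the account the aws CLI is pointed at;
  # this catches a stale profile when several accounts are linked to the org.
  [ "$(arn_account_id "$arn")" = "$acct" ] \
    || { echo "rosa identity $arn is not in AWS account $acct (check --profile)" >&2; return 1; }
  echo "preflight ok: rosa $ver, identity $arn, account $acct"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` after exporting the variables above; with no argument it only defines the helpers.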
Run the rosa cli to create your cluster
You can run the command as provided in the output of the previous step to deploy in interactive mode. Add any other arguments to this command to suit your cluster, for example `--private-link` and `--subnet-ids=subnet-12345678,subnet-87654321`.

```bash
rosa create cluster --sts --cluster-name ${ROSA_CLUSTER_NAME} \
  --region ${REGION} --version ${VERSION} --mode auto -y
```
Validate the cluster is now installing

The State should have moved beyond `pending` and show `installing` or `ready`.

```bash
watch "rosa describe cluster -c $ROSA_CLUSTER_NAME"
```

Watch the install logs

```bash
rosa logs install -c $ROSA_CLUSTER_NAME --watch --tail 10
```
Validate the cluster
Once the cluster has finished installing we can validate that we can access it.

Create an Admin user

```bash
rosa create admin -c $ROSA_CLUSTER_NAME
```

Wait a few moments and run the `oc login` command it provides.
Cleanup
Delete the ROSA cluster
```bash
rosa delete cluster -c $ROSA_CLUSTER_NAME
```
Clean up the STS roles
Once the cluster is deleted we can delete the STS roles.
> Note: you can get the correct commands with the ID filled in from the output of the previous step.
```bash
rosa delete operator-roles -c <id> --yes --mode auto
rosa delete oidc-provider -c <id> --yes --mode auto
```