Cloud Experts Documentation

STS

Deploying ROSA in STS mode

Tip The official documentation for installing a ROSA cluster in STS mode can be found here . Quick Introduction by Ryan Niksch (AWS) and Shaozen Ding (Red Hat) on YouTubeexternal link (opens in new tab) STS allows us to deploy ROSA without needing a ROSA admin account, instead it uses roles and policies with Amazon STS (secure token service) to gain access to the AWS resources needed to install and operate the cluster.

Prerequisites Checklist to Deploy ROSA Cluster with STS

Background This is a quick checklist of prerequisites needed to spin up a classic Red Hat OpenShift Service on AWS (ROSA) cluster with STSexternal link (opens in new tab) . Note that this is a high level checklist and your implementation may vary. Before running the installation process, make sure that you deploy this from a machine that has access to: The API services for the cloud to which you provision.

Connect to RDS database with STS from ROSA

The Amazon Web Services Relational Database Service (AWS RDS) can be consumed from Red Hat OpenShift Service on AWS (ROSA) and authenticate to DB with Security Token Service (STS). This is a guide to quickly connect to RDS Database (Postgres engine) from ROSA. Amazon Web Services Relational Database Service Amazon Web Services Relational Database Service (AWS RDS) is a distributed relational database service by Amazon Web Services. It is designed to simplify setup, operation, and scaling of a relational database for use in applications.

Verify Permissions for ROSA STS Deployment

To proceed with the deployment of a ROSA cluster, an account must support the required roles and permissions. AWS Service Control Policies (SCPs) cannot block the API calls made by the installer or operator roles. Details about the IAM resources required for an STS-enabled installation of ROSA can be found here: https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html This guide is validated for ROSA v4.11.X. Prerequisites AWS CLIexternal link (opens in new tab) ROSA CLIexternal link (opens in new tab) v1.

STS OIDC in ROSA : How it works!

If you prefer a more visual medium, you can watch this video on YouTubeexternal link (opens in new tab) . This short video talks about how the STSexternal link (opens in new tab) OIDC flow work in ROSA (Red Hat OpenShift Service on AWS).

Deploying OpenShift API for Data Protection on a ROSA cluster

Prerequisites An STS enabled ROSA cluster Getting Started Create the following environment variables Change the cluster name to match your ROSA cluster and ensure you’re logged into the cluster as an Administrator. Ensure all fields are outputted correctly before moving on. export CLUSTER_NAME=my-cluster export ROSA_CLUSTER_ID=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id) export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id) export OIDC_ENDPOINT=$(oc get authentication.

Extending ROSA STS to include authentication with AWS Services

In this example we will deploy the Amazon Ingress Controller that uses ALBs, and configure it to use STS authentication. Deployment Configure STS Make sure your cluster has the pod identity webhook kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io pod-identity-webhook Download the IAM Policy for the AWS Load Balancer Hooks wget https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json Create AWS Role with inline policy aws iam create-role \ --role-name AWSLoadBalancerController --query Policy.Arn --output text Create AWS Policy and Service Account

Integrating with AWS resources using Pod Identity

Prerequisites ROSA CLI AWS CLI ROSA Cluster with STS

Creating a ROSA cluster with PrivateLink enabled (custom VPC) and STS

This is a combination of the private-link and sts setup documents to show the full picture Prerequisites AWS CLIexternal link (opens in new tab) Rosa CLIexternal link (opens in new tab) v1.1.7 jqexternal link (opens in new tab) AWS Preparation If this is a brand new AWS account that has never had a AWS Load Balancer installed in it, you should run the following aws iam create-service-linked-role --aws-service-name \ "elasticloadbalancing.

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2023 Red Hat, Inc.