Creating a ROSA cluster

Permissions

CAPA controller requires an API token in order to be able to provision ROSA clusters:

  1. Visit https://console.redhat.com/openshift/token to retrieve your API authentication token

  2. Create a credentials secret within the target namespace with the token to be referenced later by ROSAControlePlane

    kubectl create secret generic rosa-creds-secret \
      --from-literal=ocmToken='eyJhbGciOiJIUzI1NiIsI....' \
      --from-literal=ocmApiUrl='https://api.openshift.com' 
    

    Alternatively, you can edit CAPA controller deployment to provide the credentials:

    kubectl edit deployment -n capa-system capa-controller-manager
    

    and add the following environment variables to the manager container:

      env:
      - name: OCM_TOKEN
        value: "<token>"
      - name: OCM_API_URL
        value: "https://api.openshift.com" # or https://api.stage.openshift.com
    

Prerequisites

Follow the guide here up until Step 3 to install the required tools and setup the prerequisite infrastructure. Once Step 3 is done, you will be ready to proceed with creating a ROSA cluster using cluster-api.

Creating the cluster

  1. Prepare the environment:

    export OPENSHIFT_VERSION="4.14.5"
    export AWS_REGION="us-west-2"
    export AWS_AVAILABILITY_ZONE="us-west-2a"
    export AWS_ACCOUNT_ID="<account_id>"
    export AWS_CREATOR_ARN="<user_arn>" # can be retrieved e.g. using `aws sts get-caller-identity`
    
    export OIDC_CONFIG_ID="<oidc_id>" # OIDC config id creating previously with `rosa create oidc-config`
    export ACCOUNT_ROLES_PREFIX="ManagedOpenShift-HCP" # prefix used to create account IAM roles with `rosa create account-roles`
    export OPERATOR_ROLES_PREFIX="capi-rosa-quickstart"  # prefix used to create operator roles with `rosa create operator-roles --prefix <PREFIX_NAME>`
    
    # subnet IDs created earlier
    export PUBLIC_SUBNET_ID="subnet-0b54a1111111111111"   
    export PRIVATE_SUBNET_ID="subnet-05e72222222222222"
    
  2. Render the cluster manifest using the ROSA cluster template:

    clusterctl generate cluster <cluster-name> --from templates/cluster-template-rosa.yaml > rosa-capi-cluster.yaml
    

Note: The AWS role name must be no more than 64 characters in length. Otherwise an error will be returned. Truncate values exceeding 64 characters.

  1. If a credentials secret was created earlier, edit ROSAControlPlane to reference it:

    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
    kind: ROSAControlPlane
    metadata:
      name: "capi-rosa-quickstart-control-plane"
    spec:
      credentialsSecretRef:
        name: rosa-creds-secret
    ...
    
  2. Provide an AWS identity reference

    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
    kind: ROSAControlPlane
    metadata:
      name: "capi-rosa-quickstart-control-plane"
    spec:
      identityRef:
        kind: <IdentityType>
        name: <IdentityName>
    ...
    

    Otherwise, make sure the following AWSClusterControllerIdentity singleton exists in your management cluster:

    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: AWSClusterControllerIdentity
    metadata:
      name: "default"
    spec:
      allowedNamespaces: {}  # matches all namespaces
    

    see Multi-tenancy for more details

  3. Finally apply the manifest to create your Rosa cluster:

    kubectl apply -f rosa-capi-cluster.yaml
    

see ROSAControlPlane CRD Reference for all possible configurations.