Creating a ROSA cluster
Permissions
The CAPA controller requires an API token in order to provision ROSA clusters:
- Visit https://console.redhat.com/openshift/token to retrieve your API authentication token.
- Create a credentials secret within the target namespace containing the token, to be referenced later by ROSAControlPlane:
```bash
kubectl create secret generic rosa-creds-secret \
  --from-literal=ocmToken='eyJhbGciOiJIUzI1NiIsI....' \
  --from-literal=ocmApiUrl='https://api.openshift.com'
```
Alternatively, you can edit the CAPA controller deployment to provide the credentials:
```bash
kubectl edit deployment -n capa-system capa-controller-manager
```
and add the following environment variables to the manager container:
```yaml
env:
  - name: OCM_TOKEN
    value: "<token>"
  - name: OCM_API_URL
    value: "https://api.openshift.com" # or https://api.stage.openshift.com
```
Prerequisites
Follow the guide here up until Step 3 to install the required tools and set up the prerequisite infrastructure. Once Step 3 is done, you will be ready to proceed with creating a ROSA cluster using cluster-api.
Creating the cluster
- Prepare the environment:
```bash
export OPENSHIFT_VERSION="4.14.5"
export AWS_REGION="us-west-2"
export AWS_AVAILABILITY_ZONE="us-west-2a"
export AWS_ACCOUNT_ID="<account_id>"
export AWS_CREATOR_ARN="<user_arn>" # can be retrieved e.g. using `aws sts get-caller-identity`
export OIDC_CONFIG_ID="<oidc_id>" # OIDC config id created previously with `rosa create oidc-config`
export ACCOUNT_ROLES_PREFIX="ManagedOpenShift-HCP" # prefix used to create account IAM roles with `rosa create account-roles`
export OPERATOR_ROLES_PREFIX="capi-rosa-quickstart" # prefix used to create operator roles with `rosa create operator-roles --prefix <PREFIX_NAME>`
# subnet IDs created earlier
export PUBLIC_SUBNET_ID="subnet-0b54a1111111111111"
export PRIVATE_SUBNET_ID="subnet-05e72222222222222"
```
- Render the cluster manifest using the ROSA cluster template:
```bash
clusterctl generate cluster <cluster-name> --from templates/cluster-template-rosa.yaml > rosa-capi-cluster.yaml
```
Note: The AWS role name must be no more than 64 characters in length; otherwise an error will be returned. Truncate values exceeding 64 characters.
- If a credentials secret was created earlier, edit ROSAControlPlane to reference it:
```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: ROSAControlPlane
metadata:
  name: "capi-rosa-quickstart-control-plane"
spec:
  credentialsSecretRef:
    name: rosa-creds-secret
  ...
```
- Provide an AWS identity reference:
```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: ROSAControlPlane
metadata:
  name: "capi-rosa-quickstart-control-plane"
spec:
  identityRef:
    kind: <IdentityType>
    name: <IdentityName>
  ...
```
Otherwise, make sure the following AWSClusterControllerIdentity singleton exists in your management cluster:
```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSClusterControllerIdentity
metadata:
  name: "default"
spec:
  allowedNamespaces: {} # matches all namespaces
```
See Multi-tenancy for more details.
- Finally, apply the manifest to create your ROSA cluster:
```bash
kubectl apply -f rosa-capi-cluster.yaml
```
See the ROSAControlPlane CRD Reference for all possible configurations.
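The steps above export a set of variables and then hand them straight to `clusterctl`, so an unreplaced `<placeholder>`, a creator ARN from a different account, or a role prefix that is already past the 64-character limit only surfaces once the ROSAControlPlane fails to reconcile. The following pre-flight script is an added example, not part of the CAPA project or its templates; it checks those variables before the manifest is rendered. It relies on two AWS facts (account IDs are 12 digits; IAM ARNs have the form `arn:<partition>:iam::<account>:...`) and on one assumption: because the page does not list the per-role suffixes `rosa` appends to each prefix, the prefix length check is only a lower bound. The file name `preflight.sh` is hypothetical.

```shell
#!/bin/sh
# Added pre-flight check for the variables exported in "Prepare the environment".
# Example code, not part of the CAPA project: it catches unreplaced "<placeholder>"
# values, a creator ARN that does not belong to AWS_ACCOUNT_ID, and role prefixes
# that already exceed the AWS IAM role-name limit before clusterctl renders the manifest.

# AWS limit on IAM role names (the 64-character note in the guide above).
ROLE_NAME_MAX=64

# check_role_name_length NAME: succeeds when NAME fits the AWS IAM limit.
check_role_name_length() {
  [ "${#1}" -le "$ROLE_NAME_MAX" ]
}

# is_placeholder VALUE: succeeds when VALUE still looks like a doc placeholder
# such as "<account_id>", i.e. it was never replaced with a real value.
is_placeholder() {
  case "$1" in
    \<*\>) return 0 ;;
    *) return 1 ;;
  esac
}

# check_account_id ID: succeeds when ID is a 12-digit AWS account ID.
check_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# check_creator_arn ARN ID: succeeds when ARN is an IAM ARN (any partition)
# whose account component equals ID.
check_creator_arn() {
  case "$1" in
    arn:*:iam::"$2":*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_required_vars VAR...: succeeds when every named variable is set,
# non-empty and not a placeholder; reports each problem on stderr.
check_required_vars() {
  _bad=0
  for _v in "$@"; do
    eval "_val=\${$_v:-}"
    if [ -z "$_val" ]; then
      echo "unset or empty: $_v" >&2
      _bad=1
    elif is_placeholder "$_val"; then
      echo "placeholder not replaced: $_v=$_val" >&2
      _bad=1
    fi
  done
  return "$_bad"
}

# preflight: runs every check against the variables the quickstart exports.
# The prefix length check is only a lower bound (assumption): rosa appends a
# per-role suffix to each prefix, and those suffixes are not listed in the guide.
preflight() {
  check_required_vars OPENSHIFT_VERSION AWS_REGION AWS_AVAILABILITY_ZONE \
    AWS_ACCOUNT_ID AWS_CREATOR_ARN OIDC_CONFIG_ID ACCOUNT_ROLES_PREFIX \
    OPERATOR_ROLES_PREFIX PUBLIC_SUBNET_ID PRIVATE_SUBNET_ID || return 1
  check_account_id "$AWS_ACCOUNT_ID" || {
    echo "AWS_ACCOUNT_ID must be a 12-digit account ID" >&2; return 1; }
  check_creator_arn "$AWS_CREATOR_ARN" "$AWS_ACCOUNT_ID" || {
    echo "AWS_CREATOR_ARN is not an IAM ARN in account $AWS_ACCOUNT_ID" >&2; return 1; }
  for _p in "$ACCOUNT_ROLES_PREFIX" "$OPERATOR_ROLES_PREFIX"; do
    check_role_name_length "$_p" || {
      echo "role prefix longer than $ROLE_NAME_MAX characters: $_p" >&2; return 1; }
  done
  echo "preflight ok"
}

# Run the checks only when invoked as `sh preflight.sh --check` after the
# exports above; sourcing the file merely defines the functions.
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Run it as `sh preflight.sh --check` in the same shell session that performed the exports, before the `clusterctl generate cluster` step; a non-zero exit with the reason on stderr means the manifest should not be rendered yet.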