Creating a ROSA cluster


The CAPA controller needs an OpenShift Cluster Manager (OCM) API token before it can provision ROSA clusters:

  1. Visit to retrieve your API authentication token

  2. Create a credentials secret in the target namespace (the namespace the ROSAControlPlane will be created in) holding the token; the ROSAControlPlane references it later:

    kubectl create secret generic rosa-creds-secret \
      --namespace <namespace> \
      --from-literal=ocmToken='eyJhbGciOiJIUzI1NiIsI....' \
      --from-literal=ocmApiUrl='<ocm_api_url>'   # optional, the OCM API endpoint

    Note that `--from-literal` puts the token on the command line, where it is recorded in shell history and visible to other users of the host in the process list; prefer `--from-file=ocmToken=<path-to-token-file>` with a file readable only by you.

    Alternatively, you can edit the CAPA controller deployment to provide the credentials:

    kubectl edit deployment -n capa-system capa-controller-manager

    and add the following environment variables to the manager container (every ROSAControlPlane on the management cluster then shares this one token, so the secret per namespace is the better choice on shared management clusters):

      - name: OCM_TOKEN
        value: "<token>"
      - name: OCM_API_URL
        value: "<ocm_api_url>"  # the OCM API endpoint (production or staging)
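Because `--from-literal` leaves the token in shell history and in the process list, the following script builds the same Secret with the token read from stdin instead. It is an example added here, not code from cluster-api-provider-aws: the key names ocmToken and ocmApiUrl are the ones the secret above uses, while the namespace argument, the optional API URL argument and the whitespace stripping are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of cluster-api-provider-aws): emit the
# rosa-creds-secret manifest with the OCM token read from stdin, so the token
# never appears as a command-line argument. Pipe the output into
# `kubectl apply -f -`.

# b64: base64-encode stdin on a single line (GNU base64 wraps at 76 columns)
b64() {
  base64 | tr -d '\n'
}

# rosa_creds_manifest NAMESPACE [OCM_API_URL] < token_file
# Prints a Secret manifest for NAMESPACE. A trailing newline in the token
# file (left behind by `echo token > file`) is stripped, since a newline
# inside the token would make it invalid. The ocmApiUrl key is only written
# when a second argument is given (assumed optional, as in the env-var form).
rosa_creds_manifest() {
  _ns=$1
  _api_url=${2:-}
  _token=$(tr -d '\r\n')
  if [ -z "$_token" ]; then
    echo "rosa_creds_manifest: empty token on stdin" >&2
    return 1
  fi
  _token_b64=$(printf '%s' "$_token" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: rosa-creds-secret
  namespace: $_ns
type: Opaque
data:
  ocmToken: $_token_b64
EOF
  if [ -n "$_api_url" ]; then
    printf '  ocmApiUrl: %s\n' "$(printf '%s' "$_api_url" | b64)"
  fi
}

# Usage, with the token kept in a file that only you can read (mode 0600):
#   rosa_creds_manifest <namespace> < ~/.config/ocm/token | kubectl apply -f -
```

The manifest goes straight from the function to `kubectl apply` over a pipe, so the token is never written to a file the cluster-api tooling does not already need; keep the token file itself at mode 0600.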


Follow the guide here up to and including Step 3 to install the required tools and set up the prerequisite infrastructure. Once Step 3 is done, you are ready to create a ROSA cluster with cluster-api.

Creating the cluster

  1. Prepare the environment:

    export OPENSHIFT_VERSION="4.14.5"
    export AWS_REGION="us-west-2"
    export AWS_AVAILABILITY_ZONE="us-west-2a"
    export AWS_ACCOUNT_ID="<account_id>"
    export AWS_CREATOR_ARN="<user_arn>" # can be retrieved with `aws sts get-caller-identity`
    export OIDC_CONFIG_ID="<oidc_id>" # OIDC config ID created previously with `rosa create oidc-config`
    export ACCOUNT_ROLES_PREFIX="ManagedOpenShift-HCP" # prefix used to create the account IAM roles with `rosa create account-roles`
    export OPERATOR_ROLES_PREFIX="capi-rosa-quickstart"  # prefix used to create the operator roles with `rosa create operator-roles --prefix <PREFIX_NAME>`
    # subnet IDs created earlier
    export PUBLIC_SUBNET_ID="subnet-0b54a1111111111111"
    export PRIVATE_SUBNET_ID="subnet-05e72222222222222"
  2. Render the cluster manifest using the ROSA cluster template:

    clusterctl generate cluster <cluster-name> --from templates/cluster-template-rosa.yaml > rosa-capi-cluster.yaml

Note: AWS IAM role names are limited to 64 characters, and a longer name is rejected with an error. Truncate any role name in the rendered manifest that exceeds 64 characters so that it matches the name that was actually created.

  1. If a credentials secret was created earlier, edit the ROSAControlPlane in the rendered manifest to reference it:

    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
    kind: ROSAControlPlane
    metadata:
      name: "capi-rosa-quickstart-control-plane"
    spec:
      credentialsSecretRef:
        name: rosa-creds-secret
  2. Provide an AWS identity reference in the ROSAControlPlane spec:

    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
    kind: ROSAControlPlane
    metadata:
      name: "capi-rosa-quickstart-control-plane"
    spec:
      identityRef:
        kind: <IdentityType>
        name: <IdentityName>

    Otherwise, make sure the following AWSClusterControllerIdentity singleton exists in your management cluster:

    apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
    kind: AWSClusterControllerIdentity
    metadata:
      name: "default"
    spec:
      allowedNamespaces: {}  # matches all namespaces

    An empty `allowedNamespaces` matches every namespace, so any tenant on the management cluster can provision with the controller's own AWS credentials; on a shared management cluster, restrict it to the namespaces that need it. See Multi-tenancy for more details.

  3. Finally, apply the manifest to create your ROSA cluster:

    kubectl apply -f rosa-capi-cluster.yaml
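A pre-flight check for the variables exported in step 1 and for the 64-character role-name limit from the note above, added here as an example; it is not part of cluster-api-provider-aws or the rosa CLI. The two role-name suffixes it checks (an account role and the longest operator role) are assumed for illustration and should be replaced with the names rosa actually created in your account; the `preflight` function and its helper names are this example's own.

```shell
#!/bin/sh
# Added example (not part of cluster-api-provider-aws or rosa): validate the
# environment from step 1 before rendering and applying the cluster manifest.
# Run `preflight` after the exports; it reports the first problem on stderr.

MAX_ROLE_NAME_LEN=64   # AWS IAM limit for role names (see the note above)
REQUIRED_VARS="OPENSHIFT_VERSION AWS_REGION AWS_AVAILABILITY_ZONE AWS_ACCOUNT_ID \
AWS_CREATOR_ARN OIDC_CONFIG_ID ACCOUNT_ROLES_PREFIX OPERATOR_ROLES_PREFIX \
PUBLIC_SUBNET_ID PRIVATE_SUBNET_ID"

# missing_vars: print each required variable that is unset or empty, one per
# line; return 1 if any is missing
missing_vars() {
  _rc=0
  for _v in $REQUIRED_VARS; do
    eval "_val=\${$_v:-}"
    [ -n "$_val" ] || { echo "$_v"; _rc=1; }
  done
  return $_rc
}

# placeholder_left VALUE: return 0 if VALUE still contains an unreplaced <...>
placeholder_left() {
  case $1 in *'<'*'>'*) return 0 ;; *) return 1 ;; esac
}

# subnet_id_ok ID: return 0 if ID is "subnet-" followed by lowercase hex digits
subnet_id_ok() {
  case $1 in subnet-*) _hex=${1#subnet-} ;; *) return 1 ;; esac
  [ -n "$_hex" ] || return 1
  case $_hex in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# az_in_region AZ REGION: return 0 if AZ is REGION followed by one zone letter
az_in_region() {
  case $1 in "$2"[a-z]) return 0 ;; *) return 1 ;; esac
}

# role_name PREFIX SUFFIX: print "PREFIX-SUFFIX" cut to the IAM limit, which is
# the truncation the note asks for when the full name is longer than 64 chars
role_name() {
  printf '%s-%s' "$1" "$2" | cut -c1-"$MAX_ROLE_NAME_LEN"
}

# role_name_fits PREFIX SUFFIX: return 0 if "PREFIX-SUFFIX" needs no truncation
role_name_fits() {
  _full="$1-$2"
  [ "${#_full}" -le "$MAX_ROLE_NAME_LEN" ]
}

# preflight: run every check against the current environment; return 1 on the
# first hard failure, warn (but pass) when a role name must be truncated
preflight() {
  _missing=$(missing_vars) || {
    echo "unset variables: $(printf '%s ' $_missing)" >&2; return 1; }
  for _v in $REQUIRED_VARS; do
    eval "_val=\$$_v"
    if placeholder_left "$_val"; then
      echo "$_v still holds a <placeholder>" >&2; return 1
    fi
  done
  for _s in "$PUBLIC_SUBNET_ID" "$PRIVATE_SUBNET_ID"; do
    subnet_id_ok "$_s" || { echo "not a subnet ID: $_s" >&2; return 1; }
  done
  az_in_region "$AWS_AVAILABILITY_ZONE" "$AWS_REGION" ||
    { echo "$AWS_AVAILABILITY_ZONE is not a zone of $AWS_REGION" >&2; return 1; }
  # Assumed worst-case suffixes for illustration; substitute the role names
  # that `rosa create account-roles` / `rosa create operator-roles` reported.
  for _pair in "$ACCOUNT_ROLES_PREFIX:HCP-ROSA-Installer-Role" \
      "$OPERATOR_ROLES_PREFIX:openshift-cluster-csi-drivers-ebs-cloud-credentials"; do
    _p=${_pair%%:*}; _s=${_pair#*:}
    role_name_fits "$_p" "$_s" ||
      echo "warning: $_p-$_s exceeds $MAX_ROLE_NAME_LEN chars; use $(role_name "$_p" "$_s")" >&2
  done
  return 0
}
```

Run `preflight` right before `clusterctl generate cluster`; a placeholder left in `AWS_ACCOUNT_ID` or a subnet ID from the wrong region otherwise only surfaces as a reconciliation error on the ROSAControlPlane after `kubectl apply`.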

See the ROSAControlPlane CRD Reference for all possible configurations.