openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/albo-installation.adoc

217 lines
6.3 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * networking/networking_operators/aws-load-balancer-operator.adoc
:_mod-docs-content-type: PROCEDURE
[id="aws-load-balancer-operator-installation_{context}"]
= Installing the AWS Load Balancer Operator
[role="_abstract"]
You can install the AWS Load Balancer Operator by using the {oc-first}. Use the same terminal session you used in _Setting up your environment to install the AWS Load Balancer Operator_ to make use of the environment variables.
.Procedure
. Create a new project within your cluster for the AWS Load Balancer Operator:
+
[source,terminal]
----
$ oc new-project aws-load-balancer-operator
----
. Create an AWS IAM policy for the AWS Load Balancer Operator.
+
.. Download the appropriate IAM policy:
+
----
$ curl -o ${SCRATCH}/operator-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/refs/heads/main/hack/operator-permission-policy.json
----
+
.. Create the permission policy for the Operator:
+
[source,terminal]
----
$ aws iam create-policy \
--policy-name aws-load-balancer-operator-policy \
--policy-document file://${SCRATCH}/operator-permission-policy.json \
--region ${REGION}
----
+
Take note of the Operator policy ARN in the output. This is referred to as the `$OPERATOR_POLICY_ARN` for the remainder of this process.
. Create an AWS IAM role for the AWS Load Balancer Operator:
+
.. Create the trust policy for the Operator role:
+
[source,terminal,subs="quotes,verbatim"]
----
$ cat <<EOF > "${SCRATCH}/operator-trust-policy.json"
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Condition": {
"StringEquals" : {
"${OIDC_ENDPOINT}:sub": ["system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager", "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"]
}
},
"Principal": {
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
}
EOF
----
+
.. Create the Operator role using the trust policy:
+
[source,terminal]
----
$ aws iam create-role --role-name "${CLUSTER_NAME}-alb-operator" \
--assume-role-policy-document "file://${SCRATCH}/operator-trust-policy.json"
----
+
Take note of the Operator role ARN in the output. This is referred to as the `$OPERATOR_ROLE_ARN` for the remainder of this process.
+
.. Associate the Operator role and policy:
+
[source,terminal]
----
$ aws iam attach-role-policy --role-name "${CLUSTER_NAME}-alb-operator" \
--policy-arn $OPERATOR_POLICY_ARN
----
. Install the AWS Load Balancer Operator by creating an `OperatorGroup` and a `Subscription`:
+
[source,terminal,subs="quotes,verbatim"]
----
$ cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: aws-load-balancer-operator
namespace: aws-load-balancer-operator
spec:
targetNamespaces: []
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: aws-load-balancer-operator
namespace: aws-load-balancer-operator
spec:
channel: stable-v1
name: aws-load-balancer-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
config:
env:
- name: ROLEARN
value: "${OPERATOR_ROLE_ARN}"
EOF
----
. Create an AWS IAM policy for the AWS Load Balancer Controller.
+
.. Download the appropriate IAM policy:
+
[source,terminal]
----
$ curl -o ${SCRATCH}/controller-permission-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.12.0/docs/install/iam_policy.json
----
+
.. Create the permission policy for the Controller:
+
[source,terminal]
----
$ aws iam create-policy \
--region ${REGION} \
--policy-name aws-load-balancer-controller-policy \
--policy-document file://${SCRATCH}/controller-permission-policy.json
----
+
Take note of the Controller policy ARN in the output. This is referred to as the `$CONTROLLER_POLICY_ARN` for the remainder of this process.
. Create an AWS IAM role for the AWS Load Balancer Controller:
+
.. Create the trust policy for the Controller role:
+
[source,terminal]
----
$ cat <<EOF > ${SCRATCH}/controller-trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_ENDPOINT}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"
}
}
}
]
}
EOF
----
+
.. Create the Controller role using the trust policy:
+
[source,terminal]
----
CONTROLLER_ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-albo-controller" \ --assume-role-policy-document "file://${SCRATCH}/controller-trust-policy.json" \ --query Role.Arn --output text) echo ${CONTROLLER_ROLE_ARN}
----
+
Take note of the Controller role ARN in the output. This is referred to as the `$CONTROLLER_ROLE_ARN` for the remainder of this process.
+
.. Associate the Controller role and policy:
+
[source,terminal]
----
$ aws iam attach-role-policy \
--role-name "${CLUSTER_NAME}-albo-controller" \
--policy-arn ${CONTROLLER_POLICY_ARN}
----
. Deploy an instance of the AWS Load Balancer Controller:
+
[source,terminal]
----
$ cat << EOF | oc apply -f -
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
name: cluster
spec:
credentialsRequestConfig:
stsIAMRoleARN: ${CONTROLLER_ROLE_ARN}
EOF
----
+
[NOTE]
====
If you get an error here, wait a minute and try again. This situation happens because the Operator has not completed installation yet.
====
. Confirm that the Operator and Controller pods are both running:
+
[source,terminal]
----
$ oc -n aws-load-balancer-operator get pods
----
+
If you do not see output similar to the following, wait a few moments and retry.
+
.Example output
[source,terminal]
----
NAME READY STATUS RESTARTS AGE
aws-load-balancer-controller-cluster-6ddf658785-pdp5d 1/1 Running 0 99s
aws-load-balancer-operator-controller-manager-577d9ffcb9-w6zqn 2/2 Running 0 2m4s
----
View Git Blame Copy Permalink