mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
327 lines
10 KiB
Plaintext
327 lines
10 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/aws-load-balancer-operator.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="aws-installing-an-aws-load-balancer-operator_{context}"]
|
|
= Installing an AWS Load Balancer Operator
|
|
You can install an AWS Load Balancer Operator and an AWS Load Balancer Controller if you meet certain requirements.
|
|
|
|
.Prerequisites
|
|
|
|
* You have an existing {product-title} (ROSA) cluster with bring-your-own-VPC (BYO-VPC) configuration across multiple Availability Zones (AZs) installed in Hosted Control Plane (HCP) mode.
|
|
|
|
* You have access to the cluster as a user with the `dedicated-admin` role.
|
|
* You have access to modify the VPC and subnets of the created ROSA cluster.
|
|
* You have installed the ROSA CLI (`rosa`).
|
|
* You have installed the Amazon Web Services (AWS) CLI.
|
|
ifndef::openshift-rosa-hcp[]
|
|
* You are using {product-title} 4.13 or later.
|
|
endif::openshift-rosa-hcp[]
|
|
|
|
[IMPORTANT]
|
|
====
|
|
When installing an AWS Load Balancer Operator for use with a ROSA cluster in an AWS Local Zone (LZ), you must enable the AWS Local Zone for the account. Additionally, you must ensure that AWS Elastic Load Balancing v2 (ELBv2) services exist in the AWS Local Zone.
|
|
====
|
|
|
|
.Procedure
|
|
|
|
. Identify the cluster infrastructure ID and the cluster OpenID Connect (OIDC) DNS by running the following commands:
|
|
+
|
|
.. Identify the ROSA cluster ID:
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ rosa describe cluster --cluster=<cluster_name> | grep -i 'Infra ID'
|
|
----
|
|
+
|
|
or
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ oc get infrastructure cluster -o json | jq -r '.status.infrastructureName'
|
|
----
|
|
+
|
|
.. Identify the ROSA cluster OIDC DNS by using the following `rosa` CLI command:
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ rosa describe cluster --cluster=<cluster_name> | grep -i OIDC <1>
|
|
----
|
|
<1> An OIDC DNS example is `oidc.op1.openshiftapps.com/28q7fsn54m2jjts3kd556aij4mu9omah`.
|
|
+
|
|
or
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}"
|
|
----
|
|
+
|
|
.. Locate the OIDC Amazon Resource Name (ARN) information on the AWS Web Console by navigating to *IAM* *Access management* *Identity providers*. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`.
|
|
+
|
|
.. Save the output from the commands. You will use this information in future steps within this procedure.
|
|
|
|
. Create the AWS IAM policy required for the AWS Load Balancer Operator by using the AWS CLI.
|
|
+
|
|
.. Log in to the ROSA cluster as a user with the `dedicated-admin` role and create a new project using the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc new-project aws-load-balancer-operator
|
|
----
|
|
+
|
|
.. Assign the following trust policy to the newly-created AWS IAM role:
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ IDP='{Cluster_OIDC_Endpoint}'
|
|
----
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}" <1>
|
|
----
|
|
<1> Replace `{AWS_AccountNo}` with your AWS account number and `{Cluster_OIDC_Endpoint}` with the OIDC DNS identified earlier in this procedure.
|
|
+
|
|
.. Verify that the trust policy was assigned to the AWS IAM role.
|
|
+
|
|
.Example output
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
$ cat <<EOF > albo-operator-trusted-policy.json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Federated": "${IDP_ARN}"
|
|
},
|
|
"Action": "sts:AssumeRoleWithWebIdentity",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
----
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
Do not include the `https` portion of the OIDC DNS URL when replacing `{Cluster_OIDC_Endpoint}` with the OIDC DNS you identified earlier. Only the alphanumeric information that follows the `/` within the URL is needed.
|
|
====
|
|
+
|
|
.. Create and verify the role by using the generated trust policy:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ OPERATOR_ROLE_ARN=$(aws iam get-role --role-name albo-operator --output json | jq -r '.Role.Arn')
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ echo $OPERATOR_ROLE_ARN
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
ROLE arn:aws:iam::<aws_account_number>:role/albo-operator 2023-08-02T12:13:22Z
|
|
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
|
|
STATEMENT sts:AssumeRoleWithWebIdentity Allow
|
|
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager
|
|
PRINCIPAL arn:aws:iam:<aws_account_number>:oidc-provider/<oidc_provider_id>
|
|
----
|
|
+
|
|
[NOTE]
|
|
====
|
|
Where `arn` of the AWS IAM role was created for the AWS Load Balancer Operator, such as `arn:aws:iam::777777777777:role/albo-operator`.
|
|
====
|
|
+
|
|
.. Attach the operator's permission policy to the role:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -o albo-operator-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/release-1.1/hack/operator-permission-policy.json
|
|
$ aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-albo-operator --policy-document file://albo-operator-permission-policy.json
|
|
----
|
|
|
|
. Create the AWS IAM policy required for the AWS Load Balancer Controller by using the AWS CLI:
|
|
+
|
|
.. Generate a trust policy file for your identity provider. The following example uses OpenID Connect:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ IDP='{Cluster_OIDC_Endpoint}'
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}"
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat <<EOF > albo-controller-trusted-policy.json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Federated": "${IDP_ARN}"
|
|
},
|
|
"Action": "sts:AssumeRoleWithWebIdentity",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
----
|
|
+
|
|
.. Create and verify the role by using the generated trust policy:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
|
|
$ CONTROLLER_ROLE_ARN=$(aws iam get-role --role-name albo-controller --output json | jq -r '.Role.Arn')
|
|
$ echo $CONTROLLER_ROLE_ARN
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
ROLE arn:aws:iam::<aws_account_number>:role/albo-controller 2023-08-02T12:13:22Z
|
|
ASSUMEROLEPOLICYDOCUMENT 2012-10-17
|
|
STATEMENT sts:AssumeRoleWithWebIdentity Allow
|
|
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager
|
|
PRINCIPAL arn:aws:iam:<aws_account_number>:oidc-provider/<oidc_provider_id>
|
|
----
|
|
+
|
|
[NOTE]
|
|
====
|
|
Where `arn` of the AWS IAM role that was created for the AWS Load Balancer Controller, such as `arn:aws:iam::777777777777:role/albo-controller`.
|
|
====
|
|
+
|
|
.. Attach the controller's permission policy to the role:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json
|
|
$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
|
|
----
|
|
|
|
. For a ROSA with HCP cluster, add the tags necessary for subnet discovery:
|
|
+
|
|
.. Add the following `{Key: Value}` tag to the VPC hosting the ROSA cluster and to all its subnets. Replace `{Cluster Infra ID}` with the Infra ID specified previously:
|
|
+
|
|
[source,terminal,subs="quotes,verbatim"]
|
|
----
|
|
kubernetes.io/cluster/${Cluster Infra ID}:owned
|
|
----
|
|
+
|
|
.. Add the following ELBv2 `{Key: Value}` tags to the private subnets and, optionally, to the public subnets:
|
|
+
|
|
* Private subnets: `kubernetes.io/role/internal-elb:1`
|
|
* Public subnets: `kubernetes.io/role/elb:1`
|
|
+
|
|
[NOTE]
|
|
====
|
|
Internet-facing and internal load balancers will be created within the AWS Availability Zone to which these subnets belong.
|
|
====
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
ELBv2 resources (such as ALBs and NLBs) created by AWS Load Balancer Operator do not inherit custom tags set for ROSA clusters. You must set tags separately for these resources.
|
|
====
|
|
// TODO OSDOCS-11830: Is the above still true?
|
|
|
|
. Create the AWS Load Balancer Operator by completing the following steps:
|
|
+
|
|
.. Create an `OperatorGroup` object by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat <<EOF | oc apply -f -
|
|
apiVersion: operators.coreos.com/v1
|
|
kind: OperatorGroup
|
|
metadata:
|
|
name: aws-load-balancer-operator
|
|
namespace: aws-load-balancer-operator
|
|
spec:
|
|
targetNamespaces: []
|
|
EOF
|
|
----
|
|
+
|
|
.. Create a `Subscription` object by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat <<EOF | oc apply -f -
|
|
apiVersion: operators.coreos.com/v1alpha1
|
|
kind: Subscription
|
|
metadata:
|
|
name: aws-load-balancer-operator
|
|
namespace: aws-load-balancer-operator
|
|
spec:
|
|
channel: stable-v1
|
|
name: aws-load-balancer-operator
|
|
source: redhat-operators
|
|
sourceNamespace: openshift-marketplace
|
|
config:
|
|
env:
|
|
- name: ROLEARN
|
|
value: "<operator_role_arn>" <1>
|
|
EOF
|
|
----
|
|
<1> Specifies the ARN role for the {aws-short} Load Balancer Operator. The `CredentialsRequest` object uses this ARN role to provision the {aws-short} credentials. An example of `<operator_role_arn>` is `arn:aws:iam::<aws_account_number>:role/albo-operator`.
|
|
|
|
. Create the AWS Load Balancer Controller:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.olm.openshift.io/v1
|
|
kind: AWSLoadBalancerController
|
|
metadata:
|
|
name: cluster
|
|
spec:
|
|
subnetTagging: Manual
|
|
credentialsRequestConfig:
|
|
stsIAMRoleARN: <controller_role_arn>
|
|
----
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
Because AWS Load Balancer Controllers do not support creating AWS Load Balancers (ALBs) associated with both AWS Availability Zones and AWS Local Zones, ROSA clusters can have ALBs associated exclusively with either AWS Local Zones or AWS Availability Zones but not both simultaneously.
|
|
====
|
|
|
|
.Verification
|
|
|
|
. Confirm a successful installation by running the following commands:
|
|
+
|
|
.. Gather information about pods within the project:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pods -n aws-load-balancer-operator
|
|
----
|
|
+
|
|
.. View the logs within the project:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc logs -n aws-load-balancer-operator deployment/aws-load-balancer-operator-controller-manager -c manager
|
|
----
|