Search

Chapter 3. AWS Load Balancer Operator

download PDF

The AWS Load Balancer Operator (ALBO) is an Operator supported by Red Hat that users can optionally install on SRE-managed Red Hat OpenShift Service on AWS (ROSA) clusters. The ALBO manages the lifecycle of the AWS-managed AWS Load Balancer Controller (ALBC) that provisions AWS Elastic Load Balancing v2 (ELBv2) services for applications running in ROSA clusters.

3.1. Installing an AWS Load Balancer Operator

You can install an AWS Load Balancer Operator (ALBO) if you meet certain requirements.

Prerequisites

  • You have an existing Red Hat OpenShift Service on AWS (ROSA) cluster with bring-your-own-VPC (BYO-VPC) configuration across multiple availability zones (AZ) installed in STS mode.
  • You have access to the cluster as a user with the dedicated-admin role.
  • You have access to modify the VPC and subnets of the created ROSA cluster.
  • You have installed the ROSA CLI (rosa).
  • You have installed the Amazon Web Services (AWS) CLI.
  • You have installed the OpenShift CLI (oc).
  • You are using OpenShift Container Platform (OCP) 4.13 or later.
Important

When installing an ALBO for use with a ROSA cluster in an AWS Local Zone (LZ), you must enable the AWS LZ for the account, and AWS Elastic Load Balancing v2 (ELBv2) services must be available in the AWS LZ.

Procedure

  1. Identify the cluster infrastructure ID and the cluster OpenID Connect (OIDC) DNS by running the following commands:

    1. Identify the ROSA cluster INFRA ID:

      $ rosa describe cluster --cluster=<cluster_name> | grep -i 'Infra ID'

      or

      $ oc get infrastructure cluster -o json | jq -r '.status.infrastructureName'
    2. Identify the ROSA cluster OIDC DNS:

      $ rosa describe cluster --cluster=<cluster_name> | grep -i 'OIDC'

      Save the output from the commands. You will use this information in future steps within this procedure.

  2. Create the AWS IAM policy required for the ALBO:

    1. Log in to the ROSA cluster as a user with the dedicated-admin role and create a new project using the following command:

      $ oc new-project aws-load-balancer-operator
    2. Assign the following trust policy to the newly-created AWS IAM role:

      $ IDP='{Cluster_OIDC_Endpoint}'
      $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}" 1
      $ cat <<EOF > albo-operator-trusted-policy.json
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Federated": "${IDP_ARN}"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                      "StringEquals": {
                          "${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
                      }
                  }
              }
          ]
      }
      EOF
      1
      Replace '{AWS_AccountNo}' with your AWS account number and '{Cluster_OIDC_Endpoint}' with the OIDC DNS identified earlier in this procedure.
      Important

      Do not include the https portion of the OIDC DNS URL when replacing {Cluster_OIDC_Endpoint} with the OIDC DNS you identified earlier. Only the alphanumeric information that follows the / within the URL is needed.

      For more information on assigning trust policies to AWS IAM roles, see How to use trust policies with IAM roles.

    3. Create and verify the role by using the generated trust policy:

      $ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
      $ OPERATOR_ROLE_ARN=$(aws iam get-role --role-name albo-operator --output json | jq -r '.Role.Arn')
      $ echo $OPERATOR_ROLE_ARN

      For more information on creating AWS IAM roles, see Creating IAM roles.

    4. Attach the operator’s permission policy to the role:

      $ curl -o albo-operator-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/release-1.1/hack/operator-permission-policy.json
      $ aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-albo-operator --policy-document file://albo-operator-permission-policy.json

      For more information on adding AWS IAM permissions to AWS IAM roles, see Adding and removing IAM identity permissions.

    5. Generate the operator’s AWS credentials:

      $ cat <<EOF> albo-operator-aws-credentials.cfg
      [default]
      sts_regional_endpoints = regional
      role_arn = ${OPERATOR_ROLE_ARN}
      web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
      EOF

      For more information about formatting credentials files, see Using manual mode with Amazon Web Services Security Token Service.

    6. Create the operator’s credentials secret with the generated AWS credentials:

      $ oc -n aws-load-balancer-operator create secret generic aws-load-balancer-operator --from-file=credentials=albo-operator-aws-credentials.cfg
  3. Create the AWS IAM policy required for the AWS Load Balancer Controller (ALBC):

    1. Generate a trust policy file for your identity provider. The following example uses OpenID Connect:

      $ IDP='{Cluster_OIDC_Endpoint}'
      $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}"
      $ cat <<EOF > albo-controller-trusted-policy.json
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Federated": "${IDP_ARN}"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                      "StringEquals": {
                          "${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"
                      }
                  }
              }
          ]
      }
      EOF
    2. Create and verify the role by using the generated trust policy:

      $ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
      $ CONTROLLER_ROLE_ARN=$(aws iam get-role --role-name albo-controller --output json | jq -r '.Role.Arn')
      $ echo $CONTROLLER_ROLE_ARN
    3. Attach the controller’s permission policy to the role:

      $ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json
      $ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
    4. Generate the controller’s AWS credentials:

      $ cat <<EOF > albo-controller-aws-credentials.cfg
      [default]
      sts_regional_endpoints = regional
      role_arn = ${CONTROLLER_ROLE_ARN}
      web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
      EOF
    5. Create the controller’s credentials secret by using the generated AWS credentials:

      $ oc -n aws-load-balancer-operator create secret generic aws-load-balancer-controller-cluster --from-file=credentials=albo-controller-aws-credentials.cfg
  4. Add the tags necessary for subnet discovery:

    1. Add the following {Key: Value} tag to the VPC hosting the ROSA cluster and to all its subnets. Replace {Cluster Infra ID} with the Infra ID specified previously:

      * kubernetes.io/cluster/${Cluster Infra ID}:owned
    2. Add the following ELBv2 {Key: Value} tags to the private subnets and, optionally, to the public subnets:

      • Private subnets: kubernetes.io/role/internal-elb:1
      • Public subnets: kubernetes.io/role/elb:1

        Note

        Internet-facing and internal load balancers will be created within the AZ to which these subnets belong.

        For more information on adding tags to AWS resources, including VPCs and subnets, see Tag your Amazon EC2 resources.

        Important

        ELBv2 resources (such as ALBs and NLBs) created by ALBO do not inherit custom tags set for ROSA clusters. You must set tags separately for these resources.

  5. Create ALBO:

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    spec:
      upgradeStrategy: Default
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    spec:
      channel: stable-v1.0
      installPlanApproval: Automatic
      name: aws-load-balancer-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      startingCSV: aws-load-balancer-operator.v1.0.0
  6. Create an AWS ALBC:

    apiVersion: networking.olm.openshift.io/v1
    kind: AWSLoadBalancerController
    metadata:
      name: cluster
    spec:
      subnetTagging: Manual
      credentials:
        name: aws-load-balancer-controller-cluster
    Important

    Because AWS ALBCs do not support creating ALBs associated with both AZs and AWS LZs, ROSA clusters can have ALBs associated exclusively with either AWS LZs or AZs but not both simultaneously.

    For more information regarding AWS ALBC configurations, see the following topics:

Verification

  • Confirm successful installation by running the following commands:

    1. Gather information about pods within the project:

      $ oc get pods -n aws-load-balancer-operator
    2. View the logs within the project:

      $ oc logs -n aws-load-balancer-operator deployment/aws-load-balancer-operator-controller-manager -c manager

      For detailed instructions on verifying that the ELBv2 was created for the application running in the ROSA cluster, see Creating an instance of AWS Load Balancer Controller.

3.2. Uninstalling an AWS Load Balancer Operator

To uninstall an AWS Load Balancer Operator (ALBO) and perform an overall cleanup of the associated resources, perform the following procedure.

Procedure

  1. Clean up the sample application by deleting the Load Balancers created and managed by the ALBO. For more information about deleting Load Balancers, see Delete an Application Load Balancer.
  2. Clean up the AWS VPC tags by removing the VPC tags that were added to the subnets for discovering subnets and for creating Application Load Balancers (ALBs). For more information, see Tag basics.
  3. Clean up ALBO components by deleting both the ALBO and the Application Load Balancer Controller (ALBC). For more information, see Deleting Operators from a cluster.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.