Início
Produtos
Red Hat OpenShift Service on AWS
4
Tutorials
Chapter 11. Tutorial: Using AWS Controllers for Kubernetes on Red Hat OpenShift Service on AWS

Este conteúdo não está disponível no idioma selecionado.

Chapter 11. Tutorial: Using AWS Controllers for Kubernetes on Red Hat OpenShift Service on AWS

AWS Controllers for Kubernetes (ACK) lets you define and use AWS service resources directly from Red Hat OpenShift Service on AWS. With ACK, you can take advantage of AWS-managed services for your applications without needing to define resources outside of the cluster or run services that provide supporting capabilities such as databases or message queues within the cluster.

You can install various ACK Operators directly from OperatorHub. This makes it easy to get started and use the Operators with your applications. This controller is a component of the AWS Controller for Kubernetes project, which is currently in developer preview.

Use this tutorial to deploy the ACK S3 Operator. You can also adapt it for any other ACK Operator in the OperatorHub of your cluster.

11.1. Prerequisites
Copiar o link

A Red Hat OpenShift Service on AWS cluster
A user account with cluster-admin privileges
The OpenShift CLI (oc)
The Amazon Web Services (AWS) CLI (aws)

11.2. Setting up your environment
Copiar o link

Configure the following environment variables, changing the cluster name to suit your cluster:

export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
export REGION=$(rosa describe cluster -c ${ROSA_CLUSTER_NAME} --output json | jq -r .region.id)
export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed  's|^https://||')
export AWS_ACCOUNT_ID=`aws sts get-caller-identity --query Account --output text`
export ACK_SERVICE=s3
export ACK_SERVICE_ACCOUNT=ack-${ACK_SERVICE}-controller
export POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3FullAccess
export AWS_PAGER=""
export SCRATCH="/tmp/${ROSA_CLUSTER_NAME}/ack"
mkdir -p ${SCRATCH}

$ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
$ export REGION=$(rosa describe cluster -c ${ROSA_CLUSTER_NAME} --output json | jq -r .region.id)
$ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed  's|^https://||')
$ export AWS_ACCOUNT_ID=`aws sts get-caller-identity --query Account --output text`
$ export ACK_SERVICE=s3
$ export ACK_SERVICE_ACCOUNT=ack-${ACK_SERVICE}-controller
$ export POLICY_ARN=arn:aws:iam::aws:policy/AmazonS3FullAccess
$ export AWS_PAGER=""
$ export SCRATCH="/tmp/${ROSA_CLUSTER_NAME}/ack"
$ mkdir -p ${SCRATCH}

Copy to Clipboard

Toggle word wrap

Ensure all fields output correctly before moving to the next section:

echo "Cluster: ${ROSA_CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"

$ echo "Cluster: ${ROSA_CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"

Copy to Clipboard

Toggle word wrap

11.3. Preparing your AWS Account
Copiar o link

Create an AWS Identity Access Management (IAM) trust policy for the ACK Operator:

cat <<EOF > "${SCRATCH}/trust-policy.json"
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Condition": {
   "StringEquals" : {
     "${OIDC_ENDPOINT}:sub": "system:serviceaccount:ack-system:${ACK_SERVICE_ACCOUNT}"
   }
 },
 "Principal": {
   "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity"
 }
 ]
}
EOF

$ cat <<EOF > "${SCRATCH}/trust-policy.json"
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Condition": {
   "StringEquals" : {
     "${OIDC_ENDPOINT}:sub": "system:serviceaccount:ack-system:${ACK_SERVICE_ACCOUNT}"
   }
 },
 "Principal": {
   "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity"
 }
 ]
}
EOF

Copy to Clipboard

Toggle word wrap

Create an AWS IAM role for the ACK Operator to assume with the AmazonS3FullAccess policy attached:

Note

You can find the recommended policy in each project’s GitHub repository, for example https://github.com/aws-controllers-k8s/s3-controller/blob/main/config/iam/recommended-policy-arn.

ROLE_ARN=$(aws iam create-role --role-name "ack-${ACK_SERVICE}-controller" \
   --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
   --query Role.Arn --output text)
echo $ROLE_ARN
aws iam attach-role-policy --role-name "ack-${ACK_SERVICE}-controller" \
     --policy-arn ${POLICY_ARN}

$ ROLE_ARN=$(aws iam create-role --role-name "ack-${ACK_SERVICE}-controller" \
   --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
   --query Role.Arn --output text)
$ echo $ROLE_ARN

$ aws iam attach-role-policy --role-name "ack-${ACK_SERVICE}-controller" \
     --policy-arn ${POLICY_ARN}

Copy to Clipboard

Toggle word wrap

11.4. Installing the ACK S3 Controller
Copiar o link

Create a project to install the ACK S3 Operator into:
```
oc new-project ack-system
```
```
$ oc new-project ack-system
```
Copy to Clipboard Toggle word wrap

Create a file with the ACK S3 Operator configuration:

Note

ACK_WATCH_NAMESPACE is purposefully left blank so the controller can properly watch all namespaces in the cluster.

cat << EOF  "${SCRATCH}/config.txt"
ACK_ENABLE_DEVELOPMENT_LOGGING=true
ACK_LOG_LEVEL=debug
ACK_WATCH_NAMESPACE=
AWS_REGION=${REGION}
AWS_ENDPOINT_URL=
ACK_RESOURCE_TAGS=${CLUSTER_NAME}
ENABLE_LEADER_ELECTION=true
LEADER_ELECTION_NAMESPACE=
RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS=1
FEATURE_FLAGS=
FEATURE_GATES=
EOF

$ cat << EOF  "${SCRATCH}/config.txt"
ACK_ENABLE_DEVELOPMENT_LOGGING=true
ACK_LOG_LEVEL=debug
ACK_WATCH_NAMESPACE=
AWS_REGION=${REGION}
AWS_ENDPOINT_URL=
ACK_RESOURCE_TAGS=${CLUSTER_NAME}
ENABLE_LEADER_ELECTION=true
LEADER_ELECTION_NAMESPACE=
RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS=1
FEATURE_FLAGS=
FEATURE_GATES=
EOF

Copy to Clipboard

Toggle word wrap

Use the file from the previous step to create a ConfigMap:

oc -n ack-system create configmap \
  --from-env-file=${SCRATCH}/config.txt ack-${ACK_SERVICE}-user-config

$ oc -n ack-system create configmap \
  --from-env-file=${SCRATCH}/config.txt ack-${ACK_SERVICE}-user-config

Copy to Clipboard

Toggle word wrap

Install the ACK S3 Operator from OperatorHub:

cat << EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ack-${ACK_SERVICE}-controller
  namespace: ack-system
spec:
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ack-${ACK_SERVICE}-controller
  namespace: ack-system
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: ack-${ACK_SERVICE}-controller
  source: community-operators
  sourceNamespace: openshift-marketplace
EOF

$ cat << EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ack-${ACK_SERVICE}-controller
  namespace: ack-system
spec:
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ack-${ACK_SERVICE}-controller
  namespace: ack-system
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: ack-${ACK_SERVICE}-controller
  source: community-operators
  sourceNamespace: openshift-marketplace
EOF

Copy to Clipboard

Toggle word wrap

Annotate the ACK S3 Operator service account with the AWS IAM role to assume and restart the deployment:

oc -n ack-system annotate serviceaccount ${ACK_SERVICE_ACCOUNT} \
  eks.amazonaws.com/role-arn=${ROLE_ARN} && \
  oc -n ack-system rollout restart deployment ack-${ACK_SERVICE}-controller

$ oc -n ack-system annotate serviceaccount ${ACK_SERVICE_ACCOUNT} \
  eks.amazonaws.com/role-arn=${ROLE_ARN} && \
  oc -n ack-system rollout restart deployment ack-${ACK_SERVICE}-controller

Copy to Clipboard

Toggle word wrap

Verify that the ACK S3 Operator is running:

oc -n ack-system get pods

$ oc -n ack-system get pods

Copy to Clipboard

Toggle word wrap

Example output

NAME                                 READY   STATUS    RESTARTS   AGE
ack-s3-controller-585f6775db-s4lfz   1/1     Running   0          51s

NAME                                 READY   STATUS    RESTARTS   AGE
ack-s3-controller-585f6775db-s4lfz   1/1     Running   0          51s

Copy to Clipboard

Toggle word wrap

11.5. Validating the deployment
Copiar o link

Deploy an S3 bucket resource:

cat << EOF | oc apply -f -
apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
   name: ${CLUSTER-NAME}-bucket
   namespace: ack-system
spec:
   name: ${CLUSTER-NAME}-bucket
EOF

$ cat << EOF | oc apply -f -
apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
   name: ${CLUSTER-NAME}-bucket
   namespace: ack-system
spec:
   name: ${CLUSTER-NAME}-bucket
EOF

Copy to Clipboard

Toggle word wrap

Verify the S3 bucket was created in AWS:

aws s3 ls | grep ${CLUSTER_NAME}-bucket

$ aws s3 ls | grep ${CLUSTER_NAME}-bucket

Copy to Clipboard

Toggle word wrap

Example output

2023-10-04 14:51:45 mrmc-test-maz-bucket

2023-10-04 14:51:45 mrmc-test-maz-bucket

Copy to Clipboard

Toggle word wrap

11.6. Cleaning up
Copiar o link

Delete the S3 bucket resource:

oc -n ack-system delete bucket.s3.services.k8s.aws/${CLUSTER-NAME}-bucket

$ oc -n ack-system delete bucket.s3.services.k8s.aws/${CLUSTER-NAME}-bucket

Copy to Clipboard

Toggle word wrap

Delete the ACK S3 Operator and the AWS IAM roles:

oc -n ack-system delete subscription ack-${ACK_SERVICE}-controller
aws iam detach-role-policy \
  --role-name "ack-${ACK_SERVICE}-controller" \
  --policy-arn ${POLICY_ARN}
aws iam delete-role \
  --role-name "ack-${ACK_SERVICE}-controller"

$ oc -n ack-system delete subscription ack-${ACK_SERVICE}-controller
$ aws iam detach-role-policy \
  --role-name "ack-${ACK_SERVICE}-controller" \
  --policy-arn ${POLICY_ARN}
$ aws iam delete-role \
  --role-name "ack-${ACK_SERVICE}-controller"

Copy to Clipboard

Toggle word wrap

Delete the ack-system project:
```
oc delete project ack-system
```
```
$ oc delete project ack-system
```
Copy to Clipboard Toggle word wrap

Voltar ao topo

Este conteúdo não está disponível no idioma selecionado.

Chapter 11. Tutorial: Using AWS Controllers for Kubernetes on Red Hat OpenShift Service on AWS

11.1. Prerequisites
Copiar o link

11.2. Setting up your environment
Copiar o link

11.3. Preparing your AWS Account
Copiar o link

11.4. Installing the ACK S3 Controller
Copiar o link

11.5. Validating the deployment
Copiar o link

11.6. Cleaning up
Copiar o link

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Este conteúdo não está disponível no idioma selecionado.

Chapter 11. Tutorial: Using AWS Controllers for Kubernetes on Red Hat OpenShift Service on AWS

11.1. PrerequisitesCopiar o linkLink copiado para a área de transferência!

11.2. Setting up your environmentCopiar o linkLink copiado para a área de transferência!

11.3. Preparing your AWS AccountCopiar o linkLink copiado para a área de transferência!

11.4. Installing the ACK S3 ControllerCopiar o linkLink copiado para a área de transferência!

11.5. Validating the deploymentCopiar o linkLink copiado para a área de transferência!

11.6. Cleaning upCopiar o linkLink copiado para a área de transferência!

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

11.1. Prerequisites
Copiar o link

11.2. Setting up your environment
Copiar o link

11.3. Preparing your AWS Account
Copiar o link

11.4. Installing the ACK S3 Controller
Copiar o link

11.5. Validating the deployment
Copiar o link

11.6. Cleaning up
Copiar o link