Chapter 4. Creating an AWS-STS-backed backing store


Amazon Web Services Security Token Service (AWS STS) is an AWS feature that provides a way to authenticate with short-lived credentials. Creating an AWS-STS-backed backing store involves the following:

  • Creating an AWS role using a script, which helps obtain temporary security credentials for the role session
  • Installing the OpenShift Data Foundation Operator on an AWS STS OpenShift cluster
  • Creating a backing store in the AWS STS OpenShift cluster

4.1. Creating an AWS role using a script

When installing the OpenShift Data Foundation operator, you need to create a role and pass the role Amazon Resource Name (ARN).

Prerequisites

Procedure

  • Create an AWS role using a script that matches the Multicloud Object Gateway (MCG) configuration on OpenShift Data Foundation.

    The following example shows the details required to create the role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::123456789123:oidc-provider/mybucket-oidc.s3.us-east-2.amazonaws.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "mybucket-oidc.s3.us-east-2.amazonaws.com:sub": [
                            "system:serviceaccount:openshift-storage:noobaa",
                            "system:serviceaccount:openshift-storage:noobaa-core",
                            "system:serviceaccount:openshift-storage:noobaa-endpoint"
                        ]
                    }
                }
            }
        ]
    }

    where

    123456789123
    is the AWS account ID
    mybucket
    is the bucket name (using a public bucket configuration)
    us-east-2
    is the AWS region
    openshift-storage
    is the namespace name

Example script

#!/bin/bash
set -x

# This is a sample script to help you deploy MCG on AWS STS cluster.
# This script shows how to create role-policy and then create the role in AWS.
# For more information see: https://docs.openshift.com/rosa/authentication/assuming-an-aws-iam-role-for-a-service-account.html

# WARNING: This is a sample script. You need to adjust the variables based on your requirement.

# Variables :
# user variables - REPLACE these variables with your values:
ROLE_NAME="<role-name>" # role name that you pick in your AWS account
NAMESPACE="<namespace>" # namespace name where MCG is running. For OpenShift Data Foundation, it is openshift-storage.

# MCG variables
SERVICE_ACCOUNT_NAME_1="noobaa" # The service account name of deployment operator
SERVICE_ACCOUNT_NAME_2="noobaa-endpoint" # The service account name of deployment endpoint
SERVICE_ACCOUNT_NAME_3="noobaa-core" # The service account name of statefulset core

# AWS variables
# Make sure these values are not empty (AWS_ACCOUNT_ID, OIDC_PROVIDER)
# AWS_ACCOUNT_ID is your AWS account number
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
# If you want to create the role before using the cluster, replace this field too.
# The OIDC provider is in the structure:
# 1) <OIDC-bucket>.s3.<aws-region>.amazonaws.com. for OIDC bucket configurations are in an S3 public bucket
# 2) `<characters>.cloudfront.net` for OIDC bucket configurations in an S3 private bucket with a public CloudFront distribution URL
OIDC_PROVIDER=$(oc get authentication cluster -ojson | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")
# the permission (S3 full access)
POLICY_ARN_STRINGS="arn:aws:iam::aws:policy/AmazonS3FullAccess"

# Creating the role (with AWS command line interface)

read -r -d '' TRUST_RELATIONSHIP <<EOF
{
 "Version": "2012-10-17",
 "Statement": [
   {
 	"Effect": "Allow",
 	"Principal": {
   	"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
 	},
 	"Action": "sts:AssumeRoleWithWebIdentity",
 	"Condition": {
   	"StringEquals": {
    	"${OIDC_PROVIDER}:sub": [
      	"system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_1}",
      	"system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_2}",
        "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT_NAME_3}"
      	]
   	}
 	}
   }
 ]
}
EOF

echo "${TRUST_RELATIONSHIP}" > trust.json

aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://trust.json --description "role for demo"

while IFS= read -r POLICY_ARN; do
   echo -n "Attaching $POLICY_ARN ... "
   aws iam attach-role-policy \
   	--role-name "$ROLE_NAME" \
   	--policy-arn "${POLICY_ARN}"
   echo "ok."
done <<< "$POLICY_ARN_STRINGS"
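As an added example (not part of this document or of the MCG tooling), the following Python builds the same trust policy the script writes to trust.json and audits an existing policy for the scoping this chapter relies on: only tokens whose `sub` claim names the three MCG service accounts may assume the role, so a Federated principal that is not an OIDC provider, a missing `<provider>:sub` condition or an unexpected subject is reported. The account ID, provider host and namespace are constructed sample values taken from the placeholders above.

```python
import json

# Constructed sample values mirroring the placeholders in the trust policy above.
ACCOUNT_ID = "123456789123"
OIDC_PROVIDER = "mybucket-oidc.s3.us-east-2.amazonaws.com"
NAMESPACE = "openshift-storage"
MCG_SERVICE_ACCOUNTS = ("noobaa", "noobaa-endpoint", "noobaa-core")


def mcg_subjects(namespace, service_accounts=MCG_SERVICE_ACCOUNTS):
    """The 'sub' claims carried by the projected tokens of MCG's service accounts."""
    return [f"system:serviceaccount:{namespace}:{sa}" for sa in service_accounts]


def build_trust_policy(account_id, oidc_provider, namespace):
    """Build the AssumeRoleWithWebIdentity trust policy the sample script writes to trust.json."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{oidc_provider}:sub": mcg_subjects(namespace)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])


def audit_trust_policy(policy, expected_subjects):
    """Return findings for every web-identity Allow statement; [] means only MCG can assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not isinstance(federated, str) or "oidc-provider/" not in federated:
            findings.append("Federated principal is not an IAM OIDC provider ARN")
            continue
        provider = federated.split("oidc-provider/", 1)[1]
        # Without a :sub condition, any token issued by this provider can assume the role.
        subs = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get(f"{provider}:sub"))
        if not subs:
            findings.append(f"no StringEquals condition on {provider}:sub")
            continue
        findings.extend(f"unexpected subject {sub}" for sub in subs if sub not in expected_subjects)
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_ID, OIDC_PROVIDER, NAMESPACE), indent=2))
```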

4.1.1. Installing the OpenShift Data Foundation Operator on an AWS STS OpenShift cluster

Prerequisites

Procedure

  • Install the OpenShift Data Foundation Operator from the Operator Hub.

    • During installation, add the role ARN in the ARN Details field.
    • Ensure that the Update approval field is set to Manual.

4.1.2. Creating a new AWS STS backing store

Prerequisites

Procedure

  1. Install the Multicloud Object Gateway (MCG).

    It installs the default backing store using short-lived credentials.

  2. Once the MCG system is ready, you can create additional backing stores of type aws-sts-s3 using the following MCG command line interface command:

    $ noobaa backingstore create aws-sts-s3 <backingstore-name> --aws-sts-arn=<aws-sts-role-arn> --region=<region> --target-bucket=<target-bucket>

    where

    backingstore-name
    is the name of the backing store
    aws-sts-role-arn
    is the AWS STS role ARN that will assume the role
    region
    is the AWS bucket region
    target-bucket
    is the target bucket name on the cloud