11 May 2024 在rosa部署alb和waf


准备环境变量

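export AWS_PAGER=""

#######################################
# Recover the cluster name from the infrastructure name by dropping the
# 5-character random suffix ROSA appends ("<name>-abc12" -> "<name>").
# Note: "{5}" is literal in a basic sed regex, so written without -E (or
# without escaped braces) the suffix is never stripped and CLUSTER_NAME keeps
# the suffix; every tag key and role name built from it is then wrong.
# Arguments: $1 - infrastructure name
# Outputs:   cluster name on stdout
#######################################
cluster_name_from_infra() {
  printf '%s\n' "$1" | sed -E 's/-[a-z0-9]{5}$//'
}

# Read cluster identity, region and OIDC issuer from the live cluster rather
# than typing them, so later steps tag the right VPC and trust the right issuer.
INFRA_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}")
CLUSTER_NAME=$(cluster_name_from_infra "${INFRA_NAME}")
REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
# The IAM trust policy wants the issuer host without the "https://" scheme.
OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export CLUSTER_NAME REGION OIDC_ENDPOINT AWS_ACCOUNT_ID

# Working directory for the generated policy and trust documents.
export SCRATCH="/tmp/${CLUSTER_NAME}/alb-waf"
mkdir -p "${SCRATCH}"
printf 'Cluster: %s, Region: %s, OIDC Endpoint: %s, AWS Account ID: %s\n' \
  "${CLUSTER_NAME}" "${REGION}" "${OIDC_ENDPOINT}" "${AWS_ACCOUNT_ID}"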

给vpc和subnet添加tag

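# Fill these in from the VPC the cluster runs in. Subnet IDs are bash arrays so
# several IDs reach one create-tags call as separate arguments instead of
# relying on unquoted word-splitting of a space-separated string.
export VPC_ID="<vpc-id>"
PUBLIC_SUBNET_IDS=("<public-subnet-id>" "<public-subnet-id>")
PRIVATE_SUBNET_IDS=("<private-subnet-id>" "<private-subnet-id>")

# Tag keys the load balancer controller looks up (see the ROSA tutorial under
# "ref"): kubernetes.io/cluster/<name> marks ownership, role/elb marks public
# subnets and role/internal-elb marks private ones.
# If CLUSTER_NAME is empty the key collapses to "kubernetes.io/cluster/", which
# silently tags the resources for no cluster at all — check the echo from the
# environment step before running this.
aws ec2 create-tags --region "${REGION}" --resources "${VPC_ID}" \
  --tags "Key=kubernetes.io/cluster/${CLUSTER_NAME},Value=owned"
aws ec2 create-tags --region "${REGION}" --resources "${PUBLIC_SUBNET_IDS[@]}" \
  --tags "Key=kubernetes.io/role/elb,Value="
aws ec2 create-tags --region "${REGION}" --resources "${PRIVATE_SUBNET_IDS[@]}" \
  --tags "Key=kubernetes.io/role/internal-elb,Value="

aws ec2 create-tags --region "${REGION}" --resources "${PUBLIC_SUBNET_IDS[@]}" \
  --tags "Key=kubernetes.io/cluster/${CLUSTER_NAME},Value="
aws ec2 create-tags --region "${REGION}" --resources "${PRIVATE_SUBNET_IDS[@]}" \
  --tags "Key=kubernetes.io/cluster/${CLUSTER_NAME},Value="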

创建role和policy

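oc new-project aws-load-balancer-operator

# Re-use the operator IAM policy when an earlier run already created it;
# otherwise create it from the MOBB policy document. The line continuations
# below are required — each aws invocation is one command.
POLICY_ARN=$(aws iam list-policies \
  --query "Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
  --output text)
if [[ -z "${POLICY_ARN}" ]]; then
  # The document comes from the "main" branch, so its contents can change
  # between runs. Read the downloaded file before it becomes an IAM policy,
  # and prefer pinning the URL to a specific commit for repeatable deployments.
  wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
    https://raw.githubusercontent.com/rh-mobb/documentation/main/content/docs/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
  POLICY_ARN=$(aws --region "${REGION}" --query Policy.Arn --output text \
    iam create-policy \
    --policy-name aws-load-balancer-operator-policy \
    --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json")
fi
printf '%s\n' "${POLICY_ARN}"

# IRSA trust policy: only the two operator service accounts named in the
# StringEquals condition may assume the role through the cluster's OIDC
# provider. The heredoc is intentionally unquoted so the issuer and account
# ID are expanded.
cat <<EOF > "${SCRATCH}/trust-policy.json"
{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Condition": {
   "StringEquals" : {
     "${OIDC_ENDPOINT}:sub": ["system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager", "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"]
   }
 },
 "Principal": {
   "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity"
 }
 ]
}
EOF

# Role name derived from the cluster name; the original hard-coded
# "mgt-371ceo-alb-operator". Set ROLE_NAME beforehand to keep a custom name.
ROLE_NAME="${ROLE_NAME:-${CLUSTER_NAME}-alb-operator}"

# On a re-run create-role fails with EntityAlreadyExists and ROLE_ARN would be
# empty, leaving the Secret below with an empty role_arn. Look the role up
# first; get-role's "not found" error is hidden on purpose.
if ! ROLE_ARN=$(aws iam get-role --role-name "${ROLE_NAME}" --query Role.Arn --output text 2>/dev/null); then
  ROLE_ARN=$(aws iam create-role --role-name "${ROLE_NAME}" \
    --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
    --query Role.Arn --output text)
fi

printf '%s\n' "${ROLE_ARN}"

aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn "${POLICY_ARN}"
# AmazonEC2FullAccess is far broader than the scoped operator policy attached
# above; verify whether the scoped policy alone is sufficient before granting it.
aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

# Credentials the operator reads: an AWS profile that assumes ROLE_ARN with the
# projected service-account token (no static access keys stored in the cluster).
cat << EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
stringData:
  credentials: |
    [default]
    role_arn = $ROLE_ARN
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
EOF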

部署aws load balancer operator

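# OperatorGroup + Subscription install the AWS Load Balancer Operator from the
# redhat-operators catalog, on the stable-v1.0 channel starting at v1.0.0.
# The heredoc is quoted: nothing in it needs shell expansion.
cat <<'EOF' | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
spec:
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
spec:
  channel: stable-v1.0
  installPlanApproval: Automatic
  name: aws-load-balancer-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: aws-load-balancer-operator.v1.0.0
EOF

# The AWSLoadBalancerController CRD is registered by the operator, so applying
# the CR straight after the Subscription fails with "no matches for kind".
# Poll for the CRD (bounded at ~5 minutes) before creating the controller.
crd=awsloadbalancercontrollers.networking.olm.openshift.io
for ((i = 0; i < 60; i++)); do
  oc get crd "${crd}" >/dev/null 2>&1 && break
  # Exit status 1 means "not found yet"; anything else (e.g. 127, oc missing)
  # is not worth waiting on.
  (( $? == 1 )) || break
  sleep 5
done

# credentials.name must match the Secret created in the
# aws-load-balancer-operator namespace; AWSWAFv2 enables the WAFv2 web ACL
# association for Ingresses (the reason for this deployment).
cat <<'EOF' | oc apply -f -
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  credentials:
    name: aws-load-balancer-operator
  enabledAddons:
    - AWSWAFv2
EOF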

验证部署

$ k get po
NAME                                                             READY   STATUS    RESTARTS   AGE
aws-load-balancer-controller-cluster-58cf55c64c-cqhdq            1/1     Running   0          5m8s
aws-load-balancer-operator-controller-manager-746c4cf4cc-94dcn   2/2     Running   0          5m30s

ref

  • https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-using-alb-and-waf.html
