OSDOCS-11830 Split Networking content for ROSA with HCP #88279
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
/test all |
openshift-ci
bot
added
the
size/M
|
🤖 Tue Jun 03 09:22:55 - Prow CI generated the docs preview: |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
594734d to
967e87d
Compare
openshift-ci
bot
added
size/L
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
2 times, most recently
from
d420027 to
4037186
Compare
|
/test all |
| * For troubleshooting routes with externally managed certificates, check the {product-title} router pod logs for errors, see xref:../../support/troubleshooting/investigating-pod-issues.adoc[Investigating pod issues]. |
There was a problem hiding this comment.
🤖 [error] OpenShiftAsciiDoc.XrefContainsAnchorID: The xref is missing an anchor ID.
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
4037186 to
14951d8
Compare
|
/test all |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
14951d8 to
93aa8de
Compare
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
3 times, most recently
from
755a062 to
7f1540c
Compare
|
/test all |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
7f1540c to
5842b2e
Compare
|
/test all |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
5842b2e to
99917d2
Compare
openshift-merge-robot
added
the
needs-rebase
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
99917d2 to
412d771
Compare
openshift-merge-robot
removed
the
needs-rebase
|
/test all |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
2 times, most recently
from
3efb15e to
0855f95
Compare
|
/test all |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
84d5fac to
c52a497
Compare
openshift-ci
bot
added
size/XXL
|
/test all |
1 similar comment
|
/test all |
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
c52a497 to
ca5c547
Compare
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
ca5c547 to
cd8b108
Compare
|
/test all |
laubai
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc
Outdated
Show resolved
Hide resolved
| @@ -93,12 +112,12 @@ $ aws ec2 create-tags \ | |||
| --region ${REGION} | |||
There was a problem hiding this comment.
This command fails with the above Variable:
An error occurred (InvalidID) when calling the CreateTags operation: The ID 'subnet-09731120e976e8580 subnet-0c18738ade8ebe7e7 subnet-06b27cfc96002f754' is not valid
This will only happen for customers using Z shell (zsh) instead of Bourne Again Shell (bash), but zsh is the default for any Macbook user which could cause some confusion for a lot of people following this guide. Unfortunately, there's not a clean answer for this. We have three options:
- Make a big highlight warning saying that the user must use the
bashshell - Turn this section into a little bash script that we ask the customer to create and then run rather than putting the commands into the shell directly (I think this is the simplest)
- Rewrite the commands to try and be shell agnostic (this is also tricky)
If we go with option 2, then we'd change this section to be:
Create a small script to tag your subnets:
cat <<EOF > "${SCRATCH}/tag-subnets.sh"
#!/bin/bash
aws ec2 create-tags \
--resources ${PUBLIC_SUBNET_IDS} \
--tags Key=kubernetes.io/role/elb,Value='' \
--region ${REGION}
aws ec2 create-tags \
--resources ${PRIVATE_SUBNET_IDS} \
--tags Key=kubernetes.io/role/internal-elb,Value='' \
--region ${REGION}
EOF
Execute the script. The reason for this step is due to differences in bash versus zsh
bash ${SCRATCH}/tag-subnets.sh
There was a problem hiding this comment.
Agree option 2 makes sense here but I think for the most part we do assume a Bash shell for better and worse; will check with the rest of the openshift team re. execution environment.
Alternatively, could we recommend something generic like "If you use a zsh terminal instead of a bash terminal, prefix all commands in this doc with bash to ensure the appropriate environment is used"?
| @@ -93,12 +112,12 @@ $ aws ec2 create-tags \ | |||
| --region ${REGION} | |||
| ---- | |||
|
|
|||
| . Add a tag to your private subnets: | |||
| . Tag your private subnets to allow changes by internal elastic load balancing roles: | |||
There was a problem hiding this comment.
If we go with the script option above then this bit can go too
| --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json") | ||
| fi | ||
| $ echo $POLICY_ARN | ||
| $ aws iam create-policy \ |
There was a problem hiding this comment.
I recommend putting back the check on the POLICY_ARN to see if it exists first. If the policy already exists, the new command will fail and subsequent commands will then fail. This will work:
OPERATOR_POLICY_ARN =$(aws iam list-policies --query \
"Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
--output text)
if [[ -z "${OPERATOR_POLICY_ARN}" ]]; then
OPERATOR_POLICY_ARN =$(aws iam create-policy \
--query Policy.Arn --output text \
--policy-name aws-load-balancer-operator-policy \
--policy-document file://${SCRATCH}/operator-permission-policy.json \
--region ${REGION})
fi
echo $OPERATOR_POLICY_ARN
There was a problem hiding this comment.
I removed this initially because the output didn't ever seem to let the create-policy command succeed, and it didn't tell you anything about a failure - whereas if you just run the create-policy command and it fails, it at least provides you with an error message that you can use for further troubleshooting.
@andyrepton Would it make sense to check for an existing policy up front and tell the user to edit an existing policy if it exists? e.g. "NOTE: If the policy already exists, review and edit the existing policy to include the appropriate permissions. For more information, see Edit IAM policies in the AWS documentation.
There was a problem hiding this comment.
This is why we have the echo there at the end, if the command fails then it'll return something other than the ARN. Would it be ok to add a note saying to confirm the ARN looks correct before proceeding?
| ---- | ||
| + | ||
| . Create a secret for the AWS Load Balancer Operator to assume our newly created AWS IAM role: | ||
| Take note of the Operator role ARN in the output. This is referred to as the `$OPERATOR_ROLE_ARN` for the remainder of this process. |
There was a problem hiding this comment.
I recommend explicitly setting the OPERATOR_ROLE_ARN here, either via something like this:
Export the OPERATOR_ROLE_ARN variable:
export OPERATOR_ROLE_ARN=$your_role_arn
Or in the create role command like was originally there:
OPERATOR_ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-alb-operator" \
--assume-role-policy-document "file://${SCRATCH}/operator-trust-policy.json" \
--query Role.Arn --output text)
echo ${OPERATOR_ROLE_ARN}
Otherwise the user may proceed to installing the operator later without ever checking that this variable was set and being confused as to why it isn't working
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift | ||
| $ aws iam create-policy \ | ||
| --region "$REGION" \ |
There was a problem hiding this comment.
Recommend changing to ${REGION} to be consistent with the rest of the document
modules/albo-installation.adoc
Outdated
| $ aws iam create-policy \ | ||
| --region "$REGION" \ | ||
| --policy-name aws-load-balancer-controller-policy \ | ||
| --policy-document file://${SCRATCH}controller-permission-policy.json |
There was a problem hiding this comment.
This is missing a /, which causes it to fail. I also recommend the same as above, and setting the CONTROLLER_POLICY_ARN to be the output of the command. Suggested edit:
CONTROLLER_POLICY_ARN=$(aws iam list-policies --query \
"Policies[?PolicyName=='aws-load-balancer-controller-policy'].{ARN:Arn}" \
--output text)
if [[ -z "${CONTROLLER_POLICY_ARN}" ]]; then
CONTROLLER_POLICY_ARN=$(aws iam create-policy \
--query Policy.Arn --output text \
--policy-name aws-load-balancer-controller-policy \
--policy-document file://${SCRATCH}/controller-permission-policy.json \
--region ${REGION})
fi
echo ${CONTROLLER_POLICY_ARN}
There was a problem hiding this comment.
I suspect this depends on whether you've set a fully qualified path for ${SCRATCH} or not, will see if I or another writer can re-test
[EDIT] Oh wait you mean after the SCRATCH env var not before it - on it!
| port: | ||
| number: 80 | ||
| EOF | ||
| $ aws iam create-role --role-name ${CLUSTER_NAME}-albo-controller \ |
There was a problem hiding this comment.
Same as above, missing the / on the document file. Suggested change to be consistent with above:
CONTROLLER_ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-albo-controller" \
--assume-role-policy-document "file://${SCRATCH}/controller-trust-policy.json" \
--query Role.Arn --output text)
echo ${CONTROLLER_ROLE_ARN}
| { | ||
| "Effect": "Allow", | ||
| "Principal": { | ||
| "Federated": "${OIDC_ARN}" |
There was a problem hiding this comment.
OIDC_ARN has not been set in this document. To keep consistency set it the same way as above. Correct line:
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
laubai
force-pushed
the
osdocs-11830-hcp-networking-split
branch
from
cd8b108 to
1b9b084
Compare
|
@laubai: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Version(s): 4.17+
Issue:
https://issues.redhat.com/browse/OSDOCS-11830
Link to docs preview:
QE review: