
11 May 2024 Deploying ALB and WAF on ROSA

俊采
Published 2024-05-16 16:39:57
This article is part of the column: LEo的网络日志

Prepare environment variables

export AWS_PAGER=""
export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed  's|^https://||')
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export SCRATCH="/tmp/${CLUSTER_NAME}/alb-waf"
mkdir -p ${SCRATCH}
echo "Cluster: ${CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"

Tag the VPC and subnets

export VPC_ID=<vpc-id>
export PUBLIC_SUBNET_IDS=<public-subnets>
export PRIVATE_SUBNET_IDS=<private-subnets>

aws ec2 create-tags --resources ${VPC_ID} --tags Key=kubernetes.io/cluster/${CLUSTER_NAME},Value=owned --region ${REGION}
aws ec2 create-tags --resources ${PUBLIC_SUBNET_IDS} --tags Key=kubernetes.io/role/elb,Value='' --region ${REGION}
aws ec2 create-tags --resources ${PRIVATE_SUBNET_IDS} --tags Key=kubernetes.io/role/internal-elb,Value='' --region ${REGION}

aws ec2 create-tags --resources ${PUBLIC_SUBNET_IDS} --tags Key=kubernetes.io/cluster/${CLUSTER_NAME},Value='' --region ${REGION}
aws ec2 create-tags --resources ${PRIVATE_SUBNET_IDS} --tags Key=kubernetes.io/cluster/${CLUSTER_NAME},Value='' --region ${REGION}

Create the IAM role and policy

oc new-project aws-load-balancer-operator
# Reuse the policy if it already exists in the account; otherwise create it from the MOBB policy document
POLICY_ARN=$(aws iam list-policies --query \
    "Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
    --output text)
if [[ -z "${POLICY_ARN}" ]]; then
    wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
        https://raw.githubusercontent.com/rh-mobb/documentation/main/content/docs/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
    POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
        --output text iam create-policy \
        --policy-name aws-load-balancer-operator-policy \
        --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json")
fi
echo "$POLICY_ARN"

cat <<EOF > "${SCRATCH}/trust-policy.json"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "${OIDC_ENDPOINT}:sub": [
            "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager",
            "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"
          ]
        }
      },
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
EOF

ROLE_ARN=$(aws iam create-role --role-name "mgt-371ceo-alb-operator" --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" --query Role.Arn --output text)

echo $ROLE_ARN

aws iam attach-role-policy --role-name "mgt-371ceo-alb-operator" --policy-arn $POLICY_ARN
aws iam attach-role-policy --role-name "mgt-371ceo-alb-operator" --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

cat << EOF | oc apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
stringData:
  credentials: |
    [default]
    role_arn = $ROLE_ARN
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
EOF
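As an added check that is not part of the original post, the following Python verifies that the trust-policy.json rendered above is pinned to this cluster's OIDC provider and to exactly the two operator service accounts before the role is created; the OIDC endpoint and account id are constructed placeholders, and render_trust_policy only reproduces the page's heredoc for testing.

```python
import json

# Constructed placeholders standing in for the page's ${OIDC_ENDPOINT} and
# $AWS_ACCOUNT_ID; they are not real values.
OIDC_ENDPOINT = "oidc.example.invalid/PLACEHOLDER"
AWS_ACCOUNT_ID = "111111111111"
EXPECTED_SUBJECTS = {
    "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager",
    "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster",
}


def render_trust_policy(oidc_endpoint, account_id, subjects, operator="StringEquals"):
    """Render the trust policy the page's heredoc writes to trust-policy.json."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Condition": {operator: {f"{oidc_endpoint}:sub": sorted(subjects)}},
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
        }],
    })


def check_trust_policy(doc, oidc_endpoint, account_id, expected_subjects):
    """Return findings; an empty list means only the expected service accounts,
    via this cluster's OIDC provider, can assume the role."""
    findings = []
    statements = json.loads(doc).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"
    for n, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Federated") != provider_arn:
            findings.append(f"statement {n}: Federated principal is not this cluster's OIDC provider")
        actions = st.get("Action", [])
        if ([actions] if isinstance(actions, str) else actions) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {n}: Action must be exactly sts:AssumeRoleWithWebIdentity")
        subs = st.get("Condition", {}).get("StringEquals", {}).get(f"{oidc_endpoint}:sub")
        if subs is None:
            # Without an exact match on :sub (e.g. StringLike with a wildcard, or no
            # condition at all) other workloads in the cluster could satisfy the trust.
            findings.append(f"statement {n}: no StringEquals condition on {oidc_endpoint}:sub")
            continue
        if ({subs} if isinstance(subs, str) else set(subs)) != set(expected_subjects):
            findings.append(f"statement {n}: :sub subjects differ from the expected service accounts")
    return findings
```

Run check_trust_policy on the file written to ${SCRATCH}/trust-policy.json with the real endpoint and account id; any finding means the role would be assumable more widely than the two operator service accounts.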

Deploy the AWS Load Balancer Operator

cat << EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
spec:
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
spec:
  channel: stable-v1.0
  installPlanApproval: Automatic
  name: aws-load-balancer-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: aws-load-balancer-operator.v1.0.0
EOF

cat << EOF | oc apply -f -
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  credentials:
    name: aws-load-balancer-operator
  enabledAddons:
    - AWSWAFv2
EOF

Verify the deployment

$ k get po
NAME                                                             READY   STATUS    RESTARTS   AGE
aws-load-balancer-controller-cluster-58cf55c64c-cqhdq            1/1     Running   0          5m8s
aws-load-balancer-operator-controller-manager-746c4cf4cc-94dcn   2/2     Running   0          5m30s

ref

  • https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-using-alb-and-waf.html