
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

Load balancers created by the AWS Load Balancer Operator cannot be used for OpenShift Routes, and should only be used for individual Service or Ingress resources that do not need the full Layer 7 capabilities of an OpenShift Route.

The AWS Load Balancer Controller manages AWS Elastic Load Balancers for a Red Hat OpenShift Service on AWS (ROSA) cluster. The controller provisions an AWS Application Load Balancer (ALB) when you create a Kubernetes Ingress resource, and an AWS Network Load Balancer (NLB) when you create a Kubernetes Service resource of type LoadBalancer.

Compared with the default AWS in-tree load balancer provider, this controller is developed with advanced annotations for both ALBs and NLBs. Some of the advanced use cases are:

  • Native Kubernetes Ingress objects with ALBs

  • Integrate ALBs with the AWS Web Application Firewall (WAF) service

  • Specify custom NLB source IP ranges

  • Specify custom NLB internal IP addresses

The AWS Load Balancer Operator is used to install, manage and configure an instance of aws-load-balancer-controller in a ROSA cluster.

Prerequisites

AWS ALBs require a multi-AZ cluster, as well as three public subnets split across three AZs in the same VPC as the cluster. This makes ALBs unsuitable for many PrivateLink clusters. AWS NLBs do not have this restriction.

Environment

  • Prepare the environment variables

    $ export AWS_PAGER=""
    $ export ROSA_CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"  | sed 's/-[a-z0-9]\{5\}$//')
    $ export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
    $ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed  's|^https://||')
    $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    $ export SCRATCH="/tmp/${ROSA_CLUSTER_NAME}/alb-operator"
    $ mkdir -p ${SCRATCH}
    $ echo "Cluster: ${ROSA_CLUSTER_NAME}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"

AWS VPC and subnets

This section only applies to clusters that have been deployed into an existing VPC. If you did not deploy your cluster into an existing VPC, skip this section and proceed to the installation section below.

  1. Set the following variables to the correct values for your ROSA deployment

    $ export VPC_ID=<vpc-id>
    $ export PUBLIC_SUBNET_IDS=<public-subnets>
    $ export PRIVATE_SUBNET_IDS=<private-subnets>
    $ export CLUSTER_NAME=$(oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}")
  2. Tag your cluster's VPC with the cluster name

    $ aws ec2 create-tags --resources ${VPC_ID} --tags Key=kubernetes.io/cluster/${CLUSTER_NAME},Value=owned --region ${REGION}
  3. Tag your public subnets

    $ aws ec2 create-tags \
         --resources ${PUBLIC_SUBNET_IDS} \
         --tags Key=kubernetes.io/role/elb,Value='' \
         --region ${REGION}
  4. Tag your private subnets

    $ aws ec2 create-tags \
         --resources "${PRIVATE_SUBNET_IDS}" \
         --tags Key=kubernetes.io/role/internal-elb,Value='' \
         --region ${REGION}
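The prerequisites and the tagging steps above are what the controller's subnet discovery depends on: public subnets carry kubernetes.io/role/elb, private subnets carry kubernetes.io/role/internal-elb, and the VPC carries kubernetes.io/cluster/<cluster-name>=owned. The following Python audit is an added example, not part of this guide or of the operator. It runs over constructed samples shaped like aws ec2 describe-subnets and aws ec2 describe-vpcs output (the subnet IDs, VPC ID, AZs and cluster name are made up) and reports subnets whose tags would let the controller place a load balancer where it should not, or that leave too few AZs for an ALB. Treating MapPublicIpOnLaunch as "this subnet is public" is a heuristic; the route table is authoritative.

```python
"""Audit the VPC and subnet tags the AWS Load Balancer Controller relies on.
Added example; inputs below are constructed samples, not real AWS output."""
import json

ELB_TAG = "kubernetes.io/role/elb"                 # public subnets (internet-facing LBs)
INTERNAL_ELB_TAG = "kubernetes.io/role/internal-elb"  # private subnets (internal LBs)

# Constructed sample shaped like `aws ec2 describe-subnets --filters Name=vpc-id,Values=$VPC_ID`.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-0a1", "VpcId": "vpc-0ex", "AvailabilityZone": "us-east-1a",
     "MapPublicIpOnLaunch": True, "Tags": [{"Key": ELB_TAG, "Value": ""}]},
    {"SubnetId": "subnet-0a2", "VpcId": "vpc-0ex", "AvailabilityZone": "us-east-1b",
     "MapPublicIpOnLaunch": True, "Tags": [{"Key": ELB_TAG, "Value": ""}]},
    # public subnet that was never tagged: the ALB will not be able to use its AZ
    {"SubnetId": "subnet-0a3", "VpcId": "vpc-0ex", "AvailabilityZone": "us-east-1c",
     "MapPublicIpOnLaunch": True, "Tags": []},
    {"SubnetId": "subnet-0b1", "VpcId": "vpc-0ex", "AvailabilityZone": "us-east-1a",
     "MapPublicIpOnLaunch": False, "Tags": [{"Key": INTERNAL_ELB_TAG, "Value": ""}]},
    # private subnet mis-tagged with the public role: an internet-facing LB could land here
    {"SubnetId": "subnet-0b2", "VpcId": "vpc-0ex", "AvailabilityZone": "us-east-1b",
     "MapPublicIpOnLaunch": False, "Tags": [{"Key": ELB_TAG, "Value": ""}]},
]})

# Constructed sample shaped like `aws ec2 describe-vpcs --vpc-ids $VPC_ID`; cluster tag absent.
SAMPLE_DESCRIBE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-0ex", "Tags": [{"Key": "Name", "Value": "demo-vpc"}]},
]})


def tags_of(resource):
    """Flatten the AWS Tags list into a dict."""
    return {t["Key"]: t.get("Value", "") for t in resource.get("Tags", [])}


def audit_subnets(describe_output, required_public_azs=3):
    """Return a list of findings; empty means the tagging matches what the guide sets up.
    required_public_azs follows the guide's stated ALB prerequisite of three public AZs."""
    findings = []
    public_azs = set()
    for s in json.loads(describe_output)["Subnets"]:
        tags, sid = tags_of(s), s["SubnetId"]
        if s.get("MapPublicIpOnLaunch", False):   # heuristic for "public"
            if ELB_TAG in tags:
                public_azs.add(s["AvailabilityZone"])
            else:
                findings.append(f"{sid}: public subnet missing {ELB_TAG}")
            if INTERNAL_ELB_TAG in tags:
                findings.append(f"{sid}: public subnet carries {INTERNAL_ELB_TAG}")
        else:
            if INTERNAL_ELB_TAG not in tags:
                findings.append(f"{sid}: private subnet missing {INTERNAL_ELB_TAG}")
            if ELB_TAG in tags:
                findings.append(f"{sid}: private subnet carries {ELB_TAG}; "
                                "an internet-facing load balancer could be placed in it")
    if len(public_azs) < required_public_azs:
        findings.append(f"only {len(public_azs)} AZ(s) have a tagged public subnet; "
                        f"ALBs here need {required_public_azs}")
    return findings


def audit_vpc(describe_vpcs_output, cluster_name):
    """Check the VPC carries kubernetes.io/cluster/<name>=owned, as step 2 sets it."""
    findings = []
    key = f"kubernetes.io/cluster/{cluster_name}"
    for vpc in json.loads(describe_vpcs_output)["Vpcs"]:
        value = tags_of(vpc).get(key)
        if value is None:
            findings.append(f"{vpc['VpcId']}: missing tag {key}")
        elif value != "owned":
            findings.append(f"{vpc['VpcId']}: tag {key} has unexpected value {value!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_subnets(SAMPLE_DESCRIBE_SUBNETS) + audit_vpc(SAMPLE_DESCRIBE_VPCS, "demo-cluster"):
        print("FINDING:", finding)
```

To run it against a real cluster, feed the output of the two aws ec2 describe commands into audit_subnets and audit_vpc with the CLUSTER_NAME value from step 1 of this section.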

Installation

  1. Create an AWS IAM policy for the AWS Load Balancer Controller

    The policy is derived from the upstream AWS Load Balancer Controller policy, plus permission to create tags on subnets. The operator requires this permission to work correctly.

    $ oc new-project aws-load-balancer-operator
    $ POLICY_ARN=$(aws iam list-policies --query \
         "Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
         --output text)
    $ if [[ -z "${POLICY_ARN}" ]]; then
        wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
          https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
        POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
          --output text iam create-policy \
          --policy-name aws-load-balancer-operator-policy \
          --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json")
    fi
    $ echo $POLICY_ARN
  2. Create an AWS IAM trust policy for the AWS Load Balancer Operator

    $ cat <<EOF > "${SCRATCH}/trust-policy.json"
    {
     "Version": "2012-10-17",
     "Statement": [
     {
     "Effect": "Allow",
     "Condition": {
       "StringEquals" : {
         "${OIDC_ENDPOINT}:sub": ["system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager", "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"]
       }
     },
     "Principal": {
       "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
     },
     "Action": "sts:AssumeRoleWithWebIdentity"
     }
     ]
    }
    EOF
  3. Create an AWS IAM role for the AWS Load Balancer Operator

    $ ROLE_ARN=$(aws iam create-role --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
       --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
       --query Role.Arn --output text)
    $ echo $ROLE_ARN
    
    $ aws iam attach-role-policy --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
         --policy-arn $POLICY_ARN
  4. Create a secret that lets the AWS Load Balancer Operator assume the newly created AWS IAM role

    $ cat << EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    stringData:
      credentials: |
        [default]
        role_arn = $ROLE_ARN
        web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
    EOF
  5. Install the AWS Load Balancer Operator

    $ cat << EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    spec:
      upgradeStrategy: Default
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: aws-load-balancer-operator
      namespace: aws-load-balancer-operator
    spec:
      channel: stable-v1.0
      installPlanApproval: Automatic
      name: aws-load-balancer-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      startingCSV: aws-load-balancer-operator.v1.0.0
    EOF
  6. Deploy an instance of the AWS Load Balancer Controller using the operator

    If you get an error here, wait a minute and try again; it means the operator has not yet finished installing.

    $ cat << EOF | oc apply -f -
    apiVersion: networking.olm.openshift.io/v1
    kind: AWSLoadBalancerController
    metadata:
      name: cluster
    spec:
      credentials:
        name: aws-load-balancer-operator
    EOF
  7. Check that the operator and controller pods are both running

    $ oc -n aws-load-balancer-operator get pods

    You should see the following; if not, wait a moment and try again

    NAME                                                             READY   STATUS    RESTARTS   AGE
    aws-load-balancer-controller-cluster-6ddf658785-pdp5d            1/1     Running   0          99s
    aws-load-balancer-operator-controller-manager-577d9ffcb9-w6zqn   2/2     Running   0          2m4s
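The trust policy written in step 2 is what keeps the IAM role from step 3 bound to the two operator service accounts: the Federated principal must be this cluster's OIDC provider, the action must be sts:AssumeRoleWithWebIdentity, and the sub condition must be an exact StringEquals match on the two service-account subjects. The following Python script is an added example, not part of this guide or the operator; it renders the same trust document from an account ID and OIDC endpoint (both constructed values here) and checks it for the loosenings that would let other workloads in the cluster assume the role, such as a StringLike wildcard on sub or a missing sub condition.

```python
"""Render and check the IRSA trust policy from the installation steps.
Added example; the account ID and OIDC endpoint are constructed values."""
import json

# The two service accounts the guide's trust policy names.
EXPECTED_SUBJECTS = [
    "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager",
    "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster",
]
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"

SAMPLE_ACCOUNT_ID = "123456789012"                      # constructed
SAMPLE_OIDC_ENDPOINT = "oidc.example.invalid/abcdef0123"  # constructed; real ones come from OIDC_ENDPOINT


def build_trust_policy(account_id, oidc_endpoint, subjects=EXPECTED_SUBJECTS):
    """Same document the heredoc in step 2 writes, rendered from Python."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Condition": {"StringEquals": {f"{oidc_endpoint}:sub": list(subjects)}},
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"},
            "Action": ASSUME_ACTION,
        }],
    }


def check_trust_policy(policy, account_id, oidc_endpoint, allowed_subjects=EXPECTED_SUBJECTS):
    """Return findings for every Allow statement that is wider than the guide intends."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_endpoint}"
    sub_key = f"{oidc_endpoint}:sub"
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != [ASSUME_ACTION]:
            findings.append(f"statement {i}: unexpected actions {actions}")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != expected_principal:
            findings.append(f"statement {i}: principal is not this cluster's OIDC provider")
        cond = st.get("Condition", {})
        if "StringLike" in cond:
            findings.append(f"statement {i}: StringLike condition permits wildcard subjects")
        subs = cond.get("StringEquals", {}).get(sub_key)
        if subs is None:
            findings.append(f"statement {i}: no exact sub condition; "
                            "any identity issued by the provider could assume the role")
        else:
            if isinstance(subs, str):
                subs = [subs]
            for s in subs:
                if s not in allowed_subjects:
                    findings.append(f"statement {i}: unexpected subject {s}")
    return findings


def loose_trust_policy(account_id, oidc_endpoint):
    """Constructed counter-example: a wildcard subject match instead of the exact list."""
    policy = build_trust_policy(account_id, oidc_endpoint)
    policy["Statement"][0]["Condition"] = {
        "StringLike": {f"{oidc_endpoint}:sub": "system:serviceaccount:*:*"}
    }
    return policy


if __name__ == "__main__":
    good = build_trust_policy(SAMPLE_ACCOUNT_ID, SAMPLE_OIDC_ENDPOINT)
    print(json.dumps(good, indent=2))
    print("good policy findings:", check_trust_policy(good, SAMPLE_ACCOUNT_ID, SAMPLE_OIDC_ENDPOINT))
    loose = loose_trust_policy(SAMPLE_ACCOUNT_ID, SAMPLE_OIDC_ENDPOINT)
    print("loose policy findings:", check_trust_policy(loose, SAMPLE_ACCOUNT_ID, SAMPLE_OIDC_ENDPOINT))
```

On a live cluster the same check can be pointed at the deployed role by loading the JSON from aws iam get-role --role-name "${ROSA_CLUSTER_NAME}-alb-operator" and passing the AWS_ACCOUNT_ID and OIDC_ENDPOINT values from the environment section.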

Validate the deployment

  1. Create a new project

    $ oc new-project hello-world
  2. Deploy a hello world application

    $ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
  3. Configure a NodePort service for the AWS ALB to connect to

    $ cat << EOF | oc apply -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: hello-openshift-nodeport
      namespace: hello-world
    spec:
      ports:
        - port: 80
          targetPort: 8080
          protocol: TCP
      type: NodePort
      selector:
        deployment: hello-openshift
    EOF
  4. Deploy an AWS ALB using the AWS Load Balancer Operator

    $ cat << EOF | oc apply -f -
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: hello-openshift-alb
      namespace: hello-world
      annotations:
        alb.ingress.kubernetes.io/scheme: internet-facing
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - path: /
                pathType: Exact
                backend:
                  service:
                    name: hello-openshift-nodeport
                    port:
                      number: 80
    EOF
  5. Curl the AWS ALB Ingress endpoint to verify that the hello world application is reachable

    AWS ALB provisioning takes a few minutes. If you receive an error that says curl: (6) Could not resolve host, wait a moment and try again.

    $ INGRESS=$(oc -n hello-world get ingress hello-openshift-alb \
        -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    $ curl "http://${INGRESS}"
    Example output
    Hello OpenShift!
  6. Deploy an AWS NLB for your hello world application

    $ cat << EOF | oc apply -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: hello-openshift-nlb
      namespace: hello-world
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    spec:
      ports:
        - port: 80
          targetPort: 8080
          protocol: TCP
      type: LoadBalancer
      selector:
        deployment: hello-openshift
    EOF
  7. Test the AWS NLB endpoint

    NLB provisioning takes a few minutes. If you receive an error that says curl: (6) Could not resolve host, wait a moment and try again.

    $ NLB=$(oc -n hello-world get service hello-openshift-nlb \
      -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    $ curl "http://${NLB}"
    Example output
    Hello OpenShift!

Cleanup

  1. Delete the hello world application namespace (and all resources in the namespace)

    $ oc delete project hello-world
  2. Delete the AWS Load Balancer Operator and the AWS IAM role

    $ oc delete subscription aws-load-balancer-operator -n aws-load-balancer-operator
    $ aws iam detach-role-policy \
      --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
      --policy-arn $POLICY_ARN
    $ aws iam delete-role \
      --role-name "${ROSA_CLUSTER_NAME}-alb-operator"
  3. Delete the AWS IAM policy

    $ aws iam delete-policy --policy-arn $POLICY_ARN