AWS Load Balancer Operator | Networking | Red Hat OpenShift Service on AWS

Installing an AWS Load Balancer Operator
Uninstalling an AWS Load Balancer Operator

The AWS Load Balancer Operator (ALBO) is an Operator supported by Red Hat that users can optionally install on SRE-managed Red Hat OpenShift Service on AWS (ROSA) clusters. The ALBO manages the lifecycle of the AWS-managed AWS Load Balancer Controller (ALBC) that provisions AWS Elastic Load Balancing v2 (ELBv2) services for applications running in ROSA clusters.

Installing an AWS Load Balancer Operator

You can install an AWS Load Balancer Operator (ALBO) if you meet certain requirements.

Prerequisites

You have an existing Red Hat OpenShift Service on AWS (ROSA) cluster with bring-your-own-VPC (BYO-VPC) configuration across multiple availability zones (AZ) installed in STS mode.
You have access to the cluster as a user with the dedicated-admin role.
You have access to modify the VPC and subnets of the created ROSA cluster.
You have installed the ROSA CLI (rosa).
You have installed the Amazon Web Services (AWS) CLI.
You have installed the OpenShift CLI (oc).
You are using OpenShift Container Platform (OCP) 4.13 or later.

When installing an ALBO for use with a ROSA cluster in an AWS Local Zone (LZ), you must enable the AWS LZ for the account, and AWS Elastic Load Balancing v2 (ELBv2) services must be available in the AWS LZ.

Procedure

Identify the cluster infrastructure ID and the cluster OpenID Connect (OIDC) DNS by running the following commands:
1. Identify the ROSA cluster INFRA ID:
  $ rosa describe cluster --cluster=<cluster_name> | grep -i 'Infra ID'
  or
  $ oc get infrastructure cluster -o json | jq -r '.status.infrastructureName'
2. Identify the ROSA cluster OIDC DNS:
  $ rosa describe cluster --cluster=<cluster_name> | grep -i 'OIDC'
  
  Save the output from the commands. You will use this information in future steps within this procedure.

Create the AWS IAM policy required for the ALBO:

Log in to the ROSA cluster as a user with the dedicated-admin role and create a new project using the following command:
```
$ oc new-project aws-load-balancer-operator
```

Assign the following trust policy to the newly-created AWS IAM role:

$ IDP='{Cluster_OIDC_Endpoint}'
$ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}" (1)
$ cat <<EOF > albo-operator-trusted-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "${IDP_ARN}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
                }
            }
        }
    ]
}
EOF

1	Replace '{AWS_AccountNo}' with your AWS account number and '{Cluster_OIDC_Endpoint}' with the OIDC DNS identified earlier in this procedure.

Do not include the https portion of the OIDC DNS URL when replacing {Cluster_OIDC_Endpoint} with the OIDC DNS you identified earlier. Only the alphanumeric information that follows the / within the URL is needed.

For more information on assigning trust policies to AWS IAM roles, see How to use trust policies with IAM roles.

Create and verify the role by using the generated trusted policy:

$ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
$ OPERATOR_ROLE_ARN=$(aws iam get-role --role-name albo-operator --output json | jq -r '.Role.Arn')
$ echo $OPERATOR_ROLE_ARN

For more information on creating AWS IAM roles, see Creating IAM roles.

Attach the operator’s permission policy to the role:

$ curl -o albo-operator-permission-policy.json https://raw.githubusercontent.com/alebedev87/aws-load-balancer-operator/aws-cli-commands-for-sts/hack/operator-permission-policy.json
aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-albo-operator --policy-document file://albo-operator-permission-policy.json

For more information on adding AWS IAM permissions to AWS IAM roles, see Adding and removing IAM identity permissions.

Generate the operator’s AWS credentials:

$ cat <<EOF> albo-operator-aws-credentials.cfg
[default]
sts_regional_endpoints = regional
role_arn = ${OPERATOR_ROLE_ARN}
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
EOF

For more information about formatting credentials files, see Using manual mode with Amazon Web Services Security Token Service.

Create the operator’s credentials secret with the generated AWS credentials:

$ oc -n aws-load-balancer-operator create secret generic aws-load-balancer-operator --from-file=credentials=albo-operator-aws-credentials.cfg

Create the AWS IAM policy required for the AWS Load Balancer Controller (ALBC):

Generate a trusted policy file for your identity provider. The following example uses OpenID Connect:

$ IDP='{Cluster_OIDC_Endpoint}'
$ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}"
$ cat <<EOF > albo-controller-trusted-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "${IDP_ARN}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"
                }
            }
        }
    ]
}
EOF

Create and verify the role by using the generated trusted policy:

$ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
$ CONTROLLER_ROLE_ARN=$(aws iam get-role --role-name albo-controller --output json | jq -r '.Role.Arn')
$ echo $CONTROLLER_ROLE_ARN

Attach the controller’s permission policy to the role:

$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json
aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json

Generate the controller’s AWS credentials:

$ cat <<EOF > albo-controller-aws-credentials.cfg
[default]
sts_regional_endpoints = regional
role_arn = ${CONTROLLER_ROLE_ARN}
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
EOF

Create the controller’s credentials secret by using the generated AWS credentials:

$ oc -n aws-load-balancer-operator create secret generic aws-load-balancer-controller-cluster --from-file=credentials=albo-controller-aws-credentials.cfg

Add the tags necessary for subnet discovery:
1. Add the following {Key: Value} tag to the VPC hosting the ROSA cluster. Replace {Cluster Infra ID} with the Infra ID specified previously:
  * kubernetes.io/cluster/${Cluster Infra ID}:owned
2. Add the following ELBv2 {Key: Value} tags to the private subnets and, optionally, to the public subnets:
  - Private subnets: kubernetes.io/role/internal-elb:1
  - Public subnets: kubernetes.io/role/elb:1
    
    Internet-facing and internal load balancers will be created within the AZ to which these subnets belong.
    
    For more information on adding tags to AWS resources, including VPCs and subnets, see Tag your Amazon EC2 resources.
    
    ELBv2 resources (such as ALBs and NLBs) created by ALBO do not inherit custom tags set for ROSA clusters. You must set tags separately for these resources.

Create ALBO:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
spec:
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: aws-load-balancer-operator
  namespace: aws-load-balancer-operator
spec:
  channel: stable-v1.0
  installPlanApproval: Automatic
  name: aws-load-balancer-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: aws-load-balancer-operator.v1.0.0

Create an AWS ALBC:

apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController
metadata:
  name: cluster
spec:
  subnetTagging: Manual
  credentials:
    name: aws-load-balancer-controller-cluster

Because AWS ALBCs do not support creating ALBs associated with both AZs and AWS LZs, ROSA clusters can have ALBs associated exclusively with either AWS LZs or AZs but not both simultaneously.

For more information regarding AWS ALBC configurations, see the following topics:

Verification

Confirm successful installation by running the following commands:
1. Gather information about pods within the project:
  $ oc get pods -n aws-load-balancer-operator
2. View the logs within the project:
  $ oc logs -n aws-load-balancer-operator deployment/aws-load-balancer-operator-controller-manager -c manager
  For detailed instructions on verifying that the ELBv2 was created for the application running in the ROSA cluster, see Creating an instance of AWS Load Balancer Controller.

Uninstalling an AWS Load Balancer Operator

To uninstall an AWS Load Balancer Operator (ALBO) and perform an overall cleanup of the associated resources, perform the following procedure.

Procedure

Clean up the sample application by deleting the Load Balancers created and managed by the ALBO. For more information about deleting Load Balancers, see Delete an Application Load Balancer.
Clean up the AWS VPC tags by removing the VPC tags that were added to the subnets for discovering subnets and for creating Application Load Balancers (ALBs). For more information, see Tag basics.
Clean up ALBO components by deleting both the ALBO and the Application Load Balancer Controller (ALBC). For more information, see Deleting Operators from a cluster.