a-mango / CLD-Workshop


Topic validation #1

Open a-mango opened 2 months ago

a-mango commented 2 months ago

Our first draft of the workshop project is ready. We are waiting for @NicolasGlassey to validate the topic before proceeding any further.

NicolasGlassey commented 2 months ago

@a-mango @GuggisbergSimon @Simeline @SlWa99

Excellent subject. Perfectly in line with the CLD course.

Schema

For the diagram, it will be important to mention the ports and protocols and make the link with the different cloud models (SaaS, PaaS, CaaS...).

Backlog

As for your backlog, I'm afraid you're thinking too big. Don't forget that the demonstration must last 15 minutes. It will be frustrating for both you and me to have to do a "turbo" demo.

The subject is validated!

a-mango commented 1 month ago

@NicolasGlassey

We need AWS credentials to start configuring our OpenShift cluster on the platform. Would you be able to transfer them over to us?

In addition, following our discussion last week about the need to install Route53, I'm transferring the following resources to you:

Does the global load-balancing approach (described in the last link) seem appropriate for our project?

Regards

NicolasGlassey commented 1 month ago

@a-mango

Thanks for the clarification.

Permission on AWS

I'll start setting it up this evening. Deliverable tomorrow morning at the latest.

I suggest you put the rights on a devteams account so you can also use the console.

Which "old" team do you want the rights on?

Route 53

I take care of that too.

LB Policy

https://www.redhat.com/en/blog/global-load-balancer-for-openshift-clusters-an-operator-based-approach

What load distribution policies do you want to put in place?

Knowing that the computing power will certainly not be the same in both environments...

a-mango commented 1 month ago

@NicolasGlassey we'll get the IAM rights on the DEVOPSTEAM07 if you please.

Regarding the LB policy, during normal operation, we'll want a Round-Robin policy. It's the one that makes the most sense for our testing needs since we'll want to make sure that we get (some) requests on both clusters.

If one cluster is not able to serve requests anymore due to high load, Route53 should pick it up through a health check and send all the traffic over to the other cluster. Will you be able to configure the aforementioned health checks for us, provided we forward all the required information?

Regards

NicolasGlassey commented 1 month ago

@a-mango

aws_iam_openshift_workshop.json

IAM

Your IAM for devopsteam07 has received the permissions specified in the attached file.

You'll notice that I've gone wider than the Redhat tutorial, also to make it easier for you to debug the infra in case of need (Describe permissions, for example).

I've isolated you in the "london" region. You're on your own. I could provide you with the cost analyses at the end of your experiment to enrich your final presentation. Let me know when you need them.

Route53

Concerning route 53, I still have to study the document. I seem to be missing information such as your Redhat identifier.

a-mango commented 1 month ago

@NicolasGlassey

Thank you for your work on the IAM roles. We'll contact you when we need the cost analysis.

Concerning Route53, although we've now read quite extensively on the topic of global load balancing and cluster high availability, there seems to still be a part of unknown. We are having a tough time finding comprehensible resources that outline the complete setup procedure. We'll keep looking for information, but it seems that this is going to be the workshop's sticky issue.

Shall we get on a call or have a chat at the end of next class to discuss it?

NicolasGlassey commented 1 month ago

@a-mango

I notice that you're not registered for the first session, but the second, which gives us a bit of time.

Give me until Monday evening to dig into the Route 53 issue. The subject is good, I'll be sad to let it go.

I'll get back to you by Tuesday morning at the latest, and we'll see what happens next. Of course, it's possible to simplify the subject or change the approach.

Have a nice weekend!

NicolasGlassey commented 1 month ago

@a-mango

As agreed, I worked on the Route53 configuration. Having said that, so many classes and students depend on the "good" health of the "cld.education" domain that I'm giving up on modifying its settings as mentioned here:

Solution. I suggest that you purchase a domain that will allow me to offer you full power over the domain only, so that you don't have to worry about destabilizing “production”.

By adapting the IAM on AWS, I'll be able to give you full rights on this domain only. In other words, make you a route 53 administrator, but only on the domain that will help you run your lab.

Deal? (I can deliver tomorrow)

Studying the subject, I found two sources that should help you:

Enjoy the rest of the workshop.

I'm waiting for your go to deliver IAM - Route53.

a-mango commented 1 month ago

@NicolasGlassey

My apologies, I thought I had answered earlier!

Thank you for the documentation. The cloudcorp.tech domain has been registered. We'll configure the domain's DNS to be managed by Route53 when we get the IAM.

Regards

NicolasGlassey commented 1 month ago

@a-mango

Hello,

My concern was that I'd missed your answer. You set the pace, I'm only here to support you.

I've been able to configure your Route53 permissions on AWS.

1) creation of a public hosted zone (obtain the unique identifier of this zone)
2) give you full Route53 service read permissions to help you with your debugging activities
3) give you full write permissions, but limited to your hosted zone.

I tested the permissions and succeeded in creating record sets in your zone, but it was impossible to modify anything in another zone. So you're pretty well isolated in your zone.

Warning: deleting the zone may result in you losing all write permissions. You'll have to ask me to create it again.

I'll be in touch if you need me.
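An IAM policy shaped like the three points described above (service-wide Route53 read for debugging, record writes limited to one hosted zone), added here as an illustration; it is not the policy actually applied in this thread, and ZONE_ID_PLACEHOLDER stands for the unique zone identifier from step 1:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Route53ReadEverywhereForDebugging",
      "Effect": "Allow",
      "Action": ["route53:Get*", "route53:List*", "route53:TestDNSAnswer"],
      "Resource": "*"
    },
    {
      "Sid": "WriteOnlyInsideTheWorkshopZone",
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/ZONE_ID_PLACEHOLDER"
    },
    {
      "Sid": "KeepTheZoneItself",
      "Effect": "Deny",
      "Action": ["route53:DeleteHostedZone"],
      "Resource": "arn:aws:route53:::hostedzone/ZONE_ID_PLACEHOLDER"
    }
  ]
}
```

Because the write statement names the zone by its ID, a zone that is deleted and recreated gets a new ID and the policy no longer matches it, which is the warning given just above; the explicit Deny on DeleteHostedZone is an addition in this example that prevents that situation rather than something the thread says was configured.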

SlWa99 commented 1 month ago

Hello @NicolasGlassey,

We are currently experiencing a problem. When we set up the AWS cluster via the Red Hat OpenShift Dedicated trial (a free version for 60 days), we need to specify the secret access key (for our AWS account). However, we don't have this information because we don't have access rights. If we want to create a new secret key, we also don't have the right to do this.

Can you please tell us the secret access key or give us the right to create one?

For information, here is what the blocking step looks like on Red Hat OpenShift (see the attached screenshot).

As for the AWS access key id, we can view it in our AWS account options (security credentials).

Best regards.

GuggisbergSimon commented 1 month ago

EDIT: This issue has been resolved internally after a miscommunication error, thank you. Unfortunately we created an unneeded hosted zone, openshift_workshop.com, and are unable to delete it, due to permissions. It is safe to delete it as we are working on cloudcorp.tech.

Hello @NicolasGlassey,

Despite creating a new hosted zone, we are unable to change records in it, thus unable to provision it with the public Elastic address as seen on the screenshot (13.41.100.122). The error seems to come from a lack of permissions on our side, more specifically ChangeResourceRecordSets. Could you grant us these?

Best regards.

NicolasGlassey commented 1 month ago

@GuggisbergSimon

You posted an "EDIT" but left the issue with the details. So I don't know if you're still stuck. But, if I understand you correctly, it's the public zone belonging to cloudcorp.tech that you're the administrator of.

Action required on my part: delete the openshift_workshop.com zone.

Can you confirm this?

GuggisbergSimon commented 1 month ago

@NicolasGlassey Yes, I left the details for context purposes; what you detailed are the actions needed. Thank you again.

NicolasGlassey commented 1 month ago

@SlWa99

AWS account ID: 709024702237

Credentials:

If you go back in the issue history, I was asked to give access to the devopsteam07. This has been done.

I note that this is your "initial" lab team. In other words, you can use the same credentials as for the AWS labs.

Looking at the activity on this account, there was indeed activity that day, which must surely be @GuggisbergSimon .

Let me know!

(coming back tomorrow morning)

GuggisbergSimon commented 1 month ago

Hello @NicolasGlassey,

There was a slight misunderstanding; trying to clear that up.

We do indeed have all the required permissions on the london region and the hosted zone cloudcorp.tech for Route53; that is fine.

But, while following the steps to set up the OpenShift cluster on AWS, an infrastructure provider must be picked (as seen here https://console.redhat.com/openshift/install); we opted for Red Hat OpenShift Dedicated Trial. The information required to proceed further is the one sent by @SlWa99 on Saturday. We tried creating a new access key through the AWS interface but got the following error, due to a lack of permissions.

As the only field missing is the Secret Access Key (we know the other two), could it be possible to share it with us, or to allow us the rights to create a new access key, specifically for this part of the project?

Cheers,

NicolasGlassey commented 1 month ago

@GuggisbergSimon

Your message is very clear.

For my part, I've just re-validated by reading the Redhat documentation. It's the "blue" notice that must be at the root of the permission problem.

So I've just added the two missing permissions to your IAM (applied to both devopsteams).

Let me know if it's still a problem.

a-mango commented 1 month ago

@NicolasGlassey

A quick note that we've updated the scenario to reflect some design changes made over the last weeks, namely that we'll use RDS instead of a self-hosted DB and that the on-premises "cluster" had to be scaled down to a single node due to hardware limitations (the 96GB of RAM required to provision the infrastructure).

Regards

GuggisbergSimon commented 1 month ago

Hello @NicolasGlassey

There is another issue with the requirements for using OpenShift on AWS. The prerequisites are the following (see the attached screenshot).

The step that poses a problem is the second one, the IAM user called osdCcsAdmin with the AdministratorAccess policy. As we don't have permissions to create one, could it be done in our stead?

We also would like to ensure that

Those two points to avoid further back and forth,

Thank you and best regards

NicolasGlassey commented 1 month ago

@GuggisbergSimon

Action 01 - add the AdministratorAccess policy to the osdCcsAdmin user

Action 02 - Check the SCP

The permissions mentioned correspond to the links exchanged at the start of the project. You have even more permissions. I've targeted the services Redhat needs, limiting them to the London region where possible.

And the other limitation is the public DNS zone reserved for you in Route53.

As I don't use an AWS organization, the last point shouldn't be a problem.

I hope you'll be able to finalize your deployment!

Simeline commented 1 month ago

Hello @NicolasGlassey,

Is the approach correct for meeting the second prerequisite above (see the screenshot)? Shouldn't I be able to have access to ListPolicies in order to add the AdministratorAccess policy to the freshly created user osdCcsAdmin?

Kind regards,

NicolasGlassey commented 1 month ago

@Simeline

Reading the Redhat documentation, I understood that there are three users.

The account you are using has limited rights and does not have the "iam:ListPolicies" action. However, I did what was needed just before your question by adding the "AdministratorAccess" rights to the osdCcsAdmin user.

For my part, I'm leaving the screens until tomorrow morning. Around 08:00 I'll come and handle any requests here, hoping I can help you.

Simeline commented 1 month ago

Thanks for the explanation!

Simeline commented 1 month ago

Hello @NicolasGlassey,

I'm contacting you because we are currently running into a permissions problem with AWS when accessing certain RDS resources. When trying to create or describe database instances, we receive the following error message (see the attached screenshot).

It seems that the user CLD_DEVOPSTEAM07 does not have the permissions needed to perform the action rds:DescribeDBInstances.

Thank you in advance for your help.

Kind regards,

NicolasGlassey commented 1 month ago

@Simeline

I granted you all permissions on RDS (for the london region). Try again and let me know!

a-mango commented 1 month ago

@NicolasGlassey

We've completed the cost analysis and return of experience in the README.
