# AWS Load Balancer Operator

This operator is used to install, manage and configure an instance of
aws-load-balancer-controller in an OpenShift cluster.

This document describes the design and implementation of the operator in more detail.
## Table of contents

- Prerequisites
  - IAM Role for STS clusters
  - VPC and Subnets
- Installation
  - STS Clusters
- Tutorial
- Local Development
  - Build the operand image
  - Running the operator
  - Running the end-to-end tests
  - Running the end-to-end tests on an STS cluster
- Proxy support
- Versioning
## Local Development

### Build the operand image

Note: this is only needed for unmerged changes; all merged changes are published in a public quay.io repository.

The operand image must be built first. Clone the OpenShift fork of the operand,
build the image and push it to a registry which is accessible from the test cluster.

```sh
git clone https://github.com/openshift/aws-load-balancer-controller.git
cd aws-load-balancer-controller
IMG=quay.io/$USER/aws-load-balancer-controller
podman build -t $IMG -f Dockerfile.openshift
podman push $IMG
```
### Running the operator

- Replace the operand image in the file `config/manager/manager.yaml`, in the environment variable `RELATED_IMAGE_CONTROLLER`, with the image created in the previous step.
- Build and push the operator image to an image registry.

  ```sh
  export IMG=quay.io/$USER/aws-load-balancer-operator:latest
  make image-build image-push
  ```

- Create the namespace where the operator will be deployed.

  ```sh
  oc create ns aws-load-balancer-operator
  ```

- Deploy the operator.

  ```sh
  make deploy
  ```

- The previous step deploys the conversion webhook, which requires TLS verification on the webhook client side. The manifests deployed through the `make deploy` command do not contain a valid certificate and key; you must provision a valid certificate and key through other tools. If you run on OpenShift, you can use the convenience script `hack/add-serving-cert.sh` to enable the service serving certificate feature. Run the script with the following inputs:

  ```sh
  hack/add-serving-cert.sh --namespace aws-load-balancer-operator --service aws-load-balancer-operator-webhook-service --secret webhook-server-cert --crd awsloadbalancercontrollers.networking.olm.openshift.io
  ```

  Note: you may need to wait for the retry of the volume mount in the operator's pod.
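Two of the steps above only reveal a mistake once the operator is already running: the image reference written into `config/manager/manager.yaml`, and the certificate placed in the webhook secret. The helper script below is an added example and is not part of the operator repository. It rewrites the `RELATED_IMAGE_CONTROLLER` value in a manifest (refusing a tag-only reference unless explicitly allowed, since a mutable tag can change between build and deploy), and it checks that a PEM certificate's SAN list contains `<service>.<namespace>.svc`, which is the name the API server verifies when it reaches the conversion webhook through the Service. The `ALLOW_TAG` knob and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the aws-load-balancer-operator repository.
# Helpers for the "Running the operator" steps: set_controller_image rewrites
# RELATED_IMAGE_CONTROLLER in config/manager/manager.yaml (or any manifest
# carrying the same env entry), and check_webhook_cert verifies that a serving
# certificate covers the webhook service DNS name. ALLOW_TAG is a knob of this
# example, not of the operator.

# Rewrite the "value:" line that follows "- name: RELATED_IMAGE_CONTROLLER".
# A digest reference (repo@sha256:...) is required unless ALLOW_TAG=1 is set,
# because a tag can be re-pushed and silently change what gets deployed.
set_controller_image() {
  manifest=$1
  image=$2
  case "$image" in
    *@sha256:*) ;;
    *)
      if [ "${ALLOW_TAG:-0}" != 1 ]; then
        echo "refusing tag-only image reference: $image (set ALLOW_TAG=1 to override)" >&2
        return 1
      fi
      ;;
  esac
  awk -v img="$image" '
    /name: RELATED_IMAGE_CONTROLLER/ { hit = 1; print; next }
    hit && /value:/ { sub(/value:.*/, "value: " img); hit = 0 }
    { print }
  ' "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
}

# Print the current RELATED_IMAGE_CONTROLLER value from a manifest.
get_controller_image() {
  awk '
    /name: RELATED_IMAGE_CONTROLLER/ { hit = 1; next }
    hit && /value:/ { sub(/.*value:[ \t]*/, ""); print; exit }
  ' "$1"
}

# The API server reaches the conversion webhook through the Service, so the
# certificate in the webhook secret must name <service>.<namespace>.svc.
# Returns 0 when that DNS SAN is present in the PEM certificate at $1.
check_webhook_cert() {
  cert=$1
  service=$2
  namespace=$3
  dns="$service.$namespace.svc"
  # escape the dots so the name is matched literally, not as regex wildcards
  pattern=$(printf '%s' "$dns" | sed 's/\./\\./g')
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Eq "DNS:$pattern(,|\$)"
}

# Usage (after make deploy and hack/add-serving-cert.sh have run):
#   set_controller_image config/manager/manager.yaml quay.io/$USER/aws-load-balancer-controller@sha256:<digest>
#   oc -n aws-load-balancer-operator extract secret/webhook-server-cert --keys=tls.crt --to=/tmp
#   check_webhook_cert /tmp/tls.crt aws-load-balancer-operator-webhook-service aws-load-balancer-operator
```

The digest requirement is deliberately strict: `make deploy` ships whatever the manifest names, so pinning by digest is the cheapest way to make the deployed controller reproducible. The certificate check catches the common failure of a hand-provisioned certificate issued for a pod or node name instead of the Service name.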
### Running the end-to-end tests

After the operator has been deployed as described previously, you can run the e2e tests with the following command:

```sh
make test-e2e
```
### Running the end-to-end tests on an STS cluster

Prerequisites: create the WAFv2 and WAF Classic (regional) web ACLs that the tests reference through the variables below.

```sh
aws wafv2 create-web-acl --name "echoserver-acl" --scope REGIONAL --default-action '{"Block":{}}' --visibility-config '{"MetricName":"echoserver","CloudWatchMetricsEnabled": false,"SampledRequestsEnabled":false}'
aws waf-regional create-web-acl --name "echoserverclassicacl" --metric-name "echoserverclassicacl" --default-action '{"Type":"BLOCK"}' --change-token "$(aws waf-regional get-change-token)"
```

Note: record the ARN and ID of the created ACLs from the output of the commands; they are needed for the variables below.

Now you can run the e2e test with the following commands:

```sh
export ALBO_E2E_PLATFORM=OCPSTS
export ALBO_E2E_CONTROLLER_ROLE_ARN=<controller-iamrole-arn>
export ALBO_E2E_WAFV2_WEBACL_ARN=<wafv2-webacl-arn>
export ALBO_E2E_WAF_WEBACL_ID=<wafregional-webacl-id>
make test-e2e
```
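A pasted ARN with a missing account digit, or the WAF Classic ACL's name where its ID belongs, only fails once the e2e suite is well under way. The preflight check below is an added example, not part of the operator repository: it validates the four `ALBO_E2E_*` variables against the AWS formats for IAM role ARNs and WAFv2 regional web ACL ARNs, and checks that the WAF Classic web ACL ID is the UUID that `aws waf-regional create-web-acl` returns. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the aws-load-balancer-operator repository.
# Preflight validation of the ALBO_E2E_* variables before `make test-e2e`
# on an STS cluster. Runs offline; it only inspects the environment.

# Match $1 against the extended regex $2.
matches() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# IAM role ARN: arn:aws[-partition]:iam::<12-digit account>:role/<path/name>
check_role_arn() {
  matches "$1" '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# WAFv2 regional web ACL ARN:
#   arn:aws[-partition]:wafv2:<region>:<account>:regional/webacl/<name>/<uuid>
# The controller's tests use regional (ALB) ACLs, so a "global/" scope is rejected.
check_wafv2_arn() {
  matches "$1" '^arn:aws(-[a-z]+)*:wafv2:[a-z]{2}(-[a-z]+)+-[0-9]:[0-9]{12}:regional/webacl/[A-Za-z0-9_-]+/[0-9a-fA-F-]{36}$'
}

# WAF Classic (waf-regional) web ACL IDs are UUIDs, not the ACL name.
check_waf_webacl_id() {
  matches "$1" '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Validate the environment as make test-e2e will read it. Reports every
# problem rather than stopping at the first, and returns non-zero if any.
preflight_sts_e2e() {
  rc=0
  if [ "${ALBO_E2E_PLATFORM:-}" != OCPSTS ]; then
    echo "ALBO_E2E_PLATFORM must be OCPSTS (got '${ALBO_E2E_PLATFORM:-}')" >&2
    rc=1
  fi
  if ! check_role_arn "${ALBO_E2E_CONTROLLER_ROLE_ARN:-}"; then
    echo "ALBO_E2E_CONTROLLER_ROLE_ARN is not an IAM role ARN" >&2
    rc=1
  fi
  if ! check_wafv2_arn "${ALBO_E2E_WAFV2_WEBACL_ARN:-}"; then
    echo "ALBO_E2E_WAFV2_WEBACL_ARN is not a WAFv2 regional web ACL ARN" >&2
    rc=1
  fi
  if ! check_waf_webacl_id "${ALBO_E2E_WAF_WEBACL_ID:-}"; then
    echo "ALBO_E2E_WAF_WEBACL_ID is not a web ACL ID (UUID); did you paste the name?" >&2
    rc=1
  fi
  return $rc
}

# Usage: source this file after the four exports above, then
#   preflight_sts_e2e && make test-e2e
```

Sourcing the script and gating `make test-e2e` on `preflight_sts_e2e` keeps the check out of the Makefile while still failing fast on a misconfigured shell.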
## Proxy support

### Configuring egress proxy for AWS Load Balancer Operator