This operator is used to install, manage and configure an instance of aws-load-balancer-controller in an OpenShift cluster.
This document describes the design and implementation of the operator in more detail.
Note: building the operand image is only needed for unmerged changes; all merged changes are published to a public quay.io repository.
The operand image must be built first. Clone the OpenShift fork of the operand, build the image and push it to a registry which is accessible from the test cluster.

```shell
git clone https://github.com/openshift/aws-load-balancer-controller.git
cd aws-load-balancer-controller
IMG=quay.io/$USER/aws-load-balancer-controller
podman build -t $IMG -f Dockerfile.openshift
podman push $IMG
```
- Replace the operand image in the file `config/manager/manager.yaml`, in the environment variable `RELATED_IMAGE_CONTROLLER`, with the image created in the previous step.
- Build and push the operator image to an image registry.

```shell
export IMG=quay.io/$USER/aws-load-balancer-operator:latest
make image-build image-push
```
- Create the namespace where the operator will be deployed.

```shell
oc create ns aws-load-balancer-operator
```

- Deploy the operator.

```shell
make deploy
```
- The previous step deploys the conversion webhook, which requires TLS verification on the webhook client side. The manifests deployed through the `make deploy` command do not contain a valid certificate and key. You must provision a valid certificate and key through other tools. If you run on OpenShift, you can use a convenience script, `hack/add-serving-cert.sh`, to enable the service serving certificate feature. Run the `hack/add-serving-cert.sh` script with the following inputs:

```shell
hack/add-serving-cert.sh --namespace aws-load-balancer-operator --service aws-load-balancer-operator-webhook-service --secret webhook-server-cert --crd awsloadbalancercontrollers.networking.olm.openshift.io
```

Note: the operator's pod cannot mount the secret until it has been created, so you may need to wait for the retry of the volume mount in the operator's pod.
After the operator has been deployed as described previously you can run the e2e tests with the following command:

```shell
make test-e2e
```
Prerequisites:
- The operator has to be deployed with the prerequisites for the STS cluster.
- The controller's IAM role needs to be created as described in the installation instructions for the STS cluster.
- The test WAFv2 and WAF Regional WebACLs need to be created. You can use the following commands:

```shell
aws wafv2 create-web-acl --name "echoserver-acl" --scope REGIONAL --default-action '{"Block":{}}' --visibility-config '{"MetricName":"echoserver","CloudWatchMetricsEnabled": false,"SampledRequestsEnabled":false}'
# get-change-token prints a JSON document; pass only the token value, not the whole document
aws waf-regional create-web-acl --name "echoserverclassicacl" --metric-name "echoserverclassicacl" --default-action '{"Type":"BLOCK"}' --change-token "$(aws waf-regional get-change-token --query ChangeToken --output text)"
```

Note: note down the ARN and ID of the created WebACLs from the output of the commands; the e2e test needs the ARN of the WAFv2 WebACL and the ID of the WAF Regional WebACL.
Now you can run the e2e test with the following commands:

```shell
export ALBO_E2E_PLATFORM=OCPSTS
export ALBO_E2E_CONTROLLER_ROLE_ARN=<controller-iamrole-arn>
export ALBO_E2E_WAFV2_WEBACL_ARN=<wafv2-webacl-arn>
export ALBO_E2E_WAF_WEBACL_ID=<wafregional-webacl-id>
make test-e2e
```
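The script below is an added example and is not part of the operator repository. It shows how to pull the identifiers the e2e test needs out of the output of the two `aws ... create-web-acl` commands above and how to pre-flight the ALBO_E2E_* variables before running `make test-e2e`, rejecting a CloudFront-scoped (global) WAFv2 WebACL, which cannot be attached to an ALB. The two JSON documents are constructed samples in the shape the aws CLI prints; the account id, region, WebACL ids and the controller role ARN are placeholders, not real resources.

```shell
#!/bin/sh
# Added example, not part of the aws-load-balancer-operator repository.
# Extracts the WebACL identifiers from the aws CLI output and pre-flights the
# ALBO_E2E_* variables used by `make test-e2e` on an STS cluster.

# Constructed sample of `aws wafv2 create-web-acl ... --scope REGIONAL` output.
# Account id, region and ids are placeholders.
WAFV2_OUTPUT='{
    "Summary": {
        "Name": "echoserver-acl",
        "Id": "11111111-2222-3333-4444-555555555555",
        "Description": "",
        "LockToken": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/echoserver-acl/11111111-2222-3333-4444-555555555555"
    }
}'

# Constructed sample of `aws waf-regional create-web-acl` output.
WAF_REGIONAL_OUTPUT='{
    "WebACL": {
        "WebACLId": "66666666-7777-8888-9999-000000000000",
        "Name": "echoserverclassicacl",
        "MetricName": "echoserverclassicacl",
        "DefaultAction": {
            "Type": "BLOCK"
        },
        "Rules": []
    },
    "ChangeToken": "ffffffff-0000-1111-2222-333333333333"
}'

# json_field DOC KEY: print the string value of the first "KEY": "..." pair.
# Sufficient for the flat, pretty-printed output the aws CLI emits; it is not
# a general JSON parser (no escape handling). In a real run, prefer
# `--query ... --output text` on the aws command itself where possible.
json_field() {
    printf '%s\n' "$1" | grep -o "\"$2\": *\"[^\"]*\"" | head -n 1 | sed 's/^[^:]*: *"//; s/"$//'
}

wafv2_arn()       { json_field "$WAFV2_OUTPUT" ARN; }
wafv2_id()        { json_field "$WAFV2_OUTPUT" Id; }
waf_regional_id() { json_field "$WAF_REGIONAL_OUTPUT" WebACLId; }

# check_wafv2_arn ARN: the e2e test attaches the WebACL to an ALB, which only
# accepts REGIONAL-scope WAFv2 ACLs. A CLOUDFRONT-scope ACL has the shape
# arn:aws:wafv2:us-east-1:<account>:global/webacl/<name>/<id> and is refused.
check_wafv2_arn() {
    case "$1" in
        arn:aws:wafv2:*:*:regional/webacl/*/*) return 0 ;;
        *) echo "not a regional WAFv2 WebACL ARN: $1" >&2; return 1 ;;
    esac
}

# e2e_preflight: return 1 if any variable the STS e2e run needs is unset or
# empty, or if the WAFv2 ARN is not a regional WebACL; return 0 otherwise.
e2e_preflight() {
    for v in ALBO_E2E_PLATFORM ALBO_E2E_CONTROLLER_ROLE_ARN \
             ALBO_E2E_WAFV2_WEBACL_ARN ALBO_E2E_WAF_WEBACL_ID; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing $v" >&2
            return 1
        fi
    done
    check_wafv2_arn "$ALBO_E2E_WAFV2_WEBACL_ARN"
}

# In a real run replace the sample documents with the live command output:
#   WAFV2_OUTPUT=$(aws wafv2 create-web-acl ...)
#   WAF_REGIONAL_OUTPUT=$(aws waf-regional create-web-acl ...)
export ALBO_E2E_PLATFORM=OCPSTS
# Placeholder role ARN; use the controller IAM role created for the STS cluster.
export ALBO_E2E_CONTROLLER_ROLE_ARN="${ALBO_E2E_CONTROLLER_ROLE_ARN:-arn:aws:iam::123456789012:role/albo-controller}"
export ALBO_E2E_WAFV2_WEBACL_ARN="$(wafv2_arn)"
export ALBO_E2E_WAF_WEBACL_ID="$(waf_regional_id)"
e2e_preflight && echo "preflight ok; now run: make test-e2e"
```

The ARN check matters because `aws wafv2 create-web-acl --scope CLOUDFRONT` also succeeds and returns an ARN, but the resulting ACL cannot be associated with an ALB, so the e2e run would only fail later inside the controller.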