Import of OpenShift Cluster
Updated
by Michael Delzer
OpenShift Import Requirements
In order to properly import an OpenShift or OKD cluster into the AgileStacks infrastructure, the following requirements must be met:
- The OpenShift or OKD cluster must be provisioned on AWS.
- The Cloud Account of the selected Environment MUST be the Cloud Account in which the OpenShift cluster is provisioned; otherwise, AgileStacks automation will not be able to properly import the cluster.
- The OpenShift user whose token is used to onboard the cluster MUST have the `cluster-admin` role.
- Certain AgileStacks components, such as the ingress controller (Traefik) or the TLS certificate manager, need access to AWS resources in order to function properly. Examples of such resources are (but are not limited to) Route53 (for DNS ACME challenges) and Elastic Load Balancer (ELB) (to expose Kubernetes services to the outside). The following (or a less restrictive) AWS IAM policy should be assigned to the instance profile(s) of the OpenShift master and worker nodes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:CompleteLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:InitiateLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:BatchGetImage",
        "acm:GetCertificate",
        "acm:ListCertificates",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange",
        "ec2:DescribeVolume*",
        "ec2:CreateVolume",
        "ec2:CreateTags",
        "ec2:DescribeInstance*",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeSubnets",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:AuthorizeSecurityGroupIngress",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
        "s3:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
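As an added example (not AgileStacks code), the following Python check verifies that an existing node instance-profile policy document covers a representative subset of the actions listed above and flags whole-service grants on `Resource: "*"` (such as the `s3:*` entry), which a practitioner would normally scope down to the buckets the components actually use. It evaluates Allow statements only; Deny, NotAction and Condition are ignored, and the required-action list is an assumed excerpt with the wildcard entries expanded to concrete API names.

```python
import fnmatch
import json

# Concrete actions the nodes must be able to call, taken from the policy on this page
# (wildcards such as ec2:DescribeVolume* expanded to representative API names).
REQUIRED_ACTIONS = [
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "acm:ListCertificates",
    "route53:ChangeResourceRecordSets", "route53:GetChange",
    "ec2:DescribeVolumes", "ec2:CreateVolume", "ec2:AttachVolume",
    "ec2:DescribeInstances", "ec2:AuthorizeSecurityGroupIngress",
    "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
    "s3:GetObject", "s3:PutObject",
]

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _allow_statements(policy):
    """Yield (actions, resources) for each Allow statement.
    Simplification: Deny statements, NotAction and Condition are not evaluated."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))

def missing_actions(policy):
    """Required actions that no Allow statement covers (IAM matching is case-insensitive)."""
    patterns = [p.lower() for acts, _ in _allow_statements(policy) for p in acts]
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def broad_grants(policy):
    """Whole-service grants (svc:* or *) on Resource '*', which should be scoped down."""
    return [a for acts, res in _allow_statements(policy) for a in acts
            if (a == "*" or a.endswith(":*")) and "*" in res]

# Constructed sample: a node policy that forgot Route53 and ELB instance registration.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ecr:*", "acm:ListCertificates", "ec2:Describe*", "ec2:CreateVolume",
               "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress",
               "elasticloadbalancing:CreateLoadBalancer", "s3:*"]}]
}""")

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print("broad grants:", broad_grants(SAMPLE_POLICY))
```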
OpenShift Import using Control Plane
- Select the cluster type OpenShift Cluster.
- Select an existing adapter template for OpenShift Cluster, or select Create a new one.
- Select the Environment that uses the Cloud Account in which your OpenShift cluster is deployed. NOTE: The Cloud Account of the selected Environment must be the same Cloud Account where the OpenShift cluster is deployed. Cross-account import of OpenShift clusters is not supported due to IAM limitations (an AWS cloud limit) and networking. For details on how to onboard cloud accounts, see Create a Cloud Account.
- Enter the name of the OpenShift cluster. This field is required.
- Enter the endpoint of the cluster. It must contain the hostname and port, for example `shifty.superhub.io:8443`. This field is required. To obtain it, log in to the OpenShift Web Console, click your username in the upper right corner, and click Copy Login Command. The login command containing the cluster hostname and port number will be copied to your clipboard. NOTE: The OpenShift user whose token is used to onboard the cluster MUST have the `cluster-admin` role.
- Enter the OpenShift session token. To obtain a token, go to the OpenShift web console, click your username in the upper right corner, and click Copy Login Command. The login command containing a valid session token will be copied to your clipboard. This field is required.
- If a self-signed certificate or the root CA of your organization was used to provision your OpenShift cluster, the root CA certificate must be provided in the Certificate of authority field.
- Select one or more core components.
- Click Import.