Seth Jennings sjenning

## install-aws-cluster.sh
#!/bin/bash

set -eux

export AWS_PROFILE=openshift-dev
export AWS_DEFAULT_REGION=us-west-1

CLUSTER_NAME=aws
mkdir -p $HOME/clusters
cd $HOME/clusters

## ocp-aws-iam-pod-identity.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sjenning
                / ocp-aws-iam-pod-identity.md
            
            
              Last active
              February 18, 2020 20:13
            
              
                OCP AWS IAM Pod Identity
              
          
    References


https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
https://github.com/aws/amazon-eks-pod-identity-webhook/
https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
https://github.com/openshift/api/blob/master/config/v1/types_authentication.go#L54-L58
https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/bound-sa-tokens.md
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md
https://docs.google.com/document/d/1XcOsEv4jO9P1QQHn-tOnC80oMyCm85hGA6LqHRfjTgo/edit


## create-oidc-provider.sh
#!/bin/bash

set -xe

export S3_BUCKET=sjenning-oidc-provider
export AWS_REGION=us-west-1

# Extract the serviceaccount keypair from cluster
PRIV_KEY="sa-signer.key"
PKCS_KEY="sa-signer-pkcs8.pub"

## disconnected-operators.md

      
              1 file
            
          
              1 fork
            
          
              1 comment
            
          
              2 stars
            
          
                sjenning
                / disconnected-operators.md
            
            
              Last active
              November 16, 2020 21:37
            
              
                disconnected-operators
              
          
    References


https://docs.openshift.com/container-platform/4.3/operators/olm-restricted-networks.html
docs bug to add procedure for creating the CatalogSource manually https://bugzilla.redhat.com/show_bug.cgi?id=1796464

Notes


using oc from 4.4 as 4.3 apparently has a bug in the oc adm catalog command(s)

Procedure

Disable the default catalog sources

oc patch OperatorHub cluster --type json \
    -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'


## Dockerfile
FROM registry.redhat.io/openshift4/ose-operator-registry:v4.2.1
COPY manifests manifests
RUN /bin/initializer -o ./bundles.db
EXPOSE 50051
ENTRYPOINT ["/bin/registry-server"]
CMD ["--database", "bundles.db"]

## govcloud-cluster-install.md

      
              1 file
            
          
              1 fork
            
          
              1 comment
            
          
              6 stars
            
          
                sjenning
                / govcloud-cluster-install.md
            
            
              Last active
              July 26, 2021 13:04
            
          
    This the procedure for generating ignition configs for govcloud using th 4.3 installer (which actively thwarts attempts to do this)
Create install-config.yaml

apiVersion: v1
baseDomain: sjennings.me
# disconnected install requires local mirror
# oc adm release mirror
imageContentSources:
- mirrors:


## extract-ignition-filesystem.py
#!/usr/bin/env python3

import json
import os
import sys
import base64

ign_file = open(sys.argv[1])
ign_json = json.load(ign_file)
ign_file.close()

## minimum-iam-privileges.md

      
              1 file
            
          
              0 forks
            
          
              1 comment
            
          
              0 stars
            
          
                sjenning
                / minimum-iam-privileges.md
            
            
              Last active
              October 28, 2020 07:55
            
              
                Minimum AWS IAM Privileges for OCP4
              
          
    Permissions needed for install (IPI)
https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go#L32-L214
Below is documented what is required to operate for the UPI case (untested and not verified)
image-registry user

needed for integrated registry

  
## custom_local_settings
# cat horizon/custom_local_settings
LAUNCH_INSTANCE_DEFAULTS = {
    "create_volume": False,
}
SESSION_TIMEOUT = 86400

## release-images.txt
# updated 10/11/18
# oc get is origin-v4.0 -n openshift -o yaml | grep tag: | cut -f6 -d' '

ansible
artifacts
aws-machine-controllers
base
catalog
cli
cluster-autoscaler
	#!/bin/bash

	set -eux

	export AWS_PROFILE=openshift-dev
	export AWS_DEFAULT_REGION=us-west-1

	CLUSTER_NAME=aws
	mkdir -p $HOME/clusters
	cd $HOME/clusters
	#!/bin/bash

	set -xe

	export S3_BUCKET=sjenning-oidc-provider
	export AWS_REGION=us-west-1

	# Extract the serviceaccount keypair from cluster
	PRIV_KEY="sa-signer.key"
	PKCS_KEY="sa-signer-pkcs8.pub"
	FROM registry.redhat.io/openshift4/ose-operator-registry:v4.2.1
	COPY manifests manifests
	RUN /bin/initializer -o ./bundles.db
	EXPOSE 50051
	ENTRYPOINT ["/bin/registry-server"]
	CMD ["--database", "bundles.db"]
	#!/usr/bin/env python3

	import json
	import os
	import sys
	import base64

	ign_file = open(sys.argv[1])
	ign_json = json.load(ign_file)
	ign_file.close()
	# cat horizon/custom_local_settings
	LAUNCH_INSTANCE_DEFAULTS = {
	"create_volume": False,
	}
	SESSION_TIMEOUT = 86400
	# updated 10/11/18
	# oc get is origin-v4.0 -n openshift -o yaml \| grep tag: \| cut -f6 -d' '

	ansible
	artifacts
	aws-machine-controllers
	base
	catalog
	cli
	cluster-autoscaler