OSDOCS-13051: Porting the ALBO book from OCP to ROSA and ROSA classic

Author: EricPonvelle

cli_reference/index.adoc

@@ -62,7 +62,6 @@ using the terminal. Unlike the web console, it allows the user to work directly
 
 * xref:../cli_reference/osdk/cli-osdk-install.adoc#cli-osdk-install[Operator SDK]: The Operator SDK, a component of the Operator Framework, provides a CLI tool that Operator developers can use to build, test, and deploy an Operator from the terminal. It simplifies the process of building Kubernetes-native applications, which can require deep, application-specific operational knowledge.
 
-
-ifdef::openshift-rosa[]
+ifdef::openshift-rosa,openshift-rosa-hcp[]
 * xref:../cli_reference/rosa_cli/rosa-get-started-cli.adoc#rosa-get-started-cli[ROSA CLI (`rosa`)]: Use the `rosa` CLI to create, update, manage, and delete ROSA clusters and resources.
-endif::openshift-rosa[]
+endif::openshift-rosa,openshift-rosa-hcp[]

modules/albo-deleting.adoc

@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+:_mod-docs-content-type: PROCEDURE
+[id="aws-load-balancer-operator-deleting_{context}"]
+= Deleting the example AWS Load Balancer Operator installation
+
+. Delete the hello world application namespace (and all the resources in the namespace):
++
+[source,terminal]
+----
+$ oc delete project hello-world
+----
++
+. Delete the AWS Load Balancer Operator and the AWS IAM roles:
++
+[source,terminal]
+----
+$ oc delete subscription aws-load-balancer-operator -n aws-load-balancer-operator
+$ aws iam detach-role-policy \
+  --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+  --policy-arn $POLICY_ARN
+$ aws iam delete-role \
+  --role-name "${ROSA_CLUSTER_NAME}-alb-operator"
+----
++
+. Delete the AWS IAM policy:
++
+[source,terminal]
+----
+$ aws iam delete-policy --policy-arn $POLICY_ARN
+----

modules/albo-installation.adoc

@@ -0,0 +1,288 @@
+// Module included in the following assemblies:
+//
+:_mod-docs-content-type: PROCEDURE
+[id="aws-load-balancer-operator-installation_{context}"]
+= Installing the AWS Load Balancer Operator
+
+After setting up your environment with your cluster, you can install the AWS Load Balancer Operator using the CLI.
+
+.Procedure
+. Create a new project within your cluster for the AWS Load Balancer Operator:
++
+[source,terminal]
+----
+$ oc new-project aws-load-balancer-operator
+----
+
+. Create an AWS IAM policy for the AWS Load Balancer Controller:
++
+[NOTE]
+====
+You can find the AWS IAM policy from link:https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json[the upstream AWS Load Balancer Controller policy]. This policy includes all of the permissions you needed by the Operator to function.
+====
++
+[source,terminal]
+----
+$ POLICY_ARN=$(aws iam list-policies --query \
+      "Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
+      --output text)
+$ if [[ -z "${POLICY_ARN}" ]]; then
+     wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
+        https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
+     POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
+     --output text iam create-policy \
+     --policy-name aws-load-balancer-operator-policy \
+     --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json")
+fi
+$ echo $POLICY_ARN
+----
++
+. Create an AWS IAM trust policy for AWS Load Balancer Operator:
++
+[source,terminal]
+----
+$ cat <<EOF > "${SCRATCH}/trust-policy.json"
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Condition": {
+   "StringEquals" : {
+     "${OIDC_ENDPOINT}:sub": ["system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager", "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"]
+   }
+ },
+ "Principal": {
+   "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity"
+ }
+ ]
+}
+EOF
+----
++
+. Create an AWS IAM role for the AWS Load Balancer Operator:
++
+[source,terminal]
+----
+$ ROLE_ARN=$(aws iam create-role --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+   --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
+   --query Role.Arn --output text)
+$ echo $ROLE_ARN
+
+$ aws iam attach-role-policy --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+     --policy-arn $POLICY_ARN
+----
++
+. Create a secret for the AWS Load Balancer Operator to assume our newly created AWS IAM role:
++
+[source,terminal]
+----
+$ cat << EOF | oc apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aws-load-balancer-operator
+  namespace: aws-load-balancer-operator
+stringData:
+  credentials: |
+    [default]
+    role_arn = $ROLE_ARN
+    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
+EOF
+----
++
+. Install the AWS Load Balancer Operator:
++
+[source,terminal]
+----
+$ cat << EOF | oc apply -f -
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: aws-load-balancer-operator
+  namespace: aws-load-balancer-operator
+spec:
+  upgradeStrategy: Default
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: aws-load-balancer-operator
+  namespace: aws-load-balancer-operator
+spec:
+  channel: stable-v1.0
+  installPlanApproval: Automatic
+  name: aws-load-balancer-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  startingCSV: aws-load-balancer-operator.v1.0.0
+EOF
+----
++
+. Deploy an instance of the AWS Load Balancer Controller using the Operator:
++
+[NOTE]
+====
+If you get an error here wait a minute and try again, it means the Operator has not completed installing yet.
+====
++
+[source,terminal]
+----
+$ cat << EOF | oc apply -f -
+apiVersion: networking.olm.openshift.io/v1
+kind: AWSLoadBalancerController
+metadata:
+  name: cluster
+spec:
+  credentials:
+    name: aws-load-balancer-operator
+EOF
+----
++
+. Check the that the Operator and controller pods are both running:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator get pods
+----
++
+You should see the following, if not wait a moment and retry:
++
+[source,terminal]
+----
+NAME                                                             READY   STATUS    RESTARTS   AGE
+aws-load-balancer-controller-cluster-6ddf658785-pdp5d            1/1     Running   0          99s
+aws-load-balancer-operator-controller-manager-577d9ffcb9-w6zqn   2/2     Running   0          2m4s
+----
+
+[id="aws-load-balancer-operator-validating-the-deployment_{context}"]
+== Validating the deployment
+
+. Create a new project:
++
+[source,terminal]
+----
+$ oc new-project hello-world
+----
++
+. Deploy a hello world application:
++
+[source,terminal]
+----
+$ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
+----
++
+. Configure a NodePort service for the AWS ALB to connect to:
++
+[source,terminal]
+----
+$ cat << EOF | oc apply -f -
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-openshift-nodeport
+  namespace: hello-world
+spec:
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+  type: NodePort
+  selector:
+    deployment: hello-openshift
+EOF
+----
++
+. Deploy an AWS ALB using the AWS Load Balancer Operator:
++
+[source,terminal]
+----
+$ cat << EOF | oc apply -f -
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello-openshift-alb
+  namespace: hello-world
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+spec:
+  ingressClassName: alb
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Exact
+            backend:
+              service:
+                name: hello-openshift-nodeport
+                port:
+                  number: 80
+EOF
+----
++
+. Curl the AWS ALB Ingress endpoint to verify the hello world application is accessible:
++
+[NOTE]
+====
+AWS ALB provisioning takes a few minutes. If you receive an error that says `curl: (6) Could not resolve host`, please wait and try again.
+====
++
+[source,termnial]
+----
+$ INGRESS=$(oc -n hello-world get ingress hello-openshift-alb \
+    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+$ curl "http://${INGRESS}"
+----
++
+.Example output
+[source,text]
+----
+Hello OpenShift!
+----
+
+. Deploy an AWS NLB for your hello world application:
++
+[source,terminal]
+----
+$ cat << EOF | oc apply -f -
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-openshift-nlb
+  namespace: hello-world
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: external
+    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+spec:
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+  type: LoadBalancer
+  selector:
+    deployment: hello-openshift
+EOF
+----
++
+. Test the AWS NLB endpoint:
++
+[NOTE]
+====
+NLB provisioning takes a few minutes. If you receive an error that says `curl: (6) Could not resolve host`, please wait and try again.
+====
++
+[source,terminal]
+----
+$ NLB=$(oc -n hello-world get service hello-openshift-nlb \
+  -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+$ curl "http://${NLB}"
+----
++
+.Example output
+[source,text]
+----
+Hello OpenShift!
+----