diff --git a/content/rosa/hcp-private-nlb/_index.md b/content/rosa/hcp-private-nlb/_index.md index eef59e853..470216b00 100644 --- a/content/rosa/hcp-private-nlb/_index.md +++ b/content/rosa/hcp-private-nlb/_index.md @@ -4,6 +4,7 @@ title: Securely exposing an application on a private ROSA cluser with an AWS Net tags: ["ROSA", "ROSA HCP"] authors: - Kevin Collins + - Daniel Axelrod --- ## Overview @@ -116,14 +117,6 @@ rosa describe cluster -c kmc-private -o json | jq -r '.api.url' ```bash oc create secret tls $CERT_NAME --key=config/live/${DOMAIN}/privkey.pem --cert=config/live/${DOMAIN}/fullchain.pem -n openshift-ingress ``` -### Add Domain certificates to AWS ACM - -When we create a listener for the public load balancer, we will add a certificate to the listener. Adding a certificate to an AWS Network Load Balancer listener enables encrypted, authenticated connections, enhancing security and compliance by protecting data in transit. - -```bash - export CERT_ARN=$(aws acm import-certificate --certificate fileb://config/live/${DOMAIN}/cert.pem --private-key fileb://config/live/${DOMAIN}/privkey.pem --certificate-chain fileb://config/live/${DOMAIN}/fullchain.pem --region us-east-1 | jq -r '.CertificateArn' ) - echo $CERT_ARN -``` ### Create an additional IngressController @@ -174,31 +167,23 @@ spec: EOF ``` -Get the newly created Network Load Balancer hostname and IP addresses +### Find the hostname and IP addresses of the newly created NLB -> if using a jump host of 'oc' command run this command there. -```bash -NLB_HOSTNAME=$(oc get service -n openshift-ingress router-${INGRESS_NAME} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') -echo $NLB_HOSTNAME -``` +Wait a few minutes for the new IngressController to finish provisioning its Network Load Balancer. -Copy the output of the above command to a new environment variable on your workstation +AWS guarantees that the listner IP addresses of Network Load Balancers will not change for the lifetime of the Load Balancer. -Example: -```bash -export NLB_HOST_NAME=a0df2223a72244f78806ff46230e2dd6-516fc9d40188cfa3.elb.us-east-1.amazonaws.com -``` +To find the IP addresses of those listeners, we need to [search for network interfaces whose description field has a suffix of the NLB's ARN](https://repost.aws/knowledge-center/elb-find-load-balancer-ip). -Wait a few minutes for the load balancer to be provisioned and run these commands. If they don't return with IP addresses, just wait a while and run then again. +> if using a jump host of 'oc' command run this command there. ```bash -export NLB_IP_1=$(nslookup $NLB_HOSTNAME | grep Address | sed -n 2p | cut -d ' ' -f 2) - -echo $NLB_IP_1 - -export NLB_IP_2=$(nslookup $NLB_HOSTNAME | grep Address | sed -n 3p | cut -d ' ' -f 2) - -echo $NLB_IP_2 +NLB_HOSTNAME=$(oc get svc -n openshift-ingress router-$INGRESS_NAME -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +echo $NLB_HOSTNAME +NLB_ARN=$(aws elbv2 describe-load-balancers --query "LoadBalancers[?DNSName == '$NLB_HOSTNAME'].LoadBalancerArn" --output text) +NLB_ARN_SUFFIX=$(echo $NLB_ARN | sed 's/.*loadbalancer\///') +NLB_LISTENER_IPS=$(aws ec2 describe-network-interfaces --filters Name=description,Values="ELB $NLB_ARN_SUFFIX" --query 'NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress' --output text) +echo $NLB_LISTENER_IPS ``` ## Update DNS records @@ -229,7 +214,9 @@ echo $TARGET_GROUP_ARN Register the targets for the AWS Network Load Balancer that was created when we added the second IngressController ```bash -aws elbv2 register-targets --target-group-arn $TARGET_GROUP_ARN --targets Id=$NLB_IP_1,Port=443,AvailabilityZone=all Id=$NLB_IP_2,Port=443,AvailabilityZone=all +while IFS=' ' read -r ip || [[ -n $ip ]]; do + aws elbv2 register-targets --target-group-arn $TARGET_GROUP_ARN --targets ID=$ip,Port=443 +done < <(printf '%s' "$NLB_LISTENER_IPS") ``` Create a security group for the public load balancer