Bug 1301669

Summary: [DOCS] AWS persistent storage config needs updating
Product: OpenShift Container Platform
Reporter: Jason DeTiberus <jdetiber>
Component: Documentation
Assignee: brice <bfallonf>
Status: CLOSED DUPLICATE
QA Contact: Jianwei Hou <jhou>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 3.1.0
CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-30 23:30:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Jason DeTiberus 2016-01-25 16:15:37 UTC
Document URL: https://docs.openshift.com/enterprise/3.1/install_config/configuring_aws.html#exporting-key-value-access-pairs

Section Number and Name:
exporting-key-value-access-pairs

Describe the issue:
Exported env variables in the user environment will not be picked up by daemons running under systemd.

Suggestions for improvement:
Users will need to either provide the values in the relevant configuration file, or provision the instances with an IAM Instance Profile granting the correct permissions needed.

For configuring masters:
  - /etc/sysconfig/atomic-openshift-master for single master or pacemaker based HA
  - /etc/sysconfig/atomic-openshift-master-api and /etc/sysconfig/atomic-openshift-master-controllers for native HA

For configuring nodes: /etc/sysconfig/atomic-openshift-node

We also need to document the proper IAM permissions (both for using an Instance Profile or providing credentials).

I use the following CloudFormation resource snippet for testing (based off of the ones used by the upstream Kubernetes installer):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "NodePolicy": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "demo-node-1",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:Describe*",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "demo-node-2",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:AttachVolume",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "demo-node-3",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:DetachVolume",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "MasterPolicy": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "ec2.amazonaws.com" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "demo-master-1",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "ec2:*",
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": "demo-master-2",
            "PolicyDocument": {
              "Version" : "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "elasticloadbalancing:*",
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "MasterInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Roles": [ { "Ref": "MasterPolicy" } ]
      }
    },
    "NodeInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Roles": [ { "Ref": "NodePolicy" } ]
      }
    }
  }
}

The actual permissions needed should be validated by Engineering, since I'm not sure how much of the native cloud provider functionality we expose, especially on the master side.
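
Added example, not code from the bug report or from OpenShift: a small Python linter over a constructed CloudFormation template that catches the two things a reviewer would check in a snippet like the one above, a trust-policy statement missing a required key (the original snippet's MasterPolicy trust statement had no "Effect") and inline policies that grant wildcard actions on every resource, which is where the request to validate the real permissions with Engineering comes in. The template, the `lint_roles` function and the `TRUST_KEYS` list are assumptions made for this example.

```python
# Added example (not from the bug or OpenShift): lint the IAM roles of a
# CloudFormation template for the two things worth checking in a snippet
# like the one above: trust statements missing a required key, and inline
# policies granting wildcard actions on every resource.
import json

TRUST_KEYS = ("Effect", "Principal", "Action")

# Constructed template mirroring the bug's snippet: the master trust
# statement omits "Effect" and the inline policies use wildcards.
TEMPLATE = json.loads("""{"Resources": {
  "NodePolicy": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
      "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
    "Policies": [{"PolicyName": "demo-node-1", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}}]}},
  "MasterPolicy": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [
      {"Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
    "Policies": [{"PolicyName": "demo-master-1", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}}]}}}}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_roles(template):
    """Return {role_name: [finding, ...]} for every AWS::IAM::Role."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props, issues = res.get("Properties", {}), []
        trust = props.get("AssumeRolePolicyDocument", {})
        for stmt in _as_list(trust.get("Statement", [])):
            missing = [k for k in TRUST_KEYS if k not in stmt]
            if missing:
                issues.append("trust statement missing " + ", ".join(missing))
        for pol in props.get("Policies", []):
            for stmt in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
                    continue
                for action in _as_list(stmt.get("Action", [])):
                    if action.endswith("*"):
                        issues.append(f"{pol['PolicyName']}: {action} on all resources")
        findings[name] = issues
    return findings
```

Run it against the full template from the snippet and the master role is reported for both the missing "Effect" and the ec2:* and elasticloadbalancing:* grants, while each node policy is reported only for ec2:Describe*.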

Comment 1 Jason DeTiberus 2016-01-25 16:16:49 UTC
We also need to mention that the nodeName value of the node (set by openshift_hostname) must match the metadata-provided private-dns-name value in order for the cloud integration to work.

Comment 2 Vikram Goyal 2017-12-30 23:30:31 UTC

*** This bug has been marked as a duplicate of bug 1452816 ***