From 5aae8b4436272cd82f0f1646b0f80382d9a58646 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Wed, 5 Jul 2023 14:22:45 +0200
Subject: [PATCH] Refactor Exoscale install instructions to work with Exoscale IAM v3

Note that as of writing, the latest `exo` CLI (v1.71.0) doesn't yet support IAM v3, so we need to fall back to the generated OpenAPI client (`exo x`) to interact with IAM v3.
---
 .../ROOT/pages/how-tos/exoscale/install.adoc | 62 ++++++++++++++++---
 .../exoscale/configure-terraform-secrets.adoc | 2 +
 2 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
index 70df3903..a76958b3 100644
--- a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
+++ b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
@@ -33,9 +33,8 @@ include::partial$install/prerequisites.adoc[]
 * `md5sum`
 * `virt-edit`
 * `cpio`
-//* Clone of the https://github.com/appuio/terraform-openshift4-exoscale[terraform-openshift4-exoscale] repository
-* `exo` >= v1.48.0 https://community.exoscale.com/documentation/tools/exoscale-command-line-interface[Exoscale CLI]
-* An unrestricted Exoscale https://community.exoscale.com/documentation/iam/quick-start/#api-keys[API key]
+* `exo` >= v1.71.0 https://community.exoscale.com/documentation/tools/exoscale-command-line-interface[Exoscale CLI]
+* An Exoscale https://community.exoscale.com/documentation/iam/quick-start/#api-keys[API key] with full permissions
 * https://community.exoscale.com/documentation/dns/quick-start/#subscribing-to-the-service[DNS subscription] activated in the Exoscale organisation
 
 [WARNING]
@@ -56,14 +55,63 @@ include::partial$install/vshn-input.adoc[]
 [#_create_iam_keys]
 === Create restricted Exoscale IAM keys for the LBs and object storage
+[NOTE]
+====
+If creating the API key fails, please retry the commands starting from `exoscale_s3_credentials`.
+It may take a second or two for the newly created role to be available to reference for an API key.
+====
+
 . Create restricted API key for Exoscale object storage
 +
 [source,bash]
 ----
-exoscale_s3_credentials=$(exo iam access-key create "${CLUSTER_ID}_object_storage" \
- --tag sos -O json)
-export EXOSCALE_S3_ACCESSKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.api_key')
-export EXOSCALE_S3_SECRETKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.api_secret')
+# Create SOS IAM role, if it doesn't exist yet in the organization
+sos_iam_role_id=$(exo x list-iam-roles | jq -r '."iam-roles"[] | select(.name=="sos-full-access") | .id')
+if [ -z "${sos_iam_role_id}" ]; then
+sos_iam_role_id=$(echo '{"name": "sos-full-access", "policy": {"default-service-strategy": "deny", "services": {"sos": {"type": "allow"}}}}' | \
+ exo x create-iam-role | jq -r '.reference.id')
+fi
+# Create access key
+exoscale_s3_credentials=$(echo '{"name": "'"${CLUSTER_ID}"'_object_storage", "role-id": "'"${sos_iam_role_id}"'"}' | \
+ exo x create-api-key)
+export EXOSCALE_S3_ACCESSKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.key')
+export EXOSCALE_S3_SECRETKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.secret')
+----
+
 . Create restricted API key for Floaty
++
+[source,bash]
+----
+# Create SOS IAM role if it doesn't exist yet in the organization
+floaty_iam_role_id=$(exo x list-iam-roles | jq -r '."iam-roles"[] | select(.name=="floaty") | .id')
+if [ -z "${floaty_iam_role_id}" ]; then
+cat >floaty-role.json < ./terraform.env
 EXOSCALE_API_KEY
 EXOSCALE_API_SECRET
+TF_VAR_lb_exoscale_api_key
+TF_VAR_lb_exoscale_api_secret
 TF_VAR_control_vshn_net_token
 GIT_AUTHOR_NAME
 GIT_AUTHOR_EMAIL