Advanced Cluster Management Observability on ROSA
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
This document takes you through deploying ACM Observability on a ROSA cluster. See here for the original documentation.
Prerequisites
- An existing ROSA cluster
- An Advanced Cluster Management (ACM) deployment
Set up environment
Set environment variables
```bash
export CLUSTER_NAME=my-cluster
export S3_BUCKET=$CLUSTER_NAME-acm-observability
export REGION=us-east-2
export NAMESPACE=open-cluster-management-observability
export SA=tbd
export SCRATCH_DIR=/tmp/scratch
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export AWS_PAGER=""
rm -rf $SCRATCH_DIR
mkdir -p $SCRATCH_DIR
```
Prepare AWS Account
Create an S3 bucket
```bash
aws s3 mb s3://$S3_BUCKET
```
Create a Policy for access to S3
```bash
cat <<EOF > $SCRATCH_DIR/s3-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:CreateBucket",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::$S3_BUCKET/*",
        "arn:aws:s3:::$S3_BUCKET"
      ]
    }
  ]
}
EOF
```
Apply the Policy
```bash
S3_POLICY=$(aws iam create-policy --policy-name $CLUSTER_NAME-acm-obs \
  --policy-document file://$SCRATCH_DIR/s3-policy.json \
  --query 'Policy.Arn' --output text)
echo $S3_POLICY
```
Create service account
```bash
aws iam create-user --user-name $CLUSTER_NAME-acm-obs \
  --query User.Arn --output text
```
Attach policy to user
```bash
aws iam attach-user-policy --user-name $CLUSTER_NAME-acm-obs \
  --policy-arn ${S3_POLICY}
```
Create Access Keys
```bash
read -r ACCESS_KEY_ID ACCESS_KEY < <(aws iam create-access-key \
  --user-name $CLUSTER_NAME-acm-obs \
  --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
```
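The s3-policy.json written in the policy step also grants s3:PutObjectAcl, s3:CreateBucket and s3:DeleteBucket, and applies every action to both the bucket and its objects. As an added example (not part of the original guide), the following writes a narrower policy and lists any actions outside an allow-list; the function names are hypothetical, and it assumes Thanos needs only list, get, put and delete on the bucket already created with aws s3 mb.

```shell
# Added example; function names are hypothetical, not part of the guide.
# Assumption: Thanos needs only list/get/put/delete on the existing bucket.

# Write a policy with bucket-level and object-level actions scoped separately.
write_scoped_policy() {
  bucket=$1
  out=$2
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$bucket"]
    },
    {
      "Sid": "ObjectReadWrite",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::$bucket/*"]
    }
  ]
}
EOF
}

# Print S3 actions in a policy file that fall outside the allow-list.
# Returns 1 if any are found, 0 if the policy only uses allowed actions.
audit_policy_actions() {
  extra=$(grep -o '"s3:[A-Za-z*]*"' "$1" | tr -d '"' | sort -u |
    grep -v -x -e s3:ListBucket -e s3:GetObject -e s3:PutObject -e s3:DeleteObject || true)
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra"
    return 1
  fi
}

# Demo: generate the scoped policy for the guide's bucket name and audit it.
demo_policy=$(mktemp)
write_scoped_policy "${S3_BUCKET:-my-cluster-acm-observability}" "$demo_policy"
audit_policy_actions "$demo_policy" && echo "only allow-listed actions in $demo_policy"
```

Running audit_policy_actions against $SCRATCH_DIR/s3-policy.json before aws iam create-policy shows which grants go beyond the allow-list.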
ACM Hub
Log into the OpenShift cluster that is running your ACM Hub. We’ll set up Observability here.
Create a namespace for observability
```bash
oc new-project $NAMESPACE
```
Generate a pull secret (this will check if the pull secret exists, if not, it will create it)
```bash
DOCKER_CONFIG_JSON=`oc extract secret/multiclusterhub-operator-pull-secret -n open-cluster-management --to=-` || \
  DOCKER_CONFIG_JSON=`oc extract secret/pull-secret -n openshift-config --to=-` && \
  oc create secret generic multiclusterhub-operator-pull-secret \
  -n open-cluster-management-observability \
  --from-literal=.dockerconfigjson="$DOCKER_CONFIG_JSON" \
  --type=kubernetes.io/dockerconfigjson
```
Create a Secret containing your S3 details
```bash
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: thanos-object-storage
  namespace: open-cluster-management-observability
type: Opaque
stringData:
  thanos.yaml: |
    type: s3
    config:
      bucket: $S3_BUCKET
      endpoint: s3.$REGION.amazonaws.com
      signature_version2: false
      access_key: $ACCESS_KEY_ID
      secret_key: $ACCESS_KEY
EOF
```
Create a CR for MulticlusterHub
```bash
cat << EOF | kubectl apply -f -
apiVersion: observability.open-cluster-management.io/v1beta2
kind: MultiClusterObservability
metadata:
  name: observability
spec:
  observabilityAddonSpec: {}
  storageConfig:
    metricObjectStorage:
      name: thanos-object-storage
      key: thanos.yaml
EOF
```
Access ACM Observability
- Log into Advanced Cluster Management and access the new Grafana dashboard.
