Support AWS China install
wanghaoran1988 committed Feb 13, 2020
1 parent 4a86556 commit 9ec8883
Showing 1 changed file with 130 additions and 0 deletions.
130 changes: 130 additions & 0 deletions enhancements/installer/ipi-aws-china.md
@@ -0,0 +1,130 @@
---
title: ipi-install-aws-china
authors:
- "@wanghaoran1988"
reviewers:
- TBD
approvers:
- TBD
creation-date: 2020-02-14
last-updated: 2020-02-14
status: implementable
---

# IPI install on AWS China

## Release Sign off Checklist

- [ ] Enhancement is `implementable`
- [ ] Design details are appropriately documented from clear requirements
- [ ] Test plan is defined
- [ ] Graduation criteria for dev preview, tech preview, GA
- [ ] User-facing documentation is created in [openshift-docs](https://github.com/openshift/openshift-docs/)

## Summary

We have customers want to install OpenShift on AWS China, but currently
OpenShift installer doesn't show up the AWS China regions `cn-north-1` and `cn-northwest-1`.
These two regions are isolated from other global regions and RHCOS AMI pushed to global cannot
be used in AWS China, [ARNs and api endpoint](https://docs.amazonaws.cn/en_us/aws/latest/userguide/endpoints-arns.html) are different.

Similar to other global regions, we should support these two regions for customer who want deploy
OpenShift on AWS China.

## Motivation

### Goals

* OpenShift installer support IPI install on AWS China Regions.
* CI job executing testings on AWS China regions.

### Non-Goals

* It's not a goal to detail how to request and setup a AWS account in AWS China.
* It's not a goal to detail how to do UPI install.

## Proposal

In order to support install OpenShift on AWS China, we need:

* Setup a public AWS China Account to host RHCOS AMIs.
* Push RHCOS AMIs to AWS China account, and share them to public.
* OpenShift installer support AWS China Regions.
* All OCP components using AWS apis should use AWS China api endpoints.

### User Stories

#### Setup AWS China Account

dofinn Feb 13, 2020

Contributor

We should include info about the business licence requirements.

wanghaoran1988 Feb 13, 2020

Author Member

It's not a goal to detail how to request and setup a AWS account in AWS China.


The AMIs in global regions are not useable in AWS China regions, we need setup an AWS China Account to host our RHCOS AMIs, so that installer can use them to setup the cluster.

#### Push RHCOS AMIs to AWS China account, and share them to public.

Currently, we have CI jobs push the AMIs to public regions, after the AWS China account setup is ready, we should make our CI job start push our AMIs to AWS China regions, and share them to all accounts in AWS China regions.

#### OpenShift installer support AWS China regions

The OpenShift installer should be able to use the AMIs that pushed to AWS China regions to provision clusters, and use the correct api endpoints and ARNs, Notable difference for AWS China:

* AWS resources ARNs in China regions are prefixed with "arn:arn-cn"
* Ec2 service endpoint is "ec2.amazonaws.com.cn"
* Route53 currently is not GA, we can use api endpoint "route53.amazonaws.com.cn" or "api.route53.cn" in AWS China.

#### Cloud credential operator support AWS China regions

Cloud credential operator will create AWS client and use IAM service to validate the permission for provided AWS credential, to support AWS China, it should use IAM api endpoint "iam.amazonaws.com.cn" for AWS China regions.

#### Ingress operator support AWS China regions

Ingress operator will create ELBs and using route53 service to update related DNS records, to support AWS China, it should use
"route53.amazonaws.com.cn" or "api.route53.cn" api endpoint. And for the resource groups tagging api, it should use "tagging.cn-northwest-1.amazonaws.com.cn"

### Risks and Mitigations

TODO

## Design Details

### Test Plan

Our testing CI should include one AWS China Region, and run the installer and e2e tests in AWS China account.

### Graduation Criteria

This enhancement will follow standard graduation criteria.

##### Dev Preview -> Tech Preview

- Ability to utilize the enhancement end to end
- End user documentation, relative API stability
- Sufficient test coverage
- Gather feedback from users rather than just developers

##### Tech Preview -> GA

- More testing (upgrade, downgrade, scale)
- Sufficient time for feedback
- Available by default

##### Removing a deprecated feature

- Announce deprecation and support policy of the existing feature
- Deprecate the feature

### Upgrade / Downgrade Strategy

Not applicable

### Version Skew Strategy

Not applicable

## Implementation History

## Drawbacks

None

## Alternatives

None
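
Review bot: Under "OpenShift installer support AWS China regions", the ARN prefix is written as "arn:arn-cn", but the China partition is `aws-cn`, so ARNs there begin with `arn:aws-cn:`; please correct the bullet, because IAM policies and role ARNs templated from the wrong prefix are not valid in `cn-north-1` or `cn-northwest-1`. Separately, the front matter sets `status: implementable` while "Risks and Mitigations" is still `TODO` and reviewers and approvers are `TBD`. The proposal shares RHCOS AMIs publicly from a new account and points several operators at different API endpoints, so that section should at least state how the installer identifies the official AMIs (for example by the owning account) and whether each endpoint is derived from the cluster region or fixed, as the single `tagging.cn-northwest-1.amazonaws.com.cn` value suggests.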
