#8403 AWS access for Fedora CI SIG (taiga epic #64)
Closed: Fixed 4 years ago by kevin. Opened 4 years ago by ttomecek.

Hello, we'd like to request access for our Fedora CI SIG.

Most of the details should be in the taiga epic: https://teams.fedoraproject.org/project/ci/epic/64

I have no idea if there is an official process for this and what exact information you need from me. We also have a document outlining our infra plans & resources needs (it's internal atm, we can open it).

CC @bookwar @mvadkert


Metadata Update from @mizdebsk:
- Issue tagged with: aws

4 years ago

ok, so this is to install an OpenShift 4.x cluster in AWS?

I am not sure it's going to be possible to do this in the shared Fedora account. The OpenShift installer uses tons of permissions and creates a bunch of things, including managing its own roles and tags, which would not interact well with all the other groups using this.

Perhaps we should look at a separate account for this?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

4 years ago

I believe we'd be able to manage the cluster ourselves (unless you really want to do it on your own).

Sadly, I have no idea what the existing AWS setup is, so I can't comment there - a separate account makes sense to me.

@kevin is the whole process documented somewhere?
I think there is more unclarity about what we can actually expect. E.g. who creates the account and sets it up, how billing is managed, etc... Thanks!

So, let me explain what we have and how it's setup and then ask you all a few questions. :)

We have an AWS account (1) that Amazon has set up for Fedora as a community account. This means that Amazon picks up the billing for it, and expects us to use it for Fedora related items that help us, but also help them (having up to date/close mirrors for Fedora AWS users, etc). Access to this account uses our ipsilon SAML2 idp and fas groups or specific users and tokens (for automation). We create an aws-foo group in fas (so users can be added/removed there) and users login and get an AWS 'role'. Each role (and user) has a policy set up that allows them access to the specific services they need (like ec2 and/or s3). For ec2, everyone can create and manage untagged instances, but once they tag them with their Fedora group/role only that group/role can manage those instances. For s3, permissions are per bucket name. So, a group gets a bucket and only they can manage that bucket.

The OpenShift installer expects to have * permissions. It sets up its own Roles and Users and... well, everything. I would be very afraid that it would step on our local perms and policies and mess up all the other groups using this account. You can see the perms it needs at: https://docs.openshift.com/container-platform/4.1/installing/installing_aws/installing-aws-account.html
So, I am not very much in favor of slapping an openshift cluster on top of our existing groups.

Some questions:

  • Do you need your own cluster? Or could you share with others?

  • Do you need to manage your own cluster, or if someone else managed it, it would be ok?

  • Do you need 3.x or 4.x or doesn't matter?

  • Who pointed you at us for aws resources? (I'm not mad at anyone, just want to make sure we explain what we have and how it's setup for those suggesting it's use)

Sending over the details after today's call for Testing Farm:

FAS accounts:

  • mvadkert
  • happz

Plus we need one automation user for us, feel free to use a name like fedora-ci-testing-farm.

As discussed we will start with one group, aws-fedora-ci.

@bookwar @ttomecek please add your FAS accounts and "automation user" requirements.

I also need to know what services you want to use... ec2 and eks? or any others?

@kevin testing-farm needs ec2, eks and s3 (for image import)

Sorry for the long delay here.

  • I have created the aws-fedora-ci group in fas with mvadkert as owner, please add whoever needs it.
  • I have set up policies for ec2/s3/eks for the ci role/user.
  • I have created a fedora-ci-testing-farm user. @mvadkert can you send me your gpg key and I can send you the access token.
  • Make sure when adding ec2 instances to immediately tag them with 'FedoraGroup' 'ci' so only your group can manage them.
  • I left eks permissions pretty open, but it looks like once you set things up I can restrict it to your cluster. Please let me know when that's set up so I can do so.
  • You can log in to the web interface with the saml2 link at https://docs.pagure.org/infra-docs/sysadmin-guide/sops/aws-access.html

I'll leave this open for now to make sure you have access you need and that we get you the token for the user.
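The tag-scoped EC2 / per-bucket S3 model kevin describes above, and the "tag instances with FedoraGroup ci immediately" instruction in his later comment, can be expressed as one IAM policy document. The following is an added example written for this ticket, not the policies kevin actually attached to the ci role; the action list, the ARN patterns and the bucket name are assumptions. It goes one step further than the page: instead of letting anyone manage untagged instances until they are tagged, it requires the FedoraGroup tag in the launch request itself (the `aws:RequestTag` and `ec2:CreateAction` condition keys are real), which closes the gap between creation and tagging. The `unscoped_allows` lint at the end flags exactly the kind of unconditioned `*` grant that an installer wanting "everything" would need, so a reviewer can spot it before attaching a policy to a shared account.

```python
"""Tag-scoped IAM policy for one Fedora group, plus a lint for unconditioned wildcards.

Added example for the ticket above; not the infrastructure team's real policy.
"""
import json

FEDORA_GROUP = "ci"                      # tag value from the ticket
BUCKET = "fedora-ci-testing-farm-example"  # constructed bucket name (assumption)


def group_scoped_policy(group: str, bucket: str) -> dict:
    """Build a policy where EC2 lifecycle actions work only on instances tagged
    FedoraGroup=<group>, tagging is only possible at launch, and S3 access is
    limited to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Read-only listing; EC2 Describe* calls cannot be resource-scoped.
                "Sid": "DescribeAnything",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*",
            },
            {   # Launch only when the request carries our group tag.
                "Sid": "RunTaggedInstances",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"aws:RequestTag/FedoraGroup": group}},
            },
            {   # RunInstances also touches resources that carry no instance tag.
                # Assumption: this list mirrors the usual AWS guidance and may need
                # extending (launch templates, placement groups, ...).
                "Sid": "RunInstancesSupportingResources",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": [
                    "arn:aws:ec2:*:*:volume/*",
                    "arn:aws:ec2:*::image/*",
                    "arn:aws:ec2:*:*:subnet/*",
                    "arn:aws:ec2:*:*:network-interface/*",
                    "arn:aws:ec2:*:*:security-group/*",
                    "arn:aws:ec2:*:*:key-pair/*",
                ],
            },
            {   # Tags may only be written as part of the launch itself, so a
                # group cannot re-tag (steal) another group's instance later.
                "Sid": "TagOnCreate",
                "Effect": "Allow",
                "Action": "ec2:CreateTags",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}},
            },
            {   # Lifecycle actions only on instances already tagged with our group.
                "Sid": "ManageOwnInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances", "ec2:StopInstances",
                    "ec2:RebootInstances", "ec2:TerminateInstances",
                ],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"ec2:ResourceTag/FedoraGroup": group}},
            },
            {   # S3: one bucket per group, nothing else.
                "Sid": "OwnBucket",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def unscoped_allows(policy: dict) -> list:
    """Return the Sids of Allow statements that grant a bare '*' action or
    resource without any Condition. Read-only Describe* on '*' is expected to
    show up; anything else deserves a second look before it lands in a shared account."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions or "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Constructed stand-in for the shape of an "everything" policy an installer would want.
INSTALLER_STYLE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    policy = group_scoped_policy(FEDORA_GROUP, BUCKET)
    print(json.dumps(policy, indent=2))
    print("broad statements:", unscoped_allows(policy))           # ['DescribeAnything']
    print("broad statements:", unscoped_allows(INSTALLER_STYLE))  # ['AllowAll']
```

Attaching the generated document to the group's role would be done with the AWS CLI or console as usual; the script itself only builds and lints it. The EKS permissions mentioned in the ticket are left out on purpose, since the ticket says they were to be narrowed once the cluster existed and no cluster ARN is given.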

@mvadkert do you have everything you need ? if so can we close that ticket ?

Meh, it's already been 18 days since I planned to test this, sorry for the delay also. Will test this today and report back ASAP.

@kevin @cverna unfortunately it does not work. I am getting:

Your request included an invalid SAML response. To logout, click here

when redirected to AWS after a successful login.

I recorded a video about it:

login-issue.mp4

Oops. I missed a step here. ;(

Can you try again now?

@kevin seems I am still seeing the same thing :(

/me retrying a few times

I tried an incognito browser, I see the same problem as recorded in the video ...

I am now able to log in, I was able to provision EC2 instances and I can edit the aws-fedora-ci group.

Spot instances not working is tracked here: https://pagure.io/fedora-infrastructure/issue/8407

Dedicated instances work well!

I think this ticket is done.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago
