How to test S3 API Compatible buckets used by Lokistack in RHOCP 4
Create the AWS pod
The easiest way to test Loki's permissions is to create a pod within the OpenShift cluster that can run AWS CLI commands.
- Take the credentials used by Loki to interact with the Object Bucket by running the following commands:
SECRET_NAME=$(oc get lokistack <LOKISTACK_NAME> -o jsonpath='{.spec.storage.secret.name}')
ACCESS_KEY=$(oc get secret $SECRET_NAME -o jsonpath='{.data.access_key_id}' | base64 -d)
ACCESS_KEY_SECRET=$(oc get secret $SECRET_NAME -o jsonpath='{.data.access_key_secret}' | base64 -d)
BUCKET_NAME=$(oc get secret $SECRET_NAME -o jsonpath='{.data.bucketnames}' | base64 -d)
BUCKET_REGION=$(oc get secret $SECRET_NAME -o jsonpath='{.data.region}' | base64 -d)
- Create a credential file with the information retrieved:
$ cat > /path/to/your/aws/credentials <<EOL
[default]
aws_access_key_id = $ACCESS_KEY
aws_secret_access_key = $ACCESS_KEY_SECRET
region = $BUCKET_REGION
[bucket-loki]
bucket_name = $BUCKET_NAME
bucket_region = $BUCKET_REGION
EOL
- Create the configmap containing the AWS credentials for the bucket:
$ oc create configmap aws-credentials --from-file=credentials=/path/to/your/aws/credentials
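This creates a ConfigMap containing the credential file, ready to be mounted in the AWS pod. A ConfigMap is not intended for confidential data and is readable by any user who can view ConfigMaps in the namespace, so delete it once the test is complete.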
- To create the AWS pod, create the following manifest and apply it:
apiVersion: v1
kind: Pod
metadata:
  name: awscli-pod
spec:
  containers:
  - name: awscli
    image: amazon/aws-cli
    command: ["sleep", "3600"]
    volumeMounts:
    - name: aws-credentials-volume
      mountPath: /root/.aws/
  volumes:
  - name: aws-credentials-volume
    configMap:
      name: aws-credentials
Then, apply the file by running:
$ oc apply -f <FILE_NAME>
Add proxy environment variables (only if a proxy is in use)
In case your cluster is using a proxy, the corresponding environment variables should be set in the pod itself.
- To get the values of the proxy variables, run the following commands:
HTTP_PROXY=$(oc get proxy cluster -o jsonpath='{.spec.httpProxy}')
HTTPS_PROXY=$(oc get proxy cluster -o jsonpath='{.spec.httpsProxy}')
- Set these variables directly in the pod's env:
$ cat > ~/aws-cli.yaml <<EOL
apiVersion: v1
kind: Pod
metadata:
  name: awscli-pod
spec:
  containers:
  - name: awscli
    image: amazon/aws-cli
    command: ["sleep", "3600"]
    volumeMounts:
    - name: aws-credentials-volume
      mountPath: /root/.aws/
    env:
    - name: HTTP_PROXY
      value: $HTTP_PROXY
    - name: HTTPS_PROXY
      value: $HTTPS_PROXY
  volumes:
  - name: aws-credentials-volume
    configMap:
      name: aws-credentials
EOL
More information about how the AWS CLI uses a proxy is available in the AWS CLI documentation at docs.aws.amazon.com.
Connect to the Bucket via AWS CLI and test list, read and write operations
Once the pod is up and running, it can be used to run AWS commands against the Object bucket.
To do so, run:
$ oc exec awscli-pod -it -- sh
### Once connected into the pod, the available commands to test the permissions are:
## List
$ aws s3 ls s3://your-s3-bucket-name --profile bucket-loki
## Create
$ echo "This is a test file" > test-file.txt
$ aws s3 cp test-file.txt s3://your-s3-bucket-name/
## Get Object
$ aws s3 cp s3://your-s3-bucket-name/test-file.txt ./downloaded-file.txt
## Delete Object
$ aws s3 rm s3://your-s3-bucket-name/test-file.txt
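The four checks above can also be run in one pass that reports each permission separately and cleans up its own test object. The following script is an added example, not part of the original article; the function names, the probe object name and the optional endpoint argument are assumptions of this example, and it uses the [default] profile from the mounted credentials file.

```shell
#!/bin/sh
# Added example (not from the original article): probe list, write, read and
# delete on one bucket and print one result line per operation.
# Inside the pod: check_bucket_permissions your-s3-bucket-name [endpoint-url]
# Assumptions: credentials come from the [default] profile; the function names,
# probe object name and optional endpoint argument are choices of this example.

# Run "aws s3 ...", passing --endpoint-url only when an endpoint was supplied.
s3cmd() {
    if [ -n "$endpoint" ]; then
        aws --endpoint-url "$endpoint" s3 "$@"
    else
        aws s3 "$@"
    fi
}

# probe <label> <command...>: run quietly, print the outcome, record failures.
probe() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "$label: OK"
    else
        echo "$label: FAILED"; failed=1; return 1
    fi
}

# The body runs in a subshell so its variables do not leak into the caller.
check_bucket_permissions() (
    bucket=$1; endpoint=${2:-}; failed=0
    key="permission-probe-$$-$(date +%s).txt"   # unique probe name, avoids existing objects
    tmp=$(mktemp -d) || exit 2
    echo "This is a test file" > "$tmp/up.txt"

    probe list s3cmd ls "s3://$bucket" || true
    if probe write s3cmd cp "$tmp/up.txt" "s3://$bucket/$key"; then
        if probe read s3cmd cp "s3://$bucket/$key" "$tmp/down.txt"; then
            # A successful download must return exactly what was uploaded.
            [ "$(cat "$tmp/down.txt")" = "$(cat "$tmp/up.txt")" ] ||
                { echo "read: CONTENT MISMATCH"; failed=1; }
        fi
        probe delete s3cmd rm "s3://$bucket/$key" || true
    else
        echo "read: SKIPPED (no probe object)"
        echo "delete: SKIPPED (no probe object)"
    fi
    rm -rf "$tmp"
    exit "$failed"
)
```

A non-zero exit status means at least one operation failed; SKIPPED means the operation could not be exercised because the write did not succeed.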