Bug
Resolution: Done
Critical
OADP 1.2.1
Incidents & Support
ToDo
Important
Very Likely
Customer Escalated, Customer Facing
Description of problem:
I'm trying to configure RHACM DR in a ROSA STS environment, backup using OADP from a primary hub cluster and restore on a passive hub cluster. The documentation provides guidance on configuring AWS resources (POLICY_ARN, ROLE_ARN) for backup, but doesn't specify how to adjust for restoring on a different cluster. I did it easily on a non-STS pair of ROSA clusters using a shared IAM user and S3 bucket, but I'm not sure how to configure the POLICY_ARN, ROLE_ARN, and credentials secret on the passive hub with STS, since the ROLE_ARN contains AWS_ACCOUNT_ID, ROSA_CLUSTER_ID, and OIDC_ENDPOINT unique to the cluster, yet need to refer to the S3 cloud storage location used during the backup.
Wes's comments:
https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
It appears that AWS IAM roles and policies can be tagged w/ multiple servers, but I'm not 100% sure because we've never tried it. Both clusters would have to be created w/ the same AWS account.
Required prior to test:
AWS IAM policy and role setup to tag multiple clusters with the same policies and roles. <this is currently under investigation>
Required now:
Our testing currently covers backing up one cluster and restoring to another cluster. The same workflow applies to ROSA STS clusters; however, in this case both clusters need to have the same AWS IAM Role / Policy ARN.
TODO: Add QE test cases for ROSA STS backup from cluster A, restore backup to cluster B
* assume the closed loop case is enough for QE
TODO: Ensure the documentation is updated to speak to the AWS IAM requirements on both clusters. Then proceed to our current doc on the procedure.
* assume this ticket can now be used for documentation
Consultants notes are here: https://docs.google.com/document/d/1MTg1jjb78V_jc-nQLox5T6KA5SJoTZoT_EUlPrGSRVs/edit?usp=sharing
Thank you, rhn-support-rkant!