kameshsampath/rosa-fruits-app

Demo to show How to access native cloud service (AWS DynamoDB) from OpenShift using STS

ROSA Fruits Application

A simple REST API that uses AWS DynomoDB as its data store. The application is intended to demonstrate how to integrate the AWS Native Services from an OpenShift cluster deployed via ROSA.

Pre-Requisites

• AWS Account with permissions to:

  • Create IAM Role

  • Create IAM Policy

  • Create OIDC Provider

• AWS CLI

• OpenShift Client(oc)

• Git

• HTTPie

• jq

• Java 11

Download Project Sources

git clone https://github.com/kameshsampath/rosa-fruits-app
export DEMO_HOME="$PWD"
export AWS_REGION="us-west-2"

ROSA Cluster Setup

rosa create cluster --cluster-name="my-rosa-cluster"

The command above will create the ROSA cluster in your default AWS region, type rosa --help for more information.

AWS Preparation

DynamoDB

Connect to the AWS DynamoDB service and run the following commands to create the table:

var params = {
    TableName: 'QuarkusFruits',
    KeySchema: [{ AttributeName: 'fruitName', KeyType: 'HASH' }],
    AttributeDefinitions: [{  AttributeName: 'fruitName', AttributeType: 'S', }],
    ProvisionedThroughput: { ReadCapacityUnits: 1, WriteCapacityUnits: 1, }
};

dynamodb.createTable(params, function(err, data) {
if (err) ppJson(err);
else ppJson(data);

});

IAM

As prerequisite for this demo, it’s required to setup few AWS resources,

• IAM Policy ROSADemosPolicy which will restrict the OpenShift SA to allow only DynamoDB Operations

• IAM Role ROSADemosRole that will attached to the OpenShift SA

• IAM OpenId Connect Provider that will be used by OpenShift to authenticate the SA token

The $DEMO_HOME/setup/hack.sh will set all the aforementioned resources using Ansible, for the Ansible to setup the resources, you need to

Setup KUBECONFIG variable, this variable will be used in the Ansible Container to connect to the OpenShift Cluster.

mkdir -p "$DEMO_HOME/.kube/config"
export KUBECONFIG="$DEMO_HOME/.kube/config"

Now Login into the OpenShift ROSA cluster as a user with ClusterAdmin privileges:

oc login --token=<token> --server<your api server>

To create the AWS resources, its required to provide AWS credentials to Ansible:

• Copy $DEMO_HOME/setup/env/passwords.example to $DEMO_HOME/setup/env/passwords

• Update the $DEMO_HOME/setup/env/passwords with your AWS Access and Secret Keys.

Note	The setup/.kube and setup/env/passwords file are excluded by Git

Important

The parameters used for the Ansible playbook are set in $DEMO_HOME/setup/env/extravars file. For detailed description of the parameters, default value and its description check Ansible Role ROSA Demos

$DEMO_HOME/setup/hack.sh

Set environment variable $ROSA_DEMO_ROLE_ARN

export ROSA_DEMO_ROLE_ARN=$(aws iam get-role --role-name ROSADemosRole | jq -r '.Role.Arn')

Packaging and Deploying to OpenShift

The application uses Eclipse JKube maven plugin to build and deploy the Java Application to OpenShift.

Create the OpenShift project

oc new-project rosa-demos

Build and Deploy the application

./mvnw -Popenshift -Daws.role.arn=$ROSA_DEMO_ROLE_ARN \
  -Daws.region=$AWS_REGION clean package

Testing Application

The AWS IAM role allows accessing the application only from rosa-demos workspace and as rosa-demo-sa,

Get the Route:

export APP_URL="http://$(oc get route rosa-fruits-app -n rosa-demos -ojsonpath='{.spec.host}')"

Application UI

Open the $APP_URL in your browser. The UI will allow you to list, add and delete fruits.

[NOTE]: The List will display an error if you are not authorized to access the APP :)

Using Swagger UI

You can access the Swagger UI from "http://$APP_URL/swagger-ui" and perform the REST operations.

The following REST URI end points are available:

GET Methods

Lists all fruit e.g. http $APP_URL/api/fruit/apple $APP_URL/api/fruit/{name} - Get a fruit by its name e.g. http $APP_URL/api/fruit/apple

POST Methods

Adds a fruit, takes a JSON payload { "name": "apple", "season": "fall" } e.g. http POST $APP_URL/api/fruit name=apple season=fall

DELETE Methods

Delete a fruit by its name e.g. http DELETE $APP_URL/api/fruit/apple

Verify IAM

To make sure the IAM works, try deploying the application a different namespace, for e.g. demos

oc new-project demos
./mvnw -Daws.role.arn=$ROSA_DEMO_ROLE_ARN \
  -Daws.region=$AWS_REGION clean package

Now when you try any of the API methods above, you should get HTTP 403 as the IAM policy controls the Service Account (rosa-demo-sa) and its namespace.

Development

Start the local DynamoDB server

docker compose up -d $DEMO_HOME/docker-compose.yml

Access the local DynamoDB server using http://localhost:8000/shell, and run the following command to create the table:

var params = {
    TableName: 'QuarkusFruits',
    KeySchema: [{ AttributeName: 'fruitName', KeyType: 'HASH' }],
    AttributeDefinitions: [{  AttributeName: 'fruitName', AttributeType: 'S', }],
    ProvisionedThroughput: { ReadCapacityUnits: 1, WriteCapacityUnits: 1, }
};

dynamodb.createTable(params, function(err, data) {
    if (err) ppJson(err);
    else ppJson(data);

});

Now start Quarkus Application in dev mode

./mvnw clean compile -Daws.region='us-west-2' quarkus:dev

The UI source code is located in $DEMO_HOME/src/main/frontend, which is a React app.

Cleanup

To clean the deployments and related resources run:

./mvnw -Daws.role.arn=$ROSA_DEMO_ROLE_ARN \
  -Daws.region=$AWS_REGION oc:undeploy

To clean the AWS Resources, update the rollback variable in "$DEMO_HOME/setup/project/playbook.yml" to be True and then run:

$DEMO_HOME/setup/hack.sh

Powered by

This project uses Quarkus, the Supersonic Subatomic Java Framework. If you want to learn more about Quarkus, please visit its website: https://quarkus.io/ .