Issues to deploy Portworx on AWS rosa using STS accounts

Hi, I’m trying to deploy Portworx on OpenShift in AWS ROSA, and I’m getting this error.

```text
Normal PortworxMonitorImagePullInPrgress 9m24s portworx Portworx image docker.io /portworx/px-essentials:2.7.0 pull and extraction in progress
Warning Unhealthy 2m15s (x76250 over 8d) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
Warning NodeStartFailure 7s (x2956 over 8d) portworx (combined from similar events): Failed to start Portworx: Authentication error: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: 1c7aaa2c-3476-403d-a27f-cc6e9bb1d304
```

I’m using an assume-role (STS) AWS account. I’ve tried running it with all px versions (2.6, 2.8 and 2.9). I’m using Portworx Essentials.

For Red Hat OpenShift on AWS (ROSA):

Modifications must be made to the storage cluster manifest when using Red Hat OpenShift on AWS to maintain compliance with the managed service agreement. It is necessary to make the following edits to the cluster spec file before applying it to create the Portworx Cluster.

  1. Change the ‘namespace’ Portworx is deployed to from the default (kube-system) to a different namespace. In this validation process, the namespace ‘portworx’ was created and used.
  2. Add an annotation to prevent the creation of Portworx related objects in the kube-system namespace. The needed annotation is marked in the example manifest below.

Before applying the manifests take the following steps in the AWS management console.

  1. Log into your AWS Console, navigate to the IAM console and attach the Portworx IAM Policy to the Worker Node IAM Role.

  2. Navigate to the VPC your ROSA Cluster is in and add two inbound rules to the worker security group. It will be named based on your cluster name and include ‘worker’ in the security group name.

  3. Add a rule allowing inbound TCP traffic on ports 17001 - 17022 from your Machine CIDR, 10.123.0.0/16 in this example.

  4. Add a rule allowing inbound UDP traffic on port 17002 from your Machine CIDR, 10.123.0.0/16 in this example.

Once these steps are completed, apply the StorageCluster configuration manifest in the OpenShift Portworx Operator Interface to create the Portworx cluster.
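As an added check that is not part of the original reply or of Portworx's own tooling, the following Python script validates the two inbound rules from steps 3 and 4 against the `IpPermissions` array that `aws ec2 describe-security-groups` returns for the worker security group. It also flags rules whose source is wider than the Machine CIDR (for example 0.0.0.0/0), since these ports only need to be reachable from cluster nodes. The sample permissions are constructed; the Machine CIDR 10.123.0.0/16 is the example value from the steps above.

```python
import ipaddress

# Inbound rules the ROSA worker security group needs for Portworx, taken from
# the steps above: TCP 17001-17022 and UDP 17002 from the Machine CIDR.
REQUIRED_RULES = [("tcp", 17001, 17022), ("udp", 17002, 17002)]


def check_worker_sg(ip_permissions, machine_cidr):
    """Check an EC2 IpPermissions list (the "IpPermissions" array from
    `aws ec2 describe-security-groups`) against REQUIRED_RULES.

    Returns (missing, too_broad):
      missing   - required rules that no entry covers from machine_cidr
      too_broad - (proto, from, to, cidr) entries that cover a required rule
                  from a source wider than machine_cidr (e.g. 0.0.0.0/0)
    """
    machine_net = ipaddress.ip_network(machine_cidr)
    missing, too_broad = [], []
    for proto, lo, hi in REQUIRED_RULES:
        covered = False
        for perm in ip_permissions:
            ip_proto = perm.get("IpProtocol")
            if ip_proto == "-1":           # "all traffic" rule, no port fields
                p_lo, p_hi = 0, 65535
            elif ip_proto == proto:
                p_lo, p_hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue
            if p_lo > lo or p_hi < hi:     # entry does not span the whole range
                continue
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                if src.version != machine_net.version or not machine_net.subnet_of(src):
                    continue
                covered = True
                if src != machine_net:     # source wider than the Machine CIDR
                    too_broad.append((proto, lo, hi, str(src)))
        if not covered:
            missing.append((proto, lo, hi))
    return missing, too_broad


# Constructed sample: the TCP rule is scoped correctly, the UDP rule was opened to the world.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 17001, "ToPort": 17022,
     "IpRanges": [{"CidrIp": "10.123.0.0/16"}]},
    {"IpProtocol": "udp", "FromPort": 17002, "ToPort": 17002,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(check_worker_sg(SAMPLE_PERMISSIONS, "10.123.0.0/16"))
```

To run it against a real cluster, feed it the `IpPermissions` array of the worker security group from the `describe-security-groups` output together with your own Machine CIDR.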

Example StorageCluster YAML for ROSA:

```yaml
kind: StorageCluster
apiVersion: core.libopenstorage.org/v1
metadata:
  name: px-cluster-01bd27e1-fa3d-4324-8df3-3d20ee3a6a7a
  namespace: portworx  # ROSA requires using a different namespace
  annotations:
    portworx.io/is-openshift: "true"
    portworx.io/portworx-proxy: "false"  # ROSA-specific: the required annotation that prevents proxies in kube-system
spec:
  image: portworx/oci-monitor:2.9.1.1
  imagePullPolicy: Always
  kvdb:
    internal: true
  cloudStorage:
    provider: aws
    deviceSpecs:
    - type=gp2,size=150
    kvdbDeviceSpec: type=gp2,size=150
  secretsProvider: k8s
  stork:
    enabled: true
    args:
      webhook-controller: "false"
  autopilot:
    enabled: true
    providers:
    - name: default
      type: prometheus
      params:
        url: http://px-prometheus:9090
  monitoring:
    telemetry:
      enabled: true
    prometheus:
      enabled: true
      exportMetrics: true
  featureGates:
    CSI: "true"
```

NOTE: This is a Portworx Enterprise deployment. You will need to add the additional info needed to use Essentials.