AWS RDS
A simple REST API that uses AWS RDS as its data store.
At the end of this chapter you will be able to:
- Set up AWS RDS PostgreSQL
- Use the ROSADemosRole with an OpenShift Service Account (SA)
- Deploy the FruitsApp Java application
- Check and verify that only the authorized OpenShift SA is able to perform CRUD on the PostgreSQL table fruitsapp
Pre-Requisites
Ensure that you have completed the following before running the exercises of this chapter:
- All steps in the AWS IAM chapter are completed
Setup RDS PostgreSQL
cd $TUTORIAL_HOME/rds
Ensure you are on the right OpenShift project, rosa-demos:
oc project -q
Build Service UI
Do this only if you have not already built the UI or have made changes to it.
All the demos demonstrate integration with a simple Fruits REST API; to play with the API, the demos provide a ReactJS UI.
The following section details how to build the UI so that it is available to the other demo applications as part of their respective packaging.
Navigate to tutorial home folder
cd $TUTORIAL_HOME
Run maven commands to build and install UI artifacts to local repo:
./mvnw -N install                  (1)
./mvnw -Pbuild-ui clean install    (2)
(1) Install the parent project to the local maven repo
(2) Install the UI to the local maven repo; it is used by the Quarkus and Spring Boot project packaging
Build Service
The Fruits API Java application can be deployed as Quarkus or Spring Boot. The following section details how to deploy them.
Set Environment
Let's ensure that all the required environment variables are set up correctly:
export AWS_REGION='<your aws_region value>'    (1)
export ROSA_DEMO_ROLE_ARN=$(aws iam get-role --role-name ROSADemosRole --output json | jq -r '.Role.Arn')    (2)
export RDS_HOST=$(aws rds describe-db-instances --output json | jq -r '.DBInstances[0].Endpoint.Address')    (3)
export RDS_PORT=$(aws rds describe-db-instances --output json | jq -r '.DBInstances[0].Endpoint.Port')    (4)
export RDS_DATABASE="fruitsdb"    (5)
(1) The AWS region to use
(2) The ARN of the ROSADemosRole IAM role (the role name must follow --role-name)
(3) The RDS PostgreSQL endpoint address; this takes the first instance returned, so use --db-instance-identifier if the account has more than one
(4) The RDS PostgreSQL port
(5) The RDS database, which is fruitsdb
Quarkus variant:
./mvnw --projects=quarkus -Popenshift \
-Daws.region=$AWS_REGION \
-Daws.role.arn=$ROSA_DEMO_ROLE_ARN \
-Drds.host=$RDS_HOST \
-Drds.port=$RDS_PORT \
-Drds.db=$RDS_DATABASE \
clean package
Spring Boot variant:
./mvnw --projects=springboot -Popenshift \
-Daws.region=$AWS_REGION \
-Daws.role.arn=$ROSA_DEMO_ROLE_ARN \
-Drds.host=$RDS_HOST \
-Drds.port=$RDS_PORT \
-Drds.db=$RDS_DATABASE \
clean package
Check Application Deployments
Once the maven build completes successfully you can check the status of the application deployment:
oc get deploy -n rosa-demos
Depending on which variant of the application you deployed (Quarkus or Spring Boot), you should see output similar to the following. Assuming the Quarkus variant was deployed:
NAME READY UP-TO-DATE AVAILABLE AGE
db-adminer 1/1 1 1 19h
pgsql-client 1/1 1 1 14h
rosa-fruits-app-quarkus 1/1 1 1 4h48m
You can also verify the same via the ROSA OpenShift Web Console by navigating to
The AWS IAM role allows accessing the application only from the rosa-demos namespace and only as the rosa-demo-sa service account.
Get the Route:
export APP_URL="http://$(oc get route rosa-fruits-app -n rosa-demos -ojsonpath='{.spec.host}')"
Application UI
Open $APP_URL in your browser. The UI will allow you to list, add and delete fruits.
The List will display an error if you are not authorized to access the app :)
Using Swagger UI
You can access the Swagger UI from $APP_URL/swagger-ui (APP_URL already carries the http:// scheme) and perform the REST operations.
The following REST URI end points are available:
Verify Access
To make sure the IAM restriction works, try deploying the application in a different namespace, for example demos:
oc new-project demos
Now do the Quarkus or Spring Boot deployment in the demos namespace.
Check the logs of rosa-fruits-app-[quarkus|springboot] using stern. Assuming the rosa-fruits-app-quarkus variant was deployed:
stern rosa-fruits-app
You should notice errors in the log similar to:
...
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Not authorized to perform sts:AssumeRoleWithWebIdentity (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 8b16ef26-5bf7-4c45-9ec5-75e92470e486; Proxy: null)
...
As the OpenShift SA from the demos namespace does not have authorization, the Pod Identity Webhook has not injected the AWS_ROLE_ARN environment variable into the pod, resulting in the error above.
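As an added example (not part of this tutorial), the script below shows the identity check behind that 403: it decodes the projected service-account token a pod presents to STS and compares its sub claim with the identity the ROSADemosRole is described as trusting, namespace rosa-demos and service account rosa-demo-sa. The sample tokens, the issuer URL and the assumption that the role's trust policy keys on the token subject are constructed here; the mount path is the one the Pod Identity Webhook uses.

```bash
#!/usr/bin/env bash
# Added example, not part of the tutorial: decode the projected service-account
# token a pod hands to STS and check its "sub" claim against the identity the
# ROSADemosRole is described as trusting (namespace rosa-demos, SA rosa-demo-sa).
# Assumption: the role's trust policy matches on the token subject.
set -eu

EXPECTED_SUB="system:serviceaccount:rosa-demos:rosa-demo-sa"

# base64url-decode one JWT segment, restoring the padding the encoder strips.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d
}

# Print the "sub" claim of a JWT (header.payload.signature). The signature is
# deliberately not checked here; STS verifies it against the cluster OIDC issuer.
jwt_sub() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
    | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Return 0 when the token subject is the trusted identity, 1 otherwise.
check_identity() {
  local sub
  sub=$(jwt_sub "$1")
  if [ "$sub" = "$EXPECTED_SUB" ]; then
    echo "ALLOWED sub=$sub"; return 0
  fi
  echo "DENIED  sub=$sub (trust policy expects $EXPECTED_SUB)"; return 1
}

# Constructed, unsigned stand-in for the token the webhook mounts in the pod at
# /var/run/secrets/eks.amazonaws.com/serviceaccount/token (issuer is a placeholder).
make_token() {  # make_token <namespace> <serviceaccount>
  local hdr pl
  hdr=$(printf '{"alg":"RS256","kid":"demo"}' | base64 | tr '+/' '-_' | tr -d '=\n')
  pl=$(printf '{"iss":"https://oidc.example.invalid/rosa","aud":["sts.amazonaws.com"],"sub":"system:serviceaccount:%s:%s"}' "$1" "$2" \
        | base64 | tr '+/' '-_' | tr -d '=\n')
  printf '%s.%s.%s' "$hdr" "$pl" "c2lnbmF0dXJl"
}

if [ "${1:-}" = "--demo" ]; then
  check_identity "$(make_token rosa-demos rosa-demo-sa)"        # the tutorial's deployment
  check_identity "$(make_token demos rosa-demo-sa)" || true     # the demos namespace test
fi
```

Run it with `--demo` to see both outcomes; against a live pod, feed `jwt_sub` the contents of the mounted token file instead of `make_token`.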