|
| 1 | +# Using IAM roles in management cluster instead of AWS credentials |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +Sometimes users might want to use IAM roles to deploy management clusters. If the user already has a management cluster which was created using the AWS credentials, CAPA provides a way to use IAM roles instead of using these credentials. |
| 6 | + |
| 7 | +## Pre-requisites |
| 8 | +User has a bootstrap cluster created with AWS credentials. These credentials can be temporary as well. |
| 9 | +To create temporary credentials, please follow [this doc](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html). |
| 10 | + |
| 11 | +We can verify whether this bootstrap cluster is using AWS credentials by checking the `capa-manager-bootstrap-credentials` secret created in `capa-system` namespace: |
| 12 | +```bash |
| 13 | +kubectl get secret -n capa-system capa-manager-bootstrap-credentials -o=jsonpath='{.data.credentials}' | { base64 -d 2>/dev/null || base64 -D; } |
| 14 | +``` |
| 15 | +which will give output similar to below: |
| 16 | +```bash |
| 17 | +[default] |
| 18 | +aws_access_key_id = <your-access-key> |
| 19 | +aws_secret_access_key = <your-secret-access-key> |
| 20 | +region = us-east-1 |
| 21 | + |
| 22 | +aws_session_token = <session-token> |
| 23 | +``` |
| 24 | + |
| 25 | +## Goal |
| 26 | +Create a management cluster which uses instance profiles (IAM roles) attached to EC2 instance. |
| 27 | + |
| 28 | +## Steps for CAPA-managed clusters |
| 29 | +1. Create a workload cluster on existing bootstrap cluster. Refer [quick start guide](https://cluster-api.sigs.k8s.io/user/quick-start.html) for more details. |
| 30 | + Since only control-plane nodes have the required IAM roles attached, CAPA deployment should have the necessary tolerations for master (control-plane) node and node selector for master. |
| 31 | +> **Note:** A cluster with a single control plane node won’t be sufficient here due to the `NoSchedule` taint. |
| 32 | +
|
| 33 | +3. Get the kubeconfig for the new target management cluster(created in previous step) once it is up and running. |
| 34 | +4. Zero the credentials CAPA controller started with, such that target management cluster uses empty credentials and not the previous credentials used to create bootstrap cluster using: |
| 35 | +```bash |
| 36 | +clusterawsadm controller zero-credentials --namespace=capa-system |
| 37 | +``` |
| 38 | +For more details, please refer [zero-credentials doc](https://cluster-api-aws.sigs.k8s.io/clusterawsadm/clusterawsadm_controller_zero-credentials.html). |
| 39 | +5. Rollout and restart on capa-controller-manager deployment using: |
| 40 | +```bash |
| 41 | +clusterawsadm controller rollout-controller --kubeconfig=kubeconfig --namespace=capa-system |
| 42 | +``` |
| 43 | +For more details, please refer [rollout-controller doc](https://cluster-api-aws.sigs.k8s.io/clusterawsadm/clusterawsadm_controller_rollout-controller.html). |
| 44 | +6. Use `clusterctl init` with the new cluster’s kubeconfig to install the provider components. For more details on preparing for init, please refer [clusterctl init doc](https://cluster-api.sigs.k8s.io/clusterctl/commands/init.html). |
| 45 | +7. Use `clusterctl move` to move the Cluster API resources from the bootstrap cluster to the target management cluster. For more details on preparing for move, please refer [clusterctl move doc](https://cluster-api.sigs.k8s.io/clusterctl/commands/move.html). |
| 46 | +8. Once the resources are moved to target management cluster successfully, `capa-manager-bootstrap-credentials` will be created as nil, and hence CAPA controllers will fall back to use the attached instance profiles. |
| 47 | +9. Delete the bootstrap cluster with the AWS credentials. |
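Review bot: the step list skips from 1 to 3 (diff lines 29 and 33), so either a step is missing between creating the workload cluster and fetching its kubeconfig or the list should be renumbered; since line 30 already describes the tolerations and node selector the CAPA deployment needs on the control-plane nodes, that text could become an explicit step 2. Steps 4 and 5 should also state which cluster each command is run against: `clusterawsadm controller zero-credentials --namespace=capa-system` carries no `--kubeconfig`, while `clusterawsadm controller rollout-controller --kubeconfig=kubeconfig --namespace=capa-system` does, and the placeholder `kubeconfig` should be identified as either the bootstrap cluster's or the target cluster's file. Step 9 deletes the bootstrap cluster, but since the pre-requisites section shows the access key and secret are recoverable from the `capa-manager-bootstrap-credentials` secret, the doc should add that those credentials (temporary or long-lived) should be revoked or left to expire once the move has completed.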