Merge pull request #52392 from xenolinux/sts-cluster

opayne1 · web-flow · commit 0f6d86fbb75d · 2022-11-23T11:34:46.000-05:00
CFE-652: Installing ALBO on STS cluster
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1076,6 +1076,8 @@ Topics:
     File: understanding-aws-load-balancer-operator
   - Name: Installing the AWS Load Balancer Operator
     File: install-aws-load-balancer-operator
+  - Name: Installing the AWS Load Balancer Operator on Secure Token Service cluster
+    File: installing-albo-sts-cluster  
   - Name: Creating an instance of the AWS Load Balancer Controller
     File: create-instance-aws-load-balancer-controller
   - Name: Serving Multiple Ingresses through a single AWS Load Balancer
diff --git a/modules/bootstrap-aws-load-balancer-operator.adoc b/modules/bootstrap-aws-load-balancer-operator.adoc
@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+// * networking/installing-albo-sts-cluster.adoc
+
+:_content-type: PROCEDURE
+[id="nw-bootstra-albo-on-sts-cluster_{context}"]
+= Bootstrapping AWS Load Balancer Operator on Secure Token Service cluster
+
+.Prerequisites
+
+* You must extract and prepare the `coctl` binary.
+
+.Procedure
+
+. Download the `CredentialsRequest` custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command:
++
+[source,terminal]
+----
+$ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
+----
+
+. Use the `ccoctl` tool to process `CredentialsRequest` objects of the AWS Load Balancer Operator, by running the following command:
++
+[source,terminal]
+----
+$ ccoctl aws create-iam-roles \
+    --name <name> --region=<aws_region> \
+    --credentials-requests-dir=<path-to-credrequests-dir> \
+    --identity-provider-arn <oidc-arn>
+----
+
+. Apply the secrets generated in the manifests directory of your cluster by running the following command:
++
+[source,terminal]
+----
+$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
+----
+
+. Verify that the credentials secret of the AWS Load Balancer Operator is created by running the following command:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator get secret aws-load-balancer-operator --template='{{index .data "credentials"}}' | base64 -d
+----
++
+.Example output
+[source,terminal]
+----
+[default]
+sts_regional_endpoints = regional
+role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-operator
+web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
+----
diff --git a/modules/configuring-albo-on-sts-cluster.adoc b/modules/configuring-albo-on-sts-cluster.adoc
@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+// * networking/installing-albo-sts-cluster.adoc
+
+:_content-type: PROCEDURE
+[id="nw-installing-albo-on-sts-cluster_{context}"]
+= Configuring AWS Load Balancer Operator on Secure Token Service cluster
+
+.Prerequisites
+
+* You must extract and prepare the `coctl` binary.
+
+.Procedure
+
+. The AWS Load Balancer Operator creates the `CredentialsRequest` object in the `openshift-cloud-credential-operator` namespace for each `AWSLoadBalancerController` custom resource (CR). You can extract and save the created `CredentialsRequest` object in a directory by running the following command:
++
+[source,terminal]
+----
+$ oc get credentialsrequest -n openshift-cloud-credential-operator  \
+    aws-load-balancer-controller-<cr-name> -o yaml > <path-to-credrequests-dir>/cr.yaml <1>
+----
+<1> The `aws-load-balancer-controller-<cr-name>` parameter specifies the credential request name created by the AWS Load Balancer Operator. The `cr-name` specifies the name of the AWS Load Balancer Controller instance.
+
+. Use the `ccoctl` tool to process all `CredentialsRequest` objects in the `credrequests` directory by running the following command:
++
+[source,terminal]
+----
+$ ccoctl aws create-iam-roles \
+    --name <name> --region=<aws_region> \
+    --credentials-requests-dir=<path-to-credrequests-dir> \
+    --identity-provider-arn <oidc-arn>
+----
+
+. Apply the secrets generated in manifests directory to your cluster, by running the following command:
++
+[source,terminal]
+----
+$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
+----
+
+. Verify that the `aws-load-balancer-controller` pod is created:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator get pods
+NAME                                                            READY   STATUS    RESTARTS   AGE
+aws-load-balancer-controller-cluster-9b766d6-gg82c              1/1     Running   0          137m
+aws-load-balancer-operator-controller-manager-b55ff68cc-85jzg   2/2     Running   0          3h26m
+----
diff --git a/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc b/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc
@@ -0,0 +1,19 @@
+:_content-type: ASSEMBLY
+[id="albo-sts-cluster"]
+= Installing AWS Load Balancer Operator on Secure Token Service cluster
+include::_attributes/common-attributes.adoc[]
+:context: albo-sts-cluster
+
+toc::[]
+
+You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster.
+
+The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. 
+
+include::modules/bootstrap-aws-load-balancer-operator.adoc[leveloffset=+1]
+
+include::modules/configuring-albo-on-sts-cluster.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+* xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#cco-ccoctl-configuring_cco-mode-sts[Configuring the Cloud Credential Operator utility]
