Skip to content

Commit 1d04320

Browse files
jeana-redhatjeana-redhat
committed
OSDOCS-10416: Support cluster migration to Entra Workload ID
1 parent 93df3df commit 1d04320

File tree

4 files changed

+365
-26
lines changed

4 files changed

+365
-26
lines changed

modules/cco-ccoctl-configuring.adoc

Lines changed: 37 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,14 @@
11
// Module included in the following assemblies:
22
//
3+
//Postinstall and update content
4+
// * post_installation_configuration/cluster-tasks.adoc
5+
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
6+
//
37
//Platforms that must use `ccoctl` and update content
48
// * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
59
// * installing/installing_ibm_powervs/preparing-to-install-on-ibm-power-vs.doc
610
// * installing/installing_alibaba/manually-creating-alibaba-ram.adoc
711
// * installing/installing_nutanix/preparing-to-install-on-nutanix.adoc
8-
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
912
//
1013
// AWS assemblies:
1114
// * installing/installing_aws/installing-aws-customizations.adoc
@@ -34,7 +37,15 @@
3437
// * installing/installing_azure/installing-azure-vnet.adoc
3538
// * installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc
3639

37-
//Platforms that must use `ccoctl` and update content
40+
//Postinstall and update content
41+
ifeval::["{context}" == "post-install-cluster-tasks"]
42+
:postinstall:
43+
endif::[]
44+
ifeval::["{context}" == "preparing-manual-creds-update"]
45+
:update:
46+
endif::[]
47+
48+
//Platforms that must use `ccoctl`
3849
ifeval::["{context}" == "configuring-iam-ibm-cloud"]
3950
:ibm-cloud:
4051
endif::[]
@@ -44,9 +55,6 @@ endif::[]
4455
ifeval::["{context}" == "preparing-to-install-on-nutanix"]
4556
:nutanix:
4657
endif::[]
47-
ifeval::["{context}" == "preparing-manual-creds-update"]
48-
:update:
49-
endif::[]
5058
ifeval::["{context}" == "preparing-to-install-on-ibm-power-vs"]
5159
:ibm-power-vs:
5260
endif::[]
@@ -138,10 +146,15 @@ ifdef::ibm-power-vs[]
138146
The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). To install a cluster on {ibm-power-server-name}, you must set the CCO to `manual` mode as part of the installation process.
139147
endif::ibm-power-vs[]
140148

141-
//Alibaba Cloud uses ccoctl, but creates different kinds of resources than other clouds, so this applies to everyone else. The upgrade procs also have a different intro, so they are excluded here.
142-
ifndef::alibabacloud,update[]
149+
//Alibaba Cloud uses ccoctl, but creates different kinds of resources than other clouds, so this applies to everyone else. The upgrade and postinstall procs also have a different intro, so they are excluded here.
150+
ifndef::alibabacloud,update,postinstall[]
143151
To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (`ccoctl`) binary.
144-
endif::alibabacloud,update[]
152+
endif::alibabacloud,update,postinstall[]
153+
154+
//Intro for the postinstall procs.
155+
ifdef::postinstall[]
156+
To configure an existing cluster to create and manage cloud credentials from outside of the cluster, extract and prepare the Cloud Credential Operator utility (`ccoctl`) binary.
157+
endif::postinstall[]
145158

146159
//Intro for the upgrade procs.
147160
ifdef::update[]
@@ -317,14 +330,19 @@ endif::google-cloud-platform[]
317330
318331
.Procedure
319332

320-
ifndef::update[]
321-
. Obtain the {product-title} release image by running the following command:
333+
. Set a variable for the {product-title} release image by running the following command:
322334
+
323335
[source,terminal]
336+
ifndef::update,postinstall[]
324337
----
325338
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
326339
----
327-
endif::update[]
340+
endif::update,postinstall[]
341+
ifdef::update,postinstall[]
342+
----
343+
$ RELEASE_IMAGE=$(oc get clusterversion -o jsonpath={..desired.image})
344+
----
345+
endif::update,postinstall[]
328346

329347
. Obtain the CCO container image from the {product-title} release image by running the following command:
330348
+
@@ -384,6 +402,14 @@ Flags:
384402
Use "ccoctl [command] --help" for more information about a command.
385403
----
386404

405+
//Postinstall and update content
406+
ifeval::["{context}" == "post-install-cluster-tasks"]
407+
:!postinstall:
408+
endif::[]
409+
ifeval::["{context}" == "preparing-manual-creds-update"]
410+
:!update:
411+
endif::[]
412+
387413
//Platforms that must use `ccoctl` and update content
388414
ifeval::["{context}" == "configuring-iam-ibm-cloud"]
389415
:!ibm-cloud:
@@ -394,9 +420,6 @@ endif::[]
394420
ifeval::["{context}" == "preparing-to-install-on-nutanix"]
395421
:!nutanix:
396422
endif::[]
397-
ifeval::["{context}" == "preparing-manual-creds-update"]
398-
:!update:
399-
endif::[]
400423
ifeval::["{context}" == "preparing-to-install-on-ibm-power-vs"]
401424
:!ibm-power-vs:
402425
endif::[]

modules/cco-ccoctl-install-verifying.adoc

Lines changed: 57 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,29 +1,46 @@
11
// Module included in the following assemblies:
22
//
33
// * installing/validating-an-installation.adoc
4+
// * post_installation_configuration/cluster-tasks.adoc
45

56
:_mod-docs-content-type: PROCEDURE
67
[id="cco-ccoctl-install-verifying_{context}"]
7-
= Clusters that use short-term credentials: Verifying the credentials configuration
8+
= Verifying that a cluster uses short-term credentials
89

9-
You can verify that your cluster is using short-term security credentials for individual components.
10+
You can verify that a cluster uses short-term security credentials for individual components by checking the Cloud Credential Operator (CCO) configuration and other values in the cluster.
1011

1112
.Prerequisites
1213

1314
* You deployed an {product-title} cluster using the Cloud Credential Operator utility (`ccoctl`) to implement short-term credentials.
1415
1516
* You installed the {oc-first}.
1617
18+
* You are logged in as a user with `cluster-admin` privileges.
1719
1820
.Procedure
1921

20-
. Log in as a user with `cluster-admin` privileges.
22+
* Verify that the CCO is configured to operate in manual mode by running the following command:
23+
+
24+
[source,terminal]
25+
----
26+
$ oc get cloudcredentials cluster \
27+
-o=jsonpath={.spec.credentialsMode}
28+
----
29+
+
30+
The following output confirms that the CCO is operating in manual mode:
31+
+
32+
.Example output
33+
[source,text]
34+
----
35+
Manual
36+
----
2137
22-
. Verify that the cluster does not have `root` credentials by running the following command:
38+
* Verify that the cluster does not have `root` credentials by running the following command:
2339
+
2440
[source,terminal]
2541
----
26-
$ oc get secrets -n kube-system <secret_name>
42+
$ oc get secrets \
43+
-n kube-system <secret_name>
2744
----
2845
+
2946
where `<secret_name>` is the name of the root secret for your cloud provider.
@@ -33,26 +50,26 @@ where `<secret_name>` is the name of the root secret for your cloud provider.
3350
|Platform
3451
|Secret name
3552
36-
|AWS
53+
|{aws-first}
3754
|`aws-creds`
3855

39-
|Azure
56+
|{azure-first}
4057
|`azure-credentials`
4158

42-
|GCP
59+
|{gcp-first}
4360
|`gcp-credentials`
4461

4562
|===
4663
+
47-
An error confirms that the root secret is not present on the cluster. The following example shows the expected output from an AWS cluster:
64+
An error confirms that the root secret is not present on the cluster.
4865
+
49-
.Example output
66+
.Example output for an {aws-short} cluster
5067
[source,text]
5168
----
5269
Error from server (NotFound): secrets "aws-creds" not found
5370
----
5471

55-
. Verify that the components are using short-term security credentials for individual components by running the following command:
72+
* Verify that the components are using short-term security credentials for individual components by running the following command:
5673
+
5774
[source,terminal]
5875
----
@@ -61,4 +78,32 @@ $ oc get authentication cluster \
6178
--template='{ .spec.serviceAccountIssuer }'
6279
----
6380
+
64-
This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object. An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
81+
This command displays the value of the `.spec.serviceAccountIssuer` parameter in the cluster `Authentication` object.
82+
An output of a URL that is associated with your cloud provider indicates that the cluster is using manual mode with short-term credentials that are created and managed from outside of the cluster.
83+
84+
* {azure-short} clusters: Verify that the components are assuming the {azure-short} client ID that is specified in the secret manifests by running the following command:
85+
+
86+
[source,terminal]
87+
----
88+
$ oc get secrets \
89+
-n openshift-image-registry installer-cloud-credentials \
90+
-o jsonpath='{.data}'
91+
----
92+
+
93+
An output that contains the `azure_client_id` and `azure_federated_token_file` felids confirms that the components are assuming the {azure-short} client ID.
94+
95+
* {azure-short} clusters: Verify that the pod identity webhook is running by running the following command:
96+
+
97+
[source,terminal]
98+
----
99+
$ oc get pods \
100+
-n openshift-cloud-credential-operator
101+
----
102+
+
103+
.Example output
104+
[source,text]
105+
----
106+
NAME READY STATUS RESTARTS AGE
107+
cloud-credential-operator-59cf744f78-r8pbq 2/2 Running 2 71m
108+
pod-identity-webhook-548f977b4c-859lz 1/1 Running 1 70m
109+
----

0 commit comments

Comments
 (0)