Skip to content

Commit 6b19bd4

Browse files
xenolinuxxenolinux
committed
Adds the procedure to create AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials
1 parent 38810bd commit 6b19bd4

File tree

4 files changed

+79
-4
lines changed

4 files changed

+79
-4
lines changed

modules/bootstrap-aws-load-balancer-operator.adoc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77

88
.Prerequisites
99

10-
* You must extract and prepare the `coctl` binary.
10+
* You must extract and prepare the `ccoctl` binary.
1111
1212
.Procedure
1313

modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
// Module included in the following assemblies:
2+
// * networking/installing-albo-sts-cluster.adoc
3+
4+
:_content-type: PROCEDURE
5+
[id="nw-installing-albo-on-sts-cluster-predefined-credentials_{context}"]
6+
= Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using specific credentials
7+
8+
You can specify the credential secret by using the `spec.credentials` field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined `CredentialsRequest` object of the controller to know which roles are required.
9+
10+
.Prerequisites
11+
12+
* You must extract and prepare the `ccoctl` binary.
13+
14+
.Procedure
15+
16+
. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command:
17+
+
18+
[source,terminal]
19+
----
20+
$ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
21+
----
22+
23+
. Use the `ccoctl` tool to process the `CredentialsRequest` object of the controller:
24+
+
25+
[source,terminal]
26+
----
27+
$ ccoctl aws create-iam-roles \
28+
--name <name> --region=<aws_region> \
29+
--credentials-requests-dir=<path-to-credrequests-dir> \
30+
--identity-provider-arn <oidc-arn>
31+
----
32+
33+
. Apply the secrets to your cluster:
34+
+
35+
[source,terminal]
36+
----
37+
$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
38+
----
39+
40+
. Verify the credentials secret has been created for use by the controller:
41+
+
42+
[source,terminal]
43+
----
44+
$ oc -n aws-load-balancer-operator get secret aws-load-balancer-controller-manual-cluster --template='{{index .data "credentials"}}' | base64 -d
45+
----
46+
+
47+
.Example output
48+
----
49+
[default]
50+
sts_regional_endpoints = regional
51+
role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller
52+
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
53+
----
54+
55+
. Create the `AWSLoadBalancerController` resource YAML file, for example, `sample-aws-lb-manual-creds.yaml`, as follows:
56+
+
57+
[source,yaml]
58+
----
59+
apiVersion: networking.olm.openshift.io/v1alpha1
60+
kind: AWSLoadBalancerController <1>
61+
metadata:
62+
name: cluster <2>
63+
spec:
64+
credentials:
65+
name: <secret-name> <3>
66+
----
67+
<1> Defines the `AWSLoadBalancerController` resource.
68+
<2> Defines the AWS Load Balancer Controller instance name. This instance name gets added as a suffix to all related resources.
69+
<3> Specifies the secret name containing AWS credentials that the controller uses.
70+
71+

modules/configuring-albo-on-sts-cluster.adoc

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,11 +3,11 @@
33

44
:_content-type: PROCEDURE
55
[id="nw-installing-albo-on-sts-cluster_{context}"]
6-
= Configuring AWS Load Balancer Operator on Secure Token Service cluster
6+
= Configuring AWS Load Balancer Operator on Secure Token Service cluster by using managed `CredentialsRequest` objects
77

88
.Prerequisites
99

10-
* You must extract and prepare the `coctl` binary.
10+
* You must extract and prepare the `ccoctl` binary.
1111
1212
.Procedure
1313

networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,12 +8,16 @@ toc::[]
88

99
You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster.
1010

11-
The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary.
11+
The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary.
12+
13+
If you do not want to provision credential secret by using the Cloud Credential Operator, you can configure the `AWSLoadBalancerController` instance on the STS cluster by specifying the credential secret in the AWS load Balancer Controller custom resource (CR).
1214

1315
include::modules/bootstrap-aws-load-balancer-operator.adoc[leveloffset=+1]
1416

1517
include::modules/configuring-albo-on-sts-cluster.adoc[leveloffset=+1]
1618

19+
include::modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc[leveloffset=+1]
20+
1721
[role="_additional-resources"]
1822
== Additional resources
1923
* xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#cco-ccoctl-configuring_cco-mode-sts[Configuring the Cloud Credential Operator utility]

0 commit comments

Comments
 (0)