Merge pull request #67219 from kowen-rh/osdocs-7363

Author: sheriff-rh

_topic_maps/_topic_map.yml

@@ -1304,7 +1304,7 @@ Topics:
     File: understanding-aws-load-balancer-operator
   - Name: Installing the AWS Load Balancer Operator
     File: install-aws-load-balancer-operator
-  - Name: Installing the AWS Load Balancer Operator on Security Token Service cluster
+  - Name: Installing the AWS Load Balancer Operator on a Security Token Service cluster
     File: installing-albo-sts-cluster
   - Name: Creating an instance of the AWS Load Balancer Controller
     File: create-instance-aws-load-balancer-controller

modules/aws-installing-an-aws-load-balancer-operator.adoc

@@ -139,7 +139,7 @@ Do not include the `https` portion of the OIDC DNS URL when replacing `{Cluster_
 ====
 +
 For more information on assigning trust policies to AWS IAM roles, see link:https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/[How to use trust policies with IAM roles].
-.. Create and verify the role by using the generated trusted policy:
+.. Create and verify the role by using the generated trust policy:
 +
 [source, terminal]
 ----
@@ -182,7 +182,7 @@ $ oc -n aws-load-balancer-operator create secret generic aws-load-balancer-opera
 ----
 . Create the AWS IAM policy required for the AWS Load Balancer Controller (ALBC):
 +
-.. Generate a trusted policy file for your identity provider. The following example uses OpenID Connect:
+.. Generate a trust policy file for your identity provider. The following example uses OpenID Connect:
 +
 [source,terminal]
 ----
@@ -209,7 +209,7 @@ $ cat <<EOF > albo-controller-trusted-policy.json
 EOF
 ----
 +
-.. Create and verify the role by using the generated trusted policy:
+.. Create and verify the role by using the generated trust policy:
 +
 [source, terminal]
 ----

modules/bootstrap-aws-load-balancer-operator.adoc

@@ -13,10 +13,6 @@ The AWS Load Balancer Operator can tag the public subnets if the `kubernetes.io/
 
 The AWS Load Balancer Operator supports the Kubernetes service resource of type `LoadBalancer` by using Network Load Balancer (NLB) with the `instance` target type only.
 
-.Prerequisites
-
-* You must have the AWS credentials secret. The credentials are used to provide subnet tagging and VPC discovery.
-
 .Procedure
 
 . You can deploy the AWS Load Balancer Operator on demand from the OperatorHub, by creating a `Subscription` object:

modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc

@@ -0,0 +1,65 @@
+// Module included in the following assemblies:
+//
+// * networking/installing-albo-sts-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="specifying-role-arn-albo-sts_{context}"]
+= Specifying the role ARN for the ALB Operator on an STS cluster
+
+The role Amazon Resource Name (ARN) needs to be passed to the AWS Load Balancer (ALB) Operator as an environment variable. You can use the dedicated input box in the OperatorHub web UI or specify it in the `Subscription` resource when installing the Operator by using the OpenShift CLI.
+
+.Prerequisites
+
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Create the `aws-load-balancer-operator` project by running the following command:
++
+[source,terminal]
+----
+$ oc new-project aws-load-balancer-operator
+----
+
+. Create an `OperatorGroup` for the ALB Operator by running the following command:
++
+[source,terminal]
+----
+$ cat <<EOF | oc apply -f -
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: aws-load-balancer-operator
+  namespace: aws-load-balancer-operator
+spec:
+  targetNamespaces: []
+EOF
+----
+
+. Create a `Subscription` object for the ALB Operator with the role ARN by running the following command:
++
+[source,terminal]
+----
+$ cat <<EOF | oc apply -f -
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: aws-load-balancer-operator
+  namespace: aws-load-balancer-operator
+spec:
+  channel: stable-v1
+  name: aws-load-balancer-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  config:
+    env:
+    - name: ROLEARN
+      value: "<role-arn>" <1>
+EOF
+----
+<1> Specifies the role ARN to be used in the `CredentialsRequest` to provision the AWS credentials for the Operator.
++
+[NOTE]
+====
+The ALB Operator waits until the creation of the required secret before moving to the available state.
+====

modules/configuring-albo-on-sts-cluster.adoc

@@ -0,0 +1,90 @@
+// Module included in the following assemblies:
+//
+// * networking/installing-albo-sts-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="using-aws-cli-create-iam-role-alb-controller_{context}"]
+= Using the AWS CLI to create an IAM role for the Controller
+
+You can use the `aws` command line interface to create an IAM role for the `AWSLoadBalancerController`. The created IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
+
+.Prerequisites
+
+* You must have access to the `aws` command line interface.
+
+.Procedure
+
+. Generate a trust policy file using your identity provider by running the following command:
++
+[source,terminal]
+----
+$ cat <<EOF > albo-controller-trust-policy.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::777777777777:oidc-provider/<oidc-provider-id>" <1>
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringEquals": {
+                    "<oidc-provider-id>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" <2>
+                }
+            }
+        }
+    ]
+}
+EOF
+----
+<1> Specifies the ARN of the identity provider.
+<2> Specifies the service account for the `AWSLoadBalancerController`.
+
+. Create the IAM role with the generated trust policy by running the following command:
++
+[source,terminal]
+----
+$ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
+----
++
+.Example output
+[source,terminal]
+----
+ROLE	arn:aws:iam::777777777777:role/albo-controller	2023-08-02T12:13:22Z <1>
+ASSUMEROLEPOLICYDOCUMENT	2012-10-17
+STATEMENT	sts:AssumeRoleWithWebIdentity	Allow
+STRINGEQUALS	system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster
+PRINCIPAL	arn:aws:iam:777777777777:oidc-provider/<oidc-provider-id>
+----
+<1> Note the ARN of the created IAM role.
+
+. Download the permission policy for the `AWSLoadBalancerController` by running the following command:
++
+[source,terminal]
+----
+$ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/assets/iam-policy.json
+----
+
+. Attach the permission policy for the `AWSLoadBalancerController` to the IAM role by running the following command:
++
+[source,terminal]
+----
+$ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
+----
+
+. Create an `AWSLoadBalancerController` resource file named `example-sts-iam-role.yaml` with contents such as the following example:
++
+[source,yaml]
+----
+apiVersion: networking.olm.openshift.io/v1
+kind: AWSLoadBalancerController <1>
+metadata:
+  name: cluster <2>
+spec:
+  credentialsRequestConfig:
+    stsIAMRoleARN: <role-arn> <3>
+----
+<1> Defines the `AWSLoadBalancerController` resource.
+<2> Defines the instance name for the `AWSLoadBalancerController`. All related resources use this instance name as a suffix.
+<3> Specifies the role ARN to be used in a `CredentialsRequest` to provision the AWS credentials for the controller.