installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc
30 additions & 3 deletions
@@ -29,7 +29,6 @@ Because the installation media is on the mirror host, you can use that computer
29
29
** The VNet contains the mirror registry
30
30
** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere
31
31
* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
32
-
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[manually create and maintain long-term credentials].
33
32
* If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption].
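Review bot: Dropping the prerequisite at old line 32 removes the only early cue in this assembly that a reader whose environment cannot reach the cloud IAM APIs has to plan for manual credentials before starting, and this restricted-network assembly is where that case is most likely to come up. Consider keeping a one-line prerequisite that points to the new "Alternatives to storing administrator-level secrets in the kube-system project" section instead of the old `installing-azure-customizations.adoc` target.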
== Alternatives to storing administrator-level secrets in the kube-system project
68
+
69
+
By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:
70
+
71
+
* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-azure-installer-provisioned[Manually creating long-term credentials].
72
+
73
+
* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc#installing-azure-with-short-term-creds_installing-restricted-networks-azure-installer-provisioned[Configuring an Azure cluster to use short-term credentials].
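Review bot: The intro at new line 69 makes both alternatives conditional on `credentialsMode` being `Manual`, but nothing in the added lines says when a reader should choose that mode; the removed prerequisite gave the two reasons (IAM APIs not accessible, or not wanting an administrator-level credential secret in `kube-system`). Suggest carrying those reasons into this paragraph. Also, the heading and intro say `kube-system` "project" where the removed text said "namespace"; pick one term.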
=== Configuring an Azure cluster to use short-term credentials
81
+
82
+
To install a cluster that uses Azure AD Workload Identity, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster.
83
+
84
+
//Task part 1: Configuring the Cloud Credential Operator utility
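Review bot: At new line 82 the text switches from the heading's "short-term credentials" to "Azure AD Workload Identity" without saying they are the same thing, so a reader arriving from the xref in the "Alternatives" list has to infer it. Suggest tying them together in the first sentence, for example "To install a cluster that uses short-term credentials through Azure AD Workload Identity, ...".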
. If you used the `ccoctl` utility to create a new Azure resource group instead of using an existing resource group, modify the `resourceGroupName` parameter in the `install-config.yaml` as shown:
78
+
+
79
+
.Sample configuration file snippet
80
+
[source,yaml]
81
+
----
82
+
apiVersion: v1
83
+
baseDomain: example.com
84
+
# ...
85
+
platform:
86
+
azure:
87
+
resourceGroupName: <azure_infra_name> # <1>
88
+
# ...
89
+
----
90
+
<1> This value must match the user-defined name for Azure resources that was specified with the `--name` argument of the `ccoctl azure create-all` command.
91
+
endif::azure-workload-id[]
92
+
55
93
. If you have not previously created installation manifest files, do so by running the following command:
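Review bot: The step at the top of this hunk only covers the case where `ccoctl` created a new resource group; it does not say what `resourceGroupName` should be, or whether the step can be skipped, when an existing resource group was used. Add one sentence for that case. It is also worth confirming that the `ifdef` matching `endif::azure-workload-id[]` at new line 91 opens before this step, so that the step and its `+` continuation lines are included or excluded together.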