diff --git a/installing/installing_aws/uninstalling-cluster-aws.adoc b/installing/installing_aws/uninstalling-cluster-aws.adoc index 5e777bc8fb..786b04cbf3 100644 --- a/installing/installing_aws/uninstalling-cluster-aws.adoc +++ b/installing/installing_aws/uninstalling-cluster-aws.adoc @@ -8,3 +8,5 @@ toc::[] You can remove a cluster that you deployed to Amazon Web Services (AWS). include::modules/installation-uninstall-clouds.adoc[leveloffset=+1] + +include::modules/cco-ccoctl-deleting-sts-resources.adoc[leveloffset=+1] diff --git a/modules/cco-ccoctl-creating-individually.adoc b/modules/cco-ccoctl-creating-individually.adoc index 2ecbce7d7f..db3f821c33 100644 --- a/modules/cco-ccoctl-creating-individually.adoc +++ b/modules/cco-ccoctl-creating-individually.adoc @@ -41,7 +41,7 @@ $ ccoctl aws create-key-pair 2021/04/13 11:01:03 Copying signing key for use by installer ---- + -Where `serviceaccount-signer.private` and `serviceaccount-signer.public` are the generated key files. +where `serviceaccount-signer.private` and `serviceaccount-signer.public` are the generated key files. + This command also creates a private key that the cluster requires during installation in `/__/tls/bound-service-account-signing-key.key`. @@ -52,7 +52,7 @@ This command also creates a private key that the cluster requires during install $ ccoctl aws create-identity-provider --name=____ --region=____ --public-key-file=____/serviceaccount-signer.public ---- + -Where: +where: + ** `__` is the name used to tag any cloud resources that are created for tracking. ** `__` is the AWS region in which cloud resources will be created. 
@@ -69,7 +69,7 @@ Where: 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::____:oidc-provider/____-oidc.s3.____.amazonaws.com ---- + -Where `02-openid-configuration` is a discovery document and `03-keys.json` is a JSON web key set file. +where `02-openid-configuration` is a discovery document and `03-keys.json` is a JSON web key set file. + This command also creates a YAML configuration file in `/__/manifests/cluster-authentication-02-config.yaml`. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens. diff --git a/modules/cco-ccoctl-deleting-sts-resources.adoc b/modules/cco-ccoctl-deleting-sts-resources.adoc new file mode 100644 index 0000000000..05a51642b3 --- /dev/null +++ b/modules/cco-ccoctl-deleting-sts-resources.adoc 
@@ -0,0 +1,51 @@ +// Module included in the following assemblies: +// +// * installing/installing_aws/uninstalling-cluster-aws.adoc + +[id="cco-ccoctl-deleting-sts-resources_{context}"] += Deleting AWS resources with the Cloud Credential Operator utility + +To clean up resources after uninstalling an {product-title} cluster with the Cloud Credential Operator (CCO) in manual mode with STS, you can use the CCO utility (`ccoctl`) to remove the AWS resources that `ccoctl` created during installation. + +.Prerequisites + +* Extract and prepare the `ccoctl` binary. +* Install an {product-title} cluster with the CCO in manual mode with STS. + +.Procedure + +* Delete the AWS resources that `ccoctl` created: ++ +[source,terminal,subs="+quotes"] +---- +$ ccoctl aws delete --name=____ --region=____ +---- ++ +where: ++ +** `__` matches the name used to originally create and tag the cloud resources. +** `__` is the AWS region in which cloud resources will be deleted. ++ +.Example output: ++ +[source,terminal,subs="+quotes"] +---- +2021/04/08 17:50:41 Identity Provider object .well-known/openid-configuration deleted from the bucket ____-oidc +2021/04/08 17:50:42 Identity Provider object keys.json deleted from the bucket ____-oidc +2021/04/08 17:50:43 Identity Provider bucket ____-oidc deleted +2021/04/08 17:51:05 Policy ____-openshift-cloud-credential-operator-cloud-credential-o associated with IAM Role ____-openshift-cloud-credential-operator-cloud-credential-o deleted +2021/04/08 17:51:05 IAM Role ____-openshift-cloud-credential-operator-cloud-credential-o deleted +2021/04/08 17:51:07 Policy ____-openshift-cluster-csi-drivers-ebs-cloud-credentials associated with IAM Role ____-openshift-cluster-csi-drivers-ebs-cloud-credentials deleted +2021/04/08 17:51:07 IAM Role ____-openshift-cluster-csi-drivers-ebs-cloud-credentials deleted +2021/04/08 17:51:08 Policy ____-openshift-image-registry-installer-cloud-credentials associated with IAM Role 
____-openshift-image-registry-installer-cloud-credentials deleted +2021/04/08 17:51:08 IAM Role ____-openshift-image-registry-installer-cloud-credentials deleted +2021/04/08 17:51:09 Policy ____-openshift-ingress-operator-cloud-credentials associated with IAM Role ____-openshift-ingress-operator-cloud-credentials deleted +2021/04/08 17:51:10 IAM Role ____-openshift-ingress-operator-cloud-credentials deleted +2021/04/08 17:51:11 Policy ____-openshift-machine-api-aws-cloud-credentials associated with IAM Role ____-openshift-machine-api-aws-cloud-credentials deleted +2021/04/08 17:51:11 IAM Role ____-openshift-machine-api-aws-cloud-credentials deleted +2021/04/08 17:51:39 Identity Provider with ARN arn:aws:iam::____:oidc-provider/____-oidc.s3.____.amazonaws.com deleted +---- + +.Verification + +You can verify that the resources are deleted by querying AWS. For more information, refer to AWS documentation. diff --git a/modules/sts-mode-installing-manual-config.adoc b/modules/sts-mode-installing-manual-config.adoc index 8d2c5c67c9..e31b66c029 100644 --- a/modules/sts-mode-installing-manual-config.adoc +++ b/modules/sts-mode-installing-manual-config.adoc @@ -62,7 +62,7 @@ OPENID_BUCKET_URL="https://.s3..amazonaws.com" } ---- + -Where: +where: *** `` is generated from the public key with: + diff --git a/post_installation_configuration/cluster-tasks.adoc b/post_installation_configuration/cluster-tasks.adoc index 07d001c0ac..e967596f55 100644 --- a/post_installation_configuration/cluster-tasks.adoc +++ b/post_installation_configuration/cluster-tasks.adoc 
@@ -589,6 +589,7 @@ include::modules/nodes-pods-pod-disruption-configuring.adoc[leveloffset=+2] [id="post-install-rotate-remove-cloud-creds"] == Rotating or removing cloud provider credentials + After installing {product-title}, some organizations require the rotation or removal of the cloud provider credentials that were used during the initial installation. To allow the cluster to use the new credentials, you must update the secrets that the xref:../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator (CCO)] uses to manage cloud provider credentials.
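Review bot: in the uninstalling-cluster-aws.adoc hunk, the new `include::modules/cco-ccoctl-deleting-sts-resources.adoc[leveloffset=+1]` is unconditional, so the `ccoctl aws delete` procedure will appear in every AWS uninstall page even though the module itself only applies to clusters installed with the CCO in manual mode with STS. Consider adding a sentence to the assembly after "You can remove a cluster that you deployed to Amazon Web Services (AWS)." that states the extra step is only for STS/manual-mode clusters, so readers of a default installation do not look for IAM roles and an OIDC provider that `ccoctl` never created.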
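Review bot: in the new cco-ccoctl-deleting-sts-resources.adoc module, the prerequisites and the intro disagree on ordering: the intro says the cleanup is done "after uninstalling an {product-title} cluster", but the Prerequisites list only "Install an {product-title} cluster with the CCO in manual mode with STS." Running `ccoctl aws delete --name=____ --region=____` against a cluster that is still running removes the IAM roles, the policies and the OIDC identity provider that the in-cluster operators (image registry, ingress, machine API, CSI drivers, per the example output) authenticate with, so the cluster's cloud access breaks and the deletion is not reversible. Suggest adding a prerequisite such as "Uninstall the cluster" (or a note that `ccoctl aws delete` must only run after the cluster has been destroyed), and stating explicitly that `--name` must exactly match the value given to `ccoctl aws create-identity-provider --name=____` since that prefix selects which roles and bucket are deleted. The Verification step "You can verify that the resources are deleted by querying AWS. For more information, refer to AWS documentation." is also too vague to act on; listing what to check (no IAM roles with the `____-openshift-` prefix, no `____-oidc` bucket, no OIDC provider with the ARN shown in the output) would give the reader a concrete check. Minor style point: the block title `.Example output:` carries a trailing colon that will render as part of the caption.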