diff --git a/modules/bootstrap-aws-load-balancer-operator.adoc b/modules/bootstrap-aws-load-balancer-operator.adoc index 66be1bda0b..d8781acd8b 100644 --- a/modules/bootstrap-aws-load-balancer-operator.adoc +++ b/modules/bootstrap-aws-load-balancer-operator.adoc @@ -7,7 +7,7 @@ .Prerequisites -* You must extract and prepare the `coctl` binary. +* You must extract and prepare the `ccoctl` binary. .Procedure diff --git a/modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc b/modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc new file mode 100644 index 0000000000..dc16fc9b66 --- /dev/null +++ b/modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc 
@@ -0,0 +1,71 @@ +// Module included in the following assemblies: +// * networking/installing-albo-sts-cluster.adoc + +:_content-type: PROCEDURE +[id="nw-installing-albo-on-sts-cluster-predefined-credentials_{context}"] += Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using specific credentials + +You can specify the credential secret by using the `spec.credentials` field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined `CredentialsRequest` object of the controller to know which roles are required. + +.Prerequisites + +* You must extract and prepare the `ccoctl` binary. + +.Procedure + +. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command: ++ +[source,terminal] +---- +$ curl --create-dirs -o /cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml +---- + +. Use the `ccoctl` tool to process the `CredentialsRequest` object of the controller: ++ +[source,terminal] +---- +$ ccoctl aws create-iam-roles \ + --name --region= \ + --credentials-requests-dir= \ + --identity-provider-arn +---- + +. Apply the secrets to your cluster: ++ +[source,terminal] +---- +$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {} +---- + +. Verify the credentials secret has been created for use by the controller: ++ +[source,terminal] +---- +$ oc -n aws-load-balancer-operator get secret aws-load-balancer-controller-manual-cluster --template='{{index .data "credentials"}}' | base64 -d +---- ++ +.Example output +---- +[default] + sts_regional_endpoints = regional + role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller + web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token +---- + +. 
Create the `AWSLoadBalancerController` resource YAML file, for example, `sample-aws-lb-manual-creds.yaml`, as follows: ++ +[source,yaml] +---- +apiVersion: networking.olm.openshift.io/v1alpha1 +kind: AWSLoadBalancerController <1> +metadata: + name: cluster <2> +spec: + credentials: + name: <3> +---- +<1> Defines the `AWSLoadBalancerController` resource. +<2> Defines the AWS Load Balancer Controller instance name. This instance name gets added as a suffix to all related resources. +<3> Specifies the secret name containing AWS credentials that the controller uses. + + diff --git a/modules/configuring-albo-on-sts-cluster.adoc b/modules/configuring-albo-on-sts-cluster.adoc index 9c8270fa05..41e0bfc32f 100644 --- a/modules/configuring-albo-on-sts-cluster.adoc +++ b/modules/configuring-albo-on-sts-cluster.adoc @@ -3,11 +3,11 @@ :_content-type: PROCEDURE [id="nw-installing-albo-on-sts-cluster_{context}"] -= Configuring AWS Load Balancer Operator on Secure Token Service cluster += Configuring AWS Load Balancer Operator on Secure Token Service cluster by using managed `CredentialsRequest` objects .Prerequisites -* You must extract and prepare the `coctl` binary. +* You must extract and prepare the `ccoctl` binary. .Procedure diff --git a/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc b/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc index b310338bf6..8e79421fd8 100644 --- a/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc +++ b/networking/aws_load_balancer_operator/installing-albo-sts-cluster.adoc 
@@ -8,12 +8,16 @@ toc::[] You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster. -The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. +The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. + +If you do not want to provision credential secret by using the Cloud Credential Operator, you can configure the `AWSLoadBalancerController` instance on the STS cluster by specifying the credential secret in the AWS load Balancer Controller custom resource (CR). include::modules/bootstrap-aws-load-balancer-operator.adoc[leveloffset=+1] include::modules/configuring-albo-on-sts-cluster.adoc[leveloffset=+1] +include::modules/configuring-albo-on-sts-cluster-predefined-credentials.adoc[leveloffset=+1] + [role="_additional-resources"] == Additional resources * xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#cco-ccoctl-configuring_cco-mode-sts[Configuring the Cloud Credential Operator utility]
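Review bot: in the new module `configuring-albo-on-sts-cluster-predefined-credentials.adoc`, the `ccoctl aws create-iam-roles` command is shipped with every flag value empty (`--name --region= --credentials-requests-dir= --identity-provider-arn`), so copying it as written fails; give each flag a visible placeholder, for example `--name <name> --region=<aws_region> --credentials-requests-dir=<path_to_credrequests_dir> --identity-provider-arn <oidc_provider_arn>`, and add a short callout saying where each value comes from (the `--identity-provider-arn` is the cluster's OIDC provider ARN, the same one used when bootstrapping the Operator). Two related inconsistencies in the same hunk: step 1 downloads the `CredentialsRequest` to `/cr.yaml` at the filesystem root, while step 2 expects a directory of request files, so the download path should be a directory (for example `<credrequests_dir>/cr.yaml`) and that same directory should be passed to `--credentials-requests-dir`; and in the final `AWSLoadBalancerController` YAML, `spec.credentials.name:` is left blank with only the `<3>` callout, so the reader is not told that it must reference the secret verified in the previous step (`aws-load-balancer-controller-manual-cluster`); put that name, or an explicit placeholder, in the manifest.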
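Review bot: in `installing-albo-sts-cluster.adoc`, the added sentence "If you do not want to provision credential secret by using the Cloud Credential Operator, you can configure the `AWSLoadBalancerController` instance ..." contradicts the paragraph directly above it, which states that the Cloud Credential Operator does not provision the secrets on an STS cluster at all. What the new module offers is an alternative to the `CredentialsRequest` object managed by the Operator, so the sentence should say that, for example: "If you do not want to use the `CredentialsRequest` object managed by the Operator, you can configure the `AWSLoadBalancerController` instance on the STS cluster by creating the credential secret yourself and specifying it in the AWS Load Balancer Controller custom resource (CR)." While editing, fix the capitalization of "AWS load Balancer Controller" and the missing article in "provision credential secret"; the new `include::` line for the predefined-credentials module is otherwise placed correctly after the managed-credentials module.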