OSDOCS-16842-3: CQA for NOP-1 AWS Load Balancer Operator (ALBO)
committed by openshift-cherrypick-robot
parent 71c3f8803d
commit 9ed034c2f3
@@ -1,14 +1,17 @@
// Module included in the following assemblies:
// * networking/aws_load_balancer_operator/understanding-aws-load-balancer-operator.adoc

:_mod-docs-content-type: REFERENCE
:_mod-docs-content-type: CONCEPT
[id="nw-aws-load-balancer-operator-considerations_{context}"]
= AWS Load Balancer Operator considerations

[role="_abstract"]
To ensure a successful deployment, review the limitations of the AWS Load Balancer Operator. Understanding these constraints helps avoid compatibility issues and ensures the Operator meets your architectural requirements before installation.

Review the following limitations before installing and using the AWS Load Balancer Operator:

* The IP traffic mode only works on AWS Elastic Kubernetes Service (EKS). The AWS Load Balancer Operator disables the IP traffic mode for the AWS Load Balancer Controller. As a result of disabling the IP traffic mode, the AWS Load Balancer Controller cannot use the pod readiness gate.

* The AWS Load Balancer Operator adds command-line flags such as `--disable-ingress-class-annotation` and `--disable-ingress-group-name-annotation` to the AWS Load Balancer Controller. Therefore, the AWS Load Balancer Operator does not allow using the `kubernetes.io/ingress.class` and `alb.ingress.kubernetes.io/group.name` annotations in the `Ingress` resource.

* You have configured the AWS Load Balancer Operator so that the SVC type is `NodePort` (not `LoadBalancer` or `ClusterIP`).
* The AWS Load Balancer Operator requires that the service type is `NodePort` and not `LoadBalancer` or `ClusterIP`.

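Review bot: the new abstract (`To ensure a successful deployment, review the limitations ...`) and the sentence that follows it (`Review the following limitations before installing and using ...`) say the same thing twice; shorten the second to a plain lead-in such as `The AWS Load Balancer Operator has the following limitations:`. The reworded `NodePort` bullet now states a requirement inside a list introduced as limitations; phrasing it as `The Operator supports only services of type NodePort; LoadBalancer and ClusterIP are not supported.` keeps the list consistent.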
@@ -3,11 +3,14 @@

:_mod-docs-content-type: PROCEDURE
[id="nw-aws-load-balancer-operator_{context}"]
= AWS Load Balancer Operator
= Deploying the AWS Load Balancer Operator

The AWS Load Balancer Operator can tag the public subnets if the `kubernetes.io/role/elb` tag is missing. Also, the AWS Load Balancer Operator detects the following information from the underlying AWS cloud:
[role="_abstract"]
After you deploy the The AWS Load Balancer Operator, the Operator automatically tags public subnets if the `kubernetes.io/role/elb` tag is missing. The Operator then identifies specific network resources in the underlying AWS cloud to ensure successful cluster integration.

* The ID of the virtual private cloud (VPC) on which the cluster hosting the Operator is deployed in.
The AWS Load Balancer Operator detects the following information from the underlying AWS cloud:

* The ID of the virtual private cloud (VPC) on which the cluster hosting the Operator is deployed.

* Public and private subnets of the discovered VPC.


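Review bot: typo in the new abstract: `After you deploy the The AWS Load Balancer Operator` doubles `the`. The module also keeps `:_mod-docs-content-type: PROCEDURE` while gaining the title `Deploying the AWS Load Balancer Operator`; the visible body is descriptive (what the Operator tags and detects), so check that the file really contains a `.Procedure` block, otherwise CONCEPT is the accurate type, as was chosen for the considerations module in the hunk above.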
@@ -7,27 +7,25 @@
[id="nw-aws-load-balancer-with-outposts_{context}"]
= Using the AWS Load Balancer Operator in an AWS VPC cluster extended into an Outpost

You can configure the AWS Load Balancer Operator to provision an AWS Application Load Balancer in an AWS VPC cluster extended into an Outpost.
AWS Outposts does not support AWS Network Load Balancers.
As a result, the AWS Load Balancer Operator cannot provision Network Load Balancers in an Outpost.
[role="_abstract"]
To provision an AWS Application Load Balancer in an AWS VPC cluster extended into an Outpost, configure the AWS Load Balancer Operator. Note that the Operator cannot provision AWS Network Load Balancers because AWS Outposts does not support them.

You can create an AWS Application Load Balancer either in the cloud subnet or in the Outpost subnet.
An Application Load Balancer in the cloud can attach to cloud-based compute nodes and an Application Load Balancer in the Outpost can attach to edge compute nodes.

An Application Load Balancer in the cloud can attach to cloud-based compute nodes. An Application Load Balancer in the Outpost can attach to edge compute nodes.

You must annotate Ingress resources with the Outpost subnet or the VPC subnet, but not both.

.Prerequisites

* You have extended an AWS VPC cluster into an Outpost.

* You have installed the {oc-first}.

* You have installed the AWS Load Balancer Operator and created the AWS Load Balancer Controller.

.Procedure

* Configure the `Ingress` resource to use a specified subnet:
+
--
.Example `Ingress` resource configuration
[source,yaml]
----
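Review bot: style inconsistency in `You must annotate Ingress resources with the Outpost subnet or the VPC subnet, but not both.`: `Ingress` is a resource kind and is set in monospace a few lines below (`Configure the `Ingress` resource`), so set it in monospace here as well. In the abstract, `Note that the Operator cannot provision ...` can lose `Note that`; the sentence is the limitation itself, and abstracts read better without hedging lead-ins.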
@@ -36,7 +34,7 @@ kind: Ingress
metadata:
name: <application_name>
annotations:
alb.ingress.kubernetes.io/subnets: <subnet_id> # <1>
alb.ingress.kubernetes.io/subnets: <subnet_id>
spec:
ingressClassName: alb
rules:
@@ -50,7 +48,8 @@ spec:
port:
number: 80
----
<1> Specifies the subnet to use.
* To use the Application Load Balancer in an Outpost, specify the Outpost subnet ID.
* To use the Application Load Balancer in the cloud, you must specify at least two subnets in different availability zones.
--
+
where:
+
`<subnet_id>`:: Specifies the subnet to use. To use the Application Load Balancer in an Outpost, specify the Outpost subnet ID. To use the Application Load Balancer in the cloud, you must specify at least two subnets in different availability zones.


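Review bot: the `<subnet_id>` entry in the new `where:` list says that an Application Load Balancer in the cloud needs at least two subnets in different availability zones, but the YAML above shows a single `<subnet_id>` placeholder, so a reader following the cloud case will copy a one-subnet annotation. Either show the list form in the example (`alb.ingress.kubernetes.io/subnets: <subnet_id_1>,<subnet_id_2>`) or state in the entry that the value is a comma-separated list of subnet IDs. The two sub-bullets that were folded into one paragraph were easier to scan as a list; the `where:` entry can keep them as a nested list.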
@@ -6,7 +6,8 @@
[id="specifying-role-arn-albo-sts_{context}"]
= Configuring the ARN role for the AWS Load Balancer Operator

You can configure the Amazon Resource Name (ARN) role for the {aws-short} Load Balancer Operator as an environment variable. You can configure the ARN role by using the CLI.
[role="_abstract"]
To authorize the {aws-short} Load Balancer Operator, configure the Amazon Resource Name (ARN) role as an environment variable by using the CLI. This ensures the Operator has the necessary permissions to manage resources within the cluster.

.Prerequisites

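Review bot: the last sentence of the new abstract, `This ensures the Operator has the necessary permissions to manage resources within the cluster`, misdescribes what the role ARN does. As the `<albo_role_arn>` entry in the next hunk states, the ARN goes into the `CredentialsRequest` that provisions {aws-short} credentials, so the permissions it confers are in the AWS account (subnets, VPCs, load balancers), not in the cluster. Suggest `This gives the Operator the AWS permissions it needs to manage load balancer resources in your account.` Also, `ARN role` reads oddly; the object is an IAM role identified by an ARN, so `the ARN of the IAM role` is clearer.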
@@ -54,10 +55,13 @@ spec:
config:
env:
- name: ROLEARN
value: "<albo_role_arn>" <1>
value: "<albo_role_arn>"
EOF
----
<1> Specifies the ARN role to be used in the `CredentialsRequest` to provision the {aws-short} credentials for the {aws-short} Load Balancer Operator. An example for `<albo_role_arn>` is `arn:aws:iam::<aws_account_number>:role/albo-operator`.
+
where:
+
`<albo_role_arn>`:: Specifies the ARN role to be used in the `CredentialsRequest` to provision the {aws-short} credentials for the {aws-short} Load Balancer Operator. An example for `<albo_role_arn>` is `arn:aws:iam::<aws_account_number>:role/albo-operator`.
+
[NOTE]
====

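Review bot: the example value in the `<albo_role_arn>` entry, `arn:aws:iam::<aws_account_number>:role/albo-operator`, nests a second placeholder inside what is presented as an example; the sibling modules in this commit use a concrete dummy account ID (`arn:aws:iam::777777777777:role/albo-operator`) for their examples, so align on one style. Otherwise carrying the callout text over into the `where:` entry unchanged is fine.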
modules/the-iam-role-albo-controller.adoc (Normal file, 17 lines)
@@ -0,0 +1,17 @@
// Module included in the following assemblies:
//
// * networking/networking_operators/preparing-sts-cluster-for-albo.adoc

:_mod-docs-content-type: CONCEPT
[id="the-iam-role-albo-controller.adoc_{context}"]
= The IAM role for the AWS Load Balancer Controller

[role="_abstract"]
To authorize the {aws-short} Load Balancer Controller, configure the `CredentialsRequest` object with a manually provisioned IAM role. This ensures the controller functions correctly by using the specific permissions defined in your manual provisioning process.

You can create the IAM role by using the following options:

* Using the Cloud Credential Operator utility (`ccoctl`) and a predefined `CredentialsRequest` object.
* Using the {aws-short} CLI and predefined {aws-short} manifests.

If your environment does not support the `ccoctl` `command.ws-short` CLI, use the {aws-short} CLI.
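Review bot: two defects in this new module. The anchor `[id="the-iam-role-albo-controller.adoc_{context}"]` carries the `.adoc` file extension into the ID, unlike the sibling `[id="the-iam-role-albo-operator_{context}"]`; drop `.adoc`. The closing sentence `If your environment does not support the `ccoctl` `command.ws-short` CLI, use the {aws-short} CLI.` is garbled (a `{aws-short}` attribute and the word `command` have been spliced together); use the wording from the operator module: `Use the {aws-short} CLI if your environment does not support the `ccoctl` command.`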
modules/the-iam-role-albo-operator.adoc (Normal file, 17 lines)
@@ -0,0 +1,17 @@
// Module included in the following assemblies:
//
// * networking/networking_operators/preparing-sts-cluster-for-albo.adoc

:_mod-docs-content-type: CONCEPT
[id="the-iam-role-albo-operator_{context}"]
= The IAM role for the AWS Load Balancer Operator

[role="_abstract"]
To install the {aws-first} Load Balancer Operator on a cluster by using {sts-short}, configure an additional Identity and Access Management (IAM) role. This role enables the Operator to interact with subnets and Virtual Private Clouds (VPCs), allowing the Operator to generate the `CredentialsRequest` object required for bootstrapping.

You can create the IAM role by using the following options:

* Using the Cloud Credential Operator utility (`ccoctl`) and a predefined `CredentialsRequest` object.
* Using the {aws-short} CLI and predefined {aws-short} manifests.

Use the {aws-short} CLI if your environment does not support the `ccoctl` command.
@@ -6,7 +6,8 @@
[id="using-aws-cli-create-iam-role-alb-controller_{context}"]
= Creating an AWS IAM role for the controller by using the AWS CLI

You can use the {aws-short} command-line interface to create an {aws-short} IAM role for the {aws-short} Load Balancer Controller. An {aws-short} IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
[role="_abstract"]
To enable the {aws-short} Load Balancer Controller to interact with subnets and Virtual Private Clouds (VPCs), create an IAM role by using the {aws-short} CLI. This ensures the controller has the specific permissions required to manage network resources within the cluster.

.Prerequisites

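Review bot: `manage network resources within the cluster` places the IAM role's permissions in the wrong trust domain. The role is assumed through `sts:AssumeRoleWithWebIdentity` (trust policy in the next hunk) and scopes what the controller may do in the AWS account: subnets, VPCs and load balancers. Say `in your AWS account` rather than `within the cluster`, and keep the first sentence's concrete list (subnets and VPCs) instead of the vaguer `network resources`.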
@@ -25,12 +26,12 @@ $ cat <<EOF > albo-controller-trust-policy.json
{
"Effect": "Allow",
"Principal": {
"Federated": "<oidc_arn>" <1>
"Federated": "<oidc_arn>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" <2>
"<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
}
}
}
@@ -38,8 +39,11 @@ $ cat <<EOF > albo-controller-trust-policy.json
}
EOF
----
<1> Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
<2> Specifies the service account for the {aws-short} Load Balancer Controller. An example of `<cluster_oidc_endpoint>` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
+
where:
+
`<oidc_arn>`:: Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Controller. An example of `<cluster_oidc_endpoint>` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.

. Create an {aws-short} IAM role with the generated trust policy by running the following command:
+
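Review bot: the definition-list term `serviceaccount`:: does not correspond to anything a reader replaces in the trust policy. The placeholder in the `Condition` block is `<cluster_oidc_endpoint>`, and the service account string is a literal that must stay as written, because the `StringEquals` check on `sub` is what restricts role assumption to that one service account. Rename the term to `<cluster_oidc_endpoint>`, describe it as the cluster's OIDC issuer without the `https://` prefix (the example value already shows that form), and move the remark about the service account into a sentence that says the `sub` value must match the controller's service account exactly.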
@@ -57,7 +61,10 @@ STATEMENT sts:AssumeRoleWithWebIdentity Allow
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager
PRINCIPAL arn:aws:iam:<aws_account_number>:oidc-provider/<cluster_oidc_endpoint>
----
<1> Note the ARN of an {aws-short} IAM role for the {aws-short} Load Balancer Controller, such as `arn:aws:iam::777777777777:role/albo-controller`.
+
where:
+
`<aws_account_number>`:: Specifies the ARN for an {aws-short} IAM role for the {aws-short} Load Balancer Controller, such as `arn:aws:iam::777777777777:role/albo-controller`.

. Download the permission policy for the {aws-short} Load Balancer Controller by running the following command:
+
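Review bot: the term `<aws_account_number>`:: is described as `Specifies the ARN for an {aws-short} IAM role ... such as arn:aws:iam::777777777777:role/albo-controller`, but `<aws_account_number>` is the account-ID placeholder in the `PRINCIPAL` line of the output; the removed callout `<1>` was an instruction to note the role ARN, not a placeholder description. Keep that instruction as a sentence after the output (`Note the ARN of the created role, such as ...`) and, if `<aws_account_number>` gets an entry, describe it as your AWS account ID. Unrelated but visible in the context line: `arn:aws:iam:<aws_account_number>:oidc-provider/...` has a single colon after `iam`, whereas an IAM ARN has an empty region field (`arn:aws:iam::<aws_account_number>:...`), as the example values elsewhere in this module show.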
@@ -79,13 +86,17 @@ $ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy
[source,yaml]
----
apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController <1>
kind: AWSLoadBalancerController
metadata:
name: cluster <2>
name: cluster
spec:
credentialsRequestConfig:
stsIAMRoleARN: <albc_role_arn> <3>
stsIAMRoleARN: <albc_role_arn>
----
<1> Defines the `AWSLoadBalancerController` object.
<2> Defines the {aws-short} Load Balancer Controller name. All related resources use this instance name as a suffix.
<3> Specifies the ARN role for the {aws-short} Load Balancer Controller. The `CredentialsRequest` object uses this ARN role to provision the {aws-short} credentials. An example of `<albc_role_arn>` is `arn:aws:iam::777777777777:role/albo-controller`.
+
where:
+
`kind`:: Specifies the `AWSLoadBalancerController` object.
`metatdata.name`:: Specifies the {aws-short} Load Balancer Controller name. All related resources use this instance name as a suffix.
`stsIAMRoleARN`:: Specifies the ARN role for the {aws-short} Load Balancer Controller. The `CredentialsRequest` object uses this ARN role to provision the {aws-short} credentials. An example of `<albc_role_arn>` is `arn:aws:iam::777777777777:role/albo-controller`.


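Review bot: typo in the term `metatdata.name`:: (should be `metadata.name`). For consistency the third term should use the full path `spec.credentialsRequestConfig.stsIAMRoleARN` rather than the bare `stsIAMRoleARN`, matching the dotted form chosen for `metadata.name`; and since `<albc_role_arn>` is the only placeholder the reader actually replaces in this manifest, consider making that the term instead of (or in addition to) the field name. The `kind` entry reads `Specifies the AWSLoadBalancerController object`; `kind` is the resource type, so `Specifies the resource type, AWSLoadBalancerController` is more accurate.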
@@ -6,7 +6,8 @@
[id="using-aws-cli-create-iam-role-alb-operator_{context}"]
= Creating an AWS IAM role by using the AWS CLI

You can use the {aws-short} Command Line Interface to create an IAM role for the {aws-short} Load Balancer Operator. The IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
[role="_abstract"]
To enable the {aws-short} Load Balancer Operator to interact with subnets and VPCs, create an {aws-short} IAM role by using the {aws-short} CLI. This enables the Operator to access and manage the necessary network resources within the cluster.

.Prerequisites

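Review bot: `access and manage the necessary network resources within the cluster` has the same problem as the controller module's abstract: the role grants AWS-side permissions (the first sentence of this very abstract says subnets and VPCs), not in-cluster permissions, and `necessary network resources` is vaguer than the sentence it replaces. Suggest `This role lets the Operator discover and manage subnets and VPCs in your AWS account.`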
@@ -25,12 +26,12 @@ $ cat <<EOF > albo-operator-trust-policy.json
{
"Effect": "Allow",
"Principal": {
"Federated": "<oidc_arn>" <1>
"Federated": "<oidc_arn>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" <2>
"<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
}
}
}
@@ -38,8 +39,11 @@ $ cat <<EOF > albo-operator-trust-policy.json
}
EOF
----
<1> Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
<2> Specifies the service account for the {aws-short} Load Balancer Controller. An example of `<cluster_oidc_endpoint>` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
+
where:
+
`<oidc_arn>`:: Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Controller. An example of `<cluster_oidc_endpoint>` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.

. Create the IAM role with the generated trust policy by running the following command:
+
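Review bot: the `serviceaccount`:: term has the same defect as in the controller module (it is not a placeholder in the policy; `<cluster_oidc_endpoint>` is), and its description says the service account is `for the {aws-short} Load Balancer Controller` although this file is `albo-operator-trust-policy.json` and the `sub` value above (`system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager`) is the Operator's own service account. The wording was inherited from the removed callout, but converting it to a `where:` entry is the moment to fix both the term and the description.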
@@ -57,7 +61,10 @@ STATEMENT sts:AssumeRoleWithWebIdentity Allow
STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager
PRINCIPAL arn:aws:iam:<aws_account_number>:oidc-provider/<cluster_oidc_endpoint>
----
<1> Note the ARN of the created {aws-short} IAM role that was created for the {aws-short} Load Balancer Operator, such as `arn:aws:iam::777777777777:role/albo-operator`.
+
where:
+
`<aws_account_number>`:: Specifies the ARN of the created {aws-short} IAM role for the {aws-short} Load Balancer Operator, such as `arn:aws:iam::777777777777:role/albo-operator`.

. Download the permission policy for the {aws-short} Load Balancer Operator by running the following command:
+

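Review bot: the unchanged context line `STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager` does not match the `sub` value in the trust policy written two steps earlier (`...:aws-load-balancer-operator-controller-manager`). Example output should reflect the policy that was submitted; as it stands, a reader comparing the two will think the role ended up trusting a different service account, which for a trust policy is exactly the thing they should be verifying. The `<aws_account_number>`:: entry has the same mismatch as in the controller module: the term is the account ID in the `PRINCIPAL` line, but the description is about the role ARN; keep `Note the ARN of the created role ...` as a sentence after the output and describe the placeholder as the account ID.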
@@ -6,7 +6,8 @@
[id="using-ccoctl-create-iam-role-alb-controller_{context}"]
= Creating an AWS IAM role for the controller by using the Cloud Credential Operator utility

You can use the Cloud Credential Operator utility (`ccoctl`) to create an {aws-short} IAM role for the {aws-short} Load Balancer Controller. An {aws-short} IAM role is used to interact with subnets and Virtual Private Clouds (VPCs).
[role="_abstract"]
To enable the {aws-short} Load Balancer Controller to interact with subnets and VPCs, create an IAM role by using the Cloud Credential Operator utility (`ccoctl`). This utility ensures the controller has the specific permissions required to manage network resources within the cluster.

.Prerequisites

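Review bot: `This utility ensures the controller has the specific permissions required ...` attributes the guarantee to `ccoctl`, but the permissions come from the policy attached to the role that `ccoctl` creates (the example output in the next hunk shows `Updated Role policy for Role ...`), and `within the cluster` again describes AWS-account permissions as in-cluster ones. Suggest `The role grants the controller the AWS permissions it needs to manage subnets and VPCs.`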
@@ -35,11 +36,14 @@ $ ccoctl aws create-iam-roles \
.Example output
[source,terminal]
----
2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller created <1>
2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller created
2023/09/12 11:38:57 Saved credentials configuration to: /home/user/<credentials_requests_dir>/manifests/aws-load-balancer-operator-aws-load-balancer-controller-credentials.yaml
2023/09/12 11:38:58 Updated Role policy for Role <name>-aws-load-balancer-operator-aws-load-balancer-controller created
----
<1> Note the Amazon Resource Name (ARN) of an {aws-short} IAM role that was created for the {aws-short} Load Balancer Controller, such as `arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller`.
+
where:
+
`<name>`:: Specifies the Amazon Resource Name (ARN) for an {aws-short} IAM role that was created for the {aws-short} Load Balancer Controller, such as `arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller`.
+
[NOTE]
====

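Review bot: the `<name>`:: entry describes the role ARN, but `<name>` in the output is the name prefix passed to `ccoctl aws create-iam-roles` (it appears inside the role name `<name>-aws-load-balancer-operator-aws-load-balancer-controller`); the instruction to note the resulting ARN, which the removed callout `<1>` carried, is lost in the conversion. Describe `<name>` as the prefix you gave `ccoctl`, and keep `Note the ARN of the created role, such as ...` as a sentence after the output, because that ARN is the value the `stsIAMRoleARN` field of the `AWSLoadBalancerController` object needs.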
@@ -6,7 +6,8 @@
[id="using-ccoctl-create-iam-role-alb-operator_{context}"]
= Creating an AWS IAM role by using the Cloud Credential Operator utility

You can use the Cloud Credential Operator utility (`ccoctl`) to create an {aws-short} IAM role for the {aws-short} Load Balancer Operator. An {aws-short} IAM role interacts with subnets and Virtual Private Clouds (VPCs).
[role="_abstract"]
To enable the {aws-short} Load Balancer Operator to interact with subnets and VPCs, create an {aws-short} IAM role by using the Cloud Credential Operator utility (`ccoctl`). By doing this task, you can generate the necessary credentials for the operator to function correctly within the cluster environment.

.Prerequisites

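Review bot: `for the operator to function correctly` uses lowercase `operator` while the rest of the module and the title capitalize `Operator`; and `By doing this task, you can generate the necessary credentials ... within the cluster environment` is wordy. Since the example output in the next hunk shows `ccoctl` writing a credentials configuration manifest, a tighter second sentence would be `The utility also generates the credentials configuration that the Operator needs.`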
@@ -35,11 +36,14 @@ $ ccoctl aws create-iam-roles \
.Example output
[source,terminal]
----
2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator created <1>
2023/09/12 11:38:57 Role arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator created
2023/09/12 11:38:57 Saved credentials configuration to: /home/user/<credentials_requests_dir>/manifests/aws-load-balancer-operator-aws-load-balancer-operator-credentials.yaml
2023/09/12 11:38:58 Updated Role policy for Role <name>-aws-load-balancer-operator-aws-load-balancer-operator created
----
<1> Note the Amazon Resource Name (ARN) of an {aws-short} IAM role that was created for the {aws-short} Load Balancer Operator, such as `arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator`.
+
where:
+
`<name>`:: Specifies the Amazon Resource Name (ARN) for an {aws-short} IAM role that was created for the {aws-short} Load Balancer Operator, such as `arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator`.
+
[NOTE]
====

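Review bot: same `<name>`:: issue as in the controller module: the term is the name prefix passed to `ccoctl aws create-iam-roles`, not the ARN, and the `Note the ARN ...` instruction from the removed callout should survive as a sentence after the output. Here the ARN matters because it is the value that goes into the `ROLEARN` environment variable (`<albo_role_arn>`) in the ARN-configuration step of this commit.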
@@ -6,12 +6,12 @@ include::_attributes/common-attributes.adoc[]

toc::[]

You can install the {aws-first} Load Balancer Operator on a cluster that uses the {sts-first}. Follow these steps to prepare your cluster before installing the Operator.
[role="_abstract"]
To install the {aws-first} Load Balancer Operator on a cluster that uses the {sts-first}, prepare the cluster by configuring the `CredentialsRequest` object. This ensures the Operator can bootstrap the {aws-short} Load Balancer Controller and access the required secrets.

The {aws-short} Load Balancer Operator relies on the `CredentialsRequest` object to bootstrap the Operator and the {aws-short} Load Balancer Controller. The {aws-short} Load Balancer Operator waits until the required secrets are created and available.
The {aws-short} Load Balancer Operator waits until the required secrets are created and available.

[id="{context}_prerequisites"]
== Prerequisites
Before you start any {sts-first} procedures, ensure that you meet the following prerequisites:

* You installed the {oc-first}.

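Review bot: `{sts-first}` is expanded twice in a row, first in the new abstract and again in the retained `Before you start any {sts-first} procedures`; the second mention should be `{sts-short}`. The abstract's `access the required secrets` also reads as if the Operator needs access granted to it, whereas the retained sentence says the Operator waits until the secrets produced from the `CredentialsRequest` exist; `and obtain the credentials secrets it needs` would match that.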
@@ -26,23 +26,22 @@ $ oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}"
+
[source,terminal]
----
$ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}" <1>
$ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}"
----
<1> An OIDC DNS example is `\https://rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.
+
where:
+
`{.spec.serviceAccountIssuer}`:: Specifies an OIDC DNS URL. An example URL is `\https://rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`.

* You logged into the {aws-short} Web Console, navigated to *IAM* -> *Access management* -> *Identity providers*, and located the OIDC Amazon Resource Name (ARN) information. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`.
* You logged into the {aws-short} management console, navigated to *IAM* -> *Access management* -> *Identity providers*, and located the OIDC Amazon Resource Name (ARN) information. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`.

[id="creating-iam-role-albo-operator_{context}"]
== Creating an IAM role for the AWS Load Balancer Operator
[role="_additional-resources"]
.Additional resources

An additional {aws-first} Identity and Access Management (IAM) role is required to successfully install the {aws-short} Load Balancer Operator on a cluster that uses {sts-short}. The IAM role is required to interact with subnets and Virtual Private Clouds (VPCs). The {aws-short} Load Balancer Operator generates the `CredentialsRequest` object with the IAM role to bootstrap itself.
* xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-configuring_installing-aws-customizations[the Cloud Credential Operator utility (`ccoctl`)]

You can create the IAM role by using the following options:

* Using xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-configuring_installing-aws-customizations[the Cloud Credential Operator utility (`ccoctl`)] and a predefined `CredentialsRequest` object.
* Using the {aws-short} CLI and predefined {aws-short} manifests.

Use the {aws-short} CLI if your environment does not support the `ccoctl` command.
// The IAM role for the AWS Load Balancer Operator
include::modules/the-iam-role-albo-operator.adoc[leveloffset=+1]

// Creating an AWS IAM role by using the Cloud Credential Operator utility
include::modules/using-ccoctl-create-iam-role-alb-operator.adoc[leveloffset=+2]
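Review bot: the section `== Creating an IAM role for the AWS Load Balancer Operator` is left with only an `.Additional resources` block as its body, and the concept text that used to introduce it now lives in `modules/the-iam-role-albo-operator.adoc`, which is included with `leveloffset=+1`. A module whose title is `=` included at `+1` renders as `==`, the same level as this section heading, so the module becomes a sibling section and the `==` section stays empty. Use `leveloffset=+2` for the concept include (the procedure modules below it are already at `+2`, so all three would then sit under the section), and place the `.Additional resources` block after the includes rather than directly under the heading.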
@@ -53,17 +52,13 @@ include::modules/using-aws-cli-create-iam-role-alb-operator.adoc[leveloffset=+2]
// Configuring the ARN role for the AWS Load Balancer Operator
include::modules/specifying-role-arn-albo-sts.adoc[leveloffset=+1]

[id="creating-iam-role-albo-controller_{context}"]
== Creating an IAM role for the AWS Load Balancer Controller
// The IAM role for the AWS Load Balancer Controller
include::modules/the-iam-role-albo-controller.adoc[leveloffset=+1]

The `CredentialsRequest` object for the {aws-short} Load Balancer Controller must be set with a manually provisioned IAM role.
[role="_additional-resources"]
.Additional resources

You can create the IAM role by using the following options:

* Using xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-configuring_installing-aws-customizations[the Cloud Credential Operator utility (`ccoctl`)] and a predefined `CredentialsRequest` object.
* Using the {aws-short} CLI and predefined {aws-short} manifests.

Use the {aws-short} CLI if your environment does not support the `ccoctl` command.
* xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-configuring_installing-aws-customizations[the Cloud Credential Operator utility (`ccoctl`)]

// Creating an AWS IAM role for the controller by using the Cloud Credential Operator utility
include::modules/using-ccoctl-create-iam-role-alb-controller.adoc[leveloffset=+2]
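Review bot: same `leveloffset` concern as the Operator section: `include::modules/the-iam-role-albo-controller.adoc[leveloffset=+1]` directly under `== Creating an IAM role for the AWS Load Balancer Controller` renders the module title at the same level as the section heading; use `+2`. The `.Additional resources` block now sits between the concept include and the `ccoctl` procedure include, so it attaches to the included concept section rather than to the `==` section, and its xref is the same link that the new `== Additional resources` section at the end of the assembly adds again; keep the link in one place.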
@@ -72,5 +67,7 @@ include::modules/using-ccoctl-create-iam-role-alb-controller.adoc[leveloffset=+2
include::modules/using-aws-cli-create-iam-role-alb-controller.adoc[leveloffset=+2]

[role="_additional-resources"]
[id="additional-resources-albo-sts-cluster_{context}"]
== Additional resources

* xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-configuring_installing-aws-customizations[Configuring the Cloud Credential Operator utility]

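Review bot: the new `== Additional resources` section repeats the `cco-ccoctl-configuring_installing-aws-customizations` xref that the two in-section `.Additional resources` blocks earlier in this assembly already carry, under a third link text (`Configuring the Cloud Credential Operator utility` versus `the Cloud Credential Operator utility (`ccoctl`)`). Keep one location for the link and one link text, preferably the one that matches the target's title.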
@@ -6,7 +6,8 @@ include::_attributes/common-attributes.adoc[]

toc::[]

The AWS Load Balancer Operator deploys and manages the AWS Load Balancer Controller. You can install the AWS Load Balancer Operator from the software catalog by using {product-title} web console or CLI.
[role="_abstract"]
To deploy and manage the AWS Load Balancer Controller, install the AWS Load Balancer Operator from the software catalog by using the {product-title} web console or CLI. You can use the Operator to integrate AWS load balancers directly into your cluster infrastructure.

include::modules/nw-aws-load-balancer-operator-considerations.adoc[leveloffset=+1]


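Review bot: the removed first sentence, `The AWS Load Balancer Operator deploys and manages the AWS Load Balancer Controller`, stated the relationship between the two components more plainly than the new abstract's purpose clause does, and the added closing sentence `You can use the Operator to integrate AWS load balancers directly into your cluster infrastructure` adds no information; consider keeping the original first sentence as the abstract's opening and dropping the filler. Also `by using the {product-title} web console or CLI` reads better as `web console or the CLI`.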