diff --git a/installing/installing_aws/installing-aws-china.adoc b/installing/installing_aws/installing-aws-china.adoc index b941fb3e5e..af2857959a 100644 --- a/installing/installing_aws/installing-aws-china.adoc +++ b/installing/installing_aws/installing-aws-china.adoc 
@@ -40,39 +40,6 @@ include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-china.adoc#cco-ccoctl-creating-at-once_installing-aws-china-region[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-china.adoc#cco-ccoctl-creating-individually_installing-aws-china-region[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing-manual.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -94,21 +61,49 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-applying-aws-security-groups.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-china.adoc#cco-ccoctl-install-creating-manifests_installing-aws-china-region[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-china.adoc#manually-create-iam_installing-aws-china-region[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-china.adoc#manually-create-iam_installing-aws-china-region[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-china.adoc#installing-aws-with-short-term-creds_installing-aws-china-region[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-china.adoc#cco-ccoctl-creating-at-once_installing-aws-china-region[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-china.adoc#cco-ccoctl-creating-individually_installing-aws-china-region[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-customizations.adoc b/installing/installing_aws/installing-aws-customizations.adoc index 83daa2366e..2011773361 100644 --- a/installing/installing_aws/installing-aws-customizations.adoc +++ b/installing/installing_aws/installing-aws-customizations.adoc 
@@ -37,39 +37,6 @@ include::modules/installation-aws-marketplace-subscribe.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-customizations.adoc#cco-ccoctl-creating-at-once_installing-aws-customizations[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-customizations.adoc#cco-ccoctl-creating-individually_installing-aws-customizations[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -91,21 +58,49 @@ include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-customizations.adoc#cco-ccoctl-install-creating-manifests_installing-aws-customizations[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-customizations.adoc#cco-ccoctl-creating-at-once_installing-aws-customizations[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-customizations.adoc#cco-ccoctl-creating-individually_installing-aws-customizations[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-government-region.adoc b/installing/installing_aws/installing-aws-government-region.adoc index b6e319ecbc..11bdcbb9fb 100644 --- a/installing/installing_aws/installing-aws-government-region.adoc +++ b/installing/installing_aws/installing-aws-government-region.adoc 
@@ -41,39 +41,6 @@ include::modules/installation-aws-marketplace-subscribe.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-government-region.adoc#cco-ccoctl-creating-at-once_installing-aws-government-region[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-government-region.adoc#cco-ccoctl-creating-individually_installing-aws-government-region[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing-manual.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -95,21 +62,49 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-applying-aws-security-groups.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-government-region.adoc#cco-ccoctl-install-creating-manifests_installing-aws-government-region[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-government-region.adoc#manually-create-iam_installing-aws-government-region[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-government-region.adoc#manually-create-iam_installing-aws-government-region[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-with-short-term-creds_installing-aws-government-region[Incorporating the Cloud Credential Operator utility manifests]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-government-region.adoc#cco-ccoctl-creating-at-once_installing-aws-government-region[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-government-region.adoc#cco-ccoctl-creating-individually_installing-aws-government-region[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-network-customizations.adoc b/installing/installing_aws/installing-aws-network-customizations.adoc index 27ce84b3ae..40ed1e87a3 100644 --- a/installing/installing_aws/installing-aws-network-customizations.adoc +++ b/installing/installing_aws/installing-aws-network-customizations.adoc 
@@ -36,39 +36,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#cco-ccoctl-creating-at-once_installing-aws-network-customizations[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#cco-ccoctl-creating-individually_installing-aws-network-customizations[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/nw-network-config.adoc[leveloffset=+1] include::modules/installation-initializing.adoc[leveloffset=+1] 
@@ -91,21 +58,49 @@ include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#cco-ccoctl-install-creating-manifests_installing-aws-network-customizations[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#manually-create-iam_installing-aws-network-customizations[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#manually-create-iam_installing-aws-network-customizations[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-network-customizations[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#cco-ccoctl-creating-at-once_installing-aws-network-customizations[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#cco-ccoctl-creating-individually_installing-aws-network-customizations[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + // Network Operator specific configuration include::modules/nw-operator-cr.adoc[leveloffset=+1] include::modules/nw-modifying-operator-install-config.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-outposts-remote-workers.adoc b/installing/installing_aws/installing-aws-outposts-remote-workers.adoc index 34f0418145..7fb7ab1ef0 100644 --- a/installing/installing_aws/installing-aws-outposts-remote-workers.adoc +++ b/installing/installing_aws/installing-aws-outposts-remote-workers.adoc 
@@ -41,39 +41,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#cco-ccoctl-creating-at-once_installing-aws-outposts-remote-workers[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#cco-ccoctl-creating-individually_installing-aws-outposts-remote-workers[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -94,21 +61,49 @@ include::modules/installation-applying-aws-security-groups.adoc[leveloffset=+2] include::modules/installation-aws-editing-manifests.adoc[leveloffset=+1] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#cco-ccoctl-install-creating-manifests_installing-aws-outposts-remote-workers[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#manually-create-iam_installing-aws-outposts-remote-workers[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#manually-create-iam_installing-aws-outposts-remote-workers[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#installing-aws-with-short-term-creds_installing-aws-outposts-remote-workers[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#cco-ccoctl-creating-at-once_installing-aws-outposts-remote-workers[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#cco-ccoctl-creating-individually_installing-aws-outposts-remote-workers[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-private.adoc b/installing/installing_aws/installing-aws-private.adoc index 803074e6d5..76705a4ef3 100644 --- a/installing/installing_aws/installing-aws-private.adoc +++ b/installing/installing_aws/installing-aws-private.adoc 
@@ -34,39 +34,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-private.adoc#cco-ccoctl-creating-at-once_installing-aws-private[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-private.adoc#cco-ccoctl-creating-individually_installing-aws-private[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing-manual.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -89,21 +56,49 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-applying-aws-security-groups.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-private.adoc#cco-ccoctl-install-creating-manifests_installing-aws-private[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-private.adoc#manually-create-iam_installing-aws-private[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-private.adoc#manually-create-iam_installing-aws-private[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-private.adoc#installing-aws-with-short-term-creds_installing-aws-private[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-private.adoc#cco-ccoctl-creating-at-once_installing-aws-private[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-private.adoc#cco-ccoctl-creating-individually_installing-aws-private[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-secret-region.adoc b/installing/installing_aws/installing-aws-secret-region.adoc index 8c7ce6b28a..926609adc0 100644 --- a/installing/installing_aws/installing-aws-secret-region.adoc +++ b/installing/installing_aws/installing-aws-secret-region.adoc 
@@ -44,39 +44,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-secret-region.adoc#cco-ccoctl-creating-at-once_installing-aws-secret-region[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-secret-region.adoc#cco-ccoctl-creating-individually_installing-aws-secret-region[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing-manual.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -88,21 +55,49 @@ include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-applying-aws-security-groups.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-secret-region.adoc#cco-ccoctl-install-creating-manifests_installing-aws-secret-region[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-secret-region.adoc#manually-create-iam_installing-aws-secret-region[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-secret-region.adoc#manually-create-iam_installing-aws-secret-region[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-secret-region.adoc#installing-aws-with-short-term-creds_installing-aws-secret-region[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-secret-region.adoc#cco-ccoctl-creating-at-once_installing-aws-secret-region[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-secret-region.adoc#cco-ccoctl-creating-individually_installing-aws-secret-region[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-vpc.adoc b/installing/installing_aws/installing-aws-vpc.adoc index 8441990cf5..fbea0d3286 100644 --- a/installing/installing_aws/installing-aws-vpc.adoc +++ b/installing/installing_aws/installing-aws-vpc.adoc 
@@ -32,39 +32,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-vpc.adoc#cco-ccoctl-creating-at-once_installing-aws-vpc[Creating AWS resources with a single command]. - -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. 
See xref:../../installing/installing_aws/installing-aws-vpc.adoc#cco-ccoctl-creating-individually_installing-aws-vpc[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -87,21 +54,49 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-applying-aws-security-groups.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-vpc.adoc#cco-ccoctl-install-creating-manifests_installing-aws-vpc[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-vpc.adoc#manually-create-iam_installing-aws-vpc[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-vpc.adoc#manually-create-iam_installing-aws-vpc[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-aws-vpc.adoc#installing-aws-with-short-term-creds_installing-aws-vpc[Configuring an AWS cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-vpc.adoc#cco-ccoctl-creating-at-once_installing-aws-vpc[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-vpc.adoc#cco-ccoctl-creating-individually_installing-aws-vpc[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc b/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc index e1c462bac1..59c02c75c0 100644 --- a/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc +++ b/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc 
@@ -44,39 +44,6 @@ include::modules/cluster-entitlements.adoc[leveloffset=+1] include::modules/ssh-agent-using.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring an AWS cluster to use short-term credentials -[id="installing-aws-with-short-term-creds_{context}"] -== Optional: Configuring an AWS cluster to use short-term credentials - -To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. - -[NOTE] -==== -To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. -==== - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required AWS resources -[id="sts-mode-create-aws-resources-ccoctl_{context}"] -=== Creating AWS resources with the Cloud Credential Operator utility - -You have the following options when creating AWS resources: - -* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-at-once_installing-restricted-networks-aws-installer-provisioned[Creating AWS resources with a single command]. 
- -* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-individually_installing-restricted-networks-aws-installer-provisioned[Creating AWS resources individually]. - -//Task part 2a: Creating the required AWS resources all at once -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] - -//Task part 2b: Creating the required AWS resources individually -include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -94,21 +61,49 @@ include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-aws-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in See xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-install-creating-manifests_installing-restricted-networks-aws-installer-provisioned[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-aws-installer-provisioned[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in See xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-aws-installer-provisioned[Manually creating long-term credentials]. 
+* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-aws-with-short-term-creds_installing-restricted-networks-aws-installer-provisioned[Configuring an AWS cluster to use short-term credentials]. -// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +=== Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +==== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-at-once_installing-restricted-networks-aws-installer-provisioned[Creating AWS resources with a single command]. 
+ +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-individually_installing-restricted-networks-aws-installer-provisioned[Creating AWS resources individually]. + +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-gcp-customizations.adoc b/installing/installing_gcp/installing-gcp-customizations.adoc index 60d50ded18..91a6f3e7b4 100644 --- a/installing/installing_gcp/installing-gcp-customizations.adoc +++ b/installing/installing_gcp/installing-gcp-customizations.adoc 
@@ -25,21 +25,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring a GCP cluster to use short-term credentials -[id="installing-gcp-with-short-term-creds_{context}"] -== Optional: Configuring a GCP cluster to use short-term credentials - -To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required GCP resources -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] - include::modules/installing-gcp-user-defined-labels-and-tags.adoc[leveloffset=+1] //Configuring user-defined labels and tags for GCP @@ -48,7 +33,6 @@ include::modules/installing-gcp-cluster-creation.adoc[leveloffset=+2] //Querying user-defined labels and tags for GCP include::modules/installing-gcp-querying-labels-tags-gcp.adoc[leveloffset=+2] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -81,21 +65,36 @@ include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-gcp-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#cco-ccoctl-install-creating-manifests_installing-gcp-customizations[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a GCP cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring a GCP cluster to use short-term credentials +[id="installing-gcp-with-short-term-creds_{context}"] +=== Configuring a GCP cluster to use short-term credentials + +To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required GCP resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-gcp-marketplace.adoc[leveloffset=+1] include::modules/installation-launching-installer.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-gcp-network-customizations.adoc b/installing/installing_gcp/installing-gcp-network-customizations.adoc index 2dba296390..77d58b5671 100644 --- a/installing/installing_gcp/installing-gcp-network-customizations.adoc +++ b/installing/installing_gcp/installing-gcp-network-customizations.adoc 
@@ -31,21 +31,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring a GCP cluster to use short-term credentials -[id="installing-gcp-with-short-term-creds_{context}"] -== Optional: Configuring a GCP cluster to use short-term credentials - -To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required GCP resources -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -78,21 +63,36 @@ include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-gcp-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-network-customizations.adoc#cco-ccoctl-install-creating-manifests_installing-gcp-network-customizations[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-network-customizations.adoc#manually-create-iam_installing-gcp-network-customizations[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-network-customizations.adoc#manually-create-iam_installing-gcp-network-customizations[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-gcp-network-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-network-customizations[Configuring a GCP cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring a GCP cluster to use short-term credentials +[id="installing-gcp-with-short-term-creds_{context}"] +=== Configuring a GCP cluster to use short-term credentials + +To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required GCP resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + // Network Operator specific configuration include::modules/nw-network-config.adoc[leveloffset=+1] include::modules/nw-modifying-operator-install-config.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-gcp-private.adoc b/installing/installing_gcp/installing-gcp-private.adoc index aba73bdb3f..5edf9bb23e 100644 --- a/installing/installing_gcp/installing-gcp-private.adoc +++ b/installing/installing_gcp/installing-gcp-private.adoc 
@@ -28,21 +28,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring a GCP cluster to use short-term credentials -[id="installing-gcp-with-short-term-creds_{context}"] -== Optional: Configuring a GCP cluster to use short-term credentials - -To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required GCP resources -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] - include::modules/installation-initializing-manual.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -78,21 +63,36 @@ include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset= include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-gcp-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-private.adoc#cco-ccoctl-install-creating-manifests_installing-gcp-private[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-private.adoc#manually-create-iam_installing-gcp-private[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-private.adoc#manually-create-iam_installing-gcp-private[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-with-short-term-creds_installing-gcp-private[Configuring a GCP cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring a GCP cluster to use short-term credentials +[id="installing-gcp-with-short-term-creds_{context}"] +=== Configuring a GCP cluster to use short-term credentials + +To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required GCP resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-gcp-shared-vpc.adoc b/installing/installing_gcp/installing-gcp-shared-vpc.adoc index 2336428c71..7868edffab 100644 --- a/installing/installing_gcp/installing-gcp-shared-vpc.adoc +++ b/installing/installing_gcp/installing-gcp-shared-vpc.adoc 
@@ -27,21 +27,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring a GCP cluster to use short-term credentials -[id="installing-gcp-with-short-term-creds_{context}"] -== Optional: Configuring a GCP cluster to use short-term credentials - -To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required GCP resources -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] - include::modules/installation-user-infra-generate.adoc[leveloffset=+1] include::modules/installation-initializing-manual.adoc[leveloffset=+2] 
@@ -58,21 +43,36 @@ include::modules/installation-gcp-shared-vpc-config.adoc[leveloffset=+2] include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-gcp-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-shared-vpc.adoc#cco-ccoctl-install-creating-manifests_installing-gcp-shared-vpc[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-shared-vpc.adoc#manually-create-iam_installing-gcp-shared-vpc[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-shared-vpc.adoc#manually-create-iam_installing-gcp-shared-vpc[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-gcp-shared-vpc.adoc#installing-gcp-with-short-term-creds_installing-gcp-shared-vpc[Configuring a GCP cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring a GCP cluster to use short-term credentials +[id="installing-gcp-with-short-term-creds_{context}"] +=== Configuring a GCP cluster to use short-term credentials + +To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required GCP resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-gcp-vpc.adoc b/installing/installing_gcp/installing-gcp-vpc.adoc index a4502668df..d59bb53178 100644 --- a/installing/installing_gcp/installing-gcp-vpc.adoc +++ b/installing/installing_gcp/installing-gcp-vpc.adoc 
@@ -24,21 +24,6 @@ include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring a GCP cluster to use short-term credentials -[id="installing-gcp-with-short-term-creds_{context}"] -== Optional: Configuring a GCP cluster to use short-term credentials - -To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required GCP resources -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -74,21 +59,36 @@ include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset= include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-gcp-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-vpc.adoc#cco-ccoctl-install-creating-manifests_installing-gcp-vpc[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-vpc.adoc#manually-create-iam_installing-gcp-vpc[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-gcp-vpc.adoc#manually-create-iam_installing-gcp-vpc[Manually creating long-term credentials]. +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-gcp-vpc.adoc#installing-gcp-with-short-term-creds_installing-gcp-vpc[Configuring a GCP cluster to use short-term credentials]. 
-// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring a GCP cluster to use short-term credentials +[id="installing-gcp-with-short-term-creds_{context}"] +=== Configuring a GCP cluster to use short-term credentials + +To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required GCP resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc b/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc index 315877097e..c5d66766df 100644 --- a/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc +++ b/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc 
@@ -36,21 +36,6 @@ include::modules/cluster-entitlements.adoc[leveloffset=+1] include::modules/ssh-agent-using.adoc[leveloffset=+1] -//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` -include::modules/cli-installing-cli.adoc[leveloffset=+1] - -//Supertask: Configuring a GCP cluster to use short-term credentials -[id="installing-gcp-with-short-term-creds_{context}"] -== Optional: Configuring a GCP cluster to use short-term credentials - -To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. - -//Task part 1: Configuring the Cloud Credential Operator utility -include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] - -//Task part 2: Creating the required GCP resources -include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] - include::modules/installation-initializing.adoc[leveloffset=+1] [role="_additional-resources"] 
@@ -80,21 +65,36 @@ include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset= include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + [id="installing-gcp-manual-modes_{context}"] == Alternatives to storing administrator-level secrets in the kube-system project By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: -* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#cco-ccoctl-install-creating-manifests_installing-restricted-networks-gcp-installer-provisioned[Incorporating the Cloud Credential Operator utility manifests]. +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-gcp-installer-provisioned[Manually creating long-term credentials]. -* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-gcp-installer-provisioned[Manually creating long-term credentials]. 
+* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-gcp-with-short-term-creds_installing-restricted-networks-gcp-installer-provisioned[Configuring a GCP cluster to use short-term credentials]. -// Additional steps for the Cloud Credential Operator utility (`ccoctl`) -include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] - -//Manually creating IAM +//Manually creating long-term credentials include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//Supertask: Configuring a GCP cluster to use short-term credentials +[id="installing-gcp-with-short-term-creds_{context}"] +=== Configuring a GCP cluster to use short-term credentials + +To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required GCP resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 3: Incorporating the Cloud Credential Operator utility manifests +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + include::modules/installation-launching-installer.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/modules/cco-ccoctl-install-verifying.adoc b/modules/cco-ccoctl-install-verifying.adoc index d5655307e4..1226e3d410 100644 --- a/modules/cco-ccoctl-install-verifying.adoc +++ b/modules/cco-ccoctl-install-verifying.adoc 
@@ -10,7 +10,7 @@ You can verify that your cluster is using short-term security credentials for in .Prerequisites -* You deployed an {product-title} cluster using the Cloud Credential Operator utility (`ccoctl`). +* You deployed an {product-title} cluster using the Cloud Credential Operator utility (`ccoctl`) to implement short-term credentials. * You installed the {oc-first}. @@ -26,9 +26,31 @@ You can verify that your cluster is using short-term security credentials for in $ oc get secrets -n kube-system ---- + -where `` is `aws-creds` for AWS or `gcp-credentials` for GCP. +where `` is the name of the root secret for your cloud provider. + -An error confirms that the root secret is not present on the cluster. +[cols=2,options=header] +|=== +|Platform +|Secret name + +|AWS +|`aws-creds` + +|Azure +|`azure-credentials` + +|GCP +|`gcp-credentials` + +|=== ++ +An error confirms that the root secret is not present on the cluster. The following example shows the expected output from an AWS cluster: ++ +.Example output +[source,text] +---- +Error from server (NotFound): secrets "aws-creds" not found +---- . Verify that the components are using short-term security credentials for individual components by running the following command: +
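Review bot: In the installing-aws-china.adoc hunk, the added "Creating AWS resources individually" bullet links to `installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-individually_installing-restricted-networks-aws-installer-provisioned`, which sends readers of the China-region assembly to a different installation flow. This assembly includes `modules/cco-ccoctl-creating-individually.adoc` itself a few lines later, and the sibling "single command" xref in the removed block used the `_installing-aws-china-region` context. Point the new xref at this file's own anchor with that context so the reader stays in the China-region procedure.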
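Review bot: In each GCP assembly, the relocated `include::modules/cli-installing-cli.adoc[leveloffset=+1]` keeps the comment "Moved up to precede `ccoctl` steps, which require the use of `oc`", but this change moves the include down, to just before the "Alternatives to storing administrator-level secrets in the kube-system project" section. The ordering constraint still holds because the `ccoctl` modules now follow under `=== Configuring a GCP cluster to use short-term credentials`, so only the comment is stale. Reword it to state the constraint without a direction, for example "Must precede the `ccoctl` steps, which require the use of `oc`", so a later edit does not reorder the include based on a misleading note.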
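Review bot: In the cco-ccoctl-install-verifying.adoc hunk, the rewritten sentence "An error confirms that the root secret is not present on the cluster" still treats any error as proof, while the added example shows that the confirming result is specifically `Error from server (NotFound)`. A permissions or connectivity failure also returns an error and would leave a long-lived root secret undetected in `kube-system`. Say that a `NotFound` error confirms the secret is absent, and that the secret name in the message matches the table entry for the platform, since the example covers only AWS while the table now lists AWS, Azure and GCP.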