diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 4dff9f882d..7a7827c689 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -199,8 +199,6 @@ Topics: File: preparing-to-install-on-azure - Name: Configuring an Azure account File: installing-azure-account - - Name: Manually creating long-term credentials for Azure - File: manually-creating-iam-azure - Name: Enabling user-managed encryption on Azure File: enabling-user-managed-encryption-azure - Name: Installing a cluster quickly on Azure diff --git a/installing/installing_azure/manually-creating-iam-azure.adoc b/_unused_topics/manually-creating-iam-azure.adoc similarity index 100% rename from installing/installing_azure/manually-creating-iam-azure.adoc rename to _unused_topics/manually-creating-iam-azure.adoc diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc index d5b1c69a62..92d88bd843 100644 --- a/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc +++ b/authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc 
@@ -28,7 +28,7 @@ An AWS, global Azure, or GCP cluster that uses manual mode might be configured t * xref:../../installing/installing_alibaba/manually-creating-alibaba-ram.adoc#manually-creating-alibaba-ram[Manually creating RAM resources for Alibaba Cloud] * xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials for AWS] -* xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Manually creating long-term credentials for Azure] +* xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Manually creating long-term credentials for Azure] * xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for GCP] * xref:../../installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc#configuring-iam-ibm-cloud[Configuring IAM for IBM Cloud] * xref:../../installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc#manually-create-iam-nutanix_installing-nutanix-installer-provisioned[Configuring IAM for Nutanix] diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc index 959776f962..140df1c142 100644 --- a/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc +++ b/authentication/managing_cloud_provider_credentials/cco-mode-passthrough.adoc 
@@ -29,7 +29,7 @@ To locate the `CredentialsRequest` CRs that are required, see xref:../../install === Microsoft Azure permissions The credential you provide for passthrough mode in Azure must have all the requested permissions for all `CredentialsRequest` CRs that are required by the version of {product-title} you are running or installing. -To locate the `CredentialsRequest` CRs that are required, see xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Manually creating long-term credentials for Azure]. +To locate the `CredentialsRequest` CRs that are required, see xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Manually creating long-term credentials for Azure]. [id="passthrough-mode-permissions-gcp"] === Google Cloud Platform (GCP) permissions 
@@ -81,7 +81,7 @@ include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1] [id="passthrough-mode-maintenance"] == Passthrough mode credential maintenance -If `CredentialsRequest` CRs change over time as the cluster is upgraded, you must manually update the passthrough mode credential to meet the requirements. To avoid credentials issues during an upgrade, check the `CredentialsRequest` CRs in the release image for the new version of {product-title} before upgrading. To locate the `CredentialsRequest` CRs that are required for your cloud provider, see _Manually creating long-term credentials_ for xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[GCP]. +If `CredentialsRequest` CRs change over time as the cluster is upgraded, you must manually update the passthrough mode credential to meet the requirements. To avoid credentials issues during an upgrade, check the `CredentialsRequest` CRs in the release image for the new version of {product-title} before upgrading. To locate the `CredentialsRequest` CRs that are required for your cloud provider, see _Manually creating long-term credentials_ for xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[AWS], xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Azure], or xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[GCP]. //Rotating cloud provider credentials manually include::modules/manually-rotating-cloud-creds.adoc[leveloffset=+2] 
@@ -96,11 +96,11 @@ When using passthrough mode, each component has the same permissions used by all After installation, you can reduce the permissions on your credential to only those that are required to run the cluster, as defined by the `CredentialsRequest` CRs in the release image for the version of {product-title} that you are using. -To locate the `CredentialsRequest` CRs that are required for AWS, Azure, or GCP and learn how to change the permissions the CCO uses, see _Manually creating long-term credentials_ for xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[GCP]. +To locate the `CredentialsRequest` CRs that are required for AWS, Azure, or GCP and learn how to change the permissions the CCO uses, see _Manually creating long-term credentials_ for xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[AWS], xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Azure], or xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[GCP]. 
[role="_additional-resources"] == Additional resources * xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials for AWS] -* xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Manually creating long-term credentials for Azure] +* xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Manually creating long-term credentials for Azure] * xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for GCP] diff --git a/authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc b/authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc index 8044866c69..54e9491aa1 100644 --- a/authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc +++ b/authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc @@ -84,7 +84,7 @@ In manual mode with Azure AD Workload Identity, the individual {product-title} c [role="_additional-resources"] .Additional resources -//* xr\ef:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials] +* xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials] //Azure AD Workload Identity authentication process (placeholder) //include::modules/cco-short-term-creds-auth-flow-azure.adoc[leveloffset=+2] 
@@ -101,5 +101,5 @@ include::modules/cco-short-term-creds-component-permissions-azure.adoc[leveloffs * xref:../../installing/installing_aws/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an AWS cluster to use short-term credentials] * xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a GCP cluster to use short-term credentials] -//* xr\ef:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials] +* xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring a global Microsoft Azure cluster to use short-term credentials] * xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#preparing-manual-creds-update[Preparing to update a cluster with manually maintained credentials] \ No newline at end of file diff --git a/installing/installing_azure/installing-azure-account.adoc b/installing/installing_azure/installing-azure-account.adoc index 037ea38f24..80838f587b 100644 --- a/installing/installing_azure/installing-azure-account.adoc +++ b/installing/installing_azure/installing-azure-account.adoc 
@@ -39,7 +39,7 @@ include::modules/installation-creating-azure-service-principal.adoc[leveloffset= [role="_additional-resources"] .Additional resources -* For more information about CCO modes, see xref:../../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator-modes[About the Cloud Credential Operator]. +* xref:../../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator-modes[About the Cloud Credential Operator] include::modules/installation-azure-marketplace.adoc[leveloffset=+1] diff --git a/installing/installing_azure/installing-azure-customizations.adoc b/installing/installing_azure/installing-azure-customizations.adoc index e94ffde046..3e09eb5169 100644 --- a/installing/installing_azure/installing-azure-customizations.adoc +++ b/installing/installing_azure/installing-azure-customizations.adoc 
@@ -18,7 +18,6 @@ parameters in the `install-config.yaml` file before you install the cluster. * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to. * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. * If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption]. include::modules/cluster-entitlements.adoc[leveloffset=+1] 
@@ -59,10 +58,38 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] * For more details about Accelerated Networking, see xref:../../machine_management/creating_machinesets/creating-machineset-azure.adoc#machineset-azure-accelerated-networking_creating-machineset-azure[Accelerated Networking for Microsoft Azure VMs]. -include::modules/installation-launching-installer.adoc[leveloffset=+1] - +//Installing the OpenShift CLI by downloading the binary: Moved up to precede manual cred (short and long) steps, which require the use of `oc` include::modules/cli-installing-cli.adoc[leveloffset=+1] +[id="installing-azure-manual-modes_{context}"] +== Alternatives to storing administrator-level secrets in the kube-system project + +By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: + +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Manually creating long-term credentials]. + +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-customizations[Configuring an Azure cluster to use short-term credentials]. 
+ +//Manually creating long-term credentials +include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] + +//Supertask: Configuring an Azure cluster to use short-term credentials +[id="installing-azure-with-short-term-creds_{context}"] +=== Configuring an Azure cluster to use short-term credentials + +To install a cluster that uses Azure AD Workload Identity, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required Azure resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +// Additional steps for the Cloud Credential Operator utility (`ccoctl`) +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] + include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] [role="_additional-resources"] diff --git a/installing/installing_azure/installing-azure-government-region.adoc b/installing/installing_azure/installing-azure-government-region.adoc index f15b8b114b..6a641e6c95 100644 --- a/installing/installing_azure/installing-azure-government-region.adoc +++ b/installing/installing_azure/installing-azure-government-region.adoc 
@@ -17,7 +17,7 @@ cluster. * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated government region to deploy the cluster to. * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[manually create and maintain long-term credentials]. * If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption]. include::modules/installation-azure-about-government-region.adoc[leveloffset=+1] diff --git a/installing/installing_azure/installing-azure-network-customizations.adoc b/installing/installing_azure/installing-azure-network-customizations.adoc index e8f84f4a41..bc5bdd4ae1 100644 --- a/installing/installing_azure/installing-azure-network-customizations.adoc 
+++ b/installing/installing_azure/installing-azure-network-customizations.adoc @@ -22,7 +22,6 @@ cluster. * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to. * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. Manual mode can also be used in environments where the cloud IAM APIs are not reachable. * If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption]. include::modules/cluster-entitlements.adoc[leveloffset=+1] 
@@ -69,10 +68,38 @@ For more information on using Linux and Windows nodes in the same cluster, see x * For more details about Accelerated Networking, see xref:../../machine_management/creating_machinesets/creating-machineset-azure.adoc#machineset-azure-accelerated-networking_creating-machineset-azure[Accelerated Networking for Microsoft Azure VMs]. -include::modules/installation-launching-installer.adoc[leveloffset=+1] - +//Installing the OpenShift CLI by downloading the binary: Moved up to precede manual cred (short and long) steps, which require the use of `oc` include::modules/cli-installing-cli.adoc[leveloffset=+1] +[id="installing-azure-manual-modes_{context}"] +== Alternatives to storing administrator-level secrets in the kube-system project + +By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: + +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_azure/installing-azure-network-customizations.adoc#manually-create-iam_installing-azure-network-customizations[Manually creating long-term credentials]. + +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_azure/installing-azure-network-customizations.adoc#installing-azure-with-short-term-creds_installing-azure-network-customizations[Configuring an Azure cluster to use short-term credentials]. 
+ +//Manually creating long-term credentials +include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] + +//Supertask: Configuring an Azure cluster to use short-term credentials +[id="installing-azure-with-short-term-creds_{context}"] +=== Configuring an Azure cluster to use short-term credentials + +To install a cluster that uses Azure AD Workload Identity, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required Azure resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +// Additional steps for the Cloud Credential Operator utility (`ccoctl`) +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] + include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] [role="_additional-resources"] diff --git a/installing/installing_azure/installing-azure-private.adoc b/installing/installing_azure/installing-azure-private.adoc index 93cec221b4..fdc64bf492 100644 --- a/installing/installing_azure/installing-azure-private.adoc +++ b/installing/installing_azure/installing-azure-private.adoc 
@@ -14,7 +14,6 @@ In {product-title} version {product-version}, you can install a private cluster * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to. * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. * If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption]. include::modules/private-clusters-default.adoc[leveloffset=+1] 
@@ -57,10 +56,38 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] * For more details about Accelerated Networking, see xref:../../machine_management/creating_machinesets/creating-machineset-azure.adoc#machineset-azure-accelerated-networking_creating-machineset-azure[Accelerated Networking for Microsoft Azure VMs]. -include::modules/installation-launching-installer.adoc[leveloffset=+1] - +//Installing the OpenShift CLI by downloading the binary: Moved up to precede manual cred (short and long) steps, which require the use of `oc` include::modules/cli-installing-cli.adoc[leveloffset=+1] +[id="installing-azure-manual-modes_{context}"] +== Alternatives to storing administrator-level secrets in the kube-system project + +By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: + +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_azure/installing-azure-private.adoc#manually-create-iam_installing-azure-private[Manually creating long-term credentials]. + +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_azure/installing-azure-private.adoc#installing-azure-with-short-term-creds_installing-azure-private[Configuring an Azure cluster to use short-term credentials]. 
+ +//Manually creating long-term credentials +include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] + +//Supertask: Configuring an Azure cluster to use short-term credentials +[id="installing-azure-with-short-term-creds_{context}"] +=== Configuring an Azure cluster to use short-term credentials + +To install a cluster that uses Azure AD Workload Identity, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required Azure resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +// Additional steps for the Cloud Credential Operator utility (`ccoctl`) +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] + include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] [role="_additional-resources"] diff --git a/installing/installing_azure/installing-azure-user-infra.adoc b/installing/installing_azure/installing-azure-user-infra.adoc index 9fce726790..956382f232 100644 --- a/installing/installing_azure/installing-azure-user-infra.adoc +++ b/installing/installing_azure/installing-azure-user-infra.adoc 
@@ -23,7 +23,7 @@ The steps for performing a user-provisioned infrastructure installation are prov * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster. * You downloaded the Azure CLI and installed it on your computer. See link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest[Install the Azure CLI] in the Azure documentation. The documentation below was last tested using version `2.38.0` of the Azure CLI. Azure CLI commands might perform differently based on the version you use. * If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[manually create and maintain long-term credentials]. + [NOTE] ==== diff --git a/installing/installing_azure/installing-azure-vnet.adoc b/installing/installing_azure/installing-azure-vnet.adoc index 0a9eb87e23..8b5a4fc738 100644 --- a/installing/installing_azure/installing-azure-vnet.adoc +++ b/installing/installing_azure/installing-azure-vnet.adoc 
@@ -14,7 +14,6 @@ In {product-title} version {product-version}, you can install a cluster into an * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to. * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. * If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption]. include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1] 
@@ -51,11 +50,37 @@ include::modules/installation-configure-proxy.adoc[leveloffset=+2] * For more details about Accelerated Networking, see xref:../../machine_management/creating_machinesets/creating-machineset-azure.adoc#machineset-azure-accelerated-networking_creating-machineset-azure[Accelerated Networking for Microsoft Azure VMs]. -include::modules/installation-launching-installer.adoc[leveloffset=+1] - +//Installing the OpenShift CLI by downloading the binary: Moved up to precede manual cred (short and long) steps, which require the use of `oc` include::modules/cli-installing-cli.adoc[leveloffset=+1] -include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] +[id="installing-azure-manual-modes_{context}"] +== Alternatives to storing administrator-level secrets in the kube-system project + +By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: + +* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_azure/installing-azure-vnet.adoc#manually-create-iam_installing-azure-vnet[Manually creating long-term credentials]. + +* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_azure/installing-azure-vnet.adoc#installing-azure-with-short-term-creds_installing-azure-vnet[Configuring an Azure cluster to use short-term credentials]. 
+ +//Manually creating long-term credentials +include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] + +//Supertask: Configuring an Azure cluster to use short-term credentials +[id="installing-azure-with-short-term-creds_{context}"] +=== Configuring an Azure cluster to use short-term credentials + +To install a cluster that uses Azure AD Workload Identity, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster. + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3] + +//Task part 2: Creating the required Azure resources +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +// Additional steps for the Cloud Credential Operator utility (`ccoctl`) +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources diff --git a/installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc b/installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc index 3558780816..30659fddc8 100644 --- a/installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc +++ b/installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc 
@@ -29,7 +29,7 @@ Because the installation media is on the mirror host, you can use that computer ** The VNet contains the mirror registry ** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-system namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials]. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[manually create and maintain long-term credentials]. * If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption]. include::modules/installation-about-restricted-network.adoc[leveloffset=+1] diff --git a/installing/installing_azure/preparing-to-install-on-azure.adoc b/installing/installing_azure/preparing-to-install-on-azure.adoc index b22662bdf6..29e53b24cc 100644 --- a/installing/installing_azure/preparing-to-install-on-azure.adoc +++ b/installing/installing_azure/preparing-to-install-on-azure.adoc 
@@ -17,7 +17,7 @@ toc::[] Before installing {product-title} on Microsoft Azure, you must configure an Azure account. See xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[Configuring an Azure account] for details about account configuration, account limits, public DNS zone configuration, required roles, creating service principals, and supported Azure regions. -If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, see xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[Manually creating long-term credentials for Azure] for other options. +If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, see xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-manual-modes_installing-azure-customizations[Alternatives to storing administrator-level secrets in the kube-system project] for other options. [id="choosing-an-method-to-install-ocp-on-azure"] == Choosing a method to install {product-title} on Azure diff --git a/installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc b/installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc index 3141ac26b1..68adfb8caf 100644 --- a/installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc +++ b/installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc 
@@ -83,7 +83,7 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev [role="_additional-resources"] .Additional resources -* xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-create-iam_manually-creating-iam-azure[Manually creating long-term credentials] +* xref:../../installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc#manually-create-iam_installing-azure-stack-hub-default[Manually manage cloud credentials] include::modules/installation-disk-partitioning-upi-templates.adoc[leveloffset=+2] diff --git a/installing/installing_gcp/installing-gcp-user-infra-vpc.adoc b/installing/installing_gcp/installing-gcp-user-infra-vpc.adoc index 6583edac85..92d7bd6e03 100644 --- a/installing/installing_gcp/installing-gcp-user-infra-vpc.adoc +++ b/installing/installing_gcp/installing-gcp-user-infra-vpc.adoc 
@@ -25,7 +25,7 @@ The steps for performing a user-provisioned infrastructure installation are prov * You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[manually create and maintain IAM credentials]. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[manually create and maintain long-term credentials]. + [NOTE] ==== diff --git a/installing/installing_gcp/installing-gcp-user-infra.adoc b/installing/installing_gcp/installing-gcp-user-infra.adoc index 65764bdf6f..d308164063 100644 --- a/installing/installing_gcp/installing-gcp-user-infra.adoc +++ b/installing/installing_gcp/installing-gcp-user-infra.adoc 
@@ -21,7 +21,7 @@ The steps for performing a user-provisioned infrastructure installation are prov * You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. * You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. * If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[manually create and maintain IAM credentials]. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[manually create and maintain long-term credentials]. + [NOTE] ==== diff --git a/installing/installing_gcp/installing-restricted-networks-gcp.adoc b/installing/installing_gcp/installing-restricted-networks-gcp.adoc index dbdd264e89..b40589ada3 100644 --- a/installing/installing_gcp/installing-restricted-networks-gcp.adoc +++ b/installing/installing_gcp/installing-restricted-networks-gcp.adoc 
@@ -32,7 +32,7 @@ The steps for performing a user-provisioned infrastructure installation are prov Because the installation media is on the mirror host, you can use that computer to complete all installation steps. ==== * If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. While you might need to grant access to more sites, you must grant access to `*.googleapis.com` and `accounts.google.com`. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[manually create and maintain IAM credentials]. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[manually create and maintain long-term credentials]. include::modules/installation-about-restricted-network.adoc[leveloffset=+1] diff --git a/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc b/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc index 25155e01b4..d178faaf7e 100644 --- a/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc +++ b/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc 
@@ -1,11 +1,7 @@ // Module included in the following assemblies: // -// * installing/installing_azure/manually-creating-iam-azure.adoc // * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc -ifeval::["{context}" == "manually-creating-iam-azure"] -:azure: -endif::[] ifeval::["{context}" == "configuring-iam-ibm-cloud"] :ibm-cloud: endif::[] 
@@ -15,21 +11,12 @@ endif::[] The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the `credentialsMode` parameter in the `install-config.yaml` file. -ifdef::azure[] -If you prefer not to store an administrator-level credential secret in the cluster `kube-system` project, you can set the `credentialsMode` parameter for the CCO to `Manual` when installing {product-title} and manage your cloud credentials manually. - -Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them. -endif::azure[] - ifdef::ibm-cloud[] Storing an administrator-level credential secret in the cluster `kube-system` project is not supported for IBM Cloud; therefore, you must set the `credentialsMode` parameter for the CCO to `Manual` when installing {product-title} and manage your cloud credentials manually. Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them. endif::ibm-cloud[] -ifeval::["{context}" == "manually-creating-iam-azure"] -:!azure: -endif::[] ifeval::["{context}" == "configuring-iam-ibm-cloud"] :!ibm-cloud: endif::[] 
diff --git a/modules/cco-ccoctl-configuring.adoc b/modules/cco-ccoctl-configuring.adoc index 837b325d03..f7dc5eb3dd 100644 --- a/modules/cco-ccoctl-configuring.adoc +++ b/modules/cco-ccoctl-configuring.adoc @@ -26,6 +26,13 @@ // * installing/installing_gcp/installing-gcp-vpc.adoc // * installing/installing_gcp/installing-gcp-shared-vpc.adoc // * installing/installing_gcp/installing-gcp-private.adoc +// +// Azure assemblies +// * installing/installing_azure/installing-azure-customizations.adoc +// * installing/installing_azure/installing-azure-government-region.adoc +// * installing/installing_azure/installing-azure-network-customizations.adoc +// * installing/installing_azure/installing-azure-private.adoc +// * installing/installing_azure/installing-azure-vnet.adoc //Platforms that must use `ccoctl` and update content ifeval::["{context}" == "configuring-iam-ibm-cloud"] @@ -96,6 +103,23 @@ ifeval::["{context}" == "installing-gcp-private"] :google-cloud-platform: endif::[] +//global Azure install assemblies +ifeval::["{context}" == "installing-azure-customizations"] +:azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-government-region"] +:azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-network-customizations"] +:azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-private"] +:azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-vnet"] +:azure-workload-id: +endif::[] + :_content-type: PROCEDURE [id="cco-ccoctl-configuring_{context}"] ifndef::update[= Configuring the Cloud Credential Operator utility] 
@@ -213,6 +237,40 @@ These additional permissions support the use of the `--create-private-s3-bucket` ==== endif::aws-sts[] +//Azure permissions needed when running ccoctl during install. +ifdef::azure-workload-id[] +* You have created a global Microsoft Azure account for the `ccoctl` utility to use with the following permissions: ++ +.Required Azure permissions +[%collapsible] +==== +* Microsoft.Resources/subscriptions/resourceGroups/read +* Microsoft.Resources/subscriptions/resourceGroups/write +* Microsoft.Resources/subscriptions/resourceGroups/delete +* Microsoft.Authorization/roleAssignments/read +* Microsoft.Authorization/roleAssignments/delete +* Microsoft.Authorization/roleAssignments/write +* Microsoft.Authorization/roleDefinitions/read +* Microsoft.Authorization/roleDefinitions/write +* Microsoft.Authorization/roleDefinitions/delete +* Microsoft.Storage/storageAccounts/listkeys/action +* Microsoft.Storage/storageAccounts/delete +* Microsoft.Storage/storageAccounts/read +* Microsoft.Storage/storageAccounts/write +* Microsoft.Storage/storageAccounts/blobServices/containers/write +* Microsoft.Storage/storageAccounts/blobServices/containers/delete +* Microsoft.Storage/storageAccounts/blobServices/containers/read +* Microsoft.ManagedIdentity/userAssignedIdentities/delete +* Microsoft.ManagedIdentity/userAssignedIdentities/read +* Microsoft.ManagedIdentity/userAssignedIdentities/write +* Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read +* Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write +* Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete +* Microsoft.Storage/register/action +* Microsoft.ManagedIdentity/register/action +==== +endif::azure-workload-id[] + .Procedure ifndef::update[] 
@@ -350,3 +408,20 @@ endif::[] ifeval::["{context}" == "installing-gcp-private"] :!google-cloud-platform: endif::[] + +//global Azure install assemblies +ifeval::["{context}" == "installing-azure-customizations"] +:!azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-government-region"] +:!azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-network-customizations"] +:!azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-private"] +:!azure-workload-id: +endif::[] +ifeval::["{context}" == "installing-azure-vnet"] +:!azure-workload-id: +endif::[] \ No newline at end of file diff --git a/modules/cco-ccoctl-creating-at-once.adoc b/modules/cco-ccoctl-creating-at-once.adoc index 9d190af930..914fae19ef 100644 --- a/modules/cco-ccoctl-creating-at-once.adoc +++ b/modules/cco-ccoctl-creating-at-once.adoc @@ -174,13 +174,13 @@ $ oc adm release extract \ --install-config=/install-config.yaml \// <2> --to= <3> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the location of the `install-config.yaml` file. <3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. + [NOTE] ==== -This command can take a few moments to run. +This command might take a few moments to run. ==== ifdef::aws-sts,google-cloud-platform,azure-workload-id[] diff --git a/modules/cco-ccoctl-creating-individually.adoc b/modules/cco-ccoctl-creating-individually.adoc index fd139b2880..faacb95183 100644 --- a/modules/cco-ccoctl-creating-individually.adoc +++ b/modules/cco-ccoctl-creating-individually.adoc 
@@ -33,7 +33,7 @@ Some `ccoctl` commands make AWS API calls to create or modify AWS resources. You .Procedure -. Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster: +. Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: + [source,terminal] ---- @@ -53,7 +53,7 @@ where `serviceaccount-signer.private` and `serviceaccount-signer.public` are the + This command also creates a private key that the cluster requires during installation in `//tls/bound-service-account-signing-key.key`. -. Create an OpenID Connect identity provider and S3 bucket on AWS: +. Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: + [source,terminal] ---- @@ -100,7 +100,7 @@ $ oc adm release extract \ --install-config=/install-config.yaml \// <2> --to= <3> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the location of the `install-config.yaml` file. <3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. diff --git a/modules/cco-ccoctl-deleting-sts-resources.adoc b/modules/cco-ccoctl-deleting-sts-resources.adoc index b098e29579..e23dbf35d4 100644 --- a/modules/cco-ccoctl-deleting-sts-resources.adoc +++ b/modules/cco-ccoctl-deleting-sts-resources.adoc @@ -2,6 +2,7 @@ // // * installing/installing_aws/uninstalling-cluster-aws.adoc // * installing/installing_gcp/uninstalling-cluster-gcp.adoc +// * installing/installing_azure/uninstalling-cluster-azure.adoc ifeval::["{context}" == "uninstall-cluster-aws"] :cp-first: Amazon Web Services 
@@ -53,7 +54,7 @@ $ oc adm release extract \ --included \// <1> --to= <2> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. . Delete the {cp} resources that `ccoctl` created by running the following command: @@ -66,16 +67,22 @@ endif::aws-sts,azure-workload-id[] ---- $ ccoctl {cp-name} delete \ --name= \// <1> -ifdef::aws-sts,azure-workload-id[ --region=<{cp-name}_region> <2>] +ifdef::aws-sts[ --region=<{cp-name}_region> <2>] ifdef::gcp-workload-id[] --project=<{cp-name}_project_id> \// <2> --credentials-requests-dir= endif::gcp-workload-id[] +ifdef::azure-workload-id[] + --region=<{cp-name}_region> \// <2> + --subscription-id=<{cp-name}_subscription_id> \// <3> + --delete-oidc-resource-group +endif::azure-workload-id[] ---- + <1> `` matches the name that was originally used to create and tag the cloud resources. ifdef::aws-sts,azure-workload-id[<2> `<{cp-name}_region>` is the {cp} region in which to delete cloud resources.] ifdef::gcp-workload-id[<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources.] +ifdef::azure-workload-id[<3> `<{cp-name}_subscription_id>` is the {cp} subscription ID for which to delete cloud resources.] ifdef::aws-sts[] + .Example output diff --git a/modules/cco-ccoctl-install-creating-manifests.adoc b/modules/cco-ccoctl-install-creating-manifests.adoc index 8157fbb0da..49ddb336e3 100644 --- a/modules/cco-ccoctl-install-creating-manifests.adoc +++ b/modules/cco-ccoctl-install-creating-manifests.adoc 
@@ -19,6 +19,13 @@ // * installing/installing_gcp/installing-gcp-vpc.adoc // * installing/installing_gcp/installing-gcp-shared-vpc.adoc // * installing/installing_gcp/installing-gcp-private.adoc +// +// Azure assemblies +// * installing/installing_azure/installing-azure-customizations.adoc +// * installing/installing_azure/installing-azure-government-region.adoc +// * installing/installing_azure/installing-azure-network-customizations.adoc +// * installing/installing_azure/installing-azure-private.adoc +// * installing/installing_azure/installing-azure-vnet.adoc :_content-type: PROCEDURE [id="cco-ccoctl-install-creating-manifests_{context}"] diff --git a/modules/installation-aws-config-yaml.adoc b/modules/installation-aws-config-yaml.adoc index c41401b58a..e281661d00 100644 --- a/modules/installation-aws-config-yaml.adoc +++ b/modules/installation-aws-config-yaml.adoc 
@@ -313,15 +313,6 @@ ifdef::gov,secret,china[] <1> Required. endif::gov,secret,china[] <2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode. By default, the CCO uses the root credentials in the `kube-system` namespace to dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the "About the Cloud Credential Operator" section in the _Authentication and authorization_ guide. -+ -[IMPORTANT] -==== -Setting this parameter to `Manual` enables alternatives to storing administrator-level secrets in the `kube-system` project, which require additional configuration steps: - -* Using the CCO utility (`ccoctl`) to implement short-term, limited-privilege security credentials for individual components. For more information, see _Configuring an AWS cluster to use short-term credentials_. - -* Managing cloud credentials manually. For more information, see _Manually creating long-term credentials_. -==== <3> If you do not provide these parameters and values, the installation program provides the default value. <4> The `controlPlane` section is a single mapping, but the `compute` section is a diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc index f6b0c497bf..c4f5046be8 100644 --- a/modules/installation-configuration-parameters.adoc +++ b/modules/installation-configuration-parameters.adoc 
@@ -516,16 +516,8 @@ endif::ibm-power-vs[] |`credentialsMode` |The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported. -ifdef::gcp[If you are installing on GCP into a shared virtual private cloud (VPC), `credentialsMode` must be set to `Passthrough` or `Manual`.] -[NOTE] -==== -If your AWS account has service control policies (SCP) enabled, you must configure the `credentialsMode` parameter to `Mint`, `Passthrough`, or `Manual`. -==== -|`Mint`, `Passthrough`, `Manual` or an empty string (`""`). -[NOTE] -==== -Not all CCO modes are supported for all cloud providers. For more information about CCO modes, see the _Managing cloud provider credentials_ entry in the _Authentication and authorization_ content. -==== +|`Mint`, `Passthrough`, `Manual` or an empty string (`""`). ^[1]^ + ifndef::openshift-origin,ibm-power-vs[] |`fips` |Enable or disable FIPS mode. The default is `false` (disabled). If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead. 
@@ -593,6 +585,23 @@ sshKey: ``` |==== +[.small] +-- +1. Not all CCO modes are supported for all cloud providers. For more information about CCO modes, see the "Managing cloud provider credentials" entry in the _Authentication and authorization_ content. ++ +ifdef::aws,gcp[] +[NOTE] +==== +ifdef::aws[If your AWS account has service control policies (SCP) enabled, you must configure the `credentialsMode` parameter to `Mint`, `Passthrough`, or `Manual`.] +ifdef::gcp[If you are installing on GCP into a shared virtual private cloud (VPC), `credentialsMode` must be set to `Passthrough` or `Manual`.] +==== ++ +endif::aws,gcp[] +[IMPORTANT] +==== +ifdef::aws,gcp,azure[Setting this parameter to `Manual` enables alternatives to storing administrator-level secrets in the `kube-system` project, which require additional configuration steps. For more information, see "Alternatives to storing administrator-level secrets in the kube-system project".] +==== +-- ifdef::ibm-power-vs[] [NOTE] diff --git a/modules/installation-gcp-config-yaml.adoc b/modules/installation-gcp-config-yaml.adoc index ad2b96a98f..47523f76d0 100644 --- a/modules/installation-gcp-config-yaml.adoc +++ b/modules/installation-gcp-config-yaml.adoc 
@@ -192,15 +192,6 @@ endif::restricted[] ---- <1> Required. The installation program prompts you for this value. <2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode. By default, the CCO uses the root credentials in the `kube-system` namespace to dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the "About the Cloud Credential Operator" section in the _Authentication and authorization_ guide. -+ -[IMPORTANT] -==== -Setting this parameter to `Manual` enables alternatives to storing administrator-level secrets in the `kube-system` project, which require additional configuration steps: - -* Using the CCO utility (`ccoctl`) to implement short-term, limited-privilege security credentials for individual components. For more information, see _Configuring a GCP cluster to use short-term credentials_. - -* Managing cloud credentials manually. For more information, see _Manually creating long-term credentials_. -==== <3> If you do not provide these parameters and values, the installation program provides the default value. <4> The `controlPlane` section is a single mapping, but the `compute` section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the `compute` section must begin with a hyphen, `-`, and the first line of the `controlPlane` section must not. Only one control plane pool is used. <5> Whether to enable or disable simultaneous multithreading, or `hyperthreading`. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores. You can disable it by setting the parameter value to `Disabled`. If you disable simultaneous multithreading in some cluster machines, you must disable it in all cluster machines. 
diff --git a/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc b/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc index 96ccced651..406660c64d 100644 --- a/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc +++ b/modules/installation-user-infra-generate-k8s-manifest-ignition.adoc @@ -382,7 +382,7 @@ $ oc adm release extract \ --install-config=/install-config.yaml \// <2> --to= <3> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the location of the `install-config.yaml` file. <3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. + diff --git a/modules/manually-configure-iam-nutanix.adoc b/modules/manually-configure-iam-nutanix.adoc index 1fd1ad561c..764e7787b6 100644 --- a/modules/manually-configure-iam-nutanix.adoc +++ b/modules/manually-configure-iam-nutanix.adoc @@ -55,7 +55,7 @@ $ oc adm release extract \ --install-config=/install-config.yaml \// <2> --to= <3> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the location of the `install-config.yaml` file. <3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. + diff --git a/modules/manually-create-iam-ibm-cloud.adoc b/modules/manually-create-iam-ibm-cloud.adoc index 74acbb1a43..dc720335b5 100644 --- a/modules/manually-create-iam-ibm-cloud.adoc +++ b/modules/manually-create-iam-ibm-cloud.adoc 
@@ -93,7 +93,7 @@ $ oc adm release extract \ --install-config=/install-config.yaml \// <2> --to= <3> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the location of the `install-config.yaml` file. <3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. + diff --git a/modules/manually-create-identity-access-management.adoc b/modules/manually-create-identity-access-management.adoc index 71ff870a75..0f4dff561b 100644 --- a/modules/manually-create-identity-access-management.adoc +++ b/modules/manually-create-identity-access-management.adoc @@ -1,6 +1,5 @@ // Module included in the following assemblies: // -// * installing/installing_azure/manually-creating-iam-azure.adoc // * installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc // * installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc // @@ -23,6 +22,13 @@ // * installing/installing_gcp/installing-gcp-vpc.adoc // * installing/installing_gcp/installing-gcp-shared-vpc.adoc // * installing/installing_gcp/installing-gcp-private.adoc +// +// Azure assemblies +// * installing/installing_azure/installing-azure-customizations.adoc +// * installing/installing_azure/installing-azure-government-region.adoc +// * installing/installing_azure/installing-azure-network-customizations.adoc +// * installing/installing_azure/installing-azure-private.adoc +// * installing/installing_azure/installing-azure-vnet.adoc //Platforms that must manually create IAM ifeval::["{context}" == "installing-azure-stack-hub-default"] 
@@ -102,8 +108,24 @@ ifeval::["{context}" == "installing-gcp-private"] :cco-multi-mode: endif::[] -//Azure will also be moved as part of work on `ccoctl` support for Azure -ifeval::["{context}" == "manually-creating-iam-azure"] +//global Azure install assemblies +ifeval::["{context}" == "installing-azure-customizations"] +:azure: +:cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-government-region"] +:azure: +:cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-network-customizations"] +:azure: +:cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-private"] +:azure: +:cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-vnet"] :azure: :cco-multi-mode: endif::[] @@ -171,7 +193,7 @@ $ oc adm release extract \ --install-config=/install-config.yaml \// <2> --to= <3> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. <2> Specify the location of the `install-config.yaml` file. <3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. + @@ -183,7 +205,7 @@ This command creates a YAML file for each `CredentialsRequest` object. apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: - name: + name: namespace: openshift-cloud-credential-operator ... spec: @@ -222,7 +244,7 @@ endif::google-cloud-platform[] apiVersion: cloudcredential.openshift.io/v1 kind: CredentialsRequest metadata: - name: + name: namespace: openshift-cloud-credential-operator ... spec: @@ -251,8 +273,8 @@ ifdef::gcp[] endif::gcp[] ... secretRef: - name: - namespace: + name: + namespace: ... ---- + 
@@ -262,8 +284,8 @@ endif::gcp[] apiVersion: v1 kind: Secret metadata: - name: - namespace: + name: + namespace: ifdef::aws[] data: aws_access_key_id: @@ -372,4 +394,26 @@ endif::[] ifeval::["{context}" == "manually-creating-iam-azure"] :!azure: :!cco-multi-mode: +endif::[] + +//global Azure install assemblies +ifeval::["{context}" == "installing-azure-customizations"] +:!azure: +:!cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-government-region"] +:!azure: +:!cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-network-customizations"] +:!azure: +:!cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-private"] +:!azure: +:!cco-multi-mode: +endif::[] +ifeval::["{context}" == "installing-azure-vnet"] +:!azure: +:!cco-multi-mode: endif::[] \ No newline at end of file diff --git a/modules/manually-maintained-credentials-upgrade-extract.adoc b/modules/manually-maintained-credentials-upgrade-extract.adoc index adcc5a7431..62d4b374de 100644 --- a/modules/manually-maintained-credentials-upgrade-extract.adoc +++ b/modules/manually-maintained-credentials-upgrade-extract.adoc @@ -60,7 +60,7 @@ $ oc adm release extract \ --included \// <1> --to= <2> ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requries for the target release. +<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires for the target release. <2> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. + This command creates a YAML file for each `CredentialsRequest` object. diff --git a/updating/preparing_for_updates/preparing-manual-creds-update.adoc b/updating/preparing_for_updates/preparing-manual-creds-update.adoc index b3b9581d54..ce335ef47f 100644 --- a/updating/preparing_for_updates/preparing-manual-creds-update.adoc 
+++ b/updating/preparing_for_updates/preparing-manual-creds-update.adoc @@ -61,6 +61,10 @@ include::modules/cco-ccoctl-upgrading.adoc[leveloffset=+1] include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources +* xref:../../installing/installing_aws/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials for AWS] +* xref:../../installing/installing_azure/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[Manually creating long-term credentials for Azure] +* xref:../../installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc#manually-create-iam_installing-azure-stack-hub-default[Manually creating long-term credentials for Azure Stack Hub] +* xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for GCP] * xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#cco-manual-upgrade-annotation_preparing-manual-creds-update[Indicating that the cluster is ready to upgrade] //Indicating that the cluster is ready to upgrade
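Review bot: The attribute-unset block `ifeval::["{context}" == "manually-creating-iam-azure"]` / `:!azure:` / `:!cco-multi-mode:` at the end of modules/manually-create-identity-access-management.adoc (around line 394) is left in place, while its matching set block near line 108 is replaced by the `//global Azure install assemblies` blocks and the `manually-creating-iam-azure.adoc` entry is dropped from the module's include-list comment. That leaves an orphaned unset for a context no assembly produces any more; remove those three lines so the set and unset sections stay symmetric with the five new Azure contexts. The same hunk also keeps the file ending without a trailing newline (`\ No newline at end of file`); please add one while touching that region.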
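Review bot: The new include-list comment in modules/manually-create-identity-access-management.adoc declares five Azure assemblies (installing-azure-customizations, -government-region, -network-customizations, -private, -vnet), and the new xrefs in cco-mode-manual.adoc and preparing-manual-creds-update.adoc target `installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations`, but no hunk in this patch adds an `include::modules/manually-create-identity-access-management.adoc[leveloffset=+1]` to any of those assemblies. If the includes already exist the comment update is just catching up; if they do not, the xref anchors (and the Azure Stack Hub one, `manually-create-iam_installing-azure-stack-hub-default`) will not resolve at build time. Please confirm the includes are present, or add them in this PR, and run the docs build to verify every xref added here resolves.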
