From ff4d9985038feff5694be05466b56ad0a4b2058e Mon Sep 17 00:00:00 2001 From: Laura Hinson Date: Mon, 18 Nov 2024 16:21:13 -0500 Subject: [PATCH] [OSDOCS-12355: Improvements to docs about creating hosted clusters on AWS --- modules/hcp-aws-create-role-sts-creds.adoc | 6 +- modules/hcp-aws-create-secret-s3.adoc | 69 +++++++++++----------- modules/hcp-cli-console.adoc | 5 ++ modules/hcp-cli-gateway.adoc | 5 ++ modules/hcp-cli-terminal.adoc | 9 ++- 5 files changed, 56 insertions(+), 38 deletions(-) diff --git a/modules/hcp-aws-create-role-sts-creds.adoc b/modules/hcp-aws-create-role-sts-creds.adoc index 38a64a8d1f..bee86cfeee 100644 --- a/modules/hcp-aws-create-role-sts-creds.adoc +++ b/modules/hcp-aws-create-role-sts-creds.adoc @@ -25,7 +25,7 @@ arn:aws:iam::1234567890:user/ + Use this output as the value for `` in the next step. -. Create a JSON file named `trust-relationship.json` that contains the trust relationship configuration for your role. See the following example: +. Create a JSON file that contains the trust relationship configuration for your role. See the following example: + [source,json] ---- @@ -35,7 +35,7 @@ Use this output as the value for `` in the next step. { "Effect": "Allow", "Principal": { - "AWS": <1> + "AWS": "" <1> }, "Action": "sts:AssumeRole" } @@ -54,7 +54,7 @@ $ aws iam create-role \ --query "Role.Arn" ---- <1> Replace `` with the role name, for example, `hcp-cli-role`. -<2> Replace `` with the file name, for example, `assume-role-policy.json`. +<2> Replace `` with the name of the JSON file you created in the previous step. + .Example output [source,terminal] diff --git a/modules/hcp-aws-create-secret-s3.adoc b/modules/hcp-aws-create-secret-s3.adoc index b2d022ea9f..5a07e15fe0 100644 --- a/modules/hcp-aws-create-secret-s3.adoc +++ b/modules/hcp-aws-create-secret-s3.adoc @@ -6,55 +6,59 @@ [id="hcp-aws-create-secret-s3_{context}"] = Creating the {aws-full} S3 bucket and S3 OIDC secret -If you plan to create and manage hosted clusters on {aws-first}, create the S3 bucket and S3 OIDC secret. +Before you can create and manage hosted clusters on {aws-first}, you must create the S3 bucket and S3 OIDC secret. .Procedure -. Create an S3 bucket that has public access to host OIDC discovery documents for your clusters: - -.. To create the bucket in the `us-east-1` region, enter the following code: +. Create an S3 bucket that has public access to host OIDC discovery documents for your clusters by running the following commands: + -[source,bash] +[source,terminal] ---- -aws s3api create-bucket --bucket -aws s3api delete-public-access-block --bucket -echo '{ +$ aws s3api create-bucket --bucket \// <1> + --create-bucket-configuration LocationConstraint= \// <2> + --region <2> +---- ++ +<1> Replace `` with the name of the S3 bucket you are creating. +<2> To create the bucket in a region other than the `us-east-1` region, include this line and replace `` with the region you want to use. To create a bucket in the `us-east-1` region, omit this line. ++ +[source,terminal] +---- +$ aws s3api delete-public-access-block --bucket <1> +---- ++ +<1> Replace `` with the name of the S3 bucket you are creating. ++ +[source,terminal] +---- +$ echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::/*" + "Resource": "arn:aws:s3:::/*" <1> } ] }' | envsubst > policy.json -aws s3api put-bucket-policy --bucket --policy file://policy.json ---- - -.. To create the bucket in a region other than the `us-east-1` region, enter the following code: + -[source,bash] +<1> Replace `` with the name of the S3 bucket you are creating. ++ +[source,terminal] ---- -aws s3api create-bucket --bucket \ - --create-bucket-configuration LocationConstraint= \ - --region -aws s3api delete-public-access-block --bucket -echo '{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": "*", - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::/*" - } - ] -}' | envsubst > policy.json -aws s3api put-bucket-policy --bucket --policy file://policy.json +$ aws s3api put-bucket-policy --bucket --policy file://policy.json <1> ---- ++ +<1> Replace `` with the name of the S3 bucket you are creating. ++ +[NOTE] +==== +If you are using a Mac computer, you must export the bucket name in order for the policy to work. +==== -. Create an OIDC S3 secret named `hypershift-operator-oidc-provider-s3-credentials` for the HyperShift operator. +. Create an OIDC S3 secret named `hypershift-operator-oidc-provider-s3-credentials` for the HyperShift Operator. . Save the secret in the `local-cluster` namespace. @@ -75,7 +79,6 @@ aws s3api put-bucket-policy --bucket --policy file://policy.json | Specifies the region of the S3 bucket. |=== - . To create an {aws-short} secret, run the following command: + [source,terminal] @@ -85,9 +88,9 @@ $ oc create secret generic --from-file=credentials=/.aws/cre + [NOTE] ==== -Disaster recovery backup for the secret is not automatically enabled. Run the following command to add the label that enables the `hypershift-operator-oidc-provider-s3-credentials` secret to be backed up for disaster recovery: +Disaster recovery backup for the secret is not automatically enabled. To add the label that enables the `hypershift-operator-oidc-provider-s3-credentials` secret to be backed up for disaster recovery, run the following command: [source,terminal] ---- $ oc label secret hypershift-operator-oidc-provider-s3-credentials -n local-cluster cluster.open-cluster-management.io/backup=true ---- -==== +==== \ No newline at end of file diff --git a/modules/hcp-cli-console.adoc b/modules/hcp-cli-console.adoc index a87be50d3b..9c1e3de5a9 100644 --- a/modules/hcp-cli-console.adoc +++ b/modules/hcp-cli-console.adoc @@ -34,6 +34,11 @@ $ chmod +x hcp $ sudo mv hcp /usr/local/bin/. ---- +[NOTE] +==== +If you download the CLI on a Mac computer, you might see a warning about the `hcp` binary file. You need to adjust your security settings to allow the binary file to be run. +==== + .Verification * Verify that you see the list of available parameters by running the following command: diff --git a/modules/hcp-cli-gateway.adoc b/modules/hcp-cli-gateway.adoc index db863af124..5fc6872621 100644 --- a/modules/hcp-cli-gateway.adoc +++ b/modules/hcp-cli-gateway.adoc @@ -32,6 +32,11 @@ $ chmod +x hcp $ sudo mv hcp /usr/local/bin/. ---- +[NOTE] +==== +If you download the CLI on a Mac computer, you might see a warning about the `hcp` binary file. You need to adjust your security settings to allow the binary file to be run. +==== + .Verification * Verify that you see the list of available parameters by running the following command: diff --git a/modules/hcp-cli-terminal.adoc b/modules/hcp-cli-terminal.adoc index 867e453d12..aee464dd2d 100644 --- a/modules/hcp-cli-terminal.adoc +++ b/modules/hcp-cli-terminal.adoc @@ -3,9 +3,9 @@ :_mod-docs-content-type: PROCEDURE [id="hcp-cli-terminal_{context}"] -= Installing the {hcp} command-line interface by using the CLI += Installing the {hcp} command-line interface from the terminal -You can install the {hcp} command-line interface (CLI), `hcp`, by using the CLI. +You can install the {hcp} command-line interface (CLI), `hcp`, from the terminal. .Procedure @@ -46,6 +46,11 @@ $ chmod +x hcp $ sudo mv hcp /usr/local/bin/. ---- +[NOTE] +==== +If you download the CLI on a Mac computer, you might see a warning about the `hcp` binary file. You need to adjust your security settings to allow the binary file to be run. +==== + .Verification * Verify that you see the list of available parameters by running the following command: