openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/manually-create-iam-ibm-cloud.adoc

213 lines
7.4 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * installing/installing_ibm_cloud/installing-ibm-cloud-customizations.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-network-customizations.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-vpc.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-private.adoc
// * installing/installing_ibm_powervs/installing-ibm-power-vs-customizations.adoc
// * installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc
// * installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc
// * installing/installing_ibm_powervs/installing-ibm-powervs-vpc.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-restricted.adoc
ifeval::["{context}" == "installing-ibm-cloud-customizations"]
:ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-vpc"]
:ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-private"]
:ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-power-vs-customizations"]
:ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-ibm-power-vs-private-cluster"]
:ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power-vs"]
:ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-ibm-powervs-vpc"]
:ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-restricted"]
:ibm-vpc:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="manually-create-iam-ibm-cloud_{context}"]
= Manually creating IAM
Installing the cluster requires that the Cloud Credential Operator (CCO) operate in manual mode. While the installation program configures the CCO for manual mode, you must specify the identity and access management secrets for you cloud provider.
You can use the Cloud Credential Operator (CCO) utility (`ccoctl`) to create the required {ibm-cloud-name} resources.
.Prerequisites
* You have configured the `ccoctl` binary.
* You have an existing `install-config.yaml` file.
.Procedure
. Edit the `install-config.yaml` configuration file so that the file includes the `credentialsMode` parameter set to `Manual`.
+
ifdef::ibm-vpc[]
.Example `install-config.yaml` configuration file
[source,yaml,subs="+quotes"]
----
apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual
compute:
- architecture: amd64
hyperthreading: Enabled
----
endif::ibm-vpc[]
ifdef::ibm-power-vs[]
.Example `install-config.yaml` configuration file
[source,yaml,subs="+quotes"]
----
apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual
compute:
- architecture: ppc64le
hyperthreading: Enabled
----
endif::ibm-power-vs[]
* `credentialsMode`: Set the `credentialsMode` parameter to `Manual`.
. To generate the manifests, run the following command from the directory that includes the installation program:
+
[source,terminal]
----
$ ./openshift-install create manifests --dir <installation_directory>
----
. From the directory that includes the installation program, set a `$RELEASE_IMAGE` variable with the release image from your installation file by running the following command:
+
[source,terminal]
----
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
----
. Extract the list of `CredentialsRequest` custom resources (CRs) from the {product-title} release image by running the following command:
+
[source,terminal]
----
$ oc adm release extract \
--from=$RELEASE_IMAGE \
--credentials-requests \
--included \
--install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \
--to=<path_to_directory_for_credentials_requests>
----
* `--included`: Includes only the manifests that your specific cluster configuration requires.
* `<path_to_directory_with_installation_configuration>`: Specify the location of the `install-config.yaml` file.
* `<path_to_directory_for_credentials_requests>`: Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it.
+
This command creates a YAML file for each `CredentialsRequest` object.
+
.Sample `CredentialsRequest` object
+
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
labels:
controller-tools.k8s.io: "1.0"
name: openshift-image-registry-ibmcos
namespace: openshift-cloud-credential-operator
spec:
secretRef:
name: installer-cloud-credentials
namespace: openshift-image-registry
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: IBMCloudProviderSpec
policies:
- attributes:
- name: serviceName
value: cloud-object-storage
roles:
- crn:v1:bluemix:public:iam::::role:Viewer
- crn:v1:bluemix:public:iam::::role:Operator
- crn:v1:bluemix:public:iam::::role:Editor
- crn:v1:bluemix:public:iam::::serviceRole:Reader
- crn:v1:bluemix:public:iam::::serviceRole:Writer
- attributes:
- name: resourceType
value: resource-group
roles:
- crn:v1:bluemix:public:iam::::role:Viewer
----
. Create the service ID for each credential request, assign the policies defined, create an API key, and generate the secret:
+
[source,terminal]
----
$ ccoctl ibmcloud create-service-id \
--credentials-requests-dir=<path_to_credential_requests_directory> \
--name=<cluster_name> \
--output-dir=<installation_directory> \
--resource-group-name=<resource_group_name>
----
* `<path_to_credential_requests_directory>`: Specify the directory containing the files for the `CredentialsRequest` objects.
* `<cluster_name>`: Specify the name of the {product-title} cluster.
* `<installation_directory>`: Optional parameter. Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which you run the commands.
* `<resource_group_name>`: Optional parameter. Specify the name of the resource group used for scoping the access policies.
+
--
[NOTE]
====
If you enabled Technology Preview features by using the `TechPreviewNoUpgrade` feature set for your cluster, you must include the `--enable-tech-preview` parameter in the configuration for the `CredentialsRequest` object.
If you provided a wrong resource group name, the installation fails during the bootstrap phase. To find the correct resource group name, run the following command:
ifdef::ibm-vpc[]
[source,terminal]
----
$ grep resourceGroupName <installation_directory>/manifests/cluster-infrastructure-02-config.yml
----
endif::ibm-vpc[]
ifdef::ibm-power-vs[]
[source,terminal]
----
$ grep resourceGroup <installation_directory>/manifests/cluster-infrastructure-02-config.yml
----
endif::ibm-power-vs[]
====
--
.Verification
* Check that the appropriate secrets exist in the `manifests` directory of your cluster.
ifeval::["{context}" == "installing-ibm-cloud-customizations"]
:!ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-vpc"]
:!ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-private"]
:!ibm-vpc:
endif::[]
ifeval::["{context}" == "installing-ibm-power-vs-customizations"]
:!ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-ibm-power-vs-private-cluster"]
:!ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power-vs"]
:!ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-ibm-powervs-vpc"]
:!ibm-power-vs:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-restricted"]
:!ibm-vpc:
endif::[]
View Git Blame Copy Permalink