openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/manually-create-identity-access-management.adoc

453 lines
13 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-network-customizations.adoc
//
// AWS assemblies:
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-network-customizations.adoc
// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
// * installing/installing_aws/installing-aws-vpc.adoc
// * installing/installing_aws/installing-aws-private.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-secret-region.adoc
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-outposts-remote-workers.adoc
//
// GCP assemblies:
// * installing/installing_gcp/installing-gcp-customizations.adoc
// * installing/installing_gcp/installing-gcp-network-customizations.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
// * installing/installing_gcp/installing-gcp-vpc.adoc
// * installing/installing_gcp/installing-gcp-shared-vpc.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
//
// Azure assemblies
// * installing/installing_azure/installing-azure-customizations.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-network-customizations.adoc
// * installing/installing_azure/installing-azure-private.adoc
// * installing/installing_azure/installing-azure-vnet.adoc
// * installing/installing_azure/installing-restricted-networks-azure-installer-provisioned.adoc
//Platforms that must manually create IAM
ifeval::["{context}" == "installing-azure-stack-hub-default"]
:ash:
:cco-manual-mode:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-network-customizations"]
:ash:
:cco-manual-mode:
endif::[]
//AWS install assemblies
ifeval::["{context}" == "installing-aws-customizations"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-network-customizations"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-vpc"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-private"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-secret-region"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-specialized-region"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-outposts-remote-workers"]
:aws:
:cco-multi-mode:
endif::[]
//GCP install assemblies
ifeval::["{context}" == "installing-gcp-customizations"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-network-customizations"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-vpc"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-shared-vpc"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-private"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
//global Azure install assemblies
ifeval::["{context}" == "installing-azure-customizations"]
:azure:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-government-region"]
:azure:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-network-customizations"]
:azure:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-private"]
:azure:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-vnet"]
:azure:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
:azure:
:cco-multi-mode:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="manually-create-iam_{context}"]
//For providers that support multiple modes of operation
ifdef::cco-multi-mode[]
= Manually creating long-term credentials
endif::cco-multi-mode[]
//For providers who only support manual mode
ifdef::cco-manual-mode[]
= Manually manage cloud credentials
endif::cco-manual-mode[]
//For providers that support multiple modes of operation
ifdef::cco-multi-mode[]
The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster `kube-system` namespace.
endif::cco-multi-mode[]
//For providers who only support manual mode
ifdef::cco-manual-mode[]
The Cloud Credential Operator (CCO) only supports your cloud provider in manual mode. As a result, you must specify the identity and access management (IAM) secrets for your cloud provider.
endif::cco-manual-mode[]
.Procedure
ifdef::google-cloud-platform[]
. Add the following granular permissions to the {gcp-short} account that the installation program uses:
+
.Required {gcp-short} permissions
[%collapsible]
====
* compute.machineTypes.list
* compute.regions.list
* compute.zones.list
* dns.changes.create
* dns.changes.get
* dns.managedZones.create
* dns.managedZones.delete
* dns.managedZones.get
* dns.managedZones.list
* dns.networks.bindPrivateDNSZone
* dns.resourceRecordSets.create
* dns.resourceRecordSets.delete
* dns.resourceRecordSets.list
====
endif::google-cloud-platform[]
ifdef::cco-multi-mode[]
. If you did not set the `credentialsMode` parameter in the `install-config.yaml` configuration file to `Manual`, modify the value as shown:
+
.Sample configuration file snippet
[source,yaml]
----
apiVersion: v1
baseDomain: example.com
credentialsMode: Manual
# ...
----
endif::cco-multi-mode[]
. If you have not previously created installation manifest files, do so by running the following command:
+
[source,terminal]
----
$ openshift-install create manifests --dir <installation_directory>
----
+
where `<installation_directory>` is the directory in which the installation program creates files.
. Set a `$RELEASE_IMAGE` variable with the release image from your installation file by running the following command:
+
[source,terminal]
----
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
----
. Extract the list of `CredentialsRequest` custom resources (CRs) from the {product-title} release image by running the following command:
+
[source,terminal]
----
$ oc adm release extract \
--from=$RELEASE_IMAGE \
--credentials-requests \
--included \// <1>
--install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \// <2>
--to=<path_to_directory_for_credentials_requests> <3>
----
<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires.
<2> Specify the location of the `install-config.yaml` file.
<3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it.
+
This command creates a YAML file for each `CredentialsRequest` object.
+
.Sample `CredentialsRequest` object
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: <component_credentials_request>
namespace: openshift-cloud-credential-operator
...
spec:
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
ifdef::aws[]
kind: AWSProviderSpec
statementEntries:
- effect: Allow
action:
- iam:GetUser
- iam:GetUserPolicy
- iam:ListAccessKeys
resource: "*"
endif::aws[]
ifdef::azure,ash[]
kind: AzureProviderSpec
roleBindings:
- role: Contributor
endif::azure,ash[]
ifdef::google-cloud-platform[]
kind: GCPProviderSpec
predefinedRoles:
- roles/storage.admin
- roles/iam.serviceAccountUser
skipServiceCheck: true
endif::google-cloud-platform[]
...
----
. Create YAML files for secrets in the `openshift-install` manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the `spec.secretRef` for each `CredentialsRequest` object.
+
.Sample `CredentialsRequest` object with secrets
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: <component_credentials_request>
namespace: openshift-cloud-credential-operator
...
spec:
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
ifdef::aws[]
kind: AWSProviderSpec
statementEntries:
- effect: Allow
action:
- s3:CreateBucket
- s3:DeleteBucket
resource: "*"
endif::aws[]
ifdef::ash,azure[]
kind: AzureProviderSpec
roleBindings:
- role: Contributor
endif::ash,azure[]
ifdef::gcp[]
kind: GCPProviderSpec
predefinedRoles:
- roles/iam.securityReviewer
- roles/iam.roleViewer
skipServiceCheck: true
endif::gcp[]
...
secretRef:
name: <component_secret>
namespace: <component_namespace>
...
----
+
.Sample `Secret` object
[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
name: <component_secret>
namespace: <component_namespace>
ifdef::aws[]
data:
aws_access_key_id: <base64_encoded_aws_access_key_id>
aws_secret_access_key: <base64_encoded_aws_secret_access_key>
endif::aws[]
ifdef::azure,ash[]
data:
azure_subscription_id: <base64_encoded_azure_subscription_id>
azure_client_id: <base64_encoded_azure_client_id>
azure_client_secret: <base64_encoded_azure_client_secret>
azure_tenant_id: <base64_encoded_azure_tenant_id>
azure_resource_prefix: <base64_encoded_azure_resource_prefix>
azure_resourcegroup: <base64_encoded_azure_resourcegroup>
azure_region: <base64_encoded_azure_region>
endif::azure,ash[]
ifdef::google-cloud-platform[]
data:
service_account.json: <base64_encoded_gcp_service_account_file>
endif::google-cloud-platform[]
----
[IMPORTANT]
====
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
====
//Platforms that must manually create IAM
ifeval::["{context}" == "installing-azure-stack-hub-default"]
:!ash:
:!cco-manual-mode:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-network-customizations"]
:!ash:
:!cco-manual-mode:
endif::[]
//AWS install assemblies
ifeval::["{context}" == "installing-aws-customizations"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-network-customizations"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-vpc"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-specialized-region"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-private"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-secret-region"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-aws-outposts-remote-workers"]
:!aws:
:!cco-multi-mode:
endif::[]
//GCP install assemblies
ifeval::["{context}" == "installing-gcp-customizations"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-network-customizations"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-vpc"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-shared-vpc"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-gcp-private"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
//Azure will also be moved as part of work on `ccoctl` support for Azure
ifeval::["{context}" == "manually-creating-iam-azure"]
:!azure:
:!cco-multi-mode:
endif::[]
//global Azure install assemblies
ifeval::["{context}" == "installing-azure-customizations"]
:!azure:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-government-region"]
:!azure:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-network-customizations"]
:!azure:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-private"]
:!azure:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-vnet"]
:!azure:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
:!azure:
:!cco-multi-mode:
endif::[]
View Git Blame Copy Permalink