mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
155 lines
4.2 KiB
Plaintext
155 lines
4.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
|
|
[id="manually-maintained-credentials-upgrade_{context}"]
|
|
= Manually updating cloud provider resources
|
|
|
|
Before upgrading a cluster with manually maintained credentials, you must create secrets for any new credentials for the release image that you are upgrading to. You must also review the required permissions for existing credentials and accommodate any new permissions requirements in the new release for those components.
|
|
|
|
.Prerequisites
|
|
|
|
* You have extracted the `CredentialsRequest` custom resources (CRs) from the {product-title} release image and ensured that a namespace that matches the text in the `spec.secretRef.namespace` field exists in the cluster.
|
|
|
|
.Procedure
|
|
|
|
. Create YAML files with secrets for any `CredentialsRequest` custom resources that the new release image adds. The secrets must be stored using the namespace and secret name defined in the `spec.secretRef` for each `CredentialsRequest` object.
|
|
+
|
|
.Sample AWS YAML files
|
|
[%collapsible]
|
|
====
|
|
.Sample AWS `CredentialsRequest` object with secrets
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
name: <component_credentials_request>
|
|
namespace: openshift-cloud-credential-operator
|
|
...
|
|
spec:
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: AWSProviderSpec
|
|
statementEntries:
|
|
- effect: Allow
|
|
action:
|
|
- s3:CreateBucket
|
|
- s3:DeleteBucket
|
|
resource: "*"
|
|
...
|
|
secretRef:
|
|
name: <component_secret>
|
|
namespace: <component_namespace>
|
|
...
|
|
----
|
|
|
|
.Sample AWS `Secret` object
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: <component_secret>
|
|
namespace: <component_namespace>
|
|
data:
|
|
aws_access_key_id: <base64_encoded_aws_access_key_id>
|
|
aws_secret_access_key: <base64_encoded_aws_secret_access_key>
|
|
----
|
|
====
|
|
+
|
|
.Sample Azure YAML files
|
|
[%collapsible]
|
|
====
|
|
[NOTE]
|
|
=====
|
|
Global Azure and Azure Stack Hub use the same `CredentialsRequest` object and secret formats.
|
|
=====
|
|
.Sample Azure `CredentialsRequest` object with secrets
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
name: <component_credentials_request>
|
|
namespace: openshift-cloud-credential-operator
|
|
...
|
|
spec:
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: AzureProviderSpec
|
|
roleBindings:
|
|
- role: Contributor
|
|
...
|
|
secretRef:
|
|
name: <component_secret>
|
|
namespace: <component_namespace>
|
|
...
|
|
----
|
|
|
|
.Sample Azure `Secret` object
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: <component_secret>
|
|
namespace: <component_namespace>
|
|
data:
|
|
azure_subscription_id: <base64_encoded_azure_subscription_id>
|
|
azure_client_id: <base64_encoded_azure_client_id>
|
|
azure_client_secret: <base64_encoded_azure_client_secret>
|
|
azure_tenant_id: <base64_encoded_azure_tenant_id>
|
|
azure_resource_prefix: <base64_encoded_azure_resource_prefix>
|
|
azure_resourcegroup: <base64_encoded_azure_resourcegroup>
|
|
azure_region: <base64_encoded_azure_region>
|
|
----
|
|
====
|
|
+
|
|
.Sample GCP YAML files
|
|
[%collapsible]
|
|
====
|
|
.Sample GCP `CredentialsRequest` object with secrets
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
name: <component_credentials_request>
|
|
namespace: openshift-cloud-credential-operator
|
|
...
|
|
spec:
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: GCPProviderSpec
|
|
predefinedRoles:
|
|
- roles/iam.securityReviewer
|
|
- roles/iam.roleViewer
|
|
skipServiceCheck: true
|
|
...
|
|
secretRef:
|
|
name: <component_secret>
|
|
namespace: <component_namespace>
|
|
...
|
|
----
|
|
|
|
.Sample GCP `Secret` object
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: <component_secret>
|
|
namespace: <component_namespace>
|
|
data:
|
|
service_account.json: <base64_encoded_gcp_service_account_file>
|
|
----
|
|
====
|
|
|
|
. If the `CredentialsRequest` custom resources for any existing credentials that are stored in secrets have changed permissions requirements, update the permissions as required.
|
|
|
|
.Next steps
|
|
* Update the `upgradeable-to` annotation to indicate that the cluster is ready to upgrade.
|