mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
156 lines
5.1 KiB
Plaintext
156 lines
5.1 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
|
|
// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
|
|
// * installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
|
|
// * installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
|
|
|
|
ifeval::["{context}" == "installing-ibm-cloud-customizations"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-vpc"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-private"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
|
|
:_content-type: PROCEDURE
|
|
[id="manually-create-iam-ibm-cloud_{context}"]
|
|
= Manually creating IAM for IBM Cloud VPC
|
|
|
|
Installing the cluster requires that the Cloud Credential Operator (CCO) operate in manual mode. While the installation program configures the CCO for manual mode, you must specify the identity and access management secrets for you cloud provider.
|
|
|
|
You can use the Cloud Credential Operator (CCO) utility (`ccoctl`) to create the required IBM Cloud VPC resources.
|
|
|
|
.Prerequisites
|
|
|
|
* You have configured the `ccoctl` binary.
|
|
* You have an existing `install-config.yaml` file.
|
|
|
|
.Procedure
|
|
|
|
. Edit the `install-config.yaml` configuration file so that it contains the `credentialsMode` parameter set to `Manual`.
|
|
+
|
|
.Example `install-config.yaml` configuration file
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
baseDomain: cluster1.example.com
|
|
credentialsMode: Manual <1>
|
|
compute:
|
|
ifdef::ibm-vpc[]
|
|
- architecture: amd64
|
|
endif::ibm-vpc[]
|
|
hyperthreading: Enabled
|
|
----
|
|
<1> This line is added to set the `credentialsMode` parameter to `Manual`.
|
|
|
|
. To generate the manifests, run the following command from the directory that contains the installation program:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ openshift-install create manifests --dir <installation_directory>
|
|
----
|
|
|
|
. From the directory that contains the installation program, obtain the {product-title} release image that your `openshift-install` binary is built to use:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
|
|
----
|
|
|
|
. Extract the `CredentialsRequest` objects from the {product-title} release image:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc adm release extract --cloud=ibmcloud --credentials-requests $RELEASE_IMAGE \
|
|
--to=<path_to_credential_requests_directory> <1>
|
|
----
|
|
<1> The directory where the credential requests will be stored.
|
|
+
|
|
This command creates a YAML file for each `CredentialsRequest` object.
|
|
+
|
|
.Sample `CredentialsRequest` object
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
labels:
|
|
controller-tools.k8s.io: "1.0"
|
|
name: openshift-image-registry-ibmcos
|
|
namespace: openshift-cloud-credential-operator
|
|
spec:
|
|
secretRef:
|
|
name: installer-cloud-credentials
|
|
namespace: openshift-image-registry
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: IBMCloudProviderSpec
|
|
policies:
|
|
- attributes:
|
|
- name: serviceName
|
|
value: cloud-object-storage
|
|
roles:
|
|
- crn:v1:bluemix:public:iam::::role:Viewer
|
|
- crn:v1:bluemix:public:iam::::role:Operator
|
|
- crn:v1:bluemix:public:iam::::role:Editor
|
|
- crn:v1:bluemix:public:iam::::serviceRole:Reader
|
|
- crn:v1:bluemix:public:iam::::serviceRole:Writer
|
|
- attributes:
|
|
- name: resourceType
|
|
value: resource-group
|
|
roles:
|
|
- crn:v1:bluemix:public:iam::::role:Viewer
|
|
----
|
|
|
|
. Create the service ID for each credential request, assign the policies defined, create an API key in IBM Cloud VPC, and generate the secret:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl ibmcloud create-service-id \
|
|
--credentials-requests-dir <path_to_credential_requests_directory> \ <1>
|
|
--name <cluster_name> \ <2>
|
|
--output-dir <installation_directory> \
|
|
--resource-group-name <resource_group_name> <3>
|
|
----
|
|
<1> The directory where the credential requests are stored.
|
|
<2> The name of the {product-title} cluster.
|
|
<3> Optional: The name of the resource group used for scoping the access policies.
|
|
+
|
|
--
|
|
[NOTE]
|
|
====
|
|
If your cluster uses Technology Preview features that are enabled by the `TechPreviewNoUpgrade` feature set, you must include the `--enable-tech-preview` parameter.
|
|
|
|
If an incorrect resource group name is provided, the installation fails during the bootstrap phase. To find the correct resource group name, run the following command:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ grep resourceGroupName <installation_directory>/manifests/cluster-infrastructure-02-config.yml
|
|
----
|
|
====
|
|
--
|
|
|
|
.Verification
|
|
|
|
* Ensure that the appropriate secrets were generated in your cluster's `manifests` directory.
|
|
|
|
ifeval::["{context}" == "installing-ibm-cloud-customizations"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-vpc"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-private"]
|
|
:!ibm-vpc:
|
|
endif::[]
|