mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 00:48:01 +01:00
135 lines
6.8 KiB
Plaintext
135 lines
6.8 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * updating/preparing_for_updates/preparing-manual-creds-update.adoc
|
|
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="cco-ccoctl-upgrading_{context}"]
|
|
= Updating cloud provider resources with the Cloud Credential Operator utility
|
|
|
|
The process for upgrading an {product-title} cluster that was configured using the CCO utility (`ccoctl`) is similar to creating the cloud provider resources during installation.
|
|
|
|
[NOTE]
|
|
====
|
|
On AWS clusters, some `ccoctl` commands make AWS API calls to create or modify AWS resources. You can use the `--dry-run` flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the `--cli-input-json` parameters.
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* You have extracted the `CredentialsRequest` custom resources (CRs) from the {product-title} release image and ensured that a namespace that matches the text in the `spec.secretRef.namespace` field exists in the cluster.
|
|
|
|
* You have extracted and configured the `ccoctl` binary from the release image.
|
|
|
|
.Procedure
|
|
|
|
. Use the `ccoctl` tool to process all `CredentialsRequest` objects by running the command for your cloud provider. The following commands process `CredentialsRequest` objects:
|
|
+
|
|
.{alibaba}
|
|
[%collapsible]
|
|
====
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl alibabacloud create-ram-users \
|
|
--name <name> \// <1>
|
|
--region=<alibaba_region> \// <2>
|
|
--credentials-requests-dir=<path_to_credentials_requests_directory> \// <3>
|
|
--output-dir=<path_to_ccoctl_output_dir> <4>
|
|
----
|
|
<1> Specify the name used to tag any cloud resources that are created for tracking.
|
|
<2> Specify the Alibaba Cloud region in which cloud resources will be created.
|
|
<3> Specify the directory containing the files for the component `CredentialsRequest` objects.
|
|
<4> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
|
|
|
|
[NOTE]
|
|
=====
|
|
A RAM user can have up to two AccessKeys at the same time. If you run `ccoctl alibabacloud create-ram-users` more than twice, the previously generated manifests secret becomes stale and you must reapply the newly generated secrets.
|
|
=====
|
|
====
|
|
+
|
|
.Amazon Web Services (AWS)
|
|
[%collapsible]
|
|
====
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl aws create-all \// <1>
|
|
--name=<name> \// <2>
|
|
--region=<aws_region> \// <3>
|
|
--credentials-requests-dir=<path_to_credentials_requests_directory> \// <4>
|
|
--output-dir=<path_to_ccoctl_output_dir> \// <5>
|
|
--create-private-s3-bucket <6>
|
|
----
|
|
<1> To create the AWS resources individually, use the "Creating AWS resources individually" procedure in the "Installing a cluster on AWS with customizations" content. This option might be useful if you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization.
|
|
<2> Specify the name used to tag any cloud resources that are created for tracking.
|
|
<3> Specify the AWS region in which cloud resources will be created.
|
|
<4> Specify the directory containing the files for the component `CredentialsRequest` objects.
|
|
<5> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
|
|
<6> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter.
|
|
====
|
|
+
|
|
.Google Cloud Platform (GCP)
|
|
[%collapsible]
|
|
====
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl gcp create-all \
|
|
--name=<name> \// <1>
|
|
--region=<gcp_region> \// <2>
|
|
--project=<gcp_project_id> \// <3>
|
|
--credentials-requests-dir=<path_to_credentials_requests_directory> \// <4>
|
|
--output-dir=<path_to_ccoctl_output_dir> <5>
|
|
----
|
|
<1> Specify the user-defined name for all created GCP resources used for tracking.
|
|
<2> Specify the GCP region in which cloud resources will be created.
|
|
<3> Specify the GCP project ID in which cloud resources will be created.
|
|
<4> Specify the directory containing the files of `CredentialsRequest` manifests to create GCP service accounts.
|
|
<5> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
|
|
====
|
|
+
|
|
.{ibm-cloud-title}
|
|
[%collapsible]
|
|
====
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl ibmcloud create-service-id \
|
|
--credentials-requests-dir=<path_to_credential_requests_directory> \// <1>
|
|
--name=<cluster_name> \// <2>
|
|
--output-dir=<installation_directory> \// <3>
|
|
--resource-group-name=<resource_group_name> <4>
|
|
----
|
|
<1> Specify the directory containing the files for the component `CredentialsRequest` objects.
|
|
<2> Specify the name of the {product-title} cluster.
|
|
<3> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
|
|
<4> Optional: Specify the name of the resource group used for scoping the access policies.
|
|
====
|
|
+
|
|
.Nutanix
|
|
[%collapsible]
|
|
====
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl nutanix create-shared-secrets \
|
|
--credentials-requests-dir=<path_to_credentials_requests_directory> \// <1>
|
|
--output-dir=<ccoctl_output_dir> \// <2>
|
|
--credentials-source-filepath=<path_to_credentials_file> <3>
|
|
----
|
|
<1> Specify the path to the directory that contains the files for the component `CredentialsRequests` objects.
|
|
<2> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
|
|
<3> Optional: Specify the directory that contains the credentials data YAML file. By default, `ccoctl` expects this file to be in `<home_directory>/.nutanix/credentials`.
|
|
====
|
|
+
|
|
For each `CredentialsRequest` object, `ccoctl` creates the required provider resources and a permissions policy as defined in each `CredentialsRequest` object from the {product-title} release image.
|
|
|
|
. Apply the secrets to your cluster by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ls <path_to_ccoctl_output_dir>/manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
|
|
----
|
|
|
|
.Verification
|
|
|
|
You can verify that the required provider resources and permissions policies are created by querying the cloud provider. For more information, refer to your cloud provider documentation on listing roles or service accounts.
|
|
|
|
.Next steps
|
|
|
|
* Update the `upgradeable-to` annotation to indicate that the cluster is ready to upgrade. |