mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
338 lines
10 KiB
Plaintext
// Module included in the following assemblies:
//
// * installing/installing_alibaba/installing-alibaba-default.adoc
// * installing/installing_alibaba/installing-alibaba-customizations.adoc
// * installing/installing_aws/manually-creating-iam.adoc
// * installing/installing_azure/manually-creating-iam-azure.adoc
// * installing/installing_gcp/manually-creating-iam-gcp.adoc
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc

ifeval::["{context}" == "installing-alibaba-default"]
:alibaba-default:
endif::[]
ifeval::["{context}" == "installing-alibaba-customizations"]
:alibaba-custom:
endif::[]
ifeval::["{context}" == "manually-creating-iam-aws"]
:aws:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "manually-creating-iam-azure"]
:azure:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "manually-creating-iam-gcp"]
:google-cloud-platform:
:cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-default"]
:ash:
:cco-manual-mode:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-network-customizations"]
:ash:
:cco-manual-mode:
endif::[]

:_content-type: PROCEDURE

//For providers that support multiple modes of operation
ifdef::cco-multi-mode[]
[id="manually-create-iam_{context}"]
= Manually create IAM
endif::cco-multi-mode[]

//For providers that only support manual mode
ifdef::cco-manual-mode[]
[id="manually-create-iam_{context}"]
= Manually manage cloud credentials
endif::cco-manual-mode[]

//For Alibaba Cloud, where the credential manifests are generated with ccoctl as part of the installation flow
ifdef::alibaba-default,alibaba-custom[]
[id="manually-create-manifests_{context}"]
= Generating the required installation manifests
endif::alibaba-default,alibaba-custom[]

//For providers that support multiple modes of operation
ifdef::cco-multi-mode[]
The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or where the administrator prefers not to store an administrator-level credential secret in the cluster `kube-system` namespace. In manual mode, each component receives only the credential that you create for it, scoped to the permissions listed in its `CredentialsRequest` object.
endif::cco-multi-mode[]

//For providers that only support manual mode
ifdef::cco-manual-mode[]
The Cloud Credential Operator (CCO) only supports your cloud provider in manual mode. As a result, you must create the identity and access management (IAM) secrets for your cloud provider yourself.
endif::cco-manual-mode[]

ifdef::alibaba-default,alibaba-custom[]
You must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.
endif::alibaba-default,alibaba-custom[]

.Procedure

ifdef::cco-multi-mode[]
. Change to the directory that contains the installation program and create the `install-config.yaml` file:
+
[source,terminal]
----
$ openshift-install create install-config --dir <installation_directory>
----
+
where `<installation_directory>` is the directory in which the installation program creates files.

. Edit the `install-config.yaml` configuration file so that it contains the `credentialsMode` parameter set to `Manual`.
+
.Example `install-config.yaml` configuration file
[source,yaml]
----
apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual <1>
compute:
- architecture: amd64
  hyperthreading: Enabled
...
----
<1> This line is added to set the `credentialsMode` parameter to `Manual`.
endif::cco-multi-mode[]

. Generate the manifests by running the following command from the directory that contains the installation program:
+
[source,terminal]
----
$ openshift-install create manifests --dir <installation_directory>
----
+
where:

`<installation_directory>`:: Specifies the directory in which the installation program creates files.

ifdef::alibaba-default,alibaba-custom[]
. Copy the generated credential files to the target manifests directory:
+
[source,terminal]
----
$ cp ./<path_to_ccoctl_output_dir>/manifests/*credentials.yaml ./<path_to_installation_dir>/manifests/
----
+
where:

`<path_to_ccoctl_output_dir>`:: Specifies the directory created by the `ccoctl alibabacloud create-ram-users` command.
`<path_to_installation_dir>`:: Specifies the directory in which the installation program creates files.
endif::alibaba-default,alibaba-custom[]

ifndef::alibaba-default,alibaba-custom[]
. From the directory that contains the installation program, obtain details of the {product-title} release image that your `openshift-install` binary is built to use:
+
[source,terminal]
----
$ openshift-install version
----
+
.Example output
[source,terminal]
----
release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64
----

. Locate all `CredentialsRequest` objects in this release image that target the cloud you are deploying on:
+
[source,terminal]
ifdef::custom[]
----
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=alibaba
----
endif::custom[]
ifdef::aws[]
----
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=aws
----
endif::aws[]
ifdef::azure,ash[]
----
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=azure
----
endif::azure,ash[]
ifdef::google-cloud-platform[]
----
$ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=gcp
----
endif::google-cloud-platform[]
+
This command creates a YAML file for each `CredentialsRequest` object.
+
ifdef::custom[]
.Sample `CredentialsRequest` object
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: openshift-image-registry-alibaba
  namespace: openshift-cloud-credential-operator
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
spec:
  secretRef:
    name: installer-cloud-credentials
    namespace: openshift-image-registry
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AlibabaCloudProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - oss:PutBucket
      ...
      resource: "*"
  serviceAccountNames:
  - cluster-image-registry-operator
  - registry
----
endif::custom[]
ifdef::aws[]
.Sample `CredentialsRequest` object
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cloud-credential-operator-iam-ro
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: cloud-credential-operator-iam-ro-creds
    namespace: openshift-cloud-credential-operator
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - iam:GetUser
      - iam:GetUserPolicy
      - iam:ListAccessKeys
      resource: "*"
----
endif::aws[]
ifdef::azure,ash[]
.Sample `CredentialsRequest` object
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: openshift-image-registry-azure
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: installer-cloud-credentials
    namespace: openshift-image-registry
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    roleBindings:
    - role: Contributor
----
endif::azure,ash[]
ifdef::google-cloud-platform[]
.Sample `CredentialsRequest` object
[source,yaml]
----
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: openshift-image-registry-gcs
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: installer-cloud-credentials
    namespace: openshift-image-registry
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/storage.admin
    - roles/iam.serviceAccountUser
    skipServiceCheck: true
----
endif::google-cloud-platform[]

ifdef::cco-manual-mode[]

. Remove the YAML file for any `CredentialsRequest` object that is in Technology Preview; if such a file is left in place, the installation fails. As of {product-version}, the only credential request in Technology Preview is for the `capi-operator`. To remove this request:
.. To list the credential request, run the following command from the directory that contains the extracted `CredentialsRequest` files:
+
[source,terminal]
----
$ grep "release.openshift.io/feature-gate" *
----
+
.Example output
[source,terminal]
----
0000_30_capi-operator_00_credentials-request.yaml: release.openshift.io/feature-gate: TechPreviewNoUpgrade
----
.. To remove the credential request, run the following command:
+
[source,terminal]
----
$ rm 0000_30_capi-operator_00_credentials-request.yaml
----
endif::cco-manual-mode[]

. Create YAML files for secrets in the `openshift-install` manifests directory that you generated previously. Each secret must use the namespace and secret name defined in `spec.secretRef` of the corresponding `CredentialsRequest` object, and should carry a credential limited to the permissions that object lists. The format of the secret data varies by cloud provider.

ifdef::cco-multi-mode[]
. From the directory that contains the installation program, proceed with your cluster creation:
+
[source,terminal]
----
$ openshift-install create cluster --dir <installation_directory>
----
endif::cco-multi-mode[]
+
[IMPORTANT]
====
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
====
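
As an added example that is not part of the OpenShift documentation, `openshift-install`, `ccoctl` or the Cloud Credential Operator, the following Python script performs the offline checks a practitioner would want to run on the manifests directory before `openshift-install create cluster`: it drops `CredentialsRequest` objects gated by a `release.openshift.io/feature-gate` annotation, derives the expected `spec.secretRef` locations, and reports any secret that is missing, duplicated, unreferenced by a request, or placed in `kube-system`, the root-credential location that manual mode is meant to avoid. It operates on the dicts that `yaml.safe_load()` returns for the files in the directory; the sample objects, the Technology Preview request's `secretRef` values (`capi-operator-credentials` in `openshift-cluster-api`) and the AWS-format secret data keys are assumptions constructed for this example.

```python
"""Offline consistency checks for a manual-mode CCO manifests directory.

Added example for this page; not code from the OpenShift docs, openshift-install,
ccoctl or the Cloud Credential Operator. All objects are the dicts that
yaml.safe_load() returns for the extracted CredentialsRequest files and for the
Secret manifests you write by hand. The sample objects are constructed; the
Technology Preview request's secretRef values and the Secret data keys
(AWS format: aws_access_key_id / aws_secret_access_key) are assumptions.
"""
from __future__ import annotations

import glob
import os

FEATURE_GATE_ANNOTATION = "release.openshift.io/feature-gate"
ROOT_CREDENTIAL_NAMESPACE = "kube-system"  # where non-manual modes keep the admin credential


def secret_ref(req: dict) -> tuple[str, str]:
    """(namespace, name) from spec.secretRef: where the component expects its secret."""
    ref = req["spec"]["secretRef"]
    return ref["namespace"], ref["name"]


def is_tech_preview(req: dict) -> bool:
    """True when the request carries a release.openshift.io/feature-gate annotation."""
    annotations = req.get("metadata", {}).get("annotations") or {}
    return FEATURE_GATE_ANNOTATION in annotations


def filter_requests(objs: list[dict]) -> list[dict]:
    """Keep CredentialsRequest objects that are not Technology Preview; the docs
    require the gated ones to be removed before `create cluster`."""
    return [o for o in objs if o.get("kind") == "CredentialsRequest" and not is_tech_preview(o)]


def secret_skeleton(req: dict, string_data: dict[str, str]) -> dict:
    """Secret manifest for one request: name and namespace from spec.secretRef,
    provider-specific data keys supplied by the caller."""
    namespace, name = secret_ref(req)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "stringData": dict(string_data),
    }


def check_manifests(reqs: list[dict], objs: list[dict]) -> list[str]:
    """Sorted list of problems (empty when consistent): each request has exactly
    one Secret at its secretRef, no Secret is unreferenced, none is in kube-system."""
    expected = {secret_ref(r) for r in reqs}
    present: dict[tuple[str, str], int] = {}
    for o in objs:
        if o.get("kind") != "Secret":
            continue
        key = (o["metadata"]["namespace"], o["metadata"]["name"])
        present[key] = present.get(key, 0) + 1
    problems = [f"missing Secret {ns}/{name}" for ns, name in expected - set(present)]
    for (ns, name), count in present.items():
        if count > 1:
            problems.append(f"duplicate Secret {ns}/{name} ({count} copies)")
        if ns == ROOT_CREDENTIAL_NAMESPACE:
            problems.append(f"Secret {ns}/{name} is in {ns}: manual mode should not ship a root credential there")
        if (ns, name) not in expected:
            problems.append(f"Secret {ns}/{name} is not referenced by any CredentialsRequest")
    return sorted(problems)


def load_manifests(path: str) -> list[dict]:
    """Load every YAML document in <path>/*.yaml. Needs PyYAML, imported lazily so
    the dict-based functions above stay dependency-free."""
    import yaml
    docs: list[dict] = []
    for fname in sorted(glob.glob(os.path.join(path, "*.yaml"))):
        with open(fname, encoding="utf-8") as fh:
            docs.extend(d for d in yaml.safe_load_all(fh) if isinstance(d, dict))
    return docs


# Constructed sample: two requests shaped like the documented ones, plus a
# Technology Preview request for capi-operator (its secretRef is a placeholder).
SAMPLE_REQUESTS = [
    {"apiVersion": "cloudcredential.openshift.io/v1", "kind": "CredentialsRequest",
     "metadata": {"name": "openshift-image-registry", "namespace": "openshift-cloud-credential-operator"},
     "spec": {"secretRef": {"name": "installer-cloud-credentials", "namespace": "openshift-image-registry"}}},
    {"apiVersion": "cloudcredential.openshift.io/v1", "kind": "CredentialsRequest",
     "metadata": {"name": "cloud-credential-operator-iam-ro", "namespace": "openshift-cloud-credential-operator"},
     "spec": {"secretRef": {"name": "cloud-credential-operator-iam-ro-creds",
                            "namespace": "openshift-cloud-credential-operator"}}},
    {"apiVersion": "cloudcredential.openshift.io/v1", "kind": "CredentialsRequest",
     "metadata": {"name": "capi-operator", "namespace": "openshift-cloud-credential-operator",
                  "annotations": {FEATURE_GATE_ANNOTATION: "TechPreviewNoUpgrade"}},
     "spec": {"secretRef": {"name": "capi-operator-credentials", "namespace": "openshift-cluster-api"}}},
]
# Placeholder AWS-format data; real values are per-component, least-privilege keys.
PLACEHOLDER_DATA = {"aws_access_key_id": "<key id>", "aws_secret_access_key": "<secret>"}
SAMPLE_SECRETS = [secret_skeleton(r, PLACEHOLDER_DATA) for r in filter_requests(SAMPLE_REQUESTS)]

if __name__ == "__main__":
    kept = filter_requests(SAMPLE_REQUESTS)
    print("kept requests:", [r["metadata"]["name"] for r in kept])
    print("problems:", check_manifests(kept, SAMPLE_SECRETS) or "none")
    # Against a real tree: objs = load_manifests("<installation_directory>/manifests")
```

Against a real installation directory, call `load_manifests()` on the `manifests` subdirectory and pass the result both as the request list (after `filter_requests()`) and as the object list to `check_manifests()`; a non-empty result means the cluster would either fail to install or start with a credential layout you did not intend.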

endif::alibaba-default,alibaba-custom[]

ifeval::["{context}" == "installing-alibaba-default"]
:!alibaba-default:
endif::[]
ifeval::["{context}" == "installing-alibaba-customizations"]
:!alibaba-custom:
endif::[]
ifeval::["{context}" == "manually-creating-iam-aws"]
:!aws:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "manually-creating-iam-azure"]
:!azure:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "manually-creating-iam-gcp"]
:!google-cloud-platform:
:!cco-multi-mode:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-default"]
:!ash:
:!cco-manual-mode:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-network-customizations"]
:!ash:
:!cco-manual-mode:
endif::[]