mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
209 lines
7.2 KiB
Plaintext
209 lines
7.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * installing/installing_ibm_cloud/installing-ibm-cloud-customizations.adoc
|
|
// * installing/installing_ibm_cloud/installing-ibm-cloud-network-customizations.adoc
|
|
// * installing/installing_ibm_cloud/installing-ibm-cloud-vpc.adoc
|
|
// * installing/installing_ibm_cloud/installing-ibm-cloud-private.adoc
|
|
// * installing/installing_ibm_powervs/installing-ibm-power-vs-customizations.adoc
|
|
// * installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc
|
|
// * installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc
|
|
// * installing/installing_ibm_powervs/installing-ibm-powervs-vpc.adoc
|
|
// * installing/installing_ibm_cloud/installing-ibm-cloud-restricted.adoc
|
|
|
|
ifeval::["{context}" == "installing-ibm-cloud-customizations"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-vpc"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-private"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-power-vs-customizations"]
|
|
:ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-power-vs-private-cluster"]
|
|
:ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-power-vs"]
|
|
:ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-powervs-vpc"]
|
|
:ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-restricted"]
|
|
:ibm-vpc:
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="manually-create-iam-ibm-cloud_{context}"]
|
|
= Manually creating IAM
|
|
|
|
Installing the cluster requires that the Cloud Credential Operator (CCO) operate in manual mode. While the installation program configures the CCO for manual mode, you must specify the identity and access management secrets for you cloud provider.
|
|
|
|
You can use the Cloud Credential Operator (CCO) utility (`ccoctl`) to create the required {ibm-cloud-name} resources.
|
|
|
|
.Prerequisites
|
|
|
|
* You have configured the `ccoctl` binary.
|
|
* You have an existing `install-config.yaml` file.
|
|
|
|
.Procedure
|
|
|
|
. Edit the `install-config.yaml` configuration file so that it contains the `credentialsMode` parameter set to `Manual`.
|
|
+
|
|
.Example `install-config.yaml` configuration file
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
baseDomain: cluster1.example.com
|
|
credentialsMode: Manual <1>
|
|
compute:
|
|
ifdef::ibm-vpc[]
|
|
- architecture: amd64
|
|
endif::ibm-vpc[]
|
|
ifdef::ibm-power-vs[]
|
|
- architecture: ppc64le
|
|
endif::ibm-power-vs[]
|
|
hyperthreading: Enabled
|
|
----
|
|
<1> This line is added to set the `credentialsMode` parameter to `Manual`.
|
|
|
|
. To generate the manifests, run the following command from the directory that contains the installation program:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ./openshift-install create manifests --dir <installation_directory>
|
|
----
|
|
|
|
. From the directory that contains the installation program, set a `$RELEASE_IMAGE` variable with the release image from your installation file by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
|
|
----
|
|
|
|
. Extract the list of `CredentialsRequest` custom resources (CRs) from the {product-title} release image by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc adm release extract \
|
|
--from=$RELEASE_IMAGE \
|
|
--credentials-requests \
|
|
--included \// <1>
|
|
--install-config=<path_to_directory_with_installation_configuration>/install-config.yaml \// <2>
|
|
--to=<path_to_directory_for_credentials_requests> <3>
|
|
----
|
|
<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires.
|
|
<2> Specify the location of the `install-config.yaml` file.
|
|
<3> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it.
|
|
+
|
|
This command creates a YAML file for each `CredentialsRequest` object.
|
|
+
|
|
.Sample `CredentialsRequest` object
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
labels:
|
|
controller-tools.k8s.io: "1.0"
|
|
name: openshift-image-registry-ibmcos
|
|
namespace: openshift-cloud-credential-operator
|
|
spec:
|
|
secretRef:
|
|
name: installer-cloud-credentials
|
|
namespace: openshift-image-registry
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: IBMCloudProviderSpec
|
|
policies:
|
|
- attributes:
|
|
- name: serviceName
|
|
value: cloud-object-storage
|
|
roles:
|
|
- crn:v1:bluemix:public:iam::::role:Viewer
|
|
- crn:v1:bluemix:public:iam::::role:Operator
|
|
- crn:v1:bluemix:public:iam::::role:Editor
|
|
- crn:v1:bluemix:public:iam::::serviceRole:Reader
|
|
- crn:v1:bluemix:public:iam::::serviceRole:Writer
|
|
- attributes:
|
|
- name: resourceType
|
|
value: resource-group
|
|
roles:
|
|
- crn:v1:bluemix:public:iam::::role:Viewer
|
|
----
|
|
|
|
. Create the service ID for each credential request, assign the policies defined, create an API key, and generate the secret:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ ccoctl ibmcloud create-service-id \
|
|
--credentials-requests-dir=<path_to_credential_requests_directory> \// <1>
|
|
--name=<cluster_name> \// <2>
|
|
--output-dir=<installation_directory> \// <3>
|
|
--resource-group-name=<resource_group_name> <4>
|
|
----
|
|
<1> Specify the directory containing the files for the component `CredentialsRequest` objects.
|
|
<2> Specify the name of the {product-title} cluster.
|
|
<3> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
|
|
<4> Optional: Specify the name of the resource group used for scoping the access policies.
|
|
+
|
|
--
|
|
[NOTE]
|
|
====
|
|
If your cluster uses Technology Preview features that are enabled by the `TechPreviewNoUpgrade` feature set, you must include the `--enable-tech-preview` parameter.
|
|
|
|
If an incorrect resource group name is provided, the installation fails during the bootstrap phase. To find the correct resource group name, run the following command:
|
|
|
|
ifdef::ibm-vpc[]
|
|
[source,terminal]
|
|
----
|
|
$ grep resourceGroupName <installation_directory>/manifests/cluster-infrastructure-02-config.yml
|
|
----
|
|
endif::ibm-vpc[]
|
|
ifdef::ibm-power-vs[]
|
|
[source,terminal]
|
|
----
|
|
$ grep resourceGroup <installation_directory>/manifests/cluster-infrastructure-02-config.yml
|
|
----
|
|
endif::ibm-power-vs[]
|
|
====
|
|
--
|
|
|
|
.Verification
|
|
|
|
* Ensure that the appropriate secrets were generated in your cluster's `manifests` directory.
|
|
|
|
ifeval::["{context}" == "installing-ibm-cloud-customizations"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-vpc"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-private"]
|
|
:!ibm-vpc:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-power-vs-customizations"]
|
|
:!ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-power-vs-private-cluster"]
|
|
:!ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-power-vs"]
|
|
:!ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-powervs-vpc"]
|
|
:!ibm-power-vs:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-cloud-restricted"]
|
|
:!ibm-vpc:
|
|
endif::[]
|