openshift-docs/installing/installing_aws/ipi/installing-aws-customizations.adoc

:_mod-docs-content-type: ASSEMBLY
include::_attributes/common-attributes.adoc[]
[id="installing-aws-customizations"]
= Installing a cluster on {aws-short} with customizations
:context: installing-aws-customizations
:platform: AWS

toc::[]

In {product-title} version {product-version}, you can install a cluster on {aws-first} by using installer-provisioned infrastructure with customizations, including network configuration options. In each, you modify parameters in the `install-config.yaml` file before you install the cluster.

By customizing your network configuration, your cluster can coexist with existing IP address allocations in your environment and integrate with existing MTU and VXLAN configurations.

You must set most of the network configuration parameters during installation, and you can modify only `kubeProxy` configuration parameters in a running cluster.

[NOTE]
====
The scope of the {product-title} installation configurations is intentionally narrow. It is designed for simplicity and ensured success. You can complete many more {product-title} configuration tasks after an installation completes.
====

== Prerequisites

* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
* You xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster.
+
[IMPORTANT]
====
If you have an {aws-short} profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current {aws-short} credentials to create {aws-short} resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the {aws-short} documentation. You can supply the keys when you run the installation program.
====
* If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.

include::modules/installation-aws-marketplace-subscribe.adoc[leveloffset=+1]

include::modules/nw-network-config.adoc[leveloffset=+1]

include::modules/installation-initializing.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources

* xref:../../../installing/installing_aws/installation-config-parameters-aws.adoc#installation-config-parameters-aws[Installation configuration parameters for {aws-short}]

include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources

* xref:../../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]

include::modules/installation-aws-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-aws-arm-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-aws-config-yaml-customizations.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources

* xref:../../../installing/installing_aws/installation-config-parameters-aws.adoc#installation-config-parameters-aws[Installation configuration parameters for {aws-short}]

include::modules/installation-configure-proxy.adoc[leveloffset=+2]

[id="installing-aws-manual-modes_{context}"]
== Alternatives to storing administrator-level secrets in the kube-system project

By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:

* To manage long-term cloud credentials manually, follow the procedure in xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[Manually creating long-term credentials].

* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[Configuring an {aws-short} cluster to use short-term credentials].

//Manually creating long-term credentials
include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]

//Supertask: Configuring an AWS cluster to use short-term credentials
[id="installing-aws-with-short-term-creds_{context}"]
=== Configuring an {aws-short} cluster to use short-term credentials

To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.

//Task part 1: Configuring the Cloud Credential Operator utility
include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]

//Task part 2: Creating the required AWS resources
[id="sts-mode-create-aws-resources-ccoctl_{context}"]
==== Creating {aws-short} resources with the Cloud Credential Operator utility

You have the following options when creating {aws-short} resources:

* You can use the `ccoctl aws create-all` command to create the {aws-short} resources automatically. This is the quickest way to create the resources. See xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-creating-at-once_installing-aws-customizations[Creating {aws-short} resources with a single command].

* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the {aws-short} resources individually. See xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#cco-ccoctl-creating-individually_installing-aws-customizations[Creating {aws-short} resources individually].

//Task part 2a: Creating the required AWS resources all at once
include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4]

//Task part 2b: Creating the required AWS resources individually
include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4]

//Task part 3: Incorporating the Cloud Credential Operator utility manifests
include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

// Network Operator specific configuration
include::modules/nw-operator-cr.adoc[leveloffset=+1]

include::modules/nw-modifying-operator-install-config.adoc[leveloffset=+1]

[NOTE]
====
For more information on using a Network Load Balancer (NLB) on {aws-short}, see xref:../../../networking/ingress_load_balancing/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-aws.adoc#nw-configuring-ingress-cluster-traffic-aws-network-load-balancer_configuring-ingress-cluster-traffic-aws[Configuring Ingress cluster traffic on {aws-short} using a Network Load Balancer].
====

include::modules/nw-aws-nlb-new-cluster.adoc[leveloffset=+1]

include::modules/configuring-hybrid-ovnkubernetes.adoc[leveloffset=+1]

include::modules/installation-launching-installer.adoc[leveloffset=+1]

include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources

* xref:../../../web_console/web-console.adoc#web-console[Accessing the web console]

== Next steps

* xref:../../../installing/validation_and_troubleshooting/validating-an-installation.adoc#validating-an-installation[Validating an installation].
* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
* If necessary, you can xref:../../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].
* If necessary, you can xref:../../../post_installation_configuration/changing-cloud-credentials-configuration.adoc#manually-removing-cloud-creds_changing-cloud-credentials-configuration[remove cloud provider credentials].