OCPBUGS-58062#GCP credential fix #100900
=== Configuring a {gcp-short} cluster to use short-term credentials
To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the CCO utility and create the required {gcp-short} resources for your cluster.
To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the Cloud Credential Operator (CCO) utility and create the required {gcp-short} resources for your cluster. Cluster Operators use the credential requests created by the CCO. The installation program does not use these credential requests.
Drop the word requests in both uses. A credentialRequest is a custom resource definition that allows the various components to communicate to CCO how to create the resources (i.e., what permissions they require). The output of CCO is a) cluster resources (can be summarized as credentials) and b) corresponding manifests that the installer will apply to the cluster.
- To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the Cloud Credential Operator (CCO) utility and create the required {gcp-short} resources for your cluster. Cluster Operators use the credential requests created by the CCO. The installation program does not use these credential requests.
+ To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the Cloud Credential Operator (CCO) utility and create the required {gcp-short} resources for your cluster. Cluster Operators use the credentials created by the CCO. The installation program does not use these credentials.
modules/cco-ccoctl-configuring.adoc
* You have access to an {product-title} account with cluster administrator access.
* You have authenticated with a service account that uses a {gcp-short} virtual machine (VM) for your cluster installation.
* You have configured your cluster Operators with the CCO to use {gcp-short} Workload Identity.
Could you please explain why we need the above 2 prerequisites? I'm asking because I don't think they should be included in prerequisites. Thanks!
Hi @jianli-wei, in the 'Description' of https://issues.redhat.com/browse/OCPBUGS-58062, it lists these types of credentials as required. Should I remove this text completely or add it to a different part of the documentation?
Let's wait for Linh's comments, thanks!
@brendan-daly-red-hat Please see Linh's comment in the bug, and I suggest removing the two statements from the prerequisites. WDYT?
@jianli-wei, PTAL at the update to Configuring the Cloud Credential Operator utility based on Linh's comment in the bug. Thanks.
If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, see xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for GCP] for other options.
To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the Cloud Credential Operator (CCO) utility and create the required {gcp-short} resources for your cluster. For more information, see xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a {gcp-short} cluster to use short-term credentials].
Rather than adding this paragraph, how about updating the last paragraph as below?
If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-system namespace, see Configuring a Google Cloud cluster to use short-term credentials and/or Manually creating long-term credentials for GCP for other options.
Applied this change.
Before installing {product-title} on {gcp-first}, you must create a service account and configure a {gcp-short} project. See xref:../../installing/installing_gcp/installing-gcp-account.adoc#installing-gcp-account[Configuring a {gcp-short} project] for details about creating a project, enabling API services, configuring DNS, {gcp-short} account limits, and supported {gcp-short} regions.
If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, see xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for {gcp-short}] for other options.
If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, see xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-with-short-term-creds_installing-gcp-customizations[Configuring a {gcp-short} cluster to use short-term credentials], xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#manually-create-iam_installing-gcp-customizations[Manually creating long-term credentials for {gcp-short}], or both for other options.
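Review bot: in the rewritten "If the cloud identity and access management (IAM) APIs..." sentence, the closing "..., or both for other options" is hard to parse because "for other options" reads as attaching to "both" rather than to "see"; suggest leading with the purpose, e.g. "For other options, see [Configuring a {gcp-short} cluster to use short-term credentials], [Manually creating long-term credentials for {gcp-short}], or both." The two linked pages describe the two alternatives to storing the administrator-level secret in `kube-system`, so the sentence should make clear that either path avoids that secret.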
Suggest to replace "identity and access management" with "Identity and Access Management".
Applied this change.
modules/cco-ccoctl-configuring.adoc
.Prerequisites
* You have access to an {product-title} account with cluster administrator access.
* You have run the `ccoctl` utility, to ensure your cluster Operators authenticate with {gcp-short} APIs that use Workload Identity.
Running "ccoctl" isn't a prerequisite; instead, it is one of the steps, e.g. see the subsequent "3. Use the ccoctl tool to process all CredentialsRequest objects by running the following command".
Removed this prerequisite.
@brendan-daly-red-hat: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
@jianli-wei, PTAL
/label merge-review-needed
ShaunaDiaz
left a comment
/lgtm
/cherrypick enterprise-4.21
/cherrypick enterprise-4.20
/cherrypick enterprise-4.19
/cherrypick enterprise-4.18
/cherrypick enterprise-4.17
@ShaunaDiaz: new pull request created: #102673 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@ShaunaDiaz: new pull request created: #102674 In response to this:
@ShaunaDiaz: #100900 failed to apply on top of branch "enterprise-4.19": In response to this:
@ShaunaDiaz: #100900 failed to apply on top of branch "enterprise-4.18": In response to this:
@ShaunaDiaz: #100900 failed to apply on top of branch "enterprise-4.17": In response to this:
Looks like some manual CPs needed @brendan-daly-red-hat
Versions:
4.17+
Issue:
https://issues.redhat.com/browse/OCPBUGS-58062
Link to docs preview:
Requirements for installing OpenShift Container Platform on GCP
Configuring a Google Cloud cluster to use short-term credentials