CFE-712: Adds the procedure to configure AWS Load Balancer Operator on STS cluster by using predefined credentials #53666
Conversation
openshift-ci
bot
added
the
size/S
xenolinux
changed the title
xenolinux
changed the title
|
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/5369 |
xenolinux
force-pushed
the
sts-api
branch
3 times, most recently
from
83640a4
to
4b34300
Compare
openshift-ci
bot
added
size/M
xenolinux
force-pushed
the
sts-api
branch
5 times, most recently
from
2994707
to
5295746
Compare
| .Prerequisites | ||
|
|
||
| * You must extract and prepare the `ccoctl` binary. |
There was a problem hiding this comment.
This part is repeated in each sub chapter of Installing the AWS Load Balancer Operator on Secure Token Service cluster, maybe worth moving it to the very top to reduce the repetitive commands?
There was a problem hiding this comment.
IMO, since this is part of a prerequisites section, we must keep it at the beginning of each chapter. But I can check once the peer-review process begins if we can eliminate the repetitive commands
|
|
||
| * You must extract and prepare the `ccoctl` binary. | ||
|
|
||
| .Procedure |
There was a problem hiding this comment.
As the first setp we need to retrieve the predefined credentials file, similar to what we did in Bootstraping ... chapter but from another directory:
$ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
| $ ccoctl aws create-iam-roles \ | ||
| --name <name> --region=<aws_region> \ | ||
| --credentials-requests-dir=hack/controller \ | ||
| --identity-provider-arn <oidc-arn> |
There was a problem hiding this comment.
| $ ccoctl aws create-iam-roles \ | |
| --name <name> --region=<aws_region> \ | |
| --credentials-requests-dir=hack/controller \ | |
| --identity-provider-arn <oidc-arn> | |
| $ ccoctl aws create-iam-roles \ | |
| --name <name> --region=<aws_region> \ | |
| --credentials-requests-dir=<path-to-credrequests-dir> \ | |
| --identity-provider-arn <oidc-arn> |
| --credentials-requests-dir=hack/controller \ | ||
| --identity-provider-arn <oidc-arn> | ||
| ---- | ||
| For each `CredentialsRequest` object, the `ccoctl` tool creates an IAM role with a trust policy. The trust policy contains the specified OIDC identity provider, and permissions policy as defined in each `CredentialsRequest` object. The `ccoctl` tool also generates a set of secrets in a `manifests` directory that the AWS Load Balancer Controller uses. |
There was a problem hiding this comment.
We didn't mention these details before, maybe we can skip them this time too. ccoctl details can be discovered in its documentation.
| web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token | ||
| ---- | ||
|
|
||
| . Create the `aws-load-balancer-controller` resource YAML file, for example, `sample-aws-lb-predefined-creds.yaml`, as follows: |
There was a problem hiding this comment.
| . Create the `aws-load-balancer-controller` resource YAML file, for example, `sample-aws-lb-predefined-creds.yaml`, as follows: | |
| . Create the `AWSLoadBalancerController` resource YAML file, for example, `sample-aws-lb-manual-creds.yaml`, as follows: |
| spec: | ||
| credentials: <secret-name> <3> |
There was a problem hiding this comment.
| spec: | |
| credentials: <secret-name> <3> | |
| spec: | |
| credentials: | |
| name: <secret-name> <3> |
| spec: | ||
| credentials: <secret-name> <3> | ||
| ---- | ||
| <1> Defines the `aws-load-balancer-controller` resource. |
There was a problem hiding this comment.
| <1> Defines the `aws-load-balancer-controller` resource. | |
| <1> Defines the `AWSLoadBalancerController` resource. |
| The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | ||
| The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | ||
|
|
||
| You can also configure the AWS Load Balancer Operator on the STS cluster by using predefined credentials. |
There was a problem hiding this comment.
Maybe we can elaborate on this one because the reason to add the new configuration possibility was driven by the fact that the Cloud Credential Operator is not available in all the clusters. In the GitHub doc we mentioned this briefly. What do you think about something like this:
| You can also configure the AWS Load Balancer Operator on the STS cluster by using predefined credentials. | |
| In case the provisioning of the credentials secret should not be done by the Cloud Credential Operator, the `AWSLoadBalancerController` instance can be configured with explicitly specified credentials secret. |
| @@ -3,11 +3,11 @@ | |||
|
|
|||
| :_content-type: PROCEDURE | |||
| [id="nw-installing-albo-on-sts-cluster_{context}"] | |||
| = Configuring AWS Load Balancer Operator on Secure Token Service cluster | |||
| = Configuring AWS Load Balancer Operator on Secure Token Service cluster by using `CredentialsRequest` objects | |||
There was a problem hiding this comment.
| = Configuring AWS Load Balancer Operator on Secure Token Service cluster by using `CredentialsRequest` objects | |
| = Configuring AWS Load Balancer Operator on Secure Token Service cluster by using managed `CredentialsRequest` objects |
There was a problem hiding this comment.
Or maybe even managed by operator.
| [id="nw-installing-albo-on-sts-cluster-predefined-credentials_{context}"] | ||
| = Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials | ||
|
|
||
| You can use the predefined `CredentialsRequest` object by specifying the `spec.credential` field in the AWS load Balancer Controller custom resource (CR). |
There was a problem hiding this comment.
| You can use the predefined `CredentialsRequest` object by specifying the `spec.credential` field in the AWS load Balancer Controller custom resource (CR). | |
| The credentials secret can be specified explicitly using the `spec.credentials` field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined controller's `CredentialsRequest` object to fin dout which roles are required by the controller. |
|
|
||
| .Procedure | ||
|
|
||
| . Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command: |
There was a problem hiding this comment.
| . Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command: | |
| . Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command: |
|
|
||
| :_content-type: PROCEDURE | ||
| [id="nw-installing-albo-on-sts-cluster-predefined-credentials_{context}"] | ||
| = Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials |
There was a problem hiding this comment.
| = Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials | |
| = Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using explicitly set credentials |
xenolinux
force-pushed
the
sts-api
branch
3 times, most recently
from
46b6eff
to
d02b32a
Compare
|
/lgtm |
|
@lihongan Please take a look at this PR at your leisure |
|
Looks good. Thank you @xenolinux |
xenolinux
added
the
peer-review-needed
|
/label peer-review-in-progress |
openshift-ci
bot
added
peer-review-in-progress
| @@ -8,12 +8,16 @@ toc::[] | |||
|
|
|||
| You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster. | |||
|
|
|||
| The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | |||
| The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | |||
There was a problem hiding this comment.
The sentence "The AWS Load Balancer Operator waits until the required secrets are created and available." is passive voice. The problem is the phrase "are created". A possible rewrite could be: "The AWS Load Balancer Operator requires the secrets to be created and available for correct function."
| $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {} | ||
| ---- | ||
|
|
||
| . Verify that the credentials secret of the controller is created: |
There was a problem hiding this comment.
Suggestion: Instead of "Verify that the credentials secret of the controller is created:", replace with "Verify the credentials secret has been created for use by the controller:" See https://www.ibm.com/docs/en/ibm-style?topic=grammar-verbs under the heading "Voice" . (Please ping me if you have trouble seeing the IBM style guide.)
|
/label peer-review-completed |
openshift-ci
bot
removed
the
peer-review-in-progress
|
@GroceryBoyJr: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/label peer-review-done |
openshift-ci
bot
added
the
peer-review-done
…en Service cluster by using predefined credentials
xenolinux
added
the
merge-review-needed
|
New changes are detected. LGTM label has been removed. |
snarayan-redhat
added
merge-review-in-progress
|
/cherrypick enterprise-4.12 |
|
@snarayan-redhat: new pull request created: #53868 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
xenolinux
changed the title
Adds the procedure to configure AWS Load Balancer Operator on STS cluster by using predefined credentials
Version(s): 4.12+
Issue: https://issues.redhat.com/browse/CFE-712
Link to docs preview: https://53666--docspreview.netlify.app/openshift-enterprise/latest/networking/aws_load_balancer_operator/installing-albo-sts-cluster.html#nw-installing-albo-on-sts-cluster-predefined-credentials_albo-sts-cluster
QE review:
Additional information: