CFE-712: Adds the procedure to configure AWS Load Balancer Operator on STS cluster by using predefined credentials #53666
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/5369
.Prerequisites | ||
|
||
* You must extract and prepare the `ccoctl` binary. |
This part is repeated in each sub chapter of Installing the AWS Load Balancer Operator on Secure Token Service cluster, maybe worth moving it to the very top to reduce the repetitive commands?
IMO, since this is part of a prerequisites section, we must keep it at the beginning of each chapter. But I can check once the peer-review process begins if we can eliminate the repetitive commands
|
||
* You must extract and prepare the `ccoctl` binary. | ||
|
||
.Procedure |
As the first step we need to retrieve the predefined credentials file, similar to what we did in the Bootstrapping ... chapter but from another directory:
$ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
Addressed
$ ccoctl aws create-iam-roles \ | ||
--name <name> --region=<aws_region> \ | ||
--credentials-requests-dir=hack/controller \ | ||
--identity-provider-arn <oidc-arn> |
$ ccoctl aws create-iam-roles \ | |
--name <name> --region=<aws_region> \ | |
--credentials-requests-dir=hack/controller \ | |
--identity-provider-arn <oidc-arn> | |
$ ccoctl aws create-iam-roles \ | |
--name <name> --region=<aws_region> \ | |
--credentials-requests-dir=<path-to-credrequests-dir> \ | |
--identity-provider-arn <oidc-arn> |
Addressed
--credentials-requests-dir=hack/controller \ | ||
--identity-provider-arn <oidc-arn> | ||
---- | ||
For each `CredentialsRequest` object, the `ccoctl` tool creates an IAM role with a trust policy. The trust policy contains the specified OIDC identity provider, and permissions policy as defined in each `CredentialsRequest` object. The `ccoctl` tool also generates a set of secrets in a `manifests` directory that the AWS Load Balancer Controller uses. |
We didn't mention these details before, maybe we can skip them this time too. ccoctl details can be discovered in its documentation.
Addressed
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token | ||
---- | ||
|
||
. Create the `aws-load-balancer-controller` resource YAML file, for example, `sample-aws-lb-predefined-creds.yaml`, as follows: |
. Create the `aws-load-balancer-controller` resource YAML file, for example, `sample-aws-lb-predefined-creds.yaml`, as follows: | |
. Create the `AWSLoadBalancerController` resource YAML file, for example, `sample-aws-lb-manual-creds.yaml`, as follows: |
Addressed
spec: | ||
credentials: <secret-name> <3> |
spec: | |
credentials: <secret-name> <3> | |
spec: | |
credentials: | |
name: <secret-name> <3> |
Addressed
spec: | ||
credentials: <secret-name> <3> | ||
---- | ||
<1> Defines the `aws-load-balancer-controller` resource. |
<1> Defines the `aws-load-balancer-controller` resource. | |
<1> Defines the `AWSLoadBalancerController` resource. |
Addressed
Noticed that we could do some more clarifications. Feel free to rephrase the suggestions, I just wanted to give an idea.
The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | ||
The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | ||
|
||
You can also configure the AWS Load Balancer Operator on the STS cluster by using predefined credentials. |
Maybe we can elaborate on this one because the reason to add the new configuration possibility was driven by the fact that the Cloud Credential Operator is not available in all the clusters. In the GitHub doc we mentioned this briefly. What do you think about something like this:
You can also configure the AWS Load Balancer Operator on the STS cluster by using predefined credentials. | |
In case the provisioning of the credentials secret should not be done by the Cloud Credential Operator, the `AWSLoadBalancerController` instance can be configured with explicitly specified credentials secret. |
Addressed
@@ -3,11 +3,11 @@ | |||
|
|||
:_content-type: PROCEDURE | |||
[id="nw-installing-albo-on-sts-cluster_{context}"] | |||
= Configuring AWS Load Balancer Operator on Secure Token Service cluster | |||
= Configuring AWS Load Balancer Operator on Secure Token Service cluster by using `CredentialsRequest` objects |
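Review bot: the new heading wording is inconsistent with the sibling section this PR adds ("Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials"): one heading uses the article "the" before "AWS Load Balancer Operator" and the other does not, so pick one form for both. Leaving the existing `[id="nw-installing-albo-on-sts-cluster_{context}"]` anchor unchanged while renaming the title is the right call, since existing cross-references to the section keep resolving.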
= Configuring AWS Load Balancer Operator on Secure Token Service cluster by using `CredentialsRequest` objects | |
= Configuring AWS Load Balancer Operator on Secure Token Service cluster by using managed `CredentialsRequest` objects |
Or maybe even managed by operator.
Addressed
[id="nw-installing-albo-on-sts-cluster-predefined-credentials_{context}"] | ||
= Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials | ||
|
||
You can use the predefined `CredentialsRequest` object by specifying the `spec.credential` field in the AWS load Balancer Controller custom resource (CR). |
You can use the predefined `CredentialsRequest` object by specifying the `spec.credential` field in the AWS load Balancer Controller custom resource (CR). | |
The credentials secret can be specified explicitly using the `spec.credentials` field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined controller's `CredentialsRequest` object to find out which roles are required by the controller. |
Addressed
|
||
.Procedure | ||
|
||
. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command: |
. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command: | |
. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command: |
Addressed
|
||
:_content-type: PROCEDURE | ||
[id="nw-installing-albo-on-sts-cluster-predefined-credentials_{context}"] | ||
= Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials |
= Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using predefined credentials | |
= Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using explicitly set credentials |
Addressed
/lgtm
@lihongan Please take a look at this PR at your leisure
Looks good. Thank you @xenolinux
/label peer-review-in-progress
@@ -8,12 +8,16 @@ toc::[] | |||
|
|||
You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster. | |||
|
|||
The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. | |||
The AWS Load Balancer Operator relies on `CredentialsRequest` to bootstrap the Operator and for each `AWSLoadBalancerController` instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the `ccoctl` binary. |
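Review bot: the sentence "The AWS Load Balancer Operator waits until the required secrets are created and available" carries a behavioural fact that matters when an install appears stalled: the Operator blocks until the secrets exist. If the sentence is reworded for active voice, keep that point explicit, for example "The AWS Load Balancer Operator does not proceed until you create the required secrets." The paragraph also states that the Cloud Credential Operator does not provision the secrets "in the STS cluster"; since this applies to the manual credentials mode used with STS rather than to every cluster, naming the mode would make the prerequisite clearer to readers coming from non-STS installs.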
The sentence "The AWS Load Balancer Operator waits until the required secrets are created and available." is passive voice. The problem is the phrase "are created". A possible rewrite could be: "The AWS Load Balancer Operator requires the secrets to be created and available for correct function."
Great work, Servesha! Only two very small suggestions for change. I am on peer review all week, reach out to me if you would like me to re-review tomorrow or (US) Friday, I am glad to do so.
$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {} | ||
---- | ||
|
||
. Verify that the credentials secret of the controller is created: |
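Review bot: `ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}` parses the output of `ls`, which is fragile for file names containing whitespace or glob characters and invokes one `oc apply` per file; iterating over the same glob directly, `for f in manifests/*-credentials.yaml; do oc apply -f "$f"; done`, gives identical behaviour without depending on `ls` formatting and keeps the selection limited to the `*-credentials.yaml` secrets that `ccoctl` generated.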
Suggestion: Instead of "Verify that the credentials secret of the controller is created:", replace with "Verify the credentials secret has been created for use by the controller:" See https://www.ibm.com/docs/en/ibm-style?topic=grammar-verbs under the heading "Voice" . (Please ping me if you have trouble seeing the IBM style guide.)
Addressed
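The verification step discussed above only confirms that the controller's credentials secret exists. As an added example (not from this PR or the openshift-docs project), the following shell check inspects the decoded `credentials` key of such a secret and confirms it describes web-identity (STS) authentication rather than long-lived static keys; it assumes the ccoctl-generated INI layout with a `[default]` profile, `role_arn` and `web_identity_token_file`, and the secret name and namespace in the usage comment are placeholders.

```shell
# Added example, not from the PR: validate the decoded `credentials` key of the
# controller's credentials secret on an STS cluster. Assumes the ccoctl-style
# INI layout ([default] profile with role_arn and web_identity_token_file);
# the token path is the one shown in the docs under review.
TOKEN_FILE=/var/run/secrets/openshift/serviceaccount/token

# Returns 0 when the credentials file describes web-identity (STS) auth only,
# 1 otherwise. Argument: the credentials file content as a single string.
check_sts_credentials() {
  creds=$1
  # The default profile must be declared.
  printf '%s\n' "$creds" | grep -q '^\[default\]$' || return 1
  # role_arn must look like an IAM role ARN with a 12-digit account id.
  printf '%s\n' "$creds" | grep -Eq '^role_arn *= *arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$' || return 1
  # The token must be the projected service account token the STS cluster mounts.
  printf '%s\n' "$creds" | grep -q "^web_identity_token_file *= *$TOKEN_FILE$" || return 1
  # Reject long-lived static keys: they bypass the OIDC trust policy entirely.
  printf '%s\n' "$creds" | grep -Eiq '^aws_(access_key_id|secret_access_key)' && return 1
  return 0
}

# Constructed sample secret contents; the account id and role name are placeholders.
GOOD_CREDS='[default]
role_arn = arn:aws:iam::123456789012:role/albo-controller-role
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token'

# Constructed sample that must be rejected: static keys instead of a role.
BAD_CREDS='[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = placeholder'

# Live usage against the secret named in spec.credentials.name of the
# AWSLoadBalancerController CR (<secret-name> and <namespace> are placeholders):
#   check_sts_credentials "$(oc get secret <secret-name> -n <namespace> \
#       -o jsonpath='{.data.credentials}' | base64 -d)"
```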
/label peer-review-completed
@GroceryBoyJr: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/label peer-review-done
…en Service cluster by using predefined credentials
New changes are detected. LGTM label has been removed.
/cherrypick enterprise-4.12
@snarayan-redhat: new pull request created: #53868 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Adds the procedure to configure AWS Load Balancer Operator on STS cluster by using predefined credentials
Version(s): 4.12+
Issue: https://issues.redhat.com/browse/CFE-712
Link to docs preview: https://53666--docspreview.netlify.app/openshift-enterprise/latest/networking/aws_load_balancer_operator/installing-albo-sts-cluster.html#nw-installing-albo-on-sts-cluster-predefined-credentials_albo-sts-cluster
QE review:
Additional information: