OCPBUGS-15609: docs - add AWS CLI commands for STS instructions #97
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is invalid:
Comment In response to this:
/jira refresh |
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is invalid:
Comment In response to this:
/jira refresh |
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is invalid:
Comment In response to this:
/jira refresh |
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
@alebedev87: This pull request references Jira Issue OCPBUGS-15609, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
/assign |
secret needs to be provisioned manually. The **aws-load-balancer-operator** will wait until the required | ||
secret is created and available before spawning the **aws-load-balancer-controller** pod. | ||
|
||
#### Pre-Requisites | ||
### Post operator installation |
Just add a little intro. Something like this, but tweak to make it correct.
### Post operator installation | |
### Post operator installation | |
There are three ways to manually create the required `CredentialsRequest`s. You can use the `ccoctl` binary on ____, but not on MacOS. Use the `ccoctl` binary to to use the `CredentialsRequest` created by the operator, or use a predefined Secret. Use the AWS CLI to create a predefined Secret if you prefer not to use `ccoctl`, or are running the process on MacOS. |
An intro is added.
docs/install.md
Outdated
In case the provisioning of the credentials secret should not be done by the **cloud-credential-operator**, the secret can to be explicitly referenced in `AWSLoadBalancerController` CR, see [credentials.name field description](./tutorial.md#credentialsname). | ||
The credentials secret needs to reference a role with all the policies needed by the controller. There are multiple options of how to create the credentials secret. |
In case the provisioning of the credentials secret should not be done by the **cloud-credential-operator**, the secret can to be explicitly referenced in `AWSLoadBalancerController` CR, see [credentials.name field description](./tutorial.md#credentialsname). | |
The credentials secret needs to reference a role with all the policies needed by the controller. There are multiple options of how to create the credentials secret. | |
In some cases, the provisioning of the credentials secret cannot be done by the **cloud-credential-operator**, e.g. on the MacOS. Instead, the secret can be explicitly referenced in the `AWSLoadBalancerController` CR, see [credentials.name field description](./tutorial.md#credentialsname). | |
The credentials secret needs to reference a role with all the policies needed by the controller. | |
There are two options for creating the credentials secret. Use Option 1 with `ccoctl`, or Option 2 with the AWS CLI. |
Applied with some edits.
|
||
CR_FILE="${1:-operator-credentials-request.yaml}" | ||
POLICY_FILE="${2:-operator-permission-policy.json}" | ||
YQ_BIN="go run github.com/mikefarah/yq/v4" |
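Review bot: On the `YQ_BIN="go run github.com/mikefarah/yq/v4"` line, the module path carries no `@version` suffix, so the yq that actually runs is whatever the repository's go.mod resolves, which these lines do not show. Please confirm yq is pinned there, or add an explicit version here, so that the generated permission policy is reproducible and does not change with an upstream release. Because `YQ_BIN` holds a multi-word command, it also has to be expanded unquoted wherever it is used; a comment saying so, or a small wrapper function, would keep a later edit from quoting it and breaking the script.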
Does the user already have access to the `go` binary?
This script is run as a part of `make generate` rule which is used during the building of the operator binary. So, it's assumed that the user has `go` toolchain.
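An added example, not code from this PR or the operator repository: a Python sketch of the conversion that a script taking `CR_FILE` and producing `POLICY_FILE` has to perform, mapping a `CredentialsRequest`'s `statementEntries` onto an IAM permission policy document. The sample request, its actions and the `wildcard_actions` review helper are constructed for illustration, and the YAML is assumed to be already parsed into a dict.

```python
import json

# Constructed sample: a CredentialsRequest already parsed from YAML into a dict.
# The name and the actions are illustrative, not taken from the repository.
SAMPLE_CR = {
    "kind": "CredentialsRequest",
    "metadata": {"name": "example-operator"},
    "spec": {"providerSpec": {
        "kind": "AWSProviderSpec",
        "statementEntries": [
            {"effect": "Allow", "resource": "*",
             "action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs"]},
            {"effect": "Allow", "resource": "*",
             "action": ["ec2:CreateTags"],
             "policyCondition": {"StringEquals": {"aws:RequestTag/example": "true"}}},
        ],
    }},
}


def credentials_request_to_policy(cr):
    """Map AWSProviderSpec statementEntries onto an IAM permission policy."""
    spec = cr.get("spec", {}).get("providerSpec", {})
    if spec.get("kind") != "AWSProviderSpec":
        raise ValueError("not an AWS CredentialsRequest")
    statements = []
    for entry in spec.get("statementEntries", []):
        # IAM expects capitalised keys; the CredentialsRequest uses lower case.
        stmt = {"Effect": entry["effect"], "Action": entry["action"],
                "Resource": entry["resource"]}
        if entry.get("policyCondition"):
            stmt["Condition"] = entry["policyCondition"]
        statements.append(stmt)
    if not statements:
        raise ValueError("CredentialsRequest grants no permissions")
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(policy):
    """List Allow actions containing '*', for a least-privilege review."""
    found = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Allow":
            found += [a for a in actions if "*" in a]
    return found


if __name__ == "__main__":
    print(json.dumps(credentials_request_to_policy(SAMPLE_CR), indent=2))
```

Running `wildcard_actions` on the generated document before it is passed to the AWS CLI gives a quick check that the role is not granted more than the request lists.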
c8e8d19 to 6142b3c
Remove unnecessary diff introduced by a wrong indent in |
After creating a ROSA STS cluster and following the steps, both the aws lb operator pods and the aws lb controller pod are created successfully. ` NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE NAME READY UP-TO-DATE AVAILABLE AGE NAME DESIRED CURRENT READY AGE |
docs/install.md
Outdated
|
||
#### [Extract and prepare the `ccoctl` binary](https://docs.openshift.com/container-platform/4.11/authentication/managing_cloud_provider_credentials/cco-mode-sts.html#cco-ccoctl-configuring_cco-mode-sts) | ||
The generated credentials secret can either be awaited by the controller pod already or can be configured in the credentials field of the AWSLoadBalancerController prior to creating the controller. |
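Review bot: The heading link to the `ccoctl` instructions is pinned to the 4.11 documentation (`/container-platform/4.11/` in the URL). Readers on another release may end up following steps written for a different `ccoctl` version; consider stating which release the link applies to, or pointing at the documentation that matches the versions this operator supports.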
It's not clear what "awaited by the controller pod already" means here.
Rephrased to:
The controller pod will wait for the generated credentials secret if `AWSLoadBalancerController` already exists or it can be configured in the `credentials` field of `AWSLoadBalancerController` before its creation.
docs/install.md
Outdated
- Using a pre-defined `CredentialsRequest` from this repository for an `AWSLoadBalancerController` that has not yet been created. | ||
- Employing AWS CLI commands for an `AWSLoadBalancerController` that has not yet been created. |
I'm not sure what happened here, but this doesn't match the titles of the three ways you listed below, which are something like:
- Use CredentialsRequest created by the operator
- Use a Predefined Secret and ccoctl
- Use a Predefined Secret and the AWS CLI
Rephrased to better match the titles.
My idea was to keep it focused on the functional aspect - creation of the IAM resources. The choice of the concrete client (`ccoctl` or `aws`) was supposed to be a technical detail to be described down the document.
61b55fe to 791e160
791e160 to 943c6a6
@alebedev87: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: candita The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/docs-approved |
@alebedev87: Jira Issue OCPBUGS-15609: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-15609 has been moved to the MODIFIED state. In response to this:
This PR updates the documentation about the manual configuration for STS clusters. The main goal is to provide AWS CLI commands as alternative to `ccoctl` commands because the latter
Makefile's `generate` target is updated to generate the missing permission policy for the operator. This permission policy is required by AWS to create an IAM role.
Manual test on ROSA STS cluster: