docs/aws-sts-provisioning.md
Lines changed: 9 additions & 2 deletions
@@ -1,6 +1,6 @@
1
1
# Provisioning AWS STS Clusters
2
2
3
-
It is possible to use Hive to provision clusters configured to use Amazon's Security Token Service, where cluster components use short lived credentials that are rotated frequently, and the cluster does not have an admin level AWS credential. This feature was added to the in-cluster OpenShift components in 4.7, see documentation [here](https://docs.openshift.com/container-platform/4.7/authentication/managing_cloud_provider_credentials/cco-mode-sts.html).
3
+
It is possible to use Hive to provision clusters configured to use Amazon's Security Token Service, where cluster components use short lived credentials that are rotated frequently, and the cluster does not have an admin level AWS credential. This feature was added to the in-cluster OpenShift components in 4.20, see documentation [here](https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/authentication_and_authorization/managing-cloud-provider-credentials#cco-short-term-creds).
4
4
5
5
At present Hive does not automate the STS setup, rather we assume the user configures STS components manually and provides information to Hive. The following instructions refer to the `ccoctl` tool. This tool can be extracted from the OpenShift release image. See steps below.
6
6
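Review bot: changing "added to the in-cluster OpenShift components in 4.7" to "in 4.20" in the replaced line at the top of this hunk turns a link refresh into a factual change about when the feature shipped; if the intent is only to point readers at current documentation, keep the original version in the sentence and update just the URL, e.g. "This feature was added to the in-cluster OpenShift components in 4.7; see the current documentation [here](https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/authentication_and_authorization/managing-cloud-provider-credentials#cco-short-term-creds)". While the line is being touched, "short lived" and "admin level" should be hyphenated as compound modifiers ("short-lived credentials", "admin-level AWS credential").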
@@ -31,7 +31,7 @@ chmod u+x ccoctl
31
31
32
32
## Setup STS Infrastructure
33
33
34
-
Create AWS resources using the [ccoctl](ccoctl.md#steps-create) tool (you will need aws credentials with sufficient permissions). The command below will generate public/private ServiceAccount signing keys, create the S3 bucket (with public read-only access), upload the OIDC config into the bucket, set up an IAM Identity Provider that trusts that bucket configuration, and create IAM Roles for each AWS CredentialsRequest extracted above. It will also dump the files needed by the installer in the `_output` directory. Installation secret manifests will be found within `_output/manifests`.
34
+
Create AWS resources using the ccoctl tool (you will need aws credentials with sufficient permissions). The command below will generate public/private ServiceAccount signing keys, create the S3 bucket (with public read-only access), upload the OIDC config into the bucket, set up an IAM Identity Provider that trusts that bucket configuration, and create IAM Roles for each AWS CredentialsRequest extracted above. It will also dump the files needed by the installer in the `_output` directory. Installation secret manifests will be found within `_output/manifests`.
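Review bot: dropping the `[ccoctl](ccoctl.md#steps-create)` link in the replaced line removes the only pointer to the ccoctl setup steps while the sentence still tells the reader to use "the ccoctl tool"; if `ccoctl.md` no longer exists, point to the extraction steps this file already mentions ("See steps below" in the intro) or to the upstream ccoctl documentation rather than leaving the name bare. Because the same sentence mentions generating "public/private ServiceAccount signing keys" right next to creating an S3 bucket "with public read-only access", consider stating explicitly which artifacts land in the publicly readable bucket (the OIDC configuration) and which stay local in `_output` for the installer, so readers do not assume the private signing key becomes publicly readable.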
@@ -54,3 +54,10 @@ Create a ClusterDeployment normally with the following changes:
54
54
1. In your ClusterDeployment set `spec.boundServiceAccountSigningKeySecretRef.name` to point to the Secret created above (`bound-service-account-signing-key`).
55
55
1. In your ClusterDeployment set `spec.provisioning.manifestsSecretRef` to point to the Secret created above (`cluster-manifests`).
56
56
1. Create your ClusterDeployment + InstallConfig to provision your STS cluster.
57
+
58
+
## Note: Cleanup AWS resources after uninstalling the cluster
59
+
Make sure you clean up the following resources after you uninstall your cluster. To delete resources created by ccoctl, run
where name is the name used to tag and account any cloud resources that were created, and region is the aws region in which cloud resources were created.
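Review bot: the added text reads "To delete resources created by ccoctl, run" and then continues directly with "where name is ... and region is ...", so as shown here no command sits between them and "the following resources" lists nothing; make sure the delete command is present in the rendered file with its name and region flags spelled out, and either enumerate what must be removed (the IAM Identity Provider, the IAM Roles and the S3 bucket created in the setup section above) or drop "the following resources". It is worth saying why this matters: the IAM Roles and Identity Provider created during setup keep trusting the bucket's OIDC configuration until they are deleted. Style: the heading "## Note: Cleanup AWS resources after uninstalling the cluster" reads better as "## Cleaning up AWS resources after uninstalling the cluster", and "aws region" should be "AWS region".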
docs/hiveutil.md
Lines changed: 25 additions & 0 deletions
@@ -15,6 +15,31 @@ To view what `create-cluster` generates, *without* submitting it to the API serv
15
15
16
16
`--release-image` can be specified to control which OpenShift release image to use.
17
17
18
+
#### Pull Secret
19
+
20
+
A pull secret is required for all cluster deployments. The pull secret can be obtained from https://console.redhat.com/openshift/install/pull-secret.
21
+
22
+
The `create-cluster` command will look for the pull secret in the following order of precedence:
23
+
24
+
1.`PULL_SECRET` environment variable
25
+
2.`--pull-secret` command line parameter (pull secret content as a string)
26
+
3.`--pull-secret-file` command line parameter (path to file containing pull secret)
27
+
4. Default file location: `~/.pull-secret` (if the file exists)
28
+
29
+
If none of these are provided and no global pull secret is configured in HiveConfig, the cluster deployment will be created but installation will fail with an error about missing pull secret.
30
+
31
+
**Best Practice:** Save your pull secret to `~/.pull-secret` for convenient reuse:
32
+
33
+
```bash
34
+
# Download pull secret from console.redhat.com and save it
35
+
cat >~/.pull-secret << 'EOF'
36
+
{"auths":{"xxxx":{"auth":"...","email":"..."}}}
37
+
EOF
38
+
39
+
# Or specify it explicitly when creating a cluster
Credentials will be read from your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. If the environment variables are missing or empty, then `create-cluster` will look for creds at `~/.aws/credentials`. Alternatively you can specify an AWS credentials file with `--creds-file`.
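Review bot: the numbered items "1.`PULL_SECRET`", "2.`--pull-secret`" and "3.`--pull-secret-file`" are missing the space after the period, so Markdown will not render them as a list (item 4 has it); write "1. `PULL_SECRET` environment variable" and so on. The "Best Practice" snippet writes a registry credential to `~/.pull-secret` with whatever the user's default umask allows; add `chmod 600 ~/.pull-secret` after the heredoc (or run it under `umask 077`) and say that the file holds a credential that should not be committed to a repository or shared. As shown here the bash block ends at the comment "# Or specify it explicitly when creating a cluster" with no command following it and no closing fence before the existing AWS credentials paragraph, so verify the rendered file has both.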