Installing AWS Load Balancer Operator on Secure Token Service cluster

You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster.

The AWS Load Balancer Operator relies on CredentialsRequest to bootstrap the Operator and for each AWSLoadBalancerController instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the ccoctl binary.

If you do not want to provision credential secret by using the Cloud Credential Operator, you can configure the AWSLoadBalancerController instance on the STS cluster by specifying the credential secret in the AWS load Balancer Controller custom resource (CR).

Bootstrapping AWS Load Balancer Operator on Secure Token Service cluster

Prerequisites

• You must extract and prepare the ccoctl binary.

Procedure

1. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command:

   $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml

2. Use the ccoctl tool to process CredentialsRequest objects of the AWS Load Balancer Operator, by running the following command:

   $ ccoctl aws create-iam-roles \
       --name <name> --region=<aws_region> \
       --credentials-requests-dir=<path-to-credrequests-dir> \
       --identity-provider-arn <oidc-arn>

3. Apply the secrets generated in the manifests directory of your cluster by running the following command:

   $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}

4. Verify that the credentials secret of the AWS Load Balancer Operator is created by running the following command:

   $ oc -n aws-load-balancer-operator get secret aws-load-balancer-operator --template='{{index .data "credentials"}}' | base64 -d

   Example output

   [default]
   sts_regional_endpoints = regional
   role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-operator
   web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token

Configuring AWS Load Balancer Operator on Secure Token Service cluster by using managed CredentialsRequest objects

Prerequisites

• You must extract and prepare the ccoctl binary.

Procedure

1. The AWS Load Balancer Operator creates the CredentialsRequest object in the openshift-cloud-credential-operator namespace for each AWSLoadBalancerController custom resource (CR). You can extract and save the created CredentialsRequest object in a directory by running the following command:

   $ oc get credentialsrequest -n openshift-cloud-credential-operator  \
       aws-load-balancer-controller-<cr-name> -o yaml > <path-to-credrequests-dir>/cr.yaml (1)

   1	The aws-load-balancer-controller-<cr-name> parameter specifies the credential request name created by the AWS Load Balancer Operator. The cr-name specifies the name of the AWS Load Balancer Controller instance.

2. Use the ccoctl tool to process all CredentialsRequest objects in the credrequests directory by running the following command:

   $ ccoctl aws create-iam-roles \
       --name <name> --region=<aws_region> \
       --credentials-requests-dir=<path-to-credrequests-dir> \
       --identity-provider-arn <oidc-arn>

3. Apply the secrets generated in manifests directory to your cluster, by running the following command:

   $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}

4. Verify that the aws-load-balancer-controller pod is created:

   $ oc -n aws-load-balancer-operator get pods
   NAME                                                            READY   STATUS    RESTARTS   AGE
   aws-load-balancer-controller-cluster-9b766d6-gg82c              1/1     Running   0          137m
   aws-load-balancer-operator-controller-manager-b55ff68cc-85jzg   2/2     Running   0          3h26m

Configuring the AWS Load Balancer Operator on Secure Token Service cluster by using specific credentials

You can specify the credential secret by using the spec.credentials field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined CredentialsRequest object of the controller to know which roles are required.

Prerequisites

• You must extract and prepare the ccoctl binary.

Procedure

1. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command:

   $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml

2. Use the ccoctl tool to process the CredentialsRequest object of the controller:

   $ ccoctl aws create-iam-roles \
           --name <name> --region=<aws_region> \
           --credentials-requests-dir=<path-to-credrequests-dir> \
           --identity-provider-arn <oidc-arn>

3. Apply the secrets to your cluster:

   $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}

4. Verify the credentials secret has been created for use by the controller:

   $ oc -n aws-load-balancer-operator get secret aws-load-balancer-controller-manual-cluster --template='{{index .data "credentials"}}' | base64 -d

   Example output

   [default]
       sts_regional_endpoints = regional
       role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller
       web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token

5. Create the AWSLoadBalancerController resource YAML file, for example, sample-aws-lb-manual-creds.yaml, as follows:

   apiVersion: networking.olm.openshift.io/v1alpha1
   kind: AWSLoadBalancerController (1)
   metadata:
     name: cluster (2)
   spec:
     credentials:
       name: <secret-name> (3)

   1	Defines the AWSLoadBalancerController resource.
   2	Defines the AWS Load Balancer Controller instance name. This instance name gets added as a suffix to all related resources.
   3	Specifies the secret name containing AWS credentials that the controller uses.

Additional resources

• Configuring the Cloud Credential Operator utility