- Installing AWS Load Balancer Operator on a Security Token Service cluster
- Bootstrapping AWS Load Balancer Operator on Security Token Service cluster
- Configuring AWS Load Balancer Operator on Security Token Service cluster by using managed
CredentialsRequest
objects - Configuring the AWS Load Balancer Operator on Security Token Service cluster by using specific credentials
- Additional resources
Installing AWS Load Balancer Operator on a Security Token Service cluster
You can install the AWS Load Balancer Operator on a Security Token Service (STS) cluster.
The AWS Load Balancer Operator relies on CredentialsRequest
to bootstrap the Operator and for each AWSLoadBalancerController
instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the ccoctl
binary.
If you do not want to provision credential secret by using the Cloud Credential Operator, you can configure the AWSLoadBalancerController
instance on the STS cluster by specifying the credential secret in the AWS load Balancer Controller custom resource (CR).
Bootstrapping AWS Load Balancer Operator on Security Token Service cluster
Prerequisites
- You must extract and prepare the
ccoctl
binary.
Procedure
Create the
aws-load-balancer-operator
namespace by running the following command:$ oc create namespace aws-load-balancer-operator
Download the
CredentialsRequest
custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command:$ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
Use the
ccoctl
tool to processCredentialsRequest
objects of the AWS Load Balancer Operator, by running the following command:$ ccoctl aws create-iam-roles \
--name <name> --region=<aws_region> \
--credentials-requests-dir=<path-to-credrequests-dir> \
--identity-provider-arn <oidc-arn>
Apply the secrets generated in the manifests directory of your cluster by running the following command:
$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
Verify that the credentials secret of the AWS Load Balancer Operator is created by running the following command:
$ oc -n aws-load-balancer-operator get secret aws-load-balancer-operator --template='{{index .data "credentials"}}' | base64 -d
Example output
[default]
sts_regional_endpoints = regional
role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-operator
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
Configuring AWS Load Balancer Operator on Security Token Service cluster by using managed CredentialsRequest
objects
Prerequisites
- You must extract and prepare the
ccoctl
binary.
Procedure
The AWS Load Balancer Operator creates the
CredentialsRequest
object in theopenshift-cloud-credential-operator
namespace for eachAWSLoadBalancerController
custom resource (CR). You can extract and save the createdCredentialsRequest
object in a directory by running the following command:$ oc get credentialsrequest -n openshift-cloud-credential-operator \
aws-load-balancer-controller-<cr-name> -o yaml > <path-to-credrequests-dir>/cr.yaml (1)
1 The aws-load-balancer-controller-<cr-name>
parameter specifies the credential request name created by the AWS Load Balancer Operator. Thecr-name
specifies the name of the AWS Load Balancer Controller instance.Use the
ccoctl
tool to process allCredentialsRequest
objects in thecredrequests
directory by running the following command:$ ccoctl aws create-iam-roles \
--name <name> --region=<aws_region> \
--credentials-requests-dir=<path-to-credrequests-dir> \
--identity-provider-arn <oidc-arn>
Apply the secrets generated in manifests directory to your cluster, by running the following command:
$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
Verify that the
aws-load-balancer-controller
pod is created:$ oc -n aws-load-balancer-operator get pods
NAME READY STATUS RESTARTS AGE
aws-load-balancer-controller-cluster-9b766d6-gg82c 1/1 Running 0 137m
aws-load-balancer-operator-controller-manager-b55ff68cc-85jzg 2/2 Running 0 3h26m
Configuring the AWS Load Balancer Operator on Security Token Service cluster by using specific credentials
You can specify the credential secret by using the spec.credentials
field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined CredentialsRequest
object of the controller to know which roles are required.
Prerequisites
- You must extract and prepare the
ccoctl
binary.
Procedure
Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command:
$ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
Use the
ccoctl
tool to process theCredentialsRequest
object of the controller:$ ccoctl aws create-iam-roles \
--name <name> --region=<aws_region> \
--credentials-requests-dir=<path-to-credrequests-dir> \
--identity-provider-arn <oidc-arn>
Apply the secrets to your cluster:
$ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
Verify the credentials secret has been created for use by the controller:
$ oc -n aws-load-balancer-operator get secret aws-load-balancer-controller-manual-cluster --template='{{index .data "credentials"}}' | base64 -d
Example output
[default]
sts_regional_endpoints = regional
role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
Create the
AWSLoadBalancerController
resource YAML file, for example,sample-aws-lb-manual-creds.yaml
, as follows:apiVersion: networking.olm.openshift.io/v1
kind: AWSLoadBalancerController (1)
metadata:
name: cluster (2)
spec:
credentials:
name: <secret-name> (3)
1 Defines the AWSLoadBalancerController
resource.2 Defines the AWS Load Balancer Controller instance name. This instance name gets added as a suffix to all related resources. 3 Specifies the secret name containing AWS credentials that the controller uses.