This is a cache of https://docs.okd.io/4.13/networking/aws_load_balancer_operator/installing-albo-sts-cluster.html. It is a snapshot of the page at 2024-11-24T00:19:53.141+0000.
Preparing for the AWS Load Balancer Operator on a cluster using the AWS Security Token Service (STS) - AWS Load Balancer Operator | Networking | OKD 4.13
×

You can install the AWS Load Balancer Operator on a cluster that uses STS. Follow these steps to prepare your cluster before installing the Operator.

The AWS Load Balancer Operator relies on the CredentialsRequest object to bootstrap the Operator and the AWS Load Balancer Controller. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the ccoctl binary.

If you do not want to provision credential secret by using the Cloud Credential Operator, you can configure the AWSLoadBalancerController instance on the STS cluster by specifying the credential secret in the AWS load Balancer Controller custom resource (CR).

Bootstrapping AWS Load Balancer Operator on Security Token Service cluster

Prerequisites
  • You must extract and prepare the ccoctl binary.

Procedure
  1. Create the aws-load-balancer-operator namespace by running the following command:

    $ oc create namespace aws-load-balancer-operator
  2. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command:

    $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
  3. Use the ccoctl tool to process CredentialsRequest objects of the AWS Load Balancer Operator, by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  4. Apply the secrets generated in the manifests directory of your cluster by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  5. Verify that the credentials secret of the AWS Load Balancer Operator is created by running the following command:

    $ oc -n aws-load-balancer-operator get secret aws-load-balancer-operator --template='{{index .data "credentials"}}' | base64 -d
    Example output
    [default]
    sts_regional_endpoints = regional
    role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-operator
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token

Configuring AWS Load Balancer Operator on Security Token Service cluster by using managed CredentialsRequest objects

Prerequisites
  • You must extract and prepare the ccoctl binary.

Procedure
  1. The AWS Load Balancer Operator creates the CredentialsRequest object in the openshift-cloud-credential-operator namespace for each AWSLoadBalancerController custom resource (CR). You can extract and save the created CredentialsRequest object in a directory by running the following command:

    $ oc get credentialsrequest -n openshift-cloud-credential-operator  \
        aws-load-balancer-controller-<cr-name> -o yaml > <path-to-credrequests-dir>/cr.yaml (1)
    1 The aws-load-balancer-controller-<cr-name> parameter specifies the credential request name created by the AWS Load Balancer Operator. The cr-name specifies the name of the AWS Load Balancer Controller instance.
  2. Use the ccoctl tool to process all CredentialsRequest objects in the credrequests directory by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  3. Apply the secrets generated in manifests directory to your cluster, by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  4. Verify that the aws-load-balancer-controller pod is created:

    $ oc -n aws-load-balancer-operator get pods
    NAME                                                            READY   STATUS    RESTARTS   AGE
    aws-load-balancer-controller-cluster-9b766d6-gg82c              1/1     Running   0          137m
    aws-load-balancer-operator-controller-manager-b55ff68cc-85jzg   2/2     Running   0          3h26m

Configuring the AWS Load Balancer Operator on Security Token Service cluster by using specific credentials

You can specify the credential secret by using the spec.credentials field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined CredentialsRequest object of the controller to know which roles are required.

Prerequisites
  • You must extract and prepare the ccoctl binary.

Procedure
  1. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command:

    $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
  2. Use the ccoctl tool to process the CredentialsRequest object of the controller:

    $ ccoctl aws create-iam-roles \
            --name <name> --region=<aws_region> \
            --credentials-requests-dir=<path-to-credrequests-dir> \
            --identity-provider-arn <oidc-arn>
  3. Apply the secrets to your cluster:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  4. Verify the credentials secret has been created for use by the controller:

    $ oc -n aws-load-balancer-operator get secret aws-load-balancer-controller-manual-cluster --template='{{index .data "credentials"}}' | base64 -d
    Example output
    [default]
        sts_regional_endpoints = regional
        role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller
        web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
  5. Create the AWSLoadBalancerController resource YAML file, for example, sample-aws-lb-manual-creds.yaml, as follows:

    apiVersion: networking.olm.openshift.io/v1
    kind: AWSLoadBalancerController (1)
    metadata:
      name: cluster (2)
    spec:
      credentials:
        name: <secret-name> (3)
    1 Defines the AWSLoadBalancerController resource.
    2 Defines the AWS Load Balancer Controller instance name. This instance name gets added as a suffix to all related resources.
    3 Specifies the secret name containing AWS credentials that the controller uses.