OSDOCS#7581,7582: Add token auth via CCO for Operator authors (AWS STS) #64808
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -153,11 +153,27 @@ spec: | |||||
| <6> The `env` parameter defines a list of Environment Variables that must exist in all containers in the pod created by OLM. | ||||||
| <7> The `envFrom` parameter defines a list of sources to populate Environment Variables in the container. | ||||||
| <8> The `volumes` parameter defines a list of Volumes that must exist on the pod created by OLM. | ||||||
| <9> The `volumeMounts` parameter defines a list of volume mounts that must exist in all containers in the pod created by OLM. If a `volumeMount` references a `volume` that does not exist, OLM fails to deploy the Operator. | ||||||
| <10> The `tolerations` parameter defines a list of Tolerations for the pod created by OLM. | ||||||
| <11> The `resources` parameter defines resource constraints for all the containers in the pod created by OLM. | ||||||
| <12> The `nodeSelector` parameter defines a `NodeSelector` for the pod created by OLM. | ||||||
|
|
||||||
| . If the cluster is in STS mode, include the following fields in the `Subscription` object: | ||||||
|
There was a problem hiding this comment. I have a general comment on "STS mode" but not sure, personally I have a little concern that user may be confused by "STS mode" and "manual mode".And I searched "STS mode" in OCP4.13 document but found no result.
Contributor
There was a problem hiding this comment. Yes, I also worry about the inconsistency, and that eventually this will not be a feature for only AWS, so the terminology should be generalized. Right now, the GUI says "STS Mode", so I think for GUI steps it makes sense to match the text the user will see. Last week, I proposed using platform-neutral language that is consistent with existing CCO terminology in the GUI, and @gallettilance was onboard with it. But I don't know if that is a change that can happen before 4.14 or not.
Contributor
Author
There was a problem hiding this comment. Could change the wording here in the meantime to be more specific like:
Suggested change
Contributor
There was a problem hiding this comment. @adellape That change makes sense to me until the language can be updated post-4.14 in the console.
Contributor
There was a problem hiding this comment. Would it help to spell STS out? |
||||||
| + | ||||||
| [source,yaml] | ||||||
| ---- | ||||||
| kind: Subscription | ||||||
| # ... | ||||||
| spec: | ||||||
| installPlanApproval: Manual <1> | ||||||
| config: | ||||||
| env: | ||||||
| - name: ROLEARN | ||||||
| value: "<role_arn>" <2> | ||||||
| ---- | ||||||
| <1> Subscriptions with automatic update approvals are not recommended because there might be permission changes to make prior to updating. Subscriptions with manual update approvals ensure that administrators have the opportunity to verify the permissions of the later version and take any necessary steps prior to update. | ||||||
| <2> Include the role ARN details. | ||||||
|
|
||||||
| . Create the `Subscription` object: | ||||||
| + | ||||||
| [source,terminal] | ||||||
|
|
||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * operators/operator_sdk/osdk-token-auth.adoc | ||
|
|
||
| :_content-type: CONCEPT | ||
| [id="osdk-cco-aws-sts-alt_{context}"] | ||
| = Alternative method | ||
|
|
||
| As an alternative method for Operator authors, you can indicate that the user is responsible for creating the `CredentialsRequest` object for the Cloud Credential Operator (CCO) before installing the Operator. | ||
|
|
||
| The Operator instructions must indicate the following to users: | ||
|
|
||
| * Provide a YAML version of a `CredentialsRequest` object, either by providing the YAML inline in the instructions or pointing users to a download location | ||
| * Instruct the user to create the `CredentialsRequest` object | ||
|
|
||
| In {product-title} 4.14 and later, after the `CredentialsRequest` object appears on the cluster with the appropriate STS information added, the Operator can then read the CCO-generated `Secret` or mount it, having defined the mount in the cluster service version (CSV). | ||
|
|
||
| For earlier versions of {product-title}, the Operator instructions must also indicate the following to users: | ||
|
|
||
| * Use the CCO utility (`ccoctl`) to generate the `Secret` YAML object from the `CredentialsRequest` object | ||
| * Apply the `Secret` object to the cluster in the appropriate namespace | ||
|
|
||
| The Operator still must be able to consume the resulting secret to communicate with cloud APIs. Because in this case the secret is created by the user before the Operator is installed, the Operator can do either of the following: | ||
|
|
||
| * Define an explicit mount in the `Deployment` object within the CSV | ||
| * Programmatically read the `Secret` object from the API server, as shown in the recommended "Enabling Operators to support CCO-based workflows with AWS STS" method |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jeana-redhat FYI, updating link for prime-time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you so much for relieving me of remembering to do a thing 🙇