From f028ef87c320bdd522e666499c649639b384ec2b Mon Sep 17 00:00:00 2001 From: xenolinux Date: Thu, 11 Jul 2024 17:41:08 +0530 Subject: [PATCH] CCO support in HCP on AWS --- .../hcp-authentication-authorization.adoc | 19 +++++++++ modules/hcp-cco-verify-aws-sts.adoc | 42 +++++++++++++++++++ modules/osdk-cco-aws-sts-enabling.adoc | 3 +- 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 modules/hcp-cco-verify-aws-sts.adoc diff --git a/hosted_control_planes/hcp-authentication-authorization.adoc b/hosted_control_planes/hcp-authentication-authorization.adoc index 1ce7666ddb8a..97debd82b546 100644 --- a/hosted_control_planes/hcp-authentication-authorization.adoc +++ b/hosted_control_planes/hcp-authentication-authorization.adoc 
@@ -9,9 +9,28 @@ toc::[] The {product-title} control plane includes a built-in OAuth server. You can obtain OAuth access tokens to authenticate to the {product-title} API. After you create your hosted cluster, you can configure OAuth by specifying an identity provider. include::modules/hcp-configuring-oauth.adoc[leveloffset=+1] + include::modules/hcp-configuring-oauth-console.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources * To know more about supported identity providers, see xref:../authentication/understanding-identity-provider.adoc#understanding-identity-provider["Understanding identity provider configuration"] in _Authentication and authorization_. + +[id="hcp-cco-aws-sts_{context}"] +== Assigning components IAM roles by using the CCO in a hosted cluster on {aws-short} + +You can assign components IAM roles that provide short-term, limited-privilege security credentials by using the Cloud Credential Operator (CCO) in hosted clusters on {aws-first}. By default, the CCO runs in a hosted control plane. + +[NOTE] +==== +The CCO supports a manual mode only for hosted clusters on {aws-short}. By default, hosted clusters are configured in a manual mode. The management cluster might use modes other than manual. +==== + +include::modules/hcp-cco-verify-aws-sts.adoc[leveloffset=+1] +include::modules/osdk-cco-aws-sts-enabling.adoc[leveloffset=+1] + +[role="_additional-resources"] +.Additional resources + +* xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cluster Operators reference page for the Cloud Credential Operator] diff --git a/modules/hcp-cco-verify-aws-sts.adoc b/modules/hcp-cco-verify-aws-sts.adoc new file mode 100644 index 000000000000..7e260b05251e --- /dev/null +++ b/modules/hcp-cco-verify-aws-sts.adoc 
@@ -0,0 +1,42 @@ +// Module included in the following assemblies: +// +// Hosted control plane assemblies +// * hosted_control_planes/hcp-authentication-authorization.adoc + +:_mod-docs-content-type: PROCEDURE +[id="hcp-cco-verify-aws-sts_{context}"] += Verifying the CCO installation in a hosted cluster on {aws-short} + +You can verify that the Cloud Credential Operator (CCO) is running correctly in your hosted control plane. + +.Prerequisites + +* You configured the hosted cluster on {aws-first}. + +.Procedure + +. Verify that the CCO is configured in a manual mode in your hosted cluster by running the following command: ++ +[source,terminal] +---- +$ oc get cloudcredentials -n -o=jsonpath={.spec.credentialsMode} +---- ++ +.Expected output +[source,terminal] +---- +Manual +---- + +. Verify that the value for the `serviceAccountIssuer` resource is not empty by running the following command: ++ +[source,terminal] +---- +$ oc get authentication cluster --kubeconfig .kubeconfig -o jsonpath --template '{.spec.serviceAccountIssuer }' +---- ++ +.Example output +[source,terminal] +---- +https://aos-hypershift-ci-oidc-29999.s3.us-east-2.amazonaws.com/hypershift-ci-29999 +---- diff --git a/modules/osdk-cco-aws-sts-enabling.adoc b/modules/osdk-cco-aws-sts-enabling.adoc index 6e2980931983..aee8a3acc38f 100644 --- a/modules/osdk-cco-aws-sts-enabling.adoc +++ b/modules/osdk-cco-aws-sts-enabling.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * operators/operator_sdk/osdk-token-auth.adoc +// * hosted_control_planes/hcp-authentication-authorization.adoc :_mod-docs-content-type: PROCEDURE [id="osdk-cco-aws-sts-enabling_{context}"] @@ -318,4 +319,4 @@ options := session.Options{ SharedConfigFiles: []string{sharedCredentialsFile}, } ---- -==== \ No newline at end of file +====
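Review bot: In the hosted_control_planes/hcp-authentication-authorization.adoc hunk, the admonition "The CCO supports a manual mode only for hosted clusters on {aws-short}" can be read two ways (manual is the only supported mode, or manual mode is supported only on AWS); since the next sentence says hosted clusters default to manual mode, suggest "The CCO supports only manual mode for hosted clusters on {aws-short}." The new heading would also read more naturally as "Assigning IAM roles to components by using the CCO in a hosted cluster on {aws-short}". Finally, the added additional-resources block has a blank line between `.Additional resources` and the `* xref:...` item; an AsciiDoc block title must directly precede the block it labels (the existing block earlier in the same file keeps them adjacent), so remove that blank line.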
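Review bot: In the new modules/hcp-cco-verify-aws-sts.adoc, the first command `$ oc get cloudcredentials -n -o=jsonpath={.spec.credentialsMode}` is missing the argument to `-n`, so `-o=jsonpath=...` is taken as the namespace value and the command fails as written; add the intended placeholder (for example `<hosted_cluster_namespace>`, to be confirmed by the author) or drop `-n` if the resource is cluster-scoped. The second command has the same gap in `--kubeconfig .kubeconfig` (the hosted cluster name placeholder before `.kubeconfig` is missing) and a stray space inside `'{.spec.serviceAccountIssuer }'`. The example output `https://aos-hypershift-ci-oidc-29999.s3.us-east-2.amazonaws.com/hypershift-ci-29999` is an internal CI issuer URL; replace it with a generic placeholder such as `https://<oidc_bucket>.s3.<region>.amazonaws.com/<hosted_cluster_name>`, and consider telling the reader what value to expect (the issuer URL configured for their hosted cluster) rather than only that it is non-empty. The two output blocks are also titled `.Expected output` and `.Example output` inconsistently.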