Manually creating IAM for Azure

In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.

Alternatives to storing administrator-level secrets in the kube-system project

The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the credentialsMode parameter in the install-config.yaml file.

If you prefer not to store an administrator-level credential secret in the cluster kube-system project, you can set the credentialsMode parameter for the CCO to Manual when installing OKD and manage your cloud credentials manually.

Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.

Additional resources

For a detailed description of all available CCO credential modes and their supported platforms, see About the Cloud Credential Operator.

Manually create IAM

The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.

Procedure

  1. Change to the directory that contains the installation program and create the install-config.yaml file:

    1. $ openshift-install create install-config --dir <installation_directory>

    where <installation_directory> is the directory in which the installation program creates files.

  2. Edit the install-config.yaml configuration file so that it contains the credentialsMode parameter set to Manual.

    Example install-config.yaml configuration file

    1. apiVersion: v1
    2. baseDomain: cluster1.example.com
    3. credentialsMode: Manual (1)
    4. compute:
    5. - architecture: amd64
    6.   hyperthreading: Enabled
    7. ...
    1This line is added to set the credentialsMode parameter to Manual.

  3. To generate the manifests, run the following command from the directory that contains the installation program:

    1. $ openshift-install create manifests --dir <installation_directory>

  4. From the directory that contains the installation program, obtain details of the OKD release image that your openshift-install binary is built to use:

    1. $ openshift-install version

    Example output

    1. release image quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64

  5. Locate all CredentialsRequest objects in this release image that target the cloud you are deploying on:

    1. $ oc adm release extract quay.io/openshift-release-dev/ocp-release:4.y.z-x86_64 --credentials-requests --cloud=azure

    This command creates a YAML file for each CredentialsRequest object.

    Sample CredentialsRequest object

    1. apiVersion: cloudcredential.openshift.io/v1
    2. kind: CredentialsRequest
    3. metadata:
    4.   labels:
    5.     controller-tools.k8s.io: "1.0"
    6.   name: openshift-image-registry-azure
    7.   namespace: openshift-cloud-credential-operator
    8. spec:
    9.   secretRef:
    10.     name: installer-cloud-credentials
    11.     namespace: openshift-image-registry
    12.   providerSpec:
    13.     apiVersion: cloudcredential.openshift.io/v1
    14.     kind: AzureProviderSpec
    15.     roleBindings:
    16.     - role: Contributor

  6. Create YAML files for secrets in the openshift-install manifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the spec.secretRef for each CredentialsRequest object. The format for the secret data varies for each cloud provider.

  7. From the directory that contains the installation program, proceed with your cluster creation:

    1. $ openshift-install create cluster --dir <installation_directory>

    Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state. For details, see the “Upgrading clusters with manually maintained credentials” section of the installation content for your cloud provider.

Admin credentials root secret format

Each cloud provider uses a credentials root secret in the kube-system namespace by convention, which is then used to satisfy all credentials requests and create their respective secrets. This is done either by minting new credentials, with mint mode, or by copying the credentials root secret, with passthrough mode.

The format for the secret varies by cloud, and is also used for each CredentialsRequest secret.

Microsoft Azure secret format

  1. apiVersion: v1
  2. kind: Secret
  3. metadata:
  4.   namespace: kube-system
  5.   name: azure-credentials
  6. stringData:
  7.   azure_subscription_id: <SubscriptionID>
  8.   azure_client_id: <ClientID>
  9.   azure_client_secret: <ClientSecret>
  10.   azure_tenant_id: <TenantID>
  11.   azure_resource_prefix: <ResourcePrefix>
  12.   azure_resourcegroup: <ResourceGroup>
  13.   azure_region: <Region>

On Microsoft Azure, the credentials secret format includes two properties that must contain the cluster’s infrastructure ID, generated randomly for each cluster installation. This value can be found after running create manifests:

  1. $ cat .openshift_install_state.json | jq '."*installconfig.ClusterID".InfraID' -r

Example output

  1. mycluster-2mpcn

This value would be used in the secret data as follows:

  1. azure_resource_prefix: mycluster-2mpcn
  2. azure_resourcegroup: mycluster-2mpcn-rg

Upgrading clusters with manually maintained credentials

The Cloud Credential Operator (CCO) Upgradable status for a cluster with manually maintained credentials is False by default.

  • For minor releases, for example, from 4.8 to 4.9, this status prevents you from upgrading until you have addressed any updated permissions and annotated the CloudCredential resource to indicate that the permissions are updated as needed for the next version. This annotation changes the Upgradable status to True.

  • For z-stream releases, for example, from 4.9.0 to 4.9.1, no permissions are added or changed, so the upgrade is not blocked.

Before upgrading a cluster with manually maintained credentials, you must create any new credentials for the release image that you are upgrading to. Additionally, you must review the required permissions for existing credentials and accommodate any new permissions requirements in the new release for those components.

Procedure

  1. Extract and examine the CredentialsRequest custom resource for the new release.

    The “Manually creating IAM” section of the installation content for your cloud provider explains how to obtain and use the credentials required for your cloud.

  2. Update the manually maintained credentials on your cluster:

    • Create new secrets for any CredentialsRequest custom resources that are added by the new release image.

    • If the CredentialsRequest custom resources for any existing credentials that are stored in secrets have changed their permissions requirements, update the permissions as required.

  3. When all of the secrets are correct for the new release, indicate that the cluster is ready to upgrade:

    1. Log in to the OKD CLI as a user with the cluster-admin role.

    2. Edit the CloudCredential resource to add an upgradeable-to annotation within the metadata field:

      1. $ oc edit cloudcredential cluster

      Text to add

      1. ...
      2.   metadata:
      3.     annotations:
      4.       cloudcredential.openshift.io/upgradeable-to: <version_number>
      5. ...

      Where <version_number> is the version you are upgrading to, in the format x.y.z. For example, 4.8.2 for OKD 4.8.2.

      It may take several minutes after adding the annotation for the upgradeable status to change.

  4. Verify that the CCO is upgradeable:

    1. In the Administrator perspective of the web console, navigate to AdministrationCluster Settings.

    2. To view the CCO status details, click cloud-credential in the Cluster Operators list.

    3. If the Upgradeable status in the Conditions section is False, verify that the upgradeable-to annotation is free of typographical errors.

When the Upgradeable status in the Conditions section is True, you can begin the OKD upgrade.

Mint mode

Mint mode is the default and recommended Cloud Credential Operator (CCO) credentials mode for OKD. In this mode, the CCO uses the provided administrator-level cloud credential to run the cluster. Mint mode is supported for AWS, GCP, and Azure.

In mint mode, the admin credential is stored in the kube-system namespace and then used by the CCO to process the CredentialsRequest objects in the cluster and create users for each with specific permissions.

The benefits of mint mode include:

  • Each cluster component has only the permissions it requires

  • Automatic, on-going reconciliation for cloud credentials, including additional credentials or permissions that might be required for upgrades

One drawback is that mint mode requires admin credential storage in a cluster kube-system secret.

Next steps