Installing AWS Load Balancer Operator on a Security Token Service cluster

You can install the AWS Load Balancer Operator on a Security Token Service (STS) cluster.

The AWS Load Balancer Operator relies on CredentialsRequest objects both to bootstrap the Operator itself and to provide credentials for each AWSLoadBalancerController instance. The Operator waits until the required secrets are created and available. On an STS cluster the Cloud Credential Operator does not provision these secrets automatically, so you must create the credentials secrets manually by using the ccoctl binary.

If you do not want to provision the credentials secret by using the Cloud Credential Operator, you can configure the AWSLoadBalancerController instance on the STS cluster by specifying the credentials secret in the AWS Load Balancer Controller custom resource (CR).

Bootstrapping the AWS Load Balancer Operator on a Security Token Service cluster

Prerequisites

  • You must extract and prepare the ccoctl binary.

Procedure

  1. Create the aws-load-balancer-operator namespace by running the following command:

    $ oc create namespace aws-load-balancer-operator
  2. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command:

    $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
  3. Use the ccoctl tool to process the CredentialsRequest objects of the AWS Load Balancer Operator by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  4. Apply the secrets generated in the manifests directory of your cluster by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  5. Verify that the credentials secret of the AWS Load Balancer Operator is created by running the following command:

    $ oc -n aws-load-balancer-operator get secret aws-load-balancer-operator --template='{{index .data "credentials"}}' | base64 -d

    Example output

    [default]
    sts_regional_endpoints = regional
    role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-operator
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token

Configuring the AWS Load Balancer Operator on a Security Token Service cluster by using managed CredentialsRequest objects

Prerequisites

  • You must extract and prepare the ccoctl binary.

Procedure

  1. The AWS Load Balancer Operator creates the CredentialsRequest object in the openshift-cloud-credential-operator namespace for each AWSLoadBalancerController custom resource (CR). You can extract and save the created CredentialsRequest object in a directory by running the following command:

    $ oc get credentialsrequest -n openshift-cloud-credential-operator \
        aws-load-balancer-controller-<cr-name> -o yaml > <path-to-credrequests-dir>/cr.yaml (1)
    (1) The aws-load-balancer-controller-<cr-name> parameter specifies the name of the CredentialsRequest object created by the AWS Load Balancer Operator, where <cr-name> is the name of the AWS Load Balancer Controller instance.
  2. Use the ccoctl tool to process all CredentialsRequest objects in the credrequests directory by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  3. Apply the secrets generated in the manifests directory to your cluster by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  4. Verify that the aws-load-balancer-controller pod is created by running the following command:

    $ oc -n aws-load-balancer-operator get pods

    Example output

    NAME                                                            READY   STATUS    RESTARTS   AGE
    aws-load-balancer-controller-cluster-9b766d6-gg82c              1/1     Running   0          137m
    aws-load-balancer-operator-controller-manager-b55ff68cc-85jzg   2/2     Running   0          3h26m

Configuring the AWS Load Balancer Operator on a Security Token Service cluster by using specific credentials

You can specify the credentials secret by using the spec.credentials field in the AWS Load Balancer Controller custom resource (CR). You can use the predefined CredentialsRequest object of the controller to determine which roles are required.

Prerequisites

  • You must extract and prepare the ccoctl binary.

Procedure

  1. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Controller, and create a directory to store it by running the following command:

    $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
  2. Use the ccoctl tool to process the CredentialsRequest object of the controller by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  3. Apply the generated secrets to your cluster by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  4. Verify that the credentials secret has been created for use by the controller by running the following command:

    $ oc -n aws-load-balancer-operator get secret aws-load-balancer-controller-manual-cluster --template='{{index .data "credentials"}}' | base64 -d

    Example output

    [default]
    sts_regional_endpoints = regional
    role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
  5. Create the AWSLoadBalancerController resource YAML file, for example, sample-aws-lb-manual-creds.yaml, as follows:

    apiVersion: networking.olm.openshift.io/v1
    kind: AWSLoadBalancerController (1)
    metadata:
      name: cluster (2)
    spec:
      credentials:
        name: <secret-name> (3)
    (1) Defines the AWSLoadBalancerController resource.
    (2) Defines the AWS Load Balancer Controller instance name. This instance name is added as a suffix to all related resources.
    (3) Specifies the name of the secret containing the AWS credentials that the controller uses.
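As an added check that is not part of the original documentation, the following script validates the decoded credentials content shown in the verification step of the bootstrapping procedure and of this procedure, before that secret is referenced from spec.credentials.name: it accepts only a web-identity profile with regional STS endpoints and rejects any static access keys. The sample profiles embedded in it are constructed from the example output on this page.

```shell
#!/bin/sh
# Added example, not from the original documentation: validate the decoded
# "credentials" profile of an operator/controller secret on an STS cluster.
# Return 0 only for a web-identity (STS) profile: a [default] section, a
# well-formed role_arn, a web_identity_token_file, regional STS endpoints,
# and no static access keys.
check_sts_credentials() {
  creds="$1"
  # Static keys here would mean long-lived credentials sitting in the cluster;
  # an STS profile must never carry them.
  if printf '%s\n' "$creds" | grep -qiE '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*='; then
    echo "FAIL: static access keys present" >&2; return 1
  fi
  printf '%s\n' "$creds" | grep -qx '\[default\]' \
    || { echo "FAIL: no [default] profile" >&2; return 1; }
  for key in role_arn web_identity_token_file; do
    printf '%s\n' "$creds" | grep -qE "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" \
      || { echo "FAIL: missing $key" >&2; return 1; }
  done
  # Regional STS endpoints keep the token exchange inside the cluster's region.
  printf '%s\n' "$creds" | grep -qE '^[[:space:]]*sts_regional_endpoints[[:space:]]*=[[:space:]]*regional[[:space:]]*$' \
    || { echo "FAIL: sts_regional_endpoints is not regional" >&2; return 1; }
  # role_arn must be an IAM role ARN: 12-digit account id and a role/ path.
  sts_role_arn "$creds" | grep -qE '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/[^[:space:]]+$' \
    || { echo "FAIL: malformed role_arn" >&2; return 1; }
}
# Print the profile's role_arn value (empty if absent).
sts_role_arn() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*role_arn[[:space:]]*=[[:space:]]*//p' | head -n 1
}
# Print only the role name, for comparison with the expected
# <name>-aws-load-balancer-operator or <name>-aws-load-balancer-controller.
sts_role_name() {
  sts_role_arn "$1" | sed 's|^.*:role/||'
}
# Constructed sample matching the example output on this page.
GOOD_CREDS='[default]
sts_regional_endpoints = regional
role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-controller
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token'
# Constructed sample that must be rejected: static keys, no role assumption.
BAD_CREDS='[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecret'
# Live use: check_sts_credentials "$(oc -n aws-load-balancer-operator get secret <secret-name> --template='{{index .data "credentials"}}' | base64 -d)"
check_sts_credentials "$GOOD_CREDS" && echo "OK: role $(sts_role_name "$GOOD_CREDS")"
```

Run it against the secret named in spec.credentials.name before creating the AWSLoadBalancerController resource; a rejected profile means the secret was not produced by the ccoctl flow above.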

Additional resources