📖 Documentation Update to Creating a ROSA HCP cluster directions #5920
tinaafitz wants to merge 11 commits into kubernetes-sigs:main from
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Hi @tinaafitz. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with … Once the patch is verified, the new status will be reflected by the … I understand the commands that are listed here.
Force-pushed 8f82392 to 818e792
…ong with examples for each.
Force-pushed c6eaab7 to 9afb9f1
| ## Authentication | ||
| The CAPA controller requires service account credentials to provision ROSA HCP clusters. | ||
| If you already have a service account, you can skip these steps. |
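Review bot: "service account credentials" on the second line is ambiguous (it reads as a Kubernetes ServiceAccount, while the commit list for this PR refers to a rosa-creds-secret that must sit in the same namespace as the ROSA resources); say which service account is meant and name the Secret and namespace where its credentials are stored, so a reader knows where the secret material ends up before the "skip these steps" note.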
| If you already have a service account, you can skip these steps. | |
| **Note:** If you already have a service account, you can skip these steps. |
| rosaClusterName: rosa-hcp-1 | ||
| domainPrefix: rosa-hcp | ||
| rosaRoleConfigRef: | ||
| name: role-config |
| name: role-config | |
| name: role-config # reference to the ROSARoleConfig created above |
| version: "4.19.0" | ||
| region: "us-west-2" | ||
| rosaNetworkRef: | ||
| name: "rosa-vpc" |
| name: "rosa-vpc" | |
| name: "rosa-vpc" # reference to the ROSANetwork created above |
… and deletion steps
- Bold the service account skip note
- Add full resource headers (apiVersion, kind, metadata, spec) to ROSARoleConfig and ROSANetwork status examples
- Add inline comments to rosaRoleConfigRef and rosaNetworkRef for clarity
- Add example for creating an additional ROSAMachinePool (workers-extra)
- Add section for deleting a ROSA HCP cluster and cleaning up resources
| 1. Extract the OIDC provider from the management cluster and set your AWS account ID: | ||
| ```shell | ||
| export OIDC_PROVIDER=$(kubectl get authentication.config.openshift.io cluster -ojson | jq -r .spec.serviceAccountIssuer | sed 's/https:\/\///') |
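Review bot: the OIDC_PROVIDER command only works on OpenShift, because authentication.config.openshift.io does not exist on a kind or minikube cluster, which the same document names as supported management clusters; on any Kubernetes cluster the issuer can be read with `kubectl get --raw /.well-known/openid-configuration | jq -r .issuer | sed 's/https:\/\///'`, so either add that variant or state the OpenShift-only assumption next to the step.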
This is only for OpenShift, not Kubernetes in general.
| @@ -0,0 +1,86 @@ | |||
| # Specifying the IAM Role for ROSA HCP Management Components | |||
| When using a management cluster (kind or minikube) with CAPI and CAPA installed, you can configure the CAPA controller to use IAM roles instead of storing AWS credentials. This uses OIDC federation to allow the CAPA controller service account to assume an IAM role. | |||
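Review bot: the OIDC federation described here only works if AWS can fetch the issuer's discovery document and JWKS from the public internet, which is not the case for a kind or minikube API server; the paragraph should say that the management cluster's service account issuer must be publicly reachable (or its discovery documents published at a public URL that the API server is configured to use as its issuer), and that the role's trust policy must restrict the sub claim to the CAPA controller's ServiceAccount, since otherwise every workload on that cluster can assume the role.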
Let's mention that a ROSA HCP is the management cluster, or any cluster created using AWS credentials.
- Add IAM Role Configuration section linking to specify-management-iam-role doc
- Reorder prerequisites: ROSA setup first, management cluster second
- Fix Authentication section formatting and numbering
- Add new specify-management-iam-role doc with step-by-step IAM role setup instructions
Force-pushed d911351 to cc9fec5
- Add ROSA and MachinePool feature gate requirements before clusterctl init
- Add note about rosa-creds-secret namespace matching resource namespace
- Add note about ROSARoleConfig prefix max length (4 characters)
- Update OpenShift version from 4.19.0 to 4.20.11 with version check hint
- Update Cluster and MachinePool API version from v1beta1 to v1beta2
Force-pushed cc9fec5 to f21d69f
…nces
- Fix Markdown rendering issues: add blank lines to separate code blocks,
notes, and section headings within list items
- Remove YAML document separators (---) that were being interpreted as
Markdown thematic breaks, breaking code block rendering
- Move AWSClusterControllerIdentity to its own step before cluster creation
- Remove separate identityRef/multi-tenancy step (identity now created upfront)
- Remove IAM Role Configuration section
- Add namespace: "capa-system" to ROSARoleConfig and ROSANetwork examples
and their expected status output
Force-pushed ee140cd to 0441ae8
/ok-to-test
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: … Needs approval from an approver in each of these files: …
/retest
| --policy-arn arn:aws:iam::aws:policy/AmazonVPCFullAccess | ||
| ``` | ||
| ## Annotate the Service Account |
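Review bot: attaching the AWS-managed AmazonVPCFullAccess policy to the controller role grants far more than the controller needs; point readers at the scoped controller policy that `clusterawsadm bootstrap iam create-cloudformation-stack` creates (or an equivalent policy document) instead, and in the Annotate the Service Account step name the exact ServiceAccount and namespace being annotated so it matches what the role's trust policy allows.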
Before this step we assume CAPA and CAPI have been installed. Better to show the steps using clusterctl and clusterawsadm to initialize CAPI/CAPA, as below:

```shell
# kubeconfig is pointing to the same cluster we retrieved the OIDC_PROVIDER from
export EXP_ROSA=true
export EXP_MACHINE_POOL=true
# Not sure; if we set the env variable the capa deployment and serviceAccount will be annotated.
export AWS_CONTROLLER_IAM_ROLE=$(aws iam get-role --role-name=capa-manager-role --query Role.Arn --output text)
clusterctl init --infrastructure aws
```
| oidcProviderType: Managed | ||
| apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 |
I believe the --- separator is missing from here
| export OPENSHIFT_VERSION="4.19.0" | ||
| export OPENSHIFT_VERSION="4.20.11" # check available versions with: rosa list versions --hosted-cp | ||
| export AWS_REGION="us-west-2" | ||
| export AWS_AVAILABILITY_ZONE="us-west-2a" |
we could probably provide the aws sts commands here:

```shell
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export AWS_CREATOR_ARN=$(aws sts get-caller-identity --query Arn --output text)
```
| Save the following to a file named `rosa-role-network.yaml`: | ||
| ```yaml | ||
| apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 |
It would be nice if this YAML file and the ones below had the `cat <<EOF ... >` command, so that a user can just copy and paste them.
| controlPlaneRef: | ||
| apiGroup: controlplane.cluster.x-k8s.io | ||
| kind: ROSAControlPlane | ||
| name: "rosa-hcp-1-control-plane" |
I believe the --- separator is missing from here
| kind: ROSACluster | ||
| metadata: | ||
| name: "rosa-hcp-1" | ||
| spec: {} |
I believe the --- separator is missing from here
| infrastructureRef: | ||
| apiGroup: infrastructure.cluster.x-k8s.io | ||
| kind: ROSAMachinePool | ||
| name: "workers-extra" |
Force-pushed 731e1ae to f989baa
serngawy left a comment:

thanks @tinaafitz, looks good
/lgtm
LGTM label has been added. Git tree hash: 314c01c9afd6bd6d11f5faa2212d84bd75bd675e
/kind documentation