×

You can install the AWS Load Balancer Operator on the Secure Token Service (STS) cluster.

The AWS Load Balancer Operator relies on CredentialsRequest to bootstrap the Operator and for each AWSLoadBalancerController instance. The AWS Load Balancer Operator waits until the required secrets are created and available. The Cloud Credential Operator does not provision the secrets automatically in the STS cluster. You must set the credentials secrets manually by using the ccoctl binary.

Bootstrapping AWS Load Balancer Operator on Secure Token Service cluster

Prerequisites
  • You must extract and prepare the coctl binary.

Procedure
  1. Download the CredentialsRequest custom resource (CR) of the AWS Load Balancer Operator, and create a directory to store it by running the following command:

    $ curl --create-dirs -o <path-to-credrequests-dir>/cr.yaml https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-credentials-request.yaml
  2. Use the ccoctl tool to process CredentialsRequest objects of the AWS Load Balancer Operator, by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  3. Apply the secrets generated in the manifests directory of your cluster by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  4. Verify that the credentials secret of the AWS Load Balancer Operator is created by running the following command:

    $ oc -n aws-load-balancer-operator get secret aws-load-balancer-operator --template='{{index .data "credentials"}}' | base64 -d
    Example output
    [default]
    sts_regional_endpoints = regional
    role_arn = arn:aws:iam::999999999999:role/aws-load-balancer-operator-aws-load-balancer-operator
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token

Configuring AWS Load Balancer Operator on Secure Token Service cluster

Prerequisites
  • You must extract and prepare the coctl binary.

Procedure
  1. The AWS Load Balancer Operator creates the CredentialsRequest object in the openshift-cloud-credential-operator namespace for each AWSLoadBalancerController custom resource (CR). You can extract and save the created CredentialsRequest object in a directory by running the following command:

    $ oc get credentialsrequest -n openshift-cloud-credential-operator  \
        aws-load-balancer-controller-<cr-name> -o yaml > <path-to-credrequests-dir>/cr.yaml (1)
    1 The aws-load-balancer-controller-<cr-name> parameter specifies the credential request name created by the AWS Load Balancer Operator. The cr-name specifies the name of the AWS Load Balancer Controller instance.
  2. Use the ccoctl tool to process all CredentialsRequest objects in the credrequests directory by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <name> --region=<aws_region> \
        --credentials-requests-dir=<path-to-credrequests-dir> \
        --identity-provider-arn <oidc-arn>
  3. Apply the secrets generated in manifests directory to your cluster, by running the following command:

    $ ls manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
  4. Verify that the aws-load-balancer-controller pod is created:

    $ oc -n aws-load-balancer-operator get pods
    NAME                                                            READY   STATUS    RESTARTS   AGE
    aws-load-balancer-controller-cluster-9b766d6-gg82c              1/1     Running   0          137m
    aws-load-balancer-operator-controller-manager-b55ff68cc-85jzg   2/2     Running   0          3h26m