
OSDOCS#10947: Support for CCO in HCP

Open xenolinux opened this issue 1 year ago • 6 comments

Version(s): 4.15+

Issue: https://issues.redhat.com/browse/OSDOCS-10947

Link to docs preview: https://77653--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-authentication-authorization#hcp-ccoctl-aws-sts_hcp-authentication-authorization

QE review:

  • [ ] QE has approved this change.

Additional information:

xenolinux avatar Jun 18 '24 14:06 xenolinux

🤖 Mon Aug 26 11:57:59 - Prow CI generated the docs preview:

https://77653--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-authentication-authorization.html
https://77653--ocpdocs-pr.netlify.app/openshift-enterprise/latest/operators/operator_sdk/token_auth/osdk-cco-aws-sts.html

ocpdocs-previewbot avatar Jun 18 '24 14:06 ocpdocs-previewbot

looks good. Thanks @xenolinux

zanetworker avatar Jul 02 '24 08:07 zanetworker

Hi @xenolinux Please hold off on merging this documentation PR for now. I’ve just reviewed the current doc and noticed that some issues are not clearly explained. I am in the process of reviewing it and will add my comments once I’m finished. Thank you!

huangmingxia avatar Jul 03 '24 07:07 huangmingxia

@huangmingxia Sure. Thanks.

xenolinux avatar Jul 03 '24 08:07 xenolinux

@jianping-shu @heliubj18 @YuLi517 Just want you to know about this specific change. @jianping-shu @heliubj18 Please also help review this change when you have time; if you have any questions or other suggestions, please feel free to raise them here. Thanks.

huangmingxia avatar Jul 05 '24 07:07 huangmingxia

@huangmingxia I appreciate your review. Thank you!!

I updated this PR as per your suggestions. Can you please re-review?

3. Add the below verification steps after installation:
* Verify the hosted cluster is in Manual mode: check that the Cloud Credential Operator is set to Manual mode by running:
  $ oc get cloudcredentials cluster -o=jsonpath={.spec.credentialsMode}
  The output should be Manual:
  Manual

In this command (and the next command) cluster is the hosted cluster name, right? I updated this command as oc get cloudcredentials <hosted_cluster_name> -n <hosted_cluster_namespace> -o=jsonpath={.spec.credentialsMode} -- Please let me know if it needs to be corrected.

* Verify the service account issuer is not empty: ensure the `serviceAccountIssuer` is not empty by executing:
  $ oc get authentication cluster -o jsonpath --template '{.spec.serviceAccountIssuer }'
  The output looks like:
  https://aos-hypershift-ci-oidc-26499.s3.us-east-2.amazonaws.com/hypershift-ci-26499

This link https://aos-hypershift-ci-oidc-26499.s3.us-east-2.amazonaws.com/hypershift-ci-26499 is giving the output in [1]. Is it the expected output? If not, can you please help with the expected command output?

[1]

<Message>The specified bucket does not exist</Message>
<BucketName>aos-hypershift-ci-oidc-26499</BucketName>
<RequestId>3H472PZ2T22NS3Q9</RequestId>
<HostId>
9I0VrG2h+ZOYvFZMvwsv88WYSbEr+/HTvEpP3p8cuDF+CvXCQKYw/3Tk54cIQ0mqG9HTQd2JWq3BUALblTlR5+M/JWzScfTnhj8Yv/lEW5k=

xenolinux avatar Jul 11 '24 12:07 xenolinux
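The two post-installation checks quoted in the comment above (CCO in Manual mode, non-empty `serviceAccountIssuer`) can be scripted so they fail loudly instead of relying on someone reading the output. The script below is an added example for this thread, not code from the PR or from the OpenShift documentation. It assumes `oc` is on PATH and `KUBECONFIG` points at the hosted cluster, so the cluster-scoped `cluster` resource names from the quoted steps apply; the file name `hcp_verify.sh` and the function names are the example's own. Because the S3-hosted issuer in the quoted sample output can be torn down after a CI run, the script also prints the OIDC discovery URL that should be reachable for a live cluster rather than asserting on the sample hostname.

```shell
#!/bin/sh
# Added example (not from the PR or the OpenShift docs): post-install verification of an
# STS hosted cluster. Assumes KUBECONFIG targets the hosted cluster and `oc` is on PATH.

# Print the CCO credentials mode; empty output means the resource could not be read.
hcp_cco_mode() {
    oc get cloudcredentials cluster -o=jsonpath='{.spec.credentialsMode}' 2>/dev/null
}

# Print the service account issuer URL; empty output means unset or unreadable.
hcp_sa_issuer() {
    oc get authentication cluster -o=jsonpath='{.spec.serviceAccountIssuer}' 2>/dev/null
}

# Return 0 only when the mode is Manual and the issuer is a non-empty https:// URL.
# Each finding is printed on its own line so the output can be attached to a review.
verify_hcp_cco() {
    mode=$(hcp_cco_mode) || mode=""
    issuer=$(hcp_sa_issuer) || issuer=""
    rc=0

    if [ "$mode" = "Manual" ]; then
        echo "OK   credentialsMode=Manual"
    else
        # STS hosted clusters run CCO in Manual mode; anything else means the
        # cluster is not in the state the documented procedure expects.
        echo "FAIL credentialsMode='${mode:-<unreadable>}' (expected Manual)"
        rc=1
    fi

    case "$issuer" in
        https://*)
            echo "OK   serviceAccountIssuer=$issuer"
            # The issuer must serve OIDC discovery for AWS to trust the tokens;
            # this is the URL to probe if the bucket appears to be missing.
            echo "     discovery: ${issuer}/.well-known/openid-configuration"
            ;;
        "")
            echo "FAIL serviceAccountIssuer is empty"
            rc=1
            ;;
        *)
            echo "FAIL serviceAccountIssuer '$issuer' is not an https:// URL"
            rc=1
            ;;
    esac
    return $rc
}

# Run the checks when this file is executed as hcp_verify.sh (example file name);
# sourcing it from another script only defines the functions.
case "$0" in
    *hcp_verify.sh) verify_hcp_cco ;;
esac
```

Save it as `hcp_verify.sh` and run `sh hcp_verify.sh` with the hosted cluster's kubeconfig exported; a non-zero exit code means at least one check failed.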

Hi @xenolinux Thank you for the update! I am working on some blocker tasks today and expect to have time to review either tomorrow or next Monday. I will address all the issues you mentioned during my review. By the way, could you please share the docs preview link again? (It looks like the link is invalid.) Thanks. If you have any other questions, feel free to contact me.

huangmingxia avatar Jul 11 '24 13:07 huangmingxia

Hi @xenolinux Thank you for the update! I am working on some blocker tasks today and expect to have time to review either tomorrow or next Monday. I will address all the issues you mentioned during my review. By the way, could you please share the docs preview link again? (It looks like the link is invalid.) Thanks. If you have any other questions, feel free to contact me.

@huangmingxia Sure. No rush. :) Thanks!

It takes a couple of mins to get the preview updated again. Here's the updated preview link to the particular sections:

xenolinux avatar Jul 11 '24 13:07 xenolinux

Sorry for the late review and feedback! I'd like to add some background first. Let's assume that the cloud is AWS for what follows. A Hypershift hosted cluster only supports STS, and its management cluster can be non-STS with CCO running as normal. Previously, a Hypershift hosted cluster was created by the Hypershift operator without utilizing ccoctl; all logic was done by Hypershift itself. There was no CCO running on the hosted cluster. Feature OCPSTRAT-171 introduced a function that adds awsSTSIAMRoleARN in the CredentialsRequest file, and CCO generates its corresponding credential secret automatically. To implement the similar feature for the hosted cluster, that's OCPSTRAT-110, which the current doc PR is tied to. With OCPSTRAT-110, CCO is running on the control plane for the hosted cluster and the CCO mode is hard-coded to Manual. My comment: To address OCPSTRAT-110 feature usage, it is better to have a link to the procedure of Add token auth via CCO for Operator authors (AWS STS), introduced by the following PR. I don't know if there is any difference in adding an operator for OCP and hosted clusters; I assume the procedures are the same or very close. https://github.com/openshift/openshift-docs/pull/64808

jianping-shu avatar Jul 15 '24 03:07 jianping-shu

@xenolinux The update looks good to me. @celebdor @jstuever Pls. help review this doc change too, the background is here, thanks

jianping-shu avatar Jul 31 '24 02:07 jianping-shu

/cc

jstuever avatar Aug 08 '24 16:08 jstuever

@jstuever Did you get a chance to review this PR?

xenolinux avatar Aug 13 '24 11:08 xenolinux

With a brief read, it looks good to me.

jstuever avatar Aug 13 '24 16:08 jstuever

/label peer-review-needed

xenolinux avatar Aug 16 '24 09:08 xenolinux

@xenolinux: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Aug 26 '24 11:08 openshift-ci[bot]

/label merge-review-needed

xenolinux avatar Aug 26 '24 12:08 xenolinux

/cherrypick enterprise-4.15

kcarmichael08 avatar Aug 26 '24 18:08 kcarmichael08

/cherrypick enterprise-4.16

kcarmichael08 avatar Aug 26 '24 18:08 kcarmichael08

/cherrypick enterprise-4.17

kcarmichael08 avatar Aug 26 '24 18:08 kcarmichael08

@kcarmichael08: new pull request created: #80906

In response to this:

/cherrypick enterprise-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kcarmichael08: new pull request created: #80907

In response to this:

/cherrypick enterprise-4.16

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kcarmichael08: new pull request created: #80908

In response to this:

/cherrypick enterprise-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.