| 1 | +# Tokenize with Cloud Credentials Operator |
| 2 | + |
| 3 | +Cloud Credentials Operator (CCO) is installed by default on OCP. |
| 4 | +To check the CCO status |
| 5 | + |
| 6 | +```console |
| 7 | +oc get clusteroperator cloud-credential |
| 8 | +``` |
| 9 | +it show somethig like |
| 10 | + |
| 11 | +```console |
| 12 | +NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE |
| 13 | +cloud-credential 4.x.x True False False ... |
| 14 | +``` |
| 15 | +Pod' status |
| 16 | +```console |
| 17 | +oc get pods -n openshift-cloud-credential-operator |
| 18 | +``` |
| 19 | + |
| 20 | +Credential requests checks |
| 21 | +```console |
| 22 | +oc get credentialsrequests -n openshift-cloud-credential-operator |
| 23 | +``` |
| 24 | + |
| 25 | +CCO details |
| 26 | +```console |
| 27 | +oc describe clusteroperator cloud-credential |
| 28 | +``` |
| 29 | + |
| 30 | +CCO Modality |
| 31 | +```console |
| 32 | +oc get cloudcredential cluster -o yaml |
| 33 | +``` |
| 34 | +On spec.credentialsMode will be the configured setting (Mint, |
| 35 | +Passthrough, Manual, o empty for default). |
| 36 | + |
| 37 | +## How the Operator interact with the CCO |
| 38 | + |
| 39 | +1. Operator declare permissions needed in a CredentialsRequest CR in the namespace openshift-cloud-credential-operator |
| 40 | + |
| 41 | +```console |
| 42 | + apiVersion: cloudcredential.openshift.io/v1 |
| 43 | + kind: CredentialsRequest |
| 44 | + metadata: |
| 45 | + name: my-operator-credentials |
| 46 | + namespace: openshift-cloud-credential-operator |
| 47 | + spec: |
| 48 | + secretRef: |
| 49 | + name: my-cloud-creds |
| 50 | + namespace: my-operator-namespace |
| 51 | + providerSpec: |
| 52 | + apiVersion: cloudcredential.openshift.io/v1 |
| 53 | + kind: AWSProviderSpec # esempio per AWS |
| 54 | + statementEntries: |
| 55 | + - effect: Allow |
| 56 | + action: |
| 57 | + - "s3:GetObject" |
| 58 | + - "s3:PutObject" |
| 59 | + resource: "*" |
| 60 | +``` |
| 61 | + |
| 62 | +2. CCO process the CR and create a Kubernetes Secret with the cloud credentails |
| 63 | + in the namespace specified in spec.secretRef. |
| 64 | + |
| 65 | +3. Operator reads the Secret and use the credentials to interact with the cloud API. |
| 66 | + Operator must tolerate the not immediate availability of the secret becasue take time to create. |
| 67 | + |
| 68 | +## How integrate the CCO with the Helm Chart Operator |
| 69 | + |
| 70 | +1. Define Credential Request in the chart |
| 71 | +2. |
| 72 | +2. Configure Deployment to use the secret created by the CCO |
| 73 | + |
| 74 | +3. Handling the delay of the creation of the secret |
| 75 | + first approact Init container |
| 76 | +```console |
| 77 | + initContainers: |
| 78 | + - name: wait-for-creds |
| 79 | + image: registry.redhat.io/openshift4/ose-cli |
| 80 | + command: |
| 81 | + - /bin/bash |
| 82 | + - -c |
| 83 | + - | |
| 84 | + until oc get secret {{ .Release.Name }}-cloud-creds -n {{ |
| 85 | + .Release.Namespace }} 2>/dev/null; do |
| 86 | + echo "Waiting for cloud credentials..." |
| 87 | + sleep 5 |
| 88 | + done |
| 89 | +``` |
| 90 | + second approach Retry in the Operator's code, but this is available on a full Go Operator |
| 91 | + |
| 92 | +4. Support different cloud provider with values configurations |
| 93 | + |
| 94 | +5. RBAC needed to create the CredentialsRequest |
| 95 | +6. Supporto Manual Mode (STS/WIF) if the cluster use mode o STS, CCO didn't create the secret automatically. |
| 96 | + In STS mode the user must : |
| 97 | + 1. Extract CredentialsRequest from chart |
| 98 | + 2. Use ccoctl tool to generate the credentials |
| 99 | + 3. Create manually the secrets before install the chart |
| 100 | + |
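Review bot: the Helm template action in the init container script is split across two lines (`until oc get secret {{ .Release.Name }}-cloud-creds -n {{` followed by `.Release.Namespace }} 2>/dev/null; do`), and Go template actions may not span newlines, so `helm template` and `helm install` will fail to parse this chart; keep `{{ .Release.Namespace }}` on one line. The same init container also depends on RBAC the document never states: `oc get secret` runs as the pod's ServiceAccount, so the chart must ship a Role granting `get` on `secrets` in the release namespace plus a RoleBinding to that ServiceAccount, otherwise the Forbidden error is swallowed by `2>/dev/null` and the `until` loop waits forever; item 5 ("RBAC needed to create the CredentialsRequest") should cover this, and should also note that the CredentialsRequest is created in `openshift-cloud-credential-operator`, not the release namespace, so the installer needs rights there. The AWS sample requests `s3:GetObject` and `s3:PutObject` on `resource: "*"`; since CCO grants what the `statementEntries` ask for, the example should scope `resource` to the bucket ARNs the operator actually uses and say that readers must not copy the wildcard. Documentation gaps: items 1, 2, 4 and 5 under "How integrate the CCO with the Helm Chart Operator" are headings with no body, item 2 appears twice (an empty `2.` then another `2.`), the YAML blocks are fenced as `console` instead of `yaml`, and the comment `# esempio per AWS` is in Italian. Typos to fix before merge: "somethig", "it show", "Pod' status", "o empty", "credentails", "becasue", "approact", "Supporto", "mode o STS".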