
Commit dd1a0f3

Merge pull request #77653 from xenolinux/cco-hcp
OSDOCS#10947: Support for CCO in HCP
2 parents 852be4d + f028ef8 commit dd1a0f3

3 files changed

+63
-1
lines changed


hosted_control_planes/hcp-authentication-authorization.adoc

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,28 @@ toc::[]
99
The {product-title} control plane includes a built-in OAuth server. You can obtain OAuth access tokens to authenticate to the {product-title} API. After you create your hosted cluster, you can configure OAuth by specifying an identity provider.
1010

1111
include::modules/hcp-configuring-oauth.adoc[leveloffset=+1]
12+
1213
include::modules/hcp-configuring-oauth-console.adoc[leveloffset=+1]
1314

1415
[role="_additional-resources"]
1516
.Additional resources
1617

1718
* To know more about supported identity providers, see xref:../authentication/understanding-identity-provider.adoc#understanding-identity-provider["Understanding identity provider configuration"] in _Authentication and authorization_.
19+
20+
[id="hcp-cco-aws-sts_{context}"]
21+
== Assigning components IAM roles by using the CCO in a hosted cluster on {aws-short}
22+
23+
You can assign components IAM roles that provide short-term, limited-privilege security credentials by using the Cloud Credential Operator (CCO) in hosted clusters on {aws-first}. By default, the CCO runs in a hosted control plane.
24+
25+
[NOTE]
26+
====
27+
The CCO supports a manual mode only for hosted clusters on {aws-short}. By default, hosted clusters are configured in a manual mode. The management cluster might use modes other than manual.
28+
====
29+
30+
include::modules/hcp-cco-verify-aws-sts.adoc[leveloffset=+1]
31+
include::modules/osdk-cco-aws-sts-enabling.adoc[leveloffset=+1]
32+
33+
[role="_additional-resources"]
34+
.Additional resources
35+
36+
* xref:../operators/operator-reference.adoc#cloud-credential-operator_cluster-operators-ref[Cluster Operators reference page for the Cloud Credential Operator]
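Review bot: the new heading and lead sentence read awkwardly ("Assigning components IAM roles", "You can assign components IAM roles"); suggest "Assigning IAM roles to components" and "You can assign IAM roles to components". The NOTE's first sentence, "The CCO supports a manual mode only for hosted clusters on {aws-short}", can be read either as "only manual mode is supported" or as "manual mode is supported only on AWS"; the second sentence implies the former, so state it directly, e.g. "For hosted clusters on {aws-short}, the CCO supports only manual mode." Also, `osdk-cco-aws-sts-enabling.adoc` is shared with `operators/operator_sdk/osdk-token-auth.adoc`, so check that its Operator SDK prerequisites and wording still make sense when rendered under this hosted control planes assembly.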

modules/hcp-cco-verify-aws-sts.adoc

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
// Module included in the following assemblies:
2+
//
3+
// Hosted control plane assemblies
4+
// * hosted_control_planes/hcp-authentication-authorization.adoc
5+
6+
:_mod-docs-content-type: PROCEDURE
7+
[id="hcp-cco-verify-aws-sts_{context}"]
8+
= Verifying the CCO installation in a hosted cluster on {aws-short}
9+
10+
You can verify that the Cloud Credential Operator (CCO) is running correctly in your hosted control plane.
11+
12+
.Prerequisites
13+
14+
* You configured the hosted cluster on {aws-first}.
15+
16+
.Procedure
17+
18+
. Verify that the CCO is configured in a manual mode in your hosted cluster by running the following command:
19+
+
20+
[source,terminal]
21+
----
22+
$ oc get cloudcredentials <hosted_cluster_name> -n <hosted_cluster_namespace> -o=jsonpath={.spec.credentialsMode}
23+
----
24+
+
25+
.Expected output
26+
[source,terminal]
27+
----
28+
Manual
29+
----
30+
31+
. Verify that the value for the `serviceAccountIssuer` resource is not empty by running the following command:
32+
+
33+
[source,terminal]
34+
----
35+
$ oc get authentication cluster --kubeconfig <hosted_cluster_name>.kubeconfig -o jsonpath --template '{.spec.serviceAccountIssuer }'
36+
----
37+
+
38+
.Example output
39+
[source,terminal]
40+
----
41+
https://aos-hypershift-ci-oidc-29999.s3.us-east-2.amazonaws.com/hypershift-ci-29999
42+
----
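Review bot: the two verification steps target different clusters without saying so: step 1 runs against the management cluster (`-n <hosted_cluster_namespace>`) while step 2 runs against the hosted cluster (`--kubeconfig <hosted_cluster_name>.kubeconfig`); state which kubeconfig each step expects. In step 1, quote the JSONPath as step 2 does (`-o=jsonpath='{.spec.credentialsMode}'`), and in step 2 drop the trailing space in `'{.spec.serviceAccountIssuer }'` and use the usual `-o jsonpath='{.spec.serviceAccountIssuer}'` form. The block titles are inconsistent (`.Expected output` vs `.Example output`), and the sample issuer `https://aos-hypershift-ci-oidc-29999.s3.us-east-2.amazonaws.com/hypershift-ci-29999` is a CI artifact; a placeholder such as `https://<bucket_name>.s3.<region>.amazonaws.com/<issuer_path>` would stop readers comparing their value against it. Since `serviceAccountIssuer` is the OIDC issuer that AWS STS trusts when exchanging projected service account tokens, a sentence noting that it must match the OIDC identity provider registered in IAM would tell readers why a non-empty value is the check, and what a mismatch would mean.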

modules/osdk-cco-aws-sts-enabling.adoc

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
// Module included in the following assemblies:
22
//
33
// * operators/operator_sdk/osdk-token-auth.adoc
4+
// * hosted_control_planes/hcp-authentication-authorization.adoc
45

56
:_mod-docs-content-type: PROCEDURE
67
[id="osdk-cco-aws-sts-enabling_{context}"]
@@ -318,4 +319,4 @@ options := session.Options{
318319
SharedConfigFiles: []string{sharedCredentialsFile},
319320
}
320321
----
321-
====
322+
====
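Review bot: the `====` delimiter is removed and re-added with no visible difference, so this is a whitespace-only change (trailing whitespace or a missing end-of-file newline); confirm it is intentional and that the example-block delimiter still pairs with the block it opens, since a mismatched delimiter changes how the preceding `----` source block renders.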
