diff --git a/modules/albo-installation.adoc b/modules/albo-installation.adoc index 6f16dd17dc77..41c4a0b6d9bb 100644 --- a/modules/albo-installation.adoc +++ b/modules/albo-installation.adoc @@ -113,6 +113,8 @@ spec: EOF ---- +Set `spec.channel` to the OLM channel that matches your {product-title} version. The value `stable-v1` is appropriate for many clusters. For the branch and channel that correspond to your version, see xref:understanding-aws-load-balancer-operator.adoc#albo-openshift-version-compatibility[OpenShift version compatibility]. + . Create an AWS IAM policy for the AWS Load Balancer Controller. + .. Download the appropriate IAM policy: diff --git a/modules/albo-openshift-version-compatibility.adoc b/modules/albo-openshift-version-compatibility.adoc new file mode 100644 index 000000000000..6f39c99ca8b4 --- /dev/null +++ b/modules/albo-openshift-version-compatibility.adoc 
@@ -0,0 +1,49 @@ +// Module included in the following assemblies: +// +// * modules/nw-aws-load-balancer-operator-considerations.adoc +// * networking/networking_operators/aws_load_balancer_operator/preparing-sts-cluster-for-albo.adoc + +:_mod-docs-content-type: REFERENCE +[id="albo-openshift-version-compatibility"] +[discrete] +== OpenShift version compatibility + +The following table lists {product-title} versions for which specific {aws-short} Load Balancer Operator releases are intended, including the corresponding Git branch and Operator Lifecycle Manager (OLM) channels. + +For the full support policy and the latest updates to this matrix, see link:https://github.com/openshift/aws-load-balancer-operator/blob/main/docs/versioning.md[Versioning and branching in the AWS Load Balancer Operator] in the upstream repository. + +.AWS Load Balancer Operator compatibility with {product-title} +[cols="1,2,2",options="header"] +|=== +|{product-title} version |{aws-short} Load Balancer Operator branch |{aws-short} Load Balancer Operator OLM channel + +|4.17 +|release-1.2 +|stable-v1.2, stable-v1 + +|4.16 +|release-1.1 +|stable-v1.1, stable-v1 + +|4.15 +|release-1.1 +|stable-v1.1, stable-v1 + +|4.14 +|release-1.1 +|stable-v1.1, stable-v1 + +|4.13 +|release-1.0 +|stable-v1.0, stable-v1 + +|4.12 +|release-0.2 +|stable-v0.2, stable-v0 + +|4.11 +|release-0.1 +|stable-v0.1, stable-v0 +|=== + +Choose the OLM channel that matches your {product-title} version. The `stable-v1` channel follows the latest minor release in the v1 product line; you can instead subscribe to a specific minor channel (for example, `stable-v1.1`) to pin the Operator to that line. diff --git a/modules/installing-aws-load-balancer-operator-cli.adoc b/modules/installing-aws-load-balancer-operator-cli.adoc index ed2953b7615a..c26fa9393560 100644 --- a/modules/installing-aws-load-balancer-operator-cli.adoc +++ b/modules/installing-aws-load-balancer-operator-cli.adoc 
@@ -81,6 +81,8 @@ spec: sourceNamespace: openshift-marketplace ---- + +Set `spec.channel` to the OLM channel that matches your {product-title} version. The value `stable-v1` is appropriate for many clusters. For the branch and channel that correspond to your version, see xref:understanding-aws-load-balancer-operator.adoc#albo-openshift-version-compatibility[OpenShift version compatibility]. ++ .. Create the `Subscription` object by running the following command: + [source,terminal] diff --git a/modules/installing-aws-load-balancer-operator.adoc b/modules/installing-aws-load-balancer-operator.adoc index e0cff1f91a6b..c518757ea922 100644 --- a/modules/installing-aws-load-balancer-operator.adoc +++ b/modules/installing-aws-load-balancer-operator.adoc @@ -25,7 +25,7 @@ To deploy the AWS Load Balancer Operator, install the Operator by using the web . On the *Install Operator* page, select the following options: + -.. For the *Update the channel* option, select *stable-v1*. +.. For the *Update the channel* option, select the OLM channel that matches your {product-title} version. For many clusters, *stable-v1* is appropriate. For the operator branch and channel that correspond to your version, see xref:understanding-aws-load-balancer-operator.adoc#albo-openshift-version-compatibility[OpenShift version compatibility]. + .. For the *Installation mode* option, select *All namespaces on the cluster (default)*. + diff --git a/modules/nw-aws-load-balancer-operator-considerations.adoc b/modules/nw-aws-load-balancer-operator-considerations.adoc index 9daf986909a6..fbc449975263 100644 --- a/modules/nw-aws-load-balancer-operator-considerations.adoc +++ b/modules/nw-aws-load-balancer-operator-considerations.adoc 
@@ -8,6 +8,8 @@ [role="_abstract"] To ensure a successful deployment, review the limitations of the AWS Load Balancer Operator. Understanding these constraints helps avoid compatibility issues and ensures the Operator meets your architectural requirements before installation. +include::modules/albo-openshift-version-compatibility.adoc[leveloffset=+1] + Review the following limitations before installing and using the AWS Load Balancer Operator: * The IP traffic mode only works on AWS Elastic Kubernetes Service (EKS). The AWS Load Balancer Operator disables the IP traffic mode for the AWS Load Balancer Controller. As a result of disabling the IP traffic mode, the AWS Load Balancer Controller cannot use the pod readiness gate. diff --git a/modules/specifying-role-arn-albo-sts.adoc b/modules/specifying-role-arn-albo-sts.adoc index 4d1d056f5ecd..923d97ca4d15 100644 --- a/modules/specifying-role-arn-albo-sts.adoc +++ b/modules/specifying-role-arn-albo-sts.adoc @@ -59,6 +59,8 @@ spec: EOF ---- + +Set `spec.channel` to the OLM channel that matches your {product-title} version. The value `stable-v1` is appropriate for many clusters. For the branch and channel that correspond to your version, see xref:understanding-aws-load-balancer-operator.adoc#albo-openshift-version-compatibility[OpenShift version compatibility]. ++ where: + ``:: Specifies the ARN role to be used in the `CredentialsRequest` to provision the {aws-short} credentials for the {aws-short} Load Balancer Operator. An example for `` is `arn:aws:iam:::role/albo-operator`. diff --git a/modules/using-aws-cli-create-iam-role-alb-controller.adoc b/modules/using-aws-cli-create-iam-role-alb-controller.adoc index c454ff11317a..59a7f69db3c0 100644 --- a/modules/using-aws-cli-create-iam-role-alb-controller.adoc +++ b/modules/using-aws-cli-create-iam-role-alb-controller.adoc 
@@ -11,7 +11,21 @@ To enable the {aws-short} Load Balancer Controller to interact with subnets and .Prerequisites -* You must have access to the {aws-short} command-line interface (`aws`). +* You must have access to the {aws-short} Command Line Interface (`aws`). +* You installed the {oc-first}. +* You know the infrastructure ID of your cluster. To show this ID, run the following command in your CLI: ++ +[source,terminal] +---- +$ oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}" +---- +* You know the OpenID Connect (OIDC) DNS information for your cluster. To show this information, enter the following command in your CLI: ++ +[source,terminal] +---- +$ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}" +---- +* You logged into the {aws-short} management console, navigated to *IAM* -> *Access management* -> *Identity providers*, and located the OIDC Amazon Resource Name (ARN) information. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/`. .Procedure @@ -31,7 +45,7 @@ $ cat < albo-controller-trust-policy.json "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - ":sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" + ":sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" } } } 
@@ -43,7 +57,7 @@ EOF where: + ``:: Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. -`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Controller. An example of `` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. +`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Controller, `aws-load-balancer-controller-cluster`. An example of `` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. . Create an {aws-short} IAM role with the generated trust policy by running the following command: + @@ -58,7 +72,7 @@ $ aws iam create-role --role-name albo-controller --assume-role-policy-document ROLE arn:aws:iam:::role/albo-controller 2023-08-02T12:13:22Z <1> ASSUMEROLEPOLICYDOCUMENT 2012-10-17 STATEMENT sts:AssumeRoleWithWebIdentity Allow -STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager +STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster PRINCIPAL arn:aws:iam::oidc-provider/ ---- + diff --git a/modules/using-aws-cli-create-iam-role-alb-operator.adoc b/modules/using-aws-cli-create-iam-role-alb-operator.adoc index 69e9bc6c325c..64211b6124b7 100644 --- a/modules/using-aws-cli-create-iam-role-alb-operator.adoc +++ b/modules/using-aws-cli-create-iam-role-alb-operator.adoc 
@@ -12,6 +12,20 @@ To enable the {aws-short} Load Balancer Operator to interact with subnets and VP .Prerequisites * You must have access to the {aws-short} Command Line Interface (`aws`). +* You installed the {oc-first}. +* You know the infrastructure ID of your cluster. To show this ID, run the following command in your CLI: ++ +[source,terminal] +---- +$ oc get infrastructure cluster -o=jsonpath="{.status.infrastructureName}" +---- +* You know the OpenID Connect (OIDC) DNS information for your cluster. To show this information, enter the following command in your CLI: ++ +[source,terminal] +---- +$ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}" +---- +* You logged into the {aws-short} management console, navigated to *IAM* -> *Access management* -> *Identity providers*, and located the OIDC Amazon Resource Name (ARN) information. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/`. .Procedure @@ -43,7 +57,7 @@ EOF where: + ``:: Specifies the Amazon Resource Name (ARN) of the OIDC identity provider, such as `arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. -`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Controller. An example of `` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. +`serviceaccount`:: Specifies the service account for the {aws-short} Load Balancer Operator. An example of `` is `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`. . Create the IAM role with the generated trust policy by running the following command: + 
@@ -58,7 +72,7 @@ $ aws iam create-role --role-name albo-operator --assume-role-policy-document fi ROLE arn:aws:iam:::role/albo-operator 2023-08-02T12:13:22Z <1> ASSUMEROLEPOLICYDOCUMENT 2012-10-17 STATEMENT sts:AssumeRoleWithWebIdentity Allow -STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-manager +STRINGEQUALS system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager PRINCIPAL arn:aws:iam::oidc-provider/ ---- + @@ -73,7 +87,7 @@ where: $ curl -o albo-operator-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/operator-permission-policy.json ---- -. Attach the permission policy for the {aws-short} Load Balancer Controller to the IAM role by running the following command: +. Attach the permission policy for the {aws-short} Load Balancer Operator to the IAM role by running the following command: + [source,terminal] ---- diff --git a/networking/networking_operators/aws_load_balancer_operator/preparing-sts-cluster-for-albo.adoc b/networking/networking_operators/aws_load_balancer_operator/preparing-sts-cluster-for-albo.adoc index 7f2700d0971b..919ef2bda930 100644 --- a/networking/networking_operators/aws_load_balancer_operator/preparing-sts-cluster-for-albo.adoc +++ b/networking/networking_operators/aws_load_balancer_operator/preparing-sts-cluster-for-albo.adoc @@ -11,6 +11,8 @@ To install the {aws-first} Load Balancer Operator on a cluster that uses the {st The {aws-short} Load Balancer Operator waits until the required secrets are created and available. +include::modules/albo-openshift-version-compatibility.adoc[] + Before you start any {sts-first} procedures, ensure that you meet the following prerequisites: * You installed the {oc-first}.
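Review bot: In modules/albo-installation.adoc (hunk at -113,6), the added "Set `spec.channel` ..." paragraph follows the closing `----` directly, with no `+` list continuation. The same paragraph in installing-aws-load-balancer-operator-cli.adoc and specifying-role-arn-albo-sts.adoc is attached with `+` before and after. If this YAML block belongs to a numbered step, add the `+` lines so the paragraph stays inside the step and the numbering of ". Create an AWS IAM policy ..." is not reset. The paragraph is repeated verbatim in three modules, so a shared snippet would keep the copies from drifting. The xref uses a bare file name; confirm that it resolves from every assembly that includes these modules.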
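Review bot: In the new modules/albo-openshift-version-compatibility.adoc, the table and the closing paragraph disagree about `stable-v1`. The rows for 4.13 through 4.16 list `stable-v1` next to `release-1.0` or `release-1.1`, but the closing paragraph says `stable-v1` "follows the latest minor release in the v1 product line", which the 4.17 row gives as `release-1.2`. State explicitly whether a 4.14 cluster subscribed to `stable-v1` receives a 1.2 build. If it does, recommend the minor channel for older clusters instead of listing both as equivalent. Separately, the header comment lists modules/nw-aws-load-balancer-operator-considerations.adoc under "assemblies", but that file is a module.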
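Review bot: In modules/installing-aws-load-balancer-operator.adoc (hunk at -25,7), "For many clusters, *stable-v1* is appropriate" does not tell readers whether their cluster is one of them. The table added in this patch maps 4.11 and 4.12 to `stable-v0`, so name the versions the default applies to, or drop the sentence and let the table decide. This copy also says "the operator branch and channel" where the other three copies say "the branch and channel", and it lowercases "operator" where the rest of the patch writes "Operator". Align the wording.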
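Review bot: In modules/nw-aws-load-balancer-operator-considerations.adoc (hunk at -8,6), the include is placed between the abstract and "Review the following limitations ...". The version heading and table will therefore render before the sentence that introduces the limitations list the abstract promises. Move the include below the limitations list, or include the compatibility module from the assembly instead of nesting a module inside a module.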
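Review bot: In modules/using-aws-cli-create-iam-role-alb-controller.adoc (prerequisites hunk at -11,7, and the identical block added to using-aws-cli-create-iam-role-alb-operator.adoc at -12,6), the `oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}"` command returns an issuer URL that includes the `https://` scheme. The example value later in the module, `rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f`, has no scheme. Tell the reader to strip the scheme before using the value in the trust policy, because a `:sub` condition key built from the full URL will not match. The OIDC ARN example in the last bullet ends at `oidc-provider/` with no provider path, so it does not show what to look for. "You logged into" should read "You logged in to". The infrastructure ID prerequisite is not used by any step visible in these hunks; drop it if the procedure does not need it.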
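Review bot: In modules/using-aws-cli-create-iam-role-alb-controller.adoc (trust policy hunk at -31,7 and the matching output hunk at -58,7), the `StringEquals` match on `:sub` is the only condition in the statement. That service account string is therefore the entire trust boundary for the `albo-controller` role. The previous text bound the role to `aws-load-balancer-operator-controller-manager`, so readers who already created the role from the earlier instructions have a role that trusts the Operator's service account rather than the controller's. Add a note telling them to replace the trust policy on the existing role, for example with `aws iam update-assume-role-policy`, and confirm in the PR description that `aws-load-balancer-controller-cluster` is the name the Operator actually creates.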
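Review bot: In the `where:` hunks at -43,7 of both IAM role modules, the `serviceaccount` entry describes a service account, but its second sentence gives an OIDC provider host and path (`rh-oidc.s3.us-east-1.amazonaws.com/...`) as the example. Split this into two entries so each placeholder has its own description and example. The controller module now names its service account (`aws-load-balancer-controller-cluster`), but the operator module does not. Add `aws-load-balancer-operator-controller-manager` there so that it matches the `STRINGEQUALS` line corrected in the hunk at -58,7.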
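Review bot: In modules/using-aws-cli-create-iam-role-alb-operator.adoc (hunk at -73,7), the context line above the reworded step downloads the permission policy from the `main` branch (`.../aws-load-balancer-operator/main/hack/operator-permission-policy.json`). This patch now documents a release branch for each cluster version, so consider pointing the `curl` at the branch from the compatibility table. The IAM permissions attached to `albo-operator` would then match the installed Operator release, not whatever is currently on `main`.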
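Review bot: In networking/networking_operators/aws_load_balancer_operator/preparing-sts-cluster-for-albo.adoc (hunk at -11,6), the include has no `leveloffset`, while the same module is included with `leveloffset=+1` in nw-aws-load-balancer-operator-considerations.adoc. Because the module declares a `[discrete]` `==` heading, the two includes render that heading at different levels. Pick one offset and check the heading level in both rendered pages. The include also separates "The {aws-short} Load Balancer Operator waits until the required secrets are created and available." from the prerequisites sentence that follows. Placing it after the prerequisites list would keep the introduction intact.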