diff --git a/docs/content/how-to/azure/azure-workload-identity-setup.md b/docs/content/how-to/azure/azure-workload-identity-setup.md deleted file mode 100644 index c7523d6b119..00000000000 --- a/docs/content/how-to/azure/azure-workload-identity-setup.md +++ /dev/null @@ -1,134 +0,0 @@ -# Azure Workload Identity Setup for Self-Managed Clusters - -!!! note "Developer Preview in OCP 4.21" - - Self-managed Azure HostedClusters are available as a Developer Preview feature in OpenShift Container Platform 4.21. - -This document describes how to set up Azure Workload Identities and OIDC issuer for self-managed Azure HostedClusters. - -!!! warning "Persistent Resource Groups" - - When setting up workload identities and OIDC issuer for the first time, create them in a **persistent resource group** that will not be deleted when individual clusters are destroyed. This allows you to reuse the same workload identities and OIDC issuer across multiple HostedClusters, reducing setup time and avoiding unnecessary resource recreation. - - - Use a persistent resource group like `os4-common`. - - This resource group should be separate from the cluster-specific resource groups that get created and deleted with each HostedCluster. - - The OIDC issuer storage account should also be created in this persistent resource group. - -## Prerequisites - -- Azure CLI (`az`) installed and configured -- `jq` command-line JSON processor -- Cloud Credential Operator (CCO) tool installed -- Appropriate Azure permissions - -## Create Azure Workload Identities - -!!! note "OIDC Issuer Required" - - Before running this command, you need an OIDC issuer URL. If you haven't set this up yet, see [Configure OIDC Issuer](#configure-oidc-issuer) below first. - -You can create the required managed identities and federated credentials using the HyperShift CLI: - -```bash -# Set environment variables -PERSISTENT_RG_NAME="os4-common" # Use persistent resource group -LOCATION="eastus" -CLUSTER_NAME="my-self-managed-cluster" -INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" -AZURE_CREDS="/path/to/azure-creds.json" - -# Create persistent resource group (if it doesn't exist) -az group create --name $PERSISTENT_RG_NAME --location $LOCATION - -# Create workload identities using the HyperShift CLI -# (requires OIDC issuer URL - see next section if you haven't set this up yet) -hypershift create iam azure \ - --name $CLUSTER_NAME \ - --infra-id $INFRA_ID \ - --azure-creds $AZURE_CREDS \ - --location $LOCATION \ - --resource-group-name $PERSISTENT_RG_NAME \ - --oidc-issuer-url $OIDC_ISSUER_URL \ - --output-file workload-identities.json -``` - -This creates 7 managed identities with federated credentials for: - -- Disk CSI driver -- File CSI driver -- Image Registry -- Ingress Operator -- Cloud Provider -- NodePool Management -- Network Operator - -To also create a KMS identity for Azure Key Vault etcd encryption at rest, add the `--enable-kms` flag: - -```bash -hypershift create iam azure \ - --name $CLUSTER_NAME \ - --infra-id $INFRA_ID \ - --azure-creds $AZURE_CREDS \ - --location $LOCATION \ - --resource-group-name $PERSISTENT_RG_NAME \ - --oidc-issuer-url $OIDC_ISSUER_URL \ - --output-file workload-identities.json \ - --enable-kms -``` - -!!! warning "KMS Key Vault Role Assignment" - - If you use `--enable-kms`, you must **manually** assign the `Key Vault Crypto User` role to the KMS identity on your Key Vault. The `--auto-assign-roles` flag does not cover this because the Key Vault scope is user-provided. See [Enabling KMS Encryption](create-self-managed-azure-cluster.md#enabling-kms-encryption-etcd-encryption-at-rest) for the role assignment commands. - -For complete documentation on the IAM commands, see [Create Azure IAM Resources Separately](create-iam-separately.md). - -## Configure OIDC Issuer - -Use the Cloud Credential Operator (CCO) tool to create the OIDC issuer: - -```bash -# Set OIDC issuer variables (reusing variables from previous steps) -OIDC_STORAGE_ACCOUNT_NAME="yourstorageaccount" -TENANT_ID="your-tenant-id" -# SUBSCRIPTION_ID and PERSISTENT_RG_NAME already set from previous section -# Create an RSA key pair and save the private and public key -ccoctl azure create-key-pair - -SA_TOKEN_ISSUER_PRIVATE_KEY_PATH="/path/to/serviceaccount-signer.private" -SA_TOKEN_ISSUER_PUBLIC_KEY_PATH="/path/to/serviceaccount-signer.public" - -# Create OIDC issuer using CCO tool in os4-common resource group -ccoctl azure create-oidc-issuer \ - --oidc-resource-group-name ${PERSISTENT_RG_NAME} \ - --tenant-id ${TENANT_ID} \ - --region ${LOCATION} \ - --name ${OIDC_STORAGE_ACCOUNT_NAME} \ - --subscription-id ${SUBSCRIPTION_ID} \ - --public-key-file ${SA_TOKEN_ISSUER_PUBLIC_KEY_PATH} - -# Set OIDC issuer URL -OIDC_ISSUER_URL="https://${OIDC_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/${OIDC_STORAGE_ACCOUNT_NAME}" -``` - -## Verification - -Verify the setup: - -```bash -# List created managed identities -az identity list --resource-group $PERSISTENT_RG_NAME --output table - -# Verify federated credentials for one identity -az identity federated-credential list \ - --identity-name "${AZURE_DISK_MI_NAME}" \ - --resource-group $PERSISTENT_RG_NAME - -# Test OIDC issuer accessibility -curl -s "${OIDC_ISSUER_URL}/.well-known/openid-configuration" | jq . -``` - -## Next Steps - -After setting up workload identities, you can proceed to: - -- [Setup Azure Management Cluster for HyperShift](setup-management-cluster.md) \ No newline at end of file diff --git a/docs/content/how-to/azure/create-iam-separately.md b/docs/content/how-to/azure/create-iam-separately.md index e392d0ec577..77abf4ab809 100644 --- a/docs/content/how-to/azure/create-iam-separately.md +++ b/docs/content/how-to/azure/create-iam-separately.md @@ -4,6 +4,10 @@ title: Create Azure IAM resources separately # Create Azure IAM resources separately +!!! note "Developer Preview in OCP 4.21" + + Self-managed Azure HostedClusters are available as a Developer Preview feature in OpenShift Container Platform 4.21. + The `hypershift create iam azure` command creates Azure workload identities separately from infrastructure, following the same pattern as AWS and GCP. This enables you to manage IAM resources independently from your cluster infrastructure lifecycle. @@ -11,15 +15,30 @@ your cluster infrastructure lifecycle. ## Overview For self-managed Azure HyperShift clusters, workload identities authenticate cluster components to Azure -services using OIDC federation. You must create identities separately using `create iam azure` and then +services using OIDC federation. The setup consists of two steps: + +1. **Configure an OIDC Issuer** using the Cloud Credential Operator (CCO) tool +2. **Create workload identities** using `hypershift create iam azure` + +You must create identities separately using `create iam azure` and then consume them during infrastructure or cluster creation via the `--workload-identities-file` flag. -This approach provides control over the IAM lifecycle and follows the same pattern as AWS and GCP platforms. +!!! warning "Persistent Resource Groups" + + When setting up workload identities and OIDC issuer for the first time, create them in a **persistent resource group** that will not be deleted when individual clusters are destroyed. This allows you to reuse the same workload identities and OIDC issuer across multiple HostedClusters, reducing setup time and avoiding unnecessary resource recreation. + + - Use a persistent resource group like `os4-common`. + - This resource group should be separate from the cluster-specific resource groups that get created and deleted with each HostedCluster. + - The OIDC issuer storage account should also be created in this persistent resource group. ## Prerequisites Before creating Azure IAM resources, ensure you have: +- Azure CLI (`az`) installed and configured +- Cloud Credential Operator (CCO) tool (`ccoctl`) installed +- `jq` command-line JSON processor +- Appropriate Azure permissions - An Azure credentials file with the following format: ```json { @@ -30,20 +49,57 @@ Before creating Azure IAM resources, ensure you have: } ``` - An existing resource group where the managed identities will be created -- An OIDC issuer URL for workload identity federation + +## Configure OIDC Issuer + +Before creating workload identities, you need an OIDC issuer URL. Use the Cloud Credential Operator (CCO) tool to create one: + +```bash +# Set OIDC issuer variables +PERSISTENT_RG_NAME="os4-common" # Use persistent resource group +LOCATION="eastus" +OIDC_STORAGE_ACCOUNT_NAME="yourstorageaccount" +TENANT_ID="your-tenant-id" +SUBSCRIPTION_ID="your-subscription-id" + +# Create persistent resource group (if it doesn't exist) +az group create --name $PERSISTENT_RG_NAME --location $LOCATION + +# Create an RSA key pair and save the private and public key +ccoctl azure create-key-pair + +SA_TOKEN_ISSUER_PRIVATE_KEY_PATH="/path/to/serviceaccount-signer.private" +SA_TOKEN_ISSUER_PUBLIC_KEY_PATH="/path/to/serviceaccount-signer.public" + +# Create OIDC issuer using CCO tool in persistent resource group +ccoctl azure create-oidc-issuer \ + --oidc-resource-group-name ${PERSISTENT_RG_NAME} \ + --tenant-id ${TENANT_ID} \ + --region ${LOCATION} \ + --name ${OIDC_STORAGE_ACCOUNT_NAME} \ + --subscription-id ${SUBSCRIPTION_ID} \ + --public-key-file ${SA_TOKEN_ISSUER_PUBLIC_KEY_PATH} + +# Set OIDC issuer URL +OIDC_ISSUER_URL="https://${OIDC_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/${OIDC_STORAGE_ACCOUNT_NAME}" +``` ## Creating Workload Identities Use the `hypershift create iam azure` command: ```bash +CLUSTER_NAME="my-self-managed-cluster" +INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" +AZURE_CREDS="/path/to/azure-creds.json" + hypershift create iam azure \ - --name CLUSTER_NAME \ - --infra-id INFRA_ID \ - --azure-creds AZURE_CREDENTIALS_FILE \ - --location LOCATION \ - --resource-group-name RESOURCE_GROUP \ - --oidc-issuer-url OIDC_ISSUER_URL \ + --name $CLUSTER_NAME \ + --infra-id $INFRA_ID \ + --azure-creds $AZURE_CREDS \ + --location $LOCATION \ + --resource-group-name $PERSISTENT_RG_NAME \ + --oidc-issuer-url $OIDC_ISSUER_URL \ --output-file workload-identities.json ``` @@ -52,11 +108,11 @@ where: * `CLUSTER_NAME` is the name of the hosted cluster you intend to create. * `INFRA_ID` is a unique identifier used to name Azure resources. Typically this is the cluster name with a random suffix appended. -* `AZURE_CREDENTIALS_FILE` points to an Azure credentials file with permission to create +* `AZURE_CREDS` points to an Azure credentials file with permission to create managed identities and federated credentials. * `LOCATION` is the Azure region for the managed identities (e.g., `eastus`, `westus2`). -* `RESOURCE_GROUP` is the name of an existing resource group where identities will be created. -* `OIDC_ISSUER_URL` is the URL of the OIDC identity provider used for workload identity federation. +* `PERSISTENT_RG_NAME` is the name of an existing resource group where identities will be created. +* `OIDC_ISSUER_URL` is the URL of the OIDC identity provider created in the previous step. Running this command creates: @@ -71,6 +127,26 @@ Running this command creates: - Control Plane Operator * Federated Identity Credentials for each identity, configured with the OIDC issuer +### Enabling KMS Identity + +To also create a KMS identity for Azure Key Vault etcd encryption at rest, add the `--enable-kms` flag: + +```bash +hypershift create iam azure \ + --name $CLUSTER_NAME \ + --infra-id $INFRA_ID \ + --azure-creds $AZURE_CREDS \ + --location $LOCATION \ + --resource-group-name $PERSISTENT_RG_NAME \ + --oidc-issuer-url $OIDC_ISSUER_URL \ + --output-file workload-identities.json \ + --enable-kms +``` + +!!! warning "KMS Key Vault Role Assignment" + + If you use `--enable-kms`, you must **manually** assign the `Key Vault Crypto User` role to the KMS identity on your Key Vault. The `--auto-assign-roles` flag does not cover this because the Key Vault scope is user-provided. See [Enabling KMS Encryption](create-self-managed-azure-cluster.md#enabling-kms-encryption-etcd-encryption-at-rest) for the role assignment commands. + ## Private Endpoint Access The **Control Plane Operator** identity is always created by `create iam azure`. For private @@ -150,6 +226,23 @@ hypershift create cluster azure \ --workload-identities-file workload-identities.json ``` +## Verification + +Verify the setup: + +```bash +# List created managed identities +az identity list --resource-group $PERSISTENT_RG_NAME --output table + +# Verify federated credentials for one identity +az identity federated-credential list \ + --identity-name "${CLUSTER_NAME}-disk-${INFRA_ID}" \ + --resource-group $PERSISTENT_RG_NAME + +# Test OIDC issuer accessibility +curl -s "${OIDC_ISSUER_URL}/.well-known/openid-configuration" | jq . +``` + ## Destroying Workload Identities To destroy the workload identities that were created: @@ -181,16 +274,17 @@ Both the managed identities and their federated credentials are removed. | `--name` | Name of the HostedCluster | | `--infra-id` | Unique infrastructure identifier | | `--azure-creds` | Path to Azure credentials JSON file | -| `--location` | Azure region for identities | +| `--resource-group-name` | Resource group for identities | | `--oidc-issuer-url` | OIDC issuer URL for federation | +| `--output-file` | Output file path | ### Optional Flags for `create iam azure` | Flag | Description | Default | |------|-------------|---------| -| `--resource-group-name` | Resource group for identities | `{name}-{infra-id}` | -| `--output-file` | Output file path | `{name}-iam-output.json` | +| `--location` | Azure region for identities | `eastus` | | `--cloud` | Azure cloud environment | `AzurePublicCloud` | +| `--enable-kms` | Create KMS identity for etcd encryption | `false` | ### Required Flags for `destroy iam azure` @@ -220,22 +314,37 @@ export INFRA_ID="${NAME}-$(openssl rand -hex 4)" export LOCATION="eastus" export BASE_DOMAIN="example.com" export AZURE_CREDS="/path/to/azure-creds.json" -export OIDC_ISSUER_URL="https://my-oidc-issuer.com" - -# 2. Create a resource group for identities -az group create --name ${NAME}-rg --location ${LOCATION} - -# 3. Create workload identities +export PERSISTENT_RG_NAME="os4-common" +export TENANT_ID="your-tenant-id" +export SUBSCRIPTION_ID="your-subscription-id" +export OIDC_STORAGE_ACCOUNT_NAME="yourstorageaccount" +export RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:XYZ" + +# 2. Create persistent resource group (if it doesn't exist) +az group create --name ${PERSISTENT_RG_NAME} --location ${LOCATION} + +# 3. Create OIDC issuer +ccoctl azure create-key-pair +ccoctl azure create-oidc-issuer \ + --oidc-resource-group-name ${PERSISTENT_RG_NAME} \ + --tenant-id ${TENANT_ID} \ + --region ${LOCATION} \ + --name ${OIDC_STORAGE_ACCOUNT_NAME} \ + --subscription-id ${SUBSCRIPTION_ID} \ + --public-key-file /path/to/serviceaccount-signer.public +export OIDC_ISSUER_URL="https://${OIDC_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/${OIDC_STORAGE_ACCOUNT_NAME}" + +# 4. Create workload identities hypershift create iam azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ --azure-creds ${AZURE_CREDS} \ --location ${LOCATION} \ - --resource-group-name ${NAME}-rg \ + --resource-group-name ${PERSISTENT_RG_NAME} \ --oidc-issuer-url ${OIDC_ISSUER_URL} \ --output-file workload-identities.json -# 4. Create infrastructure using pre-created identities +# 5. Create infrastructure using pre-created identities hypershift create infra azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ @@ -243,9 +352,11 @@ hypershift create infra azure \ --base-domain ${BASE_DOMAIN} \ --location ${LOCATION} \ --workload-identities-file workload-identities.json \ + --assign-identity-roles \ + --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ --output-file infra-output.yaml -# 5. Create the cluster +# 6. Create the cluster hypershift create cluster azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ @@ -253,35 +364,41 @@ hypershift create cluster azure \ --base-domain ${BASE_DOMAIN} \ --location ${LOCATION} \ --pull-secret /path/to/pull-secret \ - --infra-json infra-output.yaml + --generate-ssh \ + --release-image ${RELEASE_IMAGE} \ + --sa-token-issuer-private-key-path /path/to/serviceaccount-signer.private \ + --oidc-issuer-url ${OIDC_ISSUER_URL} \ + --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ + --assign-service-principal-roles \ + --infra-json infra-output.yaml \ + --diagnostics-storage-account-type Managed # --- Cleanup --- -# 6. Destroy the cluster +# 7. Destroy the cluster hypershift destroy cluster azure \ --name ${NAME} \ --azure-creds ${AZURE_CREDS} \ - --dns-zone-rg-name ${DNS_ZONE_RG} + --dns-zone-rg-name ${PERSISTENT_RG_NAME} -# 7. Destroy infrastructure +# 8. Destroy infrastructure hypershift destroy infra azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ --azure-creds ${AZURE_CREDS} -# 8. Destroy IAM resources +# 9. Destroy IAM resources (only if no longer needed) hypershift destroy iam azure \ --azure-creds ${AZURE_CREDS} \ --workload-identities-file workload-identities.json \ - --resource-group-name ${RESOURCE_GROUP} \ + --resource-group-name ${PERSISTENT_RG_NAME} \ --name ${NAME} \ --infra-id ${INFRA_ID} \ - --dns-zone-rg-name ${DNS_ZONE_RG} + --dns-zone-rg-name ${PERSISTENT_RG_NAME} ``` ## See Also - [Create Azure Infrastructure Separately](create-infra-separately.md) -- [Azure Workload Identity Setup](azure-workload-identity-setup.md) - [Self-Managed Azure Overview](self-managed-azure-index.md) - [Deploy Azure Private Clusters](deploy-azure-private-clusters.md) — End-to-end guide for private endpoint access diff --git a/docs/content/how-to/azure/create-self-managed-azure-cluster.md b/docs/content/how-to/azure/create-self-managed-azure-cluster.md index f1b337508e8..a0bffb39b88 100644 --- a/docs/content/how-to/azure/create-self-managed-azure-cluster.md +++ b/docs/content/how-to/azure/create-self-managed-azure-cluster.md @@ -27,7 +27,7 @@ Before creating a self-managed Azure HostedCluster, ensure you have: This guide assumes you have already completed the workload identity configuration and management cluster setup. Follow these guides in order: - 1. [Azure Workload Identity Setup](azure-workload-identity-setup.md) - Workload identities and OIDC issuer configuration + 1. [Create Azure IAM Resources](create-iam-separately.md) - Workload identities and OIDC issuer configuration 2. [Setup Azure Management Cluster for HyperShift](setup-management-cluster.md) - HyperShift operator installation (with or without External DNS) ### Permission Requirements @@ -42,124 +42,71 @@ Your Azure service principal must have the following permissions: ## Creating the Self-Managed Azure HostedCluster -!!! tip "Alternative: Use `create infra azure` and `create iam azure`" - - This guide creates Azure infrastructure manually with `az` CLI commands for - transparency. Alternatively, you can use the HyperShift CLI to automate - infrastructure and IAM creation: - - - [Create Azure IAM Resources Separately](create-iam-separately.md) — `hypershift create iam azure` - - [Create Azure Infrastructure Separately](create-infra-separately.md) — `hypershift create infra azure` - - The private cluster guide ([Deploy Azure Private Clusters](deploy-azure-private-clusters.md)) - uses these automated commands and is the recommended approach for private topology. - ### Infrastructure Setup -Before creating the HostedCluster, set up the necessary Azure infrastructure: - -!!! note "About PERSISTENT_RG_NAME" - In Red Hat environments, a periodic Azure resource "reaper" deletes resources that are not properly tagged or not located in an approved resource group. We frequently use the `os4-common` resource group for shared, long-lived assets (for example, public DNS zones) to avoid accidental cleanup. If you are not in Red Hat infrastructure, set `PERSISTENT_RG_NAME` to any long-lived resource group in your subscription that will not be automatically reaped, or ensure your organization's required tags/policies are applied. The name does not have to be `os4-common`—use whatever persistent resource group fits your environment. +Create the Azure infrastructure using the HyperShift CLI: ```bash # Set cluster configuration variables -PREFIX="your-prefix-sm" -RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:XYZ" -TAG="latest" - +CLUSTER_NAME="my-self-managed-cluster" +INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" LOCATION="eastus" -MANAGED_RG_NAME="${PREFIX}-managed-rg" -VNET_RG_NAME="${PREFIX}-customer-vnet-rg" -NSG_RG_NAME="${PREFIX}-customer-nsg-rg" -VNET_NAME="${PREFIX}-customer-vnet" -VNET_SUBNET1="${PREFIX}-customer-subnet-1" -NSG="${PREFIX}-customer-nsg" -DNS_ZONE_NAME="your-subdomain.your-parent.dns.zone.com" -CLUSTER_NAMESPACE="clusters" -CLUSTER_NAME="${PREFIX}-hc" -AZURE_CREDS="/path/to/azure/credentials" +BASE_DOMAIN="example.com" +AZURE_CREDS="/path/to/azure-creds.json" PULL_SECRET="/path/to/pull-secret.json" -HYPERSHIFT_BINARY_PATH="/path/to/hypershift/bin" +RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:XYZ" +PERSISTENT_RG_NAME="os4-common" OIDC_ISSUER_URL="https://yourstorageaccount.blob.core.windows.net/yourstorageaccount" SA_TOKEN_ISSUER_PRIVATE_KEY_PATH="/path/to/serviceaccount-signer.private" -PERSISTENT_RG_NAME="os4-common" -PARENT_DNS_ZONE="your-parent.dns.zone.com" - -# Clean up any previous instances (optional) -az group delete -n "${VNET_RG_NAME}" --yes --no-wait || true -az group delete -n "${NSG_RG_NAME}" --yes --no-wait || true - -# Create managed resource group -az group create --name "${MANAGED_RG_NAME}" --location ${LOCATION} - -# Create VNET & NSG resource groups -az group create --name "${VNET_RG_NAME}" --location ${LOCATION} -az group create --name "${NSG_RG_NAME}" --location ${LOCATION} - -# Create network security group -az network nsg create \ - --resource-group "${NSG_RG_NAME}" \ - --name "${NSG}" - -# Get NSG ID -GetNsgID=$(az network nsg list --query "[?name=='${NSG}'].id" -o tsv) - -# Create VNet with subnet -az network vnet create \ - --name "${VNET_NAME}" \ - --resource-group "${VNET_RG_NAME}" \ - --address-prefix 10.0.0.0/16 \ - --subnet-name "${VNET_SUBNET1}" \ - --subnet-prefixes 10.0.0.0/24 \ - --nsg "${GetNsgID}" - -# Get VNet and Subnet IDs -GetVnetID=$(az network vnet list --query "[?name=='${VNET_NAME}'].id" -o tsv) -GetSubnetID=$(az network vnet subnet show \ - --vnet-name "${VNET_NAME}" \ - --name "${VNET_SUBNET1}" \ - --resource-group "${VNET_RG_NAME}" \ - --query id --output tsv) -``` -### Create the HostedCluster +# Create infrastructure +hypershift create infra azure \ + --name ${CLUSTER_NAME} \ + --infra-id ${INFRA_ID} \ + --azure-creds ${AZURE_CREDS} \ + --base-domain ${BASE_DOMAIN} \ + --location ${LOCATION} \ + --workload-identities-file workload-identities.json \ + --assign-identity-roles \ + --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ + --output-file infra-output.yaml +``` -!!! note "Federated Identity Prerequisites" +This creates the resource groups, VNet, subnet, NSG, Private DNS zone, and load balancer for your cluster. For advanced options like using existing network resources, see [Create Azure Infrastructure Separately](create-infra-separately.md). - Before creating the cluster, ensure that all federated identity credentials have been set up for your workload identities as described in the [Azure Workload Identity Setup](azure-workload-identity-setup.md) guide. The cluster creation will fail if these are not properly configured. +### Create the HostedCluster !!! note "Azure Marketplace Images" For OpenShift 4.20 and later, HyperShift automatically selects the appropriate Azure Marketplace image from the release payload. You no longer need to specify `--marketplace-*` flags unless you want to use a specific custom image. See [Configuring Azure Marketplace Images](#configuring-azure-marketplace-images) for more details. -Create the HostedCluster: +Create the HostedCluster using the infrastructure output: ```bash -# Create the HostedCluster -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ - --namespace "$CLUSTER_NAMESPACE" \ + --infra-id "$INFRA_ID" \ --azure-creds $AZURE_CREDS \ --location ${LOCATION} \ --node-pool-replicas 2 \ - --base-domain $PARENT_DNS_ZONE \ + --base-domain $BASE_DOMAIN \ --pull-secret $PULL_SECRET \ --generate-ssh \ --release-image ${RELEASE_IMAGE} \ - --external-dns-domain ${DNS_ZONE_NAME} \ - --resource-group-name "${MANAGED_RG_NAME}" \ - --vnet-id "${GetVnetID}" \ - --subnet-id "${GetSubnetID}" \ - --network-security-group-id "${GetNsgID}" \ --sa-token-issuer-private-key-path "${SA_TOKEN_ISSUER_PRIVATE_KEY_PATH}" \ --oidc-issuer-url "${OIDC_ISSUER_URL}" \ - --control-plane-operator-image="quay.io/hypershift/hypershift:${TAG}" \ --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ --assign-service-principal-roles \ - --workload-identities-file ./workload-identities.json \ + --infra-json infra-output.yaml \ --diagnostics-storage-account-type Managed ``` +!!! tip "External DNS" + + If using External DNS for automatic DNS management, also pass + `--external-dns-domain ` to the cluster creation command. + See [Setup Azure Management Cluster](setup-management-cluster.md) for DNS configuration. + !!! tip "Private Clusters" To create a private cluster with Azure Private Link, see @@ -181,7 +128,7 @@ For OpenShift 4.20+, HyperShift automatically selects the appropriate Azure Mark ```bash # No marketplace flags needed - HyperShift will auto-select the image # Gen2 VM generation is used by default -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ # ... other flags ... ``` @@ -193,7 +140,7 @@ This is the **recommended approach** as it ensures your nodes use the officially If you need to use a specific VM generation (Gen1 or Gen2), you can specify only the `--image-generation` flag: ```bash -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ --image-generation Gen2 \ # Or Gen1 (case-sensitive) # ... other flags ... @@ -210,7 +157,7 @@ ${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ If you need to use a specific custom marketplace image, provide all marketplace details: ```bash -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ --marketplace-publisher azureopenshift \ --marketplace-offer aro4 \ @@ -234,18 +181,18 @@ When creating additional NodePools, you can specify image configuration in the s ```bash # Use default from release payload (OCP 4.20+) -${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ +hypershift create nodepool azure \ --cluster-name "$CLUSTER_NAME" \ # ... other flags ... # Or specify generation -${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ +hypershift create nodepool azure \ --cluster-name "$CLUSTER_NAME" \ --image-generation Gen1 \ # ... other flags ... # Or use custom marketplace image -${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ +hypershift create nodepool azure \ --cluster-name "$CLUSTER_NAME" \ --marketplace-publisher azureopenshift \ --marketplace-offer aro4 \ @@ -256,16 +203,14 @@ ${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ !!! important "Key Configuration Options" - - `--workload-identities-file`: References the workload identities configuration created in the setup guide + - `--infra-json`: Path to infrastructure output from `hypershift create infra azure` (includes workload identities) - `--assign-service-principal-roles`: Automatically assigns required Azure roles to workload identities - `--sa-token-issuer-private-key-path`: Path to the private key for service account token signing - - `--oidc-issuer-url`: URL of the OIDC issuer created in the workload identity setup - - `--vnet-id`, `--subnet-id`, `--network-security-group-id`: Custom networking infrastructure + - `--oidc-issuer-url`: URL of the OIDC issuer created in the IAM setup - `--image-generation`: (Optional) VM generation (`Gen1` or `Gen2`, defaults to `Gen2`). For OCP 4.20+, omit to use release payload defaults. See [Configuring Azure Marketplace Images](#configuring-azure-marketplace-images) - `--marketplace-publisher/offer/sku/version`: (Optional) Explicit Azure Marketplace image. Must specify all four flags together, or omit all to use defaults (OCP 4.20+) - `--dns-zone-rg-name`: Resource group containing the DNS zone (os4-common) - `--diagnostics-storage-account-type Managed`: Use Azure managed storage for diagnostics - - `--control-plane-operator-image`: Custom HyperShift operator image (optional) ## Enabling KMS Encryption (etcd Encryption at Rest) @@ -276,19 +221,7 @@ Self-managed Azure HostedClusters support encrypting etcd data at rest using [Az ### Prerequisites -Ensure the `kms` workload identity is included in your `workload-identities.json` file. When using `hypershift create iam azure`, pass the `--enable-kms` flag to create the KMS identity (using the `INFRA_ID` set during [Azure Workload Identity Setup](azure-workload-identity-setup.md)): - -```bash -hypershift create iam azure \ - --name "$CLUSTER_NAME" \ - --infra-id "$INFRA_ID" \ - --azure-creds "$AZURE_CREDS" \ - --location "$LOCATION" \ - --resource-group-name "$PERSISTENT_RG_NAME" \ - --oidc-issuer-url "$OIDC_ISSUER_URL" \ - --output-file ./workload-identities.json \ - --enable-kms -``` +Ensure the `kms` workload identity is included in your `workload-identities.json` file. When using `hypershift create iam azure`, pass the `--enable-kms` flag to create the KMS identity. See [Enabling KMS Identity](create-iam-separately.md#enabling-kms-identity) for details. ### Create a Key Vault and Key @@ -308,7 +241,8 @@ hypershift create iam azure \ ```bash # Create Key Vault -KV_NAME="${PREFIX}-kv" +KV_NAME="${CLUSTER_NAME}-kv" +MANAGED_RG_NAME="${CLUSTER_NAME}-managed-rg" az keyvault create \ --name "${KV_NAME}" \ --resource-group "${MANAGED_RG_NAME}" \ @@ -316,7 +250,7 @@ az keyvault create \ --enable-rbac-authorization # Create encryption key -KEY_NAME="${PREFIX}-etcd-key" +KEY_NAME="${CLUSTER_NAME}-etcd-key" az keyvault key create \ --vault-name "${KV_NAME}" \ --name "${KEY_NAME}" \ @@ -367,26 +301,21 @@ az role assignment create \ Add the `--encryption-key-id` flag to your cluster creation command: ```bash -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ - --namespace "$CLUSTER_NAMESPACE" \ + --infra-id "$INFRA_ID" \ --azure-creds $AZURE_CREDS \ --location ${LOCATION} \ --node-pool-replicas 2 \ - --base-domain $PARENT_DNS_ZONE \ + --base-domain $BASE_DOMAIN \ --pull-secret $PULL_SECRET \ --generate-ssh \ --release-image ${RELEASE_IMAGE} \ - --external-dns-domain ${DNS_ZONE_NAME} \ - --resource-group-name "${MANAGED_RG_NAME}" \ - --vnet-id "${GetVnetID}" \ - --subnet-id "${GetSubnetID}" \ - --network-security-group-id "${GetNsgID}" \ --sa-token-issuer-private-key-path "${SA_TOKEN_ISSUER_PRIVATE_KEY_PATH}" \ --oidc-issuer-url "${OIDC_ISSUER_URL}" \ --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ --assign-service-principal-roles \ - --workload-identities-file ./workload-identities.json \ + --infra-json infra-output.yaml \ --encryption-key-id "${ENCRYPTION_KEY_ID}" \ --diagnostics-storage-account-type Managed ``` @@ -415,22 +344,28 @@ oc get clusterversion ## Cleanup -To delete the HostedCluster: +To delete the HostedCluster and its infrastructure: ```bash # Delete the HostedCluster hypershift destroy cluster azure \ --name $CLUSTER_NAME \ --azure-creds $AZURE_CREDS \ - --resource-group-name $MANAGED_RG_NAME \ --dns-zone-rg-name $PERSISTENT_RG_NAME + +# Destroy infrastructure +hypershift destroy infra azure \ + --name $CLUSTER_NAME \ + --infra-id $INFRA_ID \ + --azure-creds $AZURE_CREDS ``` !!! note "Resource Cleanup" - The HyperShift destroy command will clean up the cluster resources. Workload identities and OIDC issuer created during setup can be reused for other clusters or cleaned up separately if no longer needed. + The HyperShift destroy commands clean up the cluster and infrastructure resources. Workload identities and OIDC issuer created during setup can be reused for other clusters or cleaned up separately if no longer needed. See [Destroying Workload Identities](create-iam-separately.md#destroying-workload-identities). ## Related Documentation -1. [Azure Workload Identity Setup](azure-workload-identity-setup.md) - Workload identities and OIDC issuer setup -2. [Setup Azure Management Cluster for HyperShift](setup-management-cluster.md) - DNS and HyperShift operator setup \ No newline at end of file +1. [Create Azure IAM Resources](create-iam-separately.md) - Workload identities and OIDC issuer setup +2. [Create Azure Infrastructure Separately](create-infra-separately.md) - Advanced infrastructure options +3. [Setup Azure Management Cluster for HyperShift](setup-management-cluster.md) - DNS and HyperShift operator setup diff --git a/docs/content/how-to/azure/index.md b/docs/content/how-to/azure/index.md index d0fd3c8d9ad..326e898ab4a 100644 --- a/docs/content/how-to/azure/index.md +++ b/docs/content/how-to/azure/index.md @@ -24,10 +24,9 @@ Self-managed Azure uses an OpenShift cluster (running on any platform - AWS, Azu **Guides:** - [Self-Managed Azure Overview](self-managed-azure-index.md) - Architecture and deployment workflow -- [Azure Workload Identity Setup](azure-workload-identity-setup.md) - Set up managed identities and OIDC federation +- [Create Azure IAM Resources](create-iam-separately.md) - Set up OIDC issuer, managed identities, and workload identity federation - [Setup Azure Management Cluster](setup-management-cluster.md) - Install HyperShift operator - [Create a Self-Managed Azure HostedCluster](create-self-managed-azure-cluster.md) - Deploy your first hosted cluster -- [Create Azure IAM Resources Separately](create-iam-separately.md) - Manage workload identities independently - [Create Azure Infrastructure Separately](create-infra-separately.md) - Create infrastructure before cluster ## Comparison diff --git a/docs/content/how-to/azure/self-managed-azure-index.md b/docs/content/how-to/azure/self-managed-azure-index.md index db41b912195..afdf2bc053d 100644 --- a/docs/content/how-to/azure/self-managed-azure-index.md +++ b/docs/content/how-to/azure/self-managed-azure-index.md @@ -66,10 +66,7 @@ You can create workload identities using either: **When to Complete**: This is a one-time setup that can be reused across multiple hosted clusters. Complete this before proceeding to Phase 2. -👉 **Guides**: - -- [Azure Workload Identity Setup](azure-workload-identity-setup.md) - Overview with CLI and OIDC configuration -- [Create Azure IAM Resources Separately](create-iam-separately.md) - Detailed IAM command reference +👉 **Guide**: [Create Azure IAM Resources](create-iam-separately.md) - OIDC issuer configuration and workload identity creation ### Phase 2: Management Cluster Setup @@ -168,7 +165,7 @@ Self-managed Azure HyperShift implements several security best practices: Begin your self-managed Azure HyperShift deployment by following the guides in order: -1. **[Azure Workload Identity Setup](azure-workload-identity-setup.md)** - Set up managed identities and OIDC federation (or use [Create Azure IAM Resources Separately](create-iam-separately.md) for CLI-based setup) +1. **[Create Azure IAM Resources](create-iam-separately.md)** - Set up OIDC issuer, managed identities, and workload identity federation 2. **[Setup Azure Management Cluster for HyperShift](setup-management-cluster.md)** - Install HyperShift operator (with or without External DNS) 3. **[Create a Self-Managed Azure HostedCluster](create-self-managed-azure-cluster.md)** - Deploy your first hosted cluster 4. **[Deploy Azure Private Clusters](deploy-azure-private-clusters.md)** (Optional) - Configure private endpoint access with Azure Private Link diff --git a/docs/content/reference/aggregated-docs.md b/docs/content/reference/aggregated-docs.md index 827372f6d67..bb7f1f71a87 100644 --- a/docs/content/reference/aggregated-docs.md +++ b/docs/content/reference/aggregated-docs.md @@ -9616,145 +9616,6 @@ spec: - Scale-from-zero (`autoScaling.min: 0`) is not supported on Azure. The minimum must be >= 1. ---- - -## Source: docs/content/how-to/azure/azure-workload-identity-setup.md - -# Azure Workload Identity Setup for Self-Managed Clusters - -!!! note "Developer Preview in OCP 4.21" - - Self-managed Azure HostedClusters are available as a Developer Preview feature in OpenShift Container Platform 4.21. - -This document describes how to set up Azure Workload Identities and OIDC issuer for self-managed Azure HostedClusters. - -!!! warning "Persistent Resource Groups" - - When setting up workload identities and OIDC issuer for the first time, create them in a **persistent resource group** that will not be deleted when individual clusters are destroyed. This allows you to reuse the same workload identities and OIDC issuer across multiple HostedClusters, reducing setup time and avoiding unnecessary resource recreation. - - - Use a persistent resource group like `os4-common`. - - This resource group should be separate from the cluster-specific resource groups that get created and deleted with each HostedCluster. - - The OIDC issuer storage account should also be created in this persistent resource group. - -## Prerequisites - -- Azure CLI (`az`) installed and configured -- `jq` command-line JSON processor -- Cloud Credential Operator (CCO) tool installed -- Appropriate Azure permissions - -## Create Azure Workload Identities - -!!! note "OIDC Issuer Required" - - Before running this command, you need an OIDC issuer URL. If you haven't set this up yet, see Configure OIDC Issuer below first. - -You can create the required managed identities and federated credentials using the HyperShift CLI: - -```bash -# Set environment variables -PERSISTENT_RG_NAME="os4-common" # Use persistent resource group -LOCATION="eastus" -CLUSTER_NAME="my-self-managed-cluster" -INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" -AZURE_CREDS="/path/to/azure-creds.json" - -# Create persistent resource group (if it doesn't exist) -az group create --name $PERSISTENT_RG_NAME --location $LOCATION - -# Create workload identities using the HyperShift CLI -# (requires OIDC issuer URL - see next section if you haven't set this up yet) -hypershift create iam azure \ - --name $CLUSTER_NAME \ - --infra-id $INFRA_ID \ - --azure-creds $AZURE_CREDS \ - --location $LOCATION \ - --resource-group-name $PERSISTENT_RG_NAME \ - --oidc-issuer-url $OIDC_ISSUER_URL \ - --output-file workload-identities.json -``` - -This creates 7 managed identities with federated credentials for: - -- Disk CSI driver -- File CSI driver -- Image Registry -- Ingress Operator -- Cloud Provider -- NodePool Management -- Network Operator - -To also create a KMS identity for Azure Key Vault etcd encryption at rest, add the `--enable-kms` flag: - -```bash -hypershift create iam azure \ - --name $CLUSTER_NAME \ - --infra-id $INFRA_ID \ - --azure-creds $AZURE_CREDS \ - --location $LOCATION \ - --resource-group-name $PERSISTENT_RG_NAME \ - --oidc-issuer-url $OIDC_ISSUER_URL \ - --output-file workload-identities.json \ - --enable-kms -``` - -!!! warning "KMS Key Vault Role Assignment" - - If you use `--enable-kms`, you must **manually** assign the `Key Vault Crypto User` role to the KMS identity on your Key Vault. The `--auto-assign-roles` flag does not cover this because the Key Vault scope is user-provided. See Enabling KMS Encryption for the role assignment commands. - -For complete documentation on the IAM commands, see Create Azure IAM Resources Separately. - -## Configure OIDC Issuer - -Use the Cloud Credential Operator (CCO) tool to create the OIDC issuer: - -```bash -# Set OIDC issuer variables (reusing variables from previous steps) -OIDC_STORAGE_ACCOUNT_NAME="yourstorageaccount" -TENANT_ID="your-tenant-id" -# SUBSCRIPTION_ID and PERSISTENT_RG_NAME already set from previous section -# Create an RSA key pair and save the private and public key -ccoctl azure create-key-pair - -SA_TOKEN_ISSUER_PRIVATE_KEY_PATH="/path/to/serviceaccount-signer.private" -SA_TOKEN_ISSUER_PUBLIC_KEY_PATH="/path/to/serviceaccount-signer.public" - -# Create OIDC issuer using CCO tool in os4-common resource group -ccoctl azure create-oidc-issuer \ - --oidc-resource-group-name ${PERSISTENT_RG_NAME} \ - --tenant-id ${TENANT_ID} \ - --region ${LOCATION} \ - --name ${OIDC_STORAGE_ACCOUNT_NAME} \ - --subscription-id ${SUBSCRIPTION_ID} \ - --public-key-file ${SA_TOKEN_ISSUER_PUBLIC_KEY_PATH} - -# Set OIDC issuer URL -OIDC_ISSUER_URL="https://${OIDC_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/${OIDC_STORAGE_ACCOUNT_NAME}" -``` - -## Verification - -Verify the setup: - -```bash -# List created managed identities -az identity list --resource-group $PERSISTENT_RG_NAME --output table - -# Verify federated credentials for one identity -az identity federated-credential list \ - --identity-name "${AZURE_DISK_MI_NAME}" \ - --resource-group $PERSISTENT_RG_NAME - -# Test OIDC issuer accessibility -curl -s "${OIDC_ISSUER_URL}/.well-known/openid-configuration" | jq . -``` - -## Next Steps - -After setting up workload identities, you can proceed to: - -- Setup Azure Management Cluster for HyperShift - --- ## Source: docs/content/how-to/azure/create-azure-cluster-on-aks.md @@ -10327,6 +10188,10 @@ title: Create Azure IAM resources separately # Create Azure IAM resources separately +!!! note "Developer Preview in OCP 4.21" + + Self-managed Azure HostedClusters are available as a Developer Preview feature in OpenShift Container Platform 4.21. + The `hypershift create iam azure` command creates Azure workload identities separately from infrastructure, following the same pattern as AWS and GCP. This enables you to manage IAM resources independently from your cluster infrastructure lifecycle. @@ -10334,15 +10199,30 @@ your cluster infrastructure lifecycle. ## Overview For self-managed Azure HyperShift clusters, workload identities authenticate cluster components to Azure -services using OIDC federation. You must create identities separately using `create iam azure` and then +services using OIDC federation. The setup consists of two steps: + +1. **Configure an OIDC Issuer** using the Cloud Credential Operator (CCO) tool +2. **Create workload identities** using `hypershift create iam azure` + +You must create identities separately using `create iam azure` and then consume them during infrastructure or cluster creation via the `--workload-identities-file` flag. -This approach provides control over the IAM lifecycle and follows the same pattern as AWS and GCP platforms. +!!! warning "Persistent Resource Groups" + + When setting up workload identities and OIDC issuer for the first time, create them in a **persistent resource group** that will not be deleted when individual clusters are destroyed. This allows you to reuse the same workload identities and OIDC issuer across multiple HostedClusters, reducing setup time and avoiding unnecessary resource recreation. + + - Use a persistent resource group like `os4-common`. + - This resource group should be separate from the cluster-specific resource groups that get created and deleted with each HostedCluster. + - The OIDC issuer storage account should also be created in this persistent resource group. ## Prerequisites Before creating Azure IAM resources, ensure you have: +- Azure CLI (`az`) installed and configured +- Cloud Credential Operator (CCO) tool (`ccoctl`) installed +- `jq` command-line JSON processor +- Appropriate Azure permissions - An Azure credentials file with the following format: ```json { @@ -10353,20 +10233,57 @@ Before creating Azure IAM resources, ensure you have: } ``` - An existing resource group where the managed identities will be created -- An OIDC issuer URL for workload identity federation + +## Configure OIDC Issuer + +Before creating workload identities, you need an OIDC issuer URL. Use the Cloud Credential Operator (CCO) tool to create one: + +```bash +# Set OIDC issuer variables +PERSISTENT_RG_NAME="os4-common" # Use persistent resource group +LOCATION="eastus" +OIDC_STORAGE_ACCOUNT_NAME="yourstorageaccount" +TENANT_ID="your-tenant-id" +SUBSCRIPTION_ID="your-subscription-id" + +# Create persistent resource group (if it doesn't exist) +az group create --name $PERSISTENT_RG_NAME --location $LOCATION + +# Create an RSA key pair and save the private and public key +ccoctl azure create-key-pair + +SA_TOKEN_ISSUER_PRIVATE_KEY_PATH="/path/to/serviceaccount-signer.private" +SA_TOKEN_ISSUER_PUBLIC_KEY_PATH="/path/to/serviceaccount-signer.public" + +# Create OIDC issuer using CCO tool in persistent resource group +ccoctl azure create-oidc-issuer \ + --oidc-resource-group-name ${PERSISTENT_RG_NAME} \ + --tenant-id ${TENANT_ID} \ + --region ${LOCATION} \ + --name ${OIDC_STORAGE_ACCOUNT_NAME} \ + --subscription-id ${SUBSCRIPTION_ID} \ + --public-key-file ${SA_TOKEN_ISSUER_PUBLIC_KEY_PATH} + +# Set OIDC issuer URL +OIDC_ISSUER_URL="https://${OIDC_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/${OIDC_STORAGE_ACCOUNT_NAME}" +``` ## Creating Workload Identities Use the `hypershift create iam azure` command: ```bash +CLUSTER_NAME="my-self-managed-cluster" +INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" +AZURE_CREDS="/path/to/azure-creds.json" + hypershift create iam azure \ - --name CLUSTER_NAME \ - --infra-id INFRA_ID \ - --azure-creds AZURE_CREDENTIALS_FILE \ - --location LOCATION \ - --resource-group-name RESOURCE_GROUP \ - --oidc-issuer-url OIDC_ISSUER_URL \ + --name $CLUSTER_NAME \ + --infra-id $INFRA_ID \ + --azure-creds $AZURE_CREDS \ + --location $LOCATION \ + --resource-group-name $PERSISTENT_RG_NAME \ + --oidc-issuer-url $OIDC_ISSUER_URL \ --output-file workload-identities.json ``` @@ -10375,11 +10292,11 @@ where: * `CLUSTER_NAME` is the name of the hosted cluster you intend to create. * `INFRA_ID` is a unique identifier used to name Azure resources. Typically this is the cluster name with a random suffix appended. -* `AZURE_CREDENTIALS_FILE` points to an Azure credentials file with permission to create +* `AZURE_CREDS` points to an Azure credentials file with permission to create managed identities and federated credentials. * `LOCATION` is the Azure region for the managed identities (e.g., `eastus`, `westus2`). -* `RESOURCE_GROUP` is the name of an existing resource group where identities will be created. -* `OIDC_ISSUER_URL` is the URL of the OIDC identity provider used for workload identity federation. +* `PERSISTENT_RG_NAME` is the name of an existing resource group where identities will be created. +* `OIDC_ISSUER_URL` is the URL of the OIDC identity provider created in the previous step. Running this command creates: @@ -10394,6 +10311,26 @@ Running this command creates: - Control Plane Operator * Federated Identity Credentials for each identity, configured with the OIDC issuer +### Enabling KMS Identity + +To also create a KMS identity for Azure Key Vault etcd encryption at rest, add the `--enable-kms` flag: + +```bash +hypershift create iam azure \ + --name $CLUSTER_NAME \ + --infra-id $INFRA_ID \ + --azure-creds $AZURE_CREDS \ + --location $LOCATION \ + --resource-group-name $PERSISTENT_RG_NAME \ + --oidc-issuer-url $OIDC_ISSUER_URL \ + --output-file workload-identities.json \ + --enable-kms +``` + +!!! warning "KMS Key Vault Role Assignment" + + If you use `--enable-kms`, you must **manually** assign the `Key Vault Crypto User` role to the KMS identity on your Key Vault. The `--auto-assign-roles` flag does not cover this because the Key Vault scope is user-provided. See Enabling KMS Encryption for the role assignment commands. + ## Private Endpoint Access The **Control Plane Operator** identity is always created by `create iam azure`. For private @@ -10473,6 +10410,23 @@ hypershift create cluster azure \ --workload-identities-file workload-identities.json ``` +## Verification + +Verify the setup: + +```bash +# List created managed identities +az identity list --resource-group $PERSISTENT_RG_NAME --output table + +# Verify federated credentials for one identity +az identity federated-credential list \ + --identity-name "${CLUSTER_NAME}-disk-${INFRA_ID}" \ + --resource-group $PERSISTENT_RG_NAME + +# Test OIDC issuer accessibility +curl -s "${OIDC_ISSUER_URL}/.well-known/openid-configuration" | jq . +``` + ## Destroying Workload Identities To destroy the workload identities that were created: @@ -10504,16 +10458,17 @@ Both the managed identities and their federated credentials are removed. | `--name` | Name of the HostedCluster | | `--infra-id` | Unique infrastructure identifier | | `--azure-creds` | Path to Azure credentials JSON file | -| `--location` | Azure region for identities | +| `--resource-group-name` | Resource group for identities | | `--oidc-issuer-url` | OIDC issuer URL for federation | +| `--output-file` | Output file path | ### Optional Flags for `create iam azure` | Flag | Description | Default | |------|-------------|---------| -| `--resource-group-name` | Resource group for identities | `{name}-{infra-id}` | -| `--output-file` | Output file path | `{name}-iam-output.json` | +| `--location` | Azure region for identities | `eastus` | | `--cloud` | Azure cloud environment | `AzurePublicCloud` | +| `--enable-kms` | Create KMS identity for etcd encryption | `false` | ### Required Flags for `destroy iam azure` @@ -10543,22 +10498,37 @@ export INFRA_ID="${NAME}-$(openssl rand -hex 4)" export LOCATION="eastus" export BASE_DOMAIN="example.com" export AZURE_CREDS="/path/to/azure-creds.json" -export OIDC_ISSUER_URL="https://my-oidc-issuer.com" +export PERSISTENT_RG_NAME="os4-common" +export TENANT_ID="your-tenant-id" +export SUBSCRIPTION_ID="your-subscription-id" +export OIDC_STORAGE_ACCOUNT_NAME="yourstorageaccount" +export RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:XYZ" -# 2. Create a resource group for identities -az group create --name ${NAME}-rg --location ${LOCATION} +# 2. Create persistent resource group (if it doesn't exist) +az group create --name ${PERSISTENT_RG_NAME} --location ${LOCATION} + +# 3. Create OIDC issuer +ccoctl azure create-key-pair +ccoctl azure create-oidc-issuer \ + --oidc-resource-group-name ${PERSISTENT_RG_NAME} \ + --tenant-id ${TENANT_ID} \ + --region ${LOCATION} \ + --name ${OIDC_STORAGE_ACCOUNT_NAME} \ + --subscription-id ${SUBSCRIPTION_ID} \ + --public-key-file /path/to/serviceaccount-signer.public +export OIDC_ISSUER_URL="https://${OIDC_STORAGE_ACCOUNT_NAME}.blob.core.windows.net/${OIDC_STORAGE_ACCOUNT_NAME}" -# 3. Create workload identities +# 4. Create workload identities hypershift create iam azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ --azure-creds ${AZURE_CREDS} \ --location ${LOCATION} \ - --resource-group-name ${NAME}-rg \ + --resource-group-name ${PERSISTENT_RG_NAME} \ --oidc-issuer-url ${OIDC_ISSUER_URL} \ --output-file workload-identities.json -# 4. Create infrastructure using pre-created identities +# 5. Create infrastructure using pre-created identities hypershift create infra azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ @@ -10566,9 +10536,11 @@ hypershift create infra azure \ --base-domain ${BASE_DOMAIN} \ --location ${LOCATION} \ --workload-identities-file workload-identities.json \ + --assign-identity-roles \ + --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ --output-file infra-output.yaml -# 5. Create the cluster +# 6. Create the cluster hypershift create cluster azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ @@ -10576,36 +10548,42 @@ hypershift create cluster azure \ --base-domain ${BASE_DOMAIN} \ --location ${LOCATION} \ --pull-secret /path/to/pull-secret \ - --infra-json infra-output.yaml + --generate-ssh \ + --release-image ${RELEASE_IMAGE} \ + --sa-token-issuer-private-key-path /path/to/serviceaccount-signer.private \ + --oidc-issuer-url ${OIDC_ISSUER_URL} \ + --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ + --assign-service-principal-roles \ + --infra-json infra-output.yaml \ + --diagnostics-storage-account-type Managed # --- Cleanup --- -# 6. Destroy the cluster +# 7. Destroy the cluster hypershift destroy cluster azure \ --name ${NAME} \ --azure-creds ${AZURE_CREDS} \ - --dns-zone-rg-name ${DNS_ZONE_RG} + --dns-zone-rg-name ${PERSISTENT_RG_NAME} -# 7. Destroy infrastructure +# 8. Destroy infrastructure hypershift destroy infra azure \ --name ${NAME} \ --infra-id ${INFRA_ID} \ --azure-creds ${AZURE_CREDS} -# 8. Destroy IAM resources +# 9. Destroy IAM resources (only if no longer needed) hypershift destroy iam azure \ --azure-creds ${AZURE_CREDS} \ --workload-identities-file workload-identities.json \ - --resource-group-name ${RESOURCE_GROUP} \ + --resource-group-name ${PERSISTENT_RG_NAME} \ --name ${NAME} \ --infra-id ${INFRA_ID} \ - --dns-zone-rg-name ${DNS_ZONE_RG} + --dns-zone-rg-name ${PERSISTENT_RG_NAME} ``` ## See Also - Create Azure Infrastructure Separately -- Azure Workload Identity Setup - Self-Managed Azure Overview - Deploy Azure Private Clusters — End-to-end guide for private endpoint access @@ -10880,7 +10858,7 @@ Before creating a self-managed Azure HostedCluster, ensure you have: This guide assumes you have already completed the workload identity configuration and management cluster setup. Follow these guides in order: - 1. Azure Workload Identity Setup - Workload identities and OIDC issuer configuration + 1. Create Azure IAM Resources - Workload identities and OIDC issuer configuration 2. Setup Azure Management Cluster for HyperShift - HyperShift operator installation (with or without External DNS) ### Permission Requirements @@ -10895,124 +10873,71 @@ Your Azure service principal must have the following permissions: ## Creating the Self-Managed Azure HostedCluster -!!! tip "Alternative: Use `create infra azure` and `create iam azure`" - - This guide creates Azure infrastructure manually with `az` CLI commands for - transparency. Alternatively, you can use the HyperShift CLI to automate - infrastructure and IAM creation: - - - Create Azure IAM Resources Separately — `hypershift create iam azure` - - Create Azure Infrastructure Separately — `hypershift create infra azure` - - The private cluster guide (Deploy Azure Private Clusters) - uses these automated commands and is the recommended approach for private topology. - ### Infrastructure Setup -Before creating the HostedCluster, set up the necessary Azure infrastructure: - -!!! note "About PERSISTENT_RG_NAME" - In Red Hat environments, a periodic Azure resource "reaper" deletes resources that are not properly tagged or not located in an approved resource group. We frequently use the `os4-common` resource group for shared, long-lived assets (for example, public DNS zones) to avoid accidental cleanup. If you are not in Red Hat infrastructure, set `PERSISTENT_RG_NAME` to any long-lived resource group in your subscription that will not be automatically reaped, or ensure your organization's required tags/policies are applied. The name does not have to be `os4-common`—use whatever persistent resource group fits your environment. +Create the Azure infrastructure using the HyperShift CLI: ```bash # Set cluster configuration variables -PREFIX="your-prefix-sm" -RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:XYZ" -TAG="latest" - +CLUSTER_NAME="my-self-managed-cluster" +INFRA_ID="${CLUSTER_NAME}-$(openssl rand -hex 4)" LOCATION="eastus" -MANAGED_RG_NAME="${PREFIX}-managed-rg" -VNET_RG_NAME="${PREFIX}-customer-vnet-rg" -NSG_RG_NAME="${PREFIX}-customer-nsg-rg" -VNET_NAME="${PREFIX}-customer-vnet" -VNET_SUBNET1="${PREFIX}-customer-subnet-1" -NSG="${PREFIX}-customer-nsg" -DNS_ZONE_NAME="your-subdomain.your-parent.dns.zone.com" -CLUSTER_NAMESPACE="clusters" -CLUSTER_NAME="${PREFIX}-hc" -AZURE_CREDS="/path/to/azure/credentials" +BASE_DOMAIN="example.com" +AZURE_CREDS="/path/to/azure-creds.json" PULL_SECRET="/path/to/pull-secret.json" -HYPERSHIFT_BINARY_PATH="/path/to/hypershift/bin" +RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:XYZ" +PERSISTENT_RG_NAME="os4-common" OIDC_ISSUER_URL="https://yourstorageaccount.blob.core.windows.net/yourstorageaccount" SA_TOKEN_ISSUER_PRIVATE_KEY_PATH="/path/to/serviceaccount-signer.private" -PERSISTENT_RG_NAME="os4-common" -PARENT_DNS_ZONE="your-parent.dns.zone.com" - -# Clean up any previous instances (optional) -az group delete -n "${VNET_RG_NAME}" --yes --no-wait || true -az group delete -n "${NSG_RG_NAME}" --yes --no-wait || true - -# Create managed resource group -az group create --name "${MANAGED_RG_NAME}" --location ${LOCATION} - -# Create VNET & NSG resource groups -az group create --name "${VNET_RG_NAME}" --location ${LOCATION} -az group create --name "${NSG_RG_NAME}" --location ${LOCATION} - -# Create network security group -az network nsg create \ - --resource-group "${NSG_RG_NAME}" \ - --name "${NSG}" -# Get NSG ID -GetNsgID=$(az network nsg list --query "[?name=='${NSG}'].id" -o tsv) - -# Create VNet with subnet -az network vnet create \ - --name "${VNET_NAME}" \ - --resource-group "${VNET_RG_NAME}" \ - --address-prefix 10.0.0.0/16 \ - --subnet-name "${VNET_SUBNET1}" \ - --subnet-prefixes 10.0.0.0/24 \ - --nsg "${GetNsgID}" - -# Get VNet and Subnet IDs -GetVnetID=$(az network vnet list --query "[?name=='${VNET_NAME}'].id" -o tsv) -GetSubnetID=$(az network vnet subnet show \ - --vnet-name "${VNET_NAME}" \ - --name "${VNET_SUBNET1}" \ - --resource-group "${VNET_RG_NAME}" \ - --query id --output tsv) +# Create infrastructure +hypershift create infra azure \ + --name ${CLUSTER_NAME} \ + --infra-id ${INFRA_ID} \ + --azure-creds ${AZURE_CREDS} \ + --base-domain ${BASE_DOMAIN} \ + --location ${LOCATION} \ + --workload-identities-file workload-identities.json \ + --assign-identity-roles \ + --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ + --output-file infra-output.yaml ``` -### Create the HostedCluster +This creates the resource groups, VNet, subnet, NSG, Private DNS zone, and load balancer for your cluster. For advanced options like using existing network resources, see Create Azure Infrastructure Separately. -!!! note "Federated Identity Prerequisites" - - Before creating the cluster, ensure that all federated identity credentials have been set up for your workload identities as described in the Azure Workload Identity Setup guide. The cluster creation will fail if these are not properly configured. +### Create the HostedCluster !!! note "Azure Marketplace Images" For OpenShift 4.20 and later, HyperShift automatically selects the appropriate Azure Marketplace image from the release payload. You no longer need to specify `--marketplace-*` flags unless you want to use a specific custom image. See Configuring Azure Marketplace Images for more details. -Create the HostedCluster: +Create the HostedCluster using the infrastructure output: ```bash -# Create the HostedCluster -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ - --namespace "$CLUSTER_NAMESPACE" \ + --infra-id "$INFRA_ID" \ --azure-creds $AZURE_CREDS \ --location ${LOCATION} \ --node-pool-replicas 2 \ - --base-domain $PARENT_DNS_ZONE \ + --base-domain $BASE_DOMAIN \ --pull-secret $PULL_SECRET \ --generate-ssh \ --release-image ${RELEASE_IMAGE} \ - --external-dns-domain ${DNS_ZONE_NAME} \ - --resource-group-name "${MANAGED_RG_NAME}" \ - --vnet-id "${GetVnetID}" \ - --subnet-id "${GetSubnetID}" \ - --network-security-group-id "${GetNsgID}" \ --sa-token-issuer-private-key-path "${SA_TOKEN_ISSUER_PRIVATE_KEY_PATH}" \ --oidc-issuer-url "${OIDC_ISSUER_URL}" \ - --control-plane-operator-image="quay.io/hypershift/hypershift:${TAG}" \ --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ --assign-service-principal-roles \ - --workload-identities-file ./workload-identities.json \ + --infra-json infra-output.yaml \ --diagnostics-storage-account-type Managed ``` +!!! tip "External DNS" + + If using External DNS for automatic DNS management, also pass + `--external-dns-domain ` to the cluster creation command. + See Setup Azure Management Cluster for DNS configuration. + !!! tip "Private Clusters" To create a private cluster with Azure Private Link, see @@ -11034,7 +10959,7 @@ For OpenShift 4.20+, HyperShift automatically selects the appropriate Azure Mark ```bash # No marketplace flags needed - HyperShift will auto-select the image # Gen2 VM generation is used by default -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ # ... other flags ... ``` @@ -11046,7 +10971,7 @@ This is the **recommended approach** as it ensures your nodes use the officially If you need to use a specific VM generation (Gen1 or Gen2), you can specify only the `--image-generation` flag: ```bash -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ --image-generation Gen2 \ # Or Gen1 (case-sensitive) # ... other flags ... @@ -11063,7 +10988,7 @@ ${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ If you need to use a specific custom marketplace image, provide all marketplace details: ```bash -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ --marketplace-publisher azureopenshift \ --marketplace-offer aro4 \ @@ -11087,18 +11012,18 @@ When creating additional NodePools, you can specify image configuration in the s ```bash # Use default from release payload (OCP 4.20+) -${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ +hypershift create nodepool azure \ --cluster-name "$CLUSTER_NAME" \ # ... other flags ... # Or specify generation -${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ +hypershift create nodepool azure \ --cluster-name "$CLUSTER_NAME" \ --image-generation Gen1 \ # ... other flags ... # Or use custom marketplace image -${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ +hypershift create nodepool azure \ --cluster-name "$CLUSTER_NAME" \ --marketplace-publisher azureopenshift \ --marketplace-offer aro4 \ @@ -11109,16 +11034,14 @@ ${HYPERSHIFT_BINARY_PATH}/hypershift create nodepool azure \ !!! important "Key Configuration Options" - - `--workload-identities-file`: References the workload identities configuration created in the setup guide + - `--infra-json`: Path to infrastructure output from `hypershift create infra azure` (includes workload identities) - `--assign-service-principal-roles`: Automatically assigns required Azure roles to workload identities - `--sa-token-issuer-private-key-path`: Path to the private key for service account token signing - - `--oidc-issuer-url`: URL of the OIDC issuer created in the workload identity setup - - `--vnet-id`, `--subnet-id`, `--network-security-group-id`: Custom networking infrastructure + - `--oidc-issuer-url`: URL of the OIDC issuer created in the IAM setup - `--image-generation`: (Optional) VM generation (`Gen1` or `Gen2`, defaults to `Gen2`). For OCP 4.20+, omit to use release payload defaults. See Configuring Azure Marketplace Images - `--marketplace-publisher/offer/sku/version`: (Optional) Explicit Azure Marketplace image. Must specify all four flags together, or omit all to use defaults (OCP 4.20+) - `--dns-zone-rg-name`: Resource group containing the DNS zone (os4-common) - `--diagnostics-storage-account-type Managed`: Use Azure managed storage for diagnostics - - `--control-plane-operator-image`: Custom HyperShift operator image (optional) ## Enabling KMS Encryption (etcd Encryption at Rest) @@ -11129,19 +11052,7 @@ Self-managed Azure HostedClusters support encrypting etcd data at rest using Azu ### Prerequisites -Ensure the `kms` workload identity is included in your `workload-identities.json` file. When using `hypershift create iam azure`, pass the `--enable-kms` flag to create the KMS identity (using the `INFRA_ID` set during Azure Workload Identity Setup): - -```bash -hypershift create iam azure \ - --name "$CLUSTER_NAME" \ - --infra-id "$INFRA_ID" \ - --azure-creds "$AZURE_CREDS" \ - --location "$LOCATION" \ - --resource-group-name "$PERSISTENT_RG_NAME" \ - --oidc-issuer-url "$OIDC_ISSUER_URL" \ - --output-file ./workload-identities.json \ - --enable-kms -``` +Ensure the `kms` workload identity is included in your `workload-identities.json` file. When using `hypershift create iam azure`, pass the `--enable-kms` flag to create the KMS identity. See Enabling KMS Identity for details. ### Create a Key Vault and Key @@ -11161,7 +11072,8 @@ hypershift create iam azure \ ```bash # Create Key Vault -KV_NAME="${PREFIX}-kv" +KV_NAME="${CLUSTER_NAME}-kv" +MANAGED_RG_NAME="${CLUSTER_NAME}-managed-rg" az keyvault create \ --name "${KV_NAME}" \ --resource-group "${MANAGED_RG_NAME}" \ @@ -11169,7 +11081,7 @@ az keyvault create \ --enable-rbac-authorization # Create encryption key -KEY_NAME="${PREFIX}-etcd-key" +KEY_NAME="${CLUSTER_NAME}-etcd-key" az keyvault key create \ --vault-name "${KV_NAME}" \ --name "${KEY_NAME}" \ @@ -11220,26 +11132,21 @@ az role assignment create \ Add the `--encryption-key-id` flag to your cluster creation command: ```bash -${HYPERSHIFT_BINARY_PATH}/hypershift create cluster azure \ +hypershift create cluster azure \ --name "$CLUSTER_NAME" \ - --namespace "$CLUSTER_NAMESPACE" \ + --infra-id "$INFRA_ID" \ --azure-creds $AZURE_CREDS \ --location ${LOCATION} \ --node-pool-replicas 2 \ - --base-domain $PARENT_DNS_ZONE \ + --base-domain $BASE_DOMAIN \ --pull-secret $PULL_SECRET \ --generate-ssh \ --release-image ${RELEASE_IMAGE} \ - --external-dns-domain ${DNS_ZONE_NAME} \ - --resource-group-name "${MANAGED_RG_NAME}" \ - --vnet-id "${GetVnetID}" \ - --subnet-id "${GetSubnetID}" \ - --network-security-group-id "${GetNsgID}" \ --sa-token-issuer-private-key-path "${SA_TOKEN_ISSUER_PRIVATE_KEY_PATH}" \ --oidc-issuer-url "${OIDC_ISSUER_URL}" \ --dns-zone-rg-name ${PERSISTENT_RG_NAME} \ --assign-service-principal-roles \ - --workload-identities-file ./workload-identities.json \ + --infra-json infra-output.yaml \ --encryption-key-id "${ENCRYPTION_KEY_ID}" \ --diagnostics-storage-account-type Managed ``` @@ -11268,25 +11175,32 @@ oc get clusterversion ## Cleanup -To delete the HostedCluster: +To delete the HostedCluster and its infrastructure: ```bash # Delete the HostedCluster hypershift destroy cluster azure \ --name $CLUSTER_NAME \ --azure-creds $AZURE_CREDS \ - --resource-group-name $MANAGED_RG_NAME \ --dns-zone-rg-name $PERSISTENT_RG_NAME + +# Destroy infrastructure +hypershift destroy infra azure \ + --name $CLUSTER_NAME \ + --infra-id $INFRA_ID \ + --azure-creds $AZURE_CREDS ``` !!! note "Resource Cleanup" - The HyperShift destroy command will clean up the cluster resources. Workload identities and OIDC issuer created during setup can be reused for other clusters or cleaned up separately if no longer needed. + The HyperShift destroy commands clean up the cluster and infrastructure resources. Workload identities and OIDC issuer created during setup can be reused for other clusters or cleaned up separately if no longer needed. See Destroying Workload Identities. ## Related Documentation -1. Azure Workload Identity Setup - Workload identities and OIDC issuer setup -2. Setup Azure Management Cluster for HyperShift - DNS and HyperShift operator setup +1. Create Azure IAM Resources - Workload identities and OIDC issuer setup +2. Create Azure Infrastructure Separately - Advanced infrastructure options +3. Setup Azure Management Cluster for HyperShift - DNS and HyperShift operator setup + --- @@ -12164,10 +12078,9 @@ Self-managed Azure uses an OpenShift cluster (running on any platform - AWS, Azu **Guides:** - Self-Managed Azure Overview - Architecture and deployment workflow -- Azure Workload Identity Setup - Set up managed identities and OIDC federation +- Create Azure IAM Resources - Set up OIDC issuer, managed identities, and workload identity federation - Setup Azure Management Cluster - Install HyperShift operator - Create a Self-Managed Azure HostedCluster - Deploy your first hosted cluster -- Create Azure IAM Resources Separately - Manage workload identities independently - Create Azure Infrastructure Separately - Create infrastructure before cluster ## Comparison @@ -12448,10 +12361,7 @@ You can create workload identities using either: **When to Complete**: This is a one-time setup that can be reused across multiple hosted clusters. Complete this before proceeding to Phase 2. -👉 **Guides**: - -- Azure Workload Identity Setup - Overview with CLI and OIDC configuration -- Create Azure IAM Resources Separately - Detailed IAM command reference +👉 **Guide**: Create Azure IAM Resources - OIDC issuer configuration and workload identity creation ### Phase 2: Management Cluster Setup @@ -12550,7 +12460,7 @@ Self-managed Azure HyperShift implements several security best practices: Begin your self-managed Azure HyperShift deployment by following the guides in order: -1. **Azure Workload Identity Setup** - Set up managed identities and OIDC federation (or use Create Azure IAM Resources Separately for CLI-based setup) +1. **Create Azure IAM Resources** - Set up OIDC issuer, managed identities, and workload identity federation 2. **Setup Azure Management Cluster for HyperShift** - Install HyperShift operator (with or without External DNS) 3. **Create a Self-Managed Azure HostedCluster** - Deploy your first hosted cluster 4. **Deploy Azure Private Clusters** (Optional) - Configure private endpoint access with Azure Private Link @@ -53887,7 +53797,7 @@ You can use an existing VNet and NSG from the same resource group, which places ## Related Documentation -- Azure Workload Identity Setup - Set up managed identities and OIDC federation +- Create Azure IAM Resources - Set up OIDC issuer, managed identities, and workload identity federation - Setup Azure Management Cluster for HyperShift - Install HyperShift operator - Create a Self-Managed Azure HostedCluster - Deploy your first hosted cluster - Self-Managed Azure Overview - Comprehensive overview diff --git a/docs/content/reference/infrastructure/azure-self-managed.md b/docs/content/reference/infrastructure/azure-self-managed.md index 5c86af12273..7e654f89604 100644 --- a/docs/content/reference/infrastructure/azure-self-managed.md +++ b/docs/content/reference/infrastructure/azure-self-managed.md @@ -281,7 +281,7 @@ You can use an existing VNet and NSG from the same resource group, which places ## Related Documentation -- [Azure Workload Identity Setup](../../how-to/azure/azure-workload-identity-setup.md) - Set up managed identities and OIDC federation +- [Create Azure IAM Resources](../../how-to/azure/create-iam-separately.md) - Set up OIDC issuer, managed identities, and workload identity federation - [Setup Azure Management Cluster for HyperShift](../../how-to/azure/setup-management-cluster.md) - Install HyperShift operator - [Create a Self-Managed Azure HostedCluster](../../how-to/azure/create-self-managed-azure-cluster.md) - Deploy your first hosted cluster - [Self-Managed Azure Overview](../../how-to/azure/self-managed-azure-index.md) - Comprehensive overview diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index a3e7edb9720..c50f7e0a1fa 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -163,7 +163,6 @@ nav: - 'Self-managed Azure': - how-to/azure/self-managed-azure-index.md - how-to/azure/autoscaling-self-managed.md - - how-to/azure/azure-workload-identity-setup.md - how-to/azure/create-self-managed-azure-cluster.md - how-to/azure/create-iam-separately.md - how-to/azure/create-infra-separately.md