[OSDOCS-19522]: Setting up workload identities for HCP on Azure #111958
🤖 Fri May 29 16:05:14 - Prow CI generated the docs preview: https://111958--ocpdocs-pr.netlify.app/
/retest
Thanks for writing this up, Laura! A few things I noticed:
- Missing variable: In
- Variable placement across modules
- Flag alignment with upstream docs: Bryan's upstream docs PR (hypershift#8566) updates the required/optional flag classification for
@bryan-cox the
> [IMPORTANT]
> ====
> The first time that you set up an OIDC issuer, create it in a persistent resource group that will not be deleted when individual hosted clusters are deleted. By using a persistent resource group, you can reuse the same OIDC issuer across hosted clusters, reducing setup time.
IMO, this whole section can be dropped. This comes from instructions for how we do things on the Red Hat side since we have a reaper on Azure that deletes everything every 12h.
> * The {azure-short} command-line interface (CLI) is installed and configured.
> * The `jq` command-line JSON processor is installed.
> * The Cloud Credential Operator tool is installed.
Do we need to point them to where to get this?
Yes, that would be helpful. I actually don't see a procedure in the official docs about how to get the ccoctl utility, but I found a Knowledgebase article I can link to.
> = Deleting {azure-short} Workload Identities
>
> [role="_abstract"]
> If you need to delete a hosted cluster on {azure-short}, first delete the hosted cluster and infrastructure, and then delete the Workload Identities.
I think this could be reworded to improve the intent behind the sentence. It currently reads to me like "To delete a hosted cluster on azure, first delete the hosted cluster..."
Good point -- will revise
> * If you created infrastructure by using the Workload Identities, delete the infrastructure before you delete the identities.
>
> .Procedure
Shouldn't there be a procedure before this step to delete the infra before deleting the iam?
Yep. I haven't written the infra docs yet, though, because I was waiting to find out which upstream docs to use:
These: https://hypershift.pages.dev/how-to/azure/create-infra-separately/
Or these: https://hypershift.pages.dev/how-to/azure/create-self-managed-azure-cluster/#infrastructure-setup
After I have the infra docs written, I'll be sure to add the procedure about deleting infrastructure before this one.
skopacz1 left a comment:
A few comments, otherwise LGTM!
> ----
> $ hcp destroy iam azure \
>   --azure-creds <azure_credentials_file> \
>   --workload-identities-file <workload-identities.json> \
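Review bot: `hcp destroy iam azure` takes the identities to delete from `--workload-identities-file`, so the procedure should state up front that the output file written during setup (the `<name>-iam-output.json` described in the parameter list) has to be retained until the hosted cluster is torn down; if that file is lost, the managed identities and federated credentials have to be located and removed by hand, or they are left behind in the subscription. It would also help to say in the `<azure_credentials_file>` description that this file carries a credential able to create managed identities and federated credentials, so it should be kept with restricted file permissions and never committed alongside the example files.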
I see why this is formatted this way, but it still technically goes against the way user-replaced values are typically formatted. I would suggest an alternative with underscores:
> --workload-identities-file <workload-identities.json> \
```suggestion
--workload-identities-file <workload_identities_json> \
```
> `<azure_credentials_file>`:: Specifies the {azure-short} credentials file with permission to create managed identities and federated credentials.
> `<resource_group>`:: Specifies the name of the resource group where you intend to create identities.
> `<oidc_issuer_url>`:: Specifies the URL of the OIDC identity provider for Workload Identity federation.
> `<workload-identities.json>`:: Specifies the output file path, such as `<name>-iam-output.json`.
Same suggestion here about the underscores, except in this case the description list item doesn't match what's in the code block above either way. I would make sure all mentions of this value in the assembly are consistently formatted
Good catch. I'll take a look to make sure everything is consistent.
> `--location`:: Specifies the {azure-short} region for the managed identities. The default value is `eastus`.
> `--cloud`:: Specifies the {azure-short} cloud environment. The default value is `AzurePublicCloud`.
These don't seem to appear in the code block above
> . Review the output file, which looks like the following example:
Not really a big deal either way, but maybe this is more of a verification step? I'm not sure since I'm not familiar with this content
Moved to a "Verification" section
> [role="_additional-resources"]
> .Additional resources
>
> * link:https://access.redhat.com/solutions/7001811[How to obtain the ccoctl tool for OpenShift 4]
I'm not sure about this, but technically if this is pointing out of the OCP docs, should it have a parenthetical about the destination?
> * link:https://access.redhat.com/solutions/7001811[How to obtain the ccoctl tool for OpenShift 4]
```suggestion
* link:https://access.redhat.com/solutions/7001811[How to obtain the ccoctl tool for OpenShift 4 (Red{nbsp}Hat Knowledgebase article)]
```
Or is that only for like truly external docs such as from another company?
I think we use a parenthetical whenever we point out of the OCP docs, not just for truly external docs. Will fix.
New changes are detected. LGTM label has been removed.
@lahinson: all tests passed!
/retest

/cherrypick enterprise-4.22

@lahinson: new pull request created: #112516
Version(s): 4.22+
Issue: https://redhat.atlassian.net/browse/OSDOCS-19522
Link to docs preview: https://111958--ocpdocs-pr.netlify.app/openshift-enterprise/latest/hosted_control_planes/hcp-deploy/hcp-deploy-azure.html#hcp-azure-workload-id-oidc_hcp-deploy-azure
QE review:
Additional information: