Installation
Installation Options
- Operator Lifecycle Manager (OLM) from operatorhub.io
- Operator Lifecycle Manager (OLM)
- Manual Installation
Operator Lifecycle Manager (OLM) from operatorhub.io
Check the deploy directory for manifest examples. These instructions assume that you have OLM installed in the default olm namespace.
Create an OperatorGroup
kubectl create namespace aws-auth-operator-system
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/operatorhub/operatorgroup.yaml
Install subscription
Make sure to set the AWS secrets for the operator. See the AWS User Policy section for the access this user requires.
This example shows how to set the secrets using a 'Secret' resource:
kubectl create secret generic \
-n aws-auth-operator-system \
aws-auth-operator-secret \
--from-literal=AWS_ACCESS_KEY_ID="<key>" \
--from-literal=AWS_SECRET_ACCESS_KEY="<secret>" \
--from-literal=AWS_DEFAULT_REGION="<region>"
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/operatorhub/subscription.yaml
Approve InstallPlan
Wait for the subscription; you can check its current status with the following commands:
kubectl get subscriptions -n aws-auth-operator-system aws-auth-operator
kubectl describe subscription -n aws-auth-operator-system aws-auth-operator
Manually approve the InstallPlan:
kubectl get installplans -n aws-auth-operator-system
kubectl patch installplan <InstallPlan Name> -n aws-auth-operator-system --type merge --patch '{"spec": {"approved": true}}'
If the InstallPlan does not appear, check the OLM logs:
kubectl logs -f -n olm <olm-operator-xxx pod name>
Check if the operator was successfully deployed:
kubectl get csv -n aws-auth-operator-system
kubectl get pods -n aws-auth-operator-system
Operator Lifecycle Manager (OLM)
Check the deploy directory for manifest examples. These instructions assume that you have OLM installed in the default olm namespace.
Install catalog source
kubectl apply -n olm -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/olm/catalogsource.yaml
# verify
kubectl describe catalogsource -n olm aws-auth-operator-catalog
Create an OperatorGroup
kubectl create namespace aws-auth-operator-system
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/olm/operatorgroup.yaml
Install subscription
Make sure to set the AWS secrets for the operator. See the AWS User Policy section for the access this user requires.
This example shows how to set the secrets using a 'Secret' resource:
kubectl create secret generic \
-n aws-auth-operator-system \
aws-auth-operator-secret \
--from-literal=AWS_ACCESS_KEY_ID="<key>" \
--from-literal=AWS_SECRET_ACCESS_KEY="<secret>" \
--from-literal=AWS_DEFAULT_REGION="<region>"
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/olm/subscription.yaml
Approve InstallPlan
Wait for the subscription; you can check its current status with the following commands:
kubectl get subscriptions -n aws-auth-operator-system aws-auth-operator
kubectl describe subscription -n aws-auth-operator-system aws-auth-operator
Manually approve the InstallPlan:
kubectl get installplans -n aws-auth-operator-system
kubectl patch installplan <InstallPlan Name> -n aws-auth-operator-system --type merge --patch '{"spec": {"approved": true}}'
If the InstallPlan does not appear, check the OLM logs:
kubectl logs -f -n olm <olm-operator-xxx pod name>
Check if the operator was successfully deployed:
kubectl get csv -n aws-auth-operator-system
kubectl get pods -n aws-auth-operator-system
Manual Installation
Namespace
Create a new namespace for the operator
kubectl create namespace aws-auth-operator-system
Install CRDs
Install Custom Resource Definitions
kubectl apply -n aws-auth-operator-system -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/crds.yaml
Create Secrets
Make sure to set the AWS secrets for the operator. See the AWS User Policy section for the access this user requires.
This example shows how to set the secrets using a 'Secret' resource:
kubectl create secret generic \
-n aws-auth-operator-system \
aws-auth-operator-secret \
--from-literal=AWS_ACCESS_KEY_ID="<key>" \
--from-literal=AWS_SECRET_ACCESS_KEY="<secret>" \
--from-literal=AWS_DEFAULT_REGION="<region>"
Install all other resources
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/serviceaccount.yaml
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/deployment.yaml
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/role.yaml
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/role_binding.yaml
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/role_leader_election.yaml
kubectl apply -f https://raw.githubusercontent.com/gp42/aws-auth-operator/main/deploy/manual/role_binding_leader_election.yaml
AWS User Policy
The AWS user whose keys are provided to the operator must have the following policy attached to be able to scan IAM groups:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:GetGroup",
            "Resource": "*"
        }
    ]
}
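An added example, not part of the operator's own code: the access keys above are static credentials stored in a Kubernetes Secret, so it is worth confirming that the policy attached to that user grants iam:GetGroup and nothing more. The Python below audits the Allow statements of a policy document; audit_policy, as_list, PAGE_POLICY and BROAD_POLICY are names assumed for this illustration, and both sample policies are constructed.

```python
import fnmatch
import json

REQUIRED = "iam:getgroup"  # the one action the page's policy grants (lower-cased)

# Constructed samples: the page's policy, and an over-broad variant for contrast.
PAGE_POLICY = '''{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": "iam:GetGroup", "Resource": "*"}]}'''
BROAD_POLICY = '''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:Get*", "iam:CreateAccessKey"],
   "Resource": "*"}]}'''


def as_list(value):
    """IAM accepts either a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy_json):
    """Return (grants_required, findings) for an IAM policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    grants_required, findings = False, []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in st:
            # Allow + NotAction permits everything except the listed actions;
            # flagged and not evaluated further.
            findings.append(f"statement {i}: Allow with NotAction")
            continue
        for action in as_list(st.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            if pattern == REQUIRED:
                grants_required = True
            elif fnmatch.fnmatchcase(REQUIRED, pattern):
                grants_required = True
                findings.append(f"statement {i}: wildcard action {action}")
            else:
                findings.append(f"statement {i}: extra action {action}")
    return grants_required, findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(policy))
```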
Usage
See Usage section.