Merge pull request #18876 from openshift-cherrypick-robot/cherry-pick-18206-to-enterprise-4.3

[enterprise-4.3] osdocs771 AWS private clusters

_topic_map.yml

@@ -98,6 +98,8 @@ Topics:
     File: installing-aws-network-customizations
   - Name: Installing a cluster on AWS into an existing VPC
     File: installing-aws-vpc
+  - Name: Installing a private cluster on AWS
+    File: installing-aws-private
   - Name: Installing a cluster on AWS using CloudFormation templates
     File: installing-aws-user-infra
   - Name: Installing a cluster on AWS in a restricted network

installing/installing_aws/installing-aws-private.adoc

@@ -0,0 +1,63 @@
+[id="installing-aws-private"]
+= Installing a private cluster on AWS
+include::modules/common-attributes.adoc[]
+:context: installing-aws-private
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a private cluster into an existing VPC on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify
+parameters in the `install-config.yaml` file before you install the cluster.
+.Prerequisites
+
+* Review details about the
+xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update]
+processes.
+* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account]
+to host the cluster.
++
+[IMPORTANT]
+====
+If you have an AWS profile stored on your computer, it must not use a temporary
+session token that you generated while using a multi-factor authentication
+device. The cluster continues to use your current AWS credentials to create
+AWS resources for the entire life of the cluster, so you must use long-lived
+credentials. To generate appropriate keys, see
+link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users]
+in the AWS documentation. You can supply the keys when you run the installation
+program.
+====
+* If you use a firewall, you must
+xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to.
+
+include::modules/private-clusters-default.adoc[leveloffset=+1]
+
+include::modules/private-clusters-about-aws.adoc[leveloffset=+2]
+
+include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
+
+// Removing; Proxy not supported for AWS IPI for 4.2
+// include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+.Next steps
+
+* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster].
+* If necessary, you can
+xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

modules/cli-installing-cli.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc

modules/cluster-entitlements.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc

modules/installation-aws-config-yaml.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
@@ -13,6 +14,10 @@ endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :vpc:
 endif::[]
+ifeval::["{context}" == "installing-aws-private"]
+:vpc:
+:private:
+endif::[]
 
 
 [id="installation-aws-config-yaml_{context}"]
@@ -95,6 +100,9 @@ ifndef::vpc[]
 fips: false <6>
 sshKey: ssh-ed25519 AAAA... <7>
 endif::vpc[]
+ifdef::private[]
+publish: Internal <9>
+endif::private[]
 ----
 <1> Required. The installation program prompts you for this value.
 <2> If you do not provide these parameters and values, the installation program
@@ -138,6 +146,9 @@ endif::vpc[]
 ====
 For production {product-title} clusters on which you want to perform installation debugging or disaster recovery on, specify an SSH key that your `ssh-agent` process uses.
 ====
+ifdef::private[]
+<9> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
+endif::private[]
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!with-networking:
@@ -148,3 +159,7 @@ endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :!vpc:
 endif::[]
+ifeval::["{context}" == "installing-aws-private"]
+:!vpc:
+:!private:
+endif::[]

modules/installation-configuration-parameters.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-network-customizations.adoc
@@ -18,6 +19,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-private"]
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :aws:
 endif::[]
@@ -143,6 +147,10 @@ For production {product-title} clusters on which you want to perform installatio
 |Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
 |`false` or `true`
 
+|`publish`
+|How to publish the user-facing endpoints of your cluster.
+|`Internal` or `External`. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
+
 |`compute.hyperthreading`
 |Whether to enable or disable simultaneous multithreading, or `hyperthreading`,
 on compute machines. By default, simultaneous multithreading is enabled
@@ -384,6 +392,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-private"]
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :!aws:
 endif::[]

modules/installation-custom-aws-vpc.adoc

@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 
 [id="installation-custom-aws-vpc_{context}"]

modules/installation-initializing.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-network-customizations

modules/installation-launching-installer.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc

modules/installation-obtaining-installer.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc

modules/private-clusters-about-aws.adoc

@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_aws/installing-aws-private.adoc
+
+[id="private-clusters-about-aws_{context}"]
+= Private clusters in AWS
+
+To create a private cluster on Amazon Web Services (AWS), you must provide an existing private VPC and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for access from only the private network.
+
+The cluster still requires access to Internet to access the AWS APIs.
+
+The following items are not required or created when you install a private cluster:
+
+* Public subnets
+* Public load balancers, which support public ingress
+* A public Route 53 Zone that matches the `baseDomain` for the cluster
+
+The installation program does use the `baseDomain` that you specify to create a private Route 53 Zone and the required records for the cluster. The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify.
+
+[id="private-clusters-limitations-aws_{context}"]
+== Limitations
+
+The ability to add public functionality to a private cluster is limited.
+
+* You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VPC for each availablity zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from Internet on 6443 (Kubernetes API port).
+* If you use a public Service type load balancer, you must tag a public subnet in each availability zone with `kubernetes.io/cluster/<cluster-infra-id>: shared` so that AWS can use them to create public load balancers.

modules/private-clusters-default.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_aws/installing-aws-private.adoc
+// * installing/installing_gcp/installing-gcp-private.adoc
+
+[id="private-clusters-default_{context}"]
+= Private clusters
+
+If your environment does not require an external internet connection, you can deploy a private {product-title} cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the Internet.
+
+By default, {product-title} is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
+
+To deploy a private cluster, you must use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
+
+Additionally, you must deploy a private cluster from a machine that has access the API services for the cloud you provision to, the hosts on the network that you provision, and to the internet to obtain installation media. You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.

modules/ssh-agent-using.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc