From 39ddee2e22d7c6bd0469901c0725b774d30f1c1c Mon Sep 17 00:00:00 2001 
From: Paul Needle Date: Fri, 4 Dec 2020 13:52:49 +0000 Subject: [PATCH] OSDOCS-1960 - Adding to the AWS UPI installation path --- architecture/architecture-installation.adoc | 9 +++ .../installing-aws-account.adoc | 4 ++ .../installing-aws-customizations.adoc | 4 ++ .../installing-aws-default.adoc | 8 +++ .../installing-aws-government-region.adoc | 4 ++ ...installing-aws-network-customizations.adoc | 4 ++ .../installing-aws-private.adoc | 4 ++ .../installing-aws-user-infra.adoc | 66 ++++++++++++++++--- .../installing_aws/installing-aws-vpc.adoc | 4 ++ .../installing-restricted-networks-aws.adoc | 48 ++++++++++---- .../installing_aws/manually-creating-iam.adoc | 17 +++++ ...-storing-admin-secrets-in-kube-system.adoc | 14 ++++ modules/cli-logging-in-kubeadmin.adoc | 4 +- modules/configuring-hybrid-ovnkubernetes.adoc | 2 +- modules/installation-approve-csrs.adoc | 10 +++ ...tallation-aws-upload-custom-rhcos-ami.adoc | 8 +-- ...installation-aws-user-infra-bootstrap.adoc | 43 ++++++++---- ...ation-aws-user-infra-delete-bootstrap.adoc | 2 + ...tallation-aws-user-infra-installation.adoc | 16 +++-- ...tallation-aws-user-infra-requirements.adoc | 18 +++-- modules/installation-bootstrap-gather.adoc | 4 +- modules/installation-configure-proxy.adoc | 4 +- ...stallation-create-ingress-dns-records.adoc | 6 +- .../installation-creating-aws-bootstrap.adoc | 33 ++++++---- ...stallation-creating-aws-control-plane.adoc | 37 ++++++++--- modules/installation-creating-aws-dns.adoc | 50 ++++++++------ .../installation-creating-aws-security.adoc | 24 ++++--- modules/installation-creating-aws-vpc.adoc | 20 ++++-- modules/installation-creating-aws-worker.adoc | 44 ++++++++----- modules/installation-extracting-infraid.adoc | 8 +-- ...enerate-aws-user-infra-install-config.adoc | 26 +++----- ...nstallation-getting-debug-information.adoc | 2 +- modules/installation-initializing.adoc | 2 +- modules/installation-launching-installer.adoc | 28 +++++++- modules/installation-obtaining-installer.adoc 
| 9 ++- modules/installation-overview.adoc | 3 +- ...tion-special-config-encrypt-disk-tpm2.adoc | 2 +- .../installation-special-config-kargs.adoc | 2 +- modules/installation-uninstall-clouds.adoc | 2 +- ...-infra-generate-k8s-manifest-ignition.adoc | 22 +++---- .../logging-in-by-using-the-web-console.adoc | 10 +-- ...lly-create-identity-access-management.adoc | 8 +-- modules/mint-mode.adoc | 20 ++---- modules/nw-aws-nlb-new-cluster.adoc | 2 +- .../nw-modifying-operator-install-config.adoc | 2 +- ...ry-configuring-storage-aws-user-infra.adoc | 2 +- 46 files changed, 459 insertions(+), 202 deletions(-) create mode 100644 modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc diff --git a/architecture/architecture-installation.adoc b/architecture/architecture-installation.adoc index dcc842019f..21f281fd39 100644 --- a/architecture/architecture-installation.adoc +++ b/architecture/architecture-installation.adoc @@ -6,6 +6,15 @@ toc::[] include::modules/installation-overview.adoc[leveloffset=+1] +.Additional resources + +* See xref:../installing/install_config/customizations.adoc#customizations[Available cluster customizations] for details about {product-title} configuration resources. + include::modules/update-service-overview.adoc[leveloffset=+1] include::modules/unmanaged-operators.adoc[leveloffset=+1] + +[id="architecture-installation-next-steps"] +== Next steps + +* xref:../installing/installing-preparing.adoc#installing-preparing[Selecting a cluster installation method and preparing it for users] \ No newline at end of file diff --git a/installing/installing_aws/installing-aws-account.adoc b/installing/installing_aws/installing-aws-account.adoc index 0a435a40b5..96700a2389 100644 --- a/installing/installing_aws/installing-aws-account.adoc +++ b/installing/installing_aws/installing-aws-account.adoc 
@@ -18,6 +18,10 @@ include::modules/installation-aws-permissions.adoc[leveloffset=+1] include::modules/installation-aws-iam-user.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[Manually creating IAM for AWS] for steps to set the Cloud Credential Operator (CCO) to manual mode prior to installation. Use this mode in environments where the cloud identity and access management (IAM) APIs are not reachable, or if you prefer not to store an administrator-level credential secret in the cluster `kube-system` project. + include::modules/installation-aws-regions.adoc[leveloffset=+1] == Next steps diff --git a/installing/installing_aws/installing-aws-customizations.adoc b/installing/installing_aws/installing-aws-customizations.adoc index d0e0c7ecc6..65d7f3c237 100644 --- a/installing/installing_aws/installing-aws-customizations.adoc +++ b/installing/installing_aws/installing-aws-customizations.adoc @@ -39,6 +39,10 @@ environments where the cloud IAM APIs are not reachable. include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-default.adoc b/installing/installing_aws/installing-aws-default.adoc index b0a70394b1..fcb2b69bc5 100644 --- a/installing/installing_aws/installing-aws-default.adoc +++ b/installing/installing_aws/installing-aws-default.adoc 
@@ -37,12 +37,20 @@ environments where the cloud IAM APIs are not reachable. include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service + include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] include::modules/installation-launching-installer.adoc[leveloffset=+1] +.Additional resources + +* See link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html[Configuration and credential file settings] in the AWS documentation for more information about AWS profile and credential configuration. + include::modules/cli-installing-cli.adoc[leveloffset=+1] include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-government-region.adoc b/installing/installing_aws/installing-aws-government-region.adoc index 4de1711608..beef2fa237 100644 --- a/installing/installing_aws/installing-aws-government-region.adoc +++ b/installing/installing_aws/installing-aws-government-region.adoc @@ -46,6 +46,10 @@ include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1] include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-network-customizations.adoc b/installing/installing_aws/installing-aws-network-customizations.adoc index 91e7468a73..3c3799e7ef 100644 
--- a/installing/installing_aws/installing-aws-network-customizations.adoc +++ b/installing/installing_aws/installing-aws-network-customizations.adoc @@ -46,6 +46,10 @@ environments where the cloud IAM APIs are not reachable. include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-private.adoc b/installing/installing_aws/installing-aws-private.adoc index ad61a29e52..40c87841a8 100644 --- a/installing/installing_aws/installing-aws-private.adoc +++ b/installing/installing_aws/installing-aws-private.adoc @@ -43,6 +43,10 @@ include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1] include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-aws-user-infra.adoc b/installing/installing_aws/installing-aws-user-infra.adoc index 3a35c06512..4dc87fa05c 100644 --- a/installing/installing_aws/installing-aws-user-infra.adoc +++ b/installing/installing_aws/installing-aws-user-infra.adoc 
@@ -15,10 +15,10 @@ according to your company's policies. == Prerequisites -* Review details about the +* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. -* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account] +* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster. + [IMPORTANT] @@ -32,11 +32,10 @@ link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys in the AWS documentation. You can supply the keys when you run the installation program. ==== -* Download the AWS CLI and install it on your computer. See +* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] in the AWS documentation. -* If you use a firewall, you must -xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to. +* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. + [NOTE] ==== @@ -50,6 +49,10 @@ environments where the cloud IAM APIs are not reachable. include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1] include::modules/installation-aws-permissions.adoc[leveloffset=+2] 
@@ -62,6 +65,10 @@ include::modules/installation-user-infra-generate.adoc[leveloffset=+1] include::modules/installation-generate-aws-user-infra-install-config.adoc[leveloffset=+2] +.Additional resources + +* See link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html[Configuration and credential file settings] in the AWS documentation for more information about AWS profile and credential configuration. + include::modules/installation-configure-proxy.adoc[leveloffset=+2] //include::modules/installation-three-node-cluster.adoc[leveloffset=+2] 
@@ -74,14 +81,30 @@ include::modules/installation-creating-aws-vpc.adoc[leveloffset=+1] include::modules/installation-cloudformation-vpc.adoc[leveloffset=+2] +.Additional resources + +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + include::modules/installation-creating-aws-dns.adoc[leveloffset=+1] include::modules/installation-cloudformation-dns.adoc[leveloffset=+2] +.Additional resources + +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + +* You can view details about your hosted zones by navigating to the link:https://console.aws.amazon.com/route53/[AWS Route 53 console]. + +* See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ListInfoOnHostedZone.html[Listing public hosted zones] in the AWS documentation for more information about listing public hosted zones. + include::modules/installation-creating-aws-security.adoc[leveloffset=+1] include::modules/installation-cloudformation-security.adoc[leveloffset=+2] +.Additional resources + +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + include::modules/installation-aws-user-infra-rhcos-ami.adoc[leveloffset=+1] include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+2] 
@@ -92,11 +115,21 @@ include::modules/installation-creating-aws-bootstrap.adoc[leveloffset=+1] include::modules/installation-cloudformation-bootstrap.adoc[leveloffset=+2] +.Additional resources + +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + +* See xref:../../installing/installing_aws/installing-aws-user-infra.adoc#installation-aws-user-infra-rhcos-ami_installing-aws-user-infra[{op-system} AMIs for the AWS infrastructure] for details about the {op-system-first} AMIs for the AWS zones. + include::modules/installation-creating-aws-control-plane.adoc[leveloffset=+1] include::modules/installation-cloudformation-control-plane.adoc[leveloffset=+2] -include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1] +.Additional resources + +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + +include::modules/installation-creating-aws-worker.adoc[leveloffset=+1] //// [id="installing-workers-aws-user-infra"] 
@@ -108,10 +141,21 @@ the workers, you can allow the cluster to manage them. This allows you to easily scale, manage, and upgrade your workers. //// +include::modules/installation-cloudformation-worker.adoc[leveloffset=+2] -include::modules/installation-creating-aws-worker.adoc[leveloffset=+2] +.Additional resources -include::modules/installation-cloudformation-worker.adoc[leveloffset=+3] +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + +include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1] + +.Additional resources + +* See xref:../../support/troubleshooting/troubleshooting-installations.html#monitoring-installation-progress_troubleshooting-installations[Monitoring installation progress] for details about monitoring the installation, bootstrap, and control plane logs as an {product-title} installation progresses. + +* See xref:../../support/troubleshooting/troubleshooting-installations.adoc#gathering-bootstrap-diagnostic-data_troubleshooting-installations[Gathering bootstrap node diagnostic data] for information about troubleshooting issues related to the bootstrap process. + +* You can view details about the running instances that are created by using the link:https://console.aws.amazon.com/ec2[AWS EC2 console]. include::modules/cli-installing-cli.adoc[leveloffset=+1] 
@@ -137,10 +181,14 @@ include::modules/installation-aws-user-infra-installation.adoc[leveloffset=+1] include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1] -.Additional resources +[id="installing-aws-user-infra-additional-resources"] +== Additional resources * See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console. +* See link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html[Working with stacks] in the AWS documentation for more information about AWS CloudFormation stacks. + +[id="installing-aws-user-infra-next-steps"] == Next steps * xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation]. diff --git a/installing/installing_aws/installing-aws-vpc.adoc b/installing/installing_aws/installing-aws-vpc.adoc index dd03e9f73f..fb824f2906 100644 --- a/installing/installing_aws/installing-aws-vpc.adoc +++ b/installing/installing_aws/installing-aws-vpc.adoc @@ -39,6 +39,10 @@ include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1] include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + include::modules/ssh-agent-using.adoc[leveloffset=+1] include::modules/installation-obtaining-installer.adoc[leveloffset=+1] diff --git a/installing/installing_aws/installing-restricted-networks-aws.adoc b/installing/installing_aws/installing-restricted-networks-aws.adoc index 677097079c..0c5ee3ab03 100644 --- a/installing/installing_aws/installing-restricted-networks-aws.adoc +++ b/installing/installing_aws/installing-restricted-networks-aws.adoc 
@@ -22,18 +22,18 @@ according to your company's policies. == Prerequisites -* xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[Create a mirror registry on your mirror host] - and obtain the `imageContentSources` data for your version of {product-title}. +* You xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[created a mirror registry on your mirror host] + and obtained the `imageContentSources` data for your version of {product-title}. + [IMPORTANT] ==== Because the installation media is on the mirror host, you can use that computer to complete all installation steps. ==== -* Review details about the +* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. -* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account] +* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster. + [IMPORTANT] 
@@ -47,11 +47,10 @@ link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys in the AWS documentation. You can supply the keys when you run the installation program. ==== -* Download the AWS CLI and install it on your computer. See +* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] in the AWS documentation. -* If you use a firewall and plan to use telemetry, you must -xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure the firewall to allow the sites] that your cluster requires access to. +* If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to. + [NOTE] ==== @@ -67,6 +66,10 @@ include::modules/installation-about-restricted-network.adoc[leveloffset=+1] include::modules/cluster-entitlements.adoc[leveloffset=+1] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service + include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1] include::modules/installation-aws-permissions.adoc[leveloffset=+2] 
@@ -79,6 +82,10 @@ include::modules/installation-user-infra-generate.adoc[leveloffset=+1] include::modules/installation-generate-aws-user-infra-install-config.adoc[leveloffset=+2] +.Additional resources + +* See link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html[Configuration and credential file settings] in the AWS documentation for more information about AWS profile and credential configuration. + include::modules/installation-configure-proxy.adoc[leveloffset=+2] //include::modules/installation-three-node-cluster.adoc[leveloffset=+2] @@ -95,6 +102,10 @@ include::modules/installation-creating-aws-dns.adoc[leveloffset=+1] include::modules/installation-cloudformation-dns.adoc[leveloffset=+2] +.Additional resources + +* See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ListInfoOnHostedZone.html[Listing public hosted zones] in the AWS documentation for more information about listing public hosted zones. + include::modules/installation-creating-aws-security.adoc[leveloffset=+1] include::modules/installation-cloudformation-security.adoc[leveloffset=+2] @@ -105,11 +116,15 @@ include::modules/installation-creating-aws-bootstrap.adoc[leveloffset=+1] include::modules/installation-cloudformation-bootstrap.adoc[leveloffset=+2] +.Additional resources + +* See xref:../../installing/installing_aws/installing-aws-user-infra.adoc#installation-aws-user-infra-rhcos-ami_installing-aws-user-infra[{op-system} AMIs for the AWS infrastructure] for details about the {op-system-first} AMIs for the AWS zones. + include::modules/installation-creating-aws-control-plane.adoc[leveloffset=+1] include::modules/installation-cloudformation-control-plane.adoc[leveloffset=+2] -include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1] +include::modules/installation-creating-aws-worker.adoc[leveloffset=+1] //// [id="installing-workers-aws-user-infra"] 
@@ -121,10 +136,15 @@ the workers, you can allow the cluster to manage them. This allows you to easily scale, manage, and upgrade your workers. //// +include::modules/installation-cloudformation-worker.adoc[leveloffset=+2] -include::modules/installation-creating-aws-worker.adoc[leveloffset=+2] +include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1] -include::modules/installation-cloudformation-worker.adoc[leveloffset=+3] +.Additional resources + +* See xref:../../support/troubleshooting/troubleshooting-installations.html#monitoring-installation-progress_troubleshooting-installations[Monitoring installation progress] for details about monitoring the installation, bootstrap, and control plane logs as an {product-title} installation progresses. + +* See xref:../../support/troubleshooting/troubleshooting-installations.adoc#gathering-bootstrap-diagnostic-data_troubleshooting-installations[Gathering bootstrap node diagnostic data] for information about troubleshooting issues related to the bootstrap process. //You can install the CLI on the mirror host. 
@@ -148,13 +168,17 @@ include::modules/installation-aws-user-infra-installation.adoc[leveloffset=+1] include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1] -.Additional resources +[id="installing-restricted-networks-aws-additional-resources"] +== Additional resources * See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console. +* See link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html[Working with stacks] in the AWS documentation for more information about AWS CloudFormation stacks. + +[id="installing-restricted-networks-aws-next-steps"] == Next steps -* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation]. +* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation]. * xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. * If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores]. * If necessary, you can diff --git a/installing/installing_aws/manually-creating-iam.adoc b/installing/installing_aws/manually-creating-iam.adoc index 73dc49b4e8..90bacbb070 100644 --- a/installing/installing_aws/manually-creating-iam.adoc +++ b/installing/installing_aws/manually-creating-iam.adoc 
@@ -5,6 +5,14 @@ include::modules/common-attributes.adoc[] toc::[] +In environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster `kube-system` namespace, you can put the Cloud Credential Operator (CCO) into manual mode before you install the cluster. + +include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[leveloffset=+1] + +.Additional resources + +See xref:../../operators/operator-reference.adoc#cloud-credential-operator_red-hat-operators[Cloud Credential Operator] for a detailed description of all available CCO credential modes and their supported platforms. + include::modules/manually-create-identity-access-management.adoc[leveloffset=+1] include::modules/admin-credentials-root-secret-formats.adoc[leveloffset=+1] @@ -14,3 +22,12 @@ include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1] include::modules/mint-mode.adoc[leveloffset=+1] include::modules/mint-mode-with-removal-of-admin-credential.adoc[leveloffset=+1] + +[id="manually-creating-iam-aws-next-steps"] +== Next steps + +* Install an {product-title} cluster: +** xref:../../installing/installing_aws/installing-aws-default.adoc#installing-aws-default[Quickly install a cluster] with default options on installer-provisioned infrastructure +** xref:../../installing/installing_aws/installing-aws-customizations.adoc#installing-aws-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure] +** xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#installing-aws-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure] +** xref:../../installing/installing_aws/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates] 
diff --git a/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc b/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc new file mode 100644 index 0000000000..69acc74ebc --- /dev/null +++ b/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc 
@@ -0,0 +1,14 @@ +// Module included in the following assemblies: +// +// * installing/installing_gcp/manually-creating-iam-gcp.adoc + +[id="alternatives-to-storing-admin-secrets-in-kube-system.adoc_{context}"] += Alternatives to storing administrator-level secrets in the `kube-system` project + +The Cloud Credential Operator (CCO) manages cloud provider credentials as Kubernetes custom resource definitions (CRDs). You can configure the CCO to suit the security requirements of your organization by setting different values for the `credentialsMode` parameter in the `install-config.yaml` file. + +If you prefer not to store an administrator-level credential secret in the cluster `kube-system` project, you can choose one of the following options when installing {product-title} on AWS: + +* *Manage cloud credentials manually*. You can set the `credentialsMode` for the CCO to `Manual` to manage cloud credentials manually. Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them. + +* *Remove the administrator-level credential secret after installing {product-title} with mint mode*. You can remove or rotate the administrator-level credential after installing {product-title} with the `Mint` CCO credentials mode applied. The `Mint` CCO credentials mode is the default. This option requires the presence of the administrator-level credential during an installation. The administrator-level credential is used during the installation to mint other credentials with some permissions granted. The original credential secret is not stored in the cluster permanently. \ No newline at end of file 
diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc index 259b4fde71..d6d47fb6db 100644 --- a/modules/cli-logging-in-kubeadmin.adoc +++ b/modules/cli-logging-in-kubeadmin.adoc @@ -44,8 +44,8 @@ The file is specific to a cluster and is created during {product-title} installa .Prerequisites -* Deploy an {product-title} cluster. -* Install the `oc` CLI. +* You deployed an {product-title} cluster. +* You installed the `oc` CLI. .Procedure diff --git a/modules/configuring-hybrid-ovnkubernetes.adoc b/modules/configuring-hybrid-ovnkubernetes.adoc index 4625cbfdb8..0372daf8b9 100644 --- a/modules/configuring-hybrid-ovnkubernetes.adoc +++ b/modules/configuring-hybrid-ovnkubernetes.adoc @@ -20,7 +20,7 @@ You must configure hybrid networking with OVN-Kubernetes during the installation .Procedure -. Use the following command to create manifests: +. Create the manifests from the directory that contains the installation program: + [source,terminal] ---- diff --git a/modules/installation-approve-csrs.adoc b/modules/installation-approve-csrs.adoc index ee1345232a..077970a212 100644 --- a/modules/installation-approve-csrs.adoc +++ b/modules/installation-approve-csrs.adoc @@ -58,6 +58,11 @@ worker-1 NotReady worker 70s v1.20.0 ---- + The output lists all of the machines that you created. ++ +[NOTE] +==== +The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. +==== . Review the pending CSRs and ensure that you see a client and server request with the `Pending` or `Approved` status for each machine that you added to the cluster: + 
@@ -125,6 +130,11 @@ $ oc adm certificate approve <1> $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve ---- +[NOTE] +==== +Some Operators might not become available until some CSRs are approved. +==== + .Additional information * For more information on CSRs, see link:https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/[Certificate Signing Requests]. diff --git a/modules/installation-aws-upload-custom-rhcos-ami.adoc b/modules/installation-aws-upload-custom-rhcos-ami.adoc index 5fca9d1ada..209ca27ef3 100644 --- a/modules/installation-aws-upload-custom-rhcos-ami.adoc +++ b/modules/installation-aws-upload-custom-rhcos-ami.adoc @@ -11,13 +11,13 @@ that region. .Prerequisites -* Configure an AWS account. -* Create an Amazon S3 bucket with the required IAM +* You configured an AWS account. +* You created an Amazon S3 bucket with the required IAM link:https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role[service role]. -* Upload your {op-system} VMDK file to Amazon S3. The {op-system} VMDK file must +* You uploaded your {op-system} VMDK file to Amazon S3. The {op-system} VMDK file must be the highest version that is less than or equal to the {product-title} version you are installing. -* Download the AWS CLI and install it on your computer. See +* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer]. .Procedure diff --git a/modules/installation-aws-user-infra-bootstrap.adoc b/modules/installation-aws-user-infra-bootstrap.adoc index 606f5c20ef..e451c8c782 100644 --- a/modules/installation-aws-user-infra-bootstrap.adoc +++ b/modules/installation-aws-user-infra-bootstrap.adoc 
@@ -4,26 +4,26 @@ // * installing/installing_aws/installing-restricted-networks-aws.adoc [id="installation-aws-user-infra-bootstrap_{context}"] -= Initializing the bootstrap node on AWS with user-provisioned infrastructure += Initializing the bootstrap sequence on AWS with user-provisioned infrastructure After you create all of the required infrastructure in Amazon Web Services (AWS), -you can install the cluster. +you can start the bootstrap sequence that initializes the {product-title} control plane. .Prerequisites -* Configure an AWS account. -* Generate the Ignition config files for your cluster. -* Create and configure a VPC and associated subnets in AWS. -* Create and configure DNS, load balancers, and listeners in AWS. -* Create control plane and compute roles. -* Create the bootstrap machine. -* Create the control plane machines. -* If you plan to manually manage the worker machines, create the worker machines. +* You configured an AWS account. +* You added your AWS keys and region to your local AWS profile by running `aws configure`. +* You generated the Ignition config files for your cluster. +* You created and configured a VPC and associated subnets in AWS. +* You created and configured DNS, load balancers, and listeners in AWS. +* You created the security groups and roles required for your cluster in AWS. +* You created the bootstrap machine. +* You created the control plane machines. +* You created the worker nodes. .Procedure -. Change to the directory that contains the installation program and run the -following command: +. Change to the directory that contains the installation program and start the bootstrap process that initializes the {product-title} control plane: + [source,terminal] ---- 
@@ -35,5 +35,20 @@ stored the installation files in. <2> To view different installation details, specify `warn`, `debug`, or `error` instead of `info`. + -If the command exits without a `FATAL` warning, your production control plane -has initialized. +.Example output +[source,terminal] +---- +INFO Waiting up to 20m0s for the Kubernetes API at https://api.mycluster.example.com:6443... +INFO API v1.19.0+9f84db3 up +INFO Waiting up to 30m0s for bootstrapping to complete... +INFO It is now safe to remove the bootstrap resources +INFO Time elapsed: 1s +---- ++ +If the command exits without a `FATAL` warning, your {product-title} control plane +has initialized. ++ +[NOTE] +==== +After the control plane initializes, it sets up the compute nodes and installs additional services in the form of Operators. +==== diff --git a/modules/installation-aws-user-infra-delete-bootstrap.adoc b/modules/installation-aws-user-infra-delete-bootstrap.adoc index c49d5e7933..28c9b1f8a8 100644 --- a/modules/installation-aws-user-infra-delete-bootstrap.adoc +++ b/modules/installation-aws-user-infra-delete-bootstrap.adoc @@ -16,9 +16,11 @@ After you complete the initial Operator configuration for the cluster, remove th . Delete the bootstrap resources. If you used the CloudFormation template, link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html[delete its stack]: +** Delete the stack by using the AWS CLI: + [source,terminal] ---- $ aws cloudformation delete-stack --stack-name <1> ---- <1> `` is the name of your bootstrap stack. +** Delete the stack by using the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. diff --git a/modules/installation-aws-user-infra-installation.adoc b/modules/installation-aws-user-infra-installation.adoc index be4d60f911..e39f9ad713 100644 --- a/modules/installation-aws-user-infra-installation.adoc +++ b/modules/installation-aws-user-infra-installation.adoc 
@@ -15,16 +15,16 @@ user-provisioned infrastructure, monitor the deployment to completion. .Prerequisites -* Removed the bootstrap node for an {product-title} cluster on user-provisioned AWS infrastructure. -* Install the `oc` CLI and log in. +* You removed the bootstrap node for an {product-title} cluster on user-provisioned AWS infrastructure. +* You installed the `oc` CLI. .Procedure ifdef::restricted[] -. Complete +. From the directory that contains the installation program, complete endif::restricted[] ifndef::restricted[] -* Complete +* From the directory that contains the installation program, complete endif::restricted[] the cluster installation: + @@ -38,7 +38,13 @@ stored the installation files in. .Example output [source,terminal] ---- -INFO Waiting up to 30m0s for the cluster to initialize... +INFO Waiting up to 40m0s for the cluster at https://api.mycluster.example.com:6443 to initialize... +INFO Waiting up to 10m0s for the openshift-console route to be created... +INFO Install complete! +INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/myuser/install_dir/auth/kubeconfig' +INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mycluster.example.com +INFO Login to the console with user: "kubeadmin", and password: "4vYBz-Fe5en-ymBEc-Wt6NL" +INFO Time elapsed: 1s ---- + [IMPORTANT] diff --git a/modules/installation-aws-user-infra-requirements.adoc b/modules/installation-aws-user-infra-requirements.adoc index c1db2216b1..a0706b8463 100644 --- a/modules/installation-aws-user-infra-requirements.adoc +++ b/modules/installation-aws-user-infra-requirements.adoc 
@@ -6,12 +6,20 @@ [id="installation-aws-user-infra-requirements_{context}"] = Required AWS infrastructure components -To install {product-title} on user-provisioned infrastructure in Amazon Web Services (AWS), you must manually create both the machines and their -supporting infrastructure. +To install {product-title} on user-provisioned infrastructure in Amazon Web Services (AWS), you must manually create both the machines and their supporting infrastructure. For more information about the integration testing for different platforms, see the link:https://access.redhat.com/articles/4128421[OpenShift Container Platform 4.x Tested Integrations] page. -You can use the provided Cloud Formation templates to create this infrastructure, you can manually create the components, or you can reuse existing infrastructure that meets the cluster requirements. Review the Cloud Formation templates for more details about how the components interrelate. +By using the provided CloudFormation templates, you can create stacks of AWS resources that represent the following components: + +* An AWS Virtual Private Cloud (VPC) +* Networking and load balancing components +* Security groups and roles +* An {product-title} bootstrap node +* {product-title} control plane nodes +* An {product-title} compute node + +Alternatively, you can manually create the components or you can reuse existing infrastructure that meets the cluster requirements. Review the CloudFormation templates for more details about how the components interrelate. [id="installation-aws-user-infra-cluster-machines_{context}"] == Cluster machines @@ -28,7 +36,7 @@ control plane initializes and you can access the cluster API by using the `oc` command line interface. //// -You can use the following instance types for the cluster machines with the provided Cloud Formation templates. +You can use the following instance types for the cluster machines with the provided CloudFormation templates. [IMPORTANT] 
@@ -527,7 +535,7 @@ a `AWS::EC2::SecurityGroupIngress` resource. .Roles and instance profiles You must grant the machines permissions in AWS. The provided CloudFormation -templates grant the machines permission the following `AWS::IAM::Role` objects +templates grant the machines `Allow` permissions for the following `AWS::IAM::Role` objects and provide a `AWS::IAM::InstanceProfile` for each set of roles. If you do not use the templates, you can grant the machines the following broad permissions or the following individual permissions. diff --git a/modules/installation-bootstrap-gather.adoc b/modules/installation-bootstrap-gather.adoc index 0925016196..049fd8f1a5 100644 --- a/modules/installation-bootstrap-gather.adoc +++ b/modules/installation-bootstrap-gather.adoc @@ -28,7 +28,7 @@ running cluster, use the `oc adm must-gather` command. the bootstrap and control plane machines: + -- -** If you used installer-provisioned infrastructure, run the following command: +** If you used installer-provisioned infrastructure, change to the directory that contains the installation program and run the following command: + [source,terminal] ---- @@ -41,7 +41,7 @@ For installer-provisioned infrastructure, the installation program stores information about the cluster, so you do not specify the host names or IP addresses. -** If you used infrastructure that you provisioned yourself, run the following +** If you used infrastructure that you provisioned yourself, change to the directory that contains the installation program and run the following command: + [source,terminal] diff --git a/modules/installation-configure-proxy.adoc b/modules/installation-configure-proxy.adoc index f104a12e34..4a024a8eb7 100644 --- a/modules/installation-configure-proxy.adoc +++ b/modules/installation-configure-proxy.adoc 
@@ -47,9 +47,9 @@ endif::bare-metal[] .Prerequisites -* An existing `install-config.yaml` file. +* You have an existing `install-config.yaml` file. // TODO: xref (../../installing/install_config/configuring-firewall.adoc#configuring-firewall) -* Review the sites that your cluster requires access to and determine whether any need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. Add sites to the `Proxy` object's `spec.noProxy` field to bypass the proxy if necessary. +* You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the `Proxy` object's `spec.noProxy` field to bypass the proxy if necessary. + [NOTE] ==== diff --git a/modules/installation-create-ingress-dns-records.adoc b/modules/installation-create-ingress-dns-records.adoc index 7cb92c3b8c..e8388f2ba2 100644 --- a/modules/installation-create-ingress-dns-records.adoc +++ b/modules/installation-create-ingress-dns-records.adoc @@ -12,9 +12,9 @@ You can create either a wildcard record or specific records. While the following .Prerequisites * You deployed an {product-title} cluster on Amazon Web Services (AWS) that uses infrastructure that you provisioned. -* Install the OpenShift CLI (`oc`). -* Install the `jq` package. -* Download the AWS CLI and install it on your computer. See +* You installed the OpenShift CLI (`oc`). +* You installed the `jq` package. +* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)]. .Procedure diff --git a/modules/installation-creating-aws-bootstrap.adoc b/modules/installation-creating-aws-bootstrap.adoc index add5f835e9..f6fcf85278 100644 
--- a/modules/installation-creating-aws-bootstrap.adoc +++ b/modules/installation-creating-aws-bootstrap.adoc @@ -6,9 +6,9 @@ [id="installation-creating-aws-bootstrap_{context}"] = Creating the bootstrap node in AWS -You must create the bootstrap node in Amazon Web Services (AWS) to use during -{product-title} cluster initialization. The easiest way to create this node is -to modify the provided CloudFormation template. +You must create the bootstrap node in Amazon Web Services (AWS) to use during {product-title} cluster initialization. + +You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the bootstrap node that your {product-title} installation requires. [NOTE] ==== @@ -20,11 +20,12 @@ have to contact Red Hat support with your installation logs. .Prerequisites -* Configure an AWS account. -* Generate the Ignition config files for your cluster. -* Create and configure a VPC and associated subnets in AWS. -* Create and configure DNS, load balancers, and listeners in AWS. -* Create control plane and compute roles. +* You configured an AWS account. +* You added your AWS keys and region to your local AWS profile by running `aws configure`. +* You generated the Ignition config files for your cluster. +* You created and configured a VPC and associated subnets in AWS. +* You created and configured DNS, load balancers, and listeners in AWS. +* You created the security groups and roles required for your cluster in AWS. .Procedure 
@@ -61,14 +62,15 @@ address that the bootstrap machine can reach. ---- $ aws s3 mb s3://-infra <1> ---- -<1> `-infra` is the bucket name. +<1> `-infra` is the bucket name. When creating the `install-config.yaml` file, replace `` with the name specified for the cluster. .. Upload the `bootstrap.ign` Ignition config file to the bucket: + [source,terminal] ---- -$ aws s3 cp bootstrap.ign s3://-infra/bootstrap.ign +$ aws s3 cp /bootstrap.ign s3://-infra/bootstrap.ign <1> ---- +<1> For ``, specify the path to the directory that you stored the installation files in. .. Verify that the file uploaded: + @@ -185,7 +187,7 @@ deploying the cluster to an AWS GovCloud region. section of this topic and save it as a YAML file on your computer. This template describes the bootstrap machine that your cluster requires. -. Launch the template: +. Launch the CloudFormation template to create a stack of AWS resources that represent the bootstrap node: + [IMPORTANT] ==== @@ -197,7 +199,7 @@ You must enter the command on a single line. $ aws cloudformation create-stack --stack-name <1> --template-body file://
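Review bot: The NOTE added after the approve-all `xargs oc adm certificate approve` command in modules/installation-approve-csrs.adoc has no `+` list continuation, unlike the NOTE added in the previous hunk of the same file, so it renders detached from the step it qualifies. Its wording, "Some Operators might not become available until some CSRs are approved", also does not tell the reader which requests matter. Suggest attaching it to the approval step and naming the request type, since the step above already distinguishes client and server requests.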
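Review bot: The new prerequisite `* You created the worker nodes.` in modules/installation-aws-user-infra-bootstrap.adoc drops the condition carried by the line it replaces (`If you plan to manually manage the worker machines, create the worker machines.`), so creating workers now reads as mandatory before the bootstrap sequence starts. That conflicts with the NOTE added in the next hunk of the same file, which says the control plane sets up the compute nodes after it initializes. Either keep the condition or state which installation path needs pre-created workers, and pick one of "worker nodes" and "compute nodes" for both places.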
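Review bot: The example output added to modules/installation-aws-user-infra-bootstrap.adoc is not consistent with the rest of the patch: `INFO API v1.19.0+9f84db3 up` shows a 1.19 API, while the node listing in installation-approve-csrs.adoc shows `v1.20.0`, and `INFO Time elapsed: 1s` follows waits of up to 20m0s and 30m0s. Suggest aligning the version with the other samples and using a representative duration. The same `Time elapsed: 1s` line appears in the output added to installation-aws-user-infra-installation.adoc.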
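Review bot: The example output added to modules/installation-aws-user-infra-installation.adoc contains a realistic-looking credential in the line `INFO Login to the console with user: "kubeadmin", and password: "4vYBz-Fe5en-ymBEc-Wt6NL"`. Replace the value with an obvious placeholder such as `<kubeadmin_password>`, so that it cannot be mistaken for a working password and does not trip secret scanning on the docs repository. Because this step prints the kubeadmin password to the terminal, it would also help to tell readers to treat captured output from this command as sensitive.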
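Review bot: Turning the second prerequisite in modules/installation-configure-proxy.adoc into the past tense makes `You added sites to the `Proxy` object's `spec.noProxy` field to bypass the proxy if necessary.` read as something already done before the procedure starts, yet the only other prerequisite is an existing `install-config.yaml` file and this module is where the proxy settings are configured. Suggest keeping the review of required sites as the prerequisite and moving the `spec.noProxy` sentence back into explanatory text or into the procedure.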
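Review bot: The prerequisite `* You added your AWS keys and region to your local AWS profile by running `aws configure`.`, added to modules/installation-creating-aws-bootstrap.adoc and repeated in installation-aws-user-infra-bootstrap.adoc, prescribes one way of supplying credentials: access keys written to the local profile. Readers who authenticate the AWS CLI with environment variables or temporary role credentials meet the requirement equally well. Suggest stating the outcome instead (the AWS CLI is authenticated to the target account and has a default region) and offering `aws configure` as one example.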
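Review bot: In the `@@ -61,14 +62,15 @@` hunk of modules/installation-creating-aws-bootstrap.adoc, the extended callout for the `aws s3 mb` command says "When creating the `install-config.yaml` file, replace ...", which reads as if the substitution happens in `install-config.yaml` rather than in the bucket name on the command line. Suggest wording it as replacing the placeholder with the cluster name that you specified in `install-config.yaml`. Since this step creates the bucket with no options and then copies `bootstrap.ign` into it, it is also worth stating who is expected to have read access to that object.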