mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
OSDOCS-15140: Updated HCP Install guide for migration
committed by
openshift-cherrypick-robot
parent
911434153f
commit
54b0169722
@@ -190,6 +190,12 @@ Topics:
|
||||
File: rosa-hcp-quickstart-guide
|
||||
- Name: Creating ROSA with HCP clusters using the default options
|
||||
File: rosa-hcp-sts-creating-a-cluster-quickly
|
||||
- Name: Creating a ROSA cluster using Terraform
|
||||
Dir: terraform
|
||||
Distros: openshift-rosa-hcp
|
||||
Topics:
|
||||
- Name: Creating a default ROSA cluster using Terraform
|
||||
File: rosa-hcp-creating-a-cluster-quickly-terraform
|
||||
- Name: Creating ROSA with HCP clusters using a custom AWS KMS encryption key
|
||||
File: rosa-hcp-creating-cluster-with-aws-kms-key
|
||||
- Name: Creating a private cluster on ROSA with HCP
|
||||
@@ -198,6 +204,8 @@ Topics:
|
||||
File: rosa-hcp-egress-zero-install
|
||||
- Name: Creating a ROSA with HCP cluster that uses direct authentication with an external OIDC identity provider
|
||||
File: rosa-hcp-sts-creating-a-cluster-ext-auth
|
||||
- Name: Deleting a ROSA with HCP cluster
|
||||
File: rosa-hcp-deleting-cluster
|
||||
---
|
||||
Name: Web console
|
||||
Dir: web_console
|
||||
|
||||
@@ -17,17 +17,17 @@ endif::[]
|
||||
|
||||
This section provides steps to delete the account-wide IAM roles and policies that you created for
|
||||
ifdef::sts[]
|
||||
ROSA with STS
|
||||
{rosa-classic-short} with STS
|
||||
endif::sts[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the
|
||||
ifdef::sts[]
|
||||
{product-title} (ROSA) with AWS Security Token Services (STS)
|
||||
{rosa-classic-short} with AWS Security Token Services (STS)
|
||||
endif::sts[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
clusters that depend on them.
|
||||
|
||||
@@ -35,12 +35,12 @@ clusters that depend on them.
|
||||
====
|
||||
The account-wide IAM roles and policies might be used by other
|
||||
ifdef::sts[]
|
||||
ROSA clusters
|
||||
{rosa-classic-short}
|
||||
endif::sts[]
|
||||
ifdef::hcp[]
|
||||
{product-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
in the same AWS account. Only remove the roles if they are not required by other clusters.
|
||||
clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
|
||||
====
|
||||
|
||||
.Prerequisites
|
||||
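Review bot: The last sentence of this IMPORTANT block still says "Only remove the roles" although the block opens with "The account-wide IAM roles and policies", so the warning does not cover the policies. Suggest "Only remove the roles and policies if they are not required by other clusters", since the block exists to stop readers from deleting IAM resources that other clusters in the account still use.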
@@ -109,7 +109,7 @@ I: Successfully deleted the hosted CP account roles
|
||||
----
|
||||
endif::hcp[]
|
||||
+
|
||||
. Delete the account-wide in-line and Operator policies:
|
||||
. Delete the account-wide and Operator policies:
|
||||
.. Under the *Policies* page in the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console], filter the list of policies by the prefix that you specified when you created the account-wide roles and policies.
|
||||
+
|
||||
[NOTE]
|
||||
@@ -117,16 +117,16 @@ endif::hcp[]
|
||||
If you did not specify a custom prefix when you created the account-wide roles, search for the default prefix, `ManagedOpenShift`.
|
||||
====
|
||||
+
|
||||
.. Delete the account-wide in-line policies and Operator policies by using the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console]. For more information about deleting IAM policies by using the AWS IAM Console, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-delete.html[Deleting IAM policies] in the AWS documentation.
|
||||
.. Delete the account-wide policies and Operator policies by using the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console]. For more information about deleting IAM policies by using the AWS IAM Console, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-delete.html[Deleting IAM policies] in the AWS documentation.
|
||||
+
|
||||
[IMPORTANT]
|
||||
====
|
||||
The account-wide in-line and Operator IAM policies might be used by other
|
||||
The account-wide and Operator IAM policies might be used by other
|
||||
ifdef::sts[]
|
||||
ROSA clusters
|
||||
{rosa-classic-short}
|
||||
endif::sts[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
in the same AWS account. Only remove the roles if they are not required by other clusters.
|
||||
clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
|
||||
====
|
||||
|
||||
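Review bot: In the IMPORTANT block at the end of this hunk the subject is "The account-wide and Operator IAM policies", but the instruction is "Only remove the roles if they are not required by other clusters"; it should say "policies". The NOTE at the top of the hunk also names only `ManagedOpenShift` as the default prefix to filter on, while the `rosa delete account-roles` callout in this same commit lists `HCP-ROSA` or `ManagedOpenShift`; for the `hcp` build the NOTE should mention both so readers do not miss policies under the other prefix.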
@@ -16,16 +16,16 @@ ifndef::hcp[]
|
||||
{product-title} (ROSA) with AWS Security Token Services (STS)
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title-first}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
clusters that depend on the account-wide AWS Identity and Access Management (IAM) resources, you can delete the account-wide resources.
|
||||
|
||||
If you no longer need to install a
|
||||
ifndef::hcp[]
|
||||
ROSA with STS
|
||||
{rosa-classic-short} with STS
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
cluster by using {cluster-manager-first}, you can also delete the {cluster-manager} and user IAM roles.
|
||||
|
||||
@@ -33,26 +33,26 @@ cluster by using {cluster-manager-first}, you can also delete the {cluster-manag
|
||||
====
|
||||
The account-wide IAM roles and policies might be used by other
|
||||
ifndef::hcp[]
|
||||
ROSA
|
||||
{rosa-classic-short}
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
clusters in the same AWS account. Only remove the resources if they are not required by other clusters.
|
||||
|
||||
The {cluster-manager} and user IAM roles are required if you want to install, manage, and delete other
|
||||
ifndef::hcp[]
|
||||
ROSA
|
||||
{rosa-classic-short}
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{product-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
clusters in the same AWS account by using {cluster-manager}. Only remove the roles if you no longer need to install
|
||||
ifndef::hcp[]
|
||||
ROSA
|
||||
{rosa-classic-short}
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{product-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
clusters in your account by using {cluster-manager}. For more information about repairing your cluster if these roles are removed before deletion, see "Repairing a cluster that cannot be deleted" in _Troubleshooting cluster deployments_.
|
||||
====
|
||||
@@ -2,10 +2,7 @@
|
||||
//
|
||||
// * rosa_getting_started/rosa-getting-started.adoc
|
||||
// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-getting-started-deleting-a-cluster_{context}"]
|
||||
= Deleting a ROSA cluster and the AWS STS resources
|
||||
// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
|
||||
|
||||
ifeval::["{context}" == "rosa-getting-started"]
|
||||
:getting-started:
|
||||
@@ -13,25 +10,41 @@ endif::[]
|
||||
ifeval::["{context}" == "rosa-quickstart"]
|
||||
:quickstart:
|
||||
endif::[]
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-getting-started-deleting-a-cluster_{context}"]
|
||||
|
||||
ifdef::openshift-rosa[]
|
||||
= Deleting a {rosa-classic-short} cluster and the AWS IAM STS resources
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
= Deleting a {rosa-short} cluster and the AWS IAM STS resources
|
||||
endif::openshift-rosa-hcp[]
|
||||
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
You can delete a ROSA cluster by using the {product-title} (ROSA) CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console.
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
You can delete a ROSA cluster that uses the AWS Security Token Service (STS) by using the {product-title} (ROSA) CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console.
|
||||
You can delete a {rosa-short} cluster by using the ROSA CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide and Operator policies, you can use the AWS IAM Console or the AWS CLI.
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
You can delete a {rosa-classic-short} cluster that uses the AWS Security Token Service (STS) by using the ROSA CLI, `rosa`. You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console or the AWS CLI.
|
||||
endif::openshift-rosa[]
|
||||
|
||||
[IMPORTANT]
|
||||
====
|
||||
Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
|
||||
Account-wide IAM roles and policies might be used by other
|
||||
ifdef::openshift-rosa[]
|
||||
{rosa-classic-short}
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{rosa-short}
|
||||
endif::openshift-rosa-hcp[]
|
||||
clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
|
||||
====
|
||||
|
||||
ifdef::getting-started[]
|
||||
.Prerequisites
|
||||
|
||||
* You installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your workstation.
|
||||
* You installed and configured the latest ROSA CLI, `rosa`, on your workstation.
|
||||
* You logged in to your Red{nbsp}Hat account using the ROSA CLI (`rosa`).
|
||||
* You created a ROSA cluster.
|
||||
* You created a {rosa-classic} cluster.
|
||||
endif::[]
|
||||
|
||||
.Procedure
|
||||
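Review bot: The prerequisite "You created a {rosa-classic} cluster." is not wrapped in a distro conditional, unlike the title, intro and IMPORTANT block in this hunk, and it uses `{rosa-classic}` where the rest of the patch uses `{rosa-classic-short}`. The module header now lists `rosa_hcp/rosa-hcp-quickstart-guide.adoc`, so give the prerequisite the same `ifdef::openshift-rosa[]` / `ifdef::openshift-rosa-hcp[]` pair. The two intro paragraphs also disagree: the {rosa-short} one says "account-wide and Operator policies" while the {rosa-classic-short} one keeps "account-wide inline and Operator policies".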
@@ -45,10 +58,10 @@ $ rosa delete cluster --cluster=<cluster_name> --watch
|
||||
+
|
||||
[IMPORTANT]
|
||||
====
|
||||
You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate.
|
||||
You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate with AWS APIs.
|
||||
====
|
||||
|
||||
. Delete the OIDC provider that the cluster Operators use to authenticate:
|
||||
. After the cluster is deleted, delete the OIDC provider that the cluster Operators use to authenticate:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
@@ -80,24 +93,24 @@ Account-wide IAM roles and policies might be used by other ROSA clusters in the
|
||||
----
|
||||
$ rosa delete account-roles --prefix <prefix> --mode auto <1>
|
||||
----
|
||||
<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
|
||||
<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, depending on how they were created, `HCP-ROSA` or `ManagedOpenShift`.
|
||||
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
. Delete the account-wide inline and Operator IAM policies that you created for ROSA deployments:
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
. Delete the account-wide inline and Operator IAM policies that you created for ROSA deployments that use STS:
|
||||
. Delete the account-wide and Operator IAM policies that you created for {rosa-short} deployments:
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
. Delete the account-wide and Operator IAM policies that you created for {rosa-classic-short} deployments that use STS:
|
||||
endif::openshift-rosa[]
|
||||
+
|
||||
.. Log in to the link:https://console.aws.amazon.com/iamv2/home#/home[AWS IAM Console].
|
||||
.. Navigate to *Access management* -> *Policies* and select the checkbox for one of the account-wide policies.
|
||||
.. With the policy selected, click on *Actions* -> *Delete* to open the delete policy dialog.
|
||||
.. Enter the policy name to confirm the deletion and select *Delete* to delete the policy.
|
||||
.. Repeat this step to delete each of the account-wide inline and Operator policies for the cluster.
|
||||
.. Repeat this step to delete each of the account-wide and Operator policies for the cluster.
|
||||
|
||||
ifeval::["{context}" == "rosa-getting-started"]
|
||||
:getting-started:
|
||||
:!getting-started:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "rosa-quickstart"]
|
||||
:quickstart:
|
||||
:!quickstart:
|
||||
endif::[]
|
||||
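Review bot: Callout <1> says "You must include the `--<prefix>` argument", but the command it annotates is `rosa delete account-roles --prefix <prefix> --mode auto`, so the flag should read `--prefix`. The new tail "specify the default prefix, depending on how they were created, `HCP-ROSA` or `ManagedOpenShift`" would also be clearer if it said which creation path produces which default, because the prefix decides which set of account-wide roles the command deletes.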
@@ -7,7 +7,14 @@
|
||||
[id="rosa-getting-started-verifying-rosa-prerequisites_{context}"]
|
||||
= Verifying ROSA prerequisites
|
||||
|
||||
Use the steps in this procedure to enable {product-title} (ROSA) in your AWS account.
|
||||
Use the steps in this procedure to enable
|
||||
ifdef::openshift-rosa[]
|
||||
{rosa-classic-short}
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{rosa-short}
|
||||
endif::openshift-rosa-hcp[]
|
||||
in your AWS account.
|
||||
|
||||
.Prerequisites
|
||||
|
||||
|
||||
@@ -2,11 +2,19 @@
|
||||
//
|
||||
// * rosa_getting_started/rosa-getting-started.adoc
|
||||
// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
|
||||
// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
|
||||
|
||||
[id="rosa-getting-started-environment-setup_{context}"]
|
||||
= Setting up the environment
|
||||
|
||||
Before you create a {product-title} (ROSA) cluster, you must set up your environment by completing the following tasks:
|
||||
Before you create a
|
||||
ifdef::openshift-rosa[]
|
||||
{rosa-classic-short}
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{rosa-short}
|
||||
endif::openshift-rosa-hcp[]
|
||||
cluster, you must set up your environment by completing the following tasks:
|
||||
|
||||
* Verify ROSA prerequisites against your AWS and Red{nbsp}Hat accounts.
|
||||
* Install and configure the required command-line interface (CLI) tools.
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
//
|
||||
// * rosa_getting_started/rosa-getting-started.adoc
|
||||
// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
|
||||
// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
|
||||
// * rosa_planning/rosa-sts-setting-up-environment.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-getting-started-install-configure-cli-tools_{context}"]
|
||||
@@ -19,8 +21,6 @@ Several command-line interface (CLI) tools are required to deploy and work with
|
||||
. Log in to your Red{nbsp}Hat and AWS accounts to access the download page for each required tool.
|
||||
.. Log in to your Red{nbsp}Hat account at link:https://console.redhat.com[console.redhat.com].
|
||||
.. Log in to your AWS account at link:https://aws.amazon.com[aws.amazon.com].
|
||||
|
||||
//This should be a separate module
|
||||
. Install and configure the latest AWS CLI (`aws`).
|
||||
.. Install the AWS CLI by following the link:https://aws.amazon.com/cli/[AWS Command Line Interface] documentation appropriate for your workstation.
|
||||
.. Configure the AWS CLI by specifying your `aws_access_key_id`, `aws_secret_access_key`, and `region` in the `.aws/credentials` file. For more information, see link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html[AWS Configuration basics] in the AWS documentation.
|
||||
@@ -41,8 +41,7 @@ $ aws sts get-caller-identity --output text
|
||||
----
|
||||
<aws_account_id> arn:aws:iam::<aws_account_id>:user/<username> <aws_user_id>
|
||||
----
|
||||
|
||||
//This should be a separate module
|
||||
+
|
||||
. Install and configure the latest ROSA CLI (`rosa`).
|
||||
.. Navigate to link:https://console.redhat.com/openshift/downloads[*Downloads*].
|
||||
.. Find *Red Hat OpenShift Service on AWS command line interface (`rosa)* in the list of tools and click *Download*.
|
||||
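Review bot: The context line "Find *Red Hat OpenShift Service on AWS command line interface (`rosa)* in the list of tools" has an unclosed backtick after "rosa", which breaks the monospace and bold markup. Since this hunk already touches the step, close the backtick before the parenthesis.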
@@ -92,8 +91,6 @@ Your ROSA CLI is up to date.
|
||||
// For steps to configure `rosa` tab completion for different shell types, see the help menu by running `rosa completion --help`.
|
||||
// ====
|
||||
// endif::[]
|
||||
|
||||
//The following should probably also be a separate module
|
||||
. Log in to the ROSA CLI using an offline access token.
|
||||
.. Run the login command:
|
||||
+
|
||||
@@ -121,7 +118,6 @@ To login to your Red Hat account, get an offline access token at https://console
|
||||
====
|
||||
In the future you can specify the offline access token by using the `--token="<offline_access_token>"` argument when you run the `rosa login` command.
|
||||
====
|
||||
|
||||
.. Verify that you are logged in and confirm that your credentials are correct before proceeding:
|
||||
+
|
||||
[source,terminal]
|
||||
@@ -144,8 +140,6 @@ OCM Organization ID: <org_id>
|
||||
OCM Organization Name: Your organization
|
||||
OCM Organization External ID: <external_org_id>
|
||||
----
|
||||
|
||||
//This should be a separate module
|
||||
. Install and configure the latest OpenShift CLI (`oc`).
|
||||
.. Use the ROSA CLI to download the `oc` CLI.
|
||||
+
|
||||
|
||||
@@ -10,11 +10,11 @@ ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
|
||||
endif::[]
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-hcp-create-network_{context}"]
|
||||
= Creating a Virtual Private Cloud using the ROSA CLI
|
||||
= Creating an AWS VPC using the ROSA CLI
|
||||
|
||||
The `rosa create network` command is available in v.1.2.48 or later of the ROSA command-line interface (CLI). The command uses AWS CloudFormation to create a VPC and the other networking components used to install a ROSA cluster. CloudFormation is a native AWS infrastructure-as-code tool and is compatible with the AWS CLI.
|
||||
The `rosa create network` command is available in v.1.2.48 or later of the ROSA command-line interface (CLI). The command uses AWS CloudFormation to create a VPC and associated networking components necessary to install a {rosa-short} cluster. CloudFormation is a native AWS infrastructure-as-code tool and is compatible with the AWS CLI.
|
||||
|
||||
If you do not specify a template, CloudFormation uses a default template that creates the following parameters:
|
||||
If you do not specify a template, CloudFormation uses a default template that creates resources with the following parameters:
|
||||
|
||||
[cols="2a,3a",options="header"]
|
||||
|===
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
[id="rosa-hcp-deleting-cluster_{context}"]
|
||||
= Deleting a {hcp-title} cluster and the cluster-specific IAM resources
|
||||
|
||||
You can delete a {hcp-title} cluster by using the ROSA command-line interface (CLI) (`rosa`) or {cluster-manager-first}.
|
||||
You can delete a {rosa-short} cluster by using the ROSA command-line interface (CLI) (`rosa`) or {cluster-manager-first}.
|
||||
|
||||
After deleting the cluster, you can clean up the cluster-specific Identity and Access Management (IAM) resources in your AWS account by using the ROSA CLI. The cluster-specific resources include the Operator roles and the OpenID Connect (OIDC) provider.
|
||||
|
||||
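Review bot: The module title "= Deleting a {hcp-title} cluster and the cluster-specific IAM resources" is left on `{hcp-title}` while the first paragraph under it moves to `{rosa-short}`. Update the title in the same change so the heading and body name the product the same way.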
@@ -19,7 +19,7 @@ If add-ons are installed, the cluster deletion takes longer because add-ons are
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* You have installed a {hcp-title} cluster.
|
||||
* You have installed a {rosa-short} cluster.
|
||||
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
|
||||
|
||||
.Procedure
|
||||
|
||||
@@ -6,11 +6,11 @@
|
||||
[id="rosa-hcp-sts-creating-a-cluster-cli_{context}-no-cni"]
|
||||
= Creating the cluster
|
||||
|
||||
When using the {product-title} (ROSA) command-line interface (CLI), `rosa`, to create a cluster, you can add an optional flag `--no-cni` to create a cluster without a CNI plugin.
|
||||
When using the {rosa-short} command-line interface (CLI), `rosa`, to create a cluster, you can add an optional flag `--no-cni` to create a cluster without a CNI plugin.
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* You have completed the AWS prerequisites for {hcp-title}.
|
||||
* You have completed the AWS prerequisites for {rosa-short}.
|
||||
* You have available AWS service quotas.
|
||||
* You have enabled the ROSA service in the AWS Console.
|
||||
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
|
||||
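Review bot: The intro now reads "the {rosa-short} command-line interface (CLI), `rosa`", which applies the product attribute to the CLI; the other modules in this commit use "the ROSA CLI, `rosa`" for the same sentence. Use that wording here as well.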
@@ -20,11 +20,11 @@ When using the {product-title} (ROSA) command-line interface (CLI), `rosa`, to c
|
||||
|
||||
.Procedure
|
||||
|
||||
. You can create your {hcp-title} cluster with one of the following commands.
|
||||
. You can create your {rosa-short} cluster with one of the following commands.
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
When creating a {hcp-title} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr <address_block>` to the following commands. To learn more about the default CIDR ranges for {product-title}, see xref:../networking/networking_overview/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions].
|
||||
When creating a {rosa-short} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr <address_block>` to the following commands.
|
||||
====
|
||||
+
|
||||
** Create a cluster with a single, initial machine pool, publicly available API, publicly available Ingress, and no CNI plugin by running the following command:
|
||||
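Review bot: The NOTE about the default machine CIDR `10.0.0.0/16` drops the pointer to CIDR range definitions here, while the same NOTE in the "Creating a {rosa-short} cluster using the CLI" module keeps "see CIDR range definitions". If the xref was removed because the target does not resolve in this distro, say so in the commit message; otherwise keep a plain-text reference so readers who set `--machine-cidr` can find the documented ranges.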
@@ -85,4 +85,4 @@ $ rosa logs install --cluster=<cluster_name> --watch <1>
|
||||
|
||||
[id="rosa-hcp-no-cni-expected-behavior_{context}"]
|
||||
== Expected behavior for clusters without a CNI plugin
|
||||
Although {hcp-title} cluster installation is complete, the cluster cannot operate without a CNI plugin. Because the nodes are not ready, the workloads cannot deploy. For example, the {product-title} cluster web console is not available, so you must use the {oc-first} to log in to the cluster. Additionally, other OpenShift components such as the HAProxy-based Ingress Controller, image registry, and prometheus-based monitoring stack are not running. This is expected behavior until you install a CNI provider.
|
||||
Although {rosa-short} cluster installation is complete, the cluster cannot operate without a CNI plugin. Because the nodes are not ready, the workloads cannot deploy. For example, the {product-title} cluster web console is not available, so you must use the {oc-first} to log in to the cluster. Additionally, other OpenShift components such as the HAProxy-based Ingress Controller, image registry, and prometheus-based monitoring stack are not running. This is expected behavior until you install a CNI provider.
|
||||
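Review bot: Only the first `{hcp-title}` in this paragraph was replaced; the next sentence still says "the {product-title} cluster web console is not available". Check whether `{product-title}` is intended there or should also become `{rosa-short}`.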
@@ -1,16 +1,17 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
|
||||
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-hcp-sts-creating-a-cluster-cli_{context}"]
|
||||
= Creating a {hcp-title} cluster using the CLI
|
||||
= Creating a {rosa-short} cluster using the CLI
|
||||
|
||||
When using the {product-title} (ROSA) CLI, `rosa`, to create a cluster, you can select the default options to create the cluster quickly.
|
||||
When using the ROSA CLI, `rosa`, to create a cluster, you can select the default options to create the cluster quickly.
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* You have completed the AWS prerequisites for {hcp-title}.
|
||||
* You have completed the AWS prerequisites for {rosa-short}.
|
||||
* You have available AWS service quotas.
|
||||
* You have enabled the ROSA service in the AWS Console.
|
||||
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
|
||||
@@ -28,11 +29,11 @@ When using the {product-title} (ROSA) CLI, `rosa`, to create a cluster, you can
|
||||
//REGION="<region>"
|
||||
//----
|
||||
|
||||
. Use one of the following commands to create your {hcp-title} cluster:
|
||||
. Use one of the following commands to create your {rosa-short} cluster:
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
When creating a {hcp-title} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr <address_block>` to the following commands. To learn more about the default CIDR ranges for {product-title}, see CIDR range definitions.
|
||||
When creating a {rosa-short} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr <address_block>` to the following commands. To learn more about the default CIDR ranges for {rosa-short}, see CIDR range definitions.
|
||||
====
|
||||
+
|
||||
* If you did not set environmental variables, run the following command:
|
||||
@@ -49,7 +50,7 @@ $ rosa create cluster --cluster-name=<cluster_name> \ <1>
|
||||
+
|
||||
--
|
||||
<1> Specify the name of your cluster. If your cluster name is longer than 15 characters, it will contain an autogenerated domain prefix as a subdomain for your provisioned cluster on openshiftapps.com. To customize the subdomain, use the `--domain-prefix` flag. The domain prefix cannot be longer than 15 characters, must be unique, and cannot be changed after cluster creation.
|
||||
<2> Optional: The `--private` argument is used to create private {hcp-title} clusters. If you use this argument, ensure that you only use your private subnet ID for `--subnet-ids`.
|
||||
<2> Optional: The `--private` argument is used to create private {rosa-short} clusters. If you use this argument, ensure that you only use your private subnet ID for `--subnet-ids`.
|
||||
<3> By default, the cluster-specific Operator role names are prefixed with the cluster name and a random 4-digit hash. You can optionally specify a custom prefix to replace `<cluster_name>-<hash>` in the role names. The prefix is applied when you create the cluster-specific Operator IAM roles. For information about the prefix, see _About custom Operator IAM role prefixes_.
|
||||
+
|
||||
[NOTE]
|
||||
@@ -97,7 +98,7 @@ The following `State` field changes are listed in the output as the cluster inst
|
||||
If the installation fails or the `State` field does not change to `ready` after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
|
||||
====
|
||||
+
|
||||
. Track the progress of the cluster creation by watching the {product-title} installation program logs. To check the logs, run the following command:
|
||||
. Track the progress of the cluster creation by watching the {rosa-short} installation program logs. To check the logs, run the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
|
||||
@@ -6,11 +6,11 @@
|
||||
[id="rosa-hcp-sts-creating-a-cluster-egress-lockdown-cli_{context}"]
|
||||
= Creating {egress-zero-title} using the CLI
|
||||
|
||||
When using the {product-title} (ROSA) command-line interface (CLI), `rosa`, to create a cluster, you can select the default options to create the cluster quickly.
|
||||
When using the ROSA CLI, `rosa`, to create a cluster, you can select the default options to create the cluster quickly.
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* You have completed the AWS prerequisites for {hcp-title}.
|
||||
* You have completed the AWS prerequisites for {rosa-short}.
|
||||
* You have available AWS service quotas.
|
||||
* You have enabled the ROSA service in the AWS Console.
|
||||
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
|
||||
@@ -20,7 +20,7 @@ When using the {product-title} (ROSA) command-line interface (CLI), `rosa`, to c
|
||||
|
||||
.Procedure
|
||||
|
||||
. Use one of the following commands to create your {hcp-title} cluster:
|
||||
. Use one of the following commands to create your {rosa-short} cluster:
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
@@ -84,7 +84,7 @@ The following `State` field changes are listed in the output as cluster installa
|
||||
If the installation fails or the `State` field does not change to `ready` after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red{nbsp}Hat Support for assistance, see _Getting support for Red{nbsp}Hat OpenShift Service on AWS_.
|
||||
====
|
||||
+
|
||||
. Track the cluster creation progress by watching the {product-title} installation program logs. To check the logs, run the following command:
|
||||
. Track the cluster creation progress by watching the {rosa-short} installation program logs. To check the logs, run the following command:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
|
||||
@@ -8,9 +8,9 @@ endif::[]
|
||||
|
||||
:_mod-docs-content-type: PREFERENCE
|
||||
[id="rosa-hcp-vpc-manual_{context}"]
|
||||
= Creating a Virtual Private Cloud manually
|
||||
= Creating an AWS Virtual Private Cloud manually
|
||||
|
||||
If you choose to manually create your Virtual Private Cloud (VPC) instead of using Terraform, go to link:https://us-east-1.console.aws.amazon.com/vpc/[the VPC page in the AWS console].
|
||||
If you choose to manually create your AWS Virtual Private Cloud (VPC) instead of using Terraform, go to link:https://us-east-1.console.aws.amazon.com/vpc/[the VPC page in the AWS console].
|
||||
|
||||
include::snippets/rosa-existing-vpc-requirements.adoc[leveloffset=+0]
|
||||
|
||||
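Review bot: The context line `:_mod-docs-content-type: PREFERENCE` looks like a typo for `REFERENCE`; the other modules visible in this commit that set the attribute use `PROCEDURE`. Worth correcting while the title and first sentence of this module are being edited.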
@@ -19,7 +19,7 @@ ifdef::rosa-egress-lockdown[]
|
||||
[id="rosa-hcp-vpc-subnet-tagging-manual_{context}"]
|
||||
== Tagging your subnets
|
||||
|
||||
Before you can use your VPC to create a {hcp-title} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly. The following table shows how to tag your resources:
|
||||
Before you can use your VPC to create a {rosa-short} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly. The following table shows how to tag your resources:
|
||||
|
||||
[cols="3a,8a,8a", options="header"]
|
||||
|===
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
[id="rosa-hcp-vpc-subnet-tagging_{context}"]
|
||||
= Tagging your subnets
|
||||
|
||||
Before you can use your VPC to create a {hcp-title} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly before you can use these resources. The following table shows how your resources should be tagged as the following:
|
||||
Before you can use your VPC to create a {rosa-short} cluster, you must tag your VPC subnets. Automated service preflight checks verify that these resources are tagged correctly before you can use these resources for a cluster. The following table shows how your resources should be tagged:
|
||||
|
||||
[cols="3a,8a,8a", options="header"]
|
||||
|===
|
||||
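Review bot: the rewritten intro still ends its second sentence with "before you can use these resources for a cluster" right after a sentence that opens with "Before you can use your VPC", and it now differs from the same paragraph under `rosa-hcp-vpc-subnet-tagging-manual`, which stops at "tagged correctly. The following table shows how to tag your resources:". Reuse that wording here so the two copies do not drift.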
@@ -15,17 +15,17 @@ Before you can use your VPC to create a {hcp-title} cluster, you must tag your V
|
||||
|
||||
| Public subnet
|
||||
| `kubernetes.io/role/elb`
|
||||
| `1` or no value
|
||||
| `1` (or no value)
|
||||
|
||||
| Private subnet
|
||||
| `kubernetes.io/role/internal-elb`
|
||||
| `1` or no value
|
||||
| `1` (or no value)
|
||||
|
||||
|===
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
You must tag at least one private subnet and, if applicable, and one public subnet.
|
||||
You must tag at least one private subnet and, if applicable, one public subnet.
|
||||
====
|
||||
|
||||
.Prerequisites
|
||||
|
||||
@@ -7,17 +7,26 @@
|
||||
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
|
||||
// * rosa_planning/rosa-hcp-prepare-iam-resources.adoc
|
||||
|
||||
ifeval::["{context}" == "rosa-hcp-cluster-no-cni"]
|
||||
:hcp:
|
||||
endif::[]
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-sts-byo-oidc_{context}"]
|
||||
= Creating an OpenID Connect configuration
|
||||
|
||||
When using a
|
||||
When creating a
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{rosa-short}
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
ifdef::hcp[]
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
ifndef::hcp[]
|
||||
{rosa-classic-short}
|
||||
endif::openshift-rosa-hcp[]
|
||||
endif::hcp[]
|
||||
endif::openshift-rosa[]
|
||||
cluster, you can create the OpenID Connect (OIDC) configuration prior to creating your cluster. This configuration is registered to be used with OpenShift Cluster Manager.
|
||||
|
||||
.Prerequisites
|
||||
@@ -25,9 +34,15 @@ cluster, you can create the OpenID Connect (OIDC) configuration prior to creatin
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
* You have completed the AWS prerequisites for {rosa-short}.
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
* You have completed the AWS prerequisites for {rosa-classic-short}.
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
* You have completed the AWS prerequisites for
|
||||
ifdef::hcp[]
|
||||
{rosa-short}.
|
||||
endif::hcp[]
|
||||
ifndef::hcp[]
|
||||
{rosa-classic-short}.
|
||||
endif::hcp[]
|
||||
endif::openshift-rosa[]
|
||||
* You have installed and configured the latest ROSA CLI, `rosa`, on your installation host.
|
||||
|
||||
.Procedure
|
||||
@@ -97,5 +112,8 @@ $ rosa list oidc-config
|
||||
ID MANAGED ISSUER URL SECRET ARN
|
||||
2330dbs0n8m3chkkr25gkkcd8pnj3lk2 true https://dvbwgdztaeq9o.cloudfront.net/2330dbs0n8m3chkkr25gkkcd8pnj3lk2
|
||||
233hvnrjoqu14jltk6lhbhf2tj11f8un false https://oidc-r7u1.s3.us-east-1.amazonaws.com aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN
|
||||
|
||||
----
|
||||
|
||||
ifeval::["{context}" == "rosa-hcp-cluster-no-cni"]
|
||||
:!hcp:
|
||||
endif::[]
|
||||
@@ -1,16 +1,27 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * rosa_install_access_delete_clusters/rosa-classic-creating-a-cluster-quickly-terraform.adoc
|
||||
// * rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc
|
||||
// * rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc
|
||||
//
|
||||
ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
|
||||
:tf-defaults:
|
||||
:tf-classic-defaults:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
|
||||
:tf-hcp-defaults:
|
||||
endif::[]
|
||||
:_content-type: PROCEDURE
|
||||
|
||||
[id="rosa-sts-cluster-terraform-setup_{context}"]
|
||||
= Preparing your environment for Terraform
|
||||
|
||||
Before you can create your {product-title} cluster by using Terraform, you need to export your link:https://console.redhat.com/openshift/token[offline {cluster-manager-first} token].
|
||||
Before you can create your
|
||||
ifdef::tf-classic-defaults[]
|
||||
{rosa-classic-short}
|
||||
endif::tf-classic-defaults[]
|
||||
ifdef::tf-hcp-defaults[]
|
||||
{rosa-short}
|
||||
endif::tf-hcp-defaults[]
|
||||
cluster by using Terraform, you need to export your link:https://console.redhat.com/openshift/token[offline {cluster-manager-first} token].
|
||||
|
||||
.Procedure
|
||||
. *Optional*: Because the Terraform files get created in your current directory during this procedure, you can create a new directory to store these files and navigate into it by running the following command:
|
||||
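Review bot: this module still declares `:_content-type: PROCEDURE` while the other modules in this patch use `:_mod-docs-content-type:`; rename the attribute while the header is being edited. The new intro also renders as "Before you can create your cluster" with no product name when neither `tf-classic-defaults` nor `tf-hcp-defaults` is set, so any further assembly that includes this module needs its own `ifeval` block.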
@@ -44,5 +55,8 @@ $ echo $RHCS_TOKEN
|
||||
----
|
||||
|
||||
ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
|
||||
:tf-defaults:
|
||||
:!tf-classic-defaults:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
|
||||
:!tf-hcp-defaults:
|
||||
endif::[]
|
||||
|
||||
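Review bot: the hunk header shows that the procedure above this cleanup block runs `$ echo $RHCS_TOKEN`, which prints the offline token in clear text to the terminal, where it can end up in scrollback, screen shares, or session logs. Consider replacing that check with one that only confirms the variable is set, without displaying its value.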
@@ -1,7 +1,8 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
|
||||
// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
|
||||
// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
|
||||
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="rosa-sts-creating-account-wide-sts-roles-and-policies_{context}"]
|
||||
@@ -14,7 +15,14 @@ ifeval::["{context}" == "rosa-quickstart"]
|
||||
:quickstart:
|
||||
endif::[]
|
||||
|
||||
Before using the {cluster-manager-first} {hybrid-console-second} to create {product-title} (ROSA) clusters that use the AWS Security Token Service (STS), create the required account-wide STS roles and policies, including the Operator policies.
|
||||
Before using the {hybrid-console} to create
|
||||
ifdef::openshift-rosa[]
|
||||
{rosa-classic-short}
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{rosa-short}
|
||||
endif::openshift-rosa-hcp[]
|
||||
clusters that use the AWS Security Token Service (STS), create the required account-wide STS roles and policies, including the Operator policies.
|
||||
|
||||
ifdef::quick-install[]
|
||||
.Prerequisites
|
||||
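Review bot: the product name in the new intro is selected only by the distro attributes, so when this module is included from `rosa_hcp/rosa-hcp-quickstart-guide.adoc` (listed in the module header) in an `openshift-rosa` build, the sentence reads `{rosa-classic-short}`. The OIDC and default-specifications modules in this patch nest `ifdef::hcp[]` or `ifdef::hcp-quickstart,hcp[]` inside `ifdef::openshift-rosa[]` for that case; do the same here.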
@@ -37,11 +45,19 @@ $ rosa list account-roles
|
||||
----
|
||||
endif::[]
|
||||
|
||||
. If they do not exist in your AWS account, create the required account-wide STS roles and policies:
|
||||
. If they do not exist in your AWS account, create the required account-wide AWS IAM STS roles and policies:
|
||||
+
|
||||
ifdef::openshift-rosa[]
|
||||
[source,terminal]
|
||||
----
|
||||
$ rosa create account-roles
|
||||
----
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
[source,terminal]
|
||||
----
|
||||
$ rosa create account-roles --hosted-cp
|
||||
----
|
||||
endif::openshift-rosa-hcp[]
|
||||
+
|
||||
Select the default values at the prompts to quickly create the roles and policies.
|
||||
|
||||
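Review bot: the two command blocks are selected only by `openshift-rosa` and `openshift-rosa-hcp`, so an HCP assembly built under `openshift-rosa` shows `$ rosa create account-roles` without `--hosted-cp`, and a build with neither attribute set leaves the step with no command before "Select the default values at the prompts". Gate the HCP command on an HCP attribute as the other modules in this patch do, or add a fallback.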
@@ -1,8 +1,11 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
|
||||
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
|
||||
// * rosa_getting_started/rosa-quickstart-guide-ui.adoc
|
||||
// * rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc
|
||||
// * rosa_hcp/rosa-hcp-quickstart-guide.adoc
|
||||
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
|
||||
// * rosa_install_access_delete_clusters/terraform/rosa-classic-creating-a-cluster-quickly-terraform.adoc
|
||||
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
|
||||
|
||||
ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"]
|
||||
:tf-classic:
|
||||
@@ -10,8 +13,11 @@ endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
|
||||
:tf-hcp:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-quickstart-guide"]
|
||||
:hcp-quickstart:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-sts-creating-a-cluster-quickly"]
|
||||
:hcp-rosa:
|
||||
:hcp:
|
||||
endif::[]
|
||||
|
||||
:_mod-docs-content-type: CONCEPT
|
||||
@@ -21,17 +27,22 @@ endif::[]
|
||||
ifndef::tf-classic,tf-hcp[]
|
||||
You can quickly create a
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{product-title} cluster by using the default installation options.
|
||||
{rosa-title} cluster by using the default installation options.
|
||||
endif::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
ifdef::hcp-quickstart,hcp[]
|
||||
{rosa-title} cluster by using the default installation options.
|
||||
endif::hcp-quickstart,hcp[]
|
||||
ifndef::hcp-quickstart,hcp[]
|
||||
{product-title} (ROSA) cluster with the {sts-first} by using the default installation options.
|
||||
endif::hcp-quickstart,hcp[]
|
||||
endif::openshift-rosa[]
|
||||
The following summary describes the default cluster specifications.
|
||||
endif::tf-classic,tf-hcp[]
|
||||
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa-hcp,hcp[]
|
||||
.Default {product-title} cluster specifications
|
||||
endif::openshift-rosa-hcp[]
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
.Default ROSA with STS cluster specifications
|
||||
endif::openshift-rosa[]
|
||||
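Review bot: the two table-title conditions at the end of this hunk are not mutually exclusive. With `openshift-rosa` and `hcp` both set, `ifdef::openshift-rosa-hcp,hcp[]` and `ifdef::openshift-rosa[]` each emit a title, and `hcp-quickstart`, which the intro just above treats as HCP, is missing from the title condition. Mirror the intro by nesting `ifdef::hcp-quickstart,hcp[]` and `ifndef::hcp-quickstart,hcp[]` inside `ifdef::openshift-rosa[]`. The HCP title also still uses `{product-title}` where the intro uses `{rosa-title}`.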
@@ -48,9 +59,16 @@ ifdef::tf-classic,tf-hcp[]
|
||||
* Default IAM role prefix: `rosa-<6-digit-alphanumeric-string>`
|
||||
endif::tf-classic,tf-hcp[]
|
||||
ifndef::tf-classic,tf-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
* Default IAM role prefix: `ManagedOpenShift`
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp,hcp[]
|
||||
* Default IAM role prefix: `HCP-ROSA`
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
endif::tf-classic,tf-hcp[]
|
||||
ifndef::openshift-rosa-hcp,hcp[]
|
||||
* No cluster admin role created
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
|
||||
|Cluster settings
|
||||
|
|
||||
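Review bot: the IAM role prefix bullets overlap when `openshift-rosa` and `hcp` are both set: `ifdef::openshift-rosa[]` emits `ManagedOpenShift` and `ifdef::openshift-rosa-hcp,hcp[]` emits `HCP-ROSA`, so an HCP page in that build lists two defaults. Guard the `ManagedOpenShift` bullet with `ifndef::openshift-rosa-hcp,hcp[]` as is done for "No cluster admin role created" a few lines down, and decide whether `hcp-quickstart` belongs in these conditions as it does in the intro.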
@@ -66,33 +84,36 @@ ifndef::tf-classic,tf-hcp[]
|
||||
ifdef::openshift-rosa[]
|
||||
* Default AWS region for installations using the {cluster-manager-first} {hybrid-console-second}: us-east-1 (US East, North Virginia)
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa-hcp,hcp[]
|
||||
* Default AWS region for installations using the ROSA CLI (`rosa`): Defined by your `aws` CLI configuration
|
||||
* Default EC2 IMDS endpoints (both v1 and v2) are enabled
|
||||
endif::openshift-rosa-hcp[]
|
||||
* Availability: Single zone for the data plane
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
endif::tf-classic,tf-hcp[]
|
||||
ifndef::rosa-hcp,tf-hcp[]
|
||||
ifndef::openshift-rosa-hcp,tf-hcp,hcp[]
|
||||
* EC2 Instance Metadata Service (IMDS) is enabled and allows the use of IMDSv1 or IMDSv2 (token optional)
|
||||
endif::rosa-hcp,tf-hcp[]
|
||||
endif::openshift-rosa-hcp,tf-hcp,hcp[]
|
||||
* Availability: Single zone for the data plane
|
||||
* Monitoring for user-defined projects: Enabled
|
||||
ifndef::openshift-rosa-hcp,hcp-rosa[]
|
||||
ifdef::openshift-rosa-hcp,hcp[]
|
||||
* No cluster admin role created
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
ifndef::openshift-rosa-hcp,hcp[]
|
||||
|Encryption
|
||||
|* Cloud storage is encrypted at rest
|
||||
* Additional etcd encryption is not enabled
|
||||
* The default AWS Key Management Service (KMS) key is used as the encryption key for persistent data
|
||||
endif::openshift-rosa-hcp,hcp-rosa[]
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
|
||||
ifdef::openshift-rosa,openshift-rosa-hcp,tf-classic[]
|
||||
ifdef::openshift-rosa,tf-classic[]
|
||||
|Control plane node configuration
|
||||
|* Control plane node instance type: m5.2xlarge (8 vCPU, 32 GiB RAM)
|
||||
* Control plane node count: 3
|
||||
endif::openshift-rosa,openshift-rosa-hcp,tf-classic[]
|
||||
ifndef::openshift-rosa-hcp,hcp-rosa[]
|
||||
endif::openshift-rosa,tf-classic[]
|
||||
ifndef::openshift-rosa-hcp,hcp[]
|
||||
|Infrastructure node configuration
|
||||
|* Infrastructure node instance type: r5.xlarge (4 vCPU, 32 GiB RAM)
|
||||
* Infrastructure node count: 2
|
||||
endif::openshift-rosa-hcp,hcp-rosa[]
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
|
||||
|Compute node machine pool
|
||||
|* Compute node instance type: m5.xlarge (4 vCPU 16, GiB RAM)
|
||||
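Review bot: `* Availability: Single zone for the data plane` appears inside the `ifdef::openshift-rosa-hcp,hcp[]` block and again, unconditionally, after the IMDS block; if both lines remain after this change, HCP builds list it twice, so keep only one. In the trailing context, `m5.xlarge (4 vCPU 16, GiB RAM)` has the comma in the wrong place and should read `(4 vCPU, 16 GiB RAM)` like the other instance-type rows.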
@@ -133,19 +154,19 @@ ifndef::tf-classic,tf-hcp[]
|
||||
endif::tf-classic,tf-hcp[]
|
||||
* Host prefix: /23
|
||||
+
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
ifdef::openshift-rosa-hcp,hcp[]
|
||||
[NOTE]
|
||||
====
|
||||
The static IP address `172.20.0.1` is reserved for the internal Kubernetes API address. The machine, pod, and service CIDRs ranges must not conflict with this IP address.
|
||||
====
|
||||
endif::openshift-rosa-hcp[]
|
||||
endif::openshift-rosa-hcp,hcp[]
|
||||
|
||||
|Cluster roles and policies
|
||||
|* Mode used to create the Operator roles and the OpenID Connect (OIDC) provider: `auto`
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
For installations that use {cluster-manager} on the {hybrid-console-second}, the `auto` mode requires an admin-privileged {cluster-manager} role.
|
||||
For installations that use {cluster-manager} on the {hybrid-console-second}, the `auto` mode requires an admin-privileged {cluster-manager} role (ocm-role).
|
||||
====
|
||||
ifdef::tf-classic,tf-hcp[]
|
||||
* Default Operator role prefix: `rosa-<6-digit-alphanumeric-string>`
|
||||
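Review bot: in the changed NOTE, `(ocm-role)` is a literal role name and should be set in backticks like `auto` in the same sentence. The NOTE above it also reads "CIDRs ranges" where "CIDR ranges" is meant; fix it while this block is open.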
@@ -175,7 +196,9 @@ endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"]
|
||||
:!tf-hcp:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "rosa-hcp-sts-creating-a-cluster-quickly"]
|
||||
:!hcp-rosa:
|
||||
ifeval::["{context}" == "rosa-hcp-quickstart-guide"]
|
||||
:!hcp-quickstart:
|
||||
endif::[]
|
||||
|
||||
ifeval::["{context}" == "rosa-hcp-sts-creating-a-cluster-quickly"]
|
||||
:!hcp:
|
||||
endif::[]
|
||||
@@ -1,7 +1,7 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
|
||||
// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
|
||||
// * rosa_hcp/rosa-hcp-deleting-cluster.adoc
|
||||
|
||||
ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
|
||||
:hcp:
|
||||
@@ -13,10 +13,10 @@ endif::[]
|
||||
|
||||
When you install a
|
||||
ifndef::hcp[]
|
||||
{product-title} (ROSA)
|
||||
{rosa-classic-short}
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
cluster by using {cluster-manager-first}, you also create {cluster-manager} and user Identity and Access Management (IAM) roles that link to your Red{nbsp}Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (`rosa`).
|
||||
|
||||
@@ -24,17 +24,17 @@ cluster by using {cluster-manager-first}, you also create {cluster-manager} and
|
||||
====
|
||||
The {cluster-manager} and user IAM roles are required if you want to use {cluster-manager} to install and manage other
|
||||
ifndef::hcp[]
|
||||
ROSA clusters
|
||||
{rosa-classic-short} clusters
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title}
|
||||
{rosa-short}
|
||||
endif::hcp[]
|
||||
in the same AWS account. Only remove the roles if you no longer need to use the {cluster-manager} to install
|
||||
ifndef::hcp[]
|
||||
ROSA clusters.
|
||||
{rosa-classic-short} clusters.
|
||||
endif::hcp[]
|
||||
ifdef::hcp[]
|
||||
{hcp-title} clusters.
|
||||
{rosa-short} clusters.
|
||||
endif::hcp[]
|
||||
====
|
||||
|
||||
|
||||
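Review bot: in the first `ifdef::hcp[]` branch of the NOTE the replacement is only `{rosa-short}`, so the sentence renders as "install and manage other {rosa-short} in the same AWS account", while the `ifndef::hcp[]` branch says `{rosa-classic-short} clusters`. Add "clusters" to the HCP branch so both variants read the same.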
@@ -6,7 +6,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
|
||||
toc::[]
|
||||
|
||||
For {hcp-title-first} workloads that do not require public internet access, you can create a private cluster.
|
||||
For {rosa-title} workloads that do not require public internet access, you can create a private cluster.
|
||||
|
||||
//include::modules/osd-aws-privatelink-about.adoc[leveloffset=+1]
|
||||
//include::modules/osd-aws-privatelink-required-resources.adoc[leveloffset=+1]
|
||||
|
||||
@@ -7,20 +7,26 @@ include::_attributes/common-attributes.adoc[]
|
||||
|
||||
toc::[]
|
||||
|
||||
You can use your own Container Network Interface (CNI) plugin when creating a {hcp-title-first} cluster.
|
||||
You can create a {hcp-title} cluster without a CNI and install your own CNI plugin after cluster creation.
|
||||
You can use your own Container Network Interface (CNI) plugin when creating a
|
||||
ifdef::openshift-rosa[]
|
||||
{rosa-title}
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{product-title}
|
||||
endif::openshift-rosa-hcp[]
|
||||
cluster. You can create a {rosa-short} cluster without a CNI and install your own CNI plugin after cluster creation.
|
||||
|
||||
[IMPORTANT]
|
||||
====
|
||||
For customers who choose to use their own CNI, the responsibility of CNI plugin support belongs to the customer in coordination with their chosen CNI vendor.
|
||||
====
|
||||
|
||||
The default plugin for {hcp-title} is the xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin]. This plugin is the only Red Hat supported CNI plugin for {hcp-title}.
|
||||
The default plugin for {rosa-short} is the xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin]. This plugin is the only Red Hat supported CNI plugin for {rosa-short}.
|
||||
|
||||
If you choose to use your own CNI for {hcp-title} clusters, it is strongly recommended that you obtain commercial support from the plugin vendor before creating your clusters. Red Hat support cannot assist with CNI-related issues such as pod to pod traffic for customers who choose to use their own CNI. Red Hat still provides support for all non-CNI issues. If you want CNI-related support from Red Hat, you must install the cluster with the default OVN-Kubernetes network plugin. For more information, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc#rosa-policy-responsibility-matrix[responsibility matrix].
|
||||
If you choose to use your own CNI for {rosa-short} clusters, it is strongly recommended that you obtain commercial support from the plugin vendor before creating your clusters. Red Hat support cannot assist with CNI-related issues such as pod to pod traffic for customers who choose to use their own CNI. Red Hat still provides support for all non-CNI issues. If you want CNI-related support from Red Hat, you must install the cluster with the default OVN-Kubernetes network plugin. For more information, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc#rosa-policy-responsibility-matrix[responsibility matrix].
|
||||
|
||||
[id="rosa-hcp-no-cni-cluster-creation"]
|
||||
== Creating a {hcp-title} cluster without a CNI plugin
|
||||
== Creating a {rosa-short} cluster without a CNI plugin
|
||||
|
||||
=== Prerequisites
|
||||
* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites].
|
||||
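Review bot: the two rewritten paragraphs keep "Red Hat" with a plain space ("the only Red Hat supported CNI plugin", "Red Hat support cannot assist") while the other files in this patch use `Red{nbsp}Hat`; switch these while the lines are being edited. "pod to pod traffic" would also read better as "pod-to-pod traffic".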
@@ -37,7 +43,7 @@ include::modules/rosa-operator-config.adoc[leveloffset=+2]
|
||||
[id="additional-resources_rosa-hcp-operator-prefix-no-cni"]
|
||||
.Additional resources
|
||||
|
||||
* See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] for information on the Operator prefixes.
|
||||
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]
|
||||
|
||||
include::modules/rosa-hcp-sts-creating-a-cluster-cli-no-cni-plugin.adoc[leveloffset=+1]
|
||||
|
||||
|
||||
@@ -6,15 +6,15 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
|
||||
toc::[]
|
||||
|
||||
Create a {product-title} (ROSA) with a {hcp} (HCP) cluster using a custom AWS Key Management Service (KMS) key.
|
||||
Create a {rosa-title} cluster using a custom AWS Key Management Service (KMS) key.
|
||||
|
||||
//include::modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc[leveloffset=+1]
|
||||
//include::modules/rosa-sts-associating-your-aws-account.adoc[leveloffset=+2]
|
||||
|
||||
[id="rosa-hcp-creating-cluster-with-aws-kms-key-prereqs"]
|
||||
== {hcp-title} Prerequisites
|
||||
== {rosa-short} Prerequisites
|
||||
|
||||
To create a {hcp-title} cluster, you must have the following items:
|
||||
To create a {rosa-short} cluster, you must have the following items:
|
||||
|
||||
* A configured virtual private cloud (VPC)
|
||||
* Account-wide roles
|
||||
@@ -22,9 +22,9 @@ To create a {hcp-title} cluster, you must have the following items:
|
||||
* Operator roles
|
||||
|
||||
[id="rosa-hcp-creating-cluster-with-aws-kms-key-creating-vpc"]
|
||||
== Creating a Virtual Private Cloud for your {hcp-title} clusters
|
||||
== Creating a Virtual Private Cloud for your {rosa-short} clusters
|
||||
|
||||
You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. Use one of the following methods to create a VPC:
|
||||
You must have a Virtual Private Cloud (VPC) to create {rosa-short} cluster. Use one of the following methods to create a VPC:
|
||||
|
||||
* Create a VPC using the ROSA command-line interface (CLI)
|
||||
* Create a VPC by using a Terraform template
|
||||
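Review bot: the updated sentence reads "to create {rosa-short} cluster" with the article missing; the egress-zero assembly in this patch has "to create a {rosa-short} cluster". Add the "a" here.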
@@ -42,8 +42,8 @@ include::modules/rosa-hcp-create-network.adoc[leveloffset=+3]
|
||||
[id="additional-resources_rosa-hcp-create-network-kms-key"]
|
||||
.Additional resources
|
||||
|
||||
* See the link:https://aws.amazon.com/cloudformation/[AWS CloudFormation] for more information about structuring CloudFormation files to create VPCs.
|
||||
* See the link:https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[default VPC AWS CloudFormation template] for more information.
|
||||
* link:https://aws.amazon.com/cloudformation/[AWS CloudFormation]
|
||||
* link:https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[Default VPC AWS CloudFormation template]
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
|
||||
@@ -52,7 +52,7 @@ include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
|
||||
[id="additional-resources_rosa-hcp-vpc-terraform-kms-key"]
|
||||
.Additional resources
|
||||
|
||||
* See the link:https://github.com/openshift-cs/terraform-vpc-example[Terraform VPC] repository for a detailed list of all options available when customizing the VPC for your needs.
|
||||
* link:https://github.com/openshift-cs/terraform-vpc-example[Terraform VPC repository]
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+2]
|
||||
@@ -91,13 +91,13 @@ ifndef::openshift-rosa-hcp[]
|
||||
[id="additional-resources_rosa-hcp-creating-cluster-with-aws-kms-key"]
|
||||
== Additional resources
|
||||
|
||||
* For information on using the CLI to create a cluster, see xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-cli_rosa-hcp-sts-creating-a-cluster-quickly[Creating a ROSA with HCP cluster using the CLI].
|
||||
* For steps to deploy a ROSA cluster using manual mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations].
|
||||
* For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS].
|
||||
* For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes].
|
||||
* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS].
|
||||
* For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
|
||||
* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers].
|
||||
* For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations].
|
||||
* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
|
||||
* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-cli_rosa-hcp-sts-creating-a-cluster-quickly[Creating a ROSA with HCP cluster using the CLI]
|
||||
* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations]
|
||||
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS]
|
||||
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]
|
||||
* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]
|
||||
* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes]
|
||||
* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers]
|
||||
* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations]
|
||||
* xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS]
|
||||
endif::openshift-rosa-hcp[]
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
:_mod-docs-content-type: ASSEMBLY
|
||||
include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
[id="rosa-hcp-deleting-cluster"]
|
||||
= Deleting a {hcp-title} cluster
|
||||
= Deleting a {rosa-short} cluster
|
||||
:context: rosa-hcp-deleting-cluster
|
||||
|
||||
toc::[]
|
||||
|
||||
If you want to delete a {hcp-title-first} cluster, you can use either the {cluster-manager-first} or the ROSA command-line interface (CLI) (`rosa`). After deleting your cluster, you can also delete the AWS Identity and Access Management (IAM) resources that are used by the cluster.
|
||||
If you want to delete a {rosa-title} cluster, you can use either the {cluster-manager-first} or the ROSA command-line interface (CLI) (`rosa`). After deleting your cluster, you can also delete the AWS Identity and Access Management (IAM) resources that are used by the cluster.
|
||||
|
||||
include::modules/rosa-hcp-deleting-cluster.adoc[leveloffset=+1]
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
:context: rosa-hcp-egress-zero-install
|
||||
toc::[]
|
||||
|
||||
Creating {egress-zero-title} provides a way to enhance your cluster's stability and security by allowing your cluster to use the image registry in the local region if the cluster cannot access the internet. Your cluster first tries to pull the images from Quay, and when they aren't reached, it instead pulls the images from the image registry in the local region.
|
||||
Creating {rosa-title} with {egress-zero} provides a way to enhance your cluster's stability and security by allowing your cluster to use the image registry in the local region if the cluster cannot access the internet. Your cluster first tries to pull the images from Quay, and when they aren't reached, it instead pulls the images from the image registry in the local region.
|
||||
|
||||
All public and private clusters with {egress-zero} get their Red{nbsp}Hat container images from an Amazon Elastic Container Registry (ECR) located in the local region of the cluster instead of gathering these images from various endpoints and registries on the internet. ECR provides storage for OpenShift release images as well as Red{nbsp}Hat Operators. All requests for ECR are kept within your AWS network by serving them over a VPC endpoint within your cluster.
|
||||
|
||||
@@ -13,7 +13,7 @@ All public and private clusters with {egress-zero} get their Red{nbsp}Hat contai
|
||||
|
||||
You can create a fully operational cluster that does not require a public egress by configuring a virtual private cloud (VPC) and using the `--properties zero_egress:true` flag when creating your cluster.
|
||||
|
||||
See xref:../upgrading/rosa-hcp-upgrading.adoc#rosa-hcp-upgrading[Upgrading {product-title} clusters] to upgrade clusters using {egress-zero}.
|
||||
See xref:../upgrading/rosa-hcp-upgrading.adoc#rosa-hcp-upgrading[Upgrading {rosa-short} clusters] to upgrade clusters using {egress-zero}.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
@@ -62,7 +62,7 @@ A physical connection might exist between machines on the internal network and a
|
||||
|
||||
[IMPORTANT]
|
||||
====
|
||||
* You can use {egress-zero} on all supported versions of {product-title} that use the hosted control plane architecture; however, Red{nbsp}Hat suggests using the latest available z-stream release for each {ocp} version.
|
||||
* You can use {egress-zero} on all supported versions of {rosa-short} that use the hosted control plane architecture; however, Red{nbsp}Hat suggests using the latest available z-stream release for each {ocp} version.
|
||||
|
||||
* While you may install and upgrade your clusters as you would a regular cluster, due to an upstream issue with how the internal image registry functions in disconnected environments, your cluster that uses {egress-zero} will not be able to fully use all platform components, such as the image registry. You can restore these features by using the latest ROSA version when upgrading or installing your cluster.
|
||||
====
|
||||
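Review bot: The last bullet of this IMPORTANT block still hard-codes the product name ("by using the latest ROSA version"), directly below the bullet that was switched to `{rosa-short}`. If the goal of this change is to standardise on the attribute, update that bullet as well, or confirm that "ROSA version" is meant generically there.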
@@ -72,7 +72,7 @@ include::modules/rosa-hcp-set-environment-variables.adoc[leveloffset=+1]
|
||||
[id="rosa-hcp-egress-zero-install-creating_{context}"]
|
||||
== Creating a Virtual Private Cloud for your {hcp-title} clusters
|
||||
|
||||
You must have a Virtual Private Cloud (VPC) to create a {hcp-title} cluster. To pull images from the local ECR mirror over your VPC endpoint, you must configure a privatelink service connection and modify the default security groups with specific tags. Use one of the following methods to create a VPC:
|
||||
You must have a Virtual Private Cloud (VPC) to create a {rosa-short} cluster. To pull images from the local ECR mirror over your VPC endpoint, you must configure a privatelink service connection and modify the default security groups with specific tags. Use one of the following methods to create a VPC:
|
||||
|
||||
* Create a VPC using the ROSA command-line interface (CLI)
|
||||
* Create a VPC by using a Terraform template
|
||||
|
||||
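Review bot: The section heading above the changed paragraph still reads `== Creating a Virtual Private Cloud for your {hcp-title} clusters`, so the heading and its first sentence now use different attributes. The quickstart assembly in this same commit updates the identical heading to `{rosa-short}`; do the same here. While touching the paragraph, "privatelink service connection" would read better with the AWS product spelling, "PrivateLink".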
@@ -6,7 +6,14 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
|
||||
toc::[]
|
||||
|
||||
Follow this guide to quickly create a {product-title} (ROSA) cluster using the command-line interface (CLI), grant user access, deploy your first application, and learn how to revoke user access and delete your cluster.
|
||||
Follow this guide to quickly create a
|
||||
ifdef::openshift-rosa[]
|
||||
{rosa-title}
|
||||
endif::openshift-rosa[]
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
{product-title}
|
||||
endif::openshift-rosa-hcp[]
|
||||
cluster using the command-line interface (CLI), grant user access, deploy your first application, and learn how to revoke user access and delete your cluster.
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+2]
|
||||
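Review bot: The new conditional introduces `{product-title}` for the `openshift-rosa-hcp` build, while every other hunk in this change replaces `{product-title}` with `{rosa-short}` or `{rosa-title}`. The ext-auth assembly uses `{rosa-title}` unconditionally in its opening sentence; if that attribute resolves correctly in both distros, the six-line `ifdef` block can collapse back to a single sentence. Note also that the "(ROSA)" abbreviation the old sentence introduced is now gone, so check that the short form is defined before its first use on this page.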
@@ -19,14 +26,14 @@ include::modules/rosa-getting-started-install-configure-cli-tools.adoc[leveloffs
|
||||
|
||||
.Next steps
|
||||
|
||||
Before you can use the {cluster-manager} {hybrid-console-second} to deploy ROSA clusters, you must associate your AWS account with your Red{nbsp}Hat organization and create the required account-wide STS roles and policies.
|
||||
Before you can use the {hybrid-console} to deploy {rosa-short} clusters, you must associate your AWS account with your Red{nbsp}Hat organization and create the required account-wide AWS IAM STS roles and policies for ROSA.
|
||||
|
||||
include::modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]
|
||||
|
||||
[id="rosa-hcp-quickstart-creating-vpc"]
|
||||
== Creating a Virtual Private Cloud for your {hcp-title} clusters
|
||||
== Creating a Virtual Private Cloud for your {rosa-short} clusters
|
||||
|
||||
You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. You can use the following methods to create a VPC:
|
||||
You must have an AWS Virtual Private Cloud (VPC) to create a {rosa-short} cluster. You can use the following methods to create a VPC:
|
||||
|
||||
* Create a VPC using the ROSA CLI
|
||||
* Create a VPC by using a Terraform template
|
||||
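Review bot: The rewritten "Next steps" sentence uses `{rosa-short}` for the clusters but ends with a literal "for ROSA" ("AWS IAM STS roles and policies for ROSA"). The trailing phrase is redundant with the attribute earlier in the sentence and reintroduces the hard-coded name; drop it or use the attribute. In the list below, "Create a VPC using the ROSA CLI" and "Create a VPC by using a Terraform template" also differ in phrasing; "by using" in both would be consistent.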
@@ -34,7 +41,7 @@ You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. You c
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use. You should also ensure that when you use this Terraform script it is in the same region that you intend to install your cluster. In these examples, use `us-east-2`.
|
||||
The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use. You should also ensure that when you use this linked Terraform configuration, it is in the same region that you intend to install your cluster. In these examples, `us-east-2` is used.
|
||||
====
|
||||
|
||||
[discrete]
|
||||
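Review bot: This NOTE is a copy of the one in the default-options assembly, and the two copies now diverge: here it says "this linked Terraform configuration", there "this Terraform configuration". Pick one wording, and consider moving the note into a snippet so it is maintained once. In both copies, "it is in the same region" has no clear referent; something like "ensure that the VPC is created in the same region where you intend to install your cluster" would be unambiguous.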
@@ -44,8 +51,8 @@ include::modules/rosa-hcp-create-network.adoc[leveloffset=+3]
|
||||
[id="additional-resources_rosa-hcp-create-network-quickstart"]
|
||||
.Additional resources
|
||||
|
||||
* See the link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-ec2-vpc.html[AWS CloudFormation documentation] for more information about structuring CloudFormation files to create VPCs.
|
||||
* See the link:https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[default VPC AWS CloudFormation template] for more information.
|
||||
* link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-ec2-vpc.html[AWS CloudFormation documentation]
|
||||
* link:https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[Default VPC AWS CloudFormation template]
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
|
||||
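Review bot: This additional-resources block carries only an `[id=...]` line before `.Additional resources`, whereas the ext-auth assembly in this same commit marks its block with `[role="_additional-resources"]`. Since the bullets are being converted to the bare-link form anyway, add the role attribute here so all of the blocks touched by this change are tagged the same way.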
@@ -54,7 +61,7 @@ include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
|
||||
[id="additional-resources_rosa-hcp-vpc-terraform-quickstart"]
|
||||
.Additional resources
|
||||
|
||||
* See the link:https://github.com/openshift-cs/terraform-vpc-example[Terraform VPC] repository for a detailed list of all options available when customizing the VPC for your needs.
|
||||
* link:https://github.com/openshift-cs/terraform-vpc-example[Terraform VPC repository]
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+2]
|
||||
|
||||
@@ -1,28 +1,28 @@
|
||||
:_mod-docs-content-type: ASSEMBLY
|
||||
[id="rosa-hcp-sts-creating-a-cluster-ext-auth"]
|
||||
= Creating a {hcp-title} cluster that uses direct authentication with an external OIDC identity provider
|
||||
= Creating a {rosa-short} cluster that uses direct authentication with an external OIDC identity provider
|
||||
include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
:context: rosa-hcp-sts-creating-a-cluster-ext-auth
|
||||
|
||||
toc::[]
|
||||
|
||||
You can create {hcp-title-first} clusters that use an external OpenID Connect (OIDC) identity provider to issue tokens for authentication, replacing the built-in OpenShift OAuth server. While the built-in OpenShift OAuth server supports integration with a variety of identity providers, including external OIDC identity providers, it is limited to the capabilities of the OAuth server itself. You can directly integrate external OIDC identity providers with {hcp-title} clusters in order to facilitate machine-to-machine workflows, such as CLI, and provide additional capabilities which are not available when using the built-in OpenShift OAuth server.
|
||||
You can create {rosa-title} clusters that use an external OpenID Connect (OIDC) identity provider to issue tokens for authentication, replacing the built-in OpenShift OAuth server. While the built-in OpenShift OAuth server supports integration with a variety of identity providers, including external OIDC identity providers, it is limited to the capabilities of the OAuth server itself. You can directly integrate external OIDC identity providers with {rosa-short} clusters in order to facilitate machine-to-machine workflows, such as CLI, and provide additional capabilities which are not available when using the built-in OpenShift OAuth server.
|
||||
|
||||
[IMPORTANT]
|
||||
====
|
||||
Since it is not possible to upgrade or convert existing ROSA clusters to a {hcp} architecture, you must create a new cluster to use {hcp-title} functionality. You also cannot convert a cluster that was created to use external authentication providers to use the internal OAuth2 server. You must also create a new cluster.
|
||||
Since it is not possible to upgrade or convert existing {rosa-classic-short} clusters to a {hcp} architecture, you must create a new cluster to use {rosa-short} functionality. You also cannot convert a cluster that was created to use external authentication providers to use the internal OAuth2 server. You must also create a new cluster.
|
||||
====
|
||||
|
||||
include::snippets/imp-rosa-hcp-no-shared-vpc-support.adoc[leveloffset=+0]
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
{hcp-title} clusters only support {sts-first} authentication.
|
||||
{rosa-short} clusters only support {sts-first} authentication.
|
||||
====
|
||||
|
||||
.Further reading
|
||||
ifdef::openshift-rosa-hcp[]
|
||||
* For a comparison between {hcp-title} and ROSA Classic, see the xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-hcp-classic-comparison_rosa-architecture-models[Comparing architecture models] documentation.
|
||||
* For a comparison between {rosa-short} and {rosa-classic-short}, see the xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-hcp-classic-comparison_rosa-architecture-models[Comparing architecture models] documentation.
|
||||
endif::openshift-rosa-hcp[]
|
||||
* See the AWS documentation for information about link:https://docs.aws.amazon.com/rosa/latest/userguide/getting-started-hcp.html[Getting started with ROSA with HCP using the ROSA CLI in auto mode].
|
||||
|
||||
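Review bot: The new title `= Creating a {rosa-short} cluster ...` sits above `include::_attributes/attributes-openshift-dedicated.adoc[]`, while the default-options assembly in this commit moves the include and `:context:` above the `[id]` and title. If `{rosa-short}` is defined by that include, the title here will not resolve; either reorder this header the same way or confirm the attribute is available earlier. The last "Further reading" bullet also keeps the old "See the AWS documentation for information about ..." sentence form while the other resource lists in this change were reduced to bare links.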
@@ -31,9 +31,9 @@ endif::openshift-rosa-hcp[]
|
||||
//For a full list of the supported certificates, see the xref:#../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red{nbsp}Hat OpenShift Service on AWS".
|
||||
|
||||
[id="rosa-hcp-external-auth-prereqs"]
|
||||
== {hcp-title} Prerequisites
|
||||
== {rosa-short} Prerequisites
|
||||
|
||||
To create a {hcp-title} cluster, you must have completed the following steps:
|
||||
To create a {rosa-short} cluster, you must have completed the following steps:
|
||||
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
* Completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites]
|
||||
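Review bot: The intro sentence "you must have completed the following steps:" is followed by bullets that begin "Completed the ...", so the rendered text repeats the verb. Since the sentence is being edited anyway, reword it (for example "Before you create a {rosa-short} cluster, complete the following prerequisites:") and start the bullets with the noun. The heading `== {rosa-short} Prerequisites` also capitalises "Prerequisites" in an otherwise sentence-case heading.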
@@ -63,7 +63,7 @@ include::modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc[leveloffset=+
|
||||
|
||||
[role="_additional-resources"]
|
||||
.Additional resources
|
||||
* For more information about creating a {hcp-title} cluster with external authentication enabled, see xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc#rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli_rosa-hcp-sts-creating-a-cluster-ext-auth[Creating a {hcp-title} cluster that uses direct authentication with an external OIDC identity provider].
|
||||
* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc#rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli_rosa-hcp-sts-creating-a-cluster-ext-auth[Creating a {rosa-short} cluster that uses direct authentication with an external OIDC identity provider]
|
||||
//* For more information about CLI configurations, see xref:#../cli_reference/openshift_cli/managing-cli-profiles.adoc#managing-cli-profiles[Managing CLI profiles].
|
||||
|
||||
include::modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc[leveloffset=+1]
|
||||
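Review bot: The replacement bullet links to `rosa-hcp-sts-creating-a-cluster-ext-auth.adoc`, which is this assembly, and its label is now identical to the page title. With the explanatory sentence removed, the reader sees a link that appears to point at the page they are already on. The anchor targets the `...external-auth-cluster-cli` section, so label the link with that section's title, or drop the bullet if it only points back into the same page.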
@@ -82,9 +82,9 @@ include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-c
|
||||
== Additional resources
|
||||
|
||||
// * To learn more about the default CIDR ranges for {product-title}, see xref:#../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions].
|
||||
* For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes].
|
||||
* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS].
|
||||
* For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
|
||||
* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
|
||||
* For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations].
|
||||
* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
|
||||
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]
|
||||
* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]
|
||||
* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes]
|
||||
* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
|
||||
* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations]
|
||||
* xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS]
|
||||
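Review bot: The OIDC bullet keeps its tail, `[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.`, with a trailing period, while the other bullets in this list are bare links and the same link in the default-options assembly drops the tail entirely. Make the two copies match; if the point is to mark the link as external, apply that consistently to every external link in these lists.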
@@ -1,32 +1,32 @@
|
||||
:_mod-docs-content-type: ASSEMBLY
|
||||
[id="rosa-hcp-sts-creating-a-cluster-quickly"]
|
||||
= Creating ROSA with HCP clusters using the default options
|
||||
include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
:context: rosa-hcp-sts-creating-a-cluster-quickly
|
||||
[id="rosa-hcp-sts-creating-a-cluster-quickly"]
|
||||
= Creating {rosa-short} clusters using the default options
|
||||
|
||||
toc::[]
|
||||
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
[NOTE]
|
||||
====
|
||||
If you are looking for a quickstart guide for ROSA Classic, see xref:../rosa_getting_started/rosa-quickstart-guide-ui.adoc#rosa-quickstart-guide-ui[{product-title} quickstart guide].
|
||||
If you are looking for a quickstart guide for {rosa-classic-short}, see xref:../rosa_getting_started/rosa-quickstart-guide-ui.adoc#rosa-quickstart-guide-ui[{rosa-classic-title} quickstart guide].
|
||||
====
|
||||
endif::openshift-rosa-hcp[]
|
||||
|
||||
{hcp-title-first} offers a more efficient and reliable architecture for creating {product-title} (ROSA) clusters. With {hcp-title}, each cluster has a dedicated control plane that is isolated in a ROSA service account.
|
||||
{rosa-title} offers a more efficient and reliable architecture for creating {rosa-short} clusters. With {rosa-short}, each cluster has a dedicated control plane that is isolated in the ROSA service AWS account.
|
||||
|
||||
Create a {hcp-title} cluster quickly by using the default options and automatic AWS Identity and Access Management (IAM) resource creation. You can deploy your cluster by using the ROSA CLI (`rosa`).
|
||||
Create a {rosa-short} cluster quickly by using the default options and automatic AWS Identity and Access Management (IAM) resource creation. You can deploy your cluster by using the ROSA CLI (`rosa`).
|
||||
|
||||
[IMPORTANT]
|
||||
====
|
||||
Since it is not possible to upgrade or convert existing ROSA clusters to a {hcp} architecture, you must create a new cluster to use {hcp-title} functionality.
|
||||
Since it is not possible to upgrade or convert existing {rosa-classic-short} clusters to hosted control plane architecture, you must create a new cluster to use {rosa-short} functionality.
|
||||
====
|
||||
|
||||
include::snippets/imp-rosa-hcp-no-shared-vpc-support.adoc[leveloffset=+0]
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
{hcp-title} clusters only support AWS Security Token Service (STS) authentication.
|
||||
{rosa-short} clusters only support AWS IAM Security Token Service (STS) authentication.
|
||||
====
|
||||
|
||||
ifndef::openshift-rosa-hcp[]
|
||||
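Review bot: The NOTE now spells out "AWS IAM Security Token Service (STS)", but the ext-auth assembly in this commit expresses the same statement with `{sts-first}`; use the attribute here too so the service name is defined in one place. Similarly, the IMPORTANT block replaces `{hcp}` with the literal "hosted control plane architecture" while the ext-auth copy of that sentence keeps `{hcp} architecture`. Also note that this header moves the `[id]` and title below the include and `:context:` lines, which the ext-auth assembly does not; the ordering should be the same in both files.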
@@ -59,7 +59,7 @@ include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[le
|
||||
|
||||
//TODO OSDOCS-11789: Move these out of the deployment doc and into the prepare doc? Keep in both locations?
|
||||
[id="rosa-hcp-prereqs"]
|
||||
== {hcp-title} Prerequisites
|
||||
== {rosa-short} Prerequisites
|
||||
|
||||
To create a {hcp-title} cluster, you must have the following items:
|
||||
|
||||
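Review bot: Only the heading is updated in this hunk; the sentence directly under it still reads "To create a {hcp-title} cluster, you must have the following items:". The equivalent sentence in the ext-auth assembly was switched to `{rosa-short}` in this commit, so this one looks missed.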
@@ -71,7 +71,7 @@ To create a {hcp-title} cluster, you must have the following items:
|
||||
[id="rosa-hcp-creating-vpc"]
|
||||
=== Creating a Virtual Private Cloud for your {hcp-title} clusters
|
||||
|
||||
You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. You can use the following methods to create a VPC:
|
||||
You must have a Virtual Private Cloud (VPC) to create {rosa-short} cluster. You can use the following methods to create a VPC:
|
||||
|
||||
* Create a VPC using the ROSA CLI
|
||||
* Create a VPC by using a Terraform template
|
||||
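Review bot: The new sentence is missing an article: "to create {rosa-short} cluster" should be "to create a {rosa-short} cluster". The quickstart version of this paragraph has the article and also says "AWS Virtual Private Cloud (VPC)"; align the two. The `=== Creating a Virtual Private Cloud for your {hcp-title} clusters` heading above it is also left on the old attribute.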
@@ -79,7 +79,7 @@ You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. You c
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use. You should also ensure that when you use this Terraform script it is in the same region that you intend to install your cluster. In these examples, use `us-east-2`.
|
||||
The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use. You should also ensure that when you use this Terraform configuration, it is in the same region that you intend to install your cluster. In these examples, `us-east-2` is used.
|
||||
====
|
||||
|
||||
[discrete]
|
||||
@@ -89,8 +89,8 @@ include::modules/rosa-hcp-create-network.adoc[leveloffset=+3]
|
||||
[id="additional-resources_rosa-hcp-create-network"]
|
||||
.Additional resources
|
||||
|
||||
* See the link:https://aws.amazon.com/cloudformation/[AWS CloudFormation documentation] for more information about structuring CloudFormation files to create VPCs.
|
||||
* See the link:https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[default VPC AWS CloudFormation template] for more information.
|
||||
* link:https://aws.amazon.com/cloudformation/[AWS CloudFormation documentation]
|
||||
* link:https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[Default VPC AWS CloudFormation template]
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
|
||||
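Review bot: The bare link labelled "AWS CloudFormation documentation" points to `https://aws.amazon.com/cloudformation/`, while the quickstart assembly uses the same label for `https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-ec2-vpc.html`. The removed sentence said the link was for "structuring CloudFormation files to create VPCs", which matches the quickstart URL, not this one. Use the same documentation URL in both places so the label is accurate.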
@@ -99,7 +99,7 @@ include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
|
||||
[id="additional-resources_rosa-hcp-vpc-terraform"]
|
||||
.Additional resources
|
||||
|
||||
* See the link:https://github.com/openshift-cs/terraform-vpc-example[Terraform VPC] repository for a detailed list of all options available when customizing the VPC for your needs.
|
||||
* link:https://github.com/openshift-cs/terraform-vpc-example[Terraform VPC repository]
|
||||
|
||||
[discrete]
|
||||
include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+2]
|
||||
@@ -144,13 +144,13 @@ ifndef::openshift-rosa-hcp[]
|
||||
[id="additional-resources_rosa-sts-creating-a-cluster-quickly"]
|
||||
== Additional resources
|
||||
|
||||
* For steps to deploy a ROSA cluster using manual mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations].
|
||||
* For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS].
|
||||
* See xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups] for information about security group requirements.
|
||||
* For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes].
|
||||
* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS].
|
||||
* For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes].
|
||||
* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation.
|
||||
* For more information about troubleshooting {hcp-title} cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP installations].
|
||||
* For steps to contact Red{nbsp}Hat Support for assistance, see xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS].
|
||||
* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations]
|
||||
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS]
|
||||
* xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups]
|
||||
* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]
|
||||
* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]
|
||||
* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes]
|
||||
* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers]
|
||||
* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP installations]
|
||||
* xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS]
|
||||
endif::openshift-rosa-hcp[]
|
||||
@@ -6,9 +6,9 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
|
||||
|
||||
toc::[]
|
||||
|
||||
Create a {product-title} (ROSA) cluster quickly by using a Terraform cluster template that is configured with the default cluster options.
|
||||
Create a {rosa-title} cluster quickly by using a Terraform cluster template that is configured with the default cluster options.
|
||||
|
||||
The cluster creation process described below uses a Terraform configuration that prepares a {hcp-title} cluster with the following resources:
|
||||
The cluster creation process described below uses a Terraform configuration that prepares a {rosa-short} cluster with the following resources:
|
||||
|
||||
* An OIDC provider with a managed `oidc-config` configuration
|
||||
* Prerequisite IAM Operator roles with associated AWS Managed ROSA Policies
|
||||
@@ -23,7 +23,7 @@ include::modules/rosa-sts-terraform-considerations.adoc[leveloffset=+1]
|
||||
include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1]
|
||||
|
||||
[id="rosa-hcp-creating-a-cluster-quickly-terraform-procedure"]
|
||||
== Creating a default ROSA cluster using Terraform
|
||||
== Creating a default {rosa-short} cluster using Terraform
|
||||
|
||||
The cluster creation process outlined below shows how to use Terraform to create your account-wide IAM roles and a ROSA cluster with a managed OIDC configuration.
|
||||
|
||||
|
||||
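Review bot: The heading is updated to `{rosa-short}`, but the sentence under it still says "create your account-wide IAM roles and a ROSA cluster with a managed OIDC configuration". Update that sentence to use the attribute as well so the heading and body name the product the same way.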