mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

Adding support for installing a cluster to AWS China regions

This commit is contained in:
Mike Pytlak
2021-08-17 09:56:43 -04:00
committed by openshift-cherrypick-robot
parent bf09d0f046
commit 6d4c197448
20 changed files with 328 additions and 50 deletions

View File

@@ -156,6 +156,8 @@ Topics:
File: installing-aws-private
- Name: Installing a cluster on AWS into a government or secret region
File: installing-aws-government-region
- Name: Installing a cluster on AWS into a China region
File: installing-aws-china
- Name: Installing a cluster on AWS using CloudFormation templates
File: installing-aws-user-infra
- Name: Installing a cluster on AWS in a restricted network with user-provisioned infrastructure

View File

@@ -0,0 +1,68 @@
[id="installing-aws-china-region"]
= Installing a cluster on AWS China
include::modules/common-attributes.adoc[]
:context: installing-aws-china-region
toc::[]
In {product-title} version {product-version}, you can install a cluster to the following Amazon Web Services (AWS) China regions:
* `cn-north-1` (Beijing)
* `cn-northwest-1` (Ningxia)
== Prerequisites
* You have an Internet Content Provider (ICP) license.
* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster.
* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials].
[IMPORTANT]
====
If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-lived credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program.
====
include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+1]
include::modules/cluster-entitlements.adoc[leveloffset=+1]
include::modules/private-clusters-default.adoc[leveloffset=+1]
include::modules/private-clusters-about-aws.adoc[leveloffset=+2]
include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
include::modules/ssh-agent-using.adoc[leveloffset=+1]
include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+1]
include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
include::modules/installation-initializing-manual.adoc[leveloffset=+1]
include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
include::modules/installation-supported-aws-machine-types.adoc[leveloffset=+2]
include::modules/installation-configure-proxy.adoc[leveloffset=+2]
include::modules/installation-launching-installer.adoc[leveloffset=+1]
include::modules/cli-installing-cli.adoc[leveloffset=+1]
include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1]
include::modules/cluster-telemetry.adoc[leveloffset=+1]
.Additional resources
* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
== Next steps
* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
* If necessary, you can xref:../../authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc#manually-removing-cloud-creds_cco-mode-mint[remove cloud provider credentials].
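Review bot: The prerequisites list never states that a China-region install is a private install into an existing VPC, yet this assembly includes `installation-custom-aws-vpc`, `private-clusters-default` and `private-clusters-about-aws`, and the sample `install-config.yaml` for the `installing-aws-china-region` context is rendered with the `vpc` and `private` attributes set, so it carries `subnets`, `serviceEndpoints` and `hostedZone`. Add a prerequisite along the lines of "You have an existing VPC and subnets in the China region" (or a short "About installing into an AWS China region" module, as `installation-aws-about-government-region` does for GovCloud) so the reader knows they must provision the VPC and private endpoints before creating the configuration file. Two smaller points: the title `= Installing a cluster on AWS China` does not match the navigation entry "Installing a cluster on AWS into a China region" added in the topic map, and the `:context:` value `installing-aws-china-region` differs from the file name `installing-aws-china`, so every module comment that references this assembly needs to use the file name, not the context.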

View File

@@ -24,6 +24,7 @@ If you have an AWS profile stored on your computer, it must not use a temporary
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials].
include::modules/installation-aws-about-government-region.adoc[leveloffset=+1]
include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+1]
include::modules/private-clusters-default.adoc[leveloffset=+1]
include::modules/private-clusters-about-aws.adoc[leveloffset=+2]
@@ -34,14 +35,15 @@ include::modules/cluster-entitlements.adoc[leveloffset=+1]
include::modules/ssh-agent-using.adoc[leveloffset=+1]
include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+1]
include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
include::modules/installation-initializing-manual.adoc[leveloffset=+1]
include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
include::modules/installation-supported-aws-machine-types.adoc[leveloffset=+2]
include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+2]
include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+2]
include::modules/installation-configure-proxy.adoc[leveloffset=+2]
include::modules/installation-launching-installer.adoc[leveloffset=+1]

View File

@@ -4,6 +4,7 @@
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-network-customizations.adoc
// * installing/installing_aws/installing-aws-private.adoc

View File

@@ -3,6 +3,7 @@
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-network-customizations.adoc
// * installing/installing_aws/installing-aws-private.adoc

View File

@@ -35,6 +35,7 @@
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-vpc.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-china-region.adoc
// * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
// * installing/installing_openstack/installing-openstack-installer-restricted.adoc
// * installing/installing_openstack/installing-openstack-user.adoc
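Review bot: The assembly path in the module header comment is wrong: this commit adds `installing/installing_aws/installing-aws-china.adoc` (its `[id]` and `:context:` are `installing-aws-china-region`, but the file is not), so the line `// * installing/installing_aws/installing-aws-china-region.adoc` should read `// * installing/installing_aws/installing-aws-china.adoc`, matching the same comment added to the other modules in this commit.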
@@ -130,7 +131,7 @@ ifdef::openshift-enterprise,openshift-webscale[]
[IMPORTANT]
====
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the content that is required and use it to populate a mirror registry with the packages that you need to install a cluster and generate the installation program. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
====
endif::openshift-enterprise,openshift-webscale[]

View File

@@ -35,6 +35,7 @@
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-vpc.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
// * installing/installing_openstack/installing-openstack-installer-restricted.adoc
// * installing/installing_openstack/installing-openstack-user.adoc

View File

@@ -21,12 +21,3 @@ The following AWS GovCloud partitions are supported:
The following AWS Secret Region partition is supported:
* `us-iso-east-1`
The AWS government or secret region, and accompanying custom AMI, must be manually configured in the
`install-config.yaml` file since {op-system} AMIs are not provided by Red Hat
for those regions.
[IMPORTANT]
====
If you are deploying to the C2S Secret Region, you must also define a custom CA certificate in the `additionalTrustBundle` field of the `install-config.yaml` file because the AWS API requires a custom CA trust bundle. To allow the installation program to access the AWS API, the CA certificates must also be defined on the machine that runs the installation program. You must add the CA bundle to the trust store on the machine, use the `AWS_CA_BUNDLE` environment variable, or define the CA bundle in the link:https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html[`ca_bundle`] field of the AWS config file.
====

View File

@@ -25,6 +25,11 @@ ifeval::["{context}" == "installing-aws-government-region"]
:private:
:gov:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:vpc:
:private:
:china:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:restricted:
endif::[]
@@ -32,15 +37,24 @@ endif::[]
[id="installation-aws-config-yaml_{context}"]
= Sample customized `install-config.yaml` file for AWS
You can customize the `install-config.yaml` file to specify more details about
You can customize the installation configuration file (`install-config.yaml`) to specify more details about
your {product-title} cluster's platform or modify the values of the required
parameters.
ifndef::china,gov[]
[IMPORTANT]
====
This sample YAML file is provided for reference only. You must obtain your
`install-config.yaml` file by using the installation program and modify it.
====
endif::china,gov[]
ifdef::china,gov[]
[IMPORTANT]
====
This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually.
====
endif::china,gov[]
[source,yaml]
----
@@ -53,14 +67,18 @@ controlPlane: <3> <4>
platform:
aws:
zones:
ifdef::china[]
- cn-north-1a
- cn-north-1b
endif::china[]
ifdef::gov[]
- us-gov-west-1a
- us-gov-west-1b
endif::gov[]
ifndef::gov[]
ifndef::gov,china[]
- us-west-2a
- us-west-2b
endif::gov[]
endif::gov,china[]
rootVolume:
iops: 4000
size: 500
@@ -78,12 +96,15 @@ compute: <3>
type: io1 <6>
type: c5.4xlarge
zones:
ifdef::china[]
- cn-north-1a
endif::china[]
ifdef::gov[]
- us-gov-west-1c
endif::gov[]
ifndef::gov[]
ifndef::gov,china[]
- us-west-2c
endif::gov[]
endif::gov,china[]
replicas: 3
metadata:
name: test-cluster <1>
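Review bot: The China sample places the compute pool in `cn-north-1a`, which duplicates one of the two control-plane zones (`cn-north-1a`, `cn-north-1b`), whereas the GovCloud and default samples deliberately put compute in a third zone (`us-gov-west-1c`, `us-west-2c`). If `cn-north-1` only exposes two zones to the account, say so in a callout; otherwise use a third zone so the sample keeps the same zone-spread pattern as the other variants.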
@@ -108,11 +129,14 @@ endif::openshift-origin[]
- 172.30.0.0/16
platform:
aws:
ifndef::gov[]
ifndef::gov,china[]
region: us-west-2 <1>
endif::gov[]
endif::gov,china[]
ifdef::china[]
region: cn-north-1 <1>
endif::china[]
ifdef::gov[]
region: us-gov-west-1
region: us-gov-west-1 <1>
endif::gov[]
userTags:
adminContact: jdoe
@@ -122,10 +146,20 @@ ifdef::vpc,restricted[]
- subnet-1
- subnet-2
- subnet-3
ifndef::gov,china[]
amiID: ami-96c6f8f7 <8>
endif::gov,china[]
ifdef::gov,china[]
amiID: ami-96c6f8f7 <1> <8>
endif::gov,china[]
serviceEndpoints: <9>
- name: ec2
ifndef::china[]
url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
endif::china[]
ifdef::china[]
url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn
endif::china[]
hostedZone: Z3URY6TWQ91KVV <10>
endif::vpc,restricted[]
ifndef::vpc,restricted[]
@@ -220,12 +254,12 @@ endif::restricted[]
----
ifndef::gov[]
ifndef::gov,china[]
<1> Required. The installation program prompts you for this value.
endif::gov[]
ifdef::gov[]
endif::gov,china[]
ifdef::gov,china[]
<1> Required.
endif::gov[]
endif::gov,china[]
<2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode, instead of having the CCO dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the _Cloud Credential Operator_ entry in the _Red Hat Operators reference_ content.
<3> If you do not provide these parameters and values, the installation program
provides the default value.
@@ -354,6 +388,11 @@ ifeval::["{context}" == "installing-aws-government-region"]
:!private:
:!gov:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:!vpc:
:!private:
:!china:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:!restricted:
endif::[]

View File

@@ -1,17 +1,31 @@
// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-user-infra.adoc
[id="installation-aws-regions-with-no-ami_{context}"]
= AWS regions without a published {op-system} AMI
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws-gov:
endif::[]
[id="installation-aws-regions-with-no-ami_{context}"]
ifndef::aws-china,aws-gov[]
= AWS regions without a published {op-system} AMI
endif::aws-china,aws-gov[]
ifdef::aws-china,aws-gov[]
= Installation requirments
endif::aws-china,aws-gov[]
ifndef::aws-china,aws-gov[]
You can deploy an {product-title} cluster to Amazon Web Services (AWS) regions
without native support for a {op-system-first} Amazon Machine Image (AMI) or the
AWS software development kit (SDK). If a
published AMI is not available for an AWS region, you can upload a custom AMI
prior to installing the cluster. This is required if you are deploying your
cluster to an AWS government or secret region. AWS government and secret regions are supported by the AWS SDK.
prior to installing the cluster.
If you are deploying to a region not supported by the AWS SDK
and you do not specify a custom AMI, the installation program
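Review bot: Typo in the new heading for the China and GovCloud variants: `= Installation requirments` should be `= Installation requirements`. Also check that only one `[id="installation-aws-regions-with-no-ami_{context}"]` line survives in this module; the hunk shows the `[id]` line both before and after the new attribute block, and a duplicated id renders as two anchors with the same name.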
@@ -25,3 +39,32 @@ A region without native support for an {op-system} AMI is not available to
select from the terminal during cluster creation because it is not published.
However, you can install to this region by configuring the custom AMI in the
`install-config.yaml` file.
endif::aws-china,aws-gov[]
ifdef::aws-china,aws-gov[]
ifdef::aws-china[Red Hat does not publish a {op-system-first} Amazon Machine Image (AMI) for the AWS China regions.]
ifdef::aws-gov[Red Hat does not publish a {op-system-first} Amzaon Machine Image for the AWS government or secret regions.]
Before you can install the cluster, you must:
* Upload a custom {op-system} AMI.
* Manually create the installation configuration file (`install-config.yaml`).
* Specify the AWS region, and the accompanying custom AMI, in the installation configuration file.
You cannot use the {product-title} installation program to create the installation configuration file. The installer does not list an AWS region without native support for an {op-system} AMI.
ifdef::aws-gov[]
[IMPORTANT]
====
If you are deploying to the C2S Secret Region, you must also define a custom CA certificate in the `additionalTrustBundle` field of the `install-config.yaml` file because the AWS API requires a custom CA trust bundle. To allow the installation program to access the AWS API, the CA certificates must also be defined on the machine that runs the installation program. You must add the CA bundle to the trust store on the machine, use the `AWS_CA_BUNDLE` environment variable, or define the CA bundle in the link:https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html[`ca_bundle`] field of the AWS config file.
====
endif::aws-gov[]
endif::aws-china,aws-gov[]
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws-gov:
endif::[]
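Review bot: The two inline `ifdef` sentences have drifted apart: the gov variant has the typo `Amzaon Machine Image` and drops the `(AMI)` abbreviation that the china variant (`Amazon Machine Image (AMI)`) introduces and that the bullet list below relies on. Use one wording for both, e.g. `Red Hat does not publish a {op-system-first} Amazon Machine Image (AMI) for the AWS government or secret regions.`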

View File

@@ -5,7 +5,12 @@
[id="installation-aws-regions_{context}"]
= Supported AWS regions
You can deploy an {product-title} cluster to the following public regions:
You can deploy an {product-title} cluster to the following regions.
[id="installation-aws-public_{context}"]
== AWS public regions
The following AWS public regions are supported:
* `af-south-1` (Cape Town)
* `ap-east-1` (Hong Kong)
@@ -28,11 +33,23 @@ You can deploy an {product-title} cluster to the following public regions:
* `us-west-1` (N. California)
* `us-west-2` (Oregon)
[id="installation-aws-govcloud_{context}"]
== AWS GovCloud regions
The following AWS GovCloud regions are supported:
* `us-gov-west-1`
* `us-gov-east-1`
The AWS C2S Secret Region is supported:
[id="installation-aws-c2s_{context}"]
== AWS C2S Secret region
* `us-iso-east-1`
The `us-iso-east-1` region is supported.
[id="installation-aws-china_{context}"]
== AWS China regions
The following AWS China regions are supported:
* `cn-north-1` (Beijing)
* `cn-northwest-1` (Ningxia)

View File

@@ -2,6 +2,13 @@
//
// * installing/installing_aws/installing-aws-government-region.adoc
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws-gov:
endif::[]
[id="installation-aws-upload-custom-rhcos-ami_{context}"]
= Uploading a custom {op-system} AMI in AWS
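Review bot: The "Module included in the following assemblies" header still lists only `installing/installing_aws/installing-aws-government-region.adoc`, but the new `installing-aws-china.adoc` assembly includes this module and this hunk adds an `aws-china` attribute for it. Add `// * installing/installing_aws/installing-aws-china.adoc` to the header so the inclusion is discoverable, as was done for the other modules in this commit.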
@@ -29,7 +36,8 @@ link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Instal
----
$ export AWS_PROFILE=<aws_profile> <1>
----
<1> The AWS profile name that holds your AWS credentials, like `govcloud`.
ifdef::aws-gov[<1> The AWS profile name that holds your AWS credentials, like `govcloud`.]
ifdef::aws-china[<1> The AWS profile name that holds your AWS credentials, like `beijingadmin`.]
. Export the region to associate with your custom AMI as an environment
variable:
@@ -38,7 +46,8 @@ variable:
----
$ export AWS_DEFAULT_REGION=<aws_region> <1>
----
<1> The AWS region, like `us-gov-east-1`.
ifdef::aws-gov[<1> The AWS region, like `us-gov-east-1`.]
ifdef::aws-china[<1> The AWS region, like `cn-north-1`.]
. Export the version of {op-system} you uploaded to Amazon S3 as an environment
variable:
@@ -140,3 +149,10 @@ $ aws ec2 register-image \
To learn more about these APIs, see the AWS documentation for
link:https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-import-snapshot.html[importing snapshots]
and link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot[creating EBS-backed AMIs].
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws-gov:
endif::[]

View File

@@ -1,5 +1,6 @@
// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-network-customizations.adoc
@@ -35,11 +36,14 @@
// * installing/installing_ibm_power/installing-ibm-power.adoc
// * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-customizations"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws:
:aws-gov:
endif::[]
ifeval::["{context}" == "installing-aws-network-customizations"]
:aws:
@@ -170,14 +174,25 @@ endif::[]
= Installation configuration parameters
// If install-config.yaml is generated by openshift-install
ifndef::bare,ibm-power,ibm-z[]
ifndef::bare,ibm-power,ibm-z,aws-china,aws-gov[]
Before you deploy an {product-title} cluster, you provide parameter values to describe your account on the cloud platform that hosts your cluster and optionally customize your cluster's platform. When you create the `install-config.yaml` installation configuration file, you provide values for the required parameters through the command line. If you customize your cluster, you can modify the `install-config.yaml` file to provide more details about the platform.
endif::bare,ibm-power,ibm-z[]
endif::bare,ibm-power,ibm-z,aws-china,aws-gov[]
// If the user manually creates install-config.yaml
ifdef::bare,ibm-power,ibm-z[]
Before you deploy an {product-title} cluster, you provide a customized `install-config.yaml` installation configuration file that describes the details for your environment.
endif::bare,ibm-power,ibm-z[]
ifdef::aws-china,aws-gov[]
Before you deploy an {product-title} cluster, modify the installation configuration file (`install-config.yaml`) to describe your environment. While there are other required parameters, you must specify:
* The platform and region to which you are installing the cluster.
* The name of the {op-system} Amazon machine image (AMI) that you created.
You can find the parameters for these values under `platform`.
The following tables detail the required, as well as optional, parameters.
endif::aws-china,aws-gov[]
[NOTE]
====
After installation, you cannot modify these parameters in the `install-config.yaml` file.
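Review bot: "The name of the {op-system} Amazon machine image (AMI) that you created" is misleading: the parameter the reader must set is `platform.aws.amiID` (the sample shows `amiID: ami-96c6f8f7 <1> <8>`), which takes the AMI ID returned by `aws ec2 register-image`, not a name. Suggest "The ID of the custom {op-system} Amazon Machine Image (AMI) that you uploaded" and capitalize "Amazon Machine Image" as the rest of the docs do.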
@@ -581,7 +596,7 @@ sshKey:
```
|====
ifdef::aws[]
ifdef::aws,aws-china,aws-gov[]
[id="installation-configuration-parameters-optional-aws_{context}"]
== Optional AWS configuration parameters
@@ -679,7 +694,7 @@ host must trust the certificate.
|Valid subnet IDs.
|====
endif::aws[]
endif::aws,aws-china,aws-gov[]
ifdef::osp[]
[id="installation-configuration-parameters-additional-osp_{context}"]
@@ -1220,11 +1235,15 @@ endif::vsphere,vmc[]
ifdef::bare[]
:!bare:
endif::bare[]
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-customizations"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws:
:!aws-gov:
endif::[]
ifeval::["{context}" == "installing-aws-network-customizations"]
:!aws:

View File

@@ -1,5 +1,6 @@
// Module included in the following assemblies:
//
// * installing/installing_aws/installing_aws-china.adoc
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
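Review bot: Typo in the module header path: `// * installing/installing_aws/installing_aws-china.adoc` uses an underscore where the file added in this commit is `installing-aws-china.adoc`.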
@@ -22,6 +23,9 @@
// * networking/configuring-a-custom-pki.adoc
// * installing/installing-rhv-restricted-network.adoc
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:bare-metal:
endif::[]
@@ -70,7 +74,12 @@ The `Proxy` object `status.noProxy` field is populated with the values of the `n
For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and {rh-openstack-first}, the `Proxy` object `status.noProxy` field is also populated with the instance metadata endpoint (`169.254.169.254`).
====
ifndef::aws-china[]
* If your cluster is on AWS, you added the `ec2.<region>.amazonaws.com`, `elasticloadbalancing.<region>.amazonaws.com`, and `s3.<region>.amazonaws.com` endpoints to your VPC endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works on the container level, not the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not sufficient.
endif::aws-china[]
ifdef::aws-china[]
* You have added the `ec2.<region>.amazonaws.com.cn`, `elasticloadbalancing.<region>.amazonaws.com`, and `s3.<region>.amazonaws.com` endpoints to your VPC endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works on the container level, not the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not sufficient.
endif::aws-china[]
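Review bot: The China variant only changes the EC2 endpoint suffix. In the China partition the Elastic Load Balancing and S3 endpoints also use the `amazonaws.com.cn` suffix, so the bullet should read `ec2.<region>.amazonaws.com.cn`, `elasticloadbalancing.<region>.amazonaws.com.cn` and `s3.<region>.amazonaws.com.cn`. This matters beyond cosmetics: the paragraph explains that these requests must bypass the proxy over the VPC private network, so a reader who creates VPC endpoints for the `.com` names will not have private endpoints for the ELB and S3 calls the nodes actually make. If the only difference between the two branches is the hostname suffix, a single bullet with a conditional suffix would also avoid maintaining two copies of the same sentence.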
// TODO: xref installation-aws-user-infra-requirements.adoc#installation-aws-user-infra-other-infrastructure_{context} as a relative link
.Procedure
@@ -129,6 +138,9 @@ Only the `Proxy` object named `cluster` is supported, and no additional
proxies can be created.
====
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:!bare-metal:
endif::[]

View File

@@ -6,6 +6,9 @@
[id="installation-custom-aws-vpc_{context}"]
= About using a custom VPC
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
In {product-title} {product-version}, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying {product-title} into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company's guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
@@ -36,14 +39,21 @@ If you use a cluster with public access, you must create a public and a private
The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify.
If you are working in a disconnected environment, you are unable to reach the
public IP addresses for EC2 and ELB endpoints. To resolve this, you must create
a VPC endpoint and attach it to the subnet that the clusters are using. The
endpoints should be named as follows:
ifndef::aws-china[]
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2 and ELB endpoints. To resolve this, you must create a VPC endpoint and attach it to the subnet that the clusters are using. The endpoints should be named as follows:
* `ec2.<region>.amazonaws.com`
* `elasticloadbalancing.<region>.amazonaws.com`
* `s3.<region>.amazonaws.com`
endif::aws-china[]
ifdef::aws-china[]
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2 and ELB endpoints. To resolve this, you must create a VPC endpoint and attach it to the subnet that the clusters are using. The endpoints should be named as follows:
* `ec2.<region>.amazonaws.com.cn`
* `elasticloadbalancing.<region>.amazonaws.com`
* `s3.<region>.amazonaws.com`
endif::aws-china[]
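Review bot: Same inconsistency as in the proxy module: the China list changes only `ec2.<region>.amazonaws.com.cn` and leaves `elasticloadbalancing.<region>.amazonaws.com` and `s3.<region>.amazonaws.com`, which are the non-China partition names; in the China partition these are `elasticloadbalancing.<region>.amazonaws.com.cn` and `s3.<region>.amazonaws.com.cn`. Since the explanatory sentence is identical in both branches, keep it unconditional and wrap only the three bullets in `ifdef::aws-china[]`/`ifndef::aws-china[]`.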
.Required VPC components
@@ -146,4 +156,8 @@ If you deploy {product-title} to an existing network, the isolation of cluster s
//You can restrict ingress to the control plane and compute security groups by either adding the security groups to an SSH bastion instance or altering rules to allow the bastion.
* Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
* Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
//This should be restricted to the control plane and compute security groups, instead of the current by-VPC-CIDR logic to avoid leaking sensitive Ignition configs to non-cluster entities sharing the VPC.

View File

@@ -28,6 +28,9 @@ endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:restricted:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws-gov:
endif::[]
@@ -44,14 +47,14 @@ endif::[]
[id="installation-initializing-manual_{context}"]
= Manually creating the installation configuration file
ifndef::aws-gov,azure-gov,aws-private,azure-private,gcp-private[]
ifndef::aws-china,aws-gov,azure-gov,aws-private,azure-private,gcp-private[]
For user-provisioned installations of {product-title}, you manually generate your installation configuration file.
endif::aws-gov,azure-gov,aws-private,azure-private,gcp-private[]
ifdef::aws-gov[]
endif::aws-china,aws-gov,azure-gov,aws-private,azure-private,gcp-private[]
ifdef::aws-china,aws-gov[]
When installing {product-title} on Amazon Web Services (AWS) into a region
requiring a custom {op-system-first} AMI, you must manually generate your
installation configuration file.
endif::aws-gov[]
endif::aws-china,aws-gov[]
ifdef::azure-gov[]
When installing {product-title} on Microsoft Azure into a government region, you
must manually generate your installation configuration file.
@@ -62,6 +65,9 @@ endif::aws-private,azure-private,gcp-private[]
.Prerequisites
ifdef::aws-china,aws-gov[]
* You have uploaded a custom RHCOS AMI.
endif::aws-china,aws-gov[]
* You have an SSH public key on your local machine to provide to the installation program. The key will be used for SSH authentication onto your cluster nodes for debugging and disaster recovery.
* You have obtained the {product-title} installation program and the pull secret for your
cluster.
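Review bot: The new prerequisite `* You have uploaded a custom RHCOS AMI.` hard-codes "RHCOS" where the surrounding text and the module's own sentence above use the `{op-system}` attribute (`requiring a custom {op-system-first} AMI`); use `* You have uploaded a custom {op-system} AMI.` so the product name stays attribute-driven.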
@@ -107,10 +113,13 @@ provide the certificate for your mirror.
mirror the repository.
endif::restricted[]
+
ifndef::aws-china,aws-gov[]
[NOTE]
====
For some platform types, you can alternatively run `./openshift-install create install-config --dir=<installation_directory>` to generate an `install-config.yaml` file. You can provide details about your cluster configuration at the prompts.
====
endif::aws-china,aws-gov[]
. Back up the `install-config.yaml` file so that you can use it to install
multiple clusters.
@@ -133,6 +142,9 @@ endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:!restricted:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws-gov:
endif::[]

View File

@@ -37,6 +37,10 @@ ifeval::["{context}" == "installing-aws-customizations"]
:custom-config:
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:custom-config:
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:custom-config:
:aws:
@@ -427,6 +431,10 @@ ifeval::["{context}" == "installing-aws-customizations"]
:!custom-config:
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:!custom-config:
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!custom-config:
:!aws:

@@ -1,5 +1,6 @@
// Module included in the following assemblies:
//
// *installing/installing_aws/installing-aws-china.adoc.
// *installing/validating-an-installation.adoc
// *installing/installing_aws/installing-aws-user-infra.adoc
// *installing/installing_aws/installing-restricted-networks-aws.adoc
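Review bot: the added include comment `// *installing/installing_aws/installing-aws-china.adoc.` ends with a period that the other entries in this list (`// *installing/validating-an-installation.adoc`, `// *installing/installing_aws/installing-aws-user-infra.adoc`) do not have; drop the trailing period to match.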
@@ -20,7 +21,7 @@ The `kubeadmin` user exists by default after an {product-title} installation. Yo
+
[source,terminal]
----
$ cat <installation_directory>/auth/kubeadmin-password
$ cat <installation_directory>/auth/kubeadmin-password
----
+
[NOTE]
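Review bot: the old and new `$ cat <installation_directory>/auth/kubeadmin-password` lines are identical as rendered, so this looks like a whitespace-only change (for example trailing whitespace); if that is intended, fine, but it is unrelated to the China-region support and could be dropped to keep the commit focused.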

@@ -1,5 +1,6 @@
// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-private.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
@@ -13,6 +14,10 @@ ifeval::["{context}" == "installing-aws-government-region"]
:aws-gov:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:aws-china:
endif::[]
You can deploy a private {product-title} cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the internet.
ifdef::aws-gov[]
@@ -25,10 +30,34 @@ endif::aws-gov[]
By default, {product-title} is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
To deploy a private cluster, you must use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
To deploy a private cluster, you must:
Additionally, you must deploy a private cluster from a machine that has access the API services for the cloud you provision to, the hosts on the network that you provision, and to the internet to obtain installation media. You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.
* Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
* Deploy from a machine that has access to:
** The API services for the cloud to which you provision.
** The hosts on the network that you provision.
** The internet to obtain installation media.
ifndef::aws-china[]
You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.
endif::aws-china[]
ifdef::aws-china[]
You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network.
endif::aws-china[]
ifdef::aws-china[]
[NOTE]
====
AWS China does not support a VPN connection between the VPC and your network. For more information about the Amazon VPC service in the Beijing and Ningxia regions, see link:https://docs.amazonaws.cn/en_us/aws/latest/userguide/vpc.html[Amazon Virtual Private Cloud] in the AWS China documentation.
====
endif::aws-china[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws-gov:
endif::[]
ifeval::["{context}" == "installing-aws-china-region"]
:!aws-china:
endif::[]
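Review bot: the two `ifdef::aws-china[]` blocks (the paragraph ending `... on your cloud network.` and the `[NOTE]` about VPN) are adjacent and can be merged into a single `ifdef::aws-china[]` ... `endif::aws-china[]` block; the `ifndef::aws-china[]` and `ifdef::aws-china[]` paragraphs also differ only in the clause `or a machine that has access to the network through a VPN`, so keeping the shared sentence unconditional and wrapping only that clause (on its own line within the paragraph) in `ifndef::aws-china[]` would avoid maintaining two near-identical copies.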

@@ -1,6 +1,7 @@
// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-china.adoc
// * installing/installing_aws/installing-aws-customizations.adoc
// * installing/installing_aws/installing-aws-default.adoc
// * installing/installing_aws/installing-aws-government-region.adoc