From 6d4c197448091a5a75804e3103fdf3dd2fe4b0a2 Mon Sep 17 00:00:00 2001 From: Mike Pytlak Date: Tue, 17 Aug 2021 09:56:43 -0400 Subject: [PATCH] Adding support for installing a cluster to AWS China regions --- _topic_map.yml | 2 + .../installing_aws/installing-aws-china.adoc | 68 +++++++++++++++++++ .../installing-aws-government-region.adoc | 6 +- modules/cli-installing-cli.adoc | 1 + modules/cli-logging-in-kubeadmin.adoc | 1 + modules/cluster-entitlements.adoc | 3 +- modules/cluster-telemetry.adoc | 1 + ...tallation-aws-about-government-region.adoc | 9 --- modules/installation-aws-config-yaml.adoc | 63 +++++++++++++---- .../installation-aws-regions-with-no-ami.adoc | 51 ++++++++++++-- modules/installation-aws-regions.adoc | 23 ++++++- ...tallation-aws-upload-custom-rhcos-ami.adoc | 20 +++++- ...installation-configuration-parameters.adoc | 31 +++++++-- modules/installation-configure-proxy.adoc | 12 ++++ modules/installation-custom-aws-vpc.adoc | 22 ++++-- modules/installation-initializing-manual.adoc | 20 ++++-- modules/installation-launching-installer.adoc | 8 +++ .../logging-in-by-using-the-web-console.adoc | 3 +- modules/private-clusters-default.adoc | 33 ++++++++- modules/ssh-agent-using.adoc | 1 + 20 files changed, 328 insertions(+), 50 deletions(-) create mode 100644 installing/installing_aws/installing-aws-china.adoc diff --git a/_topic_map.yml b/_topic_map.yml index 0027a6e277..c2d0a1c8ad 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -156,6 +156,8 @@ Topics: File: installing-aws-private - Name: Installing a cluster on AWS into a government or secret region File: installing-aws-government-region + - Name: Installing a cluster on AWS into a China region + File: installing-aws-china - Name: Installing a cluster on AWS using CloudFormation templates File: installing-aws-user-infra - Name: Installing a cluster on AWS in a restricted network with user-provisioned infrastructure 
diff --git a/installing/installing_aws/installing-aws-china.adoc b/installing/installing_aws/installing-aws-china.adoc new file mode 100644 index 0000000000..96bfbc57fc --- /dev/null +++ b/installing/installing_aws/installing-aws-china.adoc 
@@ -0,0 +1,68 @@ +[id="installing-aws-china-region"] += Installing a cluster on AWS China +include::modules/common-attributes.adoc[] +:context: installing-aws-china-region + +toc::[] + +In {product-title} version {product-version}, you can install a cluster to the following Amazon Web Services (AWS) China regions: + +* `cn-north-1` (Beijing) +* `cn-northwest-1` (Ningxia) + +== Prerequisites + +* You have an Internet Content Provider (ICP) license. +* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. +* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. +* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster. +* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials]. + +[IMPORTANT] +==== +If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-lived credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. 
You can supply the keys when you run the installation program. +==== + +include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+1] + +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +include::modules/private-clusters-default.adoc[leveloffset=+1] +include::modules/private-clusters-about-aws.adoc[leveloffset=+2] + +include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1] + +include::modules/ssh-agent-using.adoc[leveloffset=+1] + +include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+1] + +include::modules/installation-obtaining-installer.adoc[leveloffset=+1] + +include::modules/installation-initializing-manual.adoc[leveloffset=+1] +include::modules/installation-configuration-parameters.adoc[leveloffset=+2] +include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] +include::modules/installation-supported-aws-machine-types.adoc[leveloffset=+2] +include::modules/installation-configure-proxy.adoc[leveloffset=+2] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] + +include::modules/cli-installing-cli.adoc[leveloffset=+1] + +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1] + +include::modules/cluster-telemetry.adoc[leveloffset=+1] + +.Additional resources + +* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console. +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + +== Next steps + +* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation]. +* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]. 
+* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting]. +* If necessary, you can xref:../../authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc#manually-removing-cloud-creds_cco-mode-mint[remove cloud provider credentials]. diff --git a/installing/installing_aws/installing-aws-government-region.adoc b/installing/installing_aws/installing-aws-government-region.adoc index 8d30ac79f1..8c50ded6f0 100644 --- a/installing/installing_aws/installing-aws-government-region.adoc +++ b/installing/installing_aws/installing-aws-government-region.adoc @@ -24,6 +24,7 @@ If you have an AWS profile stored on your computer, it must not use a temporary * If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials]. include::modules/installation-aws-about-government-region.adoc[leveloffset=+1] +include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+1] include::modules/private-clusters-default.adoc[leveloffset=+1] include::modules/private-clusters-about-aws.adoc[leveloffset=+2] 
@@ -34,14 +35,15 @@ include::modules/cluster-entitlements.adoc[leveloffset=+1] include::modules/ssh-agent-using.adoc[leveloffset=+1] +include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+1] + include::modules/installation-obtaining-installer.adoc[leveloffset=+1] include::modules/installation-initializing-manual.adoc[leveloffset=+1] include::modules/installation-configuration-parameters.adoc[leveloffset=+2] include::modules/installation-supported-aws-machine-types.adoc[leveloffset=+2] include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] -include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+2] -include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+2] + include::modules/installation-configure-proxy.adoc[leveloffset=+2] include::modules/installation-launching-installer.adoc[leveloffset=+1] diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc index 15d316c20b..cf634481fc 100644 --- a/modules/cli-installing-cli.adoc +++ b/modules/cli-installing-cli.adoc @@ -4,6 +4,7 @@ // * installing/installing_aws/installing-aws-user-infra.adoc // * installing/installing_aws/installing-aws-customizations.adoc // * installing/installing_aws/installing-aws-default.adoc +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc index f2d485a2af..b8985f0733 100644 --- a/modules/cli-logging-in-kubeadmin.adoc +++ b/modules/cli-logging-in-kubeadmin.adoc 
@@ -3,6 +3,7 @@ // * installing/installing_aws/installing-aws-user-infra.adoc // * installing/installing_aws/installing-aws-customizations.adoc // * installing/installing_aws/installing-aws-default.adoc +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc diff --git a/modules/cluster-entitlements.adoc b/modules/cluster-entitlements.adoc index 55c49d7656..817414b69c 100644 --- a/modules/cluster-entitlements.adoc +++ b/modules/cluster-entitlements.adoc @@ -35,6 +35,7 @@ // * installing/installing_aws/installing-aws-default.adoc // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_aws/installing-aws-government-region.adoc +// * installing/installing_aws/installing-aws-china-region.adoc // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc // * installing/installing_openstack/installing-openstack-installer-restricted.adoc // * installing/installing_openstack/installing-openstack-user.adoc 
@@ -130,7 +131,7 @@ ifdef::openshift-enterprise,openshift-webscale[] [IMPORTANT] ==== -If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the content that is required and use it to populate a mirror registry with the packages that you need to install a cluster and generate the installation program. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry. +If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry. ==== endif::openshift-enterprise,openshift-webscale[] diff --git a/modules/cluster-telemetry.adoc b/modules/cluster-telemetry.adoc index 8a29518769..a3640d629c 100644 --- a/modules/cluster-telemetry.adoc +++ b/modules/cluster-telemetry.adoc @@ -35,6 +35,7 @@ // * installing/installing_aws/installing-aws-default.adoc // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_aws/installing-aws-government-region.adoc +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc // * installing/installing_openstack/installing-openstack-installer-restricted.adoc // * installing/installing_openstack/installing-openstack-user.adoc diff --git a/modules/installation-aws-about-government-region.adoc b/modules/installation-aws-about-government-region.adoc index fd1808202f..b932b3b39b 100644 
--- a/modules/installation-aws-about-government-region.adoc +++ b/modules/installation-aws-about-government-region.adoc @@ -21,12 +21,3 @@ The following AWS GovCloud partitions are supported: The following AWS Secret Region partition is supported: * `us-iso-east-1` - -The AWS government or secret region, and accompanying custom AMI, must be manually configured in the -`install-config.yaml` file since {op-system} AMIs are not provided by Red Hat -for those regions. - -[IMPORTANT] -==== -If you are deploying to the C2S Secret Region, you must also define a custom CA certificate in the `additionalTrustBundle` field of the `install-config.yaml` file because the AWS API requires a custom CA trust bundle. To allow the installation program to access the AWS API, the CA certificates must also be defined on the machine that runs the installation program. You must add the CA bundle to the trust store on the machine, use the `AWS_CA_BUNDLE` environment variable, or define the CA bundle in the link:https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html[`ca_bundle`] field of the AWS config file. -==== diff --git a/modules/installation-aws-config-yaml.adoc b/modules/installation-aws-config-yaml.adoc index 4563bc670b..ec5faec785 100644 --- a/modules/installation-aws-config-yaml.adoc +++ b/modules/installation-aws-config-yaml.adoc @@ -25,6 +25,11 @@ ifeval::["{context}" == "installing-aws-government-region"] :private: :gov: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:vpc: +:private: +:china: +endif::[] ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] :restricted: endif::[] 
@@ -32,15 +37,24 @@ endif::[] [id="installation-aws-config-yaml_{context}"] = Sample customized `install-config.yaml` file for AWS -You can customize the `install-config.yaml` file to specify more details about +You can customize the installation configuration file (`install-config.yaml`) to specify more details about your {product-title} cluster's platform or modify the values of the required parameters. +ifndef::china,gov[] [IMPORTANT] ==== This sample YAML file is provided for reference only. You must obtain your `install-config.yaml` file by using the installation program and modify it. ==== +endif::china,gov[] + +ifdef::china,gov[] +[IMPORTANT] +==== +This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually. +==== +endif::china,gov[] [source,yaml] ---- @@ -53,14 +67,18 @@ controlPlane: <3> <4> platform: aws: zones: +ifdef::china[] + - cn-north-1a + - cn-north-1b +endif::china[] ifdef::gov[] - us-gov-west-1a - us-gov-west-1b endif::gov[] -ifndef::gov[] +ifndef::gov,china[] - us-west-2a - us-west-2b -endif::gov[] +endif::gov,china[] rootVolume: iops: 4000 size: 500 @@ -78,12 +96,15 @@ compute: <3> type: io1 <6> type: c5.4xlarge zones: +ifdef::china[] + - cn-north-1a +endif::china[] ifdef::gov[] - us-gov-west-1c endif::gov[] -ifndef::gov[] +ifndef::gov,china[] - us-west-2c -endif::gov[] +endif::gov,china[] replicas: 3 metadata: name: test-cluster <1> @@ -108,11 +129,14 @@ endif::openshift-origin[] - 172.30.0.0/16 platform: aws: -ifndef::gov[] +ifndef::gov,china[] region: us-west-2 <1> -endif::gov[] +endif::gov,china[] +ifdef::china[] + region: cn-north-1 <1> +endif::china[] ifdef::gov[] - region: us-gov-west-1 + region: us-gov-west-1 <1> endif::gov[] userTags: adminContact: jdoe 
@@ -122,10 +146,20 @@ ifdef::vpc,restricted[] - subnet-1 - subnet-2 - subnet-3 +ifndef::gov,china[] amiID: ami-96c6f8f7 <8> +endif::gov,china[] +ifdef::gov,china[] + amiID: ami-96c6f8f7 <1> <8> +endif::gov,china[] serviceEndpoints: <9> - name: ec2 +ifndef::china[] url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com +endif::china[] +ifdef::china[] + url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn +endif::china[] hostedZone: Z3URY6TWQ91KVV <10> endif::vpc,restricted[] ifndef::vpc,restricted[] @@ -220,12 +254,12 @@ endif::restricted[] ---- -ifndef::gov[] +ifndef::gov,china[] <1> Required. The installation program prompts you for this value. -endif::gov[] -ifdef::gov[] +endif::gov,china[] +ifdef::gov,china[] <1> Required. -endif::gov[] +endif::gov,china[] <2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode, instead of having the CCO dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the _Cloud Credential Operator_ entry in the _Red Hat Operators reference_ content. <3> If you do not provide these parameters and values, the installation program provides the default value. @@ -354,6 +388,11 @@ ifeval::["{context}" == "installing-aws-government-region"] :!private: :!gov: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:!vpc: +:!private: +:!china: +endif::[] ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] :!restricted: endif::[] diff --git a/modules/installation-aws-regions-with-no-ami.adoc b/modules/installation-aws-regions-with-no-ami.adoc index 84a2e6829f..e60ed5aa31 100644 --- a/modules/installation-aws-regions-with-no-ami.adoc +++ b/modules/installation-aws-regions-with-no-ami.adoc 
@@ -1,17 +1,31 @@ // Module included in the following assemblies: // +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-aws-user-infra.adoc -[id="installation-aws-regions-with-no-ami_{context}"] -= AWS regions without a published {op-system} AMI +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] +ifeval::["{context}" == "installing-aws-government-region"] +:aws-gov: +endif::[] +[id="installation-aws-regions-with-no-ami_{context}"] +ifndef::aws-china,aws-gov[] += AWS regions without a published {op-system} AMI +endif::aws-china,aws-gov[] + +ifdef::aws-china,aws-gov[] += Installation requirments +endif::aws-china,aws-gov[] + +ifndef::aws-china,aws-gov[] You can deploy an {product-title} cluster to Amazon Web Services (AWS) regions without native support for a {op-system-first} Amazon Machine Image (AMI) or the AWS software development kit (SDK). If a published AMI is not available for an AWS region, you can upload a custom AMI -prior to installing the cluster. This is required if you are deploying your -cluster to an AWS government or secret region. AWS government and secret regions are supported by the AWS SDK. +prior to installing the cluster. If you are deploying to a region not supported by the AWS SDK and you do not specify a custom AMI, the installation program 
@@ -25,3 +39,32 @@ A region without native support for an {op-system} AMI is not available to select from the terminal during cluster creation because it is not published. However, you can install to this region by configuring the custom AMI in the `install-config.yaml` file. +endif::aws-china,aws-gov[] + +ifdef::aws-china,aws-gov[] +ifdef::aws-china[Red Hat does not publish a {op-system-first} Amazon Machine Image (AMI) for the AWS China regions.] +ifdef::aws-gov[Red Hat does not publish a {op-system-first} Amzaon Machine Image for the AWS government or secret regions.] + +Before you can install the cluster, you must: + +* Upload a custom {op-system} AMI. +* Manually create the installation configuration file (`install-config.yaml`). +* Specify the AWS region, and the accompanying custom AMI, in the installation configuration file. + +You cannot use the {product-title} installation program to create the installation configuration file. The installer does not list an AWS region without native support for an {op-system} AMI. + +ifdef::aws-gov[] +[IMPORTANT] +==== +If you are deploying to the C2S Secret Region, you must also define a custom CA certificate in the `additionalTrustBundle` field of the `install-config.yaml` file because the AWS API requires a custom CA trust bundle. To allow the installation program to access the AWS API, the CA certificates must also be defined on the machine that runs the installation program. You must add the CA bundle to the trust store on the machine, use the `AWS_CA_BUNDLE` environment variable, or define the CA bundle in the link:https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-ca_bundle.html[`ca_bundle`] field of the AWS config file. +==== +endif::aws-gov[] + +endif::aws-china,aws-gov[] + +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] +ifeval::["{context}" == "installing-aws-government-region"] +:!aws-gov: +endif::[] 
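Review bot: the new conditional heading in modules/installation-aws-regions-with-no-ami.adoc misspells "requirements" (`= Installation requirments`), and the `ifdef::aws-gov[...]` sentence in the same hunk misspells "Amazon" (`Amzaon Machine Image`); that sentence should also introduce the abbreviation, `Amazon Machine Image (AMI)`, the way the `ifdef::aws-china[...]` sentence beside it does, because the bullet list that follows refers to "a custom {op-system} AMI" without expanding it.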
diff --git a/modules/installation-aws-regions.adoc b/modules/installation-aws-regions.adoc index 56037b11fe..3a6139893f 100644 --- a/modules/installation-aws-regions.adoc +++ b/modules/installation-aws-regions.adoc @@ -5,7 +5,12 @@ [id="installation-aws-regions_{context}"] = Supported AWS regions -You can deploy an {product-title} cluster to the following public regions: +You can deploy an {product-title} cluster to the following regions. + +[id="installation-aws-public_{context}"] +== AWS public regions + +The following AWS public regions are supported: * `af-south-1` (Cape Town) * `ap-east-1` (Hong Kong) @@ -28,11 +33,23 @@ You can deploy an {product-title} cluster to the following public regions: * `us-west-1` (N. California) * `us-west-2` (Oregon) +[id="installation-aws-govcloud_{context}"] +== AWS GovCloud regions + The following AWS GovCloud regions are supported: * `us-gov-west-1` * `us-gov-east-1` -The AWS C2S Secret Region is supported: +[id="installation-aws-c2s_{context}"] +== AWS C2S Secret region -* `us-iso-east-1` +The `us-iso-east-1` region is supported. + +[id="installation-aws-china_{context}"] +== AWS China regions + +The following AWS China regions are supported: + +* `cn-north-1` (Beijing) +* `cn-northwest-1` (Ningxia) diff --git a/modules/installation-aws-upload-custom-rhcos-ami.adoc b/modules/installation-aws-upload-custom-rhcos-ami.adoc index e4c991d1f0..cc076ceb69 100644 --- a/modules/installation-aws-upload-custom-rhcos-ami.adoc +++ b/modules/installation-aws-upload-custom-rhcos-ami.adoc @@ -2,6 +2,13 @@ // // * installing/installing_aws/installing-aws-government-region.adoc +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] +ifeval::["{context}" == "installing-aws-government-region"] +:aws-gov: +endif::[] + [id="installation-aws-upload-custom-rhcos-ami_{context}"] = Uploading a custom {op-system} AMI in AWS 
@@ -29,7 +36,8 @@ link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Instal ---- $ export AWS_PROFILE= <1> ---- -<1> The AWS profile name that holds your AWS credentials, like `govcloud`. +ifdef::aws-gov[<1> The AWS profile name that holds your AWS credentials, like `govcloud`.] +ifdef::aws-china[<1> The AWS profile name that holds your AWS credentials, like `beijingadmin`.] . Export the region to associate with your custom AMI as an environment variable: @@ -38,7 +46,8 @@ variable: ---- $ export AWS_DEFAULT_REGION= <1> ---- -<1> The AWS region, like `us-gov-east-1`. +ifdef::aws-gov[<1> The AWS region, like `us-gov-east-1`.] +ifdef::aws-china[<1> The AWS region, like `cn-north-1`.] . Export the version of {op-system} you uploaded to Amazon S3 as an environment variable: @@ -140,3 +149,10 @@ $ aws ec2 register-image \ To learn more about these APIs, see the AWS documentation for link:https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-import-snapshot.html[importing snapshots] and link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot[creating EBS-backed AMIs]. + +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] +ifeval::["{context}" == "installing-aws-government-region"] +:!aws-gov: +endif::[] diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc index 8ad829f258..6fb6fb8e4f 100644 --- a/modules/installation-configuration-parameters.adoc +++ b/modules/installation-configuration-parameters.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_aws/installing-aws-customizations.adoc // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-aws-network-customizations.adoc 
@@ -35,11 +36,14 @@ // * installing/installing_ibm_power/installing-ibm-power.adoc // * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] ifeval::["{context}" == "installing-aws-customizations"] :aws: endif::[] ifeval::["{context}" == "installing-aws-government-region"] -:aws: +:aws-gov: endif::[] ifeval::["{context}" == "installing-aws-network-customizations"] :aws: 
@@ -170,14 +174,25 @@ endif::[] = Installation configuration parameters // If install-config.yaml is generated by openshift-install -ifndef::bare,ibm-power,ibm-z[] +ifndef::bare,ibm-power,ibm-z,aws-china,aws-gov[] Before you deploy an {product-title} cluster, you provide parameter values to describe your account on the cloud platform that hosts your cluster and optionally customize your cluster's platform. When you create the `install-config.yaml` installation configuration file, you provide values for the required parameters through the command line. If you customize your cluster, you can modify the `install-config.yaml` file to provide more details about the platform. -endif::bare,ibm-power,ibm-z[] +endif::bare,ibm-power,ibm-z,aws-china,aws-gov[] // If the user manually creates install-config.yaml ifdef::bare,ibm-power,ibm-z[] Before you deploy an {product-title} cluster, you provide a customized `install-config.yaml` installation configuration file that describes the details for your environment. endif::bare,ibm-power,ibm-z[] +ifdef::aws-china,aws-gov[] +Before you deploy an {product-title} cluster, modify the installation configuration file (`install-config.yaml`) to describe your environment. While there are other required parameters, you must specify: + +* The platform and region to which you are installing the cluster. +* The name of the {op-system} Amazon machine image (AMI) that you created. + +You can find the parameters for these values under `platform`. + +The following tables detail the required, as well as optional, parameters. +endif::aws-china,aws-gov[] + [NOTE] ==== After installation, you cannot modify these parameters in the `install-config.yaml` file. @@ -581,7 +596,7 @@ sshKey: ``` |==== -ifdef::aws[] +ifdef::aws,aws-china,aws-gov[] [id="installation-configuration-parameters-optional-aws_{context}"] == Optional AWS configuration parameters 
@@ -679,7 +694,7 @@ host must trust the certificate. |Valid subnet IDs. |==== -endif::aws[] +endif::aws,aws-china,aws-gov[] ifdef::osp[] [id="installation-configuration-parameters-additional-osp_{context}"] @@ -1220,11 +1235,15 @@ endif::vsphere,vmc[] ifdef::bare[] :!bare: endif::bare[] + +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] ifeval::["{context}" == "installing-aws-customizations"] :!aws: endif::[] ifeval::["{context}" == "installing-aws-government-region"] -:!aws: +:!aws-gov: endif::[] ifeval::["{context}" == "installing-aws-network-customizations"] :!aws: diff --git a/modules/installation-configure-proxy.adoc b/modules/installation-configure-proxy.adoc index b120efc5e0..cc0f5644fb 100644 --- a/modules/installation-configure-proxy.adoc +++ b/modules/installation-configure-proxy.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// * installing/installing_aws/installing_aws-china.adoc // * installing/installing_aws/installing-aws-user-infra.adoc // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc @@ -22,6 +23,9 @@ // * networking/configuring-a-custom-pki.adoc // * installing/installing-rhv-restricted-network.adoc +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] ifeval::["{context}" == "installing-bare-metal"] :bare-metal: endif::[] 
@@ -70,7 +74,12 @@ The `Proxy` object `status.noProxy` field is populated with the values of the `n For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and {rh-openstack-first}, the `Proxy` object `status.noProxy` field is also populated with the instance metadata endpoint (`169.254.169.254`). ==== +ifndef::aws-china[] * If your cluster is on AWS, you added the `ec2..amazonaws.com`, `elasticloadbalancing..amazonaws.com`, and `s3..amazonaws.com` endpoints to your VPC endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works on the container level, not the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not sufficient. +endif::aws-china[] +ifdef::aws-china[] +* You have added the `ec2..amazonaws.com.cn`, `elasticloadbalancing..amazonaws.com`, and `s3..amazonaws.com` endpoints to your VPC endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works on the container level, not the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not sufficient. +endif::aws-china[] // TODO: xref installation-aws-user-infra-requirements.adoc#installation-aws-user-infra-other-infrastructure_{context} as a relative link .Procedure @@ -129,6 +138,9 @@ Only the `Proxy` object named `cluster` is supported, and no additional proxies can be created. ==== +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] ifeval::["{context}" == "installing-bare-metal"] :!bare-metal: endif::[] diff --git a/modules/installation-custom-aws-vpc.adoc b/modules/installation-custom-aws-vpc.adoc index dd8ebe7e6a..265a9d20d9 100644 
--- a/modules/installation-custom-aws-vpc.adoc +++ b/modules/installation-custom-aws-vpc.adoc @@ -6,6 +6,9 @@ [id="installation-custom-aws-vpc_{context}"] = About using a custom VPC +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] In {product-title} {product-version}, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying {product-title} into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company's guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option. 
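Review bot: the `ifeval::["{context}" == "installing-aws-china-region"]` / `:aws-china:` block in modules/installation-custom-aws-vpc.adoc is inserted after the `= About using a custom VPC` heading rather than before the `[id="installation-custom-aws-vpc_{context}"]` line; every other module in this patch (upload-custom-rhcos-ami, configuration-parameters, configure-proxy) sets the attribute before the id and heading, so move it there for consistency and so the attribute is set before any conditional text can reference it.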
@@ -36,14 +39,21 @@ If you use a cluster with public access, you must create a public and a private The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify. -If you are working in a disconnected environment, you are unable to reach the -public IP addresses for EC2 and ELB endpoints. To resolve this, you must create -a VPC endpoint and attach it to the subnet that the clusters are using. The -endpoints should be named as follows: +ifndef::aws-china[] +If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2 and ELB endpoints. To resolve this, you must create a VPC endpoint and attach it to the subnet that the clusters are using. The endpoints should be named as follows: * `ec2..amazonaws.com` * `elasticloadbalancing..amazonaws.com` * `s3..amazonaws.com` +endif::aws-china[] + +ifdef::aws-china[] +If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2 and ELB endpoints. To resolve this, you must create a VPC endpoint and attach it to the subnet that the clusters are using. The endpoints should be named as follows: + +* `ec2..amazonaws.com.cn` +* `elasticloadbalancing..amazonaws.com` +* `s3..amazonaws.com` +endif::aws-china[] .Required VPC components 
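Review bot: in the `ifdef::aws-china[]` branch of modules/installation-custom-aws-vpc.adoc only the EC2 entry was changed to the China suffix, so the list reads `ec2..amazonaws.com.cn` next to `elasticloadbalancing..amazonaws.com` and `s3..amazonaws.com`; the AWS China partition uses the `amazonaws.com.cn` suffix for all of its service endpoints, so the ELB and S3 entries look wrong and should be `elasticloadbalancing..amazonaws.com.cn` and `s3..amazonaws.com.cn`. Since the suffix is the only difference between the two branches, conditionalizing just the three bullet lines (or the suffix) would avoid carrying two copies of the same paragraph.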
@@ -146,4 +156,8 @@ If you deploy {product-title} to an existing network, the isolation of cluster s //You can restrict ingress to the control plane and compute security groups by either adding the security groups to an SSH bastion instance or altering rules to allow the bastion. * Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network. * Control plane TCP 22623 ingress (MCS) is allowed to the entire network. + +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] //This should be restricted to the control plane and compute security groups, instead of the current by-VPC-CIDR logic to avoid leaking sensitive Ignition configs to non-cluster entities sharing the VPC. diff --git a/modules/installation-initializing-manual.adoc b/modules/installation-initializing-manual.adoc index 56e5eb3f10..bc8dc8bb1e 100644 --- a/modules/installation-initializing-manual.adoc +++ b/modules/installation-initializing-manual.adoc @@ -28,6 +28,9 @@ endif::[] ifeval::["{context}" == "installing-restricted-networks-bare-metal"] :restricted: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] ifeval::["{context}" == "installing-aws-government-region"] :aws-gov: endif::[] 
@@ -44,14 +47,14 @@ endif::[] [id="installation-initializing-manual_{context}"] = Manually creating the installation configuration file -ifndef::aws-gov,azure-gov,aws-private,azure-private,gcp-private[] +ifndef::aws-china,aws-gov,azure-gov,aws-private,azure-private,gcp-private[] For user-provisioned installations of {product-title}, you manually generate your installation configuration file. -endif::aws-gov,azure-gov,aws-private,azure-private,gcp-private[] -ifdef::aws-gov[] +endif::aws-china,aws-gov,azure-gov,aws-private,azure-private,gcp-private[] +ifdef::aws-china,aws-gov[] When installing {product-title} on Amazon Web Services (AWS) into a region requiring a custom {op-system-first} AMI, you must manually generate your installation configuration file. -endif::aws-gov[] +endif::aws-china,aws-gov[] ifdef::azure-gov[] When installing {product-title} on Microsoft Azure into a government region, you must manually generate your installation configuration file. @@ -62,6 +65,9 @@ endif::aws-private,azure-private,gcp-private[] .Prerequisites +ifdef::aws-china,aws-gov[] +* You have uploaded a custom RHCOS AMI. +endif::aws-china,aws-gov[] * You have an SSH public key on your local machine to provide to the installation program. The key will be used for SSH authentication onto your cluster nodes for debugging and disaster recovery. * You have obtained the {product-title} installation program and the pull secret for your cluster. @@ -107,10 +113,13 @@ provide the certificate for your mirror. mirror the repository. endif::restricted[] + + +ifndef::aws-china,aws-gov[] [NOTE] ==== For some platform types, you can alternatively run `./openshift-install create install-config --dir=` to generate an `install-config.yaml` file. You can provide details about your cluster configuration at the prompts. ==== +endif::aws-china,aws-gov[] . Back up the `install-config.yaml` file so that you can use it to install multiple clusters. 
@@ -133,6 +142,9 @@ endif::[] ifeval::["{context}" == "installing-restricted-networks-bare-metal"] :!restricted: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] ifeval::["{context}" == "installing-aws-government-region"] :!aws-gov: endif::[] diff --git a/modules/installation-launching-installer.adoc b/modules/installation-launching-installer.adoc index 5505af76e6..2743e33e04 100644 --- a/modules/installation-launching-installer.adoc +++ b/modules/installation-launching-installer.adoc @@ -37,6 +37,10 @@ ifeval::["{context}" == "installing-aws-customizations"] :custom-config: :aws: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:custom-config: +:aws: +endif::[] ifeval::["{context}" == "installing-aws-government-region"] :custom-config: :aws: @@ -427,6 +431,10 @@ ifeval::["{context}" == "installing-aws-customizations"] :!custom-config: :!aws: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:!custom-config: +:!aws: +endif::[] ifeval::["{context}" == "installing-aws-government-region"] :!custom-config: :!aws: diff --git a/modules/logging-in-by-using-the-web-console.adoc b/modules/logging-in-by-using-the-web-console.adoc index 9e710d20b4..6c4f3a581b 100644 --- a/modules/logging-in-by-using-the-web-console.adoc +++ b/modules/logging-in-by-using-the-web-console.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// *installing/installing_aws/installing-aws-china.adoc. // *installing/validating-an-installation.adoc // *installing/installing_aws/installing-aws-user-infra.adoc // *installing/installing_aws/installing-restricted-networks-aws.adoc @@ -20,7 +21,7 @@ The `kubeadmin` user exists by default after an {product-title} installation. Yo + [source,terminal] ---- -$ cat /auth/kubeadmin-password +$ cat /auth/kubeadmin-password ---- + [NOTE] diff --git a/modules/private-clusters-default.adoc b/modules/private-clusters-default.adoc index 240433980b..23a1da36cb 100644 
--- a/modules/private-clusters-default.adoc +++ b/modules/private-clusters-default.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_gcp/installing-gcp-private.adoc @@ -13,6 +14,10 @@ ifeval::["{context}" == "installing-aws-government-region"] :aws-gov: endif::[] +ifeval::["{context}" == "installing-aws-china-region"] +:aws-china: +endif::[] + You can deploy a private {product-title} cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the internet. ifdef::aws-gov[] 
@@ -25,10 +30,34 @@ endif::aws-gov[] By default, {product-title} is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet. -To deploy a private cluster, you must use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network. +To deploy a private cluster, you must: -Additionally, you must deploy a private cluster from a machine that has access the API services for the cloud you provision to, the hosts on the network that you provision, and to the internet to obtain installation media. You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN. +* Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network. +* Deploy from a machine that has access to: +** The API services for the cloud to which you provision. +** The hosts on the network that you provision. +** The internet to obtain installation media. + +ifndef::aws-china[] +You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN. +endif::aws-china[] + +ifdef::aws-china[] +You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network. +endif::aws-china[] + +ifdef::aws-china[] +[NOTE] +==== +AWS China does not support a VPN connection between the VPC and your network. 
For more information about the Amazon VPC service in the Beijing and Ningxia regions, see link:https://docs.amazonaws.cn/en_us/aws/latest/userguide/vpc.html[Amazon Virtual Private Cloud] in the AWS China documentation. + +==== +endif::aws-china[] ifeval::["{context}" == "installing-aws-government-region"] :!aws-gov: endif::[] + +ifeval::["{context}" == "installing-aws-china-region"] +:!aws-china: +endif::[] diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc index 19cd44d1ec..ab35bfe915 100644 --- a/modules/ssh-agent-using.adoc +++ b/modules/ssh-agent-using.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/installing_aws/installing-aws-user-infra.adoc +// * installing/installing_aws/installing-aws-china.adoc // * installing/installing_aws/installing-aws-customizations.adoc // * installing/installing_aws/installing-aws-default.adoc // * installing/installing_aws/installing-aws-government-region.adoc
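Review bot: In the `ifdef::aws-china[]` endpoint list of `modules/installation-custom-aws-vpc.adoc` (hunk `@@ -36,14 +39,21 @@`), only the EC2 entry receives the `.amazonaws.com.cn` suffix; `elasticloadbalancing..amazonaws.com` and `s3..amazonaws.com` are copied unchanged from the non-China block. Service endpoints in the China partition use the `amazonaws.com.cn` domain for ELB and S3 as well, so a disconnected cluster configured from this list would point two of its three VPC endpoints at names that do not exist there. Suggest `* `elasticloadbalancing..amazonaws.com.cn`` and `* `s3..amazonaws.com.cn``. Separately, the paragraph preceding the list is duplicated verbatim in both branches; keeping it once and conditionalizing only the three bullets would leave less text to drift apart.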
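Review bot: The new prerequisite `* You have uploaded a custom RHCOS AMI.` in `modules/installation-initializing-manual.adoc` (hunk `@@ -62,6 +65,9 @@`) spells out the product name, while the sentence a few lines earlier in the same file uses the attribute form (`a custom {op-system-first} AMI`). Use `{op-system}` here so the prerequisite follows the attribute-driven naming the module already relies on.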
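Review bot: Three consecutive blank lines are inserted before `ifndef::aws-china,aws-gov[]` in `modules/installation-initializing-manual.adoc` (hunk `@@ -107,10 +113,13 @@`); AsciiDoc needs only one, so drop the extra two. The conditional itself is consistent with the earlier statement in this module that the China and GovCloud contexts require a manually generated configuration, so hiding the `create install-config` shortcut for them is the right call.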
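Review bot: The added assembly reference `// *installing/installing_aws/installing-aws-china.adoc.` in `modules/logging-in-by-using-the-web-console.adoc` (hunk `@@ -1,5 +1,6 @@`) carries a trailing period that none of the neighbouring entries have. Drop it so the list stays uniform: `// *installing/installing_aws/installing-aws-china.adoc`.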
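Review bot: In `modules/logging-in-by-using-the-web-console.adoc` (hunk `@@ -20,7 +21,7 @@`) the removed line `-$ cat /auth/kubeadmin-password` and the added line `+$ cat /auth/kubeadmin-password` read identically as rendered here, so the actual change is not visible and cannot be reviewed. Please state in the commit message what differs between the two lines, or drop the hunk if it is only a whitespace change.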
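Review bot: In `modules/private-clusters-default.adoc` (hunk `@@ -25,10 +30,34 @@`) the two `You can use any machine that meets these access requirements...` paragraphs differ only in the trailing clause `or a machine that has access to the network through a VPN`; wrapping just that clause in `ifndef::aws-china[]` would avoid maintaining two copies of the sentence. The `[NOTE]` block also contains a stray blank line before the closing `====`. Finally, the note asserts that AWS China does not support a VPN connection between the VPC and your network but links only to the general Amazon VPC page; since this claim is what justifies removing the VPN option from the China branch, point the link at the specific statement that supports it.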