OSDOCS-4745: Installing Nutanix cluster in a restricted env

_topic_maps/_topic_map.yml

@@ -288,6 +288,8 @@ Topics:
     File: preparing-to-install-on-nutanix
   - Name: Installing a cluster on Nutanix
     File: installing-nutanix-installer-provisioned
+  - Name: Installing a cluster on Nutanix in a restricted network
+    File: installing-restricted-networks-nutanix-installer-provisioned
   - Name: Uninstalling a cluster on Nutanix
     File: uninstalling-cluster-nutanix
 - Name: Installing on bare metal

installing/installing-preparing.adoc

@@ -75,7 +75,7 @@ If you use a user-provisioned installation method, you can configure a proxy for
 
 If you want to prevent your cluster on a public cloud from exposing endpoints externally, you can deploy a private cluster with installer-provisioned infrastructure on xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[AWS], xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Azure], or xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[GCP].
 
-If you need to install your cluster that has limited access to the internet, such as a disconnected or restricted network cluster, you can xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[IBM Z or LinuxONE with {op-system-base} KVM], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], xref:../installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc#installing-restricted-networks-vmc-user-infra[VMC on AWS], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_vmc/installing-restricted-networks-vmc.adoc#installing-restricted-networks-vmc[VMC on AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
+If you need to install your cluster that has limited access to the internet, such as a disconnected or restricted network cluster, you can xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[IBM Z or LinuxONE with {op-system-base} KVM], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], xref:../installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc#installing-restricted-networks-vmc-user-infra[VMC on AWS], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[Nutanix], xref:../installing/installing_vmc/installing-restricted-networks-vmc.adoc#installing-restricted-networks-vmc[VMC on AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
 
 If you need to deploy your cluster to an xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[AWS GovCloud region], xref:../installing/installing_aws/installing-aws-china.adoc#installing-aws-china-region[AWS China region], or xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Azure government region], you can configure those custom regions during an installer-provisioned infrastructure installation.
 
@@ -196,7 +196,7 @@ ifndef::openshift-origin[]
 |
 |
 |xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[✓]
-|
+|xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[✓]
 |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[✓]
 |xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[✓]
 |xref:../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#ipi-install-installation-workflow[✓]
@@ -363,7 +363,7 @@ ifdef::openshift-origin[]
 |
 |
 |xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[✓]
-|
+|xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[✓]
 |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[✓]
 |xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[✓]
 |

installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc

@@ -0,0 +1,64 @@
+:_content-type: ASSEMBLY
+[id="installing-restricted-networks-nutanix-installer-provisioned"]
+= Installing a cluster on Nutanix in a restricted network
+include::_attributes/common-attributes.adoc[]
+:context: installing-restricted-networks-nutanix-installer-provisioned
+
+toc::[]
+
+In {product-title} {product-version}, you can install a cluster on Nutanix infrastructure in a restricted network by creating an internal mirror of the installation release content.
+
+== Prerequisites
+
+* You have reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* If you use a firewall, you have configured it to xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[grant access] to the sites that {product-title} requires. This includes the use of Telemetry.
+* If your Nutanix environment is using the default self-signed SSL/TLS certificate, replace it with a certificate that is signed by a CA. The installation program requires a valid CA-signed certificate to access to the Prism Central API. For more information about replacing the self-signed certificate, see the  https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v6_1:mul-security-ssl-certificate-pc-t.html[Nutanix AOS Security Guide].
++
+[IMPORTANT]
+====
+Use 2048-bit certificates. The installation fails if you use 4096-bit certificates with Prism Central 2022.x.
+====
+* You have a container image registry, such as Red Hat Quay. If you do not already have a registry, you can create a mirror registry using  xref:../../installing/disconnected_install/installing-mirroring-creating-registry.adoc#installing-mirroring-creating-registry[_mirror registry for Red Hat OpenShift_].
+* You have used the xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[oc-mirror OpenShift CLI (oc) plugin] to mirror all of the required {product-title} content and other images, including the Nutanix CSI Operator, to your mirror registry.
++
+[IMPORTANT]
+====
+Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
+====
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-adding-nutanix-root-certificates.adoc[leveloffset=+1]
+
+include::modules/installation-nutanix-download-rhcos.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+include::modules/installation-nutanix-config-yaml.adoc[leveloffset=+2]
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/manually-configure-iam-nutanix.adoc[leveloffset=+1]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+== Post installation
+Complete the following steps to complete the configuration of your cluster.
+
+include::modules/olm-restricted-networks-configuring-operatorhub.adoc[leveloffset=+2]
+include::modules/oc-mirror-updating-restricted-cluster-manifests.adoc[leveloffset=+2]
+include::modules/registry-configuring-storage-nutanix.adoc[leveloffset=+2]
+
+include::modules/cluster-telemetry.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
+
+== Next steps
+* xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opt out of remote health reporting]
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

modules/cli-installing-cli.adoc

@@ -50,7 +50,9 @@
 // * installing/installing_rhv/installing-rhv-default.adoc
 // * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 // * microshift_cli_ref/microshift-oc-cli-install.adoc
-//
+// * updating/updating-restricted-network-cluster.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 // AMQ docs link to this; do not change anchor
 
 ifeval::["{context}" == "updating-restricted-network-cluster"]

modules/cluster-telemetry.adoc

@@ -72,6 +72,8 @@
 // * installing/installing_vmc/installing-vmc.adoc
 // * installing/installing_ibm_power/installing-ibm-power.adoc
 // * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 :_content-type: CONCEPT
 [id="cluster-telemetry_{context}"]

modules/installation-about-restricted-network.adoc

@@ -12,6 +12,7 @@
 // * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
 // * installing/installing_openstack/installing-openstack-installer-restricted.adoc
 // * installing/installing-rhv-restricted-network.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-ibm-power"]
 :ibm-power:
@@ -37,6 +38,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
 :ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:ipi:
+endif::[]
 
 :_content-type: CONCEPT
 [id="installation-about-restricted-networks_{context}"]
@@ -51,7 +55,7 @@ still require access to its cloud APIs. Some cloud functions, like
 Amazon Web Service's Route 53 DNS and IAM services, require internet access.
 //behind a proxy
 Depending on your network, you might require less internet
-access for an installation on bare metal hardware or on VMware vSphere.
+access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.
 endif::ibm-power[]
 
 To complete a restricted network installation, you must create a registry that
@@ -103,3 +107,6 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
 :!ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!ipi:
+endif::[]

modules/installation-adding-nutanix-root-certificates.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 :_content-type: PROCEDURE
 [id="installation-adding-nutanix-root-certificates_{context}"]

modules/installation-configuration-parameters.adoc

@@ -55,6 +55,7 @@
 // * installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc
 // * installing/installing_azure_stack_hub/installing-azure-stack-hub-customizations.adoc
 // * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-alibaba-customizations"]
 :alibabacloud:
@@ -223,6 +224,9 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:nutanix:
+endif::[]
 
 :_content-type: CONCEPT
 [id="installation-configuration-parameters_{context}"]
@@ -2052,3 +2056,6 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :!nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!nutanix:
+endif::[]

modules/installation-configure-proxy.adoc

@@ -57,6 +57,8 @@
 // * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
 // * networking/configuring-a-custom-pki.adoc
 // * installing/installing-rhv-restricted-network.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-aws-china-region"]
 :aws:

modules/installation-initializing.adoc

@@ -37,6 +37,7 @@
 // * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
 // * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
 // * installing/installing_nutanix/configuring-iam-nutanix.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 // * installing/installing_gcp/installing-openstack-installer-restricted.adoc
 // Consider also adding the installation-configuration-parameters.adoc module.
@@ -175,6 +176,10 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:nutanix:
+:restricted:
+endif::[]
 
 :_content-type: PROCEDURE
 [id="installation-initializing_{context}"]
@@ -214,7 +219,13 @@ endif::nutanix[]
 * Obtain the {product-title} installation program and the pull secret for your cluster.
 ifdef::restricted[]
 For a restricted network installation, these files are on your mirror host.
+ifndef::nutanix[]
 * Have the `imageContentSources` values that were generated during mirror registry creation.
+endif::nutanix[]
+ifdef::nutanix+restricted[]
+* Have the `imageContentSourcePolicy.yaml` file that was created when you mirrored your registry.
+* Have the location of the {op-system-first} image you download.
+endif::nutanix+restricted[]
 * Obtain the contents of the certificate for your mirror registry.
 ifndef::aws,gcp[]
 * Retrieve a {op-system-first} image and upload it to an accessible location.
@@ -540,6 +551,16 @@ platform:
       clusterOSImage: http://mirror.example.com/images/rhcos-43.81.201912131630.0-vmware.x86_64.ova?sha256=ffebbd68e8a1f2a245ca19522c16c86f67f9ac8e4e0c1f0a812b068b16f7265d
 ----
 endif::vsphere+restricted[]
+ifdef::nutanix+restricted[]
+. In the `install-config.yaml` file, set the value of `platform.nutanix.clusterOSImage` to the image location or name. For example:
++
+[source,yaml]
+----
+platform:
+  nutanix:
+      clusterOSImage: http://mirror.example.com/images/rhcos-47.83.202103221318-0-nutanix.x86_64.qcow2
+----
+endif::nutanix+restricted[]
 ifdef::restricted[]
 . Edit the `install-config.yaml` file to give the additional information that
 is required for an installation in a restricted network.
@@ -604,10 +625,17 @@ imageContentSources:
   source: registry.example.com/ocp/release
 ----
 +
+ifndef::nutanix[]
 For these values, use the `imageContentSources` that you recorded during mirror registry creation.
+endif::nutanix[]
+ifdef::nutanix[]
+For these values, use the `imageContentSourcePolicy.yaml` file that was created when you mirrored the registry.
+endif::nutanix[]
 
+ifndef::nutanix[]
 . Make any other modifications to the `install-config.yaml` file that you require. You can find more information about
 the available parameters in the *Installation configuration parameters* section.
+endif::nutanix[]
 endif::restricted[]
 
 ifdef::nutanix[]
@@ -760,3 +788,7 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :!nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!nutanix:
+:!restricted:
+endif::[]

modules/installation-launching-installer.adoc

@@ -40,7 +40,8 @@
 // * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
 // * installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc
 // * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
-// * installing/installing_nutanix/configuring-iam-nutanix.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 // If you use this module in any other assembly, you must update the ifeval
 // statements.
 
@@ -261,6 +262,11 @@ ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :nutanix:
 :single-step:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:custom-config:
+:nutanix:
+:single-step:
+endif::[]
 
 :_content-type: PROCEDURE
 [id="installation-launching-installer_{context}"]
@@ -764,3 +770,8 @@ ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :!nutanix:
 :!single-step:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!custom-config:
+:!nutanix:
+:!single-step:
+endif::[]

modules/installation-nutanix-config-yaml.adoc

@@ -1,6 +1,14 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_nutanix/configuring-iam-nutanix.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
+
+ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
+:default:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:restricted:
+endif::[]
 
 :_content-type: REFERENCE
 [id="installation-nutanix-config-yaml_{context}"]
@@ -13,6 +21,7 @@ You can customize the `install-config.yaml` file to specify more details about y
 This sample YAML file is provided for reference only. You must obtain your `install-config.yaml` file by using the installation program and modify it.
 ====
 
+ifdef::default[]
 [source,yaml]
 ----
 apiVersion: v1
@@ -68,12 +77,7 @@ platform:
       uuid: 0005b0f1-8f43-a0f2-02b7-3cecef193712
     subnetUUIDs:
     - c7938dc6-7659-453e-a688-e26020c68e43
-ifndef::openshift-origin[]
     clusterOSImage: http://example.com/images/rhcos-47.83.202103221318-0-nutanix.x86_64.qcow2 <6>
-endif::openshift-origin[]
-ifdef::openshift-origin[]
-    clusterOSImage: http://example.com/images/rhcos-47.83.202103221318-0-nutanix.x86_64.qcow2 <6>
-endif::openshift-origin[]
 credentialsMode: Manual
 publish: External
 pullSecret: '{"auths": ...}' <1>
@@ -114,3 +118,150 @@ endif::openshift-origin[]
 ====
 For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
 ====
+endif::default[]
+
+ifdef::restricted[]
+[source,yaml]
+----
+apiVersion: v1
+baseDomain: example.com <1>
+compute: <2>
+- hyperthreading: Enabled <3>
+  name: worker
+  replicas: 3
+  platform:
+    nutanix: <4>
+      cpus: 2
+      coresPerSocket: 2
+      memoryMiB: 8196
+      osDisk:
+        diskSizeGiB: 120
+controlPlane: <2>
+  hyperthreading: Enabled <3>
+  name: master
+  replicas: 3
+  platform:
+    nutanix: <4>
+      cpus: 4
+      coresPerSocket: 2
+      memoryMiB: 16384
+      osDisk:
+        diskSizeGiB: 120
+metadata:
+  creationTimestamp: null
+  name: test-cluster <1>
+networking:
+  clusterNetwork:
+  - cidr: 10.128.0.0/14
+    hostPrefix: 23
+  machineNetwork:
+  - cidr: 10.0.0.0/16
+  networkType: OVNKubernetes <5>
+  serviceNetwork:
+  - 172.30.0.0/16
+platform:
+  nutanix:
+    apiVIP: 10.40.142.7 <1>
+    ingressVIP: 10.40.142.8 <1>
+    prismCentral:
+      endpoint:
+        address: your.prismcentral.domainname <1>
+        port: 9440 <1>
+      password: samplepassword <1>
+      username: sampleadmin <1>
+    prismElements:
+    - endpoint:
+        address: your.prismelement.domainname
+        port: 9440
+      uuid: 0005b0f1-8f43-a0f2-02b7-3cecef193712
+    subnetUUIDs:
+    - c7938dc6-7659-453e-a688-e26020c68e43
+    clusterOSImage: http://example.com/images/rhcos-47.83.202103221318-0-nutanix.x86_64.qcow2 <6>
+credentialsMode: Manual
+publish: External
+pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}' <7>
+ifndef::openshift-origin[]
+fips: false <8>
+sshKey: ssh-ed25519 AAAA... <9>
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+sshKey: ssh-ed25519 AAAA... <8>
+endif::openshift-origin[]
+ifndef::openshift-origin[]
+additionalTrustBundle: | <10>
+  -----BEGIN CERTIFICATE-----
+  ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  -----END CERTIFICATE-----
+imageContentSources: <11>
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+additionalTrustBundle: | <9>
+  -----BEGIN CERTIFICATE-----
+  ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  -----END CERTIFICATE-----
+imageContentSources: <10>
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+endif::openshift-origin[]
+----
+<1> Required. The installation program prompts you for this value.
+<2> The `controlPlane` section is a single mapping, but the compute section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the `compute` section must begin with a hyphen, `-`, and the first line of the `controlPlane` section must not. Although both sections currently define a single machine pool, it is possible that future versions of {product-title} will support defining multiple compute pools during installation. Only one control plane pool is used.
+<3> Whether to enable or disable simultaneous multithreading, or `hyperthreading`. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores. You can disable it by setting the parameter value to `Disabled`. If you disable simultaneous multithreading in some cluster machines, you must disable it in all cluster machines.
++
+[IMPORTANT]
+====
+If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance.
+====
+<4> Optional: Provide additional configuration for the machine pool parameters for the compute and control plane machines.
+<5> The cluster network plugin to install. The supported values are `OVNKubernetes` and `OpenShiftSDN`. The default value is `OVNKubernetes`.
+<6> Optional: By default, the installation program downloads and installs the {op-system-first} image. If Prism Central does not have internet access, you can override the default behavior by hosting the {op-system} image on any HTTP server or Nutanix Objects and pointing the installation program to the image.
+<7> For `<local_registry>`, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example `registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
+specify the base64-encoded user name and password for your mirror registry.
+ifndef::openshift-origin[]
+<8> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
++
+[IMPORTANT]
+====
+The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
+====
+<9> Optional: You can provide the `sshKey` value that you use to access the machines in your cluster.
++
+[NOTE]
+====
+For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
+====
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+<8> Optional: You can provide the `sshKey` value that you use to access the machines in your cluster.
++
+[NOTE]
+====
+For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
+====
+endif::openshift-origin[]
+ifndef::openshift-origin[]
+<10> Provide the contents of the certificate file that you used for your mirror registry.
+<11> Provide these values from the `metadata.name: release-0` section of the `imageContentSourcePolicy.yaml` file that was created when you mirrored the registry.
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+<9> Provide the contents of the certificate file that you used for your mirror registry.
+<10> Provide these values from the `metadata.name: release-0` section of the `imageContentSourcePolicy.yaml` file that was created when you mirrored the registry.
+endif::openshift-origin[]
+endif::restricted[]
+
+ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
+:!default:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!restricted:
+endif::[]

modules/installation-nutanix-download-rhcos.adoc

@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
+
+:_content-type: PROCEDURE
+[id="installation-nutanix-download-rhcos_{context}"]
+= Downloading the RHCOS cluster image
+
+Prism Central requires access to the {op-system-first} image to install the cluster. You can use the installation program to locate and download the {op-system} image and make it available through an internal HTTP server or Nutanix Objects.
+
+.Prerequisites
+
+* Obtain the {product-title} installation program and the pull secret for your cluster. For a restricted network installation, these files are on your mirror host.
+
+.Procedure
+
+. Change to the directory that contains the installation program and run the following command:
++
+[source,terminal]
+----
+$ ./openshift-install coreos print-stream-json
+----
+
+. Use the output of the command to find the location of the Nutanix image, and click the link to download it.
++
+.Example output
+[source, terminal]
+----
+"nutanix": {
+  "release": "411.86.202210041459-0",
+  "formats": {
+    "qcow2": {
+      "disk": {
+        "location": "https://rhcos.mirror.openshift.com/art/storage/releases/rhcos-4.11/411.86.202210041459-0/x86_64/rhcos-411.86.202210041459-0-nutanix.x86_64.qcow2",
+        "sha256": "42e227cac6f11ac37ee8a2f9528bb3665146566890577fd55f9b950949e5a54b"
+----
+
+. Make the image available through an internal HTTP server or Nutanix Objects.
+
+. Note the location of the downloaded image. You update the `platform` section in the installation configuration file (`install-config.yaml`) with the image's location before deploying the cluster.
+
+.Snippet of an `install-config.yaml` file that specifies the {op-system} image
+
+[source,yaml]
+----
+platform:
+  nutanix:
+    clusterOSImage: http://example.com/images/rhcos-411.86.202210041459-0-nutanix.x86_64.qcow2
+----

modules/manually-configure-iam-nutanix.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_nutanix/configuring-iam-nutanix.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 :_content-type: PROCEDURE
 [id="manually-create-iam-nutanix_{context}"]

modules/oc-mirror-image-set-config-examples.adoc

@@ -140,3 +140,33 @@ mirror:
               minVersion: '1.0.0'
               maxVersion: '2.0.0'
 ----
+
+[discrete]
+[id="oc-mirror-image-set-examples-nutanix-operator_{context}"]
+== Use case: Including the Nutanix CSI Operator
+The following `ImageSetConfiguration` file uses a local storage backend and includes the Nutanix CSI Operator, the OpenShift Update Service (OSUS) graph image, and an additional Red Hat Universal Base Image (UBI).
+
+.Example `ImageSetConfiguration` file
+[source,yaml]
+----
+  kind: ImageSetConfiguration
+  apiVersion: mirror.openshift.io/v1alpha2
+  storageConfig:
+    registry:
+      imageURL: mylocalregistry/ocp-mirror/openshift4
+      skipTLS: false
+  mirror:
+    platform:
+      channels:
+      - name: stable-4.11
+        type: ocp
+      graph: true
+    operators:
+    - catalog: registry.redhat.io/redhat/certified-operator-index:v4.11
+      packages:
+      - name: nutanixcsioperator
+        channels:
+        - name: stable
+    additionalImages:
+    - name: registry.redhat.io/ubi8/ubi:latest
+----

modules/oc-mirror-updating-restricted-cluster-manifests.adoc

@@ -0,0 +1,46 @@
+// Module included in the following assemblies:
+//
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
+
+:_content-type: PROCEDURE
+[id="oc-mirror-updating-cluster-manifests_{context}"]
+= Installing the policy resources into the cluster
+
+Mirroring the {product-title} content using the oc-mirror OpenShift CLI (oc) plugin creates resources, which include `catalogSource-certified-operator-index.yaml` and `imageContentSourcePolicy.yaml`.
+
+* The `ImageContentSourcePolicy` resource associates the mirror registry with the source registry and redirects image pull requests from the online registries to the mirror registry.
+* The `CatalogSource` resource is used by Operator Lifecycle Manager (OLM) to retrieve information about the available Operators in the mirror registry, which lets users discover and install Operators.
+
+After you install the cluster, you must install these resources into the cluster.
+
+.Prerequisites
+
+* You have mirrored the image set to the registry mirror in the disconnected environment.
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. Log in to the OpenShift CLI as a user with the `cluster-admin` role.
+
+. Apply the YAML files from the results directory to the cluster:
++
+[source,terminal]
+----
+$ oc apply -f ./oc-mirror-workspace/results-<id>/
+----
+
+.Verification
+
+. Verify that the `ImageContentSourcePolicy` resources were successfully installed:
++
+[source,terminal]
+----
+$ oc get imagecontentsourcepolicy --all-namespaces
+----
+
+. Verify that the `CatalogSource` resources were successfully installed:
++
+[source,terminal]
+----
+$ oc get catalogsource --all-namespaces
+----

modules/olm-restricted-networks-configuring-operatorhub.adoc

@@ -17,6 +17,7 @@
 // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
 // * operators/admin/olm-restricted-networks.adoc
 // * operators/admin/olm-managing-custom-catalogs.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "olm-restricted-networks"]
 :olm-restricted-networks:

modules/registry-configuring-storage-nutanix.adoc

@@ -0,0 +1,9 @@
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
+
+:_content-type: PROCEDURE
+[id="registry-configuring-storage-nutanix_{context}"]
+= Configuring the default storage container
+
+After you install the cluster, you must install the Nutanix CSI Operator and configure the default storage container for the cluster.
+
+For more information, see the Nutanix documentation for link:https://opendocs.nutanix.com/openshift/operators/csi/[installing the CSI Operator] and link:https://opendocs.nutanix.com/openshift/install/ipi/#openshift-image-registry-configuration[configuring registry storage].

modules/ssh-agent-using.adoc

@@ -56,6 +56,7 @@
 // * installing/installing_ibm_z/installing-ibm-power.adoc
 // * installing/installing-rhv-restricted-network.adoc
 // * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 
 ifeval::["{context}" == "installing-restricted-networks-vsphere"]