diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
index d1a042bb18..b8a991be82 100644
--- a/_topic_maps/_topic_map_osd.yml
+++ b/_topic_maps/_topic_map_osd.yml
@@ -121,10 +121,10 @@ Name: Installing, accessing, and deleting OpenShift Dedicated clusters Dir: osd_install_access_delete_cluster Distros: openshift-dedicated Topics: +- Name: Private Service Connect overview + File: creating-a-gcp-psc-enabled-private-cluster - Name: Creating a cluster on GCP with Workload Identity Federation File: creating-a-gcp-cluster-with-workload-identity-federation -- Name: Creating a GCP Private Service Connect enabled private cluster - File: creating-a-gcp-psc-enabled-private-cluster - Name: Creating a cluster on GCP File: creating-a-gcp-cluster #- Name: Creating a cluster on GCP with a Red Hat cloud account
diff --git a/architecture/osd-architecture-models-gcp.adoc b/architecture/osd-architecture-models-gcp.adoc
index 6a3c5bf11e..f8ef0586ac 100644
--- a/architecture/osd-architecture-models-gcp.adoc
+++ b/architecture/osd-architecture-models-gcp.adoc
@@ -9,15 +9,18 @@ toc::[] With {product-title} on {GCP}, you can create clusters that are accessible over public or private networks. include::modules/osd-gcp-architecture.adoc[leveloffset=+1] -include::modules/private-service-connect-overview.adoc[leveloffset=+2] -include::modules/osd-private-psc-architecture-model-gcp.adoc[leveloffset=+2] -include::modules/osd-private-architecture-model-gcp.adoc[leveloffset=+2] -include::modules/osd-public-architecture-model-gcp.adoc[leveloffset=+2] +include::modules/osd-understanding-private-service-connect.adoc[leveloffset=+1] +include::modules/private-service-connect-psc-architecture.adoc[leveloffset=+2] +include::modules/osd-private-psc-architecture-model-gcp.adoc[leveloffset=+1] +include::modules/osd-private-architecture-model-gcp.adoc[leveloffset=+1] +include::modules/osd-public-architecture-model-gcp.adoc[leveloffset=+1] [role="_additional-resources"] [id="osd-architecture-models-additional-resources"] == Additional resources
-* xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc[Creating a GCP Private Service Connect enabled private cluster]
+* xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]
+
+* xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation]
diff --git a/modules/osd-understanding-private-service-connect.adoc b/modules/osd-understanding-private-service-connect.adoc
new file mode 100644
index 0000000000..33c3dd125d
--- /dev/null
+++ b/modules/osd-understanding-private-service-connect.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * osd-architecture-models-gcp.adoc
+// * osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="osd-understanding-private-service-connect_{context}"]
+= Understanding Private Service Connect
+
+Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. Users that implement PSC as part of their network connectivity can deploy {product-title} clusters in a private and secured environment within {GCP} without any public facing cloud resources.
+
+For more information about PSC, see link:https://cloud.google.com/vpc/docs/private-service-connect[Private Service Connect].
+
+[IMPORTANT]
+====
+PSC is only available on {product-title} version 4.17 and later, and is only supported by the Customer Cloud Subscription (CCS) infrastructure type.
+====
+
diff --git a/modules/private-service-connect-prereqs.adoc b/modules/private-service-connect-prereqs.adoc
index 4093f454c4..96e7c0f179 100644
--- a/modules/private-service-connect-prereqs.adoc
+++ b/modules/private-service-connect-prereqs.adoc
@@ -27,7 +27,12 @@ For information about how to create a VPC on {GCP}, see link:https://cloud.googl In addition to the requirements listed above, clusters configured with the **Service Account authentication type** must grant the `IAP-Secured Tunnel User` role to `osd-ccs-admin` service account. -For more information about the prerequisites that must be completed before deploying an {product-title} on {GCP}, see _Additional resources_. +For more information about the prerequisites that must be completed before deploying an {product-title} on {GCP}, see _Customer Requirements_. + +[NOTE] +==== +PSC is supported with the Customer Cloud Subscription (CCS) infrastructure type only. To create an {product-title} on {GCP} using PSC, see _Creating a cluster on GCP with Workload Identity Federation_. +==== // [id="prereqs-wif-authentication_{context}"] // == Requirements when using Workload Identity Federation authentication type
diff --git a/modules/private-service-connect-overview.adoc b/modules/private-service-connect-psc-architecture.adoc
similarity index 70%
rename from modules/private-service-connect-overview.adoc
rename to modules/private-service-connect-psc-architecture.adoc
index 37b701f81a..4cac52ff28 100644
--- a/modules/private-service-connect-overview.adoc
+++ b/modules/private-service-connect-psc-architecture.adoc
@@ -1,20 +1,11 @@ // Module included in the following assemblies: // // * osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc +// * architecture/osd-architecture-models-gcp.adoc :_mod-docs-content-type: CONCEPT -[id="private-service-connect-overview_{context}"] -= Private Service Connect overview -Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. Users that implement PSC as part of their network connectivity can deploy {product-title} clusters in a private and secured environment within {GCP} without any public facing cloud resources. -For more information on PSC, see link:https://cloud.google.com/vpc/docs/private-service-connect[Private Service Connect]. - -[IMPORTANT] -==== -Private Service Connect is supported by the Customer Cloud Subscription (CCS) infrastructure type only. -==== - [id="psc-architecture_{context}"] -== Private Service Connect architecture += Private Service Connect architecture The PSC architecture includes producer services and consumer services. Using PSC, the consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connect to their consumers.
@@ -32,3 +23,5 @@ The following image depicts how Red HAT SREs and other internal resources access .PSC architecture overview image::psc_arch_2.png[PSC architecture overview]
+
+
diff --git a/osd_getting_started/osd-getting-started.adoc b/osd_getting_started/osd-getting-started.adoc
index cffd57f4fa..de5a17aaaa 100644
--- a/osd_getting_started/osd-getting-started.adoc
+++ b/osd_getting_started/osd-getting-started.adoc
@@ -31,9 +31,9 @@ Complete the steps in one of the following sections to deploy {product-title} in * *Creating a cluster on GCP with CCS*: You can install {product-title} in your own {GCP} account by using the CCS model. -** Red Hat recommends using GCP Workload Identity Federation (WIF) as the authentication type for installing and interacting with the {product-title} cluster deployed on {GCP} because it provides enhanced security. For more details, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc[Creating a cluster on GCP with Workload Identity Federation]. +** Red Hat recommends using GCP Workload Identity Federation (WIF) as the authentication type for installing and interacting with the {product-title} cluster deployed on {GCP} because it provides enhanced security. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc[Creating a cluster on GCP with Workload Identity Federation]. -*** An {product-title} cluster deployed on {GCP} can be created in Private cluster mode, without any cloud resources. In this configuration, Red Hat uses Google Cloud Private Service Connect (PSC) to manage and monitor a cluster to avoid all public ingress network traffic. For more details, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc[Creating a GCP Private Service Connect enabled private cluster]. +** Red Hat also recommends creating an {product-title} cluster deployed on {GCP} in Private cluster mode with Private Service Connect (PSC) to manage and monitor a cluster to avoid all public ingress network traffic. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]. 
** For installing and interacting with the {product-title} cluster deployed on the {GCP} using the Service Account authentication type, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP].
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc b/osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc
index 0dae9eb9e8..64c2a2ce99 100644
--- a/osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc
+++ b/osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc
@@ -29,14 +29,14 @@ include::modules/osd-create-cluster-red-hat-account.adoc[leveloffset=+1] * For information about Workload Identity Federation, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation]. -* For information about Private Service Connect (PSC), see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#private-service-connect-overview_osd-creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]. +* For information about Private Service Connect (PSC), see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]. * For information about configuring a proxy with {product-title}, see xref:../networking/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy]. * For information about persistent storage for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#sdpolicy-storage_osd-service-definition[Storage] section in the {product-title} service definition. * For information about load balancers for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#load-balancers_osd-service-definition[Load balancers] section in the {product-title} service definition. * For more information about etcd encryption, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#etcd-encryption_osd-service-definition[etcd encryption service definition]. * For information about the end-of-life dates for {product-title} versions, see the xref:../osd_architecture/osd_policy/osd-life-cycle.adoc#osd-life-cycle[{product-title} update life cycle]. 
-* For general information on Cloud network address translation(NAT) that is required for cluster-wide proxy, see link:https://cloud.google.com/nat/docs/overview[Cloud NAT overview] in the Google documentation. -* For general information on Cloud routers that are required for the cluster-wide proxy, see link:https://cloud.google.com/network-connectivity/docs/router/concepts/overview[Cloud Router overview] in the Google documentation. -* For information on creating VPCs within your Google Cloud Provider account, see link:https://cloud.google.com/vpc/docs/create-modify-vpc-networks[Create and manage VPC networks] in the Google documentation. +* For general information about Cloud network address translation(NAT) that is required for cluster-wide proxy, see link:https://cloud.google.com/nat/docs/overview[Cloud NAT overview] in the Google documentation. +* For general information about Cloud routers that are required for the cluster-wide proxy, see link:https://cloud.google.com/network-connectivity/docs/router/concepts/overview[Cloud Router overview] in the Google documentation. +* For information about creating VPCs within your Google Cloud Provider account, see link:https://cloud.google.com/vpc/docs/create-modify-vpc-networks[Create and manage VPC networks] in the Google documentation. * For information about configuring identity providers, see xref:../authentication/sd-configuring-identity-providers.adoc#sd-configuring-identity-providers[Configuring identity providers]. * For information about revoking cluster privileges, see xref:../authentication/osd-revoking-cluster-privileges.adoc#osd-revoking-cluster-privileges[Revoking privileges and access to an {product-title} cluster].
\ No newline at end of file
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc b/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
index 7f8a2aa0f5..aed5c9b774 100644
--- a/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
+++ b/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
@@ -1,21 +1,22 @@ :_mod-docs-content-type: ASSEMBLY -[id="osd-creating-a-gcp-psc"] -= Creating a GCP Private Service Connect enabled private cluster +[id="creating-a-gcp-psc-enabled-private-cluster"] += Private Service Connect overview include::_attributes/attributes-openshift-dedicated.adoc[] :context: osd-creating-a-gcp-psc-enabled-private-cluster toc::[] You can create a private {product-title} cluster on {GCP} using Google Cloud's security-enhanced networking feature Private Service Connect (PSC). -include::modules/private-service-connect-overview.adoc[leveloffset=+1] - +include::modules/osd-understanding-private-service-connect.adoc[leveloffset=+1] include::modules/private-service-connect-prereqs.adoc[leveloffset=+1] - -include::modules/private-service-connect-create.adoc[leveloffset=+1] +include::modules/private-service-connect-psc-architecture.adoc[leveloffset=+1] -[id="additional-resources_{context}"] -== Additional resources -For information on {product-title} on {GCP} cluster prerequisites, see xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-requirements_gcp-ccs[Customer Requirements]. +[id="next-steps-psc_{context}"] +== Next steps +* To learn more about {product-title} on {GCP} cluster prerequisites, see xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-requirements_gcp-ccs[Customer Requirements]. -For information about configuring your firewalls , see xref:../osd_planning/gcp-ccs.adoc#osd-gcp-psc-firewall-prerequisites_gcp-ccs[GCP firewall prerequisites]. +* To configure your firewalls, see xref:../osd_planning/gcp-ccs.adoc#osd-gcp-psc-firewall-prerequisites_gcp-ccs[GCP firewall prerequisites]. + +* To create an {product-title} on {GCP} using PSC with the Workload Identity Federation authentication type, see + xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation]. 
diff --git a/osd_whats_new/osd-whats-new.adoc b/osd_whats_new/osd-whats-new.adoc
index 88a268aac1..9931d77a10 100644
--- a/osd_whats_new/osd-whats-new.adoc
+++ b/osd_whats_new/osd-whats-new.adoc
@@ -28,7 +28,7 @@ xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-i + PSC is a capability of Google Cloud networking that enables private communication between services across different GCP projects or organizations. Implementing PSC as part of your network connectivity allows you to deploy OpenShift Dedicated clusters in a private and secured environment within GCP without using any public-facing cloud resources. + -For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc[Creating a GCP Private Service Connect enabled private cluster]. +For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]. [id="osd-q3-2024_{context}"] === Q3 2024