resolved conflict

updated blocked parameters and ca file in output hcp topic map suppotr gather data conflict resolved resolved callout applied new trusted ca and config platform allowlist on editing command and not configuring applied ying suggestions about platform in example outputs applied maggie suggestions created new module for platform allowlist removed platform allowlist from parameters file removed plus sign from parameters file added platform list in create and edit workflow outputs removed line from platform allowed
2026-02-05 12:46:18 +01:00 · 2024-09-30 17:27:48 +01:00
parent f4877d087a
commit c19daddc15
5 changed files with 51 additions and 21 deletions
--- a/modules/images-configuration-image-registry-settings-hcp.adoc
+++ b/modules/images-configuration-image-registry-settings-hcp.adoc
@@ -96,17 +96,25 @@ Audit Log Forwarding:       Disabled
 External Authentication:    Disabled
 Etcd Encryption:            Disabled
 Registry Configuration:
- - Allowed Registries:     <allowed_registry> <1>
- - Insecure Registries:    <insecure_registry> <2>
- - Allowed Registries for Import: <3>
-    - Domain Name:          <domain_name> <4>
-    - Insecure:             true <5>
+ - Allowed Registries: <allowed_registry> <1> <2>
+ - Insecure Registries: <insecure_registry> <3>
+ - Allowed Registries for Import: <4>
+    - Domain Name: <domain_name> <5>
+    - Insecure: true <6>
+ - Platform Allowlist: <platform_allowlist_id> <7>
+    - Registries:      <list_of_registries> <8>
+ - Additional Trusted CA: <9>
+    - <registry_name> : REDACTED
 ----
 <1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
-<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
-<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
-<4> `domainName`: Specifies a domain name for the registry.
-<5> `insecure`: Indicates whether the registry is secure or insecure.
+<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
+<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
+<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
+<5> `domainName`: Specifies a domain name for the registry.
+<6> `insecure`: Indicates whether the registry is secure or insecure.
+<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
+<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
+<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

 . List your nodes to check the applied changes by running the following command:
 +
--- a/modules/images-configuration-parameters-hcp.adoc
+++ b/modules/images-configuration-parameters-hcp.adoc
@@ -32,9 +32,6 @@ Parameters such as `DisableScheduledImport`, `MaxImagesBulkImportedPerRepository
 |`registry-config-additional-trusted-ca`
 |A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

-|`registry-config-platform-allowlist`
-|A list of Red{nbsp}Hat registries is automatically allowed. This list can be periodically updated and impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID.
-
 |===

 [WARNING]
--- a/modules/images-editing-image-registry-settings-hcp.adoc
+++ b/modules/images-editing-image-registry-settings-hcp.adoc
@@ -104,14 +104,22 @@ Audit Log Forwarding:       Disabled
 External Authentication:    Disabled
 Etcd Encryption:            Disabled
 Registry Configuration:
- - Allowed Registries:      <allowed_registry> <1>
- - Insecure Registries:     <insecure_registry> <2>
- - Allowed Registries for Import: <3>
-    - Domain Name:          <domain_name> <4>
-    - Insecure:             true <5>
+ - Allowed Registries: <allowed_registry> <1> <2>
+ - Insecure Registries: <insecure_registry> <3>
+ - Allowed Registries for Import: <4>
+    - Domain Name: <domain_name> <5>
+    - Insecure: true <6>
+ - Platform Allowlist: <platform_allowlist_id> <7>
+    - Registries:      <list_of_registries> <8>
+ - Additional Trusted CA: <9>
+    - <registry_name> : REDACTED
 ----
 <1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
-<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
-<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
-<4> `domainName`: Specifies a domain name for the registry.
-<5> `insecure`: Indicates whether the registry is secure or insecure.
+<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
+<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
+<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
+<5> `domainName`: Specifies a domain name for the registry.
+<6> `insecure`: Indicates whether the registry is secure or insecure.
+<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
+<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
+<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
--- a/modules/images-updating-platform-allowlist-hcp.adoc
+++ b/modules/images-updating-platform-allowlist-hcp.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration-hcp.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="images-updating-platform-allowlist-hcp_{context}"]
+= Updating platform allowlist for {hcp-title}
+
+A list of Red Hat registries is automatically allowed and it is visible when running rosa describe cluster. This list can be periodically updated to ensure platform can be operated correctly. Impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID. Update or edit the image registry for the cluster by running the following command:
+
+[source,terminal]
+----
+$ rosa edit cluster --registry-config-platform-allowlist <newID>
+----
--- a/openshift_images/image-configuration-hcp.adoc
+++ b/openshift_images/image-configuration-hcp.adoc
@@ -17,6 +17,8 @@ include::modules/images-configuration-image-registry-settings-hcp.adoc[leveloffs

 include::modules/images-editing-image-registry-settings-hcp.adoc[leveloffset=+1]

+include::modules/images-updating-platform-allowlist-hcp.adoc[leveloffset=+2]
+
 ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
 [role="_additional-resources"]
 .Additional resources