From d4a188cc7f76b2e06462ea71073c7626fb7f996e Mon Sep 17 00:00:00 2001 From: Kathryn Alexander Date: Fri, 22 Nov 2019 08:24:58 -0500 Subject: [PATCH] osdocs-774 private Azure --- _topic_map.yml | 2 + .../installing-azure-private.adoc | 50 +++++++++++++++++++ modules/cli-installing-cli.adoc | 1 + modules/cli-logging-in-kubeadmin.adoc | 1 + modules/cluster-entitlements.adoc | 1 + .../installation-about-custom-azure-vnet.adoc | 1 + modules/installation-azure-config-yaml.adoc | 12 ++++- ...installation-configuration-parameters.adoc | 1 + modules/installation-initializing.adoc | 1 + modules/installation-launching-installer.adoc | 1 + modules/installation-obtaining-installer.adoc | 1 + modules/installation-vsphere-config-yaml.adoc | 1 + modules/private-clusters-about-azure.adoc | 35 +++++++++++++ modules/private-clusters-default.adoc | 1 + modules/ssh-agent-using.adoc | 1 + 15 files changed, 108 insertions(+), 2 deletions(-) create mode 100644 installing/installing_azure/installing-azure-private.adoc create mode 100644 modules/private-clusters-about-azure.adoc diff --git a/_topic_map.yml b/_topic_map.yml index a8df1440d7..b3cf6d055e 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -119,6 +119,8 @@ Topics: File: installing-azure-network-customizations - Name: Installing a cluster on Azure into an existing VNet File: installing-azure-vnet + - Name: Installing a private cluster on Azure + File: installing-azure-private - Name: Uninstalling a cluster on Azure File: uninstalling-cluster-azure - Name: Installing on GCP diff --git a/installing/installing_azure/installing-azure-private.adoc b/installing/installing_azure/installing-azure-private.adoc new file mode 100644 index 0000000000..991de48986 --- /dev/null +++ b/installing/installing_azure/installing-azure-private.adoc 
@@ -0,0 +1,50 @@ +[id="installing-azure-private"] += Installing a private cluster on Azure +include::modules/common-attributes.adoc[] +:context: installing-azure-private + +toc::[] + +In {product-title} version {product-version}, you can install a private cluster into an existing Azure Virtual Network (VNet) on Microsoft Azure. The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster. + +.Prerequisites + +* Review details about the +xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] +processes. +* xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[Configure an Azure account] to host the cluster and determine the tested and validated region to deploy the cluster to. +* If you use a firewall, you must +xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to. 
+ +include::modules/private-clusters-default.adoc[leveloffset=+1] + +include::modules/private-clusters-about-azure.adoc[leveloffset=+2] + +include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1] + +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +include::modules/ssh-agent-using.adoc[leveloffset=+1] + +include::modules/installation-obtaining-installer.adoc[leveloffset=+1] + +include::modules/installation-initializing.adoc[leveloffset=+1] + +include::modules/installation-configuration-parameters.adoc[leveloffset=+2] + +include::modules/installation-azure-config-yaml.adoc[leveloffset=+2] + +// Removing; Proxy not supported for Azure IPI for 4.2 +// include::modules/installation-configure-proxy.adoc[leveloffset=+2] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] + +include::modules/cli-installing-cli.adoc[leveloffset=+1] + +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +.Next steps + +* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. +* If necessary, you can +xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting]. diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc index f396855bb3..bfd895d877 100644 --- a/modules/cli-installing-cli.adoc +++ b/modules/cli-installing-cli.adoc @@ -9,6 +9,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc 
diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc index fd97947eaf..1b519a2643 100644 --- a/modules/cli-logging-in-kubeadmin.adoc +++ b/modules/cli-logging-in-kubeadmin.adoc @@ -8,6 +8,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc diff --git a/modules/cluster-entitlements.adoc b/modules/cluster-entitlements.adoc index dd6204f684..30edcfc723 100644 --- a/modules/cluster-entitlements.adoc +++ b/modules/cluster-entitlements.adoc @@ -9,6 +9,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc diff --git a/modules/installation-about-custom-azure-vnet.adoc b/modules/installation-about-custom-azure-vnet.adoc index 1a0061bfd3..a1595a437f 100644 --- a/modules/installation-about-custom-azure-vnet.adoc +++ b/modules/installation-about-custom-azure-vnet.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc [id="installation-about-custom-azure-vnet_{context}"] diff --git a/modules/installation-azure-config-yaml.adoc b/modules/installation-azure-config-yaml.adoc index c90c647cdc..138b2c34d6 100644 
--- a/modules/installation-azure-config-yaml.adoc +++ b/modules/installation-azure-config-yaml.adoc @@ -13,6 +13,10 @@ endif::[] ifeval::["{context}" == "installing-azure-vnet"] :vnet: endif::[] +ifeval::["{context}" == "installing-azure-private"] +:vnet: +:private: +endif::[] [id="installation-azure-config-yaml_{context}"] = Sample customized `install-config.yaml` file for Azure @@ -84,7 +88,9 @@ ifndef::vnet[] fips: false <8> sshKey: ssh-ed25519 AAAA... <9> endif::vnet[] - +ifdef::private[] +publish: Internal <14> +endif::private[] ---- <1> Required. The installation program prompts you for this value. <2> If you do not provide these parameters and values, the installation program provides the default value. @@ -117,7 +123,9 @@ endif::vnet[] ==== For production {product-title} clusters on which you want to perform installation debugging or disaster recovery on, specify an SSH key that your `ssh-agent` process uses. ==== - +ifdef::private[] +<14> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`. +endif::private[] ifeval::["{context}" == "installing-azure-network-customizations"] :!with-networking: diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc index 1f94328ac6..f58d10f916 100644 --- a/modules/installation-configuration-parameters.adoc +++ b/modules/installation-configuration-parameters.adoc 
@@ -6,6 +6,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-network-customizations.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc // * installing/installing_gcp/installing-gcp-network-customizations.adoc diff --git a/modules/installation-initializing.adoc b/modules/installation-initializing.adoc index a633f9582f..182880e8fa 100644 --- a/modules/installation-initializing.adoc +++ b/modules/installation-initializing.adoc @@ -6,6 +6,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-network-customizations +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc // * installing/installing_gcp/installing-gcp-network-customizations.adoc diff --git a/modules/installation-launching-installer.adoc b/modules/installation-launching-installer.adoc index 044657335e..313035bc3c 100644 --- a/modules/installation-launching-installer.adoc +++ b/modules/installation-launching-installer.adoc @@ -7,6 +7,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc // * installing/installing_gcp/installing-gcp-default.adoc 
diff --git a/modules/installation-obtaining-installer.adoc b/modules/installation-obtaining-installer.adoc index 22e99e7e9b..f5d9060ca7 100644 --- a/modules/installation-obtaining-installer.adoc +++ b/modules/installation-obtaining-installer.adoc @@ -8,6 +8,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc diff --git a/modules/installation-vsphere-config-yaml.adoc b/modules/installation-vsphere-config-yaml.adoc index d39bd232f1..21df3f84a7 100644 --- a/modules/installation-vsphere-config-yaml.adoc +++ b/modules/installation-vsphere-config-yaml.adoc @@ -40,6 +40,7 @@ fips: false <12> pullSecret: '{"auths": ...}' <13> endif::restricted[] ifdef::restricted[] +fips: false <12> pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' <13> endif::restricted[] sshKey: 'ssh-ed25519 AAAA...' <14> diff --git a/modules/private-clusters-about-azure.adoc b/modules/private-clusters-about-azure.adoc new file mode 100644 index 0000000000..9cefaa5ea9 --- /dev/null +++ b/modules/private-clusters-about-azure.adoc 
@@ -0,0 +1,35 @@ +// Module included in the following assemblies: +// +// * installing/ + +[id="private-clusters-about-azure_{context}"] += Private clusters in Azure + +To create a private cluster on Microsoft Azure, you must provide an existing private VNet and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for only internal traffic. + +Depending how your network connects to the private VNET, you might need to use a DNS forwarder in order to resolve the cluster's private DNS records. The cluster's machines use `168.63.129.16` internally for DNS resolution. For more information, see link:https://docs.microsoft.com/en-us/azure/dns/private-dns-overview[What is Azure Private DNS?] and link:https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16[What is IP address 168.63.129.16?] in the Azure documentation. + +The cluster still requires access to Internet to access the Azure APIs. + +The following items are not required or created when you install a private cluster: + +* A `BaseDomainResourceGroup`, since the cluster does not create public records +* Public IP addresses +* Public DNS records +* Public endpoints + + The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify. + +[id="private-clusters-limitations-azure_{context}"] +== Limitations + +Private clusters on Azure are subject to only the limitations that are associated with the use of an existing VNet + + +//// +Is this also valid in Azure? + +The ability to add public functionality to a private cluster is limited. 
+ +* You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VNet for each availablity zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from Internet on 6443 (Kubernetes API port). +//// diff --git a/modules/private-clusters-default.adoc b/modules/private-clusters-default.adoc index 609a8f34b5..e890f16a96 100644 --- a/modules/private-clusters-default.adoc +++ b/modules/private-clusters-default.adoc @@ -2,6 +2,7 @@ // // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_gcp/installing-gcp-private.adoc +// * installing/installing_azure/installing-azure-private.adoc [id="private-clusters-default_{context}"] = Private clusters diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc index 3731ea5d40..4cf0162893 100644 --- a/modules/ssh-agent-using.adoc +++ b/modules/ssh-agent-using.adoc @@ -8,6 +8,7 @@ // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc +// * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_gcp/installing-gcp-customizations.adoc
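Review bot: In the `installing-azure-private.adoc` assembly, the Prerequisites list does not mention the existing private VNet and subnets, nor the ability to resolve the cluster's private DNS records, even though the included `private-clusters-about-azure` module states that both are required ("you must provide an existing private VNet and subnets", "The installation program must also be able to resolve the DNS records"). Add a prerequisite bullet for each so a reader who only scans the assembly's Prerequisites is not surprised later.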
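Review bot: In the first `installation-azure-config-yaml.adoc` hunk (@@ -13), `:vnet:` and `:private:` are set for the `installing-azure-private` context, but nothing in the patch unsets them. The same module already clears `:!with-networking:` at the end of the file for the network-customizations context; add a matching `ifeval` block with `:!vnet:` and `:!private:` so the attributes do not leak into modules included later in the same build.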
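Review bot: The `installation-initializing.adoc` hunk adds the new assembly next to an existing context line, `// * installing/installing_azure/installing-azure-network-customizations`, that is missing its `.adoc` suffix; since this header is being touched anyway, fix that line in the same change so the list is consistent with the other modules.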
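Review bot: The `installation-vsphere-config-yaml.adoc` hunk (adding `fips: false <12>` to the `ifdef::restricted[]` branch) is unrelated to the "private Azure" subject of this patch. Either split it into its own commit or call it out in the commit message, and confirm that callout `<12>` is explained in the callout list that follows the restricted sample, as it is for the non-restricted one.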
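Review bot: In the new `modules/private-clusters-about-azure.adoc`, the "Module included in the following assemblies" header reads only `// * installing/`, a truncated path; it should be `// * installing/installing_azure/installing-azure-private.adoc`, matching every other module in this patch. Further points in the same hunk: the paragraph `+ The cluster is configured so that ...` begins with a leading space, which AsciiDoc renders as a literal (monospace) block, so remove the space; "Depending how" should be "Depending on how"; "private VNET" should be "private VNet" for consistency with the rest of the module; "access to Internet" should be "access to the Internet"; the Limitations sentence ending "use of an existing VNet" is missing its terminal period; and the commented-out block misspells "availability" as "availablity". The open question left in the comment block ("Is this also valid in Azure?") should be resolved or tracked before merge rather than shipped in the source.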
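Review bot: In the `private-clusters-default.adoc` hunk, the new `installing-azure-private.adoc` entry is appended after the GCP assembly, whereas every other module header in this patch keeps the list in alphabetical order (aws, azure, bare_metal, gcp); move the new line between the AWS and GCP entries.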