mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

OSDOCS-6147: Updated ROSA with HCP content

This commit is contained in:
Eric Ponvelle
2023-05-18 14:49:40 -04:00
parent 007a9ac9c9
commit dc3314ed59
17 changed files with 285 additions and 106 deletions

View File

@@ -111,7 +111,7 @@ Topics:
- Name: Using the Node Tuning Operator on ROSA with HCP
File: rosa-tuning-config
---
Name: Install ROSA classic clusters
Name: Install ROSA Classic clusters
Dir: rosa_install_access_delete_clusters
Distros: openshift-rosa
Topics:

View File

@@ -12,7 +12,7 @@ You can add tunings for compute (also known as worker) nodes in a machine pool t
ifdef::openshift-rosa[]
* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
* You logged in to your Red Hat account by using the `rosa` CLI.
* You logged in to your Red Hat account by using the ROSA CLI.
* You created a {product-title} (ROSA) cluster.
endif::openshift-rosa[]
ifndef::openshift-rosa[]

View File

@@ -6,7 +6,7 @@
[id="rosa-creating-node-tuning_{context}"]
= Creating node tuning configurations on {hcp-title}
You can create tuning configurations using the `rosa` CLI.
You can create tuning configurations using the ROSA CLI.
.Prerequisites

View File

@@ -6,7 +6,7 @@
[id="rosa-deleting-node-tuning_{context}"]
= Deleting node tuning configurations on {hcp-title}
You can delete tuning configurations by using the `rosa` CLI.
You can delete tuning configurations by using the ROSA CLI.
[NOTE]
====

View File

@@ -4,16 +4,9 @@
:_content-type: PROCEDURE
[id="rosa-hcp-byo-oidc_{context}"]
= Generating your own OpenID Connect configuration
= Creating an OpenID Connect configuration
You can create your own OpenID Connect (OIDC) configuration before you create your cluster by using the `rosa create oidc-config --mode=auto` command. This command produces an OIDC configuration that is hosted under Red Hat's AWS account. The `rosa` CLI provides some additional options for creating your OIDC configuration.
You can generate managed or unmanaged OIDC configurations. Customer-hosted, or unmanaged, OIDC configurations are stored within your AWS account, and the configurations are flagged for use with {cluster-manager-first}. This process also provides you with a private key to have access to and take ownership of the configurations. Red Hat-hosted, or managed, OIDC configurations are stored within Red Hat's AWS account. This process provides you with private keys for accessing the configuration.
[NOTE]
====
When using the `--managed` parameter, you can only create a new managed OIDC configuration if there are no unused configurations; all existing OIDC configurations must be attached to a cluster. If you delete all of your clusters with attached managed OIDC configurations, you cannot create a new configuration until the unused one is reused or deleted.
====
When using a {hcp-title} cluster, you must create the OpenID Connect (OIDC) configuration prior to creating your cluster. This configuration is registered to be used with OCM.
.Prerequisites
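Review bot: the managed-case sentence "Red Hat-hosted, or managed, OIDC configurations are stored within Red Hat's AWS account. This process provides you with private keys for accessing the configuration" contradicts the assembly text this same commit removes ("This process does not provide a private key for users to access"), and the sample output further down only shows a Secrets Manager secret being created in the unmanaged (S3) flow. For a managed configuration the signing key stays in Red Hat's account; either drop the private-key sentence for the managed case or state explicitly that the key is not handed to the customer. For the unmanaged case it is worth adding one sentence that the Secrets Manager secret holds the OIDC signing key the IAM OIDC provider trusts, so read access to that secret should be restricted to the principals that need it.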
@@ -35,18 +28,17 @@ This command returns the following information.
+
[source,terminal]
----
I: This command will create a S3 bucket populating it with documents to be compliant with OIDC protocol. It will also create a Secret in Secrets Manager containing the private key
I: Using arn:aws:iam::242819244:role/ManagedOpenShift-Installer-Role for the Installer role
? Prefix for OIDC (optional):
I: Setting up unmanaged OIDC configuration 'oidc-r7u1'
I: Please run the following command to create a cluster with this oidc config
rosa create cluster --sts --oidc-config-id 233hvnrjoqu14jltk6lhbhf2tj11f8un
I: Creating OIDC provider using 'arn:aws:iam::242819244:user/userName'
? Would you like to create a Managed (Red Hat hosted) OIDC Configuration Yes
I: Setting up managed OIDC configuration
I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
? Create the OIDC provider? Yes
I: Created OIDC provider with ARN 'arn:aws:iam::242819244:oidc-provider/oidc-r7u1.s3.us-east-1.amazonaws.com'
I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'
----
When creating your cluster, you must supply the OIDC config ID. The CLI output provides this value for `--mode auto`, otherwise you must to determine these values based on `aws` CLI output for `--mode manual`.
+
When creating your cluster, you must supply the OIDC config ID. The CLI output provides this value for `--mode auto`, otherwise you must determine these values based on `aws` CLI output for `--mode manual`.
.Verification
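Review bot: the closing sentence mixes number: "The CLI output provides this value for `--mode auto`, otherwise you must determine these values based on `aws` CLI output for `--mode manual`". Use "this value" in both places (it is the single OIDC config ID), and consider spelling out which `aws` command's output carries it for `--mode manual`, since the sample output above only covers the `auto` flow.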

View File

@@ -18,9 +18,9 @@
| Hosted Control Plane
| Classic
| *What are each of the installation paths?*
| This installation path deploys control plane components, such as etcd, API server, and oauth, that are hosted separately on AWS in a Red Hat-owned and managed account.
| This installation path deploys the control plane components side by side with infrastructure and worker nodes that are hosted together in the customers same AWS account.
| Cluster infrastructure hosting
| {hcp-title} deploys control plane components, such as etcd, API server, and oauth, that are hosted separately on AWS in a Red Hat-owned and managed account.
| ROSA Classic deploys the control plane components side by side with infrastructure and worker nodes that are hosted together in the customers same AWS account.
| *Provisioning Time*
| Approximately 10 minutes
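Review bot: "hosted together in the customers same AWS account" needs an apostrophe ("the customer's AWS account"); the row label change to "Cluster infrastructure hosting" is fine, but both cells carry the same possessive error.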
@@ -29,17 +29,18 @@
| *Architecture*
|
* Underlying control plane infrastructure is fully managed and directly unavailable to end customers except through dedicated and explicitly exposed endpoints
* Work nodes are hosted in the customer's AWS account
|
* Customer is responsible for hosting control plane and AWS infrastructure, while still being _managed_ by Red Hat
* All-in-one {product-title} infrastructure architecture
* Work nodes are hosted in the customer's AWS account
| *Footprint*
| *Minimum Amazon EC2 footprint*
| One cluster requires a minimum of two nodes
| One cluster requires a minimum of seven nodes
| *Deployment*
|
* Deploy using ROSA CLI or web UI
* Deploy using ROSA CLI
* Customers provision "Hosted Clusters" that deploy the control plane components into Red Hat's AWS account
* Customers provision "Machine Pools" that deploy worker nodes into the customer's AWS account
|
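Review bot: "Work nodes are hosted in the customer's AWS account" should read "Worker nodes" in both the Hosted Control Plane and Classic columns. The phrase "directly unavailable to end customers except through dedicated and explicitly exposed endpoints" also reads awkwardly; "not directly reachable by customers except through explicitly exposed endpoints" is clearer and says the same thing.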
@@ -52,22 +53,16 @@
| *Regional Availability*
|
* eu-central-1
* eu-west-1
* us-east-1
* us-east-2
* us-west-2
| Available for purchase in all countries where AWS is commercially available
* Europe - Frankfort (eu-central-1)
* Europe - Ireland (eu-west-1)
* US East - N. Virginia (us-east-1)
* US East - Ohio (us-east-2)
* US West - Oregon (us-west-2)
| For AWS Region availability, see link:https://docs.aws.amazon.com/general/latest/gr/rosa.html[Red Hat OpenShift Service on AWS endpoints and quotas] in the AWS documentation.
| *Compliance*
|
* Compliance certifications planned for after GA
* FIPS compliance not yet available
* Compliance certifications and FIPS are not yet available.
|
* ISO 27001, 17, 18
* SOC 2 Type 2
* SOC 3
* PCI-DSS
* HIPAA
* Compliance specifics are located in the {product-title} documentation.
|===
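Review bot: "Europe - Frankfort (eu-central-1)" should be "Frankfurt". Replacing the Classic certification list with a pointer to the product documentation is fine, but the HCP cell "Compliance certifications and FIPS are not yet available." then sits beside a pointer rather than a list; consider linking the HCP cell to the same Compliance section so readers see both columns in one place.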

View File

@@ -6,7 +6,7 @@
[id="rosa-sts-creating-account-wide-sts-roles-and-policies_{context}"]
= Creating the account-wide STS roles and policies
Before using the {cluster-manager-first} {hybrid-console-second} to create {hcp-title-first} clusters, create the required account-wide roles and policies, including the Operator policies.
Before using the ROSA CLI to create {hcp-title-first} clusters, create the required account-wide roles and policies, including the Operator policies.
.Prerequisites
@@ -19,31 +19,15 @@ Before using the {cluster-manager-first} {hybrid-console-second} to create {hcp-
====
To successfully install {hcp-title} clusters, use the latest version of the ROSA CLI (`rosa`).
====
* You have logged in to your Red Hat account by using the `rosa` CLI.
* You have logged in to your Red Hat account by using the ROSA CLI.
.Procedure
. Check your AWS account for existing roles and policies by running the following command:
+
[source,terminal]
----
$ rosa list account-roles
----
+
.Sample output
[source,terminal]
----
I: Fetching account roles
ROLE NAME ROLE TYPE ROLE ARN OPENSHIFT VERSION
ManagedOpenShift-ControlPlane-Role Control plane arn:aws:iam::8744:role/ManagedOpenShift-ControlPlane-Role 4.13
ManagedOpenShift-Installer-Role Installer arn:aws:iam::8744:role/ManagedOpenShift-Installer-Role 4.13
ManagedOpenShift-Support-Role Support arn:aws:iam::8744:role/ManagedOpenShift-Support-Role 4.13
ManagedOpenShift-Worker-Role Worker arn:aws:iam::8744:role/ManagedOpenShift-Worker-Role 4.13
----
. If they do not exist in your AWS account, create the required account-wide STS roles and policies by running the following command:
+
[source,terminal]
----
$ rosa create account-roles
----
$ rosa create account-roles --force-policy-creation
----
+
The `--force-policy-creation` parameter updates any existing roles and policies that are present. If no roles and policies are present, the command creates these resources instead.
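Review bot: the new unconditional `rosa create account-roles --force-policy-creation` step conflicts with the step text that still reads "If they do not exist in your AWS account, create the required account-wide STS roles and policies", while the explanation below says the flag updates existing roles and policies in place. Either keep the `rosa list account-roles` inspection step that this hunk removes or rewrite the step text, and say plainly what an in-place update does: these are account-wide roles, so a forced policy update touches roles used by every cluster in that AWS account, not just the one being created. Telling the reader to review the listed roles first is the safer ordering.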

View File

@@ -19,7 +19,8 @@ When using {product-title} (ROSA) CLI (`rosa`) to create a cluster, you can sele
====
To successfully install ROSA clusters, use the latest version of the ROSA CLI (`rosa`).
====
* You have logged in to your Red Hat account by using the `rosa` CLI.
* You have logged in to your Red Hat account by using the ROSA CLI.
* You have created an OIDC configuration.
* You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
.Procedure
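Review bot: the prerequisites now list "You have created an OIDC configuration." but not the Operator roles, even though the cluster creation command in the next hunk adds `--operator-roles-prefix <operator-role-prefix>`. Add a bullet such as "You have created the Operator roles for your OIDC configuration" so the prerequisite list matches the command.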
@@ -33,18 +34,14 @@ To successfully install ROSA clusters, use the latest version of the ROSA CLI (`
//----
. You can create your {hcp-title} cluster with one of the following commands.
+
[NOTE]
====
If you are using your own OIDC provider, you must include the OIDC config ID, such as `--oidc-config-id <oidc_config_id>`.
====
** Create a cluster with a single, initial machine pool, publicly available API, and publicly available Ingress by running the following command:
+
[source,terminal]
----
$ rosa create cluster --cluster-name=<cluster_name> \
--sts --mode=auto --hosted-cp --subnet-ids=<public-subnet-id>,<private-subnet-id>
--sts --mode=auto --hosted-cp --operator-roles-prefix <operator-role-prefix> \
--oidc-config-id <ID-of-OIDC-configuration> --subnet-ids=<public-subnet-id>,<private-subnet-id>
----
** Create a cluster with a single, initial machine pool, privately available API, and privately available Ingress by running the following command:
@@ -54,11 +51,6 @@ $ rosa create cluster --cluster-name=<cluster_name> \
$ rosa create cluster --private --cluster-name=<cluster_name> \
--sts --mode=auto --hosted-cp --subnet-ids=<private-subnet-id>
----
+
[NOTE]
====
When you specify `--mode auto`, the `rosa create cluster` command creates the cluster-specific Operator IAM roles and the OIDC provider automatically. The Operators use the OIDC provider to authenticate.
====
. Check the status of your cluster by running the following command:
+
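Review bot: the private-cluster command at `$ rosa create cluster --private --cluster-name=<cluster_name> \` / `--sts --mode=auto --hosted-cp --subnet-ids=<private-subnet-id>` was not updated to carry `--operator-roles-prefix` and `--oidc-config-id` like the public-cluster command above it, while the NOTE explaining that `--mode auto` creates the Operator roles and OIDC provider automatically is removed here. As written the private variant is inconsistent with the public one; add the same two parameters.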
@@ -69,7 +61,6 @@ $ rosa describe cluster --cluster=<cluster_name>
+
The following `State` field changes are listed in the output as the cluster installation progresses:
+
* `waiting (Waiting for OIDC configuration)`
* `pending (Preparing account)`
* `installing (DNS setup in progress)`
* `installing`

View File

@@ -6,7 +6,7 @@
[id="rosa-hcp-vpc-manual_{context}"]
= Creating a Virtual Private Cloud manually
To manually create your Virtual Private Cloud (VPC), go to link:https://us-east-1.console.aws.amazon.com/vpc/[the VPC page in the AWS console]. Your VPC must have the following details.
If you choose to manually create your Virtual Private Cloud (VPC) instead of using Terraform, go to link:https://us-east-1.console.aws.amazon.com/vpc/[the VPC page in the AWS console]. Your VPC must meet the requirements shown in the following table.
.Requirements for your VPC
[options="header",cols="50,50"]

View File

@@ -44,11 +44,11 @@ $ terraform init
+
A message confirming the initialization appears when this process completes.
. To build your VPC Terraform plan based off of the downloaded template, run the `plan` command. You can specify a cluster name and your AWS region.
. To build your VPC Terraform plan based off of the downloaded template, run the `plan` command. You must include your AWS region. Optionally, you can specify a cluster name.
+
[source,terminal]
----
$ terraform plan -out rosa.plan [-var aws_region=<region>] [-var cluster_name=<cluster_name>]
$ terraform plan -out rosa.plan -var aws_region=<region> [-var cluster_name=<cluster_name>]
----
. You should have a `rosa.plan` file in the directory that you created in the first step. Apply this plan file to build your VPC by running the following command:

View File

@@ -6,7 +6,7 @@
[id="rosa-modifying-node-tuning_{context}"]
= Modifying your node tuning configurations for {hcp-title}
You can can view and update the node tuning configurations using the `rosa` CLI.
You can can view and update the node tuning configurations using the ROSA CLI.
.Prerequisites
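Review bot: "You can can view and update" has a doubled "can" in both the old and new line; fix it while this line is being touched.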

View File

@@ -0,0 +1,98 @@
// Module included in the following assemblies:
//
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
:_content-type: PROCEDURE
[id="rosa-operator-config_{context}"]
= Creating Operator roles and policies
When using a {hcp-title} cluster, you must create the Operator IAM roles that are required for {hcp-title-first} deployments. The cluster Operators use the Operator roles to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage, cloud provider credentials, and external access to a cluster.
.Prerequisites
* You have completed the AWS prerequisites for {hcp-title}.
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
* You created the account-wide AWS roles.
.Procedure
* To create your Operator roles, run the following command:
+
[source,terminal]
----
$ rosa create operator-roles --prefix <prefix-name> <1>
--oidc-config-id <oidc-config-id> <2>
--hosted-cp
----
+
--
<1> You must supply a prefix when creating these Operator roles. Failing to do so produces an error.
<2> This value is the OIDC configuration ID that you created for your {hcp-title} cluster.
--
+
You must include the `--hosted-cp` parameter to create the correct roles for {hcp-title} clusters. This command returns the following information.
+
.Sample output
+
[source,terminal]
----
? Role creation mode: auto
? Operator roles prefix: <pre-filled_prefix> <1>
? OIDC Configuration ID: 23soa2bgvpek9kmes9s7os0a39i13qm4 | https://dvbwgdztaeq9o.cloudfront.net/23soa2bgvpek9kmes9s7os0a39i13qm4 <2>
? Create hosted control plane operator roles: Yes
W: More than one Installer role found
? Installer role ARN: arn:aws:iam::4540112244:role/<prefix>-Installer-Role
? Permissions boundary ARN (optional):
I: Reusable OIDC Configuration detected. Validating trusted relationships to operator roles:
I: Creating roles using 'arn:aws:iam::4540112244:user/<userName>'
I: Created role '<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials'
I: Created role '<prefix>-openshift-cloud-network-config-controller-cloud-credenti' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti'
I: Created role '<prefix>-kube-system-kube-controller-manager' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager'
I: Created role '<prefix>-kube-system-capa-controller-manager' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager'
I: Created role '<prefix>-kube-system-control-plane-operator' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator'
I: Created role '<prefix>-kube-system-kms-provider' with ARN 'arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider'
I: Created role '<prefix>-openshift-image-registry-installer-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials'
I: Created role '<prefix>-openshift-ingress-operator-cloud-credentials' with ARN 'arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials'
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts --oidc-config-id 23soa2bgvpek9kmes9s7os0a39i13qm4 --operator-roles-prefix <prefix> --hosted-cp
----
+
--
<1> This field is prefilled with the prefix that you set in the initial creation command.
<2> This field requires you to select an OIDC configuration that you created for your {hcp-title} cluster.
--
+
The Operator roles are now created and ready to use for creating your {hcp-title} cluster.
.Verification
. You can list the Operator roles associated with your ROSA account. Run the following command:
+
[source,terminal]
----
$ rosa list operator-roles
----
+
.Sample output
+
[source,terminal]
----
I: Fetching operator roles
ROLE PREFIX AMOUNT IN BUNDLE
<prefix> 8
? Would you like to detail a specific prefix Yes <1>
? Operator Role Prefix: <prefix>
ROLE NAME ROLE ARN VERSION MANAGED
<prefix>-kube-system-capa-controller-manager arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager 4.13 No
<prefix>-kube-system-control-plane-operator arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator 4.13 No
<prefix>-kube-system-kms-provider arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider 4.13 No
<prefix>-kube-system-kube-controller-manager arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager 4.13 No
<prefix>-openshift-cloud-network-config-controller-cloud-credenti arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti 4.13 No
<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials 4.13 No
<prefix>-openshift-image-registry-installer-cloud-credentials arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials 4.13 No
<prefix>-openshift-ingress-operator-cloud-credentials arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials 4.13 No
----
+
--
<1> After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics.
--
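Review bot: the command block `$ rosa create operator-roles --prefix <prefix-name> <1>` / `--oidc-config-id <oidc-config-id> <2>` / `--hosted-cp` has no `\` line continuations, so a reader who copies it runs only the first line and gets the prefix-only invocation. Add a trailing `\` to the first two lines (the cluster-cli module in this same commit does this correctly). The sample output's "? Permissions boundary ARN (optional):" prompt is also worth one sentence in the callouts, since a permissions boundary is the one place a customer can cap what these eight Operator roles may do.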

View File

@@ -52,15 +52,23 @@ Any issues that may be discovered are prioritized based on severity. Any issues
.Security and control certifications for {product-title}
[cols= "3,3",options="header"]
[cols= "3,3,3",options="header"]
|===
| Certification | {product-title}
| Certification | {product-title} | {hcp-title-first}
| ISO 27001 | Yes
| HIPAA | Yes | No
| PCI DSS | Yes
| ISO 27001 | Yes | No
| SOC 2 Type 2 | Yes
| ISO 27017 | Yes | No
| ISO 27018 | Yes | No
| PCI DSS | Yes | No
| SOC 2 Type 2 | Yes | No
| SOC 3 | Yes | No
|===

View File

@@ -8,25 +8,36 @@ toc::[]
[NOTE]
====
If you are looking for a quickstart guide for ROSA, see xref:../rosa_getting_started/rosa-quickstart-guide-ui.adoc#rosa-quickstart-guide-ui[{product-title} quickstart guide].
If you are looking for a quickstart guide for ROSA Classic, see xref:../rosa_getting_started/rosa-quickstart-guide-ui.adoc#rosa-quickstart-guide-ui[{product-title} quickstart guide].
====
{hcp-title-first} offers a more efficient and reliable architecture for creating ROSA clusters. With {hcp-title}, each cluster has a dedicated control plane that is isolated in a Red Hat account.
{hcp-title-first} offers a more efficient and reliable architecture for creating ROSA clusters. With {hcp-title}, each cluster has a dedicated control plane that is isolated in a ROSA service account.
:FeatureName: {hcp-title-first}
include::snippets/technology-preview.adoc[]
Create a {hcp-title} cluster quickly by using the default options and automatic AWS Identity and Access Management (IAM) resource creation. You can deploy your cluster by using the ROSA CLI (`rosa`).
[IMPORTANT]
====
Since it is not possible to "upgrade" to a {hcp} architecture, you must create a new cluster to benefit from the for {hcp-title} functionality.
Since it is not possible to upgrade or convert existing ROSA clusters to a {hcp} architecture, you must creata a new cluster to use {hcp-title} functionality.
====
Create {hcp-title} cluster quickly by using the default options and automatic AWS Identity and Access Management (IAM) resource creation. You can deploy your cluster by using the ROSA CLI (`rosa`).
[NOTE]
====
All {hcp-title} clusters require AWS Security Token Service (STS) to be enabled.
{hcp-title} clusters only support AWS Security Token Service (STS) authentication.
====
include::modules/rosa-hcp-classic-comparison.adoc[leveloffset=+1]
.Additional resources
For a full list of the supported certificates, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-compliance_rosa-policy-process-security[Compliance] section of "Understanding process and security for Red Hat OpenShift Service on AWS".
[discrete]
[id="hcp-considerations_{context}"]
=== Considerations regarding auto creation mode
The procedures in this document use the `auto` mode in the ROSA CLI (`rosa`) to immediately create the required IAM resources using the current AWS account. The required resources include the account-wide IAM roles and policies, cluster-specific Operator roles and policies, and OpenID Connect (OIDC) identity provider.
Alternatively, you can use `manual` mode, which outputs the `aws` commands needed to create the IAM resources instead of deploying them automatically. For steps to deploy a {hcp-title} cluster by using `manual` mode or with customizations, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations].
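Review bot: "you must creata a new cluster to use {hcp-title} functionality" has a typo ("create"). The rest of the rewritten IMPORTANT block reads well; "upgrade or convert existing ROSA clusters" is clearer than the quoted "upgrade".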
@@ -47,15 +58,34 @@ include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[le
//
//include::modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc[leveloffset=+1]
//include::modules/rosa-sts-associating-your-aws-account.adoc[leveloffset=+2]
include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]
[id="rosa-hcp-prereqs"]
== {hcp-title} Prerequisites
To create a {hcp-title} cluster, you must have the following items:
* A configured virtual private cloud (VPC)
* Account-wide roles
* An OIDC configuration
* Operator roles
[id="rosa-hcp-creating-vpc"]
== Creating a Virtual Private Cloud for your {hcp-title} clusters
=== Creating a Virtual Private Cloud for your {hcp-title} clusters
You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. You can manually create this VPC using the AWS console, or you can use `terraform` to create a VPC by using a template.
You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster. You can use the following methods to create a VPC:
include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+2]
* Create a VPC by using a Terraform template
* Manually create the VPC resources in the AWS console
include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+2]
[NOTE]
====
The Terraform instructions are for testing and demonstration purposes. Your own installation requires some modifications to the VPC for your own use.
====
[discrete]
include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+3]
[discrete]
include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+3]
[role="_additional-resources"]
[id="additional-resources_rosa-hcp-vpc-aws"]
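Review bot: "You must have a Virtual Private Cloud (VPC) to create {hcp-title} cluster" is missing an article ("to create a {hcp-title} cluster") in both the old and new line. The new prerequisites list (VPC, account-wide roles, OIDC configuration, Operator roles) is in a sensible order; consider making the section order below match it exactly so the reader follows the list top to bottom.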
@@ -64,16 +94,11 @@ include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+2]
* link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html[Get Started with Amazon VPC]
* link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
[id="rosa-hcp-byo-odic-overview_{context}"]
== Creating an OpenID Connect Configuration
include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
When using a Red Hat-hosted cluster, you can create a managed or unmanaged OpenID Connect (OIDC) configuration that is generated by the CLI. A managed OIDC configuration is stored within Red Hat's AWS account. A generated unmanaged OIDC configuration is stored in your AWS account. The configuration is registered to be used with OCM. This generated unmanaged OIDC configuration provides the private key for you to access. This process does not provide a private key for users to access.
[discrete]
include::modules/rosa-hcp-byo-oidc.adoc[leveloffset=+2]
[discrete]
include::modules/rosa-hcp-byo-oidc-options.adoc[leveloffset=+2]
include::modules/rosa-operator-config.adoc[leveloffset=+2]
include::modules/rosa-hcp-sts-creating-a-cluster-cli.adoc[leveloffset=+1]

View File

@@ -8,6 +8,9 @@ toc::[]
{hcp-title-first} supports the Node Tuning Operator to improve performance of your nodes on your {hcp-title} clusters. Prior to creating a node tuning configuration, you must create a custom tuning specification.
:FeatureName: {hcp-title-first}
include::snippets/technology-preview.adoc[]
include::modules/node-tuning-operator.adoc[leveloffset=+1]
include::modules/custom-tuning-specification.adoc[leveloffset=+1]

View File

@@ -0,0 +1,83 @@
:_content-type: ASSEMBLY
include::_attributes/attributes-openshift-dedicated.adoc[]
:context: rosa-sts-aws-prereqs
[id="rosa-hcp-prereqs"]
= AWS prerequisites for {hcp-title}
toc::[]
{hcp-title-first} provides a model that Red Hat hosts the control plane and uses your AWS account to deploy clusters.
Ensure that the following AWS prerequisites are met before installing ROSA with STS.
include::modules/rosa-aws-understand.adoc[leveloffset=+1]
[IMPORTANT]
====
When you create a ROSA cluster using AWS STS, an associated AWS OpenID Connect (OIDC) identity provider is created as well. This OIDC provider configuration relies on a public key that is located in the `us-east-1` AWS region. Customers with AWS SCPs must allow the use of the `us-east-1` AWS region, even if these clusters are deployed in a different region.
====
[id="rosa-sts-customer-requirements_{context}"]
== Customer requirements when using STS for deployment
The following prerequisites must be complete before you deploy a {product-title} (ROSA) cluster that uses the AWS Security Token Service (STS).
include::modules/rosa-sts-aws-requirements-account.adoc[leveloffset=+2]
[role="_additional-resources"]
[id="additional-resources_aws-account-requirements_{context}"]
.Additional resources
* xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability]
* xref:../sd_support/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-general-deployment-elb[Creating the Elastic Load Balancing (ELB) service-linked role]
include::modules/rosa-sts-aws-requirements-access-req.adoc[leveloffset=+2]
[role="_additional-resources"]
[id="additional-resources_aws-access-requirements_{context}"]
.Additional resources
* See xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-applications-config-custom-domains[Configuring custom domains for applications]
include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2]
include::modules/rosa-sts-aws-requirements-security-req.adoc[leveloffset=+2]
[role="_additional-resources"]
[id="additional-resources_aws-security-requirements_{context}"]
.Additional resources
* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites]
include::modules/rosa-sts-aws-requirements-ocm.adoc[leveloffset=+2]
include::modules/rosa-sts-aws-requirements-association-concept.adoc[leveloffset=+3]
include::modules/rosa-sts-aws-requirements-creating-association.adoc[leveloffset=+3]
[discrete]
[role="_additional-resources"]
[id="additional-resources_creating-association_{context}"]
== Additional resources
* See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference] for a list of IAM roles needed for cluster creation.
include::modules/rosa-sts-aws-requirements-creating-multi-association.adoc[leveloffset=+3]
include::modules/rosa-requirements-deploying-in-opt-in-regions.adoc[leveloffset=+1]
include::modules/rosa-setting-the-aws-security-token-version.adoc[leveloffset=+2]
[id="rosa-sts-policy-iam_{context}"]
== Red Hat managed IAM references for AWS
With the STS deployment model, Red Hat is no longer responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles.
* To use the `ocm` CLI, you must have an `ocm-role` and `user-role` resource. See xref:../rosa_planning/rosa-sts-ocm-role.adoc#rosa-sts-ocm-role[OpenShift Cluster Manager IAM role resources].
* If you have a single cluster, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference].
* For every cluster, you must have the necessary operator roles. See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference].
include::modules/rosa-aws-provisioned.adoc[leveloffset=+1]
include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+1]
== Next steps
* xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Review the required AWS service quotas]
[role="_additional-resources"]
[id="additional-resources_aws-prerequisites_{context}"]
== Additional resources
* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red Hat OpenShift Service on AWS clusters]
* xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-applications-config-custom-domains[Configuring custom domains for applications]
* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types]
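Review bot: `:context: rosa-sts-aws-prereqs` in this new assembly is the same context value as the ROSA Classic prerequisites page, so every generated module id (for example `rosa-sts-customer-requirements_rosa-sts-aws-prereqs`) duplicates the Classic page's ids, and the xref `../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs` sends the reader to the Classic page even though the same module is included here. Give this file its own context (and id other than the `rosa-hcp-prereqs` already used in the quick-create assembly in this commit). Smaller wording fixes in the same hunk: "provides a model that Red Hat hosts the control plane" should be "a model in which Red Hat hosts the control plane", "before installing ROSA with STS" should name {hcp-title}, and "must be complete" should be "must be completed". The IMPORTANT block about the OIDC public key living in `us-east-1` and SCPs needing to allow that region is the right security caveat to keep near the top.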

View File

@@ -15,7 +15,7 @@ You can manually upgrade your cluster. Red Hat Site Reliability Engineers (SREs)
[id="rosa-hcp-upgrading-a-cluster"]
== Upgrading a ROSA cluster
You can upgrade {hcp-title-first} clusters by using individual upgrades through the `rosa` CLI.
You can upgrade {hcp-title-first} clusters by using individual upgrades through the ROSA CLI.
[NOTE]
====