diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml index 8ba49b56f1..de018900ea 100644 --- a/_topic_maps/_topic_map_osd.yml +++ b/_topic_maps/_topic_map_osd.yml @@ -117,26 +117,34 @@ Topics: - Name: Getting started with OpenShift Dedicated File: osd-getting-started --- -Name: Installing, accessing, and deleting OpenShift Dedicated clusters -Dir: osd_install_access_delete_cluster +Name: OpenShift Dedicated clusters on GCP +Dir: osd_gcp_clusters Distros: openshift-dedicated Topics: - Name: Private Service Connect overview File: creating-a-gcp-psc-enabled-private-cluster -- Name: Creating a cluster on GCP with Workload Identity Federation +- Name: Creating a cluster on GCP with Workload Identity Federation authentication File: creating-a-gcp-cluster-with-workload-identity-federation -- Name: Creating a cluster on GCP +- Name: Creating a cluster on GCP with Service Account authentication File: creating-a-gcp-cluster -#- Name: Creating a cluster on GCP with a Red Hat cloud account -# File: creating-a-gcp-cluster-redhat-account -- Name: Creating a cluster on AWS - File: creating-an-aws-cluster +- Name: Creating a cluster on GCP with a Red Hat cloud account + File: creating-a-gcp-cluster-redhat-account + #- Name: Configuring your identity providers # File: config-identity-providers #- Name: Revoking privileges and access to an OpenShift Dedicated cluster # File: osd-revoking-cluster-privileges -- Name: Deleting an OpenShift Dedicated cluster - File: osd-deleting-a-cluster +- Name: Deleting an OpenShift Dedicated cluster on GCP + File: osd-deleting-a-cluster-gcp +--- +Name: OpenShift Dedicated clusters on AWS +Dir: osd_aws_clusters +Distros: openshift-dedicated +Topics: +- Name: Creating a cluster on AWS + File: creating-an-aws-cluster +- Name: Deleting an OpenShift Dedicated cluster on AWS + File: osd-deleting-a-cluster-aws --- Name: Support Dir: support 
diff --git a/architecture/osd-architecture-models-gcp.adoc b/architecture/osd-architecture-models-gcp.adoc index f8ef0586ac..d21ad7253f 100644 --- a/architecture/osd-architecture-models-gcp.adoc +++ b/architecture/osd-architecture-models-gcp.adoc @@ -19,8 +19,8 @@ include::modules/osd-public-architecture-model-gcp.adoc[leveloffset=+1] [id="osd-architecture-models-additional-resources"] == Additional resources -* xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview] - -* xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation] +* xref:../osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview] +* xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication] +* xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with Service Account authentication] diff --git a/modules/configuring-a-proxy-during-installation-ocm.adoc b/modules/configuring-a-proxy-during-installation-ocm.adoc index 54bd9a4e3b..0aeb661825 100644 --- a/modules/configuring-a-proxy-during-installation-ocm.adoc +++ b/modules/configuring-a-proxy-during-installation-ocm.adoc 
@@ -21,7 +21,7 @@ endif::openshift-dedicated[] Prior to the installation, you must verify that the proxy is accessible from the VPC that the cluster is being installed into. The proxy must also be accessible from the private subnets of the VPC. ifdef::openshift-dedicated[] -For detailed steps to configure a cluster-wide proxy during installation by using {cluster-manager}, see _Creating a cluster on AWS with CCS_ or _Creating a cluster on GCP with CCS_. +For detailed steps to configure a cluster-wide proxy during installation by using {cluster-manager}, see _Creating a cluster on AWS_ or _Creating a cluster on GCP_. endif::openshift-dedicated[] ifdef::openshift-rosa[] diff --git a/modules/create-wif-cluster-ocm.adoc b/modules/create-wif-cluster-ocm.adoc index 0a5b7def88..02db88a139 100644 --- a/modules/create-wif-cluster-ocm.adoc +++ b/modules/create-wif-cluster-ocm.adoc @@ -12,12 +12,7 @@ . Log in to {cluster-manager-url} and click *Create cluster* on the {product-title} card. . Under *Billing model*, configure the subscription type and infrastructure type. -+ -[IMPORTANT] -==== -Workload Identity Federation is supported by the Customer Cloud Subscription (CCS) infrastructure type only. -==== -+ + .. Select a subscription type. For information about {product-title} subscription options, see link:https://access.redhat.com/documentation/en-us/openshift_cluster_manager/1-latest/html-single/managing_clusters/index#assembly-cluster-subscriptions[Cluster subscriptions and registration] in the {cluster-manager} documentation. + diff --git a/modules/deleting-cluster-aws.adoc b/modules/deleting-cluster-aws.adoc new file mode 100644 index 0000000000..9f449706b7 --- /dev/null +++ b/modules/deleting-cluster-aws.adoc 
@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * osd_install_access_delete_cluster/osd-deleting-a-cluster.adoc
+// * osd_getting_started/osd-getting-started.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="deleting-cluster_aws_{context}"]
+= Deleting your cluster
+
+You can delete your {product-title} cluster in {cluster-manager-first}.
+
+.Prerequisites
+
+* You logged in to {cluster-manager-url}.
+* You created an {product-title} cluster.
+
+.Procedure
+
+. From {cluster-manager-url}, click on the cluster you want to delete.
+
+. Select *Delete cluster* from the *Actions* drop-down menu.
+
+. Type the name of the cluster highlighted in bold, then click *Delete*. Cluster deletion occurs automatically.
diff --git a/modules/deleting-cluster.adoc b/modules/deleting-cluster.adoc
index 2f220beabc..7b7422a6b4 100644
--- a/modules/deleting-cluster.adoc
+++ b/modules/deleting-cluster.adoc
@@ -9,6 +9,8 @@ You can delete your {product-title} cluster in {cluster-manager-first}. +.Prerequisites + * You logged in to {cluster-manager-url}. * You created an {product-title} cluster.
@@ -19,6 +21,7 @@ You can delete your {product-title} cluster in {cluster-manager-first}. . Select *Delete cluster* from the *Actions* drop-down menu. . Type the name of the cluster highlighted in bold, then click *Delete*. Cluster deletion occurs automatically. + + [NOTE] ====
diff --git a/modules/osd-create-cluster-ccs-gcp.adoc b/modules/osd-create-cluster-ccs-gcp.adoc
new file mode 100644
index 0000000000..dedd32bf66
--- /dev/null
+++ b/modules/osd-create-cluster-ccs-gcp.adoc
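Review bot: The header comment of the new module, `// * osd_install_access_delete_cluster/osd-deleting-a-cluster.adoc`, names the assembly directory this commit removes; the topic map in this diff places the AWS deletion assembly at `osd_aws_clusters/osd-deleting-a-cluster-aws`, so the comment should read `// * osd_aws_clusters/osd-deleting-a-cluster-aws.adoc` (whether `osd_getting_started/osd-getting-started.adoc` really includes this AWS copy rather than modules/deleting-cluster.adoc is not visible here). The body otherwise duplicates modules/deleting-cluster.adoc line for line except for the trailing `[NOTE]` block, which is left out of the AWS copy; if that note is GCP-specific that is fine, but if it is generic it is now lost for AWS readers. A single module with an `ifeval::["{context}" == ...]` guard, as the old osd-create-cluster-ccs.adoc used, would avoid maintaining two copies of the same procedure.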
@@ -0,0 +1,267 @@
+// Module included in the following assemblies:
+//
+// * osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc
+
+
+
+:_mod-docs-content-type: PROCEDURE
+
+
+[id="osd-create-gcp-cluster-ccs1_{context}"]
+= Creating a cluster on GCP with CCS
+
+.Procedure
+
+. Log in to {cluster-manager-url} and click *Create cluster*.
+
+. On the *Create an OpenShift cluster* page, select *Create cluster* in the *Red Hat OpenShift Dedicated* row.
+
+. Under *Billing model*, configure the subscription type and infrastructure type:
+.. Select a subscription type. For information about {product-title} subscription options, see link:https://access.redhat.com/documentation/en-us/openshift_cluster_manager/1-latest/html-single/managing_clusters/index#assembly-cluster-subscriptions[Cluster subscriptions and registration] in the {cluster-manager} documentation.
++
+[NOTE]
+====
+The subscription types that are available to you depend on your {product-title} subscriptions and resource quotas.
+Red Hat recommends deploying your cluster with the On-Demand subscription type purchased through the {GCP} Marketplace. This option provides flexible, consumption-based billing, consuming additional capacity is frictionless, and no Red Hat intervention is required.
+
+For more information, contact your sales representative or Red Hat support.
+====
++
+.. Select the *Customer Cloud Subscription* infrastructure type to deploy {product-title} in an existing cloud provider account that you own.
+.. Click *Next*.
+
+. Select *Run on Google Cloud Platform*.
+. Select *Service Account* as the Authentication type.
++
+[NOTE]
+====
+Red Hat recommends using Workload Identity Federation as the Authentication type. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication].
+====
++
+
+
+. Review and complete the listed *Prerequisites*.
+. Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
+. Provide your GCP service account private key in JSON format. You can either click *Browse* to locate and attach a JSON file or add the details in the *Service account JSON* field.
+
+. Click *Next* to validate your cloud provider account and go to the *Cluster details* page.
+
+. On the *Cluster details* page, provide a name for your cluster and specify the cluster details:
+.. Add a *Cluster name*.
+.. Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on `openshiftapps.com`. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
++
+To customize the subdomain, select the *Create customize domain prefix* checkbox, and enter your domain prefix name in the *Domain prefix* field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.
+.. Select a cluster version from the *Version* drop-down menu.
+
+[IMPORTANT]
+====
+Clusters configured with Private Service Connect (PSC) are only supported on OpenShift Dedicated version 4.17 and later. For more information regarding PSC, see _Private Service Overview_ in the _Additional resources_ section.
+====
++
+
+.. Select a cloud provider region from the *Region* drop-down menu.
+.. Select a *Single zone* or *Multi-zone* configuration.
++
+
+.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
++
+[IMPORTANT]
+====
+To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints].
+====
++
+
+.. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
+.. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
+
+... Accept the default setting *Use default KMS Keys* to use your default AWS KMS key, or select *Use Custom KMS keys* to use a custom KMS key.
+.... With *Use Custom KMS keys* selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the *Key ARN* field.
+The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
+
++
+
+... Select *Use custom KMS keys* to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting *Use default KMS Keys*.
++
+[IMPORTANT]
+====
+To use custom KMS keys, the IAM service account `osd-ccs-admin` must be granted the *Cloud KMS CryptoKey Encrypter/Decrypter* role. For more information about granting roles on a resource, see link:https://cloud.google.com/kms/docs/iam#granting_roles_on_a_resource[Granting roles on a resource].
+====
++
+With *Use Custom KMS keys* selected:
+
+.... Select a key ring location from the *Key ring location* drop-down menu.
+.... Select a key ring from the *Key ring* drop-down menu.
+.... Select a key name from the *Key name* drop-down menu.
+.... Provide the *KMS Service Account*.
++
+... Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
++
+[NOTE]
+====
+If *Enable FIPS cryptography* is selected, *Enable additional etcd encryption* is enabled by default and cannot be disabled. You can select *Enable additional etcd encryption* without selecting *Enable FIPS cryptography*.
+====
++
+... Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
++
+[NOTE]
+====
+By enabling additional etcd encryption, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
+====
++
+.. Click *Next*.
+
+. On the *Default machine pool* page, select a *Compute node instance type* from the drop-down menu.
+. Optional: Select the *Enable autoscaling* checkbox to enable autoscaling.
+.. Click *Edit cluster autoscaling settings* to make changes to the autoscaling settings.
+.. Once you have made your desired changes, click *Close*.
+.. Select a minimum and maximum node count. Node counts can be selected by engaging the available plus and minus signs or inputting the desired node count into the number input field.
+. Select a *Compute node count* from the drop-down menu.
++
+[NOTE]
+====
+If you are using multiple availability zones, the compute node count is per zone. After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your {product-title} subscription.
+====
++
+
+. Optional: Expand *Add node labels* to add labels to your nodes. Click *Add additional label* to add an additional node label and select *Next*.
+
++
+[IMPORTANT]
+====
+This step refers to labels within Kubernetes, not Google Cloud. For more information regarding Kubernetes labels, see link:https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/[Labels and Selectors].
+====
++
+
+. On the *Network configuration* page, select *Public* or *Private* to use either public or private API endpoints and application routes for your cluster.
+
+If you select *Private* and selected {product-title} version 4.17 or later as your cluster version, *Use Private Service Connect* is selected by default. Private Service Connect (PSC) is Google Cloud’s security-enhanced networking feature. You can disable PSC by clicking the *Use Private Service Connect* checkbox.
++
+[NOTE]
+====
+Red Hat recommends using Private Service Connect when deploying a private {product-title} cluster on Google Cloud. Private Service Connect ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE) and private {product-title} clusters.
+====
+
+[IMPORTANT]
+====
+If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.
+====
++
+
+. Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):
+.. Select *Install into an existing VPC*.
++
+[IMPORTANT]
+====
+Private Service Connect is supported only with *Install into an existing VPC*.
+====
++
+.. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select *Configure a cluster-wide proxy*.
++
+[IMPORTANT]
+====
+In order to configure a cluster-wide proxy for your cluster, you must first create the Cloud network address translation (NAT) and a Cloud router. See the _Additional resources_ section for more information.
+====
++
+. Accept the default application ingress settings, or to create your own custom settings, select *Custom Settings*.
+
+.. Optional: Provide route selector.
+.. Optional: Provide excluded namespaces.
+.. Select a namespace ownership policy.
+.. Select a wildcard policy.
++
+For more information about custom application ingress settings, click on the information icon provided for each setting.
+
++
+. Click *Next*.
+
+. Optional: To install the cluster into a GCP Shared VPC:
++
+[IMPORTANT]
+====
+
+To install a cluster into a Shared VPC, you must use {product-title} version 4.13.15 or later. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc[Enable a host project].
+====
+
+.. Select *Install into GCP Shared VPC*.
+.. Specify the *Host project ID*. If the specified host project ID is incorrect, cluster creation fails.
++
+[IMPORTANT]
+====
+Once you complete the steps within the cluster configuration wizard and click *Create Cluster*, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: *Compute Network Administrator*, *Compute Security Administrator*, *Project IAM Admin*, and *DNS Administrator*.
+The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails.
+For information about Shared VPC permissions, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#migs-service-accounts[Provision Shared VPC].
+====
+
++
+. If you opted to install the cluster in an existing GCP VPC, provide your *Virtual Private Cloud (VPC) subnet settings* and select *Next*.
+You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.
+
++
+[NOTE]
+====
+If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project.
+====
+
+. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the *Cluster-wide proxy* page:
++
+.. Enter a value in at least one of the following fields:
+** Specify a valid *HTTP proxy URL*.
+** Specify a valid *HTTPS proxy URL*.
+** In the *Additional trust bundle* field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required if you use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the {op-system-first} trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the `http-proxy` and `https-proxy` arguments.
++
+.. Click *Next*.
++
+For more information about configuring a proxy with {product-title}, see _Configuring a cluster-wide proxy_.
+
+. In the *CIDR ranges* dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
++
+[NOTE]
+====
+If you are installing into a VPC, the *Machine CIDR* range must match the VPC subnets.
+====
++
+[IMPORTANT]
+====
+CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.
+====
+
+. On the *Cluster update strategy* page, configure your update preferences:
+.. Choose a cluster update method:
+** Select *Individual updates* if you want to schedule each update individually. This is the default option.
+** Select *Recurring updates* to update your cluster on your preferred day and start time, when updates are available.
++
+[NOTE]
+====
+You can review the end-of-life dates in the update lifecycle documentation for {product-title}. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#osd-life-cycle[OpenShift Dedicated update life cycle].
+====
++
+.. Provide administrator approval based on your cluster update method:
+** Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click *Approve and continue*.
+** Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click *Approve and continue*. {cluster-manager} does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.
++
+
+.. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
+.. Optional: You can set a grace period for *Node draining* during cluster upgrades. A *1 hour* grace period is set by default.
+.. Click *Next*.
++
+[NOTE]
+====
+In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see link:https://access.redhat.com/security/updates/classification[Understanding Red Hat security ratings].
+====
+
+. Review the summary of your selections and click *Create cluster* to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
++
+. Optional: On the *Overview* tab, you can enable the delete protection feature by selecting *Enable*, which is located directly under *Delete Protection: Disabled*. This will prevent your cluster from being deleted. To disable delete protection, select *Disable*.
+By default, clusters are created with the delete protection feature disabled.
++
+
+[NOTE]
+====
+If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.
+====
+
+
+.Verification
+
+* You can monitor the progress of the installation in the *Overview* page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the *Status* in the *Details* section of the page is listed as *Ready*.
+
diff --git a/modules/osd-create-cluster-ccs.adoc b/modules/osd-create-cluster-ccs.adoc
index 681a2d50c9..dc67a9f9b3 100644
--- a/modules/osd-create-cluster-ccs.adoc
+++ b/modules/osd-create-cluster-ccs.adoc
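Review bot: The *Advanced Encryption* sub-steps of this GCP-only procedure still carry the AWS KMS instructions — `... Accept the default setting *Use default KMS Keys* to use your default AWS KMS key, or select *Use Custom KMS keys* to use a custom KMS key.`, `.... With *Use Custom KMS keys* selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the *Key ARN* field.` and the `The key is used for encrypting ...` sentence — which in the old shared module sat under `ifdef::osd-on-aws[]`; a GCP reader is told to supply an AWS ARN before reaching the real GCP item (`... Select *Use custom KMS keys* ...` with its `osd-ccs-admin` Cloud KMS role note), so those three lines should be dropped here. The same unguarded AWS text is left on the new side of modules/osd-create-cluster-ccs.adoc in the `@@ -162,22 +66,16 @@` hunk, where the `ifdef::osd-on-aws[]`/`endif::osd-on-aws[]` pair was replaced by blank lines. The header comment `// * osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc` points at the directory this commit renames; the topic map now lists that assembly under `osd_gcp_clusters`, so it should read `// * osd_gcp_clusters/creating-a-gcp-cluster.adoc`. The id `osd-create-gcp-cluster-ccs1_{context}` is also the id this commit gives modules/osd-create-cluster-ccs.adoc; if both modules are ever included with the same context that produces a duplicate anchor, so one of them presumably wants a distinct id.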
@@ -1,84 +1,12 @@ // Module included in the following assemblies: // // * osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc -// * osd_install_access_delete_cluster/creating-an-aws-cluster.adoc -ifeval::["{context}" == "osd-creating-a-cluster-on-aws"] -:osd-on-aws: -endif::[] -ifeval::["{context}" == "osd-creating-a-cluster-on-gcp"] -:osd-on-gcp: -endif::[] :_mod-docs-content-type: PROCEDURE -ifdef::osd-on-aws[] -[id="osd-create-aws-cluster-ccs_{context}"] -= Creating a cluster on AWS with CCS -endif::osd-on-aws[] -ifdef::osd-on-gcp[] -[id="osd-create-gcp-cluster-ccs_{context}"] -= Creating a cluster on GCP with CCS -endif::osd-on-gcp[] - -By using the Customer Cloud Subscription (CCS) billing model, you can create an {product-title} cluster in an existing -ifdef::osd-on-aws[] -{AWS} -endif::osd-on-aws[] -ifdef::osd-on-gcp[] -{GCP} -endif::osd-on-gcp[] -account that you own. - -You must meet several prerequisites if you use the CCS model to deploy and manage {product-title} into your -ifdef::osd-on-aws[] -AWS -endif::osd-on-aws[] -ifdef::osd-on-gcp[] -GCP -endif::osd-on-gcp[] -account. - -.Prerequisites - -ifdef::osd-on-aws[] -* You have configured your AWS account for use with {product-title}. -* You have not deployed any services in your AWS account. -* You have configured the AWS account quotas and limits that are required to support the desired cluster size. -* You have an `osdCcsAdmin` AWS Identity and Access Management (IAM) user with the `AdministratorAccess` policy attached. -* You have set up a service control policy (SCP) in your AWS organization. For more information, see _Minimum required service control policy (SCP)_. -* Consider having *Business Support* or higher from AWS. -* If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into. The proxy must also be accessible from the private subnets of the VPC. 
-endif::osd-on-aws[] -ifdef::osd-on-gcp[] -* You have configured your GCP account for use with {product-title}. -* You have configured the GCP account quotas and limits that are required to support the desired cluster size. -* You have created a GCP project. -* You have enabled the Google Cloud Resource Manager API in your GCP project. For more information about enabling APIs for your project, see link:https://cloud.google.com/endpoints/docs/openapi/enable-api[the Google Cloud documentation]. -* You have an IAM service account in GCP called `osd-ccs-admin` with the following roles attached: - ** Compute Admin - ** DNS Administrator - ** Security Admin - ** Service Account Admin - ** Service Account Key Admin - ** Service Account User - ** Organization Policy Viewer - ** Service Management Administrator - ** Service Usage Admin - ** Storage Admin - ** Compute Load Balancer Admin - ** Role Viewer - ** Role Administrator -* You have created a key for your `osd-ccs-admin` GCP service account and exported it to a file named `osServiceAccount.json`. -+ -[NOTE] -==== -For more information about creating a key for your GCP service account and exporting it to a JSON file, see link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Creating service account keys] in the Google Cloud documentation. -==== -* Consider having link:https://cloud.google.com/support[Enhanced Support] or higher from GCP. -* To prevent potential conflicts, consider having no other resources provisioned in the project prior to installing {product-title}. -* If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into. -endif::osd-on-gcp[] +[id="osd-create-gcp-cluster-ccs1_{context}"] += Creating a cluster with Service Account authentication using {cluster-manager} .Procedure . Log in to {cluster-manager-url} and click *Create cluster*. 
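Review bot: The whole `.Prerequisites` list is deleted from this module — the GCP quota and project items, the `osd-ccs-admin` IAM service account with its role list, and the step to export its key to `osServiceAccount.json` — and nothing on the new side says where they went, while the procedure still tells the reader to `Provide your GCP service account private key in JSON format` in the hunk that follows. Unless the list was moved to a module outside this diff, the reader of the renamed "Creating a cluster with Service Account authentication" procedure no longer learns which roles the service account key must carry, which is exactly the permission set worth keeping documented and minimal. If it was moved, a one-line pointer after the new title to wherever the prerequisites now live would keep the module self-explanatory. The unchanged header comment `// * osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc` also names the directory this commit renames to `osd_gcp_clusters`.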
@@ -91,50 +19,27 @@ endif::osd-on-gcp[] [NOTE] ==== The subscription types that are available to you depend on your {product-title} subscriptions and resource quotas. -ifdef::osd-on-gcp[] Red Hat recommends deploying your cluster with the On-Demand subscription type purchased through the {GCP} Marketplace. This option provides flexible, consumption-based billing, consuming additional capacity is frictionless, and no Red Hat intervention is required. -endif::osd-on-gcp[] + For more information, contact your sales representative or Red Hat support. ==== + .. Select the *Customer Cloud Subscription* infrastructure type to deploy {product-title} in an existing cloud provider account that you own. .. Click *Next*. -ifdef::osd-on-aws[] -. Select *Run on Amazon Web Services*. -endif::osd-on-aws[] -ifdef::osd-on-gcp[] . Select *Run on Google Cloud Platform*. . Select *Service Account* as the Authentication type. + [NOTE] ==== -Red Hat recommends using Workload Identity Federation as the Authentication type. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation]. +Red Hat recommends using Workload Identity Federation as the Authentication type. For more information, see _Creating a cluster on GCP with Workload Identity Federation authentication_ in the _Additional resources_ section. ==== + -endif::osd-on-gcp[] . Review and complete the listed *Prerequisites*. . Select the checkbox to acknowledge that you have read and completed all of the prerequisites. -ifdef::osd-on-aws[] -. Provide your AWS account details: -.. Enter your *AWS account ID*. -.. Enter your *AWS access key ID* and *AWS secret access key* for your AWS IAM user account. -+ -[NOTE] -==== -Revoking these credentials in AWS results in a loss of access to any cluster created with these credentials. -==== -.. 
Optional: You can select *Bypass AWS service control policy (SCP) checks* to disable the SCP checks. -+ -[NOTE] -==== -Some AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. The SCP is still enforced even if the checks are bypassed. -==== -endif::osd-on-aws[] -ifdef::osd-on-gcp[] . Provide your GCP service account private key in JSON format. You can either click *Browse* to locate and attach a JSON file or add the details in the *Service account JSON* field. -endif::osd-on-gcp[] + . Click *Next* to validate your cloud provider account and go to the *Cluster details* page. . On the *Cluster details* page, provide a name for your cluster and specify the cluster details: @@ -143,18 +48,17 @@ endif::osd-on-gcp[] + To customize the subdomain, select the *Create customize domain prefix* checkbox, and enter your domain prefix name in the *Domain prefix* field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation. .. Select a cluster version from the *Version* drop-down menu. -ifdef::osd-on-gcp[] + [IMPORTANT] ==== Clusters configured with Private Service Connect (PSC) are only supported on OpenShift Dedicated version 4.17 and later. For more information regarding PSC, see _Private Service Overview_ in the _Additional resources_ section. ==== -+ -endif::osd-on-gcp[] + + .. Select a cloud provider region from the *Region* drop-down menu. .. Select a *Single zone* or *Multi-zone* configuration. + -ifdef::osd-on-gcp[] + .. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. + [IMPORTANT] 
@@ -162,22 +66,16 @@ ifdef::osd-on-gcp[] To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints]. ==== + -endif::osd-on-gcp[] + .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default. .. Optional: Expand *Advanced Encryption* to make changes to encryption settings. -ifdef::osd-on-aws[] + ... Accept the default setting *Use default KMS Keys* to use your default AWS KMS key, or select *Use Custom KMS keys* to use a custom KMS key. .... With *Use Custom KMS keys* selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the *Key ARN* field. The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster. -//Commented out due to changes in the UI -//[IMPORTANT] -//==== -//Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key. -//PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key. -//==== + + -endif::osd-on-aws[] -ifdef::osd-on-gcp[] + ... Select *Use custom KMS keys* to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting *Use default KMS Keys*. + [IMPORTANT] 
@@ -192,7 +90,6 @@ With *Use Custom KMS keys* selected: .... Select a key name from the *Key name* drop-down menu. .... Provide the *KMS Service Account*. + -endif::osd-on-gcp[] ... Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated. + [NOTE] 
@@ -221,63 +118,31 @@ By enabling additional etcd encryption, you will incur a performance overhead of If you are using multiple availability zones, the compute node count is per zone. After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your {product-title} subscription. ==== + -ifdef::osd-on-aws[] -. Choose your preference for the Instance Metadata Service (IMDS) type, either using both IMDSv1 and IMDSv2 types or requiring your EC2 instances to use only IMDSv2. You can access instance metadata from a running instance in two ways: -+ -* Instance Metadata Service Version 1 (IMDSv1) - a request/response method -* Instance Metadata Service Version 2 (IMDSv2) - a session-oriented method -+ -[IMPORTANT] -==== -The Instance Metadata Service settings cannot be changed after your cluster is created. -==== -+ -[NOTE] -==== -IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can range from a minimum of one second to a maximum of six hours. During the specified duration, you can use the same session token for subsequent requests. After the specified duration expires, you must create a new session token to use for future requests. -==== -+ -For more information regarding IMDS, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data] in the AWS documentation. -endif::osd-on-aws[] . Optional: Expand *Add node labels* to add labels to your nodes. Click *Add additional label* to add an additional node label and select *Next*. -ifdef::osd-on-gcp[] + + [IMPORTANT] ==== This step refers to labels within Kubernetes, not Google Cloud. 
For more information regarding Kubernetes labels, see link:https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/[Labels and Selectors]. ==== + -endif::osd-on-gcp[] + . On the *Network configuration* page, select *Public* or *Private* to use either public or private API endpoints and application routes for your cluster. -ifdef::osd-on-gcp[] ++ If you select *Private* and selected {product-title} version 4.17 or later as your cluster version, *Use Private Service Connect* is selected by default. Private Service Connect (PSC) is Google Cloud’s security-enhanced networking feature. You can disable PSC by clicking the *Use Private Service Connect* checkbox. + [NOTE] ==== Red Hat recommends using Private Service Connect when deploying a private {product-title} cluster on Google Cloud. Private Service Connect ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE) and private {product-title} clusters. ==== -endif::osd-on-gcp[] + [IMPORTANT] ==== If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account. ==== + -ifdef::osd-on-aws[] -. Optional: To install the cluster in an existing AWS Virtual Private Cloud (VPC): -.. Select *Install into an existing VPC*. -.. If you are installing into an existing VPC and opted to use private API endpoints, you can select *Use a PrivateLink*. This option enables connections to the cluster by Red Hat Site Reliability Engineering (SRE) using only AWS PrivateLink endpoints. -+ -[NOTE] -==== -The *Use a PrivateLink* option cannot be changed after a cluster is created. -==== -+ -.. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select *Configure a cluster-wide proxy*. -endif::osd-on-aws[] -ifdef::osd-on-gcp[] . Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC): .. 
Select *Install into an existing VPC*. + @@ -302,11 +167,9 @@ In order to configure a cluster-wide proxy for your cluster, you must first crea + For more information about custom application ingress settings, click on the information icon provided for each setting. -endif::osd-on-gcp[] + . Click *Next*. -ifdef::osd-on-gcp[] . Optional: To install the cluster into a GCP Shared VPC: + [IMPORTANT] 
@@ -324,38 +187,17 @@ Once you complete the steps within the cluster configuration wizard and click *C The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails. For information about Shared VPC permissions, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#migs-service-accounts[Provision Shared VPC]. ==== -endif::osd-on-gcp[] + + -. If you opted to install the cluster in an existing -ifdef::osd-on-aws[] -AWS -endif::osd-on-aws[] -ifdef::osd-on-gcp[] -GCP -endif::osd-on-gcp[] -VPC, provide your *Virtual Private Cloud (VPC) subnet settings* and select *Next*. +. If you opted to install the cluster in an existing GCP VPC, provide your *Virtual Private Cloud (VPC) subnet settings* and select *Next*. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs. -ifdef::osd-on-aws[] -+ -[NOTE] -==== -You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required. -==== -endif::osd-on-aws[] -ifdef::osd-on-gcp[] + + [NOTE] ==== If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project. ==== -endif::osd-on-gcp[] -ifdef::osd-on-aws[] -.. Optional: Expand *Additional security groups* and select additional custom security groups to apply to nodes in the machine pools that are created by default. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster. -+ -By default, the security groups you specify are added for all node types. 
Clear the *Apply the same security groups to all node types* checkbox to apply different security groups for each node type. -+ -For more information, see the requirements for _Security groups_ under _Additional resources_. -endif::osd-on-aws[] + . If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the *Cluster-wide proxy* page: + .. Enter a value in at least one of the following fields: @@ -409,20 +251,13 @@ In the event of critical security concerns that significantly impact the securit By default, clusters are created with the delete protection feature disabled. + -ifdef::osd-on-gcp[] [NOTE] ==== If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation. ==== -endif::osd-on-gcp[] + .Verification * You can monitor the progress of the installation in the *Overview* page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the *Status* in the *Details* section of the page is listed as *Ready*. -ifeval::["{context}" == "osd-creating-a-cluster-on-aws"] -:!osd-on-aws: -endif::[] -ifeval::["{context}" == "osd-creating-a-cluster-on-gcp"] -:!osd-on-gcp: -endif::[] diff --git a/modules/osd-create-cluster-red-hat-account.adoc b/modules/osd-create-cluster-red-hat-account.adoc index 0e4d46ce3e..7efd7d6204 100644 --- a/modules/osd-create-cluster-red-hat-account.adoc +++ b/modules/osd-create-cluster-red-hat-account.adoc @@ -4,8 +4,8 @@ :_mod-docs-content-type: PROCEDURE -[id="osd-create-aws-cluster-ccs_{context}"] -= Creating a cluster on GCP with a Red Hat cloud account +[id="osd-create-gcp-cluster-ccs_{context}"] += Creating a cluster on GCP with a Red Hat cloud account using {cluster-manager} Through {cluster-manager-url}, you can create an {product-title} cluster on {GCP} using a standard cloud provider account owned by Red Hat. 
@@ -98,8 +98,8 @@ You can review the end-of-life dates in the update lifecycle documentation for {
 ====
 +
 .. Provide administrator approval based on your cluster update method:
-** Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click *Approve and continue*.
-** Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click *Approve and continue*. {cluster-manager} does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.
+** Individual updates: If you select an update version that requires approval, provide an administrator's acknowledgment and click *Approve and continue*.
+** Recurring updates: If you selected recurring updates for your cluster, provide an administrator's acknowledgment and click *Approve and continue*. {cluster-manager} does not start scheduled y-stream updates for minor versions without receiving an administrator's acknowledgment.
 +
 .. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
 .. Optional: You can set a grace period for *Node draining* during cluster upgrades. A *1 hour* grace period is set by default.
@@ -119,4 +119,3 @@ By default, clusters are created with the delete protection feature disabled.
 .Verification
 * You can monitor the progress of the installation in the *Overview* page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the *Status* in the *Details* section of the page is listed as *Ready*.
-
diff --git a/modules/private-service-connect-create.adoc b/modules/private-service-connect-create.adoc
index 665392dc88..6cdb0f3182 100644
--- a/modules/private-service-connect-create.adoc
+++ b/modules/private-service-connect-create.adoc
@@ -7,4 +7,4 @@
 = Creating a private cluster with Private Service Connect
 Private Service Connect is supported with the Customer Cloud Subscription (CCS) infrastructure type only. To create an {product-title} on {GCP} using PSC, see
- xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
\ No newline at end of file
+ xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
\ No newline at end of file
diff --git a/modules/service-account-auth-overview.adoc b/modules/service-account-auth-overview.adoc
new file mode 100644
index 0000000000..70ebb27fb5
--- /dev/null
+++ b/modules/service-account-auth-overview.adoc
@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
+
+
+:_mod-docs-content-type: CONCEPT
+[id="service-account-auth-overview_{context}"]
+= Service Account authentication overview
+
+The Service Account authentication type uses a private key for authentication purposes. Service accounts use RSA key pairs, which consist of a public and private key, with the private key being the service account key. The public portion of the key pair is stored on Google Cloud, while the private key is kept by the user. The private key allows users to authenticate as a service account and gain access to assets and resources associated with that service account.
+
+Service account keys are a security risk if not managed carefully. Users should routinely rotate their service account keys to reduce the risk of leaked or stolen keys.
+
+[IMPORTANT]
+=====
+Because of the potential security risk when using the Service Account authentication type, Red Hat recommends using GCP Workload Identity Federation (WIF) as the authentication type for installing and interacting with the OpenShift Dedicated cluster deployed on Google Cloud Platform (GCP) because it provides enhanced security. For more information, see _Creating a cluster on GCP with Workload Identity Federation authentication_ in the _Additional resources_ section.
+=====
\ No newline at end of file
diff --git a/modules/wif-overview.adoc b/modules/wif-overview.adoc
index 73967ec906..ca99871be4 100644
--- a/modules/wif-overview.adoc
+++ b/modules/wif-overview.adoc
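Review bot: The header comment `// * osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc` names the wrong assembly: that directory is removed by this commit, and the only include of this module added here is `include::modules/service-account-auth-overview.adoc[leveloffset=+1]` in `osd_gcp_clusters/creating-a-gcp-cluster.adoc`. Change it to `// * osd_gcp_clusters/creating-a-gcp-cluster.adoc` so the module-to-assembly map stays accurate. The paragraph also states that the private key "is kept by the user", while the procedure this module now fronts has the user upload that key as JSON into the cluster wizard (`Provide your GCP service account private key in JSON format`); one sentence saying the uploaded key must be handled as a secret, alongside the existing rotation advice, would keep the overview consistent with the procedure.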
@@ -5,9 +5,8 @@ :_mod-docs-content-type: CONCEPT [id="workload-identity-federation-overview_{context}"] -= Workload Identity Federation Overview += Workload Identity Federation overview -// Workload Identity Federation (WIF) allows {product-title} on {GCP} customers to use federated identities instead of service account keys when creating the necessary credentials needed to access GCP resources. Credentials created using WIF are short-term and more secure, while credentials created using service account keys are long-term and less secure. WIF minimizes the rights granted to third parties such as Red Hat, and ensures all Google Cloud native IAM and best practices for securing Google Cloud services and infrastructure are followed. Workload Identity Federation (WIF) is a {GCP} Identity and Access Management (IAM) feature that provides third parties a secure method to access resources on a customer's cloud account. WIF eliminates the need for service account keys, and is Google Cloud's preferred method of credential authentication. While service account keys can provide powerful access to your Google Cloud resources, they must be maintained by the end user and can be a security risk if they are not managed properly. WIF does not use service keys as an access method for your Google cloud resources. Instead, WIF grants access by using credentials from external identity providers to generate short-lived credentials for workloads. The workloads can then use these credentials to temporarily impersonate service accounts and access Google Cloud resources. This removes the burden of having to properly maintain service account keys, and removes the risk of unauthorized users gaining access to service account keys. 
@@ -29,6 +28,6 @@ For more information about Workload Identity Federation, see the link:https://cl
 [IMPORTANT]
 ====
-Workload Identity Federation (WIF) is only supported on {product-title} version 4.17 and later.
+Workload Identity Federation (WIF) is only available on {product-title} version 4.17 and later, and is only supported by the Customer Cloud Subscription (CCS) infrastructure type.
 ====
diff --git a/networking/configuring-cluster-wide-proxy.adoc b/networking/configuring-cluster-wide-proxy.adoc
index 5b41e8fa95..224ccb4b91 100644
--- a/networking/configuring-cluster-wide-proxy.adoc
+++ b/networking/configuring-cluster-wide-proxy.adoc
@@ -65,8 +65,8 @@ ifdef::openshift-rosa[]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-cli_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations using the CLI]
 endif::openshift-rosa[]
 ifdef::openshift-dedicated[]
-* xref:../osd_install_access_delete_cluster/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS with CCS]
-* xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS]
+* xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]
+* xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP]
 endif::openshift-dedicated[]
 [id="configuring-a-proxy-after-installation_{context}"]
diff --git a/osd_architecture/osd_policy/osd-sre-access.adoc b/osd_architecture/osd_policy/osd-sre-access.adoc
index 4a55832746..d3f0e90e87 100644
--- a/osd_architecture/osd_policy/osd-sre-access.adoc
+++ b/osd_architecture/osd_policy/osd-sre-access.adoc
@@ -13,4 +13,4 @@ include::modules/how-service-accounts-assume-aws-iam-roles-in-sre-owned-projects
 [id="additional-resources_{context}"]
 == Additional resources
-For more information about WIF configuration and SRE access roles, see xref:../../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a WIF configuration].
+For more information about WIF configuration and SRE access roles, see xref:../../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a WIF configuration].
diff --git a/osd_install_access_delete_cluster/_attributes b/osd_aws_clusters/_attributes
similarity index 100%
rename from osd_install_access_delete_cluster/_attributes
rename to osd_aws_clusters/_attributes
diff --git a/osd_install_access_delete_cluster/creating-an-aws-cluster.adoc b/osd_aws_clusters/creating-an-aws-cluster.adoc
similarity index 100%
rename from osd_install_access_delete_cluster/creating-an-aws-cluster.adoc
rename to osd_aws_clusters/creating-an-aws-cluster.adoc
diff --git a/osd_install_access_delete_cluster/images b/osd_aws_clusters/images
similarity index 100%
rename from osd_install_access_delete_cluster/images
rename to osd_aws_clusters/images
diff --git a/osd_install_access_delete_cluster/modules b/osd_aws_clusters/modules
similarity index 100%
rename from osd_install_access_delete_cluster/modules
rename to osd_aws_clusters/modules
diff --git a/osd_aws_clusters/osd-deleting-a-cluster-aws.adoc b/osd_aws_clusters/osd-deleting-a-cluster-aws.adoc
new file mode 100644
index 0000000000..9a1c56d477
--- /dev/null
+++ b/osd_aws_clusters/osd-deleting-a-cluster-aws.adoc
@@ -0,0 +1,12 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="osd-deleting-a-cluster"]
+= Deleting an {product-title} cluster on AWS
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: osd-deleting-a-cluster-aws
+
+toc::[]
+
+[role="_abstract"]
+As cluster owner, you can delete your {product-title} clusters.
+
+include::modules/deleting-cluster-aws.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/osd_install_access_delete_cluster/snippets b/osd_aws_clusters/snippets
similarity index 100%
rename from osd_install_access_delete_cluster/snippets
rename to osd_aws_clusters/snippets
diff --git a/osd_gcp_clusters/_attributes b/osd_gcp_clusters/_attributes
new file mode 120000
index 0000000000..f27fd275ea
--- /dev/null
+++ b/osd_gcp_clusters/_attributes
@@ -0,0 +1 @@
+../_attributes/
\ No newline at end of file
diff --git a/osd_install_access_delete_cluster/config-identity-providers.adoc b/osd_gcp_clusters/config-identity-providers.adoc
similarity index 100%
rename from osd_install_access_delete_cluster/config-identity-providers.adoc
rename to osd_gcp_clusters/config-identity-providers.adoc
diff --git a/osd_gcp_clusters/creating-a-gcp-cluster-redhat-account.adoc b/osd_gcp_clusters/creating-a-gcp-cluster-redhat-account.adoc
new file mode 100644
index 0000000000..34b78991eb
--- /dev/null
+++ b/osd_gcp_clusters/creating-a-gcp-cluster-redhat-account.adoc
@@ -0,0 +1,25 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="osd-creating-a-gcp-cluster-rh-account"]
+= Creating a cluster on GCP with a Red Hat cloud account
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: osd-creating-a-gcp-cluster-rh-account
+
+toc::[]
+
+:_mod-docs-content-type: PROCEDURE
+
+Through {cluster-manager-url}, you can create an {product-title} cluster on {GCP} using a standard cloud provider account owned by Red Hat.
+
+[id="osd-creating-a-cluster-on-gcp-prerequisites1_{context}"]
+== Prerequisites
+
+* You reviewed the xref:../osd_architecture/osd-understanding.adoc#osd-understanding[introduction to {product-title}] and the documentation on xref:../architecture/index.adoc#architecture-overview[architecture concepts].
+* You reviewed the xref:../osd_getting_started/osd-understanding-your-cloud-deployment-options.adoc#osd-understanding-your-cloud-deployment-options[{product-title} cloud deployment options].
+
+include::modules/osd-create-cluster-red-hat-account.adoc[leveloffset=+1]
+
+[id="next-steps-rh-account_{context}"]
+== Next steps
+* To learn about configuring identity providers for your cluster, see xref:../authentication/sd-configuring-identity-providers.adoc#sd-configuring-identity-providers[Configuring Identity Providers].
+
+* To learn about granting administrator privileges to a user for your cluster, see xref:../osd_getting_started/osd-getting-started.adoc#osd-grant-admin-privileges_osd-getting-started[Granting administrator privileges to a user].
\ No newline at end of file
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc b/osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc
similarity index 81%
rename from osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
rename to osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc
index 9c53d32bf3..1fdb3f1461 100644
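Review bot: The new assembly sets `:_mod-docs-content-type: ASSEMBLY` on its first line and then `:_mod-docs-content-type: PROCEDURE` right after `toc::[]`; the second assignment overrides the first for the rest of the file, and the PROCEDURE type belongs to the included module `osd-create-cluster-red-hat-account.adoc`, which already declares it in its own hunk above. Drop the `:_mod-docs-content-type: PROCEDURE` line together with the blank line that follows it. The sibling GCP assemblies in this commit mark their lead paragraph with `[role="_abstract"]`; this one does not, so the `Through {cluster-manager-url}, ...` sentence probably wants that attribute line in front of it.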
--- a/osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc
+++ b/osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc
@@ -1,6 +1,6 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="osd-creating-a-cluster-on-gcp-with-workload-identity-federation"]
-= Creating a cluster on GCP with Workload Identity Federation
+= Creating a cluster on GCP with Workload Identity Federation authentication
 include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: osd-creating-a-cluster-on-gcp-with-workload-identity-federation
@@ -10,7 +10,7 @@ include::modules/wif-overview.adoc[leveloffset=+1]
 [id="osd-creating-a-cluster-on-gcp-prerequisites1_{context}"]
 == Prerequisites
-You must complete the following prerequisites before xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-ocm_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a Workload Identity Federation cluster using OpenShift Cluster Manager] and xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a Workload Identity Federation cluster using the OCM CLI].
+You must complete the following prerequisites before xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-ocm_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a Workload Identity Federation cluster using OpenShift Cluster Manager] and xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a Workload Identity Federation cluster using the OCM CLI].
 * You have confirmed your Google Cloud account has the necessary resource quotas and limits to support your desired cluster size according to the cluster resource requirements.
@@ -28,7 +28,7 @@ For more information regarding resource quotas and limits, see _Additional resou
 [NOTE]
 ====
 WIF supports the deployment of a private {product-title} on {GCP} cluster with Private Service Connect (PSC). Red Hat recommends using PSC when deploying private clusters.
-For more information about the prerequisites for PSC, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#private-service-connect-prereqs[Prerequisites for Private Service Connect].
+For more information about the prerequisites for PSC, see xref:../osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc#private-service-connect-prereqs[Prerequisites for Private Service Connect].
 ====
 include::modules/create-wif-cluster-ocm.adoc[leveloffset=+1]
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc b/osd_gcp_clusters/creating-a-gcp-cluster.adoc
similarity index 68%
rename from osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc
rename to osd_gcp_clusters/creating-a-gcp-cluster.adoc
index 64c2a2ce99..7f5ee2aa30 100644
--- a/osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc
+++ b/osd_gcp_clusters/creating-a-gcp-cluster.adoc
@@ -1,35 +1,34 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="osd-creating-a-cluster-on-gcp"]
-= Creating a cluster on GCP
+= Creating a cluster on GCP with Service Account authentication
 include::_attributes/attributes-openshift-dedicated.adoc[]
 :context: osd-creating-a-cluster-on-gcp
 toc::[]
 [role="_abstract"]
-[IMPORTANT]
-=====
-The following topic addresses creating an {product-title} on {GCP} cluster using a service account key, which creates credentials required for cluster access. Service account keys produce long-lived credentials. To install and interact with an {product-title} on {GCP} cluster using Workload Identity Federation (WIF), which is the recommended authentication type because it provides enhanced security, see the topic xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation].
-=====
-You can install {product-title} on {GCP} by using your own GCP account through the Customer Cloud Subscription (CCS) model or by using a GCP infrastructure account that is owned by Red Hat.
+include::modules/service-account-auth-overview.adoc[leveloffset=+1]
-[id="osd-creating-a-cluster-on-gcp-prerequisites_{context}"]
+
+[id="osd-creating-a-cluster-on-gcp-sa-prerequisites_{context}"]
 == Prerequisites
 * You reviewed the xref:../osd_architecture/osd-understanding.adoc#osd-understanding[introduction to {product-title}] and the documentation on xref:../architecture/index.adoc#architecture-overview[architecture concepts].
 * You reviewed the xref:../osd_getting_started/osd-understanding-your-cloud-deployment-options.adoc#osd-understanding-your-cloud-deployment-options[{product-title} cloud deployment options].
+* You reviewed and completed the xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-procedure_gcp-ccs[Required customer procedure].
include::modules/osd-create-cluster-ccs.adoc[leveloffset=+1] + //include::modules/osd-create-cluster-gcp-account.adoc[leveloffset=+1] -include::modules/osd-create-cluster-red-hat-account.adoc[leveloffset=+1] +// include::modules/osd-create-cluster-red-hat-account.adoc[leveloffset=+1] //include::modules/osd-create-cluster-rhm-gcp-account.adoc[leveloffset=+1] [id="additional-resources_{context}"] == Additional resources -* For information about Workload Identity Federation, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation]. +* For information about Workload Identity Federation, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication]. -* For information about Private Service Connect (PSC), see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]. +* For information about Private Service Connect (PSC), see xref:../osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview]. * For information about configuring a proxy with {product-title}, see xref:../networking/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy]. * For information about persistent storage for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#sdpolicy-storage_osd-service-definition[Storage] section in the {product-title} service definition. 
 * For information about load balancers for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#load-balancers_osd-service-definition[Load balancers] section in the {product-title} service definition.
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc b/osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc
similarity index 82%
rename from osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
rename to osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc
index aed5c9b774..6b622ddbc7 100644
--- a/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
+++ b/osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc
@@ -19,4 +19,4 @@ include::modules/private-service-connect-psc-architecture.adoc[leveloffset=+1]
 * To configure your firewalls, see xref:../osd_planning/gcp-ccs.adoc#osd-gcp-psc-firewall-prerequisites_gcp-ccs[GCP firewall prerequisites].
 * To create an {product-title} on {GCP} using PSC with the Workload Identity Federation authentication type, see
- xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation].
+ xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication].
diff --git a/osd_gcp_clusters/creating-an-aws-cluster.adoc b/osd_gcp_clusters/creating-an-aws-cluster.adoc
new file mode 100644
index 0000000000..8fd6037fa7
--- /dev/null
+++ b/osd_gcp_clusters/creating-an-aws-cluster.adoc
@@ -0,0 +1,31 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="osd-creating-a-cluster-on-aws"]
+= Creating a cluster on AWS
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: osd-creating-a-cluster-on-aws
+
+toc::[]
+
+[role="_abstract"]
+You can deploy {product-title} on {AWS} by using your own AWS account through the Customer Cloud Subscription (CCS) model or by using an AWS infrastructure account that is owned by Red Hat.
+
+[id="osd-creating-a-cluster-on-aws-prerequisites_{context}"]
+== Prerequisites
+
+* You reviewed the xref:../osd_architecture/osd-understanding.adoc#osd-understanding[introduction to {product-title}] and the documentation on xref:../architecture/index.adoc#architecture-overview[architecture concepts].
+* You reviewed the xref:../osd_getting_started/osd-understanding-your-cloud-deployment-options.adoc#osd-understanding-your-cloud-deployment-options[{product-title} cloud deployment options].
+
+include::modules/osd-create-cluster-ccs-aws.adoc[leveloffset=+1]
+
+[id="additional-resources_{context}"]
+== Additional resources
+
+* For information about configuring a proxy with {product-title}, see xref:../networking/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy].
+* For details about the AWS service control policies required for CCS deployments, see xref:../osd_planning/aws-ccs.adoc#ccs-aws-scp_aws-ccs[Minimum required service control policy (SCP)].
+* For information about persistent storage for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#sdpolicy-storage_osd-service-definition[Storage] section in the {product-title} service definition.
+* For information about load balancers for {product-title}, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#load-balancers_osd-service-definition[Load balancers] section in the {product-title} service definition.
+* For more information about etcd encryption, see the xref:../osd_architecture/osd_policy/osd-service-definition.adoc#etcd-encryption_osd-service-definition[etcd encryption service definition].
+* For information about the end-of-life dates for {product-title} versions, see the xref:../osd_architecture/osd_policy/osd-life-cycle.adoc#osd-life-cycle[{product-title} update life cycle].
+* For information about the requirements for custom additional security groups, see xref:../osd_planning/aws-ccs.adoc#osd-security-groups-custom_aws-ccs[Additional custom security groups].
+* For information about configuring identity providers, see xref:../authentication/sd-configuring-identity-providers.adoc#sd-configuring-identity-providers[Configuring identity providers].
+* For information about revoking cluster privileges, see xref:../authentication/osd-revoking-cluster-privileges.adoc#osd-revoking-cluster-privileges[Revoking privileges and access to an {product-title} cluster].
\ No newline at end of file
diff --git a/osd_gcp_clusters/images b/osd_gcp_clusters/images
new file mode 120000
index 0000000000..5e67573196
--- /dev/null
+++ b/osd_gcp_clusters/images
@@ -0,0 +1 @@
+../images
\ No newline at end of file
diff --git a/osd_gcp_clusters/modules b/osd_gcp_clusters/modules
new file mode 120000
index 0000000000..464b823aca
--- /dev/null
+++ b/osd_gcp_clusters/modules
@@ -0,0 +1 @@
+../modules
\ No newline at end of file
diff --git a/osd_gcp_clusters/osd-deleting-a-cluster-gcp.adoc b/osd_gcp_clusters/osd-deleting-a-cluster-gcp.adoc
new file mode 100644
index 0000000000..56ad26066b
--- /dev/null
+++ b/osd_gcp_clusters/osd-deleting-a-cluster-gcp.adoc
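Review bot: The new assembly is created at osd_gcp_clusters/creating-an-aws-cluster.adoc, but every cross-reference this commit writes to it resolves under a different directory — the getting-started hunks later in this diff use `xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]` — and no osd_aws_clusters directory, nor the images/modules/snippets symlinks it would need, appears in this diff. Unless that directory is added in a part of the change not shown here, those xrefs will not resolve at build time. Moving the file to osd_aws_clusters/creating-an-aws-cluster.adoc and adding the same three symlinks there that this commit adds for osd_gcp_clusters would bring the file in line with its references.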
@@ -0,0 +1,12 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="osd-deleting-a-cluster"]
+= Deleting an {product-title} cluster on GCP
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: osd-deleting-a-cluster-gcp
+
+toc::[]
+
+[role="_abstract"]
+As cluster owner, you can delete your {product-title} clusters.
+
+include::modules/deleting-cluster.adoc[leveloffset=+1]
\ No newline at end of file
diff --git a/osd_install_access_delete_cluster/osd-deleting-a-cluster.adoc b/osd_gcp_clusters/osd-deleting-a-cluster.adoc
similarity index 100%
rename from osd_install_access_delete_cluster/osd-deleting-a-cluster.adoc
rename to osd_gcp_clusters/osd-deleting-a-cluster.adoc
diff --git a/osd_gcp_clusters/snippets b/osd_gcp_clusters/snippets
new file mode 120000
index 0000000000..9f5bc7e4dd
--- /dev/null
+++ b/osd_gcp_clusters/snippets
@@ -0,0 +1 @@
+../snippets
\ No newline at end of file
diff --git a/osd_getting_started/osd-getting-started.adoc b/osd_getting_started/osd-getting-started.adoc
index ec855f8e05..342b2bbcfb 100644
--- a/osd_getting_started/osd-getting-started.adoc
+++ b/osd_getting_started/osd-getting-started.adoc
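Review bot: The new assembly declares `[id="osd-deleting-a-cluster"]` while its `:context:` is `osd-deleting-a-cluster-gcp`, and this commit renames the unchanged osd-deleting-a-cluster.adoc into the same osd_gcp_clusters directory; if that file carries the id its filename suggests, the two assemblies will define the same anchor whenever both are built. Changing the id to match the context, `[id="osd-deleting-a-cluster-gcp"]`, keeps the anchor unique and mirrors the per-provider naming used for the AWS counterpart. If the renamed file is no longer included in any build, dropping it rather than renaming it would avoid carrying a duplicate assembly forward.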
@@ -27,11 +27,12 @@ Choose from one of the following methods to deploy your cluster.
 You can install {product-title} in your own {GCP} account by using the CCS model. Complete the steps in one of the following sections to deploy {product-title} in your own {GCP} account.
-* Red Hat recommends using GCP Workload Identity Federation (WIF) as the authentication type for installing and interacting with the {product-title} cluster deployed on {GCP} because it provides enhanced security. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc[Creating a cluster on GCP with Workload Identity Federation].
+* *xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]*: You can install {product-title} in your own {AWS} account by using the CCS model.
-* Red Hat also recommends creating an {product-title} cluster deployed on {GCP} in Private cluster mode with Private Service Connect (PSC) to manage and monitor a cluster to avoid all public ingress network traffic. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview].
+* Red Hat also recommends creating an {product-title} cluster deployed on {GCP} in Private cluster mode with Private Service Connect (PSC) to manage and monitor a cluster to avoid all public ingress network traffic. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview].
-* For installing and interacting with the {product-title} cluster deployed on the {GCP} using the Service Account authentication type, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with Service Account authentication].
+* For installing and interacting with the {product-title} cluster deployed on the {GCP} using the Service Account authentication type, see xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with Service Account authentication].
+** Red Hat recommends using GCP Workload Identity Federation (WIF) as the authentication type for installing and interacting with the {product-title} cluster deployed on {GCP} because it provides enhanced security. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication].
 // Update link with new title when new SA auth guide goes live.
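Review bot: The added bullet `* *xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]*: You can install {product-title} in your own {AWS} account by using the CCS model.` sits directly under the lead sentence about deploying in your own {GCP} account, and the same AWS link is already listed in the AWS section of the next hunk, so it replaces the GCP WIF recommendation with an out-of-place duplicate. The WIF bullet has also been demoted to a `**` sub-item beneath the Service Account bullet, which buries the option the text itself says Red Hat recommends for enhanced security under the less-preferred one. I would drop the AWS bullet from this section and restore the WIF recommendation as the first top-level `*` bullet, keeping its retargeted osd_gcp_clusters xref.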
@@ -40,16 +41,16 @@ You can install {product-title} in your own {GCP} account by using the CCS model
 You can install {product-title} in your own {AWS} account by using the CCS model.
-* xref:../osd_install_access_delete_cluster/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]
+* xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]
 [id="osd-getting-started-create-cluster-red-hat-cloud-account"]
 === Creating a cluster using a Red Hat cloud account
 Complete the steps in one of the following sections to deploy {product-title} in a cloud account that is owned by Red Hat:
-* xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with a Red Hat cloud account]: You can install {product-title} in an GCP account that is owned by Red Hat.
+* xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with a Red Hat cloud account]: You can install {product-title} in an GCP account that is owned by Red Hat.
-* xref:../osd_install_access_delete_cluster/creating-an-aws-cluster.adoc#osd-create-aws-cluster-red-hat-account_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]: You can install {product-title} in an AWS account that is owned by Red Hat.
+* xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-red-hat-account_osd-creating-a-cluster-on-aws[Creating a cluster on AWS]: You can install {product-title} in an AWS account that is owned by Red Hat.
 // Update link when OSDOCS-12950 goes live.
 include::modules/config-idp.adoc[leveloffset=+1]
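Review bot: The retargeted Red Hat cloud account link `xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with a Red Hat cloud account]` keeps an anchor named osd-create-aws-cluster-ccs inside the GCP assembly, and this commit deletes creating-a-gcp-cluster-redhat-account.adoc, the assembly whose title matches that link text, without recreating it under osd_gcp_clusters. The anchor was carried over from the old line, but the directory move is the moment to confirm that creating-a-gcp-cluster.adoc actually defines it; otherwise the link should point at whichever GCP Red Hat cloud account content survives the deletion, or go with it. While touching the line, `in an GCP account` reads better as `in a GCP account`.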
@@ -91,6 +92,11 @@ include::modules/deleting-cluster.adoc[leveloffset=+1]
 * For information about the end-of-life dates for {product-title} versions, see the xref:../osd_architecture/osd_policy/osd-life-cycle.adoc#osd-life-cycle[{product-title} update life cycle].
-* For more information about deploying {product-title} clusters, see xref:../osd_install_access_delete_cluster/creating-an-aws-cluster.adoc#osd-creating-a-cluster-on-aws[Creating a cluster on AWS] and xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-creating-a-cluster-on-gcp[Creating a cluster on GCP].
+* For more information about deploying {product-title} clusters on AWS, see xref:../osd_aws_clusters/creating-an-aws-cluster.adoc#osd-create-aws-cluster-ccs_osd-creating-a-cluster-on-aws[Creating a cluster on AWS].
+
+* For more information about deploying {product-title} clusters on GCP, see xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with Service Account authentication] and xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication].
 * For documentation on upgrading your cluster, see xref:../upgrading/osd-upgrades.adoc#osd-upgrades[{product-title} cluster upgrades].
+
+
+xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication]
\ No newline at end of file
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-cluster-redhat-account.adoc b/osd_install_access_delete_cluster/creating-a-gcp-cluster-redhat-account.adoc
deleted file mode 100644
index bbea79c28c..0000000000
--- a/osd_install_access_delete_cluster/creating-a-gcp-cluster-redhat-account.adoc
+++ /dev/null
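Review bot: The last three added lines of the hunk — two blank lines and a bare `xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a cluster on GCP with Workload Identity Federation authentication]` with no bullet or lead-in — look like a leftover from drafting the GCP bullet above, which already carries that exact link. As written they render as a dangling paragraph after the Additional resources list, and the file now ends without a trailing newline. Deleting those three lines and restoring the final newline resolves both.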
@@ -1,131 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="osd-creating-a-gcp-cluster-rh-account"]
-= Creating a cluster on GCP with a Red Hat cloud account
-include::_attributes/attributes-openshift-dedicated.adoc[]
-:context: osd-creating-a-gcp-cluster-rh-account
-
-toc::[]
-
-:_mod-docs-content-type: PROCEDURE
-
-Through {cluster-manager-url}, you can create an {product-title} cluster on {GCP} using a standard cloud provider account owned by Red Hat.
-
-.Procedure
-
-. Log in to {cluster-manager-url} and click *Create cluster*.
-
-. In the *Cloud* tab, click *Create cluster* in the *Red Hat OpenShift Dedicated* row.
-
-. Under *Billing model*, configure the subscription type and infrastructure type:
-.. Select the *Annual* subscription type. Only the *Annual* subscription type is available when you deploy a cluster using a Red Hat cloud account.
-+
-For information about {product-title} subscription options, see link:https://access.redhat.com/documentation/en-us/openshift_cluster_manager/1-latest/html-single/managing_clusters/index#assembly-cluster-subscriptions[Cluster subscriptions and registration] in the {cluster-manager} documentation.
-+
-[NOTE]
-====
-You must have the required resource quota for the *Annual* subscription type to be available. For more information, contact your sales representative or Red Hat support.
-====
-+
-.. Select the *Red Hat cloud account* infrastructure type to deploy {product-title} in a cloud provider account that is owned by Red Hat.
-.. Click *Next*.
-
- . Select *Run on Google Cloud Platform*
-and click *Next*.
-
-. On the *Cluster details* page, provide a name for your cluster and specify the cluster details:
-.. Add a *Cluster name*.
-.. Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on `openshiftapps.com`. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix.
If the cluster name is longer than 15 characters, the domain prefix is randomly generated as a 15-character string.
-+
-To customize the subdomain, select the *Create custom domain prefix* checkbox, and enter your domain prefix name in the *Domain prefix* field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.
-.. Select a cluster version from the *Version* drop-down menu.
-.. Select a cloud provider region from the *Region* drop-down menu.
-.. Select a *Single zone* or *Multi-zone* configuration.
-.. Select a *Persistent storage* capacity for the cluster. For more information, see the _Storage_ section in the {product-title} service definition.
-.. Specify the number of *Load balancers* that you require for your cluster. For more information, see the _Load balancers_ section in the {product-title} service definition.
-+
-
-.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
-+
-[IMPORTANT]
-====
-To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints].
-====
-+
-
-.. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
-
-. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
-+
-.. Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
-+
-[NOTE]
-====
-If *Enable FIPS cryptography* is selected, *Enable additional etcd encryption* is enabled by default and cannot be disabled. You can select *Enable additional etcd encryption* without selecting *Enable FIPS cryptography*.
-====
-
-.. Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
-+
-[NOTE]
-====
-By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
-====
-+
-.. Click *Next*.
-
-. On the *Default machine pool* page, select a *Compute node instance type* and a *Compute node count*. The number and types of nodes that are available depend on your {product-title} subscription. If you are using multiple availability zones, the compute node count is per zone.
-+
-[NOTE]
-====
-After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a machine pool. For clusters that use the CCS model, you can add machine pools after installation that use a different instance type. The number and types of nodes available to you depend on your {product-title} subscription.
-====
-
-. Optional: Expand *Edit node labels* to add labels to your nodes. Click *Add label* to add more node labels and select *Next*.
-
-. In the *Cluster privacy* dialog, select *Public* or *Private* to use either public or private API endpoints and application routes for your cluster.
-
-. Click *Next*.
-
-.
In the *CIDR ranges* dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
-+
-[IMPORTANT]
-====
-CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.
-
-If the cluster privacy is set to *Private*, you cannot access your cluster until you configure private connections in your cloud provider.
-====
-
-. On the *Cluster update strategy* page, configure your update preferences:
-.. Choose a cluster update method:
-** Select *Individual updates* if you want to schedule each update individually. This is the default option.
-** Select *Recurring updates* to update your cluster on your preferred day and start time, when updates are available.
-+
-[NOTE]
-====
-You can review the end-of-life dates in the update lifecycle documentation for {product-title}. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#osd-life-cycle[OpenShift Dedicated update life cycle].
-====
-+
-.. Provide administrator approval based on your cluster update method:
-** Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click *Approve and continue*.
-** Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click *Approve and continue*. {cluster-manager} does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.
-+
-.. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
-.. Optional: You can set a grace period for *Node draining* during cluster upgrades. A *1 hour* grace period is set by default.
-.. Click *Next*.
-+
-[NOTE]
-====
-In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see link:https://access.redhat.com/security/updates/classification[Understanding Red Hat security ratings].
-====
-
-. Review the summary of your selections and click *Create cluster* to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
-+
-. Optional: On the *Overview* tab, you can enable the delete protection feature by selecting *Enable*, which is located directly under *Delete Protection: Disabled*. This will prevent your cluster from being deleted. To disable delete protection, select *Disable*.
-By default, clusters are created with the delete protection feature disabled.
-+
-
-.Verification
-
-* You can monitor the progress of the installation in the *Overview* page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the *Status* in the *Details* section of the page is listed as *Ready*.
-
diff --git a/osd_planning/gcp-ccs.adoc b/osd_planning/gcp-ccs.adoc
index 244d9a862b..968be0ed5d 100644
--- a/osd_planning/gcp-ccs.adoc
+++ b/osd_planning/gcp-ccs.adoc
@@ -24,6 +24,6 @@ include::modules/osd-gcp-psc-firewall-prerequisites.adoc[leveloffset=+1]
 * xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
-* For more information about creating an {product-title} cluster with the Workload Identity Federation (WIF) authentication type, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a WIF configuration].
+* For more information about creating an {product-title} cluster with the Workload Identity Federation (WIF) authentication type, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#create-wif-cluster-cli_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Creating a WIF configuration].
 * For more information about the specific roles and permissions that are specific to clusters created when using the Workload Identity Federation (WIF) authentication type, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.17/vanilla.yaml[managed-cluster-config].
diff --git a/osd_whats_new/osd-whats-new.adoc b/osd_whats_new/osd-whats-new.adoc
index 9931d77a10..71cea18496 100644
--- a/osd_whats_new/osd-whats-new.adoc
+++ b/osd_whats_new/osd-whats-new.adoc
@@ -22,13 +22,13 @@ With its foundation in Kubernetes, {product-title} is a complete {OCP} cluster p
 WIF is Google Cloud's preferred method for credential authentication.
 +
 For more information, see
-xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster-with-workload-identity-federation.adoc[Creating a cluster on GCP with Workload Identity Federation].
+xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc[Creating a cluster on GCP with Workload Identity Federation authentication].
 * **Private Service Connect (PSC) networking feature is now available.** You can now create a private {product-title} cluster on Google Cloud Platform (GCP) using Google Cloud's security-enhanced networking feature Private Service Connect (PSC).
 +
 PSC is a capability of Google Cloud networking that enables private communication between services across different GCP projects or organizations. Implementing PSC as part of your network connectivity allows you to deploy OpenShift Dedicated clusters in a private and secured environment within GCP without using any public-facing cloud resources.
 +
-For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview].
+For more information, see xref:../osd_gcp_clusters/creating-a-gcp-psc-enabled-private-cluster.adoc#creating-a-gcp-psc-enabled-private-cluster[Private Service Connect overview].
 [id="osd-q3-2024_{context}"]
 === Q3 2024
@@ -56,7 +56,9 @@ For more information about region availabilities, see xref:../osd_architecture/o
 [id="osd-q2-2024_{context}"]
 === Q2 2024
-* **Cluster delete protection.** {product-title} on {GCP} users can now enable the cluster delete protection option, which helps to prevent users from accidentally deleting a cluster. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
+* **Cluster delete protection.** {product-title} on {GCP} users can now enable the cluster delete protection option, which helps to prevent users from accidentally deleting a cluster.
+//Removed link as is no longer valid. Need to decide if we need a link here and if so, what it will be.
+// For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
 * **CSI Operator update.** {product-title} is capable of provisioning persistent volumes (PVs) using the Container Storage Interface (CSI) driver for Google Compute Platform (GCP) Filestore Storage. For more information, see xref:../storage/container_storage_interface/persistent-storage-csi-google-cloud-file.adoc#persistent-storage-csi-google-cloud-file-overview[Google Compute Platform Filestore CSI Driver Operator].
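Review bot: The added comment `//Removed link as is no longer valid.` is contradicted elsewhere in this commit: the same target and anchor, `xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp`, is still used as a live link for the Service Account authentication entry in osd_getting_started/osd-getting-started.adoc, so either that anchor resolves and the link here can be kept (retitled `[Creating a cluster on GCP with Service Account authentication]`), or it is broken there as well and needs the same fix. The identical commented-out link and open question are added twice more in the next hunk, for the Cluster install update and Google Cloud Marketplace availability items, and should be resolved the same way. A "need to decide" note belongs in the pull request rather than in the published source.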
@@ -74,9 +76,13 @@ For more information about region availabilities, see xref:../osd_architecture/o
 * **Policy constraint update.** {product-title} on {GCP} users can now enable UEFISecureBoot during cluster installation, as required by the GCP ShieldVM policy. This new feature adds further protection from boot or kernel-level malware or rootkits.
-* **Cluster install update.** {product-title} clusters can now be installed on {GCP} shared VPCs. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
+* **Cluster install update.** {product-title} clusters can now be installed on {GCP} shared VPCs.
+//Removed link as is no longer valid. Need to decide if we need a link here and if so, what it will be.
+// For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
-* **{product-title} on Google Cloud Marketplace availability.** When creating an {product-title} (OSD) cluster on Google Cloud through the Hybrid Cloud Console, customers can now select Google Cloud Marketplace as their preferred billing model. This billing model allows Red Hat customers to take advantage of their link:https://cloud.google.com/docs/cuds[Google Committed Use Discounts (CUD)] towards {product-title} purchased through the Google Cloud Marketplace. For more information, see xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
+* **{product-title} on Google Cloud Marketplace availability.** When creating an {product-title} (OSD) cluster on Google Cloud through the Hybrid Cloud Console, customers can now select Google Cloud Marketplace as their preferred billing model.
This billing model allows Red Hat customers to take advantage of their link:https://cloud.google.com/docs/cuds[Google Committed Use Discounts (CUD)] towards {product-title} purchased through the Google Cloud Marketplace.
+//Removed link as is no longer valid. Need to decide if we need a link here and if so, what it will be.
+// For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster.adoc#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with CCS].
 [id="osd-known-issues_{context}"]
 == Known issues