From f71233605b69badac90e79148ad3a65d5d8356d8 Mon Sep 17 00:00:00 2001
From: Janelle Neczypor
Date: Fri, 8 Mar 2024 13:57:03 -0800
Subject: [PATCH] OSDOCS-9529

---
 _topic_maps/_topic_map_rosa.yml | 2 +
 modules/rosa-create-objects.adoc | 5 +-
 ...-creating-a-cluster-cli-no-cni-plugin.adoc | 84 +++++++++++++++++++
 modules/rosa-policy-change-management.adoc | 2 +
 modules/rosa-policy-incident.adoc | 8 +-
 modules/rosa-policy-responsibilities.adoc | 11 ++-
 rosa_hcp/rosa-hcp-cluster-no-cni.adoc | 44 ++++++++++
 7 files changed, 151 insertions(+), 5 deletions(-)
 create mode 100644 modules/rosa-hcp-sts-creating-a-cluster-cli-no-cni-plugin.adoc
 create mode 100644 rosa_hcp/rosa-hcp-cluster-no-cni.adoc

diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
index 770ea6530f..7bec3ce166 100644
--- a/_topic_maps/_topic_map_rosa.yml
+++ b/_topic_maps/_topic_map_rosa.yml
@@ -262,6 +262,8 @@ Topics:
 File: rosa-hcp-aws-private-creating-cluster
 - Name: Creating ROSA with HCP clusters with external authentication
 File: rosa-hcp-sts-creating-a-cluster-ext-auth
+- Name: Creating ROSA with HCP clusters without a CNI plugin
+ File: rosa-hcp-cluster-no-cni
 - Name: Using the Node Tuning Operator on ROSA with HCP
 File: rosa-tuning-config
 - Name: Deleting a ROSA with HCP cluster
diff --git a/modules/rosa-create-objects.adoc b/modules/rosa-create-objects.adoc
index deac5ca9ab..9d0dad9a94 100644
--- a/modules/rosa-create-objects.adoc
+++ b/modules/rosa-create-objects.adoc
@@ -240,6 +240,9 @@ OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the `1
 |--multi-az
 |Deploys to multiple data centers.
 
+|--no-cni
+|Creates a cluster without a Container Network Interface (CNI) plugin. Customers can then bring their own CNI plugin and install it after cluster creation.
+
 |--operator-roles-prefix
 |Prefix that are used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one.
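Review bot: The new `--no-cni` row in the flag table says nothing about what the cluster looks like after creation, although the procedure module added in this same patch states that nodes stay `not ready` until the customer installs a CNI plugin, and the policy modules move CNI support, upgrades and incident handling to the customer. A reader who only consults the flag reference sees neither consequence. Suggest extending the cell: `Customers can then bring their own CNI plugin and install it after cluster creation. Nodes remain in the not ready state until the CNI plugin is installed, and support and upgrades of that plugin are the customer's responsibility.` If the flag is only valid together with `--hosted-cp`, as the new procedure's placement under {hcp-title} suggests, the cell should say so as well.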
@@ -283,7 +286,7 @@ a|--sts \| --non-sts
 When using `--private-link`, the `--subnet-ids` argument is required and only one private subnet is allowed per zone.
 
 |--support-role-arn string
-|The ARN of the role used by Red{nbsp}Hat Site Reliabilty Engineers (SREs) to enable access to the cluster account to provide support.
+|The ARN of the role used by Red Hat Site Reliability Engineers (SREs) to enable access to the cluster account to provide support.
 
 |--tags
 a|Tags that are used on resources created by {product-title} in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar".
diff --git a/modules/rosa-hcp-sts-creating-a-cluster-cli-no-cni-plugin.adoc b/modules/rosa-hcp-sts-creating-a-cluster-cli-no-cni-plugin.adoc
new file mode 100644
index 0000000000..ac69622a13
--- /dev/null
+++ b/modules/rosa-hcp-sts-creating-a-cluster-cli-no-cni-plugin.adoc
@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-cluster-no-cni.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-hcp-sts-creating-a-cluster-cli_{context}-no-cni"]
+= Creating the cluster
+
+When using the {product-title} (ROSA) command line interface (CLI), `rosa`, to create a cluster, you can add an optional flag `--no-cni` to create a cluster without a CNI plugin.
+
+.Prerequisites
+
+* You have completed the AWS prerequisites for {hcp-title}.
+* You have available AWS service quotas.
+* You have enabled the ROSA service in the AWS Console.
+* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host. Run `rosa version` to see your currently installed version of the ROSA CLI. If a newer version is available, the CLI provides a link to download this upgrade.
+* You have logged in to your Red Hat account by using the ROSA CLI.
+* You have created an OIDC configuration.
+* You have verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
+
+.Procedure
+
+. You can create your {hcp-title} cluster with one of the following commands.
++
+[NOTE]
+====
+When creating a {hcp-title} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr ` to the following commands. To learn more about the default CIDR ranges for {product-title}, see xref:../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions].
+====
++
+** Create a cluster with a single, initial machine pool, publicly available API, publicly available Ingress, and no CNI plugin by running the following command:
++
+[source,terminal]
+----
+$ rosa create cluster --cluster-name= \
+ --sts --mode=auto --hosted-cp --operator-roles-prefix \
+ --oidc-config-id --subnet-ids=, --no-cni
+----
+
+** Create a cluster with a single, initial machine pool, privately available API, privately available Ingress, and no CNI plugin by running the following command:
++
+[source,terminal]
+----
+$ rosa create cluster --private --cluster-name= \
+ --sts --mode=auto --hosted-cp --subnet-ids= --no-cni
+----
+
+** If you used the `OIDC_ID`, `SUBNET_IDS`, and `OPERATOR_ROLES_PREFIX` variables to prepare your environment, you can continue to use those variables when creating your cluster without a CNI plugin. For example, run the following command:
++
+[source,terminal]
+----
+$ rosa create cluster --hosted-cp --subnet-ids=$SUBNET_IDS --oidc-config-id=$OIDC_ID --cluster-name= --operator-roles-prefix=$OPERATOR_ROLES_PREFIX --no-cni
+----
+
+. Check the status of your cluster by running the following command:
++
+[source,terminal]
+----
+$ rosa describe cluster --cluster=
+----
++
+The following `State` field changes are listed in the output as the cluster installation progresses:
++
+* `pending (Preparing account)`
+* `installing (DNS setup in progress)`
+* `installing`
+* `ready`
++
+[NOTE]
+====
+If the installation fails or the `State` field does not change to `ready` after more than 10 minutes, check the installation troubleshooting documentation for details. For more information, see _Troubleshooting installations_. For steps to contact Red Hat Support for assistance, see _Getting support for Red Hat OpenShift Service on AWS_.
+====
++
+[IMPORTANT]
+====
+When you first log in to the cluster after it reaches `ready` status, the nodes will still be in the `not ready` state until you install your own CNI plugin.
After CNI installation, the nodes will change to `ready`.
+====
+
+. Track the progress of the cluster creation by watching the {product-title} installation program logs. To check the logs, run the following command:
++
+[source,terminal]
+----
+$ rosa logs install --cluster= --watch <1>
+----
+<1> Optional: To watch for new log messages as the installation progresses, use the `--watch` argument.
\ No newline at end of file
diff --git a/modules/rosa-policy-change-management.adoc b/modules/rosa-policy-change-management.adoc
index 98887c9bde..c6b0898f34 100644
--- a/modules/rosa-policy-change-management.adoc
+++ b/modules/rosa-policy-change-management.adoc
@@ -117,6 +117,8 @@ You can review the history of all cluster upgrade events in the {cluster-manager
 |- Configure your firewall to grant access to the required OpenShift and AWS domains and ports before the cluster is provisioned. For more information, see "AWS firewall prerequisites".
 - Provide optional non-default IP address ranges for machine CIDR, service CIDR, and pod CIDR if needed through {cluster-manager} when the cluster is provisioned.
 - Request that the API service endpoint be made public or private on cluster creation or after cluster creation through {cluster-manager}.
+- Create additional Ingress Controllers to publish additional application routes.
+- Install, configure, and upgrade optional CNI plugins if clusters are installed without the default OpenShift CNI plugins.
 
 |Virtual networking management
 |**Red{nbsp}Hat**
diff --git a/modules/rosa-policy-incident.adoc b/modules/rosa-policy-incident.adoc
index b8a0b91e35..3553444396 100644
--- a/modules/rosa-policy-incident.adoc
+++ b/modules/rosa-policy-incident.adoc
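Review bot: The second example (`--private`) omits the `--oidc-config-id` and `--operator-roles-prefix` arguments that the first and third examples pass, so the three commands differ by more than the `--private` flag. If those arguments are needed for a hosted control plane cluster, the private example should carry them too, e.g. `$ rosa create cluster --private --cluster-name=<cluster_name> \` followed by `--sts --mode=auto --hosted-cp --operator-roles-prefix <prefix> \` and `--oidc-config-id <oidc_config_id> --subnet-ids=<subnet_ids> --no-cni`. The placeholder values appear stripped in this rendering (`--cluster-name=`, `--subnet-ids=,`), so the source should be checked for them. The anchor `[id="rosa-hcp-sts-creating-a-cluster-cli_{context}-no-cni"]` places `{context}` in the middle of the id, whereas the convention used elsewhere in this patch (`[id="next-steps-2_{context}"]`) puts `_{context}` last, so `[id="rosa-hcp-sts-creating-a-cluster-cli-no-cni_{context}"]` would match it. The IMPORTANT admonition could also say that, because NetworkPolicy enforcement is provided by the network plugin, no network policy is enforced on the cluster until the customer's CNI plugin is installed and configured, so the plugin should be in place before any workloads are deployed.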
@@ -23,6 +23,12 @@ service, and respond to alerts.
 |- Monitor health of application routes, and the endpoints behind them.
 - Report outages to Red{nbsp}Hat and AWS.
 
+|Cluster networking
+|**Red Hat**
+
+- Monitor, alert, and address incidents related to cluster DNS, network plugin connectivity between cluster components, and the default Ingress Controller.
+|- Monitor and address incidents related to optional Ingress Controllers, additional Operators installed through the OperatorHub, and network plugins replacing the default OpenShift CNI plugins.
+
 |Virtual networking management
 |**Red{nbsp}Hat**
@@ -84,7 +90,7 @@ permissions to AWS resources in the customer account.
 |**AWS**
 
 - For information regarding AWS incident and operations management, see link:https://docs.aws.amazon.com/whitepapers/latest/aws-operational-resilience/how-aws-maintains-operational-resilience-and-continuity-of-service.html#incident-management[How AWS maintains operational
-resilience and continuity of service] in the AWS whitepaper.
+resilience and continuity of service] in the AWS white paper.
 
 |- Configure, manage, and monitor customer applications and data to ensure application and data security controls are properly enforced.
 
diff --git a/modules/rosa-policy-responsibilities.adoc b/modules/rosa-policy-responsibilities.adoc
index f5329dca09..0c441cd62a 100644
--- a/modules/rosa-policy-responsibilities.adoc
+++ b/modules/rosa-policy-responsibilities.adoc
@@ -6,7 +6,6 @@
 [id="rosa-policy-responsibilities_{context}"]
 = Shared responsibilities for {product-title}
 
-
 While Red{nbsp}Hat and Amazon Web Services (AWS) manage the {product-title} services, the customer shares certain responsibilities. The {product-title} services are accessed remotely, hosted on public cloud resources, created in customer-owned AWS accounts, and have underlying platform and data security that is owned by Red{nbsp}Hat.
 
 [IMPORTANT]
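Review bot: The added cells write `Red Hat` (`|**Red Hat**` in this hunk, and `|Red Hat ^[1]^` plus the other five new cells in the responsibilities hunk at `@@ -36,7 +35,12 @@`) while every surrounding cell in both tables uses `Red{nbsp}Hat`, so the new rows can wrap between "Red" and "Hat" where the existing rows cannot. Suggest `|**Red{nbsp}Hat**` here and `|Red{nbsp}Hat ^[1]^`, `|Red{nbsp}Hat and Customer ^[2]^` in the responsibilities table. The typo fix at `|--support-role-arn string` in the same patch goes the other way, replacing `Red{nbsp}Hat` with `Red Hat`, so the convention should be settled once for the whole patch.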
@@ -36,7 +35,12 @@ If the `cluster-admin` role is added to a user, see the responsibilities and exc
 |Application networking |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat |Red{nbsp}Hat
 
-|Cluster networking |Red{nbsp}Hat |Red{nbsp}Hat and Customer ^[1]^ |Red{nbsp}Hat and Customer |Red{nbsp}Hat |Red{nbsp}Hat
+|Cluster networking
+|Red Hat ^[1]^
+|Red Hat and Customer ^[2]^
+|Red Hat and Customer
+|Red Hat ^[1]^
+|Red Hat ^[1]^
 
 |Virtual networking management |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer |Red{nbsp}Hat and Customer
 
@@ -54,4 +58,5 @@ If the `cluster-admin` role is added to a user, see the responsibilities and exc
 |Hardware/AWS global infrastructure |AWS |AWS |AWS |AWS |AWS
 |===
 
-. The customer must configure their firewall to grant access to the required OpenShift and AWS domains and ports before the cluster is provisioned. For more information, see "AWS firewall prerequisites".
+1. If the customer chooses to use their own CNI plugin, the responsibility shifts to the customer.
+2. The customer must configure their firewall to grant access to the required OpenShift and AWS domains and ports before the cluster is provisioned. For more information, see "AWS firewall prerequisites".
\ No newline at end of file
diff --git a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc
new file mode 100644
index 0000000000..cf92fb41ee
--- /dev/null
+++ b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc
@@ -0,0 +1,44 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-hcp-cluster-no-cli"]
+= {hcp-title} clusters without a CNI plugin
+include::_attributes/attributes-openshift-dedicated.adoc[]
+include::_attributes/common-attributes.adoc[]
+:context: rosa-hcp-cluster-no-cni
+
+toc::[]
+
+You can use your own Container Network Interface (CNI) plugin when creating a {hcp-title-first} cluster.
+You can create a {hcp-title} cluster without a CNI and install your own CNI plugin after cluster creation.
+
+[NOTE]
+====
+For customers who choose to use their own CNI, the responsibility of CNI plugin support belongs to the customer in coordination with their chosen CNI vendor.
+====
+
+[id="rosa-hcp-no-cni-cluster-creation"]
+== Creating a {hcp-title} cluster without a CNI plugin
+
+=== Prerequisites
+* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites].
+
+* Ensure that you have a configured xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[virtual private cloud] (VPC).
+
+include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
+
+include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
+
+include::modules/rosa-operator-config.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_rosa-hcp-operator-prefix-no-cni"]
+.Additional resources
+
+* See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] for information on the Operator prefixes.
+
+include::modules/rosa-hcp-sts-creating-a-cluster-cli-no-cni-plugin.adoc[leveloffset=+1]
+
+[id="next-steps-2_{context}"]
+== Next steps
+
+* Install your CNI plugin. The nodes will then change from the `not ready` to `ready` state.
+* Access your ROSA cluster with the xref:../rosa_install_access_delete_clusters/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Accessing a ROSA cluster] documentation.
\ No newline at end of file
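Review bot: The assembly anchor `[id="rosa-hcp-cluster-no-cli"]` does not match the file name `rosa_hcp/rosa-hcp-cluster-no-cni.adoc`, the `:context: rosa-hcp-cluster-no-cni` attribute a few lines below it, or the topic-map entry `rosa-hcp-cluster-no-cni`; this looks like `cni` mistyped as `cli`, and any future xref to `#rosa-hcp-cluster-no-cli` would silently carry the typo. Suggest `[id="rosa-hcp-cluster-no-cni"]`. The NOTE that CNI plugin support belongs to the customer could state that this includes applying the plugin's security updates, which is what the change-management and incident modules in this patch assign to the customer.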