mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
125 lines
8.8 KiB
Plaintext
125 lines
8.8 KiB
Plaintext
:_mod-docs-content-type: ASSEMBLY
|
|
[id="installing-restricted-networks-aws-installer-provisioned"]
|
|
= Installing a cluster on AWS in a disconnected environment
|
|
include::_attributes/common-attributes.adoc[]
|
|
:context: installing-restricted-networks-aws-installer-provisioned
|
|
|
|
toc::[]
|
|
|
|
[role="_abstract"]
|
|
You can install a cluster on {aws-first} in a restricted network by creating an internal mirror of the installation release content on an existing {aws-short} Virtual Private Cloud (VPC). By using this configuration, you can deploy a cluster in an environment with limited internet connectivity to help ensure compliance with security policies.
|
|
|
|
[id="prerequisites_installing-restricted-networks-aws-installer-provisioned"]
|
|
== Prerequisites
|
|
|
|
* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
|
|
* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
|
|
* You xref:../../../disconnected/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
|
|
====
|
|
* You have an existing VPC in AWS. When installing to a restricted network using installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
|
|
** Contains the mirror registry
|
|
** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere
|
|
* You xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster.
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program.
|
|
====
|
|
* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX)] in the AWS documentation.
|
|
* If you use a firewall and plan to use the Telemetry service, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to.
|
|
+
|
|
[NOTE]
|
|
====
|
|
If you are configuring a proxy, be sure to also review this site list.
|
|
====
|
|
|
|
include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
|
|
|
|
include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
|
|
|
|
include::modules/installation-initializing.adoc[leveloffset=+1]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
* xref:../../../installing/installing_aws/installation-config-parameters-aws.adoc#installation-config-parameters-aws[Installation configuration parameters for AWS]
|
|
|
|
include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
|
|
* xref:../../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]
|
|
|
|
include::modules/installing-aws-managing-dns-solution.adoc[leveloffset=+2]
|
|
|
|
include::modules/installation-aws-config-yaml-customizations.adoc[leveloffset=+2]
|
|
|
|
[role="_additional-resources"]
|
|
.Additional resources
|
|
|
|
* xref:../../../installing/installing_aws/installation-config-parameters-aws.adoc#installation-config-parameters-aws[Installation configuration parameters for AWS]
|
|
|
|
include::modules/installation-configure-proxy.adoc[leveloffset=+2]
|
|
|
|
[id="installing-aws-manual-modes_{context}"]
|
|
== Alternatives to storing administrator-level secrets in the kube-system project
|
|
|
|
By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:
|
|
|
|
* To manage long-term cloud credentials manually, follow the procedure in xref:../../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-aws-installer-provisioned[Manually creating long-term credentials].
|
|
|
|
* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-aws-with-short-term-creds_installing-restricted-networks-aws-installer-provisioned[Configuring an AWS cluster to use short-term credentials].
|
|
|
|
//Manually creating long-term credentials
|
|
include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]
|
|
|
|
//Supertask: Configuring an AWS cluster to use short-term credentials
|
|
[id="installing-aws-with-short-term-creds_{context}"]
|
|
=== Configuring an AWS cluster to use short-term credentials
|
|
|
|
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
|
|
|
|
//Task part 1: Configuring the Cloud Credential Operator utility
|
|
include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]
|
|
|
|
//Task part 2: Creating the required AWS resources
|
|
[id="sts-mode-create-aws-resources-ccoctl_{context}"]
|
|
==== Creating AWS resources with the Cloud Credential Operator utility
|
|
|
|
You have the following options when creating AWS resources:
|
|
|
|
* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-at-once_installing-restricted-networks-aws-installer-provisioned[Creating AWS resources with a single command].
|
|
|
|
* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#cco-ccoctl-creating-individually_installing-restricted-networks-aws-installer-provisioned[Creating AWS resources individually].
|
|
|
|
//Task part 2a: Creating the required AWS resources all at once
|
|
include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+4]
|
|
|
|
//Task part 2b: Creating the required AWS resources individually
|
|
include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+4]
|
|
|
|
//Task part 3: Incorporating the Cloud Credential Operator utility manifests
|
|
include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]
|
|
|
|
include::modules/installation-launching-installer.adoc[leveloffset=+1]
|
|
|
|
include::modules/installation-aws-provisioning-dns-records.adoc[leveloffset=+1]
|
|
|
|
include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
|
|
|
|
include::modules/olm-restricted-networks-configuring-operatorhub.adoc[leveloffset=+1]
|
|
|
|
[id="next-steps_installing-restricted-networks-aws-installer-provisioned"]
|
|
== Next steps
|
|
|
|
* xref:../../../installing/validation_and_troubleshooting/validating-an-installation.adoc#validating-an-installation[Validate an installation].
|
|
* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
|
|
* xref:../../../post_installation_configuration/cluster-tasks.adoc#post-install-must-gather-disconnected[Configure image streams] for the Cluster Samples Operator and the `must-gather` tool.
|
|
* Learn how to xref:../../../disconnected/using-olm.adoc#olm-restricted-networks[use Operator Lifecycle Manager in disconnected environments].
|
|
* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
|
|
* If necessary, you can xref:../../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].
|