diff --git a/_topic_map.yml b/_topic_map.yml index 232576b2acad..4ca5074771f9 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -115,13 +115,19 @@ Topics: File: installing-gcp-customizations - Name: Uninstalling a cluster on GCP File: uninstalling-cluster-gcp -#- Name: Installing in a disconnected environment -# Dir: installing_disconnected -# Topics: +- Name: Installing in restricted networks + Dir: installing_restricted_networks + Topics: # - Name: Preparing for a disconnected installation -# File: installing-disconnected-preparations -# - Name: Installing in a disconnected environment -# File: installing-disconnected +# File: installing-restricted-networks-preparations + - Name: Restricted network AWS installation + File: installing-restricted-networks-aws + - Name: Restricted network bare metal installation + File: installing-restricted-networks-bare-metal +# - Name: Restricted network GCP installation +# File: installing-restricted-networks-GCP + - Name: Restricted network vSphere installation + File: installing-restricted-networks-vsphere - Name: Installing on bare metal Dir: installing_bare_metal Topics: diff --git a/installing/install_config/configuring-custom-ca.adoc b/installing/install_config/configuring-custom-ca.adoc index a75720f578d8..bb2303b65fc0 100644 --- a/installing/install_config/configuring-custom-ca.adoc +++ b/installing/install_config/configuring-custom-ca.adoc @@ -5,7 +5,7 @@ include::modules/common-attributes.adoc[] toc::[] -If you install {product-title} with a proxy or in a disconnected environment, +If you install {product-title} with a proxy or in a restricted network, you might need to configure a custom certificate authority (CA). //include::modules/configuring-firewall.adoc[leveloffset=+1] diff --git a/installing/installing_disconnected/installing-disconnected.adoc b/installing/installing_disconnected/installing-disconnected.adoc deleted file mode 100644 index 46b4c2908502..000000000000 
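Review bot: The new (commented) child entry `File: installing-restricted-networks-preparations` names a file this commit never creates: the rename hunk later in the diff moves the preparations assembly to `installing_restricted_networks/installing-disconnected-preparations.adoc` and changes only the `[id=…]` and `:context:` inside it, so the basename still says `disconnected`. The same stale path appears in the commented `xref:` prerequisite of the three new assemblies (AWS, bare metal, vSphere) and in the `// Module included in the following assemblies:` header of `modules/installation-about-restricted-network.adoc`, which in addition lists only the preparations assembly although the diff shows the three platform assemblies including that module. Either rename the file to `installing-restricted-networks-preparations.adoc` in this commit or point every reference at the real basename, so that uncommenting these lines later does not produce dead links.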
--- a/installing/installing_disconnected/installing-disconnected.adoc +++ /dev/null @@ -1,45 +0,0 @@ -[id="installing-disconnected"] -= Installing a disconnected cluster -include::modules/common-attributes.adoc[] -:context: installing-disconnected - -toc::[] - -In {product-title} version {product-version}, you can install a cluster on -infrastructure that you provision in a disconnected environment. - -.Prerequisites - -* Review details about the -xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] -processes. -* xref:../../installing/installing_disconnected/installing-disconnected-preparations.adoc#installing-disconnected-preparations[Prepare your environment] -to host the cluster. -* If you use a firewall, you must -xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. - -include::modules/cluster-entitlements.adoc[leveloffset=+1] - -include::modules/ssh-agent-using.adoc[leveloffset=+1] - -include::modules/installation-obtaining-installer.adoc[leveloffset=+1] - -include::modules/installation-initializing.adoc[leveloffset=+1] - -include::modules/installation-configuration-parameters.adoc[leveloffset=+2] - -//include::modules/nw-install-config-parameters.adoc[leveloffset=+2] - -//include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] - -include::modules/installation-launching-installer.adoc[leveloffset=+1] - -include::modules/cli-install.adoc[leveloffset=+1] - -include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] - -.Next steps - -* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. -* If necessary, you can -xref:../../telemetry/opting-out-of-telemetry.adoc#opting-out-of-telemetry[opt out of telemetry]. 
diff --git a/installing/installing_disconnected/installing-disconnected-preparations.adoc b/installing/installing_restricted_networks/installing-disconnected-preparations.adoc similarity index 76% rename from installing/installing_disconnected/installing-disconnected-preparations.adoc rename to installing/installing_restricted_networks/installing-disconnected-preparations.adoc index e03f1bb4f6e0..37a34ed0e586 100644 --- a/installing/installing_disconnected/installing-disconnected-preparations.adoc +++ b/installing/installing_restricted_networks/installing-disconnected-preparations.adoc @@ -1,12 +1,12 @@ -[id="installing-disconnected-preparations"] +[id="installing-restricted-networks-preparations"] = Preparing to install a disconnected cluster include::modules/common-attributes.adoc[] -:context: installing-disconnected-preparations +:context: installing-restricted-networks-preparations toc::[] Before you install a cluster on infrastructure that you provision in a -disconnected environment, you must prepare the environment. +restricted network, you must prepare the environment. //include::modules/cluster-entitlements.adoc[leveloffset=+1] diff --git a/installing/installing_restricted_networks/installing-restricted-networks-aws.adoc b/installing/installing_restricted_networks/installing-restricted-networks-aws.adoc new file mode 100644 index 000000000000..6bd8117cc655 --- /dev/null +++ b/installing/installing_restricted_networks/installing-restricted-networks-aws.adoc 
@@ -0,0 +1,134 @@ +[id="installing-restricted-networks-aws"] += Installing a cluster on AWS that uses mirrored installation content +include::modules/common-attributes.adoc[] +:context: installing-restricted-networks-aws + +toc::[] + +In {product-title} version {product-version}, you can install a +cluster on Amazon Web Services (AWS) using infrastructure that you provide and +an internal mirror of the installation release content. + +[IMPORTANT] +==== +While you can install a {product-title} cluster by using mirrored installation +release content, your cluster still requires internet access to use the AWS APIs. +==== + +One way to create this infrastructure is to use the provided +CloudFormation templates. You can modify the templates to customize your +infrastructure or use the information that they contain to create AWS objects +according to your company's policies. + +.Prerequisites + +//* xref:../../installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc[Create a mirror registry on your bastion host] +// and obtain the `imageContentSources` data for your version of {product-title}. +//// +[IMPORTANT] +==== +Because the installation media is on the bastion host, use that computer +to complete all installation steps. +//// +* Review details about the +xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] +processes. +* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account] +to host the cluster. ++ +[IMPORTANT] +==== +If you have an AWS profile stored on your computer, it must not use a temporary +session token that you generated while using a multi-factor authentication +device. The cluster continues to use your current AWS credentials to +create AWS resources for the entire life of the cluster, so you must +use key-based, long-lived credentials. 
To generate appropriate keys, see +link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] +in the AWS documentation. You can supply the keys when you run the installation +program. +==== +* Download the AWS CLI and install it on your computer. See +link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] +in the AWS documentation. +* If you use a firewall and plan to use telemetry, you must +xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. + +include::modules/installation-about-restricted-network.adoc[leveloffset=+1] + +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1] + +include::modules/installation-aws-permissions.adoc[leveloffset=+2] + +//You extract the installation program from the mirrored content. + +include::modules/ssh-agent-using.adoc[leveloffset=+1] + +include::modules/installation-generate-aws-user-infra.adoc[leveloffset=+1] + +// After the proxy change merges, I need to put it in and emphasize that you +// must configure a proxy for the AWS mirrored content story. 
+ +include::modules/installation-extracting-infraid.adoc[leveloffset=+1] + +include::modules/installation-creating-aws-vpc.adoc[leveloffset=+1] + +include::modules/installation-cloudformation-vpc.adoc[leveloffset=+2] + +include::modules/installation-creating-aws-dns.adoc[leveloffset=+1] + +include::modules/installation-cloudformation-dns.adoc[leveloffset=+2] + +include::modules/installation-creating-aws-security.adoc[leveloffset=+1] + +include::modules/installation-cloudformation-security.adoc[leveloffset=+2] + +include::modules/installation-aws-user-infra-rhcos-ami.adoc[leveloffset=+1] + +include::modules/installation-creating-aws-bootstrap.adoc[leveloffset=+1] + +include::modules/installation-cloudformation-bootstrap.adoc[leveloffset=+2] + +include::modules/installation-creating-aws-control-plane.adoc[leveloffset=+1] + +include::modules/installation-cloudformation-control-plane.adoc[leveloffset=+2] + +include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1] + +//// +[id="installing-workers-aws-user-infra"] +== Creating worker nodes + +You can either manually create worker nodes or use a MachineSet to create worker +nodes after the cluster deploys. If you use a MachineSet to create and maintain +the workers, you can allow the cluster to manage them. This allows you to easily +scale, manage, and upgrade your workers. +//// + + +include::modules/installation-creating-aws-worker.adoc[leveloffset=+2] + +include::modules/installation-cloudformation-worker.adoc[leveloffset=+3] + +//You install the CLI on the bastion host. 
+ +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +include::modules/installation-approve-csrs.adoc[leveloffset=+1] + +include::modules/installation-operators-config.adoc[leveloffset=+1] + +include::modules/installation-registry-storage-config.adoc[leveloffset=+2] + +include::modules/registry-configuring-storage-aws-user-infra.adoc[leveloffset=+3] + +include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] + +include::modules/installation-aws-user-infra-installation.adoc[leveloffset=+1] + +.Next steps + +* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. +* If necessary, you can +xref:../../telemetry/opting-out-of-telemetry.adoc#opting-out-of-telemetry[opt out of telemetry]. diff --git a/installing/installing_restricted_networks/installing-restricted-networks-bare-metal.adoc b/installing/installing_restricted_networks/installing-restricted-networks-bare-metal.adoc new file mode 100644 index 000000000000..68530ffcda15 --- /dev/null +++ b/installing/installing_restricted_networks/installing-restricted-networks-bare-metal.adoc 
@@ -0,0 +1,95 @@ +[id="installing-restricted-networks-bare-metal"] += Installing a cluster on bare metal in a restricted network +include::modules/common-attributes.adoc[] +:context: installing-restricted-networks-bare-metal + +toc::[] + +In {product-title} version {product-version}, you can install a cluster on +bare metal infrastructure that you provision in a restricted network. + +[IMPORTANT] +==== +While you might be able to follow this procedure to deploy a cluster on +virtualized or cloud environments, you must be aware of additional +considerations for non-bare metal platforms. Review the information in the +link:https://access.redhat.com/articles/4207611[guidelines for deploying {product-title} on non-tested platforms] +before you attempt to install an {product-title} cluster in such an environment. +==== + +.Prerequisites + +//* xref:../../installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc[Create a mirror registry on your bastion host] +// and obtain the `imageContentSources` data for your version of {product-title}. +//// +[IMPORTANT] +==== +Because the installation media is on the bastion host, use that computer +to complete all installation steps. +//// +* Provision +xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[persistent storage] +for your cluster. To deploy a private image registry, your storage must provide +ReadWriteMany access modes. +* Review details about the +xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] +processes. +* If you use a firewall and plan to use telemetry, you must +xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. 
+ +include::modules/installation-about-restricted-network.adoc[leveloffset=+1] + +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +include::modules/installation-requirements-user-infra.adoc[leveloffset=+1] + +include::modules/installation-infrastructure-user-infra.adoc[leveloffset=+1] + +include::modules/installation-network-user-infra.adoc[leveloffset=+2] + +include::modules/installation-dns-user-infra.adoc[leveloffset=+2] + +include::modules/ssh-agent-using.adoc[leveloffset=+1] + +//You extract the installation program from the mirrored content. + +//You install the CLI on the bastion host. + +include::modules/installation-initializing-manual.adoc[leveloffset=+1] + +include::modules/installation-bare-metal-config-yaml.adoc[leveloffset=+2] + +include::modules/installation-generate-ignition-configs.adoc[leveloffset=+1] + +[id="creating-machines-bare-metal-restricted-network"] +== Creating {op-system-first} machines + +Before you install a cluster on bare metal infrastructure that you provision, +you must create {op-system} machines for it to use. Follow either the steps +to use an ISO image or network PXE booting to create the machines. 
+ +include::modules/installation-user-infra-machines-iso.adoc[leveloffset=+2] + +include::modules/installation-user-infra-machines-pxe.adoc[leveloffset=+2] + +include::modules/installation-installing-bare-metal.adoc[leveloffset=+1] + +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +include::modules/installation-approve-csrs.adoc[leveloffset=+1] + +include::modules/installation-operators-config.adoc[leveloffset=+1] + +include::modules/installation-registry-storage-config.adoc[leveloffset=+2] + +include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+3] + +include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] + +include::modules/installation-complete-user-infra.adoc[leveloffset=+1] + +.Next steps + +* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. +* If necessary, you can +xref:../../telemetry/opting-out-of-telemetry.adoc#opting-out-of-telemetry[opt out of telemetry]. diff --git a/installing/installing_restricted_networks/installing-restricted-networks-vsphere.adoc b/installing/installing_restricted_networks/installing-restricted-networks-vsphere.adoc new file mode 100644 index 000000000000..568c995581c2 --- /dev/null +++ b/installing/installing_restricted_networks/installing-restricted-networks-vsphere.adoc 
@@ -0,0 +1,80 @@ +[id="installing-restricted-networks-vsphere"] += Installing a cluster on vSphere in a restricted network +include::modules/common-attributes.adoc[] +:context: installing-restricted-networks-vsphere + +toc::[] + +In {product-title} version {product-version}, you can install a cluster on +VMware vSphere infrastructure that you provision in a restricted network. + +.Prerequisites + +//* xref:../../installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc[Create a mirror registry on your bastion host] +// and obtain the `imageContentSources` data for your version of {product-title}. +//// +[IMPORTANT] +==== +Because the installation media is on the bastion host, use that computer +to complete all installation steps. +//// +* Provision +xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[persistent storage] +for your cluster. To deploy a private image registry, your storage must provide +ReadWriteMany access modes. +* Review details about the +xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] +processes. +* If you use a firewall and plan to use telemetry, you must +xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. 
+ +include::modules/installation-about-restricted-network.adoc[leveloffset=+1] + +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +include::modules/installation-vsphere-infrastructure.adoc[leveloffset=+1] + +include::modules/installation-requirements-user-infra.adoc[leveloffset=+1] + +include::modules/installation-infrastructure-user-infra.adoc[leveloffset=+1] + +include::modules/installation-network-user-infra.adoc[leveloffset=+2] + +include::modules/installation-dns-user-infra.adoc[leveloffset=+2] + +include::modules/ssh-agent-using.adoc[leveloffset=+1] + +//You extract the installation program from the mirrored content. + +//You install the CLI on the bastion host. + +include::modules/installation-initializing-manual.adoc[leveloffset=+1] + +include::modules/installation-vsphere-config-yaml.adoc[leveloffset=+2] + +include::modules/installation-generate-ignition-configs.adoc[leveloffset=+1] + +include::modules/installation-vsphere-machines.adoc[leveloffset=+1] + +include::modules/installation-installing-bare-metal.adoc[leveloffset=+1] + +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +include::modules/installation-approve-csrs.adoc[leveloffset=+1] + +include::modules/installation-operators-config.adoc[leveloffset=+1] + +include::modules/installation-registry-storage-config.adoc[leveloffset=+2] + +include::modules/registry-configuring-storage-vsphere.adoc[leveloffset=+3] + +include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] + +include::modules/installation-complete-user-infra.adoc[leveloffset=+1] + + +.Next steps + +* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. +* If necessary, you can +xref:../../telemetry/opting-out-of-telemetry.adoc#opting-out-of-telemetry[opt out of telemetry]. diff --git a/modules/installation-about-restricted-network.adoc b/modules/installation-about-restricted-network.adoc new file mode 100644 index 000000000000..a65160d5ab60 
--- /dev/null +++ b/modules/installation-about-restricted-network.adoc 
@@ -0,0 +1,49 @@ +// Module included in the following assemblies: +// +// * installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc + +[id="installation-about-restricted-networks_{context}"] += About installations in restricted networks + +In {product-title} {version}, you can perform an installation that does not +require an active connection to the internet to obtain software components. You +complete an installation in a restricted network on only infrastructure that you provision, +not infrastructure that the installer provisions, so your platform selection is +limited. +// maybe point out that you can follow the bare metal installation rules on supported hardware and link to the matrix + +If you choose to perform a restricted network installation on a cloud platform, you +still require access to its cloud APIs. Some cloud functions, like +Amazon Web Service's IAM service, require internet access, so you might still +require internet access. +//behind a proxy +Depending on your network, you might require less internet +access for an installation on bare metal hardware or on VMware vSphere. + +To complete a restricted network installation, you must create a registry that +mirrors the contents of the {product-title} registry and contains the +installation media. You can create this mirror on a bastion host, which can +access both the internet and your closed network, or by using other methods +that meet your restrictions. + +[IMPORTANT] +==== +Restricted network installations always use user-provisioned infrastructure. +Because of the complexity of the configuration for user-provisioned installations, +consider completing a standard user-provisioned infrastructure installation before +you attempt a restricted network installation. Completing this test installation might +make it easier to isolate and troubleshoot any issues that might arise +during your installation in a restricted network. 
+==== + +[id="installation-restricted-network-limits{context}"] +== Additional limits + +Clusters in restricted networks have the following additional limitations and restrictions: + +* The ClusterVersion status includes an `Unable to retrieve available updates` +error. +//* The authentication Operator might randomly fail. +* By default, you cannot use the contents of the Developer Catalog because + you cannot access the required ImageStreamTags. +//* The `TelemeterClientDown` and `Watchdog` alerts from the monitoring Operator always display. diff --git a/modules/installation-bare-metal-config-yaml.adoc b/modules/installation-bare-metal-config-yaml.adoc index e464d2c482bd..897a15bcb287 100644 --- a/modules/installation-bare-metal-config-yaml.adoc +++ b/modules/installation-bare-metal-config-yaml.adoc @@ -1,6 +1,11 @@ // Module included in the following assemblies: // // * installing/installing_bare_metal/installing-bare-metal.adoc +// * installing/installing_restricted_networks/installing-restricted-networks-bare-metal.adoc + +ifeval::["{context}" == "installing-restricted-networks-bare-metal"] +:restricted: +endif::[] [id="installation-bare-metal-config-yaml_{context}"] = Sample `install-config.yaml` file for bare metal 
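Review bot: The second anchor in the new module, `[id="installation-restricted-network-limits{context}"]`, is missing the `_` separator that the module's first id `installation-about-restricted-networks_{context}` and every other `_{context}` id in this diff use, so the generated id will be the two strings fused together and any xref written by the project's convention will miss; change it to `[id="installation-restricted-network-limits_{context}"]`. The intro paragraph also uses `{version}` where the assemblies and the deleted `installing-disconnected.adoc` use `{product-version}`; unless `{version}` is defined in `common-attributes.adoc` (not visible here) it will render literally. The mirror paragraph could state in one clause that the mirror registry is reachable from the closed network, since the bastion is described as reaching both the internet and the closed network but the registry's placement is left implicit.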
@@ -32,8 +37,26 @@ networking: - 172.30.0.0/16 platform: none: {} <10> +ifndef::restricted[] pullSecret: '{"auths": ...}' <11> +endif::restricted[] +ifdef::restricted[] +pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' <11> +endif::restricted[] sshKey: 'ssh-ed25519 AAAA...' <12> +ifdef::restricted[] +additionalTrustBundle: | <13> + -----BEGIN CERTIFICATE----- + ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ + -----END CERTIFICATE----- +imageContentSources: <14> +- mirrors: + - :5000//release + source: quay.io/openshift-release-dev/ocp-release +- mirrors: + - :5000//release + source: registry.svc.ci.openshift.org/ocp/release +endif::restricted[] ---- <1> The base domain of the cluster. All DNS records must be sub-domains of this base and include the cluster name. @@ -79,11 +102,19 @@ one IP address pool. If you need to access the services from an external network configure load balancers and routers to manage the traffic. <10> You must set the platform to `none`. You cannot provide additional platform configuration variables for bare metal infrastructure. +ifndef::restricted[] <11> The pull secret that you obtained from the link:https://cloud.redhat.com/openshift/install[OpenShift Infrastructure Providers] page. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for {product-title} components. +endif::restricted[] +ifdef::restricted[] +<11> For `bastion_host_name`, specify the registry domain name +that you specified in the certificate for your mirror registry, and for +``, specify the base64-encoded user name and password for +your mirror registry. +endif::restricted[] <12> The public portion of the default SSH key for the `core` user in {op-system-first}. + 
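Review bot: In the `ifdef::restricted[]` sample, the pull-secret value `'{"auths":{":5000": {"auth": "","email": "you@example.com"}}}'` and the mirror entries `- :5000//release` show empty host, credential and repository slots, while callout `<11>` asks the reader to fill in `bastion_host_name` and a second token that renders as an empty code span; if the angle-bracket placeholders were only lost in rendering the source is fine, but please confirm the .adoc carries them as `<bastion_host_name>:5000`, `"auth": "<credentials>"` and `<bastion_host_name>:5000/<repo_name>/release`, consistently in the sample, the callout and the identical blocks in `installation-generate-aws-user-infra.adoc` and `installation-vsphere-config-yaml.adoc`. Callout `<11>` could also spell out that `auth` is the base64 encoding of `user:password` for the mirror registry, and that `install-config.yaml` therefore now contains registry credentials and deserves the same handling as the original pull secret. Callout `<13>` says to provide "the contents of the certificate file that you used for your mirror registry"; what `additionalTrustBundle` distributes to the nodes is the CA certificate (or chain) that signed the registry's serving certificate, which coincides with the server certificate only when it is self-signed, so saying "the CA certificate for your mirror registry" avoids readers pasting a leaf certificate issued by a private CA. The same wording applies to `<14>` in the vSphere module and to the `additionalTrustBundle` step in the AWS module.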
@@ -93,3 +124,9 @@ For production {product-title} clusters on which you want to perform installatio debugging or disaster recovery on, you must provide an SSH key that your `ssh-agent` process uses to the installation program. ==== +ifdef::restricted[] +<13> Provide the contents of the certificate file that you used for your mirror +registry. +<14> Provide the `imageContentSources` section from the output of the command to +mirror the repository. +endif::restricted[] diff --git a/modules/installation-generate-aws-user-infra.adoc b/modules/installation-generate-aws-user-infra.adoc index 3ee82d46c4c5..316a5031075c 100644 --- a/modules/installation-generate-aws-user-infra.adoc +++ b/modules/installation-generate-aws-user-infra.adoc @@ -2,6 +2,10 @@ // // * installing/installing_aws_user_infra/installing-aws-user-infra.adoc +ifeval::["{context}" == "installing-restricted-networks-aws"] +:restricted: +endif::[] + [id="installation-generate-aws-user-infra_{context}"] = Creating the installation files for AWS @@ -22,6 +26,9 @@ to ensure that the first certificate rotation has finished. .Prerequisites * Obtain the {product-title} installation program and the pull secret for your cluster. +ifdef::restricted[] +For a restricted network installation, these files are on your bastion host. +endif::restricted[] .Procedure @@ -52,7 +59,7 @@ For production {product-title} clusters on which you want to perform installatio debugging or disaster recovery on, you must provide an SSH key that your `ssh-agent` process uses to the installation program. ==== -... Select AWS as the platform to target. +... Select *aws* as the platform to target. ... If you do not have an AWS profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program. 
@@ -74,6 +81,47 @@ compute: replicas: 0 ---- +ifdef::restricted[] +. Edit the `install-config.yaml` file to provide the additional information that +is required for an installation in a restricted network. +.. Update the `pullSecret` value to contain the authentication information for +your registry: ++ +---- +pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' +---- ++ +For `bastion_host_name`, specify the registry domain name +that you specified in the certificate for your mirror registry, and for +``, specify the base64-encoded user name and password for +your mirror registry. +.. Add the `additionalTrustBundle` parameter and value: ++ +---- +additionalTrustBundle: | + -----BEGIN CERTIFICATE----- + ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ + -----END CERTIFICATE----- +---- ++ +Provide the contents of the certificate file that you used for your mirror +registry. +.. Update image content resources: ++ +---- +imageContentSources: +- mirrors: + - :5000//release + source: quay.io/openshift-release-dev/ocp-release +- mirrors: + - :5000//release + source: registry.svc.ci.openshift.org/ocp/release +---- ++ +Use the `imageContentSources` section from the output of the command to +mirror the repository. +endif::restricted[] + . Optional: Back up the `install-config.yaml` file. + [IMPORTANT] diff --git a/modules/installation-generate-ignition-configs.adoc b/modules/installation-generate-ignition-configs.adoc index 1a3bf0fec6e2..cd0b329b200b 100644 --- a/modules/installation-generate-ignition-configs.adoc +++ b/modules/installation-generate-ignition-configs.adoc 
@@ -3,6 +3,13 @@ // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_vsphere/installing-vsphere.adoc +ifeval::["{context}" == "installing-restricted-networks-vsphere"] +:restricted: +endif::[] +ifeval::["{context}" == "installing-restricted-networks-bare-metal"] +:restricted: +endif::[] + [id="installation-generate-ignition-configs_{context}"] = Creating the Ignition config files @@ -20,6 +27,9 @@ to ensure that the first certificate rotation has finished. .Prerequisites * Obtain the {product-title} installation program and the pull secret for your cluster. +ifdef::restricted[] +For a restricted network installation, these files are on your bastion host. +endif::restricted[] .Procedure diff --git a/modules/installation-initializing-manual.adoc b/modules/installation-initializing-manual.adoc index 814a4683d7eb..d5e99277cabd 100644 --- a/modules/installation-initializing-manual.adoc +++ b/modules/installation-initializing-manual.adoc @@ -1,8 +1,17 @@ // Module included in the following assemblies: // // * installing/installing_bare_metal/installing-bare-metal.adoc +// * installing/installing_restricted_networks/installing-restricted-networks-bare-metal.adoc +// * installing/installing_restricted_networks/installing-restricted-networks-vsphere.adoc // * installing/installing_vsphere/installing-vsphere.adoc +ifeval::["{context}" == "installing-restricted-networks-vsphere"] +:restricted: +endif::[] +ifeval::["{context}" == "installing-restricted-networks-bare-metal"] +:restricted: +endif::[] + [id="installation-initializing-manual_{context}"] = Manually creating the installation configuration file 
@@ -13,6 +22,11 @@ infrastructure, you must manually generate your installation configuration file. * Obtain the {product-title} installation program and the access token for your cluster. +ifdef::restricted[] +* Obtain the `imageContentSources` section from the output of the command to +mirror the repository. +* Obtain the contents of the certificate for your mirror registry. +endif::restricted[] .Procedure @@ -33,13 +47,21 @@ names for the installation assets might change between releases. Use caution when copying installation files from an earlier {product-title} version. ==== -. Customize the following `install-config.yaml` file template and save +. Customize the following `install-config.yaml` file template and save it in the ``. + [NOTE] ==== You must name this configuration file `install-config.yaml`. ==== +ifdef::restricted[] +** Unless you use a registry that {op-system} trusts by default, such as +`docker.io`, you must provide the contents of the certificate for your mirror +repository in the `additionalTrustBundle` section. In most cases, you must +provide the certificate for your mirror. +** You must include the `imageContentSources` section from the output of the command to +mirror the repository. +endif::restricted[] . Back up the `install-config.yaml` file so that you can use it to install multiple clusters. diff --git a/modules/installation-vsphere-config-yaml.adoc b/modules/installation-vsphere-config-yaml.adoc index 4e6bca31d8a2..9d1d9ce3b545 100644 --- a/modules/installation-vsphere-config-yaml.adoc +++ b/modules/installation-vsphere-config-yaml.adoc 
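Review bot: The new `ifdef::restricted[]` bullet frames trust as a property of the registry name ("a registry that {op-system} trusts by default, such as `docker.io`"), but `additionalTrustBundle` supplies a CA certificate, so the condition that matters is whether the mirror registry's TLS certificate chains to a CA already in the {op-system} trust store — a registry under any name can be either, and `docker.io` is presumably trusted only because its certificate comes from a public CA. Suggested wording: `** Unless the TLS certificate of your mirror registry is signed by a certificate authority that {op-system} already trusts, provide that CA certificate in the additionalTrustBundle section.` The follow-on sentence "In most cases, you must provide the certificate for your mirror." then adds nothing and can be dropped. In the same hunk, `save it in the ``` shows an empty inline code span where a directory placeholder is expected; it may be a rendering artifact, but it is worth confirming the source still reads `<installation_directory>`.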
@@ -1,7 +1,12 @@ // Module included in the following assemblies: // +// * installing/installing_restricted_networks/installing-restricted-networks-vsphere.adoc // * installing/installing_vsphere/installing-vsphere.adoc +ifeval::["{context}" == "installing-restricted-networks-vsphere"] +:restricted: +endif::[] + [id="installation-vsphere-config-yaml_{context}"] = Sample `install-config.yaml` file for VMware vSphere @@ -30,9 +35,26 @@ platform: password: password <9> datacenter: datacenter <10> defaultDatastore: datastore <11> +ifndef::restricted[] pullSecret: '{"auths": ...}' <12> +endif::restricted[] +ifdef::restricted[] +pullSecret: '{"auths":{":5000": {"auth": "","email": "you@example.com"}}}' <12> +endif::restricted[] sshKey: 'ssh-ed25519 AAAA...' <13> - +ifdef::restricted[] +additionalTrustBundle: | <14> + -----BEGIN CERTIFICATE----- + ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ + -----END CERTIFICATE----- +imageContentSources: <15> +- mirrors: + - :5000//release + source: quay.io/openshift-release-dev/ocp-release +- mirrors: + - :5000//release + source: registry.svc.ci.openshift.org/ocp/release +endif::restricted[] ---- <1> The base domain of the cluster. All DNS records must be sub-domains of this base and include the cluster name. 
@@ -74,11 +96,19 @@ in vSphere. <9> The password associated with the vSphere user. <10> The vSphere datacenter. <11> The default vSphere datastore to use. +ifndef::restricted[] <12> The pull secret that you obtained from the link:https://cloud.redhat.com/openshift/install[OpenShift Infrastructure Providers] page. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for {product-title} components. +endif::restricted[] +ifdef::restricted[] +<12> For `bastion_host_name`, specify the registry domain name +that you specified in the certificate for your mirror registry, and for +``, specify the base64-encoded user name and password for +your mirror registry. +endif::restricted[] <13> The public portion of the default SSH key for the `core` user in {op-system-first}. + @@ -88,3 +118,9 @@ For production {product-title} clusters on which you want to perform installatio debugging or disaster recovery on, you must provide an SSH key that your `ssh-agent` process uses to the installer. ==== +ifdef::restricted[] +<14> Provide the contents of the certificate file that you used for your mirror +registry. +<15> Provide the `imageContentSources` section from the output of the command to +mirror the repository. +endif::restricted[] diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc index fbe69dcf9ac9..dcfbfce8a527 100644 --- a/modules/ssh-agent-using.adoc +++ b/modules/ssh-agent-using.adoc @@ -64,6 +64,6 @@ Identity added: /home/// () .Next steps -When you install {product-title}, provide the SSH public key to the installer. +When you install {product-title}, provide the SSH public key to the installation program. If you install a cluster on infrastructure that you provision, you must provide this key to your cluster's machines. 
diff --git a/modules/telemetry-consequences-of-disabling-telemetry.adoc b/modules/telemetry-consequences-of-disabling-telemetry.adoc index 24d13fa10634..fcfe0fb033c2 100644 --- a/modules/telemetry-consequences-of-disabling-telemetry.adoc +++ b/modules/telemetry-consequences-of-disabling-telemetry.adoc @@ -14,4 +14,4 @@ Some of the consequences of opting out of Telemetry are: * You will not gain quality assurance by reporting faults encountered during upgrades. * You cannot entitle your cluster. -Deployment and management of {product-title} for disconnected environments is a critical goal and will be delivered in a future version of {product-title}. +Deployment and management of {product-title} for restricted networks is a critical goal and will be delivered in a future version of {product-title}. diff --git a/updating/updating-disconnected-cluster.adoc b/updating/updating-disconnected-cluster.adoc index c6dd1219ff06..92ea53cbbe6b 100644 --- a/updating/updating-disconnected-cluster.adoc +++ b/updating/updating-disconnected-cluster.adoc @@ -6,7 +6,7 @@ include::modules/common-attributes.adoc[] toc::[] You can update, or upgrade, an {product-title} cluster that you installed in a -disconnected environment to a minor version by using the web console. +restricted network to a minor version by using the web console. .Prerequisites