diff --git a/_topic_map.yml b/_topic_map.yml index 759307988917..d86b7700389e 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -141,6 +141,8 @@ Topics: File: installing-aws-customizations - Name: Installing a cluster on AWS with network customizations File: installing-aws-network-customizations + - Name: Installing a cluster on AWS in a restricted network + File: installing-restricted-networks-aws-installer-provisioned - Name: Installing a cluster on AWS into an existing VPC File: installing-aws-vpc - Name: Installing a private cluster on AWS diff --git a/installing/install_config/installing-restricted-networks-preparations.adoc b/installing/install_config/installing-restricted-networks-preparations.adoc index 13544714894b..04bca7482c8a 100644 --- a/installing/install_config/installing-restricted-networks-preparations.adoc +++ b/installing/install_config/installing-restricted-networks-preparations.adoc @@ -5,7 +5,7 @@ include::modules/common-attributes.adoc[] toc::[] -Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content. +Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content. [IMPORTANT] ==== diff --git a/installing/installing-preparing.adoc b/installing/installing-preparing.adoc index ecfb748f0908..217c7666498c 100644 --- a/installing/installing-preparing.adoc 
+++ b/installing/installing-preparing.adoc 
@@ -62,7 +62,7 @@ If you use a user-provisioned installation method, you can configure a proxy for If you want to prevent your cluster on a public cloud from exposing endpoints externally, you can deploy a private cluster with installer-provisioned infrastructure on xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[AWS], xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Azure], or xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[GCP]. -If you need to install your cluster that has limited access to the Internet, such as a disconnected or restricted network cluster, you can xref:../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. 
+If you need to install your cluster that has limited access to the Internet, such as a disconnected or restricted network cluster, you can xref:../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere]. 
If you need to deploy your cluster to an xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[AWS GovCloud region] or xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Azure government region], you can configure those custom regions during an installer-provisioned infrastructure installation. @@ -143,7 +143,7 @@ endif::openshift-origin[] | |Restricted network -| +|xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[X] | | |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[X] diff --git a/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc b/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc new file mode 100644 index 000000000000..78ee02aea030 --- /dev/null +++ b/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc 
@@ -0,0 +1,72 @@ +[id="installing-restricted-networks-aws-installer-provisioned"] += Installing a cluster on AWS in a restricted network +include::modules/common-attributes.adoc[] +:context: installing-restricted-networks-aws-installer-provisioned + +toc::[] + +In {product-title} version {product-version}, you can install a cluster on Amazon Web Services (AWS) in a restricted network by creating an internal mirror of the installation release content on an existing Amazon Virtual Private Cloud (VPC). + +[id="prerequisites_installing-restricted-networks-aws-installer-provisioned"] +== Prerequisites + +* You xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[created a mirror registry on your mirror host] and obtained the `imageContentSources` data for your version of {product-title}. ++ +[IMPORTANT] +==== +Because the installation media is on the mirror host, you can use that computer to complete all installation steps. +==== +* You have an existing VPC in AWS. When installing to a restricted network using installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements: +** Contains the mirror registry. +** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere. +* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. +* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster. ++ +[IMPORTANT] +==== +If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. 
The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-lived credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program. +==== +* You downloaded the AWS CLI and installed it on your computer. See +link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] in the AWS documentation. +* If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to. ++ +[NOTE] +==== +If you are configuring a proxy, be sure to also review this site list. +==== +* If you do not allow the system to manage identity and access management (IAM), then a cluster administrator can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials]. Manual mode can also be used in environments where the cloud IAM APIs are not reachable. 
+ +include::modules/installation-about-restricted-network.adoc[leveloffset=+1] + +include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1] + +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service + +include::modules/ssh-agent-using.adoc[leveloffset=+1] + +include::modules/installation-initializing.adoc[leveloffset=+1] + +include::modules/installation-configuration-parameters.adoc[leveloffset=+2] + +include::modules/installation-aws-config-yaml.adoc[leveloffset=+2] + +include::modules/installation-configure-proxy.adoc[leveloffset=+2] + +include::modules/installation-launching-installer.adoc[leveloffset=+1] + +include::modules/cli-installing-cli.adoc[leveloffset=+1] + +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +[id="next-steps_installing-restricted-networks-aws-installer-provisioned"] +== Next steps + +* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation]. +* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]. +* Learn how to xref:../../operators/admin/olm-restricted-networks.adoc#olm-understanding-operator-catalog-images_olm-restricted-networks[use Operator Lifecycle Manager (OLM) on restricted networks]. +* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores]. +* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting]. 
diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc index a93e511c23ae..61cdffe60d34 100644 --- a/modules/cli-installing-cli.adoc +++ b/modules/cli-installing-cli.adoc @@ -8,6 +8,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc // * installing/installing_azure/installing-azure-government-region.adoc diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc index 3cd37712e3e5..d4de84b64d9b 100644 --- a/modules/cli-logging-in-kubeadmin.adoc +++ b/modules/cli-logging-in-kubeadmin.adoc @@ -7,6 +7,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc // * installing/installing_azure/installing-azure-government-region.adoc diff --git a/modules/cluster-entitlements.adoc b/modules/cluster-entitlements.adoc index f3a88cebc06c..34afc222cb7a 100644 --- a/modules/cluster-entitlements.adoc +++ b/modules/cluster-entitlements.adoc 
@@ -8,6 +8,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc // * installing/installing_azure/installing-azure-government-region.adoc @@ -56,6 +57,13 @@ endif::[] ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"] :restricted: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:restricted: +endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws"] +:restricted: +endif::[] + [id="cluster-entitlements_{context}"] ifndef::openshift-origin[] @@ -103,3 +111,9 @@ endif::[] ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"] :!restricted: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:!restricted: +endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws"] +:!restricted: +endif::[] diff --git a/modules/installation-about-restricted-network.adoc b/modules/installation-about-restricted-network.adoc index bd07a969e738..82cdb8cb585f 100644 --- a/modules/installation-about-restricted-network.adoc +++ b/modules/installation-about-restricted-network.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/installing_aws/installing-restricted-networks-aws.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc // * installing/installing_vmc/installing-restricted-networks-vmc.adoc // * installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc 
@@ -29,6 +30,9 @@ endif::[] ifeval::["{context}" == "installing-restricted-networks-vmc"] :ipi: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:ipi: +endif::[] [id="installation-about-restricted-networks_{context}"] = About installations in restricted networks @@ -89,3 +93,6 @@ endif::[] ifeval::["{context}" == "installing-restricted-networks-vmc"] :!ipi: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:!ipi: +endif::[] diff --git a/modules/installation-aws-config-yaml.adoc b/modules/installation-aws-config-yaml.adoc index cef19a28b7ad..e42f6e7469c7 100644 --- a/modules/installation-aws-config-yaml.adoc +++ b/modules/installation-aws-config-yaml.adoc @@ -5,6 +5,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc ifeval::["{context}" == "installing-aws-network-customizations"] :with-networking: @@ -24,7 +25,9 @@ ifeval::["{context}" == "installing-aws-government-region"] :private: :gov: endif::[] - +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:restricted: +endif::[] [id="installation-aws-config-yaml_{context}"] = Sample customized `install-config.yaml` file for AWS @@ -114,7 +117,7 @@ endif::gov[] userTags: adminContact: jdoe costCenter: 7536 -ifdef::vpc[] +ifdef::vpc,restricted[] subnets: <7> - subnet-1 - subnet-2 
@@ -124,15 +127,14 @@ ifdef::vpc[] - name: ec2 url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com hostedZone: Z3URY6TWQ91KVV <10> -endif::vpc[] -ifndef::vpc[] +endif::vpc,restricted[] +ifndef::vpc,restricted[] amiID: ami-96c6f8f7 <7> serviceEndpoints: <8> - name: ec2 url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com -endif::vpc[] -pullSecret: '{"auths": ...}' <1> -ifdef::vpc[] +endif::vpc,restricted[] +ifdef::vpc,restricted[] ifndef::openshift-origin[] fips: false <11> sshKey: ssh-ed25519 AAAA... <12> @@ -140,8 +142,8 @@ endif::openshift-origin[] ifdef::openshift-origin[] sshKey: ssh-ed25519 AAAA... <11> endif::openshift-origin[] -endif::vpc[] -ifndef::vpc[] +endif::vpc,restricted[] +ifndef::vpc,restricted[] ifndef::openshift-origin[] fips: false <9> sshKey: ssh-ed25519 AAAA... <10> @@ -149,12 +151,18 @@ endif::openshift-origin[] ifdef::openshift-origin[] sshKey: ssh-ed25519 AAAA... <9> endif::openshift-origin[] -endif::vpc[] +endif::vpc,restricted[] ifdef::private[] ifndef::openshift-origin[] publish: Internal <13> endif::openshift-origin[] endif::private[] +ifndef::restricted[] +pullSecret: '{"auths": ...}' <1> +endif::restricted[] +ifdef::restricted[] +pullSecret: '{"auths":{"": {"auth": "","email": "you@example.com"}}}' <13> +endif::restricted[] ifdef::gov[] ifndef::openshift-origin[] additionalTrustBundle: | <14> @@ -176,6 +184,21 @@ additionalTrustBundle: | <13> -----END CERTIFICATE----- endif::openshift-origin[] endif::gov[] +ifdef::restricted[] +additionalTrustBundle: | <14> + -----BEGIN CERTIFICATE----- + + -----END CERTIFICATE----- +imageContentSources: <15> +- mirrors: + - //release + source: quay.io/openshift-release-dev/ocp-release +- mirrors: + - //release + source: registry.svc.ci.openshift.org/ocp/release +endif::restricted[] + + ---- ifndef::gov[] <1> Required. The installation program prompts you for this value. 
@@ -209,7 +232,7 @@ disable simultaneous multithreading. ==== <6> To configure faster storage for etcd, especially for larger clusters, set the storage type as `io1` and set `iops` to `2000`. -ifdef::vpc[] +ifdef::vpc,restricted[] <7> If you provide your own VPC, specify subnets for each availability zone that your cluster uses. <8> The ID of the AMI used to boot machines for the cluster. If set, the AMI must belong to the same region as the cluster. @@ -226,8 +249,8 @@ ifdef::openshift-origin[] <11> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] -endif::vpc[] -ifndef::vpc[] +endif::vpc,restricted[] +ifndef::vpc,restricted[] <7> The ID of the AMI used to boot machines for the cluster. If set, the AMI must belong to the same region as the cluster. <8> The AWS service endpoints. Custom endpoints are required when installing to @@ -242,7 +265,7 @@ ifdef::openshift-origin[] <9> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. endif::openshift-origin[] -endif::vpc[] +endif::vpc,restricted[] + [NOTE] ==== @@ -254,6 +277,14 @@ endif::private[] ifdef::gov[] <14> The custom CA certificate. This is required when deploying to the AWS C2S Secret Region because the AWS API requires a custom CA trust bundle. endif::gov[] +ifdef::restricted[] +<13> For ``, specify the registry domain name, and optionally the +port, that your mirror registry uses to serve content. For example +`registry.example.com` or `registry.example.com:5000`. For ``, +specify the base64-encoded user name and password for your mirror registry. +<14> Provide the contents of the certificate file that you used for your mirror registry. +<15> Provide the `imageContentSources` section from the output of the command to mirror the repository. +endif::restricted[] ifeval::["{context}" == "installing-aws-network-customizations"] :!with-networking: 
@@ -273,3 +304,6 @@ ifeval::["{context}" == "installing-aws-government-region"] :!private: :!gov: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:!restricted: +endif::[] diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc index 342925d5f902..a96a9af78ef1 100644 --- a/modules/installation-configuration-parameters.adoc +++ b/modules/installation-configuration-parameters.adoc @@ -5,6 +5,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-government-region.adoc // * installing/installing_azure/installing-azure-network-customizations.adoc @@ -41,6 +42,9 @@ endif::[] ifeval::["{context}" == "installing-aws-vpc"] :aws: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:aws: +endif::[] ifeval::["{context}" == "installing-azure-customizations"] :azure: endif::[] @@ -907,6 +911,9 @@ endif::[] ifeval::["{context}" == "installing-aws-vpc"] :!aws: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:!aws: +endif::[] ifeval::["{context}" == "installing-azure-customizations"] :!azure: endif::[] diff --git a/modules/installation-configure-proxy.adoc b/modules/installation-configure-proxy.adoc index 467451ff8bca..d693da378c15 100644 --- a/modules/installation-configure-proxy.adoc +++ b/modules/installation-configure-proxy.adoc 
@@ -2,6 +2,7 @@ // // * installing/installing_aws/installing-aws-user-infra.adoc // * installing/installing_aws/installing-aws-government-region.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-government-region.adoc // * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-user-infra.adoc diff --git a/modules/installation-custom-aws-vpc.adoc b/modules/installation-custom-aws-vpc.adoc index 830b278b30ce..31e55fb08ff3 100644 --- a/modules/installation-custom-aws-vpc.adoc +++ b/modules/installation-custom-aws-vpc.adoc 
@@ -32,7 +32,9 @@ Your VPC must meet the following characteristics: * The VPC must not use the `kubernetes.io/cluster/.*: owned` tag. * You must enable the `enableDnsSupport` and `enableDnsHostnames` attributes in your VPC so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support[DNS Support in Your VPC] in the AWS documentation. If you prefer using your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the `platform.aws.hostedZone` field in the `install-config.yaml` file. -If you use a cluster with public access, you must create a public and a private subnet for each availability zone that your cluster uses. The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify. +If you use a cluster with public access, you must create a public and a private subnet for each availability zone that your cluster uses. + +The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify. If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2 and ELB endpoints. To resolve this, you must create 
diff --git a/modules/installation-initializing.adoc b/modules/installation-initializing.adoc index 17ab22643424..2a40675f0e7d 100644 --- a/modules/installation-initializing.adoc +++ b/modules/installation-initializing.adoc @@ -3,6 +3,7 @@ // * installing/installing_aws/installing-aws-customizations.adoc // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-network-customizations // * installing/installing_azure/installing-azure-vnet.adoc @@ -38,6 +39,10 @@ endif::[] ifeval::["{context}" == "installing-aws-vpc"] :aws: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:aws: +:restricted: +endif::[] ifeval::["{context}" == "installing-azure-customizations"] :azure: endif::[] @@ -162,7 +167,9 @@ ifdef::restricted[] For a restricted network installation, these files are on your bastion host. * Have the `imageContentSources` values that were generated during mirror registry creation. * Obtain the contents of the certificate for your mirror registry. +ifndef::aws[] * Retrieve a {op-system-first} image and upload it to an accessible location. +endif::aws[] endif::restricted[] .Procedure @@ -410,7 +417,17 @@ additionalTrustBundle: | ---- + The value must be the contents of the certificate file that you used for your mirror registry, which can be an existing, trusted certificate authority or the self-signed certificate that you generated for the mirror registry. - +ifdef::aws+restricted[] +.. Define the subnets for the VPC to install the cluster in: ++ +[source,yaml] +---- +subnets: +- subnet-1 +- subnet-2 +- subnet-3 +---- +endif::aws+restricted[] .. Add the image content resources, which look like this excerpt: + [source,yaml] 
@@ -450,6 +467,10 @@ endif::[] ifeval::["{context}" == "installing-aws-vpc"] :!aws: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:!aws: +:!restricted: +endif::[] ifeval::["{context}" == "installing-azure-customizations"] :!azure: endif::[] diff --git a/modules/installation-launching-installer.adoc b/modules/installation-launching-installer.adoc index 6ba27ee09874..58779cfbb793 100644 --- a/modules/installation-launching-installer.adoc +++ b/modules/installation-launching-installer.adoc @@ -6,6 +6,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc // * installing/installing_azure/installing-azure-government-region.adoc @@ -47,6 +48,10 @@ ifeval::["{context}" == "installing-aws-vpc"] :custom-config: :aws: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:custom-config: +:aws: +endif::[] ifeval::["{context}" == "installing-aws-default"] :no-config: :aws: @@ -436,6 +441,10 @@ ifeval::["{context}" == "installing-aws-vpc"] :!custom-config: :!aws: endif::[] +ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"] +:!custom-config: +:!aws: +endif::[] ifeval::["{context}" == "installing-aws-default"] :!no-config: :!aws: diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc index 9de6b9967334..4e6f08f1397b 100644 --- a/modules/ssh-agent-using.adoc +++ b/modules/ssh-agent-using.adoc 
@@ -7,6 +7,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc // * installing/installing_aws/installing-aws-vpc.adoc +// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc // * installing/installing_azure/installing-azure-default.adoc // * installing/installing_azure/installing-azure-government-region.adoc
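
Review bot: In installing-restricted-networks-preparations.adoc (@@ -5,7 +5,7 @@), the retained opening sentence still reads "Before you install a cluster on infrastructure that you provision in a restricted network". With the user-provisioned-only restriction removed, the page still appears scoped to user-provisioned installs. Suggest "Before you install a cluster in a restricted network" so the mirroring prerequisite clearly covers installer-provisioned installs as well.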
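
Review bot: In installing-preparing.adoc (@@ -62,7 +62,7 @@), the added sentence writes "installer-provisioned infrastructure", while the sentence before it on the same line keeps "user provisioned infrastructure" without the hyphen. The new platform list also ends with "and" where the preceding list ends with "or". Suggest hyphenating "user-provisioned" while this line is being touched and using "or" in both lists.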
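
Review bot: In the new installing-restricted-networks-aws-installer-provisioned.adoc (@@ -0,0 +1,72 @@), the introduction says the internal mirror is created "on an existing Amazon Virtual Private Cloud (VPC)", but the VPC prerequisite also allows a mirror registry "hosted elsewhere" that is reached through firewall rules or a peering connection. Suggest aligning the introduction with the prerequisite, for example "reachable from an existing VPC". The bullet under ".Additional resources" is also missing its closing period.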
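
Review bot: In modules/cluster-entitlements.adoc (@@ -56,6 +57,13 @@ and @@ -103,3 +111,9 @@), `:restricted:` is now also set for the existing `installing-restricted-networks-aws` context, which changes the rendered output of the user-provisioned AWS assembly and is outside what the rest of this patch adds. If that is an intentional fix, say so in the commit message or split it into its own commit so it can be reviewed and reverted independently. The first hunk also adds a second blank line before `[id="cluster-entitlements_{context}"]`.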
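
Review bot: In modules/installation-aws-config-yaml.adoc (@@ -149,12 +151,18 @@), the restricted `pullSecret` line uses callout `<13>`, the same number that `publish: Internal <13>` uses under `ifdef::private[]` a few lines above. In openshift-origin builds the restricted listing also jumps from `sshKey: ssh-ed25519 AAAA... <11>` straight to `<13>`, leaving no callout 12. Suggest giving the restricted callouts origin-specific numbers, as the `gov` block already does with `<14>` and `<13>`, and adding a comment that `private` and `restricted` are not expected to be set together.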
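
Review bot: In modules/installation-aws-config-yaml.adoc (@@ -176,6 +184,21 @@), the second `imageContentSources` entry uses `source: registry.svc.ci.openshift.org/ocp/release`, while callout 15 tells readers to paste the section from the output of the mirror command. Please confirm that the sample sources match what that command prints for a released version, because a `source` that does not match the repository in the release pull spec is not redirected to the mirror. Both `mirrors` entries also read `- //release` with no registry host or repository placeholder, the certificate body between the BEGIN and END lines is blank, and two extra blank lines are added before the closing `----`.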
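
Review bot: In modules/installation-aws-config-yaml.adoc (@@ -254,6 +277,14 @@), callout 13 reads "For ``, specify the registry domain name" and "For ``, specify the base64-encoded user name and password", so the placeholder names inside the backticks are empty. The `pullSecret` sample it describes likewise shows `"auths":{"": {"auth": ""`. Readers cannot tell which field each sentence refers to. Suggest escaping the angle-bracket placeholders so they survive rendering, and stating that the `auth` value is the base64 encoding of `user:password` so the expected format is unambiguous.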
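
Review bot: In modules/installation-custom-aws-vpc.adoc, the only hunk is @@ -32,7 +32,9 @@, so the module's "Module included in the following assemblies" comment is not updated, although the new assembly pulls the module in with `include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]`. Every other module touched by this patch adds `// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc` to its header. Suggest adding the same line here.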
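
Review bot: In modules/installation-initializing.adoc (@@ -410,7 +417,17 @@), the new step shows `subnets:` as a bare top-level key, but in `install-config.yaml` the field is `platform.aws.subnets`, and a reader who pastes the snippet at the top level gets an invalid file. Suggest naming the full path in the step text or showing the `platform:` and `aws:` parent keys in the snippet. The hunk also drops the blank line that separated the "The value must be the contents of the certificate file" paragraph from the next step, so in non-AWS restricted contexts that paragraph is now followed directly by ".. Add the image content resources". Please check that this still renders as a separate step.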