[enterprise-4.7] Installing a cluster on AWS in a restricted network

_topic_map.yml

@@ -141,6 +141,8 @@ Topics:
     File: installing-aws-customizations
   - Name: Installing a cluster on AWS with network customizations
     File: installing-aws-network-customizations
+  - Name: Installing a cluster on AWS in a restricted network
+    File: installing-restricted-networks-aws-installer-provisioned
   - Name: Installing a cluster on AWS into an existing VPC
     File: installing-aws-vpc
   - Name: Installing a private cluster on AWS

installing/install_config/installing-restricted-networks-preparations.adoc

@@ -5,7 +5,7 @@ include::modules/common-attributes.adoc[]
 
 toc::[]
 
-Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
+Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
 
 [IMPORTANT]
 ====

installing/installing-preparing.adoc

@@ -62,7 +62,7 @@ If you use a user-provisioned installation method, you can configure a proxy for
 
 If you want to prevent your cluster on a public cloud from exposing endpoints externally, you can deploy a private cluster with installer-provisioned infrastructure on xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[AWS], xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Azure], or xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[GCP].
 
-If you need to install your cluster that has limited access to the Internet, such as a disconnected or restricted network cluster, you can xref:../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal].
+If you need to install your cluster that has limited access to the Internet, such as a disconnected or restricted network cluster, you can xref:../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
 
 If you need to deploy your cluster to an xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[AWS GovCloud region] or xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Azure government region], you can configure those custom regions during an installer-provisioned infrastructure installation.
 
@@ -143,7 +143,7 @@ endif::openshift-origin[]
 |
 
 |Restricted network
-|
+|xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[X]
 |
 |
 |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[X]

installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc

@@ -0,0 +1,72 @@
+[id="installing-restricted-networks-aws-installer-provisioned"]
+= Installing a cluster on AWS in a restricted network
+include::modules/common-attributes.adoc[]
+:context: installing-restricted-networks-aws-installer-provisioned
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster on Amazon Web Services (AWS) in a restricted network by creating an internal mirror of the installation release content on an existing Amazon Virtual Private Cloud (VPC).
+
+[id="prerequisites_installing-restricted-networks-aws-installer-provisioned"]
+== Prerequisites
+
+* You xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[created a mirror registry on your mirror host] and obtained the `imageContentSources` data for your version of {product-title}.
++
+[IMPORTANT]
+====
+Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
+====
+* You have an existing VPC in AWS. When installing to a restricted network using installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
+** Contains the mirror registry.
+** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere.
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster.
++
+[IMPORTANT]
+====
+If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-lived credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program.
+====
+* You downloaded the AWS CLI and installed it on your computer. See
+link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] in the AWS documentation.
+* If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to.
++
+[NOTE]
+====
+If you are configuring a proxy, be sure to also review this site list.
+====
+* If you do not allow the system to manage identity and access management (IAM), then a cluster administrator can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials]. Manual mode can also be used in environments where the cloud IAM APIs are not reachable.
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+.Additional resources
+
+* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
+
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[id="next-steps_installing-restricted-networks-aws-installer-provisioned"]
+== Next steps
+
+* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation].
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* Learn how to xref:../../operators/admin/olm-restricted-networks.adoc#olm-understanding-operator-catalog-images_olm-restricted-networks[use Operator Lifecycle Manager (OLM) on restricted networks].
+* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
+* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

modules/cli-installing-cli.adoc

@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -7,6 +7,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc

modules/cluster-entitlements.adoc

@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc
@@ -56,6 +57,13 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:restricted:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws"]
+:restricted:
+endif::[]
+
 
 [id="cluster-entitlements_{context}"]
 ifndef::openshift-origin[]
@@ -103,3 +111,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
 :!restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!restricted:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws"]
+:!restricted:
+endif::[]

modules/installation-about-restricted-network.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_aws/installing-restricted-networks-aws.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc
@@ -29,6 +30,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vmc"]
 :ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:ipi:
+endif::[]
 
 [id="installation-about-restricted-networks_{context}"]
 = About installations in restricted networks
@@ -89,3 +93,6 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vmc"]
 :!ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!ipi:
+endif::[]

modules/installation-aws-config-yaml.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :with-networking:
@@ -24,7 +25,9 @@ ifeval::["{context}" == "installing-aws-government-region"]
 :private:
 :gov:
 endif::[]
-
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:restricted:
+endif::[]
 
 [id="installation-aws-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for AWS
@@ -114,7 +117,7 @@ endif::gov[]
     userTags:
       adminContact: jdoe
       costCenter: 7536
-ifdef::vpc[]
+ifdef::vpc,restricted[]
     subnets: <7>
     - subnet-1
     - subnet-2
@@ -123,37 +126,42 @@ ifdef::vpc[]
     serviceEndpoints: <9>
       - name: ec2
         url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
-endif::vpc[]
-ifndef::vpc[]
+endif::vpc,restricted[]
+ifndef::vpc,restricted[]
     amiID: ami-96c6f8f7 <7>
     serviceEndpoints: <8>
       - name: ec2
         url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
-endif::vpc[]
-pullSecret: '{"auths": ...}' <1>
-ifdef::vpc[]
+endif::vpc,restricted[]
+ifdef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <10>
 sshKey: ssh-ed25519 AAAA... <11>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <10>
 endif::openshift-origin[]
-endif::vpc[]
-ifndef::vpc[]
+endif::vpc,restricted[]
+ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <9>
 sshKey: ssh-ed25519 AAAA... <10>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <9>
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 ifdef::private[]
 ifndef::openshift-origin[]
 publish: Internal <12>
 endif::openshift-origin[]
 endif::private[]
+ifndef::restricted[]
+pullSecret: '{"auths": ...}' <1>
+endif::restricted[]
+ifdef::restricted[]
+pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <12>
+endif::restricted[]
 ifdef::gov[]
 ifndef::openshift-origin[]
 additionalTrustBundle: | <13>
@@ -175,6 +183,19 @@ additionalTrustBundle: | <12>
     -----END CERTIFICATE-----
 endif::openshift-origin[]
 endif::gov[]
+ifdef::restricted[]
+additionalTrustBundle: | <13>
+    -----BEGIN CERTIFICATE-----
+    <MY_TRUSTED_CA_CERT>
+    -----END CERTIFICATE-----
+imageContentSources: <14>
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: registry.svc.ci.openshift.org/ocp/release
+endif::restricted[]
 ----
 ifndef::gov[]
 <1> Required. The installation program prompts you for this value.
@@ -208,7 +229,7 @@ disable simultaneous multithreading.
 ====
 <6> To configure faster storage for etcd, especially for larger clusters, set the
 storage type as `io1` and set `iops` to `2000`.
-ifdef::vpc[]
+ifdef::vpc,restricted[]
 <7> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
 <8> The ID of the AMI used to boot machines for the cluster. If set, the AMI
 must belong to the same region as the cluster.
@@ -224,8 +245,8 @@ ifdef::openshift-origin[]
 <10> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
-endif::vpc[]
-ifndef::vpc[]
+endif::vpc,restricted[]
+ifndef::vpc,restricted[]
 <7> The ID of the AMI used to boot machines for the cluster. If set, the AMI
 must belong to the same region as the cluster.
 <8> The AWS service endpoints. Custom endpoints are required when installing to
@@ -240,7 +261,7 @@ ifdef::openshift-origin[]
 <9> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 +
 [NOTE]
 ====
@@ -252,6 +273,14 @@ endif::private[]
 ifdef::gov[]
 <13> The custom CA certificate. This is required when deploying to the AWS C2S Secret Region because the AWS API requires a custom CA trust bundle.
 endif::gov[]
+ifdef::restricted[]
+<12> For `<local_registry>`, specify the registry domain name, and optionally the
+port, that your mirror registry uses to serve content. For example
+`registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
+specify the base64-encoded user name and password for your mirror registry.
+<13> Provide the contents of the certificate file that you used for your mirror registry.
+<14> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+endif::restricted[]
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!with-networking:
@@ -271,3 +300,6 @@ ifeval::["{context}" == "installing-aws-government-region"]
 :!private:
 :!gov:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!restricted:
+endif::[]