[enterprise-4.6] Installing a cluster on AWS in a restricted network

_topic_map.yml

@@ -137,6 +137,8 @@ Topics:
     File: installing-aws-customizations
   - Name: Installing a cluster on AWS with network customizations
     File: installing-aws-network-customizations
+  - Name: Installing a cluster on AWS in a restricted network
+    File: installing-restricted-networks-aws-installer-provisioned
   - Name: Installing a cluster on AWS into an existing VPC
     File: installing-aws-vpc
   - Name: Installing a private cluster on AWS
@@ -145,7 +147,7 @@ Topics:
     File: installing-aws-government-region
   - Name: Installing a cluster on AWS using CloudFormation templates
     File: installing-aws-user-infra
-  - Name: Installing a cluster on AWS in a restricted network
+  - Name: Installing a cluster on AWS in a restricted network with user-provisioned infrastructure
     File: installing-restricted-networks-aws
   - Name: Uninstalling a cluster on AWS
     File: uninstalling-cluster-aws

installing/install_config/installation-types.adoc

@@ -58,7 +58,7 @@ endif::openshift-origin[]
 |
 
 |Restricted network
-|
+|xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[X]
 |
 |
 |xref:../../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[X]

installing/install_config/installing-restricted-networks-preparations.adoc

@@ -5,7 +5,7 @@ include::modules/common-attributes.adoc[]
 
 toc::[]
 
-Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. Installations on a restricted network are supported on only infrastructure that you provision, not infrastructure that the installer provisions. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
+Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
 
 [IMPORTANT]
 ====

installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc

@@ -0,0 +1,72 @@
+[id="installing-restricted-networks-aws-installer-provisioned"]
+= Installing a cluster on AWS in a restricted network
+include::modules/common-attributes.adoc[]
+:context: installing-restricted-networks-aws-installer-provisioned
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster on Amazon Web Services (AWS) in a restricted network by creating an internal mirror of the installation release content on an existing Amazon Virtual Private Cloud (VPC).
+
+[id="prerequisites_installing-restricted-networks-aws-installer-provisioned"]
+== Prerequisites
+
+* You xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[created a mirror registry on your mirror host] and obtained the `imageContentSources` data for your version of {product-title}.
++
+[IMPORTANT]
+====
+Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
+====
+* You have an existing VPC in AWS. When installing to a restricted network using installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
+** Contains the mirror registry.
+** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere.
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster.
++
+[IMPORTANT]
+====
+If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-lived credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program.
+====
+* You downloaded the AWS CLI and installed it on your computer. See
+link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] in the AWS documentation.
+* If you use a firewall and plan to use the Telemetry service, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured the firewall to allow the sites] that your cluster requires access to.
++
+[NOTE]
+====
+If you are configuring a proxy, be sure to also review this site list.
+====
+* If you do not allow the system to manage identity and access management (IAM), then a cluster administrator can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials]. Manual mode can also be used in environments where the cloud IAM APIs are not reachable.
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+.Additional resources
+
+* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
+
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[id="next-steps_installing-restricted-networks-aws-installer-provisioned"]
+== Next steps
+
+* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation].
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* Learn how to xref:../../operators/admin/olm-restricted-networks.adoc#olm-understanding-operator-catalog-images_olm-restricted-networks[use Operator Lifecycle Manager (OLM) on restricted networks].
+* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
+* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

installing/installing_aws/installing-restricted-networks-aws.adoc

@@ -1,5 +1,5 @@
 [id="installing-restricted-networks-aws"]
-= Installing a cluster on AWS that uses mirrored installation content
+= Installing a cluster on AWS in a restricted network with user-provisioned infrastructure
 include::modules/common-attributes.adoc[]
 :context: installing-restricted-networks-aws
 

modules/cli-installing-cli.adoc

@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -7,6 +7,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc

modules/cluster-entitlements.adoc

@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc
@@ -55,6 +56,13 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:restricted:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws"]
+:restricted:
+endif::[]
+
 
 [id="cluster-entitlements_{context}"]
 ifndef::openshift-origin[]
@@ -102,3 +110,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
 :!restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!restricted:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws"]
+:!restricted:
+endif::[]

modules/installation-about-restricted-network.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_aws/installing-restricted-networks-aws.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc
@@ -25,6 +26,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vmc"]
 :ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:ipi:
+endif::[]
 
 [id="installation-about-restricted-networks_{context}"]
 = About installations in restricted networks
@@ -82,3 +86,6 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vmc"]
 :!ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!ipi:
+endif::[]

modules/installation-aws-config-yaml.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :with-networking:
@@ -24,7 +25,9 @@ ifeval::["{context}" == "installing-aws-government-region"]
 :private:
 :gov:
 endif::[]
-
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:restricted:
+endif::[]
 
 [id="installation-aws-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for AWS
@@ -114,7 +117,7 @@ endif::gov[]
     userTags:
       adminContact: jdoe
       costCenter: 7536
-ifdef::vpc[]
+ifdef::vpc,restricted[]
     subnets: <7>
     - subnet-1
     - subnet-2
@@ -123,37 +126,53 @@ ifdef::vpc[]
     serviceEndpoints: <9>
       - name: ec2
         url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
-endif::vpc[]
-ifndef::vpc[]
+endif::vpc,restricted[]
+ifndef::vpc,restricted[]
     amiID: ami-96c6f8f7 <7>
     serviceEndpoints: <8>
       - name: ec2
         url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
-endif::vpc[]
-pullSecret: '{"auths": ...}' <1>
-ifdef::vpc[]
+endif::vpc,restricted[]
+ifdef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <10>
 sshKey: ssh-ed25519 AAAA... <11>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <10>
 endif::openshift-origin[]
-endif::vpc[]
-ifndef::vpc[]
+endif::vpc,restricted[]
+ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <9>
 sshKey: ssh-ed25519 AAAA... <10>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <9>
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 ifdef::private[]
 ifndef::openshift-origin[]
 publish: Internal <12>
 endif::openshift-origin[]
 endif::private[]
+ifndef::restricted[]
+pullSecret: '{"auths": ...}' <1>
+endif::restricted[]
+ifdef::restricted[]
+pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <12>
+additionalTrustBundle: | <13>
+    -----BEGIN CERTIFICATE-----
+    <MY_TRUSTED_CA_CERT>
+    -----END CERTIFICATE-----
+imageContentSources: <14>
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: registry.svc.ci.openshift.org/ocp/release
+endif::restricted[]
 ----
 ifndef::gov[]
 <1> Required. The installation program prompts you for this value.
@@ -187,7 +206,7 @@ disable simultaneous multithreading.
 ====
 <6> To configure faster storage for etcd, especially for larger clusters, set the
 storage type as `io1` and set `iops` to `2000`.
-ifdef::vpc[]
+ifdef::vpc,restricted[]
 <7> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
 <8> The ID of the AMI used to boot machines for the cluster. If set, the AMI
 must belong to the same region as the cluster.
@@ -203,8 +222,8 @@ ifdef::openshift-origin[]
 <10> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
-endif::vpc[]
-ifndef::vpc[]
+endif::vpc,restricted[]
+ifndef::vpc,restricted[]
 <7> The ID of the AMI used to boot machines for the cluster. If set, the AMI
 must belong to the same region as the cluster.
 <8> The AWS service endpoints. Custom endpoints are required when installing to
@@ -219,7 +238,7 @@ ifdef::openshift-origin[]
 <9> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 +
 [NOTE]
 ====
@@ -228,6 +247,14 @@ For production {product-title} clusters on which you want to perform installatio
 ifdef::private[]
 <12> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the Internet. The default value is `External`.
 endif::private[]
+ifdef::restricted[]
+<12> For `<local_registry>`, specify the registry domain name, and optionally the
+port, that your mirror registry uses to serve content. For example
+`registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
+specify the base64-encoded user name and password for your mirror registry.
+<13> Provide the contents of the certificate file that you used for your mirror registry.
+<14> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+endif::restricted[]
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!with-networking:
@@ -247,3 +274,6 @@ ifeval::["{context}" == "installing-aws-government-region"]
 :!private:
 :!gov:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!restricted:
+endif::[]

modules/installation-configuration-parameters.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc
 // * installing/installing_azure/installing-azure-network-customizations.adoc
@@ -41,6 +42,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :azure:
 endif::[]
@@ -826,6 +830,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :!azure:
 endif::[]

modules/installation-configure-proxy.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-government-region.adoc
+// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_azure/installing-azure-government-region.adoc
 // * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-user-infra.adoc

modules/installation-custom-aws-vpc.adoc

@@ -32,7 +32,9 @@ Your VPC must meet the following characteristics:
 * The VPC must not use the `kubernetes.io/cluster/.*: owned` tag.
 * You must enable the `enableDnsSupport` and `enableDnsHostnames` attributes in your VPC so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support[DNS Support in Your VPC] in the AWS documentation.
 
-If you use a cluster with public access, you must create a public and a private subnet for each availability zone that your cluster uses. The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify.
+If you use a cluster with public access, you must create a public and a private subnet for each availability zone that your cluster uses.
+
+The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify.
 
 If you are working in a disconnected environment, you are unable to reach the
 public IP addresses for EC2 and ELB endpoints. To resolve this, you must create