[enterprise-4.6] OSDOCS-1770 Installing a cluster on GCP in a restricted network

_topic_map.yml

@@ -187,6 +187,8 @@ Topics:
     File: installing-gcp-customizations
   - Name: Installing a cluster on GCP with network customizations
     File: installing-gcp-network-customizations
+  - Name: Installing a cluster on GCP in a restricted network
+    File: installing-restricted-networks-gcp-installer-provisioned
   - Name: Installing a cluster on GCP into an existing VPC
     File: installing-gcp-vpc
   - Name: Installing a private cluster on GCP
@@ -195,7 +197,7 @@ Topics:
     File: installing-gcp-user-infra
   - Name: Installing a cluster on GCP using Deployment Manager templates and a shared VPC
     File: installing-gcp-user-infra-vpc
-  - Name: Restricted network GCP installation
+  - Name: Installing a cluster on GCP in a restricted network with user-provisioned infrastructure
     File: installing-restricted-networks-gcp
   - Name: Uninstalling a cluster on GCP
     File: uninstalling-cluster-gcp

installing/install_config/installation-types.adoc

@@ -60,7 +60,7 @@ endif::openshift-origin[]
 |Restricted network
 |xref:../../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[X]
 |
-|
+|xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[X]
 |xref:../../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[X]
 |
 |

installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc

@@ -0,0 +1,62 @@
+[id="installing-restricted-networks-gcp-installer-provisioned"]
+= Installing a cluster on GCP in a restricted network
+include::modules/common-attributes.adoc[]
+:context: installing-restricted-networks-gcp-installer-provisioned
+
+toc::[]
+
+In {product-title} {product-version}, you can install a cluster on Google Cloud Platform (GCP) in a restricted network by creating an internal mirror of the installation release content on an existing Google Virtual Private Cloud (VPC).
+
+[IMPORTANT]
+====
+You can install an {product-title} cluster by using mirrored installation release content, but your cluster will require internet access to use the GCP APIs.
+====
+
+[id="prerequisites_installing-restricted-networks-gcp-installer-provisioned"]
+== Prerequisites
+
+* You xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[created a mirror registry on your bastion host] and obtained the `imageContentSources` data for your version of {product-title}.
++
+[IMPORTANT]
+====
+Because the installation media is on the bastion host, use that computer to complete all installation steps.
+====
+* You have an existing VPC in GCP. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
+** Contains the mirror registry
+** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* If you use a firewall, you must xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to. While you might need to grant access to more sites, you must grant access to `*.googleapis.com` and `accounts.google.com`.
+* If you do not allow the system to manage identity and access management (IAM), then a cluster administrator can xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-creating-iam-gcp[manually create and maintain IAM credentials]. Manual mode can also be used in environments where the cloud IAM APIs are not reachable.
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+.Additional resources
+
+* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
+
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[id="next-steps_installing-restricted-networks-gcp-installer-provisioned"]
+== Next steps
+
+* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation].
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* Learn how to xref:../../operators/admin/olm-restricted-networks.adoc#olm-understanding-operator-catalog-images_olm-restricted-networks[use Operator Lifecycle Manager (OLM) on restricted networks].
+* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
+* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

installing/installing_gcp/installing-restricted-networks-gcp.adoc

@@ -1,5 +1,5 @@
 [id="installing-restricted-networks-gcp"]
-= Installing a cluster on GCP in a restricted network
+= Installing a cluster on GCP in a restricted network with user-provisioned infrastructure
 include::modules/common-attributes.adoc[]
 :context: installing-restricted-networks-gcp
 

modules/cli-installing-cli.adoc

@@ -21,6 +21,7 @@
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/install_config/installing-restricted-networks-preparations.adoc
 // * installing/installing_vmc/installing-vmc-user-infra.adoc
 // * installing/installing_vmc/installing-vmc.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -22,6 +22,7 @@
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp_user_infra/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc

modules/cluster-entitlements.adoc

@@ -20,6 +20,7 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
@@ -44,6 +45,9 @@
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:restricted:
+endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vsphere"]
 :restricted:
 endif::[]
@@ -98,6 +102,9 @@ endif::openshift-origin[]
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
 :!restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!restricted:
+endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vsphere"]
 :!restricted:
 endif::[]

modules/installation-about-restricted-network.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-restricted-networks-aws.adoc
 // * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc
 // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
@@ -17,6 +18,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
 :ibm-power:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:ipi:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-restricted"]
 :ipi:
 endif::[]
@@ -77,6 +81,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
 :!ibm-power:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!ipi:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-restricted"]
 :!ipi:
 endif::[]

modules/installation-configuration-parameters.adoc

@@ -15,6 +15,7 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-network-customizations.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-user.adoc
@@ -72,6 +73,9 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-vpc"]
 :gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:gcp:
+endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :aws:
 endif::[]
@@ -874,6 +878,9 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-vpc"]
 :!gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!gcp:
+endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :!aws:
 endif::[]

modules/installation-configure-proxy.adoc

@@ -8,6 +8,7 @@
 // * installing/installing_azure/installing-azure-user-infra.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_aws/installing-restricted-networks-aws.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc

modules/installation-gcp-config-yaml.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_gcp/installing-gcp-customizations.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-private.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-gcp-network-customizations"]
 :with-networking:
@@ -17,6 +18,9 @@ ifeval::["{context}" == "installing-gcp-private"]
 :private:
 :vpc:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:restricted:
+endif::[]
 
 [id="installation-gcp-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for GCP
@@ -32,8 +36,8 @@ This sample YAML file is provided for reference only. You must obtain your `inst
 ----
 apiVersion: v1
 baseDomain: example.com <1>
-controlPlane: <2>
-  hyperthreading: Enabled <3> <4>
+controlPlane: <2> <3>
+  hyperthreading: Enabled <4>
   name: master
   platform:
     gcp:
@@ -42,8 +46,8 @@ controlPlane: <2>
       - us-central1-a
       - us-central1-c
   replicas: 3
-compute: <2>
-- hyperthreading: Enabled <3>
+compute: <2> <3>
+- hyperthreading: Enabled <4>
   name: worker
   platform:
     gcp:
@@ -77,21 +81,26 @@ platform:
   gcp:
     projectID: openshift-production <1>
     region: us-central1 <1>
-ifdef::vpc[]
+ifdef::vpc,restricted[]
     network: existing_vpc <5>
     controlPlaneSubnet: control_plane_subnet <6>
     computeSubnet: compute_subnet <7>
-endif::vpc[]
+endif::vpc,restricted[]
+ifndef::restricted[]
 pullSecret: '{"auths": ...}' <1>
-ifndef::vpc[]
+endif::restricted[]
+ifdef::restricted[]
+pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <8>
+endif::restricted[]
+ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <5>
 sshKey: ssh-ed25519 AAAA... <6>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <5>
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 ifdef::vpc[]
 ifndef::openshift-origin[]
 fips: false <8>
@@ -101,6 +110,15 @@ ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <8>
 endif::openshift-origin[]
 endif::vpc[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+fips: false <9>
+sshKey: ssh-ed25519 AAAA... <10>
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+sshKey: ssh-ed25519 AAAA... <9>
+endif::openshift-origin[]
+endif::restricted[]
 ifdef::private[]
 ifndef::openshift-origin[]
 publish: Internal <10>
@@ -109,6 +127,34 @@ ifdef::openshift-origin[]
 publish: Internal <9>
 endif::openshift-origin[]
 endif::private[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+additionalTrustBundle: | <11>
+    -----BEGIN CERTIFICATE-----
+    <MY_TRUSTED_CA_CERT>
+    -----END CERTIFICATE-----
+imageContentSources: <12>
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: registry.svc.ci.openshift.org/ocp/release
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+additionalTrustBundle: | <10>
+  -----BEGIN CERTIFICATE-----
+  <MY_TRUSTED_CA_CERT>
+  -----END CERTIFICATE-----
+imageContentSources: <11>
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+  - <local_registry>/<local_repository_name>/release
+  source: registry.svc.ci.openshift.org/ocp/release
+endif::openshift-origin[]
+endif::restricted[]
 ----
 <1> Required. The installation program prompts you for this value.
 <2> If you do not provide these parameters and values, the installation program provides the default value.
@@ -119,10 +165,15 @@ endif::private[]
 ====
 If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. Use larger machine types, such as `n1-standard-8`, for your machines if you disable simultaneous multithreading.
 ====
+ifdef::vpc,restricted[]
+<5> Specify the name of an existing VPC.
+<6> Specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.
+<7> Specify the name of the existing subnet to deploy the compute machines to. The subnet must belong to the VPC that you specified.
+endif::vpc,restricted[]
+ifdef::restricted[]
+<8> For `<local_registry>`, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, `registry.example.com` or `registry.example.com:5000`. For `<credentials>`, specify the base64-encoded user name and password for your mirror registry.
+endif::restricted[]
 ifdef::vpc[]
-<5> If you use an existing VPC, specify its name.
-<6> If you use an existing VPC, specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.
-<7> If you use an existing VPC, specify the name of the existing subnet to deploy the compute machines to. The subnet must belong to the VPC that you specified.
 ifndef::openshift-origin[]
 <8> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 <9> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
@@ -131,15 +182,24 @@ ifdef::openshift-origin[]
 <8> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 endif::vpc[]
-ifndef::vpc[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+<9> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
+<10> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+<9> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
+endif::openshift-origin[]
+endif::restricted[]
+ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 <5> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 <6> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 <5> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 +
 [NOTE]
 ====
@@ -153,6 +213,16 @@ ifdef::openshift-origin[]
 <9> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the Internet. The default value is `External`.
 endif::openshift-origin[]
 endif::private[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+<11> Provide the contents of the certificate file that you used for your mirror registry.
+<12> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+<10> Provide the contents of the certificate file that you used for your mirror registry.
+<11> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+endif::openshift-origin[]
+endif::restricted[]
 
 ifeval::["{context}" == "installing-gcp-network-customizations"]
 :!with-networking:
@@ -167,3 +237,6 @@ ifeval::["{context}" == "installing-gcp-private"]
 :!private:
 :!vpc:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!restricted:
+endif::[]