From acfd76332bf8400a2b2fc06a0d20793c48d485d9 Mon Sep 17 00:00:00 2001
From: Cody Hoag
Date: Tue, 11 May 2021 09:13:26 -0400
Subject: [PATCH] Installing a cluster on GCP in a restricted network

---
 _topic_map.yml | 2 +
 installing/installing-preparing.adoc | 4 +-
 ...ed-networks-gcp-installer-provisioned.adoc | 62 ++++++++++++
 modules/cli-installing-cli.adoc | 1 +
 modules/cli-logging-in-kubeadmin.adoc | 1 +
 modules/cluster-entitlements.adoc | 7 ++
 ...installation-about-restricted-network.adoc | 7 ++
 ...installation-configuration-parameters.adoc | 7 ++
 modules/installation-configure-proxy.adoc | 1 +
 modules/installation-gcp-config-yaml.adoc | 99 ++++++++++++++++---
 modules/installation-initializing.adoc | 27 ++++-
 modules/installation-launching-installer.adoc | 9 ++
 modules/ssh-agent-using.adoc | 4 +
 13 files changed, 214 insertions(+), 17 deletions(-)
 create mode 100644 installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc

diff --git a/_topic_map.yml b/_topic_map.yml
index 0d0f1cb69235..e351f6619653 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -191,6 +191,8 @@ Topics:
 File: installing-gcp-customizations
 - Name: Installing a cluster on GCP with network customizations
 File: installing-gcp-network-customizations
+ - Name: Installing a cluster on GCP in a restricted network
+ File: installing-restricted-networks-gcp-installer-provisioned
 - Name: Installing a cluster on GCP into an existing VPC
 File: installing-gcp-vpc
 - Name: Installing a private cluster on GCP
diff --git a/installing/installing-preparing.adoc b/installing/installing-preparing.adoc
index 217c7666498c..d77bc4275c68 100644
--- a/installing/installing-preparing.adoc
+++ b/installing/installing-preparing.adoc
@@ -62,7 +62,7 @@ If you use a user-provisioned installation method, you can configure a proxy for If you want to prevent your cluster on a public cloud from exposing endpoints externally, you can deploy a private cluster with installer-provisioned infrastructure on xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[AWS], xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Azure], or xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[GCP]. -If you need to install your cluster that has limited access to the Internet, such as a disconnected or restricted network cluster, you can xref:../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. 
You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere]. +If you need to install your cluster that has limited access to the Internet, such as a disconnected or restricted network cluster, you can xref:../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. 
You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere]. If you need to deploy your cluster to an xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[AWS GovCloud region] or xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Azure government region], you can configure those custom regions during an installer-provisioned infrastructure installation. @@ -145,7 +145,7 @@ endif::openshift-origin[] |Restricted network |xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[X] | -| +|xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[X] |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[X] |xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[X] | 
diff --git a/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc b/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
new file mode 100644
index 000000000000..8c2a649bea79
--- /dev/null
+++ b/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
@@ -0,0 +1,62 @@
+[id="installing-restricted-networks-gcp-installer-provisioned"]
+= Installing a cluster on GCP in a restricted network
+include::modules/common-attributes.adoc[]
+:context: installing-restricted-networks-gcp-installer-provisioned
+
+toc::[]
+
+In {product-title} {product-version}, you can install a cluster on Google Cloud Platform (GCP) in a restricted network by creating an internal mirror of the installation release content on an existing Google Virtual Private Cloud (VPC).
+
+[IMPORTANT]
+====
+You can install an {product-title} cluster by using mirrored installation release content, but your cluster will require internet access to use the GCP APIs.
+====
+
+[id="prerequisites_installing-restricted-networks-gcp-installer-provisioned"]
+== Prerequisites
+
+* You xref:../../installing/install_config/installing-restricted-networks-preparations.adoc#installing-restricted-networks-preparations[created a mirror registry on your bastion host] and obtained the `imageContentSources` data for your version of {product-title}.
++
+[IMPORTANT]
+====
+Because the installation media is on the bastion host, use that computer to complete all installation steps.
+====
+* You have an existing VPC in GCP. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
+** Contains the mirror registry
+** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* If you use a firewall, you must xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to. While you might need to grant access to more sites, you must grant access to `*.googleapis.com` and `accounts.google.com`.
+* If you do not allow the system to manage identity and access management (IAM), then a cluster administrator can xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-creating-iam-gcp[manually create and maintain IAM credentials]. Manual mode can also be used in environments where the cloud IAM APIs are not reachable.
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+.Additional resources
+
+* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
+
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[id="next-steps_installing-restricted-networks-gcp-installer-provisioned"]
+== Next steps
+
+* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validate an installation].
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* Learn how to xref:../../operators/admin/olm-restricted-networks.adoc#olm-understanding-operator-catalog-images_olm-restricted-networks[use Operator Lifecycle Manager (OLM) on restricted networks].
+* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
+* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc
index 61cdffe60d34..ffdab1d7ee96 100644
--- a/modules/cli-installing-cli.adoc
+++ b/modules/cli-installing-cli.adoc
@@ -21,6 +21,7 @@
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/install_config/installing-restricted-networks-preparations.adoc
 // * installing/installing_vmc/installing-vmc-user-infra.adoc
 // * installing/installing_vmc/installing-vmc.adoc
diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc
index d4de84b64d9b..f2d485a2af21 100644
--- a/modules/cli-logging-in-kubeadmin.adoc
+++ b/modules/cli-logging-in-kubeadmin.adoc
@@ -22,6 +22,7 @@
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp_user_infra/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
diff --git a/modules/cluster-entitlements.adoc b/modules/cluster-entitlements.adoc
index 34afc222cb7a..835b88111420 100644
--- a/modules/cluster-entitlements.adoc
+++ b/modules/cluster-entitlements.adoc
@@ -20,6 +20,7 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
@@ -45,6 +46,9 @@
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:restricted:
+endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vsphere"]
 :restricted:
 endif::[]
@@ -99,6 +103,9 @@ endif::openshift-origin[]
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
 :!restricted:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!restricted:
+endif::[]
 ifeval::["{context}" == "installing-restricted-networks-vsphere"]
 :!restricted:
 endif::[]
diff --git a/modules/installation-about-restricted-network.adoc b/modules/installation-about-restricted-network.adoc
index 64e4709d293f..02bf1be58643 100644
--- a/modules/installation-about-restricted-network.adoc
+++ b/modules/installation-about-restricted-network.adoc
@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-restricted-networks-aws.adoc
 // * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc.adoc
 // * installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc
 // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
@@ -18,6 +19,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
 :ibm-power:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:ipi:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-restricted"]
 :ipi:
 endif::[]
@@ -81,6 +85,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
 :!ibm-power:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!ipi:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-restricted"]
 :!ipi:
 endif::[]
diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc
index f6c3f8dca3aa..3965f6d43fc8 100644
--- a/modules/installation-configuration-parameters.adoc
+++ b/modules/installation-configuration-parameters.adoc
@@ -15,6 +15,7 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-network-customizations.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-user.adoc
@@ -72,6 +73,9 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-vpc"]
 :gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:gcp:
+endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :aws:
 endif::[]
@@ -944,6 +948,9 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-vpc"]
 :!gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!gcp:
+endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :!aws:
 endif::[]
diff --git a/modules/installation-configure-proxy.adoc b/modules/installation-configure-proxy.adoc
index d693da378c15..e1bc04b87aff 100644
--- a/modules/installation-configure-proxy.adoc
+++ b/modules/installation-configure-proxy.adoc
@@ -8,6 +8,7 @@
 // * installing/installing_azure/installing-azure-user-infra.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_aws/installing-restricted-networks-aws.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
diff --git a/modules/installation-gcp-config-yaml.adoc b/modules/installation-gcp-config-yaml.adoc
index 84bf09ec96c0..134fb16f701c 100644
--- a/modules/installation-gcp-config-yaml.adoc
+++ b/modules/installation-gcp-config-yaml.adoc
@@ -4,6 +4,7 @@
 // * installing/installing_gcp/installing-gcp-network-customizations.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-private.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-gcp-network-customizations"]
 :with-networking:
@@ -18,6 +19,9 @@ ifeval::["{context}" == "installing-gcp-private"]
 :private:
 :vpc:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:restricted:
+endif::[]
 
 [id="installation-gcp-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for GCP
@@ -33,8 +37,8 @@ This sample YAML file is provided for reference only. You must obtain your `inst
 ----
 apiVersion: v1
 baseDomain: example.com <1>
-controlPlane: <2>
- hyperthreading: Enabled <3> <4>
+controlPlane: <2> <3>
+ hyperthreading: Enabled <4>
 name: master
 platform:
 gcp:
@@ -52,8 +56,8 @@ controlPlane: <2>
 location: global
 projectID: project-id
 replicas: 3
-compute: <2>
-- hyperthreading: Enabled <3>
+compute: <2> <3>
+- hyperthreading: Enabled <4>
 name: worker
 platform:
 gcp:
@@ -96,13 +100,18 @@ platform:
 gcp:
 projectID: openshift-production <1>
 region: us-central1 <1>
-ifdef::vpc[]
+ifdef::vpc,restricted[]
 network: existing_vpc <6>
 controlPlaneSubnet: control_plane_subnet <7>
 computeSubnet: compute_subnet <8>
-endif::vpc[]
+endif::vpc,restricted[]
+ifndef::restricted[]
 pullSecret: '{"auths": ...}' <1>
-ifndef::vpc[]
+endif::restricted[]
+ifdef::restricted[]
+pullSecret: '{"auths":{"": {"auth": "","email": "you@example.com"}}}' <9>
+endif::restricted[]
+ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <6>
 sshKey: ssh-ed25519 AAAA... <7>
@@ -110,7 +119,7 @@ endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <6>
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 ifdef::vpc[]
 ifndef::openshift-origin[]
 fips: false <9>
@@ -120,6 +129,15 @@ ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <9>
 endif::openshift-origin[]
 endif::vpc[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+fips: false <10>
+sshKey: ssh-ed25519 AAAA... <11>
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+sshKey: ssh-ed25519 AAAA... <10>
+endif::openshift-origin[]
+endif::restricted[]
 ifdef::private[]
 ifndef::openshift-origin[]
 publish: Internal <11>
@@ -128,6 +146,34 @@ ifdef::openshift-origin[]
 publish: Internal <10>
 endif::openshift-origin[]
 endif::private[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+additionalTrustBundle: | <12>
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
+imageContentSources: <13>
+- mirrors:
+ - //release
+ source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+ - //release
+ source: registry.svc.ci.openshift.org/ocp/release
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+additionalTrustBundle: | <11>
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
+imageContentSources: <12>
+- mirrors:
+ - //release
+ source: quay.io/openshift-release-dev/ocp-release
+- mirrors:
+ - //release
+ source: registry.svc.ci.openshift.org/ocp/release
+endif::openshift-origin[]
+endif::restricted[]
 ----
 <1> Required. The installation program prompts you for this value.
 <2> If you do not provide these parameters and values, the installation program provides the default value.
@@ -139,10 +185,15 @@ endif::private[]
 If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. Use larger machine types, such as `n1-standard-8`, for your machines if you disable simultaneous multithreading.
 ====
 <5> Optional: The custom encryption key section to encrypt both virtual machines and persistent volumes. Your default compute service account must have the permissions granted to use your KMS key and have the correct IAM role assigned. The default service account name follows the `service-@compute-system.iam.gserviceaccount.com` pattern. For more information on granting the correct permissions for your service account, see "Machine management" -> "Creating machine sets" -> "Creating a machine set on GCP".
+ifdef::vpc,restricted[]
+<6> Specify the name of an existing VPC.
+<7> Specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.
+<8> Specify the name of the existing subnet to deploy the compute machines to. The subnet must belong to the VPC that you specified.
+endif::vpc,restricted[]
+ifdef::restricted[]
+<9> For ``, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, `registry.example.com` or `registry.example.com:5000`. For ``, specify the base64-encoded user name and password for your mirror registry.
+endif::restricted[]
 ifdef::vpc[]
-<6> If you use an existing VPC, specify its name.
-<7> If you use an existing VPC, specify the name of the existing subnet to deploy the control plane machines to. The subnet must belong to the VPC that you specified.
-<8> If you use an existing VPC, specify the name of the existing subnet to deploy the compute machines to. The subnet must belong to the VPC that you specified.
 ifndef::openshift-origin[]
 <9> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 <10> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
@@ -151,7 +202,16 @@ ifdef::openshift-origin[]
 <9> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
 endif::vpc[]
-ifndef::vpc[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+<10> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
+<11> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+<10> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
+endif::openshift-origin[]
+endif::restricted[]
+ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 <6> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 <7> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
@@ -159,7 +219,7 @@ endif::openshift-origin[]
 ifdef::openshift-origin[]
 <6> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
 endif::openshift-origin[]
-endif::vpc[]
+endif::vpc,restricted[]
 +
 [NOTE]
 ====
@@ -168,6 +228,16 @@ For production {product-title} clusters on which you want to perform installatio
 ifdef::private[]
 <11> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the Internet. The default value is `External`.
 endif::private[]
+ifdef::restricted[]
+ifndef::openshift-origin[]
+<12> Provide the contents of the certificate file that you used for your mirror registry.
+<13> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+endif::openshift-origin[]
+ifdef::openshift-origin[]
+<11> Provide the contents of the certificate file that you used for your mirror registry.
+<12> Provide the `imageContentSources` section from the output of the command to mirror the repository.
+endif::openshift-origin[]
+endif::restricted[]
 
 ifeval::["{context}" == "installing-gcp-network-customizations"]
 :!with-networking:
@@ -182,3 +252,6 @@ ifeval::["{context}" == "installing-gcp-private"]
 :!private:
 :!vpc:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!restricted:
+endif::[]
diff --git a/modules/installation-initializing.adoc b/modules/installation-initializing.adoc
index ba84f79f9b52..6a4cd44df430 100644
--- a/modules/installation-initializing.adoc
+++ b/modules/installation-initializing.adoc
@@ -13,6 +13,7 @@
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer-restricted.adoc
@@ -73,6 +74,10 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-gcp"]
 :gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:gcp:
+:restricted:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-custom"]
 :osp:
 endif::[]
@@ -156,9 +161,9 @@ ifdef::restricted[]
 For a restricted network installation, these files are on your bastion host.
 * Have the `imageContentSources` values that were generated during mirror registry creation.
 * Obtain the contents of the certificate for your mirror registry.
-ifndef::aws[]
+ifndef::aws,gcp[]
 * Retrieve a {op-system-first} image and upload it to an accessible location.
-endif::aws[]
+endif::aws,gcp[]
 endif::restricted[]
 
 .Procedure
@@ -406,6 +411,7 @@ additionalTrustBundle: |
 ----
 +
 The value must be the contents of the certificate file that you used for your mirror registry, which can be an existing, trusted certificate authority or the self-signed certificate that you generated for the mirror registry.
+
 ifdef::aws+restricted[]
 .. Define the subnets for the VPC to install the cluster in:
 +
@@ -417,6 +423,19 @@ subnets:
 - subnet-3
 ----
 endif::aws+restricted[]
+ifdef::gcp+restricted[]
+.. Define the network and subnets for the VPC to install the cluster in under the parent `platform.gcp` field:
++
+[source,yaml]
+----
+network:
+controlPlaneSubnet:
+computeSubnet:
+----
++
+For `platform.gcp.network`, specify the name for the existing Google VPC. For `platform.gcp.controlPlaneSubnet` and `platform.gcp.computeSubnet`, specify the existing subnets to deploy the control plane machines and compute machines, respectively.
+endif::gcp+restricted[]
+
 .. Add the image content resources, which look like this excerpt:
 +
 [source,yaml]
@@ -487,6 +506,10 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
 :!gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!gcp:
+:!restricted:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-custom"]
 :!osp:
 endif::[]
diff --git a/modules/installation-launching-installer.adoc b/modules/installation-launching-installer.adoc
index ebde507a6085..283b463e2d61 100644
--- a/modules/installation-launching-installer.adoc
+++ b/modules/installation-launching-installer.adoc
@@ -16,6 +16,7 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
@@ -72,6 +73,10 @@ ifeval::["{context}" == "installing-gcp-default"]
 :no-config:
 :gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:custom-config:
+:gcp:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :custom-config:
 :azure:
@@ -474,6 +479,10 @@ ifeval::["{context}" == "installing-gcp-default"]
 :!no-config:
 :!gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:!custom-config:
+:!gcp:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :!custom-config:
 :!azure:
diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc
index 4e6f08f1397b..3fd079cea932 100644
--- a/modules/ssh-agent-using.adoc
+++ b/modules/ssh-agent-using.adoc
@@ -19,6 +19,7 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
@@ -72,6 +73,9 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-vpc"]
 :gcp:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
+:gcp:
+endif::[]
 ifeval::["{context}" == "installing-bare-metal"]
 :user-infra:
 endif::[]