osdocs-627 disconnected install #16696
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
[id="installing-restricted-networks-aws"] | ||
= Installing a cluster on AWS that uses mirrored installation content | ||
include::modules/common-attributes.adoc[] | ||
:context: installing-restricted-networks-aws | ||
|
||
toc::[] | ||
|
||
In {product-title} version {product-version}, you can install a | ||
cluster on Amazon Web Services (AWS) using infrastructure that you provide and | ||
an internal mirror of the installation release content. | ||
|
||
[IMPORTANT] | ||
==== | ||
While you can install a {product-title} cluster by using mirrored installation | ||
release content, your cluster still requires internet access to use the AWS APIs. | ||
==== | ||
|
||
One way to create this infrastructure is to use the provided | ||
CloudFormation templates. You can modify the templates to customize your | ||
infrastructure or use the information that they contain to create AWS objects | ||
according to your company's policies. | ||
|
||
.Prerequisites | ||
|
||
//* xref:../../installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc[Create a mirror registry on your bastion host] | ||
// and obtain the `imageContentSources` data for your version of {product-title}. | ||
//// | ||
[IMPORTANT] | ||
==== | ||
Because the installation media is on the bastion host, use that computer | ||
to complete all installation steps. | ||
//// | ||
* Review details about the | ||
xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] | ||
processes. | ||
* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account] | ||
to host the cluster. | ||
+ | ||
[IMPORTANT] | ||
==== | ||
If you have an AWS profile stored on your computer, it must not use a temporary | ||
session token that you generated while using a multi-factor authentication | ||
device. The cluster continues to use your current AWS credentials to | ||
create AWS resources for the entire life of the cluster, so you must | ||
use key-based, long-lived credentials. To generate appropriate keys, see | ||
link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] | ||
in the AWS documentation. You can supply the keys when you run the installation | ||
program. | ||
==== | ||
* Download the AWS CLI and install it on your computer. See | ||
link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix)] | ||
in the AWS documentation. | ||
* If you use a firewall and plan to use telemetry, you must | ||
xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. | ||
|
||
include::modules/installation-about-restricted-network.adoc[leveloffset=+1] | ||
|
||
include::modules/cluster-entitlements.adoc[leveloffset=+1] | ||
Going through this section, it seems not suitable for a disconnected install, especially the following lines, though I am not an expert on the Telemetry part. You must have internet access to:
"""

I opened a PR here to try to address this: #16985
|
||
|
||
include::modules/installation-aws-user-infra-requirements.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-aws-permissions.adoc[leveloffset=+2] | ||
|
||
//You extract the installation program from the mirrored content. | ||
|
||
include::modules/ssh-agent-using.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-generate-aws-user-infra.adoc[leveloffset=+1] | ||
In a disconnected env, the user probably needs to bring his/her own DNS, but not provisioned by the ingress router, just like what is mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1743483#c20, so we need openshift/installer#2221, and mention that in the disconnected install doc. Once that,

@jianlinliu, does the whole file need to be removed? Just part of it's removed in that installer PR. I have a draft here: https://github.com/openshift/openshift-docs/pull/17190/files

Sorry, not to remove the whole file, but to change some lines in manifests/cluster-dns-02-config.yml; I will follow up in your new PR.
|
||
|
||
// After the proxy change merges, I need to put it in and emphasize that you | ||
// must configure a proxy for the AWS mirrored content story. | ||
|
||
include::modules/installation-extracting-infraid.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-creating-aws-vpc.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-cloudformation-vpc.adoc[leveloffset=+2] | ||
If we follow the same CF template and process to install the cluster, personally I do not think it is meaningful to link a common UPI install here (except the part about consuming the release image from the mirror registry). From a customer perspective, I will be more interested in what changes should be applied once the installation is happening in restricted networks. A long document can easily make the user miss his/her focus.

The idea of the assembly is to provide all of the context that a user would need to complete the installation. They shouldn't have to use the other assembly at all. Can you tell me more about the other improvements at the end of the process?
|
||
|
||
include::modules/installation-creating-aws-dns.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-cloudformation-dns.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-creating-aws-security.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-cloudformation-security.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-aws-user-infra-rhcos-ami.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-creating-aws-bootstrap.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-cloudformation-bootstrap.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-creating-aws-control-plane.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-cloudformation-control-plane.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-aws-user-infra-bootstrap.adoc[leveloffset=+1] | ||
|
||
//// | ||
[id="installing-workers-aws-user-infra"] | ||
== Creating worker nodes | ||
|
||
You can either manually create worker nodes or use a MachineSet to create worker | ||
nodes after the cluster deploys. If you use a MachineSet to create and maintain | ||
the workers, you can allow the cluster to manage them. This allows you to easily | ||
scale, manage, and upgrade your workers. | ||
//// | ||
|
||
|
||
include::modules/installation-creating-aws-worker.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-cloudformation-worker.adoc[leveloffset=+3] | ||
|
||
//You install the CLI on the bastion host. | ||
|
||
include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-approve-csrs.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-operators-config.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-registry-storage-config.adoc[leveloffset=+2] | ||
|
||
include::modules/registry-configuring-storage-aws-user-infra.adoc[leveloffset=+3] | ||
|
||
include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] | ||
|
||
include::modules/installation-aws-user-infra-installation.adoc[leveloffset=+1] | ||
|
||
.Next steps | ||
|
||
* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. | ||
* If necessary, you can | ||
xref:../../telemetry/opting-out-of-telemetry.adoc#opting-out-of-telemetry[opt out of telemetry]. |
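Review bot: The worker includes near the end, `installation-creating-aws-worker.adoc[leveloffset=+2]` and `installation-cloudformation-worker.adoc[leveloffset=+3]`, have lost their parent section, because the `== Creating worker nodes` heading they were offset against sits inside the `////` block just above them. As written they follow `installation-aws-user-infra-bootstrap.adoc[leveloffset=+1]` and would nest under that section; either restore the heading or lower the offsets to +1 and +2. Separately, the two-line `// After the proxy change merges` comment says a proxy must be configured for the mirrored-content flow, but nothing in the rendered text states that requirement; track it in an issue or add a placeholder prerequisite so it is not lost.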
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,95 @@ | ||
[id="installing-restricted-networks-bare-metal"] | ||
= Installing a cluster on bare metal in a restricted network | ||
include::modules/common-attributes.adoc[] | ||
:context: installing-restricted-networks-bare-metal | ||
|
||
toc::[] | ||
|
||
In {product-title} version {product-version}, you can install a cluster on | ||
bare metal infrastructure that you provision in a restricted network. | ||
|
||
[IMPORTANT] | ||
==== | ||
While you might be able to follow this procedure to deploy a cluster on | ||
virtualized or cloud environments, you must be aware of additional | ||
considerations for non-bare metal platforms. Review the information in the | ||
link:https://access.redhat.com/articles/4207611[guidelines for deploying {product-title} on non-tested platforms] | ||
before you attempt to install an {product-title} cluster in such an environment. | ||
==== | ||
|
||
.Prerequisites | ||
|
||
//* xref:../../installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc[Create a mirror registry on your bastion host] | ||
// and obtain the `imageContentSources` data for your version of {product-title}. | ||
//// | ||
[IMPORTANT] | ||
==== | ||
Because the installation media is on the bastion host, use that computer | ||
to complete all installation steps. | ||
//// | ||
* Provision | ||
xref:../../storage/understanding-persistent-storage.adoc#understanding-persistent-storage[persistent storage] | ||
for your cluster. To deploy a private image registry, your storage must provide | ||
ReadWriteMany access modes. | ||
* Review details about the | ||
xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] | ||
processes. | ||
* If you use a firewall and plan to use telemetry, you must | ||
xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to access Red Hat Insights]. | ||
|
||
include::modules/installation-about-restricted-network.adoc[leveloffset=+1] | ||
|
||
include::modules/cluster-entitlements.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-requirements-user-infra.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-infrastructure-user-infra.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-network-user-infra.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-dns-user-infra.adoc[leveloffset=+2] | ||
|
||
include::modules/ssh-agent-using.adoc[leveloffset=+1] | ||
|
||
//You extract the installation program from the mirrored content. | ||
|
||
//You install the CLI on the bastion host. | ||
|
||
include::modules/installation-initializing-manual.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-bare-metal-config-yaml.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-generate-ignition-configs.adoc[leveloffset=+1] | ||
|
||
[id="creating-machines-bare-metal-restricted-network"] | ||
== Creating {op-system-first} machines | ||
|
||
Before you install a cluster on bare metal infrastructure that you provision, | ||
you must create {op-system} machines for it to use. Follow either the steps | ||
to use an ISO image or network PXE booting to create the machines. | ||
|
||
include::modules/installation-user-infra-machines-iso.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-user-infra-machines-pxe.adoc[leveloffset=+2] | ||
|
||
include::modules/installation-installing-bare-metal.adoc[leveloffset=+1] | ||
|
||
include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-approve-csrs.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-operators-config.adoc[leveloffset=+1] | ||
|
||
include::modules/installation-registry-storage-config.adoc[leveloffset=+2] | ||
|
||
include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+3] | ||
|
||
include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] | ||
|
||
include::modules/installation-complete-user-infra.adoc[leveloffset=+1] | ||
|
||
.Next steps | ||
|
||
* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster]. | ||
* If necessary, you can | ||
xref:../../telemetry/opting-out-of-telemetry.adoc#opting-out-of-telemetry[opt out of telemetry]. |
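Review bot: The only prerequisite that mentions the mirror registry and `imageContentSources` is commented out (the `//* xref:` line pointing at `installing-restricted-networks-preparations.adoc` and the `//` line after it), so the rendered prerequisites for a restricted-network install never tell the reader to create the mirror first; reinstate it once the target assembly exists, or add a plain-text prerequisite in the meantime. The `////` block directly below opens `[IMPORTANT]` with `====` and never closes that delimiter, which will swallow the following bullets if the comment fence is removed later; add the closing `====` inside the block. Both points also apply to the prerequisites in the AWS assembly.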

@morenod Could you help review this part - upi install on baremetal in a restricted network (originally we call it 'disconnected')?

On "Sample install-config.yaml file for bare metal". Point 14: is imageContentSources a requirement?
What happens if the quay.io connection is also not allowed from the host where the installer is being executed and the images have already been uploaded to the internal registry?

You still need to provide imageContentSources with the mirror mapping of quay.io and the internal registry to the install-config.yaml. This way you don't have to go in and manually change the names of the images to be `internal-registry/internal-repo`, it can still be `quay.io/myrepo` and with the mirror mapping, the installer will know to try the mirrored location (i.e. the internal registry) first.
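
The mirror mapping described in the last comment, modelled as an added example that is not part of the PR or the installer's code: it rewrites an image reference through `imageContentSources`-style entries, mirror first, and lists references that no mirror covers. The registry host name and image references are constructed sample values, and the "mirrors first, then the source" ordering is an assumption taken from the comment's wording.

```python
# Illustrative model of imageContentSources mirror resolution (not installer code).
# The registry host name and image references below are constructed sample values.

IMAGE_CONTENT_SOURCES = [
    {"source": "quay.io/myrepo",
     "mirrors": ["internal-registry.example.com:5000/internal-repo"]},
]


def split_ref(ref):
    """Split 'repo@sha256:...' or 'repo:tag' into (repository, suffix)."""
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        return repo, "@" + digest
    # A ':' after the last '/' is a tag; an earlier one belongs to host:port.
    slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon:]
    return ref, ""


def pull_candidates(ref, sources):
    """Return pull locations in order: matching mirrors first, then the source."""
    repo, suffix = split_ref(ref)
    candidates = []
    for entry in sources:
        src = entry["source"]
        # Match the repository itself or a path below it, never a bare string
        # prefix (quay.io/myrepo must not match quay.io/myrepo-other).
        if repo == src or repo.startswith(src + "/"):
            rest = repo[len(src):]
            candidates += [m + rest + suffix for m in entry["mirrors"]]
    candidates.append(ref)  # the original name is kept as the last location
    return candidates


def uncovered(refs, sources):
    """References with no mirror: in a restricted network these cannot be pulled."""
    return [r for r in refs if len(pull_candidates(r, sources)) == 1]


if __name__ == "__main__":
    for image in ("quay.io/myrepo/release@sha256:abc", "quay.io/myrepo-other/tool:1"):
        print(image, "->", pull_candidates(image, IMAGE_CONTENT_SOURCES))
```

Running `uncovered` over the image list for a release before the install shows which references would still need the external registry.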