diff --git a/installing/installing_aws/installing-aws-account.adoc b/installing/installing_aws/installing-aws-account.adoc index 179e8b458c18..02b7df7f36dd 100644 --- a/installing/installing_aws/installing-aws-account.adoc +++ b/installing/installing_aws/installing-aws-account.adoc @@ -1,13 +1,14 @@ :_mod-docs-content-type: ASSEMBLY [id="installing-aws-account"] -= Configuring an AWS account include::_attributes/common-attributes.adoc[] += Configuring an AWS account + :context: installing-aws-account toc::[] -Before you can install {product-title}, you must configure an -Amazon Web Services (AWS) account. +[role="_abstract"] +Before you can install {product-title}, you must configure an {aws-first} account. include::modules/installation-aws-route53.adoc[leveloffset=+1] 
@@ -35,10 +36,8 @@ include::modules/installation-aws-marketplace.adoc[leveloffset=+1] include::modules/installation-aws-regions.adoc[leveloffset=+1] -== Next steps - -* Install an {product-title} cluster: -** xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Quickly install a cluster] with default options on installer-provisioned infrastructure -** xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure] -** xref:../../installing/installing_aws/ipi/installing-aws-network-customizations.adoc#installing-aws-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure] -** xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates] \ No newline at end of file +[role="_additional-resources"] +.Additional resources +* xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Quickly install a cluster] +* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure] +* xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates] diff --git a/installing/installing_aws/installing-aws-three-node.adoc b/installing/installing_aws/installing-aws-three-node.adoc index c4237f68961c..5b44d17975bd 100644 --- a/installing/installing_aws/installing-aws-three-node.adoc +++ b/installing/installing_aws/installing-aws-three-node.adoc 
@@ -1,22 +1,25 @@ :_mod-docs-content-type: ASSEMBLY -[id="installing-aws-three-node"] -= Installing a three-node cluster on AWS include::_attributes/common-attributes.adoc[] +[id="installing-aws-three-node"] += Installing a three-node cluster on {aws-short} :context: installing-aws-three-node toc::[] -In {product-title} version {product-version}, you can install a three-node cluster on Amazon Web Services (AWS). A three-node cluster consists of three control plane machines, which also act as compute machines. This type of cluster provides a smaller, more resource efficient cluster, for cluster administrators and developers to use for testing, development, and production. +[role="_abstract"] +In {product-title} version {product-version}, you can install a three-node cluster on {aws-first}. A three-node cluster consists of three control plane machines, which also act as compute machines. + +This type of cluster provides a smaller, more resource efficient cluster, for cluster administrators and developers to use for testing, development, and production. You can install a three-node cluster using either installer-provisioned or user-provisioned infrastructure. [NOTE] ==== -Deploying a three-node cluster using an AWS Marketplace image is not supported. +Deploying a three-node cluster using an {aws-short} Marketplace image is not supported. ==== include::modules/installation-three-node-cluster-cloud-provider.adoc[leveloffset=+1] -== Next steps +== Additional resources * xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a cluster on AWS with customizations] * xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates] 
diff --git a/installing/installing_aws/ipi/ipi-aws-preparing-to-install.adoc b/installing/installing_aws/ipi/ipi-aws-preparing-to-install.adoc index 1504cbbd5f7c..ea688a632545 100644 --- a/installing/installing_aws/ipi/ipi-aws-preparing-to-install.adoc +++ b/installing/installing_aws/ipi/ipi-aws-preparing-to-install.adoc @@ -6,11 +6,16 @@ include::_attributes/common-attributes.adoc[] toc::[] -You prepare to install an {product-title} cluster on AWS by completing the following steps: +[role="_abstract"] +To install an {product-title} cluster on {aws-first}, you must verify your internet connectivity, download the installation program, install the {oc-first}, and generate an SSH key pair. + +If required, you also need to manually create long-term credentials for {aws-short} or configure an {aws-short} cluster to use short-term credentials with Amazon Web Services Security Token Service ({aws-short} STS). + +The following list outlines in detail the steps to prepare to install an {product-title} cluster on {aws-short}: * Verifying internet connectivity for your cluster. -* xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configuring an AWS account]. +* xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configuring an aws-short} account]. * Downloading the installation program. + 
@@ -26,7 +31,7 @@ If you are installing in a disconnected environment, install `oc` to the mirror ==== * Generating an SSH key pair. You can use this key pair to authenticate into the {product-title} cluster's nodes after it is deployed. -* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[manually creating long-term credentials for AWS] or xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[configuring an AWS cluster to use short-term credentials] with Amazon Web Services Security Token Service (AWS STS). +* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[manually creating long-term credentials for {aws-short}] or xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[configuring an {aws-short} cluster to use short-term credentials] with ({aws-short} STS). include::modules/cluster-entitlements.adoc[leveloffset=+1] diff --git a/installing/installing_aws/preparing-to-install-on-aws.adoc b/installing/installing_aws/preparing-to-install-on-aws.adoc index c0076f389ec8..a85270c03794 100644 --- a/installing/installing_aws/preparing-to-install-on-aws.adoc +++ b/installing/installing_aws/preparing-to-install-on-aws.adoc 
@@ -1,47 +1,36 @@ :_mod-docs-content-type: ASSEMBLY -[id="preparing-to-install-on-aws"] +[id="installing-methods-aws"] = Installation methods include::_attributes/common-attributes.adoc[] :context: preparing-to-install-on-aws toc::[] -You can install {product-title} on Amazon Web Services (AWS) using installer-provisioned or user-provisioned infrastructure. The default installation type uses installer-provisioned infrastructure, where the installation program provisions the underlying infrastructure for the cluster. You can also install {product-title} on infrastructure that you provision. If you do not use infrastructure that the installation program provisions, you must manage and maintain the cluster resources yourself. You can also install {product-title} on a single node, which is a specialized installation method that is ideal for edge computing environments. +[role="_abstract"] +You can install {product-title} on {aws-full} using installer-provisioned, user-provisioned infrastructure, or on a single node, depending on the needs of your use case. -[id="choosing-an-method-to-install-ocp-on-aws-installer-provisioned"] -== Installing a cluster on installer-provisioned infrastructure +The default installation type uses installer-provisioned infrastructure, where the installation program provisions the underlying infrastructure for the cluster. -You can install a cluster on AWS infrastructure that is provisioned by the {product-title} installation program, by using one of the following methods: +You can also install {product-title} on infrastructure that you provision. If you do not use infrastructure that the installation program provisions, you must manage and maintain the cluster resources yourself. -* **xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Installing a cluster quickly on AWS]**: You can install {product-title} on AWS infrastructure that is provisioned by the {product-title} installation program. 
You can install a cluster quickly by using the default configuration options. +You can also install {product-title} on a single node, which is a specialized installation method that is ideal for edge computing environments. -* **xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a customized cluster on AWS]**: You can install a customized cluster on AWS infrastructure that the installation program provisions. The installation program allows for some customization to be applied at the installation stage. Many other customization options are available xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-cluster-tasks[post-installation]. +include::modules/installing-aws-ipi.adoc[leveloffset=+1] -* **xref:../../installing/installing_aws/ipi/installing-aws-network-customizations.adoc#installing-aws-network-customizations[Installing a cluster on AWS with network customizations]**: You can customize your {product-title} network configuration during installation, so that your cluster can coexist with your existing IP address allocations and adhere to your network requirements. +include::modules/installing-aws-upi.adoc[leveloffset=+1] -* **xref:../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[Installing a cluster on AWS in a restricted network]**: You can install {product-title} on AWS on installer-provisioned infrastructure by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components. - -* **xref:../../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[Installing a cluster on an existing Virtual Private Cloud]**: You can install {product-title} on an existing AWS Virtual Private Cloud (VPC). 
You can use this installation method if you have constraints set by the guidelines of your company, such as limits when creating new accounts or infrastructure. - -* **xref:../../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[Installing a private cluster on an existing VPC]**: You can install a private cluster on an existing AWS VPC. You can use this method to deploy {product-title} on an internal network that is not visible to the internet. - -* **xref:../../installing/installing_aws/ipi/installing-aws-government-region.adoc#installing-aws-government-region[Installing a cluster on AWS into a government or secret region]**: {product-title} can be deployed into AWS regions that are specifically designed for US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that must run sensitive workloads in the cloud. - -[id="choosing-an-method-to-install-ocp-on-aws-user-provisioned"] -== Installing a cluster on user-provisioned infrastructure - -You can install a cluster on AWS infrastructure that you provision, by using one of the following methods: - -* **xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on AWS infrastructure that you provide]**: You can install {product-title} on AWS infrastructure that you provide. You can use the provided CloudFormation templates to create stacks of AWS resources that represent each of the components required for an {product-title} installation. - -* **xref:../../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[Installing a cluster on AWS in a restricted network with user-provisioned infrastructure]**: You can install {product-title} on AWS infrastructure that you provide by using an internal mirror of the installation release content. 
You can use this method to install a cluster that does not require an active internet connection to obtain the software components. You can also use this installation method to ensure that your clusters only use container images that satisfy your organizational controls on external content. While you can install {product-title} by using the mirrored content, your cluster still requires internet access to use the AWS APIs. - -[id="choosing-an-method-to-install-ocp-on-aws-single-node"] -== Installing a cluster on a single node - -Installing {product-title} on a single node alleviates some of the requirements for high availability and large scale clusters. However, you must address the xref:../../installing/installing_sno/install-sno-preparing-to-install-sno.adoc#install-sno-requirements-for-installing-on-a-single-node_install-sno-preparing[requirements for installing on a single node], and the xref:../../installing/installing_sno/install-sno-installing-sno.adoc#additional-requirements-for-installing-sno-on-a-cloud-provider_install-sno-installing-sno-with-the-assisted-installer[additional requirements for installing {sno} on a cloud provider]. After addressing the requirements for single node installation, use the xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a customized cluster on AWS] procedure to install the cluster. The xref:../../installing/installing_sno/install-sno-installing-sno.adoc#install-sno-installing-sno-manually[installing single-node OpenShift manually] section contains an exemplary `install-config.yaml` file when installing an {product-title} cluster on a single node. 
+include::modules/installing-aws-single-node.adoc[leveloffset=+1] [role="_additional-resources"] -[id="preparing-to-install-on-aws-additional-resources"] +[id="installing-methods-aws-ipi-additional-resources"] == Additional resources +* xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Installing a cluster quickly on AWS] +* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a customized cluster on AWS] +* xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-cluster-tasks[Post-installation] +* xref:../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[Installing a cluster on AWS in a restricted network] +* xref:../../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[Installing a cluster on an existing Virtual Private Cloud] +* xref:../../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[Installing a private cluster on an existing VPC] +* xref:../../installing/installing_aws/ipi/installing-aws-specialized-region.adoc#installing-aws-specialized-region[Installing a cluster on AWS into a government or secret region] +* xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on AWS infrastructure that you provide] +* xref:../../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[Installing a cluster on AWS in a restricted network with user-provisioned infrastructure] * xref:../../architecture/architecture-installation.adoc#installation-process_architecture-installation[Installation process] \ No newline at end of file 
diff --git a/installing/installing_aws/uninstalling-cluster-aws.adoc b/installing/installing_aws/uninstalling-cluster-aws.adoc index 904a0c030620..5f101c2e43a9 100644 --- a/installing/installing_aws/uninstalling-cluster-aws.adoc +++ b/installing/installing_aws/uninstalling-cluster-aws.adoc @@ -1,12 +1,13 @@ :_mod-docs-content-type: ASSEMBLY -[id="uninstalling-cluster-aws"] -= Uninstalling a cluster on AWS include::_attributes/common-attributes.adoc[] +[id="uninstalling-cluster-aws"] += Uninstalling a cluster on {aws-short} :context: uninstall-cluster-aws toc::[] -You can remove a cluster that you deployed to Amazon Web Services (AWS). +[role="_abstract"] +You can remove a cluster that you deployed to {aws-first}. include::modules/installation-uninstall-clouds.adoc[leveloffset=+1] @@ -16,9 +17,9 @@ include::modules/installation-aws-delete-cluster.adoc[leveloffset=+1] [role="_additional-resources"] [id="installing-localzone-additional-resources"] -.Additional resources +== Additional resources -* See link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html[Working with stacks] in the AWS documentation for more information about AWS CloudFormation stacks. +* link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html[Working with stacks] * link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#opt-in-local-zone[Opt into AWS Local Zones] * link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/locations[AWS Local Zones available locations] * link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/features[AWS Local Zones features] \ No newline at end of file diff --git a/modules/cco-ccoctl-deleting-sts-resources.adoc b/modules/cco-ccoctl-deleting-sts-resources.adoc index 4b25b5f1472b..963454fc2a18 100644 --- a/modules/cco-ccoctl-deleting-sts-resources.adoc +++ b/modules/cco-ccoctl-deleting-sts-resources.adoc 
@@ -27,6 +27,7 @@ endif::[] [id="cco-ccoctl-deleting-sts-resources_{context}"] = Deleting {cp-first} resources with the Cloud Credential Operator utility +[role="_abstract"] After uninstalling an {product-title} cluster that uses short-term credentials managed outside the cluster, you can use the CCO utility (`ccoctl`) to remove the {cp-first} resources that `ccoctl` created during installation. .Prerequisites @@ -51,11 +52,14 @@ $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}' $ oc adm release extract \ --from=$RELEASE_IMAGE \ --credentials-requests \ - --included \// <1> - --to= <2> + --included \ + --to= ---- -<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires. -<2> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. ++ +where: + +`--included`:: The parameter includes only the manifests that your specific cluster configuration requires. +`':: Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it. . Delete the {cp} resources that `ccoctl` created by running the following command: endif::gcp-workload-id[] 
@@ -66,27 +70,30 @@ endif::aws-sts,azure-workload-id[] [source,terminal,subs="attributes+"] ---- $ ccoctl {cp-name} delete \ - --name= \// <1> -ifdef::aws-sts[ --region=<{cp-name}_region> <2>] + --name= \ +ifdef::aws-sts +[ --region=<{cp-name}_region>] ifdef::gcp-workload-id[] - --project=<{cp-name}_project_id> \// <2> + --project=<{cp-name}_project_id> \ --credentials-requests-dir= \ - --force-delete-custom-roles <3> + --force-delete-custom-roles endif::gcp-workload-id[] ifdef::azure-workload-id[] - --region=<{cp-name}_region> \// <2> - --subscription-id=<{cp-name}_subscription_id> \// <3> + --region=<{cp-name}_region> \ + --subscription-id=<{cp-name}_subscription_id> \ --delete-oidc-resource-group endif::azure-workload-id[] ---- + -<1> `` matches the name that was originally used to create and tag the cloud resources. -ifdef::aws-sts,azure-workload-id[<2> `<{cp-name}_region>` is the {cp} region in which to delete cloud resources.] +where: + +``:: Matches the name that was originally used to create and tag the cloud resources. +ifdef::aws-sts,azure-workload-id[`<{cp-name}_region>`:: is the {cp} region in which to delete cloud resources.] ifdef::gcp-workload-id[] -<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources. -<3> Optional: This parameter deletes the custom roles that the `ccoctl` utility creates during installation. {gcp-short} does not permanently delete custom roles immediately. For more information, see {gcp-short} documentation about link:https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role[deleting a custom role]. +`<{cp-name}_project_id>`:: The {cp} project ID in which to delete cloud resources. +`force-delete-custom-roles`:: Optional: This parameter deletes the custom roles that the `ccoctl` utility creates during installation. {gcp-short} does not permanently delete custom roles immediately. 
For more information, see {gcp-short} documentation about link:https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role[deleting a custom role]. endif::gcp-workload-id[] -ifdef::azure-workload-id[<3> `<{cp-name}_subscription_id>` is the {cp} subscription ID for which to delete cloud resources.] +ifdef::azure-workload-id[`<{cp-name}_subscription_id>`:: is the {cp} subscription ID for which to delete cloud resources.] ifdef::aws-sts[] + .Example output diff --git a/modules/installation-aws-access-analyzer.adoc b/modules/installation-aws-access-analyzer.adoc index 73f85242935f..cc9f93728552 100644 --- a/modules/installation-aws-access-analyzer.adoc +++ b/modules/installation-aws-access-analyzer.adoc @@ -2,6 +2,9 @@ [id="create-custom-permissions-for-iam-instance-profiles_{context}"] = Using AWS IAM Analyzer to create policy templates +[role="_abstract"] +To reduce security risk, you can use AWS IAM Access Analyzer and CloudTrail to generate and apply minimal, fine-grained IAM policies for cluster control plane and compute instance profiles. + The minimal set of permissions that the control plane and compute instance profiles require depends on how the cluster is configured for its daily operation. One way to determine which permissions the cluster instances require is to use the AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) to create a policy template: 
@@ -10,9 +13,6 @@ One way to determine which permissions the cluster instances require is to use t * You can then use the template to create policies with fine-grained permissions. .Procedure - -The overall process could be: - . Ensure that CloudTrail is enabled. CloudTrail records all of the actions and events in your AWS account, including the API calls that are required to create a policy template. For more information, see the AWS documentation for https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html[working with CloudTrail]. . Create an instance profile for control plane instances and an instance profile for compute instances. Be sure to assign each role a permissive policy, such as PowerUserAccess. For more information, see the AWS documentation for https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html[creating instance profile roles]. @@ -22,7 +22,7 @@ https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.ht . Create and add a fine-grained policy to each instance profile. . Remove the permissive policy from each instance profile. . Deploy a production cluster using the existing instance profiles with the new policies. - ++ [NOTE] ==== You can add https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM Conditions] to your policy to make it more restrictive and compliant with your organization security requirements. diff --git a/modules/installation-aws-add-iam-roles.adoc b/modules/installation-aws-add-iam-roles.adoc index 43aa52405acf..9135280f3aeb 100644 --- a/modules/installation-aws-add-iam-roles.adoc +++ b/modules/installation-aws-add-iam-roles.adoc 
@@ -6,6 +6,7 @@ [id="specify-an-existing-iam-role_{context}"] = Specifying an existing IAM role +[role="_abstract"] Instead of allowing the installation program to create IAM instance profiles with the default permissions, you can use the `install-config.yaml` file to specify an existing IAM role for control plane and compute instances. .Prerequisites @@ -38,8 +39,10 @@ controlPlane: aws: iamRole: ExampleRole ---- + . Save the file and reference it when installing the {product-title} cluster. ++ [NOTE] ==== To change or update an IAM account after the cluster has been installed, see link:https://access.redhat.com/solutions/4284011[RHOCP 4 AWS cloud-credentials access key is expired] (Red{nbsp}Hat Knowledgebase). diff --git a/modules/installation-aws-delete-cluster.adoc b/modules/installation-aws-delete-cluster.adoc index aa3fb36a1508..4e2b2967c894 100644 --- a/modules/installation-aws-delete-cluster.adoc +++ b/modules/installation-aws-delete-cluster.adoc @@ -4,9 +4,10 @@ :_mod-docs-content-type: PROCEDURE [id="installation-aws-delete-cluster"] -= Deleting a cluster with a configured AWS Local Zone infrastructure += Deleting a cluster with a configured {aws-short} Local Zone infrastructure -After you install a cluster on Amazon Web Services (AWS) into an existing Virtual Private Cloud (VPC), and you set subnets for each Local Zone location, you can delete the cluster and any AWS resources associated with it. +[role="_abstract"] +After you install a cluster on {aws-first} into an existing Virtual Private Cloud (VPC), and you set subnets for each Local Zone location, you can delete the cluster and any {aws-short} resources associated with it. The example in the procedure assumes that you created a VPC and its subnets by using a CloudFormation template. 
@@ -22,11 +23,14 @@ The example in the procedure assumes that you created a VPC and its subnets by u + [source,terminal] ---- -$ ./openshift-install destroy cluster --dir \//<1> - --log-level=debug <2> +$ ./openshift-install destroy cluster --dir \ + --log-level=debug ---- -<1> For ``, specify the directory that stored any files created by the installation program. -<2> To view different log details, specify `error`, `info`, or `warn` instead of `debug`. ++ +where: + +``:: Specify the directory that stored any files created by the installation program. +`--log-level=debug`:: To view different log details, specify `error`, `info`, or `warn` instead of `debug`. . Delete the CloudFormation stack for the Local Zone subnet: + @@ -44,7 +48,7 @@ $ aws cloudformation delete-stack --stack-name .Verification -* Check that you removed the stack resources by issuing the following commands in the AWS CLI. The AWS CLI outputs that no template component exists. +* Check that you removed the stack resources by issuing the following commands in the {aws-short} CLI. The AWS CLI outputs that no template component exists. + [source,terminal] ---- diff --git a/modules/installation-aws-iam-policies-about.adoc b/modules/installation-aws-iam-policies-about.adoc index b4ca0e80f689..d90bbf6b76c4 100644 --- a/modules/installation-aws-iam-policies-about.adoc +++ b/modules/installation-aws-iam-policies-about.adoc 
@@ -4,9 +4,10 @@ :_mod-docs-content-type: CONCEPT [id="iam-policies-and-aws-authentication_{context}"] -= IAM Policies and AWS authentication += IAM Policies and {aws-short} authentication -By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate. +[role="_abstract"] +You can specify your own IAM roles if required. By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate. [NOTE] ==== @@ -21,4 +22,4 @@ However, you can create your own IAM roles and specify them as part of the insta If you choose to specify your own IAM roles, you can take the following steps: * Begin with the default policies and adapt as required. For more information, see "Default permissions for IAM instance profiles". -* To create a policy template that is based on the cluster's activity, see "Using AWS IAM Analyzer to create policy templates". +* To create a policy template that is based on the cluster's activity, see "Using {aws-short} IAM Analyzer to create policy templates". diff --git a/modules/installation-aws-iam-user.adoc b/modules/installation-aws-iam-user.adoc index c3398be871c4..3473779cb106 100644 --- a/modules/installation-aws-iam-user.adoc +++ b/modules/installation-aws-iam-user.adoc 
@@ -6,33 +6,29 @@ [id="installation-aws-iam-user_{context}"] = Creating an IAM user -Each Amazon Web Services (AWS) account contains a root user account that is based on the email address you used to create the account. +[role="_abstract"] +Before you install {product-title}, you must create a secondary IAM administrative user and assign permissions to create the cluster. + +Each {aws-first} account contains a root user account that is based on the email address you used to create the account. [IMPORTANT] ==== This is a highly-privileged account, and it is recommended to use it for only initial account and billing configuration, creating an initial set of users, and securing the account. ==== -Before you install {product-title}, create a secondary IAM -administrative user. As you complete the +As you complete the link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html[Creating an IAM User in Your AWS Account] -procedure in the AWS documentation, set the following options: +procedure in the {aws-first} documentation, set the following options: .Procedure . Specify the IAM user name and select `Programmatic access`. -. Attach the `AdministratorAccess` policy to ensure that the account has -sufficient permission to create the cluster. This policy provides the cluster -with the ability to grant credentials to each {product-title} component. The -cluster grants the components only the credentials that they require. +. Attach the `AdministratorAccess` policy to ensure that the account has sufficient permission to create the cluster. This policy provides the cluster with the ability to grant credentials to each {product-title} component. The cluster grants the components only the credentials that they require. + [NOTE] ==== -While it is possible to create a policy that grants the all of the required -AWS permissions and attach it to the user, this is not the preferred option. 
-The cluster will not have the ability to grant additional credentials to -individual components, so the same credentials are used by all components. +While it is possible to create a policy that grants the all of the required AWS permissions and attach it to the user, this is not the preferred option. The cluster will not have the ability to grant additional credentials to individual components, so the same credentials are used by all components. ==== . Optional: Add metadata to the user by attaching tags. @@ -40,14 +36,8 @@ individual components, so the same credentials are used by all components. . Confirm that the user name that you specified is granted the `AdministratorAccess` policy. -. Record the access key ID and secret access key values. You must use these -values when you configure your local machine to run the installation program. +. Record the access key ID and secret access key values. You must use these values when you configure your local machine to run the installation program. + [IMPORTANT] -==== -You cannot use a temporary session token that you generated while using a -multi-factor authentication device to authenticate to AWS when you deploy a -cluster. The cluster continues to use your current AWS credentials to -create AWS resources for the entire life of the cluster, so you must +You cannot use a temporary session token that you generated while using a multi-factor authentication device to authenticate to {aws-short} when you deploy a cluster. The cluster continues to use your current {aws-short} credentials to create {aws-short} resources for the entire life of the cluster, so you must use key-based, long-term credentials. -==== diff --git a/modules/installation-aws-limits.adoc b/modules/installation-aws-limits.adoc index 48dbbc8e17de..2a89a13b5db0 100644 --- a/modules/installation-aws-limits.adoc +++ b/modules/installation-aws-limits.adoc 
@@ -4,22 +4,21 @@ :_mod-docs-content-type: CONCEPT [id="installation-aws-limits_{context}"] -= AWS account limits += {aws-short} account limits -The {product-title} cluster uses a number of Amazon Web Services (AWS) +[role="_abstract"] +The {product-title} cluster uses several {aws-first} components, and the default -link:https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html[Service Limits] -affect your ability to install {product-title} clusters. If you use certain -cluster configurations, deploy your cluster in certain AWS regions, or -run multiple clusters from your account, you might need -to request additional resources for your AWS account. +link:https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html[Service Limits] affect your ability to install {product-title} clusters. -The following table summarizes the AWS components whose limits can impact your -ability to install and run {product-title} clusters. +If you use certain cluster configurations, deploy your cluster in certain {aws-short} regions, or run multiple clusters from your account, you might need +to request additional resources for your {aws-short} account. + +The following table summarizes the {aws-short} components whose limits can impact your ability to install and run {product-title} clusters. [cols="2a,3a,3a,8a",options="header"] |=== -|Component |Number of clusters available by default| Default AWS limit |Description +|Component |Number of clusters available by default| Default {aws-short} limit |Description |Instance Limits |Varies 
@@ -30,15 +29,10 @@ ability to install and run {product-title} clusters. * Three control plane nodes * Three worker nodes -These instance type counts are within a new account's default limit. To deploy -more worker nodes, enable autoscaling, deploy large workloads, or use a -different instance type, review your account limits to ensure that your cluster -can deploy the machines that you need. +These instance type counts are within a new account's default limit. To deploy more worker nodes, enable autoscaling, deploy large workloads, or use a different instance type, review your account limits to ensure that your cluster can deploy the machines that you need. In most regions, the worker machines use an `m6i.large` instance -and the bootstrap and control plane machines use `m6i.xlarge` instances. In some regions, including -all regions that do not support these instance types, `m5.large` and `m5.xlarge` -instances are used instead. +and the bootstrap and control plane machines use `m6i.xlarge` instances. In some regions, including all regions that do not support these instance types, `m5.large` and `m5.xlarge` instances are used instead. |Elastic IPs (EIPs) |0 to 1 
@@ -52,10 +46,7 @@ and each NAT gateway requires a separate link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html[elastic IP]. Review the link:https://aws.amazon.com/about-aws/global-infrastructure/[AWS region map] to -determine how many availability zones are in each region. To take advantage of -the default high availability, install the cluster in a region with at least -three availability zones. To install a cluster in a region with more than five -availability zones, you must increase the EIP limit. +determine how many availability zones are in each region. To take advantage of the default high availability, install the cluster in a region with at least three availability zones. To install a cluster in a region with more than five availability zones, you must increase the EIP limit. [IMPORTANT] ==== To use the `us-east-1` region, you must increase the EIP limit for your account. @@ -70,8 +61,7 @@ To use the `us-east-1` region, you must increase the EIP limit for your account. |3 |20 per region |By default, each cluster creates internal and external network load balancers for the master -API server and a single Classic Load Balancer for the router. Deploying -more Kubernetes `Service` objects with type `LoadBalancer` will create additional +API server and a single Classic Load Balancer for the router. Deploying more Kubernetes `Service` objects with type `LoadBalancer` will create additional link:https://aws.amazon.com/elasticloadbalancing/[load balancers]. 
@@ -84,13 +74,11 @@ link:https://aws.amazon.com/elasticloadbalancing/[load balancers]. |At least 12 |350 per region |The default installation creates 21 ENIs and an ENI for each availability zone -in your region. For example, the `us-east-1` region contains six availability -zones, so a cluster that is deployed in that zone uses 27 ENIs. Review the +in your region. For example, the `us-east-1` region contains six availability zones, so a cluster that is deployed in that zone uses 27 ENIs. Review the link:https://aws.amazon.com/about-aws/global-infrastructure/[AWS region map] to determine how many availability zones are in each region. -Additional ENIs are created for additional machines and ELB load balancers -that are created by cluster usage and deployed workloads. +Additional ENIs are created for additional machines and ELB load balancers that are created by cluster usage and deployed workloads. |VPC Gateway |20 @@ -101,9 +89,7 @@ that are created by cluster usage and deployed workloads. |S3 buckets |99 |100 buckets per account -|Because the installation process creates a temporary bucket and the registry -component in each cluster creates a bucket, you can create only 99 -{product-title} clusters per AWS account. +|Because the installation process creates a temporary bucket and the registry component in each cluster creates a bucket, you can create only 99 {product-title} clusters per {aws-short} account. |Security Groups |250 diff --git a/modules/installation-aws-marketplace.adoc b/modules/installation-aws-marketplace.adoc index cab41cab72b5..73fdfc1f4dba 100644 --- a/modules/installation-aws-marketplace.adoc +++ b/modules/installation-aws-marketplace.adoc 
@@ -4,9 +4,10 @@ :_mod-docs-content-type: CONCEPT [id="installation-aws-marketplace_{context}"] -= Supported AWS Marketplace regions += Supported {aws-short} Marketplace regions -Installing an {product-title} cluster using an AWS Marketplace image is available to customers who purchase the offer in North America. +[role="_abstract"] +Installing an {product-title} cluster using an {aws-short} Marketplace image is available to customers who purchase the offer in North America. While the offer must be purchased in North America, you can deploy the cluster to any of the following supported paritions: @@ -15,5 +16,5 @@ While the offer must be purchased in North America, you can deploy the cluster t [NOTE] ==== -Deploying a {product-title} cluster using an AWS Marketplace image is not supported for the AWS secret regions or China regions. +Deploying a {product-title} cluster using an {aws-short} Marketplace image is not supported for the {aws-short} secret regions or China regions. ==== diff --git a/modules/installation-aws-permissions-iam-roles.adoc b/modules/installation-aws-permissions-iam-roles.adoc index 337791fe3092..64a5daad54b0 100644 --- a/modules/installation-aws-permissions-iam-roles.adoc +++ b/modules/installation-aws-permissions-iam-roles.adoc @@ -6,6 +6,7 @@ [id="installation-aws-permissions-iam-roles_{context}"] = Default permissions for IAM instance profiles +[role="_abstract"] By default, the installation program creates IAM instance profiles for the bootstrap, control plane and worker instances with the necessary permissions for the cluster to operate. The following lists specify the default permissions for control plane and compute machines: diff --git a/modules/installation-aws-permissions.adoc b/modules/installation-aws-permissions.adoc index bb95edcda104..effb4c8d096e 100644 --- a/modules/installation-aws-permissions.adoc +++ b/modules/installation-aws-permissions.adoc 
@@ -6,15 +6,17 @@ :_mod-docs-content-type: REFERENCE [id="installation-aws-permissions_{context}"] -= Required AWS permissions for the IAM user += Required {aws-short} permissions for the IAM user + +[role="_abstract"] +To deploy all components of an {product-title} cluster, you must grant the all the required permissions to the IAM user that you create in {aws-first}. [NOTE] ==== -Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the AWS API requirement, the {product-title} installation program performs various actions in this region. +Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the {aws-short} API requirement, the {product-title} installation program performs various actions in this region. ==== -When you attach the `AdministratorAccess` policy to the IAM user that you create in Amazon Web Services (AWS), -you grant that user all of the required permissions. To deploy all components of an {product-title} +When you attach the `AdministratorAccess` policy to the IAM user that you create in {aws-first}, you grant that user all of the required permissions. To deploy all components of an {product-title} cluster, the IAM user requires the following permissions: .Required EC2 permissions for installation @@ -157,7 +159,7 @@ If you use an existing Virtual Private Cloud (VPC), your account does not requir ===== * If you specify an existing IAM role in the `install-config.yaml` file, the following IAM permissions are not required: `iam:CreateRole`,`iam:DeleteRole`, `iam:DeleteRolePolicy`, and `iam:PutRolePolicy`. -* If you have not created a load balancer in your AWS account, the IAM user also requires the `iam:CreateServiceLinkedRole` permission. +* If you have not created a load balancer in your {aws-short} account, the IAM user also requires the `iam:CreateServiceLinkedRole` permission. ===== ==== 
diff --git a/modules/installation-aws-regions.adoc b/modules/installation-aws-regions.adoc index e30003b94b31..9a1366fb73e1 100644 --- a/modules/installation-aws-regions.adoc +++ b/modules/installation-aws-regions.adoc @@ -4,19 +4,20 @@ :_mod-docs-content-type: REFERENCE [id="installation-aws-regions_{context}"] -= Supported AWS regions += Supported {aws-short} regions +[role="_abstract"] You can deploy an {product-title} cluster to the following regions. [NOTE] ==== -Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the AWS API requirement, the {product-title} installation program performs various actions in this region. +Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the {aws-short} API requirement, the {product-title} installation program performs various actions in this region. ==== [id="installation-aws-public_{context}"] -== AWS public regions +== {aws-short} public regions -The following AWS public regions are supported: +The following {aws-short} public regions are supported: * `af-south-1` (Cape Town) * `ap-east-1` (Hong Kong) 
@@ -50,25 +51,25 @@ The following AWS public regions are supported: * `us-west-2` (Oregon) [id="installation-aws-govcloud_{context}"] -== AWS GovCloud regions +== {aws-short} GovCloud regions -The following AWS GovCloud regions are supported: +The following {aws-short} GovCloud regions are supported: * `us-gov-west-1` * `us-gov-east-1` [id="installation-aws-c2s_{context}"] -== AWS SC2S and C2S secret regions +== {aws-short} SC2S and C2S secret regions -The following AWS secret regions are supported: +The following {aws-short} secret regions are supported: * `us-isob-east-1` Secret Commercial Cloud Services (SC2S) * `us-iso-east-1` Commercial Cloud Services (C2S) [id="installation-aws-china_{context}"] -== AWS China regions +== {aws-short} China regions -The following AWS China regions are supported: +The following {aws-short} China regions are supported: * `cn-north-1` (Beijing) * `cn-northwest-1` (Ningxia) diff --git a/modules/installation-aws-route53.adoc b/modules/installation-aws-route53.adoc index 069c96de8328..d42e01a88a0d 100644 --- a/modules/installation-aws-route53.adoc +++ b/modules/installation-aws-route53.adoc 
@@ -6,43 +6,38 @@ [id="installation-aws-route53_{context}"] = Configuring Route 53 -To install {product-title}, the Amazon Web Services (AWS) account you use must -have a dedicated public hosted zone in your Route 53 service. This zone must be -authoritative for the domain. The Route 53 service provides -cluster DNS resolution and name lookup for external connections to the cluster. +[role="_abstract"] +To install {product-title}, the {aws-first} account you use must have a dedicated public hosted zone in your Route 53 service. This zone must be +authoritative for the domain. The Route 53 service provides cluster DNS resolution and name lookup for external connections to the cluster. .Procedure . Identify your domain, or subdomain, and registrar. You can transfer an existing domain and -registrar or obtain a new one through AWS or another source. +registrar or obtain a new one through {aws-short} or another source. + [NOTE] ==== -If you purchase a new domain through AWS, it takes time for the relevant DNS -changes to propagate. For more information about purchasing domains -through AWS, see +If you purchase a new domain through {aws-short}, it takes time for the relevant DNS changes to propagate. For more information about purchasing domains +through {aws-short}, see link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html[Registering Domain Names Using Amazon Route 53] -in the AWS documentation. +in the {aws-short} documentation. ==== -. If you are using an existing domain and registrar, migrate its DNS to AWS. See +. If you are using an existing domain and registrar, migrate its DNS to {aws-short}. See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html[Making Amazon Route 53 the DNS Service for an Existing Domain] -in the AWS documentation. +in the {aws-short} documentation. . Create a public hosted zone for your domain or subdomain. 
See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html[Creating a Public Hosted Zone] -in the AWS documentation. +in the {aws-short} documentation. + -Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain, -such as `clusters.openshiftcorp.com`. +Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain, such as `clusters.openshiftcorp.com`. . Extract the new authoritative name servers from the hosted zone records. See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/GetInfoAboutHostedZone.html[Getting the Name Servers for a Public Hosted Zone] -in the AWS documentation. +in the {aws-short} documentation. -. Update the registrar records for the AWS Route 53 name servers that your domain -uses. For example, if you registered your domain to a Route 53 service in a -different accounts, see the following topic in the AWS documentation: +. Update the registrar records for the {aws-short} Route 53 name servers that your domain uses. For example, if you registered your domain to a Route 53 service in a different accounts, see the following topic in the {aws-short} documentation: link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html#domain-name-servers-glue-records-procedure[Adding or Changing Name Servers or Glue Records]. -. If you are using a subdomain, add its delegation records to the parent domain. This gives Amazon Route 53 responsibility for the subdomain. Follow the delegation procedure outlined by the DNS provider of the parent domain. See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html[Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain] in the AWS documentation for an example high level procedure. +. If you are using a subdomain, add its delegation records to the parent domain. This gives Amazon Route 53 responsibility for the subdomain. 
Follow the delegation procedure outlined by the DNS provider of the parent domain. See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html[Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain] in the {aws-short} documentation for an example high level procedure. diff --git a/modules/installation-three-node-cluster-cloud-provider.adoc b/modules/installation-three-node-cluster-cloud-provider.adoc index f7440473b18a..05af3ba44283 100644 --- a/modules/installation-three-node-cluster-cloud-provider.adoc +++ b/modules/installation-three-node-cluster-cloud-provider.adoc @@ -27,7 +27,10 @@ endif::[] [id="installation-three-node-cluster_{context}"] = Configuring a three-node cluster -You configure a three-node cluster by setting the number of worker nodes to `0` in the `install-config.yaml` file before deploying the cluster. Setting the number of worker nodes to `0` ensures that the control plane machines are schedulable. This allows application workloads to be scheduled to run from the control plane nodes. +[role="_abstract"] +To configure a three-node cluster, set the number of worker nodes to `0` in the `install-config.yaml` file before you deploy the cluster. + +Setting the number of worker nodes to `0` ensures that the control plane machines are schedulable. This allows application workloads to be scheduled to run from the control plane nodes. [NOTE] ==== 
@@ -40,13 +43,14 @@ Because application workloads run from control plane nodes, additional subscript .Procedure +ifndef::nutanix,openstack[] +. Set the number of compute replicas to `0` in your `install-config.yaml` file, as shown in the following `compute` stanza: +endif::nutanix,openstack[] + ifdef::nutanix,openstack[] * Set the number of compute replicas to `0` in your `install-config.yaml` file, as shown in the following `compute` stanza: endif::nutanix,openstack[] -ifndef::nutanix,openstack[] -. Set the number of compute replicas to `0` in your `install-config.yaml` file, as shown in the following `compute` stanza: -endif::nutanix,openstack[] + .Example `install-config.yaml` file for a three-node cluster [source,yaml] @@ -59,6 +63,7 @@ compute: replicas: 0 # ... ---- + ifndef::vsphere,nutanix,openstack[] . If you are deploying a cluster with user-provisioned infrastructure: ** After you create the Kubernetes manifest files, make sure that the `spec.mastersSchedulable` parameter is set to `true` in `cluster-scheduler-02-config.yml` file. You can locate this file in `/manifests`. @@ -84,6 +89,7 @@ endif::vsphere[] ** Do not create additional worker nodes. endif::vsphere[] + ifndef::nutanix,openstack[] .Example `cluster-scheduler-02-config.yml` file for a three-node cluster [source,yaml] diff --git a/modules/installation-uninstall-clouds.adoc b/modules/installation-uninstall-clouds.adoc index 721887d6d975..bd147b9c9458 100644 --- a/modules/installation-uninstall-clouds.adoc +++ b/modules/installation-uninstall-clouds.adoc @@ -28,7 +28,8 @@ endif::[] [id="installation-uninstall-clouds_{context}"] = Removing a cluster that uses installer-provisioned infrastructure -You can remove a cluster that uses installer-provisioned infrastructure from your cloud. +[role="_abstract"] +You can remove a cluster that uses installer-provisioned infrastructure that you provisioned from your cloud platform. ifdef::aws[] [NOTE] 
@@ -112,11 +113,13 @@ endif::ibm-cloud,ibm-power-vs[] [source,terminal] ---- $ ./openshift-install destroy cluster \ ---dir --log-level info <1> <2> +--dir --log-level info ---- -<1> For ``, specify the path to the directory that you -stored the installation files in. -<2> To view different details, specify `warn`, `debug`, or `error` instead of `info`. ++ +where: + +:: Specify the path to the directory that you stored the installation files in. +--log-level info:: To view different details, specify `warn`, `debug`, or `error` instead of `info`. ifndef::ibm-power-vs[] + [NOTE] diff --git a/modules/installing-aws-ipi.adoc b/modules/installing-aws-ipi.adoc new file mode 100644 index 000000000000..9e9a27a2c2d4 --- /dev/null +++ b/modules/installing-aws-ipi.adoc 
@@ -0,0 +1,19 @@ +:_mod-docs-content-type: CONCEPT +[id="choosing-an-method-to-install-ocp-on-aws-installer-provisioned_{context}"] += Installing a cluster on installer-provisioned infrastructure +:context: installing-aws-ipi + +[role="_abstract"] +You can install a cluster on {aws-short} infrastructure that is provisioned by the {product-title} installation program, by using one of the following methods: + +You can install {product-title} on {aws-short} infrastructure that is provisioned by the {product-title} installation program. You can install a cluster quickly by using the default configuration options. + +You can install a customized cluster on {aws-short} infrastructure that the installation program provisions. You can also customize your {product-title} network configuration during installation, so that your cluster can coexist with your existing IP address allocations and adhere to your network requirements. The installation program allows for some customization to be applied at the installation stage. Many other customization options are available post-installation. + +You can install {product-title} on {aws-short} on installer-provisioned infrastructure by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components. + +You can install {product-title} on an existing {aws-short} Virtual Private Cloud (VPC). You can use this installation method if you have constraints set by the guidelines of your company, such as limits when creating new accounts or infrastructure. + +You can install a private cluster on an existing {aws-short} VPC. You can use this method to deploy {product-title} on an internal network that is not visible to the internet. 
+ +{product-title} can be deployed into {aws-short} regions that are specifically designed for US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that must run sensitive workloads in the cloud. diff --git a/modules/installing-aws-single-node.adoc b/modules/installing-aws-single-node.adoc new file mode 100644 index 000000000000..8be77aa1c914 --- /dev/null +++ b/modules/installing-aws-single-node.adoc @@ -0,0 +1,11 @@ +:_mod-docs-content-type: CONCEPT +[id="choosing-an-method-to-install-ocp-on-aws-single-node"_{context}"] += Installing a cluster on a single node +:context: installing-single-node-aws + +[role="_abstract"] +Installing {product-title} on a single node alleviates some of the requirements for high availability and large scale clusters. However, you must address requirements for installing on a single node, and the additional requirements for installing {sno} on a cloud provider. + +After addressing the requirements for single node installation, use the installing a customized cluster on AWS procedure to install the cluster. The installing single-node OpenShift manually section contains an exemplary `install-config.yaml` file when installing an {product-title} cluster on a single node. + + diff --git a/modules/installing-aws-upi.adoc b/modules/installing-aws-upi.adoc new file mode 100644 index 000000000000..b8e5accabcac --- /dev/null +++ b/modules/installing-aws-upi.adoc 
@@ -0,0 +1,11 @@ +:_mod-docs-content-type: CONCEPT +[id="choosing-an-method-to-install-ocp-on-aws-user-provisioned-provisioned_{context}"] += Installing a cluster on user-provisioned infrastructure +:context: installing-upi-aws + +[role="_abstract"] +You can install a cluster on {aws-short} in one of two ways: on infrastructure that you provide or infrastructure that you provide by using an internal mirror of the installation release content. + +To install {product-title} on {aws-short} infrastructure that you provide, you can use the provided CloudFormation templates to create stacks of {aws-short} resources that represent each of the components required for an {product-title} installation. + +To install a cluster that does not require an active internet connection to obtain the software components, install {product-title} on {aws-short} infrastructure that you provide by using an internal mirror of the installation release content. You can also use this installation method to ensure that your clusters only use container images that satisfy your organizational controls on external content. While you can install {product-title} by using the mirrored content, your cluster still requires internet access to use the {aws-short} APIs. \ No newline at end of file diff --git a/modules/nw-endpoint-route53.adoc b/modules/nw-endpoint-route53.adoc index fcfce67e5e4d..0ec10cc3cc70 100644 --- a/modules/nw-endpoint-route53.adoc +++ b/modules/nw-endpoint-route53.adoc 
@@ -4,9 +4,10 @@ :_mod-docs-content-type: REFERENCE [id="nw-endpoint-route53_{context}"] -= Ingress Operator endpoint configuration for AWS Route 53 += Ingress Operator endpoint configuration for {aws-short} Route 53 -If you install in either Amazon Web Services (AWS) GovCloud (US) US-West or US-East region, the Ingress Operator uses `us-gov-west-1` region for Route53 and tagging API clients. +[role="_abstract"] +If you install in either {aws-first} GovCloud (US) US-West or US-East region, the Ingress Operator uses `us-gov-west-1` region for Route53 and tagging API clients. The Ingress Operator uses `https://tagging.us-gov-west-1.amazonaws.com` as the tagging API endpoint if a tagging custom endpoint is configured that includes the string 'us-gov-east-1'. @@ -14,7 +15,7 @@ For more information on AWS GovCloud (US) endpoints, see the link:https://docs.a [IMPORTANT] ==== -Private, disconnected installations are not supported for AWS GovCloud when you install in the `us-gov-east-1` region. +Private, disconnected installations are not supported for {aws-short} GovCloud when you install in the `us-gov-east-1` region. ==== .Example Route 53 configuration 
@@ -29,9 +30,12 @@ platform: - name: elasticloadbalancing url: https://elasticloadbalancing.us-gov-west-1.amazonaws.com - name: route53 - url: https://route53.us-gov.amazonaws.com <1> + url: https://route53.us-gov.amazonaws.com - name: tagging - url: https://tagging.us-gov-west-1.amazonaws.com <2> + url: https://tagging.us-gov-west-1.amazonaws.com ---- -<1> Route 53 defaults to `https://route53.us-gov.amazonaws.com` for both AWS GovCloud (US) regions. -<2> Only the US-West region has endpoints for tagging. Omit this parameter if your cluster is in another region. ++ +where: + +`https://route53.us-gov.amazonaws.com`:: Defaults to `https://route53.us-gov.amazonaws.com` for both {aws-short} GovCloud (US) regions. +`https://tagging.us-gov-west-1.amazonaws.com`:: Only the US-West region has endpoints for tagging. Omit this parameter if your cluster is in another region.
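Review bot: In modules/installation-aws-iam-policies-and-aws-authentication (hunk `@@ -4,9 +4,10 @@`), the new abstract opens with the exception ("You can specify your own IAM roles if required.") before stating the default behaviour, which reads backwards. Suggest leading with the existing sentence and appending the option: `+By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate. You can specify your own IAM roles if required.`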
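Review bot: In modules/installation-aws-iam-user.adoc (hunk `@@ -6,33 +6,29 @@`), the reflowed NOTE line keeps two defects this change could fix at the same time: "grants the all of the required AWS permissions" still has the stray "the", and "AWS" is left as a literal while every other occurrence in the hunk is converted to `{aws-short}`. Suggest: `+While it is possible to create a policy that grants all of the required {aws-short} permissions and attach it to the user, this is not the preferred option. The cluster will not have the ability to grant additional credentials to individual components, so the same credentials are used by all components.`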
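Review bot: In modules/installation-aws-iam-user.adoc (hunk `@@ -40,14 +36,8 @@`), the `====` delimiters around the IMPORTANT admonition are removed, turning it into a paragraph admonition, while every other NOTE and IMPORTANT touched by this patch keeps its `====` block. If that is deliberate, also join the two remaining source lines ("...so you must" / "use key-based, long-term credentials.") into one line, matching the single-line reflow done elsewhere in the file; otherwise restore the `====` lines so the admonition style stays consistent.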
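Review bot: In modules/installation-aws-marketplace.adoc (hunk `@@ -4,9 +4,10 @@`), the unchanged context line "you can deploy the cluster to any of the following supported paritions:" contains a typo ("partitions"); since the adjacent line is already being rewritten, fix it in this change rather than leaving it for a follow-up.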
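Review bot: In modules/installation-aws-permissions.adoc (hunk `@@ -6,15 +6,17 @@`), the new abstract reads "you must grant the all the required permissions" (stray "the"), and it restates the sentence kept a few lines below ("To deploy all components of an {product-title} cluster, the IAM user requires the following permissions:"). Suggest `+To deploy all components of an {product-title} cluster, you must grant all the required permissions to the IAM user that you create in {aws-first}.` and shorten the later sentence to just introduce the lists, so the same statement does not appear twice in the module.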
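Review bot: In modules/installation-aws-route53.adoc (hunk `@@ -6,43 +6,38 @@`), the reflowed step carries over a number mismatch: "if you registered your domain to a Route 53 service in a different accounts" should read "in a different account". The last step's "an example high level procedure" should also be hyphenated ("high-level") while the line is being rewritten.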
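Review bot: In modules/installation-uninstall-clouds.adoc (hunk `@@ -28,7 +28,8 @@`), the new abstract contradicts itself: "a cluster that uses installer-provisioned infrastructure that you provisioned from your cloud platform" describes infrastructure that the installation program provisions as something you provisioned. Suggest `+You can remove a cluster that uses installer-provisioned infrastructure from your cloud platform.`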
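Review bot: In modules/installation-uninstall-clouds.adoc (hunk `@@ -112,11 +113,13 @@`), the first term of the new `where:` description list is empty (`+:: Specify the path to the directory that you stored the installation files in.`), and the command now reads `--dir --log-level info` with nothing after `--dir`, so a reader cannot tell which argument that entry describes; the removed callout `<1>` referred to the `--dir` argument. Key the entry by the option, `--dir::`, and confirm the directory placeholder that the old callout text referred to is still present in the command block. For consistency, use `--log-level::` rather than `--log-level info::` as the second term, since the description already says which values replace `info`.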
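Review bot: In the new modules/installing-aws-ipi.adoc, the abstract ends with "by using one of the following methods:" but what follows is a run of plain paragraphs rather than a list, so the colon dangles and the "methods" are never enumerated. Either convert the paragraphs into list items (one per installation method) or end the abstract with a complete sentence. The id `choosing-an-method-to-install-ocp-on-aws-installer-provisioned_{context}` also reads "an method"; the same stem is reused in the two sibling modules, so if it is corrected it must be corrected in all three and in any assembly that xrefs them.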
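Review bot: In the new modules/installing-aws-single-node.adoc, the id line `[id="choosing-an-method-to-install-ocp-on-aws-single-node"_{context}"]` has a stray `"` before `_{context}`, which closes the attribute value early and leaves a malformed block attribute; it should be `[id="choosing-an-method-to-install-ocp-on-aws-single-node_{context}"]`. In the same file, "the installing a customized cluster on AWS procedure" uses literal "AWS" where the rest of this patch uses `{aws-short}`, the `:context:` value `installing-single-node-aws` does not follow the `installing-aws-ipi` pattern of the sibling module, and the file ends with two trailing blank lines.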
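Review bot: In the new modules/installing-aws-upi.adoc, the id `choosing-an-method-to-install-ocp-on-aws-user-provisioned-provisioned_{context}` repeats "provisioned", the `:context:` value `installing-upi-aws` is ordered differently from `installing-aws-ipi` in the sibling module, and the file is committed without a trailing newline (`\ No newline at end of file`). The abstract "on infrastructure that you provide or infrastructure that you provide by using an internal mirror of the installation release content" is also hard to parse; suggest `+You can install a cluster on {aws-short} infrastructure that you provide, either directly or by using an internal mirror of the installation release content.`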
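Review bot: In modules/nw-endpoint-route53.adoc (hunk `@@ -4,9 +4,10 @@`), the rewritten abstract keeps "uses `us-gov-west-1` region" without an article ("uses the `us-gov-west-1` region") and spells the service "Route53" while the heading on the line above says "Route 53"; the context shown in the next hunk header ("For more information on AWS GovCloud (US) endpoints") also still uses literal "AWS" and could be converted to `{aws-short}` in the same change.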
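Review bot: In modules/nw-endpoint-route53.adoc (hunk `@@ -29,9 +30,12 @@`), the new `where:` entries use the URL value as the term and then repeat it in the description ("`https://route53.us-gov.amazonaws.com`:: Defaults to `https://route53.us-gov.amazonaws.com` ..."), which is circular and inconsistent with the option-name terms introduced in installation-uninstall-clouds.adoc in this same patch. Key the entries by the endpoint name from the YAML instead, for example `route53:: Route 53 defaults to `https://route53.us-gov.amazonaws.com` for both {aws-short} GovCloud (US) regions.` and `tagging:: Only the US-West region has endpoints for tagging. Omit this parameter if your cluster is in another region.`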