OSDOCS-3437: Installing to the AWS SC2S region #44998
0c51be2 to db559b7
@@ -177,6 +177,10 @@ endif::china[] | |||
ifdef::china[] | |||
url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn | |||
endif::china[] | |||
ifdef::secret[] | |||
- name: route53 <9> |
Not sure if this can be any string or must be a specific value. Is `route53` valid for this field?
I think specifying the route53 endpoint is no longer required after https://issues.redhat.com/browse/CORS-1896.
Thank you. Done.
@@ -177,6 +177,10 @@ endif::china[] | |||
ifdef::china[] | |||
url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn | |||
endif::china[] | |||
ifdef::secret[] | |||
- name: route53 <9> | |||
url: https://route53.us-east-1.amazonaws.com |
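Review bot: the added `url:` for `route53` is the literal hostname `https://route53.us-east-1.amazonaws.com`, whereas the China entry directly above it uses a `vpce-id` placeholder under that region's own domain. Sample values like this get copied verbatim, so either mark the host as a placeholder or state in callout <9> that the value must be the Route 53 endpoint reachable from the SC2S region and served with a certificate the install host trusts. If the endpoint turns out not to be needed, drop both added lines instead of keeping an unverified value in the sample.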
Based on the AWS doc, I specified `us-east-1` as the region. Please confirm that this is valid for our implementation.
@patrickdillon Installing to AWS SC2S doc is ready for eng review. Thanks!
Good morning @patrickdillon following up on my review request. Thank you.
I believe it is no longer necessary to specify the endpoint, which would make this even simpler.
@@ -177,6 +177,10 @@ endif::china[] | |||
ifdef::china[] | |||
url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn | |||
endif::china[] | |||
ifdef::secret[] | |||
- name: route53 <9> |
I think specifying the route53 endpoint is no longer required after https://issues.redhat.com/browse/CORS-1896.
<8> The ID of the AMI used to boot machines for the cluster. If set, the AMI must belong to the same region as the cluster. | ||
<9> The AWS service endpoints. Custom endpoints are required when installing to an unknown AWS region. The endpoint URL must use the `https` protocol and the host must trust the certificate. | ||
+ | ||
If you are installing to the Secret Commercial Cloud Services (SC2S) Region, specifying the Route53 endpoint is required. |
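Review bot: the added sentence says the Route53 endpoint is required for SC2S but gives no value or pointer to one, and it does not say that the `https` and certificate-trust conditions in the sentence above apply to that endpoint as well. Say so here and refer to the custom CA certificate callout (<14>), since that is where the trust requirement is met for these regions. The AWS service name is also written "Route 53", with a space.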
Similar comment as above, this should not be required for sc2s after https://issues.redhat.com/browse/CORS-1896
Done. Thanks.
@yunjiang29 Engineering comments are addressed. Ready for QE review. Thank you.
@@ -362,7 +358,7 @@ endif::openshift-origin[] | |||
endif::private[] | |||
ifdef::secret[] | |||
ifndef::openshift-origin[] | |||
<14> The custom CA certificate. This is required when deploying to the AWS C2S Top Secret Region because the AWS API requires a custom CA trust bundle. | |||
<14> The custom CA certificate. This is required when deploying to either the SC2S or Commercial Cloud Services (C2S) Regions because the AWS API requires a custom CA trust bundle. |
> SC2S or Commercial Cloud Services (C2S) Regions

It is better to be consistent:
- SC2S or C2S Regions, or
- Secret Commercial Cloud Services (SC2S) or Commercial Cloud Services (C2S) Regions
Agreed. Thank you.
@@ -157,7 +157,7 @@ Topics: | |||
File: installing-aws-private | |||
- Name: Installing a cluster on AWS into a government region | |||
File: installing-aws-government-region | |||
- Name: Installing a cluster on AWS into a Top Secret Region | |||
- Name: Installing a cluster on AWS into a Secret or Top Secret Region |
Hello @mjpytlak @patrickdillon
I am a bit confused by these names:
`Top Secret Region` == `Commercial Cloud Services Regions` == `C2S Regions`
`Secret Region` == `Secret Commercial Cloud Services Regions` == `SC2S Regions`
Is it right?
It looks like we only use `Top Secret Region`/`Secret Region` in the title and TOC, in other places we use `C2S`/`SC2S`, is this intentional?
> is this intentional?

Only in the sense that I was following the existing format in 4.10. Open to suggestions. Can you elaborate on what you found confusing?
> Can you elaborate on what you found confusing?

Just curious, my thought was, per security level, looks like `Secret Commercial` > `Commercial ...`, so `Secret Commercial ...` should be `Top Secret Region`, and `Commercial ...` should be `Secret Region`.
But since we have fully reviewed in #39769, I agree with current description.
Just wanted to give a little bit of insight on C2S. Commercial Cloud Services (C2S) is the program allowing commercial cloud offerings for IC Agencies. The program has three flavors: Unclassified, Secret, and Top Secret. The official abbreviations for them are UC2S, SC2S, TC2S.
The first classified region stood up was TC2S. Since implementation of the C2S program and initial region took so long to be completed, SC2S was delayed several years. During this time, it became common practice to simply refer to TC2S as C2S.
Thanks @montaguethomas, good to know this background info.
@mjpytlak About
Appreciate the feedback @yunjiang29. PTAL.
@mjpytlak thanks for the updates, /lgtm
LGTM
9b00515 to 3768d99
I had some small nitpicks.
* Secret Commercial Cloud Services (SC2S) | ||
* Commercial Cloud Services (C2S) | ||
|
||
To configure a cluster in either region, modify parameters in the `install config.yaml` file before you install the cluster. |
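Review bot: the file name in the last added line reads `install config.yaml`, with a space where the hyphen belongs; the file is `install-config.yaml`. A reader who searches for or creates the file from this sentence ends up with the wrong name, so fix the hyphen inside the backticks.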
s/modify/change
@@ -82,7 +82,13 @@ If you are working in a disconnected environment, you are unable to reach the pu | |||
endif::aws-china[] | |||
|
|||
ifdef::aws-secret[] | |||
* A cluster in a Top Secret Region is unable to reach the public IP addresses for the EC2 and ELB endpoints. You must create a VPC endpoint and attach it to the subnet that the clusters are using. Name the endpoints as follows: | |||
* A cluster in a SC2S or C2S Region is unable to reach the public IP addresses for the EC2 and ELB endpoints. You must create a VPC endpoint and attach it to the subnet that the clusters are using. Name the endpoints as follows: |
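Review bot: the changed bullet says "You must create a VPC endpoint" in the singular, yet it covers both the EC2 and ELB endpoints and then continues with "Name the endpoints as follows". State that one VPC endpoint is needed per service and that each is attached to the subnet the cluster uses, so that nobody provisions a single endpoint and leaves the other API unreachable from the private subnet.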
Should it be "an SC2S" or "a SC2S"? I keep saying "an SC2S"
/cherrypick enterprise-4.11
@EricPonvelle: new pull request created: #46400 In response to this:
Version(s):
CP to 4.11
Issue:
This PR documents CORS-1951/OSDOCS-3437 (Installer support for AWS Secret Region).
Link to docs preview: