OSDOCS-3437: Installing to the AWS SC2S region #44998
Conversation
openshift-ci
bot
added
the
size/M
✅ Deploy Preview for osdocs ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
mjpytlak
force-pushed
the
osdocs-3437
branch
2 times, most recently
from
0c51be2
to
db559b7
Compare
| @@ -177,6 +177,10 @@ endif::china[] | |||
| ifdef::china[] | |||
| url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn | |||
| endif::china[] | |||
| ifdef::secret[] | |||
| - name: route53 <9> | |||
There was a problem hiding this comment.
Not sure if this can be any string or must be a specific value. Is route53 valid for this field?
There was a problem hiding this comment.
I think specifying the route53 endpoint is no longer required after https://issues.redhat.com/browse/CORS-1896.
| @@ -177,6 +177,10 @@ endif::china[] | |||
| ifdef::china[] | |||
| url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn | |||
| endif::china[] | |||
| ifdef::secret[] | |||
| - name: route53 <9> | |||
| url: https://route53.us-east-1.amazonaws.com | |||
There was a problem hiding this comment.
Based on the AWS doc, I specified us-east-1 as the region. Please confirm that this is valid for our implementation.
|
@patrickdillon Installing to AWS SC2S doc is ready for eng review. Thanks! |
|
Good morning @patrickdillon following up on my review request. Thank you. |
| @@ -177,6 +177,10 @@ endif::china[] | |||
| ifdef::china[] | |||
| url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn | |||
| endif::china[] | |||
| ifdef::secret[] | |||
| - name: route53 <9> | |||
There was a problem hiding this comment.
I think specifying the route53 endpoint is no longer required after https://issues.redhat.com/browse/CORS-1896.
| <8> The ID of the AMI used to boot machines for the cluster. If set, the AMI must belong to the same region as the cluster. | ||
| <9> The AWS service endpoints. Custom endpoints are required when installing to an unknown AWS region. The endpoint URL must use the `https` protocol and the host must trust the certificate. | ||
| + | ||
| If you are installing to the Secret Commercial Cloud Services (SC2S) Region, specifying the Route53 endpoint is required. |
There was a problem hiding this comment.
Similar comment as above, this should not be required for sc2s after https://issues.redhat.com/browse/CORS-1896
|
@yunjiang29 Engineering comments are addressed. Ready for QE review. Thank you. |
| @@ -362,7 +358,7 @@ endif::openshift-origin[] | |||
| endif::private[] | |||
| ifdef::secret[] | |||
| ifndef::openshift-origin[] | |||
| <14> The custom CA certificate. This is required when deploying to the AWS C2S Top Secret Region because the AWS API requires a custom CA trust bundle. | |||
| <14> The custom CA certificate. This is required when deploying to either the SC2S or Commercial Cloud Services (C2S) Regions because the AWS API requires a custom CA trust bundle. | |||
There was a problem hiding this comment.
SC2S or Commercial Cloud Services (C2S) Regions
It is better to be consistent
- SC2S or C2S Regions
or - Secret Commercial Cloud Services (SC2S) or Commercial Cloud Services (C2S) Regions
| @@ -157,7 +157,7 @@ Topics: | |||
| File: installing-aws-private | |||
| - Name: Installing a cluster on AWS into a government region | |||
| File: installing-aws-government-region | |||
| - Name: Installing a cluster on AWS into a Top Secret Region | |||
| - Name: Installing a cluster on AWS into a Secret or Top Secret Region | |||
There was a problem hiding this comment.
Hello @mjpytlak @patrickdillon
I am bit confused by these names:
Top Secret Region==Commercial Cloud Services Regions==C2S RegionsSecret Region==Secret Commercial Cloud Services Regions==SC2S Regions
Is it right?
It looks like we only use Top Secret Region/Secret Region in the title and TOC, in other places we use C2S/SC2S, is this intentional?
There was a problem hiding this comment.
is this intentional?
Only in the sense that I was following the existing format in 4.10. Open to suggestions. Can you elaborate on what you found confusing?
There was a problem hiding this comment.
Can you elaborate on what you found confusing?
Just curious, my thought was, per security level, looks like Secret Commercial > Commercial ..., so Secret Commercial ... should be Top Secret Region, and Commercial ... should be Secret Region.
But since we have fully reviewed in #39769, I agree with current description.
There was a problem hiding this comment.
Just wanted to give a little bit of insight on C2S. Commercial Cloud Services (C2S) is the program allowing commercial cloud offerings for IC Agencies. The program has three flavors: Unclassified, Secret, and Top Secret. The official abbreviations for them are UC2S, SC2S, TC2S.
The first classified region stood up was TC2S. Since implementation of the C2S program and initial region took so long to be completed, SC2S was delayed several years. During this time, it became common practice to simply refer to TC2S as C2S.
There was a problem hiding this comment.
Thanks @montaguethomas, good to know these background info.
|
@mjpytlak About
|
|
Appreciate the feedback @yunjiang29. PTAL. |
|
@mjpytlak thanks for the updates, /lgtm |
|
LGTM |
mjpytlak
force-pushed
the
osdocs-3437
branch
2 times, most recently
from
9b00515
to
3768d99
Compare
| * Secret Commercial Cloud Services (SC2S) | ||
| * Commercial Cloud Services (C2S) | ||
|
|
||
| To configure a cluster in either region, modify parameters in the `install config.yaml` file before you install the cluster. |
| @@ -82,7 +82,13 @@ If you are working in a disconnected environment, you are unable to reach the pu | |||
| endif::aws-china[] | |||
|
|
|||
| ifdef::aws-secret[] | |||
| * A cluster in a Top Secret Region is unable to reach the public IP addresses for the EC2 and ELB endpoints. You must create a VPC endpoint and attach it to the subnet that the clusters are using. Name the endpoints as follows: | |||
| * A cluster in a SC2S or C2S Region is unable to reach the public IP addresses for the EC2 and ELB endpoints. You must create a VPC endpoint and attach it to the subnet that the clusters are using. Name the endpoints as follows: | |||
There was a problem hiding this comment.
Should it be "an SC2S" or "a SC2S"? I keep saying "an SC2S"
|
/cherrypick enterprise-4.11 |
|
@EricPonvelle: new pull request created: #46400 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Version(s):
CP to 4.11
Issue:
This PR documents CORS-1951/OSDOCS-3437 (Installer support for AWS Secret Region).
Link to docs preview: