From d5c9be6faf0128472d62e992d350a6d88ada299d Mon Sep 17 00:00:00 2001
From: Julie Stickler <jstickler@gmail.com>
Date: Thu, 7 Jul 2022 15:55:24 -0400
Subject: [PATCH] OSSMDOC-522: Update installation for ROSA.

---
 modules/ossm-install-rosa.adoc         | 87 ++++++++++++++++++++++++++
 service_mesh/v2x/ossm-create-smcp.adoc | 11 +++-
 2 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 modules/ossm-install-rosa.adoc

diff --git a/modules/ossm-install-rosa.adoc b/modules/ossm-install-rosa.adoc
new file mode 100644
index 000000000000..bfa23b9afae4
--- /dev/null
+++ b/modules/ossm-install-rosa.adoc
@@ -0,0 +1,87 @@
+////
+This module included in the following assemblies:
+* service_mesh/v2/ossm-create-smcp.adoc
+////
+
+:_content-type: REFERENCE
+[id="ossm-install-rosa_{context}"]
+= Installing on Red Hat OpenShift Service on AWS (ROSA)
+
+Starting with version 2.2, {SMProductName} supports installation on Red Hat OpenShift Service on AWS (ROSA). This section documents the additional requirements when installing Service Mesh on this platform.
+
+[id="ossm-install-rosa-location_{context}"]
+== Installation location
+
+You must create a new namespace, for example `istio-system`, when installing {SMProductName} and creating the `ServiceMeshControlPlane`.
+
+[id="ossm-install-rosa-smcp_{context}"]
+== Required control plane configuration
+
+The default configuration in the `ServiceMeshControlPlane` file does not work on a ROSA cluster. You must modify the default SMCP and set `spec.security.identity.type=ThirdParty` when installing on Red Hat OpenShift Service on AWS.
+
+.Example `ServiceMeshControlPlane` resource for ROSA
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+metadata:
+  name: basic
+  namespace: istio-system
+spec:
+  version: v2.1
+  security:
+    identity:
+      type: ThirdParty  #required setting for ROSA
+  tracing:
+    type: Jaeger
+    sampling: 10000
+  policy:
+    type: Istiod
+  addons:
+    grafana:
+      enabled: true
+    jaeger:
+      install:
+        storage:
+          type: Memory
+    kiali:
+      enabled: true
+    prometheus:
+      enabled: true
+  telemetry:
+    type: Istiod
+----
+
+[id="ossm-install-rosa-kiali-config_{context}"]
+== Restrictions on Kiali configuration
+
+Red Hat OpenShift Service on AWS places additional restrictions on where you can create resources and does not let you create the Kiali resource in a Red Hat managed namespace.
+
+This means that the following common settings for `spec.deployment.accessible_namespaces` are not allowed in a ROSA cluster:
+
+* `['**']`   (all namespaces)
+* `default`
+* `codeready-*`
+* `openshift-*`
+* `redhat-*`
+
+The validation error message provides a complete list of all the restricted namespaces.
+
+.Example `Kiali` resource for ROSA
+[source,yaml]
+----
+apiVersion: kiali.io/v1alpha1
+kind: Kiali
+metadata:
+  name: kiali
+  namespace: istio-system
+spec:
+  auth:
+    strategy: openshift
+  deployment:
+    accessible_namespaces:   #restricted setting for ROSA
+      - istio-system
+    image_pull_policy: ''
+    ingress_enabled: true
+    namespace: istio-system
+----
diff --git a/service_mesh/v2x/ossm-create-smcp.adoc b/service_mesh/v2x/ossm-create-smcp.adoc
index 961c67a30f12..6f999e7bc64d 100644
--- a/service_mesh/v2x/ossm-create-smcp.adoc
+++ b/service_mesh/v2x/ossm-create-smcp.adoc
@@ -6,11 +6,16 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-You can deploy a basic installation of the `ServiceMeshControlPlane` by using either the {product-title} web console or from the command line using the `oc` client tool.
+You can deploy a basic installation of the `ServiceMeshControlPlane`(SMCP) by using either the {product-title} web console or from the command line using the `oc` client tool.
 
 [NOTE]
 ====
-This basic installation is configured based on the default OpenShift settings and is not designed for production use.  Use this default installation to verify your installation, and then configure your `ServiceMeshControlPlane` for your environment.
+This basic installation is configured based on the default OpenShift settings and is not designed for production use. Use this default installation to verify your installation, and then configure your `ServiceMeshControlPlane` for your environment.
+====
+
+[NOTE]
+====
+Red Hat OpenShift Service on AWS (ROSA) places additional restrictions on where you can create resources and as a result the default deployment does not work. See xref:../../service_mesh/v2x/ossm-create-smcp.adoc#ossm-install-rosa_ossm-create-smcp[Installing Service Mesh on Red Hat OpenShift Service on AWS] for additional requirements before deploying your SMCP in a ROSA environment.
 ====
 
 [NOTE]
@@ -26,6 +31,8 @@ include::modules/ossm-validate-smcp-cli.adoc[leveloffset=+1]
 
 include::modules/ossm-validate-smcp-kiali.adoc[leveloffset=+1]
 
+include::modules/ossm-install-rosa.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 == Additional resources