openshift · xenolinux · Sep 24, 2024 · Sep 19, 2024
diff --git a/hosted_control_planes/hcp-manage/hcp-manage-aws.adoc b/hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
@@ -1,7 +1,34 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="hcp-manage-aws"]
 include::_attributes/common-attributes.adoc[]
-= Managing {hcp} on AWS 
+= Managing {hcp} on {aws-short}
 :context: hcp-managing-aws
 
-toc::[]
+toc::[]
+
+When you use {hcp} for {product-title} on {aws-first}, the infrastructure requirements vary based on your setup.
+
+
+include::modules/hcp-manage-aws-prereq.adoc[leveloffset=+1]
+
+include::modules/hcp-manage-aws-infra-req.adoc[leveloffset=+2]
+
+include::modules/hcp-manage-aws-infra-ho-req.adoc[leveloffset=+2]
+
+include::modules/hcp-unmanaged-aws-hc-prereq.adoc[leveloffset=+2]
+
+include::modules/hcp-managed-aws-infra-mgmt.adoc[leveloffset=+2]
+
+include::modules/hcp-managed-aws-infra-hc.adoc[leveloffset=+2]
+
+include::modules/hcp-k8s-managed-aws-infra-hc.adoc[leveloffset=+2]
+
+include::modules/hcp-managed-aws-iam.adoc[leveloffset=+1]
+
+include::modules/hcp-managed-aws-infra-iam-separate.adoc[leveloffset=+1]
+
+include::modules/hcp-managed-aws-infra-separate.adoc[leveloffset=+2]
+
+include::modules/hcp-managed-aws-iam-separate.adoc[leveloffset=+2]
+
+include::modules/hcp-managed-aws-hc-separate.adoc[leveloffset=+2]
diff --git a/modules/hcp-k8s-managed-aws-infra-hc.adoc b/modules/hcp-k8s-managed-aws-infra-hc.adoc
@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-k8s-managed-aws-infra-hc_{context}"]
+= Kubernetes-managed infrastructure in a hosted cluster {aws-short} account
+
+When Kubernetes manages your infrastructure in a hosted cluster {aws-first} account, the infrastructure requirements are as follows:
+
+* A network load balancer for default Ingress
+* An S3 bucket for registry
diff --git a/modules/hcp-manage-aws-infra-ho-req.adoc b/modules/hcp-manage-aws-infra-ho-req.adoc
@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-manage-aws-infra-ho-req_{context}"]
+= Unmanaged infrastructure for the HyperShift Operator in an {aws-short} account
+
+An arbitrary {aws-first} account depends on the provider of the {hcp} service.
+
+In self-managed {hcp}, the cluster service provider controls the {aws-short} account. The cluster service provider is the administrator who hosts cluster control planes and is responsible for uptime. In managed {hcp}, the {aws-short} account belongs to Red Hat.
+
+In a prerequired and unmanaged infrastructure for the HyperShift Operator, the following infrastructure requirements apply for a management cluster {aws-short} account:
+
+* One S3 Bucket
+** OpenID Connect (OIDC)
+
+* Route 53 hosted zones
+** A domain to host private and public entries for hosted clusters
diff --git a/modules/hcp-manage-aws-infra-req.adoc b/modules/hcp-manage-aws-infra-req.adoc
@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-manage-aws-infra-req_{context}"]
+= Infrastructure requirements for {aws-short}
+
+When you use {hcp} on {aws-first}, the infrastructure requirements fit in the following categories:
+
+* Prerequired and unmanaged infrastructure for the HyperShift Operator in an arbitrary {aws-short} account
+* Prerequired and unmanaged infrastructure in a hosted cluster {aws-short} account
+* {hcp-capital}-managed infrastructure in a management {aws-short} account
+* {hcp-capital}-managed infrastructure in a hosted cluster {aws-short} account
+* Kubernetes-managed infrastructure in a hosted cluster {aws-short} account
+
+Prerequired means that {hcp} requires {aws-short} infrastructure to properly work. Unmanaged means that no Operator or controller creates the infrastructure for you.
diff --git a/modules/hcp-manage-aws-prereq.adoc b/modules/hcp-manage-aws-prereq.adoc
@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-manage-aws-prereq_{context}"]
+= Prerequisites to manage {aws-short} infrastructure and IAM permissions
+
+To configure {hcp} for {product-title} on {aws-first}, you must meet the following the infrastructure requirements:
+
+* You configured {hcp} before you can create hosted clusters.
+* You created an {aws-short} Identity and Access Management (IAM) role and {aws-short} Security Token Service (STS) credentials.
diff --git a/modules/hcp-managed-aws-hc-separate.adoc b/modules/hcp-managed-aws-hc-separate.adoc
@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-managed-aws-hc-separate_{context}"]
+= Creating a hosted cluster separately
+
+You can create a hosted cluster separately on {aws-first}.
+
+To create a hosted cluster separately, enter the following command:
+
+[source,terminal]
+[subs="+quotes"]
+----
+$ hcp create cluster aws \
+    --infra-id <infra_id> \// <1>
+    --name <hosted_cluster_name> \// <2>
+    --sts-creds <path_to_sts_credential_file> \// <3>
+    --pull-secret <path_to_pull_secret> \// <4>
+    --generate-ssh \// <5>
+    --node-pool-replicas 3
+    --role-arn <role_name> <6>
+----
+<1> Replace `<infra_id>` with the same ID that you specified in the `create infra aws` command. This value identifies the IAM resources that are associated with the hosted cluster.
+<2> Replace `<hosted_cluster_name>` with the name of your hosted cluster.
+<3> Replace `<path_to_sts_credential_file>` with the same name that you specified in the `create infra aws` command.
+<4> Replace `<path_to_pull_secret>` with the name of the file that contains a valid {ocp-short} pull secret.
+<5> The `--generate-ssh` flag is optional, but is good to include in case you need to SSH to your workers. An SSH key is generated for you and is stored as a secret in the same namespace as the hosted cluster.
+<6> Replace `<role_name>` with the Amazon Resource Name (ARN), for example, `arn:aws:iam::820196288204:role/myrole`. Specify the Amazon Resource Name (ARN), for example, `arn:aws:iam::820196288204:role/myrole`. For more information about ARN roles, see "Identity and Access Management (IAM) permissions".
+
+You can also add the `--render` flag to the command and redirect output to a file where you can edit the resources before you apply them to the cluster.
+
+After you run the command, the following resources are applied to your cluster:
+
+* A namespace
+* A secret with your pull secret
+* A `HostedCluster`
+* A `NodePool`
+* Three AWS STS secrets for control plane components
+* One SSH key secret if you specified the `--generate-ssh` flag.
diff --git a/modules/hcp-managed-aws-iam-separate.adoc b/modules/hcp-managed-aws-iam-separate.adoc
@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id=" hcp-managed-aws-iam-separate_{context}"]
+= Creating the {aws-short} IAM resources
+
+In {aws-first}, you must create the following IAM resources:
+
+* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[An OpenID Connect (OIDC) identity provider in IAM], which is required to enable STS authentication.
+* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html[Seven roles], which are separate for every component that interacts with the provider, such as the Kubernetes controller manager, cluster API provider, and registry
+* The link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html[instance profile], which is the profile that is assigned to all worker instances of the cluster