diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml index ad85bb21ab73..ba70402a97c7 100644 --- a/_topic_maps/_topic_map_rosa.yml +++ b/_topic_maps/_topic_map_rosa.yml @@ -233,21 +233,12 @@ Topics: - Name: Prerequisites checklist for deploying ROSA using STS File: rosa-cloud-expert-prereq-checklist - Name: Detailed requirements for deploying ROSA using STS - File: rosa-classic-aws-prereqs -- Name: Detailed requirements for deploying ROSA with HCP - File: rosa-hcp-aws-prereqs -# Hiding this entry until the HCP migration is completed -# - Name: Detailed requirements for deploying ROSA using STS -# File: rosa-sts-aws-prereqs + File: rosa-sts-aws-prereqs - Name: ROSA Classic IAM role resources File: rosa-sts-ocm-role -- Name: ROSA with HCP IAM roles and resources - File: rosa-hcp-prepare-iam-roles-resources ##### NOTE: THE BELOW IS REMOVED AS PART OF OSDOCS-13310 # - Name: Limits and scalability # File: rosa-limits-scalability -#- Name: ROSA with HCP limits and scalability -# File: rosa-hcp-limits-scalability ##### NOTE: THE ABOVE IS REMOVED AS PART OF OSDOCS-13310F - Name: Planning your environment File: rosa-planning-environment diff --git a/_topic_maps/_topic_map_rosa_hcp.yml b/_topic_maps/_topic_map_rosa_hcp.yml index 7569c09c45b7..f2e0bc71e6f0 100644 --- a/_topic_maps/_topic_map_rosa_hcp.yml +++ b/_topic_maps/_topic_map_rosa_hcp.yml 
@@ -164,15 +164,10 @@ Topics: - Name: Prerequisites checklist for deploying ROSA with HCP File: rosa-cloud-expert-prereq-checklist - Name: Detailed requirements for deploying ROSA with HCP - File: rosa-hcp-aws-prereqs -# Hiding this entry until the HCP migration is completed -# - Name: Detailed requirements for deploying ROSA with HCP -# File: rosa-sts-aws-prereqs + File: rosa-sts-aws-prereqs - Name: Required IAM roles and resources File: rosa-hcp-prepare-iam-roles-resources ##### NOTE: THE BELOW IS REMOVED AS PART OF OSDOCS-13310 -# - Name: Limits and scalability -# File: rosa-limits-scalability #- Name: ROSA with HCP limits and scalability # File: rosa-hcp-limits-scalability ##### NOTE: THE ABOVE IS REMOVED AS PART OF OSDOCS-13310 @@ -182,8 +177,6 @@ Topics: File: rosa-sts-setting-up-environment - Name: Planning resource usage in your cluster File: rosa-planning-environment -# - Name: Preparing Terraform to install ROSA clusters -# File: rosa-understanding-terraform --- Name: Install ROSA with HCP clusters Dir: rosa_hcp diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc index 64b3b8f95a71..4fe07bc68d00 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc 
@@ -142,7 +142,7 @@ The default settings are as follows: ** 2 infrastructure nodes ** 2 worker nodes ** No autoscaling -** See the documentation on xref:../../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-ec2-instances_rosa-classic-aws-prereqs[ec2 instances] for more details. +** See the documentation on xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[ec2 instances] for more details. // This link needs to remain hidden until the HCP migration is published // ** See the documentation on xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[ec2 instances] for more details. * Region: As configured for the `aws` CLI diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc index 8f0ea06dcf53..450b1218492b 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc @@ -152,7 +152,7 @@ echo "export PRIVATE_SUBNET_ID=$PRIVATE_SUBNET_ID" + [role="_additional-resources"] .Additional resources -* For more about VPC requirements, see the xref:../../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-vpc_rosa-classic-aws-prereqs[VPC documentation]. +* For more about VPC requirements, see the xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[VPC documentation]. // This link needs to remain hidden until the HCP migration is published // * For more about VPC requirements, see the xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[VPC documentation]. 
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc index d4bb68188c50..860cafeacc75 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc @@ -134,7 +134,7 @@ etcd encryption is configured the same as in OpenShift Container Platform. The a Currently, the ROSA CLI does not accept multi-region KMS keys for EBS encryption. This feature is in our backlog for product updates. The ROSA CLI accepts single region KMS keys for EBS encryption if it is defined at cluster creation. == Infrastructure -ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-classic-aws-prereqs[AWS prerequisites]. +ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[AWS prerequisites]. // This section needs to remain hidden until the HCP migration is published // ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[AWS prerequisites]. diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc index 213250fc5247..54ae3e181758 100644 
--- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc 
@@ -64,7 +64,7 @@ STS roles and policies must be created for each ROSA cluster. To make this easie [id="components-specific-to-rosa-with-sts"] == Components specific to ROSA with STS -* *AWS infrastructure* - This provides the infrastructure required for the cluster. It contains the actual EC2 instances, storage, and networking components. See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see supported instance types for compute nodes and xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-ec2-instances_rosa-classic-aws-prereqs[provisioned AWS infrastructure] for control plane and infrastructure node configuration. +* *AWS infrastructure* - This provides the infrastructure required for the cluster. It contains the actual EC2 instances, storage, and networking components. See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see supported instance types for compute nodes and xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for control plane and infrastructure node configuration. // This section needs to remain hidden until the HCP migration is done // * *AWS infrastructure* - This provides the infrastructure required for the cluster. It contains the actual EC2 instances, storage, and networking components. See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see supported instance types for compute nodes and xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for control plane and infrastructure node configuration. 
* *AWS STS* - See the credential method section above. diff --git a/modules/mos-network-prereqs-min-bandwidth.adoc b/modules/mos-network-prereqs-min-bandwidth.adoc index 090d50ebb72d..f0d03f9d2a35 100644 --- a/modules/mos-network-prereqs-min-bandwidth.adoc +++ b/modules/mos-network-prereqs-min-bandwidth.adoc @@ -7,13 +7,6 @@ [id="mos-network-prereqs-min-bandwidth_{context}"] = Minimum bandwidth -During cluster deployment, -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -requires a minimum bandwidth of 120{nbsp}Mbps between cluster infrastructure and the public internet or private network locations that provide deployment artifacts and resources. When network connectivity is slower than 120{nbsp}Mbps (for example, when connecting through a proxy) the cluster installation process times out and deployment fails. +During cluster deployment, {product-title} requires a minimum bandwidth of 120{nbsp}Mbps between cluster infrastructure and the public internet or private network locations that provide deployment artifacts and resources. When network connectivity is slower than 120{nbsp}Mbps (for example, when connecting through a proxy) the cluster installation process times out and deployment fails. After cluster deployment, network requirements are determined by your workload. However, a minimum bandwidth of 120{nbsp}Mbps helps to ensure timely cluster and operator upgrades. diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc index d46cb994c9db..b2ddefd4ff99 100644 --- a/modules/osd-aws-privatelink-firewall-prerequisites.adoc +++ b/modules/osd-aws-privatelink-firewall-prerequisites.adoc 
@@ -7,7 +7,7 @@ :_mod-docs-content-type: PROCEDURE ifdef::openshift-rosa[] [id="rosa-classic-firewall-prerequisites_{context}"] -= Firewall prerequisites for {rosa-classic-short} clusters using STS += Firewall prerequisites for {product-title} clusters using STS endif::openshift-rosa[] ifdef::openshift-dedicated[] [id="osd-aws-privatelink-firewall-prerequisites_{context}"] @@ -108,7 +108,7 @@ endif::[] |`oidc.op1.openshiftapps.com` |443 -|Used by ROSA for STS implementation with managed OIDC configuration. +|Used by {product-title} for STS implementation with managed OIDC configuration. |=== + . Allowlist the following telemetry URLs: diff --git a/modules/rosa-aws-provisioned.adoc b/modules/rosa-aws-provisioned.adoc index dc36b89f22c6..848100873081 100644 --- a/modules/rosa-aws-provisioned.adoc +++ b/modules/rosa-aws-provisioned.adoc @@ -6,14 +6,7 @@ [id="rosa-aws-policy-provisioned_{context}"] = Provisioned AWS Infrastructure -This is an overview of the provisioned {AWS} components on a deployed -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster. +This is an overview of the provisioned {AWS} components on a deployed {product-title} cluster. [id="rosa-ec2-instances_{context}"] == EC2 instances @@ -22,13 +15,7 @@ AWS EC2 instances are required to deploy ifndef::openshift-rosa-hcp[] the control plane and data plane functions for endif::openshift-rosa-hcp[] -ifdef::openshift-rosa[] -{rosa-classic-short}. -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short}. -endif::openshift-rosa-hcp[] - +{product-title}. ifndef::openshift-rosa-hcp[] Instance types can vary for control plane and infrastructure nodes, depending on the worker node count. 
@@ -213,11 +200,4 @@ can add additional custom security groups during cluster creation. Custom securi * You must create the custom security groups in AWS before you create the cluster. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html[Amazon EC2 security groups for Linux instances]. * You must associate the custom security groups with the VPC that the cluster will be installed into. Your custom security groups cannot be associated with another VPC. -* You might need to request additional quota for your VPC if you are adding additional custom security groups. For information on AWS quota requirements for -ifdef::openshift-rosa[] -{rosa-classic-short}, -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short}, -endif::openshift-rosa-hcp[] -see _Required AWS service quotas_ in _Prepare your environment_. For information on requesting an AWS quota increase, see link:https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase]. +* You might need to request additional quota for your VPC if you are adding additional custom security groups. For information on AWS quota requirements for {product-title} see _Required AWS service quotas_ in _Prepare your environment_. For information on requesting an AWS quota increase, see link:https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase]. diff --git a/modules/rosa-getting-started-install-configure-cli-tools.adoc b/modules/rosa-getting-started-install-configure-cli-tools.adoc index 233c4e6add9d..20c53f09f04b 100644 --- a/modules/rosa-getting-started-install-configure-cli-tools.adoc +++ b/modules/rosa-getting-started-install-configure-cli-tools.adoc 
@@ -44,7 +44,7 @@ $ aws sts get-caller-identity --output text + . Install and configure the latest ROSA CLI (`rosa`). .. Navigate to link:https://console.redhat.com/openshift/downloads[*Downloads*]. -.. Find *Red Hat OpenShift Service on AWS command line interface (`rosa)* in the list of tools and click *Download*. +.. Find *Red Hat OpenShift Service on AWS command line interface (`rosa`)* in the list of tools and click *Download*. + The `rosa-linux.tar.gz` file is downloaded to your default download location. .. Extract the `rosa` binary file from the downloaded archive. The following example extracts the binary from a Linux tar archive: diff --git a/modules/rosa-hcp-firewall-prerequisites.adoc b/modules/rosa-hcp-firewall-prerequisites.adoc index 3cec00259a4d..3efc7da41617 100644 --- a/modules/rosa-hcp-firewall-prerequisites.adoc +++ b/modules/rosa-hcp-firewall-prerequisites.adoc @@ -6,9 +6,9 @@ //TODO OSDOCS-11789: Why is this a procedure and not a reference? [id="rosa-hcp-firewall-prerequisites_{context}"] -= Firewall prerequisites for {rosa-short} += Firewall prerequisites for {product-title} -* If you are using a firewall to control egress traffic from {rosa-short}, your Virtual Private Cloud (VPC) must be able to complete requests from the cluster to the Amazon S3 service, for example, via an Amazon S3 gateway. +* If you are using a firewall to control egress traffic from {product-title}, your Virtual Private Cloud (VPC) must be able to complete requests from the cluster to the Amazon S3 service, for example, via an Amazon S3 gateway. * You must also configure your firewall to grant access to the following domain and port combinations. //TODO OSDOCS-11789: From your deploy machine? From your cluster? diff --git a/modules/rosa-operator-config.adoc b/modules/rosa-operator-config.adoc index c3ea3ee4a312..f81b6173bb62 100644 --- a/modules/rosa-operator-config.adoc +++ b/modules/rosa-operator-config.adoc 
@@ -12,11 +12,11 @@ [id="rosa-operator-config_{context}"] = Creating Operator roles and policies -When you deploy a {rosa-short} cluster, you must create the Operator IAM roles. The cluster Operators use the Operator roles and policies to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage and external access to a cluster. +When you deploy a {product-title} cluster, you must create the Operator IAM roles. The cluster Operators use the Operator roles and policies to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage and external access to a cluster. .Prerequisites -* You have completed the AWS prerequisites for {rosa-short}. +* You have completed the AWS prerequisites for {product-title}. * You have installed and configured the latest ROSA CLI (`rosa`), on your installation host. * You created the account-wide AWS roles. @@ -41,11 +41,11 @@ $ rosa create operator-roles --hosted-cp + -- <1> You must supply a prefix when creating these Operator roles. Failing to do so produces an error. See the Additional resources of this section for information on the Operator prefix. -<2> This value is the OIDC configuration ID that you created for your {rosa-short} cluster. +<2> This value is the OIDC configuration ID that you created for your {product-title} cluster. <3> This value is the installer role ARN that you created when you created the ROSA account roles. -- + -You must include the `--hosted-cp` parameter to create the correct roles for {rosa-short} clusters. This command returns the following information. +You must include the `--hosted-cp` parameter to create the correct roles for {product-title} clusters. This command returns the following information. + .Example output + 
@@ -77,11 +77,11 @@ I: To create a cluster with these roles, run the following command: <2> This field requires you to select an OIDC configuration that you created for your {rosa-short} cluster. -- + -The Operator roles are now created and ready to use for creating your {rosa-short} cluster. +The Operator roles are now created and ready to use for creating your {product-title} cluster. .Verification -* You can list the Operator roles associated with your ROSA account. Run the following command: +* You can list the Operator roles associated with your {product-title} account. Run the following command: + [source,terminal] ---- diff --git a/modules/rosa-planning-environment-application-reqs.adoc b/modules/rosa-planning-environment-application-reqs.adoc index 4697ca5cd9fb..8c25c9e248a1 100644 --- a/modules/rosa-planning-environment-application-reqs.adoc +++ b/modules/rosa-planning-environment-application-reqs.adoc @@ -4,14 +4,7 @@ [id="planning-environment-application-requirements_{context}"] = Planning your environment based on application requirements -This document describes how to plan your -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -environment based on your application requirements. +This document describes how to plan your {product-title} environment based on your application requirements. Consider an example application environment: 
@@ -72,7 +65,7 @@ Some applications lend themselves well to overcommitted environments, and some d The application pods can access a service either by using environment variables or DNS. If using environment variables, for each active service the variables are injected by the kubelet when a pod is run on a node. A cluster-aware DNS server watches the Kubernetes API for new services and creates a set of DNS records for each one. If DNS is enabled throughout your cluster, then all pods should automatically be able to resolve services by their DNS name. Service discovery using DNS can be used in case you must go beyond 5000 services. When using environment variables for service discovery, if the argument list exceeds the allowed length after 5000 services in a namespace, then the pods and deployments will start failing. -Disable the service links in the deployment’s service specification file to overcome this: +Disable the service links in the deployment's service specification file to overcome this: .Example [source,yaml] diff --git a/modules/rosa-prereq-roles-overview.adoc b/modules/rosa-prereq-roles-overview.adoc index e5d302e7e373..8cce6da9186c 100644 --- a/modules/rosa-prereq-roles-overview.adoc +++ b/modules/rosa-prereq-roles-overview.adoc 
@@ -6,23 +6,9 @@ [id="rosa-prereq-roles-overview_{context}"] = Overview of required roles -To create and manage your -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster, you must create several account-wide and cluster-wide roles. If you intend to use {cluster-manager} to create or manage your cluster, you need some additional roles. +To create and manage your {product-title} cluster, you must create several account-wide and cluster-wide roles. If you intend to use {cluster-manager} to create or manage your cluster, you need some additional roles. -To create and manage clusters:: Several account-wide roles are required to create and manage -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -clusters. These roles only need to be created once per AWS account, and do not need to be created fresh for each cluster. One or more AWS managed policies are attached to each role to grant that role the required capabilities. You can specify your own prefix, or use the default prefix (`ManagedOpenShift`). +To create and manage clusters:: Several account-wide roles are required to create and manage {product-title} clusters. These roles only need to be created once per AWS account, and do not need to be created fresh for each cluster. One or more AWS managed policies are attached to each role to grant that role the required capabilities. You can specify your own prefix, or use the default prefix (`ManagedOpenShift`). + [NOTE] ==== 
@@ -30,9 +16,9 @@ Role names are limited to a maximum length of 64 characters in AWS IAM. When the ==== ifdef::openshift-rosa-hcp[] + -For {hcp-title} clusters, you must create the following account-wide roles and attach the indicated AWS managed policies: +For {product-title} clusters, you must create the following account-wide roles and attach the indicated AWS managed policies: + -.Required account roles and AWS policies for {hcp-title} +.Required account roles and AWS policies for {product-title} [options="header"] |=== | Role name | AWS policy names @@ -68,7 +54,7 @@ Role creation does not request your AWS access or secret keys. AWS Security Toke To use Operator-managed cluster capabilities:: Some cluster capabilities, including several capabilities provided by default, are managed using Operators. Cluster-specific Operator roles (`operator-roles` in the ROSA CLI) are required to use these capabilities. These roles are used to obtain the temporary permissions required to carry out cluster operations such as managing back-end storage, ingress, and registry. Obtaining these permissions requires the configuration of an OpenID Connect (OIDC) provider, which connects to AWS Security Token Service (STS) to authenticate Operator access to AWS resources. ifndef::openshift-rosa-hcp[] + -The following Operator roles are required for {rosa-classic-short} clusters: +The following Operator roles are required for {product-title} clusters: ** `openshift-cluster-csi-drivers-ebs-cloud-credentials` ** `openshift-cloud-network-config-controller-cloud-credentials` 
@@ -81,7 +67,7 @@ The following Operator roles are required for {rosa-classic-short} clusters: endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] + -For {rosa-short} clusters, you must create the following Operator roles and attach the indicated AWS Managed policies: +For {product-title} clusters, you must create the following Operator roles and attach the indicated AWS Managed policies: + .Required Operator roles and AWS Managed policies for {hcp-title} [options="header"] diff --git a/modules/rosa-required-aws-service-quotas.adoc b/modules/rosa-required-aws-service-quotas.adoc index 3245a6342d49..47cd73328053 100644 --- a/modules/rosa-required-aws-service-quotas.adoc +++ b/modules/rosa-required-aws-service-quotas.adoc @@ -6,16 +6,9 @@ [id="rosa-required-aws-service-quotas_{context}"] = Required AWS service quotas -The table below describes the AWS service quotas and levels required to create and run one -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster. Although most default values are suitable for most workloads, you might need to request additional quota for the following cases: +The table below describes the AWS service quotas and levels required to create and run one {product-title} cluster. Although most default values are suitable for most workloads, you might need to request additional quota for the following cases: -* ROSA clusters require a minimum AWS EC2 service quota of +* {product-title} clusters require a minimum AWS EC2 service quota of ifndef::openshift-rosa-hcp[] 100{nbsp}vCPUs endif::[] 
@@ -35,7 +28,7 @@ The AWS SDK allows ROSA to check quotas, but the AWS SDK calculation does not ac If you need to modify or increase a specific AWS quota, see Amazon's documentation on link:https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html[requesting a quota increase]. Large quota requests are submitted to Amazon Support for review, and can take some time to be approved. If your quota request is urgent, contact AWS Support. -.ROSA-required service quota +.{product-title}-required service quota [options="header"] |=== @@ -74,7 +67,7 @@ ifndef::openshift-rosa-hcp[] 300 endif::[] ifdef::openshift-rosa-hcp[] -:fn-hcp-storage-quota: footnote:[The default quota of 50{nbsp}TiB is more than {hcp-title} clusters require; however, because AWS cost is based on usage rather than quota, Red{nbsp}Hat recommends using the default quota.] +:fn-hcp-storage-quota: footnote:[The default quota of 50{nbsp}TiB is more than {product-title} clusters require; however, because AWS cost is based on usage rather than quota, Red{nbsp}Hat recommends using the default quota.] 1{fn-hcp-storage-quota} endif::[] a| The maximum aggregated amount of storage, in TiB, that can be provisioned across General Purpose SSD (gp3) volumes in this Region. diff --git a/modules/rosa-requirements-deploying-in-opt-in-regions.adoc b/modules/rosa-requirements-deploying-in-opt-in-regions.adoc index af33a260d5e9..914e42140ae1 100644 --- a/modules/rosa-requirements-deploying-in-opt-in-regions.adoc +++ b/modules/rosa-requirements-deploying-in-opt-in-regions.adoc 
@@ -5,14 +5,7 @@ [id="rosa-requirements-deploying-in-opt-in-regions_{context}"] = Requirements for deploying a cluster in an opt-in region -An AWS opt-in region is a region that is not enabled in your AWS account by default. If you want to deploy a -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster that uses the AWS Security Token Service (STS) in an opt-in region, you must meet the following requirements: +An AWS opt-in region is a region that is not enabled in your AWS account by default. If you want to deploy a {product-title} cluster that uses the AWS Security Token Service (STS) in an opt-in region, you must meet the following requirements: * The region must be enabled in your AWS account. For more information about enabling opt-in regions, see link:https://docs.aws.amazon.com/general/latest/gr/rande-manage.html[Managing AWS Regions] in the AWS documentation. * The security token version in your AWS account must be set to version 2. You cannot use version 1 security tokens for opt-in regions. diff --git a/modules/rosa-setting-the-aws-security-token-version.adoc b/modules/rosa-setting-the-aws-security-token-version.adoc index 0e6c0d11739e..34194107292f 100644 --- a/modules/rosa-setting-the-aws-security-token-version.adoc +++ b/modules/rosa-setting-the-aws-security-token-version.adoc 
@@ -6,14 +6,7 @@ [id="rosa-setting-the-aws-security-token-version_{context}"] = Setting the AWS security token version -If you want to create a -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster with the AWS Security Token Service (STS) in an AWS opt-in region, you must set the security token version to version 2 in your AWS account. +If you want to create a {product-title} cluster with the AWS Security Token Service (STS) in an AWS opt-in region, you must set the security token version to version 2 in your AWS account. .Prerequisites diff --git a/modules/rosa-sts-about-ocm-role.adoc b/modules/rosa-sts-about-ocm-role.adoc index 1ce1f10f4497..7a93003fdede 100644 --- a/modules/rosa-sts-about-ocm-role.adoc +++ b/modules/rosa-sts-about-ocm-role.adoc @@ -5,7 +5,7 @@ [id="rosa-sts-about-ocm-role_{context}"] = About the ocm-role IAM resource -You must create the `ocm-role` IAM resource to enable a Red{nbsp}Hat organization of users to create {rosa-classic-short} clusters. Within the context of linking to AWS, a Red{nbsp}Hat organization is a single user within {cluster-manager}. +You must create the `ocm-role` IAM resource to enable a Red{nbsp}Hat organization of users to create {product-title} clusters. Within the context of linking to AWS, a Red{nbsp}Hat organization is a single user within {cluster-manager}. Some considerations for your `ocm-role` IAM resource are: diff --git a/modules/rosa-sts-about-user-role.adoc b/modules/rosa-sts-about-user-role.adoc index dde41c9134af..516e78f28017 100644 --- a/modules/rosa-sts-about-user-role.adoc +++ b/modules/rosa-sts-about-user-role.adoc 
@@ -5,7 +5,7 @@ [id="rosa-sts-about-user-role_{context}"] = About the user-role IAM role -You need to create a `user-role` IAM role per web UI user to enable those users to create ROSA clusters. +You need to create a `user-role` IAM role per web UI user to enable those users to create {product-title} clusters. Some considerations for your `user-role` IAM role are: diff --git a/modules/rosa-sts-aws-requirements-association-concept.adoc b/modules/rosa-sts-aws-requirements-association-concept.adoc index 65aead057d69..85ed901d9a66 100644 --- a/modules/rosa-sts-aws-requirements-association-concept.adoc +++ b/modules/rosa-sts-aws-requirements-association-concept.adoc @@ -6,13 +6,6 @@ [id="rosa-associating-concept_{context}"] = AWS account association -When you provision -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -using {cluster-manager} (`console.redhat.com`), you must associate the `ocm-role` and `user-role` IAM roles with your AWS account using your Amazon Resource Name (ARN). This association process is also known as _account linking_. +When you provision {product-title} using {cluster-manager} (`console.redhat.com`), you must associate the `ocm-role` and `user-role` IAM roles with your AWS account using your Amazon Resource Name (ARN). This association process is also known as _account linking_. The `ocm-role` ARN is stored as a label in your Red{nbsp}Hat organization while the `user-role` ARN is stored as a label inside your Red{nbsp}Hat user account. Red{nbsp}Hat uses these ARN labels to confirm that the user is a valid account holder and that the correct permissions are available to perform provisioning tasks in the AWS account. diff --git a/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc b/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc index 940791dbda04..09408ab77c5a 100644 
--- a/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc +++ b/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc @@ -9,7 +9,7 @@ = Permission boundaries for the installer role You can apply a policy as a _permissions boundary_ on an installer role. -You can use an AWS-managed policy or a customer-managed policy to set the boundary for an Amazon Web Services (AWS) Identity and Access Management (IAM) entity (user or role). The combination of policy and boundary policy limits the maximum permissions for the user or role. ROSA includes a set of three prepared permission boundary policy files, with which you can restrict permissions for the installer role since changing the installer policy itself is not supported. +You can use an AWS-managed policy or a customer-managed policy to set the boundary for an Amazon Web Services (AWS) Identity and Access Management (IAM) entity (user or role). The combination of policy and boundary policy limits the maximum permissions for the user or role. {product-title} includes a set of three prepared permission boundary policy files, with which you can restrict permissions for the installer role since changing the installer policy itself is not supported. [NOTE] ==== 
@@ -18,17 +18,10 @@ This feature is only supported on {rosa-classic-short} clusters. The permission boundary policy files are as follows: -* The _Core_ boundary policy file contains the minimum permissions needed for ROSA installer to install an -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster. +* The _Core_ boundary policy file contains the minimum permissions needed for ROSA installer to install an {product-title} cluster. The installer does not have permissions to create a virtual private cloud (VPC) or PrivateLink (PL). A VPC needs to be provided. -* The _VPC_ boundary policy file contains the minimum permissions needed for ROSA installer to create/manage the VPC. It does not include permissions for PL or core installation. If you need to install a cluster with enough permissions for the installer to install the cluster and create/manage the VPC, but you do not need to set up PL, then use the core and VPC boundary files together with the installer role. -* The _PrivateLink (PL)_ boundary policy file contains the minimum permissions needed for ROSA installer to create the AWS PL with a cluster. It does not include permissions for VPC or core installation. Provide a pre-created VPC for all PL clusters during installation. +* The _VPC_ boundary policy file contains the minimum permissions needed for {product-title} installer to create/manage the VPC. It does not include permissions for PL or core installation. If you need to install a cluster with enough permissions for the installer to install the cluster and create/manage the VPC, but you do not need to set up PL, then use the core and VPC boundary files together with the installer role. +* The _PrivateLink (PL)_ boundary policy file contains the minimum permissions needed for {product-title} installer to create the AWS PL with a cluster. It does not include permissions for VPC or core installation. 
Provide a pre-created VPC for all PL clusters during installation. When using the permission boundary policy files, the following combinations apply: @@ -44,14 +37,7 @@ When using the permission boundary policy files, the following combinations appl ** You must have a customer-provided VPC. ** This is for a private cluster with PL. -This example procedure is applicable for an installer role and policy with the most restriction of permissions, using only the _core_ installer permission boundary policy for -ifdef::openshift-rosa[] -{rosa-classic-short}. -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short}. -endif::openshift-rosa-hcp[] -You can complete this with the AWS console or the AWS CLI. This example uses the AWS CLI and the following policy: +This example procedure is applicable for an installer role and policy with the most restriction of permissions, using only the _core_ installer permission boundary policy for {product-title}. You can complete this with the AWS console or the AWS CLI. This example uses the AWS CLI and the following policy: .`sts_installer_core_permission_boundary_policy.json` [%collapsible] @@ -134,8 +120,6 @@ $ aws iam get-role --role-name ManagedOpenShift-Installer-Role \ ---- PERMISSIONSBOUNDARY arn:aws:iam:::policy/rosa-core-permissions-boundary-policy Policy ---- -+ - + For more examples of PL and VPC permission boundary policies see: + diff --git a/modules/rosa-sts-aws-requirements-creating-multi-association.adoc b/modules/rosa-sts-aws-requirements-creating-multi-association.adoc index 6e1819916daf..e3393b064a13 100644 --- a/modules/rosa-sts-aws-requirements-creating-multi-association.adoc +++ b/modules/rosa-sts-aws-requirements-creating-multi-association.adoc 
@@ -7,14 +7,7 @@ [id="rosa-associating-multiple-account_{context}"] = Associating multiple AWS accounts with your Red{nbsp}Hat organization -You can associate multiple AWS accounts with your Red{nbsp}Hat organization. Associating multiple accounts lets you create -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -clusters on any of the associated AWS accounts from your Red{nbsp}Hat organization. +You can associate multiple AWS accounts with your Red{nbsp}Hat organization. Associating multiple accounts lets you create {product-title} clusters on any of the associated AWS accounts from your Red{nbsp}Hat organization. With this capability, you can create clusters on different AWS profiles according to characteristics that make sense for your business, for example, by using one AWS profile for each region to create region-bound environments. @@ -24,13 +17,7 @@ With this capability, you can create clusters on different AWS profiles accordin * You are using {cluster-manager-url} to create clusters. * You have the permissions required to install AWS account-wide roles. * You have installed and configured the latest AWS (`aws`) and ROSA (`rosa`) CLIs on your installation host. -* You have created the `ocm-role` and `user-role` IAM roles for -ifdef::openshift-rosa[] -{rosa-classic-short}. -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short}. -endif::openshift-rosa-hcp[] +* You have created the `ocm-role` and `user-role` IAM roles for {product-title}. .Procedure diff --git a/modules/rosa-sts-aws-requirements-support-req.adoc b/modules/rosa-sts-aws-requirements-support-req.adoc index 7ba7d1f20b81..d44e268a48b9 100644 --- a/modules/rosa-sts-aws-requirements-support-req.adoc +++ b/modules/rosa-sts-aws-requirements-support-req.adoc 
@@ -7,11 +7,4 @@ * Red{nbsp}Hat recommends that the customer have at least link:https://aws.amazon.com/premiumsupport/plans/[Business Support] from AWS. * Red{nbsp}Hat may have permission from the customer to request AWS support on their behalf. * Red{nbsp}Hat may have permission from the customer to request AWS resource limit increases on the customer's account. -* Red{nbsp}Hat manages the restrictions, limitations, expectations, and defaults for all -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -clusters in the same manner, unless otherwise specified in this requirements section. +* Red{nbsp}Hat manages the restrictions, limitations, expectations, and defaults for all {product-title} clusters in the same manner, unless otherwise specified in this requirements section. diff --git a/modules/rosa-sts-setting-up-environment.adoc b/modules/rosa-sts-setting-up-environment.adoc index 63e710914e41..f095ea33fc6f 100644 --- a/modules/rosa-sts-setting-up-environment.adoc +++ b/modules/rosa-sts-setting-up-environment.adoc 
@@ -6,19 +6,12 @@ [id="rosa-sts-setting-up-environment_{context}"] = Setting up the environment for STS -Before you create a -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster that uses the AWS Security Token Service (STS), complete the following steps to set up your environment. +Before you create a {product-title} cluster that uses the AWS Security Token Service (STS), complete the following steps to set up your environment. .Prerequisites * Review and complete the deployment prerequisites and policies. -* Create a link:https://cloud.redhat.com[Red{nbsp}Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA. +* Create a link:https://cloud.redhat.com[Red{nbsp}Hat account], if you do not already have one. Then, check your email for a verification link. You will need these credentials to install {product-title}. .Procedure 
@@ -28,9 +21,9 @@ It is recommended to use a dedicated AWS account to run production clusters. If + If you are using AWS Organizations and you need to have a service control policy (SCP) applied to the AWS account you plan to use, these policies must not be more restrictive than the roles and policies required by the cluster. + -. Enable the ROSA service in the AWS Management Console. +. Enable {product-title} in the AWS Management Console. .. Sign in to your link:https://console.aws.amazon.com/rosa/home[AWS account]. -.. To enable ROSA, go to the link:https://console.aws.amazon.com/rosa/[ROSA service] and select *Enable OpenShift*. +.. To enable {product-title}, go to the link:https://console.aws.amazon.com/rosa/[ROSA service] and select *Enable OpenShift*. . Install and configure the AWS CLI. .. Follow the AWS command-line interface documentation to link:https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html[install] and link:https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html[configure] the AWS CLI for your operating system. @@ -44,7 +37,7 @@ Specify the correct `aws_access_key_id` and `aws_secret_access_key` in the `.aws You can use the environment variable to set the default AWS region. ==== + -The ROSA service evaluates regions in the following priority order: +{product-title} evaluates regions in the following priority order: + ... The region specified when running the `rosa` command with the `--region` flag. ... The region set in the `AWS_DEFAULT_REGION` environment variable. See link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html[Environment variables to configure the AWS CLI] in the AWS documentation. 
@@ -83,8 +76,7 @@ $ rosa .Example output [source,terminal] ---- -Command-line tool for Red Hat OpenShift Service on AWS. -For further documentation visit https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws +Command-line tool for {product-title}. For further documentation visit https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws Usage: rosa [command] @@ -158,14 +150,7 @@ To login to your Red Hat account, get an offline access token at https://console I: Logged in as '' on 'https://api.openshift.com' ---- -. Verify that your AWS account has the necessary quota to deploy a -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster. +. Verify that your AWS account has the necessary quota to deploy a {product-title} cluster. + [source,terminal] ---- diff --git a/networking/network_security/network-verification.adoc b/networking/network_security/network-verification.adoc index 643b9424c358..a87859b53e9c 100644 --- a/networking/network_security/network-verification.adoc +++ b/networking/network_security/network-verification.adoc 
@@ -41,9 +41,7 @@ ifdef::openshift-dedicated[] * Egress is available to the required domain and port combinations that are specified in the xref:../../osd_planning/aws-ccs.adoc#osd-aws-privatelink-firewall-prerequisites_aws-ccs[AWS firewall prerequisites] section. endif::openshift-dedicated[] ifdef::openshift-rosa[] -* Egress is available to the required domain and port combinations that are specified in the xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites] section. -// This link needs to reamin hidden until the HCP migration is published -// * Egress is available to the required domain and port combinations that are specified in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] section. +* Egress is available to the required domain and port combinations that are specified in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] section. endif::openshift-rosa[] include::modules/automatic-network-verification-bypassing.adoc[leveloffset=+1] diff --git a/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc b/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc index bbf334246bab..9e960d2d9bd2 100644 --- a/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc +++ b/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc 
@@ -33,9 +33,7 @@ include::modules/cluster-wide-proxy-preqs.adoc[leveloffset=+1] .Additional resources ifdef::openshift-rosa[] -* For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prerequisites[AWS prerequisites for ROSA with STS]. -// This section needs to remain hidden until the HCP migration is completed -// * For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[AWS prerequisites for ROSA with STS]. +* For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[AWS prerequisites for ROSA with STS]. * For the installation prerequisites for ROSA clusters that do not use STS, see xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#prerequisites[AWS prerequisites for ROSA]. endif::openshift-rosa[] ifdef::openshift-dedicated[] diff --git a/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc b/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc index 19d8c3d8cb1e..7f634278d4f3 100644 --- a/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc +++ b/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc 
@@ -39,9 +39,7 @@ ROSA policies grant cluster software components with least-privilege permissions [id="components-specific-to-rosa-hcp-with-sts"] == Components of {hcp-title} -* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-hcp-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-ec2-instances_rosa-hcp-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. -// This link remains hidden until the migration is completed -//* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-hcp-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. +* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-hcp-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. 
* *AWS STS* - A method for granting short-term, dynamic tokens to provide users the necessary permissions to temporarily interact with your AWS account resources. * *OpenID Connect (OIDC)* - A mechanism for cluster Operators to authenticate with AWS, assume the cluster roles through a trust policy, and obtain temporary credentials from AWS IAM STS to make the required API calls. * *Roles and policies* - The roles and policies used by {hcp-title} can be divided into account-wide roles and policies and Operator roles and policies. diff --git a/rosa_architecture/rosa-sts-about-iam-resources.adoc b/rosa_architecture/rosa-sts-about-iam-resources.adoc index 11221792e79d..7a35266f2dd6 100644 --- a/rosa_architecture/rosa-sts-about-iam-resources.adoc +++ b/rosa_architecture/rosa-sts-about-iam-resources.adoc @@ -61,7 +61,7 @@ endif::openshift-rosa-hcp[] If you create ROSA clusters by using {cluster-manager-url}, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. ifndef::openshift-rosa-hcp[] - For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-associating-account_rosa-classic-aws-prereqs[Associating your AWS account]. + For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. // This section needs to remain hidden until the migration is completed // For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. endif::openshift-rosa-hcp[] 
@@ -89,7 +89,7 @@ include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2] AWS IAM roles link to your AWS account to create and manage the clusters. ifndef::openshift-rosa-hcp[] -For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-associating-account_rosa-classic-aws-prereqs[Associating your AWS account]. +For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. // This section needs to remain hidden until the migration is completed // For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. endif::openshift-rosa-hcp[] diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc index 5d789c425b90..b7421594d906 100644 --- a/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc +++ b/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc 
@@ -13,9 +13,7 @@ include::modules/rosa-policy-responsibilities.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources ifdef::openshift-rosa[] -* xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] -// This link must remain hidden and changed until the migration is completed -// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] endif::openshift-rosa[] ifdef::openshift-dedicated[] * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] 
@@ -45,19 +43,11 @@ include::modules/rosa-policy-change-management.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources ifdef::openshift-rosa-hcp[] -* xref:../../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[Firewall prerequisites for {hcp-title}] -// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[Firewall prerequisites for {hcp-title}] +* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {product-title}] endif::openshift-rosa-hcp[] ifdef::openshift-rosa[] -* xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] endif::openshift-rosa[] -// These links need to remain hidden until HCP is published -// ifdef::openshift-rosa-hcp[] -// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {hcp-title}] -// endif::openshift-rosa-hcp[] -// ifdef::openshift-rosa[] -// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] -// endif::openshift-rosa[] ifdef::openshift-dedicated[] * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] endif::openshift-dedicated[] diff --git a/rosa_cluster_admin/rosa-cluster-notifications.adoc b/rosa_cluster_admin/rosa-cluster-notifications.adoc index d3b068712484..f66b5a2d6b8a 100644 
--- a/rosa_cluster_admin/rosa-cluster-notifications.adoc +++ b/rosa_cluster_admin/rosa-cluster-notifications.adoc @@ -62,9 +62,7 @@ include::modules/managed-cluster-remove-notification-contacts.adoc[leveloffset=+ ifndef::openshift-rosa-hcp[] * Ensure that your firewall is configured according to the documented prerequisites: ifdef::openshift-rosa[] -** xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] -// This link needs to remain hidden until the HCP migration is published -// ** xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +** xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {product-title} clusters using STS] endif::openshift-rosa[] ifdef::openshift-dedicated[] ** xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] diff --git a/rosa_getting_started/rosa-getting-started.adoc b/rosa_getting_started/rosa-getting-started.adoc index 5152112273aa..026e9ed1475e 100644 --- a/rosa_getting_started/rosa-getting-started.adoc +++ b/rosa_getting_started/rosa-getting-started.adoc 
@@ -24,9 +24,7 @@ You can create a ROSA cluster either with or without the AWS Security Token Serv // Removed as part of OSDOCS-13310, until figures are verified. //xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[limits and scalability] and -* You have reviewed the detailed xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. -// This link must remain hidden until HCP is published -// * You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * You have the xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[AWS service quotas that are required to run a ROSA cluster]. 
@@ -90,9 +88,7 @@ include::modules/rosa-getting-started-deleting-a-cluster.adoc[leveloffset=+1] [id="additional-resources_{context}"] == Additional resources -* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow] -// This link needs to remain hidden until HCP migration is published -// * For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow] +* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow] * For more information about setting up accounts and ROSA clusters without using AWS STS, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow] diff --git a/rosa_getting_started/rosa-quickstart-guide-ui.adoc b/rosa_getting_started/rosa-quickstart-guide-ui.adoc index 236e62a1a090..37648402e830 100644 --- a/rosa_getting_started/rosa-quickstart-guide-ui.adoc +++ b/rosa_getting_started/rosa-quickstart-guide-ui.adoc 
@@ -26,9 +26,7 @@ image::291_OpenShift_on_AWS_Intro_1122_docs.png[{product-title}] // Removed as part of OSDOCS-13310, until figures are verified. // xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[limits and scalability] and -* You have reviewed the detailed xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. -// This link is hidden until HCP migration is published -// * You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * You have the xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[AWS service quotas that are required to run a ROSA cluster]. 
@@ -165,9 +163,7 @@ include::modules/rosa-getting-started-deleting-a-cluster.adoc[leveloffset=+1] [id="additional-resources_{context}"] == Additional resources -* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]. -// This link is hidden until HCP migration is published -// * For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]. +* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]. * For more information about setting up accounts and ROSA clusters without using AWS STS, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]. diff --git a/rosa_getting_started/rosa-sts-getting-started-workflow.adoc b/rosa_getting_started/rosa-sts-getting-started-workflow.adoc index d18ca5407968..e5399c550edb 100644 --- a/rosa_getting_started/rosa-sts-getting-started-workflow.adoc +++ b/rosa_getting_started/rosa-sts-getting-started-workflow.adoc 
@@ -17,9 +17,7 @@ The AWS Security Token Service (STS) is a global web service that provides short You can follow the workflow stages outlined in this section to set up and access a ROSA cluster that uses STS. -. xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[Complete the AWS prerequisites for ROSA with STS]. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements. -// This link needs to remain hidden until HCP is published -// . xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Complete the AWS prerequisites for ROSA with STS]. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements. +. xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Complete the AWS prerequisites for ROSA with STS]. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements. . xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Review the required AWS service quotas]. To prepare for your cluster deployment, review the AWS service quotas that are required to run a ROSA cluster. . xref:../rosa_planning/rosa-sts-setting-up-environment.adoc#rosa-sts-setting-up-environment[Set up the environment and install ROSA using STS]. Before you create a ROSA with STS cluster, you must enable ROSA in your AWS account, install and configure the required CLI tools, and verify the configuration of the CLI tools. You must also verify that the AWS Elastic Load Balancing (ELB) service role exists and that the required AWS resource quotas are available. . xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Create a ROSA cluster with STS quickly] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[create a cluster using customizations]. 
Use the ROSA CLI (`rosa`) or {cluster-manager-first} to create a cluster with STS. You can create a cluster quickly by using the default options, or you can apply customizations to suit the needs of your organization. diff --git a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc index 5e6520ed5e51..b92199eb816f 100644 --- a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc +++ b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc 
@@ -22,16 +22,13 @@ ifdef::openshift-rosa[] xref:../rosa_install_access_delete_clusters/rosa-sts-config-identity-providers.adoc#rosa-sts-config-identity-providers[Configuring identity providers] endif::openshift-rosa[] +ifdef::openshift-rosa-hcp[] [role="_additional-resources"] [id="additional-resources_rosa-hcp-aws-privatelink-creating-cluster"] == Additional resources -* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS PrivateLink firewall prerequisites] -// Commenting out until pruning of other books is complete as these are breaking the build for Pruning Support task -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[AWS PrivateLink firewall prerequisites] -//* xref:../rosa_getting_started/rosa-sts-getting-started-workflow.adoc#rosa-sts-overview-of-the-deployment-workflow[Overview of the ROSA with STS deployment workflow] -//* xref:../rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc#rosa-sts-deleting-cluster[Deleting a ROSA cluster] -//* xref:../architecture/rosa-architecture-models.adoc#rosa-architecture-models[ROSA architecture models] -ifdef::openshift-rosa-hcp[] -* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[AWS PrivateLink firewall prerequisites] +* xref:../rosa_hcp/rosa-hcp-deleting-cluster.adoc#rosa-hcp-deleting-cluster[Deleting a {product-title} cluster] +* xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-hcp-architecture_rosa-architecture-models[{product-title} architecture models] +* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting {product-title} cluster installations] endif::openshift-rosa-hcp[] \ No 
newline at end of file diff --git a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc index 2ae0f97cc603..7368be74de9a 100644 --- a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc +++ b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc @@ -26,9 +26,7 @@ If you choose to use your own CNI for {product-title} clusters, it is strongly r == Creating a {product-title} cluster without a CNI plugin === Prerequisites -* Ensure that you have completed the xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites]. -// This link needs to remain hidden until HCP is published -// * Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. +* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-prereqs[AWS prerequisites]. * Ensure that you have a configured xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[virtual private cloud] (VPC). diff --git a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc index ba463f092036..c3f7e65b18b3 100644 --- a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc +++ b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc 
@@ -95,9 +95,7 @@ ifndef::openshift-rosa-hcp[] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] -* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] -// This link needs to be hidden until HCP migration is published -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] endif::openshift-rosa-hcp[] diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc index 6575728254ca..b70602b8ed56 100644 --- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc +++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc 
@@ -34,9 +34,7 @@ endif::openshift-rosa-hcp[] To create a {product-title} cluster, you must have completed the following steps: ifndef::openshift-rosa-hcp[] -* Completed the xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites] -// This link must remain hidden until HCP migration is published -// * Completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites] +* Completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites] endif::openshift-rosa-hcp[] * xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[Configured virtual private cloud (VPC)] * Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles] 
@@ -82,10 +80,7 @@ include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-c // * To learn more about the default CIDR ranges for {product-title}, see xref:#../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions]. * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] -* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] -// This link needs to be hidden until HCP migration is published -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]] -//* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation. ifdef::openshift-rosa-hcp[] * xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations] diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc index b5f7ff032223..e6c519742e82 100644 --- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc +++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc 
@@ -125,14 +125,14 @@ ifndef::openshift-rosa,openshift-rosa-hcp[] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS] * xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups] -endif::openshift-rosa,openshift-rosa-hcp[] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] * xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] +endif::openshift-rosa,openshift-rosa-hcp[] // This link needs to be hidden until HCP migration is published // * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] ifndef::openshift-rosa,openshift-rosa-hcp[] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] * xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting {product-title} installations] * xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS] -endif::openshift-rosa,openshift-rosa-hcp[] \ 
No newline at end of file diff --git a/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc b/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc index cf541cefa1c2..e447a59c7224 100644 --- a/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc +++ b/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc @@ -21,18 +21,11 @@ include::modules/osd-aws-privatelink-config-dns-forwarding.adoc[leveloffset=+1] == Additional resources ifdef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[Firewall prerequisites for {hcp-title}] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {product-title}] endif::openshift-rosa-hcp[] ifdef::openshift-rosa[] -* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {product-title} clusters using STS] endif::openshift-rosa[] -// These links must remain hidden until HCP is migrated -// ifdef::openshift-rosa-hcp[] -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {hcp-title}] -// endif::openshift-rosa-hcp[] -// ifdef::openshift-rosa[] -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] -// endif::openshift-rosa[] ifdef::openshift-dedicated[] * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] endif::openshift-dedicated[] 
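Review bot: In rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc (hunk `@@ -125,14 +125,14 @@`), the trailing `-endif::openshift-rosa,openshift-rosa-hcp[]` is removed with no `+endif` to replace it, so the second `ifndef::openshift-rosa,openshift-rosa-hcp[]` block is left open to the end of the file. The old and new line counts both come to 14 only because the first `endif` was moved down two lines, not because the last one was kept. Please restore the closing `endif` after the "Getting support" bullet. Two smaller points in the same hunk: the block now carries two bullets titled "AWS prerequisites for ROSA with STS", one still pointing at `rosa-hcp-aws-prereqs.adoc` (a target the other hunks in this patch replace) and the new one pointing at `rosa-sts-aws-prereqs.adoc`, so the old bullet should be dropped. The `// This link needs to be hidden until HCP migration is published` comment and its commented-out xref are also left in place here, while the other files in this patch remove them.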
diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc index ca9e895c540d..2ab9f404456d 100644 --- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc +++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc @@ -20,9 +20,7 @@ Alternatively, you can use `manual` mode, which outputs the `aws` commands neede [id="next-steps_{context}"] .Next steps -* Ensure that you have completed the xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites]. -// This link must remain hidden until the HCP migration is completed -// * Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. +* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites]. include::snippets/oidc-cloudfront.adoc[] include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1] include::modules/rosa-sts-understanding-aws-account-association.adoc[leveloffset=+1] 
@@ -73,9 +71,7 @@ include::modules/rosa-sts-creating-a-cluster-quickly-cli.adoc[leveloffset=+1] * For steps to deploy a ROSA cluster using manual mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations]. * For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS]. * For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]. -* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. -// This link needs to remain hidden until the HCP migration is completed -// * For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes]. 
* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation. * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations]. diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc index b3168eed819f..5af56d65e055 100644 --- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc +++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc 
@@ -78,9 +78,7 @@ include::modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc[levelo * For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS]. * For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]. * For an overview of the options that are presented when you create the AWS IAM resources and clusters by using interactive mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc#rosa-sts-interactive-mode-reference[Interactive cluster creation mode reference]. -* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. -// This link needs to remain hidden until the HCP migration is completed -// * For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation. 
* For more information about etcd encryption, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-etcd-encryption_rosa-service-definition[etcd encryption service definition]. * For information about configuring a proxy with ROSA, see xref:../networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy]. diff --git a/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc b/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc index 729b452ca569..981cf76719f1 100644 --- a/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc +++ b/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc 
@@ -20,6 +20,4 @@ include::modules/rosa-sts-interactive-cluster-creation-mode-options.adoc[levelof * For detailed steps to quickly create a ROSA cluster with STS, including the AWS IAM resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Creating a ROSA cluster with STS using the default options]. * For detailed steps to create a ROSA cluster with STS using customizations, including the AWS IAM resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[Creating a ROSA cluster with STS using customizations]. * For more information about etcd encryption, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-etcd-encryption_rosa-service-definition[etcd encryption service definition]. -* For an example VPC architecture, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-vpc_rosa-classic-aws-prereqs[this sample VPC architecture]. -// This link must remain hidden until the HCP migration is completed -// * For an example VPC architecture, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[this sample VPC architecture]. +* For an example VPC architecture, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[this sample VPC architecture]. diff --git a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc index d5cee24b8ce2..d5ad815fe7c4 100644 --- a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc +++ b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc 
@@ -9,9 +9,7 @@ toc::[] {product-title} (ROSA) provides a model that allows Red{nbsp}Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account. -You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-aws-prereqs_rosa-classic-aws-prereqs[STS-specific requirements]. -// This link must remain hidden until HCP is migrated -// You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-prereqs_rosa-sts-aws-prereqs[STS-specific requirements]. +You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-prereqs_rosa-sts-aws-prereqs[STS-specific requirements]. include::snippets/rosa-sts.adoc[] diff --git a/rosa_planning/rosa-classic-aws-prereqs.adoc b/rosa_planning/rosa-classic-aws-prereqs.adoc deleted file mode 100644 index 1cf9cf2006fc..000000000000 --- a/rosa_planning/rosa-classic-aws-prereqs.adoc +++ /dev/null 
@@ -1,111 +0,0 @@ -:_mod-docs-content-type: ASSEMBLY -include::_attributes/attributes-openshift-dedicated.adoc[] -//title and ID conditions so this can be shared between Classic and HCP docs while it remains accurate for both -:context: rosa-classic-aws-prereqs -[id="rosa-classic-aws-prereqs"] -= Detailed requirements for deploying {rosa-classic-short} using STS - -toc::[] - -{rosa-classic-title} provides a model that allows Red{nbsp}Hat to deploy clusters into a customer's existing Amazon Web Service (AWS) account. - -include::snippets/rosa-sts.adoc[leveloffset=+0] - -Ensure that the following prerequisites are met before installing your cluster. - -[id="rosa-sts-customer-requirements_{context}"] -== Customer requirements when using STS for deployment - -The following prerequisites must be complete before you deploy a {rosa-classic-short} cluster that uses the AWS Security Token Service (STS). - -include::modules/rosa-sts-aws-requirements-account.adoc[leveloffset=+2] - -//Adding conditions around these in case the Additional resources don't get ported to HCP or have different file names / locations; keeping all included for now -[role="_additional-resources"] -[id="additional-resources_aws-account-requirements_{context}"] -.Additional resources -// Removed as part of OSDOCS-13310, until figures are verified. 
-//* xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability] -* xref:../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-elb-service-role_rosa-troubleshooting-cluster-deployments[Creating the Elastic Load Balancing (ELB) service-linked role] - -//TODO OSDOCS-11789: Nothing in the following module is actually a requirement, it's purely informative/recommended and needs to be re-validated by SRE/Support -include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2] - -//TODO OSDOCS-11789: Need to have this re-validated by SRE/Support -include::modules/rosa-sts-aws-requirements-security-req.adoc[leveloffset=+2] - -//Adding conditions around these in case the Additional resources don't get ported to HCP or have different file names / locations; keeping all included for now -[role="_additional-resources"] -[id="additional-resources_aws-security-requirements_{context}"] -.Additional resources -ifdef::openshift-dedicated[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] -endif::openshift-dedicated[] -ifdef::openshift-rosa[] -* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites] - -// This link needs to remain hidden until the HCP migration is published -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] -endif::openshift-rosa[] - -[id="rosa-ocm-requirements_{context}"] -== Requirements for using {cluster-manager} - -The following configuration details are required only if you use {cluster-manager-url} to manage your clusters. If you use the CLI tools exclusively, then you can disregard these requirements. - -//TODO OSDOCS-11789: when are ocm-role and user-role actually created? 
Pretty sure this happens as part of the cluster install process, so doesn't need to be done ahead of time?? -include::modules/rosa-sts-aws-requirements-association-concept.adoc[leveloffset=+2] -include::modules/rosa-sts-aws-requirements-creating-association.adoc[leveloffset=+2] - -ifdef::openshift-rosa,openshift-rosa-hcp[] -[discrete] -[role="_additional-resources"] -[id="additional-resources_creating-association_{context}"] -== Additional resources -* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference] -endif::openshift-rosa,openshift-rosa-hcp[] - -include::modules/rosa-sts-aws-requirements-creating-multi-association.adoc[leveloffset=+2] - -include::modules/rosa-requirements-deploying-in-opt-in-regions.adoc[leveloffset=+1] -include::modules/rosa-setting-the-aws-security-token-version.adoc[leveloffset=+2] - -[id="rosa-sts-policy-iam_{context}"] -== Red{nbsp}Hat managed IAM references for AWS - -When you use STS as your cluster credential method, Red{nbsp}Hat is not responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles. - -* To use the `ocm` CLI, you must have an `ocm-role` and `user-role` resource. -See xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-prepare-iam-resources-roles-ocm[Required IAM roles and resources]. -* If you have a single cluster, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference]. -* For each cluster, you must have the necessary Operator roles. See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference]. 
- -include::modules/rosa-aws-provisioned.adoc[leveloffset=+1] - -[id="rosa-network-prereqs_{context}"] -== Networking prerequisites - -include::modules/mos-network-prereqs-min-bandwidth.adoc[leveloffset=+2] - -[id="osd-aws-privatelink-firewall-prerequisites_rosa-classic-aws-prereqs"] -=== AWS firewall prerequisites - -If you are using a firewall to control egress traffic from your {rosa-classic-short}, you must configure your firewall to grant access to the certain domain and port combinations below. {rosa-classic-short} requires this access to provide a fully managed OpenShift service. - -include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+2] - -[role="_additional-resources"] -.Additional resources -* xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] - -[discrete] -== Next steps -* xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas_rosa-sts-required-aws-service-quotas[Review the required AWS service quotas] - -[discrete] -[role="_additional-resources"] -[id="additional-resources_aws-prerequisites_{context}"] -== Additional resources -* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red{nbsp}Hat OpenShift Service on AWS clusters] -* xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications] -* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types] \ No newline at end of file diff --git a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc index 747ec95042ac..07172eb6329a 100644 --- a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc 
+++ b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc @@ -2,12 +2,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[] :context: rosa-cloud-expert-prereq-checklist [id="rosa-cloud-expert-prereq-checklist"] -ifndef::openshift-rosa-hcp[] -= Prerequisites checklist for deploying {rosa-classic-short} using STS -endif::[] -ifdef::openshift-rosa-hcp[] -= Prerequisites checklist for deploying {rosa-short} -endif::openshift-rosa-hcp[] += Prerequisites checklist for deploying {product-title} toc::[] @@ -23,17 +18,18 @@ toc::[] // - Diana Sari //--- -This is a high level checklist of prerequisites needed to create a {product-title} cluster ifdef::openshift-rosa[] - with link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[STS] +This is a high level checklist of prerequisites needed to create a {product-title} cluster with link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[STS]. endif::openshift-rosa[] -. +ifdef::openshift-rosa-hcp[] +This is a high level checklist of prerequisites needed to create a {product-title} cluster. +endif::openshift-rosa-hcp[] //TODO OSDOCS-11789: Consider adding the following to a subsection about the initiating/control machine, along with CLI sections? The machine that you run the installation process from must have access to the following: * Amazon Web Services API and authentication service endpoints -* Red Hat OpenShift API and authentication service endpoints (`api.openshift.com` and `sso.redhat.com`) +* Red{nbsp}Hat OpenShift API and authentication service endpoints (`api.openshift.com` and `sso.redhat.com`) * Internet connectivity to obtain installation artifacts during deployment //TODO OSDOCS-13133 update when zero egress is GA: "either during deployment or prior to deploying a cluster with egress zero enabled" 
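Review bot: In hunk `@@ -23,17 +18,18 @@`, the introductory sentence used to render unconditionally (only the STS clause was gated), but it now exists only inside `ifdef::openshift-rosa[]` and `ifdef::openshift-rosa-hcp[]`. Any build of this assembly where neither attribute is set gets no opening paragraph at all. Since the file pulls in `_attributes/attributes-openshift-dedicated.adoc`, it is worth confirming no such build consumes it, or changing the second branch to `ifndef::openshift-rosa[]` so the generic sentence is the fallback. While this line is being rewritten, "high level checklist" should be "high-level checklist" in both added sentences.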
@@ -56,15 +52,15 @@ Ensure that you have the following accounts, credentials, and permissions. * Gather the credentials required to log in to your AWS account. * Ensure that your AWS account has sufficient permissions to use the ROSA CLI: xref:../cli_reference/rosa_cli/rosa-cli-permission-examples.adoc#rosa-cli-permission-examples[Least privilege permissions for common ROSA CLI commands] //OSDOCS-11789: Moving these here because it is a permission / account level enablement -* Enable ROSA for your AWS account on the link:https://console.aws.amazon.com/rosa/[AWS console]. +* Enable {product-title} for your AWS account on the link:https://console.aws.amazon.com/rosa/[AWS console]. ** If your account is the management account for your organization (used for AWS billing purposes), you must have `aws-marketplace:Subscribe` permissions available on your account. See _Service control policy (SCP) prerequisites_ for more information, or see the AWS documentation for troubleshooting: link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-troubleshoot.html#error-aws-orgs-scp-denies-permissions[AWS Organizations service control policy denies required AWS Marketplace permissions]. * Ensure you have not enabled restrictive tag policies. For more information, see link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html[Tag policies] in the AWS documentation. === Red{nbsp}Hat account //TODO OSDOCS-11789: Do we need to mention RH Organization here also? -* Create a Red Hat account for the link:https://console.redhat.com/[{hybrid-console}] if you do not already have one. -* Gather the credentials required to log in to your Red Hat account. +* Create a Red{nbsp}Hat account for the link:https://console.redhat.com/[{hybrid-console}] if you do not already have one. +* Gather the credentials required to log in to your Red{nbsp}Hat account. == CLI requirements 
@@ -98,14 +94,14 @@ $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.am . Install the ROSA CLI from the link:https://console.redhat.com/openshift/downloads#tool-rosa[web console]. ifdef::openshift-rosa[] -See xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.adoc[Installing the Red{nbsp}Hat OpenShift Service on AWS (ROSA) CLI, rosa] for detailed instructions. +See xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.adoc#rosa-installing-cli[Installing the ROSA CLI, rosa] for detailed instructions. endif::openshift-rosa[] -. Log in to your Red Hat account by running `rosa login` and following the instructions in the command output: +. Log in to your Red{nbsp}Hat account by running `rosa login` and following the instructions in the command output: + [source,terminal] ---- $ rosa login -To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa +To login to your Red{nbsp}Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa ? Copy the token and paste it here: ---- + 
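Review bot: The "Red Hat" to `Red{nbsp}Hat` replacement in hunk `@@ -98,14 +94,14 @@` also hit the line inside the `[source,terminal]` block (`+To login to your Red{nbsp}Hat account, get an offline access token at ...`). That block has no `subs="attributes+"`, so the attribute is not substituted there and readers will see the literal text `Red{nbsp}Hat`. The block also represents verbatim `rosa login` output, which should not be edited for style. Please revert that one line to `Red Hat` and keep the `{nbsp}` change to the prose step above it.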
@@ -124,16 +120,9 @@ $ rosa whoami === OpenShift CLI (`oc`) -The OpenShift CLI (`oc`) is not required to deploy a -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster, but is a useful tool for interacting with your cluster after it is deployed. +The OpenShift CLI (`oc`) is not required to deploy a {product-title} cluster, but is a useful tool for interacting with your cluster after it is deployed. -. Download and install`oc` from the {cluster-manager} link:https://console.redhat.com/openshift/downloads#tool-oc[Command-line interface (CLI) tools] page, or follow the instructions in xref:../cli_reference/openshift_cli/getting-started-cli.adoc#cli-getting-started[Getting started with the OpenShift CLI]. +. Download and install `oc` from the {cluster-manager} link:https://console.redhat.com/openshift/downloads#tool-oc[Command-line interface (CLI) tools] page, or follow the instructions in xref:../cli_reference/openshift_cli/getting-started-cli.adoc#cli-getting-started[Getting started with the OpenShift CLI]. . Verify that the OpenShift CLI has been installed correctly by running the following command: + [source,terminal] 
@@ -151,44 +140,22 @@ $ rosa verify openshift-client $ rosa verify quota ---- + -This command only checks the total quota allocated to your account; it does not reflect the amount of quota already consumed from that quota. Running this command is optional because your quota is verified during cluster deployment. However, Red Hat recommends running this command to confirm your quota ahead of time so that deployment is not interrupted by issues with quota availability. +This command only checks the total quota allocated to your account; it does not reflect the amount of quota already consumed from that quota. Running this command is optional because your quota is verified during cluster deployment. However, Red{nbsp}Hat recommends running this command to confirm your quota ahead of time so that deployment is not interrupted by issues with quota availability. ifdef::openshift-rosa[] -* For more information about resources provisioned during {rosa-classic-short} cluster deployment, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-classic-aws-prereqs[Provisioned AWS Infrastructure]. +* For more information about resources provisioned during {product-title} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[Provisioned AWS Infrastructure]. * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -* For more information about resources provisioned during {rosa-short} cluster deployment, see xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-hcp-aws-prereqs[Provisioned AWS Infrastructure]. 
+* For more information about resources provisioned during {product-title} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-hcp-prereqs[Provisioned AWS Infrastructure]. * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. endif::openshift-rosa-hcp[] -// These links need to remain hidden until HCP is published -// ifdef::openshift-rosa[] -// * For more information about resources provisioned during {rosa-classic-short} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[Provisioned AWS Infrastructure]. -// * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. -// endif::openshift-rosa[] -// ifdef::openshift-rosa-hcp[] -// * For more information about resources provisioned during {rosa-short} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-hcp-prereqs[Provisioned AWS Infrastructure]. -// * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. -// endif::openshift-rosa-hcp[] == Service Control Policy (SCP) prerequisites -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -clusters are hosted in an AWS account within an AWS organizational unit. 
A link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html[service control policy (SCP)] is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access. +{product-title} clusters are hosted in an AWS account within an AWS organizational unit. A link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html[service control policy (SCP)] is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access. * Ensure that your organization's SCPs are not more restrictive than the roles and policies required by the cluster. For more information, see the xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-minimum-scp_rosa-sts-about-iam-resources[Minimum set of effective permissions for SCPs]. -* When you create a -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -cluster, an associated AWS OpenID Connect (OIDC) identity provider is created. +* When you create a {product-title} cluster, an associated AWS OpenID Connect (OIDC) identity provider is created. == Networking prerequisites 
@@ -201,19 +168,11 @@ include::modules/mos-network-prereqs-min-bandwidth.adoc[leveloffset=+2] //TODO OSDOCS-11789: Are these things that your cluster needs access to, or your deploying machine needs access to? * Configure your firewall to allow access to the domains and ports listed in ifdef::openshift-rosa[] -xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites]. +xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites]. endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS firewall prerequisites] +xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] endif::openshift-rosa-hcp[] -// These links need to remain hidden until HCP is published -// * Configure your firewall to allow access to the domains and ports listed in -// ifdef::openshift-rosa[] -// xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites]. -// endif::openshift-rosa[] -// ifdef::openshift-rosa-hcp[] -// xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] -// endif::openshift-rosa-hcp[] //Moving up prereqs that are actually required for deployment ifdef::openshift-rosa[] 
@@ -241,13 +200,13 @@ xref:../networking/ovn_kubernetes_network_provider/configuring-cluster-wide-prox [NOTE] ==== -You can install a non-PrivateLink {rosa-classic-short} cluster in a pre-existing BYO VPC. +You can install a non-PrivateLink {product-title} cluster in a pre-existing BYO VPC. ==== endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] === Create VPC before cluster deployment -{rosa-short} clusters must be deployed into an existing AWS Virtual Private Cloud (VPC). +{product-title} clusters must be deployed into an existing AWS Virtual Private Cloud (VPC). include::snippets/rosa-existing-vpc-requirements.adoc[leveloffset=+0] 
@@ -270,29 +229,18 @@ ifdef::openshift-rosa[] For more details see the detailed requirements for xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups]. endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -For more details see the detailed requirements for xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-security-groups_rosa-hcp-aws-prereqs[Security groups]. +For more details see the detailed requirements for xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-security-groups_rosa-hcp-prereqs[Security groups]. endif::openshift-rosa-hcp[] -// This must remain hidden until HCP is published -// ifdef::openshift-rosa-hcp[] -// For more details see the detailed requirements for xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-security-groups_rosa-hcp-prereqs[Security groups]. -// endif::openshift-rosa-hcp[] === Custom DNS and domains You can configure a custom domain name server and custom domain name for your cluster. To do so, complete the following prerequisites before you create the cluster: //TODO OSDOCS-11789: Needs verification from mmcneill -* By default, -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -clusters require you to set the `domain name servers` option to `AmazonProvidedDNS` to ensure successful cluster creation and operation. -* To use a custom DNS server and domain name for your cluster, the ROSA installer must be able to use VPC DNS with default DHCP options so that it can resolve internal IPs and services. This means that you must create a custom DHCP option set to forward DNS lookups to your DNS server, and associate this option set with your VPC before you create the cluster. +* By default, {product-title} clusters require you to set the `domain name servers` option to `AmazonProvidedDNS` to ensure successful cluster creation and operation. 
+* To use a custom DNS server and domain name for your cluster, the {product-title} installer must be able to use VPC DNS with default DHCP options so that it can resolve internal IPs and services. This means that you must create a custom DHCP option set to forward DNS lookups to your DNS server, and associate this option set with your VPC before you create the cluster. ifdef::openshift-rosa[] -For more information, see xref:../cloud_experts_tutorials/cloud-experts-custom-dns-resolver.adoc#cloud-experts-custom-dns-resolver[Deploying ROSA with a custom DNS resolver]. +For more information, see xref:../cloud_experts_tutorials/cloud-experts-custom-dns-resolver.adoc#cloud-experts-custom-dns-resolver[Deploying {product-title} with a custom DNS resolver]. endif::openshift-rosa[] * Confirm that your VPC is using VPC Resolver by running the following command: + diff --git a/rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc b/rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc index f02323a36f97..c9330c6b127e 100644 --- a/rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc +++ b/rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc 
@@ -14,18 +14,12 @@ include::modules/rosa-prereq-roles-overview.adoc[leveloffset=+1] [role="_additional-resources"] [id="additional-resources_role-overview_{context}"] .Additional resources -ifndef::openshift-rosa-hcp[] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html[AWS IAM account-wide policies for ROSA Classic clusters] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-operator-policies.html[AWS IAM Operator policies for ROSA Classic clusters] -endif::openshift-rosa-hcp[] -ifdef::openshift-rosa-hcp[] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {hcp-title} clusters] -endif::openshift-rosa-hcp[] +* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {product-title} clusters] [id="rosa-prepare-am-resources-roles-account"] == Roles required to create and manage clusters -Several account-wide roles (`account-roles` in the ROSA CLI) are required to create or manage ROSA clusters. These roles must be created using the ROSA CLI (`rosa`), regardless of whether you typically use {cluster-manager} or the ROSA CLI to create and manage your clusters. These roles only need to be created once, and do not need to be created for every cluster you install. +Several account-wide roles (`account-roles` in the ROSA CLI) are required to create or manage {product-title} clusters. These roles must be created using the ROSA CLI (`rosa`), regardless of whether you typically use {cluster-manager} or the ROSA CLI to create and manage your clusters. These roles only need to be created once, and do not need to be created for every cluster you install. //account roles include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2] 
@@ -33,17 +27,12 @@ include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leve [role="_additional-resources"] [id="additional-resources_account-roles_{context}"] .Additional resources -ifndef::openshift-rosa-hcp[] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html[AWS IAM account-wide policies for ROSA Classic clusters] (AWS documentation) -endif::openshift-rosa-hcp[] -ifdef::openshift-rosa-hcp[] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {hcp-title} clusters] (AWS documentation) -endif::openshift-rosa-hcp[] +* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {product-title} clusters] (AWS documentation) [id="rosa-prepare-iam-resources-oidc"] == Resources required for OIDC authentication -{rosa-short} clusters use OIDC and the AWS Security Token Service (STS) to authenticate Operator access to AWS resources they require to perform their functions. Each production cluster requires its own OIDC configuration. +{product-title} clusters use OIDC and the AWS Security Token Service (STS) to authenticate Operator access to AWS resources they require to perform their functions. Each production cluster requires its own OIDC configuration. include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2] 
@@ -59,12 +48,7 @@ include::modules/rosa-operator-config.adoc[leveloffset=+2] [role="_additional-resources"] [id="additional-resources_operator-roles_{context}"] .Additional resources -ifndef::openshift-rosa-hcp[] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-operator-policies.html[Required AWS IAM Operator policies for ROSA Classic clusters] (AWS documentation) -endif::openshift-rosa-hcp[] -ifdef::openshift-rosa-hcp[] -* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {hcp-title} clusters] (AWS documentation) -endif::openshift-rosa-hcp[] +* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {product-title} clusters] (AWS documentation) [id="rosa-prepare-iam-resources-roles-ocm"] == Roles required to use {cluster-manager} diff --git a/rosa_planning/rosa-sts-aws-prereqs.adoc b/rosa_planning/rosa-sts-aws-prereqs.adoc index 7ad7358a68a6..ef14ab359c58 100644 --- a/rosa_planning/rosa-sts-aws-prereqs.adoc +++ b/rosa_planning/rosa-sts-aws-prereqs.adoc 
@@ -1,62 +1,51 @@ :_mod-docs-content-type: ASSEMBLY include::_attributes/attributes-openshift-dedicated.adoc[] -//title and ID conditions so this can be shared between Classic and HCP docs while it remains accurate for both ifdef::openshift-rosa[] -:context: rosa-classic-aws-prereqs -[id="rosa-sts-classic-aws-prereqs"] +:context: rosa-sts-aws-prereqs +[id="rosa-sts-aws-prereqs"] = Detailed requirements for deploying {product-title} using STS endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -:context: rosa-hcp-aws-prereqs -[id="rosa-sts-hcp-aws-prereqs"] +:context: rosa-hcp-prereqs +[id="rosa-hcp-prereqs"] = Detailed requirements for deploying {product-title} endif::openshift-rosa-hcp[] -// This section needs to remain hidden until the HCP migration -// ifndef::openshift-rosa-hcp[] -// :context: rosa-sts-aws-prereqs -// [id="rosa-sts-aws-prereqs"] -// = Detailed requirements for deploying {product-title} using STS -// endif::openshift-rosa-hcp[] -// ifdef::openshift-rosa-hcp[] -// :context: rosa-hcp-prereqs -// [id="rosa-hcp-prereqs"] -// = Detailed requirements for deploying {product-title} -// endif::openshift-rosa-hcp[] toc::[] {product-title} provides a model that allows Red{nbsp}Hat to deploy clusters into a customer's existing Amazon Web Service (AWS) account. -ifndef::openshift-rosa-hcp[] +ifdef::openshift-rosa[] include::snippets/rosa-sts.adoc[leveloffset=+0] -endif::openshift-rosa-hcp[] +endif::openshift-rosa[] Ensure that the following prerequisites are met before installing your cluster. -ifndef::openshift-rosa-hcp[] +ifdef::openshift-rosa[] [id="rosa-sts-customer-requirements_{context}"] -== Customer requirements when using STS for deployment - -The following prerequisites must be complete before you deploy a {rosa-classic-short} cluster that uses the AWS Security Token Service (STS). 
-endif::openshift-rosa-hcp[] +endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] [id="rosa-hcp-customer-requirements_{context}"] -== Customer requirements for all {rosa-short} clusters - -The following prerequisites must be complete before you deploy a {rosa-short} cluster. +endif::openshift-rosa-hcp[] +== Customer requirements for all {product-title} clusters +ifdef::openshift-rosa[] +The following prerequisites must be complete before you deploy a {product-title} cluster that uses the AWS Security Token Service (STS). +endif::openshift-rosa[] +ifdef::openshift-rosa-hcp[] +The following prerequisites must be complete before you deploy a {product-title} cluster. endif::openshift-rosa-hcp[] -include::modules/rosa-sts-aws-requirements-account.adoc[leveloffset=+2] +include::modules/rosa-sts-aws-requirements-account.adoc[leveloffset=+1] //Adding conditions around these in case the Additional resources don't get ported to HCP or have different file names / locations; keeping all included for now -ifndef::openshift-rosa-hcp[] +ifdef::openshift-rosa[] [role="_additional-resources"] [id="additional-resources_aws-account-requirements_{context}"] .Additional resources // Removed as part of OSDOCS-13310, until figures are verified. //* xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability] * xref:../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-elb-service-role_rosa-troubleshooting-cluster-deployments[Creating the Elastic Load Balancing (ELB) service-linked role] -endif::openshift-rosa-hcp[] +endif::openshift-rosa[] //TODO OSDOCS-11789: Nothing in the following module is actually a requirement, it's purely informative/recommended and needs to be re-validated by SRE/Support include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2] 
@@ -72,18 +61,11 @@ ifdef::openshift-dedicated[] * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] endif::openshift-dedicated[] ifdef::openshift-rosa[] -* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS firewall prerequisites] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] endif::openshift-rosa-hcp[] -// These need to remain hidden until the HCP migration is completed -// ifdef::openshift-rosa[] -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] -// endif::openshift-rosa[] -// ifdef::openshift-rosa-hcp[] -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] -// endif::openshift-rosa-hcp[] [id="rosa-ocm-requirements_{context}"] == Requirements for using {cluster-manager} 
@@ -117,9 +99,9 @@ endif::openshift-rosa-hcp[] Red{nbsp}Hat is not responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles. * To use the `ocm` CLI, you must have an `ocm-role` and `user-role` resource. -ifndef::openshift-rosa-hcp[] +ifdef::openshift-rosa[] See xref:../rosa_planning/rosa-sts-ocm-role.adoc#rosa-sts-ocm-role[OpenShift Cluster Manager IAM role resources]. -endif::openshift-rosa-hcp[] +endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] See xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-prepare-iam-resources-roles-ocm[Required IAM roles and resources]. endif::openshift-rosa-hcp[] @@ -136,21 +118,7 @@ include::modules/mos-network-prereqs-min-bandwidth.adoc[leveloffset=+2] [id="osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs"] === AWS firewall prerequisites -If you are using a firewall to control egress traffic from your -ifdef::openshift-rosa[] -{rosa-classic-short}, -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short}, -endif::openshift-rosa-hcp[] -you must configure your firewall to grant access to the certain domain and port combinations below. -ifdef::openshift-rosa[] -{rosa-classic-short} -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -{rosa-short} -endif::openshift-rosa-hcp[] -requires this access to provide a fully managed OpenShift service. +If you are using a firewall to control egress traffic from your {product-title} cluster, you must configure your firewall to grant access to the certain domain and port combinations below. {product-title} requires this access to provide a fully managed OpenShift service. include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+2] ifdef::openshift-rosa-hcp[] 
@@ -172,7 +140,7 @@ endif::openshift-rosa[] [id="additional-resources_aws-prerequisites_{context}"] == Additional resources ifdef::openshift-rosa[] -* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red{nbsp}Hat OpenShift Service on AWS clusters] +* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all {product-title} clusters] * xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications] * xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types] endif::openshift-rosa[] diff --git a/rosa_planning/rosa-sts-ocm-role.adoc b/rosa_planning/rosa-sts-ocm-role.adoc index b10f5738e914..045a245d20fe 100644 --- a/rosa_planning/rosa-sts-ocm-role.adoc +++ b/rosa_planning/rosa-sts-ocm-role.adoc @@ -2,7 +2,7 @@ include::_attributes/attributes-openshift-dedicated.adoc[] :context: rosa-sts-ocm-role [id="rosa-sts-ocm-role"] -= ROSA IAM role resources += {product-title} IAM role resources toc::[] 
@@ -11,24 +11,18 @@ You must create several role resources on your AWS account in order to create an include::modules/rosa-prereq-roles-overview.adoc[leveloffset=+1] .Additional resources -ifndef::openshift-rosa-hcp[] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies[Account-wide IAM role and policy reference] -endif::openshift-rosa-hcp[] -ifdef::openshift-rosa[] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference] -endif::openshift-rosa[] //Roles required to use {cluster-manager} include::modules/rosa-sts-about-ocm-role.adoc[leveloffset=+1] -ifdef::openshift-rosa[] [discrete] [id="additional-resources-about-ocm-role"] [role="_additional-resources"] == Additional resources * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-understanding-ocm-role[Understanding the {cluster-manager} role] -endif::openshift-rosa[] include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2] 
@@ -53,22 +47,12 @@ If you unlink or delete your `user-role` IAM role prior to deleting your cluster include::modules/rosa-sts-aws-requirements-association-concept.adoc[leveloffset=+1] include::modules/rosa-sts-aws-requirements-creating-association.adoc[leveloffset=+2] include::modules/rosa-sts-aws-requirements-creating-multi-association.adoc[leveloffset=+2] - -ifndef::openshift-rosa-hcp[] include::modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc[leveloffset=+1] -endif::openshift-rosa-hcp[] [role="_additional-resources"] == Additional resources * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities (AWS documentation)] -ifdef::openshift-rosa[] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-sts-creating-a-cluster-quickly[Creating the account-wide STS roles and policies] -endif::openshift-rosa[] -ifdef::openshift-rosa-hcp[] -* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Creating account-wide roles and policies] -endif::openshift-rosa-hcp[] * xref:../support/troubleshooting/rosa-troubleshooting-iam-resources.adoc#rosa-sts-ocm-roles-and-permissions-troubleshooting[Troubleshooting IAM roles] ifdef::openshift-rosa[] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies[Account-wide IAM role and policy reference] -endif::openshift-rosa[] - diff --git a/rosa_planning/rosa-sts-setting-up-environment.adoc b/rosa_planning/rosa-sts-setting-up-environment.adoc index abd701f80bcc..0f6752d1bd5b 100644 --- a/rosa_planning/rosa-sts-setting-up-environment.adoc +++ b/rosa_planning/rosa-sts-setting-up-environment.adoc 
@@ -30,29 +30,20 @@ endif::openshift-rosa-hcp[] [id="next-steps_rosa-sts-setting-up-environment"] == Next steps ifndef::openshift-rosa-hcp[] -* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Create a ROSA cluster with STS quickly] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[create a cluster using customizations]. +* xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Create a {product-title} cluster with STS quickly] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[create a cluster using customizations]. endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] -* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[Create a ROSA with HCP cluster] +* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[Create a {product-title} cluster] endif::openshift-rosa-hcp[] [id="additional-resources"] [role="_additional-resources"] == Additional resources ifndef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS Prerequisites] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS Prerequisites] * xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas and increase requests] endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc[AWS Prerequisites] -// TODO OSDOCS-11789: AWS quotas for HCP -endif::openshift-rosa-hcp[] -// This section needs to remain hidden until the HCP migration is published -//ifndef::openshift-rosa-hcp[] -// * 
xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS Prerequisites] -// * xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas and increase requests] -// endif::openshift-rosa-hcp[] -// ifdef::openshift-rosa-hcp[] -// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-prereqs[AWS Prerequisites] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-prereqs[AWS Prerequisites] // // TODO OSDOCS-11789: AWS quotas for HCP -// endif::openshift-rosa-hcp[] +endif::openshift-rosa-hcp[] diff --git a/snippets/rosa-sts.adoc b/snippets/rosa-sts.adoc index 7bb4e6a63e0b..2ce7395abcc7 100644 --- a/snippets/rosa-sts.adoc +++ b/snippets/rosa-sts.adoc @@ -2,5 +2,5 @@ [TIP] ==== -AWS Security Token Service (STS) is the recommended credential mode for installing and interacting with clusters on {rosa-classic-short} because it provides enhanced security. +AWS Security Token Service (STS) is the recommended credential mode for installing and interacting with clusters on {product-title} because it provides enhanced security. ==== diff --git a/support/troubleshooting/rosa-troubleshooting-deployments.adoc b/support/troubleshooting/rosa-troubleshooting-deployments.adoc index bc7bcb98854d..2be82f73db69 100644 --- a/support/troubleshooting/rosa-troubleshooting-deployments.adoc +++ b/support/troubleshooting/rosa-troubleshooting-deployments.adoc 
@@ -34,11 +34,9 @@ include::modules/rosa-troubleshooting-invalidinstallconfigsubnet-failure-deploym include::modules/rosa-troubleshooting-awsinsufficientpermission-failure-deployment.adoc[leveloffset=+1] - [role="_additional-resources"] .Additional resources -* xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs -* xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-aws-prereqs[AWS prerequisites for {product-title}] +* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Detailed requirements for deploying {product-title} using STS] include::modules/rosa-troubleshooting-deleteiamrole-deployment.adoc[leveloffset=+1] include::modules/rosa-troubleshooting-awsec2quotaexceeded-failure-deployment.adoc[leveloffset=+1] diff --git a/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc b/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc index 91a263e69b26..aaab787721a5 100644 --- a/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc +++ b/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc @@ -13,7 +13,7 @@ include::modules/rosa-verify-hcp-install.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* For information about the prerequisites for installing {product-title} clusters, see xref:../../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[Detailed requirements for deploying {product-title}]. +* For information about the prerequisites for installing {product-title} clusters with {hcp}, see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. include::modules/rosa-troubleshoot-hcp-install.adoc[leveloffset=+1] diff --git a/welcome/cloud-experts-rosa-hcp-sts-explained.adoc b/welcome/cloud-experts-rosa-hcp-sts-explained.adoc index b08d6757e9c7..98acd003d481 100644 --- a/welcome/cloud-experts-rosa-hcp-sts-explained.adoc 
+++ b/welcome/cloud-experts-rosa-hcp-sts-explained.adoc 
@@ -37,7 +37,7 @@ Security features for AWS STS include: [id="components-specific-to-rosa-hcp-with-sts"] == Components of {hcp-title} -* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-ec2-instances_rosa-hcp-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. +* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. // This section needs to remain hidden until the HCP migration is completed. // * *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. 
* *AWS STS* - A method for granting short-term, dynamic tokens to provide users the necessary permissions to temporarily interact with your AWS account resources.
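Review bot: In the `rosa login` hunk of cloud-experts-getting-started-detailed-cli-guide.adoc (@@ -98,14 +94,14 @@), the added line `To login to your Red{nbsp}Hat account, get an offline access token at ...` sits inside a `[source,terminal]` listing block, where attribute references are not substituted by default, so readers will see the literal text `Red{nbsp}Hat`. It is also quoted CLI output and should match what `rosa login` prints. Keep plain `Red Hat` on that line and limit the `{nbsp}` change to the prose step above it.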
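Review bot: In the quota hunk of the same CLI guide (@@ -151,44 +140,22 @@), the `ifdef::openshift-rosa[]` and `ifdef::openshift-rosa-hcp[]` blocks now differ only in the anchor suffix of the first bullet (`_rosa-sts-aws-prereqs` versus `_rosa-hcp-prereqs`), and the "Required AWS service quotas" bullet is identical in both. Move the quota bullet outside the conditionals so it is maintained in one place, and keep only the "Provisioned AWS Infrastructure" xref conditional.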
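Review bot: In the firewall hunk of the CLI guide (@@ -201,19 +168,11 @@), the HCP branch xref `...#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites]` ends without a period while the `openshift-rosa` branch ends with one, so the bullet renders as an unterminated sentence in the HCP build. The context line `//TODO OSDOCS-11789` also still asks whether the cluster or the deploying machine needs this egress access. Since readers will build firewall allowlists from this bullet, resolve that question or state the scope explicitly before the comment cleanup lands.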
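Review bot: In the security groups hunk of the CLI guide (@@ -270,29 +229,18 @@), only the HCP branch is repointed to `rosa-sts-aws-prereqs.adoc`. The unchanged `openshift-rosa` branch still links to `rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites`, the same file whose xref this patch drops from rosa-troubleshooting-deployments.adoc. Confirm that target is still intended for the Classic build, or repoint it to the security groups section of `rosa-sts-aws-prereqs.adoc` so both distros reference the same assembly.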
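Review bot: In rosa-hcp-prepare-iam-roles-resources.adoc, the first hunk (@@ -14,18 +14,12 @@) adds the AWS link as `[AWS Managed IAM policies for {product-title} clusters]` without the `(AWS documentation)` suffix that the other two hunks in this file (@@ -33,17 +27,12 @@ and @@ -59,12 +48,7 @@) include. The same URL now appears three times in one assembly, so make the link text identical in all three or keep a single "Additional resources" entry.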
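Review bot: In the first hunk of rosa-sts-aws-prereqs.adoc (@@ -1,62 +1,51 @@), `include::modules/rosa-sts-aws-requirements-account.adoc` changes to `leveloffset=+1` while the following `rosa-sts-aws-requirements-support-req.adoc` include stays at `leveloffset=+2`. If both modules start at the same title level, the account module will now render as a sibling of `== Customer requirements for all {product-title} clusters` instead of a subsection. Confirm that is intended or restore `+2`. The new heading is also followed directly by `ifdef::openshift-rosa[]` with no blank line, and the Classic build loses "when using STS for deployment" from its title even though the paragraph under it still scopes the requirements to STS.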
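Review bot: In the firewall prerequisites hunk of rosa-sts-aws-prereqs.adoc (@@ -136,21 +118,7 @@), the consolidated sentence keeps the phrase "grant access to the certain domain and port combinations below", which is ungrammatical. Since the line is being rewritten anyway, change it to "grant access to the following domain and port combinations". The section ID above it is still hard-coded as `osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs` rather than using `{context}`, which is worth checking now that the HCP context is `rosa-hcp-prereqs`.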
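Review bot: In the last hunk of rosa-sts-ocm-role.adoc (@@ -53,22 +47,12 @@), the trailing `-endif::openshift-rosa[]` is removed but the `ifdef::openshift-rosa[]` context line before the final "Account-wide IAM role and policy reference" bullet remains, leaving an unterminated conditional at the end of the file. Either remove that `ifdef::openshift-rosa[]` line as well, in line with the other conditionals dropped from this file, or keep the `endif`.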
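Review bot: In the "Additional resources" part of the rosa-sts-setting-up-environment.adoc hunk (@@ -30,29 +30,20 @@), the context line `// // TODO OSDOCS-11789: AWS quotas for HCP` is left with a doubled comment marker inside the now-live `ifdef::openshift-rosa-hcp[]` block. It was previously a comment within a commented-out block. Reduce it to a single `//` or drop it if the TODO is tracked elsewhere.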
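Review bot: In rosa-troubleshooting-installations-hcp.adoc (@@ -13,7 +13,7 @@), the new xref targets `rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs`, but this patch sets the assembly ID to `rosa-hcp-prereqs` under `ifdef::openshift-rosa-hcp[]`, so the anchor will not exist in the HCP build. Use `#rosa-hcp-prereqs`, as the setting-up-environment hunk does. The link text "AWS prerequisites for ROSA with STS" is also hard-coded and does not match the HCP title "Detailed requirements for deploying {product-title}", and "with {hcp}" reintroduces the distinction the rest of the patch replaces with `{product-title}`.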
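Review bot: In welcome/cloud-experts-rosa-hcp-sts-explained.adoc (@@ -37,7 +37,7 @@), the new xref uses the anchor `#rosa-ec2-instances_rosa-sts-aws-prereqs`, while the HCP context set in rosa-sts-aws-prereqs.adoc by this patch is `rosa-hcp-prereqs`. If the target module builds its ID from `{context}`, the HCP anchor is `rosa-ec2-instances_rosa-hcp-prereqs` and this link will not resolve. The commented-out copy kept under "This section needs to remain hidden until the HCP migration is completed" is now identical to the live line and can be deleted, as was done for the equivalent comments in the other files.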