From c2a42cff78fd803b55bc427d4b5719989f12d60d Mon Sep 17 00:00:00 2001 From: mletalie Date: Mon, 29 Sep 2025 08:57:50 -0400 Subject: [PATCH] IDMS --- modules/images-registry-mirroring.adoc | 300 ++++++++++++++++++ modules/rosa-create-objects.adoc | 85 ++++- modules/rosa-delete-objects.adoc | 51 ++- modules/rosa-edit-objects.adoc | 53 +++- modules/rosa-list-objects.adoc | 177 +++++++---- ...sa-sts-cluster-terraform-mirror-image.adoc | 64 ++++ .../configuring-samples-operator.adoc | 8 +- openshift_images/image-configuration-hcp.adoc | 8 + .../rosa-sts-about-iam-resources.adoc | 4 +- ...-creating-a-cluster-quickly-terraform.adoc | 7 + rosa_release_notes/rosa-release-notes.adoc | 8 + 11 files changed, 690 insertions(+), 75 deletions(-) create mode 100644 modules/images-registry-mirroring.adoc create mode 100644 modules/rosa-sts-cluster-terraform-mirror-image.adoc diff --git a/modules/images-registry-mirroring.adoc b/modules/images-registry-mirroring.adoc new file mode 100644 index 000000000000..f67c64ad4506 --- /dev/null +++ b/modules/images-registry-mirroring.adoc 
@@ -0,0 +1,300 @@ +// Module included in the following assemblies: +// +// * openshift_images/image-configuration-hcp.adoc +:_mod-docs-content-type: CONCEPT + +[id="images-registry-mirroring_{context}"] += Image registry mirroring for {product-title} + +You can configure an existing {product-title} cluster to pull images from a mirrored registry by using the `ImageDigestMirrorSet (IDMS)` object. + +[IMPORTANT] +==== +The image mirror configuration feature operates exclusively with image references by digest, meaning that image mirroring will only activate when an image is pulled using its unique and immutable ID. Any image references using a mutable tag are currently not supported by this functionality. +==== + +IDMS defines a set of cluster-wide policies for registry mirroring that makes image downloads faster, more reliable and more secure. It works by intercepting any image pull request that identifies an image by its unique, content-addressable digest. Based on these policies, the IDMS transparently redirects the pull operation from its specified source registry to one or more designated mirror registries. For the developer, this means their request—still pointing to the original source—is automatically fulfilled by a faster, closer mirror, significantly improving deployment speed without requiring any changes to their workflow. + +.Prerequisites + +To configure an existing {product-title} cluster to pull images from a mirrored registry by using the `ImageDigestMirrorSet (IDMS)` object, you must meet the following prerequisites: + +** You have installed and configured the latest {rosa-cli-first} on your installation host. +** You have installed a {product-title} cluster. +** The {product-title} cluster must be in a **Ready** state to create, edit, list, or delete image mirrors. +** You have access to the mirror registries you want to configure. +** You have the required IAM permissions to manage cluster configurations. 
For more information, see "About IAM resources" in the _Additional resources_ section. + +The benefits of configuring your {product-title} cluster to pull images from a mirrored registry using IDMS include: + +** *Enhanced Security*: By forcing image pulls from a private, mirrored registry, you can scan and approve all images for vulnerabilities before they ever enter your cluster. + +** *Improved Cluster Reliability*: A local mirror guarantees stable and predictable cluster performance by eliminating reliance on public internet pathways. + +** *Guaranteed Image Consistency*: IDMS uses image digests to reference images, which ensures that every node in the cluster pulls the same version of an image, preventing inconsistencies which could lead to deployment failures. + +[id="create-image-mirroring_{context}"] +== Creating an image mirror configuration + +.Procedure + +To create an image mirror configuration for a {product-title} cluster, run the following command: + +[IMPORTANT] +==== +The source registry cannot be modified after creation. You must delete and recreate the image mirror to change the source. +==== + +.Syntax +[source,terminal] +---- +$ rosa create image-mirror [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +a|--cluster +|Required: The name or ID of the cluster the mirror configuration will be applied to. + +|--source +|Required: The source registry that will be mirrored. + +|--mirrors +|Required: List of mirror registries. Mirror registries must be comma-separated. + +|--type=digest +|Optional: Type of image mirror. The `digest` type is set by default and the only available `type` option. + +|--profile +|Optional: Specifies an AWS profile (string) from your credentials file. + +|--region +|Optional:Specifies an AWS region, overriding the AWS_REGION environment variable. +|=== + +.Examples +Creates an image mirror configuration for a cluster named `mycluster`. 
+ + +[source,terminal] +---- +$ rosa create image-mirror --cluster=mycluster \ + --source=registry.example.com/team \ + --mirrors=mirror.corp.com/team,backup.corp.com/team +---- +.Example Output + +[source,terminal] +---- +I: Image mirror with ID 'abc123def456' has been created on cluster 'mycluster' +I: Source: registry.example.com/team +I: Mirrors: [mirror.corp.com/team backup.corp.com/team] +---- +[NOTE] +==== +An ID is automatically generated and assigned to an image mirror during image mirror configuration creation. +==== + +Creates an image mirror configuration with a specific type. + +[NOTE] +==== +The `digest` type is set by default and the only available `type` option. +==== + +[source,terminal] +---- +$ rosa create image-mirror --cluster=mycluster \ + --type=digest --source=docker.io/library \ + --mirrors=internal-registry.company.com/dockerhub +---- + +Creating a single image mirror configuration with multiple mirrors for a cluster. + +[source,terminal] +---- +$ rosa create image-mirror --cluster=mycluster \ + --source=quay.io/openshift \ + --mirrors=mirror1.company.com/openshift,mirror2.company.com/openshift,mirror3.company.com/openshift +---- + +[id="edit-image-mirroring_{context}"] +== Editing an image mirroring configuration + +.Procedure + +To edit an image mirror configuration for a {product-title} cluster, run the following command: + +[NOTE] +==== +When editing an image mirror configuration, the new mirrors list completely replaces the existing mirrors list. +==== + +.Syntax +[source,terminal] +---- +$ rosa edit image-mirror [arguments] +---- +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: The name or ID (string) of the cluster to which the image mirror configuration applies. + +|--mirrors +|Required: New list of mirror registries that replaces current mirror registries. Mirror registries must be comma-separated. + +|--id +|Required: ID of the image mirror configuration to edit. 
+ +|--profile +|Optional: Use a specific AWS profile from your credential file. + +|--region +|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. +|=== + +.Examples +// Based on conversation with PM, these are not necessary b/c we are going to include examples only with the ID to keep things unambiguous. +// Edits an image mirror configuration with a positional argument. + +// [source,terminal] +// ---- +// $ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ +// --mirrors=mirror.corp.com/team,backup.corp.com/team,new-mirror.corp.com/team +// ---- + +// Edits an image mirror configuration using the `--id` flag. + +// [source,terminal] +// ---- +// $ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ +// --mirrors=mirror.corp.com/team,backup.corp.com/team,new-mirror.corp.com/team +// ---- + +Replaces a single mirror on an image mirror configuration. + +[source,terminal] +---- +$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ + --mirrors=single-mirror.company.com/team +---- +.Example Output +[source,terminal] +---- +I: Image mirror 'abc123def456' has been updated on cluster 'mycluster' +I: Source: registry.example.com/team +I: Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team] +---- + +Replaces all mirrors on an image mirror configuration. + +[source,terminal] +---- +$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ + --mirrors=new-primary.company.com/team,new-secondary.company.com/team +---- + + +[id="list-image-mirroring_{context}"] +== Listing all image mirror configurations +.Procedure + +To list all image mirror configurations for a {product-title} cluster, run the following command: + +.Syntax +[source,terminal] +---- +$ rosa list image-mirrors [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: Name or ID of the cluster. +|--output +|Optional: Output format. 
Allowed formats are `json`, `yaml` +|--profile +|Optional: Use a specific AWS profile from your credential file. +|--region +|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. +|=== + +.Example + +Lists all image mirror configurations for a cluster. + +[source,terminal] +---- +$ rosa list image-mirrors --cluster=mycluster +---- +.Example Outputs +[source,terminal] +---- +ID TYPE SOURCE MIRRORS +abc123def456 digest registry.example.com/team mirror.corp.com/team, backup.corp.com/ +---- + +[id="delete-image-mirroring_{context}"] +== Deleting an image mirror configuration +[NOTE] +==== +Delete operations require confirmation unless the `--yes` or `--y` argument is used. +==== + +.Procedure + +To delete an image mirror configuration from a {product-title} cluster, run the following command: + +.Syntax +[source,terminal] +---- +$ rosa delete image-mirror [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: The name or ID (string) of the cluster that the image mirror configuration will be deleted from. +|--id +|Required: ID of the image mirror configuration to delete. +|`--yes`, `-y` +|Optional: Automatically answers "yes" to confirm deletion. +|--profile +|Optional: Use a specific AWS profile from your credential file. +|--region +|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. + +|=== +.Examples +Deletes an image mirror configuration without a confirmation prompt. + +[source,terminal] +---- +$ rosa delete image-mirror --cluster=mycluster abc123def456 --yes +---- + +.Example Output +[source,terminal] +---- +I: Image mirror 'abc123def456' has been deleted from cluster 'mycluster' +---- + +Deletes an image mirror configuration with a confirmation prompt. + +[source,terminal] +---- +$ rosa delete image-mirror --cluster=mycluster --id=abc123def456 +---- + 
diff --git a/modules/rosa-create-objects.adoc b/modules/rosa-create-objects.adoc index 7c1fd939bc33..61d87faa005c 100644 --- a/modules/rosa-create-objects.adoc +++ b/modules/rosa-create-objects.adoc 
@@ -629,6 +629,83 @@ Add an identity provider following interactive prompts. ---- $ rosa create idp --cluster=mycluster --interactive ---- +ifdef::openshift-rosa-hcp[] +[id="rosa-create-idms_{context}"] +== create image mirror configurations + +[IMPORTANT] +==== +The image mirror configuration feature operates exclusively with image references by digest, meaning that image mirroring will only activate when an image is pulled using its unique and immutable ID. Any image references using a mutable tag is currently not supported by this functionality. + +{product-title} clusters must be in the **Ready** state in order to create an image mirror configuration. +==== +Creates an image mirror configuration for a cluster. + +.Syntax +[source,terminal] +---- +$ rosa create image-mirror [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +a|--cluster +|Required: The name or ID of the cluster the mirror configuration will be applied to. + +|--source +|Required: The source registry that will be mirrored. + +|--mirrors +|Required: List of mirror registries. Mirror registries must be comma-separated. + +|--type=digest +|Optional: Type of image mirror. The `digest` type is set by default and the only available `type` option. + +|--profile +|Optional: Specifies an AWS profile (string) from your credentials file. + +|--region +|Optional:Specifies an AWS region, overriding the AWS_REGION environment variable. + +|=== + +.Examples +Adds an image mirror configuration to a cluster named `mycluster`. + +[IMPORTANT] +==== +The source registry cannot be modified after creation. You must delete and recreate the image mirror to change the source. +==== + +[source,terminal] +---- +$ rosa create image-mirror --cluster=mycluster \ + --source=registry.example.com/team \ + --mirrors=mirror.corp.com/team,backup.corp.com/team +---- + +Adds an image mirror configuration with a specific type to a cluster. 
+ +[source,terminal] +---- +$ rosa create image-mirror --cluster=mycluster \ + --type=digest --source=docker.io/library \ + --mirrors=internal-registry.company.com/dockerhub +---- + +Adds multiple mirror image configurations to a cluster. + +[source,terminal] +---- +$ rosa create image-mirror --cluster=mycluster \ + --source=quay.io/openshift \ + --mirrors=mirror1.company.com/openshift,mirror2.company.com/openshift,mirror3.company.com/openshift +---- + +endif::openshift-rosa-hcp[] [id="rosa-create-ingress_{context}"] == create ingress @@ -700,12 +777,12 @@ $ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz == create kubeletconfig Create a custom `KubeletConfig` object to allow custom configuration of nodes in a -ifdef::temp-ifdef[] +ifdef::openshift-rosa[] cluster. -endif::[] -ifdef::temp-ifdef[] +endif::openshift-rosa[] +ifdef::openshift-rosa-hcp[] machine pool. -endif::[] +endif::openshift-rosa-hcp[] .Syntax [source,terminal] diff --git a/modules/rosa-delete-objects.adoc b/modules/rosa-delete-objects.adoc index d0afbf40513e..ecd235d4f01d 100644 --- a/modules/rosa-delete-objects.adoc +++ b/modules/rosa-delete-objects.adoc @@ -359,7 +359,7 @@ a|-c, --cluster \| |Shows help for this command. |--name -a| +a| ifdef::temp-ifdef[] Optional. endif::[] 
@@ -422,3 +422,52 @@ Delete the machine pool with the ID `mp-1` from a cluster named `mycluster`. ---- $ rosa delete machinepool --cluster=mycluster mp-1 ---- +ifdef::openshift-rosa-hcp[] +[id="rosa-delete-mirror-set_{context}"] +== delete image mirror configurations +[NOTE] +==== +Delete operations require confirmation unless the `--yes` or `--y` flag is used. +==== + +Deletes existing image mirror configurations. + +.Syntax +[source,terminal] +---- +$ rosa delete image-mirror [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: The name or ID (string) of the cluster that the machine pool will be deleted from. +|--id +|Required: ID of the image mirror configuration to delete. +|`--yes`, `-y` +|Optional: Automatically answer yes to confirm deletion +|--profile +|Optional: Use a specific AWS profile from your credential file. +|--region +|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. + +|=== +.Examples +Deletes a mirror configuration with confirmation prompt. + +[source,terminal] +---- +$ rosa delete image-mirror --cluster=mycluster abc123def456 --yes +---- + +Deletes a mirror configuration without confirmation prompt. + +[source,terminal] +---- +$ rosa delete image-mirror --cluster=mycluster --id=abc123def456 +---- + +endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/modules/rosa-edit-objects.adoc b/modules/rosa-edit-objects.adoc index 852eaa8fe632..d302cb79962c 100644 --- a/modules/rosa-edit-objects.adoc +++ b/modules/rosa-edit-objects.adoc @@ -338,7 +338,6 @@ $ rosa edit machinepool --max-replicas=9 --cluster=mycluster mp1 ---- ifdef::openshift-rosa-hcp[] On {product-title} clusters, edit the `mp1` machine pool to add the following behavior during upgrades: - * Allow up to 2 excess nodes to be provisioned during an upgrade. * Ensure that no more than 3 nodes are unavailable during an upgrade. 
@@ -353,4 +352,56 @@ Associate a `KubeletConfig` object with an existing `high-pid-pool` machine pool ---- $ rosa edit machinepool -c mycluster --kubelet-configs=set-high-pids high-pid-pool ---- + +[id="rosa-edit-mirror-set_{context}"] +== edit mirror image configurations +Edits the mirror lists in an existing mirror image configuration. +[NOTE] +==== +When editing image mirrors, the new mirrors list completely replaces the existing mirrors list. +==== + +.Syntax +[source,terminal] +---- +$ rosa edit image-mirror [arguments] +---- +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: The name or ID (string) of the cluster to which the ingress will be added. + +|--mirrors +|Required: New list of mirror registries that replaces current mirror registries. Mirror registries must be comma-separated. + +|--id +|Required: ID of the image mirror configuration to edit. + +|--profile +|Optional: Use a specific AWS profile from your credential file. + +|--region +|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. +|=== + +.Examples + +Replaces all mirrors. + +[source,terminal] +---- +$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ + --mirrors=new-primary.company.com/team,new-secondary.company.com/team +---- + +Replaces a single mirror. +[source,terminal] +---- +$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ + --mirrors=single-mirror.company.com/team +---- + endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/modules/rosa-list-objects.adoc b/modules/rosa-list-objects.adoc index a3c2938ff398..5b18cd225216 100644 --- a/modules/rosa-list-objects.adoc +++ b/modules/rosa-list-objects.adoc 
@@ -121,6 +121,43 @@ $ rosa list clusters [arguments] |--profile |Specifies an AWS profile (string) from your credentials file. |=== +ifdef::openshift-rosa-hcp[] +[id="rosa-list-configured-mirror-sets_{context}"] +== list mirror image configurations + +Lists mirrors within a mirror configuration. + +.Syntax +[source,terminal] +---- +$ rosa list image-mirrors [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: Name or ID of the cluster. +|--output +|Optional: Output format. Allowed formats are `json` and `yaml`. +|--profile +|Optional: Use a specific AWS profile from your credential file. +|--region +|Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. +|=== + +.Example + +Lists image mirrors within the image mirror configuration. + +[source,terminal] +---- +$ rosa list image-mirrors --cluster=mycluster +---- + +endif::openshift-rosa-hcp[] [id="rosa-list-external-auth-provider_{context}"] == list external-auth-provider 
@@ -273,69 +310,7 @@ List IAM service account roles for a specific namespace in a cluster. $ rosa list iamserviceaccounts --cluster=mycluster --namespace=production ---- -[id="rosa-describe-iamserviceaccount_{context}"] -== describe iamserviceaccount -Show detailed information about an IAM role created for an OpenShift service account. - -.Syntax -[source,terminal] ----- -$ rosa describe iamserviceaccount --cluster= | [arguments] ----- - -.Arguments -[cols="30,70"] -|=== -|Option |Definition - -a|--cluster \| -|Required. The name or ID of the cluster. - -|--name -|The name of the OpenShift service account. Required when `--role-name` is not specified. - -|--namespace -|The OpenShift namespace for the service account. Default: `default` - -|--role-name -|The name of the IAM role to describe. If not specified, the role name will be auto-detected using the service account details. - -|=== - -.Optional arguments inherited from parent commands -[cols="30,70"] -|=== -|Option |Definition - -|--help -|Shows help for this command. - -|--debug -|Enables debug mode. - -|--output -|The output format. Allowed formats are `json` or `yaml`. - -|--profile -|Specifies an AWS profile from your credentials file. - -|=== - -.Examples -Describe an IAM role for a service account named `my-app` in the `default` namespace. - -[source,terminal] ----- -$ rosa describe iamserviceaccount --cluster=mycluster --name=my-app ----- - -Describe an IAM role by specifying the role name directly. - -[source,terminal] ----- -$ rosa describe iamserviceaccount --cluster=mycluster --role-name=my-custom-role ----- [id="rosa-list-ingresses_{context}"] == list ingresses 
@@ -830,6 +805,71 @@ Describe a cluster named `mycluster`. $ rosa describe cluster --cluster=mycluster ---- +[id="rosa-describe-iamserviceaccount_{context}"] +== describe iamserviceaccount + +Shows detailed information about an IAM role created for an OpenShift service account. + +.Syntax +[source,terminal] +---- +$ rosa describe iamserviceaccount --cluster= | [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +a|--cluster \| +|Required. The name or ID of the cluster. + +|--name +|The name of the OpenShift service account. Required when `--role-name` is not specified. + +|--namespace +|The OpenShift namespace for the service account. Default: `default` + +|--role-name +|The name of the IAM role to describe. If not specified, the role name will be auto-detected using the service account details. + +|=== + +.Optional arguments inherited from parent commands +[cols="30,70"] +|=== +|Option |Definition + +|--help +|Shows help for this command. + +|--debug +|Enables debug mode. + +|--output +|The output format. Allowed formats are `json` or `yaml`. + +|--profile +|Specifies an AWS profile from your credentials file. + +|=== + +.Examples +Describes an IAM role for a service account named `my-app` in the `default` namespace. + +[source,terminal] +---- +$ rosa describe iamserviceaccount --cluster=mycluster --name=my-app +---- + +Describes an IAM role by specifying the role name directly. + +[source,terminal] +---- +$ rosa describe iamserviceaccount --cluster=mycluster --role-name=my-custom-role +---- + + [id="rosa-describe-kubeletconfig_{context}"] == describe kubeletconfig 
@@ -914,3 +954,16 @@ Describe a machine pool named `mymachinepool` on a cluster named `mycluster`. ---- $ rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool ---- +//Not currently supported in current iteration +// ifdef::openshift-rosa-hcp[] +// [id="rosa-describe-specific-mirror_set_{context}"] +// == describe specific mirror set + +// Describes a specific mirror set. + +// .Syntax +// [source,terminal] +// ---- +// $ rosa describe idms corp-registry --cluster my-cluster +// ---- +// endif::openshift-rosa-hcp[] diff --git a/modules/rosa-sts-cluster-terraform-mirror-image.adoc b/modules/rosa-sts-cluster-terraform-mirror-image.adoc new file mode 100644 index 000000000000..0b6083ae326e --- /dev/null +++ b/modules/rosa-sts-cluster-terraform-mirror-image.adoc 
@@ -0,0 +1,64 @@ +// Module included in the following assemblies: +// +// * rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc + + +// ifeval::["{context}" == "rosa-classic-creating-a-cluster-quickly-terraform"] +// :tf-rosa-classic: +// endif::[] +// ifeval::["{context}" == "rosa-hcp-creating-a-cluster-quickly-terraform"] +// :tf-rosa-hcp: +// endif::[] +:_mod-docs-content-type: CONCEPT + +[id="rosa-sts-cluster-terraform-mirror-image_{context}"] += Configuring image mirroring in Terraform for your {product-title} cluster + +Terraform users can configure an image mirror for {product-title} clusters. This action creates a rule that redirects requests for container images from a public source to your internal corporate registries. + +include::snippets/terraform-modification-disclaimer.adoc[] + +.Procedure + +. Add the following `rhcs_image_mirror` resource block to your Terraform configuration file (for example, `main.tf`), replacing the variable values with your specific requirements. ++ +[source,terminal] +---- +resource "rhcs_image_mirror" "corp_registry_explicit" { + cluster_id = rhcs_cluster_rosa_hcp.my_cluster.id + name = "corp-registry-explicit" + type = "digest" + + source = "registry.example.com/team" + mirrors = [ + "mirror.corp.com/team", + "backup.corp.com/team" + ] + } +---- + +. Initialize the directory by running the following command: + ++ +[source,terminal] +---- +$ terraform init +---- ++ +. Review the execution plan by running the following command: ++ +[source,terminal] +---- +$ terraform plan +---- ++ +. Once you have confirmed that only one resource (`rhcs_image_mirror`) will be added to your {product-title} cluster, and nothing will be changed or destroyed, run the following command to apply the changes: ++ +[source,terminal] +---- +$ terraform apply +---- ++ +. Click **Enter** to approve the changes. + +The `ImageContentSourcePolicy` is now configured on your cluster, and the image mirror will be active. 
\ No newline at end of file diff --git a/openshift_images/configuring-samples-operator.adoc b/openshift_images/configuring-samples-operator.adoc index fe4c7975ced3..7f06738ef61a 100644 --- a/openshift_images/configuring-samples-operator.adoc +++ b/openshift_images/configuring-samples-operator.adoc @@ -23,7 +23,7 @@ The Cluster Samples Operator, which operates in the `openshift` namespace, insta endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] [IMPORTANT] -.The Cluster Samples Operator is being deprecated +.The Cluster Samples Operator is being deprecated ==== * Starting from {product-title} 4.16, the Cluster Samples Operator is deprecated. No new templates, samples, or non-Source-to-Image (Non-S2I) image streams will be added to the Cluster Samples Operator. However, the existing S2I builder image streams and templates will continue to receive updates until the Cluster Samples Operator is removed in a future release. S2I image streams and templates include: - Ruby 
@@ -49,13 +49,13 @@ include::modules/samples-operator-overview.adoc[leveloffset=+1] == Additional resources * If the Cluster Samples Operator is removed during installation, you can xref:../openshift_images/samples-operator-alt-registry.adoc#samples-operator-alt-registry[use the Cluster Samples Operator with an alternate registry] so content can be imported, and then set the Cluster Samples Operator to `Managed` to get the samples. -// Restricted network not supported ROSA/OSD +// Restricted network not supported ROSA/OSD ifndef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] * To ensure the Cluster Samples Operator bootstraps as `Removed` in a restricted network installation with initial network access to defer samples installation until you have decided which samples are desired, follow the instructions for xref:../installing/install_config/installing-customizing.adoc#installing-customizing[customizing nodes] to override the Cluster Samples Operator default configuration and initially come up as `Removed`. ** To host samples in your disconnected environment, follow the instructions for xref:../openshift_images/samples-operator-alt-registry.adoc#samples-operator-alt-registry[using the Cluster Samples Operator with an alternate registry]. endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] -// Restricted network not supported ROSA/OSD +// Restricted network not supported ROSA/OSD ifndef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] include::modules/installation-images-samples-disconnected-mirroring-assist.adoc[leveloffset=+2] @@ -71,8 +71,6 @@ endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[] include::modules/images-samples-operator-deprecated-image-stream.adoc[leveloffset=+1] - [role="_additional-resources"] == Additional resources - * For more information about configuring credentials, see xref:../openshift_images/managing_images/using-image-pull-secrets.adoc#using-image-pull-secrets[Using image pull secrets]. 
diff --git a/openshift_images/image-configuration-hcp.adoc b/openshift_images/image-configuration-hcp.adoc index 81c566feb49f..fe181d958ea4 100644 --- a/openshift_images/image-configuration-hcp.adoc +++ b/openshift_images/image-configuration-hcp.adoc @@ -16,6 +16,14 @@ include::modules/images-configuration-image-registry-settings-hcp.adoc[leveloffs include::modules/images-editing-image-registry-settings-hcp.adoc[leveloffset=+1] + include::modules/images-updating-platform-allowlist-hcp.adoc[leveloffset=+2] +ifdef::openshift-rosa-hcp[] + +include::modules/images-registry-mirroring.adoc[leveloffset=+1] +[role="_additional-resources"] +== Additional resources +* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-hcp-about-iam-resources[About IAM resources] +endif::openshift-rosa-hcp[] \ No newline at end of file diff --git a/rosa_architecture/rosa-sts-about-iam-resources.adoc b/rosa_architecture/rosa-sts-about-iam-resources.adoc index f1e01eaf422f..efaa818421d4 100644 --- a/rosa_architecture/rosa-sts-about-iam-resources.adoc +++ b/rosa_architecture/rosa-sts-about-iam-resources.adoc @@ -5,13 +5,13 @@ // openshift-docs/rosa_architecture/rosa-sts-about-iam-resources.adoc ifndef::openshift-rosa-hcp[] [id="rosa-sts-about-iam-resources"] -= Required IAM resources for STS clusters += About IAM resources for STS clusters include::_attributes/attributes-openshift-dedicated.adoc[] :context: rosa-sts-about-iam-resources endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] [id="rosa-hcp-about-iam-resources"] -= Required IAM resources += About IAM resources include::_attributes/attributes-openshift-dedicated.adoc[] :context: rosa-sts-about-iam-resources endif::openshift-rosa-hcp[] diff --git a/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc b/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc index ceba3451f80d..bc928acd384a 100644 --- a/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc 
+++ b/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.adoc @@ -29,7 +29,14 @@ The cluster creation process outlined below shows how to use Terraform to create include::modules/rosa-sts-cluster-terraform-setup.adoc[leveloffset=+2] include::modules/rosa-hcp-cluster-terraform-file-creation.adoc[leveloffset=+2] + include::modules/rosa-sts-cluster-terraform-execute.adoc[leveloffset=+2] + +// Commenting this out for now. PM will decide if this is necessary at a later date, and also placement of module. +// ifdef::openshift-rosa-hcp[] +// include::modules/rosa-sts-cluster-terraform-mirror-image.adoc[leveloffset=+2] +// endif::openshift-rosa-hcp[] + include::modules/rosa-sts-cluster-terraform-destroy.adoc[leveloffset=+2] [role="_additional-resources"] diff --git a/rosa_release_notes/rosa-release-notes.adoc b/rosa_release_notes/rosa-release-notes.adoc index 43283adfecc4..48d4809f15c0 100644 --- a/rosa_release_notes/rosa-release-notes.adoc +++ b/rosa_release_notes/rosa-release-notes.adoc @@ -13,7 +13,15 @@ toc::[] [id="rosa-new-changes-and-updates_{context}"] == New changes and updates + +[id="rosa-q4-2025_{context}"] +=== Q4 2025 +ifdef::openshift-rosa-hcp[] +* ** ImageDigestMirrorSets (IDMS) now supported.** +{product-title} now supports ImageDigestMirrorSets (IDMS), enabling clusters to redirect image pulls to a private, mirrored registry. This critical enhancement means customers in air-gapped or restricted networks can host their own mirrors for third-party images while satisfying strict security and compliance requirements. For more information, see xref:../openshift_images/image-configuration-hcp.adoc#images-registry-mirroring_image-configuration-hcp[Image registry mirroring for {product-title}]. +endif::openshift-rosa-hcp[] [id="rosa-q3-2025_{context}"] + === Q3 2025 ifdef::openshift-rosa-hcp[] * ** New cluster deletion policy.**
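Review bot: in modules/images-registry-mirroring.adoc, the *Enhanced Security* bullet overstates what the feature enforces. It says that "forcing image pulls from a private, mirrored registry" lets you scan and approve all images, but the IMPORTANT block at the top of the same module says mirroring only activates for pulls by digest and that tag references are not supported. Suggest scoping the bullet to digest-referenced images and saying explicitly what happens to tag-based pulls, so readers do not assume every pull is confined to the mirror. Two smaller points in the same hunk: under "Editing an image mirroring configuration" the example output lists `Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team]` after a command that passed only `--mirrors=single-mirror.company.com/team`, which contradicts the NOTE that the new list completely replaces the old one. Under "Deleting an image mirror configuration" the NOTE names `--y` while the arguments table names `-y`, and the first example passes the ID positionally although `--id` is marked Required.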
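Review bot: in modules/rosa-create-objects.adoc (hunk at -629), the last example is introduced as "Adds multiple mirror image configurations to a cluster." but the command creates one configuration with a single `--source=quay.io/openshift` and three `--mirrors` entries. The new concept module words the same command as "Creating a single image mirror configuration with multiple mirrors", and the reference entry should match. Also in this hunk: "Any image references using a mutable tag is currently not supported" needs "are", and `|Optional:Specifies an AWS region` is missing the space after the colon.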
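Review bot: in modules/rosa-delete-objects.adoc (hunk at -422), the two example captions are swapped. "Deletes a mirror configuration with confirmation prompt." sits above the command that passes `--yes`, and "without confirmation prompt" sits above the command that does not, so a reader copying the first example will delete the configuration with no prompt. The new concept module has the same two commands labelled the other way round. The `--cluster` row also still reads "the cluster that the machine pool will be deleted from", the NOTE says `--y` where the table says `-y`, and the first example passes `abc123def456` positionally although `--id` is listed as Required.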
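Review bot: in modules/rosa-edit-objects.adoc (hunk at -352), the `--cluster` row is a leftover from another command: "the cluster to which the ingress will be added". It should describe the cluster whose image mirror configuration is edited, as the concept module does. The section title "edit mirror image configurations" also reverses the word order used by the command (`image-mirror`) and by the create and delete sections ("image mirror configurations"); pick one form across the reference modules.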
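Review bot: in modules/rosa-list-objects.adoc (hunk at -121), the description "Lists mirrors within a mirror configuration." does not match the command's documented arguments, which take only `--cluster` and no `--id`. The concept module describes the same command as listing all image mirror configurations for a cluster, and its example output shows one row per configuration. Suggest reusing that wording here and in the example caption.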
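Review bot: in modules/rosa-sts-cluster-terraform-mirror-image.adoc, the closing sentence names the wrong object: "The `ImageContentSourcePolicy` is now configured on your cluster". Everything else in this patch, including the `type = "digest"` in the resource block, describes an `ImageDigestMirrorSet`, so the sentence should name that object or be reworded to "the image mirror configuration". Other points in the same module: the HCL resource block is tagged `[source,terminal]`, the last step says "Click **Enter**" for a terminal prompt, and the module is typed `CONCEPT` while it contains a `.Procedure`. The only include for this file, in rosa-hcp-creating-a-cluster-quickly-terraform.adoc, is added commented out, so the module ships unreferenced; consider holding the file back until the placement is decided.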
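Review bot: in rosa_release_notes/rosa-release-notes.adoc, the added blank line lands between `[id="rosa-q3-2025_{context}"]` and `=== Q3 2025`, while the new Q4 block directly above keeps its `[id=...]` line immediately over its heading. Move the blank line to above the Q3 `[id=...]` line so the anchor stays attached to its heading in the same way as the Q4 entry.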