
gha: use aws sm#4

Merged
andrewhsu merged 2 commits into
mainfrom
PESDLC-1539-gha-use-aws-sm
Jun 27, 2024

Conversation

@andrewhsu
Member

Description

fixes: https://redpandadata.atlassian.net/browse/PESDLC-1539

Page previews

N/A

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

so future updates to yaml can be parsed properly
@netlify

netlify Bot commented Jun 26, 2024

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit fef77ae
🔍 Latest deploy log https://app.netlify.com/sites/rp-cloud/deploys/667d930c0bba1c0008b0fc20
😎 Deploy Preview https://deploy-preview-4--rp-cloud.netlify.app

@andrewhsu andrewhsu marked this pull request as ready for review June 27, 2024 16:28
@andrewhsu andrewhsu requested a review from a team as a code owner June 27, 2024 16:28
@andrewhsu andrewhsu requested review from JakeSCahill and ivotron June 27, 2024 16:28
@andrewhsu andrewhsu merged commit 0aa64ff into main Jun 27, 2024
@andrewhsu andrewhsu deleted the PESDLC-1539-gha-use-aws-sm branch June 27, 2024 19:09
david-yu added a commit that referenced this pull request May 20, 2026
Critical #1: Partial is shared across AWS/Azure/GCP — content must be
provider-neutral. Replaced AWS-specifics in the Console verify section:
"PrivateLink endpoint" → "cluster's private endpoint", example IP
172.31.0.97 → 10.0.0.42, "client VPC" → "client network", and dropped
the xref to the AWS-only workstation section. AWS UI page now has a
short forward link to the workstation section immediately after the
partial include.

Critical #2: Cloud API flow's connect_console requirement was silent.
Added a sentence stating that the Cloud API requires connect_console:
true and that the Cloud UI sets it automatically. Removed the now-
obsolete "Confirm with engineering" item from the PR test plan.

Critical #3: "API gateway access PRIVATE/PUBLIC" is not a documented
term anywhere in the repo. Dropped the bullet rather than reintroduce a
verbose explanation of networking_config out of scope for this PR.

Critical #4: Workstation intro contradicted the partial's PUBLIC bullet.
Resolved by Critical #3 (PUBLIC bullet is gone); the workstation intro
already scopes to private clusters.

Suggestion #6: Widened AWS Client VPN client CIDR from "/22 or larger"
to "/22 (minimum) to /12 (maximum)" per AWS's documented constraint.

Suggestion #5: Console URL <id> opaque note clarified.

NOTE block in the partial now also frames inbound rules as cloud-neutral
("AWS security groups, Azure NSGs, or GCP firewall rules") so the
guidance is accurate when the partial renders on non-AWS pages.

Skipped (with rationale in reply): Suggestion #7 (Mermaid — style only)
and Suggestion #8 (page split — bigger refactor for a follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
micheleRP pushed a commit that referenced this pull request May 21, 2026
* docs(networking): document Console access over AWS PrivateLink

Adds a Console row to the PrivateLink services table and a new "Access
Redpanda Console" subsection in the shared partial. Engineering confirmed
that DNS for the Console hostname is auto-resolved by the verified
private DNS name on the endpoint service, so consumers do not need to
create a private hosted zone or override DNS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(networking): add step-by-step verify for Console over PrivateLink

Verified end-to-end against a private BYOC cluster with a PrivateLink
endpoint in a consumer VPC:

- Cluster DNS publicly returns service-side LB IPs (10.0.x.x).
- From inside the consumer VPC, dig returns the endpoint's ENI private
  IP (e.g. 172.31.0.97) via the verified private DNS name
  `*.<cluster_domain>` registered on the endpoint service.
- curl returns HTTP 200 with title "Redpanda Console" served over
  HTTPS through the endpoint.

Corrects the Console URL form from `console.<cluster_domain>` to
`console-<id>.<cluster_domain>` (the random per-cluster id suffix the
control plane assigns), and points to the *How to Connect* section as
the authoritative source.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(networking): add workstation access via AWS Client VPN

Adds a new section to the Cloud UI page describing how to access
Redpanda Console for a private BYOC cluster from a workstation outside
the client VPC. Verified against a real cluster.

Key points captured:
- Cluster Console for a private BYOC cluster is not browsable directly;
  the SPA loads but has no standalone login form. Authentication is
  handed off from Redpanda Cloud Console.
- The cluster Overview page on cloud.redpanda.com is served by the
  control plane and works without a VPN.
- The cluster's left navigation (Topics, Brokers, Consumer groups) is
  served by Redpanda Console behind PrivateLink, so it only loads when
  the workstation has a VPN session into the client VPC.
- AWS Client VPN settings specific to PrivateLink: client CIDR must not
  overlap VPC CIDR, DNS server IPs must point at the VPC's resolver
  (so Console hostnames resolve via the endpoint ENI), split-tunnel
  enabled.

Softens the partial's Console section from "browse to the URL" to a
network-path verification, with a forward reference to the workstation
flow on the Cloud UI page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(networking): add workstation → cluster network path diagram

ASCII diagram in the workstation access section showing the two-hop
flow: Client VPN puts the laptop into the client VPC, then PrivateLink
carries the connection to the cluster. Clarifies that Client VPN itself
does not use PrivateLink — the VPN is just one of several ways a client
can reach the VPC, and PrivateLink is the constant once you're inside.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(networking): address PR review feedback

- Drop "only" in the workstation intro; Console is reachable through
  other private routes too (VPC peering, transit gateway). Per
  @paulzhang97 review.
- Widen the Client VPN inbound port range from 30000-30999 to
  30000-35999 to cover both seed and per-broker Kafka API and HTTP
  Proxy ports. Per @paulzhang97 review.
- Tighten partial's port 443 SG guidance to scope inbound to client
  workload sources (consumer VPC CIDR or specific client security
  groups) and call out that broad source ranges like 0.0.0.0/0 should
  be avoided. Per @coderabbitai nitpick.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(networking): address review from @micheleRP

Critical #1: Partial is shared across AWS/Azure/GCP — content must be
provider-neutral. Replaced AWS-specifics in the Console verify section:
"PrivateLink endpoint" → "cluster's private endpoint", example IP
172.31.0.97 → 10.0.0.42, "client VPC" → "client network", and dropped
the xref to the AWS-only workstation section. AWS UI page now has a
short forward link to the workstation section immediately after the
partial include.

Critical #2: Cloud API flow's connect_console requirement was silent.
Added a sentence stating that the Cloud API requires connect_console:
true and that the Cloud UI sets it automatically. Removed the now-
obsolete "Confirm with engineering" item from the PR test plan.

Critical #3: "API gateway access PRIVATE/PUBLIC" is not a documented
term anywhere in the repo. Dropped the bullet rather than reintroduce a
verbose explanation of networking_config out of scope for this PR.

Critical #4: Workstation intro contradicted the partial's PUBLIC bullet.
Resolved by Critical #3 (PUBLIC bullet is gone); the workstation intro
already scopes to private clusters.

Suggestion #6: Widened AWS Client VPN client CIDR from "/22 or larger"
to "/22 (minimum) to /12 (maximum)" per AWS's documented constraint.

Suggestion #5: Console URL <id> opaque note clarified.

NOTE block in the partial now also frames inbound rules as cloud-neutral
("AWS security groups, Azure NSGs, or GCP firewall rules") so the
guidance is accurate when the partial renders on non-AWS pages.

Skipped (with rationale in reply): Suggestion #7 (Mermaid — style only)
and Suggestion #8 (page split — bigger refactor for a follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(networking): convert workstation network-path diagram to Mermaid

Per @micheleRP suggestion #7, switches the ASCII flow diagram to a
Mermaid flowchart using the @sntke/antora-mermaid-extension already
configured in local-antora-playbook.yml.

Preserves the original flow: five top-to-bottom nodes (Workstation →
AWS Client VPN endpoint → Client VPC subnet → PrivateLink VPC endpoint
ENI → Redpanda cluster VPC → Console load balancer → Redpanda Console),
the same edge labels between them, and the two side annotations
("AWS-managed; not PrivateLink" next to the Client VPN endpoint,
"PrivateLink begins here" next to the PrivateLink ENI) as parallelogram
note shapes attached with dashed links.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Revert "docs(networking): convert workstation network-path diagram to Mermaid"

This reverts commit 7bb3423.

* docs(networking): lowercase descriptor "Client" → "client"

"Client" should not be capitalized in body text when used as a
descriptor (client VPN tunnel, client VPN endpoint, client VPC subnet,
etc.). The capitalized form is reserved for proper nouns:

- "AWS Client VPN" — AWS service name
- "AWS VPN Client" — AWS desktop application name
- "Client IPv4 CIDR" — AWS UI field label

Seven occurrences updated; the three proper-noun forms are preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
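The referenced commit messages above list the AWS Client VPN settings a private cluster needs (client CIDR between /22 and /12 and not overlapping the VPC, DNS pointed at the VPC resolver, split-tunnel on) and the inbound rule guidance (443 and 30000-35999 scoped to client sources, never 0.0.0.0/0). The following is an added checker for those constraints; it is not code from this repository, and the function names and sample CIDRs are constructed for illustration.

```python
import ipaddress

# Constraints below are the ones stated in the commit messages on this page;
# the sample values passed in by callers are constructed, not real infrastructure.

def check_client_vpn(client_cidr, vpc_cidr, dns_servers, split_tunnel):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    client = ipaddress.ip_network(client_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    # AWS accepts a client CIDR from /22 (smallest block) to /12 (largest).
    if not 12 <= client.prefixlen <= 22:
        findings.append(f"client CIDR {client} must be between /22 and /12")
    # Overlap with the VPC CIDR breaks routing once the tunnel is up.
    if client.overlaps(vpc):
        findings.append(f"client CIDR {client} overlaps VPC CIDR {vpc}")
    # DNS must be the VPC resolver so Console hostnames resolve to the endpoint ENI.
    for dns in dns_servers:
        if ipaddress.ip_address(dns) not in vpc:
            findings.append(f"DNS server {dns} is outside the VPC; Console "
                            "hostnames will not resolve to the endpoint ENI")
    if not split_tunnel:
        findings.append("split-tunnel disabled: all client traffic is forced through the VPN")
    return findings

# Ports clients need on the endpoint: Console (443), seed and per-broker
# Kafka API / HTTP Proxy ports (30000-35999).
REQUIRED_PORTS = [(443, 443), (30000, 35999)]

def check_inbound_rules(rules, client_sources):
    """rules: list of (from_port, to_port, source_cidr) inbound entries.
    client_sources: CIDRs of the client workloads that should be allowed.
    Flags open-to-world or unknown sources and required ranges no rule covers."""
    findings = []
    allowed = [ipaddress.ip_network(s) for s in client_sources]
    for lo, hi, src in rules:
        net = ipaddress.ip_network(src)
        if net.prefixlen == 0:
            findings.append(f"rule {lo}-{hi} from {src} is open to the internet")
        elif not any(net.subnet_of(a) for a in allowed):
            findings.append(f"rule {lo}-{hi} from {src} is not a known client source")
    for lo, hi in REQUIRED_PORTS:
        if not any(rlo <= lo and hi <= rhi for rlo, rhi, _ in rules):
            findings.append(f"no inbound rule covers ports {lo}-{hi}")
    return findings
```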
