resolved conflict

fmcdonal · fmcdonal · commit 00027e95e86e · 2024-10-17T14:41:56.000+01:00
updated blocked parameters and ca file in output

hcp topic map suppotr gather data conflict resolved

resolved callout

applied new trusted ca and config platform allowlist on editing command and not configuring

applied ying suggestions about platform in example outputs

applied maggie suggestions

created new module for platform allowlist

removed  platform allowlist from parameters file

removed  plus sign from parameters file

added platform list in create and edit workflow outputs

removed line from platform allowed
diff --git a/modules/images-configuration-image-registry-settings-hcp.adoc b/modules/images-configuration-image-registry-settings-hcp.adoc
@@ -96,17 +96,25 @@ Audit Log Forwarding:       Disabled
 External Authentication:    Disabled
 Etcd Encryption:            Disabled
 Registry Configuration:
- - Allowed Registries:     <allowed_registry> <1>
- - Insecure Registries:    <insecure_registry> <2>
- - Allowed Registries for Import: <3>
-    - Domain Name:          <domain_name> <4>
-    - Insecure:             true <5>
+ - Allowed Registries: <allowed_registry> <1> <2>
+ - Insecure Registries: <insecure_registry> <3>
+ - Allowed Registries for Import: <4>
+    - Domain Name: <domain_name> <5>
+    - Insecure: true <6>
+ - Platform Allowlist: <platform_allowlist_id> <7>
+    - Registries:      <list_of_registries> <8>
+ - Additional Trusted CA: <9>
+    - <registry_name> : REDACTED
 ----
 <1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
-<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
-<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
-<4> `domainName`: Specifies a domain name for the registry.
-<5> `insecure`: Indicates whether the registry is secure or insecure.
+<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
+<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
+<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
+<5> `domainName`: Specifies a domain name for the registry.
+<6> `insecure`: Indicates whether the registry is secure or insecure.
+<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
+<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
+<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
 
 . List your nodes to check the applied changes by running the following command:
 +
diff --git a/modules/images-configuration-parameters-hcp.adoc b/modules/images-configuration-parameters-hcp.adoc
@@ -32,9 +32,6 @@ Parameters such as `DisableScheduledImport`, `MaxImagesBulkImportedPerRepository
 |`registry-config-additional-trusted-ca`
 |A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
 
-|`registry-config-platform-allowlist`
-|A list of Red{nbsp}Hat registries is automatically allowed. This list can be periodically updated and impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID.
-
 |===
 
 [WARNING]
diff --git a/modules/images-editing-image-registry-settings-hcp.adoc b/modules/images-editing-image-registry-settings-hcp.adoc
@@ -104,14 +104,22 @@ Audit Log Forwarding:       Disabled
 External Authentication:    Disabled
 Etcd Encryption:            Disabled
 Registry Configuration:
- - Allowed Registries:      <allowed_registry> <1>
- - Insecure Registries:     <insecure_registry> <2>
- - Allowed Registries for Import: <3>
-    - Domain Name:          <domain_name> <4>
-    - Insecure:             true <5>
+ - Allowed Registries: <allowed_registry> <1> <2>
+ - Insecure Registries: <insecure_registry> <3>
+ - Allowed Registries for Import: <4>
+    - Domain Name: <domain_name> <5>
+    - Insecure: true <6>
+ - Platform Allowlist: <platform_allowlist_id> <7>
+    - Registries:      <list_of_registries> <8>
+ - Additional Trusted CA: <9>
+    - <registry_name> : REDACTED
 ----
 <1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
-<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
-<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
-<4> `domainName`: Specifies a domain name for the registry.
-<5> `insecure`: Indicates whether the registry is secure or insecure.
+<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
+<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
+<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
+<5> `domainName`: Specifies a domain name for the registry.
+<6> `insecure`: Indicates whether the registry is secure or insecure.
+<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
+<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
+<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
diff --git a/modules/images-updating-platform-allowlist-hcp.adoc b/modules/images-updating-platform-allowlist-hcp.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration-hcp.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="images-updating-platform-allowlist-hcp_{context}"]
+= Updating platform allowlist for {hcp-title}
+
+A list of Red Hat registries is automatically allowed and it is visible when running rosa describe cluster. This list can be periodically updated to ensure platform can be operated correctly. Impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID. Update or edit the image registry for the cluster by running the following command:
+
+[source,terminal]
+----
+$ rosa edit cluster --registry-config-platform-allowlist <newID>
+----
diff --git a/openshift_images/image-configuration-hcp.adoc b/openshift_images/image-configuration-hcp.adoc
@@ -17,6 +17,8 @@ include::modules/images-configuration-image-registry-settings-hcp.adoc[leveloffs
 
 include::modules/images-editing-image-registry-settings-hcp.adoc[leveloffset=+1]
 
+include::modules/images-updating-platform-allowlist-hcp.adoc[leveloffset=+2]
+
 ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
 [role="_additional-resources"]
 .Additional resources
