Merge pull request #83582 from mletalie/OSDOCS-9401

EricPonvelle · web-flow · commit 161d0f07833d · 2024-11-12T11:44:07.000-05:00
[OSDOCS-9401]:Document support for Private Service Connect on OSD-GCP
diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
@@ -121,6 +121,8 @@ Distros: openshift-dedicated
 Topics:
 - Name: Creating a cluster on AWS
   File: creating-an-aws-cluster
+- Name: Creating a GCP Private Service Connect enabled private cluster
+  File: creating-a-gcp-psc-enabled-private-cluster
 - Name: Creating a cluster on GCP
   File: creating-a-gcp-cluster
 - Name: Configuring your identity providers
diff --git a/images/psc-arch-overview.png b/images/psc-arch-overview.png
diff --git a/modules/private-service-connect-create.adoc b/modules/private-service-connect-create.adoc
@@ -0,0 +1,10 @@
+// Module included in the following assemblies:
+//
+// * osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="private-service-connect-create"]
+= Creating a private cluster with Private Service Connect
+
+Private Service Connect is supported with the Customer Cloud Subscription (CCS) infrastructure type only. To create an {product-title} on {GCP} using PSC, see
+ xref:../osd_install_access_delete_cluster/creating-a-gcp-cluster.adoc#osd-create-cluster-gcp-account_osd-creating-a-cluster-on-gcp[Creating a cluster on GCP with Google Cloud Marketplace].
diff --git a/modules/private-service-connect-overview.adoc b/modules/private-service-connect-overview.adoc
@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="private-service-connect-overview"]
+= Private Service Connect overview
+Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. Users that implement PSC as part of their network connectivity can deploy {product-title} clusters in a private and secured environment within {GCP} without any public facing cloud resources.
+For more information on PSC, see link:https://cloud.google.com/vpc/docs/private-service-connect[Private Service Connect].
+
+[IMPORTANT]
+====
+Private Service Connect is supported by the Customer Cloud Subscription (CCS) infrastructure type only.
+====
+
+[id="psc-architecture_{context}"]
+== Private Service Connect architecture
+
+The PSC architecture includes producer services and consumer services. Using PSC, the consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connect to their consumers.
+
+The following image depicts how Red HAT SREs and other internal resources access and support clusters created using PSC.
+
+* A unique PSC Service Attachment is created for each OSD cluster in the customer GCP project. The PSC Service Attachment points to the cluster API server load balancer created in the customer GCP project.
+
+* Similar to Service Attachments, a unique PSC Service Endpoint is created in the Red Hat Management GCP project for each OSD cluster.
+
+* A dedicated subnet for GCP Private Service Connect is created in the cluster’s network within the customer GCP project. This is a special subnet type where the producer services are published via PSC Service Attachments. This subnet is used to Source NAT (SNAT) incoming requests to the cluster API server. Additionally, the PSC subnet must be within the Machine CIDR range and cannot be used in more than one Service Attachment.
+
+* Red Hat internal resources and SREs access private OSD clusters using the connectivity between a PSC Endpoint and Service Attachment. Even though the traffic transits multiple VPC networks, it remains entirely within Google Cloud.
+
+* Access to PSC Service Attachments is possible only via the Red Hat Management project.
+
+.PSC architecture overview
+image::psc-arch-overview.png[PSC architecture overview]
diff --git a/modules/private-service-connect-prereqs.adoc b/modules/private-service-connect-prereqs.adoc
@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="private-service-connect-prereqs"]
+= Prerequisites
+
+In addition to the prerequisites that you need to complete before deploying any {product-title} on {GCP} cluster, you must also complete the following prerequisites to deploy a private cluster using Private Service Connect (PSC):
+
+* A pre-created Virtual Private Cloud (VPC) with the following subnets in the same {GCP} region where your cluster will be deployed:
+
+** A control plane subnet
+** A worker subnet
+** A subnet used for the PSC service attachment with the purpose set to Private Service Connect.
++
+[IMPORTANT]
+====
+The subnet mask for the PSC service attachment must be /29 or larger and must be dedicated to an individual {product-title} cluster. Additionally, the subnet must be contained within the Machine CIDR range used while provisioning the {product-title} cluster.
+====
++
+For information on how to create a VPC on {GCP}, see link:https://cloud.google.com/vpc/docs/create-modify-vpc-networks[Create and manage VPC networks] in the Google Cloud documentation.
+
+* Provide a path from the OpenShift Dedicated cluster to the internet for the domains and ports listed in the _GCP firewall prerequisites_ in the _Additional resources_ section.
+
+* Enabled link:https://console.cloud.google.com/marketplace/product/google/iap.googleapis.com?q=search&referrer=search&hl=en&project=openshift-gce-devel[Cloud Identity-Aware Proxy API] at the {GCP} project level.
+
+In addition to the requirements listed above, clusters configured with the **Service Account authentication type** must grant the `IAP-Secured Tunnel User` role to `osd-ccs-admin` service account.
+
+For more information on the prerequisites that must be completed before deploying an {product-title} on {GCP}, see _Additional resources_.
+
+// [id="prereqs-wif-authentication_{context}"]
+// == Requirements when using Workload Identity Federation authentication type
+
+// [id="prereqs-sa-authentication_{context}"]
+// == Requirements when using Service Account as the authentication type
+
diff --git a/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc b/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.adoc
@@ -0,0 +1,22 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="osd-creating-a-gcp-psc"]
+= Creating a GCP Private Service Connect enabled private cluster
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: osd-creating-a-gcp-psc-enabled-private-cluster
+
+toc::[]
+You can create a private {product-title} cluster on {GCP} using Google Cloud's security-enhanced networking feature Private Service Connect (PSC).
+
+include::modules/private-service-connect-overview.adoc[leveloffset=+1]
+
+include::modules/private-service-connect-prereqs.adoc[leveloffset=+1]
+
+include::modules/private-service-connect-create.adoc[leveloffset=+1]
+
+
+[id="additional-resources_{context}"]
+== Additional resources
+For information on {product-title} on {GCP} cluster prerequisites, see xref:../osd_planning/gcp-ccs.adoc#ccs-gcp-customer-requirements_gcp-ccs[Customer Requirements].
+
+For information about configuring your firewalls , see xref:../osd_planning/gcp-ccs.adoc#osd-gcp-psc-firewall-prerequisites_gcp-ccs[GCP firewall prerequisites].
+//Once  https://issues.redhat.com/browse/OSDOCS-7329 goes live, put link directly to this topic.
