Merge pull request #87863 from lahinson/osdocs-11968-hcp-proxy

[OSDOCS-11968]: Proxy docs for HCP

Author: lahinson

_topic_maps/_topic_map.yml

@@ -2573,6 +2573,8 @@ Topics:
   File: hcp-using-feature-gates
 - Name: Observability for hosted control planes
   File: hcp-observability
+- Name: Networking for hosted control planes
+  File: hcp-networking
 - Name: Troubleshooting hosted control planes
   File: hcp-troubleshooting
 - Name: Destroying a hosted cluster

hosted_control_planes/hcp-networking.adoc

@@ -0,0 +1,26 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="hcp-networking"]
+include::_attributes/common-attributes.adoc[]
+= Networking for {hcp}
+:context: hcp-networking
+
+toc::[]
+
+For standalone {product-title}, proxy support is mainly about ensuring that workloads in the cluster are configured to use the HTTP or HTTPS proxy to access external services, honoring the `NO_PROXY` setting if one is configured, and accepting any trust bundle that is configured for the proxy.
+
+For {hcp}, proxy support involves the following additional use cases.
+
+//cp workloads that need to use a proxy to access external services
+include::modules/hcp-proxy-cp-workloads.adoc[leveloffset=+1]
+//workers need a proxy to communicate with ignition endpoint
+include::modules/hcp-proxy-ignition.adoc[leveloffset=+1]
+//workers need proxy to communicate with cp
+include::modules/hcp-proxy-api.adoc[leveloffset=+1]
+//cp workloads that need access to external services and must use the proxy for the management cluster
+include::modules/hcp-proxy-mgmt-cluster.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* xref:../networking/enable-cluster-wide-proxy.adoc#enable-cluster-wide-proxy[Configuring the cluster-wide proxy]

modules/hcp-proxy-api.adoc

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-networking.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-proxy-api_{context}"]
+= Compute nodes that need to access the API server
+
+This use case is relevant to self-managed {hcp}, not to {product-rosa} with {hcp}.
+
+For communication with the control plane, {hcp} uses a local proxy in every compute node that listens on IP address 172.20.0.1 and forwards traffic to the API server. If an external proxy is required to access the API server, that local proxy needs to use the external proxy to send traffic out. When a proxy is not needed, {hcp} uses `haproxy` for the local proxy, which only forwards packets via TCP. When a proxy is needed, {hcp} uses a custom proxy, `control-plane-operator-kubernetes-default-proxy`, to send traffic through the external proxy.

modules/hcp-proxy-cp-workloads.adoc

@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-networking.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-proxy-cp-workloads_{context}"]
+= Control plane workloads that need to access external services
+
+Operators that run in the control plane need to access external services through the proxy that is configured for the hosted cluster. The proxy is usually accessible only through the data plane. The control plane workloads are as follows:
+
+* The Control Plane Operator needs to validate and obtain endpoints from certain identity providers when it creates the OAuth server configuration.
+
+* The OAuth server needs non-LDAP identity provider access.
+
+* The OpenShift API server handles image registry metadata import.
+
+* The Ingress Operator needs access to validate external canary routes.
+
+In a hosted cluster, you must send traffic that originates from the Control Plane Operator, Ingress Operator, OAuth server, and OpenShift API server pods through the data plane to the configured proxy and then to its final destination. 
+
+[NOTE]
+====
+Some operations are not possible when a hosted cluster is reduced to zero compute nodes; for example, when you import OpenShift image streams from a registry that requires proxy access.
+====

modules/hcp-proxy-ignition.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-networking.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-proxy-ignition_{context}"]
+= Compute nodes that need to access an ignition endpoint
+
+When compute nodes need a proxy to access the ignition endpoint, you must configure the proxy in the user-data stub that is configured on the compute node when it is created. For cases where machines need a proxy to access the ignition URL, the proxy configuration is included in the stub.
+
+The stub resembles the following example:
+
+[source,terminal]
+---
+{"ignition":{"config":{"merge":[{"httpHeaders":[{"name":"Authorization","value":"Bearer ..."},{"name":"TargetConfigVersionHash","value":"a4c1b0dd"}],"source":"https://ignition.controlplanehost.example.com/ignition","verification":{}}],"replace":{"verification":{}}},"proxy":{"httpProxy":"http://proxy.example.org:3128", "httpsProxy":"https://proxy.example.org:3129", "noProxy":"host.example.org"},"security":{"tls":{"certificateAuthorities":[{"source":"...","verification":{}}]}},"timeouts":{},"version":"3.2.0"},"passwd":{},"storage":{},"systemd":{}}
+---

modules/hcp-proxy-mgmt-cluster.adoc

@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * hosted_control_planes/hcp-networking.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="hcp-proxy-mgmt-cluster_{context}"]
+= Management clusters that need external access
+
+The HyperShift Operator has a controller that monitors the OpenShift global proxy configuration of the management cluster and sets the proxy environment variables on its own deployment. Control plane deployments that need external access are configured with the proxy environment variables of the management cluster.

networking/enable-cluster-wide-proxy.adoc

@@ -75,4 +75,4 @@ include::modules/nw-verify-proxy-configuration.adoc[leveloffset=+1]
 * xref:../networking/configuring-cluster-network-range.adoc#configuring-cluster-network-range[Configuring the cluster network range]
 * xref:../security/certificates/updating-ca-bundle.adoc#ca-bundle-understanding_updating-ca-bundle[Understanding the CA Bundle certificate]
 * xref:../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificates]
-* link:https://access.redhat.com/solutions/7065528[How is the cluster-wide proxy setting applied to {product-title} nodes?]
+* link:https://access.redhat.com/solutions/7065528[How is the cluster-wide proxy setting applied to {product-title} nodes?]