Merge pull request #77936 from EricPonvelle/OSDOCS-10250_Additional-Principals

OSDOCS#10250: Added information around additional principals

Author: EricPonvelle

images/AWS_cross_account_access.png

@@ -0,0 +1,82 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
+
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-additional-principals-create_{context}"]
+= Adding additional principals while creating your {hcp-title} cluster
+
+Use the `--additional-allowed-principals` argument to permit access through other roles.
+
+.Procedure
+
+. Add the `--additional-allowed-principals` argument to the `rosa create cluster` command, similar to the following:
++
+[source,terminal]
+----
+$ rosa create cluster [...] --additional-allowed-principals <arn_string>
+----
++
+You can use `arn:aws:iam::account_id:role/role_name` to approve a specific role.
+
+. When the cluster creation command runs, you receive a summary of your cluster with the `--additional-allowed-principals` specified:
++
+.Example output
++
+[source,terminal]
+----
+Name:                       mycluster
+Domain Prefix:              mycluster
+Display Name:               mycluster
+ID:                         <cluster-id>
+External ID:                <cluster-id>
+Control Plane:              ROSA Service Hosted
+OpenShift Version:          4.15.17
+Channel Group:              stable
+DNS:                        Not ready
+AWS Account:                <aws_id>
+AWS Billing Account:        <aws_id>
+API URL:
+Console URL:
+Region:                     us-east-2
+Availability:
+ - Control Plane:           MultiAZ
+ - Data Plane:              SingleAZ
+
+Nodes:
+ - Compute (desired):       2
+ - Compute (current):       0
+Network:
+ - Type:                    OVNKubernetes
+ - Service CIDR:            172.30.0.0/16
+ - Machine CIDR:            10.0.0.0/16
+ - Pod CIDR:                10.128.0.0/14
+ - Host Prefix:             /23
+ - Subnets:                 subnet-453e99d40, subnet-666847ce827
+EC2 Metadata Http Tokens:   optional
+Role (STS) ARN:             arn:aws:iam::<aws_id>:role/mycluster-HCP-ROSA-Installer-Role
+Support Role ARN:           arn:aws:iam::<aws_id>:role/mycluster-HCP-ROSA-Support-Role
+Instance IAM Roles:
+ - Worker:                  arn:aws:iam::<aws_id>:role/mycluster-HCP-ROSA-Worker-Role
+Operator IAM Roles:
+ - arn:aws:iam::<aws_id>:role/mycluster-kube-system-control-plane-operator
+ - arn:aws:iam::<aws_id>:role/mycluster-openshift-cloud-network-config-controller-cloud-creden
+ - arn:aws:iam::<aws_id>:role/mycluster-openshift-image-registry-installer-cloud-credentials
+ - arn:aws:iam::<aws_id>:role/mycluster-openshift-ingress-operator-cloud-credentials
+ - arn:aws:iam::<aws_id>:role/mycluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
+ - arn:aws:iam::<aws_id>:role/mycluster-kube-system-kms-provider
+ - arn:aws:iam::<aws_id>:role/mycluster-kube-system-kube-controller-manager
+ - arn:aws:iam::<aws_id>:role/mycluster-kube-system-capa-controller-manager
+Managed Policies:           Yes
+State:                      waiting (Waiting for user action)
+Private:                    No
+Delete Protection:          Disabled
+Created:                    Jun 25 2024 13:36:37 UTC
+User Workload Monitoring:   Enabled
+Details Page:               https://console.redhat.com/openshift/details/s/Bvbok4O79q1Vg8
+OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/vhufi5lap6vbl3jlq20e (Managed)
+Audit Log Forwarding:       Disabled
+External Authentication:    Disabled
+Additional Principals:      arn:aws:iam::<aws_id>:role/additional-user-role
+----

modules/rosa-additional-principals-create.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
+
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-additional-principals-edit_{context}"]
+= Adding additional principals to your existing {hcp-title} cluster
+
+You can add additional principals to your cluster by using the command line interface (CLI).
+
+.Procedure
+
+* Run the following command to edit your cluster and add an additional principal who can access this cluster's endpoint:
++
+[source,terminal]
+----
+$ rosa edit cluster -c <cluster_name> --additional-allowed-principals <arn_string>
+----
++
+You can use `arn:aws:iam::account_id:role/role_name` to approve a specific role.

modules/rosa-additional-principals-edit.adoc

@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="rosa-additional-principals-overview_{context}"]
+= Additional principals on your {hcp-title} cluster
+
+You can allow AWS Identity and Access Management (IAM) roles as additional principals to connect to your cluster's private API server endpoint.
+
+You can access your {hcp-title} cluster's API Server endpoint from either the public internet or the interface endpoint that was created within the VPC private subnets. By default, you can privately access your {hcp-title} API Server by using the `-kube-system-kube-controller-manager` Operator role. To be able to access ROSA with HCP API server from another account directly without using the primary account where cluster is installed, you must include cross-account IAM roles as additional principals. This feature allows you to simplify your network architecture and reduce data transfer costs by avoiding peering or attaching cross-account VPCs to cluster's VPC.
+
+image::AWS_cross_account_access.png[Overview of AWS cross account access]
+
+In this diagram, the cluster creating account is designated as Account A. This account designates that another account, Account B, should have access to the API server.
+
+[NOTE]
+====
+After you have configured additional allowed principals, you must create the interface VPC endpoint in the VPC from where you want to access the cross-account {hcp-title} API server. Then, create a private hosted zone in Route53 to route calls made to cross-account {hcp-title} API server to pass through the created VPC endpoint.
+====

modules/rosa-additional-principals-overview.adoc

@@ -192,6 +192,9 @@ $ rosa create cluster --cluster-name=<cluster_name> [arguments]
 |--additional-control-plane-security-group-ids <sec_group_id>
 |The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements for _Security groups_ under _Additional resources_.
 
+|--additional-allowed-principals <arn>
+|A comma-separated list of additional allowed principal ARNs to be added to the hosted control plane's VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted.
+
 a|--cluster-name <cluster_name>
 |Required. The name of the cluster. When used with the `create cluster` command, this argument is used to set the cluster name and can hold up to 54 characters. The value for this argument must be unique within your organization.
 

modules/rosa-create-objects.adoc

@@ -25,6 +25,9 @@ $ rosa edit cluster --cluster=<cluster_name> | <cluster_id> [arguments]
 |===
 |Option |Definition
 
+|--additional-allowed-principals <arn>
+|A comma-separated list of additional allowed principal ARNs to be added to the Hosted Control Plane's VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted.
+
 |--cluster
 |Required: The name or ID (string) of the cluster to edit.
 

modules/rosa-edit-objects.adoc

@@ -12,6 +12,9 @@ This document describes how to create a {hcp-title-first} private cluster.
 //include::modules/osd-aws-privatelink-required-resources.adoc[leveloffset=+1]
 include::modules/rosa-hcp-aws-private-create-cluster.adoc[leveloffset=+1]
 include::modules/rosa-hcp-aws-private-security-groups.adoc[leveloffset=+1]
+include::modules/rosa-additional-principals-overview.adoc[leveloffset=+1]
+include::modules/rosa-additional-principals-create.adoc[leveloffset=+2]
+include::modules/rosa-additional-principals-edit.adoc[leveloffset=+2]
 
 [id="next-steps_rosa-hcp-aws-private-creating-cluster"]
 == Next steps