OSDOCS-11830 Split Networking content for ROSA with HCP

Author: laubai

_topic_maps/_topic_map_rosa_hcp.yml

@@ -1012,6 +1012,84 @@ Topics:
 #  - Name: Advanced OADP features and functionalities
 #    File: oadp-advanced-topics
 ---
+Name: Networking
+Dir: networking
+Distros: openshift-rosa-hcp
+Topics:
+- Name: About networking
+  File: about-managed-networking
+- Name: Networking Operators
+  Dir: networking_operators
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: AWS Load Balancer Operator
+    File: aws-load-balancer-operator
+  - Name: DNS Operator in Red Hat OpenShift Service on AWS
+    File: dns-operator
+# TODO OSDOCS-11830: Unable to locate in OperatorHub for ROSA with HCP cluster
+#  - Name: Ingress Operator in Red Hat OpenShift Service on AWS
+#    File: ingress-operator
+  - Name: Ingress Node Firewall Operator in Red Hat OpenShift Service on AWS
+    File: ingress-node-firewall-operator
+- Name: Network verification
+  File: network-verification
+- Name: Configuring a cluster-wide proxy during installation
+  File: configuring-cluster-wide-proxy
+- Name: CIDR range definitions
+  File: cidr-range-definitions
+- Name: Network security
+  Dir: network_security
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  # Included for OSDOCS-13465
+  - Name: Audit logging for network security
+    File: logging-network-security
+- Name: Configuring the primary cluster network
+  Dir: ovn_kubernetes_network_provider
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: About the OVN-Kubernetes network plugin
+    File: about-ovn-kubernetes
+  - Name: Configuring an egress IP address
+    File: configuring-egress-ips-ovn
+# OpenShift SDN not supported for HCP
+- Name: Configuring Routes
+  Dir: routes
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Route configuration
+    File: route-configuration
+  - Name: Secured routes
+    File: secured-routes
+---
 Name: Nodes
 Dir: nodes
 Distros: openshift-rosa-hcp

cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc

@@ -20,18 +20,10 @@ toc::[]
 
 include::snippets/mobb-support-statement.adoc[leveloffset=+1]
 
-ifndef::openshift-rosa-hcp[]
 [TIP]
 ====
 Load Balancers created by the AWS Load Balancer Operator cannot be used for xref:../networking/routes/route-configuration.adoc#route-configuration[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
 ====
-endif::openshift-rosa-hcp[]
-ifdef::openshift-rosa-hcp[]
-[TIP]
-====
-Load Balancers created by the AWS Load Balancer Operator cannot be used for link:https://docs.openshift.com/rosa/networking/routes/route-configuration.html[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
-====
-endif::openshift-rosa-hcp[]
 
 The link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/[AWS Load Balancer Controller] manages AWS Elastic Load Balancers for a {product-title} (ROSA) cluster. The controller provisions link:https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html[AWS Application Load Balancers (ALB)] when you create Kubernetes Ingress resources and link:https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html[AWS Network Load Balancers (NLB)] when implementing Kubernetes Service resources with a type of LoadBalancer.
 
@@ -54,11 +46,12 @@ AWS ALBs require a multi-AZ cluster, as well as three public subnets split acros
 
 ifndef::openshift-rosa-hcp[]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[A multi-AZ ROSA classic cluster]
+* BYO VPC cluster
+//Moved inside ifndef since this is always true for HCP clusters
 endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa-hcp[]
-* link:https://docs.openshift.com/rosa-hcp/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.html[A multi-AZ ROSA cluster]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[A multi-AZ {hcp-title} cluster]
 endif::openshift-rosa-hcp[]
-* BYO VPC cluster
 * AWS CLI
 * OC CLI
 
@@ -123,6 +116,7 @@ $ aws ec2 create-tags \
      --tags Key=kubernetes.io/role/internal-elb,Value='' \
      --region ${REGION}
 ----
+//subnets are tagged already after rosa create network
 
 [id="installation_{context}"]
 == Installation
@@ -355,6 +349,8 @@ $ curl "http://${INGRESS}"
 ----
 Hello OpenShift!
 ----
+//TODO OSDOCS-11830: Couldn't get either of these validation checks to work, Andy R indicated that the related error seems to be that user is not authorized to do operation elasticloadbalancing:AddTags because "no identity based policy allows elasticloadbalancing:AddTags" however the linked policy does seem to allow that as far as I can tell: https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
+// That said, I'm not sure we should be getting our example policy from the rh-mobb repo
 
 . Deploy an AWS NLB for your hello world application:
 +

modules/albo-installation.adoc

@@ -21,6 +21,7 @@ $ oc new-project aws-load-balancer-operator
 You can find the AWS IAM policy from link:https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json[the upstream AWS Load Balancer Controller policy]. This policy includes all of the permissions you needed by the Operator to function.
 ====
 +
+// TODO OSDOCS-11830 This policy looks like we can add tags but the deployment still complains of having no identity based policy that allows it
 [source,terminal]
 ----
 $ POLICY_ARN=$(aws iam list-policies --query \
@@ -36,7 +37,7 @@ $ if [[ -z "${POLICY_ARN}" ]]; then
 fi
 $ echo $POLICY_ARN
 ----
-+
+
 . Create an AWS IAM trust policy for AWS Load Balancer Operator:
 +
 [source,terminal]
@@ -61,20 +62,20 @@ $ cat <<EOF > "${SCRATCH}/trust-policy.json"
 }
 EOF
 ----
-+
+
 . Create an AWS IAM role for the AWS Load Balancer Operator:
 +
 [source,terminal]
 ----
-$ ROLE_ARN=$(aws iam create-role --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-alb-operator" \
    --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
    --query Role.Arn --output text)
 $ echo $ROLE_ARN
 
-$ aws iam attach-role-policy --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+$ aws iam attach-role-policy --role-name "${CLUSTER_NAME}-alb-operator" \
      --policy-arn $POLICY_ARN
 ----
-+
+
 . Create a secret for the AWS Load Balancer Operator to assume our newly created AWS IAM role:
 +
 [source,terminal]
@@ -92,7 +93,7 @@ stringData:
     web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 EOF
 ----
-+
+
 . Install the AWS Load Balancer Operator:
 +
 [source,terminal]
@@ -120,7 +121,7 @@ spec:
   startingCSV: aws-load-balancer-operator.v1.0.0
 EOF
 ----
-+
+
 . Deploy an instance of the AWS Load Balancer Controller using the Operator:
 +
 [NOTE]
@@ -140,16 +141,17 @@ spec:
     name: aws-load-balancer-operator
 EOF
 ----
-+
+
 . Check the that the Operator and controller pods are both running:
 +
 [source,terminal]
 ----
 $ oc -n aws-load-balancer-operator get pods
 ----
 +
-You should see the following, if not wait a moment and retry:
+If you do not see output similar to the following, wait a few moments and retry.
 +
+.Example output
 [source,terminal]
 ----
 NAME                                                             READY   STATUS    RESTARTS   AGE
@@ -166,14 +168,15 @@ aws-load-balancer-operator-controller-manager-577d9ffcb9-w6zqn   2/2     Running
 ----
 $ oc new-project hello-world
 ----
-+
+
 . Deploy a hello world application:
 +
 [source,terminal]
 ----
 $ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
 ----
-+
+// TODO OSDOCS-11830 At this point "oc status" shows me a URL that I can curl to get "Hello OpenShift!"
+
 . Configure a NodePort service for the AWS ALB to connect to:
 +
 [source,terminal]
@@ -194,7 +197,7 @@ spec:
     deployment: hello-openshift
 EOF
 ----
-+
+
 . Deploy an AWS ALB using the AWS Load Balancer Operator:
 +
 [source,terminal]
@@ -221,7 +224,8 @@ spec:
                   number: 80
 EOF
 ----
-+
+
+// TODO OSDOCS_11830 At this point I can see the ingress has been created but there is no LB in the status block, just an empty loadBalancer array - nothing after this point works as indicated for HCP
 . Curl the AWS ALB Ingress endpoint to verify the hello world application is accessible:
 +
 [NOTE]

modules/aws-installing-an-aws-load-balancer-operator.adoc

@@ -15,7 +15,9 @@ You can install an AWS Load Balancer Operator and an AWS Load Balancer Controlle
 * You have access to modify the VPC and subnets of the created ROSA cluster.
 * You have installed the ROSA CLI (`rosa`).
 * You have installed the Amazon Web Services (AWS) CLI.
+ifndef::openshift-rosa-hcp[]
 * You are using {product-title} 4.13 or later.
+endif::openshift-rosa-hcp[]
 
 [IMPORTANT]
 ====
@@ -55,7 +57,7 @@ or
 $ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}"
 ----
 +
-.. Locate the OIDC Amazon Resource Name (ARN) information on the AWS Web Console by navigating to *IAM*  *Access management* *Identity providers*. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`. 
+.. Locate the OIDC Amazon Resource Name (ARN) information on the AWS Web Console by navigating to *IAM*  *Access management*  *Identity providers*. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`. 
 +
 .. Save the output from the commands. You will use this information in future steps within this procedure.
 
@@ -81,7 +83,7 @@ $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}" <1>
 ----
 <1> Replace `{AWS_AccountNo}` with your AWS account number and `{Cluster_OIDC_Endpoint}` with the OIDC DNS identified earlier in this procedure.
 +
-.. Verify that the trsut policy was assigned to the AWS IAM role.
+.. Verify that the trust policy was assigned to the AWS IAM role.
 +
 .Example output
 [source,terminal,subs="quotes,verbatim"]
@@ -159,7 +161,15 @@ $ aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-a
 [source,terminal]
 ----
 $ IDP='{Cluster_OIDC_Endpoint}'
+----
++
+[source,terminal]
+----
 $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}"
+----
++
+[source,terminal]
+----
 $ cat <<EOF > albo-controller-trusted-policy.json
 {
     "Version": "2012-10-17",
@@ -236,6 +246,7 @@ Internet-facing and internal load balancers will be created within the AWS Avail
 ====
 ELBv2 resources (such as ALBs and NLBs) created by AWS Load Balancer Operator do not inherit custom tags set for ROSA clusters. You must set tags separately for these resources.
 ====
+// TODO OSDOCS-11830: Is the above still true?
 
 . Create the AWS Load Balancer Operator by completing the following steps:
 +

modules/cluster-wide-proxy-preqs.adoc

@@ -21,7 +21,7 @@ ifdef::openshift-dedicated[]
 * You have an existing Virtual Private Cloud (VPC) for your cluster.
 * You are using the Customer Cloud Subscription (CCS) model for your cluster.
 endif::openshift-dedicated[]
-* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy is also accessible from the VPC for the cluster and from the private subnets of the VPC.
+* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy must also be accessible from the VPC for the cluster and from the private subnets of the VPC.
 * You have added the following endpoints to your VPC endpoint:
 ** `ec2.<aws_region>.amazonaws.com`
 ** `elasticloadbalancing.<aws_region>.amazonaws.com`

modules/mos-aws-load-balancer-operator-install.adoc

@@ -0,0 +1,60 @@
+
+:_mod-docs-content-type: PROCEDURE
+[id="mos-aws-load-balancer-operator-install_{context}"]
+= Installing AWS Load Balancer Operator
+
+// TODO OSDOCS-11830 until this is validated
+[WARNING]
+====
+The instructions in this section have not yet been validated against all supported environments. Do not use these instructions for production environments.
+====
+
+//Replaces Creating an IAM role for the ALB Operator and Creating an IAM role for the ALB Controller using the ccoctl tool
+
+
+
+
+// TODO OSDOCS-11830 Create IAM role for ALBO without ccoctl
+// Verify tutorial method here: https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/tutorials/cloud-experts-aws-load-balancer-operator
+// Know your variables: rosa cluster name, region, OIDC endpoint, AWS account ID, VPC ID, public subnet ID/s, private subnet ID/s
+// Tag VPC with kubernetes.io/cluster/<cluster-id>:owned - is this necessary or just useful?
+// Tag private subnets with internal-elb, tag public subnets with elb - these appear to be done automatically when creating a VPC with rosa create network
+//Hidden prereq? need to create VPC and cluster across multiple regions
+
+
+
+//= Configuring AWS Load Balancer Operator for Managed OpenShift clusters
+
+//. Gather the following information for your cluster:
+//** Cluster infrastructure ID
+//** OIDC Endpoint URL
+//** OIDC Provider ARN
+
+//(The following is what you are doing with ccoctl, without being in your project or logged on to your console)
+// remote resources for credential requests:
+//Operator: https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
+//Controller: https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
+
+//. Create the required IAM policy for the ALB Operator
+//.. Log in to the cluster as a user with the dedicated-admin role.
+//.. Create a new project named aws-load-balancer-operator (required name or any name?)
+//.. Create the trust policy for the ALBO, using the OIDC Endpoint URL and the OIDC Provider ARN for your cluster.
+//.. Create a new albo-operator role and assign it the ALBO trust policy.
+//.. Attach the https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/release-1.1/hack/operator-permission-policy.json permission policy to the new role
+//. Create the required IAM policy for the ALB Controller
+//.. (very similar steps to above)
+// (The above is all that you are doing with ccoctl, without being in your project or logged on to your openshift console at all?)
+
+//. HCP: Add tags to ensure discovery?
+//. Create the OperatorGroup - why
+//. Create the Subscription - why
+//. Create the ALB Controller - why
+
+// Installing file networking/networking_operators/modules/aws-installing-an-aws-load-balancer-operator.adoc covers:
+// Create a new project for the operator
+// Create the trust policy for the operator
+// Create a role using the trust policy for the operator
+// Assign the policy to the operator role?
+// Create a trust policy for the controller
+// Create a role based on the controller trust policy
+// Assign the policy to the controller role?

modules/rosa-create-objects.adoc

@@ -889,7 +889,7 @@ $ rosa create network [flags]
 |Option |Definition
 
 |<template-name>
-|Allows you to use a custom template. Templates must be in the template folder, structured as `templates/<template-name>/cloudformation.yaml`. If no template name is provided, the command uses the default template. For binary builds, this template directory must be referenced manually after it is downloaded.
+|Allows you to use a custom template. Templates must be in the template folder, structured as `templates/<templat// TODO This section could be more useful about the parametere-name>/cloudformation.yaml`. If no template name is provided, the command uses the default template. For binary builds, this template directory must be referenced manually after it is downloaded.
 
 |===
 
@@ -915,6 +915,7 @@ include::https://raw.githubusercontent.com/openshift/rosa/refs/heads/master/cmd/
 
 |--param <various>
 |Available parameters depend on the template. Use `--help` when in the template directory to find available parameters.
+// TODO OSDOCS-11830 Suggest adding more parameters here, at least some related to setting up multiple AZs
 
 |--mode=manual
 |Provides AWS commands to create the network stack.