Merge pull request #83499 from fmcdonal/OSDOCS-12307

EricPonvelle · web-flow · commit 406c4b015b6e · 2024-10-17T10:24:40.000-04:00
OSDOCS-12307: CA Parameters Image registry config to customers
diff --git a/modules/images-configuration-image-registry-settings-hcp.adoc b/modules/images-configuration-image-registry-settings-hcp.adoc
@@ -96,17 +96,25 @@ Audit Log Forwarding:       Disabled
 External Authentication:    Disabled
 Etcd Encryption:            Disabled
 Registry Configuration:
- - Allowed Registries:     <allowed_registry> <1>
- - Insecure Registries:    <insecure_registry> <2>
- - Allowed Registries for Import: <3>
-    - Domain Name:          <domain_name> <4>
-    - Insecure:             true <5>
+ - Allowed Registries: <allowed_registry> <1> <2>
+ - Insecure Registries: <insecure_registry> <3>
+ - Allowed Registries for Import: <4>
+    - Domain Name: <domain_name> <5>
+    - Insecure: true <6>
+ - Platform Allowlist: <platform_allowlist_id> <7>
+    - Registries:      <list_of_registries> <8>
+ - Additional Trusted CA: <9>
+    - <registry_name> : REDACTED
 ----
 <1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
-<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
-<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
-<4> `domainName`: Specifies a domain name for the registry.
-<5> `insecure`: Indicates whether the registry is secure or insecure.
+<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
+<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
+<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
+<5> `domainName`: Specifies a domain name for the registry.
+<6> `insecure`: Indicates whether the registry is secure or insecure.
+<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
+<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
+<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
 
 . List your nodes to check the applied changes by running the following command:
 +
diff --git a/modules/images-configuration-parameters-hcp.adoc b/modules/images-configuration-parameters-hcp.adoc
@@ -32,9 +32,6 @@ Parameters such as `DisableScheduledImport`, `MaxImagesBulkImportedPerRepository
 |`registry-config-additional-trusted-ca`
 |A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
 
-|`registry-config-platform-allowlist`
-|A list of Red{nbsp}Hat registries is automatically allowed. This list can be periodically updated and impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID.
-
 |===
 
 [WARNING]
diff --git a/modules/images-editing-image-registry-settings-hcp.adoc b/modules/images-editing-image-registry-settings-hcp.adoc
@@ -104,14 +104,22 @@ Audit Log Forwarding:       Disabled
 External Authentication:    Disabled
 Etcd Encryption:            Disabled
 Registry Configuration:
- - Allowed Registries:      <allowed_registry> <1>
- - Insecure Registries:     <insecure_registry> <2>
- - Allowed Registries for Import: <3>
-    - Domain Name:          <domain_name> <4>
-    - Insecure:             true <5>
+ - Allowed Registries: <allowed_registry> <1> <2>
+ - Insecure Registries: <insecure_registry> <3>
+ - Allowed Registries for Import: <4>
+    - Domain Name: <domain_name> <5>
+    - Insecure: true <6>
+ - Platform Allowlist: <platform_allowlist_id> <7>
+    - Registries:      <list_of_registries> <8>
+ - Additional Trusted CA: <9>
+    - <registry_name> : REDACTED
 ----
 <1> `Allowed Registries`: A comma-separated list of registries for which image pull and push actions are allowed.
-<2> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
-<3> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
-<4> `domainName`: Specifies a domain name for the registry.
-<5> `insecure`: Indicates whether the registry is secure or insecure.
+<2> `Blocked Registries`: A comma-separated list of registries for which image pull and push actions are blocked. Parameters `allowedRegistries`, `blockedRegistries` are mutually exclusive.
+<3> `Insecure Registries`: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
+<4> `Allowed Registries for Import`: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of `domainName:insecure`.
+<5> `domainName`: Specifies a domain name for the registry.
+<6> `insecure`: Indicates whether the registry is secure or insecure.
+<7> `Platform Allowlist`: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
+<8> `Registries`: The list of registries that needs to be whitelisted for the platform to work.
+<9> `Additional Trusted CA`: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
diff --git a/modules/images-updating-platform-allowlist-hcp.adoc b/modules/images-updating-platform-allowlist-hcp.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration-hcp.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="images-updating-platform-allowlist-hcp_{context}"]
+= Updating platform allowlist for {hcp-title}
+
+A list of Red Hat registries is automatically allowed and it is visible when running rosa describe cluster. This list can be periodically updated to ensure platform can be operated correctly. Impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID. Update or edit the image registry for the cluster by running the following command:
+
+[source,terminal]
+----
+$ rosa edit cluster --registry-config-platform-allowlist <newID>
+----
diff --git a/openshift_images/image-configuration-hcp.adoc b/openshift_images/image-configuration-hcp.adoc
@@ -17,6 +17,8 @@ include::modules/images-configuration-image-registry-settings-hcp.adoc[leveloffs
 
 include::modules/images-editing-image-registry-settings-hcp.adoc[leveloffset=+1]
 
+include::modules/images-updating-platform-allowlist-hcp.adoc[leveloffset=+2]
+
 ifndef::openshift-rosa,openshift-dedicated,openshift-rosa-hcp[]
 [role="_additional-resources"]
 .Additional resources
