OSDOCS-11830 Split Networking content for ROSA with HCP

Author: laubai

_topic_maps/_topic_map_rosa_hcp.yml

@@ -1012,6 +1012,84 @@ Topics:
 #  - Name: Advanced OADP features and functionalities
 #    File: oadp-advanced-topics
 ---
+Name: Networking
+Dir: networking
+Distros: openshift-rosa-hcp
+Topics:
+- Name: About networking
+  File: about-managed-networking
+- Name: Networking Operators
+  Dir: networking_operators
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: AWS Load Balancer Operator
+    File: aws-load-balancer-operator
+  - Name: DNS Operator in Red Hat OpenShift Service on AWS
+    File: dns-operator
+# TODO OSDOCS-11830: Unable to locate in OperatorHub for ROSA with HCP cluster
+#  - Name: Ingress Operator in Red Hat OpenShift Service on AWS
+#    File: ingress-operator
+  - Name: Ingress Node Firewall Operator in Red Hat OpenShift Service on AWS
+    File: ingress-node-firewall-operator
+- Name: Network verification
+  File: network-verification
+- Name: Configuring a cluster-wide proxy during installation
+  File: configuring-cluster-wide-proxy
+- Name: CIDR range definitions
+  File: cidr-range-definitions
+- Name: Network security
+  Dir: network_security
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  # Included for OSDOCS-13465
+  - Name: Audit logging for network security
+    File: logging-network-security
+- Name: Configuring the primary cluster network
+  Dir: ovn_kubernetes_network_provider
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: About the OVN-Kubernetes network plugin
+    File: about-ovn-kubernetes
+  - Name: Configuring an egress IP address
+    File: configuring-egress-ips-ovn
+# OpenShift SDN not supported for HCP
+- Name: Configuring Routes
+  Dir: routes
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Route configuration
+    File: route-configuration
+  - Name: Secured routes
+    File: secured-routes
+---
 Name: Nodes
 Dir: nodes
 Distros: openshift-rosa-hcp

cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc

@@ -20,18 +20,10 @@ toc::[]
 
 include::snippets/mobb-support-statement.adoc[leveloffset=+1]
 
-ifndef::openshift-rosa-hcp[]
 [TIP]
 ====
 Load Balancers created by the AWS Load Balancer Operator cannot be used for xref:../networking/routes/route-configuration.adoc#route-configuration[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
 ====
-endif::openshift-rosa-hcp[]
-ifdef::openshift-rosa-hcp[]
-[TIP]
-====
-Load Balancers created by the AWS Load Balancer Operator cannot be used for link:https://docs.openshift.com/rosa/networking/routes/route-configuration.html[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
-====
-endif::openshift-rosa-hcp[]
 
 The link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/[AWS Load Balancer Controller] manages AWS Elastic Load Balancers for a {product-title} (ROSA) cluster. The controller provisions link:https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html[AWS Application Load Balancers (ALB)] when you create Kubernetes Ingress resources and link:https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html[AWS Network Load Balancers (NLB)] when implementing Kubernetes Service resources with a type of LoadBalancer.
 
@@ -54,11 +46,12 @@ AWS ALBs require a multi-AZ cluster, as well as three public subnets split acros
 
 ifndef::openshift-rosa-hcp[]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[A multi-AZ ROSA classic cluster]
+* BYO VPC cluster
+//Moved inside ifndef since this is always true for HCP clusters
 endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa-hcp[]
-* link:https://docs.openshift.com/rosa-hcp/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.html[A multi-AZ ROSA cluster]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[A multi-AZ {hcp-title} cluster]
 endif::openshift-rosa-hcp[]
-* BYO VPC cluster
 * AWS CLI
 * OC CLI
 
@@ -123,6 +116,7 @@ $ aws ec2 create-tags \
      --tags Key=kubernetes.io/role/internal-elb,Value='' \
      --region ${REGION}
 ----
+//subnets are tagged already after rosa create network
 
 [id="installation_{context}"]
 == Installation
@@ -355,6 +349,8 @@ $ curl "http://${INGRESS}"
 ----
 Hello OpenShift!
 ----
+//TODO OSDOCS-11830: Couldn't get either of these validation checks to work, Andy R indicated that the related error seems to be that user is not authorized to do operation elasticloadbalancing:AddTags because "no identity based policy allows elasticloadbalancing:AddTags" however the linked policy does seem to allow that as far as I can tell: https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
+// That said, I'm not sure we should be getting our example policy from the rh-mobb repo
 
 . Deploy an AWS NLB for your hello world application:
 +

modules/albo-installation.adoc

@@ -21,6 +21,7 @@ $ oc new-project aws-load-balancer-operator
 You can find the AWS IAM policy from link:https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json[the upstream AWS Load Balancer Controller policy]. This policy includes all of the permissions you needed by the Operator to function.
 ====
 +
+// TODO OSDOCS-11830 This policy looks like we can add tags but the deployment still complains of having no identity based policy that allows it
 [source,terminal]
 ----
 $ POLICY_ARN=$(aws iam list-policies --query \
@@ -66,12 +67,12 @@ EOF
 +
 [source,terminal]
 ----
-$ ROLE_ARN=$(aws iam create-role --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-alb-operator" \
    --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
    --query Role.Arn --output text)
 $ echo $ROLE_ARN
 
-$ aws iam attach-role-policy --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+$ aws iam attach-role-policy --role-name "${CLUSTER_NAME}-alb-operator" \
      --policy-arn $POLICY_ARN
 ----
 +
@@ -173,6 +174,7 @@ $ oc new-project hello-world
 ----
 $ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
 ----
+// TODO OSDOCS-11830 At this point "oc status" shows me a URL that I can curl to get "Hello OpenShift!"
 +
 . Configure a NodePort service for the AWS ALB to connect to:
 +

modules/aws-installing-an-aws-load-balancer-operator.adoc

@@ -15,7 +15,9 @@ You can install an AWS Load Balancer Operator and an AWS Load Balancer Controlle
 * You have access to modify the VPC and subnets of the created ROSA cluster.
 * You have installed the ROSA CLI (`rosa`).
 * You have installed the Amazon Web Services (AWS) CLI.
+ifndef::openshift-rosa-hcp[]
 * You are using {product-title} 4.13 or later.
+endif::openshift-rosa-hcp[]
 
 [IMPORTANT]
 ====
@@ -55,7 +57,7 @@ or
 $ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}"
 ----
 +
-.. Locate the OIDC Amazon Resource Name (ARN) information on the AWS Web Console by navigating to *IAM*  *Access management* *Identity providers*. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`. 
+.. Locate the OIDC Amazon Resource Name (ARN) information on the AWS Web Console by navigating to *IAM*  *Access management*  *Identity providers*. An OIDC ARN example is `arn:aws:iam::777777777777:oidc-provider/<oidc_dns_url>`. 
 +
 .. Save the output from the commands. You will use this information in future steps within this procedure.
 
@@ -81,7 +83,7 @@ $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}" <1>
 ----
 <1> Replace `{AWS_AccountNo}` with your AWS account number and `{Cluster_OIDC_Endpoint}` with the OIDC DNS identified earlier in this procedure.
 +
-.. Verify that the trsut policy was assigned to the AWS IAM role.
+.. Verify that the trust policy was assigned to the AWS IAM role.
 +
 .Example output
 [source,terminal,subs="quotes,verbatim"]
@@ -159,7 +161,15 @@ $ aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-a
 [source,terminal]
 ----
 $ IDP='{Cluster_OIDC_Endpoint}'
+----
++
+[source,terminal]
+----
 $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}"
+----
++
+[source,terminal]
+----
 $ cat <<EOF > albo-controller-trusted-policy.json
 {
     "Version": "2012-10-17",
@@ -236,6 +246,7 @@ Internet-facing and internal load balancers will be created within the AWS Avail
 ====
 ELBv2 resources (such as ALBs and NLBs) created by AWS Load Balancer Operator do not inherit custom tags set for ROSA clusters. You must set tags separately for these resources.
 ====
+// TODO OSDOCS-11830: Is the above still true?
 
 . Create the AWS Load Balancer Operator by completing the following steps:
 +

modules/cluster-wide-proxy-preqs.adoc

@@ -21,7 +21,7 @@ ifdef::openshift-dedicated[]
 * You have an existing Virtual Private Cloud (VPC) for your cluster.
 * You are using the Customer Cloud Subscription (CCS) model for your cluster.
 endif::openshift-dedicated[]
-* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy is also accessible from the VPC for the cluster and from the private subnets of the VPC.
+* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy must also be accessible from the VPC for the cluster and from the private subnets of the VPC.
 * You have added the following endpoints to your VPC endpoint:
 ** `ec2.<aws_region>.amazonaws.com`
 ** `elasticloadbalancing.<aws_region>.amazonaws.com`

modules/mos-aws-load-balancer-operator-install.adoc

@@ -0,0 +1,60 @@
+
+:_mod-docs-content-type: PROCEDURE
+[id="mos-aws-load-balancer-operator-install_{context}"]
+= Installing AWS Load Balancer Operator
+
+// TODO OSDOCS-11830 until this is validated
+[WARNING]
+====
+The instructions in this section have not yet been validated against all supported environments. Do not use these instructions for production environments.
+====
+
+//Replaces Creating an IAM role for the ALB Operator and Creating an IAM role for the ALB Controller using the ccoctl tool
+
+
+
+
+// TODO OSDOCS-11830 Create IAM role for ALBO without ccoctl
+// Verify tutorial method here: https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/tutorials/cloud-experts-aws-load-balancer-operator
+// Know your variables: rosa cluster name, region, OIDC endpoint, AWS account ID, VPC ID, public subnet ID/s, private subnet ID/s
+// Tag VPC with kubernetes.io/cluster/<cluster-id>:owned - is this necessary or just useful?
+// Tag private subnets with internal-elb, tag public subnets with elb - these appear to be done automatically when creating a VPC with rosa create network
+//Hidden prereq? need to create VPC and cluster across multiple regions
+
+
+
+//= Configuring AWS Load Balancer Operator for Managed OpenShift clusters
+
+//. Gather the following information for your cluster:
+//** Cluster infrastructure ID
+//** OIDC Endpoint URL
+//** OIDC Provider ARN
+
+//(The following is what you are doing with ccoctl, without being in your project or logged on to your console)
+// remote resources for credential requests:
+//Operator: https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
+//Controller: https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/main/hack/controller/controller-credentials-request.yaml
+
+//. Create the required IAM policy for the ALB Operator
+//.. Log in to the cluster as a user with the dedicated-admin role.
+//.. Create a new project named aws-load-balancer-operator (required name or any name?)
+//.. Create the trust policy for the ALBO, using the OIDC Endpoint URL and the OIDC Provider ARN for your cluster.
+//.. Create a new albo-operator role and assign it the ALBO trust policy.
+//.. Attach the https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/release-1.1/hack/operator-permission-policy.json permission policy to the new role
+//. Create the required IAM policy for the ALB Controller
+//.. (very similar steps to above)
+// (The above is all that you are doing with ccoctl, without being in your project or logged on to your openshift console at all?)
+
+//. HCP: Add tags to ensure discovery?
+//. Create the OperatorGroup - why
+//. Create the Subscription - why
+//. Create the ALB Controller - why
+
+// Installing file networking/networking_operators/modules/aws-installing-an-aws-load-balancer-operator.adoc covers:
+// Create a new project for the operator
+// Create the trust policy for the operator
+// Create a role using the trust policy for the operator
+// Assign the policy to the operator role?
+// Create a trust policy for the controller
+// Create a role based on the controller trust policy
+// Assign the policy to the controller role?

modules/running-network-verification-manually-ocm.adoc

@@ -33,6 +33,7 @@ ROSA
 endif::openshift-rosa[]
 cluster.
 * You are the cluster owner or you have the cluster editor role.
+//TODO OSDOCS-11830 I am both of these things and I can't see anything related to this in OCM; is this only available after a specific version? upgrading test cluster to see if this appears for later cluster versions
 
 .Procedure
 

networking/about-managed-networking.adoc

@@ -10,42 +10,31 @@ toc::[]
 
 The following are some of the most commonly used {openshift-networking} features available on your cluster:
 
-* Cluster Network Operator for network plugin management
-+
+* Cluster Network Operator for network plugin management.
+
+ifdef::openshift-rosa-hcp[]
+* Primary cluster network provided by xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes], the default Container Network Interface (CNI) plugin.
+endif::openshift-rosa-hcp[]
+
+ifndef::openshift-rosa-hcp[]
 * Primary cluster network provided by either of the following Container Network Interface (CNI) plugins:
 +
 ** xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin], which is the default CNI plugin.
 ** {OCP-short} SDN network plugin, which was deprecated in {OCP-short} 4.16 and removed in {OCP-short} 4.17.
+endif::openshift-rosa-hcp[]
 
-ifdef::openshift-rosa[]
-
+ifdef::openshift-rosa,openshift-dedicated[]
 [IMPORTANT]
 ====
-Before upgrading {rosa-classic} clusters that are configured with the OpenShift SDN network plugin to version 4.17, you must migrate to the OVN-Kubernetes network plugin. For more information, see _Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin_ in the  _Additional resources_ section.
+Before upgrading {rosa-classic} clusters that are configured with the OpenShift SDN network plugin to version 4.17, you must migrate to the OVN-Kubernetes network plugin. For more information, see _Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin_.
 ====
-endif::openshift-rosa[]
-
-ifdef::openshift-dedicated[]
-
-[IMPORTANT]
-====
-Before upgrading {product-title} clusters that are configured with the OpenShift SDN network plugin to version 4.17, you must migrate to the OVN-Kubernetes network plugin. For more information, see _Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin_ in the  _Additional resources_ section.
-====
-endif::openshift-dedicated[]
-
 
 [discrete]
 [role="_additional-resources"]
 [id="additional-resources_{context}"]
 == Additional resources
-
 * link:https://access.redhat.com/articles/7065170[{OCP-short} SDN CNI removal in OCP 4.17]
+endif::openshift-rosa,openshift-dedicated[]
 ifdef::openshift-rosa[]
 * xref:../networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc#migrate-from-openshift-sdn[Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin]
-endif::openshift-rosa[]
-
-ifdef::openshift-dedicated[]
-
-* xref:../networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn-osd.adoc#migrate-from-openshift-sdn-osd[Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin]
-endif::openshift-dedicated[]
-
+endif::openshift-rosa[]