Commit 7c4ffd6

Merge pull request #82690 from AedinC/OSDOCS-12181
OSDOCS-12181: Added FIPS cryptography option in create classic cluster ROSA CLI workflow.
2 parents 9765495 + 63d5153 commit 7c4ffd6

1 file changed: +12 / -8 lines changed

modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc

Lines changed: 12 additions & 8 deletions
@@ -237,24 +237,27 @@ I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role for th
237237
? Multiple availability zones (optional): No <9>
238238
? AWS region: us-east-1
239239
? PrivateLink cluster (optional): No
240+
? Machine CIDR: 10.0.0.0/16
241+
? Service CIDR: 172.30.0.0/16
242+
? Pod CIDR: 10.128.0.0/14
240243
? Install into an existing VPC (optional): Yes <10>
244+
? Subnet IDs (optional):
241245
? Select availability zones (optional): No
242246
? Enable Customer Managed key (optional): No <11>
243247
? Compute nodes instance type (optional):
244248
? Enable autoscaling (optional): No
245249
? Compute nodes: 2
250+
? Worker machine pool labels (optional):
251+
? Host prefix: 23
246252
? Additional Security Group IDs (optional): <12>
247253
? > [*] sg-0e375ff0ec4a6cfa2 ('sg-1')
248254
? > [ ] sg-0e525ef0ec4b2ada7 ('sg-2')
249-
? Machine CIDR: 10.0.0.0/16
250-
? Service CIDR: 172.30.0.0/16
251-
? Pod CIDR: 10.128.0.0/14
252-
? Host prefix: 23
253-
? Encrypt etcd data (optional): No <13>
255+
? Enable FIPS support: No <13>
256+
? Encrypt etcd data: No <14>
254257
? Disable Workload monitoring (optional): No
255258
I: Creating cluster '<cluster_name>'
256259
I: To create this cluster again in the future, you can run:
257-
rosa create cluster --cluster-name <cluster_name> --role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role --operator-roles-prefix <cluster_name>-<random_string> --region us-east-1 --version 4.17.0 --additional-compute-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-infra-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-control-plane-security-group-ids sg-0e375ff0ec4a6cfa2 --replicas 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 <14>
260+
rosa create cluster --cluster-name <cluster_name> --role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role --operator-roles-prefix <cluster_name>-<random_string> --region us-east-1 --version 4.17.0 --additional-compute-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-infra-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-control-plane-security-group-ids sg-0e375ff0ec4a6cfa2 --replicas 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 <15>
258261
I: To view a list of clusters and their status, run 'rosa list clusters'
259262
I: Cluster '<cluster_name>' has been created.
260263
I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
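Review bot: the renumbered prompt `? Encrypt etcd data: No <14>` drops the `(optional)` suffix that the replaced line `? Encrypt etcd data (optional): No <13>` and every neighbouring optional prompt carry, and the new `? Enable FIPS support: No <13>` line has none either; if this mirrors what the current `rosa create cluster --interactive` run actually prints, fine, otherwise restore `(optional)` on both for consistency with the rest of the transcript. Since both sample answers are `No`, the replayed `rosa create cluster` command at the end of the hunk correctly carries no FIPS or etcd flag, but the sample therefore cannot show the FIPS-forces-etcd-encryption behaviour that the new callout describes; worth confirming the transcript still matches the CLI when FIPS is answered `Yes`.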
@@ -308,14 +311,15 @@ PVs created by using any other storage class are still encrypted, but the PVs ar
308311
====
309312
310313
<12> Optional: You can select additional custom security groups to use in your cluster. You must have already created the security groups and associated them with the VPC you selected for this cluster. You cannot add or edit security groups for the default machine pools after you create the machine pool. For more information, see the requirements for _Security groups_ under _Additional resources_.
311-
<13> Optional: Enable this option only if your use case requires etcd key value encryption in addition to the control plane storage encryption that encrypts the etcd volumes by default. With this option, the etcd key values are encrypted but not the keys.
314+
<13> Optional: Enable this option if you require your cluster to be FIPS validated. Selecting this option means the encrypt etcd data option is enabled by default and cannot be disabled. You can encrypt etcd data without enabling FIPS support.
315+
<14> Optional: Enable this option if your use case only requires etcd key value encryption in addition to the control plane storage encryption that encrypts the etcd volumes by default. With this option, the etcd key values are encrypted but not the keys.
312316
+
313317
[IMPORTANT]
314318
====
315319
By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red{nbsp}Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
316320
====
317321
+
318-
<14> The output includes a custom command that you can run to create a cluster with the same configuration in the future.
322+
<15> The output includes a custom command that you can run to create another cluster with the same configuration.
319323
--
320324
+
321325
As an alternative to using the `--interactive` mode, you can specify the customization options directly when you run the `rosa create cluster` command. Run the `rosa create cluster --help` command to view a list of available CLI options, or see _create cluster_ in _Managing objects with the ROSA CLI_.
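Review bot: in the new `<14>` callout, moving `only` changes the meaning. The replaced text read `Enable this option only if your use case requires etcd key value encryption`, a caution about when to enable it, whereas the new `Enable this option if your use case only requires etcd key value encryption` reads as a restriction on what the use case requires. The IMPORTANT block that follows still says to enable etcd encryption only if you specifically require it, so restore the original placement: `Enable this option only if your use case requires etcd key value encryption in addition to ...`. In `<13>`, `enabled by default and cannot be disabled` is self-contradictory, since a default is something the user can change; `is enabled automatically and cannot be disabled` says what is meant. Also check whether `FIPS validated` is the intended phrase for a cluster, given the prompt reads `Enable FIPS support`; wording that ties the callout to the prompt (for example, `if your cluster must run in FIPS mode`) avoids the mismatch.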
