OSDOCS-11830 Split Networking content for ROSA with HCP

Author: laubai

_topic_maps/_topic_map_rosa_hcp.yml

@@ -853,6 +853,84 @@ Topics:
 #  - Name: Advanced OADP features and functionalities
 #    File: oadp-advanced-topics
 ---
+Name: Networking
+Dir: networking
+Distros: openshift-rosa-hcp
+Topics:
+- Name: About networking
+  File: about-managed-networking
+- Name: Networking Operators
+  Dir: networking_operators
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: AWS Load Balancer Operator
+    File: aws-load-balancer-operator
+  - Name: DNS Operator in Red Hat OpenShift Service on AWS
+    File: dns-operator
+# TODO OSDOCS-11830: Unable to locate in OperatorHub for ROSA with HCP cluster
+#  - Name: Ingress Operator in Red Hat OpenShift Service on AWS
+#    File: ingress-operator
+  - Name: Ingress Node Firewall Operator in Red Hat OpenShift Service on AWS
+    File: ingress-node-firewall-operator
+- Name: Network verification
+  File: network-verification
+- Name: Configuring a cluster-wide proxy during installation
+  File: configuring-cluster-wide-proxy
+- Name: CIDR range definitions
+  File: cidr-range-definitions
+- Name: Network security
+  Dir: network_security
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Admin network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
+  - Name: Network policy
+    Dir: network_policy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  # Included for OSDOCS-13465
+  - Name: Audit logging for network security
+    File: logging-network-security
+- Name: Configuring the primary cluster network
+  Dir: ovn_kubernetes_network_provider
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: About the OVN-Kubernetes network plugin
+    File: about-ovn-kubernetes
+  - Name: Configuring an egress IP address
+    File: configuring-egress-ips-ovn
+# OpenShift SDN not supported for HCP
+- Name: Configuring Routes
+  Dir: routes
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Route configuration
+    File: route-configuration
+  - Name: Secured routes
+    File: secured-routes
+---
 Name: Nodes
 Dir: nodes
 Distros: openshift-rosa-hcp

cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc

@@ -20,18 +20,10 @@ toc::[]
 
 include::snippets/mobb-support-statement.adoc[leveloffset=+1]
 
-ifndef::openshift-rosa-hcp[]
 [TIP]
 ====
 Load Balancers created by the AWS Load Balancer Operator cannot be used for xref:../networking/routes/route-configuration.adoc#route-configuration[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
 ====
-endif::openshift-rosa-hcp[]
-ifdef::openshift-rosa-hcp[]
-[TIP]
-====
-Load Balancers created by the AWS Load Balancer Operator cannot be used for link:https://docs.openshift.com/rosa/networking/routes/route-configuration.html[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
-====
-endif::openshift-rosa-hcp[]
 
 The link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/[AWS Load Balancer Controller] manages AWS Elastic Load Balancers for a {product-title} (ROSA) cluster. The controller provisions link:https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html[AWS Application Load Balancers (ALB)] when you create Kubernetes Ingress resources and link:https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html[AWS Network Load Balancers (NLB)] when implementing Kubernetes Service resources with a type of LoadBalancer.
 
@@ -54,11 +46,12 @@ AWS ALBs require a multi-AZ cluster, as well as three public subnets split acros
 
 ifndef::openshift-rosa-hcp[]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[A multi-AZ ROSA classic cluster]
+* BYO VPC cluster
+//Moved inside ifndef since this is always true for HCP clusters
 endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa-hcp[]
-* link:https://docs.openshift.com/rosa-hcp/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.html[A multi-AZ ROSA cluster]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[A multi-AZ {hcp-title} cluster]
 endif::openshift-rosa-hcp[]
-* BYO VPC cluster
 * AWS CLI
 * OC CLI
 
@@ -123,6 +116,7 @@ $ aws ec2 create-tags \
      --tags Key=kubernetes.io/role/internal-elb,Value='' \
      --region ${REGION}
 ----
+//subnets are tagged already after rosa create network
 
 [id="installation_{context}"]
 == Installation
@@ -355,6 +349,8 @@ $ curl "http://${INGRESS}"
 ----
 Hello OpenShift!
 ----
+//TODO OSDOCS-11830: Couldn't get either of these validation checks to work, Andy R indicated that the related error seems to be that user is not authorized to do operation elasticloadbalancing:AddTags because "no identity based policy allows elasticloadbalancing:AddTags" however the linked policy does seem to allow that as far as I can tell: https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
+// That said, I'm not sure we should be getting our example policy from the rh-mobb repo
 
 . Deploy an AWS NLB for your hello world application:
 +

modules/cluster-wide-proxy-preqs.adoc

@@ -21,7 +21,7 @@ ifdef::openshift-dedicated[]
 * You have an existing Virtual Private Cloud (VPC) for your cluster.
 * You are using the Customer Cloud Subscription (CCS) model for your cluster.
 endif::openshift-dedicated[]
-* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy is also accessible from the VPC for the cluster and from the private subnets of the VPC.
+* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy must also be accessible from the VPC for the cluster and from the private subnets of the VPC.
 * You have added the following endpoints to your VPC endpoint:
 ** `ec2.<aws_region>.amazonaws.com`
 ** `elasticloadbalancing.<aws_region>.amazonaws.com`

modules/running-network-verification-manually-ocm.adoc

@@ -33,6 +33,7 @@ ROSA
 endif::openshift-rosa[]
 cluster.
 * You are the cluster owner or you have the cluster editor role.
+//TODO OSDOCS-11830 I am both of these things and I can't see anything related to this in OCM; is this only available after a specific version? upgrading test cluster to see if this appears for later cluster versions
 
 .Procedure
 

networking/about-managed-networking.adoc

@@ -10,42 +10,28 @@ toc::[]
 
 The following are some of the most commonly used {openshift-networking} features available on your cluster:
 
-* Cluster Network Operator for network plugin management
-+
+* Cluster Network Operator for network plugin management.
+
+ifdef::openshift-rosa-hcp[]
+* Primary cluster network provided by xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes], the default Container Network Interface (CNI) plugin.
+endif::openshift-rosa-hcp[]
+
+ifndef::openshift-rosa-hcp[]
 * Primary cluster network provided by either of the following Container Network Interface (CNI) plugins:
 +
 ** xref:../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[OVN-Kubernetes network plugin], which is the default CNI plugin.
 ** {OCP-short} SDN network plugin, which was deprecated in {OCP-short} 4.16 and removed in {OCP-short} 4.17.
 
-ifdef::openshift-rosa[]
-
-[IMPORTANT]
-====
-Before upgrading {rosa-classic} clusters that are configured with the OpenShift SDN network plugin to version 4.17, you must migrate to the OVN-Kubernetes network plugin. For more information, see _Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin_ in the  _Additional resources_ section.
-====
-endif::openshift-rosa[]
-
-ifdef::openshift-dedicated[]
-
+ifdef::openshift-rosa,openshift-dedicated[]
 [IMPORTANT]
 ====
-Before upgrading {product-title} clusters that are configured with the OpenShift SDN network plugin to version 4.17, you must migrate to the OVN-Kubernetes network plugin. For more information, see _Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin_ in the  _Additional resources_ section.
+Before upgrading {rosa-classic} clusters that are configured with the OpenShift SDN network plugin to version 4.17, you must migrate to the OVN-Kubernetes network plugin. For more information, see _Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin_.
 ====
-endif::openshift-dedicated[]
-
 
 [discrete]
 [role="_additional-resources"]
 [id="additional-resources_{context}"]
 == Additional resources
-
 * link:https://access.redhat.com/articles/7065170[{OCP-short} SDN CNI removal in OCP 4.17]
-ifdef::openshift-rosa[]
 * xref:../networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc#migrate-from-openshift-sdn[Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin]
-endif::openshift-rosa[]
-
-ifdef::openshift-dedicated[]
-
-* xref:../networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn-osd.adoc#migrate-from-openshift-sdn-osd[Migrating from the OpenShift SDN network plugin to the OVN-Kubernetes network plugin]
-endif::openshift-dedicated[]
-
+endif::openshift-rosa,openshift-dedicated[]

networking/cidr-range-definitions.adoc

@@ -2,9 +2,9 @@
 [id="cidr-range-definitions"]
 = CIDR range definitions
 include::_attributes/common-attributes.adoc[]
-ifdef::openshift-dedicated,openshift-rosa[]
+ifdef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 include::_attributes/attributes-openshift-dedicated.adoc[]
-endif::openshift-dedicated,openshift-rosa[]
+endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
 :context: cidr-range-definitions
 
 toc::[]
@@ -27,9 +27,9 @@ The following subnet types and are mandatory for a cluster that uses OVN-Kuberne
 You can change the join, masquerade, and transit CIDR ranges for your cluster as a post-installation task.
 ====
 
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 When specifying subnet CIDR ranges, ensure that the subnet CIDR range is within the defined Machine CIDR. You must verify that the subnet CIDR ranges allow for enough IP addresses for all intended workloads depending on which platform the cluster is hosted.
-endif::[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 
 OVN-Kubernetes, the default network provider in {product-title} 4.14 and later versions, internally uses the following IP address subnet ranges:
 
@@ -39,18 +39,19 @@ OVN-Kubernetes, the default network provider in {product-title} 4.14 and later v
 * `V6TransitSwitchSubnet`: `fd97::/64`
 * `defaultV4MasqueradeSubnet`: `169.254.0.0/17`
 * `defaultV6MasqueradeSubnet`: `fd69::/112`
+// TODO OSDOCS-11830 validate for HCP clusters
 
 [IMPORTANT]
 ====
 The previous list includes join, transit, and masquerade IPv4 and IPv6 address subnets. If your cluster uses OVN-Kubernetes, do not include any of these IP address subnet ranges in any other CIDR definitions in your cluster or infrastructure.
 ====
 
-ifndef::openshift-rosa,openshift-dedicated[]
+ifndef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 [role="_additional-resources"]
 .Additional resources
 
 * For more information about configuring join subnets or transit subnets, see xref:../networking/ovn_kubernetes_network_provider/configure-ovn-kubernetes-subnets.adoc#configure-ovn-kubernetes-subnets[Configuring OVN-Kubernetes internal IP address subnets].
-endif::[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 
 [id="machine-cidr-description"]
 == Machine CIDR
@@ -62,33 +63,35 @@ In the Machine classless inter-domain routing (CIDR) field, you must specify the
 Machine CIDR ranges cannot be changed after creating your cluster.
 ====
 
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 This range must encompass all CIDR address ranges for your virtual private cloud (VPC) subnets. Subnets must be contiguous. A minimum IP address range of 128 addresses, using the subnet prefix `/25`, is supported for single availability zone deployments. A minimum address range of 256 addresses, using the subnet prefix `/24`, is supported for deployments that use multiple availability zones.
-endif::openshift-rosa,openshift-dedicated[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
+//TODO OSDOCS-11830 does this mean that machine CIDR can onky be in /25 and /24?
 
 The default is `10.0.0.0/16`. This range must not conflict with any connected networks.
 
-ifdef::openshift-rosa[]
+ifdef::openshift-rosa,openshift-rosa-hcp[]
 [NOTE]
 ====
 When using {hcp-title}, the static IP address `172.20.0.1` is reserved for the internal Kubernetes API address. The machine, pod, and service CIDRs ranges must not conflict with this IP address.
 ====
-endif::[]
+endif::openshift-rosa,openshift-rosa-hcp[]
 
-ifndef::openshift-rosa,openshift-dedicated[]
+
+ifndef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 [role="_additional-resources"]
 .Additional resources
 
 * xref:../networking/networking_operators/cluster-network-operator.adoc#nw-operator-cr_cluster-network-operator[Cluster Network Operator configuration]
-endif::[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 
 
 [id="service-cidr-description"]
 == Service CIDR
 In the Service CIDR field, you must specify the IP address range for services.
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 It is recommended, but not required, that the address block is the same between clusters. This will not create IP address conflicts.
-endif::openshift-rosa,openshift-dedicated[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 The range must be large enough to accommodate your workload. The address block must not overlap with any external service accessed from within the cluster. The default is `172.30.0.0/16`.
 
 [id="pod-cidr-description"]
@@ -98,9 +101,9 @@ In the pod CIDR field, you must specify the IP address range for pods.
 ifdef::openshift-enterprise[]
 The pod CIDR is the same as the `clusterNetwork` CIDR and the cluster CIDR.
 endif::openshift-enterprise[]
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 It is recommended, but not required, that the address block is the same between clusters. This will not create IP address conflicts.
-endif::openshift-rosa,openshift-dedicated[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 The range must be large enough to accommodate your workload. The address block must not overlap with any external service accessed from within the cluster. The default is `10.128.0.0/14`.
 ifdef::openshift-enterprise[]
 You can expand the range after cluster installation.
@@ -115,9 +118,9 @@ endif::openshift-enterprise[]
 == Host Prefix
 In the Host Prefix field, you must specify the subnet prefix length assigned to pods scheduled to individual machines. The host prefix determines the pod IP address pool for each machine.
 
-ifdef::openshift-rosa,openshift-dedicated[]
+ifdef::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 For example, if the host prefix is set to `/23`, each machine is assigned a `/23` subnet from the pod CIDR address range. The default is `/23`, allowing 512 cluster nodes, and 512 pods per node (both of which are beyond our maximum supported).
-endif::openshift-rosa,openshift-dedicated[]
+endif::openshift-rosa,openshift-rosa-hcp,openshift-dedicated[]
 
 ifdef::openshift-enterprise[]
 For example, if the host prefix is set to `/23`, each machine is assigned a `/23` subnet from the pod CIDR address range. The default is `/23`, allowing 510 cluster nodes, and 510 pod IP addresses per node.

networking/configuring-cluster-wide-proxy.adoc

@@ -11,6 +11,9 @@ If you are using an existing Virtual Private Cloud (VPC), you can configure a cl
 ifdef::openshift-rosa[]
 a {product-title} (ROSA)
 endif::openshift-rosa[]
+ifdef::openshift-rosa-hcp[]
+a {hcp-title-first} ({hcp-title})
+endif::openshift-rosa-hcp[]
 ifdef::openshift-dedicated[]
 an {product-title}
 endif::openshift-dedicated[]
@@ -32,6 +35,9 @@ include::modules/cluster-wide-proxy-preqs.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 
+ifdef::openshift-rosa-hcp[]
+* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-prereqs[Prerequisites for {hcp-title}]
+endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa[]
 * For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[AWS prerequisites for ROSA with STS].
 * For the installation prerequisites for ROSA clusters that do not use STS, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#prerequisites[AWS prerequisites for ROSA].
@@ -50,16 +56,20 @@ You can configure an HTTP or HTTPS proxy when you install an {product-title} wit
 
 include::modules/configuring-a-proxy-during-installation-ocm.adoc[leveloffset=+1]
 endif::openshift-dedicated[]
-ifdef::openshift-rosa[]
+ifdef::openshift-rosa,openshift-rosa-hcp[]
+// TODO OSDOCS-11830 confirm that these steps are identical for HCP clusters
 You can configure an HTTP or HTTPS proxy when you install a {product-title} (ROSA) cluster into an existing Virtual Private Cloud (VPC). You can configure the proxy during installation by using {cluster-manager-first} or the ROSA CLI (`rosa`).
 
 include::modules/configuring-a-proxy-during-installation-ocm.adoc[leveloffset=+2]
 include::modules/configuring-a-proxy-during-installation-cli.adoc[leveloffset=+2]
-endif::openshift-rosa[]
+endif::openshift-rosa,openshift-rosa-hcp[]
 
 [role="_additional-resources"]
 .Additional resources
 
+ifdef::openshift-rosa-hcp[]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[Creating a {hcp-title} cluster]
+endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa[]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-ocm_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations by using OpenShift Cluster Manager]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-cli_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations using the CLI]
@@ -77,7 +87,7 @@ You can configure an HTTP or HTTPS proxy after you install an {product-title} wi
 
 include::modules/configuring-a-proxy-after-installation-ocm.adoc[leveloffset=+1]
 endif::openshift-dedicated[]
-ifdef::openshift-rosa[]
+ifdef::openshift-rosa,openshift-rosa-hcp[]
 You can configure an HTTP or HTTPS proxy after you install a {product-title} (ROSA) cluster into an existing Virtual Private Cloud (VPC). You can configure the proxy after installation by using {cluster-manager-first} or the ROSA CLI (`rosa`).
 
 include::modules/configuring-a-proxy-after-installation-ocm.adoc[leveloffset=+2]
@@ -90,4 +100,4 @@ You can remove your cluster-wide proxy by using the ROSA CLI. After removing the
 
 include::modules/nw-rosa-proxy-remove-cli.adoc[leveloffset=+2]
 include::modules/configmap-removing-ca.adoc[leveloffset=+2]
-endif::openshift-rosa[]
+endif::openshift-rosa,openshift-rosa-hcp[]