Merge pull request #94345 from mletalie/OSDOCS-14845

[OSDOCS-14845]OSDOCS Story [Virt on OSD] Secure Boot on per machine pool basis

Author: bmcelvee

modules/create-wif-cluster-ocm.adoc

@@ -55,14 +55,18 @@ Workload Identity Federation (WIF) is only supported on {product-title} version
 .. Select a cloud provider region from the *Region* drop-down menu.
 .. Select a *Single zone* or *Multi-zone* configuration.
 +
-.. Optional: Select *Enable Secure Boot support for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
+.. Optional: Select *Enable Secure Boot support for Shielded VMs* to use Shielded VMs when installing your cluster. Once you create your cluster, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
 +
 [IMPORTANT]
 ====
 To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints].
 ====
 +
-
+[IMPORTANT]
+====
+*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation.
+====
++
 .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
 
 . Optional: Expand *Advanced Encryption* to make changes to encryption settings.

modules/creating-a-machine-pool-ocm.adoc

@@ -146,8 +146,22 @@ Your Amazon EC2 Spot Instances might be interrupted at any time. Use Amazon EC2
 ====
 If you select *Use Amazon EC2 Spot Instances* for a machine pool, you cannot disable the option after the machine pool is created.
 ====
++
 endif::openshift-rosa-hcp[]
-
+ifdef::openshift-dedicated[]
+. Optional: By default, {product-title} on {GCP} instances in the machine pools inherit the Shielded VM settings at the cluster level. You can override the cluster level Shielded VM settings at the machine pool level by selecting or clearing the *Enable Secure Boot support for Shielded VMs* checkbox.
++
+[IMPORTANT]
+====
+Once a machine pool is created, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed.
+====
++
+[IMPORTANT]
+====
+*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation.
+====
+endif::openshift-dedicated[]
++
 . Click *Add machine pool* to create the machine pool.
 
 .Verification

modules/osd-create-cluster-ccs.adoc

@@ -59,14 +59,23 @@ Clusters configured with Private Service Connect (PSC) are only supported on Ope
 .. Select a *Single zone* or *Multi-zone* configuration.
 +
 
-.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
+.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. Once you create your cluster, the *Enable Secure Boot for Shielded VMs* setting cannot be changed. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
 +
 [IMPORTANT]
 ====
 To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints].
 ====
+// +
+// [IMPORTANT]
+// ====
+// Once a machine pool is saved, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed.
+// ====
++
+[IMPORTANT]
+====
+*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation.
+====
 +
-
 .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
 
 . Optional: Expand *Advanced Encryption* to make changes to encryption settings.

modules/osd-create-cluster-red-hat-account.adoc

@@ -39,13 +39,18 @@ To customize the subdomain, select the *Create custom domain prefix* checkbox, a
 .. Select a *Persistent storage* capacity for the cluster. For more information, see the _Storage_ section in the {product-title} service definition.
 .. Specify the number of *Load balancers* that you require for your cluster. For more information, see the _Load balancers_ section in the {product-title} service definition.
 +
-.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
+.. Optional: Select *Enable Secure Boot support for Shielded VMs* to use Shielded VMs when installing your cluster. Once you create your cluster, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs].
 +
 [IMPORTANT]
 ====
 To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints].
 ====
 +
+[IMPORTANT]
+====
+*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation.
+====
++
 .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
 . Optional: Expand *Advanced Encryption* to make changes to encryption settings.
 +

osd_whats_new/osd-whats-new.adoc

@@ -22,6 +22,10 @@ With its foundation in Kubernetes, {product-title} is a complete {OCP} cluster p
 // re-add once upgrade to 4.19 is available
 // For more information about upgrading to this latest version, see xref:../upgrading/osd-upgrades.adoc#osd-upgrades[Red Hat OpenShift Dedicated cluster upgrades].
 
+* **Support for enabling and disabling Secure Boot for Shielded VMs on a per machine basis.**
+{product-title} on {GCP} users can now enable or disable Secure Boot for Shielded VMs on a per machine basis. For more information, see xref:../osd_cluster_admin/osd_nodes/osd-managing-worker-nodes.adoc#osd-managing-worker-nodes[Managing compute nodes].
+
+
 [id="osd-q1-2025_{context}"]
 === Q1 2025
 

snippets/shieldedvm-baremetal-support.adoc

@@ -0,0 +1,18 @@
+// Text snippet included in the following assemblies: (1)
+//
+// * rosa_cluster_admin/rosa-configuring-pid-limits.adoc
+//
+// Text snippet included in the following modules:    (2)
+//
+// * modules/setting-higher-pid-limit-on-existing-cluster.adoc
+
+:_mod-docs-content-type: SNIPPET
+
+// Snippet that notifies user that Shielded VM is not supported for clusters created using bare metal instance types.
+
+[IMPORTANT]
+====
+[subs="attributes+"]
+Shielded VM is not supported for {product-title} on {GCP} clusters using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation.
+====
+// Undefine {FeatureName} attribute, so that any mistakes are easily spotted