OSDOCS-3798 - Removing OCM CLI references and adding proxy content fo…

…r OSD and ROSA
openshift · Sep 6, 2022 · e084702 · e084702
1 parent 751a4a0
commit e084702
Show file tree

Hide file tree

Showing 23 changed files with 416 additions and 220 deletions.
diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
@@ -204,7 +204,7 @@ Topics:
   Topics:
   - Name: Enabling multicast for a project
     File: enabling-multicast
-- Name: Configuring a cluster-wide proxy during installation
+- Name: Configuring a cluster-wide proxy
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions

diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -308,7 +308,7 @@ Topics:
   Topics:
   - Name: Enabling multicast for a project
     File: enabling-multicast
-- Name: Configuring a cluster-wide proxy during installation
+- Name: Configuring a cluster-wide proxy
   File: configuring-cluster-wide-proxy
 - Name: CIDR range definitions
   File: cidr-range-definitions

diff --git a/adding_service_cluster/adding-service.adoc b/adding_service_cluster/adding-service.adoc
@@ -6,6 +6,12 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
+You can add, access, and remove add-on services for your {product-title} 
+ifdef::openshift-rosa[]
+(ROSA) 
+endif::openshift-rosa[]
+cluster by using {cluster-manager-first}.
+
 ifdef::openshift-rosa[]
 == Prerequisites
 * For the Amazon CloudWatch service, you must first install the `cluster-logging-operator` using the `rosa` CLI.
@@ -14,7 +20,7 @@ endif::[]
 include::modules/adding-service-existing.adoc[leveloffset=+1]
 include::modules/access-service.adoc[leveloffset=+1]
 include::modules/deleting-service.adoc[leveloffset=+1]
-include::modules/deleting-service-cli.adoc[leveloffset=+1]
+//include::modules/deleting-service-cli.adoc[leveloffset=+1]
 
 ifdef::openshift-rosa[]
 [role="_additional-resources"]

diff --git a/modules/access-service.adoc b/modules/access-service.adoc
@@ -5,9 +5,13 @@
 :_content-type: PROCEDURE
 [id="access-service_{context}"]
 
-= Accessing installed services on your cluster
+= Accessing installed add-on services on your cluster
 
-After you successfully install a service on your cluster, you can access the service through the OpenShift console.
+After you successfully install an add-on service on your {product-title} 
+ifdef::openshift-rosa[]
+(ROSA) 
+endif::openshift-rosa[]
+cluster, you can access the service by using the OpenShift web console.
 
 .Prerequisites
 
@@ -21,9 +25,9 @@ After you successfully install a service on your cluster, you can access the ser
 
 . Navigate to the *Add-ons* tab, and locate the installed service that you want to access.
 
-. Click *View on console* from the service option to open the OpenShift console.
+. Click *View on console* from the service option to open the OpenShift web console.
 
-. Enter your credentials to log in to the OpenShift console.
+. Enter your credentials to log in to the OpenShift web console.
 
 . Click the *Red Hat Applications* menu by clicking the three-by-three matrix icon in the upper right corner of the main screen.
 

diff --git a/modules/adding-service-existing.adoc b/modules/adding-service-existing.adoc
@@ -5,11 +5,13 @@
 :_content-type: PROCEDURE
 [id="adding-service-existing_{context}"]
 
-= Adding a service to a cluster
-
-
-You can add a service to an existing {product-title} cluster through {cluster-manager-first}.
+= Adding an add-on service to a cluster
 
+You can add an add-on service to an existing {product-title} 
+ifdef::openshift-rosa[]
+(ROSA) 
+endif::openshift-rosa[]
+cluster by using {cluster-manager-first}.
 
 .Prerequisites
 

diff --git a/modules/cluster-wide-proxy-preqs.adoc b/modules/cluster-wide-proxy-preqs.adoc
@@ -2,31 +2,36 @@
 //
 // * networking/configuring-cluster-wide-proxy.adoc
 
-:_content-type: PROCEDURE
+:_content-type: CONCEPT
 [id="cluster-wide-proxy-prereqs_{context}"]
 = Prerequisites for configuring a cluster-wide proxy
 
-To configure a cluster-wide proxy, you must meet the following requirements. These requirements are valid for both fresh installation and post installation proxy configuration.
+To configure a cluster-wide proxy, you must meet the following requirements. These requirements are valid when you configure a proxy during installation or post-installation.
 
+[discrete]
 [id="cluster-wide-proxy-general-prereqs_{context}"]
 == General requirements
 
 * You are the cluster owner.
 * Your account has sufficient privileges.
-* You have added the `ec2.<region>.amazonaws.com`, `elasticloadbalancing.<region>.amazonaws.com`, and `s3.<region>.amazonaws.com` endpoints to your virtual private cloud (VPC) endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works on the container level, not the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not sufficient.
 ifdef::openshift-rosa[]
-* You have the `rosa` CLI installed and configured.
-endif::[]
+* You have an existing Virtual Private Cloud (VPC) for your cluster.
+endif::openshift-rosa[]
 ifdef::openshift-dedicated[]
-* You must have a Customer Cloud Subscription (CCS) cluster with a VPC that the proxy can access.
-* You have the `ocm` CLI installed and configured.
-endif::[]
+* You have an existing Virtual Private Cloud (VPC) for your cluster.
+* You are using the Customer Cloud Subscription (CCS) model for your cluster.
+endif::openshift-dedicated[]
+* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy is also accessible from the VPC for the cluster and from the private subnets of the VPC.
+* You have added the `ec2.<region>.amazonaws.com`, `elasticloadbalancing.<region>.amazonaws.com`, and `s3.<region>.amazonaws.com` endpoints to your VPC endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works at the container level and not at the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not enough.
 
+[discrete]
 [id="cluster-wide-proxy-network-prereqs_{context}"]
 == Network requirements
 
 * If your proxy re-encyrpts egress traffic, you must create exclusions to the domain and port combinations. The following table offers guidance into these exceptions.
-** Allowlist the following OpenShift URLs for re-encryption.
++
+--
+** Add the following OpenShift URLs to your allowlist for re-encryption.
 +
 [cols="6,1,6",options="header"]
 |===
@@ -40,7 +45,7 @@ endif::[]
 |The https://cloud.redhat.com/openshift site uses authentication from sso.redhat.com to download the cluster pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, and chargeback reporting.
 |===
 +
-** Allowlist the following site reliability engineering (SRE) and management URLs for re-encryption.
+** Add the following site reliability engineering (SRE) and management URLs to your allowlist for re-encryption.
 +
 [cols="6,1,6",options="header"]
 |===
@@ -70,3 +75,11 @@ endif::[]
 |https/443
 |Used by the splunk-forwarder-operator as a log forwarding endpoint to be used by Red Hat SRE for log-based alerting.
 |===
+--
++
+[IMPORTANT]
+====
+The use of a proxy server to perform TLS re-encryption is currently not supported if the server is acting as a transparent forward proxy where it is not configured on-cluster via the `--http-proxy` or `--https-proxy` arguments.
+
+A transparent forward proxy intercepts the cluster traffic, but it is not actually configured on the cluster itself.
+====
diff --git a/modules/cluster-wide-proxy-updates.adoc b/modules/cluster-wide-proxy-updates.adoc
diff --git a/modules/cluster-wide-proxy.adoc b/modules/cluster-wide-proxy.adoc
diff --git a/modules/configuring-a-proxy-after-installation-cli.adoc b/modules/configuring-a-proxy-after-installation-cli.adoc
@@ -0,0 +1,82 @@
+// Module included in the following assemblies:
+//
+// * networking/configuring-cluster-wide-proxy.adoc
+
+:_content-type: PROCEDURE
+[id="configuring-a-proxy-after-installation-cli_{context}"]
+= Configuring a proxy after installation using the CLI
+
+You can use the {product-title} (ROSA) CLI (`rosa`) to add a cluster-wide proxy configuration to an existing ROSA cluster in a Virtual Private Cloud (VPC).
+
+You can also use `rosa` to update an existing cluster-wide proxy configuration. For example, you might need to update the network address for the proxy or replace the additional trust bundle if any of the certificate authorities for the proxy expire.
+
+[IMPORTANT]
+====
+The cluster applies the proxy configuration to the control plane and compute nodes. While applying the configuration, each cluster node is temporarily placed in an unschedulable state and drained of its workloads. Each node is restarted as part of the process.
+====
+
+.Prerequisites
+
+* You have installed and configured the latest ROSA (`rosa`) and OpenShift (`oc`) CLIs on your installation host.
+* You have a ROSA cluster that is deployed in a VPC.
+
+.Procedure
+
+* Edit the cluster configuration to add or update the cluster-wide proxy details:
++
+[source,terminal]
+----
+$ rosa edit cluster \
+ --cluster $CLUSTER_NAME \
+ --additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>
+ --http-proxy http://<username>:<password>@<ip>:<port> \ <1> <4>
+ --https-proxy http(s)://<username>:<password>@<ip>:<port> <1> <4>
+----
+<1> The `additional-trust-bundle-file`, `http-proxy`, and `https-proxy` arguments are all optional.
+<2> If you use the `additional-trust-bundle-file` argument without an `http-proxy` or `https-proxy` argument, the trust bundle is added to the trust store and used to verify cluster system egress traffic. In that scenario, the bundle is not configured to be used with a proxy.
+<3> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
+<4> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
++
+[NOTE]
+====
+You should not attempt to change the proxy or additional trust bundle configuration on the cluster directly. These changes must be applied by using the ROSA CLI (`rosa`) or {cluster-manager-first}. Any changes that are made directly to the cluster will be reverted automatically.
+====
+
+.Verification
+
+. List the status of the machine config pools and verify that they are updated:
++
+[source,terminal]
+----
+$ oc get machineconfigpools
+----
++
+.Example output
+[source,terminal]
+----
+NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+master   rendered-master-d9a03f612a432095dcde6dcf44597d90   True      False      False      3              3                   3                     0                      31h
+worker   rendered-worker-f6827a4efe21e155c25c21b43c46f65e   True      False      False      6              6                   6                     0                      31h
+----
+
+. Display the proxy configuration for your cluster and verify that the details are as expected:
++
+[source,terminal]
+----
+$ oc get proxy cluster -o yaml
+----
++
+.Example output
+[source,terminal]
+----
+apiVersion: config.openshift.io/v1
+kind: Proxy
+spec:
+  httpProxy: http://proxy.host.domain:<port>
+  httpsProxy: https://proxy.host.domain:<port>
+  <...more...>
+status:
+  httpProxy: http://proxy.host.domain:<port>
+  httpsProxy: https://proxy.host.domain:<port>
+  <...more...>
+----