Merge pull request #55526 from mjpytlak/osdocs-4348

OSDOCS#4348: Installing an IBM Cloud VPC cluster in restricted env

Author: mjpytlak

_topic_maps/_topic_map.yml

@@ -297,6 +297,8 @@ Topics:
     File: installing-ibm-cloud-vpc
   - Name: Installing a private cluster on IBM Cloud
     File: installing-ibm-cloud-private
+  - Name: Installing a cluster on IBM Cloud in a restricted network
+    File: installing-ibm-cloud-restricted
   - Name: Installation configuration parameters for IBM Cloud
     File: installation-config-parameters-ibm-cloud-vpc
   - Name: Uninstalling a cluster on IBM Cloud

installing/installing-preparing.adoc

@@ -77,7 +77,7 @@ If you use a user-provisioned installation method, you can configure a proxy for
 
 If you want to prevent your cluster on a public cloud from exposing endpoints externally, you can deploy a private cluster with installer-provisioned infrastructure on xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[AWS], xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Azure], or xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[GCP].
 
-If you need to install your cluster that has limited access to the internet, such as a disconnected or restricted network cluster, you can xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[{ibm-z-name} or {ibm-linuxone-name}], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[{ibm-z-name} or {ibm-linuxone-name} with {op-system-base} KVM], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[{ibm-power-name}], xref:../installing/installing_vsphere/upi/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[Nutanix], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], and xref:../installing/installing_vsphere/ipi/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
+If you need to install your cluster that has limited access to the internet, such as a disconnected or restricted network cluster, you can xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[{ibm-z-name} or {ibm-linuxone-name}], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[{ibm-z-name} or {ibm-linuxone-name} with {op-system-base} KVM], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[{ibm-power-name}], xref:../installing/installing_vsphere/upi/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#installing-ibm-cloud-restricted[{ibm-cloud-name}], xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[Nutanix], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], and xref:../installing/installing_vsphere/ipi/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
 
 
 If you need to deploy your cluster to an xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[AWS GovCloud region], xref:../installing/installing_aws/installing-aws-china.adoc#installing-aws-china-region[AWS China region], or xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Azure government region], you can configure those custom regions during an installer-provisioned infrastructure installation.
@@ -205,7 +205,7 @@ ifndef::openshift-origin[]
 |xref:../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#ipi-install-installation-workflow[✓]
 |xref:../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#ipi-install-installation-workflow[✓]
 |xref:../installing/installing_vsphere/ipi/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[✓]
-|
+|xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#installing-ibm-cloud-restricted[✓]
 |
 |
 |xref:../installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc#installing-restricted-networks-ibm-power-vs[✓]
@@ -310,7 +310,7 @@ endif::openshift-origin[]
 //This table is for OKD only. A separate table is required because OKD does not support multiple AWS architecture types. Trying to maintain one table using conditions, while convenient, is very fragile and prone to publishing errors.
 ifdef::openshift-origin[]
 |===
-||Alibaba |AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack} |Bare metal |vSphere |VMC |{ibm-cloud-name} |{ibm-z-name} |{ibm-power-name}
+||Alibaba |AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack} |Bare metal |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-power-name}
 
 
 |Default
@@ -365,7 +365,7 @@ ifdef::openshift-origin[]
 |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[✓]
 |
 |xref:../installing/installing_vsphere/ipi/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[✓]
-|
+|xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#installing-ibm-cloud-restricted[✓]
 |
 |
 
@@ -379,7 +379,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 |xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc#installing-ibm-cloud-private[✓]
 |
 |
@@ -394,7 +393,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 |xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc#installing-ibm-cloud-vpc[✓]
 |
 |
@@ -412,7 +410,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 
 |Secret regions
 |
@@ -427,7 +424,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 
 |China regions
 |
@@ -442,7 +438,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 |===
 endif::openshift-origin[]
 
@@ -540,7 +535,7 @@ endif::openshift-origin[]
 //This table is for OKD only. A separate table is required because OKD does not support multiple AWS architecture types. Trying to maintain one table using conditions, while convenient, is very fragile and prone to publishing errors.
 ifdef::openshift-origin[]
 |===
-||Alibaba |AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack}|Bare metal |vSphere |VMC |{ibm-cloud-name} |{ibm-z-name} |{ibm-z-name} with {op-system-base} KVM |{ibm-power-name} |Platform agnostic
+||Alibaba |AWS |Azure |Azure Stack Hub |GCP |Nutanix |{rh-openstack}|Bare metal |vSphere |{ibm-cloud-name} |{ibm-z-name} |{ibm-z-name} with {op-system-base} KVM |{ibm-power-name} |Platform agnostic
 
 
 |Custom
@@ -607,7 +602,6 @@ ifdef::openshift-origin[]
 |
 |
 |
-|
 |===
 endif::openshift-origin[]
 

installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc

@@ -0,0 +1,84 @@
+:_content-type: ASSEMBLY
+[id="installing-ibm-cloud-restricted"]
+= Installing a cluster on IBM Cloud in a restricted network
+include::_attributes/common-attributes.adoc[]
+:context: installing-ibm-cloud-restricted
+
+toc::[]
+
+In {product-title} {product-version}, you can install a cluster in a restricted network by creating an internal mirror of the installation release content that is accessible to an existing Virtual Private Cloud (VPC) on {ibm-cloud-name}.
+
+[id="prerequisites_installing-ibm-cloud-restricted"]
+== Prerequisites
+
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* You xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc#installing-ibm-cloud-account[configured an IBM Cloud account] to host the cluster.
+* You have a container image registry that is accessible to the internet and your restricted network. The container image registry should mirror the contents of the {product-registry} and contain the installation media. For more information, see xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin].
+* You have an existing VPC on {ibm-cloud-name} that meets the following requirements:
+** The VPC contains the mirror registry or has firewall rules or a peering connection to access the mirror registry that is hosted elsewhere.
+** The VPC can access {ibm-cloud-name} service endpoints using a public endpoint. If network restrictions limit access to public service endpoints, evaluate those services for alternate endpoints that might be available. For more information see xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#access-to-ibm-service-endpoints_installing-ibm-cloud-restricted[Access to IBM service endpoints].
+
++
+You cannot use the VPC that the installation program provisions by default.
+* If you plan on configuring endpoint gateways to use {ibm-cloud-name} Virtual Private Endpoints, consider the following requirements:
+** Endpoint gateway support is currently limited to the `us-east` and `us-south` regions.
+** The VPC must allow traffic to and from the endpoint gateways. You can use the VPC’s default security group, or a new security group, to allow traffic on port 443. For more information, see xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#installation-ibm-cloud-configure-vpc-for-endpoint-gateways_installing-ibm-cloud-restricted[Allowing endpoint gateway traffic].
+* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
+* You configured the `ccoctl` utility before you installed the cluster. For more information, see xref:../../installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc#configuring-iam-ibm-cloud[Configuring IAM for IBM Cloud VPC].
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin]
+* xref:../../installing/installing_ibm_cloud_public/installation-config-parameters-ibm-cloud-vpc.adoc#installation-configuration-parameters-additional-ibm-cloud_installation-config-parameters-ibm-cloud-vpc[Additional IBM Cloud configuration parameters]
+
+include::modules/installation-custom-ibm-cloud-vpc.adoc[leveloffset=+1]
+include::modules/installation-ibm-cloud-configure-vpc-for-endpoint-gateways.adoc[leveloffset=+2]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-ibm-cloud-export-variables.adoc[leveloffset=+1]
+
+include::modules/installation-ibm-cloud-download-rhcos.adoc[leveloffset=+1]
+
+include::modules/installation-initializing-manual.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../installing/installing_ibm_cloud_public/installation-config-parameters-ibm-cloud-vpc.adoc#installation-config-parameters-ibm-cloud-vpc[Installation configuration parameters for {ibm-cloud-name}]
+
+include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]
+include::modules/installation-ibm-cloud-config-yaml.adoc[leveloffset=+2]
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/manually-create-iam-ibm-cloud.adoc[leveloffset=+1]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_installing-ibm-cloud-restricted-console"]
+.Additional resources
+* xref:../../web_console/web-console.adoc#web-console[Accessing the web console]
+
+== Post installation
+Complete the following steps to complete the configuration of your cluster.
+
+include::modules/olm-restricted-networks-configuring-operatorhub.adoc[leveloffset=+2]
+include::modules/oc-mirror-updating-restricted-cluster-manifests.adoc[leveloffset=+2]
+
+include::modules/cluster-telemetry.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_installing-ibm-cloud-restricted-telemetry"]
+.Additional resources
+* xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
+
+[id="next-steps_installing-ibm-cloud-restricted"]
+== Next steps
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* Optional: xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opt out of remote health reporting].

installing/installing_ibm_cloud_public/preparing-to-install-on-ibm-cloud.adoc

@@ -42,6 +42,8 @@ You can install a cluster on {ibm-cloud-name} infrastructure that is provisioned
 
 * **xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc#installing-ibm-cloud-private[Installing a private cluster on an existing VPC]**: You can install a private cluster on an existing Virtual Private Cloud (VPC). You can use this method to deploy {product-title} on an internal network that is not visible to the internet.
 
+* **xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc#installing-ibm-cloud-restricted[Installing a cluster on IBM Cloud VPC in a restricted network]**: You can install {product-title} on IBM Cloud VPC on installer-provisioned infrastructure by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components.
+
 [id="next-steps_preparing-to-install-on-ibm-cloud"]
 == Next steps
 * xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc#installing-ibm-cloud-account[Configuring an {ibm-cloud-name} account]

modules/cli-installing-cli.adoc

@@ -33,6 +33,7 @@
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
 // * installing/install_config/installing-restricted-networks-preparations.adoc
 // * installing/installing_ibm_z/installing-ibm-z.adoc
 // * openshift_images/samples-operator-alt-registry.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -37,6 +37,7 @@
 // * installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc
 // * installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc
 // * installing/installing_ibm_powervs/installing-ibm-powervs-vpc.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
 // * installing/installing_aws/installing-restricted-networks-aws.adoc

modules/cluster-entitlements.adoc

@@ -17,6 +17,7 @@
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
 // * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
 // * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
 // * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
@@ -107,6 +108,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-ibm-cloud-restricted"]
+:restricted:
+endif::[]
 
 :_mod-docs-content-type: CONCEPT
 [id="cluster-entitlements_{context}"]
@@ -178,3 +182,6 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
 :!restricted:
 endif::[]
+ifeval::["{context}" == "installing-ibm-cloud-restricted"]
+:!restricted:
+endif::[]

modules/cluster-telemetry.adoc

@@ -56,6 +56,7 @@
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-vpc.adoc
 // * installing/installing_ibm_cloud_public/installing-ibm-cloud-private.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-restricted.adoc
 // * installing/installing_ibm_power/installing-ibm-power.adoc
 // * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
 // * installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc