OSDOCS#4348: Installing an IBM Cloud VPC cluster in restricted env

[mjpytlak]

Version(s):
4.15+

Issue:
This issue addresses osdocs-4348.

Link to docs preview:
Installing a cluster on IBM Cloud VPC in a restricted network

A significant amount of the content in this topic is reused from existing approved IBM Cloud VPC doc. The following preview links are for areas where notable new content was added in support of a restricted installation:

• Supported installation methods for different platforms (Updated support matrix to include a restricted installation)
• Prerequisites (updated to list using oc-mirror to mirror install media as a prereq)
• Required internet access and an installation host
• Access to IBM service endpoints
• Allowing endpoint gateway traffic
• Downloading the RHCOS cluster image
• Manually creating the installation configuration file
• Sample customized install-config.yaml file for IBM Cloud VPC (added private endpoints as 9th annotation)
• Disabling the default OperatorHub catalog sources
• Installing the policy resources into the cluster
• Additional IBM Cloud configuration parameters (added serviceEndpoints)

QE review:

• QE has approved this change.

[openshift-ci-robot]

@mjpytlak: This pull request references OSDOCS-4348 which is a valid jira issue.

In response to this:

Version(s):
4.13+

Issue:
This issue addresses osdocs-4348.

Link to docs preview:

QE review:

• QE has approved this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@mjpytlak: This pull request references OSDOCS-4348 which is a valid jira issue.

In response to this:

Version(s):
4.13+

Issue:
This issue addresses osdocs-4348.

Link to docs preview:

QE review:

• QE has approved this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ocpdocs-previewbot]

🤖 Mon Feb 05 21:08:48 - Prow CI generated the docs preview: https://55526--ocpdocs-pr.netlify.app

[openshift-ci-robot]

@mjpytlak: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

In response to this:

Version(s):
4.13+

Issue:
This issue addresses osdocs-4348.

Link to docs preview:

QE review:

• QE has approved this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mjpytlak]

@MayXuQQ @jeffnowicki Ready for SME and QE review. PTAL. Thanks in advance.

[MayXuQQ]

@mjpytlak now the test blocked by OCPBUGS-2363

[kalexand-rh]

The branch/enterprise-4.14 label has been added to this PR.

This is because your PR targets the main branch and is labeled for enterprise-4.13. And any PR going into main must also target the latest version branch (enterprise-4.14).

If the update in your PR does NOT apply to version 4.14 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[kalexand-rh]

/remove-lifecycle stale

[jeffnowicki]

most looks good, the only comment is about the available region to run the restricted installation on IBMCloud, which is mentioned in #55526 (comment)

For now, per my testing, only us-east region supports the VPE for all the listed private endpoints.

serviceEndpoints:
  - name: IAM
    url: <iam_private_endpoint_url>
  - name: VPC
    url: <vpc_private_endpoint_url>
  - name: ResourceController
    url: <resource_controller_private_endpoint_url>
  - name: ResourceManager
    url: <resource_manager_private_endpoint_url>
  - name: DNSServices
    url: <dns_services_private_endpoint_url>
  - name: COS
    url: <cos_private_endpoint_url>
  - name: GlobalSearch
    url: <global_search_private_endpoint_url>
  - name: GlobalTagging
    url: <global_tagging_private_endpoint_url>

So I suggest to add a NOTE for that, e.g: https://github.com/openshift/openshift-docs/pull/55526/files#diff-f4e400c4dd55ea0769811aa54453b3a4393d1db5fe828272f880b574bceb69caR385 or some other place.

@jianlinliu IBM Cloud private service endpoints (regardless of region) resolve to the same private internal network. So regardless of region you are deploying your cluster, you can pick any available private service endpoint. Selecting one in same (if available) or nearest geographic location would be preferable to minimize network latency. I'm uncertain at the moment, why your test failed.

[jeffnowicki]

@cjschaef and I will re-evaluate services and their private service endpoints and whether there are some that have region-based restrictions.

[jianlinliu]

regardless of region you are deploying your cluster, you can pick any available private service endpoint. Selecting one in
same (if available) or nearest geographic location would be preferable to minimize network latency. I'm uncertain at the > moment, why your test failed.

@jeffnowicki @mjpytlak I think VPEs are supposed to be not regionally bound, but sounds there is some limit from IBMCloud provider. Let me take an example to make it be clear.

Assuming a user is installing a disconnected cluster in eu-gb region following the guide, the user need to override ResourceController endpoint to use a private url - https://private.resource-controller.cloud.ibm.com/, right? If true, how can I create the VPE (I did not see the service-controller service is listed on https://cloud.ibm.com/vpc-ext/provision/endpointGateway when eu-gb region is selected)?

[mjpytlak]

@jianlinliu - @jeffnowicki and I had a chance to connect on our guidance around service endpoints. And after he and Chris discussed it more, Jeff requested that the latest updates be made. You can find them here [1]

[1] 3c01958

[jeffnowicki]

@jianlinliu IBM Cloud is migrating off of "Cloud (aka classic) Service Endpoints" to "Virtual Private Endpoints". While CSE private endpoints are not necessarily regionally bound, VPE private endpoints are. With that being the case, a disconnected/restricted network installation will be constrained to those those regions that have VPE enablement for all required services. The current enabled regions are noted in the doc update @mjpytlak made. Over time, more regions will be enabled.

[jianlinliu]

@mjpytlak @jeffnowicki can you confirm eu-de region here? When I am installing a disconnected cluster in eu-de region, then overriding ResourceController serviceEndpoints to https://private.resource-controller.cloud.ibm.com/, but I did not find a endpoint gateway targeted to ``private.resource-controller.cloud.ibm.comin the output ofibmcloud is endpoint-gateway-targets --output JSON` against `eu-de` region.

[jeffnowicki]

can you confirm eu-de region here? When I am installing a disconnected cluster in eu-de region, then overriding ResourceController serviceEndpoints to https://private.resource-controller.cloud.ibm.com/, but I did not find a endpoint gateway targeted to ``private.resource-controller.cloud.ibm.com in the output ofibmcloud is endpoint-gateway-targets --output JSON` against `eu-de` region.

@jianlinliu you are correct, I confirmed that is the one service in eu-de that's missing a private endpoint and would be needed for a "fully disconnected" cluster installation.

@mjpytlak - please remove mention of eu-de from that section of the docs.

fyi @cjschaef

[mjpytlak]

please remove mention of eu-de from that section of the docs.

Removed. Thank you.

[jeffnowicki]

Followup approval and based on recent changes due to service endpoint (private) restrictions across regions.

• lgtm
• ibm-approved

[jianlinliu]

/lgtm

[bscott-rh]

Left a few nits and suggestions, otherwise LGTM.

/remove-label peer-review-in-progress
/remove-label peer-review-needed
/label peer-review-done

[bscott-rh]

Suggested change

	ifeval::["{context}" == "installing-ibm-cloud-restricted"]
	:ibm-cloud:
	endif::[]
	ifeval::["{context}" == "installing-ibm-cloud-restricted"]
	:ibm-cloud:
	:ipi:
	endif::[]

Can remove lines 47-49 by putting both conditions in this ifeval

[mjpytlak]

Agreed good catch.

[bscott-rh]

Suggested change

	* Download the installation program, the the OpenShift CLI (`oc`), and the CCO utility (`ccoctl`).
	* Download the installation program, the OpenShift CLI (`oc`), and the CCO utility (`ccoctl`).

[mjpytlak]

Per the usual, eagle eye.

[bscott-rh]

Suggested change

	If you are specifying an {ibm-name} Key Protect for {ibm-cloud-name} root key as part of the installation process, the service endpoint for Key Protect is also a required.
	If you are specifying an {ibm-name} Key Protect for {ibm-cloud-name} root key as part of the installation process, the service endpoint for Key Protect is also required.

[bscott-rh]

Do we need to explain how/where to find docs on how to override the default behavior?

[mjpytlak]

Not sure I follow. The very next paragraph states that you update install-config.yaml with the URI of an alternate service endpoint.

[bscott-rh]

You're right! I left this review comment before I got to the next section

[bscott-rh]

Suggested change

	ifeval::["{context}" == "installing-ibm-cloud-restricted"]
	:!ibm-cloud:
	endif::[]
	ifeval::["{context}" == "installing-ibm-cloud-restricted"]
	:!ibm-cloud:
	:!ipi:
	endif::[]

Can combine these conditionals and remove lines 169-171.

[bscott-rh]

Suggested change

	* You have installed the {ibm-cloud-name} Command Line Interface (`ibmcloud`).
	* You have installed the {ibm-cloud-name} Command Line Interface utility (`ibmcloud`).

I'm not sure if this is new content in this PR or reused from other areas.

[mjpytlak]

Net new. I updated it. Thanks.

[bscott-rh]

Suggested change

	The installation program requires the {op-system-first} image to install the cluster. While optional, downloading the {op-system-first} before deploying, removes the need for internet access when creating the cluster.
	The installation program requires the {op-system-first} image to install the cluster. While optional, downloading the {op-system-first} before deploying removes the need for internet access when creating the cluster.

[bscott-rh]

Suggested change

	If you choose to leave the default value of `External`, your network must be able to access the public endpoint for {ibm-cloud-name} Internet Services (CIS). CIS is not enabled for Virtual Private Endpoints.
	If you use the default value of `External`, your network must be able to access the public endpoint for {ibm-cloud-name} Internet Services (CIS). CIS is not enabled for Virtual Private Endpoints.

minimalism nit

[bscott-rh]

Suggested change

	.. Define the network and subnets for the VPC to install the cluster in under the parent `platform.ibmcloud` field:
	.. Define the VPC network and subnets for the cluster to use under the parent `platform.ibmcloud` field:

Tried rewording this because "in under" felt awkward.

[mjpytlak]

Yeah. This is language that is used for every restricted installation assembly. I agree it reads a little awkward, but I am not sure if your suggestion changes the technical accuracy. I am inclined to leave this one alone.

[bscott-rh]

Suggested change

	If you choose to leave the default value of `External`, your network must be able to access the public endpoint for {ibm-cloud-name} Internet Services (CIS). CIS is not enabled for Virtual Private Endpoints.
	If you use the default value of `External`, your network must be able to access the public endpoint for {ibm-cloud-name} Internet Services (CIS). CIS is not enabled for Virtual Private Endpoints.

minimalism nit

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@mjpytlak: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[mjpytlak]

/cherrypick enterprise-4.15

[openshift-cherrypick-robot]

@mjpytlak: new pull request created: #71227

In response to this:

/cherrypick enterprise-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.