Merge pull request #69024 from stevsmit/OSDOCS-8925

Adds procedures for configuring private storage endpoints with Azure

Author: stevsmit

modules/configuring-private-storage-endpoint-azure-user-provided-vnet-subnet.adoc

@@ -0,0 +1,117 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/configuring-private-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-private-storage-endpoint-azure-user-provided-vnet-subnet_{context}"]
+= Configuring a private storage endpoint on Azure with user-provided VNet and subnet names
+
+Use the following procedure to configure a storage account that has public network access disabled and is exposed behind a private storage endpoint on Azure.
+
+.Prerequisites
+
+* You have configured the image registry to run on Azure.
+* You must know the VNet and subnet names used for your Azure environment.
+* If your network was configured in a separate resource group in Azure, you must also know its name.
+
+.Procedure 
+
+. Edit the Image Registry Operator `config` object and configure the private endpoint using your VNet and subnet names:
++
+[source,terminal]
+----
+$ oc edit configs.imageregistry/cluster
+----
++
+[source,terminal]
+----
+# ...
+spec:
+  # ...
+   storage:
+      azure:
+        # ...
+        networkAccess:
+          type: Internal
+          internal:
+            subnetName: <subnet_name>
+            vnetName: <vnet_name>
+            networkResourceGroupName: <network_resource_group_name>
+# ...
+----
+
+. Optional: Enter the following command to confirm that the Operator has completed provisioning. This might take a few minutes. 
++
+[source,terminal]
+----
+$ oc get configs.imageregistry/cluster -o=jsonpath="{.spec.storage.azure.privateEndpointName}" -w
+----
++
+[NOTE]
+====
+When redirect is enabled, pulling images from outside of the cluster will not work.
+====
+
+.Verification
+
+. Fetch the registry service name by running the following command:
++
+[source,terminal]
+----
+$ oc registry info --internal=true
+----
++
+.Example output
++
+[source,terminal]
+----
+image-registry.openshift-image-registry.svc:5000
+----
+
+. Enter debug mode by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+. Run the suggested `chroot` command. For example:
++
+[source,terminal]
+----
+$ chroot /host
+----
+
+. Enter the following command to log in to your container registry:
++
+[source,terminal]
+----
+$ podman login --tls-verify=false -u unused -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
+----
++
+.Example output
++
+[source,terminal]
+----
+Login Succeeded!
+----
+
+. Enter the following command to verify that you can pull an image from the registry:
++
+[source,terminal]
+----
+$ podman pull --tls-verify=false image-registry.openshift-image-registry.svc:5000/openshift/tools
+----
++
+.Example output
++
+[source,terminal]
+----
+Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/tools/openshift/tools...
+Getting image source signatures
+Copying blob 6b245f040973 done
+Copying config 22667f5368 done
+Writing manifest to image destination
+Storing signatures
+22667f53682a2920948d19c7133ab1c9c3f745805c14125859d20cede07f11f9
+----

modules/configuring-private-storage-endpoint-azure-vnet-subnet-iro-discovery.adoc

@@ -0,0 +1,121 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/configuring-private-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-private-storage-endpoint-azure-vnet-subnet-iro-discovery_{context}"]
+= Configuring a private storage endpoint on Azure by enabling the Image Registry Operator to discover VNet and subnet names
+
+The following procedure shows you how to set up a private storage endpoint on Azure by configuring the Image Registry Operator to discover VNet and subnet names.
+
+.Prerequisites 
+
+* You have configured the image registry to run on Azure.
+* Your network has been set up using the Installer Provisioned Infrastructure installation method. 
++
+For users with a custom network setup, see "Configuring a private storage endpoint on Azure with user-provided VNet and subnet names". 
+
+.Procedure 
+
+. Edit the Image Registry Operator `config` object and set `networkAccess.type` to `Internal`:
++
+[source,terminal]
+----
+$ oc edit configs.imageregistry/cluster
+----
++
+[source,terminal]
+----
+# ...
+spec:
+  # ...
+   storage:
+      azure:
+        # ...
+        networkAccess:
+          type: Internal
+# ...
+----
+
+. Optional: Enter the following command to confirm that the Operator has completed provisioning. This might take a few minutes. 
++
+[source,terminal]
+----
+$ oc get configs.imageregistry/cluster -o=jsonpath="{.spec.storage.azure.privateEndpointName}" -w
+----
+
+. Optional: If the registry is exposed by a route, and you are configuring your storage account to be private, you must disable redirect if you want pulls external to the cluster to continue to work. Enter the following command to disable redirect on the Image Operator configuration:
++
+[source,terminal]
+----
+$ oc patch configs.imageregistry cluster --type=merge -p '{"spec":{"disableRedirect": true}}'
+----
++
+[NOTE]
+====
+When redirect is enabled,  pulling images from outside of the cluster will not work.
+====
+
+.Verification
+
+. Fetch the registry service name by running the following command:
++
+[source,terminal]
+----
+$ oc registry info --internal=true
+----
++
+.Example output
++
+[source,terminal]
+----
+image-registry.openshift-image-registry.svc:5000
+----
+
+. Enter debug mode by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+. Run the suggested `chroot` command. For example:
++
+[source,terminal]
+----
+$ chroot /host
+----
+
+. Enter the following command to log in to your container registry:
++
+[source,terminal]
+----
+$ podman login --tls-verify=false -u unused -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
+----
++
+.Example output
++
+[source,terminal]
+----
+Login Succeeded!
+----
+
+. Enter the following command to verify that you can pull an image from the registry:
++
+[source,terminal]
+----
+$ podman pull --tls-verify=false image-registry.openshift-image-registry.svc:5000/openshift/tools
+----
++
+.Example output
++
+[source,terminal]
+----
+Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/tools/openshift/tools...
+Getting image source signatures
+Copying blob 6b245f040973 done
+Copying config 22667f5368 done
+Writing manifest to image destination
+Storing signatures
+22667f53682a2920948d19c7133ab1c9c3f745805c14125859d20cede07f11f9
+----

modules/disabling-redirect-private-storage-endpoint-azure.adoc

@@ -0,0 +1,79 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/configuring-private-cluster.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="disabling-redirect-private-storage-endpoint-azure_{context}"]
+= Optional: Disabling redirect when using a private storage endpoint on Azure
+
+By default, redirect is enabled when using the image registry. Redirect allows off-loading of traffic from the registry pods into the object storage, which makes pull faster. When redirect is enabled and the storage account is private, users from outside of the cluster are unable to pull images from the registry. 
+
+In some cases, users might want to disable redirect so that users from outside of the cluster can pull images from the registry. 
+
+Use the following procedure to disable redirect.
+
+.Prerequisites
+
+* You have configured the image registry to run on Azure.
+* You have configured a route.
+
+.Procedure
+
+* Enter the following command to disable redirect on the image 
+registry configuration:
++
+[source,terminal]
+----
+$ oc patch configs.imageregistry cluster --type=merge -p '{"spec":{"disableRedirect": true}}'
+----
+
+.Verification
+
+. Fetch the registry service name by running the following command:
++
+[source,terminal]
+----
+$ oc registry info
+----
++
+.Example output
++
+[source,terminal]
+----
+default-route-openshift-image-registry.<cluster_dns>
+----
+
+. Enter the following command to log in to your container registry:
++
+[source,terminal]
+----
+$ podman login --tls-verify=false -u unused -p $(oc whoami -t) default-route-openshift-image-registry.<cluster_dns>
+----
++
+.Example output
++
+[source,terminal]
+----
+Login Succeeded!
+----
+
+. Enter the following command to verify that you can pull an image from the registry:
++
+[source,terminal]
+----
+$ podman pull --tls-verify=false default-route-openshift-image-registry.<cluster_dns>
+/openshift/tools
+----
++
+.Example output
++
+[source,terminal]
+----
+Trying to pull default-route-openshift-image-registry.<cluster_dns>/openshift/tools...
+Getting image source signatures
+Copying blob 6b245f040973 done
+Copying config 22667f5368 done
+Writing manifest to image destination
+Storing signatures
+22667f53682a2920948d19c7133ab1c9c3f745805c14125859d20cede07f11f9
+----

modules/registry-configuring-private-storage-endpoint-azure.adoc

@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * post_installation_configuration/configuring-private-cluster.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="registry-configuring-private-storage-endpoint-azure_{context}"]
+= Configuring a private storage endpoint on Azure
+
+You can leverage the Image Registry Operator to use private endpoints on Azure, which enables seamless configuration of private storage accounts when {product-title} is deployed on private Azure clusters. This allows you to deploy the image registry without exposing public-facing storage endpoints.
+
+You can configure the Image Registry Operator to use private storage endpoints on Azure in one of two ways:
+
+* By configuring the Image Registry Operator to discover the VNet and subnet names
+
+* With user-provided Azure Virtual Network (VNet) and subnet names
+
+[id="limitations-configuring-private-storage-endpoint-azure"]
+== Limitations for configuring a private storage endpoint on Azure 
+
+The following limitations apply when configuring a private storage endpoint on Azure:
+
+* When configuring the Image Registry Operator to use a private storage endpoint, public network access to the storage account is disabled. Consequently, pulling images from the registry outside of {product-title} only works by setting `disableRedirect: true` in the registry Operator configuration. With redirect enabled, the registry redirects the client to pull images directly from the storage account, which will no longer work due to disabled public network access. For more information, see "Disabling redirect when using a private storage endpoint on Azure".
+
+* This operation cannot be undone by the Image Registry Operator.

post_installation_configuration/configuring-private-cluster.adoc

@@ -17,3 +17,11 @@ include::modules/private-clusters-setting-ingress-private.adoc[leveloffset=+1]
 include::modules/private-clusters-setting-api-private.adoc[leveloffset=+1]
 
 include::modules/nw-ingresscontroller-change-internal.adoc[leveloffset=+2]
+
+include::modules/registry-configuring-private-storage-endpoint-azure.adoc[leveloffset=+1]
+
+include::modules/configuring-private-storage-endpoint-azure-vnet-subnet-iro-discovery.adoc[leveloffset=+2]
+
+include::modules/configuring-private-storage-endpoint-azure-user-provided-vnet-subnet.adoc[leveloffset=+2]
+
+include::modules/disabling-redirect-private-storage-endpoint-azure.adoc[leveloffset=+2]