Merge pull request #68003 from mletalie/OSDOCS-8739

bmcelvee · web-flow · commit 28775946a281 · 2023-11-29T11:31:54.000-05:00
[OSDOCS- 8739]/[OSDOCS-7754] Updating "Creating a cluster on GCP with CCS" and "Creating a cluster on GCP with Google Cloud Marketplace" Docs
diff --git a/modules/deleting-cluster.adoc b/modules/deleting-cluster.adoc
@@ -22,5 +22,5 @@ You can delete your {product-title} cluster in {cluster-manager-first}.
 +
 [NOTE]
 ====
-If you delete a cluster that was installed into a GCP Shared VPC, inform the Shared VPC Admin of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.
+If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.
 ====
diff --git a/modules/osd-create-cluster-ccs.adoc b/modules/osd-create-cluster-ccs.adoc
@@ -135,19 +135,40 @@ endif::osd-on-gcp[]
 .. Select a cloud provider region from the *Region* drop-down menu.
 .. Select a *Single zone* or *Multi-zone* configuration.
 .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
+ifdef::osd-on-gcp[]
+. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
+
+.. Select *Use Custom KMS keys* to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting *Use default KMS Keys*.
++
+[IMPORTANT]
+====
+To use custom KMS keys, the IAM service account `osd-ccs-admin` must be granted the *Cloud KMS CryptoKey Encrypter/Decrypter* role. For more information about granting roles on a resource, see link:https://cloud.google.com/kms/docs/iam#granting_roles_on_a_resource[Granting roles on a resource].
+====
++
+With *Use Custom KMS keys* selected:
+
+... Select a key ring location from the *Key ring location* drop-down menu.
+... Select a key ring from the *Key ring* drop-down menu.
+... Select a key name from the *Key name* drop-down menu.
+... Provide the *KMS Service Account*.
++
+endif::osd-on-gcp[]
 .. Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
 +
 [NOTE]
 ====
 By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
 ====
-.. Optional: Select *Encrypt persistent volumes with customer keys* if you want to provide your own
-ifdef::osd-on-aws[]
-AWS Key Management Service (KMS) key Amazon Resource Name (ARN).
-endif::osd-on-aws[]
++
 ifdef::osd-on-gcp[]
-encryption keys through the Google Cloud Key Management Service.
+.. Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
 endif::osd-on-gcp[]
+ifdef::osd-on-aws[]
+.. Optional: Select *Encrypt persistent volumes with customer keys* if you want to provide your own
+AWS Key Management Service (KMS) key Amazon Resource Name (ARN).
+// ifdef::osd-on-gcp[]
+// encryption keys through the Google Cloud Key Management Service.
+// endif::osd-on-gcp[]
 The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
 +
 [IMPORTANT]
@@ -156,7 +177,7 @@ Only persistent volumes (PVs) created from the default storage class are encrypt
 
 PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key.
 ====
-
+endif::osd-on-aws[]
 .. Click *Next*.
 
 . On the *Default machine pool* page, select a *Compute node instance type* and a *Compute node count*. The number and types of nodes that are available depend on your {product-title} subscription. If you are using multiple availability zones, the compute node count is per zone.
@@ -221,16 +242,16 @@ ifdef::osd-on-gcp[]
 [IMPORTANT]
 ====
 
-To install a cluster into a Shared VPC, you must use {product-title} version 4.13.15 or above. Additionally, the Shared VPC Admin must enable a project as a host project in their Google Cloud console. For more information, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc[Enable a host project].
+To install a cluster into a Shared VPC, you must use {product-title} version 4.13.15 or above. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc[Enable a host project].
 ====
 
 .. Select *Install into GCP Shared VPC*.
 .. Specify the *Host project ID*. If the specified host project ID is incorrect, cluster creation fails.
 +
 [IMPORTANT]
 ====
-Once you complete the steps within the cluster configuration wizard and click *Create Cluster*, the cluster will go into the "Installation Waiting" state. At this point, you must contact the Shared VPC Admin of the host project, who must assign the dynamically-generated service account the following roles: *Computer Network Administrator*, *Compute Security Administrator*, and *DNS Administrator*.
-The Shared VPC Admin of the host project has 30 days to grant the listed permissions before the cluster creation fails.
+Once you complete the steps within the cluster configuration wizard and click *Create Cluster*, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: *Computer Network Administrator*, *Compute Security Administrator*, and *DNS Administrator*.
+The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails.
 For information about Shared VPC permissions, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#migs-service-accounts[Provision Shared VPC].
 ====
 endif::osd-on-gcp[]
@@ -318,7 +339,7 @@ In the event of critical security concerns that significantly impact the securit
 ifdef::osd-on-gcp[]
 [NOTE]
 ====
-If you delete a cluster that was installed into a GCP Shared VPC, inform the Shared VPC Admin of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.
+If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.
 ====
 endif::osd-on-gcp[]
 
diff --git a/modules/osd-create-cluster-gcp-account.adoc b/modules/osd-create-cluster-gcp-account.adoc
@@ -34,16 +34,36 @@ For more information about service account keys, click the information icon loca
 .. Select a cluster version from the *Version* drop-down menu.
 .. Select a cloud provider region from the *Region* drop-down menu.
 .. Select a *Single zone* or *Multi-zone* configuration.
-.. Select a *Persistent storage* capacity for the cluster. For more information, see the _Storage_ section in the {product-title} service definition.
-.. Specify the number of *Load balancers* that you require for your cluster. For more information, see the _Load balancers_ section in the {product-title} service definition.
 .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
-.. Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
+
+. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
+
+.. Select *Use Custom KMS keys* to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting *Use default KMS Keys*.
++
+[IMPORTANT]
+====
+To use custom KMS keys, the IAM service account `osd-ccs-admin` must be granted the *Cloud KMS CryptoKey Encrypter/Decrypter* role. For more information about granting roles on a resource, see link:https://cloud.google.com/kms/docs/iam#granting_roles_on_a_resource[Granting roles on a resource].
+====
++
+With *Use Custom KMS keys* selected:
+
+... Select a key ring location from the *Key ring location* drop-down menu.
+... Select a key ring from the *Key ring* drop-down menu.
+... Select a key name from the *Key name* drop-down menu.
+... Provide the *KMS Service Account*.
+
++
+.. Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption.
+With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
 +
 [NOTE]
 ====
 By enabling etcd encryption for the key values in etcd, you incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
 ====
-.. Click *Next*.
++
+.. Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
++
+. Click *Next*.
 
 . On the *Machine pool* page, select a *Compute node instance type* and a *Compute node count*. The number and types of nodes that are available depend on your {product-title} subscription. If you are using multiple availability zones, the compute node count is per zone.
 +
@@ -52,12 +72,72 @@ By enabling etcd encryption for the key values in etcd, you incur a performance
 After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a created machine pool. You can add machine pools after installation that use a customized instance type. The number and types of nodes available to you depend on your {product-title} subscription.
 ====
 
-. Optional: Expand *Edit node labels* to add labels to your nodes. Click *Add label* to add more node labels and select *Next*.
+. Optional: Expand *Add node labels* to add labels to your nodes. Click *Add additional label* to add more node labels.
+
+. Click *Next*.
 
 . In the *Cluster privacy* dialog, select *Public* or *Private* to use either public or private API endpoints and application routes for your cluster.
++
+. Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):
+.. Select *Install into an existing VPC*.
+.. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select *Configure a cluster-wide proxy*.
+
++
+. Click *Next*.
++
+
+. Optional: To install the cluster into a GCP Shared VPC:
++
+[IMPORTANT]
+====
 
+To install a cluster into a Shared VPC, you must use {product-title} version 4.13.15 or above. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc[Enable a host project].
+====
+
+.. Select *Install into GCP Shared VPC*.
+.. Specify the *Host project ID*. If the specified host project ID is incorrect, cluster creation fails.
++
+[IMPORTANT]
+====
+Once you complete the steps within the cluster configuration wizard and click *Create Cluster*, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: *Computer Network Administrator*, *Compute Security Administrator*, and *DNS Administrator*.
+The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails.
+For information about Shared VPC permissions, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#migs-service-accounts[Provision Shared VPC].
+====
++
+. If you opted to install the cluster in an existing GCP VPC, provide your *Virtual Private Cloud (VPC) subnet settings* and select *Next*.
+You must have created the Cloud network address translation (NAT) and a Cloud router. See the additional resources for information about Cloud NATs and Google VPCs.
++
+[NOTE]
+====
+You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.
+====
++
+[NOTE]
+====
+If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project.
+====
++
 . Click *Next*.
+. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the *Cluster-wide proxy* page:
++
+--
+.. Enter a value in at least one of the following fields:
+** Specify a valid *HTTP proxy URL*.
+** Specify a valid *HTTPS proxy URL*.
+** In the *Additional trust bundle* field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the {op-system-first} trust bundle.
++
+If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.
++
+[NOTE]
+====
+If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.
+====
+.. Click *Next*.
+--
++
+For more information about configuring a proxy with {product-title}, see _Configuring a cluster-wide proxy_.
 
++
 . In the *CIDR ranges* dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
 +
 [IMPORTANT]

Original file line number	Diff line number	Diff line change
`@@ -22,5 +22,5 @@ You can delete your {product-title} cluster in {cluster-manager-first}.`
`22`	`22`	`+`
`23`	`23`	`[NOTE]`
`24`	`24`	`====`
`25`		`-If you delete a cluster that was installed into a GCP Shared VPC, inform the Shared VPC Admin of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.`
	`25`	`+If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.`
`26`	`26`	`====`