Merge pull request #32944 from johnwilkins/TELCODOCS-204

Author: adellape

installing/installing_bare_metal_ipi/ipi-install-configuration-files.adoc

@@ -16,6 +16,10 @@ ifeval::[{product-version} >= 4.6]
 include::modules/ipi-install-modifying-install-config-for-no-provisioning-network.adoc[leveloffset=+1]
 endif::[]
 
+ifeval::[{product-version} > 4.7]
+include::modules/ipi-install-configuring-managed-secure-boot-in-the-install-config-file.adoc[leveloffset=+1]
+endif::[]
+
 include::modules/ipi-install-additional-install-config-parameters.adoc[leveloffset=+1]
 
 include::modules/ipi-install-bmc-addressing.adoc[leveloffset=+1]

modules/ipi-install-additional-install-config-parameters.adoc

@@ -17,6 +17,10 @@ and the `bmc` parameter for the `install-config.yaml` file.
 |
 | The domain name for the cluster. For example, `example.com`.
 
+| [[bootmode]] `bootMode`
+| `UEFI`
+| The boot mode for a node. Options are `legacy`, `UEFI`, and `UEFISecureBoot`. If `bootMode` is not set, Ironic sets it while inspecting the node.
+
 | [[sshkey]] `sshKey`
 |
 | The `sshKey` configuration setting contains the key in the `~/.ssh/id_rsa.pub` file required to access the control plane nodes and worker nodes. Typically, this key is from the `provisioner` node.
@@ -85,11 +89,9 @@ controlPlane:
 |Replicas sets the number of control plane (master) nodes included as part of the {product-title} cluster.
 
 ifeval::[{product-version} >= 4.4]
-ifeval::[{product-version} <= 4.6]
 a| [[provisioningNetworkInterface]]`provisioningNetworkInterface` |  | The name of the network interface on control plane nodes connected to the
 provisioning network.
 endif::[]
-endif::[]
 
 
 | `defaultMachinePlatform` | | The default configuration used for machine pools without a platform configuration.
@@ -185,9 +187,9 @@ endif::[]
 |
 | Set this parameter to `Disabled` to disable the requirement for a `provisioning` network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC's must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services.
 ifeval::[{product-version} >= 4.6]
-Set this parameter to `managed`, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.
+Set this parameter to `Managed`, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.
 
-Set this parameter to `unmanaged` to still enable the provisioning network but take care of manual configuration of DHCP. Virtual Media provisioning is recommended but PXE is still available if required.
+Set this parameter to `Unmanaged` to still enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.
 endif::[]
 
 ifeval::[{product-version} == 4.6]

modules/ipi-install-configuring-managed-secure-boot-in-the-install-config-file.adoc

@@ -0,0 +1,31 @@
+// This is included in the following assemblies:
+//
+// installing/installing_bare_metal_ipi/ipi-install-configuration-files.adoc
+[id="configuring-managed-secure-boot-in-the-install-config-file_{context}"]
+
+= Configuring managed Secure Boot in the `install-config.yaml` file (optional)
+
+To enable managed Secure Boot, add the `bootMode` configuration setting to each node:
+
+[source,yaml]
+.Example
+----
+hosts:
+  - name: openshift-master-0
+    role: master
+    bmc:
+      address: ipmi://<out-of-band-ip>
+      username: <user>
+      password: <password>
+    bootMACAddress: <NIC1-mac-address>
+    rootDeviceHints:
+     deviceName: "/dev/sda"
+    bootMode: UEFISecureBoot <1>
+----
+
+<1> The `bootMode` setting is `UEFI` by default. Change it to `UEFISecureBoot` to enable managed Secure Boot.
+
+[NOTE]
+====
+See "Configuring nodes" in the "Prerequisites" to ensure the nodes can support managed Secure Boot. If the nodes do not support managed Secure Boot, see "Configuring nodes for Secure Boot manually" in the "Configuring nodes" section. Configuring Secure Boot manually requires Redfish virtual media.
+====

modules/ipi-install-configuring-nodes.adoc

@@ -27,6 +27,7 @@ NIC1 is a non-routable network (`provisioning`) that is only used for the instal
 ifndef::openshift-origin[The {op-system-base-full} 8.x installation process on the provisioner node might vary. To install {op-system-base-full} 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.]
 ifdef::openshift-origin[The {op-system-first} installation process on the provisioner node might vary. To install {op-system} using a local Satellite server or a PXE server, PXE-enable NIC2.]
 
+
 |===
 |PXE |Boot order
 | NIC1 PXE-enabled `provisioning` network | 1
@@ -61,16 +62,22 @@ NICx is a routable network (`baremetal`) that is used for the installation of th
 endif::[]
 
 ifeval::[{product-version} > 4.6]
-.Configuring nodes for Secure Boot
+[id="configuring-nodes-for-secure-boot_{context}"]
+.Configuring nodes for Secure Boot manually
+
+Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications, and the operating system.
 
-Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications and the operating system. Red Hat only supports Secure Boot when deploying with RedFish Virtual Media.
+[NOTE]
+====
+Red Hat only supports manually configured Secure Boot when deploying with Redfish virtual media.
+====
 
-To enable Secure Boot, refer to the hardware guide for the node. To enable Secure Boot, execute the following:
+To enable Secure Boot manually, refer to the hardware guide for the node and execute the following:
 
 . Boot the node and enter the BIOS menu.
 . Set the node's boot mode to UEFI Enabled.
 . Enable Secure Boot.
-+
+
 [IMPORTANT]
 ====
 Red Hat does not support Secure Boot with self-generated keys.

modules/ipi-install-configuring-the-install-config-file.adoc

@@ -42,39 +42,42 @@ platform:
           username: <user>
           password: <password>
         bootMACAddress: <NIC1-mac-address>
-        hardwareProfile: default
+        rootDeviceHints:
+         deviceName: "/dev/sda"
       - name: <openshift-master-1>
         role: master
         bmc:
           address: ipmi://<out-of-band-ip> <2>
           username: <user>
           password: <password>
         bootMACAddress: <NIC1-mac-address>
-        hardwareProfile: default
+        rootDeviceHints:
+         deviceName: "/dev/sda"
       - name: <openshift-master-2>
         role: master
         bmc:
           address: ipmi://<out-of-band-ip> <2>
           username: <user>
           password: <password>
         bootMACAddress: <NIC1-mac-address>
-        hardwareProfile: default
+        rootDeviceHints:
+         deviceName: "/dev/sda"
       - name: <openshift-worker-0>
         role: worker
         bmc:
           address: ipmi://<out-of-band-ip> <2>
           username: <user>
           password: <password>
         bootMACAddress: <NIC1-mac-address>
-        hardwareProfile: unknown
       - name: <openshift-worker-1>
         role: worker
         bmc:
           address: ipmi://<out-of-band-ip>
           username: <user>
           password: <password>
         bootMACAddress: <NIC1-mac-address>
-        hardwareProfile: unknown
+        rootDeviceHints:
+         deviceName: "/dev/sda"
 pullSecret: '<pull_secret>'
 sshKey: '<ssh_pub_key>'
 ----

modules/ipi-install-node-requirements.adoc

@@ -8,39 +8,52 @@
 
 Installer-provisioned installation involves a number of hardware node requirements:
 
-- **CPU architecture:** All nodes must use `x86_64` CPU architecture.
+- *CPU architecture:* All nodes must use `x86_64` CPU architecture.
 
-- **Similar nodes:** Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.
+- *Similar nodes:* Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory, and storage configuration.
 
 ifeval::[{product-version} < 4.5]
-- **Intelligent Platform Management Interface (IPMI):** Installer-provisioned installation requires IPMI enabled on each node.
+- *Intelligent Platform Management Interface (IPMI):* Installer-provisioned installation requires IPMI enabled on each node.
 endif::[]
 
 ifeval::[{product-version} > 4.4]
-- **Baseboard Management Controller:** The `provisioner` node must be able to access the baseboard management controller (BMC) of each {product-title} cluster node. You may use IPMI, RedFish, or a proprietary protocol.
+- *Baseboard Management Controller:* The `provisioner` node must be able to access the baseboard management controller (BMC) of each {product-title} cluster node. You may use IPMI, Redfish, or a proprietary protocol.
 endif::[]
 
 ifndef::openshift-origin[]
-- **Latest generation:** Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, {op-system-base} 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support {op-system-base} 8 for the `provisioner` node and {op-system} 8 for the control plane and worker nodes.
+- *Latest generation:* Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, {op-system-base} 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support {op-system-base} 8 for the `provisioner` node and {op-system} 8 for the control plane and worker nodes.
 endif::[]
 ifdef::openshift-origin[]
-- **Latest generation:** Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, {op-system-first} ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support {op-system} for the `provisioner` node and {op-system} for the control plane and worker nodes.
+- *Latest generation:* Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, {op-system-first} ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support {op-system} for the `provisioner` node and {op-system} for the control plane and worker nodes.
 endif::[]
 
-- **Registry node:** Optional: If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.
+- *Registry node:* (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.
 
-- **Provisioner node:** Installer-provisioned installation requires one `provisioner` node.
+- *Provisioner node:* Installer-provisioned installation requires one `provisioner` node.
 
-- **Control plane:** Installer-provisioned installation requires three control plane nodes for high availability.
+- *Control plane:* Installer-provisioned installation requires three control plane nodes for high availability.
 
-- **Worker nodes:** While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.
+- *Worker nodes:* While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.
 
-- **Network interfaces:** Each node must have at least one 10GB network interface for the routable `baremetal` network. Each node must have one 10GB network interface for a `provisioning` network *when using the `provisioning` network* for deployment. Using the `provisioning` network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as `eth0` or `eno1`, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.
+- *Network interfaces:* Each node must have at least one 10GB network interface for the routable `baremetal` network. Each node must have one 10GB network interface for a `provisioning` network *when using the `provisioning` network* for deployment. Using the `provisioning` network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as `eth0` or `eno1`, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.
 
 ifeval::[{product-version} > 4.3]
-- **Unified Extensible Firmware Interface (UEFI):** Installer-provisioned installation requires UEFI boot on all {product-title} nodes when using IPv6 addressing on the `provisioning` network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the `provisioning` network NIC, but *omitting the `provisioning` network removes this requirement.*
+- *Unified Extensible Firmware Interface (UEFI):* Installer-provisioned installation requires UEFI boot on all {product-title} nodes when using IPv6 addressing on the `provisioning` network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the `provisioning` network NIC, but omitting the `provisioning` network removes this requirement.
 endif::[]
 
-ifeval::[{product-version} > 4.6]
-- **Secure Boot:** Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications and the operating system. To deploy a {product-title} cluster with Secure Boot, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot **only** when installer-provisioned installation uses Red Fish Virtual Media. Red Hat **does not** support Secure Boot with self-generated keys.
+ifeval::[{product-version} == 4.7]
+- *Secure Boot:* Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications, and the operating system. To deploy an {product-title} cluster with Secure Boot, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot only when installer-provisioned installations use Red Fish Virtual Media. Red Hat does not support Secure Boot with self-generated keys.
+endif::[]
+
+ifeval::[{product-version} > 4.7]
+- *Secure Boot:* Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications, and the operating system. You may deploy with Secure Boot manually or managed.
++
+. *Manually:* To deploy an {product-title} cluster with Secure Boot manually, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot with manually enabled UEFI and Secure Boot only when installer-provisioned installations use Redfish virtual media. See "Configuring nodes for Secure Boot manually" in the "Configuring nodes" section for additional details.
++
+. *Managed:* To deploy an {product-title} cluster with managed Secure Boot, you must set the `bootMode` value to `UEFISecureBoot` in the `install-config.yaml` file. Red Hat only supports installer-provisioned installation with managed Secure Boot on 10th generation HPE hardware and 13th generation Dell hardware running firmware version `2.75.75.75` or greater. Deploying with managed Secure Boot does not require Redfish virtual media. See "Configuring managed Secure Boot" in the "Setting up the environment for an OpenShift installation" section for details.
++
+[NOTE]
+====
+Red Hat does not support Secure Boot with self-generated keys.
+====
 endif::[]