
Commit 55fba43

Merge pull request #69087 from stevsmit/OSDOCS-private-installation-azure
Adds procedure to create private cluster with private image registry
2 parents 42057a1 + 7baabff commit 55fba43

3 files changed: +103 -0 lines changed

installing/installing_azure/installing-azure-private.adoc

Lines changed: 7 additions & 0 deletions
@@ -89,6 +89,13 @@ include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]
8989
// Additional steps for the Cloud Credential Operator utility (`ccoctl`)
9090
include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]
9191

92+
include::modules/installing-private-image-registry-private-azure.adoc[leveloffset=+1]
93+
94+
[role="_additional-resources"]
95+
.Additional resources
96+
97+
* For the list of permissions needed to create a private storage endpoint, see xref:../../installing/installing_azure/installing-azure-account.adoc#minimum-required-permissions-ipi-azure_installing-azure-account[Required Azure permissions for installer-provisioned infrastructure].
98+
9299
include::modules/installation-launching-installer.adoc[leveloffset=+1]
93100

94101
include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
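Review bot: the link text of the new Additional resources entry at line 97, "Required Azure permissions for installer-provisioned infrastructure", does not match the section title that the new module quotes in its prerequisites, "Azure permissions for installer-provisioned infrastructure"; the module uses a quoted title rather than an xref, so the two must agree or a reader following the module's reference will search for a heading that does not exist. Pick one wording and use it in both places. The placement of the include at line 92, ahead of installation-launching-installer.adoc at line 99, is consistent with the module's own Next steps, which send the reader on to "Deploying the cluster".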
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,85 @@
1+
// Module included in the following assemblies:
2+
//
3+
//* registry/configuring_registry_storage-azure.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="installing-private-image-registry-private-azure"]
7+
= Optional: Preparing a private Microsoft Azure cluster for a private image registry
8+
9+
By installing a private image registry on a private Microsoft Azure cluster, you can create private storage endpoints. Private storage endpoints disable public facing endpoints to the registry's storage account, adding an extra layer of security to your {product-title} deployment.
10+
Use the following guide to prepare your private Microsoft Azure cluster for installation with a private image registry.
11+
12+
.Prerequisites
13+
14+
* You have access to an {product-title} account with cluster administrator access.
15+
16+
* You have installed the OpenShift CLI (oc).
17+
18+
* You have prepared an `install-config.yaml` that includes the following information:
19+
** The `publish` field is set to `Internal`
20+
21+
* You have set the permissions for creating a private storage endpoint. For more information, see "Azure permissions for installer-provisioned infrastructure".
22+
23+
.Procedure
24+
25+
. If you have not previously created installation manifest files, do so by running the following command:
26+
+
27+
[source,terminal]
28+
----
29+
$ ./openshift-install create manifests --dir <installation_directory>
30+
----
31+
+
32+
This command displays the following messages:
33+
+
34+
.Example output
35+
[source,terminal]
36+
----
37+
INFO Consuming Install Config from target directory
38+
INFO Manifests created in: <installation_directory>/manifests and <installation_directory>/openshift
39+
----
40+
41+
. Create an image registry configuration object and pass in the `networkResourceGroupName`, `subnetName`, and `vnetName` provided by Microsoft Azure. For example:
42+
+
43+
[source,terminal]
44+
----
45+
$ touch imageregistry-config.yaml
46+
----
47+
+
48+
[source,yaml]
49+
----
50+
apiVersion: imageregistry.operator.openshift.io/v1
51+
kind: Config
52+
metadata:
53+
name: cluster
54+
spec:
55+
managementState: "Managed"
56+
replicas: 2
57+
rolloutStrategy: RollingUpdate
58+
storage:
59+
azure:
60+
networkAccess:
61+
internal:
62+
networkResourceGroupName: <vnet_resource_group> <1>
63+
subnetName: <subnet_name> <2>
64+
vnetName: <vnet_name> <3>
65+
type: Internal
66+
----
67+
<1> Optional. If you have an existing VNet and subnet setup, replace `<vnet_resource_group>` with the resource group name that contains the existing virtual network (VNet).
68+
<2> Optional. If you have an existing VNet and subnet setup, replace `<subnet_name>` with the name of the existing compute subnet within the specified resource group.
69+
<3> Optional. If you have an existing VNet and subnet setup, replace `<vnet_name>` with the name of the existing virtual network (VNet) in the specified resource group.
70+
+
71+
[NOTE]
72+
====
73+
The `imageregistry-config.yaml` file is consumed during the installation process. If desired, you must back it up before installation.
74+
====
75+
76+
. Move the `imageregistry-config.yaml` file to the `<installation_directory/manifests>` folder by running the following command:
77+
+
78+
[source,terminal]
79+
----
80+
$ mv imageregistry-config.yaml <installation_directory/manifests/>
81+
----
82+
83+
.Next steps
84+
85+
* After you have moved the `imageregistry-config.yaml` file to the `<installation_directory/manifests>` folder and set the required permissions, proceed to "Deploying the cluster".
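Review bot: the placeholder in the mv command at line 80, `<installation_directory/manifests/>`, and in the prose at lines 76 and 85, `<installation_directory/manifests>`, put the literal `manifests` path inside the angle brackets, so a reader who substitutes their directory for the whole placeholder ends up with the wrong path; the installer's own output at line 38 uses `<installation_directory>/manifests`, and the command should read `$ mv imageregistry-config.yaml <installation_directory>/manifests/`. Three further points in this hunk: the NOTE at line 73, "If desired, you must back it up before installation", contradicts itself and should say something like "If you want to keep a copy, back it up before installation, because the installer consumes the file"; the comment header at line 3 names registry/configuring_registry_storage-azure.adoc as the including assembly, but this PR includes the module from installing/installing_azure/installing-azure-private.adoc, so the header should list that assembly; and step 2 at line 41 tells the reader to pass in networkResourceGroupName, subnetName and vnetName while callouts 1 to 3 label each of them "Optional", so either drop "Optional" or state what the operator uses when they are omitted. Finally, the prerequisites at lines 14 and 16 (cluster administrator access, oc installed) are not exercised by a procedure that runs before the cluster exists and uses only openshift-install; the prerequisite that matters here is the one at line 21, the permissions for creating the private storage endpoint.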

modules/minimum-required-permissions-ipi-azure.adoc

Lines changed: 11 additions & 0 deletions
@@ -146,6 +146,17 @@ The following permissions are not required to create the private {product-title}
146146
* `Microsoft.Storage/storageAccounts/write`
147147
====
148148
149+
.Optional permissions for creating a private storage endpoint for the image registry
150+
[%collapsible]
151+
====
152+
* `Microsoft.Network/privateEndpoints/write`
153+
* `Microsoft.Network/privateEndpoints/read`
154+
* `Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write`
155+
* `Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read`
156+
* `Microsoft.Network/privateDnsZones/join/action`
157+
* `Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action`
158+
====
159+
149160
.Optional permissions for creating marketplace virtual machine resources
150161
[%collapsible]
151162
====
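Review bot: the list at lines 152 to 157 grants `Microsoft.Network/privateDnsZones/join/action` but neither `Microsoft.Network/privateDnsZones/write` nor `Microsoft.Network/privateDnsZones/virtualNetworkLinks/write`, which is sufficient only if the registry operator joins a privatelink DNS zone that already exists and is already linked to the cluster VNet. If the operator creates the zone and the VNet link itself, those two permissions are also needed; either way, the heading or a lead sentence should say which case this list covers, because an administrator who assigns exactly these permissions and nothing more will otherwise discover the gap as an authorization failure during installation. `Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action` at line 157 is correctly included, since the private endpoint connection to the registry's storage account has to be approved.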
