Merge pull request #69087 from stevsmit/OSDOCS-private-installation-azure

stevsmit · web-flow · commit 55fba4351f0e · 2024-01-10T14:33:20.000-05:00
Adds procedure to create private cluster with private image registry
diff --git a/installing/installing_azure/installing-azure-private.adoc b/installing/installing_azure/installing-azure-private.adoc
@@ -89,6 +89,13 @@ include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]
 // Additional steps for the Cloud Credential Operator utility (`ccoctl`)
 include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]
 
+include::modules/installing-private-image-registry-private-azure.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For the list of permissions needed to create a private storage endpoint, see xref:../../installing/installing_azure/installing-azure-account.adoc#minimum-required-permissions-ipi-azure_installing-azure-account[Required Azure permissions for installer-provisioned infrastructure].
+
 include::modules/installation-launching-installer.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
diff --git a/modules/installing-private-image-registry-private-azure.adoc b/modules/installing-private-image-registry-private-azure.adoc
@@ -0,0 +1,85 @@
+// Module included in the following assemblies:
+//
+//* registry/configuring_registry_storage-azure.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-private-image-registry-private-azure"]
+= Optional: Preparing a private Microsoft Azure cluster for a private image registry
+
+By installing a private image registry on a private Microsoft Azure cluster, you can create private storage endpoints. Private storage endpoints disable public facing endpoints to the registry's storage account, adding an extra layer of security to your {product-title} deployment.
+Use the following guide to prepare your private Microsoft Azure cluster for installation with a private image registry.
+
+.Prerequisites
+
+* You have access to an {product-title} account with cluster administrator access.
+
+* You have installed the OpenShift CLI (oc).
+
+* You have prepared an `install-config.yaml` that includes the following information:
+** The `publish` field is set to `Internal`
+
+* You have set the permissions for creating a private storage endpoint. For more information, see "Azure permissions for installer-provisioned infrastructure".
+
+.Procedure
+
+. If you have not previously created installation manifest files, do so by running the following command:
++
+[source,terminal]
+----
+$ ./openshift-install create manifests --dir <installation_directory>
+----
++
+This command displays the following messages:
++
+.Example output
+[source,terminal]
+----
+INFO Consuming Install Config from target directory
+INFO Manifests created in: <installation_directory>/manifests and <installation_directory>/openshift
+----
+
+. Create an image registry configuration object and pass in the `networkResourceGroupName`, `subnetName`, and `vnetName` provided by Microsoft Azure. For example:
++
+[source,terminal]
+----
+$ touch imageregistry-config.yaml
+----
++
+[source,yaml]
+----
+apiVersion: imageregistry.operator.openshift.io/v1
+kind: Config
+metadata:
+  name: cluster
+spec:
+  managementState: "Managed"
+  replicas: 2
+  rolloutStrategy: RollingUpdate
+  storage:
+    azure:
+      networkAccess:
+        internal:
+          networkResourceGroupName: <vnet_resource_group> <1>
+          subnetName: <subnet_name> <2>
+          vnetName: <vnet_name> <3>
+        type: Internal 
+----
+<1> Optional. If you have an existing VNet and subnet setup, replace `<vnet_resource_group>` with the resource group name that contains the existing virtual network (VNet).
+<2> Optional. If you have an existing VNet and subnet setup, replace `<subnet_name>` with the name of the existing compute subnet within the specified resource group.
+<3> Optional. If you have an existing VNet and subnet setup, replace `<vnet_name>` with the name of the existing virtual network (VNet) in the specified resource group.
++
+[NOTE]
+====
+The `imageregistry-config.yaml` file is consumed during the installation process. If desired, you must back it up before installation.
+====
+
+. Move the `imageregistry-config.yaml` file to the `<installation_directory/manifests>` folder by running the following command:
++
+[source,terminal]
+----
+$ mv imageregistry-config.yaml <installation_directory/manifests/>
+----
+
+.Next steps
+
+* After you have moved the `imageregistry-config.yaml` file to the `<installation_directory/manifests>` folder and set the required permissions, proceed to "Deploying the cluster".
diff --git a/modules/minimum-required-permissions-ipi-azure.adoc b/modules/minimum-required-permissions-ipi-azure.adoc
@@ -146,6 +146,17 @@ The following permissions are not required to create the private {product-title}
 * `Microsoft.Storage/storageAccounts/write`
 ====
 
+.Optional permissions for creating a private storage endpoint for the image registry
+[%collapsible]
+====
+* `Microsoft.Network/privateEndpoints/write`
+* `Microsoft.Network/privateEndpoints/read`
+* `Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write`
+* `Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read`
+* `Microsoft.Network/privateDnsZones/join/action`
+* `Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action`
+====
+
 .Optional permissions for creating marketplace virtual machine resources
 [%collapsible]
 ====
