Merge pull request #71284 from smunje1/OSDOCS-9495

OSDOCS-9495

Author: jldohmann

_topic_maps/_topic_map_rosa.yml

@@ -1017,7 +1017,7 @@ Topics:
   Distros: openshift-rosa
   Topics:
   - Name: Custom domains for applications
-    File: osd-config-custom-domains-applications
+    File: rosa-config-custom-domains-applications
 # - Name: Application GitOps workflows
 #   File: rosa-app-gitops-workflows
 # - Name: Application logging

applications/deployments/rosa-config-custom-domains-applications.adoc

@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-config-custom-domains-applications"]
+= Custom domains for applications
+include::_attributes/attributes-openshift-dedicated.adoc[]
+:context: rosa-config-custom-domains-applications
+
+toc::[]
+
+[NOTE]
+====
+Starting with {product-title} 4.14, the Custom Domain Operator is deprecated. To manage Ingress in {product-title} 4.14, use the Ingress Operator. The functionality is unchanged for {product-title} 4.13 and earlier versions.
+====
+
+You can configure a custom domain for your applications. Custom domains are specific wildcard domains that can be used with {product-title} applications. 
+
+include::modules/rosa-applications-config-custom-domains.adoc[leveloffset=+1]
+include::modules/rosa-applications-renew-custom-domains.adoc[leveloffset=+1]

cloud_experts_tutorials/cloud-experts-configure-custom-tls-ciphers.adoc

@@ -66,11 +66,11 @@ Modify this command to meet your specific business requirements.
 ====
 +
 Before creating the CronJob, apply the `tlsSecurityProfile` configuration to validate changes.
-This process depends on if you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator].
+This process depends on if you are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator].
 +
-.. Clusters not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
+.. Clusters not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
 +
-If you are only using the default Ingress Controller, and not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], run the following command to patch the Ingress Controller:
+If you are only using the default Ingress Controller, and not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator], run the following command to patch the Ingress Controller:
 +
 [source,terminal]
 ----
@@ -87,9 +87,9 @@ Once you run the command, you will receive a response that looks like this:
 ingresscontroller.operator.openshift.io/default patched
 ----
 +
-.. Clusters using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
+.. Clusters using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
 +
-Customers who are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator] need to loop through each of their Ingress Controllers to patch each one.
+Customers who are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator] need to loop through each of their Ingress Controllers to patch each one.
 To patch all of your cluster's Ingress Controllers, run the following command:
 +
 [source,terminal]
@@ -111,11 +111,11 @@ ingresscontroller.operator.openshift.io/custom2 patched
 +
 Occasionally, the cluster's Ingress Controllers can get recreated. In these cases, the Ingress Controller will likely not retain the `tlsSecurityProfile` changes that were applied.
 To ensure this does not happen, create a CronJob that goes through and updates the cluster's Ingress Controllers.
-This process depends on if you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator].
+This process depends on if you are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator].
 +
-.. Clusters not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
+.. Clusters not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
 +
-If you are not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], create the CronJob by running the following command:
+If you are not using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator], create the CronJob by running the following command:
 +
 [source,terminal]
 ----
@@ -156,9 +156,9 @@ ingresscontroller.operator.openshift.io/default patched (no change)
 ----
 ====
 +
-.. Clusters using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
+.. Clusters using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator]:
 +
-If you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], the CronJob needs to loop through and patch each Ingress Controller.
+If you are using the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-config-custom-domains-applications[Custom Domain Operator], the CronJob needs to loop through and patch each Ingress Controller.
 To create this CronJob, run the following command:
 +
 [source,terminal]

cloud_experts_tutorials/cloud-experts-external-dns.adoc

@@ -23,7 +23,7 @@ toc::[]
 Starting with {product-title} 4.14, the Custom Domain Operator is deprecated. To manage Ingress in {product-title} 4.14, use the Ingress Operator. The functionality is unchanged for {product-title} 4.13 and earlier versions.
 ====
 
-Configuring the xref:../applications/deployments/osd-config-custom-domains-applications.adoc[Custom Domain Operator] requires a wildcard CNAME DNS record in your Amazon Route 53 hosted zone. If you do not want to use a wildcard record, you can use the `External DNS` Operator to create individual entries for routes.
+Configuring the xref:../applications/deployments/rosa-config-custom-domains-applications.adoc[Custom Domain Operator] requires a wildcard CNAME DNS record in your Amazon Route 53 hosted zone. If you do not want to use a wildcard record, you can use the `External DNS` Operator to create individual entries for routes.
 
 Use this tutorial to deploy and configure the `External DNS` Operator with a custom domain in {product-title} (ROSA).
 

modules/osd-applications-config-custom-domains.adoc

@@ -1,4 +1,4 @@
-// Module included in the following assemblies for OSD and ROSA:
+// Module included in the following assembly for OSD:
 //
 // * applications/deployments/osd-config-custom-domains-applications.adoc
 

modules/osd-applications-renew-custom-domains.adoc

@@ -1,4 +1,4 @@
-// Module included in the following assemblies for OSD and ROSA:
+// Module included in the following assembly for OSD:
 //
 // * applications/deployments/osd-config-custom-domains-applications.adoc
 

modules/rosa-applications-config-custom-domains.adoc

@@ -0,0 +1,128 @@
+// Module included in the following assembly for ROSA:
+//
+// * applications/deployments/rosa-config-custom-domains-applications.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-applications-config-custom-domains_{context}"]
+= Configuring custom domains for applications
+
+The top-level domains (TLDs) are owned by the customer that is operating the {product-title} cluster. The Custom Domains Operator sets up a new ingress controller with a custom certificate as a second day operation. The public DNS record for this ingress controller can then be used by an external DNS to create a wildcard CNAME record for use with a custom domain.
+
+[NOTE]
+====
+Custom API domains are not supported because Red Hat controls the API domain. However, customers can change their application domains. For private custom domains with a private `IngressController`, set `.spec.scope` to `Internal` in the `CustomDomain` CR.
+====
+
+.Prerequisites
+
+* A user account with `dedicated-admin` privileges
+* A unique domain or wildcard domain, such as `*.apps.<company_name>.io`
+* A custom certificate or wildcard custom certificate, such as `CN=*.apps.<company_name>.io`
+* Access to a cluster with the latest version of the `oc` CLI installed
+
+[IMPORTANT]
+Do not use the reserved names `default` or `apps*`, such as `apps` or `apps2`, in the `metadata/name:` section of the `CustomDomain` CR.
+
+.Procedure
+
+. Create a new TLS secret from a private key and a public certificate, where `fullchain.pem` and `privkey.pem` are your public or private wildcard certificates.
++
+.Example
+[source,terminal]
+----
+$ oc create secret tls <name>-tls --cert=fullchain.pem --key=privkey.pem -n <my_project>
+----
+
+. Create a new `CustomDomain` custom resource (CR):
++
+.Example `<company_name>-custom-domain.yaml`
+[source,yaml]
+----
+apiVersion: managed.openshift.io/v1alpha1
+kind: CustomDomain
+metadata:
+  name: <company_name>
+spec:
+  domain: apps.<company_name>.io <1>
+  scope: External
+  loadBalancerType: Classic <2>
+  certificate:
+    name: <name>-tls <3>
+    namespace: <my_project>
+  routeSelector: <4>
+    matchLabels:
+     route: acme
+  namespaceSelector: <5>
+    matchLabels:
+     type: sharded
+----
+<1> The custom domain.
+<2> The type of load balancer for your custom domain. This type can be the default `classic` or `NLB` if you use a network load balancer.
+<3> The secret created in the previous step.
+<4> Optional: Filters the set of routes serviced by the CustomDomain ingress. If no value is provided, the default is no filtering.
+<5> Optional: Filters the set of namespaces serviced by the CustomDomain ingress. If no value is provided, the default is no filtering.
+
+. Apply the CR:
++
+.Example
+[source,terminal]
+----
+$ oc apply -f <company_name>-custom-domain.yaml
+----
+
+. Get the status of your newly created CR:
++
+[source,terminal]
+----
+$ oc get customdomains
+----
++
+.Example output
+[source,terminal]
+----
+NAME               ENDPOINT                                                    DOMAIN                       STATUS
+<company_name>     xxrywp.<company_name>.cluster-01.opln.s1.openshiftapps.com  *.apps.<company_name>.io     Ready
+----
+
+ifdef::openshift-rosa[]
+. Using the endpoint value, add a new wildcard CNAME recordset to your managed DNS provider, such as Route53.
+endif::openshift-rosa[]
+ifndef::openshift-rosa[]
+. Using the endpoint value, add a new wildcard CNAME recordset to your managed DNS provider, such as Route53, Azure DNS, or Google DNS.
+endif::openshift-rosa[]
+
++
+.Example
++
+[source,terminal]
+----
+*.apps.<company_name>.io -> xxrywp.<company_name>.cluster-01.opln.s1.openshiftapps.com
+----
+
+. Create a new application and expose it:
++
+.Example
+[source,terminal]
+----
+$ oc new-app --docker-image=docker.io/openshift/hello-openshift -n my-project
+----
++
+[source,terminal]
+----
+$ oc create route <route_name> --service=hello-openshift hello-openshift-tls --hostname hello-openshift-tls-my-project.apps.<company_name>.io -n my-project
+----
++
+[source,terminal]
+----
+$ oc get route -n my-project
+----
++
+[source,terminal]
+----
+$ curl https://hello-openshift-tls-my-project.apps.<company_name>.io
+Hello OpenShift!
+----
+
+.Troubleshooting
+* link:https://access.redhat.com/solutions/5419501[Error creating TLS secret]
+* link:https://access.redhat.com/solutions/6546011[Troubleshooting: CustomDomain in NotReady state]

modules/rosa-applications-renew-custom-domains.adoc

@@ -0,0 +1,38 @@
+// Module included in the following assembly for ROSA:
+//
+// * applications/deployments/rosa-config-custom-domains-applications.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-applications-renew-custom-domains_{context}"]
+= Renewing a certificate for custom domains
+
+You can renew certificates with the Custom Domains Operator (CDO) by using the `oc` CLI tool.
+
+//s a customer of OSD/ROSA, I would like instructions on how to renew certificates with Custom Domains Operator (CDO).
+.Prerequisites
+* You have the latest version `oc` CLI tool installed.
+
+.Procedure
+. Create new secret
++
+[source,terminal]
+----
+$ oc create secret tls <secret-new> --cert=fullchain.pem --key=privkey.pem -n <my_project>
+----
+
+. Patch CustomDomain CR
++
+[source,terminal]
+----
+$ oc patch customdomain <company_name> --type='merge' -p '{"spec":{"certificate":{"name":"<secret-new>"}}}'
+----
+
+. Delete old secret
++
+[source,terminal]
+----
+$ oc delete secret <secret-old> -n <my_project>
+----
+
+.Troubleshooting
+* link:https://access.redhat.com/solutions/5419501[Error creating TLS secret]

rosa_planning/rosa-hcp-prereqs.adoc

@@ -32,7 +32,7 @@ include::modules/rosa-sts-aws-requirements-access-req.adoc[leveloffset=+2]
 [role="_additional-resources"]
 [id="additional-resources_aws-access-requirements_{context}"]
 .Additional resources
-* See xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-applications-config-custom-domains[Configuring custom domains for applications]
+* See xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications]
 
 include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2]
 include::modules/rosa-sts-aws-requirements-security-req.adoc[leveloffset=+2]
@@ -82,5 +82,5 @@ include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+1]
 [id="additional-resources_aws-prerequisites_{context}"]
 == Additional resources
 * xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red Hat OpenShift Service on AWS clusters]
-* xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-applications-config-custom-domains[Configuring custom domains for applications]
+* xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications]
 * xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types]

rosa_planning/rosa-sts-aws-prereqs.adoc

@@ -34,7 +34,7 @@ include::modules/rosa-sts-aws-requirements-access-req.adoc[leveloffset=+2]
 [role="_additional-resources"]
 [id="additional-resources_aws-access-requirements_{context}"]
 .Additional resources
-* See xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-applications-config-custom-domains[Configuring custom domains for applications]
+* See xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications]
 
 include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2]
 include::modules/rosa-sts-aws-requirements-security-req.adoc[leveloffset=+2]
@@ -84,5 +84,5 @@ include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+1]
 [id="additional-resources_aws-prerequisites_{context}"]
 == Additional resources
 * xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red Hat OpenShift Service on AWS clusters]
-* xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-applications-config-custom-domains[Configuring custom domains for applications]
+* xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications]
 * xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types]