OSDOCS-4745: Installing Nutanix cluster in a restricted env

Author: mjpytlak

_topic_maps/_topic_map.yml

@@ -284,6 +284,8 @@ Topics:
     File: preparing-to-install-on-nutanix
   - Name: Installing a cluster on Nutanix
     File: installing-nutanix-installer-provisioned
+  - Name: Installing a cluster on Nutanix in a restricted network
+    File: installing-restricted-networks-nutanix-installer-provisioned
   - Name: Uninstalling a cluster on Nutanix
     File: uninstalling-cluster-nutanix
 - Name: Installing on bare metal

installing/installing-preparing.adoc

@@ -75,7 +75,7 @@ If you use a user-provisioned installation method, you can configure a proxy for
 
 If you want to prevent your cluster on a public cloud from exposing endpoints externally, you can deploy a private cluster with installer-provisioned infrastructure on xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[AWS], xref:../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Azure], or xref:../installing/installing_gcp/installing-gcp-private.adoc#installing-gcp-private[GCP].
 
-If you need to install your cluster that has limited access to the internet, such as a disconnected or restricted network cluster, you can xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[IBM Z or LinuxONE with {op-system-base} KVM], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], xref:../installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc#installing-restricted-networks-vmc-user-infra[VMC on AWS], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_vmc/installing-restricted-networks-vmc.adoc#installing-restricted-networks-vmc[VMC on AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
+If you need to install your cluster that has limited access to the internet, such as a disconnected or restricted network cluster, you can xref:../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[mirror the installation packages] and install the cluster from them. Follow detailed instructions for user provisioned infrastructure installations into restricted networks for xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp.adoc#installing-restricted-networks-gcp[GCP], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[IBM Z or LinuxONE], xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[IBM Z or LinuxONE with {op-system-base} KVM], xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[IBM Power], xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[vSphere], xref:../installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc#installing-restricted-networks-vmc-user-infra[VMC on AWS], or xref:../installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc#installing-restricted-networks-bare-metal[bare metal]. You can also install a cluster into a restricted network using installer-provisioned infrastructure by following detailed instructions for xref:../installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[AWS], xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[GCP], xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[Nutanix], xref:../installing/installing_vmc/installing-restricted-networks-vmc.adoc#installing-restricted-networks-vmc[VMC on AWS], xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[{rh-openstack}], xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[{rh-virtualization}], and xref:../installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc#installing-restricted-networks-installer-provisioned-vsphere[vSphere].
 
 If you need to deploy your cluster to an xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[AWS GovCloud region], xref:../installing/installing_aws/installing-aws-china.adoc#installing-aws-china-region[AWS China region], or xref:../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Azure government region], you can configure those custom regions during an installer-provisioned infrastructure installation.
 
@@ -196,7 +196,7 @@ ifndef::openshift-origin[]
 |
 |
 |xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[✓]
-|
+|xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[✓]
 |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[✓]
 |xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[✓]
 |xref:../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#ipi-install-installation-workflow[✓]
@@ -363,7 +363,7 @@ ifdef::openshift-origin[]
 |
 |
 |xref:../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-restricted-networks-gcp-installer-provisioned[✓]
-|
+|xref:../installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc#installing-restricted-networks-nutanix-installer-provisioned[✓]
 |xref:../installing/installing_openstack/installing-openstack-installer-restricted.adoc#installing-openstack-installer-restricted[✓]
 |xref:../installing/installing_rhv/installing-rhv-restricted-network.adoc#installing-rhv-restricted-network[✓]
 |

installing/installing_nutanix/installing-restricted-networks-nutanix-installer-provisioned.adoc

@@ -0,0 +1,64 @@
+:_content-type: ASSEMBLY
+[id="installing-restricted-networks-nutanix-installer-provisioned"]
+= Installing a cluster on Nutanix in a restricted network
+include::_attributes/common-attributes.adoc[]
+:context: installing-restricted-networks-nutanix-installer-provisioned
+
+toc::[]
+
+In {product-title} {product-version}, you can install a cluster on Nutanix infrastructure in a restricted network by creating an internal mirror of the installation release content.
+
+== Prerequisites
+
+* You have reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* If you use a firewall, you have configured it to xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[grant access] to the sites that {product-title} requires. This includes the use of Telemetry.
+* If your Nutanix environment is using the default self-signed SSL/TLS certificate, replace it with a certificate that is signed by a CA. The installation program requires a valid CA-signed certificate to access to the Prism Central API. For more information about replacing the self-signed certificate, see the  https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v6_1:mul-security-ssl-certificate-pc-t.html[Nutanix AOS Security Guide].
++
+[IMPORTANT]
+====
+Use 2048-bit certificates. The installation fails if you use 4096-bit certificates with Prism Central 2022.x.
+====
+* You have a container image registry, such as Red Hat Quay. If you do not already have a registry, you can create a mirror registry using  xref:../../installing/disconnected_install/installing-mirroring-creating-registry.adoc#installing-mirroring-creating-registry[_mirror registry for Red Hat OpenShift_].
+* You have used the xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[oc-mirror OpenShift CLI (oc) plugin] to mirror all of the required {product-title} content and other images, including the Nutanix CSI Operator, to your mirror registry.
++
+[IMPORTANT]
+====
+Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
+====
+
+include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-adding-nutanix-root-certificates.adoc[leveloffset=+1]
+
+include::modules/installation-nutanix-download-rhcos.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+include::modules/installation-nutanix-config-yaml.adoc[leveloffset=+2]
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/manually-configure-iam-nutanix.adoc[leveloffset=+1]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+== Post installation
+Complete the following steps to complete the configuration of your cluster.
+
+include::modules/olm-restricted-networks-configuring-operatorhub.adoc[leveloffset=+2]
+include::modules/oc-mirror-updating-restricted-cluster-manifests.adoc[leveloffset=+2]
+include::modules/registry-configuring-storage-nutanix.adoc[leveloffset=+2]
+
+include::modules/cluster-telemetry.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+
+* xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
+
+== Next steps
+* xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opt out of remote health reporting]
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

modules/cli-installing-cli.adoc

@@ -48,7 +48,9 @@
 // * installing/installing_rhv/installing-rhv-default.adoc
 // * updating/updating-restricted-network-cluster/restricted-network-update.adoc
 // * microshift_cli_ref/microshift-oc-cli-install.adoc
-//
+// * updating/updating-restricted-network-cluster.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 // AMQ docs link to this; do not change anchor
 
 ifeval::["{context}" == "updating-restricted-network-cluster"]

modules/cluster-telemetry.adoc

@@ -70,6 +70,8 @@
 // * installing/installing_vmc/installing-vmc.adoc
 // * installing/installing_ibm_power/installing-ibm-power.adoc
 // * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 :_content-type: CONCEPT
 [id="cluster-telemetry_{context}"]

modules/installation-about-restricted-network.adoc

@@ -12,6 +12,7 @@
 // * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
 // * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
 // * installing/installing-rhv-restricted-network.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-ibm-power"]
 :ibm-power:
@@ -37,6 +38,9 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
 :ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:ipi:
+endif::[]
 
 :_content-type: CONCEPT
 [id="installation-about-restricted-networks_{context}"]
@@ -51,7 +55,7 @@ still require access to its cloud APIs. Some cloud functions, like
 Amazon Web Service's Route 53 DNS and IAM services, require internet access.
 //behind a proxy
 Depending on your network, you might require less internet
-access for an installation on bare metal hardware or on VMware vSphere.
+access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.
 endif::ibm-power[]
 
 To complete a restricted network installation, you must create a registry that
@@ -103,3 +107,6 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
 :!ipi:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!ipi:
+endif::[]

modules/installation-adding-nutanix-root-certificates.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 :_content-type: PROCEDURE
 [id="installation-adding-nutanix-root-certificates_{context}"]

modules/installation-configuration-parameters.adoc

@@ -53,6 +53,7 @@
 // * installing/installing_azure_stack_hub/installing-azure-stack-hub-default.adoc
 // * installing/installing_azure_stack_hub/installing-azure-stack-hub-customizations.adoc
 // * installing/installing_nutanix/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-alibaba-customizations"]
 :alibabacloud:
@@ -215,6 +216,9 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:nutanix:
+endif::[]
 
 :_content-type: CONCEPT
 [id="installation-configuration-parameters_{context}"]
@@ -2005,3 +2009,6 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :!nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!nutanix:
+endif::[]

modules/installation-configure-proxy.adoc

@@ -57,6 +57,8 @@
 // * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
 // * networking/configuring-a-custom-pki.adoc
 // * installing/installing-rhv-restricted-network.adoc
+// * installing/installing-nutanix-installer-provisioned.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 ifeval::["{context}" == "installing-aws-china-region"]
 :aws:

modules/installation-initializing.adoc

@@ -35,6 +35,7 @@
 // * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
 // * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
 // * installing/installing_nutanix/configuring-iam-nutanix.adoc
+// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
 
 // * installing/installing_gcp/installing-openstack-installer-restricted.adoc
 // Consider also adding the installation-configuration-parameters.adoc module.
@@ -166,6 +167,10 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:nutanix:
+:restricted:
+endif::[]
 
 :_content-type: PROCEDURE
 [id="installation-initializing_{context}"]
@@ -205,7 +210,13 @@ endif::nutanix[]
 * Obtain the {product-title} installation program and the pull secret for your cluster.
 ifdef::restricted[]
 For a restricted network installation, these files are on your mirror host.
+ifndef::nutanix[]
 * Have the `imageContentSources` values that were generated during mirror registry creation.
+endif::nutanix[]
+ifdef::nutanix+restricted[]
+* Have the `imageContentSourcePolicy.yaml` file that was created when you mirrored your registry.
+* Have the location of the {op-system-first} image you download.
+endif::nutanix+restricted[]
 * Obtain the contents of the certificate for your mirror registry.
 ifndef::aws,gcp[]
 * Retrieve a {op-system-first} image and upload it to an accessible location.
@@ -521,6 +532,16 @@ platform:
       clusterOSImage: http://mirror.example.com/images/rhcos-43.81.201912131630.0-vmware.x86_64.ova?sha256=ffebbd68e8a1f2a245ca19522c16c86f67f9ac8e4e0c1f0a812b068b16f7265d
 ----
 endif::vsphere+restricted[]
+ifdef::nutanix+restricted[]
+. In the `install-config.yaml` file, set the value of `platform.nutanix.clusterOSImage` to the image location or name. For example:
++
+[source,yaml]
+----
+platform:
+  nutanix:
+      clusterOSImage: http://mirror.example.com/images/rhcos-47.83.202103221318-0-nutanix.x86_64.qcow2
+----
+endif::nutanix+restricted[]
 ifdef::restricted[]
 . Edit the `install-config.yaml` file to give the additional information that
 is required for an installation in a restricted network.
@@ -585,10 +606,17 @@ imageContentSources:
   source: registry.example.com/ocp/release
 ----
 +
+ifndef::nutanix[]
 For these values, use the `imageContentSources` that you recorded during mirror registry creation.
+endif::nutanix[]
+ifdef::nutanix[]
+For these values, use the `imageContentSourcePolicy.yaml` file that was created when you mirrored the registry.
+endif::nutanix[]
 
+ifndef::nutanix[]
 . Make any other modifications to the `install-config.yaml` file that you require. You can find more information about
 the available parameters in the *Installation configuration parameters* section.
+endif::nutanix[]
 endif::restricted[]
 
 ifdef::nutanix[]
@@ -734,3 +762,7 @@ endif::[]
 ifeval::["{context}" == "installing-nutanix-installer-provisioned"]
 :!nutanix:
 endif::[]
+ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
+:!nutanix:
+:!restricted:
+endif::[]