diff --git a/hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc b/hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc index a9e08b3be27b..4a5ee3a37e3c 100644 --- a/hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc +++ b/hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc @@ -50,19 +50,24 @@ include::modules/hcp-aws-deploy-hc.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources - * xref:../../hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc#hcp-enable-arm-amd_hcp-deploy-aws[Running hosted clusters on an ARM64 architecture] +include::modules/hcp-access-hc-aws.adoc[leveloffset=+2] + include::modules/hcp-access-pub-hc-aws.adoc[leveloffset=+2] include::modules/hcp-access-pub-hc-aws-cli.adoc[leveloffset=+2] +include::modules/hcp-custom-cert.adoc[leveloffset=+1] + include::modules/hc-create-aws-multi-zones.adoc[leveloffset=+1] include::modules/hcp-create-hc-multi-zone-aws-creds.adoc[leveloffset=+2] include::modules/hcp-enable-arm-amd.adoc[leveloffset=+1] + include::modules/hcp-create-hc-arm64-aws.adoc[leveloffset=+2] + include::modules/hcp-create-np-arm64-aws.adoc[leveloffset=+2] [role="_additional-resources"] diff --git a/hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc b/hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc index 72d03ba4e444..792f06f63eab 100644 --- a/hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc +++ b/hosted_control_planes/hcp-deploy/hcp-deploy-bm.adoc @@ -73,4 +73,6 @@ include::modules/hcp-bm-hc-mirror.adoc[leveloffset=+2] * To add hosts to the host inventory by using the Discovery Image, see link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#add-host-host-inventory[Adding hosts to the host inventory by using the Discovery Image]. * To extract the {product-title} release image digest, see link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#configure-hosted-disconnected-digest-image[Extracting the {product-title} release image digest]. -include::modules/hcp-bm-verify.adoc[leveloffset=+1] \ No newline at end of file +include::modules/hcp-bm-verify.adoc[leveloffset=+1] + +include::modules/hcp-custom-cert.adoc[leveloffset=+1] \ No newline at end of file diff --git a/hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc b/hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc index cdd168f9c9dc..662ce25cb738 100644 --- a/hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc +++ b/hosted_control_planes/hcp-deploy/hcp-deploy-non-bm.adoc @@ -25,6 +25,7 @@ A _hosted cluster_ is an {product-title} cluster with its API endpoint and contr The hosted cluster is automatically imported as a managed cluster. If you want to disable this automatic import feature, see "Disabling the automatic import of hosted clusters into {mce-short}". include::modules/hcp-non-bm-prepare.adoc[leveloffset=+1] + include::modules/hcp-non-bm-prereqs.adoc[leveloffset=+2] [role="_additional-resources"] @@ -35,6 +36,7 @@ include::modules/hcp-non-bm-prereqs.adoc[leveloffset=+2] * link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#enable-cim[Enabling the central infrastructure management service] include::modules/hcp-non-bm-firewall-port-svc-reqs.adoc[leveloffset=+2] + include::modules/hcp-non-bm-infra-reqs.adoc[leveloffset=+2] [role="_additional-resources"] @@ -53,6 +55,7 @@ include::modules/hcp-non-bm-infra-reqs.adoc[leveloffset=+2] * link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#ansible-config-hosted-cluster[Configuring Ansible Automation Platform jobs to run on hosted clusters] include::modules/hcp-non-bm-dns.adoc[leveloffset=+1] + include::modules/hcp-non-bm-hc.adoc[leveloffset=+1] [role="_additional-resources"] @@ -79,3 +82,5 @@ include::modules/hcp-bm-hc-mirror.adoc[leveloffset=+2] * To extract the {product-title} release image digest, see link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/clusters/cluster_mce_overview#configure-hosted-disconnected-digest-image[Extracting the {product-title} release image digest]. include::modules/hcp-non-bm-verify.adoc[leveloffset=+1] + +include::modules/hcp-custom-cert.adoc[leveloffset=+1] \ No newline at end of file diff --git a/hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc b/hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc index 15270d2dfd47..5f45fb412152 100644 --- a/hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc +++ b/hosted_control_planes/hcp-deploy/hcp-deploy-virt.adoc @@ -98,3 +98,5 @@ include::modules/hcp-virt-add-node.adoc[leveloffset=+2] * To scale down the data plane to zero, see link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/hosted_control_planes/troubleshooting-hosted-control-planes#scale-down-data-plane_hcp-troubleshooting[Scaling down the data plane to zero]. include::modules/hcp-virt-verify-hc.adoc[leveloffset=+1] + +include::modules/hcp-custom-cert.adoc[leveloffset=+1] \ No newline at end of file diff --git a/modules/hcp-access-hc-aws.adoc b/modules/hcp-access-hc-aws.adoc index e4733c36b389..1edf456ea7da 100644 --- a/modules/hcp-access-hc-aws.adoc +++ b/modules/hcp-access-hc-aws.adoc @@ -3,7 +3,7 @@ // * hosted-control-planes/hcp-deploy/hcp-deploy-aws.adoc :_mod-docs-content-type: PROCEDURE -[id="hcp-create-private-hc-aws_{context}"] +[id="hcp-access-hc-aws_{context}"] = Accessing a hosted cluster on {aws-short} You can access the hosted cluster by getting the `kubeconfig` file and the `kubeadmin` credentials directly from resources. diff --git a/modules/hcp-aws-create-secret-s3.adoc b/modules/hcp-aws-create-secret-s3.adoc index ef062a731764..f0bc9c0d074a 100644 --- a/modules/hcp-aws-create-secret-s3.adoc +++ b/modules/hcp-aws-create-secret-s3.adoc @@ -18,16 +18,16 @@ $ aws s3api create-bucket --bucket \// <1> --create-bucket-configuration LocationConstraint= \// <2> --region <2> ---- -+ <1> Replace `` with the name of the S3 bucket you are creating. <2> To create the bucket in a region other than the `us-east-1` region, include this line and replace `` with the region you want to use. To create a bucket in the `us-east-1` region, omit this line. + + [source,terminal] ---- $ aws s3api delete-public-access-block --bucket <1> ---- -+ <1> Replace `` with the name of the S3 bucket you are creating. + + [source,terminal] ---- @@ -43,15 +43,14 @@ $ echo '{ ] }' | envsubst > policy.json ---- -+ <1> Replace `` with the name of the S3 bucket you are creating. + + [source,terminal] ---- $ aws s3api put-bucket-policy --bucket \// <1> --policy file://policy.json ---- -+ <1> Replace `` with the name of the S3 bucket you are creating. + [NOTE] diff --git a/modules/hcp-custom-cert.adoc b/modules/hcp-custom-cert.adoc new file mode 100644 index 000000000000..c31af3491e21 --- /dev/null +++ b/modules/hcp-custom-cert.adoc @@ -0,0 +1,71 @@ +// Module included in the following assemblies: +// +// * hosted-control-planes/hcp-deploy/hcp-deploy-aws.adoc +// * hosted-control-planes/hcp-deploy/hcp-deploy-bm.adoc +// * hosted-control-planes/hcp-deploy/hcp-deploy-non-bm.adoc +// * hosted-control-planes/hcp-deploy/hcp-deploy-virt.adoc + +:_mod-docs-content-type: PROCEDURE +[id="hcp-custom-cert_{context}"] += Configuring a custom API server certificate in a hosted cluster + +To configure a custom certificate for the API server, specify the certificate details in the `spec.configuration.apiServer` section of your `HostedCluster` configuration. + +You can configure a custom certificate during either day-1 or day-2 operations. However, because the service publishing strategy is immutable after you set it during hosted cluster creation, you must know what the hostname is for the Kubernetes API server that you plan to configure. + +.Prerequisites + +* You created a Kubernetes secret that contains your custom certificate in the management cluster. The secret contains the following keys: + + ** `tls.crt`: The certificate + ** `tls.key`: The private key + +* If your `HostedCluster` configuration includes a service publishing strategy that uses a load balancer, ensure that the Subject Alternative Names (SANs) of the certificate do not conflict with the internal API endpoint (`api-int`). The internal API endpoint is automatically created and managed by your platform. If you use the same hostname in both the custom certificate and the internal API endpoint, routing conflictcs can occur. The only exception to this rule is when you use {aws-short} as the provider with either `Private` or `PublicAndPrivate` configurations. In those cases, the SAN conflict is managed by the platform. + +* The certificate must be valid for the external API endpoint. + +* The validity period of the certificate aligns with your cluster's expected life cycle. + +.Procedure + +. Create a secret with your custom certificate by entering the following command: ++ +[source,terminal] +---- +$ oc create secret tls sample-hosted-kas-custom-cert \ + --cert=path/to/cert.crt \ + --key=path/to/key.key \ + -n +---- + +. Update your `HostedCluster` configuration with the custom certificate details, as shown in the following example: ++ +[source,yaml] +---- +spec: + configuration: + apiServer: + servingCerts: + namedCertificates: + - names: <1> + - api-custom-cert-sample-hosted.sample-hosted.example.com + servingCertificate: <2> + name: sample-hosted-kas-custom-cert +---- +<1> The list of DNS names that the certificate is valid for. +<2> The name of the secret that contains the custom certificate. + +. Apply the changes to your `HostedCluster` configuration by entering the following command: ++ +[source,terminal] +---- +$ oc apply -f .yaml +---- + +.Verification + +* Check the API server pods to ensure that the new certificate is mounted. + +* Test the conncetion to the API server by using the custom domain name. + +* Verify the certificate details in your browser or by using tools such as `openssl`. \ No newline at end of file