From 1a99dc20f54ceaa6217c0ada31f42e367e48739a Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Tue, 17 Dec 2024 12:05:21 -0700 Subject: [PATCH 1/7] Add Helm to firewall openings table --- docs/partials/install/_firewall-openings.mdx | 88 +++++++++++++++++--- 1 file changed, 77 insertions(+), 11 deletions(-) diff --git a/docs/partials/install/_firewall-openings.mdx b/docs/partials/install/_firewall-openings.mdx index dfa0dda490..7a26122073 100644 --- a/docs/partials/install/_firewall-openings.mdx +++ b/docs/partials/install/_firewall-openings.mdx @@ -4,17 +4,83 @@ For services hosted at domains owned by Replicated, the table below includes a l For third-party services hosted at domains not owned by Replicated, the table below lists the required domains. Consult the third-party's documentation for the IP address range for each domain, as needed. -| Host | Embedded Cluster | KOTS Existing Cluster | kURL Clusters | Description | -|--------|------------------|-------------------|-------------------|-------------| -| Docker Hub | Not Required | Required | Required | Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.` | -| `replicated.app` | Required | Required | Required |

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

| -| `proxy.replicated.com` | Required | Required*| Required*|

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

| -| `registry.replicated.com` | Required** | Required** | Required** |

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

-| `kots.io` | Not Required | Required | Not Required | Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.| -| `github.com ` | Not Required | Required | Not Required | Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation. | -| `k8s.kurl.sh`
`s3.kurl.sh` | Not Required | Not Required | Required |

kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.

The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.

| -| `amazonaws.com` | Not Required | Not Required | Required | `tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.| + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
HostEmbedded ClusterHelmKOTS Existing ClusterkURLDescription
Docker HubNot RequiredNot RequiredRequiredRequiredSome dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`
`replicated.app`RequiredRequired***RequiredRequired

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`proxy.replicated.com`RequiredRequiredRequired*Required*

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`registry.replicated.com`Required**RequiredRequired**Required**

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`kots.io`Not RequiredNot RequiredRequiredNot RequiredRequests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.
`github.com `Not RequiredNot RequiredRequiredNot RequiredRequests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.

`k8s.kurl.sh`

`s3.kurl.sh`

Not RequiredNot RequiredNot RequiredRequired

kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.

The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.

`amazonaws.com`Not RequiredNot RequiredNot RequiredRequired`tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.
* Required only if the application uses the Replicated proxy registry. Contact your software vendor for more information. -** Required only if the application uses the Replicated registry. Contact your software vendor for more information. \ No newline at end of file +** Required only if the application uses the Replicated registry. Contact your software vendor for more information. + +*** Required only if the Replicated SDK if included as a dependency of the application Helm chart. For more information, see [About the Replicated SDK](/vendor/replicated-sdk-overview). \ No newline at end of file From e74ff0b5b3a43684f12eed0c1a82f17dcc36b8dc Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Tue, 17 Dec 2024 12:30:44 -0700 Subject: [PATCH 2/7] add firewall reqs to helm install --- ...all-with-helm.md => install-with-helm.mdx} | 29 +++++++++++++++++++ docs/vendor/security-firewall-openings.mdx | 5 ++++ sidebars.js | 1 + 3 files changed, 35 insertions(+) rename docs/vendor/{install-with-helm.md => install-with-helm.mdx} (63%) create mode 100644 docs/vendor/security-firewall-openings.mdx diff --git a/docs/vendor/install-with-helm.md b/docs/vendor/install-with-helm.mdx similarity index 63% rename from docs/vendor/install-with-helm.md rename to docs/vendor/install-with-helm.mdx index 477d87f648..1618607866 100644 --- a/docs/vendor/install-with-helm.md +++ b/docs/vendor/install-with-helm.mdx @@ -10,6 +10,35 @@ Before you install, complete the following prerequisites: +## Firewall Openings Requirements + +The domains for the services listed below need to be accessible from servers performing online (internet-connected) installations: + +:::note +No outbound internet access is required for air gap installations. +::: + + + + + + + + + + + + + + + + + + +
DomainDescription
`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`registry.replicated.com`

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`replicated.app` *

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

+ +* Required only if the Replicated SDK if included as a dependency of the application Helm chart. For more information, see [About the Replicated SDK](/vendor/replicated-sdk-overview). + ## Install To install a Helm chart: diff --git a/docs/vendor/security-firewall-openings.mdx b/docs/vendor/security-firewall-openings.mdx new file mode 100644 index 0000000000..5e5c5f47ef --- /dev/null +++ b/docs/vendor/security-firewall-openings.mdx @@ -0,0 +1,5 @@ +import FirewallOpenings from "../partials/install/_firewall-openings.mdx" + +# Firewall Openings for Online Installations with Replicated + + \ No newline at end of file diff --git a/sidebars.js b/sidebars.js index b68cd8ad93..e49e5c44c8 100644 --- a/sidebars.js +++ b/sidebars.js @@ -833,6 +833,7 @@ const sidebars = { }, 'enterprise/sbom-validating', 'vendor/replicated-sdk-slsa-validating', + 'vendor/security-firewall-openings', ], }, From 27ae9b63051dbab88b443664a07a209f680086f2 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Wed, 18 Dec 2024 09:09:23 -0700 Subject: [PATCH 3/7] remove separate firewalls topic --- docs/vendor/security-firewall-openings.mdx | 5 ----- sidebars.js | 1 - 2 files changed, 6 deletions(-) delete mode 100644 docs/vendor/security-firewall-openings.mdx diff --git a/docs/vendor/security-firewall-openings.mdx b/docs/vendor/security-firewall-openings.mdx deleted file mode 100644 index 5e5c5f47ef..0000000000 --- a/docs/vendor/security-firewall-openings.mdx +++ /dev/null @@ -1,5 +0,0 @@ -import FirewallOpenings from "../partials/install/_firewall-openings.mdx" - -# Firewall Openings for Online Installations with Replicated - - \ No newline at end of file diff --git a/sidebars.js b/sidebars.js index e49e5c44c8..b68cd8ad93 100644 --- a/sidebars.js +++ b/sidebars.js @@ -833,7 +833,6 @@ const sidebars = { }, 'enterprise/sbom-validating', 'vendor/replicated-sdk-slsa-validating', - 'vendor/security-firewall-openings', ], }, From 7dfdbabeb9fa3203bacdd108f5d2c2d2431a5c18 Mon Sep 17 00:00:00 2001 
From: Paige Calvert Date: Wed, 18 Dec 2024 09:42:28 -0700 Subject: [PATCH 4/7] split up the firewalls table --- .../installing-embedded-requirements.mdx | 5 ++- .../installing-general-requirements.mdx | 5 ++- .../installing-kurl-requirements.mdx | 5 ++- .../install/_firewall-openings-ec.mdx | 20 +++++++++++ .../install/_firewall-openings-helm.mdx | 20 +++++++++++ .../install/_firewall-openings-intro.mdx | 5 +++ .../install/_firewall-openings-kots.mdx | 34 ++++++++++++++++++ .../install/_firewall-openings-kurl.mdx | 34 ++++++++++++++++++ docs/partials/install/_firewall-openings.mdx | 8 ++--- docs/vendor/install-with-helm.mdx | 35 ++++--------------- 10 files changed, 136 insertions(+), 35 deletions(-) create mode 100644 docs/partials/install/_firewall-openings-ec.mdx create mode 100644 docs/partials/install/_firewall-openings-helm.mdx create mode 100644 docs/partials/install/_firewall-openings-intro.mdx create mode 100644 docs/partials/install/_firewall-openings-kots.mdx create mode 100644 docs/partials/install/_firewall-openings-kurl.mdx diff --git a/docs/enterprise/installing-embedded-requirements.mdx b/docs/enterprise/installing-embedded-requirements.mdx index 57ea034cec..d99a0c7306 100644 --- a/docs/enterprise/installing-embedded-requirements.mdx +++ b/docs/enterprise/installing-embedded-requirements.mdx @@ -1,6 +1,7 @@ import EmbeddedClusterRequirements from "../partials/embedded-cluster/_requirements.mdx" import EmbeddedClusterPortRequirements from "../partials/embedded-cluster/_port-reqs.mdx" -import FirewallOpenings from "../partials/install/_firewall-openings.mdx" +import FirewallOpenings from "../partials/install/_firewall-openings-ec.mdx" +import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # Embedded Cluster Installation Requirements @@ -16,4 +17,6 @@ This topic lists the installation requirements for Replicated Embedded Cluster. ## Firewall Openings for Online Installations + + \ No newline at end of file 
diff --git a/docs/enterprise/installing-general-requirements.mdx b/docs/enterprise/installing-general-requirements.mdx index 0f1d81b85a..aa265529b4 100644 --- a/docs/enterprise/installing-general-requirements.mdx +++ b/docs/enterprise/installing-general-requirements.mdx @@ -1,6 +1,7 @@ import DockerCompatibility from "../partials/image-registry/_docker-compatibility.mdx" import KubernetesCompatibility from "../partials/install/_kubernetes-compatibility.mdx" -import FirewallOpenings from "../partials/install/_firewall-openings.mdx" +import FirewallOpenings from "../partials/install/_firewall-openings-kots.mdx" +import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # KOTS Installation Requirements @@ -268,4 +269,6 @@ KOTS has been tested for compatibility with the following registries: ## Firewall Openings for Online Installations + + diff --git a/docs/enterprise/installing-kurl-requirements.mdx b/docs/enterprise/installing-kurl-requirements.mdx index 2c75ecca41..117c1dbc00 100644 --- a/docs/enterprise/installing-kurl-requirements.mdx +++ b/docs/enterprise/installing-kurl-requirements.mdx @@ -1,4 +1,5 @@ -import FirewallOpenings from "../partials/install/_firewall-openings.mdx" +import FirewallOpenings from "../partials/install/_firewall-openings-kurl.mdx" +import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # kURL Installation Requirements @@ -35,4 +36,6 @@ You must meet the additional kURL system requirements when applicable: ## Firewall Openings for Online Installations + + \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-ec.mdx b/docs/partials/install/_firewall-openings-ec.mdx new file mode 100644 index 0000000000..ed45921025 --- /dev/null +++ b/docs/partials/install/_firewall-openings-ec.mdx @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + +
DomainDescription
`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` *

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

+ +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-helm.mdx b/docs/partials/install/_firewall-openings-helm.mdx new file mode 100644 index 0000000000..1798192d61 --- /dev/null +++ b/docs/partials/install/_firewall-openings-helm.mdx @@ -0,0 +1,20 @@ + + + + + + + + + + + + + + + + + +
DomainDescription
`replicated.app` *

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com`

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

+ +* Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) if included as a dependency of the application Helm chart. \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-intro.mdx b/docs/partials/install/_firewall-openings-intro.mdx new file mode 100644 index 0000000000..538a0d7254 --- /dev/null +++ b/docs/partials/install/_firewall-openings-intro.mdx @@ -0,0 +1,5 @@ +The domains for the services listed in the table below need to be accessible from servers performing online installations. No outbound internet access is required for air gap installations. + +For services hosted at domains owned by Replicated, the table below includes a link to the list of IP addresses for the domain at [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json) in GitHub. Note that the IP addresses listed in the `replicatedhq/ips` repository also include IP addresses for some domains that are _not_ required for installation. + +For any third-party services hosted at domains not owned by Replicated, consult the third-party's documentation for the IP address range for each domain, as needed. \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-kots.mdx b/docs/partials/install/_firewall-openings-kots.mdx new file mode 100644 index 0000000000..403128363c --- /dev/null +++ b/docs/partials/install/_firewall-openings-kots.mdx @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DomainDescription
Docker Hub

Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`

`proxy.replicated.com` *

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` **

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`kots.io`

Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

`github.com`Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.
+ +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). + +** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-kurl.mdx b/docs/partials/install/_firewall-openings-kurl.mdx new file mode 100644 index 0000000000..75b5a7b5ed --- /dev/null +++ b/docs/partials/install/_firewall-openings-kurl.mdx @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DomainDescription
Docker Hub

Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`

`proxy.replicated.com` *

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` **

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`k8s.kurl.sh`

`s3.kurl.sh`

kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.

The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.

`amazonaws.com``tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.
+ +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). + +** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings.mdx b/docs/partials/install/_firewall-openings.mdx index 7a26122073..53c4489565 100644 --- a/docs/partials/install/_firewall-openings.mdx +++ b/docs/partials/install/_firewall-openings.mdx @@ -54,7 +54,7 @@ For third-party services hosted at domains not owned by Replicated, the table be Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. - `github.com ` + `github.com` Not Required Not Required Required @@ -79,8 +79,8 @@ For third-party services hosted at domains not owned by Replicated, the table be -* Required only if the application uses the Replicated proxy registry. Contact your software vendor for more information. +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). -** Required only if the application uses the Replicated registry. Contact your software vendor for more information. +** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). -*** Required only if the Replicated SDK if included as a dependency of the application Helm chart. For more information, see [About the Replicated SDK](/vendor/replicated-sdk-overview). \ No newline at end of file +*** Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) if included as a dependency of the application Helm chart. \ No newline at end of file diff --git a/docs/vendor/install-with-helm.mdx b/docs/vendor/install-with-helm.mdx index 1618607866..04fe0e7f03 100644 --- a/docs/vendor/install-with-helm.mdx +++ b/docs/vendor/install-with-helm.mdx 
@@ -1,4 +1,6 @@ import Prerequisites from "../partials/helm/_helm-install-prereqs.mdx" +import FirewallOpenings from "../partials/install/_firewall-openings-helm.mdx" +import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # Installing with Helm @@ -10,34 +12,11 @@ Before you install, complete the following prerequisites: -## Firewall Openings Requirements - -The domains for the services listed below need to be accessible from servers performing online (internet-connected) installations: - -:::note -No outbound internet access is required for air gap installations. -::: - - - - - - - - - - - - - - - - - - -
DomainDescription
`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`registry.replicated.com`

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`replicated.app` *

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

- -* Required only if the Replicated SDK if included as a dependency of the application Helm chart. For more information, see [About the Replicated SDK](/vendor/replicated-sdk-overview). +## Firewall Openings for Online Installations + + + + ## Install From 23552d238852b4b7a1ef81c29b2ef6244afc6b96 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Wed, 18 Dec 2024 09:47:25 -0700 Subject: [PATCH 5/7] typo --- docs/partials/install/_firewall-openings-helm.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/partials/install/_firewall-openings-helm.mdx b/docs/partials/install/_firewall-openings-helm.mdx index 1798192d61..aea848d152 100644 --- a/docs/partials/install/_firewall-openings-helm.mdx +++ b/docs/partials/install/_firewall-openings-helm.mdx @@ -17,4 +17,4 @@ -* Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) if included as a dependency of the application Helm chart. \ No newline at end of file +* Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) is included as a dependency of the application Helm chart. \ No newline at end of file From 01711ec55488f8f72f34827c06cc02a75915389d Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Wed, 18 Dec 2024 09:59:57 -0700 Subject: [PATCH 6/7] edit headings --- docs/enterprise/installing-embedded-requirements.mdx | 2 +- docs/enterprise/installing-general-requirements.mdx | 2 +- docs/enterprise/installing-kurl-requirements.mdx | 2 +- docs/vendor/install-with-helm.mdx | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/enterprise/installing-embedded-requirements.mdx b/docs/enterprise/installing-embedded-requirements.mdx index d99a0c7306..8ddede3d58 100644 --- a/docs/enterprise/installing-embedded-requirements.mdx +++ b/docs/enterprise/installing-embedded-requirements.mdx 
@@ -15,7 +15,7 @@ This topic lists the installation requirements for Replicated Embedded Cluster. -## Firewall Openings for Online Installations +## Firewall Openings for Online Installations with Embedded Cluster {#firewall} diff --git a/docs/enterprise/installing-general-requirements.mdx b/docs/enterprise/installing-general-requirements.mdx index aa265529b4..f54a5ffbbf 100644 --- a/docs/enterprise/installing-general-requirements.mdx +++ b/docs/enterprise/installing-general-requirements.mdx @@ -267,7 +267,7 @@ KOTS has been tested for compatibility with the following registries: -## Firewall Openings for Online Installations +## Firewall Openings for Online Installations with KOTS in an Existing Cluster {#firewall} diff --git a/docs/enterprise/installing-kurl-requirements.mdx b/docs/enterprise/installing-kurl-requirements.mdx index 117c1dbc00..4a5f75ad74 100644 --- a/docs/enterprise/installing-kurl-requirements.mdx +++ b/docs/enterprise/installing-kurl-requirements.mdx @@ -34,7 +34,7 @@ You must meet the additional kURL system requirements when applicable: - **Cloud Disk Performance**: For a list of cloud VM instance and disk combinations that are known to provide sufficient performance for etcd and pass the write latency preflight, see [Cloud Disk Performance](https://kurl.sh/docs/install-with-kurl/system-requirements#cloud-disk-performance) in the kURL documentation. -## Firewall Openings for Online Installations +## Firewall Openings for Online Installations with kURL {#firewall} diff --git a/docs/vendor/install-with-helm.mdx b/docs/vendor/install-with-helm.mdx index 04fe0e7f03..e9ea74c273 100644 --- a/docs/vendor/install-with-helm.mdx +++ b/docs/vendor/install-with-helm.mdx @@ -12,7 +12,7 @@ Before you install, complete the following prerequisites: -## Firewall Openings for Online Installations +## Firewall Openings for Online Installations with Helm {#firewall} From fa31f3b1b03ef55ea73bef188529ccae121e5f0c Mon Sep 17 00:00:00 2001 
From: Paige Calvert Date: Wed, 18 Dec 2024 10:11:09 -0700 Subject: [PATCH 7/7] adjust partials --- .../installing-embedded-requirements.mdx | 22 ++++++++++-- .../installing-general-requirements.mdx | 36 +++++++++++++++++-- .../installing-kurl-requirements.mdx | 36 +++++++++++++++++-- .../install/_firewall-openings-ec.mdx | 20 ----------- .../install/_firewall-openings-helm.mdx | 20 ----------- .../install/_firewall-openings-kots.mdx | 34 ------------------ .../install/_firewall-openings-kurl.mdx | 34 ------------------ docs/vendor/install-with-helm.mdx | 22 ++++++++++-- 8 files changed, 108 insertions(+), 116 deletions(-) delete mode 100644 docs/partials/install/_firewall-openings-ec.mdx delete mode 100644 docs/partials/install/_firewall-openings-helm.mdx delete mode 100644 docs/partials/install/_firewall-openings-kots.mdx delete mode 100644 docs/partials/install/_firewall-openings-kurl.mdx diff --git a/docs/enterprise/installing-embedded-requirements.mdx b/docs/enterprise/installing-embedded-requirements.mdx index 8ddede3d58..d243fcbe93 100644 --- a/docs/enterprise/installing-embedded-requirements.mdx +++ b/docs/enterprise/installing-embedded-requirements.mdx @@ -1,6 +1,5 @@ import EmbeddedClusterRequirements from "../partials/embedded-cluster/_requirements.mdx" import EmbeddedClusterPortRequirements from "../partials/embedded-cluster/_port-reqs.mdx" -import FirewallOpenings from "../partials/install/_firewall-openings-ec.mdx" import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # Embedded Cluster Installation Requirements @@ -19,4 +18,23 @@ This topic lists the installation requirements for Replicated Embedded Cluster. - \ No newline at end of file + + + + + + + + + + + + + + + + + +
DomainDescription
`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` *

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

+ +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). \ No newline at end of file diff --git a/docs/enterprise/installing-general-requirements.mdx b/docs/enterprise/installing-general-requirements.mdx index f54a5ffbbf..2c5a59971f 100644 --- a/docs/enterprise/installing-general-requirements.mdx +++ b/docs/enterprise/installing-general-requirements.mdx @@ -1,6 +1,5 @@ import DockerCompatibility from "../partials/image-registry/_docker-compatibility.mdx" import KubernetesCompatibility from "../partials/install/_kubernetes-compatibility.mdx" -import FirewallOpenings from "../partials/install/_firewall-openings-kots.mdx" import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # KOTS Installation Requirements @@ -271,4 +270,37 @@ KOTS has been tested for compatibility with the following registries: - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DomainDescription
Docker Hub

Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`

`proxy.replicated.com` *

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` **

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`kots.io`

Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

`github.com`Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.
+ +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). + +** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). diff --git a/docs/enterprise/installing-kurl-requirements.mdx b/docs/enterprise/installing-kurl-requirements.mdx index 4a5f75ad74..c3a17222fb 100644 --- a/docs/enterprise/installing-kurl-requirements.mdx +++ b/docs/enterprise/installing-kurl-requirements.mdx @@ -1,4 +1,3 @@ -import FirewallOpenings from "../partials/install/_firewall-openings-kurl.mdx" import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # kURL Installation Requirements @@ -38,4 +37,37 @@ You must meet the additional kURL system requirements when applicable: - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DomainDescription
Docker Hub

Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`

`proxy.replicated.com` *

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` **

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`k8s.kurl.sh`

`s3.kurl.sh`

kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.

The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.

`amazonaws.com``tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.
+ +* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). + +** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-ec.mdx b/docs/partials/install/_firewall-openings-ec.mdx deleted file mode 100644 index ed45921025..0000000000 --- a/docs/partials/install/_firewall-openings-ec.mdx +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - - - - - - - - -
DomainDescription
`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` *

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

- -* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-helm.mdx b/docs/partials/install/_firewall-openings-helm.mdx deleted file mode 100644 index aea848d152..0000000000 --- a/docs/partials/install/_firewall-openings-helm.mdx +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - - - - - - - - -
DomainDescription
`replicated.app` *

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com`

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

- -* Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) is included as a dependency of the application Helm chart. \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-kots.mdx b/docs/partials/install/_firewall-openings-kots.mdx deleted file mode 100644 index 403128363c..0000000000 --- a/docs/partials/install/_firewall-openings-kots.mdx +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DomainDescription
Docker Hub

Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`

`proxy.replicated.com` *

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` **

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`kots.io`

Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

`github.com`Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.
- -* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). - -** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). \ No newline at end of file diff --git a/docs/partials/install/_firewall-openings-kurl.mdx b/docs/partials/install/_firewall-openings-kurl.mdx deleted file mode 100644 index 75b5a7b5ed..0000000000 --- a/docs/partials/install/_firewall-openings-kurl.mdx +++ /dev/null @@ -1,34 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DomainDescription
Docker Hub

Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`

`proxy.replicated.com` *

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

`replicated.app`

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com` **

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`k8s.kurl.sh`

`s3.kurl.sh`

kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.

The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.

`amazonaws.com``tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.
- -* Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about). - -** Required only if the application uses the [Replicated registry](/vendor/private-images-replicated). \ No newline at end of file diff --git a/docs/vendor/install-with-helm.mdx b/docs/vendor/install-with-helm.mdx index e9ea74c273..ad8deb9792 100644 --- a/docs/vendor/install-with-helm.mdx +++ b/docs/vendor/install-with-helm.mdx @@ -1,5 +1,4 @@ import Prerequisites from "../partials/helm/_helm-install-prereqs.mdx" -import FirewallOpenings from "../partials/install/_firewall-openings-helm.mdx" import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx" # Installing with Helm @@ -16,7 +15,26 @@ Before you install, complete the following prerequisites: - + + + + + + + + + + + + + + + + + +
DomainDescription
`replicated.app` *

Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.

`registry.replicated.com`

Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.

For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.

`proxy.replicated.com`

Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.

For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.

+ +* Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) is included as a dependency of the application Helm chart. ## Install
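Review bot: in the `docs/enterprise/installing-embedded-requirements.mdx` hunk of PATCH 7/7, the asterisk is on `registry.replicated.com`, but the footnote it resolves to reads "Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about)", which describes `proxy.replicated.com`. The KOTS and kURL tables in the same patch pair `registry.replicated.com` with the Replicated registry footnote (`/vendor/private-images-replicated`). Either switch this footnote to the Replicated registry wording and link, or move the asterisk if `proxy.replicated.com` is the conditional host for Embedded Cluster. The deleted `_firewall-openings-ec.mdx` had the same pairing, so the mismatch is carried over rather than introduced here, but as written an operator cannot tell which of the two egress openings is optional.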
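Review bot: in the `docs/enterprise/installing-general-requirements.mdx` hunk of PATCH 7/7, every IP-range link targets a line range on a moving branch, for example `ip_addresses.json#L52-L57`, `#L60-L65` and `#L20-L25` under `blob/main`. Any edit to that JSON file shifts the lines, and the link will then highlight a different service's ranges without any visible error, which is a bad failure mode for text people copy into firewall allowlists. Link to the file without the line fragment and tell the reader which entry to look for, so the reference stays correct as the file changes. Smaller point in the Docker Hub row: the sentence-ending period is inside the code span in `*.docker.com.`; move it outside the backticks so the value is not pasted into an allowlist with a trailing dot.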
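Review bot: in the `docs/enterprise/installing-kurl-requirements.mdx` hunk of PATCH 7/7, the last row lists the bare parent domain `amazonaws.com`, while the Docker Hub row in the same table spells out wildcards explicitly (`*.docker.io`). A firewall administrator cannot tell from this row whether an exact host or the whole `*.amazonaws.com` namespace has to be opened, and the second reading is a very broad egress rule. State the intended match form in the row, and name the specific S3 host if it is stable. Wording in the `s3.kurl.sh` paragraph also needs a pass: "The range of IP addresses ... are the same" should agree in number, and "the range of IP address for `kurl.sh`" should read "IP addresses".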
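Review bot: the four `deleted file mode 100644` hunks of PATCH 7/7 remove the partials `_firewall-openings-ec.mdx`, `_firewall-openings-helm.mdx`, `_firewall-openings-kots.mdx` and `_firewall-openings-kurl.mdx` and leave the shared rows (`proxy.replicated.com`, `replicated.app`, `registry.replicated.com`) duplicated inline across four pages, so any later correction to a domain or footnote has to be made in up to four places and the copies can drift apart. The `registry.replicated.com` row already shows this: it reads "Replicated, Inc which is headquartered" in every copy, while the other rows read "Replicated, Inc., which". If inlining is required for rendering, say so in the commit message, which currently reads only "adjust partials". PATCH 5/7 also fixes a typo in `_firewall-openings-helm.mdx`, a file this patch then deletes; squashing the series before merge would keep that churn out of history.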
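Review bot: in the `docs/vendor/install-with-helm.mdx` hunk of PATCH 7/7, `registry.replicated.com` and `proxy.replicated.com` carry no footnote marker, so the Helm table presents both as unconditionally required, while the KOTS and kURL tables in this same patch mark them as required only when the application uses the Replicated proxy registry or the Replicated registry. If the same conditions hold for Helm installations, add the matching footnotes here so operators do not open egress they do not need; if Helm really differs, a short sentence explaining why would prevent readers from assuming the tables are out of sync. Only `replicated.app` is footnoted in this table, with the Replicated SDK condition.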