doc: create markdown doc for supported variations

ibm_catalog.json

@@ -222,7 +222,7 @@
               {
                 "diagram": {
                   "caption": "Red Hat OpenShift cluster topology",
-                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/refs/heads/main/reference-architecture/deployable-architecture-ocp-cluster.svg",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/refs/heads/main/reference-architectures/deployable-architecture-ocp-cluster.svg",
                   "type": "image/svg+xml"
                 },
                 "description": "This architecture supports creation of <b>Red Hat OpenShift cluster</b> within a Virtual Private Cloud (VPC).<br><br>You can create a fully-configured <b>VPC</b> by selecting the [Cloud automation for VPC](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-vpc-2af61763-f8ef-4527-a815-b92166f29bc8-global) dependency or you can use an existing VPC if any. The VPC can be provisioned either in a single-zone or multi-zone configuration, depending on your availability requirements. By default, the VPC addon provisions a three-zone VPC, forming the foundation for your OpenShift cluster. This cluster includes a single worker pool distributed across all three zones, with two worker nodes per zone. If you need additional worker pools, you can easily configure them using the <b>additional_worker_pools</b> variable.<br><br>A <b>Cloud Object Storage (COS)</b> instance is required for this topology. Within this instance, an Object Storage bucket will be created, which serves as the internal registry storage for the OpenShift cluster. The [Cloud automation for Object Storage](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-cos-68921490-2778-4930-ac6d-bae7be6cd958-global) architecture supports the creation of COS instance. Additionally, <b>Key Management Services(KMS)</b> is used to encrypt the cluster and the boot volumes used by the cluster to enhance security.<br><br>For logging and monitoring needs, you can enable <b>Observability</b> for your cluster. [Cloud automation for Observability](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-observability-a3137d28-79e0-479d-8a24-758ebd5a0eab-global) provides advanced monitoring, logging, and operational insights into the performance and health of your deployment.<br><br><b>Secrets Manager</b> Integration can also be enabled using [Cloud automation for Secrets Manager](https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-secrets-manager-6d6ebc76-7bbd-42f5-8bc7-78f4fabd5944-global) for centrally managing Ingress subdomain certificates, ensuring secure management of sensitive credentials.<br><br>This architecture provides a robust and secure foundation for deploying and managing your Red Hat OpenShift cluster, enabling seamless integration, enhanced security, and comprehensive monitoring for your cloud-native applications."
@@ -1175,7 +1175,7 @@
               {
                 "diagram": {
                   "caption": "Red Hat OpenShift cluster topology - Quickstart",
-                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/refs/heads/main/reference-architecture/deployable-architecture-ocp-cluster-qs.svg",
+                  "url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/refs/heads/main/reference-architectures/deployable-architecture-ocp-cluster-qs.svg",
                   "type": "image/svg+xml"
                 },
                 "description": "This deployable architecture enables deployment of a <b>Red Hat OpenShift cluster</b> within an IBM Cloud Virtual Private Cloud (VPC). It provisions the OpenShift cluster and its foundational VPC infrastructure with a limited set of essential options for rapid and streamlined setup. Additionally, the deployment creates an <b>Object Storage bucket</b> that serves as the internal container image registry for the OpenShift cluster. Thus, it helps ensure seamless storage integration.<br><br>Users can select from predefined cluster sizes — <b>mini (default), small, medium, and large.</b> Each size determines the number of availability zones, worker nodes per zone, and the <b>machine type</b> (worker node flavor). [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/quickstart/DA_docs.md).<br><br>By default, the architecture provisions a <b>two-zone VPC</b>, forming the foundation for the OpenShift cluster. The cluster comprises a single worker pool distributed across these zones, with <b>two worker nodes per zone</b> in the mini configuration.<br><br>This streamlined architecture balances ease of use with flexibility, enabling rapid OpenShift cluster deployments with the infrastructure, integrated storage services, and right-sized compute resources of IBM Cloud."

reference-architectures/deploy-arch-ibm-ocp-fully-configurable.md

@@ -0,0 +1,197 @@
+---
+
+copyright:
+  years: 2025
+lastupdated: "2025-09-03"
+
+keywords:
+
+subcollection: deployable-reference-architectures
+
+authors:
+  - name: "Prateek Sharma"
+
+# The release that the reference architecture describes
+version: 3.55.6
+
+# Whether the reference architecture is published to Cloud Docs production.
+# When set to false, the file is available only in staging. Default is false.
+production: true
+
+# Use if the reference architecture has deployable code.
+# Value is the URL to land the user in the IBM Cloud catalog details page for the deployable architecture.
+# See https://test.cloud.ibm.com/docs/get-coding?topic=get-coding-deploy-button
+deployment-url: https://cloud.ibm.com/catalog/7a4d68b4-cf8b-40cd-a3d1-f49aff526eb3/architecture/deploy-arch-ibm-ocp-vpc-1728a4fd-f561-4cf9-82ef-2b1eeb5da1a8-global
+
+docs: https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/reference-architectures/deploy-arch-ibm-ocp-fully-configurable.md
+
+image_source: https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/reference-architectures/deployable-architecture-ocp-cluster.svg
+
+related_links:
+  - title: "Landing zone for containerized applications with OpenShift"
+    url: "https://cloud.ibm.com/docs/deployable-reference-architectures?topic=deployable-reference-architectures-ocp-fully-configurable"
+    description: "A deployable architecture that delivers a scalable and flexible Red Hat OpenShift environment on IBM Cloud Virtual Private Cloud (VPC), with seamless integration to security, observability, and other foundational services for containerized workloads."
+
+use-case: Cybersecurity
+industry: Banking,FinancialSector
+compliance: FedRAMP
+
+content-type: reference-architecture
+
+---
+
+{{site.data.keyword.attribute-definition-list}}
+
+# Landing zone for containerized applications with OpenShift - Standard - Integrated setup with configurable services
+{: #ocp-fully-configurable}
+{: toc-content-type="reference-architecture"}
+{: toc-industry="Banking,FinancialSector"}
+{: toc-use-case="Cybersecurity"}
+{: toc-compliance="FedRAMP"}
+{: toc-version="1.1.0"}
+
+Landing zone for containerized applications with OpenShift provides a scalable, secure, and production-ready foundation for deploying containerized applications on IBM Cloud. It comes integrated by default with several IBM Cloud services to enhance security, observability, and compliance. Data encryption is enforced using Key Protect and Key Management Services (KMS), while Cloud Object Storage (COS) supports persistent storage and acts as the internal image registry. Secrets Manager is used to securely manage sensitive credentials and certificates, ensuring tighter control over access and authentication. Observability is delivered through Cloud Monitoring, Cloud Logs, and Activity Tracker, while regulatory compliance is supported via Security and Compliance Center and Workload Protection. These integrated capabilities work together to deliver a resilient and well-governed OpenShift environment.
+
+The solution provisions a Red Hat OpenShift cluster within an IBM Cloud VPC, using a default three-zone configuration for high availability. It deploys a single worker pool across all zones, with two worker nodes per zone by default, and allows easy scaling through configurable variables. Cluster and boot volume encryption are enforced, and a dedicated object storage bucket is required to host the internal image registry. This setup ensures strong data protection and infrastructure reliability from the start.
+
+While this architecture is designed to function independently, it also serves as a flexible foundation for more advanced use cases. It supports seamless integration with Cloud Automation for Red Hat OpenShift AI, enabling organizations to deploy AI-driven workloads and accelerate innovation. With its secure, extensible design and managed cloud services, the solution helps enterprises reduce operational complexity and deliver critical applications faster within a governed Red Hat OpenShift ecosystem.
+
+## Architecture diagram
+{: #ra-ocp-fully-configurable-architecture-diagram}
+
+![Architecture diagram for the Standard - Integrated setup with configurable services variation of Landing zone for containerized applications with OpenShift](deployable-architecture-ocp-cluster.svg "Architecture diagram of Standard - Integrated setup with configurable services variation of Landing zone for containerized applications with OpenShift deployable architecture"){: caption="Figure 1. Standard - Integrated setup with configurable services variation of Landing zone for containerized applications with OpenShift" caption-side="bottom"}{: external download="deployable-architecture-ocp-cluster.svg"}
+
+## Design concepts
+{: #ra-ocp-fully-configurable-design-concepts}
+
+![Design requirements for Landing zone for containerized applications with OpenShift](heat-map-deploy-arch-ocp-fully-configurable.svg "Design concepts"){: caption="Figure 2. Scope of the design concepts" caption-side="bottom"}
+
+## Requirements
+{: #ra-ocp-fully-configurable-requirements}
+
+The following table outlines the requirements that are addressed in this architecture.
+
+| Aspect | Requirements |
+|---|---|
+| Compute | Openshift cluster with minimal machine size and nodes, suitable for low-cost demonstration and development |
+| Storage | Openshift cluster registry backup (required) |
+| Networking | * Multiple VPCs for network isolation. \n * All public inbound and outbound traffic allowed to VPCs. \n * Administration of cluster allowed from public endpoint and web console. \n * Load balancer for cluster workload services. \n * Outbound internet access from cluster. \n * Private network connection between VPCs. |
+| Security | * Encryption of all application data in transit and at rest to protect it from unauthorized disclosure. \n * Storage and management of all encryption keys. \n * Protect cluster administration access through IBM Cloud security protocols. |
+| Service Management | Automated deployment of infrastructure with IBM Cloud catalog |
+{: caption="Table 1. Requirements" caption-side="bottom"}
+
+## Components
+{: #ra-ocp-fully-configurable-components}
+
+The following table outlines the products or services used in the architecture for each aspect.
+
+| Aspects | Architecture components | How the component is used |
+|---|---|---|
+| Compute | Red Hat OpenShift Container Platform | Container execution |
+| Storage | IBM Cloud Object Storage | Registry backup for Red Hat OpenShift |
+| Networking | * VPC Load Balancer \n * Public Gateway \n * Transit Gateway | * Application load balancing for cluster workloads (automatically created by Red Hat OpenShift service for multi-zone cluster) \n * Cluster access to the internet \n * Private network connectivity between management and workload VPCs |
+| Security | * IAM \n * Key Protect | * IBM Cloud Identity and Access Management \n * Management of encryption keys used by Red Hat OpenShift Container Platform |
+{: caption="Table 2. Components" caption-side="bottom"}
+
+### Cluster architecture decisions
+{: #ra-ocp-fully-configurable-components-cluster}
+
+| Requirement | Component | Reasons for choice | Alternative choice |
+|-------------|-----------|--------------------|--------------------|
+| * High availability across zones \n * Fault tolerance for workloads | Multi-zone Red Hat OpenShift cluster | Provides built-in resiliency by distributing worker nodes across three zones | Deploy single-zone clusters with lower availability |
+| * Scalable worker infrastructure \n * Cost optimization | Worker pools with configurable node counts | Flexibility to scale nodes horizontally and vertically | Fixed-size clusters with no scaling options |
+| * Persistent storage for internal registry | Cloud Object Storage | Highly durable, encrypted, and cost-efficient storage | File or block storage solutions with higher cost |
+
+{: caption="Cluster architecture decisions" caption-side="bottom"}
+
+### Networking architecture decisions
+{: #ra-ocp-fully-configurable-components-networking}
+
+| Requirement | Component | Reasons for choice | Alternative choice |
+|-------------|-----------|--------------------|--------------------|
+| * Enable application traffic distribution \n * Support external workloads | VPC Load Balancer | Provides managed ingress and load balancing | Third-party ingress controllers |
+| * Secure connectivity to the internet | Public gateways | Allow outbound connectivity for cluster nodes | Private-only clusters with no internet access |
+| * Multi-VPC communication \n * Hub-and-spoke models | Transit Gateway | Provides secure, private connectivity across VPCs | Use VPN gateways or Direct Link |
+
+{: caption="Networking architecture decisions" caption-side="bottom"}
+
+### Security and compliance architecture decisions
+{: #ra-ocp-fully-configurable-components-security}
+
+| Requirement | Component | Reasons for choice | Alternative choice |
+|-------------|-----------|--------------------|--------------------|
+| * Encryption of data at rest \n * Key lifecycle management | Key Protect | Centralized management of encryption keys | Bring Your Own Key (BYOK) solutions |
+| * Secure secrets and credentials management | Secrets Manager | Centralized storage and rotation of sensitive credentials | Store secrets directly in OpenShift etcd |
+| * Strong authentication and authorization | IAM | Fine-grained access control across users and services | Local OpenShift RBAC only |
+
+{: caption="Security and compliance architecture decisions" caption-side="bottom"}
+
+### Flexibility and customization architecture decisions
+{: #ra-ocp-fully-configurable-components-flexibility}
+
+| Requirement | Component | Reasons for choice | Alternative choice |
+|-------------|-----------|--------------------|--------------------|
+| * Support scaling workloads \n * Enable hybrid deployments | Configurable worker pools | Scale worker nodes to match workload demand | Static cluster sizes |
+| * Meet diverse compliance requirements \n * Enable observability integration | Cloud Monitoring, Cloud Logs, Activity Tracker | Provides enterprise-grade visibility and compliance reporting | Third-party monitoring tools |
+| * Enable AI-ready workloads | Integration with Cloud Automation for Red Hat OpenShift AI | Prepares foundation for AI/ML use cases | Manual setup of AI services |
+
+{: caption="Flexibility and customization architecture decisions" caption-side="bottom"}
+
+## Key features
+{: #ra-ocp-fully-configurable-features}
+
+The Standard - Integrated setup with configurable services variation of Landing zone for containerized applications with OpenShift provides comprehensive capabilities across:
+
+## Red Hat OpenShift Cluster
+
+- **Cluster creation and configuration**: Creates a Red Hat OpenShift cluster on IBM Cloud to manage containerized applications at scale.
+- **Enterprise-grade features**: Integrated security, scalability, automation, and compliance-ready capabilities.
+- **Multi-zone deployment**: By default, deployed across three zones for high availability.
+
+## Worker pools
+
+- **Customizable worker pools**: Group and manage worker nodes with similar compute configurations.
+- **Scalability**: Supports horizontal scaling of worker pools and adjustment of machine profiles.
+- **High availability**: Worker nodes can be distributed across multiple zones for resilience.
+
+## Access endpoints
+
+- **Public and Private connectivity**: Offers private and public service endpoints.
+- **Enhanced security**: Private-only endpoints can be enabled to restrict access to trusted networks.
+- **Administrative flexibility**: Secure cluster management via CLI, API, or web console.
+
+## Ingress controller
+
+- **Traffic management**: Deploys ingress controllers to route external traffic to the correct workloads.
+- **TLS termination**: Supports secure HTTPS traffic termination at ingress.
+- **Extensibility**: Configurable for custom ingress domains and certificates.
+
+## Object Storage
+
+- **Cluster registry storage**: Configures IBM Cloud Object Storage buckets for OpenShift’s internal image registry.
+- **Flexible provisioning**: Use an existing COS instance or create a new one automatically.
+- **Resilience**: Supports durable storage with regional resiliency.
+
+## KMS encryption
+
+- **Boot volume and cluster encryption**: Optionally integrates with Key Protect or Hyper Protect Crypto Services.
+- **Flexible key options**: Supports creating new encryption keys or using existing ones.
+- **Compliance support**: Ensures data at rest is protected in line with regulatory standards.
+
+## Secrets Manager
+
+- **Centralized credential management**: Optionally integrates with IBM Cloud Secrets Manager.
+- **Certificate lifecycle management**: Store and manage ingress subdomain TLS certificates.
+- **Enhanced governance**: Fine-grained access controls for secret usage.
+
+## Observability
+
+- **Integrated logging and monitoring**: Optional setup with Cloud Monitoring, Cloud Logs, and Activity Tracker.
+- **Event routing**: Centralize cluster and workload events for compliance and operations.
+- **Scalable telemetry**: Ready to integrate with enterprise observability stacks.
+
+### Kube Audit
+
+- **API activity monitoring**: Captures Kubernetes API server events such as user actions and configuration changes.
+- Compliance assurance: Provides audit trails aligned with FedRAMP and enterprise security requirements.
+- Centralized visibility: Events routed to observability and SIEM platforms for investigation.