diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 837e21f648f3..2f7f0d985e1b 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -213,6 +213,22 @@ Topics:
 File: installing-restricted-networks-gcp
 - Name: Uninstalling a cluster on GCP
 File: uninstalling-cluster-gcp
+- Name: Installing on IBM Cloud
+ Dir: installing_ibm_cloud_public
+ Distros: openshift-origin,openshift-enterprise
+ Topics:
+ - Name: Preparing to install on IBM Cloud
+ File: preparing-to-install-on-ibm-cloud
+ - Name: Configuring an IBM Cloud account
+ File: installing-ibm-cloud-account
+ - Name: Configuring IAM for IBM Cloud
+ File: configuring-iam-ibm-cloud
+ - Name: Installing a cluster on IBM Cloud with customizations
+ File: installing-ibm-cloud-customizations
+ - Name: Installing a cluster on IBM Cloud with network customizations
+ File: installing-ibm-cloud-network-customizations
+ - Name: Uninstalling a cluster on IBM Cloud
+ File: uninstalling-cluster-ibm-cloud
 - Name: Installing on bare metal
 Dir: installing_bare_metal
 Distros: openshift-origin,openshift-enterprise
diff --git a/installing/installing-preparing.adoc b/installing/installing-preparing.adoc
index dc3a5819b651..9eb8d9aacc7d 100644
--- a/installing/installing-preparing.adoc
+++ b/installing/installing-preparing.adoc
@@ -24,6 +24,7 @@ If you want to install and manage {product-title} yourself, you can install it o
 * Google Cloud Platform (GCP)
 * {rh-openstack-first}
 * {rh-virtualization-first}
+* IBM Cloud
 * IBM Z and LinuxONE
 * IBM Z and LinuxONE for {op-system-base-full} KVM
 * IBM Power
@@ -120,10 +121,10 @@ Not all installation options are supported for all platforms, as shown in the fo .Installer-provisioned infrastructure options |=== ifndef::openshift-origin[] -||AWS (x86_64) |AWS (arm64) |Azure |Azure Stack Hub |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |RHV |Bare metal |vSphere |VMC |IBM Z |IBM Power +||AWS (x86_64) |AWS (arm64) |Azure |Azure Stack Hub |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |RHV |Bare metal |vSphere |VMC |IBM Cloud |IBM Z |IBM Power endif::openshift-origin[] ifdef::openshift-origin[] -||AWS |Azure |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |oVirt |Bare metal |vSphere |VMC |IBM Z |IBM Power +||AWS |Azure |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |oVirt |Bare metal |vSphere |VMC |IBM Cloud |IBM Z |IBM Power endif::openshift-origin[] |Default @@ -138,6 +139,7 @@ endif::openshift-origin[] |xref:../installing/installing_bare_metal_ipi/ipi-install-overview.adoc#ipi-install-overview[X] |xref:../installing/installing_vsphere/installing-vsphere-installer-provisioned.adoc#installing-vsphere-installer-provisioned[X] |xref:../installing/installing_vmc/installing-vmc.adoc#installing-vmc[X] +|xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc#installing-ibm-cloud-customizations[X] | | @@ -153,6 +155,7 @@ endif::openshift-origin[] | |xref:../installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc#installing-vsphere-installer-provisioned-customizations[X] |xref:../installing/installing_vmc/installing-vmc-customizations.adoc#installing-vmc-customizations[X] +|xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc#installing-ibm-cloud-customizations[X] | | 
@@ -168,6 +171,7 @@ endif::openshift-origin[] | |xref:../installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc#installing-vsphere-installer-provisioned-network-customizations[X] |xref:../installing/installing_vmc/installing-vmc-network-customizations.adoc#installing-vmc-network-customizations[X] +|xref:../installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc#installing-ibm-cloud-network-customizations[X] | | @@ -185,6 +189,7 @@ endif::openshift-origin[] |xref:../installing/installing_vmc/installing-restricted-networks-vmc.adoc#installing-restricted-networks-vmc[X] | | +| |Private clusters |xref:../installing/installing_aws/installing-aws-private.adoc#installing-aws-private[X] @@ -200,6 +205,7 @@ endif::openshift-origin[] | | | +| |Existing virtual private networks |xref:../installing/installing_aws/installing-aws-vpc.adoc#installing-aws-vpc[X] @@ -215,6 +221,7 @@ endif::openshift-origin[] | | | +| |Government regions |xref:../installing/installing_aws/installing-aws-government-region.adoc#installing-aws-government-region[X] @@ -230,6 +237,7 @@ endif::openshift-origin[] | | | +| |China regions |xref:../installing/installing_aws/installing-aws-china.adoc#installing-aws-china-region[X] 
@@ -245,15 +253,16 @@ endif::openshift-origin[] | | | +| |=== .User-provisioned infrastructure options |=== ifndef::openshift-origin[] -||AWS |Azure |Azure Stack Hub |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |RHV |Bare metal (x86_64) |Bare metal (arm64) |vSphere |VMC |IBM Z |IBM Z with {op-system-base} KVM |IBM Power |Platform agnostic +||AWS |Azure |Azure Stack Hub |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |RHV |Bare metal (x86_64) |Bare metal (arm64) |vSphere |VMC |IBM Cloud |IBM Z |IBM Z with {op-system-base} KVM |IBM Power |Platform agnostic endif::openshift-origin[] ifdef::openshift-origin[] -||AWS |Azure |Azure Stack Hub |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |oVirt |Bare metal |vSphere |VMC |IBM Z |IBM Z with {op-system-base} KVM |IBM Power |Platform agnostic +||AWS |Azure |Azure Stack Hub |GCP |{rh-openstack} |{rh-openstack} on SR-IOV |oVirt |Bare metal |vSphere |VMC |IBM Cloud |IBM Z |IBM Z with {op-system-base} KVM |IBM Power |Platform agnostic endif::openshift-origin[] @@ -269,6 +278,7 @@ endif::openshift-origin[] |xref:../installing/installing_bare_metal/installing-bare-metal.adoc#installing-bare-metal[X] |xref:../installing/installing_vsphere/installing-vsphere.adoc#installing-vsphere[X] |xref:../installing/installing_vmc/installing-vmc-user-infra.adoc#installing-vmc-user-infra[X] +| |xref:../installing/installing_ibm_z/installing-ibm-z.adoc#installing-ibm-z[X] |xref:../installing/installing_ibm_z/installing-ibm-z-kvm.adoc#installing-ibm-z-kvm[X] |xref:../installing/installing_ibm_power/installing-ibm-power.adoc#installing-ibm-power[X] @@ -292,6 +302,7 @@ endif::openshift-origin[] | | | +| |Restricted network |xref:../installing/installing_aws/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[X] 
@@ -305,6 +316,7 @@ endif::openshift-origin[] | |xref:../installing/installing_vsphere/installing-restricted-networks-vsphere.adoc#installing-restricted-networks-vsphere[X] |xref:../installing/installing_vmc/installing-restricted-networks-vmc-user-infra.adoc#installing-restricted-networks-vmc-user-infra[X] +| |xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc#installing-restricted-networks-ibm-z[X] |xref:../installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc#installing-restricted-networks-ibm-z-kvm[X] |xref:../installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc#installing-restricted-networks-ibm-power[X] @@ -326,6 +338,7 @@ endif::openshift-origin[] | | | +| |=== //// diff --git a/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc b/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc new file mode 100644 index 000000000000..8956d5bc5848 --- /dev/null +++ b/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc 
@@ -0,0 +1,25 @@
+:_content-type: ASSEMBLY
+[id="configuring-iam-ibm-cloud"]
+= Configuring IAM for IBM Cloud
+include::modules/common-attributes.adoc[]
+:context: configuring-iam-ibm-cloud
+
+toc::[]
+
+In environments where the cloud identity and access management (IAM) APIs are not reachable, you must put the Cloud Credential Operator (CCO) into manual mode before you install the cluster.
+
+include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_configuring-iam-ibm-cloud"]
+.Additional resources
+* xref:../../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc[About the Cloud Credential Operator]
+
+include::modules/cco-ccoctl-configuring.adoc[leveloffset=+1]
+include::modules/refreshing-service-ids-ibm-cloud.adoc[leveloffset=+1]
+//include::modules/manually-maintained-credentials-upgrade.adoc[leveloffset=+1]
+// Will need to revisit upgrade scenario for IBM Cloud; not needed until OCP 4.11. Tentative instructions have been added for reference later.
+
+[id="next-steps_configuring-iam-ibm-cloud"]
+== Next steps
+* xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc#installing-ibm-cloud-customizations[Installing a cluster on IBM Cloud with customizations]
diff --git a/installing/installing_ibm_cloud_public/images b/installing/installing_ibm_cloud_public/images
new file mode 120000
index 000000000000..5fa6987088da
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/images
@@ -0,0 +1 @@
+../../images
\ No newline at end of file
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc
new file mode 100644
index 000000000000..d023496d23b1
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc
@@ -0,0 +1,27 @@
+:_content-type: ASSEMBLY
+[id="installing-ibm-cloud-account"]
+= Configuring an IBM Cloud account
+include::modules/common-attributes.adoc[]
+:context: installing-ibm-cloud-account
+
+toc::[]
+
+Before you can install {product-title}, you must configure an IBM Cloud account.
+
+[id="prerequisites_installing-ibm-cloud-account"]
+== Prerequisites
+
+* You have an IBM Cloud account with a subscription. You cannot install {product-title} on a free or trial IBM Cloud account.
+
+include::modules/quotas-and-limits-ibm-cloud.adoc[leveloffset=+1]
+
+include::modules/installation-cis-ibm-cloud.adoc[leveloffset=+1]
+
+include::modules/installation-ibm-cloud-iam-policies-api-key.adoc[leveloffset=+1]
+include::modules/installation-ibm-cloud-creating-api-key.adoc[leveloffset=+2]
+
+include::modules/installation-ibm-cloud-regions.adoc[leveloffset=+1]
+
+[id="next-steps_installing-ibm-cloud-account"]
+== Next steps
+* xref:../../installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc#configuring-iam-ibm-cloud[Configuring IAM for IBM Cloud]
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
new file mode 100644
index 000000000000..fe0710c2e5ee
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
@@ -0,0 +1,64 @@
+:_content-type: ASSEMBLY
+[id="installing-ibm-cloud-customizations"]
+= Installing a cluster on IBM Cloud with customizations
+include::modules/common-attributes.adoc[]
+:context: installing-ibm-cloud-customizations
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a customized cluster on infrastructure that the installation program provisions on IBM Cloud. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster.
+
+[id="prerequisites_installing-ibm-cloud-customizations"]
+== Prerequisites
+
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
+* You xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc#installing-ibm-cloud-account[configured an IBM Cloud account] to host the cluster.
+* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
+* You configured the `ccoctl` utility before you installed the cluster. For more information, see xref:../../installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc#configuring-iam-ibm-cloud[Configuring IAM for IBM Cloud].
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/installation-ibm-cloud-export-variables.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-ibm-cloud-config-yaml.adoc[leveloffset=+2]
+
+//.Additional resources
+
+//* ../../machine_management/creating_machinesets/creating-machineset-ibm-cloud.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-ibm-cloud[Enabling customer-managed encryption keys for a machine set]
+
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/manually-create-iam-ibm-cloud.adoc[leveloffset=+1]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_installing-ibm-cloud-customizations-console"]
+.Additional resources
+* xref:../../web_console/web-console.adoc#web-console[Accessing the web console]
+
+include::modules/cluster-telemetry.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_installing-ibm-cloud-customizations-telemetry"]
+.Additional resources
+* xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
+
+[id="next-steps_installing-ibm-cloud-customizations"]
+== Next steps
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* If necessary, you can
+xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
diff --git a/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc b/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
new file mode 100644
index 000000000000..d0028d7b42e8
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
@@ -0,0 +1,73 @@
+:_content-type: ASSEMBLY
+[id="installing-ibm-cloud-network-customizations"]
+= Installing a cluster on IBM Cloud with network customizations
+include::modules/common-attributes.adoc[]
+:context: installing-ibm-cloud-network-customizations
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster with a
+customized network configuration on infrastructure that the installation program provisions on IBM Cloud. By customizing your network configuration, your cluster can coexist with existing IP address allocations in your environment and integrate with existing MTU and VXLAN configurations. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster.
+
+You must set most of the network configuration parameters during installation, and you can modify only `kubeProxy` configuration parameters in a running cluster.
+
+[id="prerequisites_installing-ibm-cloud-network-customizations"]
+== Prerequisites
+
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
+* You xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc#installing-ibm-cloud-account[configured an IBM Cloud account] to host the cluster.
+* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
+* You configured the `ccoctl` utility before you installed the cluster. For more information, see xref:../../installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc#configuring-iam-ibm-cloud[Configuring IAM for IBM Cloud].
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/installation-ibm-cloud-export-variables.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-ibm-cloud-config-yaml.adoc[leveloffset=+2]
+
+//.Additional resources
+
+//* ../../machine_management/creating_machinesets/creating-machineset-ibm-cloud.adoc#machineset-enabling-customer-managed-encryption_creating-machineset-ibm-cloud[Enabling customer-managed encryption keys for a machine set]
+
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/manually-create-iam-ibm-cloud.adoc[leveloffset=+1]
+
+// Network Operator specific configuration
+include::modules/nw-network-config.adoc[leveloffset=+1]
+include::modules/nw-modifying-operator-install-config.adoc[leveloffset=+1]
+include::modules/nw-operator-cr.adoc[leveloffset=+1]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_installing-ibm-cloud-network-customizations-console"]
+.Additional resources
+* xref:../../web_console/web-console.adoc#web-console[Accessing the web console]
+
+include::modules/cluster-telemetry.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_installing-ibm-cloud-network-customizations-telemetry"]
+.Additional resources
+* xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
+
+[id="next-steps_installing-ibm-cloud-network-customizations"]
+== Next steps
+
+* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* If necessary, you can
+xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
diff --git a/installing/installing_ibm_cloud_public/modules b/installing/installing_ibm_cloud_public/modules
new file mode 120000
index 000000000000..8b0e8540076d
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/modules
@@ -0,0 +1 @@
+../../modules
\ No newline at end of file
diff --git a/installing/installing_ibm_cloud_public/preparing-to-install-on-ibm-cloud.adoc b/installing/installing_ibm_cloud_public/preparing-to-install-on-ibm-cloud.adoc
new file mode 100644
index 000000000000..f77e854ee76d
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/preparing-to-install-on-ibm-cloud.adoc
@@ -0,0 +1,46 @@
+:_content-type: ASSEMBLY
+[id="preparing-to-install-on-ibm-cloud"]
+= Preparing to install on IBM Cloud
+include::modules/common-attributes.adoc[]
+:context: preparing-to-install-on-ibm-cloud
+
+toc::[]
+
+[id="prerequisites_preparing-to-install-on-ibm-cloud"]
+== Prerequisites
+
+* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
+
+* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
+
+[IMPORTANT]
+====
+The installation workflows documented in this section are for IBM Cloud VPC infrastructure environments. IBM Cloud Classic is not supported at this time. For more information on the difference between Classic and VPC infrastructures, see IBM's link:https://cloud.ibm.com/docs/cloud-infrastructure?topic=cloud-infrastructure-compare-infrastructure[documentation].
+====
+
+[id="requirements-for-installing-ocp-on-ibm-cloud"]
+== Requirements for installing {product-title} on IBM Cloud
+
+Before installing {product-title} on IBM Cloud, you must create a service account and configure an IBM Cloud account. See xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc#installing-ibm-cloud-account[Configuring an IBM Cloud account] for details about creating an account, enabling API services, configuring DNS, IBM Cloud account limits, and supported IBM Cloud regions.
+
+You must manually manage your cloud credentials when installing a cluster to IBM Cloud. Do this by configuring the Cloud Credential Operator (CCO) for manual mode before you install the cluster. For more information, see xref:../../installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc#configuring-iam-ibm-cloud[Configuring IAM for IBM Cloud].
+
+[id="choosing-a-method-to-install-ocp-on-ibm-cloud"]
+== Choosing a method to install {product-title} on IBM Cloud
+
+You can install {product-title} on IBM Cloud using installer-provisioned infrastructure. This process involves using an installation program to provision the underlying infrastructure for your cluster. Installing {product-title} on IBM Cloud using user-provisioned infrastructure is not supported at this time.
+
+See xref:../../architecture/architecture-installation.adoc#installation-process_architecture-installation[Installation process] for more information about installer-provisioned installation processes.
+
+[id="choosing-an-method-to-install-ocp-on-ibm-cloud-installer-provisioned"]
+=== Installing a cluster on installer-provisioned infrastructure
+
+You can install a cluster on IBM Cloud infrastructure that is provisioned by the {product-title} installation program by using one of the following methods:
+
+* **xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc#installing-ibm-cloud-customizations[Installing a customized cluster on IBM Cloud]**: You can install a customized cluster on IBM Cloud infrastructure that the installation program provisions. The installation program allows for some customization to be applied at the installation stage. Many other customization options are available xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-cluster-tasks[post-installation].
+
+* **xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc#installing-ibm-cloud-network-customizations[Installing a cluster on IBM Cloud with network customizations]**: You can customize your {product-title} network configuration during installation, so that your cluster can coexist with your existing IP address allocations and adhere to your network requirements.
+
+[id="next-steps_preparing-to-install-on-ibm-cloud"]
+== Next steps
+* xref:../../installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc#installing-ibm-cloud-account[Configuring an IBM Cloud account]
diff --git a/installing/installing_ibm_cloud_public/uninstalling-cluster-ibm-cloud.adoc b/installing/installing_ibm_cloud_public/uninstalling-cluster-ibm-cloud.adoc
new file mode 100644
index 000000000000..ea291c01b668
--- /dev/null
+++ b/installing/installing_ibm_cloud_public/uninstalling-cluster-ibm-cloud.adoc
@@ -0,0 +1,11 @@
+:_content-type: ASSEMBLY
+[id="uninstalling-cluster-ibm-cloud"]
+= Uninstalling a cluster on IBM Cloud
+include::modules/common-attributes.adoc[]
+:context: uninstalling-cluster-ibm-cloud
+
+toc::[]
+
+You can remove a cluster that you deployed to IBM Cloud.
+
+include::modules/installation-uninstall-clouds.adoc[leveloffset=+1]
diff --git a/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc b/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc
index 090d0d3bb2e9..2963046754de 100644
--- a/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc
+++ b/modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc
@@ -3,6 +3,7 @@
 // * installing/installing_aws/manually-creating-iam.adoc
 // * installing/installing_azure/manually-creating-iam-azure.adoc
 // * installing/installing_gcp/manually-creating-iam-gcp.adoc
+// * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc
 ifeval::["{context}" == "manually-creating-iam-aws"]
 :aws:
@@ -13,6 +14,9 @@ endif::[]
 ifeval::["{context}" == "manually-creating-iam-gcp"]
 :google-cloud-platform:
 endif::[]
+ifeval::["{context}" == "configuring-iam-ibm-cloud"]
+:ibm-cloud:
+endif::[]
 [id="alternatives-to-storing-admin-secrets-in-kube-system_{context}"]
 = Alternatives to storing administrator-level secrets in the kube-system project
@@ -53,6 +57,12 @@ If you prefer not to store an administrator-level credential secret in the clust
 Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
 endif::azure[]
+ifdef::ibm-cloud[]
+Storing an administrator-level credential secret in the cluster `kube-system` project is not supported for IBM Cloud; therefore, you must set the `credentialsMode` parameter for the CCO to `Manual` when installing {product-title} and manage your cloud credentials manually.
+
+Using manual mode allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. You can also use this mode if your environment does not have connectivity to the cloud provider public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade. You must also manually supply credentials for every component that requests them.
+endif::ibm-cloud[]
+
 ifeval::["{context}" == "manually-creating-iam-aws"]
 :!aws:
 endif::[]
@@ -62,3 +72,6 @@ endif::[]
 ifeval::["{context}" == "manually-creating-iam-gcp"]
 :!google-cloud-platform:
 endif::[]
+ifeval::["{context}" == "configuring-iam-ibm-cloud"]
+:!ibm-cloud:
+endif::[]
diff --git a/modules/cco-ccoctl-configuring.adoc b/modules/cco-ccoctl-configuring.adoc
index 5990d29c3246..e198ddab7fd5 100644
--- a/modules/cco-ccoctl-configuring.adoc
+++ b/modules/cco-ccoctl-configuring.adoc
@@ -1,24 +1,38 @@ // Module included in the following assemblies: // // * authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc +// * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc + +ifeval::["{context}" == "cco-mode-sts"] +:aws-sts: +endif::[] +ifeval::["{context}" == "configuring-iam-ibm-cloud"] +:ibm-cloud: +endif::[] :_content-type: PROCEDURE [id="cco-ccoctl-configuring_{context}"] = Configuring the Cloud Credential Operator utility -To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode with STS, extract and prepare the CCO utility (`ccoctl`) binary. +To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in +ifdef::aws-sts[manual mode with STS,] +ifdef::ibm-cloud[manual mode,] +extract and prepare the CCO utility (`ccoctl`) binary. [NOTE] ==== The `ccoctl` is a Linux binary that must run in a Linux environment. ==== -.Prerequisites - -* Obtain the {product-title} release image. - .Procedure +. Obtain the {product-title} release image: ++ +[source,terminal] +---- +$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}') +---- + . Get the CCO container image from the {product-title} release image: + [source,terminal] @@ -49,10 +63,19 @@ $ chmod 775 ccoctl * To verify that `ccoctl` is ready to use, display the help file: + +ifdef::aws-sts[] [source,terminal] ---- $ ccoctl aws --help ---- +endif::aws-sts[] +ifdef::ibm-cloud[] +[source,terminal] +---- +$ ccoctl ibmcloud --help +---- +endif::ibm-cloud[] +ifndef::ibm-cloud[] + .Output of `ccoctl aws --help`: + @@ -77,3 +100,11 @@ Flags: Use "ccoctl aws [command] --help" for more information about a command. ---- +endif::ibm-cloud[] + +ifeval::["{context}" == "cco-mode-sts"] +:!aws-sts: +endif::[] +ifeval::["{context}" == "configuring-iam-ibm-cloud"] +:!ibm-cloud: +endif::[] \ No newline at end of file 
diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc
index c78aa5fc315b..a6da66445d8f 100644
--- a/modules/cli-installing-cli.adoc
+++ b/modules/cli-installing-cli.adoc
@@ -26,6 +26,8 @@
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/install_config/installing-restricted-networks-preparations.adoc
 // * installing/installing_vmc/installing-vmc-user-infra.adoc
 // * installing/installing_vmc/installing-vmc.adoc
diff --git a/modules/cli-logging-in-kubeadmin.adoc b/modules/cli-logging-in-kubeadmin.adoc
index d46a1c24290e..cbc720f0b3e0 100644
--- a/modules/cli-logging-in-kubeadmin.adoc
+++ b/modules/cli-logging-in-kubeadmin.adoc
@@ -27,6 +27,8 @@
 // * installing/installing_gcp_user_infra/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer.adoc
diff --git a/modules/cluster-entitlements.adoc b/modules/cluster-entitlements.adoc
index 929568d5736c..189a5495d38e 100644
--- a/modules/cluster-entitlements.adoc
+++ b/modules/cluster-entitlements.adoc
@@ -11,6 +11,8 @@
 // * installing/installing_vsphere/installing-vsphere-network-customizations.adoc
 // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
 // * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
 // * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
 // * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
diff --git a/modules/cluster-telemetry.adoc b/modules/cluster-telemetry.adoc
index 2f6ad5967e94..0044329c6d53 100644
--- a/modules/cluster-telemetry.adoc
+++ b/modules/cluster-telemetry.adoc
@@ -56,6 +56,8 @@
 // * installing/installing_gcp/installing-gcp-default.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-gcp-network-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_vmc/installing-vmc-network-customizations.adoc
 // * installing/installing_vmc/installing-vmc-customizations.adoc
 // * installing/installing_vmc/installing-vmc-network-customizations-user-infra.adoc
diff --git a/modules/installation-cis-ibm-cloud.adoc b/modules/installation-cis-ibm-cloud.adoc
new file mode 100644
index 000000000000..45e15017c537
--- /dev/null
+++ b/modules/installation-cis-ibm-cloud.adoc
@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+//
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc
+
+:_content-type: PROCEDURE
+[id="installation-cis-ibm-cloud_{context}"]
+= Configuring DNS resolution using Cloud Internet Services
+
+IBM Cloud Internet Services (CIS) is used by the installation program to configure cluster DNS resolution and provide name lookup for the cluster to external resources. Only public DNS is supported with IBM Cloud.
+
+[NOTE]
+====
+IBM Cloud does not support IPv6, so dual stack or IPv6 environments are not possible.
+====
+
+You must create a domain zone in CIS in the same account as your cluster. You must also ensure the zone is authoritative for the domain. You can do this using a root domain or subdomain.
+
+.Prerequisites
+
+* You have installed the link:https://www.ibm.com/cloud/cli[IBM Cloud CLI].
+
+.Procedure
+
+. If you do not already have an existing domain and registrar, you must acquire them. For more information, see IBM's link:https://cloud.ibm.com/docs/dns?topic=dns-getting-started[documentation].
+
+. Create a CIS instance to use with your cluster.
+
+.. Install the CIS plug-in:
++
+[source,terminal]
+----
+$ ibmcloud plugin install cis
+----
+
+.. Create the CIS instance:
++
+[source,terminal]
+----
+$ ibmcloud cis instance-create standard <1>
+----
+<1> At a minimum, a `Standard` plan is required for CIS to manage the cluster subdomain and its DNS records.
+
+. Connect an existing domain to your CIS instance.
+
+.. Set the context instance for CIS:
++
+[source,terminal]
+----
+$ ibmcloud cis instance-set <1>
+----
+<1> The instance cloud resource name.
+
+.. Add the domain for CIS:
++
+[source,terminal]
+----
+$ ibmcloud cis domain-add <1>
+----
+<1> The fully qualified domain name. You can use either the root domain or subdomain value as the domain name, depending on which you plan to configure.
++
+[NOTE]
+====
+A root domain uses the form `openshiftcorp.com`.
A subdomain uses the form `clusters.openshiftcorp.com`.
+====
+
+. Open the link:https://cloud.ibm.com/catalog/services/internet-services[CIS web console], navigate to the *Overview* page, and note your CIS name servers. These name servers will be used in the next step.
+
+. Configure the name servers for your domains or subdomains at the domain's registrar or DNS provider. For more information, see IBM Cloud's link:https://cloud.ibm.com/docs/cis?topic=cis-getting-started#configure-your-name-servers-with-the-registrar-or-existing-dns-provider[documentation].
diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc
index c411bbd5a0c0..7832d8ced2c7 100644
--- a/modules/installation-configuration-parameters.adoc
+++ b/modules/installation-configuration-parameters.adoc
@@ -21,6 +21,8 @@
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_gcp/installing-gcp-vpc.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_ibm_power/installing-ibm-power.adoc
 // * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
 // * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
@@ -116,6 +118,12 @@ endif::[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-ibm-cloud-customizations"]
+:ibm-cloud:
+endif::[]
+ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
+:ibm-cloud:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-custom"]
 :osp:
 :osp-custom:
@@ -235,7 +243,7 @@ The string must be 14 characters or fewer long. endif::osp[] |`platform` -|The configuration for the specific platform upon which to perform the installation: `aws`, `baremetal`, `azure`, `openstack`, `ovirt`, `vsphere`, or `{}`. For additional information about `platform.` parameters, consult the table for your specific platform that follows. +|The configuration for the specific platform upon which to perform the installation: `aws`, `baremetal`, `azure`, `ibmcloud`, `openstack`, `ovirt`, `vsphere`, or `{}`. For additional information about `platform.` parameters, consult the table for your specific platform that follows. |Object ifndef::openshift-origin[] @@ -499,7 +507,7 @@ accounts for the dramatically decreased machine performance. |`compute.platform` |Required if you use `compute`. Use this parameter to specify the cloud provider to host the worker machines. This parameter value must match the `controlPlane.platform` parameter value. -|`aws`, `azure`, `gcp`, `openstack`, `ovirt`, `vsphere`, or `{}` +|`aws`, `azure`, `gcp`, `ibmcloud`, `openstack`, `ovirt`, `vsphere`, or `{}` |`compute.replicas` |The number of compute machines, which are also known as worker machines, to provision. @@ -545,7 +553,7 @@ accounts for the dramatically decreased machine performance. |`controlPlane.platform` |Required if you use `controlPlane`. Use this parameter to specify the cloud provider that hosts the control plane machines. This parameter value must match the `compute.platform` parameter value. -|`aws`, `azure`, `gcp`, `openstack`, `ovirt`, `vsphere`, or `{}` +|`aws`, `azure`, `gcp`, `ibmcloud`, `openstack`, `ovirt`, `vsphere`, or `{}` |`controlPlane.replicas` |The number of control plane machines to provision. 
@@ -592,7 +600,7 @@ endif::[] ifndef::aws,azure,gcp[] `Internal` or `External`. The default value is `External`. -Setting this field to `Internal` is not supported on non-cloud platforms. +Setting this field to `Internal` is not supported on non-cloud platforms and IBM Cloud. ifeval::[{product-version} <= 4.7] [IMPORTANT] ==== 
@@ -1036,6 +1044,40 @@ The GCP Compute Engine System service account email, like ` +controlPlane: <2> <3> + hyperthreading: Enabled <4> + name: master + platform: + ibm-cloud: {} + replicas: 3 +compute: <2> <3> +- hyperthreading: Enabled <4> + name: worker + platform: + ibmcloud: {} + replicas: 3 +metadata: + name: test-cluster <1> +ifdef::without-networking[] +networking: +endif::[] +ifdef::with-networking[] +networking: <2> +endif::[] + clusterNetwork: + - cidr: 10.128.0.0/14 + hostPrefix: 23 + machineNetwork: + - cidr: 10.0.0.0/16 +ifndef::openshift-origin[] + networkType: OpenShiftSDN +endif::openshift-origin[] +ifdef::openshift-origin[] + networkType: OVNKubernetes +endif::openshift-origin[] + serviceNetwork: + - 172.30.0.0/16 +platform: + ibmcloud: + region: us-south <1> +credentialsMode: Manual +publish: External +pullSecret: '{"auths": ...}' <1> +ifndef::openshift-origin[] +fips: false <5> +sshKey: ssh-ed25519 AAAA... <6> +endif::openshift-origin[] +ifdef::openshift-origin[] +sshKey: ssh-ed25519 AAAA... <5> +endif::openshift-origin[] +---- +<1> Required. The installation program prompts you for this value. +<2> If you do not provide these parameters and values, the installation program provides the default value. +<3> The `controlPlane` section is a single mapping, but the compute section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the `compute` section must begin with a hyphen, `-`, and the first line of the `controlPlane` section must not. Although both sections currently define a single machine pool, it is possible that future versions of {product-title} will support defining multiple compute pools during installation. Only one control plane pool is used. +<4> Whether to enable or disable simultaneous multithreading, or `hyperthreading`. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores. 
You can disable it by setting the parameter value to `Disabled`. If you disable simultaneous multithreading in some cluster machines, you must disable it in all cluster machines. ++ +[IMPORTANT] +==== +If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. Use larger machine types, such as `n1-standard-8`, for your machines if you disable simultaneous multithreading. +==== +ifndef::openshift-origin[] +<5> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead. ++ +[IMPORTANT] +==== +The use of FIPS Validated or Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture. +==== +<6> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. +endif::openshift-origin[] +ifdef::openshift-origin[] +<5> You can optionally provide the `sshKey` value that you use to access the machines in your cluster. +endif::openshift-origin[] ++ +[NOTE] +==== +For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses. +==== + +ifeval::["{context}" == "installing-ibm-cloud-network-customizations"] +:!with-networking: +endif::[] +ifeval::["{context}" != "installing-ibm-cloud-customizations"] +:!without-networking: +endif::[] diff --git a/modules/installation-ibm-cloud-creating-api-key.adoc b/modules/installation-ibm-cloud-creating-api-key.adoc new file mode 100644 index 000000000000..ea861bd57293 --- /dev/null +++ b/modules/installation-ibm-cloud-creating-api-key.adoc 
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc
+
+:_content-type: PROCEDURE
+[id="installation-ibm-cloud-creating-api-key_{context}"]
+= Creating an API key
+
+You must create a user API key or a service ID API key for your IBM Cloud account.
+
+.Prerequisites
+
+* You have assigned the required access policies to your IBM Cloud account.
+* You have attached you IAM access policies to an access group, or other appropriate resource.
+
+.Procedure
+
+* Create an API key, depending on how you defined your IAM access policies.
++
+For example, if you assigned your access policies to a user, you must create a link:https://cloud.ibm.com/docs/account?topic=account-userapikey[user API key]. If you assigned your access policies to a service ID, you must create a link:https://cloud.ibm.com/docs/account?topic=account-serviceidapikeys[service ID API key]. If your access policies are assigned to an access group, you can use either API key type. For more information on IBM Cloud API keys, see link:https://cloud.ibm.com/docs/account?topic=account-manapikey&interface=ui[Understanding API keys].
diff --git a/modules/installation-ibm-cloud-export-variables.adoc b/modules/installation-ibm-cloud-export-variables.adoc
new file mode 100644
index 000000000000..3c08267657d4
--- /dev/null
+++ b/modules/installation-ibm-cloud-export-variables.adoc
@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
+
+:_content-type: PROCEDURE
+[id="installation-ibm-cloud-export-variables_{context}"]
+= Exporting the IBM Cloud API key
+
+You must set the IBM Cloud API key you created as a global variable; the installation program ingests the variable during startup to set the API key.
+
+.Prerequisties
+
+* You have created either a user API key or service ID API key for your IBM Cloud account.
+
+.Procedure
+
+* Export your IBM Cloud API key as a global variable:
++
+[source,terminal]
+----
+$ export IC_API_KEY=
+----
+
+[IMPORTANT]
+====
+You must set the variable name exactly as specified; the installation program expects the variable name to be present during startup.
+====
diff --git a/modules/installation-ibm-cloud-iam-policies-api-key.adoc b/modules/installation-ibm-cloud-iam-policies-api-key.adoc
new file mode 100644
index 000000000000..ec1ee13cb391
--- /dev/null
+++ b/modules/installation-ibm-cloud-iam-policies-api-key.adoc
@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc
+
+:_content-type: CONCEPT
+[id="installation-ibm-cloud-iam-policies-api-key_{context}"]
+= IBM Cloud IAM Policies and API Key
+
+To install {product-title} into your IBM Cloud account, the installation program requires an IAM API key, which provides authentication and authorization to access IBM Cloud service APIs. You can use an existing IAM API key that contains the required policies or create a new one.
+
+For an IBM Cloud IAM overview, see the IBM Cloud link:https://cloud.ibm.com/docs/account?topic=account-iamoverview[documentation].
+
+[id="required-access-policies-ibm-cloud_{context}"]
+== Required access policies
+
+You must assign the required access policies to your IBM Cloud account.
+
+.Required access policies
+[cols="1,2,2,2,3",options="header"]
+|===
+|Service type |Service |Access policy scope |Platform access |Service access
+
+|Account management
+|IAM Identity Service
+|All resources or a subset of resources ^[1]^
+|Editor, Operator, Viewer, Administrator
+|Service ID creator
+
+|Account management ^[2]^
+|Identity and Access Management
+|All resources
+|Editor, Operator, Viewer, Administrator
+|
+
+|IAM services
+|Cloud Object Storage
+|All resources or a subset of resources ^[1]^
+|Editor, Operator, Viewer, Administrator
+|Reader, Writer, Manager, Content Reader, Object Reader, Object Writer
+
+|IAM services
+|Internet Services
+|All resources or a subset of resources ^[1]^
+|Editor, Operator, Viewer, Administrator
+|Reader, Writer, Manager
+
+
+|IAM services
+|VPC Infrastructure Services
+|All resources or a subset of resources ^[1]^
+|Editor, Operator, Viewer, Administrator
+|Reader, Writer, Manager
+|===
+[.small]
+--
+1. The policy access scope should be set based on how granular you want to assign access. The scope can be set to *All resources* or *Resources based on selected attributes*.
+2.
Optional: This access policy is only required if you want the installation program to create a resource group. For more information on resource groups, see IBM Cloud's link:https://cloud.ibm.com/docs/account?topic=account-rgs[documentation].
+--
+//TODO: IBM confirmed current values in the table above. They hope to provide more guidance on possibly scoping down the permissions (related to resource group actions).
+
+[id="access-policy-assignment-ibm-cloud_{context}"]
+== Access policy assignment
+
+In IBM Cloud IAM, access policies can be attached to different subjects:
+
+* Access group (Recommended)
+* Service ID
+* User
+
+The recommended method is to define IAM access policies in an link:https://cloud.ibm.com/docs/account?topic=account-groups[access group]. This helps organize all the access required for {product-title} and enables you to onboard users and service IDs to this group. You can also assign access to link:https://cloud.ibm.com/docs/account?topic=account-assign-access-resources[users and service IDs] directly, if desired.
diff --git a/modules/installation-ibm-cloud-regions.adoc b/modules/installation-ibm-cloud-regions.adoc
new file mode 100644
index 000000000000..ee11a173fe78
--- /dev/null
+++ b/modules/installation-ibm-cloud-regions.adoc
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc
+
+:_content-type: REFERENCE
+[id="installation-ibm-cloud-regions_{context}"]
+= Supported IBM Cloud regions
+
+You can deploy an {product-title} cluster to the following regions:
+
+//Not listed for openshift-install: br-sao, in-che, kr-seo
+
+* `au-syd` (Sydney, Australia)
+* `ca-tor` (Toronto, Canada)
+* `eu-de` (Frankfurt, Germany)
+* `eu-gb` (London, United Kingdom)
+* `jp-osa` (Osaka, Japan)
+* `jp-tok` (Tokyo, Japan)
+* `us-east` (Washington DC, United States)
+* `us-south` (Dallas, United States)
diff --git a/modules/installation-initializing.adoc b/modules/installation-initializing.adoc
index 469acf95ad42..cb4d4c6a5fa4 100644
--- a/modules/installation-initializing.adoc
+++ b/modules/installation-initializing.adoc
@@ -14,6 +14,8 @@
 // * installing/installing_gcp/installing-gcp-user-infra.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp.adoc
 // * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
 // * installing/installing_openstack/installing-openstack-installer-custom.adoc
 // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc
 // * installing/installing_openstack/installing-openstack-installer-restricted.adoc
@@ -81,6 +83,12 @@ ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisione
 :gcp:
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-ibm-cloud-customizations"]
+:ibm-cloud:
+endif::[]
+ifeval::["{context}" == "installing-ibm-cloud-network-customizations"]
+:ibm-cloud:
+endif::[]
 ifeval::["{context}" == "installing-openstack-installer-custom"]
 :osp:
 endif::[]
@@ -148,6 +156,9 @@ endif::azure[]
 ifdef::gcp[]
 Google Cloud Platform (GCP).
 endif::gcp[]
+ifdef::ibm-cloud[]
+IBM Cloud.
+endif::ibm-cloud[]
 ifdef::osp[]
 {rh-openstack-first}.
 endif::osp[]
@@ -237,6 +248,12 @@ specified by the service account that you configured. ... Select the base domain to deploy the cluster to. The base domain corresponds to the public DNS zone that you created for your cluster. endif::gcp[] +ifdef::ibm-cloud[] +... Select *ibmcloud* as the platform to target. +... Select the region to deploy the cluster to. +... Select the base domain to deploy the cluster to. The base domain corresponds +to the public DNS zone that you created for your cluster. +endif::ibm-cloud[] ifdef::osp[] ... Select *openstack* as the platform to target. ... Specify the {rh-openstack-first} external network name to use for installing the cluster. @@ -554,6 +571,12 @@ ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisione :!gcp: :!restricted: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-customizations"] +:!ibm-cloud: +endif::[] +ifeval::["{context}" == "installing-ibm-cloud-network-customizations"] +:!ibm-cloud: +endif::[] ifeval::["{context}" == "installing-openstack-installer-custom"] :!osp: endif::[] diff --git a/modules/installation-launching-installer.adoc b/modules/installation-launching-installer.adoc index 4754bee67adf..e5132d42ddb0 100644 --- a/modules/installation-launching-installer.adoc +++ b/modules/installation-launching-installer.adoc @@ -5,7 +5,6 @@ // * installing/installing_aws/installing-aws-government-region.adoc // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_aws/installing-aws-private.adoc -// * installing/installing_aws/installing-aws-secret-region.adoc // * installing/installing_aws/installing-aws-vpc.adoc // * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc // * installing/installing_azure/installing-azure-customizations.adoc 
@@ -158,6 +157,10 @@ ifeval::["{context}" == "installing-restricted-networks-vmc"] :custom-config: :vmc: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-customizations"] +:custom-config: +:ibm-cloud: +endif::[] :_content-type: PROCEDURE [id="installation-launching-installer_{context}"] @@ -269,6 +272,9 @@ specified by the service account that you configured. .. Select the base domain to deploy the cluster to. The base domain corresponds to the public DNS zone that you created for your cluster. endif::gcp[] +ifdef::ibm-cloud[] +.. test +endif::ibm-cloud[] ifdef::osp[] .. Select *openstack* as the platform to target. .. Specify the {rh-openstack-first} external network name to use for installing the cluster. @@ -563,3 +569,7 @@ ifeval::["{context}" == "installing-restricted-networks-vmc"] :!custom-config: :!vmc: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-customizations"] +:custom-config: +:ibm-cloud: +endif::[] diff --git a/modules/installation-obtaining-installer.adoc b/modules/installation-obtaining-installer.adoc index 90d7048f57ab..22d22013a44e 100644 --- a/modules/installation-obtaining-installer.adoc +++ b/modules/installation-obtaining-installer.adoc @@ -21,6 +21,8 @@ // * installing/installing_gcp/installing-gcp-private.adoc // * installing/installing_gcp/installing-gcp-default.adoc // * installing/installing_gcp/installing-gcp-vpc.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc // * installing/installing_openstack/installing-openstack-installer-custom.adoc // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc // * installing/installing_openstack/installing-openstack-installer.adoc diff --git a/modules/installation-uninstall-clouds.adoc b/modules/installation-uninstall-clouds.adoc index b0702650a446..cd8dac2f201d 100644 --- a/modules/installation-uninstall-clouds.adoc 
+++ b/modules/installation-uninstall-clouds.adoc @@ -4,6 +4,7 @@ // * installing/installing_azure/uninstalling-cluster-azure.adoc // * installing/installing_azure/uninstalling-cluster-azure-stack-hub.adoc // * installing/installing_gcp/uninstalling-cluster-gcp.adoc +// * installing/installing_ibm_cloud_public/uninstalling-cluster-ibm-cloud.adoc // * installing/installing_osp/uninstalling-cluster-openstack.adoc // * installing/installing_rhv/uninstalling-cluster-rhv.adoc // * installing/installing_vmc/uninstalling-cluster-vmc.adoc @@ -15,6 +16,9 @@ endif::[] ifeval::["{context}" == "uninstalling-cluster-gcp"] :gcp: endif::[] +ifeval::["{context}" == "uninstalling-cluster-ibm-cloud"] +:ibm-cloud: +endif::[] :_content-type: PROCEDURE [id="installation-uninstall-clouds_{context}"] 
@@ -42,9 +46,51 @@ endif::gcp[] * Have a copy of the installation program that you used to deploy the cluster. * Have the files that the installation program generated when you created your cluster. +ifdef::ibm-cloud[] +* You have configured the `ccoctl` binary. +* You have installed the IBM Cloud CLI and installed or updated the VPC infrastructure service plug-in. For more information see "Prerequisites" in the link:https://cloud.ibm.com/docs/vpc?topic=vpc-infrastructure-cli-plugin-vpc-reference&interface=ui#cli-ref-prereqs[IBM Cloud VPC CLI documentation]. +endif::ibm-cloud[] .Procedure +ifdef::ibm-cloud[] +. If the following conditions are met, this step is required: +** The installer created a resource group as part of the installation process. +** You or one of your applications created persistent volume claims (PVCs) after the cluster was deployed. + ++ +In which case, the PVCs are not removed when uninstalling the cluster, which might prevent the resource group from being successfully removed. To prevent a failure: + +.. Log in to the IBM Cloud using the CLI. +.. To list the PVCs, run the following command: ++ +[source, terminal] +---- +$ ibmcloud is volumes --resource-group-name +---- ++ +For more information about listing volumes, see the link:https://cloud.ibm.com/docs/vpc?topic=vpc-infrastructure-cli-plugin-vpc-reference&interface=ui#volume-cli[IBM Cloud VPC CLI documentation]. +.. To delete the PVCs, run the following command: ++ +[source, terminal] +---- +$ ibmcloud is volume-delete --force +---- ++ +For more information about deleting volumes, see the link:https://cloud.ibm.com/docs/vpc?topic=vpc-infrastructure-cli-plugin-vpc-reference&interface=ui#volume-delete[IBM Cloud VPC CLI documentation]. + +. Export the IBM Cloud API key that was created as part of the installation process. ++ +[source,terminal] +---- +$ export IC_API_KEY= +---- ++ +[NOTE] +==== +You must set the variable name exactly as specified. 
The installation program expects the variable name to be present to remove the service IDs that were created when the cluster was installed. +==== +endif::ibm-cloud[] . From the directory that contains the installation program on the computer that you used to install the cluster, run the following command: + [source,terminal] @@ -63,6 +109,18 @@ your cluster. The installation program requires the `metadata.json` file in this directory to delete the cluster. ==== +ifdef::ibm-cloud[] +. Remove the manual CCO credentials that were created for the cluster: ++ +[source,terminal] +---- +$ ccoctl ibmcloud delete-service-id \ + --credentials-requests-dir \ + --name +---- +endif::ibm-cloud[] +// The above CCO credential removal for IBM Cloud is only necessary for manual mode. Future releases that support other credential methods will not require this step. + . Optional: Delete the `` directory and the {product-title} installation program. @@ -72,3 +130,6 @@ endif::[] ifeval::["{context}" == "uninstalling-cluster-gcp"] :!gcp: endif::[] +ifeval::["{context}" == "uninstalling-cluster-ibm-cloud"] +:!ibm-cloud: +endif::[] diff --git a/modules/manually-create-iam-ibm-cloud.adoc b/modules/manually-create-iam-ibm-cloud.adoc new file mode 100644 index 000000000000..2841826a564f --- /dev/null +++ b/modules/manually-create-iam-ibm-cloud.adoc 
@@ -0,0 +1,124 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc
+// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc
+
+:_content-type: PROCEDURE
+[id="manually-create-iam-ibm-cloud_{context}"]
+= Manually creating IAM for IBM Cloud
+
+Installing the cluster requires that the Cloud Credential Operator (CCO) operate in manual mode. While the installation program configures the CCO for manual mode, you must specify the identity and access management secrets for you cloud provider.
+
+You can use the Cloud Credential Operator (CCO) utility (`ccoctl`) to create the required IBM Cloud resources.
+
+.Prerequisites
+
+* You have configured the `ccoctl` binary.
+* You have an existing `install-config.yaml` file.
+
+.Procedure
+
+. Edit the `install-config.yaml` configuration file so that it contains the `credentialsMode` parameter set to `Manual`.
++
+.Example `install-config.yaml` configuration file
+[source,yaml]
+----
+apiVersion: v1
+baseDomain: cluster1.example.com
+credentialsMode: Manual <1>
+compute:
+- architecture: amd64
+ hyperthreading: Enabled
+...
+----
+<1> This line is added to set the `credentialsMode` parameter to `Manual`.
+
+. To generate the manifests, run the following command from the directory that contains the installation program:
++
+[source,terminal]
+----
+$ openshift-install create manifests --dir
+----
+
+. From the directory that contains the installation program, obtain the {product-title} release image that your `openshift-install` binary is built to use:
++
+[source,terminal]
+----
+$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
+----
+
+.
Extract the `CredentialsRequest` objects from the {product-title} release image:
++
+[source,terminal]
+----
+$ oc adm release extract --cloud=ibmcloud --credentials-requests $RELEASE_IMAGE \
+ --to= <1>
+----
+<1> The directory where the credential requests will be stored.
++
+This command creates a YAML file for each `CredentialsRequest` object.
++
+.Sample `CredentialsRequest` object
++
+[source,yaml]
+----
+ apiVersion: cloudcredential.openshift.io/v1
+ kind: CredentialsRequest
+ metadata:
+ labels:
+ controller-tools.k8s.io: "1.0"
+ name: openshift-image-registry-ibmcos
+ namespace: openshift-cloud-credential-operator
+ spec:
+ secretRef:
+ name: installer-cloud-credentials
+ namespace: openshift-image-registry
+ providerSpec:
+ apiVersion: cloudcredential.openshift.io/v1
+ kind: IBMCloudProviderSpec
+ policies:
+ - attributes:
+ - name: serviceName
+ value: cloud-object-storage
+ roles:
+ - crn:v1:bluemix:public:iam::::role:Viewer
+ - crn:v1:bluemix:public:iam::::role:Operator
+ - crn:v1:bluemix:public:iam::::role:Editor
+ - crn:v1:bluemix:public:iam::::serviceRole:Reader
+ - crn:v1:bluemix:public:iam::::serviceRole:Writer
+ - attributes:
+ - name: resourceType
+ value: resource-group
+ roles:
+ - crn:v1:bluemix:public:iam::::role:Viewer
+----
+
+. Create the service ID for each credential request, assign the policies defined, create an API key in IBM Cloud, and generate the secret:
++
+[source,terminal]
+----
+$ ccoctl ibmcloud create-service-id \
+ --credentials-requests-dir \ <1>
+ --name \ <2>
+ --output-dir
+ --resource-group-name <3>
+----
+<1> The directory where the credential requests are stored.
+<2> The name of the {product-title} cluster.
+<3> Optional: The name of the resource group used for scoping the access policies.
++
+--
+[NOTE]
+====
+If an incorrect resource group name is provided, the installation fails during the bootstrap phase.
To find the correct resource group name, run the following command:
+
+[source,terminal]
+----
+$ grep resourceGroupName /manifests/cluster-infrastructure-02-config.yml
+----
+====
+--
+
+.Verification
+
+* Ensure that the appropriate secrets were generated in your cluster's `manifests` directory.
diff --git a/modules/manually-maintained-credentials-upgrade.adoc b/modules/manually-maintained-credentials-upgrade.adoc
index e6fa2dfac4d7..fd6f8c7a43d4 100644
--- a/modules/manually-maintained-credentials-upgrade.adoc
+++ b/modules/manually-maintained-credentials-upgrade.adoc
@@ -2,32 +2,51 @@ // // * authentication/managing_cloud_provider_credentials/cco-mode-manual.adoc // * authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc +// * installing/installing_ibm_cloud_public/manually-creating-iam-ibm-cloud.adoc // * updating/updating-cluster-within-minor.adoc // * updating/updating-cluster-cli.adoc :_content-type: PROCEDURE + +ifeval::["{context}" == "configuring-iam-ibm-cloud"] +:ibm-cloud: +endif::[] + [id="manually-maintained-credentials-upgrade_{context}"] = Upgrading clusters with manually maintained credentials The Cloud Credential Operator (CCO) `Upgradable` status for a cluster with manually maintained credentials is `False` by default. -* For minor releases, for example, from 4.8 to 4.9, this status prevents you from upgrading until you have addressed any updated permissions and annotated the `CloudCredential` resource to indicate that the permissions are updated as needed for the next version. This annotation changes the `Upgradable` status to `True`. +* For minor releases, for example, from 4.9 to 4.10, this status prevents you from upgrading until you have addressed any updated permissions and annotated the `CloudCredential` resource to indicate that the permissions are updated as needed for the next version. This annotation changes the `Upgradable` status to `True`. -* For z-stream releases, for example, from 4.9.0 to 4.9.1, no permissions are added or changed, so the upgrade is not blocked. +* For z-stream releases, for example, from 4.10.0 to 4.10.1, no permissions are added or changed, so the upgrade is not blocked. Before upgrading a cluster with manually maintained credentials, you must create any new credentials for the release image that you are upgrading to. Additionally, you must review the required permissions for existing credentials and accommodate any new permissions requirements in the new release for those components. 
+ifdef::ibm-cloud[] +.Prerequisites + +* You have configured the `ccoctl` binary. +endif::ibm-cloud[] + .Procedure . Extract and examine the `CredentialsRequest` custom resource for the new release. + The "Manually creating IAM" section of the installation content for your cloud provider explains how to obtain and use the credentials required for your cloud. + . Update the manually maintained credentials on your cluster: ** Create new secrets for any `CredentialsRequest` custom resources that are added by the new release image. - +ifndef::ibm-cloud[] ** If the `CredentialsRequest` custom resources for any existing credentials that are stored in secrets have changed their permissions requirements, update the permissions as required. +endif::ibm-cloud[] +ifdef::ibm-cloud[] +** If the `CredentialsRequest` custom resources for any existing credentials that are stored in secrets have changed their permissions requirements, create new service IDs and API keys for the credential requests and secret manifests using the `ccoctl` utility. ++ +The "Manually creating IAM for IBM Cloud" section of the installation content for IBM Cloud explains how to use the `ccoctl` utility to create new service IDs. +endif::ibm-cloud[] . When all of the secrets are correct for the new release, indicate that the cluster is ready to upgrade: 
@@ -61,6 +80,26 @@ It may take several minutes after adding the annotation for the upgradeable stat . To view the CCO status details, click *cloud-credential* in the *Cluster Operators* list. -. If the *Upgradeable* status in the *Conditions* section is *False*, verify that the `upgradeable-to` annotation is free of typographical errors. - +.. If the *Upgradeable* status in the *Conditions* section is *False*, verify that the `upgradeable-to` annotation is free of typographical errors. +ifndef::ibm-cloud[] When the *Upgradeable* status in the *Conditions* section is *True*, you can begin the {product-title} upgrade. +endif::ibm-cloud[] +ifdef::ibm-cloud[] ++ +When the *Upgradeable* status in the *Conditions* section is *True*, you can begin the {product-title} upgrade. + +. Revoke the old service IDs and API Keys: +[source,terminal] ++ +---- +$ ccoctl ibmcloud delete-service-id \ + --credentials-requests-dir \ <1> + --name <2> +---- +<1> The directory where the credential requests are stored. +<2> The name of the {product-title} cluster. +endif::ibm-cloud[] + +ifeval::["{context}" == "configuring-iam-ibm-cloud"] +:!ibm-cloud: +endif::[] diff --git a/modules/nw-modifying-operator-install-config.adoc b/modules/nw-modifying-operator-install-config.adoc index 83fc975aec38..e76f33531174 100644 --- a/modules/nw-modifying-operator-install-config.adoc +++ b/modules/nw-modifying-operator-install-config.adoc 
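Review bot: In the new "Revoke the old service IDs and API Keys" step, `[source,terminal]` is placed before the `+` list-continuation line, the reverse of the order used in the `refresh-keys` module added by this same commit; swap the two lines to `+` followed by `[source,terminal]` so that the listing attaches to the step. The step also does not say how `ccoctl ibmcloud delete-service-id` tells the old service IDs apart from the ones created earlier in the procedure, since the two callouts describe only the credential requests directory and the cluster name. A sentence stating which IDs are removed, and that revocation should wait until the cluster components are confirmed to be using the new secrets, would make the step safe to follow. As shown here the two options carry no placeholder values, which may be an extraction artifact but is worth checking in the source; the earlier steps of the procedure lie outside this hunk.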
@@ -3,6 +3,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_azure/installing-azure-network-customizations.adoc // * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc // * installing/installing_vmc/installing-vmc-network-customizations-user-infra.adoc // * installing/installing_vsphere/installing-vsphere-network-customizations.adoc // * installing/installing_gcp/installing-gcp-network-customizations.adoc @@ -20,6 +21,9 @@ ifeval::["{context}" == "installing-vmc-network-customizations-user-infra"] :ignition-config: :vmc: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-network-customizations"] +:ibm-cloud: +endif::[] :_content-type: PROCEDURE [id="modifying-nwoperator-config-startup_{context}"] @@ -58,7 +62,9 @@ metadata: spec: ---- -. Specify the advanced network configuration for your cluster in the `cluster-network-03-config.yml` file, such as in the following examples: +. Specify the advanced network configuration for your cluster in the `cluster-network-03-config.yml` file, such as in the following +ifndef::ibm-cloud[examples:] +ifdef::ibm-cloud[example:] + -- .Specify a different VXLAN port for the OpenShift SDN network provider @@ -74,6 +80,7 @@ spec: vxlanPort: 4800 ---- +ifndef::ibm-cloud[] .Enable IPsec for the OVN-Kubernetes network provider [source,yaml] ---- @@ -86,6 +93,7 @@ spec: ovnKubernetesConfig: ipsecConfig: {} ---- +endif::ibm-cloud[] -- . Optional: Back up the `manifests/cluster-network-03-config.yml` file. The @@ -117,3 +125,6 @@ ifeval::["{context}" == "installing-vmc-network-customizations-user-infra"] :!ignition-config: :!vmc: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-network-customizations"] +:!ibm-cloud: +endif::[] diff --git a/modules/nw-network-config.adoc b/modules/nw-network-config.adoc index b4ea8fce7cc6..dd446744ef46 100644 
--- a/modules/nw-network-config.adoc +++ b/modules/nw-network-config.adoc @@ -7,6 +7,7 @@ // * installing/installing_aws/installing-aws-network-customizations.adoc // * installing/installing_azure/installing-azure-network-customizations.adoc // * installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc // * installing/installing_vsphere/installing-vsphere-network-customizations.adoc // * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc // * installing/installing_gcp/installing-gcp-network-customizations.adoc diff --git a/modules/nw-operator-cr.adoc b/modules/nw-operator-cr.adoc index abf09100991a..3e1c99019bc2 100644 --- a/modules/nw-operator-cr.adoc +++ b/modules/nw-operator-cr.adoc @@ -17,6 +17,7 @@ // * networking/cluster-network-operator.adoc // * networking/network_policy/logging-network-policy.adoc // * post_installation_configuration/network-configuration.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc // Installation assemblies need different details than the CNO operator does ifeval::["{context}" == "cluster-network-operator"] @@ -26,6 +27,9 @@ endif::[] ifeval::["{context}" == "post-install-network-configuration"] :post-install-network-configuration: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-network-customizations"] +:ibm-cloud: +endif::[] :_content-type: CONCEPT [id="nw-operator-cr_{context}"] @@ -256,6 +260,7 @@ ifdef::operator[] The UDP port for the Geneve overlay network. endif::operator[] +ifndef::ibm-cloud[] |`ipsecConfig` |`object` | @@ -265,6 +270,7 @@ endif::operator[] ifdef::operator[] If the field is present, IPsec is enabled for the cluster. endif::operator[] +endif::ibm-cloud[] |`policyAuditConfig` |`object` 
@@ -280,6 +286,13 @@ endif::operator[] ==== |==== +ifdef::ibm-cloud[] +[NOTE] +==== +IPsec for the OVN-Kubernetes network provider is not supported when installing a cluster on IBM Cloud. +==== +endif::ibm-cloud[] + // tag::policy-audit[] .`policyAuditConfig` object [cols=".^2,.^2,.^6a",options="header"] @@ -341,7 +354,9 @@ defaultNetwork: ovnKubernetesConfig: mtu: 1400 genevePort: 6081 +ifndef::ibm-cloud[] ipsecConfig: {} +endif::ibm-cloud[] ---- [discrete] @@ -421,3 +436,6 @@ endif::[] ifdef::post-install-network-configuration[] :!post-install-network-configuration: endif::[] +ifeval::["{context}" == "installing-ibm-cloud-network-customizations"] +:!ibm-cloud: +endif::[] diff --git a/modules/quotas-and-limits-ibm-cloud.adoc b/modules/quotas-and-limits-ibm-cloud.adoc new file mode 100644 index 000000000000..c9d9331a5608 --- /dev/null +++ b/modules/quotas-and-limits-ibm-cloud.adoc 
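Review bot: The NOTE added after the `ovnKubernetesConfig` table says only that IPsec is not supported on IBM Cloud, and the `ipsecConfig` row and example line are hidden for that context, so a reader with an encryption-in-transit requirement is not told what this means for them. Consider extending the note with one sentence such as `Traffic between pods on the cluster network is therefore not encrypted by the network provider on this platform.`, after confirming the wording with the networking owners. The companion change in `nw-modifying-operator-install-config.adoc` drops the IPsec example for IBM Cloud with no note at all, so the same sentence, or a pointer to this one, would help there too.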
@@ -0,0 +1,88 @@ +// Module included in the following assemblies: +// +// installing/installing_ibm_cloud_public/installing-ibm-cloud-account.adoc + +:_content-type: CONCEPT +[id="quotas-and-limits-ibm-cloud_{context}"] += Quotas and limits on IBM Cloud + +The {product-title} cluster uses a number of IBM Cloud components, and the default quotas and limits affect your ability to install {product-title} clusters. If you use certain cluster configurations, deploy your cluster in certain regions, or run multiple clusters from your account, you might need to request additional resources for your IBM Cloud account. + +For a comprehensive list of the default IBM Cloud VPC quotas and service limits, see IBM Cloud's documentation for link:https://cloud.ibm.com/docs/vpc?topic=vpc-quotas[Quotas and service limits]. + +[discrete] +== Virtual Private Cloud (VPC) + +Each {product-title} cluster creates its own VPC. The default quota of VPCs per region is 10 and will allow 10 clusters. To have more than 10 clusters in a single region, you must increase this quota. + +[discrete] +== Application load balancer + +By default, each cluster creates three application load balancers (ALBs): + +* Internal load balancer for the master API server +* External load balancer for the master API server +* Load balancer for the router + +You can create additional `LoadBalancer` service objects to create additional ALBs. The default quota of VPC ALBs are 50 per region. To have more than 50 ALBs, you must increase this quota. + +VPC ALBs are supported. Classic ALBs are not supported for IBM Cloud. + +[discrete] +== Floating IP address + +By default, the installation program distributes control plane and compute machines across all availability zones within a region to provision the cluster in a highly available configuration. In each availability zone, a public gateway is created and requires a separate floating IP address. 
+ +The default quota for a floating IP address is 20 addresses per availability zone. The default cluster configuration yields three floating IP addresses: + +* Two floating IP addresses in the `us-east-1` primary zone. The IP address associated with the bootstrap node is removed after installation. +* One floating IP address in the `us-east-2` secondary zone. +* One floating IP address in the `us-east-3` secondary zone. + +IBM Cloud can support up to 19 clusters per region in an account. If you plan to have more than 19 default clusters, you must increase this quota. + +[discrete] +== Virtual Server Instances (VSI) + +By default, a cluster creates VSIs using `bx2-4x16` profiles, which includes the following resources by default: + +* 4 vCPUs +* 16 GB RAM + +// TODO: The quotas and limits in this module will likely need to be tweaked before GA. IBM is still testing and official guidance is a WIP. + +The following nodes are created: + +* One `bx2-4x16` bootstrap machine, which is removed after the installation is complete +* Three `bx2-4x16` control plane nodes +* Three `bx2-4x16` compute nodes + +For more information, see IBM Cloud's documentation on link:https://cloud.ibm.com/docs/vpc?topic=vpc-profiles[supported profiles]. + +.VSI component quotas and limits +[cols="2,2,4,2",options="header"] +|=== +|VSI component |Default IBM Cloud quota |Default cluster configuration |Maximum number of clusters + +|vCPU +|200 vCPUs per region +|28 vCPUs, or 24 vCPUs after bootstrap removal +|8 per region + +|RAM +|1600 GB per region +|112 GB, or 96 GB after bootstrap removal +|16 per region + +|Storage +|18 TB per region +|1050 GB, or 900 GB after bootstrap removal +|19 per region +|=== + +If you plan to exceed the resources stated in the table, you must increase your IBM Cloud account quota. + +[discrete] +== Block Storage Volumes + +For each VPC machine, a block storage device is attached for its boot volume. 
The default cluster configuration creates seven VPC machines, resulting in seven block storage volumes. Additional Kubernetes persistent volume claims (PVCs) of the IBM Cloud storage class create additional block storage volumes. The default quota of VPC block storage volumes are 300 per region. To have more than 300 volumes, you must increase this quota. diff --git a/modules/refreshing-service-ids-ibm-cloud.adoc b/modules/refreshing-service-ids-ibm-cloud.adoc new file mode 100644 index 000000000000..734baae74b1f --- /dev/null +++ b/modules/refreshing-service-ids-ibm-cloud.adoc @@ -0,0 +1,29 @@ +// Module included in the following assemblies: +// +// * installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.adoc + +:_content-type: PROCEDURE +[id="refreshing-service-ids-ibm-cloud_{context}"] += Rotating API keys for IBM Cloud + +You can rotate API keys for your existing service IDs and update the corresponding secrets. + +.Prerequisites + +* You have configured the `ccoctl` binary. +* You have existing service IDs in a live {product-title} cluster installed on IBM Cloud. + +.Procedure + +* Use the `ccoctl` utility to rotate your API keys for the service IDs and update the secrets: ++ +[source,terminal] +---- +$ ccoctl ibmcloud refresh-keys \ + --kubeconfig \ <1> + --credentials-requests-dir \ <2> + --name <3> +---- +<1> The `kubeconfig` file associated with the cluster. For example, `/auth/kubeconfig`. +<2> The directory where the credential requests are stored. +<3> The name of the {product-title} cluster. diff --git a/modules/ssh-agent-using.adoc b/modules/ssh-agent-using.adoc index c22f441a6f3d..d77605d2f6a2 100644 --- a/modules/ssh-agent-using.adoc +++ b/modules/ssh-agent-using.adoc 
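Review bot: The floating IP paragraph in the new quotas module says the default cluster configuration "yields three floating IP addresses", but the list that follows adds up to four (two in the primary zone, one in each secondary zone), one of which is removed with the bootstrap node. Rewording to `yields four floating IP addresses during installation, and three after the bootstrap address is removed` would match the list, if that is the intended meaning. The zone names `us-east-1` to `us-east-3` are presented as if they applied to every region; marking them as an example would avoid that reading. Two agreement slips should also be fixed: "The default quota of VPC ALBs are 50" and "The default quota of VPC block storage volumes are 300" should use "is".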
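Review bot: The "Rotating API keys for IBM Cloud" procedure stops at the `ccoctl ibmcloud refresh-keys` command and does not say what happens to the previous API keys or how to confirm that the rotation took effect. For a credential rotation the reader needs to know whether the old keys are deleted by the command or must be revoked separately, and whether workloads that already loaded the old secret have to be restarted; neither can be determined from this hunk. A closing step along the lines of `. Verify that the secret for each credentials request contains the new API key and that the previous keys are no longer listed for the service IDs.` would cover this. The module id `refreshing-service-ids-ibm-cloud` also differs from its title, which speaks of rotating API keys rather than refreshing service IDs.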
@@ -24,6 +24,8 @@ // * installing/installing_gcp/installing-gcp-default.adoc // * installing/installing_gcp/installing-gcp-vpc.adoc // * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.adoc +// * installing/installing_ibm_cloud_public/installing-ibm-cloud-network-customizations.adoc // * installing/installing_openstack/installing-openstack-installer-custom.adoc // * installing/installing_openstack/installing-openstack-installer-kuryr.adoc // * installing/installing_openstack/installing-openstack-installer.adoc diff --git a/modules/supported-platforms-for-openshift-clusters.adoc b/modules/supported-platforms-for-openshift-clusters.adoc index 4973c1bf0b95..5d029a186c00 100644 --- a/modules/supported-platforms-for-openshift-clusters.adoc +++ b/modules/supported-platforms-for-openshift-clusters.adoc @@ -14,6 +14,7 @@ In {product-title} {product-version}, you can install a cluster that uses instal * Microsoft Azure Stack Hub * {rh-openstack-first} version 13 and 16 ** The latest {product-title} release supports both the latest {rh-openstack} long-life release and intermediate release. For complete {rh-openstack} release compatibility, see the link:https://access.redhat.com/articles/4679401[{product-title} on {rh-openstack} support matrix]. +* IBM Cloud * {rh-virtualization-first} * VMware vSphere * VMware Cloud (VMC) on AWS