Merged
2 changes: 1 addition & 1 deletion modules/deleting-cluster-aws.adoc
@@ -17,7 +17,7 @@ Delete your {product-title} cluster from your {AWS} infrastructure to stop incur

.Procedure

. From {cluster-manager-url}, click on the cluster you want to delete.
. From {cluster-manager-url}, click the cluster you want to delete.

. Select *Delete cluster* from the *Actions* list.

71 changes: 37 additions & 34 deletions modules/osd-create-cluster-ccs-aws.adoc
@@ -8,17 +8,20 @@
= Creating a cluster on AWS

[role="_abstract"]
Deploy a {product-title} cluster with the Customer Cloud Subscription (CCS) or Red{nbsp}Hat cloud account billing model to get more financial control. By configuring AWS Identity and Access Management (IAM) roles, Virtual Private Clouds (VPC) networking, and PrivateLinks, you integrate your clusters into existing infrastructure while ensuring security.
Deploy a {product-title} cluster with the Customer Cloud Subscription (CCS) or Red{nbsp}Hat cloud account billing model to get more financial control. By configuring AWS Identity and Access Management (IAM) roles, Virtual Private Clouds (VPC) networking, and PrivateLink, you integrate your clusters into existing infrastructure while ensuring security.

.Prerequisites

* You have configured your AWS account for use with {product-title}.
* You have not deployed any services in your AWS account.
* You have configured the AWS account quotas and limits that are required to support the desired cluster size.
* You have an `osdCcsAdmin` AWS Identity and Access Management (IAM) user with the `AdministratorAccess` policy attached.
* You have set up a service control policy (SCP) in your AWS organization. For more information, see _Minimum required service control policy (SCP)_.
You have completed the following tasks:

* Configure your AWS account for use with {product-title}.
* Ensure that you have not deployed any services in your AWS account.
* Configure the AWS account quotas and limits required to support the specified cluster size.
* Create an `osdCcsAdmin` AWS Identity and Access Management (IAM) user with the `AdministratorAccess` policy attached.
* Set up a service control policy (SCP) in your AWS organization. For more information, see _Minimum required service control policy (SCP)_.
* Consider having *Business Support* or higher from AWS.
* If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into. The proxy must also be accessible from the private subnets of the VPC.
* If you are configuring a cluster-wide proxy, verify that the proxy is accessible from the VPC where you installed the cluster.
* Ensure that you can access the proxy from the private subnets of the VPC.

.Procedure

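Review bot: the rewritten proxy prerequisite, "verify that the proxy is accessible from the VPC where you installed the cluster", is now inaccurate: it describes a cluster that already exists, but this list states what must be true before the cluster is created, and the old wording "the VPC that the cluster is being installed into" had the right sense; suggest "the VPC into which you will install the cluster". Two smaller points in the same list: "required to support the specified cluster size" reads oddly before any size has been specified ("intended cluster size" keeps the original meaning), and "Consider having *Business Support* or higher from AWS" is a recommendation rather than a task, so it does not fit under the new lead sentence "You have completed the following tasks:".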
@@ -34,12 +37,12 @@ Deploy a {product-title} cluster with the Customer Cloud Subscription (CCS) or R
The subscription types that are available to you depend on your {product-title} subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support.
====
+
.. Select the *Customer Cloud Subscription* infrastructure type to deploy {product-title} in an existing cloud provider account that you own or select *Red Hat cloud account* infrastructure type to deploy {product-title} in a cloud provider account that is owned by Red Hat.
.. Select the *Customer Cloud Subscription* infrastructure type to deploy {product-title} in an existing cloud provider account that you own or select *Red Hat cloud account* infrastructure type to deploy {product-title} in a Red Hat cloud provider account.
.. Click *Next*.
. Select *Run on Amazon Web Services*. If you are provisioning your cluster in an AWS account, complete the following substeps:
.. Review and complete the listed *Prerequisites*.
.. Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
.. Provide your AWS account details:
.. Give your AWS account details:
... Enter your *AWS account ID*.
... Enter your *AWS access key ID* and *AWS secret access key* for your AWS IAM user account.
+
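Review bot: "Give your AWS account details:" is awkward for a form step and inconsistent with the substeps directly below it, which say "Enter your *AWS account ID*" and "Enter your *AWS access key ID* and *AWS secret access key*"; suggest "Enter your AWS account details:". The same "provide" to "give" substitution is made several times in this file, and "enter" (for fields) or "specify" reads better in each case.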
@@ -51,13 +54,13 @@ Revoking these credentials in AWS results in a loss of access to any cluster cre
+
[NOTE]
====
Some AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. The SCP is still enforced even if the checks are bypassed.
Some AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. Even when you bypass the checks, the SCP still runs.
====
. Click *Next* to validate your cloud provider account and go to the *Cluster details* page.

. On the *Cluster details* page, provide a name for your cluster and specify the cluster details:
. On the *Cluster details* page, give a name for your cluster and specify the cluster details:
.. Add a *Cluster name*.
.. Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on `openshiftapps.com`. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
.. Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on `openshiftapps.com`. If the cluster name is less than or equal to 15 characters, then the domain prefix uses that name. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
+
To customize the subdomain, select the *Create customize domain prefix* checkbox, and enter your domain prefix name in the *Domain prefix* field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.
.. Select a cluster version from the *Version* drop-down menu.
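Review bot: the rewritten SCP note, "Even when you bypass the checks, the SCP still runs.", is less accurate than the sentence it replaces: an SCP is a policy that AWS enforces, not a process that runs, and the point the reader needs is that disabling the checks only skips the installer's preflight validation while the policy continues to apply, so the installation can still fail later. Suggest keeping "The SCP is still enforced even if the checks are bypassed." or "AWS still enforces the SCP even when you bypass the checks." Also, "give a name for your cluster" should be "enter a name for your cluster", matching "Add a *Cluster name*" in the next substep.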
@@ -68,34 +71,34 @@ To customize the subdomain, select the *Create customize domain prefix* checkbox
.. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
... Accept the default setting *Use default KMS Keys* to use your default AWS KMS key, or select *Use Custom KMS keys* to use a custom KMS key.
.... With *Use Custom KMS keys* selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the *Key ARN* field.
The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
Use the key to encrypt all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
+
... Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
+
[NOTE]
====
If *Enable FIPS cryptography* is selected, *Enable additional etcd encryption* is enabled by default and cannot be disabled. You can select *Enable additional etcd encryption* without selecting *Enable FIPS cryptography*.
If you select *Enable FIPS cryptography*, then by default, you enable *Enable additional etcd encryption* and you cannot disable this feature. You can select *Enable additional etcd encryption* without selecting *Enable FIPS cryptography*.
====
+
... Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
+
[NOTE]
====
By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
By enabling etcd encryption for the key values in etcd, you increase the performance overhead of your workloads by about 20%. The workload increase is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
====
+
.. Click *Next*.

. On the *Default machine pool* page, select a *Compute node instance type* from the drop-down menu.
. Optional: Select the *Enable autoscaling* checkbox to enable autoscaling.
.. Click *Edit cluster autoscaling settings* to make changes to the autoscaling settings.
.. Once you have made your desired changes, click *Close*.
.. Select a minimum and maximum node count. Node counts can be selected by engaging the available plus and minus signs or inputting the desired node count into the number input field.
.. After you make your changes, click *Close*.
.. Select a minimum and maximum node count. Select the node counts by engaging the available plus and minus signs or inputting the node count into the number input field.
. Select a *Compute node count* from the drop-down menu.
+
[NOTE]
====
After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your {product-title} subscription.
After you create your cluster, you can change the number of compute nodes in it, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your {product-title} subscription.
====

. Choose your preference for the Instance Metadata Service (IMDS) type, either using both IMDSv1 and IMDSv2 types or requiring your EC2 instances to use only IMDSv2. You can access instance metadata from a running instance in two ways:
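Review bot: "Use the key to encrypt all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster." turns a statement about what the platform does with the KMS key into an instruction to the user, who does not encrypt these volumes directly; suggest "The cluster uses this key to encrypt all control plane, infrastructure, and worker node root volumes, and persistent volumes." In the FIPS note, "then by default, you enable *Enable additional etcd encryption* and you cannot disable this feature" is hard to parse; "*Enable additional etcd encryption* is selected by default and cannot be cleared" says the same thing clearly. In the etcd note, "you increase the performance overhead of your workloads by about 20%. The workload increase is a result of..." changes the claim: the original attributed the approximately 20% performance overhead to the second layer of etcd encryption, not to workloads, and "workload increase" is not the same thing as a performance overhead; keep "you will incur a performance overhead of approximately 20%. The overhead is a result of...". The unchanged context line "enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN" also has a duplicated "ARN" that could be fixed in passing.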
@@ -105,12 +108,12 @@ After your cluster is created, you can change the number of compute nodes in you
+
[IMPORTANT]
====
The Instance Metadata Service settings cannot be changed after your cluster is created.
After you create your cluster, you cannot change the Instance Metadata Service settings.
====
+
[NOTE]
====
IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can range from a minimum of one second to a maximum of six hours. During the specified duration, you can use the same session token for subsequent requests. After the specified duration expires, you must create a new session token to use for future requests.
IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can range from a minimum of one second to a maximum of six hours. During the specified duration, you can use the same session token for future requests. After the specified duration expires, you must create a new session token to use for future requests.
====
+
For more information regarding IMDS, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data] in the AWS documentation.
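Review bot: replacing "subsequent requests" with "future requests" in the IMDSv2 note leaves "future requests" ending two consecutive sentences ("you can use the same session token for future requests. After the specified duration expires, you must create a new session token to use for future requests."); keep "subsequent" in the first sentence, or drop the repeated phrase from one of them.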
@@ -133,43 +136,43 @@ include::snippets/snip_install-cluster-in-vpc.adoc[]
+
[NOTE]
====
The *Use a PrivateLink* option cannot be changed after a cluster is created.
You cannot change the *Use a PrivateLink* option after you create a cluster.
====
+
.. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select *Configure a cluster-wide proxy*.
--
. If you opted to install the cluster in an existing AWS VPC, provide your *Virtual Private Cloud (VPC) subnet settings* and select *Next*.
. If you opted to install the cluster in an existing AWS VPC, give your *Virtual Private Cloud (VPC) subnet settings* and select *Next*.
You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.
+
[NOTE]
====
You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.
Ensure that you configure the VPC with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, you only need private subnets.
====
+
.. Optional: Expand *Additional security groups* and select additional custom security groups to apply to nodes in the machine pools that are created by default. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.
.. Optional: Expand *Additional security groups* and select additional custom security groups to apply to nodes in the default machine pools. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.
+
By default, the security groups you specify are added for all node types. Clear the *Apply the same security groups to all node types* checkbox to apply different security groups for each node type.
+
For more information, see the requirements for _Security groups_ under _Additional resources_.
. Accept the default application ingress settings, or to create your own custom settings, select *Custom Settings*.
.. Optional: Provide route selector.
.. Optional: Provide excluded namespaces.
.. Optional: Give route selector.
.. Optional: Give excluded namespaces.
.. Select a namespace ownership policy.
.. Select a wildcard policy.
+
For more information about custom application ingress settings, click the information icon provided for each setting.
For more information about custom application ingress settings, click the information icon for each setting.
+
. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the *Cluster-wide proxy* page:
. If you opted to configure a cluster-wide proxy, give your proxy configuration details on the *Cluster-wide proxy* page:
.. Enter a value in at least one of the following fields:
** Specify a valid *HTTP proxy URL*.
** Specify a valid *HTTPS proxy URL*.
** In the *Additional trust bundle* field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required if you use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the {op-system-first} trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the `http-proxy` and `https-proxy` arguments.
** In the *Additional trust bundle* field, give a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. You need an additional trust bundle file if you use a TLS-inspecting proxy unless you have an identity certificate for the proxy, signed by an authority from the {op-system-first} trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the `http-proxy` and `https-proxy` arguments.
+
.. Click *Next*.
+
For more information about configuring a proxy with {product-title}, see _Configuring a cluster-wide proxy_.

. In the *CIDR ranges* dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
. In the *CIDR ranges* dialog, configure custom classless inter-domain routing (CIDR) ranges or use the designated defaults.
+
[NOTE]
====
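Review bot: "give your *Virtual Private Cloud (VPC) subnet settings*", "Give route selector", "Give excluded namespaces" and "give a PEM encoded X.509 certificate bundle" are all unidiomatic for form input; "enter" or "specify" fits each of these fields. Two accuracy points: in the trust bundle bullet, the comma added in "unless you have an identity certificate for the proxy, signed by an authority from the {op-system-first} trust bundle" makes the signing clause read as an aside rather than as the condition, so the original "unless the identity certificate for the proxy is signed by an authority from the {op-system-first} trust bundle" is clearer about when the bundle is required; and the unchanged context line "See the "Additional resources" section for information about Cloud NATs and Google VPCs." refers to Google Cloud networking in an AWS module, which looks like text carried over from the GCP module and is worth correcting here or in a follow-up. "use the designated defaults" in the CIDR step is also odd; "use the provided defaults" keeps the original meaning.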
@@ -178,7 +181,7 @@ If you are installing into a VPC, the *Machine CIDR* range must match the VPC su
+
[IMPORTANT]
====
CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.
You cannot change CIDR configurations. Confirm your selections with your network administrator before proceeding.
====
+
. On the *Cluster update strategy* page, configure your update preferences:
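Review bot: "You cannot change CIDR configurations." drops "later" from the original sentence and now reads as if CIDR ranges cannot be configured at all, which contradicts the step it sits under; suggest "You cannot change CIDR configurations after the cluster is created.", tying the constraint to creation time the way the PrivateLink and Instance Metadata Service notes in this file already do.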
@@ -192,17 +195,17 @@ You can review the end-of-life dates in the update lifecycle documentation for {
====
+
.. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
.. Optional: You can set a grace period for *Node draining* during cluster upgrades. A *1 hour* grace period is set by default.
.. Optional: You can set a grace period for *Node draining* during cluster upgrades. By default, you get a *1 hour* grace period.
.. Click *Next*.
+
[NOTE]
====
If critical security concerns that significantly impact the security or stability of a cluster occur, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see link:https://access.redhat.com/security/updates/classification[Understanding Red Hat security ratings].
If critical security concerns that significantly impact the security or stability of a cluster occur, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates apply within 48 hours after you get customer notifications. For a description of the critical impact security rating, see link:https://access.redhat.com/security/updates/classification[Understanding Red Hat security ratings].
====

. Review the summary of your selections and click *Create cluster* to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
+
. Optional: On the *Overview* tab, you can enable the delete protection feature by selecting *Enable*, which is located directly under *Delete Protection: Disabled*. This will prevent your cluster from being deleted. To disable delete protection, select *Disable*.
. Optional: On the *Overview* tab, you can enable the delete protection feature by going to *Delete Protection: Disabled* and selecting *Enable*. This feature gives your cluster delete protection. To disable delete protection, select *Disable*.
By default, clusters are created with the delete protection feature disabled.

.Verification
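Review bot: "The updates apply within 48 hours after you get customer notifications." is awkward and hides who applies them; since the previous sentence says Red Hat SRE schedules the updates, "SRE applies the updates within 48 hours after notifying you" is clearer. For delete protection, "This feature gives your cluster delete protection." only restates the feature name and says less than the original "This will prevent your cluster from being deleted."; suggest "This prevents the cluster from being deleted." The following context line, "By default, clusters are created with the delete protection feature disabled.", repeats what the *Delete Protection: Disabled* label in the step already conveys and could be folded into it.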