
[OSDOCS-9401]: Document support for Private Service Connect on OSD-GCP

Open mletalie opened this issue 1 year ago • 2 comments

Version(s): 4.17+

Issue: https://issues.redhat.com/browse/OSDOCS-9401

Link to docs preview:

QE review:

  • [ ] QE has approved this change.

Additional information:

mletalie avatar Oct 15 '24 20:10 mletalie

🤖 Mon Nov 11 22:59:25 - Prow CI generated the docs preview:

https://83582--ocpdocs-pr.netlify.app/openshift-dedicated/latest/osd_install_access_delete_cluster/creating-a-gcp-psc-enabled-private-cluster.html

ocpdocs-previewbot avatar Oct 15 '24 20:10 ocpdocs-previewbot

/label peer-review-in-progress

AedinC avatar Nov 06 '24 15:11 AedinC

/label peer-review-done

AedinC avatar Nov 06 '24 17:11 AedinC

@mletalie , @AedinC : Sharing my review comments. Sorry for the delay.

The description for Private Service Connect architecture needs a little rewording. How about the following? @michaelryanmcneill , @ckandag : can you please check if this looks okay?

Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. The PSC architecture includes producer services and consumer services. Using PSC, the consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connection to their consumers.

The following image depicts how Red Hat SREs and other internal resources access private OSD clusters over a secured, private connectivity facilitated by PSC.

  • A unique PSC Service Attachment is created for each OSD cluster in the customer GCP project. The PSC Service Attachment points to the cluster API server load balancer created in the customer GCP project.
  • Similar to Service Attachments, a unique PSC Service Endpoint is created in the Red Hat Management GCP project for each OSD cluster.
  • A dedicated subnet for GCP Private Service Connect is created in the cluster’s network within the customer GCP project. This is a special subnet type where the producer services are published via PSC Service Attachments. This subnet is used to Source NAT (SNAT) incoming requests to the cluster API server. Additionally, the PSC subnet must be within the MachineCIDR range and cannot be used in more than one Service Attachment.
  • Red Hat internal resources and SREs access private OSD clusters using the connectivity between a PSC Endpoint and Service Attachment. Even though the traffic transits multiple VPC networks, it remains entirely within Google Cloud.
  • The access to PSC Service Attachments is possible only via the Red Hat Management project.

"Figure 1. PSC architecture overview" diagram looks okay.

In Creating a private cluster with Private Service Connect section

  • "Private Service Connect is supported with the Customer Cloud Subscription (CCS) model only". Let's refer to CCS as the infrastructure type. This will make it consistent with the IMPORTANT note mentioned at the top of the page - "Private Service Connect is supported by the Customer Cloud Subscription (CCS) infrastructure type only."

The Prerequisites section looks okay. However, the Customer Requirements referenced in the Additional Resources should also include the following, with a note below the respective tables that these are only required when deploying private OSD clusters with Private Service Connect.

svmrh avatar Nov 10 '24 00:11 svmrh
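The review above states two constraints on the dedicated PSC subnet: it must fall inside the cluster's MachineCIDR, and one subnet cannot back more than one Service Attachment. The following is an added example (not code from the openshift-docs PR or from OSD tooling) that checks a set of proposed cluster plans against those two constraints; the `PscPlan` type, the cluster names and the CIDR ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PscPlan:
    """One OSD cluster's proposed PSC layout (constructed, hypothetical type)."""
    cluster: str
    machine_cidr: str   # the cluster's MachineCIDR
    psc_subnet: str     # dedicated PSC subnet published via the Service Attachment


def check_psc_plans(plans: list[PscPlan]) -> dict[str, list[str]]:
    """Return cluster -> list of constraint violations (an empty list means OK)."""
    findings: dict[str, list[str]] = {p.cluster: [] for p in plans}
    claimed = []  # (psc subnet, owning cluster) for subnets already assigned
    for p in plans:
        try:
            machine = ipaddress.ip_network(p.machine_cidr, strict=True)
            psc = ipaddress.ip_network(p.psc_subnet, strict=True)
        except ValueError as exc:  # host bits set or unparsable prefix
            findings[p.cluster].append(f"invalid CIDR: {exc}")
            continue
        # Constraint 1: the PSC subnet must lie within the MachineCIDR range.
        if psc.version != machine.version or not psc.subnet_of(machine):
            findings[p.cluster].append(
                f"PSC subnet {psc} is outside MachineCIDR {machine}")
        # Constraint 2: a subnet may back only one Service Attachment; overlapping
        # ranges are flagged, not only exact duplicates.
        for other, owner in claimed:
            if psc.version == other.version and psc.overlaps(other):
                findings[p.cluster].append(
                    f"PSC subnet {psc} overlaps {other}, already used by cluster {owner}")
        claimed.append((psc, p.cluster))
    return findings


# Constructed sample: one valid plan, one outside its MachineCIDR, one reusing a subnet.
SAMPLE_PLANS = [
    PscPlan("prod-a", "10.0.0.0/16", "10.0.255.0/24"),
    PscPlan("prod-b", "10.1.0.0/16", "10.2.0.0/24"),
    PscPlan("prod-c", "10.0.0.0/16", "10.0.255.0/24"),
]

if __name__ == "__main__":
    for cluster, problems in check_psc_plans(SAMPLE_PLANS).items():
        print(cluster, "OK" if not problems else "; ".join(problems))
```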

Add "private"

Creating a GCP Private Service Connect enabled private cluster

You can create a private OpenShift Dedicated cluster on Google Cloud Platform (GCP) using Google Cloud’s security-enhanced networking feature Private Service Connect (PSC).

svmrh avatar Nov 10 '24 00:11 svmrh

All sub-topics under Creating a cluster on GCP must be updated to include the PSC configuration steps when "Private" is chosen on the "Network configuration" page of the OCM UI. The UI screens are available in OCM stage as well as in OCM prod (for select internal ocm orgs). The UI screens can be reviewed via the OSD cluster wizard in stage: https://console.dev.redhat.com/openshift/create/osd

Note: the cluster installation steps must be updated for both authentication types - service account and workload identity federation.

Creating a private cluster with Private Service Connect

To create an OpenShift Dedicated on Google Cloud Platform (GCP) using PSC, see Creating a cluster on GCP with Google Cloud Marketplace.

svmrh avatar Nov 10 '24 00:11 svmrh

The "GCP firewall prerequisites" link doesn't point to the correct page.

For information about configuring your firewalls, see GCP firewall prerequisites.

svmrh avatar Nov 10 '24 00:11 svmrh

Regarding my previous comment - I realized the PSC steps are handled in a separate OSDOCS ticket/PR: https://github.com/openshift/openshift-docs/pull/84143. Added some comments to this PR.

svmrh avatar Nov 10 '24 00:11 svmrh

@mletalie , @AedinC : Sharing my review comments. Sorry for the delay.

The description for Private Service Connect architecture needs a little rewording. How about the following? @michaelryanmcneill , @ckandag : can you please check if this looks okay?

Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. The PSC architecture includes producer services and consumer services. Using PSC, the consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connection to their consumers.

The following image depicts how Red Hat SREs and other internal resources access private OSD clusters over a secured, private connectivity facilitated by PSC.

  • A unique PSC Service Attachment is created for each OSD cluster in the customer GCP project. The PSC Service Attachment points to the cluster API server load balancer created in the customer GCP project.
  • Similar to Service Attachments, a unique PSC Service Endpoint is created in the Red Hat Management GCP project for each OSD cluster.
  • A dedicated subnet for GCP Private Service Connect is created in the cluster’s network within the customer GCP project. This is a special subnet type where the producer services are published via PSC Service Attachments. This subnet is used to Source NAT (SNAT) incoming requests to the cluster API server. Additionally, the PSC subnet must be within the MachineCIDR range and cannot be used in more than one Service Attachment.
  • Red Hat internal resources and SREs access private OSD clusters using the connectivity between a PSC Endpoint and Service Attachment. Even though the traffic transits multiple VPC networks, it remains entirely within Google Cloud.
  • The access to PSC Service Attachments is possible only via the Red Hat Management project.

"Figure 1. PSC architecture overview" diagram looks okay.

In Creating a private cluster with Private Service Connect section

  • "Private Service Connect is supported with the Customer Cloud Subscription (CCS) model only". Let's refer to CCS as the infrastructure type. This will make it consistent with the IMPORTANT note mentioned at the top of the page - "Private Service Connect is supported by the Customer Cloud Subscription (CCS) infrastructure type only."

The Prerequisites section looks okay. However, the Customer Requirements referenced in the Additional Resources should also include the following, with a note below the respective tables that these are only required when deploying private OSD clusters with Private Service Connect.

This is addressed in this PR, and will be visible once the PR is merged.

mletalie avatar Nov 11 '24 13:11 mletalie

The "GCP firewall prerequisites" link doesn't point to the correct page.

For information about configuring your firewalls, see GCP firewall prerequisites.

Will be able to directly point to that link once PR is published. https://issues.redhat.com/browse/OSDOCS-7329. Until then, we can only point to the main page where that topic is located.

mletalie avatar Nov 11 '24 13:11 mletalie

@mletalie: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Nov 11 '24 23:11 openshift-ci[bot]

/cherrypick enterprise-4.17

EricPonvelle avatar Nov 12 '24 16:11 EricPonvelle

/cherrypick enterprise-4.18

EricPonvelle avatar Nov 12 '24 16:11 EricPonvelle

@EricPonvelle: new pull request created: #84826

In response to this:

/cherrypick enterprise-4.17

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@EricPonvelle: new pull request created: #84827

In response to this:

/cherrypick enterprise-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.