Merge pull request #16820 from openshift-cherrypick-robot/cherry-pick-16232-to-enterprise-4.2

[enterprise-4.2] osdocs-635 draft of GCP account config

Author: kalexand-rh

_topic_map.yml

@@ -107,8 +107,8 @@ Topics:
 - Name: Installing on GCP
   Dir: installing_gcp
   Topics:
-#  - Name: Configuring an GCP account
-#    File: installing-gcp-account
+  - Name: Configuring an GCP account
+    File: installing-gcp-account
   - Name: Installing a cluster quickly on GCP
     File: installing-gcp-default
   - Name: Installing a cluster on GCP with customizations

installing/installing_gcp/installing-gcp-account.adoc

@@ -1,26 +1,29 @@
 [id="installing-gcp-account"]
-= Configuring a GCP account
+= Configuring a GCP project
 include::modules/common-attributes.adoc[]
 :context: installing-gcp-account
 
 toc::[]
 
-Before you can install {product-title}, you must configure an
-Google Cloud Platform (GCP) account.
+Before you can install {product-title}, you must configure a
+Google Cloud Platform (GCP) project to host it.
 
-//include::modules/installation-aws-route53.adoc[leveloffset=+1]
+include::modules/installation-gcp-dns.adoc[leveloffset=+1]
 
-//include::modules/installation-aws-limits.adoc[leveloffset=+1]
+include::modules/installation-gcp-limits.adoc[leveloffset=+1]
 
-//include::modules/installation-aws-permissions.adoc[leveloffset=+1]
+include::modules/installation-gcp-service-account.adoc[leveloffset=+1]
+include::modules/installation-gcp-permissions.adoc[leveloffset=+2]
 
-//include::modules/installation-aws-iam-user.adoc[leveloffset=+1]
+include::modules/installation-gcp-enabling-api-services.adoc[leveloffset=+1]
 
-//include::modules/installation-aws-regions.adoc[leveloffset=+1]
+include::modules/installation-gcp-regions.adoc[leveloffset=+1]
 
+////
 .Next steps
 
 * Install an {product-title} cluster. You can
 xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installing-gcp-customizations[install a customized cluster]
 or xref:../../installing/installing_gcp/installing-gcp-default.adoc#installing-gcp-default[quickly install a cluster]
 with default options.
+////

modules/installation-gcp-dns.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="installation-gcp-dns_{context}"]
+= Configuring DNS for GCP
+
+To install {product-title}, the Google Cloud Platform (GCP) account you use must
+have a dedicated public hosted zone in the same project that you host the
+{product-title} cluster. This zone must be authoritative for the domain. The
+DNS service provides cluster DNS resolution and name lookup for external
+connections to the cluster.
+
+.Procedure
+
+. Create a project to host your {product-title} cluster. See
+link:https://cloud.google.com/resource-manager/docs/creating-managing-projects[Creating and Managing Projects]
+in the GCP documentation.
+
+. Identify your domain, or subdomain, and registrar. You can transfer an existing domain and
+registrar or obtain a new one through GCP or another source.
++
+[NOTE]
+====
+If you purchase a new domain, it can take time for the relevant DNS
+changes to propagate. For more information about purchasing domains
+through Google, see link:https://domains.google/[Google Domains].
+====
+
+. Create a public hosted zone for your domain or subdomain. See
+link:https://cloud.google.com/dns/zones/#creating_public_zones[Creating public zones]
+in the GCP documentation.
++
+Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain,
+such as `clusters.openshiftcorp.com`.
+
+. Extract the new authoritative name servers from the hosted zone records. See
+link:https://cloud.google.com/dns/docs/update-name-servers#look_up_your_name_servers[Look up your Cloud DNS name servers]
+in the GCP documentation.
++
+You typically have four name servers.
+
+. Update the registrar records for the name servers that your domain
+uses. For example, if you registered your domain to Google Domains, see the
+following topic in the Google Domains Help:
+link:https://support.google.com/domains/answer/3290309?hl=en[How to switch to custom name servers].
+
+. If you use a subdomain, follow your company's procedures to add its delegation
+records to the parent domain.

modules/installation-gcp-enabling-api-services.adoc

@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="installation-gcp-enabling-api-services_{context}"]
+= Enabling API services in GCP
+
+Your Google Cloud Platform (GCP) project requires access to several API services
+to complete {product-title} installation.
+
+.Prerequisites
+
+* You created a project to host your cluster.
+
+.Procedure
+
+* Enable the following required API services in the project that hosts your
+cluster. See
+link:https://cloud.google.com/service-usage/docs/enable-disable#enabling[Enabling services]
+in the GCP documentation.
++
+.Required API services
+[cols="2a,3a",options="header"]
+|===
+|API service |Console service name
+|Compute Engine API
+|`compute.googleapis.com`
+
+|Google Cloud APIs
+|`cloudapis.googleapis.com`
+
+|Cloud Resource Manager API
+|`cloudresourcemanager.googleapis.com`
+
+|Google DNS API
+|`dns.googleapis.com`
+
+|IAM Service Account Credentials API
+|`iamcredentials.googleapis.com`
+
+|Identity and Access Management (IAM API)
+|`iam.googleapis.com`
+
+|Service Management API
+|`servicemanagement.googleapis.com`
+
+|Service Usage API
+|`serviceusage.googleapis.com`
+
+|Google Cloud Storage JSON API
+|`storage-api.googleapis.com`
+
+|Cloud Storage
+|`storage-component.googleapis.com`
+|===

modules/installation-gcp-limits.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="installation-gcp-limits_{context}"]
+= GCP account limits
+
+The {product-title} cluster uses a number of Google Cloud Platform (GCP)
+components, but the default
+link:https://cloud.google.com/docs/quota[Quotas]
+do not affect your ability to install a default {product-title} cluster.
+
+A default cluster, which contains three compute and three control plane machines,
+uses the following resources. Note that some resources are required only during
+the bootstrap process and are removed after the cluster deploys.
+
+.GCP resources used in a default cluster
+
+[cols="2a,2a,2a,2a,2a",options="header"]
+|===
+|Service
+|Component
+|Location
+|Total resources required
+|Resources removed after bootstrap
+
+|Service account |IAM	|Global	|5 |0
+|Firewall Rules	|Compute	|Global	|35 |1
+|Forwarding Rules	|Compute	|Global	|3	|0
+|In-use IP addresses global	|Compute	|Global	|4	|1
+|Health checks	|Compute	|Global	|3	|0
+|Images	|Compute	|Global	|1	|0
+|Networks	|Compute	|Global	|1	|0
+|Static IP addresses	|Compute	|Region	|4	|1
+|Routers	|Compute	|Global	|1	|0
+|Routes	|Compute	|Global	|3	|0
+|Subnetworks	|Compute	|Global	|2	|0
+|Target Pools	|Compute	|Global	|3	|0
+|CPUs	|Compute	|Region	|28	|4
+|Persistent Disk SSD (GB)	|Compute	|Region	|896	|128
+
+|===

modules/installation-gcp-permissions.adoc

@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="installation-gcp-permissions_{context}"]
+= Required GCP permissions
+
+When you attach the `Owner` role to the service account that you create, you
+grant that service account all permissions, including those that are required to
+install {product-title}. To deploy an {product-title} cluster, the service
+account requires the following permissions:
+
+.Required roles for the installer
+* Compute Admin
+* DNS Administrator
+* Security Admin
+* Service Account Admin
+* Service Account User
+* Storage Admin
+
+.Optional roles
+For the cluster to create new limited credentials for its Operators, add
+the following role:
+
+* Service Account Key Admin
+
+The roles are applied to the service accounts that the control plane and compute
+machines use:
+
+.GCP service account permissions
+[cols="2a,2a",options="header"]
+|===
+
+|Account
+|Roles
+
+.5+|Control Plane
+|`roles/compute.instanceAdmin`
+|`roles/network.admin`
+|`roles/compute.securityAdmin`
+|`roles/storage.admin`
+|`roles/iam.serviceAccountUser`
+
+.2+|Compute
+|`roles/compute.viewer`
+|`roles/storage.admin`
+|===

modules/installation-gcp-regions.adoc

@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="installation-gcp-regions_{context}"]
+= Supported GCP regions
+
+You can deploy an {product-title} cluster to the following Google Cloud Platform (GCP)
+regions:
+
+* asia-east1 (Changhua County, Taiwan)
+* asia-east2 (Hong Kong)
+* asia-northeast1 (Tokyo, Japan)
+* asia-northeast2 (Osaka, Japan)
+* asia-south1 (Mumbai, India)
+* asia-southeast1 (Jurong West, Singapore)
+* australia-southeast1 (Sydney, Australia)
+* europe-north1 (Hamina, Finland)
+* europe-west1 (St. Ghislain, Belgium)
+* europe-west2 (London, England, UK)
+* europe-west3 (Frankfurt, Germany)
+* europe-west4 (Eemshaven, Netherlands)
+* europe-west6 (Zürich, Switzerland)
+* northamerica-northeast1 (Montréal, Québec, Canada)
+* southamerica-east1 (São Paulo, Brazil)
+* us-central1 (Council Bluffs, Iowa, USA)
+* us-east1 (Moncks Corner, South Carolina, USA)
+* us-east4 (Ashburn, Northern Virginia, USA)
+* us-west1 (The Dalles, Oregon, USA)
+* us-west2 (Los Angeles, California, USA)

modules/installation-gcp-service-account.adoc

@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="installation-gcp-service-account_{context}"]
+= Creating a service account in GCP
+
+{product-title} requires a Google Cloud Platform (GCP) service account.
+
+.Prerequisites
+
+* You created a project to host your cluster.
+
+.Procedure
+
+. Create a new service account in the project that you use to host your
+{product-title} cluster. See
+link:https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account[Creating a service account]
+in the GCP documentation.
+
+. Grant the service account the appropriate permissions. You can either
+grant the individual permissions that follow or assign the `Owner` role to it.
+See link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[Granting roles to a service account for specific resources]
+
+. Create the service account key.
+See link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Creating service account keys]
+in the GCP documentation.
++
+The service account key is required to create a cluster.