[OSDOCS-6942]:OSD on GCP can be installed into Shared VPC (XPN)

[mletalie]

Version(s):

4.14+
Issue:

https://issues.redhat.com/browse/OSDOCS-6942
Link to docs preview:

https://66312--docspreview.netlify.app/openshift-dedicated/latest/osd_install_access_delete_cluster/creating-a-gcp-cluster#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp
(Scroll to step 15. Changes happen between steps 15-17, and a note is added after step 20).

https://66312--docspreview.netlify.app/openshift-dedicated/latest/osd_install_access_delete_cluster/osd-deleting-a-cluster
Note at end of steps.
QE review:

• QE has approved this change.

Additional information:

[ocpdocs-previewbot]

🤖 Updated build preview is available at:
https://66312--docspreview.netlify.app

Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/31688

[mletalie]

Hello @svmrh,
Please see the draft for this topic here (starting on step 15) https://66312--docspreview.netlify.app/openshift-dedicated/latest/osd_install_access_delete_cluster/creating-a-gcp-cluster#osd-create-gcp-cluster-ccs_osd-creating-a-cluster-on-gcp

Questions:

1. Do you think we need a link in the first "Important" note that points users to info regarding enabling a project as a host project?

2. In the second "Important" note, it states "...who must grant the service account..." Do we need to specify that the service account is auto-generated once the steps in the wizard are completed (I think that is the case from watching the demo) and that service account ID needs to be given to the host project administrator so they can grant those permissions to that service account?

3. Do you think that the placement of this "Important" note is correct, or would it make more sense at the end of the steps in the docs?

4. Do you think in step 16 we need to change the first sentence to reflect the option we have added (ie shared GPC VPC)? Maybe not necessary, b/c user has to have opted to install the cluster in an existing GCP VPC to access installing the cluster in a shared VPC...but let me know what you think.

5. Overall, do think anymore specific information needs to be added for user to use this feature? Not sure if we need to go deeper into the specifics given we are linking out to Google docs that are overall pretty informative.

Thanks for your help!

[svmrh]

@mletalie : Thanks for putting this together.

1. The placement of the first "IMPORTANT" note if fine. Yes, it will be good to point users to the GCP documentation on Shared VPC. Here's the link to GCP documentation explaining the steps to enable a host project.
   https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc

Do you think it makes sense to also add a link to general overview on what is Shared VPC in Google Cloud?
https://cloud.google.com/vpc/docs/shared-vpc

2. For the IMPORTANT note in 15.b, can we make it explicit that the cluster admin has to complete the steps within the cluster configuration wizard and hit submit. I have made minor edits. Please check if it looks okay

Once you complete the steps within the cluster configuration wizard and click "Create Cluster", the cluster will go into "Installation Pending" state. At this point, you must contact the VPC administrator of the host project, who must grant the dynamically generated service account the following permissions: Computer Network Administrator, Compute Security Administrator, and DNS Administrator. The administrator has 30 days to grant the listed permissions before the cluster creation fails. For information about shared GPC VPC permissions, see Provision shared VPC.

3. the placement of the second IMPORTANT note is fine here (i.e. in step 15.b). Placing it towards the end of all the steps (i.e. after step 20) might be a little off context. What are your thoughts?

4. Yeah, no need of adding references to the Shared VPC option in step 16. This is because the users can install into an existing VPC (i.e. do step 16) and still skip the Shared VPC configuration.

Let's share this MR in tomorrow's (Thursday, Oct 19th) team meeting and request everyone to review changes.

[mletalie]

@mletalie : Thanks for putting this together.

1. The placement of the first "IMPORTANT" note if fine. Yes, it will be good to point users to the GCP documentation on Shared VPC. Here's the link to GCP documentation explaining the steps to enable a host project.
   https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc

Do you think it makes sense to also add a link to general overview on what is Shared VPC in Google Cloud? https://cloud.google.com/vpc/docs/shared-vpc

2. For the IMPORTANT note in 15.b, can we make it explicit that the cluster admin has to complete the steps within the cluster configuration wizard and hit submit. I have made minor edits. Please check if it looks okay

Once you complete the steps within the cluster configuration wizard and click "Create Cluster", the cluster will go into "Installation Pending" state. At this point, you must contact the VPC administrator of the host project, who must grant the dynamically generated service account the following permissions: Computer Network Administrator, Compute Security Administrator, and DNS Administrator. The administrator has 30 days to grant the listed permissions before the cluster creation fails. For information about shared GPC VPC permissions, see Provision shared VPC.

3. the placement of the second IMPORTANT note is fine here (i.e. in step 15.b). Placing it towards the end of all the steps (i.e. after step 20) might be a little off context. What are your thoughts?
4. Yeah, no need of adding references to the Shared VPC option in step 16. This is because the users can install into an existing VPC (i.e. do step 16) and still skip the Shared VPC configuration.

Let's share this MR in tomorrow's (Thursday, Oct 19th) team meeting and request everyone to review changes.

Thanks @svmrh, will take a look at your responses and get back to you ASAP. Appreciate it!

[mletalie]

Hello @svmrh,
Thanks again for feedback. See responses below:

@mletalie : Thanks for putting this together.

1. The placement of the first "IMPORTANT" note if fine. Yes, it will be good to point users to the GCP documentation on Shared VPC. Here's the link to GCP documentation explaining the steps to enable a host project.
   https://cloud.google.com/vpc/docs/provisioning-shared-vpc#set-up-shared-vpc
   DONE
   Do you think it makes sense to also add a link to general overview on what is Shared VPC in Google Cloud? https://cloud.google.com/vpc/docs/shared-vpc

2. For the IMPORTANT note in 15.b, can we make it explicit that the cluster admin has to complete the steps within the cluster configuration wizard and hit submit. I have made minor edits. Please check if it looks okay

Once you complete the steps within the cluster configuration wizard and click "Create Cluster", the cluster will go into "Installation Pending" state. At this point, you must contact the VPC administrator of the host project, who must grant the dynamically generated service account the following permissions: Computer Network Administrator, Compute Security Administrator, and DNS Administrator. The administrator has 30 days to grant the listed permissions before the cluster creation fails. For information about shared GPC VPC permissions, see Provision shared VPC.
DONE

3. the placement of the second IMPORTANT note is fine here (i.e. in step 15.b). Placing it towards the end of all the steps (i.e. after step 20) might be a little off context. What are your thoughts?
   I think it is good as is. Thanks!
4. Yeah, no need of adding references to the Shared VPC option in step 16. This is because the users can install into an existing VPC (i.e. do step 16) and still skip the Shared VPC configuration.
   Sounds good. Appreciate the clarity!
   Let's share this MR in tomorrow's (Thursday, Oct 19th) team meeting and request everyone to review changes.

Thanks @svmrh, will take a look at your responses and get back to you ASAP. Appreciate it!

Thanks @svmrh, please see comments above. Appreciate it!

[mletalie]

Hello reviewers, please see https://redhat-internal.slack.com/archives/D04KG1N67MZ/p1698090978994849 which describes why I needed to conditionalize out the hyperlink to keep the build from breaking.

[mletalie]

Hello @jianli-wei, when you get a moment can you please review the doc changes brought forth in these docs? Thanks!

[svmrh]

LGTM.

A few minor comments -

1. Does it makes sense to repeat this note on Deleting an OpenShift Dedicated cluster page as well?
   

2. @ckandag - Should we tweak step 16 a little to say something like "If you are installing into a GCP shared VPC, the VPC name and subnets are being shared from the host project..."
   

@jianli-wei - can you please review the doc changes and give a QE 👍

Thanks @mletalie for driving the documentation changes for this feature.

[jianli-wei]

In fact, the service account itself would be deleted during the cluster deletion. So suggest to put it like below,

... you must inform the VPC owner of the host project to remove the IAM policy binding of the service account and its binding roles in the host project.

[mletalie]

In fact, the service account itself would be deleted during the cluster deletion. So suggest to put it like below,

... you must inform the VPC owner of the host project to remove the IAM policy binding of the service account and its binding roles in the host project.

Thanks @jianli-wei,
I applied your suggestion with just a slight tweak in wording to fit the narrative prior to that note. Thanks for the clarity.

[mletalie]

LGTM.

A few minor comments -

1. Does it makes sense to repeat this note on Deleting an OpenShift Dedicated cluster page as well?
   
2. @ckandag - Should we tweak step 16 a little to say something like "If you are installing into a GCP shared VPC, the VPC name and subnets are being shared from the host project..."
   

@jianli-wei - can you please review the doc changes and give a QE 👍

Thanks @mletalie for driving the documentation changes for this feature.

Hello @svmrh,
For point #1, I have added a note to that doc:

For point #2, I have added a note:

[svmrh]

Thanks @mletalie and @jianli-wei

[svmrh]

Do not publish these changes just yet.

• Engineering team is facing issues provisioning an OSD cluster into GCP Shared VPC with 4.14.x images (no issues seen in case of 4.13.x images). So, until this is resolved, do not publish the content changes for this feature.
• Slack thread used for triaging this issue: https://redhat-internal.slack.com/archives/CCX9DB894/p1698949140705799

[svmrh]

[Thursday, Nov 2nd 2:55pm PT] Update:
The issue has been resolved. After applying the fix, 4.14 OSD cluster install into a GCP Shared VPC was successful. But given the last minute hiccup, the plan is to go GA on Monday.

We will wait for QE to run sanity tests in production env and confirm if everything looks good.

I will update this thread on Monday once everything looks good.

[jneczypor]

I took a look and added comments for a few changes. LGTM!

[EricPonvelle]

I just had one small follow up, but looks good.

[mletalie]

/remove-label peer-review-needed

[mletalie]

/label peer-review-done

[svmrh]

Both backend and UI changes for this feature are enabled in production. Even the feature flag is removed for all orgs. Please kickoff the process for publishing the content updates for XCMSTRAT-91

[EricPonvelle]

/lgtm

[EricPonvelle]

/cherrypick enterprise-4.14

[EricPonvelle]

/cherrypick enterprise-4.15

[openshift-cherrypick-robot]

@EricPonvelle: new pull request created: #67537

In response to this:

/cherrypick enterprise-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@EricPonvelle: new pull request created: #67538

In response to this:

/cherrypick enterprise-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.