Classified Provisioning Docs

docs/classified-provisioning-docs/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "Classified Provisioning",
+  "position": 6,
+  "link": {
+    "type": "generated-index",
+    "description": "Native Rancher Provisioning on AWS C2S/SC2S Environments"
+  }
+}

docs/classified-provisioning-docs/installation.md

@@ -0,0 +1,77 @@
+# Installation
+
+## Bundle Artifacts in Connected Environment
+
+In a connected environment, utilize the `hauler` CLI to verify and collect the Classified Provisioning images from the Carbide registry.
+
+1. Download the Carbide public key.
+
+    ```bash
+    wget -O /tmp/carbide-key.pub https://github.com/rancherfederal/carbide-releases/releases/download/0.1.1/carbide-key.pub
+    ```
+
+1. Create the Hauler manifest file.
+
+    ```bash
+    cat <<EOT > /tmp/manifest.yaml
+    apiVersion: content.hauler.cattle.io/v1alpha1
+    kind: Images
+    metadata:
+      name: carbide-rancher-extra
+      annotations:
+        hauler.dev/version: "v2.8.5-carbide-1"
+        hauler.dev/key: "/tmp/carbide-key.pub"
+    spec:
+      images:
+        - name: "rgcrprod.azurecr.us/rancher/machine:v0.15.0-rancher112-carbide-1"
+        - name: "rgcrprod.azurecr.us/rancher/rancher:v2.8.5-carbide-1"
+        - name: "rgcrprod.azurecr.us/rancher/rancher-agent:v2.8.5-carbide-1"
+EOT
+    ```
+
+    **NOTE**: If deploying to a different architecture than the server used to pull your images, be sure to set the `hauler.dev/platform` annotation. For instance:
+
+    ```yaml
+    apiVersion: content.hauler.cattle.io/v1alpha1
+    kind: Images
+    metadata:
+      name: carbide-rancher-extra
+      annotations:
+        hauler.dev/version: "v2.8.5-carbide-1"
+        hauler.dev/key: "/tmp/carbide-key.pub"
+        hauler.dev/platform: "linux/amd64"
+    ...
+    ```
+
+2. Login into the Carbide registry, then validate & pull the images to the local Hauler store.
+
+    ```bash
+    hauler login rgcrprod.azurecr.us -u USERNAME_PLACEHOLDER -p PASSWORD_PLACEHOLDER
+    hauler store sync --files /tmp/manifest.yaml
+    hauler store save
+    ```
+
+3. Move the resulting `haul.tar.zst` file into your air-gapped, classified environment. 
+
+## Copy Files to Your Classified Registry
+
+1. Copy the `haul.tar.zst` and the `hauler` CLI to a server in your classified environment. Ensure `hauler` is added to your PATH.
+
+2. Load the bundle to the local store & copy the images to your registry.
+
+    ```bash
+    hauler store load haul.tar.zst
+    hauler store copy -u john.doe -p password registry://registry.url.example.com
+    ```
+
+## Update Your Rancher Installation
+
+1. Using `helm` and the [airgapped Rancher chart tarball](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/install-rancher-ha), upgrade your existing Rancher installation with the new tag.
+
+    ```bash
+    helm upgrade -n cattle-system --reuse-values --set rancherImageTag=v2.8.5-carbide-1 rancher rancher-2.8.5.tgz
+    ```
+
+\
+For more information about Air-gaped Installation of Rancher, see the [Rancher air-gapped](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install) docs.
+

docs/classified-provisioning-docs/introduction.md

@@ -0,0 +1,24 @@
+# Introduction
+
+In classified regions of AWS, the ability to natively provision RKE2 clusters through the Rancher MCM provides a lot of benefits in comparison to importing clusters.
+
+| Feature/Functionality | Imported Cluster | Native Provisioned Cluster |
+|-|-|-|
+| Cluster Access with `kubectl` or `kubeconfig` | ✓ | ✓ |
+| Cluster Access Management (RBAC) | ✓ | ✓ |
+| Managing Projects, Namespaces, & Workloads | ✓ | ✓ |
+| Managing Persistent Volumes & Storage Classes | ✓ | ✓ |
+| Use of Rancher App Catalog(s) | ✓ | ✓ |
+| Configuring Infrastructure Tools (Monitoring, Logging, Istio, etc.) | ✓ | ✓ |
+| Managing & Running Security Scans | ✓ | ✓ |
+| Modifying Cluster Configuration | | ✓ |
+| Automated Cluster Kubernetes Version Upgrades | | ✓ |
+| Cluster Node Management (Adding/Removing/Scaling) | | ✓ |
+| Cluster Node Access via Shell (SSH) | | ✓ |
+| Automated Cluster Certificate Rotation | | ✓ |
+| Automated Cluster Encryption Key Rotation | | ✓ |
+| Ability to Snapshot, Backup, & Restore | | ✓ |
+| Configuring PSS/PSA/PSP | | ✓ |
+
+
+Classified Provisioning provides the ability to natively provision clusters through Rancher onto the same AWS account that Rancher is running in through the use of IAM roles attached to the instances running Rancher. This greatly simplifies Day 2 Operations and enables a seamless experience in any environment.

docs/classified-provisioning-docs/prereqs.md

@@ -0,0 +1,105 @@
+# Prerequisites
+
+In order to utilize Classified Provisioning in SC2S/C2S, you will need the following prerequisites.
+
+## Tools
+
+The following tools are required to package Classified Provisioning artifacts and install/upgrade Rancher.
+
+- [Hauler](https://rancherfederal.github.io/hauler-docs/docs/introduction/install)
+- [Helm](https://helm.sh/docs/intro/install)
+- [Rancher](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade) (v2.7.13, v2.7.14, v2.8.4 or greater)
+
+## IAM Role & Instance Profile
+
+The following IAM role needs to be created in the account and accessible to attach to the EC2 instances running Rancher MCM, substituting the AWS region and AWS account ID for the placeholders:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "RancherAWSEC2Permissions",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:Describe*",
+                "ec2:ImportKeyPair",
+                "ec2:CreateKeyPair",
+                "ec2:CreateSecurityGroup",
+                "ec2:CreateTags",
+                "ec2:DeleteKeyPair",
+                "ec2:ModifyInstanceMetadataOptions"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "RancherAWSKMSPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt",
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:Encrypt",
+                "kms:DescribeKey",
+                "kms:CreateGrant",
+                "ec2:DetachVolume",
+                "ec2:AttachVolume",
+                "ec2:DeleteSnapshot",
+                "ec2:DeleteTags",
+                "ec2:CreateTags",
+                "ec2:CreateVolume",
+                "ec2:DeleteVolume",
+                "ec2:CreateSnapshot"
+            ],
+            "Resource": [
+              "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:volume/*",
+              "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:instance/*",
+              "arn:aws:ec2:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:snapshot/*",
+              "arn:aws:kms:AWS_REGION_PLACEHOLDER':AWS_ACCOUNT_ID_PLACEHOLDER:key/*"
+            ]
+        },
+        {
+            "Sid": "RancherAWSPassRolePermissions",
+            "Effect": "Allow",
+            "Action": [
+				"iam:PassRole",
+				"ec2:RunInstances",
+				"ec2:DetachVolume",
+				"ec2:AttachVolume",
+				"ec2:DeleteSnapshot",
+				"ec2:DeleteTags",
+				"ec2:CreateTags",
+				"ec2:CreateVolume",
+				"ec2:DeleteVolume",
+				"ec2:CreateSnapshot"
+            ],
+            "Resource": [
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER::image/ami-*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:instance/*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:placement-group/*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:volume/*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:subnet/*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:key-pair/*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:network-interface/*",
+                "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:security-group/*",
+                "arn:aws:iam::AWS_ACCOUNT_ID_PLACEHOLDER:role/*"
+            ]
+        },
+        {
+            "Sid": "RancherAWSEC2ScopedPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:RebootInstances",
+                "ec2:TerminateInstances",
+                "ec2:StartInstances",
+                "ec2:StopInstances"
+            ],
+            "Resource": "arn:aws:ec2:AWS_REGION_PLACEHOLDER:AWS_ACCOUNT_ID_PLACEHOLDER:instance/*"
+        }
+    ]
+}
+```
+
+This role needs to then be attached to all EC2 instances that Rancher MCM is running on.
+
+![Modify IAM Role](/img/classified-provisioning/modify-iam-role.png)

docs/classified-provisioning-docs/usage.md

@@ -0,0 +1,40 @@
+# Usage
+
+## Creating a Carbide Cloud Credential
+
+1. In the Rancher MCM's menu, access Cloud Credentials (`Cluster Management` -> `Cloud Credentials`)
+
+2. Select `Create` and choose `Amazon`.
+
+3. Choose a name, enable the `Carbide Instance Credential`, select the default region for your environment, and click `Create`.
+
+    ![Create Carbide Cloud Credential](/img/classified-provisioning/create-carbide-cloud-creds.png)
+
+## Creating a Classified Cluster
+
+1. In the Rancher MCM's menu, access `Cluster Management` and click `Create`. Ensure the `RKE2/K3s` toggle is enabled and select `Amazon EC2`.
+
+2. Select the Cloud Credentials created in the previous step, then add node pools as you normally would for provisioning a cluster from Rancher.
+
+
+    **NOTE**: In SC2S/C2S, it is **required** for you to enter an `AMI ID` and the respective `SSH User` for that AMI ID under the `Advanced` settings.
+
+    **NOTE**: In SC2S/C2S, not all Instance Types are available. Ensure you are leverage an Instance Type that is **available in your environment**. This list will be dynamic in the future.
+
+    **NOTE**: If no security group is provided, Rancher will attempt to create a Security Group. If the ability to create Security Groups is limited, have a Security Group created by your Account Manager/Broker that has the [appropriate port configuration](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements) and select that existing Security Group in the `Advanced` settings.
+
+    ![Create RKE2 Cluster in C2S](/img/classified-provisioning/create-carbide-cloud-creds.png)
+
+    For more information on provisioning an RKE2/K3s cluster on Amazon EC2s, see the [Rancher docs](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider/create-an-amazon-ec2-cluster).
+
+### Registry Configuration
+
+When using a private registry, downstream clusters need to be configured to have the right authentication and certificate information to access that registry via the [registries.yaml](https://docs.rke2.io/install/containerd_registry_configuration) file. Rancher provisioned clusters can be configured through the UI to generate.
+
+1. Under the `Cluster Configuration` section when provisioning a cluster, select the `Registries` section.
+
+2. Enter the registry domain in the `Container Registry` box, and either select existing registry credentials or create new credentials for authentication to the registry.
+
+3. If advanced configuration (mirroring, certificates, additional authentication), add those to the advanced settings.
+
+For more information, see the [RKE2 Containerd Registry Configuration](https://docs.rke2.io/install/containerd_registry_configuration) documentation.

sidebars.js

@@ -81,6 +81,17 @@ const sidebars = {
         },
       ],
     },
+    {
+      type: 'category',
+      label: 'Classified Provisioning',
+      collapsed: false,
+      items: [
+        'classified-provisioning-docs/introduction',
+        'classified-provisioning-docs/prereqs',
+        'classified-provisioning-docs/installation',
+        'classified-provisioning-docs/usage',
+      ],
+    },
     {
       type: 'category',
       label: 'STIGATRON',

src/css/custom.css

@@ -74,3 +74,8 @@
   font-family: nasalization;
   color: red;
 }
+
+table td{
+  text-align: center;
+  font-weight: bold;
+}