Merge pull request #108102 from EricPonvelle/OSDOCS-17466_FIPS_cryptography_2

OSDOCS-17466: Added FIPS encryption documentation

Author: EricPonvelle

_topic_maps/_topic_map_rosa_hcp.yml

@@ -194,6 +194,8 @@ Topics:
     File: rosa-hcp-creating-a-cluster-quickly-terraform
 - Name: Creating ROSA clusters using a custom AWS KMS encryption key
   File: rosa-hcp-creating-cluster-with-aws-kms-key
+- Name: Deploying Red Hat OpenShift Service on AWS clusters using FIPS encryption
+  File: rosa-hcp-creating-cluster-with-fips-encryption
 - Name: Configuring a shared virtual private cloud for ROSA clusters
   File: rosa-hcp-shared-vpc-config
 - Name: Creating a private cluster on ROSA

modules/aws-encryption-key.adoc

@@ -0,0 +1,140 @@
+// Module included in the following assemblies:
+//
+// * observability/monitoring/enabling-monitoring-for-user-defined-projects.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="aws-encryption-key_{context}"]
+= Create an AWS KMS encryption key
+
+[role="_abstract"]
+Using your AWS account and the `aws` CLI tool, you can create an AWS KMS encryption key to encypt your resources.
+
+.Procedure
+
+. Set the AWS region where you installed your VPC by running the following command:
++
+[NOTE]
+====
+You should use the same region where you installed your VPC.
+====
++
+[source,terminal]
+----
+$ AWS_REGION=<aws_region>
+----
+
+. Create a custom AWS customer-managed KMS key by running the following command:
++
+[source,terminal]
+----
+$ KMS_ARN=$(aws kms create-key --region $AWS_REGION --description 'Custom ROSA Encryption Key' --tags TagKey=red-hat,TagValue=true --query KeyMetadata.Arn --output text)
+----
++
+This command saves the Amazon Resource Name (ARN) output of this custom key for further steps.
++
+[NOTE]
+====
+Customers must provide the `--tags TagKey=red-hat,TagValue=true` argument that is required for a customer KMS key.
+====
+
+. Verify the KMS key has been created by running the following command:
++
+[source,terminal]
+----
+$ echo $KMS_ARN
+----
+
+. Set your AWS account ID to an environment variable by running the following command:
++
+[source,terminal]
+----
+$ AWS_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
+----
+
+. Create your AWS key policy by running the following command.
++
+[NOTE]
+====
+If you use the default prefix, you need to modify the following code sample where you see `{PREFIX}-` to `ManagedOpenShift-`.
+====
++
+[source,terminal]
+----
+cat << EOF > rosa-key-policy.json
+{
+    "Version": "2012-10-17",
+    "Id": "key-rosa-policy-1",
+    "Statement": [
+        {
+            "Sid": "Enable IAM User Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${AWS_ACCOUNT}:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow ROSA use of the key",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Support-Role",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Installer-Role",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Worker-Role",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-openshift-cluster-csi-drivers-ebs-cloud-credentials",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-kube-system-kms-provider"
+                ]
+            },
+            "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow attachment of persistent resources",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Support-Role",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Installer-Role",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Worker-Role",
+                    "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-openshift-cluster-csi-drivers-ebs-cloud-credentials"
+                ]
+            },
+            "Action": [
+                "kms:CreateGrant",
+                "kms:ListGrants",
+                "kms:RevokeGrant"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Bool": {
+                    "kms:GrantIsForAWSResource": "true"
+                }
+            }
+        }
+    ]
+}
+EOF
+----
+
+. Confirm the details of the policy file created by running the following command:
++
+[source,terminal]
+----
+$ cat rosa-key-policy.json
+----
+
+. Apply the newly generated key policy to the custom KMS key by running the following command:
++
+[source,terminal]
+----
+aws kms put-key-policy --key-id $KMS_ARN --policy file://rosa-key-policy.json --policy-name default
+----
++
+You can now create your cluster using this AWS KMS encryption key.

modules/creating-cluster-with-fips-encryption.adoc

@@ -0,0 +1,106 @@
+// Module included in the following assemblies:
+//
+// * observability/monitoring/enabling-monitoring-for-user-defined-projects.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="creating-cluster-with-fips-encryption_{context}"]
+= Creating a {product-title} cluster using a custom AWS KMS key
+
+[role="_abstract"]
+You can create a {product-title} cluster with Federal Information Processing Standards (FIPS) encryption that uses a customer-provided KMS key to encrypt either node root volumes, the etcd database, or both. A different KMS key ARN can be provided for each option.
+
+[NOTE]
+====
+{product-title} does not automatically configure the `default` storage class to encrypt persistent volumes with the customer-provided KMS key. This is something that can be configured in-cluster after installation.
+====
+
+.Procedure
+
+. Verify the KMS key has been created by running the following command:
++
+[source,terminal]
+----
+$ echo $KMS_ARN
+----
+
+. Confirm the details of the policy file created by running the following command:
++
+[source,terminal]
+----
+$ cat rosa-key-policy.json
+----
+
+. Create the cluster by running the following command:
++
+--
+include::snippets/rosa-long-cluster-name.adoc[]
+--
++
+[source,terminal]
+----
+$ rosa create cluster \
+--cluster-name ${PREFIX}-test \
+--hosted-cp \
+--machine-cidr 10.0.0.0/16 \
+--oidc-config-id $OIDC_CONFIG \
+--mode auto \
+--region $AWS_REGION \
+--replicas 2 \
+--operator-roles-prefix $PREFIX \
+--installer-role-arn "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Installer-Role" \
+--support-role-arn "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Support-Role" \
+--worker-iam-role-arn "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Worker-Role" \
+--subnet-ids <subnet-ids> \
+--etcd-encryption \
+--etcd-encryption-kms-arn $KMS_ARN \
+--fips
+----
++
+--
+where:
+
+`--subnet-ids`:: These subnet IDs should be at least one private subnet ID and public subnet ID.
+`--kms-key-arn`:: This KMS key ARN is used to encrypt all worker node root volumes. It is not required if only etcd database encryption is needed.
+`--etcd-encryption-kms-arn`:: This KMS key ARN is used to encrypt the etcd database. The etcd database is always encrypted by default with an AES cipher block, but can be encrypted instead with a KMS key. It is not required if only node root volume encryption is needed.
+--
+
+.Verification
+
+. Log in to your cluster as an admin user.
+. Set the node name as a variable by running the following command:
++
+[source,terminal]
+----
+$ NODE=$(oc get nodes --no-headers | awk '$2=="Ready"{print $1; exit}')
+----
+
+. Check your cluster's FIPS status by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/${NODE} --to-namespace=default -- chroot /host bash -c 'set -x; \
+fips-mode-setup --check; \
+update-crypto-policies --show; \
+cat /etc/system-fips; \
+cat /proc/sys/crypto/fips_enabled; \
+sysctl crypto.fips_enabled'
+----
++
+.Example output
+[source,terminal]
+----
+Starting pod/ip-10-0-1-162us-east-2computeinternal-debug-86cnb ...
+To use host binaries, run `chroot /host`
++ fips-mode-setup --check
+FIPS mode is enabled.
++ update-crypto-policies --show
+FIPS
++ cat /etc/system-fips
+# FIPS module installation complete
++ cat /proc/sys/crypto/fips_enabled
+1
++ sysctl crypto.fips_enabled
+crypto.fips_enabled = 1
+
+Removing debug pod ...
+----

modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc

@@ -9,6 +9,9 @@
 ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
 :egress-lockdown:
 endif::[]
+ifeval::["{context}" == "rosa-hcp-creating-cluster-with-fips-encryption"]
+:fips:
+endif::[]
 
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-sts-creating-account-wide-sts-roles-and-policies_{context}"]
@@ -19,25 +22,35 @@ Account-wide roles, like,  `account-roles` in the {rosa-cli-first} are required
 
 [NOTE]
 ====
-Specific AWS-managed policies for {product-title} must be attached to each role. Customer-managed policies must not be used with these required account roles. For more information regarding AWS-managed policies for {product-title} clusters, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol-account-policies.html[AWS managed policies for ROSA].
+Specific AWS-managed policies for {product-title} must be attached to each role. Customer-managed policies must not be used with these required account roles. For more information regarding AWS-managed policies for {product-title} clusters, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol-account-policies.html[AWS managed policies for {product-title}].
 ====
 
 .Prerequisites
 
 * You have completed the AWS prerequisites for {product-title}.
 * You have available AWS service quotas.
 * You have enabled the {product-title} in the AWS Console.
-* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
-* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
+* You have installed and configured the latest {rosa-cli-first} on your installation host.
+* You have logged in to your Red{nbsp}Hat account by using the {rosa-cli}.
 
 .Procedure
 
 . If they do not exist in your AWS account, create the required account-wide STS roles and attach the policies by running the following command:
 +
+ifndef::fips[]
 [source,terminal]
 ----
 $ rosa create account-roles --hosted-cp
 ----
+endif::fips[]
+ifdef::fips[]
+[source,terminal]
+----
+$ export PREFIX=<custom_prefix>; rosa create account-roles --hosted-cp --prefix $PREFIX
+----
++
+When using FIPS encryption, you need to set a custom prefix instead of using the default `ManagedOpenShift` prefix.
+endif::fips[]
 
 ifdef::egress-lockdown[]
 . Ensure that the your worker role has the correct AWS policy by running the following command:
@@ -54,6 +67,7 @@ $ aws iam attach-role-policy \
 --
 endif::egress-lockdown[]
 
+ifndef::fips[]
 . Optional: Set your prefix as an environmental variable by running the following command:
 +
 [source,terminal]
@@ -74,9 +88,16 @@ For example:
 ----
 ManagedOpenShift
 ----
-+
-For more information regarding AWS managed IAM policies for {product-title}, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol.html[AWS managed IAM policies for ROSA].
+endif::fips[]
+
+[role="_additional-resources"]
+.Additional resources
 
+* link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol.html[AWS managed IAM policies for {product-title}]
+
+ifeval::["{context}" == "rosa-hcp-creating-cluster-with-fips-encryption"]
+:!fips:
+endif::[]
 ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
 :!egress-lockdown:
 endif::[]

modules/rosa-hcp-creating-vpc.adoc

@@ -11,7 +11,6 @@
 You must have an AWS Virtual Private Cloud (VPC) to create a {product-title} cluster. You can use the following methods to create a VPC:
 
 * Create a VPC using the {rosa-cli}
-* Create a VPC by using a Terraform template
 * Manually create the VPC resources in the AWS console
 
 [NOTE]

modules/rosa-operator-config.adoc

@@ -7,6 +7,10 @@
 // * rosa_hcp/rosa-hcp-egress-zero-install.adoc
 // * rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc
 
+ifeval::["{context}" == "rosa-hcp-creating-cluster-with-fips-encryption"]
+:fips:
+endif::[]
+
 :_mod-docs-content-type: PROCEDURE
 [id="rosa-operator-config_{context}"]
 = Creating Operator roles and policies
@@ -21,8 +25,18 @@ When you deploy a {product-title} cluster, you must create the Operator IAM role
 * You created the account-wide AWS roles.
 
 .Procedure
-
-* To create your Operator roles, run the following command:
+ifdef::fips[]
+. To create your Operator roles, run the following command:
++
+[source,terminal]
+----
+$ rosa create operator-roles --hosted-cp --prefix=$PREFIX --oidc-config-id=$OIDC_ID 
+----
++
+The Operator roles are now created and ready to use for creating your {product-title} cluster.
+endif::fips[]
+ifndef::fips[]
+. To create your Operator roles, run the following command:
 +
 [source,terminal]
 ----
@@ -82,6 +96,7 @@ where:
 --
 +
 The Operator roles are now created and ready to use for creating your {product-title} cluster.
+endif::fips[]
 
 .Verification
 
@@ -112,4 +127,8 @@ ROLE NAME                                                         ROLE ARN
 <prefix>-openshift-ingress-operator-cloud-credentials              arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials              4.13     No
 ----
 +
-After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics.
+After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics.
+
+ifeval::["{context}" == "rosa-hcp-creating-cluster-with-fips-encryption"]
+:!fips:
+endif::[]