openshift
diff --git a/‎.agent_workspace/rosa-17/writing/step-result.json‎
Lines changed: 14 additions & 0 deletions b/‎.agent_workspace/rosa-17/writing/step-result.json‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎_topic_maps/_topic_map_osd.yml‎
Lines changed: 0 additions & 2 deletions b/‎_topic_maps/_topic_map_osd.yml‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎cloud_experts_osd_tutorials/cloud-experts-osd-create-new-limit-egress.adoc‎
Lines changed: 22 additions & 2 deletions b/‎cloud_experts_osd_tutorials/cloud-experts-osd-create-new-limit-egress.adoc‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎cloud_experts_osd_tutorials/cloud-experts-osd-update-component-routes.adoc‎
Lines changed: 24 additions & 21 deletions b/‎cloud_experts_osd_tutorials/cloud-experts-osd-update-component-routes.adoc‎
Lines changed: 24 additions & 21 deletions
diff --git a/‎cloud_experts_osd_tutorials/osd_index.adoc‎
Lines changed: 0 additions & 14 deletions b/‎cloud_experts_osd_tutorials/osd_index.adoc‎
Lines changed: 0 additions & 14 deletions
diff --git a/‎modules/cloud-experts-osd-limit-egress-ngfw-clean-resources.adoc‎
Lines changed: 33 additions & 46 deletions b/‎modules/cloud-experts-osd-limit-egress-ngfw-clean-resources.adoc‎
Lines changed: 33 additions & 46 deletions
diff --git a/‎modules/cloud-experts-osd-limit-egress-ngfw-create-a-cloud-router.adoc‎
Lines changed: 14 additions & 4 deletions b/‎modules/cloud-experts-osd-limit-egress-ngfw-create-a-cloud-router.adoc‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎modules/cloud-experts-osd-limit-egress-ngfw-create-firewall-rules.adoc‎
Lines changed: 22 additions & 3 deletions b/‎modules/cloud-experts-osd-limit-egress-ngfw-create-firewall-rules.adoc‎
Lines changed: 22 additions & 3 deletions
@@ -0,0 +1,14 @@
+{
+  "schema_version": 1,
+  "step": "writing",
+  "ticket": "ROSA-17",
+  "mode": "update-in-place",
+  "files": [
+    "/home/eponvell/Documents/openshift-docs/rosa_cluster_admin/rosa-nodes-managing-karpenter.adoc",
+    "/home/eponvell/Documents/openshift-docs/modules/rosa-nodes-autonode-about.adoc",
+    "/home/eponvell/Documents/openshift-docs/modules/rosa-nodes-autonode-managing-iam-setup.adoc",
+    "/home/eponvell/Documents/openshift-docs/modules/rosa-nodes-autonode-managing-enable-cli.adoc",
+    "/home/eponvell/Documents/openshift-docs/modules/rosa-nodes-autonode-managing-create-nodepool.adoc",
+    "/home/eponvell/Documents/openshift-docs/modules/rosa-release-notes-Q2-2026.adoc"
+  ]
+}
@@ -85,8 +85,6 @@ Name: Tutorials
 Dir: cloud_experts_osd_tutorials
 Distros: openshift-dedicated
 Topics:
-- Name: Tutorials overview
-  File: osd_index
 - Name: Updating component routes with custom domains and TLS certificates
   File: cloud-experts-osd-update-component-routes
 - Name: Limit egress with Google Cloud Next Generation Firewall
 
@@ -8,9 +8,12 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 toc::[]
 
 [role="_abstract"]
-Use this guide to implement egress restrictions for {product-title} on {GCP} by using {GCP}'s Next Generation Firewall (NGFW). NGFW is a fully distributed firewall service that allows fully qualified domain name (FQDN) objects in firewall policy rules. This is necessary for many of the external endpoints that {product-title} relies on.
+Implement egress restrictions for {product-title} on {GCP} by using Next Generation Firewall (NGFW), which allows fully qualified domain name (FQDN)-based firewall rules required for {product-title} external endpoints.
 
-include::modules/cloud-experts-osd-limit-egress-ngfw-prereqs.adoc[leveloffset=+1]
+[IMPORTANT]
+====
+This content is authored by Red{nbsp}Hat experts but has not yet been tested on every supported configuration.
+====
 
 include::modules/cloud-experts-osd-limit-egress-ngfw-setup-environ.adoc[leveloffset=+1]
 
@@ -30,3 +33,20 @@ include::modules/cloud-experts-osd-limit-egress-ngfw-delete-osd-gcp-cluster.adoc
 
 include::modules/cloud-experts-osd-limit-egress-ngfw-clean-resources.adoc[leveloffset=+1]
 
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* link:https://cloud.google.com/compute/docs/regions-zones[Regions and zones ({GCP})]
+* link:https://cloud.google.com/vpc/docs/create-modify-vpc-networks[Create and manage VPC networks ({GCP})]
+* link:https://cloud.google.com/vpc/docs/subnets[Subnets overview ({GCP})]
+* link:https://cloud.google.com/firewall/docs/about-firewalls[Firewall overview ({GCP})]
+* link:https://cloud.google.com/firewall/docs/use-network-firewall-policies[Use global network firewall policies and rules ({GCP})]
+* link:https://cloud.google.com/nat/docs/overview[Cloud NAT overview ({GCP})]
+* link:https://cloud.google.com/network-connectivity/docs/router[Cloud Router overview ({GCP})]
+* link:https://cloud.google.com/vpc/docs/configure-private-google-access[Configure Private Google Access ({GCP})]
+* link:https://cloud.google.com/dns/docs/zones[DNS zones overview ({GCP})]
+* link:https://cloud.google.com/firewall/docs/firewalls[VPC firewall rules overview ({GCP})]
+* link:https://docs.redhat.com/en/documentation/openshift_dedicated/4/html/planning_your_environment/gcp-ccs#osd-gcp-psc-firewall-prerequisites_gcp-ccs[Firewall prerequisites for {GCP}]
+* link:https://cloud.google.com/firewall/docs/use-network-firewall-policies[Use global network firewall policies and rules]
+* link:https://cloud.google.com/sdk/gcloud/reference[`gcloud` command-line tool reference ({GCP})]
@@ -8,31 +8,34 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 toc::[]
 
 [role="_abstract"]
-This guide demonstrates how to modify the hostname and TLS certificate of the Web console, OAuth server, and Downloads component routes in {product-title} on {GCP} version 4.14 and above.{fn-supported-versions}
-
-The changes that we make to the component routes{fn-term-component-routes} in this guide are described in greater detail in the link:https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#customizing-the-oauth-server-url_configuring-internal-oauth[Customing the internal OAuth server URL], link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/web_console/customizing-web-console#customizing-the-console-route_customizing-web-console[Customing the console route], and link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/web_console/customizing-web-console#customizing-the-download-route_customizing-web-console[Customing the download route] {product-title} documentation.
-
-[id="prerequisites_{context}"]
-== Prerequisites
-* OCM CLI (`ocm`) version 1.0.5 or higher
-* gcloud CLI (`gcloud`)
-* An {product-title} on {GCP} cluster version 4.14 or higher
-// +
-// [NOTE]
-// ====
-// ROSA with HCP is not supported at this time.
-// ====
-// +
-* {oc-first}
-* `jq` CLI
-* Access to the cluster as a user with the `cluster-admin` role.
-* OpenSSL (for generating the demonstration SSL/TLS certificates)
+Change the hostname and Transport Layer Security (TLS) certificate of the web console, OAuth server, and Downloads component routes to use custom domains that align with your organization's branding and security requirements.
+
+[IMPORTANT]
+====
+Red Hat experts authored this content, but it has not yet been tested on every supported configuration.
+====
 
 include::modules/cloud-experts-osd-update-component-routes-environment-setup.adoc[leveloffset=+1]
+
 include::modules/cloud-experts-osd-update-component-routes-find-current-component-routes.adoc[leveloffset=+1]
+
 include::modules/cloud-experts-osd-update-component-routes-create-tls-certificates.adoc[leveloffset=+1]
+
 include::modules/cloud-experts-osd-update-component-routes-add-certificates-as-secrets.adoc[leveloffset=+1]
+
 include::modules/cloud-experts-osd-update-component-routes-find-lb-hostname.adoc[leveloffset=+1]
-include::modules/cloud-experts-osd-update-component-routes-add-component-routes-to-dns.adoc[leveloffset=+1]
+
 include::modules/cloud-experts-osd-update-component-routes-tls-using-ocm-cli.adoc[leveloffset=+1]
-include::modules/cloud-experts-osd-update-component-routes-reset-component-routes-to-default.adoc[leveloffset=+1]
+
+include::modules/cloud-experts-osd-update-component-routes-reset-component-routes-to-default.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/authentication_and_authorization/configuring-internal-oauth#customizing-the-oauth-server-url_configuring-internal-oauth[Customizing the internal OAuth server URL]
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/nodes/working-with-pods#nodes-pods-secrets-creating_nodes-pods-secrets[Creating secrets]
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/web_console/customizing-web-console#customizing-the-console-route_customizing-web-console[Customizing the console route]
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/web_console/customizing-web-console#customizing-the-download-route_customizing-web-console[Customizing the download route]
+* link:https://www.openssl.org/docs/manmaster/man1/openssl-req.html[OpenSSL req command documentation]
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/networking_operators/index#nw-ingress-controller-configuration-parameters_configuring-ingress[Ingress controller configuration parameters]
@@ -3,89 +3,75 @@
 // * cloud_experts_osd_tutorials/cloud-experts-osd-limit-egress-ngfw.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="cloud-experts-osd-limit-egress-ngfw-clean-resource_{context}"]
+[id="cloud-experts-osd-limit-egress-ngfw-clean-resources_{context}"]
 = Cleaning up resources
 
 [role="_abstract"]
-To prevent ongoing charges, after you delete your cluster you must manually delete the {GCP} networking infrastructure you created as part of this tutorial. Deleting the cluster will not automatically remove these underlying resources. You can clean up these resources using a combination of gcloud CLI commands and actions within the {GCP} console.
-
-Before you begin the process of cleaning up the resources you created for this tutorial, run the following commands and complete any prompts.
-
+Delete the {GCP} networking infrastructure after deleting your cluster to prevent ongoing charges. The cluster deletion does not automatically remove virtual private cloud (VPC) networks, subnets, firewall policies, or domain name system (DNS) zones.
 
 .Procedure
-. To authenticate your identity run the following command:
+. Authenticate by running the following command:
 +
 [source,terminal]
 ----
 $ gcloud init
 ----
 +
-. To log in to your {GCP} account, run the following command:
+. Log in to your {GCP} account by running the following command:
 +
 [source,terminal]
 ----
 $ gcloud auth application-default login
 ----
 +
-. To log in to the {cluster-manager} CLI tool, run the following command:
+. Log in to the {cluster-manager} CLI tool by running the following command:
 +
 [source,terminal]
 ----
 $ ocm login --use-auth-code
 ----
 +
-You are now ready to clean up the resources you created as part of this tutorial. To respect resource dependencies, delete them in the reverse order of their creation.
+You can now clean up the resources you created as part of this tutorial. To respect resource dependencies, delete them in the reverse order of their creation.
 
-. Delete the firewall policy's association with the VPC by running the following command:
+. Delete the association of the firewall policy with the VPC by running the following command:
 +
 [source,terminal]
 ----
 $ gcloud compute network-firewall-policies associations delete \
-    --firewall-policy=${prefix} \
-    --network=${prefix}-vpc \
-    --global-firewall-policy
+      --name network-${prefix}-vpc \
+      --firewall-policy=${prefix} \
+      --global-firewall-policy \
+      --project=${project_id}
 ----
 +
 . Delete the global network firewall policy by running the following command:
 +
 [source,terminal]
 ----
-$ gcloud compute network-firewall-policies delete ${prefix} --global
-----
-+
-. A managed DNS zone in {GCP} cannot be deleted until all user-defined record sets are removed. Define variables to target the specific {GCP} project and the managed DNS zone being cleaned up by running the following command:
-+
-[source,terminal]
-----
-$ cat /tmp/delete_records.sh
-PROJECT_ID=<your-project-id>
-ZONE_NAME=<your-managed-zone-name>
+$ gcloud compute network-firewall-policies delete ${prefix} --global --project=${project_id}
 ----
 +
-. List the record sets that are included within the Private DNS zone by running the following command:
+. List and delete all user-defined DNS records from the Private DNS zone:
 +
 [source,terminal]
 ----
-$ gcloud \
-    dns record-sets list \
-    --project=$PROJECT_ID \
-    --zone=$ZONE_NAME \
+$ gcloud dns record-sets list \
+    --project=${project_id} \
+    --zone=${prefix}-googleapis \
     --filter="type!=NS AND type!=SOA" \
-    --format="value(name,type)" | while read name type;
-----
-+
-. Delete the record sets that are included within that Private DNS Zone by running the following command:
-+
-[source,terminal]
-----
-$ gcloud --project=$PROJECT_ID dns record-sets delete "$name" --zone=$ZONE_NAME --type="$type"
+    --format="value(name,type)" | while read name type; do
+  gcloud dns record-sets delete "$name" \
+    --project=${project_id} \
+    --zone=${prefix}-googleapis \
+    --type="$type"
+done
 ----
 +
 . Delete the Private DNS Zone by running the following command:
 +
 [source,terminal]
 ----
-$ gcloud dns managed-zones delete ${prefix}-googleapis
+$ gcloud dns managed-zones delete ${prefix}-googleapis --project=${project_id}
 ----
 +
 . Delete the Cloud NAT gateway:
@@ -94,50 +80,51 @@ $ gcloud dns managed-zones delete ${prefix}-googleapis
 ----
 $ gcloud compute routers nats delete ${prefix}-cloudnat-${region} \
     --router=${prefix}-router \
-    --router-region=${region}
+    --router-region=${region} \
+    --project=${project_id}
 ----
 +
 . Delete the Cloud Router by running the following command:
 +
 [source,terminal]
 ----
-$ gcloud compute routers delete ${prefix}-router --region=${region}
+$ gcloud compute routers delete ${prefix}-router --region=${region} --project=${project_id}
 ----
 +
 . Delete the reserved IP address by running the following command:
 +
 [source,terminal]
 +
 ----
-$ gcloud compute addresses delete ${prefix}-${region}-cloudnatip --region=${region}
+$ gcloud compute addresses delete ${prefix}-${region}-cloudnatip --region=${region} --project=${project_id}
 ----
 +
 . Delete the worker subnet by running the following command:
 +
 [source,terminal]
 +
 ----
-$ gcloud compute networks subnets delete ${prefix}-worker --region=${region}
+$ gcloud compute networks subnets delete ${prefix}-worker --region=${region} --project=${project_id}
 ----
 +
 . Delete the control plane subnet by running the following command:
 +
 [source,terminal]
 +
 ----
-$ gcloud compute networks subnets delete ${prefix}-control-plane --region=${region}
+$ gcloud compute networks subnets delete ${prefix}-control-plane --region=${region} --project=${project_id}
 ----
 +
-. Delete the PSC subnet by running the following command:
+. Delete the Private Service Connect (PSC) subnet by running the following command:
 +
 [source,terminal]
 ----
-$ gcloud compute networks subnets delete ${prefix}-psc --region=${region}
+$ gcloud compute networks subnets delete ${prefix}-psc --region=${region} --project=${project_id}
 ----
 +
 . Delete the VPC by running the following command:
 +
 [source,terminal]
 ----
-$ gcloud compute networks delete ${prefix}-vpc
-----
+$ gcloud compute networks delete ${prefix}-vpc --project=${project_id}
+----
@@ -4,15 +4,14 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="cloud-experts-osd-limit-egress-ngfw-create-a-cloud-router_{context}"]
-= Creating a Cloud Router and a Cloud Network Address Translation gateway
+= Creating a Cloud Router and Cloud network address translation
 
 [role="_abstract"]
-The Network Address Translation (NAT) gateway enables internet connectivity for your private VMs by masquerading all their traffic under a single public IP address. As the designated exit point, it translates their internal IPs for any outbound requests, such as fetching updates. This process effectively grants them access to the internet without ever exposing their private addresses.
+Create a Cloud Router and Cloud network address translation (NAT). Private VMs can use the internet while their private IP addresses stay hidden.
 
 .Procedure
 . Reserve an IP address for Cloud NAT by running the following command:
 +
-
 [source,terminal]
 ----
 $ gcloud compute addresses create ${prefix}-${region}-cloudnatip \
@@ -36,4 +35,15 @@ $ gcloud compute routers nats create ${prefix}-cloudnat-${region} \
     --router=${prefix}-router --router-region ${region} \
     --nat-all-subnet-ip-ranges \
     --nat-external-ip-pool=${prefix}-${region}-cloudnatip
-----
+----
+
+.Verification
+
+* Check that the Cloud Router and NAT gateway exist by running the following command:
++
+[source,terminal]
+----
+$ gcloud compute routers describe ${prefix}-router --region=${region}
+----
++
+The output lists the router and the NAT gateway you created.
@@ -7,10 +7,10 @@
 = Creating the firewall rules
 
 [role="_abstract"]
-You need to create some firewall rules to allow your cluster to access the Web.
+Create firewall rules for egress to private IP ranges and to the {product-title} domains listed in this procedure. Egress to other external destinations does not match these rules and is not permitted.
 
 .Procedure
-. Create a blanket allow rule for private IP (RFC 1918) address space by running the following command:
+. Create a blanket allow rule for private IP (Request for Comments (RFC) 1918) address space by running the following command:
 +
 [source,terminal]
 ----
@@ -27,6 +27,25 @@ $ gcloud compute network-firewall-policies rules create 500 \
 +
 . Create an allow rule for HTTPS (tcp/443) domains required for {product-title} by running the following command:
 +
+[NOTE]
+====
+If you receive an error "Cannot have rules with the same priorities", the rule already exists. You can verify it with:
+
+[source,bash]
+----
+$ gcloud compute network-firewall-policies rules describe 500 --firewall-policy=${prefix} --global-firewall-policy
+$ gcloud compute network-firewall-policies rules describe 600 --firewall-policy=${prefix} --global-firewall-policy
+----
+
+To re-create the rules, first delete them:
+
+[source,bash]
+----
+$ gcloud compute network-firewall-policies rules delete 500 --firewall-policy=${prefix} --global-firewall-policy
+$ gcloud compute network-firewall-policies rules delete 600 --firewall-policy=${prefix} --global-firewall-policy
+----
+====
++
 [source,terminal]
 ----
 $ gcloud compute network-firewall-policies rules create 600 \
@@ -42,5 +61,5 @@ $ gcloud compute network-firewall-policies rules create 600 \
 +
 [IMPORTANT]
 ====
-If there is not a matching rule that allows the traffic, it will be blocked by the firewall. To allow access to other resources, such as internal networks or other external endpoints, create additional rules with a priority of less than 1000. For more information on how to create firewall rules, see  link:https://cloud.google.com/firewall/docs/use-network-firewall-policies[Use global network firewall policies and rules].
+The firewall blocks any traffic if you did not create any matching rules. To allow access to other resources, such as internal networks or other external endpoints, create additional rules with a priority of less than 1000. For more information on how to create firewall rules, see the _Additional resources_.
 ====