testing and updating AWS / ROSA VPN doc #933

Merged: kumuduh merged 6 commits into main from kmc-vpn on May 29, 2026

@kmcolli kmcolli commented May 27, 2026

Front Matter & Title

  • Title: Changed from "PrivateLink ROSA Cluster" to "Private ROSA Cluster"
  • Validation: Added validated_version: "4.21"
  • Authors: Reformatted from single line to list format

Introduction

  • Replaced brief paragraph with comprehensive 2-paragraph introduction explaining:
    • Security benefits of private ROSA deployment
    • Traditional bastion host limitations
    • AWS Client VPN as streamlined alternative

Prerequisites

  • Expanded from 2 items to detailed list including:
    • Separate links for ROSA HCP and ROSA Classic private cluster creation
    • AWS CLI, jq, and rosa CLI requirements
    • Platform-specific VPN client software (macOS, Linux, Windows)

Certificate Generation (Critical Fix)

  • Server Certificate: Added Subject Alternative Name (SAN) requirement
    • Previous: ./easyrsa build-server-full server nopass
    • Updated: ./easyrsa --subject-alt-name="DNS:vpn.$ROSA_CLUSTER_NAME.local" build-server-full server nopass
  • Client Certificate: Changed name from aws to client for consistency

VPN Endpoint Setup

  • New: Added wait loop after subnet association (3-5 minute wait)
  • Includes status monitoring with timestamps

Security Groups (New Section)

  • Added "Configure Security Groups for Private ROSA HCP Clusters" section
  • Explains VPC endpoint security group requirements
  • Automated commands to configure security groups for VPN client access

DNS Configuration (Enhanced)

  • Automated DNS server and domain detection
  • Added dhcp-option DNS and dhcp-option DOMAIN to config file
  • New: Detailed macOS/Viscosity DNS configuration with two modes:
    • Option 1: Full DNS Mode (recommended for simplicity)
    • Option 2: Split DNS Mode (advanced)
  • Added troubleshooting note about macOS DNS resolver priority

Verification Section (New)

  • DNS resolution testing
  • API endpoint health check (curl /healthz)
  • Cluster login verification

Troubleshooting Section (New)

  • DNS resolution issues: macOS DNS mode, flush cache, verify settings
  • API connectivity problems: Security group checks, direct IP testing
  • Certificate import failures: SAN verification, cert/key matching
  • TLS negotiation errors: Config validation, format checking

Cleanup Section (New)

  • Complete teardown procedure:
    • Disassociate target networks with wait loop
    • Delete VPN endpoint
    • Delete ACM certificates
    • Optional: Remove easy-rsa directory

Impact

  • Lines changed: +296 additions, -23 deletions
  • File: content/rosa/vpn/index.md
  • Result: Production-tested guide validated on OpenShift 4.21

netlify Bot commented May 27, 2026

Deploy Preview for rh-cloud-experts ready!

Name Link
🔨 Latest commit c17303c
🔍 Latest deploy log https://app.netlify.com/projects/rh-cloud-experts/deploys/6a18f172058af600098d49e3
😎 Deploy Preview https://deploy-preview-933--rh-cloud-experts.netlify.app

@kumuduh kumuduh self-requested a review May 29, 2026 01:54

@kumuduh kumuduh left a comment

validated

@kumuduh kumuduh merged commit 14523a4 into main May 29, 2026
7 checks passed