diff --git a/Makefile b/Makefile index 2dc38e9138..5faf1cecf1 100644 --- a/Makefile +++ b/Makefile @@ -30,7 +30,7 @@ TOOLS_DIR_DEPS := $(TOOLS_DIR)/go.sum $(TOOLS_DIR)/go.mod $(TOOLS_DIR)/Makefile TOOLS_BIN_DIR := $(TOOLS_DIR)/bin -API_DIRS := cmd/clusterawsadm/api api exp/api controlplane/eks/api bootstrap/eks/api iam/api +API_DIRS := cmd/clusterawsadm/api api exp/api controlplane/eks/api bootstrap/eks/api iam/api controlplane/rosa/api API_FILES := $(foreach dir, $(API_DIRS), $(call rwildcard,../../$(dir),*.go)) BIN_DIR := bin @@ -229,6 +229,7 @@ generate-go-apis: ## Alias for .build/generate-go-apis paths=./$(EXP_DIR)/controllers/... \ paths=./bootstrap/eks/controllers/... \ paths=./controlplane/eks/controllers/... \ + paths=./controlplane/rosa/controllers/... \ output:crd:dir=config/crd/bases \ object:headerFile=./hack/boilerplate/boilerplate.generatego.txt \ crd:crdVersions=v1 \ diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index ef3db43caa..1b8b24762e 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -21,6 +21,8 @@ resources: - bases/infrastructure.cluster.x-k8s.io_awsmanagedclusters.yaml - bases/bootstrap.cluster.x-k8s.io_eksconfigs.yaml - bases/bootstrap.cluster.x-k8s.io_eksconfigtemplates.yaml +- bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml +- bases/infrastructure.cluster.x-k8s.io_rosaclusters.yaml # +kubebuilder:scaffold:crdkustomizeresource patchesStrategicMerge: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index b949147d8a..f2d4021498 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -19,7 +19,7 @@ spec: containers: - args: - "--leader-elect" - - "--feature-gates=EKS=${CAPA_EKS:=true},EKSEnableIAM=${CAPA_EKS_IAM:=false},EKSAllowAddRoles=${CAPA_EKS_ADD_ROLES:=false},EKSFargate=${EXP_EKS_FARGATE:=false},MachinePool=${EXP_MACHINE_POOL:=false},EventBridgeInstanceState=${EVENT_BRIDGE_INSTANCE_STATE:=false},AutoControllerIdentityCreator=${AUTO_CONTROLLER_IDENTITY_CREATOR:=true},BootstrapFormatIgnition=${EXP_BOOTSTRAP_FORMAT_IGNITION:=false},ExternalResourceGC=${EXP_EXTERNAL_RESOURCE_GC:=false},AlternativeGCStrategy=${EXP_ALTERNATIVE_GC_STRATEGY:=false},TagUnmanagedNetworkResources=${TAG_UNMANAGED_NETWORK_RESOURCES:=true}" + - "--feature-gates=EKS=${CAPA_EKS:=true},EKSEnableIAM=${CAPA_EKS_IAM:=false},EKSAllowAddRoles=${CAPA_EKS_ADD_ROLES:=false},EKSFargate=${EXP_EKS_FARGATE:=false},MachinePool=${EXP_MACHINE_POOL:=false},EventBridgeInstanceState=${EVENT_BRIDGE_INSTANCE_STATE:=false},AutoControllerIdentityCreator=${AUTO_CONTROLLER_IDENTITY_CREATOR:=true},BootstrapFormatIgnition=${EXP_BOOTSTRAP_FORMAT_IGNITION:=false},ExternalResourceGC=${EXP_EXTERNAL_RESOURCE_GC:=false},AlternativeGCStrategy=${EXP_ALTERNATIVE_GC_STRATEGY:=false},TagUnmanagedNetworkResources=${TAG_UNMANAGED_NETWORK_RESOURCES:=true},ROSA=${EXP_ROSA:=false}" - "--v=${CAPA_LOGLEVEL:=0}" - "--metrics-bind-addr=0.0.0.0:8080" image: controller:latest diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7cab425197..c7faf0f437 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -135,6 +135,17 @@ rules: - get - patch - update +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - rosacontrolplanes + verbs: + - delete + - get + - list + - patch + - update + - watch - apiGroups: - controlplane.cluster.x-k8s.io resources: @@ -144,6 +155,14 @@ rules: - get - list - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - rosacontrolplanes/status + verbs: + - get + - patch + - update - apiGroups: - "" resources: 
diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go index d18c5baf93..cd55018258 100644 --- a/controlplane/rosa/controllers/rosacontrolplane_controller.go +++ b/controlplane/rosa/controllers/rosacontrolplane_controller.go @@ -46,7 +46,6 @@ import ( ) const ( - ocmAPIUrl = "https://api.stage.openshift.com" rosaCreatorArnProperty = "rosa_creator_arn" rosaControlPlaneKind = "ROSAControlPlane" @@ -99,6 +98,8 @@ func (r *ROSAControlPlaneReconciler) SetupWithManager(ctx context.Context, mgr c // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools,verbs=get;list;watch +// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=rosacontrolplanes,verbs=get;list;watch;update;patch;delete +// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=rosacontrolplanes/status,verbs=get;update;patch // Reconcile will reconcile RosaControlPlane Resources. func (r *ROSAControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, reterr error) { @@ -291,6 +292,10 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc // Create the connection, and remember to close it: token := os.Getenv("OCM_TOKEN") + ocmAPIUrl := os.Getenv("OCM_API_URL") + if ocmAPIUrl == "" { + ocmAPIUrl = "https://api.openshift.com" + } connection, err := sdk.NewConnectionBuilder(). Logger(ocmLogger). Tokens(token). 
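Review bot: The new marker grants `delete` on rosacontrolplanes, and the generated role.yaml hunk now carries it too, but nothing visible in this commit issues a Delete on a ROSAControlPlane object; a controller that reconciles its own CRD and clears a finalizer needs only get/list/watch/update/patch. If no code path deletes the object, drop `delete` from the marker and regenerate the role so the controller's ClusterRole stays at least privilege; if one does, a one-line comment above the marker naming that path would document why the verb is needed. Reconcile, whose signature closes this hunk, continues outside it.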
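Review bot: The value read from `OCM_API_URL` goes into the connection builder without any validation, so a malformed or plain-http value is only discovered when the first request, carrying `OCM_TOKEN`, is sent to it; the identical four lines are repeated in the reconcileDelete hunk below. Factor the lookup into one helper that accepts only an absolute https URL and returns an error otherwise, and call it from both reconcile paths; that also lets the local follow Go's initialism convention (`ocmAPIURL`) and needs `net/url` imported. The helper is sketched below; the call site's error return should match reconcileNormal's signature, which, like the rest of its body, lies outside the hunk, and I assume the value is passed to the builder's URL option further down.
```go
// ocmAPIURL returns the OCM API endpoint from OCM_API_URL, defaulting to the
// production endpoint. Only absolute https URLs are accepted so the OCM token
// is never sent over plaintext or to a malformed target.
func ocmAPIURL() (string, error) {
	raw := os.Getenv("OCM_API_URL")
	if raw == "" {
		return "https://api.openshift.com", nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("parsing OCM_API_URL: %w", err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("OCM_API_URL %q must be an absolute https URL", raw)
	}
	return raw, nil
}

	// … unchanged: reconcileNormal up to the token lookup …
	token := os.Getenv("OCM_TOKEN")
	ocmAPIUrl, err := ocmAPIURL()
	if err != nil {
		return ctrl.Result{}, err // adjust to reconcileNormal's actual return values
	}
	// … unchanged: connection builder …
```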
@@ -338,6 +343,10 @@ func (r *ROSAControlPlaneReconciler) reconcileDelete(_ context.Context, rosaScop // Create the connection, and remember to close it: // TODO: token should be read from a secret: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/4460 token := os.Getenv("OCM_TOKEN") + ocmAPIUrl := os.Getenv("OCM_API_URL") + if ocmAPIUrl == "" { + ocmAPIUrl = "https://api.openshift.com" + } connection, err := sdk.NewConnectionBuilder(). Logger(ocmLogger). Tokens(token). diff --git a/docs/book/src/SUMMARY_PREFIX.md b/docs/book/src/SUMMARY_PREFIX.md index 01a67be166..765c63312b 100644 --- a/docs/book/src/SUMMARY_PREFIX.md +++ b/docs/book/src/SUMMARY_PREFIX.md @@ -21,6 +21,9 @@ - [Using EKS Addons](./topics/eks/addons.md) - [Enabling Encryption](./topics/eks/encryption.md) - [Cluster Upgrades](./topics/eks/cluster-upgrades.md) + - [ROSA Support](./topics/rosa/index.md) + - [Enabling ROSA Support](./topics/rosa/enabling.md) + - [Creating a cluster](./topics/rosa/creating-a-cluster.md) - [Bring Your Own AWS Infrastructure](./topics/bring-your-own-aws-infrastructure.md) - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md) - [Using external cloud provider with EBS CSI driver](./topics/external-cloud-provider-with-ebs-csi-driver.md) diff --git a/docs/book/src/crd/index.md b/docs/book/src/crd/index.md index 11689384ec..71dccd1323 100644 --- a/docs/book/src/crd/index.md +++ b/docs/book/src/crd/index.md @@ -1244,6 +1244,17 @@ create S3 Buckets for workload clusters. TODO: This field could be a pointer, but it seems it breaks setting default values?
+allowAssumeRole
AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies
+allowAssumeRole
AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies
+configuration
Configuration of the EKS addon
+conflictResolution
partition
Partition is the AWS security partition being used. Defaults to “aws”
+sshKeyName
disableVPCCNI
DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the -Amazon VPC CNI is automatically installed into the cluster. For clusters where you want -to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI -should be deleted. You cannot set this to true if you are using the -Amazon VPC CNI addon.
-vpcCni
partition
Partition is the AWS security partition being used. Defaults to “aws”
+sshKeyName
disableVPCCNI
DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the -Amazon VPC CNI is automatically installed into the cluster. For clusters where you want -to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI -should be deleted. You cannot set this to true if you are using the -Amazon VPC CNI addon.
-vpcCni
configuration
Configuration of the EKS addon
+conflictResolution
disable
Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the +Amazon VPC CNI is automatically installed into the cluster. For clusters where you want +to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI +should be deleted. You cannot set this to true if you are using the +Amazon VPC CNI addon.
+env
partition
Partition is the AWS security partition being used. Defaults to “aws”
+sshKeyName
partition
Partition is the AWS security partition being used. Defaults to “aws”
+sshKeyName
partition
Partition is the AWS security partition being used. Defaults to “aws”
+sshKeyName
scheme
healthCheckProtocol
HealthCheckProtocol sets the protocol type for classic ELB health check target -default value is ClassicELBProtocolSSL
+HealthCheckProtocol sets the protocol type for ELB health check target +default value is ELBProtocolSSL
additionalListeners
AdditionalListeners sets the additional listeners for the control plane load balancer. +This is only applicable to Network Load Balancer (NLB) types for the time being.
+ingressRules
IngressRules sets the ingress rules for the control plane load balancer.
+loadBalancerType
LoadBalancerType sets the type for a load balancer. The default type is classic.
+disableHostsRewrite
DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB’s address as 127.0.0.1 to the hosts +file of each instance. This is by default, false.
+preserveClientIP
PreserveClientIP lets the user control if preservation of client ips must be retained or not. +If this is enabled 6443 will be opened to 0.0.0.0/0.
+instanceMetadataOptions
InstanceMetadataOptions is the metadata options for the EC2 instance.
+ami
failureDomain
FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. -For this infrastructure provider, the ID is equivalent to an AWS Availability Zone. -If multiple subnets are matched for the availability zone, the first one returned is picked.
-subnet
placementGroupName
PlacementGroupName specifies the name of the placement group in which to launch the instance.
+tenancy
instanceMetadataOptions
InstanceMetadataOptions is the metadata options for the EC2 instance.
+ami
failureDomain
FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. -For this infrastructure provider, the ID is equivalent to an AWS Availability Zone. -If multiple subnets are matched for the availability zone, the first one returned is picked.
-subnet
tenancy
placementGroupName
Tenancy indicates if instance should run on shared or single-tenant hardware.
+PlacementGroupName specifies the name of the placement group in which to launch the instance.
+
tenancy
Tenancy indicates if instance should run on shared or single-tenant hardware.
+(Appears on:AWSMachine)
@@ -17841,6 +18024,20 @@ string
instanceMetadataOptions
InstanceMetadataOptions is the metadata options for the EC2 instance.
+ami
failureDomain
FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. -For this infrastructure provider, the ID is equivalent to an AWS Availability Zone. -If multiple subnets are matched for the availability zone, the first one returned is picked.
-subnet
placementGroupName
PlacementGroupName specifies the name of the placement group in which to launch the instance.
+tenancy
-
AWSMachineTemplateWebhook implements a custom validation webhook for AWSMachineTemplate.
+AWSMachineTemplateWebhook implements a custom validation webhook for AWSMachineTemplate. +Note: we use a custom validator to access the request context for SSA of AWSMachineTemplate.
--(Appears on:AWSMachineSpec, AWSLaunchTemplate, AWSMachinePoolSpec, AWSLaunchTemplate, AWSMachinePoolSpec) +
AWSManagedCluster is the Schema for the awsmanagedclusters API
+ +Field | +Description | +||
---|---|---|---|
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||
+spec + + +AWSManagedClusterSpec + + + |
+
+ + +
|
+||
+status + + +AWSManagedClusterStatus + + + |
++ | +
+(Appears on:AWSManagedCluster)
-
AWSResourceReference is a reference to a specific AWS resource by ID or filters. -Only one of ID or Filters may be specified. Specifying more than one will result in -a validation error.
+AWSManagedClusterSpec defines the desired state of AWSManagedCluster
-id + controlPlaneEndpoint -string + +Cluster API api/v1beta1.APIEndpoint + |
(Optional)
- ID of resource +ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. |
+(Appears on:AWSManagedCluster) +
++
AWSManagedClusterStatus defines the observed state of AWSManagedCluster
+ +Field | +Description | +
---|---|
-arn + ready + +bool + + |
+
+(Optional)
+ Ready is when the AWSManagedControlPlane has a API server URL. + |
+
+failureDomains + + +Cluster API api/v1beta1.FailureDomains + + + |
+
+(Optional)
+ FailureDomains specifies a list fo available availability zones that can be used + |
+
+(Appears on:AWSMachineSpec, AWSLaunchTemplate, AWSMachinePoolSpec, AWSLaunchTemplate, AWSMachinePoolSpec) +
++
AWSResourceReference is a reference to a specific AWS resource by ID or filters. +Only one of ID or Filters may be specified. Specifying more than one will result in +a validation error.
+ +Field | +Description | +||||
---|---|---|---|---|---|
+id string |
(Optional)
- ARN of resource. -Deprecated: This field has no function and is going to be removed in the next release. +ID of resource |
||||
Field | +Description | +
---|---|
+port + +int64 + + |
+
+ Port sets the port for the additional listener. + |
+
+protocol + + +ELBProtocol + + + |
+
+ Protocol sets the protocol for the additional listener. +Currently only TCP is supported. + |
+
@@ -18653,13 +19028,13 @@ The source for the rule will be set to control plane and worker security group I
-(Appears on:NetworkStatus) +(Appears on:LoadBalancer)
-
ClassicELB defines an AWS classic load balancer.
+ClassicELBAttributes defines extra attributes associated with a classic load balancer.
-name + idleTimeout -string + +time.Duration + |
-(Optional)
- The name of the load balancer. It must be unique within the set of load balancers -defined in the region. It also serves as identifier. +IdleTimeout is time that the connection is allowed to be idle (no data +has been sent over the connection) before it is closed by the load balancer. |
-dnsName + crossZoneLoadBalancing -string +bool |
- DNSName is the dns name of the load balancer. - |
-
-scheme - - -ClassicELBScheme - - - |
-
- Scheme is the load balancer scheme, either internet-facing or private. - |
-
-availabilityZones - -[]string - - |
-
- AvailabilityZones is an array of availability zones in the VPC attached to the load balancer. - |
-
-subnetIds - -[]string - - |
-
- SubnetIDs is an array of subnets in the VPC attached to the load balancer. - |
-
-securityGroupIds - -[]string - - |
-
- SecurityGroupIDs is an array of security groups assigned to the load balancer. - |
-
-listeners - - -[]ClassicELBListener - - - |
-
- Listeners is an array of classic elb listeners associated with the load balancer. There must be at least one. - |
-
-healthChecks - - -ClassicELBHealthCheck - - - |
-
- HealthCheck is the classic elb health check associated with the load balancer. - |
-
-attributes - - -ClassicELBAttributes - - - |
-
- Attributes defines extra attributes associated with the load balancer. - |
-
-tags - -map[string]string - - |
-
- Tags is a map of tags associated with the load balancer. - |
-
-(Appears on:ClassicELB) -
--
ClassicELBAttributes defines extra attributes associated with a classic load balancer.
- -Field | -Description | -
---|---|
-idleTimeout - - -time.Duration - - - |
-
- IdleTimeout is time that the connection is allowed to be idle (no data -has been sent over the connection) before it is closed by the load balancer. - |
-
-crossZoneLoadBalancing - -bool - - |
-
-(Optional)
- CrossZoneLoadBalancing enables the classic load balancer load balancing. +(Optional) +CrossZoneLoadBalancing enables the classic load balancer load balancing. |
protocol - -ClassicELBProtocol + +ELBProtocol |
@@ -18949,8 +19186,8 @@ int64
instanceProtocol - -ClassicELBProtocol + +ELBProtocol |
@@ -18969,22 +19206,6 @@ int64
string
alias)-(Appears on:AWSLoadBalancerSpec, ClassicELBListener) -
--
ClassicELBProtocol defines listener protocols for a classic load balancer.
- -string
alias)-(Appears on:AWSLoadBalancerSpec, ClassicELB) -
--
ClassicELBScheme defines the scheme of a classic load balancer.
-@@ -19068,6 +19289,22 @@ will use AWS Secrets Manager instead.
EKSAMILookupType specifies which AWS AMI to use for a AWSMachine and AWSMachinePool.
+string
alias)+(Appears on:AWSLoadBalancerSpec, AdditionalListenerSpec, ClassicELBListener, Listener, TargetGroupSpec) +
++
ELBProtocol defines listener protocols for a load balancer.
+ +string
alias)+(Appears on:AWSLoadBalancerSpec, LoadBalancer) +
++
ELBScheme defines the scheme of a load balancer.
+@@ -19108,6 +19345,71 @@ string
string
alias)+
+string
alias)+(Appears on:InstanceMetadataOptions) +
++
HTTPTokensState describes the state of InstanceMetadataOptions.HTTPTokensState
+ ++
IPAMPool defines the IPAM pool to be used for VPC.
+ +Field | +Description | +
---|---|
+id + +string + + |
+
+ ID is the ID of the IPAM pool this provider should use to create VPC. + |
+
+name + +string + + |
+
+ Name is the name of the IPAM pool this provider should use to create VPC. + |
+
+netmaskLength + +int64 + + |
+
+ The netmask length of the IPv4 CIDR you want to allocate to VPC from +an Amazon VPC IP Address Manager (IPAM) pool. +Defaults to /16 for IPv4 if not specified. + |
+
@@ -19133,7 +19435,8 @@ string
CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6.
+CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6. +Mutually exclusive with IPAMPool.
PoolID is the IP pool which must be defined in case of BYO IP is defined.
+PoolID is the IP pool which must be defined in case of BYO IP is defined. +Must be specified if CidrBlock is set. +Mutually exclusive with IPAMPool.
EgressOnlyInternetGatewayID is the id of the egress only internet gateway associated with an IPv6 enabled VPC.
ipamPool
IPAMPool defines the IPAMv6 pool to be used for VPC. +Mutually exclusive with CidrBlock.
++(Appears on:AWSLoadBalancerSpec, NetworkSpec) +
+
IngressRule defines an AWS ingress rule for security groups.
+ Description provides extended information about the ingress rule. |
|
+ Protocol is the protocol for the ingress rule. Accepted values are “-1” (all), “4” (IP in IP),“tcp”, “udp”, “icmp”, and “58” (ICMPv6), “50” (ESP). |
|
+ FromPort is the start of port range. |
|
+ ToPort is the end of port range. |
|
+sourceSecurityGroupRoles + + +[]SecurityGroupRole + + + |
+
+(Optional)
+ The security group role to allow access from. Cannot be specified with CidrBlocks. +The field will be combined with source security group IDs if specified. + |
+
placementGroupName
PlacementGroupName specifies the name of the placement group in which to launch the instance.
+tenancy
IDs of the instance’s volumes
instanceMetadataOptions
InstanceMetadataOptions is the metadata options for the EC2 instance.
+string
alias)-(Appears on:AWSMachineStatus, Instance) +(Appears on:AWSMachineSpec, Instance, AWSLaunchTemplate) +
++
InstanceMetadataOptions describes metadata options for the EC2 instance.
+ +Field | +Description | +
---|---|
+httpEndpoint + + +InstanceMetadataState + + + |
+
+ Enables or disables the HTTP metadata endpoint on your instances. +If you specify a value of disabled, you cannot access your instance metadata. +Default: enabled + |
+
+httpPutResponseHopLimit + +int64 + + |
+
+ The desired HTTP PUT response hop limit for instance metadata requests. The +larger the number, the further instance metadata requests can travel. +Default: 1 + |
+
+httpTokens + + +HTTPTokensState + + + |
+
+ The state of token usage for your instance metadata requests. +If the state is optional, you can choose to retrieve instance metadata with +or without a session token on your request. If you retrieve the IAM role +credentials without a token, the version 1.0 role credentials are returned. +If you retrieve the IAM role credentials using a valid session token, the +version 2.0 role credentials are returned. +If the state is required, you must send a session token with any instance +metadata retrieval requests. In this state, retrieving the IAM role credentials +always returns the version 2.0 credentials; the version 1.0 credentials are +not available. +Default: optional + |
+
+instanceMetadataTags + + +InstanceMetadataState + + + |
+
+ Set to enabled to allow access to instance tags from the instance metadata. +Set to disabled to turn off access to instance tags from the instance metadata. +For more information, see Work with instance tags using the instance metadata +(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). +Default: disabled + |
+
string
alias)+(Appears on:InstanceMetadataOptions) +
++
InstanceMetadataState describes the state of InstanceMetadataOptions.HttpEndpoint and InstanceMetadataOptions.InstanceMetadataTags
+ +string
alias)+(Appears on:AWSMachineStatus, Instance)
InstanceState describes the state of an AWS instance.
++(Appears on:LoadBalancer) +
++
Listener defines an AWS network load balancer listener.
+ +Field | +Description | +
---|---|
+protocol + + +ELBProtocol + + + |
++ | +
+port + +int64 + + |
++ | +
+targetGroup + + +TargetGroupSpec + + + |
++ | +
+(Appears on:NetworkStatus) +
++
LoadBalancer defines an AWS load balancer.
+ +Field | +Description | +
---|---|
+arn + +string + + |
+
+ ARN of the load balancer. Unlike the ClassicLB, ARN is used mostly +to define and get it. + |
+
+name + +string + + |
+
+(Optional)
+ The name of the load balancer. It must be unique within the set of load balancers +defined in the region. It also serves as identifier. + |
+
+dnsName + +string + + |
+
+ DNSName is the dns name of the load balancer. + |
+
+scheme + + +ELBScheme + + + |
+
+ Scheme is the load balancer scheme, either internet-facing or private. + |
+
+availabilityZones + +[]string + + |
+
+ AvailabilityZones is an array of availability zones in the VPC attached to the load balancer. + |
+
+subnetIds + +[]string + + |
+
+ SubnetIDs is an array of subnets in the VPC attached to the load balancer. + |
+
+securityGroupIds + +[]string + + |
+
+ SecurityGroupIDs is an array of security groups assigned to the load balancer. + |
+
+listeners + + +[]ClassicELBListener + + + |
+
+ ClassicELBListeners is an array of classic elb listeners associated with the load balancer. There must be at least one. + |
+
+healthChecks + + +ClassicELBHealthCheck + + + |
+
+ HealthCheck is the classic elb health check associated with the load balancer. + |
+
+attributes + + +ClassicELBAttributes + + + |
+
+ ClassicElbAttributes defines extra attributes associated with the load balancer. + |
+
+tags + +map[string]string + + |
+
+ Tags is a map of tags associated with the load balancer. + |
+
+elbListeners + + +[]Listener + + + |
+
+ ELBListeners is an array of listeners associated with the load balancer. There must be at least one. + |
+
+elbAttributes + +map[string]*string + + |
+
+ ELBAttributes defines extra attributes associated with v2 load balancers. + |
+
+loadBalancerType + + +LoadBalancerType + + + |
+
+ LoadBalancerType sets the type for a load balancer. The default type is classic. + |
+
string
alias)+
LoadBalancerAttribute defines a set of attributes for a V2 load balancer.
+ +string
alias)+(Appears on:AWSLoadBalancerSpec, LoadBalancer) +
++
@@ -19646,6 +20359,20 @@ map[sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SecurityGroupRole]string This is optional - if not provided new security groups will be created for the cluster
+additionalControlPlaneIngressRules
AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane
+apiServerElb
APIServerELB is the Kubernetes api server classic load balancer.
+APIServerELB is the Kubernetes api server load balancer.
+natGatewaysIPs
NatGatewaysIPs contains the public IPs of the NAT Gateways
ControlPlaneIAMInstanceProfile is a name of the IAMInstanceProfile, which will be allowed to read control-plane node bootstrap data from S3 Bucket.
NodesIAMInstanceProfiles is a list of IAM instance profiles, which will be allowed to read worker nodes bootstrap data from S3 Bucket.
presignedURLDuration
PresignedURLDuration defines the duration for which presigned URLs are valid.
+This is used to generate presigned URLs for S3 Bucket objects, which are used by +control-plane and worker nodes to fetch bootstrap data.
+When enabled, the IAM instance profiles specified are not used.
+name
string
alias)+(Appears on:IngressRule) +
+
SecurityGroupRole defines the unique role of a security group.
ID defines a unique identifier to reference this resource.
+ID defines a unique identifier to reference this resource.
+If you’re bringing your subnet, set the AWS subnet-id here, it must start with subnet-
.
When the VPC is managed by CAPA, and you’d like the provider to create a subnet for you,
+the id can be set to any placeholder value that does not start with subnet-
;
+upon creation, the subnet AWS identifier will be populated in the ResourceID
field and
+the id
field is going to be used as the subnet name. If you specify a tag
+called Name
, it takes precedence.
resourceID
ResourceID is the subnet identifier from AWS, READ ONLY. +This field is populated when the provider manages the subnet.
isPublic
isPublic
IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway.
+isIpv6
IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled. +IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.
+routeTableId
RouteTableID is the routing table id associated with the subnet.
+natGatewayId
NatGatewayID is the NAT gateway id associated with the subnet. +Ignored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet.
+tags
Tags is a collection of tags describing the resource.
+[]sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SubnetSpec
alias)+(Appears on:NetworkSpec) +
++
Subnets is a slice of Subnet.
+ +map[string]string
alias)+(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec) +
++
Tags defines a map of tags.
+ +string
alias)+
TargetGroupAttribute defines attribute key values for V2 Load Balancer Attributes.
+ ++(Appears on:TargetGroupSpec) +
++
TargetGroupHealthCheck defines health check settings for the target group.
+ +Field | +Description | +
---|---|
+protocol + +string + + |
++ | +
+path + +string + + |
++ | +
+port + +string + + |
++ | +
+intervalSeconds + +int64 + + |
++ | +
+timeoutSeconds + +int64 + + |
++ | +
+thresholdCount + +int64 + + |
++ | +
+(Appears on:Listener) +
++
TargetGroupSpec specifies target group settings for a given listener. +This is created first, and the ARN is then passed to the listener.
+ +Field | +Description | +
---|---|
+name -bool +string |
-(Optional)
- IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway. +Name of the TargetGroup. Must be unique over the same group of listeners. |
-isIpv6 + port -bool +int64 |
-(Optional)
- IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled. -IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object. +Port is the exposed port |
-routeTableId + protocol -string + +ELBProtocol + |
-(Optional)
- RouteTableID is the routing table id associated with the subnet. |
-natGatewayId + vpcId string |
-(Optional)
- NatGatewayID is the NAT gateway id associated with the subnet. -Ignored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet. |
-tags + targetGroupHealthCheck - -Tags + +TargetGroupHealthCheck |
- Tags is a collection of tags describing the resource. +HealthCheck is the elb health check associated with the load balancer. |
[]sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SubnetSpec
alias)-(Appears on:NetworkSpec) -
--
Subnets is a slice of Subnet.
- -map[string]string
alias)-(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec) -
--
Tags defines a map of tags.
-@@ -20074,7 +21012,22 @@ string
CidrBlock is the CIDR block to be used when the provider creates a managed VPC. -Defaults to 10.0.0.0/16.
+Defaults to 10.0.0.0/16. +Mutually exclusive with IPAMPool. +ipamPool
IPAMPool defines the IPAMv4 pool to be used for VPC. +Mutually exclusive with CidrBlock.
SpotMarketOptions are options for configuring AWSMachinePool instances to be run using AWS Spot instances.
instanceMetadataOptions
InstanceMetadataOptions defines the behavior for applying metadata to instances.
+availabilityZoneSubnetType
AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.
+subnets
availabilityZoneSubnetType
AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.
+subnets
availabilityZoneSubnetType
AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.
+subnetIDs
availabilityZoneSubnetType
AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.
+subnetIDs
string
alias)+(Appears on:AWSMachinePoolSpec, AWSManagedMachinePoolSpec) +
++
AZSubnetType is the type of subnet to use when an availability zone is specified.
+ +Value | +Description | +
---|---|
"all" |
+AZSubnetTypeAll is all subnets in an availability zone. + |
+
"private" |
+AZSubnetTypePrivate is a private subnet. + |
+
"public" |
+AZSubnetTypePublic is a public subnet. + |
+
@@ -22788,6 +23837,151 @@ bool +
+
+Field | +Description | +||
---|---|---|---|
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||
+spec + + +ROSAClusterSpec + + + |
+
+ + +
|
+||
+status + + +ROSAClusterStatus + + + |
++ | +
+(Appears on:ROSACluster) +
++
+Field | +Description | +
---|---|
+controlPlaneEndpoint + + +Cluster API api/v1beta1.APIEndpoint + + + |
+
+(Optional)
+ ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. + |
+
+(Appears on:ROSACluster) +
++
ROSAClusterStatus defines the observed state of ROSACluster
+ +Field | +Description | +
---|---|
+ready + +bool + + |
+
+(Optional)
+ Ready is when the ROSAControlPlane has a API server URL. + |
+
+failureDomains + + +Cluster API api/v1beta1.FailureDomains + + + |
+
+(Optional)
+ FailureDomains specifies a list fo available availability zones that can be used + |
+
diff --git a/docs/book/src/topics/reference/reference.md b/docs/book/src/topics/reference/reference.md
index f406c2dbe3..4e91a0f21b 100644
--- a/docs/book/src/topics/reference/reference.md
+++ b/docs/book/src/topics/reference/reference.md
@@ -14,4 +14,5 @@
| BootstrapFormatIgnition | EXP_BOOTSTRAP_FORMAT_IGNITION | false |
| ExternalResourceGC | EXP_EXTERNAL_RESOURCE_GC | false |
| AlternativeGCStrategy | EXP_ALTERNATIVE_GC_STRATEGY | false |
-| TagUnmanagedNetworkResources | TAG_UNMANAGED_NETWORK_RESOURCES | true |
\ No newline at end of file
+| TagUnmanagedNetworkResources | TAG_UNMANAGED_NETWORK_RESOURCES | true |
+| ROSA | EXP_ROSA | false |
\ No newline at end of file
diff --git a/docs/book/src/topics/rosa/creating-a-cluster.md b/docs/book/src/topics/rosa/creating-a-cluster.md
new file mode 100644
index 0000000000..150a46f46a
--- /dev/null
+++ b/docs/book/src/topics/rosa/creating-a-cluster.md
@@ -0,0 +1,53 @@
+# Creating a ROSA cluster
+
+## Permissions
+CAPA controller requires an API token in order to be able to provision ROSA clusters:
+
+1. Visit [https://console.redhat.com/openshift/token](https://console.redhat.com/openshift/token) to retrieve your API authentication token
+
+2. Edit CAPA controller deployment:
+ ```shell
+ kubectl edit deployment -n capa-system capa-controller-manager
+ ```
+
+ and add the following environment variables to the manager container:
+ ```yaml
+ env:
+ - name: OCM_TOKEN
+ value: "