diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml index 61b3e37648..5f3a60b523 100644 --- a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml +++ b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml @@ -47,6 +47,12 @@ spec: spec: description: RosaControlPlaneSpec defines the desired state of ROSAControlPlane. properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags are user-defined tags to be added on the + AWS resources associated with the control plane. + type: object autoscaling: description: Autoscaling specifies auto scaling behaviour for the MachinePools. @@ -102,6 +108,19 @@ spec: type: string type: object x-kubernetes-map-type: atomic + endpointAccess: + default: Public + description: EndpointAccess specifies the publishing scope of cluster + endpoints. The default is Public. + enum: + - Public + - Private + type: string + etcdEncryptionKMSArn: + description: EtcdEncryptionKMSArn is the ARN of the KMS key used to + encrypt etcd. The key itself needs to be created out-of-band by + the user and tagged with `red-hat:true`. + type: string identityRef: description: IdentityRef is a reference to an identity to be used when reconciling the managed control plane. If no identity is specified, @@ -361,7 +380,7 @@ spec: description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane. properties: conditions: - description: Conditions specifies the cpnditions for the managed control + description: Conditions specifies the conditions for the managed control plane items: description: Condition defines an observation of a Cluster API resource @@ -433,7 +452,7 @@ spec: type: boolean oidcEndpointURL: description: OIDCEndpointURL is the endpoint url for the managed OIDC - porvider. + provider. type: string ready: default: false 
diff --git a/controlplane/rosa/api/v1beta2/doc.go b/controlplane/rosa/api/v1beta2/doc.go new file mode 100644 index 0000000000..9308d1fb62 --- /dev/null +++ b/controlplane/rosa/api/v1beta2/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +// +gencrdrefdocs:force +// +groupName=controlplane.cluster.x-k8s.io +// +k8s:defaulter-gen=TypeMeta +package v1beta2 diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go index c6c00f43c8..2ac5adfa0d 100644 --- a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go +++ b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go 
@@ -25,6 +25,19 @@ import ( clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1" ) +// RosaEndpointAccessType specifies the publishing scope of cluster endpoints. +type RosaEndpointAccessType string + +const ( + // Public endpoint access allows public API server access and + // private node communication with the control plane. + Public RosaEndpointAccessType = "Public" + + // Private endpoint access allows only private API server access and private + // node communication with the control plane. + Private RosaEndpointAccessType = "Private" +) + // RosaControlPlaneSpec defines the desired state of ROSAControlPlane. type RosaControlPlaneSpec struct { //nolint: maligned // Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric @@ -90,6 +103,14 @@ type RosaControlPlaneSpec struct { //nolint: maligned // +optional Network *NetworkSpec `json:"network,omitempty"` + // EndpointAccess specifies the publishing scope of cluster endpoints. The + // default is Public. + // + // +kubebuilder:validation:Enum=Public;Private + // +kubebuilder:default=Public + // +optional + EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"` + // The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/ // +optional InstanceType string `json:"instanceType,omitempty"` 
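Review bot: The exported constants `Public` and `Private` are declared at package level with names that do not say what they scope; at the use site in the controller the value reads as `rosacontrolplanev1.Private`, which a reader could take for any public/private notion in this API group. A type-prefixed name such as `EndpointAccessPublic` / `EndpointAccessPrivate` would be self-describing and matches the usual Kubernetes enum-constant convention, while the string values `"Public"` / `"Private"` that the CRD enum and the kubebuilder default depend on can stay as they are. If the bare names are kept for API-compatibility reasons, the doc comments should at least tie them to the type, e.g. `// Public is the RosaEndpointAccessType that exposes the API server publicly while node-to-control-plane traffic stays private.`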
@@ -98,6 +119,15 @@ type RosaControlPlaneSpec struct { //nolint: maligned // +optional Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"` + // AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane. + // +optional + AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"` + + // EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be + // created out-of-band by the user and tagged with `red-hat:true`. + // +optional + EtcdEncryptionKMSArn string `json:"etcdEncryptionKMSArn,omitempty"` + // ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. // +optional ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"` @@ -534,14 +564,14 @@ type RosaControlPlaneStatus struct { // // +optional FailureMessage *string `json:"failureMessage,omitempty"` - // Conditions specifies the cpnditions for the managed control plane + // Conditions specifies the conditions for the managed control plane Conditions clusterv1.Conditions `json:"conditions,omitempty"` // ID is the cluster ID given by ROSA. ID string `json:"id,omitempty"` // ConsoleURL is the url for the openshift console. ConsoleURL string `json:"consoleURL,omitempty"` - // OIDCEndpointURL is the endpoint url for the managed OIDC porvider. + // OIDCEndpointURL is the endpoint url for the managed OIDC provider. OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"` } diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go index b13edf43d1..6fb6b27504 100644 --- a/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go +++ b/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go 
@@ -4,6 +4,7 @@ import ( "net" "github.com/blang/semver" + kmsArnRegexpValidator "github.com/openshift-online/ocm-common/pkg/resource/validations" apierrors "k8s.io/apimachinery/pkg/api/errors" runtime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/validation/field" @@ -33,7 +34,12 @@ func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err er allErrs = append(allErrs, err) } + if err := r.validateEtcdEncryptionKMSArn(); err != nil { + allErrs = append(allErrs, err) + } + allErrs = append(allErrs, r.validateNetwork()...) + allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...) if len(allErrs) == 0 { return nil, nil @@ -54,7 +60,12 @@ func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admissio allErrs = append(allErrs, err) } + if err := r.validateEtcdEncryptionKMSArn(); err != nil { + allErrs = append(allErrs, err) + } + allErrs = append(allErrs, r.validateNetwork()...) + allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...) if len(allErrs) == 0 { return nil, nil @@ -113,6 +124,15 @@ func (r *ROSAControlPlane) validateNetwork() field.ErrorList { return allErrs } +func (r *ROSAControlPlane) validateEtcdEncryptionKMSArn() *field.Error { + err := kmsArnRegexpValidator.ValidateKMSKeyARN(&r.Spec.EtcdEncryptionKMSArn) + if err != nil { + return field.Invalid(field.NewPath("spec.EtcdEncryptionKMSArn"), r.Spec.EtcdEncryptionKMSArn, err.Error()) + } + + return nil +} + // Default implements admission.Defaulter. func (r *ROSAControlPlane) Default() { SetObjectDefaults_ROSAControlPlane(r) diff --git a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go index 7a972c59fe..7600d4cad2 100644 --- a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go +++ b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go 
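Review bot: ValidateUpdate now checks the format of spec.etcdEncryptionKMSArn but still admits any change to it, and to spec.endpointAccess, relative to `old`; the controller hunk passes both values into the OCM cluster spec only when the cluster is created, so an edit after creation would be accepted and then, as far as these hunks show, never applied — the stored spec would claim a KMS key or endpoint scope the running cluster does not have. If both fields are create-only, compare them against the old object here and return `field.Forbidden(field.NewPath("spec", "etcdEncryptionKMSArn"), "field is immutable")` (and the equivalent for endpointAccess) so drift is rejected at admission rather than discovered later. ValidateUpdate's body begins and ends outside the hunk, and the same hunk shape is repeated in ValidateCreate, where the immutability check does not apply.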
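Review bot: `field.NewPath("spec.EtcdEncryptionKMSArn")` creates a single path element that contains a dot and the Go field name, so the admission error reports a path that is neither the serialized field nor a proper parent/child path; prefer `field.NewPath("spec", "etcdEncryptionKMSArn")`, which matches the JSON name users see in their manifests. The validator is also called unconditionally on an optional field, so if `ValidateKMSKeyARN` does not treat an empty string as valid, every object that omits the field is rejected — either confirm that behaviour or short-circuit with `if r.Spec.EtcdEncryptionKMSArn == "" { return nil }`. A doc comment would also help, e.g. `// validateEtcdEncryptionKMSArn rejects a spec.etcdEncryptionKMSArn that is not a well-formed KMS key ARN; judging by the validator's import alias this is a syntactic check only, so the key's existence, region and required tags are not verified here.`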
@@ -166,6 +166,13 @@ func (in *RosaControlPlaneSpec) DeepCopyInto(out *RosaControlPlaneSpec) { *out = new(expapiv1beta2.RosaMachinePoolAutoScaling) **out = **in } + if in.AdditionalTags != nil { + in, out := &in.AdditionalTags, &out.AdditionalTags + *out = make(apiv1beta2.Tags, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } out.ControlPlaneEndpoint = in.ControlPlaneEndpoint } diff --git a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go index 510687638d..60d82ff4d7 100644 --- a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go +++ b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go @@ -30,9 +30,17 @@ import ( // All generated defaulters are covering - they call all nested defaulters. func RegisterDefaults(scheme *runtime.Scheme) error { scheme.AddTypeDefaultingFunc(&ROSAControlPlane{}, func(obj interface{}) { SetObjectDefaults_ROSAControlPlane(obj.(*ROSAControlPlane)) }) + scheme.AddTypeDefaultingFunc(&ROSAControlPlaneList{}, func(obj interface{}) { SetObjectDefaults_ROSAControlPlaneList(obj.(*ROSAControlPlaneList)) }) return nil } func SetObjectDefaults_ROSAControlPlane(in *ROSAControlPlane) { SetDefaults_RosaControlPlaneSpec(&in.Spec) } + +func SetObjectDefaults_ROSAControlPlaneList(in *ROSAControlPlaneList) { + for i := range in.Items { + a := &in.Items[i] + SetObjectDefaults_ROSAControlPlane(a) + } +} diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go index d9b27893af..22e86d7ef6 100644 --- a/controlplane/rosa/controllers/rosacontrolplane_controller.go +++ b/controlplane/rosa/controllers/rosacontrolplane_controller.go 
@@ -280,10 +280,12 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc MultiAZ: true, Version: ocm.CreateVersionID(rosaScope.ControlPlane.Spec.Version, ocm.DefaultChannelGroup), ChannelGroup: ocm.DefaultChannelGroup, - Expiration: time.Now().Add(1 * time.Hour), DisableWorkloadMonitoring: ptr.To(true), DefaultIngress: ocm.NewDefaultIngressSpec(), // n.b. this is a no-op when it's set to the default value ComputeMachineType: rosaScope.ControlPlane.Spec.InstanceType, + Tags: rosaScope.ControlPlane.Spec.AdditionalTags, + EtcdEncryption: rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn != "", + EtcdEncryptionKMSArn: rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn, SubnetIds: rosaScope.ControlPlane.Spec.Subnets, AvailabilityZones: rosaScope.ControlPlane.Spec.AvailabilityZones, @@ -301,6 +303,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc AWSCreator: creator, } + if rosaScope.ControlPlane.Spec.EndpointAccess == rosacontrolplanev1.Private { + ocmClusterSpec.Private = ptr.To(true) + ocmClusterSpec.PrivateLink = ptr.To(true) + } + if networkSpec := rosaScope.ControlPlane.Spec.Network; networkSpec != nil { if networkSpec.MachineCIDR != "" { _, machineCIDR, err := net.ParseCIDR(networkSpec.MachineCIDR) diff --git a/docs/book/src/crd/index.md b/docs/book/src/crd/index.md index 9ee3ff5135..1bc6c3aada 100644 --- a/docs/book/src/crd/index.md +++ b/docs/book/src/crd/index.md @@ -4351,8 +4351,8 @@ AWSIdentityReference
IdentityRef is a reference to a identity to be used when reconciling the managed control plane.
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling the managed control plane.
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling the managed control plane.
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling the managed control plane.
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
The URL of the OpenID identity provider that allows the API server to discover -public signing keys for verifying tokens. The URL must begin with https:// -and should correspond to the iss claim in the provider’s OIDC ID tokens. -Per the OIDC standard, path components are allowed but query parameters are -not. Typically the URL consists of only a hostname, like https://server.example.org -or https://example.com. This URL should point to the level below .well-known/openid-configuration -and must be publicly accessible over the internet.
+The URL of the OpenID identity provider that allows the API server to discover +public signing keys for verifying tokens. The URL must begin with https:// +and should correspond to the iss claim in the provider’s OIDC ID tokens. +Per the OIDC standard, path components are allowed but query parameters are +not. Typically the URL consists of only a hostname, like https://server.example.org +or https://example.com. This URL should point to the level below .well-known/openid-configuration +and must be publicly accessible over the internet.
+requiredClaims
The key value pairs that describe required claims in the identity token. +If set, each claim is verified to be present in the token with a matching +value. For the maximum number of claims that you can require, see Amazon +EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) +in the Amazon EKS User Guide.
+usernameClaim
The JSON Web Token (JWT) claim to use as the username. The default is sub, +which is expected to be a unique identifier of the end user. You can choose +other claims, such as email or name, depending on the OpenID identity provider. +Claims other than email are prefixed with the issuer URL to prevent naming +clashes with other plug-ins.
+usernamePrefix
The prefix that is prepended to username claims to prevent clashes with existing +names. If you do not provide this field, and username is a value other than +email, the prefix defaults to issuerurl#. You can use the value - to disable +all prefixing.
+tags
tags to apply to oidc identity provider association
++(Appears on:AWSManagedControlPlaneStatus) +
++
OIDCProviderStatus holds the status of the AWS OIDC identity provider.
+ +Field | +Description | +
---|---|
+arn + +string + + |
+
+ ARN holds the ARN of the provider + |
+
+trustPolicy + +string + + |
+
+ TrustPolicy contains the boilerplate IAM trust policy to use for IRSA + |
+
+(Appears on:IAMAuthenticatorConfig) +
++
RoleMapping represents a mapping from a IAM role to Kubernetes users and groups.
+ +Field | +Description | +
---|---|
+rolearn + +string + + |
+
+ RoleARN is the AWS ARN for the role to map + |
+
+KubernetesMapping + + +KubernetesMapping + + + |
+
+
+(Members of KubernetesMapping holds the RBAC details for the mapping + |
+
+(Appears on:IAMAuthenticatorConfig) +
++
UserMapping represents a mapping from an IAM user to Kubernetes users and groups.
+ +Field | +Description | +
---|---|
+userarn + +string + + |
+
+ UserARN is the AWS ARN for the user to map + |
+
+KubernetesMapping + + +KubernetesMapping + + + |
+
+
+(Members of KubernetesMapping holds the RBAC details for the mapping + |
+
+(Appears on:AWSManagedControlPlaneSpec) +
++
VpcCni specifies configuration related to the VPC CNI.
+ +Field | +Description | +
---|---|
+disable + +bool + + |
+
+ Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the +Amazon VPC CNI is automatically installed into the cluster. For clusters where you want +to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI +should be deleted. You cannot set this to true if you are using the +Amazon VPC CNI addon. + |
+
+env + + +[]Kubernetes core/v1.EnvVar + + + |
+
+(Optional)
+ Env defines a list of environment variables to apply to the |
+
+(Appears on:RosaControlPlaneSpec) +
++
AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
+ +Field | +Description | +
---|---|
+ingressARN + +string + + |
+
+ The referenced role must have a trust relationship that allows it to be assumed via web identity. +https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html. +Example: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Principal”: { +“Federated”: “{{ .ProviderARN }}” +}, +“Action”: “sts:AssumeRoleWithWebIdentity”, +“Condition”: { +“StringEquals”: { +“{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} +} +} +} +] +} +IngressARN is an ARN value referencing a role appropriate for the Ingress Operator. +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“elasticloadbalancing:DescribeLoadBalancers”, +“tag:GetResources”, +“route53:ListHostedZones” +], +“Resource”: “*” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“route53:ChangeResourceRecordSets” +], +“Resource”: [ +“arn:aws:route53:::PUBLIC_ZONE_ID”, +“arn:aws:route53:::PRIVATE_ZONE_ID” +] +} +] +} + |
+
+imageRegistryARN + +string + + |
+
+ ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator. +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“s3:CreateBucket”, +“s3:DeleteBucket”, +“s3:PutBucketTagging”, +“s3:GetBucketTagging”, +“s3:PutBucketPublicAccessBlock”, +“s3:GetBucketPublicAccessBlock”, +“s3:PutEncryptionConfiguration”, +“s3:GetEncryptionConfiguration”, +“s3:PutLifecycleConfiguration”, +“s3:GetLifecycleConfiguration”, +“s3:GetBucketLocation”, +“s3:ListBucket”, +“s3:GetObject”, +“s3:PutObject”, +“s3:DeleteObject”, +“s3:ListBucketMultipartUploads”, +“s3:AbortMultipartUpload”, +“s3:ListMultipartUploadParts” +], +“Resource”: “*” +} +] +} + |
+
+storageARN + +string + + |
+
+ StorageARN is an ARN value referencing a role appropriate for the Storage Operator. +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“ec2:AttachVolume”, +“ec2:CreateSnapshot”, +“ec2:CreateTags”, +“ec2:CreateVolume”, +“ec2:DeleteSnapshot”, +“ec2:DeleteTags”, +“ec2:DeleteVolume”, +“ec2:DescribeInstances”, +“ec2:DescribeSnapshots”, +“ec2:DescribeTags”, +“ec2:DescribeVolumes”, +“ec2:DescribeVolumesModifications”, +“ec2:DetachVolume”, +“ec2:ModifyVolume” +], +“Resource”: “*” +} +] +} + |
+
+networkARN + +string + + |
+
+ NetworkARN is an ARN value referencing a role appropriate for the Network Operator. +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“ec2:DescribeInstances”, +“ec2:DescribeInstanceStatus”, +“ec2:DescribeInstanceTypes”, +“ec2:UnassignPrivateIpAddresses”, +“ec2:AssignPrivateIpAddresses”, +“ec2:UnassignIpv6Addresses”, +“ec2:AssignIpv6Addresses”, +“ec2:DescribeSubnets”, +“ec2:DescribeNetworkInterfaces” +], +“Resource”: “*” +} +] +} + |
+
+kubeCloudControllerARN + +string + + |
+
+ KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. +Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Action”: [ +“autoscaling:DescribeAutoScalingGroups”, +“autoscaling:DescribeLaunchConfigurations”, +“autoscaling:DescribeTags”, +“ec2:DescribeAvailabilityZones”, +“ec2:DescribeInstances”, +“ec2:DescribeImages”, +“ec2:DescribeRegions”, +“ec2:DescribeRouteTables”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeSubnets”, +“ec2:DescribeVolumes”, +“ec2:CreateSecurityGroup”, +“ec2:CreateTags”, +“ec2:CreateVolume”, +“ec2:ModifyInstanceAttribute”, +“ec2:ModifyVolume”, +“ec2:AttachVolume”, +“ec2:AuthorizeSecurityGroupIngress”, +“ec2:CreateRoute”, +“ec2:DeleteRoute”, +“ec2:DeleteSecurityGroup”, +“ec2:DeleteVolume”, +“ec2:DetachVolume”, +“ec2:RevokeSecurityGroupIngress”, +“ec2:DescribeVpcs”, +“elasticloadbalancing:AddTags”, +“elasticloadbalancing:AttachLoadBalancerToSubnets”, +“elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, +“elasticloadbalancing:CreateLoadBalancer”, +“elasticloadbalancing:CreateLoadBalancerPolicy”, +“elasticloadbalancing:CreateLoadBalancerListeners”, +“elasticloadbalancing:ConfigureHealthCheck”, +“elasticloadbalancing:DeleteLoadBalancer”, +“elasticloadbalancing:DeleteLoadBalancerListeners”, +“elasticloadbalancing:DescribeLoadBalancers”, +“elasticloadbalancing:DescribeLoadBalancerAttributes”, +“elasticloadbalancing:DetachLoadBalancerFromSubnets”, +“elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, +“elasticloadbalancing:ModifyLoadBalancerAttributes”, +“elasticloadbalancing:RegisterInstancesWithLoadBalancer”, +“elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, +“elasticloadbalancing:AddTags”, +“elasticloadbalancing:CreateListener”, +“elasticloadbalancing:CreateTargetGroup”, +“elasticloadbalancing:DeleteListener”, +“elasticloadbalancing:DeleteTargetGroup”, 
+“elasticloadbalancing:DeregisterTargets”, +“elasticloadbalancing:DescribeListeners”, +“elasticloadbalancing:DescribeLoadBalancerPolicies”, +“elasticloadbalancing:DescribeTargetGroups”, +“elasticloadbalancing:DescribeTargetHealth”, +“elasticloadbalancing:ModifyListener”, +“elasticloadbalancing:ModifyTargetGroup”, +“elasticloadbalancing:RegisterTargets”, +“elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, +“iam:CreateServiceLinkedRole”, +“kms:DescribeKey” +], +“Resource”: [ +“*” +], +“Effect”: “Allow” +} +] +} + |
+
+nodePoolManagementARN + +string + + |
+
+ NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller. +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Action”: [ +“ec2:AssociateRouteTable”, +“ec2:AttachInternetGateway”, +“ec2:AuthorizeSecurityGroupIngress”, +“ec2:CreateInternetGateway”, +“ec2:CreateNatGateway”, +“ec2:CreateRoute”, +“ec2:CreateRouteTable”, +“ec2:CreateSecurityGroup”, +“ec2:CreateSubnet”, +“ec2:CreateTags”, +“ec2:DeleteInternetGateway”, +“ec2:DeleteNatGateway”, +“ec2:DeleteRouteTable”, +“ec2:DeleteSecurityGroup”, +“ec2:DeleteSubnet”, +“ec2:DeleteTags”, +“ec2:DescribeAccountAttributes”, +“ec2:DescribeAddresses”, +“ec2:DescribeAvailabilityZones”, +“ec2:DescribeImages”, +“ec2:DescribeInstances”, +“ec2:DescribeInternetGateways”, +“ec2:DescribeNatGateways”, +“ec2:DescribeNetworkInterfaces”, +“ec2:DescribeNetworkInterfaceAttribute”, +“ec2:DescribeRouteTables”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeSubnets”, +“ec2:DescribeVpcs”, +“ec2:DescribeVpcAttribute”, +“ec2:DescribeVolumes”, +“ec2:DetachInternetGateway”, +“ec2:DisassociateRouteTable”, +“ec2:DisassociateAddress”, +“ec2:ModifyInstanceAttribute”, +“ec2:ModifyNetworkInterfaceAttribute”, +“ec2:ModifySubnetAttribute”, +“ec2:RevokeSecurityGroupIngress”, +“ec2:RunInstances”, +“ec2:TerminateInstances”, +“tag:GetResources”, +“ec2:CreateLaunchTemplate”, +“ec2:CreateLaunchTemplateVersion”, +“ec2:DescribeLaunchTemplates”, +“ec2:DescribeLaunchTemplateVersions”, +“ec2:DeleteLaunchTemplate”, +“ec2:DeleteLaunchTemplateVersions” +], +“Resource”: [ +“” +], +“Effect”: “Allow” +}, +{ +“Condition”: { +“StringLike”: { +“iam:AWSServiceName”: “elasticloadbalancing.amazonaws.com” +} +}, +“Action”: [ +“iam:CreateServiceLinkedRole” +], +“Resource”: [ +“arn::iam:::role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing” +], +“Effect”: “Allow” +}, +{ +“Action”: [ +“iam:PassRole” +], +“Resource”: [ +“arn::iam:::role/-worker-role” +], 
+“Effect”: “Allow” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“kms:Decrypt”, +“kms:ReEncrypt”, +“kms:GenerateDataKeyWithoutPlainText”, +“kms:DescribeKey” +], +“Resource”: “” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“kms:CreateGrant” +], +“Resource”: “”, +“Condition”: { +“Bool”: { +“kms:GrantIsForAWSResource”: true +} +} +} +] +} + |
+
+controlPlaneOperatorARN + +string + + |
+
+ ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator. +The following is an example of a valid policy document: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“ec2:CreateVpcEndpoint”, +“ec2:DescribeVpcEndpoints”, +“ec2:ModifyVpcEndpoint”, +“ec2:DeleteVpcEndpoints”, +“ec2:CreateTags”, +“route53:ListHostedZones”, +“ec2:CreateSecurityGroup”, +“ec2:AuthorizeSecurityGroupIngress”, +“ec2:AuthorizeSecurityGroupEgress”, +“ec2:DeleteSecurityGroup”, +“ec2:RevokeSecurityGroupIngress”, +“ec2:RevokeSecurityGroupEgress”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeVpcs”, +], +“Resource”: “*” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“route53:ChangeResourceRecordSets”, +“route53:ListResourceRecordSets” +], +“Resource”: “arn:aws:route53:::%s” +} +] +} + |
+
+kmsProviderARN + +string + + |
++ | +
+(Appears on:RosaControlPlaneSpec) +
++
NetworkSpec for ROSA-HCP.
+ +Field | +Description | +
---|---|
+machineCIDR + +string + + |
+
+(Optional)
+ IP addresses block used by OpenShift while installing the cluster, for example “10.0.0.0/16”. + |
+
+podCIDR + +string + + |
+
+(Optional)
+ IP address block from which to assign pod IP addresses, for example |
+
+serviceCIDR + +string + + |
+
+(Optional)
+ IP address block from which to assign service IP addresses, for example |
+
+hostPrefix + +int + + |
+
+(Optional)
+ Network host prefix which is defaulted to |
+
+networkType + +string + + |
+
+(Optional)
+ The CNI network type default is OVNKubernetes. + |
+
+
+Field | +Description | +||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||||||||||||||||||||||||||||||||||||
+spec + + +RosaControlPlaneSpec + + + |
+
+ + +
|
+||||||||||||||||||||||||||||||||||||||||
+status + + +RosaControlPlaneStatus + + + |
++ | +
+(Appears on:ROSAControlPlane) +
++
+Field | +Description | +
---|---|
+rosaClusterName + +string + + |
+
+ Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric +characters or ‘-’, start with an alphabetic character, end with an alphanumeric character +and have a max length of 15 characters. + |
+
+subnets + +[]string + + |
+
+ The Subnet IDs to use when installing the cluster. +SubnetIDs should come in pairs; two per availability zone, one private and one public. + |
+
+availabilityZones + +[]string + + |
+
+ AWS AvailabilityZones of the worker nodes +should match the AvailabilityZones of the Subnets. + |
+
+region + +string + + |
+
+ The AWS Region the cluster lives in. + |
+
+version + +string + + |
+
+ OpenShift semantic version, for example “4.14.5”. + |
+
+rolesRef + + +AWSRolesRef + + + |
+
+ AWS IAM roles used to perform credential requests by the openshift operators. + |
+
+oidcID + +string + + |
+
+ The ID of the OpenID Connect Provider. + |
+
+installerRoleARN + +string + + |
+
+ TODO: these are to satisfy ocm sdk. Explore how to drop them. + |
+
+supportRoleARN + +string + + |
++ | +
+workerRoleARN + +string + + |
++ | +
+billingAccount + +string + + |
+
+(Optional)
+ BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters. +The cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster +is running. + |
+
+credentialsSecretRef + + +Kubernetes core/v1.LocalObjectReference + + + |
+
+(Optional)
+ CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API. +The secret should contain the following data keys: +- ocmToken: eyJhbGciOiJIUzI1NiIsI…. +- ocmApiUrl: Optional, defaults to ‘https://api.openshift.com’ + |
+
+identityRef + + +AWSIdentityReference + + + |
+
+(Optional)
+ IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used. + |
+
+network + + +NetworkSpec + + + |
+
+(Optional)
+ Network config for the ROSA HCP cluster. + |
+
+endpointAccess + + +RosaEndpointAccessType + + + |
+
+(Optional)
+ EndpointAccess specifies the publishing scope of cluster endpoints. The +default is Public. + |
+
+instanceType + +string + + |
+
+(Optional)
+ The instance type to use, for example |
-requiredClaims + autoscaling -map[string]string + +RosaMachinePoolAutoScaling + |
(Optional)
- The key value pairs that describe required claims in the identity token. -If set, each claim is verified to be present in the token with a matching -value. For the maximum number of claims that you can require, see Amazon -EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) -in the Amazon EKS User Guide. +Autoscaling specifies auto scaling behaviour for the MachinePools. |
-usernameClaim + additionalTags -string + +Tags + |
(Optional)
- The JSON Web Token (JWT) claim to use as the username. The default is sub, -which is expected to be a unique identifier of the end user. You can choose -other claims, such as email or name, depending on the OpenID identity provider. -Claims other than email are prefixed with the issuer URL to prevent naming -clashes with other plug-ins. +AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane. |
-usernamePrefix + etcdEncryptionKMSArn string |
(Optional)
- The prefix that is prepended to username claims to prevent clashes with existing -names. If you do not provide this field, and username is a value other than -email, the prefix defaults to issuerurl#. You can use the value - to disable -all prefixing. +EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be
+created out-of-band by the user and tagged with |
-tags + controlPlaneEndpoint - -Tags + +Cluster API api/v1beta1.APIEndpoint |
(Optional)
- tags to apply to oidc identity provider association +ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. |
-(Appears on:AWSManagedControlPlaneStatus) +(Appears on:ROSAControlPlane)
-
OIDCProviderStatus holds the status of the AWS OIDC identity provider.
-arn + externalManagedControlPlane -string +bool |
- ARN holds the ARN of the provider +ExternalManagedControlPlane indicates to cluster-api that the control plane +is managed by an external service such as AKS, EKS, GKE, etc. |
-trustPolicy + initialized -string +bool |
- TrustPolicy contains the boilerplate IAM trust policy to use for IRSA +(Optional) +Initialized denotes whether or not the control plane has the +uploaded kubernetes config-map. |
-(Appears on:IAMAuthenticatorConfig) -
--
RoleMapping represents a mapping from a IAM role to Kubernetes users and groups.
- -Field | -Description | +
+ready + +bool + + |
+
+ Ready denotes that the ROSAControlPlane API Server is ready to receive requests. + |
---|---|---|---|
-rolearn + failureMessage string |
- RoleARN is the AWS ARN for the role to map +(Optional) +FailureMessage will be set in the event that there is a terminal problem +reconciling the state and will be set to a descriptive error message. +This field should not be set for transitive errors that a controller +faces that are expected to be fixed automatically over +time (like service outages), but instead indicate that something is +fundamentally wrong with the spec or the configuration of +the controller, and that manual intervention is required. |
||
-KubernetesMapping + conditions - -KubernetesMapping + +Cluster API api/v1beta1.Conditions |
-
-(Members of KubernetesMapping holds the RBAC details for the mapping +Conditions specifies the conditions for the managed control plane |
-(Appears on:IAMAuthenticatorConfig) -
--
UserMapping represents a mapping from an IAM user to Kubernetes users and groups.
- -Field | -Description | +
+id + +string + + |
+
+ ID is the cluster ID given by ROSA. + |
---|---|---|---|
-userarn + consoleURL string |
- UserARN is the AWS ARN for the user to map +ConsoleURL is the url for the openshift console. |
||
-KubernetesMapping + oidcEndpointURL - -KubernetesMapping - +string |
-
-(Members of KubernetesMapping holds the RBAC details for the mapping +OIDCEndpointURL is the endpoint url for the managed OIDC provider. |
string
alias)-(Appears on:AWSManagedControlPlaneSpec) +(Appears on:RosaControlPlaneSpec)
-
VpcCni specifies configuration related to the VPC CNI.
+RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
Field | +Value | Description |
---|---|---|
-disable - -bool - - |
-
- Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the -Amazon VPC CNI is automatically installed into the cluster. For clusters where you want -to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI -should be deleted. You cannot set this to true if you are using the -Amazon VPC CNI addon. + | |
"Private" |
+Private endpoint access allows only private API server access and private +node communication with the control plane. |
-|
-env - - -[]Kubernetes core/v1.EnvVar - - - |
-
-(Optional)
- Env defines a list of environment variables to apply to the | |
"Public" |
+Public endpoint access allows public API server access and +private node communication with the control plane. |
-
IdentityRef is a reference to a identity to be used when reconciling this cluster
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling this cluster
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling this cluster
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling this cluster
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling this cluster
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
IdentityRef is a reference to a identity to be used when reconciling this cluster
+IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.
-(Appears on:AWSClusterRoleIdentitySpec, AWSClusterSpec, AWSManagedControlPlaneSpec, AWSManagedControlPlaneSpec) +(Appears on:AWSClusterRoleIdentitySpec, AWSClusterSpec, AWSManagedControlPlaneSpec, AWSManagedControlPlaneSpec, RosaControlPlaneSpec)
AWSIdentityReference specifies a identity.
@@ -17309,6 +18553,19 @@ the cluster subnet will be used.securityGroupOverrides
SecurityGroupOverrides is an optional set of security groups to use for the node. +This is optional - if not provided security groups from the cluster will be used.
+sshKeyName
Tenancy indicates if instance should run on shared or single-tenant hardware.
privateDnsName
PrivateDNSName is the options for the instance hostname.
+securityGroupOverrides
SecurityGroupOverrides is an optional set of security groups to use for the node. +This is optional - if not provided security groups from the cluster will be used.
+sshKeyName
Tenancy indicates if instance should run on shared or single-tenant hardware.
privateDnsName
PrivateDNSName is the options for the instance hostname.
+securityGroupOverrides
SecurityGroupOverrides is an optional set of security groups to use for the node. +This is optional - if not provided security groups from the cluster will be used.
+sshKeyName
Tenancy indicates if instance should run on shared or single-tenant hardware.
privateDnsName
PrivateDNSName is the options for the instance hostname.
+version
Version defines which version of Ignition will be used to generate bootstrap data.
+version
storageType
Version defines which version of Ignition will be used to generate bootstrap data.
+StorageType defines how to store the boostrap user data for Ignition. +This can be used to instruct Ignition from where to fetch the user data to bootstrap an instance.
+When omitted, the storage option will default to ClusterObjectStore.
+When set to “ClusterObjectStore”, if the capability is available and a Cluster ObjectStore configuration +is correctly provided in the Cluster object (under .spec.s3Bucket), +an object store will be used to store bootstrap user data.
+When set to “UnencryptedUserData”, EC2 Instance User Data will be used to store the machine bootstrap user data, unencrypted. +This option is considered less secure than others as user data may contain sensitive informations (keys, certificates, etc.) +and users with ec2:DescribeInstances permission or users running pods +that can access the ec2 metadata service have access to this sensitive information. +So this is only to be used at ones own risk, and only when other more secure options are not viable.
string
alias)+(Appears on:Ignition) +
++
IgnitionStorageTypeOption defines the different storage types for Ignition.
+@@ -19981,6 +21338,20 @@ InstanceMetadataOptions
InstanceMetadataOptions is the metadata options for the EC2 instance.
+privateDnsName
PrivateDNSName is the options for the instance hostname.
++(Appears on:AWSMachineSpec, Instance, AWSLaunchTemplate) +
++
PrivateDNSName is the options for the instance hostname.
+ +Field | +Description | +
---|---|
+enableResourceNameDnsAAAARecord + +bool + + |
+
+(Optional)
+ EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. + |
+
+enableResourceNameDnsARecord + +bool + + |
+
+(Optional)
+ EnableResourceNameDNSARecord indicates whether to respond to DNS queries for instance hostnames with DNS A records. + |
+
+hostnameType + +string + + |
+
+(Optional)
+ The type of hostname to assign to an instance. + |
+
string
alias)@@ -20873,7 +22298,7 @@ Tags
map[string]string
alias)-(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec) +(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, RosaControlPlaneSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec)
Tags defines a map of tags.
@@ -21179,6 +22604,20 @@ it’s generally suggested that the group rules are removed or modified apprNOTE: This only applies when the VPC is managed by the Cluster API AWS controller.
+privateDnsHostnameTypeOnLaunch
PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch. +For IPv4-only and dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the instance IPv4 address (ip-name) +or the instance ID (resource-name). For IPv6 only subnets, an instance DNS name must be based on the instance ID (resource-name).
+InstanceMetadataOptions defines the behavior for applying metadata to instances.
+privateDnsName
PrivateDNSName is the options for the instance hostname.
+defaultInstanceWarmup
The amount of time, in seconds, until a new instance is considered to +have finished initializing and resource consumption to become stable +after it enters the InService state. +If no value is supplied by user a default value of 300 seconds is set
+refreshPreferences
defaultInstanceWarmup
The amount of time, in seconds, until a new instance is considered to +have finished initializing and resource consumption to become stable +after it enters the InService state. +If no value is supplied by user a default value of 300 seconds is set
+refreshPreferences
defaultInstanceWarmup
capacityRebalance
version
Version specifies the OpenShift version of the nodes associated with this machinepool. +ROSAControlPlane version is used if not set.
+availabilityZone
taints
Taints specifies the taints to apply to the nodes of the machine pool
+autoRepair
tuningConfigs
TuningConfigs specifies the names of the tuning configs to be applied to this MachinePool. +Tuning configs must already exist.
+providerIDList
-(Appears on:RosaMachinePoolSpec) +(Appears on:RosaControlPlaneSpec, RosaMachinePoolSpec)
RosaMachinePoolAutoScaling specifies scaling options.
@@ -24356,6 +25895,19 @@ must be a valid DNS-1035 label, so it must consist of lower case alphanumeric anversion
Version specifies the OpenShift version of the nodes associated with this machinepool. +ROSAControlPlane version is used if not set.
+availabilityZone
taints
Taints specifies the taints to apply to the nodes of the machine pool
+autoRepair
tuningConfigs
TuningConfigs specifies the names of the tuning configs to be applied to this MachinePool. +Tuning configs must already exist.
+providerIDList
failureMessage
FailureMessage will be set in the event that there is a terminal problem +reconciling the state and will be set to a descriptive error message.
+This field should not be set for transitive errors that a controller +faces that are expected to be fixed automatically over +time (like service outages), but instead indicate that something is +fundamentally wrong with the spec or the configuration of +the controller, and that manual intervention is required.
+id
+(Appears on:RosaMachinePoolSpec) +
++
+Field | +Description | +
---|---|
+key + +string + + |
+
+ The taint key to be applied to a node. + |
+
+value + +string + + |
+
+(Optional)
+ The taint value corresponding to the taint key. + |
+
+effect + + +Kubernetes core/v1.TaintEffect + + + |
+
+ The effect of the taint on pods that do not tolerate the taint. +Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + |
+
string
alias)
diff --git a/templates/cluster-template-rosa-machinepool.yaml b/templates/cluster-template-rosa-machinepool.yaml
index c86266fe5d..8b6c79bbfe 100644
--- a/templates/cluster-template-rosa-machinepool.yaml
+++ b/templates/cluster-template-rosa-machinepool.yaml
@@ -30,8 +30,6 @@ spec:
 rosaClusterName: ${CLUSTER_NAME:0:15}
 version: "${OPENSHIFT_VERSION}"
 region: "${AWS_REGION}"
- accountID: "${AWS_ACCOUNT_ID}"
- creatorARN: "${AWS_CREATOR_ARN}"
 network:
 machineCIDR: "10.0.0.0/16"
 rolesRef:
diff --git a/templates/cluster-template-rosa.yaml b/templates/cluster-template-rosa.yaml
index 763575134d..f311e9cdb1 100644
--- a/templates/cluster-template-rosa.yaml
+++ b/templates/cluster-template-rosa.yaml
@@ -30,8 +30,6 @@ spec:
 rosaClusterName: ${CLUSTER_NAME:0:15}
 version: "${OPENSHIFT_VERSION}"
 region: "${AWS_REGION}"
- accountID: "${AWS_ACCOUNT_ID}"
- creatorARN: "${AWS_CREATOR_ARN}"
 network:
 machineCIDR: "10.0.0.0/16"
 rolesRef: