From be41c4fba5e6628dbf7d22a57035dc6de2e7caf3 Mon Sep 17 00:00:00 2001 From: Xiangjing Li Date: Tue, 20 Feb 2024 13:32:44 -0500 Subject: [PATCH 1/3] Add missing Fields to RosaControlPlane - tags, etcdEncryption Signed-off-by: Xiangjing Li --- ...ne.cluster.x-k8s.io_rosacontrolplanes.yaml | 11 ++++++++++ .../api/v1beta2/rosacontrolplane_types.go | 9 +++++++++ .../api/v1beta2/rosacontrolplane_webhook.go | 20 +++++++++++++++++++ .../rosa/api/v1beta2/zz_generated.deepcopy.go | 7 +++++++ .../rosacontrolplane_controller.go | 3 +++ .../cluster-template-rosa-machinepool.yaml | 2 -- templates/cluster-template-rosa.yaml | 2 -- 7 files changed, 50 insertions(+), 4 deletions(-) diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml index 61b3e37648..0638f163b0 100644 --- a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml +++ b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml @@ -47,6 +47,12 @@ spec: spec: description: RosaControlPlaneSpec defines the desired state of ROSAControlPlane. properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags are user-defined tags to be added on the + AWS resources associated with the control plane. + type: object autoscaling: description: Autoscaling specifies auto scaling behaviour for the MachinePools. @@ -102,6 +108,11 @@ spec: type: string type: object x-kubernetes-map-type: atomic + etcdEncryptionKMSArn: + description: EtcdEncryptionKMSArn is the ARN of the KMS key used to + encrypt etcd. The key itself needs to be created out-of-band by + the user and tagged with `red-hat:true`. + type: string identityRef: description: IdentityRef is a reference to an identity to be used when reconciling the managed control plane. If no identity is specified, diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go index c6c00f43c8..5e00a4635e 100644 --- a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go +++ b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go @@ -98,6 +98,15 @@ type RosaControlPlaneSpec struct { //nolint: maligned // +optional Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"` + // AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane. + // +optional + AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"` + + // EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be + // created out-of-band by the user and tagged with `red-hat:true`. + // +optional + EtcdEncryptionKMSArn string `json:"etcdEncryptionKMSArn,omitempty"` + // ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. // +optional ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"` diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go index b13edf43d1..6fb6b27504 100644 --- a/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go +++ b/controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go @@ -4,6 +4,7 @@ import ( "net" "github.com/blang/semver" + kmsArnRegexpValidator "github.com/openshift-online/ocm-common/pkg/resource/validations" apierrors "k8s.io/apimachinery/pkg/api/errors" runtime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/validation/field" @@ -33,7 +34,12 @@ func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err er allErrs = append(allErrs, err) } + if err := r.validateEtcdEncryptionKMSArn(); err != nil { + allErrs = append(allErrs, err) + } + allErrs = append(allErrs, r.validateNetwork()...) + allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...) if len(allErrs) == 0 { return nil, nil @@ -54,7 +60,12 @@ func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admissio allErrs = append(allErrs, err) } + if err := r.validateEtcdEncryptionKMSArn(); err != nil { + allErrs = append(allErrs, err) + } + allErrs = append(allErrs, r.validateNetwork()...) + allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...) if len(allErrs) == 0 { return nil, nil @@ -113,6 +124,15 @@ func (r *ROSAControlPlane) validateNetwork() field.ErrorList { return allErrs } +func (r *ROSAControlPlane) validateEtcdEncryptionKMSArn() *field.Error { + err := kmsArnRegexpValidator.ValidateKMSKeyARN(&r.Spec.EtcdEncryptionKMSArn) + if err != nil { + return field.Invalid(field.NewPath("spec.EtcdEncryptionKMSArn"), r.Spec.EtcdEncryptionKMSArn, err.Error()) + } + + return nil +} + // Default implements admission.Defaulter. func (r *ROSAControlPlane) Default() { SetObjectDefaults_ROSAControlPlane(r) diff --git a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go index 7a972c59fe..7600d4cad2 100644 --- a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go +++ b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go @@ -166,6 +166,13 @@ func (in *RosaControlPlaneSpec) DeepCopyInto(out *RosaControlPlaneSpec) { *out = new(expapiv1beta2.RosaMachinePoolAutoScaling) **out = **in } + if in.AdditionalTags != nil { + in, out := &in.AdditionalTags, &out.AdditionalTags + *out = make(apiv1beta2.Tags, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } out.ControlPlaneEndpoint = in.ControlPlaneEndpoint } diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go index d9b27893af..5f41c63fb7 100644 --- a/controlplane/rosa/controllers/rosacontrolplane_controller.go +++ b/controlplane/rosa/controllers/rosacontrolplane_controller.go @@ -284,6 +284,9 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc DisableWorkloadMonitoring: ptr.To(true), DefaultIngress: ocm.NewDefaultIngressSpec(), // n.b. this is a no-op when it's set to the default value ComputeMachineType: rosaScope.ControlPlane.Spec.InstanceType, + Tags: rosaScope.ControlPlane.Spec.AdditionalTags, + EtcdEncryption: rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn != "", + EtcdEncryptionKMSArn: rosaScope.ControlPlane.Spec.EtcdEncryptionKMSArn, SubnetIds: rosaScope.ControlPlane.Spec.Subnets, AvailabilityZones: rosaScope.ControlPlane.Spec.AvailabilityZones, diff --git a/templates/cluster-template-rosa-machinepool.yaml b/templates/cluster-template-rosa-machinepool.yaml index c86266fe5d..8b6c79bbfe 100644 --- a/templates/cluster-template-rosa-machinepool.yaml +++ b/templates/cluster-template-rosa-machinepool.yaml @@ -30,8 +30,6 @@ spec: rosaClusterName: ${CLUSTER_NAME:0:15} version: "${OPENSHIFT_VERSION}" region: "${AWS_REGION}" - accountID: "${AWS_ACCOUNT_ID}" - creatorARN: "${AWS_CREATOR_ARN}" network: machineCIDR: "10.0.0.0/16" rolesRef: diff --git a/templates/cluster-template-rosa.yaml b/templates/cluster-template-rosa.yaml index 763575134d..f311e9cdb1 100644 --- a/templates/cluster-template-rosa.yaml +++ b/templates/cluster-template-rosa.yaml @@ -30,8 +30,6 @@ spec: rosaClusterName: ${CLUSTER_NAME:0:15} version: "${OPENSHIFT_VERSION}" region: "${AWS_REGION}" - accountID: "${AWS_ACCOUNT_ID}" - creatorARN: "${AWS_CREATOR_ARN}" network: machineCIDR: "10.0.0.0/16" rolesRef: From 977ecec3ba9088389a544c963bc7a1713eec3410 Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Mon, 4 Mar 2024 18:13:40 +0100 Subject: [PATCH 2/3] Add EndpointAccess field - remove cluster expirationTime --- ...ne.cluster.x-k8s.io_rosacontrolplanes.yaml | 12 +++++++-- .../api/v1beta2/rosacontrolplane_types.go | 25 +++++++++++++++++-- .../rosa/api/v1beta2/zz_generated.defaults.go | 8 ++++++ .../rosacontrolplane_controller.go | 6 ++++- 4 files changed, 46 insertions(+), 5 deletions(-) diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml index 0638f163b0..5f3a60b523 100644 --- a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml +++ b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml @@ -108,6 +108,14 @@ spec: type: string type: object x-kubernetes-map-type: atomic + endpointAccess: + default: Public + description: EndpointAccess specifies the publishing scope of cluster + endpoints. The default is Public. + enum: + - Public + - Private + type: string etcdEncryptionKMSArn: description: EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be created out-of-band by @@ -372,7 +380,7 @@ spec: description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane. properties: conditions: - description: Conditions specifies the cpnditions for the managed control + description: Conditions specifies the conditions for the managed control plane items: description: Condition defines an observation of a Cluster API resource @@ -444,7 +452,7 @@ spec: type: boolean oidcEndpointURL: description: OIDCEndpointURL is the endpoint url for the managed OIDC - porvider. + provider. type: string ready: default: false diff --git a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go index 5e00a4635e..2ac5adfa0d 100644 --- a/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go +++ b/controlplane/rosa/api/v1beta2/rosacontrolplane_types.go @@ -25,6 +25,19 @@ import ( clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1" ) +// RosaEndpointAccessType specifies the publishing scope of cluster endpoints. +type RosaEndpointAccessType string + +const ( + // Public endpoint access allows public API server access and + // private node communication with the control plane. + Public RosaEndpointAccessType = "Public" + + // Private endpoint access allows only private API server access and private + // node communication with the control plane. + Private RosaEndpointAccessType = "Private" +) + // RosaControlPlaneSpec defines the desired state of ROSAControlPlane. type RosaControlPlaneSpec struct { //nolint: maligned // Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric @@ -90,6 +103,14 @@ type RosaControlPlaneSpec struct { //nolint: maligned // +optional Network *NetworkSpec `json:"network,omitempty"` + // EndpointAccess specifies the publishing scope of cluster endpoints. The + // default is Public. + // + // +kubebuilder:validation:Enum=Public;Private + // +kubebuilder:default=Public + // +optional + EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"` + // The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/ // +optional InstanceType string `json:"instanceType,omitempty"` @@ -543,14 +564,14 @@ type RosaControlPlaneStatus struct { // // +optional FailureMessage *string `json:"failureMessage,omitempty"` - // Conditions specifies the cpnditions for the managed control plane + // Conditions specifies the conditions for the managed control plane Conditions clusterv1.Conditions `json:"conditions,omitempty"` // ID is the cluster ID given by ROSA. ID string `json:"id,omitempty"` // ConsoleURL is the url for the openshift console. ConsoleURL string `json:"consoleURL,omitempty"` - // OIDCEndpointURL is the endpoint url for the managed OIDC porvider. + // OIDCEndpointURL is the endpoint url for the managed OIDC provider. OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"` } diff --git a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go index 510687638d..60d82ff4d7 100644 --- a/controlplane/rosa/api/v1beta2/zz_generated.defaults.go +++ b/controlplane/rosa/api/v1beta2/zz_generated.defaults.go @@ -30,9 +30,17 @@ import ( // All generated defaulters are covering - they call all nested defaulters. func RegisterDefaults(scheme *runtime.Scheme) error { scheme.AddTypeDefaultingFunc(&ROSAControlPlane{}, func(obj interface{}) { SetObjectDefaults_ROSAControlPlane(obj.(*ROSAControlPlane)) }) + scheme.AddTypeDefaultingFunc(&ROSAControlPlaneList{}, func(obj interface{}) { SetObjectDefaults_ROSAControlPlaneList(obj.(*ROSAControlPlaneList)) }) return nil } func SetObjectDefaults_ROSAControlPlane(in *ROSAControlPlane) { SetDefaults_RosaControlPlaneSpec(&in.Spec) } + +func SetObjectDefaults_ROSAControlPlaneList(in *ROSAControlPlaneList) { + for i := range in.Items { + a := &in.Items[i] + SetObjectDefaults_ROSAControlPlane(a) + } +} diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go index 5f41c63fb7..22e86d7ef6 100644 --- a/controlplane/rosa/controllers/rosacontrolplane_controller.go +++ b/controlplane/rosa/controllers/rosacontrolplane_controller.go @@ -280,7 +280,6 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc MultiAZ: true, Version: ocm.CreateVersionID(rosaScope.ControlPlane.Spec.Version, ocm.DefaultChannelGroup), ChannelGroup: ocm.DefaultChannelGroup, - Expiration: time.Now().Add(1 * time.Hour), DisableWorkloadMonitoring: ptr.To(true), DefaultIngress: ocm.NewDefaultIngressSpec(), // n.b. this is a no-op when it's set to the default value ComputeMachineType: rosaScope.ControlPlane.Spec.InstanceType, @@ -304,6 +303,11 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc AWSCreator: creator, } + if rosaScope.ControlPlane.Spec.EndpointAccess == rosacontrolplanev1.Private { + ocmClusterSpec.Private = ptr.To(true) + ocmClusterSpec.PrivateLink = ptr.To(true) + } + if networkSpec := rosaScope.ControlPlane.Spec.Network; networkSpec != nil { if networkSpec.MachineCIDR != "" { _, machineCIDR, err := net.ParseCIDR(networkSpec.MachineCIDR) From 87df892d0f1e1cecc6352a6c73d8ae557745f5f8 Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Wed, 6 Mar 2024 13:36:52 +0100 Subject: [PATCH 3/3] Add ROSAControlPlane CRD docs --- controlplane/rosa/api/v1beta2/doc.go | 21 + docs/book/src/crd/index.md | 1955 ++++++++++++++++++++++++-- 2 files changed, 1824 insertions(+), 152 deletions(-) create mode 100644 controlplane/rosa/api/v1beta2/doc.go diff --git a/controlplane/rosa/api/v1beta2/doc.go b/controlplane/rosa/api/v1beta2/doc.go new file mode 100644 index 0000000000..9308d1fb62 --- /dev/null +++ b/controlplane/rosa/api/v1beta2/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +// +gencrdrefdocs:force +// +groupName=controlplane.cluster.x-k8s.io +// +k8s:defaulter-gen=TypeMeta +package v1beta2 diff --git a/docs/book/src/crd/index.md b/docs/book/src/crd/index.md index 9ee3ff5135..1bc6c3aada 100644 --- a/docs/book/src/crd/index.md +++ b/docs/book/src/crd/index.md @@ -4351,8 +4351,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling the managed control plane.

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -4757,8 +4757,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling the managed control plane.

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -6236,8 +6236,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling the managed control plane.

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -6639,8 +6639,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling the managed control plane.

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -7810,85 +7810,1363 @@ string -

The URL of the OpenID identity provider that allows the API server to discover -public signing keys for verifying tokens. The URL must begin with https:// -and should correspond to the iss claim in the provider’s OIDC ID tokens. -Per the OIDC standard, path components are allowed but query parameters are -not. Typically the URL consists of only a hostname, like https://server.example.org -or https://example.com. This URL should point to the level below .well-known/openid-configuration -and must be publicly accessible over the internet.

+

The URL of the OpenID identity provider that allows the API server to discover +public signing keys for verifying tokens. The URL must begin with https:// +and should correspond to the iss claim in the provider’s OIDC ID tokens. +Per the OIDC standard, path components are allowed but query parameters are +not. Typically the URL consists of only a hostname, like https://server.example.org +or https://example.com. This URL should point to the level below .well-known/openid-configuration +and must be publicly accessible over the internet.

+ + + + +requiredClaims
+ +map[string]string + + + +(Optional) +

The key value pairs that describe required claims in the identity token. +If set, each claim is verified to be present in the token with a matching +value. For the maximum number of claims that you can require, see Amazon +EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) +in the Amazon EKS User Guide.

+ + + + +usernameClaim
+ +string + + + +(Optional) +

The JSON Web Token (JWT) claim to use as the username. The default is sub, +which is expected to be a unique identifier of the end user. You can choose +other claims, such as email or name, depending on the OpenID identity provider. +Claims other than email are prefixed with the issuer URL to prevent naming +clashes with other plug-ins.

+ + + + +usernamePrefix
+ +string + + + +(Optional) +

The prefix that is prepended to username claims to prevent clashes with existing +names. If you do not provide this field, and username is a value other than +email, the prefix defaults to issuerurl#. You can use the value - to disable +all prefixing.

+ + + + +tags
+ + +Tags + + + + +(Optional) +

tags to apply to oidc identity provider association

+ + + + +

OIDCProviderStatus +

+

+(Appears on:AWSManagedControlPlaneStatus) +

+

+

OIDCProviderStatus holds the status of the AWS OIDC identity provider.

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+arn
+ +string + +		 +

ARN holds the ARN of the provider

+
+trustPolicy
+ +string + +		 +

TrustPolicy contains the boilerplate IAM trust policy to use for IRSA

+
+

RoleMapping +

+

+(Appears on:IAMAuthenticatorConfig) +

+

+

RoleMapping represents a mapping from a IAM role to Kubernetes users and groups.

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+rolearn
+ +string + +		 +

RoleARN is the AWS ARN for the role to map

+
+KubernetesMapping
+ + +KubernetesMapping + + +		 +

+(Members of KubernetesMapping are embedded into this type.) +

+

KubernetesMapping holds the RBAC details for the mapping

+
+

UserMapping +

+

+(Appears on:IAMAuthenticatorConfig) +

+

+

UserMapping represents a mapping from an IAM user to Kubernetes users and groups.

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+userarn
+ +string + +		 +

UserARN is the AWS ARN for the user to map

+
+KubernetesMapping
+ + +KubernetesMapping + + +		 +

+(Members of KubernetesMapping are embedded into this type.) +

+

KubernetesMapping holds the RBAC details for the mapping

+
+

VpcCni +

+

+(Appears on:AWSManagedControlPlaneSpec) +

+

+

VpcCni specifies configuration related to the VPC CNI.

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+disable
+ +bool + +		 +

Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the +Amazon VPC CNI is automatically installed into the cluster. For clusters where you want +to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI +should be deleted. You cannot set this to true if you are using the +Amazon VPC CNI addon.

+
+env
+ + +[]Kubernetes core/v1.EnvVar + + +		 +(Optional) +

Env defines a list of environment variables to apply to the aws-node DaemonSet

+
+

AWSRolesRef +

+

+(Appears on:RosaControlPlaneSpec) +

+

+

AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ingressARN
+ +string + +		 +

The referenced role must have a trust relationship that allows it to be assumed via web identity. +https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html. +Example: +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Principal”: { +“Federated”: “{{ .ProviderARN }}” +}, +“Action”: “sts:AssumeRoleWithWebIdentity”, +“Condition”: { +“StringEquals”: { +“{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} +} +} +} +] +}

+

IngressARN is an ARN value referencing a role appropriate for the Ingress Operator.

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“elasticloadbalancing:DescribeLoadBalancers”, +“tag:GetResources”, +“route53:ListHostedZones” +], +“Resource”: “*” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“route53:ChangeResourceRecordSets” +], +“Resource”: [ +“arn:aws:route53:::PUBLIC_ZONE_ID”, +“arn:aws:route53:::PRIVATE_ZONE_ID” +] +} +] +}

+
+imageRegistryARN
+ +string + +		 +

ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“s3:CreateBucket”, +“s3:DeleteBucket”, +“s3:PutBucketTagging”, +“s3:GetBucketTagging”, +“s3:PutBucketPublicAccessBlock”, +“s3:GetBucketPublicAccessBlock”, +“s3:PutEncryptionConfiguration”, +“s3:GetEncryptionConfiguration”, +“s3:PutLifecycleConfiguration”, +“s3:GetLifecycleConfiguration”, +“s3:GetBucketLocation”, +“s3:ListBucket”, +“s3:GetObject”, +“s3:PutObject”, +“s3:DeleteObject”, +“s3:ListBucketMultipartUploads”, +“s3:AbortMultipartUpload”, +“s3:ListMultipartUploadParts” +], +“Resource”: “*” +} +] +}

+
+storageARN
+ +string + +		 +

StorageARN is an ARN value referencing a role appropriate for the Storage Operator.

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“ec2:AttachVolume”, +“ec2:CreateSnapshot”, +“ec2:CreateTags”, +“ec2:CreateVolume”, +“ec2:DeleteSnapshot”, +“ec2:DeleteTags”, +“ec2:DeleteVolume”, +“ec2:DescribeInstances”, +“ec2:DescribeSnapshots”, +“ec2:DescribeTags”, +“ec2:DescribeVolumes”, +“ec2:DescribeVolumesModifications”, +“ec2:DetachVolume”, +“ec2:ModifyVolume” +], +“Resource”: “*” +} +] +}

+
+networkARN
+ +string + +		 +

NetworkARN is an ARN value referencing a role appropriate for the Network Operator.

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“ec2:DescribeInstances”, +“ec2:DescribeInstanceStatus”, +“ec2:DescribeInstanceTypes”, +“ec2:UnassignPrivateIpAddresses”, +“ec2:AssignPrivateIpAddresses”, +“ec2:UnassignIpv6Addresses”, +“ec2:AssignIpv6Addresses”, +“ec2:DescribeSubnets”, +“ec2:DescribeNetworkInterfaces” +], +“Resource”: “*” +} +] +}

+
+kubeCloudControllerARN
+ +string + +		 +

KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. +Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Action”: [ +“autoscaling:DescribeAutoScalingGroups”, +“autoscaling:DescribeLaunchConfigurations”, +“autoscaling:DescribeTags”, +“ec2:DescribeAvailabilityZones”, +“ec2:DescribeInstances”, +“ec2:DescribeImages”, +“ec2:DescribeRegions”, +“ec2:DescribeRouteTables”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeSubnets”, +“ec2:DescribeVolumes”, +“ec2:CreateSecurityGroup”, +“ec2:CreateTags”, +“ec2:CreateVolume”, +“ec2:ModifyInstanceAttribute”, +“ec2:ModifyVolume”, +“ec2:AttachVolume”, +“ec2:AuthorizeSecurityGroupIngress”, +“ec2:CreateRoute”, +“ec2:DeleteRoute”, +“ec2:DeleteSecurityGroup”, +“ec2:DeleteVolume”, +“ec2:DetachVolume”, +“ec2:RevokeSecurityGroupIngress”, +“ec2:DescribeVpcs”, +“elasticloadbalancing:AddTags”, +“elasticloadbalancing:AttachLoadBalancerToSubnets”, +“elasticloadbalancing:ApplySecurityGroupsToLoadBalancer”, +“elasticloadbalancing:CreateLoadBalancer”, +“elasticloadbalancing:CreateLoadBalancerPolicy”, +“elasticloadbalancing:CreateLoadBalancerListeners”, +“elasticloadbalancing:ConfigureHealthCheck”, +“elasticloadbalancing:DeleteLoadBalancer”, +“elasticloadbalancing:DeleteLoadBalancerListeners”, +“elasticloadbalancing:DescribeLoadBalancers”, +“elasticloadbalancing:DescribeLoadBalancerAttributes”, +“elasticloadbalancing:DetachLoadBalancerFromSubnets”, +“elasticloadbalancing:DeregisterInstancesFromLoadBalancer”, +“elasticloadbalancing:ModifyLoadBalancerAttributes”, +“elasticloadbalancing:RegisterInstancesWithLoadBalancer”, +“elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer”, +“elasticloadbalancing:AddTags”, +“elasticloadbalancing:CreateListener”, +“elasticloadbalancing:CreateTargetGroup”, +“elasticloadbalancing:DeleteListener”, +“elasticloadbalancing:DeleteTargetGroup”, +“elasticloadbalancing:DeregisterTargets”, +“elasticloadbalancing:DescribeListeners”, +“elasticloadbalancing:DescribeLoadBalancerPolicies”, +“elasticloadbalancing:DescribeTargetGroups”, +“elasticloadbalancing:DescribeTargetHealth”, +“elasticloadbalancing:ModifyListener”, +“elasticloadbalancing:ModifyTargetGroup”, +“elasticloadbalancing:RegisterTargets”, +“elasticloadbalancing:SetLoadBalancerPoliciesOfListener”, +“iam:CreateServiceLinkedRole”, +“kms:DescribeKey” +], +“Resource”: [ +“*” +], +“Effect”: “Allow” +} +] +}

+
+nodePoolManagementARN
+ +string + +		 +

NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Action”: [ +“ec2:AssociateRouteTable”, +“ec2:AttachInternetGateway”, +“ec2:AuthorizeSecurityGroupIngress”, +“ec2:CreateInternetGateway”, +“ec2:CreateNatGateway”, +“ec2:CreateRoute”, +“ec2:CreateRouteTable”, +“ec2:CreateSecurityGroup”, +“ec2:CreateSubnet”, +“ec2:CreateTags”, +“ec2:DeleteInternetGateway”, +“ec2:DeleteNatGateway”, +“ec2:DeleteRouteTable”, +“ec2:DeleteSecurityGroup”, +“ec2:DeleteSubnet”, +“ec2:DeleteTags”, +“ec2:DescribeAccountAttributes”, +“ec2:DescribeAddresses”, +“ec2:DescribeAvailabilityZones”, +“ec2:DescribeImages”, +“ec2:DescribeInstances”, +“ec2:DescribeInternetGateways”, +“ec2:DescribeNatGateways”, +“ec2:DescribeNetworkInterfaces”, +“ec2:DescribeNetworkInterfaceAttribute”, +“ec2:DescribeRouteTables”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeSubnets”, +“ec2:DescribeVpcs”, +“ec2:DescribeVpcAttribute”, +“ec2:DescribeVolumes”, +“ec2:DetachInternetGateway”, +“ec2:DisassociateRouteTable”, +“ec2:DisassociateAddress”, +“ec2:ModifyInstanceAttribute”, +“ec2:ModifyNetworkInterfaceAttribute”, +“ec2:ModifySubnetAttribute”, +“ec2:RevokeSecurityGroupIngress”, +“ec2:RunInstances”, +“ec2:TerminateInstances”, +“tag:GetResources”, +“ec2:CreateLaunchTemplate”, +“ec2:CreateLaunchTemplateVersion”, +“ec2:DescribeLaunchTemplates”, +“ec2:DescribeLaunchTemplateVersions”, +“ec2:DeleteLaunchTemplate”, +“ec2:DeleteLaunchTemplateVersions” +], +“Resource”: [ +“” +], +“Effect”: “Allow” +}, +{ +“Condition”: { +“StringLike”: { +“iam:AWSServiceName”: “elasticloadbalancing.amazonaws.com” +} +}, +“Action”: [ +“iam:CreateServiceLinkedRole” +], +“Resource”: [ +“arn::iam:::role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing” +], +“Effect”: “Allow” +}, +{ +“Action”: [ +“iam:PassRole” +], +“Resource”: [ +“arn::iam:::role/-worker-role” +], +“Effect”: “Allow” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“kms:Decrypt”, +“kms:ReEncrypt”, +“kms:GenerateDataKeyWithoutPlainText”, +“kms:DescribeKey” +], +“Resource”: “” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“kms:CreateGrant” +], +“Resource”: “”, +“Condition”: { +“Bool”: { +“kms:GrantIsForAWSResource”: true +} +} +} +] +}

+
+controlPlaneOperatorARN
+ +string + +		 +

ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator.

+

The following is an example of a valid policy document:

+

{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Action”: [ +“ec2:CreateVpcEndpoint”, +“ec2:DescribeVpcEndpoints”, +“ec2:ModifyVpcEndpoint”, +“ec2:DeleteVpcEndpoints”, +“ec2:CreateTags”, +“route53:ListHostedZones”, +“ec2:CreateSecurityGroup”, +“ec2:AuthorizeSecurityGroupIngress”, +“ec2:AuthorizeSecurityGroupEgress”, +“ec2:DeleteSecurityGroup”, +“ec2:RevokeSecurityGroupIngress”, +“ec2:RevokeSecurityGroupEgress”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeVpcs”, +], +“Resource”: “*” +}, +{ +“Effect”: “Allow”, +“Action”: [ +“route53:ChangeResourceRecordSets”, +“route53:ListResourceRecordSets” +], +“Resource”: “arn:aws:route53:::%s” +} +] +}

+
+kmsProviderARN
+ +string + +		 +
+

NetworkSpec +

+

+(Appears on:RosaControlPlaneSpec) +

+

+

NetworkSpec for ROSA-HCP.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+machineCIDR
+ +string + +		 +(Optional) +

IP addresses block used by OpenShift while installing the cluster, for example “10.0.0.0/16”.

+
+podCIDR
+ +string + +		 +(Optional) +

IP address block from which to assign pod IP addresses, for example 10.128.0.0/14.

+
+serviceCIDR
+ +string + +		 +(Optional) +

IP address block from which to assign service IP addresses, for example 172.30.0.0/16.

+
+hostPrefix
+ +int + +		 +(Optional) +

Network host prefix which is defaulted to 23 if not specified.

+
+networkType
+ +string + +		 +(Optional) +

The CNI network type default is OVNKubernetes.

+
+

ROSAControlPlane +

+

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+metadata
+ + +Kubernetes meta/v1.ObjectMeta + + +		 +Refer to the Kubernetes API documentation for the fields of the +metadata field. +
+spec
+ + +RosaControlPlaneSpec + + +		 +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+rosaClusterName
+ +string + +		 +

Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric +characters or ‘-’, start with an alphabetic character, end with an alphanumeric character +and have a max length of 15 characters.

+
+subnets
+ +[]string + +		 +

The Subnet IDs to use when installing the cluster. +SubnetIDs should come in pairs; two per availability zone, one private and one public.

+
+availabilityZones
+ +[]string + +		 +

AWS AvailabilityZones of the worker nodes +should match the AvailabilityZones of the Subnets.

+
+region
+ +string + +		 +

The AWS Region the cluster lives in.

+
+version
+ +string + +		 +

OpenShift semantic version, for example “4.14.5”.

+
+rolesRef
+ + +AWSRolesRef + + +		 +

AWS IAM roles used to perform credential requests by the openshift operators.

+
+oidcID
+ +string + +		 +

The ID of the OpenID Connect Provider.

+
+installerRoleARN
+ +string + +		 +

TODO: these are to satisfy ocm sdk. Explore how to drop them.

+
+supportRoleARN
+ +string + +		 +
+workerRoleARN
+ +string + +		 +
+billingAccount
+ +string + +		 +(Optional) +

BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters. +The cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster +is running.

+
+credentialsSecretRef
+ + +Kubernetes core/v1.LocalObjectReference + + +		 +(Optional) +

CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API. +The secret should contain the following data keys: +- ocmToken: eyJhbGciOiJIUzI1NiIsI…. +- ocmApiUrl: Optional, defaults to ‘https://api.openshift.com’

+
+identityRef
+ + +AWSIdentityReference + + +		 +(Optional) +

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

+
+network
+ + +NetworkSpec + + +		 +(Optional) +

Network config for the ROSA HCP cluster.

+
+endpointAccess
+ + +RosaEndpointAccessType + + +		 +(Optional) +

EndpointAccess specifies the publishing scope of cluster endpoints. The +default is Public.

+
+instanceType
+ +string + +		 +(Optional) +

The instance type to use, for example r5.xlarge. Instance type ref; https://aws.amazon.com/ec2/instance-types/

+
+autoscaling
+ + +RosaMachinePoolAutoScaling + + +		 +(Optional) +

Autoscaling specifies auto scaling behaviour for the MachinePools.

+
+additionalTags
+ + +Tags + + +		 +(Optional) +

AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.

+
+etcdEncryptionKMSArn
+ +string + +		 +(Optional) +

EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be +created out-of-band by the user and tagged with red-hat:true.

+
+controlPlaneEndpoint
+ + +Cluster API api/v1beta1.APIEndpoint + + +		 +(Optional) +

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

+
+
+status
+ + +RosaControlPlaneStatus + + +		 +
+

RosaControlPlaneSpec +

+

+(Appears on:ROSAControlPlane) +

+

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+rosaClusterName
+ +string + +		 +

Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric +characters or ‘-’, start with an alphabetic character, end with an alphanumeric character +and have a max length of 15 characters.

+
+subnets
+ +[]string + +		 +

The Subnet IDs to use when installing the cluster. +SubnetIDs should come in pairs; two per availability zone, one private and one public.

+
+availabilityZones
+ +[]string + +		 +

AWS AvailabilityZones of the worker nodes +should match the AvailabilityZones of the Subnets.

+
+region
+ +string + +		 +

The AWS Region the cluster lives in.

+
+version
+ +string + +		 +

OpenShift semantic version, for example “4.14.5”.

+
+rolesRef
+ + +AWSRolesRef + + +		 +

AWS IAM roles used to perform credential requests by the openshift operators.

+
+oidcID
+ +string + +		 +

The ID of the OpenID Connect Provider.

+
+installerRoleARN
+ +string + +		 +

TODO: these are to satisfy ocm sdk. Explore how to drop them.

+
+supportRoleARN
+ +string + +		 +
+workerRoleARN
+ +string + +		 +
+billingAccount
+ +string + +		 +(Optional) +

BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters. +The cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster +is running.

+
+credentialsSecretRef
+ + +Kubernetes core/v1.LocalObjectReference + + +		 +(Optional) +

CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API. +The secret should contain the following data keys: +- ocmToken: eyJhbGciOiJIUzI1NiIsI…. +- ocmApiUrl: Optional, defaults to ‘https://api.openshift.com’

+
+identityRef
+ + +AWSIdentityReference + + +		 +(Optional) +

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

+
+network
+ + +NetworkSpec + + +		 +(Optional) +

Network config for the ROSA HCP cluster.

+
+endpointAccess
+ + +RosaEndpointAccessType + + +		 +(Optional) +

EndpointAccess specifies the publishing scope of cluster endpoints. The +default is Public.

+
+instanceType
+ +string + +		 +(Optional) +

The instance type to use, for example r5.xlarge. Instance type ref; https://aws.amazon.com/ec2/instance-types/
-requiredClaims
+autoscaling
-map[string]string + +RosaMachinePoolAutoScaling + 		(Optional) -

The key value pairs that describe required claims in the identity token. -If set, each claim is verified to be present in the token with a matching -value. For the maximum number of claims that you can require, see Amazon -EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) -in the Amazon EKS User Guide.

+

Autoscaling specifies auto scaling behaviour for the MachinePools.
-usernameClaim
+additionalTags
-string + +Tags + 		(Optional) -

The JSON Web Token (JWT) claim to use as the username. The default is sub, -which is expected to be a unique identifier of the end user. You can choose -other claims, such as email or name, depending on the OpenID identity provider. -Claims other than email are prefixed with the issuer URL to prevent naming -clashes with other plug-ins.

+

AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.
-usernamePrefix
+etcdEncryptionKMSArn
string 		(Optional) -

The prefix that is prepended to username claims to prevent clashes with existing -names. If you do not provide this field, and username is a value other than -email, the prefix defaults to issuerurl#. You can use the value - to disable -all prefixing.

+

EtcdEncryptionKMSArn is the ARN of the KMS key used to encrypt etcd. The key itself needs to be +created out-of-band by the user and tagged with red-hat:true.
-tags
+controlPlaneEndpoint
- -Tags + +Cluster API api/v1beta1.APIEndpoint 		(Optional) -

tags to apply to oidc identity provider association

+

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
-

OIDCProviderStatus +

RosaControlPlaneStatus

-(Appears on:AWSManagedControlPlaneStatus) +(Appears on:ROSAControlPlane)

-

OIDCProviderStatus holds the status of the AWS OIDC identity provider.

@@ -7900,164 +9178,130 @@ Tags - -
-arn
+externalManagedControlPlane
-string +bool 		-

ARN holds the ARN of the provider

+

ExternalManagedControlPlane indicates to cluster-api that the control plane +is managed by an external service such as AKS, EKS, GKE, etc.
-trustPolicy
+initialized
-string +bool 		-

TrustPolicy contains the boilerplate IAM trust policy to use for IRSA

+(Optional) +

Initialized denotes whether or not the control plane has the +uploaded kubernetes config-map.
-

RoleMapping -

-

-(Appears on:IAMAuthenticatorConfig) -

-

-

RoleMapping represents a mapping from a IAM role to Kubernetes users and groups.

-

- - - - + + - - - -
FieldDescription +ready
+ +bool + +		 +

Ready denotes that the ROSAControlPlane API Server is ready to receive requests.

+
-rolearn
+failureMessage
string 		-

RoleARN is the AWS ARN for the role to map

+(Optional) +

FailureMessage will be set in the event that there is a terminal problem +reconciling the state and will be set to a descriptive error message.

+

This field should not be set for transitive errors that a controller +faces that are expected to be fixed automatically over +time (like service outages), but instead indicate that something is +fundamentally wrong with the spec or the configuration of +the controller, and that manual intervention is required.
-KubernetesMapping
+conditions
- -KubernetesMapping + +Cluster API api/v1beta1.Conditions 		-

-(Members of KubernetesMapping are embedded into this type.) -

-

KubernetesMapping holds the RBAC details for the mapping

+

Conditions specifies the conditions for the managed control plane
-

UserMapping -

-

-(Appears on:IAMAuthenticatorConfig) -

-

-

UserMapping represents a mapping from an IAM user to Kubernetes users and groups.

-

- - - - + + - -
FieldDescription +id
+ +string + +		 +

ID is the cluster ID given by ROSA.

+
-userarn
+consoleURL
string 		-

UserARN is the AWS ARN for the user to map

+

ConsoleURL is the url for the openshift console.
-KubernetesMapping
+oidcEndpointURL
- -KubernetesMapping - +string 		-

-(Members of KubernetesMapping are embedded into this type.) -

-

KubernetesMapping holds the RBAC details for the mapping

+

OIDCEndpointURL is the endpoint url for the managed OIDC provider.
-

VpcCni -

+

RosaEndpointAccessType +(string alias)

-(Appears on:AWSManagedControlPlaneSpec) +(Appears on:RosaControlPlaneSpec)

-

VpcCni specifies configuration related to the VPC CNI.

+

RosaEndpointAccessType specifies the publishing scope of cluster endpoints.

- + - - - - + - - - - + - - +
FieldValue Description
-disable
- -bool - -		 -

Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the -Amazon VPC CNI is automatically installed into the cluster. For clusters where you want -to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI -should be deleted. You cannot set this to true if you are using the -Amazon VPC CNI addon.

+

"Private"

Private endpoint access allows only private API server access and private +node communication with the control plane.

-env
- - -[]Kubernetes core/v1.EnvVar - - -		 -(Optional) -

Env defines a list of environment variables to apply to the aws-node DaemonSet

+

"Public"

Public endpoint access allows public API server access and +private node communication with the control plane.

infrastructure.cluster.x-k8s.io/v1beta1

@@ -8306,8 +9550,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling this cluster

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -8838,8 +10082,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling this cluster

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -9318,8 +10562,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling this cluster

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -15742,8 +16986,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling this cluster

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -16302,8 +17546,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling this cluster

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -16810,8 +18054,8 @@ AWSIdentityReference -(Optional) -

IdentityRef is a reference to a identity to be used when reconciling this cluster

+

IdentityRef is a reference to an identity to be used when reconciling the managed control plane. +If no identity is specified, the default identity for this controller will be used.

@@ -16877,7 +18121,7 @@ AWSClusterTemplateResource

AWSIdentityReference

-(Appears on:AWSClusterRoleIdentitySpec, AWSClusterSpec, AWSManagedControlPlaneSpec, AWSManagedControlPlaneSpec) +(Appears on:AWSClusterRoleIdentitySpec, AWSClusterSpec, AWSManagedControlPlaneSpec, AWSManagedControlPlaneSpec, RosaControlPlaneSpec)

AWSIdentityReference specifies a identity.

@@ -17309,6 +18553,19 @@ the cluster subnet will be used.

+securityGroupOverrides
+ +map[sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SecurityGroupRole]string + + + +(Optional) +

SecurityGroupOverrides is an optional set of security groups to use for the node. +This is optional - if not provided security groups from the cluster will be used.

+ + + + sshKeyName
string @@ -17441,6 +18698,20 @@ string

Tenancy indicates if instance should run on shared or single-tenant hardware.

+ + +privateDnsName
+ + +PrivateDNSName + + + + +(Optional) +

PrivateDNSName is the options for the instance hostname.

+ + @@ -17662,6 +18933,19 @@ the cluster subnet will be used.

+securityGroupOverrides
+ +map[sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SecurityGroupRole]string + + + +(Optional) +

SecurityGroupOverrides is an optional set of security groups to use for the node. +This is optional - if not provided security groups from the cluster will be used.

+ + + + sshKeyName
string @@ -17794,6 +19078,20 @@ string

Tenancy indicates if instance should run on shared or single-tenant hardware.

+ + +privateDnsName
+ + +PrivateDNSName + + + + +(Optional) +

PrivateDNSName is the options for the instance hostname.

+ +

AWSMachineStatus @@ -18231,6 +19529,19 @@ the cluster subnet will be used.

+securityGroupOverrides
+ +map[sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SecurityGroupRole]string + + + +(Optional) +

SecurityGroupOverrides is an optional set of security groups to use for the node. +This is optional - if not provided security groups from the cluster will be used.

+ + + + sshKeyName
string @@ -18363,6 +19674,20 @@ string

Tenancy indicates if instance should run on shared or single-tenant hardware.

+ + +privateDnsName
+ + +PrivateDNSName + + + + +(Optional) +

PrivateDNSName is the options for the instance hostname.

+ + @@ -19544,22 +20869,54 @@ Mutually exclusive with CidrBlock.

Field Description - - + + + + +version
+ +string + + + +(Optional) +

Version defines which version of Ignition will be used to generate bootstrap data.

+ + -version
+storageType
-string + +IgnitionStorageTypeOption + (Optional) -

Version defines which version of Ignition will be used to generate bootstrap data.

+

StorageType defines how to store the boostrap user data for Ignition. +This can be used to instruct Ignition from where to fetch the user data to bootstrap an instance.

+

When omitted, the storage option will default to ClusterObjectStore.

+

When set to “ClusterObjectStore”, if the capability is available and a Cluster ObjectStore configuration +is correctly provided in the Cluster object (under .spec.s3Bucket), +an object store will be used to store bootstrap user data.

+

When set to “UnencryptedUserData”, EC2 Instance User Data will be used to store the machine bootstrap user data, unencrypted. +This option is considered less secure than others as user data may contain sensitive informations (keys, certificates, etc.) +and users with ec2:DescribeInstances permission or users running pods +that can access the ec2 metadata service have access to this sensitive information. +So this is only to be used at ones own risk, and only when other more secure options are not viable.

+

IgnitionStorageTypeOption +(string alias)

+

+(Appears on:Ignition) +

+

+

IgnitionStorageTypeOption defines the different storage types for Ignition.

+

IngressRule

@@ -19981,6 +21338,20 @@ InstanceMetadataOptions

InstanceMetadataOptions is the metadata options for the EC2 instance.

+ + +privateDnsName
+ + +PrivateDNSName + + + + +(Optional) +

PrivateDNSName is the options for the instance hostname.

+ +

InstanceMetadataOptions @@ -20491,6 +21862,60 @@ LoadBalancer +

PrivateDNSName +

+

+(Appears on:AWSMachineSpec, Instance, AWSLaunchTemplate) +

+

+

PrivateDNSName is the options for the instance hostname.

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+enableResourceNameDnsAAAARecord
+ +bool + +		 +(Optional) +

EnableResourceNameDNSAAAARecord indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.

+
+enableResourceNameDnsARecord
+ +bool + +		 +(Optional) +

EnableResourceNameDNSARecord indicates whether to respond to DNS queries for instance hostnames with DNS A records.

+
+hostnameType
+ +string + +		 +(Optional) +

The type of hostname to assign to an instance.

+

ResourceLifecycle (string alias)

@@ -20873,7 +22298,7 @@ Tags

Tags (map[string]string alias)

-(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec) +(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, RosaControlPlaneSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec)

Tags defines a map of tags.

@@ -21179,6 +22604,20 @@ it’s generally suggested that the group rules are removed or modified appr

NOTE: This only applies when the VPC is managed by the Cluster API AWS controller.

+ + +privateDnsHostnameTypeOnLaunch
+ +string + + + +(Optional) +

PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch. +For IPv4-only and dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the instance IPv4 address (ip-name) +or the instance ID (resource-name). For IPv6 only subnets, an instance DNS name must be based on the instance ID (resource-name).

+ +

Volume @@ -21634,6 +23073,20 @@ InstanceMetadataOptions

InstanceMetadataOptions defines the behavior for applying metadata to instances.

+ + +privateDnsName
+ + +PrivateDNSName + + + + +(Optional) +

PrivateDNSName is the options for the instance hostname.

+ +

AWSMachinePool @@ -21820,6 +23273,23 @@ If no value is supplied by user a default value of 300 seconds is set

+defaultInstanceWarmup
+ + +Kubernetes meta/v1.Duration + + + + +(Optional) +

The amount of time, in seconds, until a new instance is considered to +have finished initializing and resource consumption to become stable +after it enters the InService state. +If no value is supplied by user a default value of 300 seconds is set

+ + + + refreshPreferences
@@ -22077,6 +23547,23 @@ If no value is supplied by user a default value of 300 seconds is set

+defaultInstanceWarmup
+ + +Kubernetes meta/v1.Duration + + + + +(Optional) +

The amount of time, in seconds, until a new instance is considered to +have finished initializing and resource consumption to become stable +after it enters the InService state. +If no value is supplied by user a default value of 300 seconds is set

+ + + + refreshPreferences
@@ -23141,6 +24628,18 @@ Kubernetes meta/v1.Duration +defaultInstanceWarmup
+ + +Kubernetes meta/v1.Duration + + + + + + + + capacityRebalance
bool @@ -24114,6 +25613,19 @@ must be a valid DNS-1035 label, so it must consist of lower case alphanumeric an +version
+ +string + + + +(Optional) +

Version specifies the OpenShift version of the nodes associated with this machinepool. +ROSAControlPlane version is used if not set.

+ + + + availabilityZone
string @@ -24150,6 +25662,20 @@ map[string]string +taints
+ + +[]RosaTaint + + + + +(Optional) +

Taints specifies the taints to apply to the nodes of the machine pool

+ + + + autoRepair
bool @@ -24189,6 +25715,19 @@ required if Replicas is not configured

+tuningConfigs
+ +[]string + + + +(Optional) +

TuningConfigs specifies the names of the tuning configs to be applied to this MachinePool. +Tuning configs must already exist.

+ + + + providerIDList
[]string @@ -24291,7 +25830,7 @@ during an instance refresh. The default is 90.

RosaMachinePoolAutoScaling

-(Appears on:RosaMachinePoolSpec) +(Appears on:RosaControlPlaneSpec, RosaMachinePoolSpec)

RosaMachinePoolAutoScaling specifies scaling options.

@@ -24356,6 +25895,19 @@ must be a valid DNS-1035 label, so it must consist of lower case alphanumeric an +version
+ +string + + + +(Optional) +

Version specifies the OpenShift version of the nodes associated with this machinepool. +ROSAControlPlane version is used if not set.

+ + + + availabilityZone
string @@ -24392,6 +25944,20 @@ map[string]string +taints
+ + +[]RosaTaint + + + + +(Optional) +

Taints specifies the taints to apply to the nodes of the machine pool

+ + + + autoRepair
bool @@ -24431,6 +25997,19 @@ required if Replicas is not configured

+tuningConfigs
+ +[]string + + + +(Optional) +

TuningConfigs specifies the names of the tuning configs to be applied to this MachinePool. +Tuning configs must already exist.

+ + + + providerIDList
[]string @@ -24499,6 +26078,24 @@ Cluster API api/v1beta1.Conditions +failureMessage
+ +string + + + +(Optional) +

FailureMessage will be set in the event that there is a terminal problem +reconciling the state and will be set to a descriptive error message.

+

This field should not be set for transitive errors that a controller +faces that are expected to be fixed automatically over +time (like service outages), but instead indicate that something is +fundamentally wrong with the spec or the configuration of +the controller, and that manual intervention is required.

+ + + + id
string @@ -24510,6 +26107,60 @@ string +

RosaTaint +

+

+(Appears on:RosaMachinePoolSpec) +

+

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+key
+ +string + +		 +

The taint key to be applied to a node.

+
+value
+ +string + +		 +(Optional) +

The taint value corresponding to the taint key.

+
+effect
+ + +Kubernetes core/v1.TaintEffect + + +		 +

The effect of the taint on pods that do not tolerate the taint. +Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

+

SpotAllocationStrategy (string alias)