From 46371262d323f68a326f9e31d088c02d39f07fa3 Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Wed, 3 Jan 2024 12:36:19 +0100 Subject: [PATCH] Add docs for ROSA - add new cluster template for ROSA clusters --- .../rosacontrolplane_controller.go | 9 +- docs/book/src/SUMMARY_PREFIX.md | 3 + docs/book/src/crd/index.md | 1822 ++++++++++++++--- .../src/topics/rosa/creating-a-cluster.md | 53 + docs/book/src/topics/rosa/enabling.md | 8 + docs/book/src/topics/rosa/index.md | 22 + templates/cluster-template-rosa.yaml | 51 + 7 files changed, 1653 insertions(+), 315 deletions(-) create mode 100644 docs/book/src/topics/rosa/creating-a-cluster.md create mode 100644 docs/book/src/topics/rosa/enabling.md create mode 100644 docs/book/src/topics/rosa/index.md create mode 100644 templates/cluster-template-rosa.yaml diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go index 5431db9be1..cd55018258 100644 --- a/controlplane/rosa/controllers/rosacontrolplane_controller.go +++ b/controlplane/rosa/controllers/rosacontrolplane_controller.go @@ -46,7 +46,6 @@ import ( ) const ( - ocmAPIUrl = "https://api.stage.openshift.com" rosaCreatorArnProperty = "rosa_creator_arn" rosaControlPlaneKind = "ROSAControlPlane" @@ -293,6 +292,10 @@ func (r *ROSAControlPlaneReconciler) reconcileNormal(ctx context.Context, rosaSc // Create the connection, and remember to close it: token := os.Getenv("OCM_TOKEN") + ocmAPIUrl := os.Getenv("OCM_API_URL") + if ocmAPIUrl == "" { + ocmAPIUrl = "https://api.openshift.com" + } connection, err := sdk.NewConnectionBuilder(). Logger(ocmLogger). Tokens(token). 
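Review bot: The `OCM_API_URL` lookup and its `https://api.openshift.com` fallback are duplicated verbatim in reconcileNormal (this hunk) and reconcileDelete (the next hunk), and neither path validates the value before the `OCM_TOKEN` is handed to a connection built for it, so a malformed or non-https endpoint would at best surface as a connection error later. Extracting the lookup into one helper that applies the default and rejects anything that is not an absolute https URL removes the duplication and gives a clear error at the point the configuration is read; each call site then becomes `apiURL, err := ocmAPIURL()` followed by the function's usual error return. The helper needs `net/url` added to the import block, which is outside this hunk, and the builder call that consumes the URL is also outside the hunk, as are the starts and ends of both enclosing functions. The spelling `ocmAPIUrl` departs from the Go initialism convention (`ocmAPIURL`), although the constant this change removes used the same spelling.

```go
// ocmAPIURL returns the OCM API endpoint, honouring OCM_API_URL and falling
// back to the public endpoint. The OCM token is sent to this address, so only
// an absolute https URL is accepted.
func ocmAPIURL() (string, error) {
	raw := os.Getenv("OCM_API_URL")
	if raw == "" {
		return "https://api.openshift.com", nil
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("invalid OCM_API_URL %q: expected an absolute https URL", raw)
	}
	return raw, nil
}

// … unchanged: reconcileNormal up to the OCM_TOKEN lookup …
	apiURL, err := ocmAPIURL()
	// … unchanged: error return as on the surrounding error paths, then the connection builder …
```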
@@ -340,6 +343,10 @@ func (r *ROSAControlPlaneReconciler) reconcileDelete(_ context.Context, rosaScop // Create the connection, and remember to close it: // TODO: token should be read from a secret: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/4460 token := os.Getenv("OCM_TOKEN") + ocmAPIUrl := os.Getenv("OCM_API_URL") + if ocmAPIUrl == "" { + ocmAPIUrl = "https://api.openshift.com" + } connection, err := sdk.NewConnectionBuilder(). Logger(ocmLogger). Tokens(token). diff --git a/docs/book/src/SUMMARY_PREFIX.md b/docs/book/src/SUMMARY_PREFIX.md index 01a67be166..765c63312b 100644 --- a/docs/book/src/SUMMARY_PREFIX.md +++ b/docs/book/src/SUMMARY_PREFIX.md @@ -21,6 +21,9 @@ - [Using EKS Addons](./topics/eks/addons.md) - [Enabling Encryption](./topics/eks/encryption.md) - [Cluster Upgrades](./topics/eks/cluster-upgrades.md) + - [ROSA Support](./topics/rosa/index.md) + - [Enabling ROSA Support](./topics/rosa/enabling.md) + - [Creating a cluster](./topics/rosa/creating-a-cluster.md) - [Bring Your Own AWS Infrastructure](./topics/bring-your-own-aws-infrastructure.md) - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md) - [Using external cloud provider with EBS CSI driver](./topics/external-cloud-provider-with-ebs-csi-driver.md) diff --git a/docs/book/src/crd/index.md b/docs/book/src/crd/index.md index 11689384ec..71dccd1323 100644 --- a/docs/book/src/crd/index.md +++ b/docs/book/src/crd/index.md @@ -1244,6 +1244,17 @@ create S3 Buckets for workload clusters. TODO: This field could be a pointer, but it seems it breaks setting default values?

+ + +allowAssumeRole
+ +bool + + + +

AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies

+ + @@ -1445,6 +1456,17 @@ create S3 Buckets for workload clusters. TODO: This field could be a pointer, but it seems it breaks setting default values?

+ + +allowAssumeRole
+ +bool + + + +

AllowAssumeRole enables the sts:AssumeRole permission within the CAPA policies

+ +

AWSIAMRoleSpec @@ -5289,6 +5311,18 @@ string +configuration
+ +string + + + +(Optional) +

Configuration of the EKS addon

+ + + + conflictResolution
@@ -6245,6 +6279,18 @@ string +partition
+ +string + + + +(Optional) +

Partition is the AWS security partition being used. Defaults to “aws”

+ + + + sshKeyName
string @@ -6511,21 +6557,6 @@ to be attached with this eks cluster

-disableVPCCNI
- -bool - - - -

DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the -Amazon VPC CNI is automatically installed into the cluster. For clusters where you want -to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI -should be deleted. You cannot set this to true if you are using the -Amazon VPC CNI addon.

- - - - vpcCni
@@ -6651,6 +6682,18 @@ string +partition
+ +string + + + +(Optional) +

Partition is the AWS security partition being used. Defaults to “aws”

+ + + + sshKeyName
string @@ -6917,21 +6960,6 @@ to be attached with this eks cluster

-disableVPCCNI
- -bool - - - -

DisableVPCCNI indicates that the Amazon VPC CNI should be disabled. With EKS clusters the -Amazon VPC CNI is automatically installed into the cluster. For clusters where you want -to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI -should be deleted. You cannot set this to true if you are using the -Amazon VPC CNI addon.

- - - - vpcCni
@@ -7162,6 +7190,18 @@ string +configuration
+ +string + + + +(Optional) +

Configuration of the EKS addon

+ + + + conflictResolution
@@ -7990,6 +8030,21 @@ KubernetesMapping +disable
+ +bool + + + +

Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the +Amazon VPC CNI is automatically installed into the cluster. For clusters where you want +to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI +should be deleted. You cannot set this to true if you are using the +Amazon VPC CNI addon.

+ + + + env
@@ -15531,6 +15586,18 @@ string +partition
+ +string + + + +(Optional) +

Partition is the AWS security partition being used. Defaults to “aws”

+ + + + sshKeyName
string @@ -16063,6 +16130,18 @@ string +partition
+ +string + + + +(Optional) +

Partition is the AWS security partition being used. Defaults to “aws”

+ + + + sshKeyName
string @@ -16543,6 +16622,18 @@ string +partition
+ +string + + + +(Optional) +

Partition is the AWS security partition being used. Defaults to “aws”

+ + + + sshKeyName
string @@ -16812,8 +16903,8 @@ set, the value cannot be changed.

scheme
-
-ClassicELBScheme + +ELBScheme @@ -16855,15 +16946,15 @@ the registered instances in its Availability Zone only.

healthCheckProtocol
- -ClassicELBProtocol + +ELBProtocol (Optional) -

HealthCheckProtocol sets the protocol type for classic ELB health check target -default value is ClassicELBProtocolSSL

+

HealthCheckProtocol sets the protocol type for ELB health check target +default value is ELBProtocolSSL

@@ -16879,6 +16970,72 @@ default value is ClassicELBProtocolSSL

This is optional - if not provided new security groups will be created for the load balancer

+ + +additionalListeners
+ + +[]AdditionalListenerSpec + + + + +(Optional) +

AdditionalListeners sets the additional listeners for the control plane load balancer. +This is only applicable to Network Load Balancer (NLB) types for the time being.

+ + + + +ingressRules
+ + +[]IngressRule + + + + +(Optional) +

IngressRules sets the ingress rules for the control plane load balancer.

+ + + + +loadBalancerType
+ + +LoadBalancerType + + + + +

LoadBalancerType sets the type for a load balancer. The default type is classic.

+ + + + +disableHostsRewrite
+ +bool + + + +

DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB’s address as 127.0.0.1 to the hosts +file of each instance. This is by default, false.

+ + + + +preserveClientIP
+ +bool + + + +

PreserveClientIP lets the user control if preservation of client ips must be retained or not. +If this is enabled 6443 will be opened to 0.0.0.0/0.

+ +

AWSMachine @@ -16945,6 +17102,20 @@ string +instanceMetadataOptions
+ + +InstanceMetadataOptions + + + + +(Optional) +

InstanceMetadataOptions is the metadata options for the EC2 instance.

+ + + + ami
@@ -17075,19 +17246,6 @@ will cause additional requests to AWS API and if tags change the attached securi -failureDomain
- -string - - - -

FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. -For this infrastructure provider, the ID is equivalent to an AWS Availability Zone. -If multiple subnets are matched for the availability zone, the first one returned is picked.

- - - - subnet
@@ -17213,6 +17371,18 @@ SpotMarketOptions +placementGroupName
+ +string + + + +(Optional) +

PlacementGroupName specifies the name of the placement group in which to launch the instance.

+ + + + tenancy
string @@ -17285,6 +17455,20 @@ string +instanceMetadataOptions
+ +
+InstanceMetadataOptions + + + + +(Optional) +

InstanceMetadataOptions is the metadata options for the EC2 instance.

+ + + + ami
@@ -17415,19 +17599,6 @@ will cause additional requests to AWS API and if tags change the attached securi -failureDomain
- -string - - - -

FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. -For this infrastructure provider, the ID is equivalent to an AWS Availability Zone. -If multiple subnets are matched for the availability zone, the first one returned is picked.

- - - - subnet
@@ -17553,21 +17724,33 @@ SpotMarketOptions -tenancy
+placementGroupName
string (Optional) -

Tenancy indicates if instance should run on shared or single-tenant hardware.

+

PlacementGroupName specifies the name of the placement group in which to launch the instance.

- - -

AWSMachineStatus -

-

+ + +tenancy
+ +string + + + +(Optional) +

Tenancy indicates if instance should run on shared or single-tenant hardware.

+ + + + +

AWSMachineStatus +

+

(Appears on:AWSMachine)

@@ -17841,6 +18024,20 @@ string +instanceMetadataOptions
+ + +InstanceMetadataOptions + + + + +(Optional) +

InstanceMetadataOptions is the metadata options for the EC2 instance.

+ + + + ami
@@ -17971,19 +18168,6 @@ will cause additional requests to AWS API and if tags change the attached securi -failureDomain
- -string - - - -

FailureDomain is the failure domain unique identifier this Machine should be attached to, as defined in Cluster API. -For this infrastructure provider, the ID is equivalent to an AWS Availability Zone. -If multiple subnets are matched for the availability zone, the first one returned is picked.

- - - - subnet
@@ -18109,6 +18293,18 @@ SpotMarketOptions +placementGroupName
+ +string + + + +(Optional) +

PlacementGroupName specifies the name of the placement group in which to launch the instance.

+ + + + tenancy
string @@ -18191,17 +18387,87 @@ This value is used for autoscaling from zero operations as defined in:

AWSMachineTemplateWebhook

-

AWSMachineTemplateWebhook implements a custom validation webhook for AWSMachineTemplate.

+

AWSMachineTemplateWebhook implements a custom validation webhook for AWSMachineTemplate. +Note: we use a custom validator to access the request context for SSA of AWSMachineTemplate.

-

AWSResourceReference +

AWSManagedCluster

-(Appears on:AWSMachineSpec, AWSLaunchTemplate, AWSMachinePoolSpec, AWSLaunchTemplate, AWSMachinePoolSpec) +

AWSManagedCluster is the Schema for the awsmanagedclusters API

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+metadata
+ + +Kubernetes meta/v1.ObjectMeta + + +
+Refer to the Kubernetes API documentation for the fields of the +metadata field. +
+spec
+ + +AWSManagedClusterSpec + + +
+
+
+ + + + + +
+controlPlaneEndpoint
+ + +Cluster API api/v1beta1.APIEndpoint + + +
+(Optional) +

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

+
+
+status
+ + +AWSManagedClusterStatus + + +
+
+

AWSManagedClusterSpec +

+

+(Appears on:AWSManagedCluster)

-

AWSResourceReference is a reference to a specific AWS resource by ID or filters. -Only one of ID or Filters may be specified. Specifying more than one will result in -a validation error.

+

AWSManagedClusterSpec defines the desired state of AWSManagedCluster

@@ -18213,27 +18479,92 @@ a validation error.

+ +
-id
+controlPlaneEndpoint
-string + +Cluster API api/v1beta1.APIEndpoint +
(Optional) -

ID of resource

+

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

+

AWSManagedClusterStatus +

+

+(Appears on:AWSManagedCluster) +

+

+

AWSManagedClusterStatus defines the observed state of AWSManagedCluster

+

+ + + + + + + + + + + + + + + +
FieldDescription
-arn
+ready
+ +bool + +
+(Optional) +

Ready is when the AWSManagedControlPlane has a API server URL.

+
+failureDomains
+ + +Cluster API api/v1beta1.FailureDomains + + +
+(Optional) +

FailureDomains specifies a list fo available availability zones that can be used

+
+

AWSResourceReference +

+

+(Appears on:AWSMachineSpec, AWSLaunchTemplate, AWSMachinePoolSpec, AWSLaunchTemplate, AWSMachinePoolSpec) +

+

+

AWSResourceReference is a reference to a specific AWS resource by ID or filters. +Only one of ID or Filters may be specified. Specifying more than one will result in +a validation error.

+

+ + + + + + + + + + @@ -18337,6 +18668,50 @@ The policies must exist in the same account as the role.

AZSelectionScheme defines the scheme of selecting AZs.

+

AdditionalListenerSpec +

+

+(Appears on:AWSLoadBalancerSpec) +

+

+

AdditionalListenerSpec defines the desired state of an +additional listener on an AWS load balancer.

+

+
FieldDescription
+id
string
(Optional) -

ARN of resource. -Deprecated: This field has no function and is going to be removed in the next release.

+

ID of resource

+ + + + + + + + + + + + + + + + +
FieldDescription
+port
+ +int64 + +
+

Port sets the port for the additional listener.

+
+protocol
+ + +ELBProtocol + + +
+

Protocol sets the protocol for the additional listener. +Currently only TCP is supported.

+

AllowedNamespaces

@@ -18653,13 +19028,13 @@ The source for the rule will be set to control plane and worker security group I -

ClassicELB +

ClassicELBAttributes

-(Appears on:NetworkStatus) +(Appears on:LoadBalancer)

-

ClassicELB defines an AWS classic load balancer.

+

ClassicELBAttributes defines extra attributes associated with a classic load balancer.

@@ -18671,166 +19046,28 @@ The source for the rule will be set to control plane and worker security group I - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-name
+idleTimeout
-string + +time.Duration +
-(Optional) -

The name of the load balancer. It must be unique within the set of load balancers -defined in the region. It also serves as identifier.

+

IdleTimeout is time that the connection is allowed to be idle (no data +has been sent over the connection) before it is closed by the load balancer.

-dnsName
+crossZoneLoadBalancing
-string +bool
-

DNSName is the dns name of the load balancer.

-
-scheme
- - -ClassicELBScheme - - -
-

Scheme is the load balancer scheme, either internet-facing or private.

-
-availabilityZones
- -[]string - -
-

AvailabilityZones is an array of availability zones in the VPC attached to the load balancer.

-
-subnetIds
- -[]string - -
-

SubnetIDs is an array of subnets in the VPC attached to the load balancer.

-
-securityGroupIds
- -[]string - -
-

SecurityGroupIDs is an array of security groups assigned to the load balancer.

-
-listeners
- - -[]ClassicELBListener - - -
-

Listeners is an array of classic elb listeners associated with the load balancer. There must be at least one.

-
-healthChecks
- - -ClassicELBHealthCheck - - -
-

HealthCheck is the classic elb health check associated with the load balancer.

-
-attributes
- - -ClassicELBAttributes - - -
-

Attributes defines extra attributes associated with the load balancer.

-
-tags
- -map[string]string - -
-

Tags is a map of tags associated with the load balancer.

-
-

ClassicELBAttributes -

-

-(Appears on:ClassicELB) -

-

-

ClassicELBAttributes defines extra attributes associated with a classic load balancer.

-

- - - - - - - - - - - - - - - @@ -18838,7 +19075,7 @@ bool

ClassicELBHealthCheck

-(Appears on:ClassicELB) +(Appears on:LoadBalancer)

ClassicELBHealthCheck defines an AWS classic load balancer health check.

@@ -18910,7 +19147,7 @@ int64

ClassicELBListener

-(Appears on:ClassicELB) +(Appears on:LoadBalancer)

ClassicELBListener defines an AWS classic load balancer listener.

@@ -18927,8 +19164,8 @@ int64 @@ -18949,8 +19186,8 @@ int64 @@ -18969,22 +19206,6 @@ int64
FieldDescription
-idleTimeout
- - -time.Duration - - -
-

IdleTimeout is time that the connection is allowed to be idle (no data -has been sent over the connection) before it is closed by the load balancer.

-
-crossZoneLoadBalancing
- -bool - -
-(Optional) -

CrossZoneLoadBalancing enables the classic load balancer load balancing.

+(Optional) +

CrossZoneLoadBalancing enables the classic load balancer load balancing.

protocol
- -ClassicELBProtocol + +ELBProtocol
instanceProtocol
- -ClassicELBProtocol + +ELBProtocol
-

ClassicELBProtocol -(string alias)

-

-(Appears on:AWSLoadBalancerSpec, ClassicELBListener) -

-

-

ClassicELBProtocol defines listener protocols for a classic load balancer.

-

-

ClassicELBScheme -(string alias)

-

-(Appears on:AWSLoadBalancerSpec, ClassicELB) -

-

-

ClassicELBScheme defines the scheme of a classic load balancer.

-

CloudInit

@@ -19068,6 +19289,22 @@ will use AWS Secrets Manager instead.

EKSAMILookupType specifies which AWS AMI to use for a AWSMachine and AWSMachinePool.

+

ELBProtocol +(string alias)

+

+(Appears on:AWSLoadBalancerSpec, AdditionalListenerSpec, ClassicELBListener, Listener, TargetGroupSpec) +

+

+

ELBProtocol defines listener protocols for a load balancer.

+

+

ELBScheme +(string alias)

+

+(Appears on:AWSLoadBalancerSpec, LoadBalancer) +

+

+

ELBScheme defines the scheme of a load balancer.

+

Filter

@@ -19108,6 +19345,71 @@ string +

GCTask +(string alias)

+

+

+

HTTPTokensState +(string alias)

+

+(Appears on:InstanceMetadataOptions) +

+

+

HTTPTokensState describes the state of InstanceMetadataOptions.HTTPTokensState

+

+

IPAMPool +

+

+(Appears on:IPv6, VPCSpec) +

+

+

IPAMPool defines the IPAM pool to be used for VPC.

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+id
+ +string + +
+

ID is the ID of the IPAM pool this provider should use to create VPC.

+
+name
+ +string + +
+

Name is the name of the IPAM pool this provider should use to create VPC.

+
+netmaskLength
+ +int64 + +
+

The netmask length of the IPv4 CIDR you want to allocate to VPC from +an Amazon VPC IP Address Manager (IPAM) pool. +Defaults to /16 for IPv4 if not specified.

+

IPv6

@@ -19133,7 +19435,8 @@ string (Optional) -

CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6.

+

CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6. +Mutually exclusive with IPAMPool.

@@ -19145,7 +19448,9 @@ string (Optional) -

PoolID is the IP pool which must be defined in case of BYO IP is defined.

+

PoolID is the IP pool which must be defined in case of BYO IP is defined. +Must be specified if CidrBlock is set. +Mutually exclusive with IPAMPool.

@@ -19160,6 +19465,21 @@ string

EgressOnlyInternetGatewayID is the id of the egress only internet gateway associated with an IPv6 enabled VPC.

+ + +ipamPool
+ + +IPAMPool + + + + +(Optional) +

IPAMPool defines the IPAMv6 pool to be used for VPC. +Mutually exclusive with CidrBlock.

+ +

Ignition @@ -19195,6 +19515,9 @@ string

IngressRule

+(Appears on:AWSLoadBalancerSpec, NetworkSpec) +

+

IngressRule defines an AWS ingress rule for security groups.

@@ -19213,6 +19536,7 @@ string @@ -19225,6 +19549,7 @@ SecurityGroupProtocol @@ -19235,6 +19560,7 @@ int64 @@ -19245,6 +19571,7 @@ int64 @@ -19283,6 +19610,21 @@ int64

The security group id to allow access from. Cannot be specified with CidrBlocks.

+ + + +
+

Description provides extended information about the ingress rule.

+

Protocol is the protocol for the ingress rule. Accepted values are “-1” (all), “4” (IP in IP),“tcp”, “udp”, “icmp”, and “58” (ICMPv6), “50” (ESP).

+

FromPort is the start of port range.

+

ToPort is the end of port range.

+sourceSecurityGroupRoles
+ + +[]SecurityGroupRole + + +
+(Optional) +

The security group role to allow access from. Cannot be specified with CidrBlocks. +The field will be combined with source security group IDs if specified.

+

IngressRules @@ -19543,6 +19885,18 @@ SpotMarketOptions +placementGroupName
+ +string + + + +(Optional) +

PlacementGroupName specifies the name of the placement group in which to launch the instance.

+ + + + tenancy
string @@ -19565,16 +19919,375 @@ string

IDs of the instance’s volumes

+ + +instanceMetadataOptions
+ + +InstanceMetadataOptions + + + + +(Optional) +

InstanceMetadataOptions is the metadata options for the EC2 instance.

+ + -

InstanceState -(string alias)

+

InstanceMetadataOptions +

-(Appears on:AWSMachineStatus, Instance) +(Appears on:AWSMachineSpec, Instance, AWSLaunchTemplate) +

+

+

InstanceMetadataOptions describes metadata options for the EC2 instance.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+httpEndpoint
+ + +InstanceMetadataState + + +
+

Enables or disables the HTTP metadata endpoint on your instances.

+

If you specify a value of disabled, you cannot access your instance metadata.

+

Default: enabled

+
+httpPutResponseHopLimit
+ +int64 + +
+

The desired HTTP PUT response hop limit for instance metadata requests. The +larger the number, the further instance metadata requests can travel.

+

Default: 1

+
+httpTokens
+ + +HTTPTokensState + + +
+

The state of token usage for your instance metadata requests.

+

If the state is optional, you can choose to retrieve instance metadata with +or without a session token on your request. If you retrieve the IAM role +credentials without a token, the version 1.0 role credentials are returned. +If you retrieve the IAM role credentials using a valid session token, the +version 2.0 role credentials are returned.

+

If the state is required, you must send a session token with any instance +metadata retrieval requests. In this state, retrieving the IAM role credentials +always returns the version 2.0 credentials; the version 1.0 credentials are +not available.

+

Default: optional

+
+instanceMetadataTags
+ + +InstanceMetadataState + + +
+

Set to enabled to allow access to instance tags from the instance metadata. +Set to disabled to turn off access to instance tags from the instance metadata. +For more information, see Work with instance tags using the instance metadata +(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS).

+

Default: disabled

+
+

InstanceMetadataState +(string alias)

+

+(Appears on:InstanceMetadataOptions) +

+

+

InstanceMetadataState describes the state of InstanceMetadataOptions.HttpEndpoint and InstanceMetadataOptions.InstanceMetadataTags

+

+

InstanceState +(string alias)

+

+(Appears on:AWSMachineStatus, Instance)

InstanceState describes the state of an AWS instance.

+

Listener +

+

+(Appears on:LoadBalancer) +

+

+

Listener defines an AWS network load balancer listener.

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+protocol
+ + +ELBProtocol + + +
+
+port
+ +int64 + +
+
+targetGroup
+ + +TargetGroupSpec + + +
+
+

LoadBalancer +

+

+(Appears on:NetworkStatus) +

+

+

LoadBalancer defines an AWS load balancer.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+arn
+ +string + +
+

ARN of the load balancer. Unlike the ClassicLB, ARN is used mostly +to define and get it.

+
+name
+ +string + +
+(Optional) +

The name of the load balancer. It must be unique within the set of load balancers +defined in the region. It also serves as identifier.

+
+dnsName
+ +string + +
+

DNSName is the dns name of the load balancer.

+
+scheme
+ + +ELBScheme + + +
+

Scheme is the load balancer scheme, either internet-facing or private.

+
+availabilityZones
+ +[]string + +
+

AvailabilityZones is an array of availability zones in the VPC attached to the load balancer.

+
+subnetIds
+ +[]string + +
+

SubnetIDs is an array of subnets in the VPC attached to the load balancer.

+
+securityGroupIds
+ +[]string + +
+

SecurityGroupIDs is an array of security groups assigned to the load balancer.

+
+listeners
+ + +[]ClassicELBListener + + +
+

ClassicELBListeners is an array of classic elb listeners associated with the load balancer. There must be at least one.

+
+healthChecks
+ + +ClassicELBHealthCheck + + +
+

HealthCheck is the classic elb health check associated with the load balancer.

+
+attributes
+ + +ClassicELBAttributes + + +
+

ClassicElbAttributes defines extra attributes associated with the load balancer.

+
+tags
+ +map[string]string + +
+

Tags is a map of tags associated with the load balancer.

+
+elbListeners
+ + +[]Listener + + +
+

ELBListeners is an array of listeners associated with the load balancer. There must be at least one.

+
+elbAttributes
+ +map[string]*string + +
+

ELBAttributes defines extra attributes associated with v2 load balancers.

+
+loadBalancerType
+ + +LoadBalancerType + + +
+

LoadBalancerType sets the type for a load balancer. The default type is classic.

+
+

LoadBalancerAttribute +(string alias)

+

+

LoadBalancerAttribute defines a set of attributes for a V2 load balancer.

+

+

LoadBalancerType +(string alias)

+

+(Appears on:AWSLoadBalancerSpec, LoadBalancer) +

+

+

NetworkSpec

@@ -19646,6 +20359,20 @@ map[sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SecurityGroupRole]string This is optional - if not provided new security groups will be created for the cluster

+ + +additionalControlPlaneIngressRules
+ + +[]IngressRule + + + + +(Optional) +

AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane

+ +

NetworkStatus @@ -19681,13 +20408,24 @@ map[sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SecurityGroupRole]sigs.k apiServerElb
- -ClassicELB + +LoadBalancer -

APIServerELB is the Kubernetes api server classic load balancer.

+

APIServerELB is the Kubernetes api server load balancer.

+ + + + +natGatewaysIPs
+ +[]string + + + +

NatGatewaysIPs contains the public IPs of the NAT Gateways

@@ -19748,6 +20486,7 @@ string
+(Optional)

ControlPlaneIAMInstanceProfile is a name of the IAMInstanceProfile, which will be allowed to read control-plane node bootstrap data from S3 Bucket.

@@ -19760,12 +20499,30 @@ to read control-plane node bootstrap data from S3 Bucket.

+(Optional)

NodesIAMInstanceProfiles is a list of IAM instance profiles, which will be allowed to read worker nodes bootstrap data from S3 Bucket.

+presignedURLDuration
+ + +Kubernetes meta/v1.Duration + + + + +(Optional) +

PresignedURLDuration defines the duration for which presigned URLs are valid.

+

This is used to generate presigned URLs for S3 Bucket objects, which are used by +control-plane and worker nodes to fetch bootstrap data.

+

When enabled, the IAM instance profiles specified are not used.

+ + + + name
string @@ -19863,6 +20620,9 @@ Tags

SecurityGroupRole (string alias)

+(Appears on:IngressRule) +

+

SecurityGroupRole defines the unique role of a security group.

SpotMarketOptions @@ -19918,7 +20678,26 @@ string -

ID defines a unique identifier to reference this resource.

+

ID defines a unique identifier to reference this resource. +If you’re bringing your subnet, set the AWS subnet-id here, it must start with subnet-.

+

When the VPC is managed by CAPA, and you’d like the provider to create a subnet for you, +the id can be set to any placeholder value that does not start with subnet-; +upon creation, the subnet AWS identifier will be populated in the ResourceID field and +the id field is going to be used as the subnet name. If you specify a tag +called Name, it takes precedence.

+ + + + +resourceID
+ +string + + + +(Optional) +

ResourceID is the subnet identifier from AWS, READ ONLY. +This field is populated when the provider manages the subnet.

@@ -19959,85 +20738,244 @@ string -isPublic
+isPublic
+ +bool + + + +(Optional) +

IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway.

+ + + + +isIpv6
+ +bool + + + +(Optional) +

IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled. +IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.

+ + + + +routeTableId
+ +string + + + +(Optional) +

RouteTableID is the routing table id associated with the subnet.

+ + + + +natGatewayId
+ +string + + + +(Optional) +

NatGatewayID is the NAT gateway id associated with the subnet. +Ignored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet.

+ + + + +tags
+ + +Tags + + + + +

Tags is a collection of tags describing the resource.

+ + + + +

Subnets +([]sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SubnetSpec alias)

+

+(Appears on:NetworkSpec) +

+

+

Subnets is a slice of Subnet.

+

+

Tags +(map[string]string alias)

+

+(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec) +

+

+

Tags defines a map of tags.

+

+

TargetGroupAttribute +(string alias)

+

+

TargetGroupAttribute defines attribute key values for V2 Load Balancer Attributes.

+

+

TargetGroupHealthCheck +

+

+(Appears on:TargetGroupSpec) +

+

+

TargetGroupHealthCheck defines health check settings for the target group.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+protocol
+ +string + +
+
+path
+ +string + +
+
+port
+ +string + +
+
+intervalSeconds
+ +int64 + +
+
+timeoutSeconds
+ +int64 + +
+
+thresholdCount
+ +int64 + +
+
+

TargetGroupSpec +

+

+(Appears on:Listener) +

+

+

TargetGroupSpec specifies target group settings for a given listener. +This is created first, and the ARN is then passed to the listener.

+

+ + + + + + + + + +
FieldDescription
+name
-bool +string
-(Optional) -

IsPublic defines the subnet as a public subnet. A subnet is public when it is associated with a route table that has a route to an internet gateway.

+

Name of the TargetGroup. Must be unique over the same group of listeners.

-isIpv6
+port
-bool +int64
-(Optional) -

IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled. -IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object.

+

Port is the exposed port

-routeTableId
+protocol
-string + +ELBProtocol +
-(Optional) -

RouteTableID is the routing table id associated with the subnet.

-natGatewayId
+vpcId
string
-(Optional) -

NatGatewayID is the NAT gateway id associated with the subnet. -Ignored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet.

-tags
+targetGroupHealthCheck
- -Tags + +TargetGroupHealthCheck
-

Tags is a collection of tags describing the resource.

+

HealthCheck is the elb health check associated with the load balancer.

-

Subnets -([]sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.SubnetSpec alias)

-

-(Appears on:NetworkSpec) -

-

-

Subnets is a slice of Subnet.

-

-

Tags -(map[string]string alias)

-

-(Appears on:AWSClusterSpec, AWSMachineSpec, BuildParams, SecurityGroup, SubnetSpec, VPCSpec, AWSIAMRoleSpec, BootstrapUser, AWSIAMRoleSpec, BootstrapUser, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSManagedControlPlaneSpec, OIDCIdentityProviderConfig, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec, AWSMachinePoolSpec, AWSManagedMachinePoolSpec, AutoScalingGroup, FargateProfileSpec) -

-

-

Tags defines a map of tags.

-

VPCSpec

@@ -20074,7 +21012,22 @@ string

CidrBlock is the CIDR block to be used when the provider creates a managed VPC. -Defaults to 10.0.0.0/16.

+Defaults to 10.0.0.0/16. +Mutually exclusive with IPAMPool.

+ + + + +ipamPool
+ + +IPAMPool + + + + +

IPAMPool defines the IPAMv4 pool to be used for VPC. +Mutually exclusive with CidrBlock.

@@ -20589,6 +21542,20 @@ SpotMarketOptions

SpotMarketOptions are options for configuring AWSMachinePool instances to be run using AWS Spot instances.

+ + +instanceMetadataOptions
+ + +InstanceMetadataOptions + + + + +(Optional) +

InstanceMetadataOptions defines the behavior for applying metadata to instances.

+ +

AWSMachinePool @@ -20678,6 +21645,20 @@ int32 +availabilityZoneSubnetType
+ + +AZSubnetType + + + + +(Optional) +

AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.

+ + + + subnets
@@ -20921,6 +21902,20 @@ int32 +availabilityZoneSubnetType
+ +
+AZSubnetType + + + + +(Optional) +

AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.

+ + + + subnets
@@ -21269,6 +22264,20 @@ name of the managed machine pool.

+availabilityZoneSubnetType
+ +
+AZSubnetType + + + + +(Optional) +

AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.

+ + + + subnetIDs
[]string @@ -21550,6 +22559,20 @@ name of the managed machine pool.

+availabilityZoneSubnetType
+ + +AZSubnetType + + + + +(Optional) +

AvailabilityZoneSubnetType specifies which type of subnets to use when an availability zone is specified.

+ + + + subnetIDs
[]string @@ -21904,6 +22927,32 @@ Cluster API api/v1beta1.Conditions +

AZSubnetType +(string alias)

+

+(Appears on:AWSMachinePoolSpec, AWSManagedMachinePoolSpec) +

+

+

AZSubnetType is the type of subnet to use when an availability zone is specified.

+

+ + + + + + + + + + + + + + +
ValueDescription

"all"

AZSubnetTypeAll is all subnets in an availability zone.

+

"private"

AZSubnetTypePrivate is a private subnet.

+

"public"

AZSubnetTypePublic is a public subnet.

+

AutoScalingGroup

@@ -22788,6 +23837,151 @@ bool +

ROSACluster +

+

+

+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+metadata
+ + +Kubernetes meta/v1.ObjectMeta + + +
+Refer to the Kubernetes API documentation for the fields of the +metadata field. +
+spec
+ + +ROSAClusterSpec + + +
+
+
+ + + + + +
+controlPlaneEndpoint
+ + +Cluster API api/v1beta1.APIEndpoint + + +
+(Optional) +

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

+
+
+status
+ + +ROSAClusterStatus + + +
+
+

ROSAClusterSpec +

+

+(Appears on:ROSACluster) +

+

+

+ + + + + + + + + + + + + +
FieldDescription
+controlPlaneEndpoint
+ + +Cluster API api/v1beta1.APIEndpoint + + +
+(Optional) +

ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

+
+

ROSAClusterStatus +

+

+(Appears on:ROSACluster) +

+

+

ROSAClusterStatus defines the observed state of ROSACluster

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+ready
+ +bool + +
+(Optional) +

Ready is when the ROSAControlPlane has a API server URL.

+
+failureDomains
+ + +Cluster API api/v1beta1.FailureDomains + + +
+(Optional) +

FailureDomains specifies a list fo available availability zones that can be used

+

RefreshPreferences

diff --git a/docs/book/src/topics/rosa/creating-a-cluster.md b/docs/book/src/topics/rosa/creating-a-cluster.md new file mode 100644 index 0000000000..150a46f46a --- /dev/null +++ b/docs/book/src/topics/rosa/creating-a-cluster.md @@ -0,0 +1,53 @@ +# Creating a ROSA cluster + +## Permissions +CAPA controller requires an API token in order to be able to provision ROSA clusters: + +1. Visit [https://console.redhat.com/openshift/token](https://console.redhat.com/openshift/token) to retrieve your API authentication token + +2. Edit CAPA controller deployment: + ```shell + kubectl edit deployment -n capa-system capa-controller-manager + ``` + + and add the following environment variables to the manager container: + ```yaml + env: + - name: OCM_TOKEN + value: "" + - name: OCM_API_URL + value: "https://api.openshift.com" # or https://api.stage.openshift.com + ``` + +## Prerequisites + +Follow the guide [here](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-hcp.html) up until [Step 3](https://docs.aws.amazon.com/ROSA/latest/userguide/getting-started-hcp.html#getting-started-hcp-step-3) +to install the required tools and setup the prerequisite infrastructure. +Once Step 3 is done, you will be ready to proceed with creating a ROSA cluster using cluster-api. + +## Creating the cluster + +1. Prepare the environment: + ```bash + export OPENSHIFT_VERSION="openshift-v4.12.15" + export CLUSTER_NAME="capi-rosa-quickstart" + export AWS_REGION="us-west-2" + export AWS_AVAILABILITY_ZONE="us-west-2a" + export AWS_ACCOUNT_ID="` + + # subnet IDs created earlier + export PUBLIC_SUBNET_ID="subnet-0b54a1111111111111" + export PRIVATE_SUBNET_ID="subnet-05e72222222222222" + ``` + +1. Create a cluster using the ROSA cluster template: + ```bash + cat templates/cluster-template-rosa.yaml | envsubst > rosa-capi-cluster.yaml + + kubectl apply -f rosa-capi-cluster.yaml + ``` 
diff --git a/docs/book/src/topics/rosa/enabling.md b/docs/book/src/topics/rosa/enabling.md
new file mode 100644
index 0000000000..1f56416db0
--- /dev/null
+++ b/docs/book/src/topics/rosa/enabling.md
@@ -0,0 +1,8 @@
+# Enabling ROSA Support
+
+To enable support for ROSA clusters, the ROSA feature flag must be set to true. This can be done using the **EXP_ROSA** environment variable:
+
+```shell
+export EXP_ROSA="true"
+clusterctl init --infrastructure aws
+```
\ No newline at end of file
diff --git a/docs/book/src/topics/rosa/index.md b/docs/book/src/topics/rosa/index.md
new file mode 100644
index 0000000000..0fa6a87ada
--- /dev/null
+++ b/docs/book/src/topics/rosa/index.md
@@ -0,0 +1,22 @@
+# ROSA Support in the AWS Provider
+
+- **Feature status:** Experimental
+- **Feature gate (required):** ROSA=true
+
+## Overview
+
+The AWS provider supports creating Red Hat OpenShift Service on AWS ([ROSA](https://www.redhat.com/en/technologies/cloud-computing/openshift/aws)) based cluster. Currently the following features are supported:
+
+- Provisioning/Deleting a ROSA cluster with hosted control planes ([HCP](https://docs.openshift.com/rosa/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.html))
+
+The implementation introduces the following CRD kinds:
+
+- `ROSAControlPlane` - specifies the ROSA Cluster in AWS
+- `ROSACluster` - needed only to satisfy cluster-api contract
+
+A new template is available in the templates folder for creating a managed ROSA workload cluster.
+
+## SEE ALSO
+
+* [Enabling ROSA Support](enabling.md)
+* [Creating a cluster](creating-a-cluster.md)
\ No newline at end of file
diff --git a/templates/cluster-template-rosa.yaml b/templates/cluster-template-rosa.yaml
new file mode 100644
index 0000000000..cc15af9505
--- /dev/null
+++ b/templates/cluster-template-rosa.yaml
@@ -0,0 +1,51 @@ +--- +apiVersion: cluster.x-k8s.io/v1beta1 +kind: Cluster +metadata: + name: "${CLUSTER_NAME}" +spec: + clusterNetwork: + pods: + cidrBlocks: ["192.168.0.0/16"] + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 + kind: ROSACluster + name: "${CLUSTER_NAME}" + controlPlaneRef: + apiVersion: controlplane.cluster.x-k8s.io/v1beta2 + kind: ROSAControlPlane + name: "${CLUSTER_NAME}-control-plane" +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 +kind: ROSACluster +metadata: + name: "${CLUSTER_NAME}" +spec: {} +--- +apiVersion: controlplane.cluster.x-k8s.io/v1beta2 +kind: ROSAControlPlane +metadata: + name: "${CLUSTER_NAME}-control-plane" +spec: + version: "${OPENSHIFT_VERSION}" + region: "${AWS_REGION}" + accountID: "${AWS_ACCOUNT_ID}" + creatorARN: "${AWS_CREATOR_ARN}" + machineCIDR: "10.0.0.0/16" + rolesRef: + ingressARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-openshift-ingress-operator-cloud-credentials" + imageRegistryARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-openshift-image-registry-installer-cloud-credentials" + storageARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-openshift-cluster-csi-drivers-ebs-cloud-credentials" + networkARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-openshift-cloud-network-config-controller-cloud-credent" + kubeCloudControllerARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-kube-system-kube-controller-manager" + nodePoolManagementARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-kube-system-capa-controller-manager" + controlPlaneOperatorARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-kube-system-control-plane-operator" + kmsProviderARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${OPERATOR_ROLES_PREFIX}-kube-system-kms-provider" + oidcID: "${OIDC_CONFIG_ID}" + subnets: + - "${PUBLIC_SUBNET_ID}" + - "${PRIVATE_SUBNET_ID}" + availabilityZones: + - 
"${AWS_AVAILABILITY_ZONE}" + installerRoleARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ACCOUNT_ROLES_PREFIX}-HCP-ROSA-Installer-Role" + supportRoleARN: "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ACCOUNT_ROLES_PREFIX}-HCP-ROSA-Support-Role"