diff --git a/charts/Makefile b/charts/Makefile index a15459cc..e03c7fa2 100644 --- a/charts/Makefile +++ b/charts/Makefile @@ -1,7 +1,9 @@ OCP_VERSION ?= 4.19 +MCE_VERSION ?= 2.10.0-1 SYNC2CHARTS ?= true DEFAULT_ORGREPO ?= https://github.com/openshift +STOLOSTRON_ORGREPO ?= https://github.com/stolostron CAPI_BRANCH ?= master CAPA_BRANCH ?= main # needs overridable branch, as the non-master branch will differ @@ -44,15 +46,15 @@ build-cluster-api-chart: build-cluster-api-provider-aws-chart: @echo "Building cluster-api-provider-aws chart" WKDIR="$(WKDIR)" \ - ORGREPO="$(DEFAULT_ORGREPO)" \ + ORGREPO="$(STOLOSTRON_ORGREPO)" \ PROJECT="cluster-api-provider-aws" \ BRANCH="$(CAPA_BRANCH)" \ ../scripts/build.sh BUILTDIR="$(WKDIR)/cluster-api-provider-aws/config/tmp" \ - CHART_VERSION="$(OCP_VERSION)" \ - CHART_APP_VERSION="$(OCP_VERSION)" \ - CHART_VALUES_IMAGE_TAG="$(OCP_VERSION)" \ - CHART_VALUES_IMAGE_TAG_PREFIX="v" \ + CHART_VERSION="$(MCE_VERSION)" \ + CHART_APP_VERSION="$(MCE_VERSION)" \ + CHART_VALUES_IMAGE_TAG="$(MCE_VERSION)" \ + CHART_VALUES_IMAGE_TAG_PREFIX="" \ SYNC2CHARTS="$(SYNC2CHARTS)" \ PROJECT="cluster-api-provider-aws" \ ../scripts/sync2chart.sh diff --git a/charts/cluster-api-provider-aws/Chart.yaml b/charts/cluster-api-provider-aws/Chart.yaml index 5b969358..5cda81a6 100644 --- a/charts/cluster-api-provider-aws/Chart.yaml +++ b/charts/cluster-api-provider-aws/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: cluster-api-provider-aws description: Cluster API provider for AWS type: application -version: "4.19" -appVersion: "4.19" +version: "2.10.0-1" +appVersion: "2.10.0-1" diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml index 45a5d46a..a5b96a37 100644 
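Review bot: In the `build-cluster-api-provider-aws-chart` hunk, `ORGREPO` now points at `$(STOLOSTRON_ORGREPO)` while the source reference stays `BRANCH="$(CAPA_BRANCH)"` with the default `CAPA_BRANCH ?= main` from the first hunk, so a chart stamped `CHART_VERSION="$(MCE_VERSION)"` is built from whatever the new org's `main` holds at build time rather than from a revision tied to `2.10.0-1`, and two builds of the same chart version can differ. Since the hunk already makes the version a distinct variable, defaulting the reference to a release branch or tag that tracks `MCE_VERSION` (or letting `../scripts/build.sh`, whose body is not visible here, record the resolved commit in the chart) would keep the published artifact reproducible; the same mutable-branch pattern applies to `CAPI_BRANCH ?= master` for the other target. The image tag also changes shape, from `v4.19` to `2.10.0-1` with `CHART_VALUES_IMAGE_TAG_PREFIX=""`, which presumably matches how the stolostron image is published but is worth confirming against the registry before merging. Whether the recipe continues past `../scripts/sync2chart.sh` cannot be seen from this hunk.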
--- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml index 7ffba0ec..a069d3f9 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusters.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusters.infrastructure.cluster.x-k8s.io.yaml index 9622082f..70204c0d 100644 
--- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusters.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusters.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws @@ -127,10 +127,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: @@ -443,11 +444,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -628,27 +637,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -658,6 +672,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -977,10 +993,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -1395,6 +1412,83 @@ spec: - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of + ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security + groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot + be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about + the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. + Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs + as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. + Accepted values are "-1" (all), "4" (IP in IP),"tcp", + "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. + Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role + of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: @@ -2093,11 +2187,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -2111,6 +2213,49 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. 
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. @@ -2119,6 +2264,20 @@ spec: description: Specifies whether enhanced networking with ENA is enabled. type: boolean + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the dedicated host on which the + instance should be started. + type: string iamProfile: description: The name of the IAM instance profile associated with the instance, if applicable. 
@@ -2398,27 +2557,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -2428,6 +2592,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml index ea54a0df..d36e3cc0 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml index a8200150..be0b97ad 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws 
@@ -87,7 +87,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -142,10 +142,13 @@ spec: used to communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server + is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server + is serving. format: int32 type: integer required: @@ -513,7 +516,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -568,10 +571,13 @@ spec: used to communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server + is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server + is serving. format: int32 type: integer required: 
@@ -992,6 +998,84 @@ spec: - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional + set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule + for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information + about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways + IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress + rule. Accepted values are "-1" (all), "4" (IP + in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), + "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access + from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique + role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsfargateprofiles.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsfargateprofiles.infrastructure.cluster.x-k8s.io.yaml index 88fc83fe..6f558881 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsfargateprofiles.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsfargateprofiles.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 
@@ -121,27 +121,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -151,6 +156,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -268,6 +275,30 @@ spec: and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created. type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string selectors: description: Selectors specify fargate pod selectors. items: 
@@ -307,27 +338,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -337,6 +373,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinepools.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinepools.infrastructure.cluster.x-k8s.io.yaml index 46f40227..741b6d3c 100644 
--- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinepools.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinepools.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -135,6 +135,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -396,27 +398,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -426,6 +433,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -628,6 +637,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -637,6 +648,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation + type: string iamInstanceProfile: description: |- The name or the Amazon Resource Name (ARN) of the instance profile associated 
@@ -893,6 +922,151 @@ spec: after it enters the InService state. If no value is supplied by user a default value of 300 seconds is set type: string + ignition: + description: Ignition defined options related to the bootstrapping + systems where Ignition is used. + properties: + proxy: + description: |- + Proxy defines proxy settings for Ignition. + Only valid for Ignition versions 3.1 and above. + properties: + httpProxy: + description: |- + HTTPProxy is the HTTP proxy to use for Ignition. + A single URL that specifies the proxy server to use for HTTP and HTTPS requests, + unless overridden by the HTTPSProxy or NoProxy options. + type: string + httpsProxy: + description: |- + HTTPSProxy is the HTTPS proxy to use for Ignition. + A single URL that specifies the proxy server to use for HTTPS requests, + unless overridden by the NoProxy option. + type: string + noProxy: + description: |- + NoProxy is the list of domains to not proxy for Ignition. + Specifies a list of strings to hosts that should be excluded from proxying. + + Each value is represented by: + - An IP address prefix (1.2.3.4) + - An IP address prefix in CIDR notation (1.2.3.4/8) + - A domain name + - A domain name matches that name and all subdomains + - A domain name with a leading . matches subdomains only + - A special DNS label (*), indicates that no proxying should be done + + An IP address prefix and domain name can also include a literal port number (1.2.3.4:80). + items: + description: IgnitionNoProxy defines the list of domains + to not proxy for Ignition. + maxLength: 2048 + type: string + maxItems: 64 + type: array + type: object + storageType: + default: ClusterObjectStore + description: |- + StorageType defines how to store the boostrap user data for Ignition. + This can be used to instruct Ignition from where to fetch the user data to bootstrap an instance. + + When omitted, the storage option will default to ClusterObjectStore. 
+ + When set to "ClusterObjectStore", if the capability is available and a Cluster ObjectStore configuration + is correctly provided in the Cluster object (under .spec.s3Bucket), + an object store will be used to store bootstrap user data. + + When set to "UnencryptedUserData", EC2 Instance User Data will be used to store the machine bootstrap user data, unencrypted. + This option is considered less secure than others as user data may contain sensitive informations (keys, certificates, etc.) + and users with ec2:DescribeInstances permission or users running pods + that can access the ec2 metadata service have access to this sensitive information. + So this is only to be used at ones own risk, and only when other more secure options are not viable. + enum: + - ClusterObjectStore + - UnencryptedUserData + type: string + tls: + description: |- + TLS defines TLS settings for Ignition. + Only valid for Ignition versions 3.1 and above. + properties: + certificateAuthorities: + description: |- + CASources defines the list of certificate authorities to use for Ignition. + The value is the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. + Supported schemes are http, https, tftp, s3, arn, gs, and `data` (RFC 2397) URL scheme. + items: + description: IgnitionCASource defines the source of the + certificate authority to use for Ignition. + maxLength: 65536 + type: string + maxItems: 64 + type: array + type: object + version: + description: |- + Version defines which version of Ignition will be used to generate bootstrap data. + Defaults to `2.3` if storageType is set to `ClusterObjectStore`. + It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version. + enum: + - "2.3" + - "3.0" + - "3.1" + - "3.2" + - "3.3" + - "3.4" + type: string + type: object + lifecycleHooks: + description: AWSLifecycleHooks specifies lifecycle hooks for the autoscaling + group. 
+ items: + description: AWSLifecycleHook describes an AWS lifecycle hook + properties: + defaultResult: + description: The default result for the lifecycle hook. The + possible values are CONTINUE and ABANDON. + enum: + - CONTINUE + - ABANDON + type: string + heartbeatTimeout: + description: |- + The maximum time, in seconds, that an instance can remain in a Pending:Wait or + Terminating:Wait state. The maximum is 172800 seconds (48 hours) or 100 times + HeartbeatTimeout, whichever is smaller. + format: duration + type: string + lifecycleTransition: + description: The state of the EC2 instance to which to attach + the lifecycle hook. + enum: + - autoscaling:EC2_INSTANCE_LAUNCHING + - autoscaling:EC2_INSTANCE_TERMINATING + type: string + name: + description: The name of the lifecycle hook. + type: string + notificationMetadata: + description: Contains additional metadata that will be passed + to the notification target. + type: string + notificationTargetARN: + description: |- + The ARN of the notification target that Amazon EC2 Auto Scaling uses to + notify you when an instance is in the transition state for the lifecycle hook. + type: string + roleARN: + description: |- + The ARN of the IAM role that allows the Auto Scaling group to publish to the + specified notification target. + type: string + required: + - lifecycleTransition + - name + type: object + type: array maxSize: default: 1 description: MaxSize defines the maximum size of the group. 
@@ -1090,27 +1264,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -1120,6 +1299,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachines.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachines.infrastructure.cluster.x-k8s.io.yaml index 45b9d5e9..b6907d47 100644 
--- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachines.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachines.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws @@ -415,11 +415,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -434,27 +442,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -464,6 +477,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -631,6 +646,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -640,6 +657,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string cloudInit: description: |- CloudInit defines options related to the bootstrapping systems where 
@@ -673,6 +708,31 @@ spec: - ssm-parameter-store type: string type: object
+ cpuOptions:
+ description: |-
+ CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+ When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+ minProperties: 1
+ properties:
+ confidentialCompute:
+ description: |-
+ ConfidentialCompute specifies whether confidential computing should be enabled for the instance,
+ and, if so, which confidential computing technology to use.
+ Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging
+ When set to Disabled, confidential computing will be disabled for the instance.
+ When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+ In this case, ensure the following conditions are met:
+ 1) The selected instance type supports AMD SEV-SNP.
+ 2) The selected AWS region supports AMD SEV-SNP.
+ 3) The selected AMI supports AMD SEV-SNP.
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+ When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+ which is subject to change without notice. The current default is Disabled.
+ enum:
+ - Disabled
+ - AMDEncryptedVirtualizationNestedPaging
+ type: string
+ type: object
 elasticIpPool: description: ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool.
@@ -702,6 +762,20 @@ spec: - message: allowed values are 'none' and 'amazon-pool' rule: self in ['none','amazon-pool'] type: object + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the Dedicated Host on which the instance + must be started. + type: string iamInstanceProfile: description: IAMInstanceProfile is a name of an IAM instance profile to assign to the instance @@ -789,9 +863,10 @@ spec: type: array type: object version: - default: "2.3" - description: Version defines which version of Ignition will be - used to generate bootstrap data. + description: |- + Version defines which version of Ignition will be used to generate bootstrap data. + Defaults to `2.3` if storageType is set to `ClusterObjectStore`. + It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version. enum: - "2.3" - "3.0" @@ -1137,11 +1212,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
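Review bot: The new `hostAffinity` description states `When HostAffinity is defined, HostID is required.`, but nothing in the schema enforces it: `hostID` is a plain string with no `required`, `pattern` or validation rule linked to `hostAffinity`, so an AWSMachine with `hostAffinity: host` and no `hostID` is admitted and the mismatch presumably only surfaces when the controller calls EC2. This CRD already uses CEL for elasticIpPool (`rule: self in ['none','amazon-pool']` in the hunk's leading context), so the same mechanism fits here: `x-kubernetes-validations: - rule: '!has(self.hostAffinity) || has(self.hostID)'` with `message: hostID is required when hostAffinity is set` on the enclosing spec object, which starts outside the hunk. Because the file is generated by controller-gen from the upstream Go types, the marker belongs on the upstream struct and the chart can only mirror it once it lands.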
@@ -1156,27 +1239,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -1186,6 +1274,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml index 6d55f0d4..1155e515 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws @@ -82,7 +82,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -496,7 +496,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -565,6 +565,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -574,6 +576,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string cloudInit: description: |- CloudInit defines options related to the bootstrapping systems where 
@@ -607,6 +627,31 @@ spec: - ssm-parameter-store type: string type: object
+ cpuOptions:
+ description: |-
+ CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+ When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+ minProperties: 1
+ properties:
+ confidentialCompute:
+ description: |-
+ ConfidentialCompute specifies whether confidential computing should be enabled for the instance,
+ and, if so, which confidential computing technology to use.
+ Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging
+ When set to Disabled, confidential computing will be disabled for the instance.
+ When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+ In this case, ensure the following conditions are met:
+ 1) The selected instance type supports AMD SEV-SNP.
+ 2) The selected AWS region supports AMD SEV-SNP.
+ 3) The selected AMI supports AMD SEV-SNP.
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+ When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+ which is subject to change without notice. The current default is Disabled.
+ enum:
+ - Disabled
+ - AMDEncryptedVirtualizationNestedPaging
+ type: string
+ type: object
 elasticIpPool: description: ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool.
@@ -636,6 +681,20 @@ spec: - message: allowed values are 'none' and 'amazon-pool' rule: self in ['none','amazon-pool'] type: object + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the Dedicated Host on which + the instance must be started. + type: string iamInstanceProfile: description: IAMInstanceProfile is a name of an IAM instance profile to assign to the instance @@ -723,9 +782,10 @@ spec: type: array type: object version: - default: "2.3" - description: Version defines which version of Ignition - will be used to generate bootstrap data. + description: |- + Version defines which version of Ignition will be used to generate bootstrap data. + Defaults to `2.3` if storageType is set to `ClusterObjectStore`. + It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version. enum: - "2.3" - "3.0" diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedclusters.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedclusters.infrastructure.cluster.x-k8s.io.yaml index ee7b6526..84d1c40f 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedclusters.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedclusters.infrastructure.cluster.x-k8s.io.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws @@ -67,10 +67,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -89,27 +90,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -119,6 +125,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml index 0e7a5dc9..6b269322 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws @@ -112,6 +112,11 @@ spec: description: Name is the name of the addon minLength: 2 type: string + preserveOnDelete: + description: |- + PreserveOnDelete indicates that the addon resources should be + preserved in the cluster on delete. + type: boolean serviceAccountRoleARN: description: ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account @@ -167,10 +172,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -459,6 +465,83 @@ spec: - toPort type: object type: array
+ additionalNodeIngressRules:
+ description: AdditionalNodeIngressRules is an optional set of
+ ingress rules to add to every node
+ items:
+ description: IngressRule defines an AWS ingress rule for security
+ groups.
+ properties:
+ cidrBlocks:
+ description: List of CIDR blocks to allow access from. Cannot
+ be specified with SourceSecurityGroupID.
+ items:
+ type: string
+ type: array
+ description:
+ description: Description provides extended information about
+ the ingress rule.
+ type: string
+ fromPort:
+ description: FromPort is the start of port range.
+ format: int64
+ type: integer
+ ipv6CidrBlocks:
+ description: List of IPv6 CIDR blocks to allow access from.
+ Cannot be specified with SourceSecurityGroupID.
+ items:
+ type: string
+ type: array
+ natGatewaysIPsSource:
+ description: NatGatewaysIPsSource use the NAT gateways IPs
+ as the source for the ingress rule.
+ type: boolean
+ protocol:
+ description: Protocol is the protocol for the ingress rule.
+ Accepted values are "-1" (all), "4" (IP in IP),"tcp",
+ "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
+ enum:
+ - "-1"
+ - "4"
+ - tcp
+ - udp
+ - icmp
+ - "58"
+ - "50"
+ type: string
+ sourceSecurityGroupIds:
+ description: The security group id to allow access from.
+ Cannot be specified with CidrBlocks.
+ items:
+ type: string
+ type: array
+ sourceSecurityGroupRoles:
+ description: |-
+ The security group role to allow access from. Cannot be specified with CidrBlocks.
+ The field will be combined with source security group IDs if specified.
+ items:
+ description: SecurityGroupRole defines the unique role
+ of a security group.
+ enum:
+ - bastion
+ - node
+ - controlplane
+ - apiserver-lb
+ - lb
+ - node-eks-additional
+ type: string
+ type: array
+ toPort:
+ description: ToPort is the end of port range.
+ format: int64
+ type: integer
+ required:
+ - description
+ - fromPort
+ - protocol
+ - toPort
+ type: object
+ type: array
 cni: description: CNI configuration properties:
@@ -1126,11 +1209,19 @@ spec: address. properties: address:
- description: The machine address.
+ description: address is the machine address.
+ maxLength: 256
+ minLength: 1
 type: string type:
- description: Machine address type, one of Hostname, ExternalIP,
- InternalIP, ExternalDNS or InternalDNS.
+ description: type is the machine address type, one of Hostname,
+ ExternalIP, InternalIP, ExternalDNS or InternalDNS.
+ enum:
+ - Hostname
+ - ExternalIP
+ - InternalIP
+ - ExternalDNS
+ - InternalDNS
 type: string required: - address
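Review bot: The exclusivity that the new `additionalNodeIngressRules` descriptions promise is not enforced by the schema: `cidrBlocks` and `ipv6CidrBlocks` say they cannot be combined with `sourceSecurityGroupIds`, yet the items object carries no `x-kubernetes-validations`, the CIDR items have no `pattern`, and `fromPort`/`toPort` are bare int64 with no `minimum`/`maximum`. A rule with `cidrBlocks: ["0.0.0.0/0"]`, `protocol: "-1"`, `fromPort: 0`, `toPort: 65535` is therefore admitted and, per the field's own description, applied to every node. Sibling CRDs in this same change already use CEL (the elasticIpPool `rule: self in [...]`), so an items-level `rule: '!(has(self.cidrBlocks) && has(self.sourceSecurityGroupIds))'` plus `minimum: 0`/`maximum: 65535` on both ports would close the gap. As the file is generated by controller-gen from the upstream Go types, those markers belong upstream; until they land, a chart-level admission policy is the place to reject wide-open node ingress.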
@@ -1144,6 +1235,49 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string
+ capacityReservationPreference:
+ allOf:
+ - enum:
+ - ""
+ - None
+ - CapacityReservationsOnly
+ - Open
+ - enum:
+ - ""
+ - None
+ - CapacityReservationsOnly
+ - Open
+ description: |-
+ CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include:
+ "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType
+ "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
+ "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot`
+ type: string
+ cpuOptions:
+ description: |-
+ CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+ When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+ minProperties: 1
+ properties:
+ confidentialCompute:
+ description: |-
+ ConfidentialCompute specifies whether confidential computing should be enabled for the instance,
+ and, if so, which confidential computing technology to use.
+ Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging
+ When set to Disabled, confidential computing will be disabled for the instance.
+ When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+ In this case, ensure the following conditions are met:
+ 1) The selected instance type supports AMD SEV-SNP.
+ 2) The selected AWS region supports AMD SEV-SNP.
+ 3) The selected AMI supports AMD SEV-SNP.
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+ When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+ which is subject to change without notice. The current default is Disabled.
+ enum:
+ - Disabled
+ - AMDEncryptedVirtualizationNestedPaging
+ type: string
+ type: object
 ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O.
@@ -1152,6 +1286,20 @@ spec: description: Specifies whether enhanced networking with ENA is enabled. type: boolean
+ hostAffinity:
+ description: |-
+ HostAffinity specifies the dedicated host affinity setting for the instance.
+ When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped.
+ When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host.
+ When HostAffinity is defined, HostID is required.
+ enum:
+ - default
+ - host
+ type: string
+ hostID:
+ description: HostID specifies the dedicated host on which the
+ instance should be started.
+ type: string
 iamProfile: description: The name of the IAM instance profile associated with the instance, if applicable.
@@ -1431,27 +1579,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -1461,6 +1614,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -2131,6 +2286,28 @@ spec: description: AWSManagedControlPlaneSpec defines the desired state of an Amazon EKS Cluster. properties:
+ accessConfig:
+ description: AccessConfig specifies the access configuration information
+ for the cluster
+ properties:
+ authenticationMode:
+ default: config_map
+ description: |-
+ AuthenticationMode specifies the desired authentication mode for the cluster
+ Defaults to config_map
+ enum:
+ - config_map
+ - api
+ - api_and_config_map
+ type: string
+ bootstrapClusterCreatorAdminPermissions:
+ default: true
+ description: |-
+ BootstrapClusterCreatorAdminPermissions grants cluster admin permissions
+ to the IAM identity creating the cluster. Only applied during creation,
+ ignored when updating existing clusters. Defaults to true.
+ type: boolean
+ type: object
 additionalTags: additionalProperties: type: string
@@ -2151,15 +2328,21 @@ spec: default: overwrite description: |- ConflictResolution is used to declare what should happen if there
- are parameter conflicts. Defaults to none
+ are parameter conflicts. Defaults to overwrite
 enum: - overwrite - none
+ - preserve
 type: string name: description: Name is the name of the addon minLength: 2 type: string
+ preserveOnDelete:
+ description: |-
+ PreserveOnDelete indicates that the addon resources should be
+ preserved in the cluster on delete.
+ type: boolean
 serviceAccountRoleARN: description: ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account
@@ -2222,10 +2405,11 @@ spec: communicate with the control plane. properties: host:
- description: The hostname on which the API server is serving.
+ description: host is the hostname on which the API server is serving.
+ maxLength: 512
 type: string port:
- description: The port on which the API server is serving.
+ description: port is the port on which the API server is serving.
 format: int32 type: integer required:
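Review bot: The new `accessConfig` defaults are the permissive pair: `bootstrapClusterCreatorAdminPermissions` defaults to `true` and `authenticationMode` to `config_map`, so any AWSManagedControlPlane that omits `accessConfig` hands cluster-admin on the EKS cluster to the IAM identity that creates it, and the description itself notes the grant is applied only at creation, so flipping the field later does not take it back. The description does not say which identity that is in practice (presumably the provider's own credentials or the role assumed through the referenced identity), which is exactly what an operator needs to assess the grant. I would extend the field doc with `Set to false to avoid an implicit, standing cluster-admin grant to the creating identity; operator access should then be granted explicitly.` and have the chart README call out the default, since the CRD is generated from the upstream Go types and the wording belongs on that struct. AWSManagedControlPlaneSpec's properties block continues outside the hunk.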
@@ -2505,6 +2689,83 @@ spec: - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of + ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security + groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot + be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about + the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. + Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs + as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. + Accepted values are "-1" (all), "4" (IP in IP),"tcp", + "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. + Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role + of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: @@ -2953,6 +3214,30 @@ spec: and no name is supplied then a role is created. minLength: 2 type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string secondaryCidrBlock: description: |- SecondaryCidrBlock is the additional CIDR range to use for pod IPs. 
@@ -3190,11 +3475,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -3208,6 +3501,49 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. 
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. @@ -3216,6 +3552,20 @@ spec: description: Specifies whether enhanced networking with ENA is enabled. type: boolean + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the dedicated host on which the + instance should be started. + type: string iamProfile: description: The name of the IAM instance profile associated with the instance, if applicable. 
@@ -3495,27 +3845,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -3525,6 +3880,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedmachinepools.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedmachinepools.infrastructure.cluster.x-k8s.io.yaml index 0cb4a908..3b652e07 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedmachinepools.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_awsmanagedmachinepools.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -144,6 +144,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -395,27 +397,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -425,6 +432,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -543,9 +552,22 @@ spec: - AL2_x86_64 - AL2_x86_64_GPU - AL2_ARM_64 + - CUSTOM + - BOTTLEROCKET_ARM_64 + - BOTTLEROCKET_x86_64 + - BOTTLEROCKET_ARM_64_FIPS + - BOTTLEROCKET_x86_64_FIPS + - BOTTLEROCKET_ARM_64_NVIDIA + - BOTTLEROCKET_x86_64_NVIDIA + - WINDOWS_CORE_2019_x86_64 + - WINDOWS_FULL_2019_x86_64 + - WINDOWS_CORE_2022_x86_64 + - WINDOWS_FULL_2022_x86_64 - AL2023_x86_64_STANDARD - AL2023_ARM_64_STANDARD - - CUSTOM + - AL2023_x86_64_NEURON + - AL2023_x86_64_NVIDIA + - AL2023_ARM_64_NVIDIA type: string amiVersion: description: |- @@ -624,6 +646,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource @@ -633,6 +657,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation + type: string iamInstanceProfile: description: |- The name or the Amazon Resource Name (ARN) of the instance profile associated 
@@ -900,6 +942,55 @@ spec: type: string description: Labels specifies labels for the Kubernetes node objects type: object + lifecycleHooks: + description: AWSLifecycleHooks specifies lifecycle hooks for the managed + node group. + items: + description: AWSLifecycleHook describes an AWS lifecycle hook + properties: + defaultResult: + description: The default result for the lifecycle hook. The + possible values are CONTINUE and ABANDON. + enum: + - CONTINUE + - ABANDON + type: string + heartbeatTimeout: + description: |- + The maximum time, in seconds, that an instance can remain in a Pending:Wait or + Terminating:Wait state. The maximum is 172800 seconds (48 hours) or 100 times + HeartbeatTimeout, whichever is smaller. + format: duration + type: string + lifecycleTransition: + description: The state of the EC2 instance to which to attach + the lifecycle hook. + enum: + - autoscaling:EC2_INSTANCE_LAUNCHING + - autoscaling:EC2_INSTANCE_TERMINATING + type: string + name: + description: The name of the lifecycle hook. + type: string + notificationMetadata: + description: Contains additional metadata that will be passed + to the notification target. + type: string + notificationTargetARN: + description: |- + The ARN of the notification target that Amazon EC2 Auto Scaling uses to + notify you when an instance is in the transition state for the lifecycle hook. + type: string + roleARN: + description: |- + The ARN of the IAM role that allows the Auto Scaling group to publish to the + specified notification target. + type: string + required: + - lifecycleTransition + - name + type: object + type: array providerIDList: description: |- ProviderIDList are the provider IDs of instances in the 
@@ -942,6 +1033,30 @@ spec: and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created. type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string scaling: description: Scaling specifies scaling for the ASG behind this pool properties: 
@@ -1018,27 +1133,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -1048,6 +1168,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigs.bootstrap.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigs.bootstrap.cluster.x-k8s.io.yaml index ee174f8d..f27f3ab2 100644 
--- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigs.bootstrap.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigs.bootstrap.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws @@ -129,27 +129,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -159,6 +164,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -529,27 +536,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -559,6 +571,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigtemplates.bootstrap.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigtemplates.bootstrap.cluster.x-k8s.io.yaml index b2efd3f0..a9cd3cdb 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigtemplates.bootstrap.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_eksconfigtemplates.bootstrap.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 service.beta.openshift.io/inject-cabundle: "true" labels: cluster.x-k8s.io/provider: infrastructure-aws diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosaclusters.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosaclusters.infrastructure.cluster.x-k8s.io.yaml index 8b49576b..c31a5eae 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosaclusters.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosaclusters.infrastructure.cluster.x-k8s.io.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -66,10 +66,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -88,27 +89,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -118,6 +124,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml index 4b2607a5..0907a6ab 100644 
--- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -91,6 +91,8 @@ spec: description: OpenShift version channel group, default is stable. enum: - stable + - eus + - fast - candidate - nightly type: string @@ -168,10 +170,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: @@ -526,8 +529,9 @@ spec: - name type: object installerRoleARN: - description: InstallerRoleARN is an AWS IAM role that OpenShift Cluster - Manager will assume to create the cluster.. + description: |- + InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster. + Required if RosaRoleConfigRef is not specified. type: string network: description: Network config for the ROSA HCP cluster. @@ -561,7 +565,9 @@ spec: type: string type: object oidcID: - description: The ID of the internal OpenID Connect Provider. + description: |- + The ID of the internal OpenID Connect Provider. + Required if RosaRoleConfigRef is not specified. type: string x-kubernetes-validations: - message: oidcID is immutable 
@@ -577,8 +583,9 @@ spec: description: The AWS Region the cluster lives in. type: string rolesRef: - description: AWS IAM roles used to perform credential requests by - the openshift operators. + description: |- + AWS IAM roles used to perform credential requests by the openshift operators. + Required if RosaRoleConfigRef is not specified. properties: controlPlaneOperatorARN: description: "ControlPlaneOperatorARN is an ARN value referencing @@ -778,6 +785,22 @@ spec: x-kubernetes-validations: - message: rosaClusterName is immutable rule: self == oldSelf + rosaRoleConfigRef: + description: |- + RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account roles, operator roles and OIDC configuration. + RosaRoleConfigRef and role fields such as installerRoleARN, supportRoleARN, workerRoleARN, rolesRef and oidcID are mutually exclusive. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic subnets: description: |- The Subnet IDs to use when installing the cluster. @@ -789,6 +812,7 @@ spec: description: |- SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable access to the cluster account in order to provide support. + Required if RosaRoleConfigRef is not specified. type: string version: description: OpenShift semantic version, for example "4.14.5". 
@@ -807,22 +831,18 @@ spec: - AlwaysAcknowledge type: string workerRoleARN: - description: WorkerRoleARN is an AWS IAM role that will be attached - to worker instances. + description: |- + WorkerRoleARN is an AWS IAM role that will be attached to worker instances. + Required if RosaRoleConfigRef is not specified. type: string required: - availabilityZones - channelGroup - - installerRoleARN - - oidcID - region - - rolesRef - rosaClusterName - subnets - - supportRoleARN - version - versionGate - - workerRoleARN type: object status: description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane. @@ -841,27 +861,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
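Review bot: Removing installerRoleARN, oidcID, rolesRef, supportRoleARN and workerRoleARN from `required` leaves the "Required if RosaRoleConfigRef is not specified" contract, and the mutual exclusivity stated on rosaRoleConfigRef in the preceding hunk, enforced only by description text; no x-kubernetes-validations rule for either appears in this hunk or that one, so a ROSAControlPlane with neither a role reference nor the role ARNs now passes schema validation and the failure surfaces only later (at reconcile time, or in the validating webhook if it checks this — not visible here). Since these CRDs are controller-gen output, the check belongs on the upstream Go type as a CEL marker rather than as an edit to the synced YAML; an illustrative (constructed) form is `// +kubebuilder:validation:XValidation:rule="has(self.rosaRoleConfigRef) != (has(self.installerRoleARN) && has(self.oidcID) && has(self.rolesRef) && has(self.supportRoleARN) && has(self.workerRoleARN))",message="exactly one of rosaRoleConfigRef or the role ARN fields must be set"`. The spec object this hunk closes begins outside the hunk.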
@@ -871,6 +896,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -915,6 +942,9 @@ spec: description: Ready denotes that the ROSAControlPlane API Server is ready to receive requests. type: boolean + version: + description: OpenShift semantic version, for example "4.14.5". + type: string required: - ready type: object diff --git a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosamachinepools.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosamachinepools.infrastructure.cluster.x-k8s.io.yaml index b2d0deac..09a3d871 100644 --- a/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosamachinepools.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-aws/crds/apiextensions.k8s.io_v1_customresourcedefinition_rosamachinepools.infrastructure.cluster.x-k8s.io.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 
@@ -92,6 +92,11 @@ spec: AvailabilityZone is an optinal field specifying the availability zone where instances of this machine pool should run For Multi-AZ clusters, you can create a machine pool in a Single-AZ of your choice. type: string + capacityReservationID: + description: |- + CapacityReservationID specifies the ID of an AWS On-Demand Capacity Reservation and Capacity Blocks for ML. + The CapacityReservationID must be pre-created in advance, before creating a NodePool. + type: string instanceType: description: InstanceType specifies the AWS instance type type: string @@ -245,27 +250,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
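Review bot: The new `capacityReservationID` field is a bare string with no `pattern` or `maxLength`, unlike the bounded fields added elsewhere in this change, so a malformed value is presumably only rejected once the controller hands it to AWS. Capacity reservation IDs carry a stable `cr-` prefix, so an upstream kubebuilder marker producing something like `pattern: ^cr-[0-9a-f]+$` together with a `maxLength` would fail such input at the API server instead (confirm the format also holds for Capacity Blocks for ML before pinning the regex). As this file is regenerated by controller-gen, the constraint has to come from upstream; the rosamachinepools spec schema continues outside the hunk.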
@@ -275,6 +285,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_capa-mutating-webhook-configuration.yaml b/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_capa-mutating-webhook-configuration.yaml index d2a38042..6e37c66a 100644 --- a/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_capa-mutating-webhook-configuration.yaml +++ b/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_capa-mutating-webhook-configuration.yaml @@ -226,6 +226,28 @@ webhooks: resources: - rosamachinepools sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta2-rosaroleconfig + failurePolicy: Fail + matchPolicy: Equivalent + name: default.rosaroleconfig.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - rosaroleconfigs + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 
@@ -292,6 +314,28 @@ webhooks: resources: - awsmanagedcontrolplanes sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /mutate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplanetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: default.awsmanagedcontrolplanetemplates.controlplane.cluster.x-k8s.io + rules: + - apiGroups: + - controlplane.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - awsmanagedcontrolplanetemplates + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 diff --git a/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_capa-validating-webhook-configuration.yaml b/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_capa-validating-webhook-configuration.yaml index 76e644b8..6f64a612 100644 --- a/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_capa-validating-webhook-configuration.yaml +++ b/charts/cluster-api-provider-aws/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_capa-validating-webhook-configuration.yaml @@ -249,6 +249,28 @@ webhooks: resources: - rosamachinepools sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta2-rosaroleconfig + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.rosaroleconfig.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - rosaroleconfigs + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 
@@ -315,6 +337,28 @@ webhooks: resources: - awsmanagedcontrolplanes sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /validate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplanetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.awsmanagedcontrolplanetemplates.controlplane.cluster.x-k8s.io + rules: + - apiGroups: + - controlplane.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - awsmanagedcontrolplanetemplates + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 diff --git a/charts/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml b/charts/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml index 277684f5..b467d3fd 100644 --- a/charts/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml +++ b/charts/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml @@ -36,7 +36,7 @@ spec: containers: - args: - --leader-elect - - --feature-gates=EKS=true,EKSEnableIAM=true,EKSAllowAddRoles=true,EKSFargate=true,MachinePool=true,EventBridgeInstanceState=false,AutoControllerIdentityCreator=true,BootstrapFormatIgnition=false,ExternalResourceGC=false,AlternativeGCStrategy=false,TagUnmanagedNetworkResources=true,ROSA=true + - --feature-gates=EKS=true,EKSEnableIAM=true,EKSAllowAddRoles=true,EKSFargate=true,MachinePool=true,MachinePoolMachines=true,EventBridgeInstanceState=false,AutoControllerIdentityCreator=true,BootstrapFormatIgnition=false,ExternalResourceGC=true,AlternativeGCStrategy=false,TagUnmanagedNetworkResources=true,ROSA=true - --v=0 - --diagnostics-address=:8443 - --insecure-diagnostics=false 
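Review bot: The deployment hunk turns on `ExternalResourceGC=true` and `MachinePoolMachines=true` in the feature-gate string, and both change what the controller does with the AWS credentials it holds: ExternalResourceGC makes CAPA delete AWS resources it did not create (those provisioned by the in-cluster cloud provider during cluster deletion) and MachinePoolMachines makes it create and manage per-instance AWSMachine objects, which is what the new `create` grants in the ClusterRole serve. The gate string is a literal in the Deployment template, so an operator cannot opt out of external-resource GC without forking the chart; consider templating it from a values key, e.g. `- --feature-gates={{ .Values.featureGates }}` (constructed name) with the current string as the default, or at minimum a comment above the `args:` list recording why GC of externally created resources is enabled for this distribution. The commit description should also call out the GC change, since it widens the blast radius of a cluster deletion.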
diff --git a/charts/cluster-api-provider-aws/templates/rbac.authorization.k8s.io_v1_clusterrole_capa-manager-role.yaml b/charts/cluster-api-provider-aws/templates/rbac.authorization.k8s.io_v1_clusterrole_capa-manager-role.yaml index 0133cebb..98f25a69 100644 --- a/charts/cluster-api-provider-aws/templates/rbac.authorization.k8s.io_v1_clusterrole_capa-manager-role.yaml +++ b/charts/cluster-api-provider-aws/templates/rbac.authorization.k8s.io_v1_clusterrole_capa-manager-role.yaml @@ -84,6 +84,7 @@ rules: - machinepools - machinepools/status verbs: + - create - get - list - patch @@ -117,6 +118,13 @@ rules: - patch - update - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - awsmanagedcontrolplanes/finalizers + - rosacontrolplanes/finalizers + verbs: + - update - apiGroups: - controlplane.cluster.x-k8s.io resources: @@ -128,12 +136,6 @@ rules: - patch - update - watch -- apiGroups: - - controlplane.cluster.x-k8s.io - resources: - - rosacontrolplanes/finalizers - verbs: - - update - apiGroups: - infrastructure.cluster.x-k8s.io resources: @@ -162,7 +164,6 @@ rules: - awsmanagedclusters - awsmanagedmachinepools - rosaclusters - - rosamachinepools verbs: - delete - get @@ -176,7 +177,7 @@ rules: - awsclusters/status - awsfargateprofiles/status - rosaclusters/status - - rosamachinepools/status + - rosaroleconfigs/status verbs: - get - patch @@ -198,6 +199,8 @@ rules: - infrastructure.cluster.x-k8s.io resources: - awsmachines + - rosamachinepools + - rosaroleconfigs verbs: - create - delete @@ -210,5 +213,17 @@ rules: - infrastructure.cluster.x-k8s.io resources: - rosamachinepools/finalizers + - rosaroleconfigs/finalizers verbs: - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - rosamachinepools/status + verbs: + - create + - get + - list + - patch + - update + - watch diff --git a/charts/cluster-api-provider-aws/values.yaml b/charts/cluster-api-provider-aws/values.yaml index 17df59fa..57bc32bc 100644 
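Review bot: The new rule for `rosamachinepools/status` and the `create` added to the `machinepools`/`machinepools/status` rule at the top of this file section grant `create` on status subresources, which the API server does not serve for `/status` endpoints (only get, update and patch are accepted there), so the verb is dead privilege that only widens the ClusterRole; `create` should be confined to the main resources the controller actually instantiates, presumably `awsmachines` now that MachinePoolMachines is enabled. Moving `rosacontrolplanes/finalizers` into a shared rule with `awsmanagedcontrolplanes/finalizers` and deleting the stand-alone rule looks equivalent. Since the role is produced from upstream kubebuilder RBAC markers, trimming the verb is an upstream change; in this repository the commit description should at least note the new create/delete grant on `rosaroleconfigs`, which by its name presumably manages IAM role configuration and is the most sensitive addition here.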
--- a/charts/cluster-api-provider-aws/values.yaml +++ b/charts/cluster-api-provider-aws/values.yaml @@ -6,5 +6,5 @@ rosa: manager: cmd: /bin/cluster-api-provider-aws-controller-manager image: - tag: v4.19 - url: registry.redhat.io/openshift4/ose-aws-cluster-api-controllers-rhel9 + tag: 2.10.0-1 + url: registry.redhat.io/multicluster-engine/cluster-api-provider-aws-rhel9 diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ipaddresses.ipam.metal3.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ipaddresses.ipam.metal3.io.yaml deleted file mode 100644 index c1f8ad64..00000000 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ipaddresses.ipam.metal3.io.yaml +++ /dev/null 
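Review bot: `tag: 2.10.0-1` pins the controller image by a mutable tag on a different repository, so what actually runs in capa-system can change with no change to this chart; the notable part of this hunk is the move from `registry.redhat.io/openshift4/ose-aws-cluster-api-controllers-rhel9` to `registry.redhat.io/multicluster-engine/cluster-api-provider-aws-rhel9`, which should be stated in the commit description. If the Deployment template supports it, add a content pin alongside the tag, e.g. `digest: ""` with a comment that a non-empty digest takes precedence over `tag`; otherwise a comment next to `tag` recording which release it tracks would help reviewers verify future bumps. The template that consumes these values is outside this diff section.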
@@ -1,188 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - service.beta.openshift.io/inject-cabundle: "true" - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - cluster.x-k8s.io/v1alpha2: v1alpha2 - cluster.x-k8s.io/v1alpha3: v1alpha3_v1alpha4 - cluster.x-k8s.io/v1alpha4: v1alpha5 - cluster.x-k8s.io/v1beta1: v1beta1 - name: ipaddresses.ipam.metal3.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: ipam.metal3.io - names: - categories: - - metal3 - kind: IPAddress - listKind: IPAddressList - plural: ipaddresses - shortNames: - - ipa - - ipaddress - - m3ipa - - m3ipaddress - - m3ipaddresses - - metal3ipa - - metal3ipaddress - - metal3ipaddresses - singular: ipaddress - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Time duration since creation of Metal3IPAddress - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IPAddress is the Schema for the ipaddresses API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAddressSpec defines the desired state of IPAddress. - properties: - address: - description: Address contains the IP address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - claim: - description: Claim points to the object the IPClaim was created for. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - dnsServers: - description: DNSServers is the list of dns servers - items: - description: IPAddress is used for validation of an IP address. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - type: array - gateway: - description: Gateway is the gateway ip address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - pool: - 
description: Pool is the IPPool this was generated from. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - prefix: - description: Prefix is the mask of the network as integer (max 128) - maximum: 128 - type: integer - required: - - address - - claim - - pool - type: object - type: object - served: true - storage: true - subresources: {} 
diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ipclaims.ipam.metal3.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ipclaims.ipam.metal3.io.yaml deleted file mode 100644 index 8abe4d3d..00000000 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ipclaims.ipam.metal3.io.yaml +++ /dev/null 
@@ -1,176 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - service.beta.openshift.io/inject-cabundle: "true" - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - cluster.x-k8s.io/v1alpha2: v1alpha2 - cluster.x-k8s.io/v1alpha3: v1alpha3_v1alpha4 - cluster.x-k8s.io/v1alpha4: v1alpha5 - cluster.x-k8s.io/v1beta1: v1beta1 - name: ipclaims.ipam.metal3.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: ipam.metal3.io - names: - categories: - - cluster-api - kind: IPClaim - listKind: IPClaimList - plural: ipclaims - shortNames: - - ipc - - ipclaim - - m3ipc - - m3ipclaim - - m3ipclaims - - metal3ipc - - metal3ipclaim - - metal3ipclaims - singular: ipclaim - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Time duration since creation of Metal3IPClaim - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IPClaim is the Schema for the ipclaims API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPClaimSpec defines the desired state of IPClaim. - properties: - pool: - description: Pool is the IPPool this was generated from. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - required: - - pool - type: object - status: - description: IPClaimStatus defines the observed state of IPClaim. - properties: - address: - description: Address is the IPAddress that was generated for this - claim. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - errorMessage: - description: ErrorMessage contains the error message - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ippools.ipam.metal3.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ippools.ipam.metal3.io.yaml deleted file mode 100644 index 6a29632b..00000000 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_ippools.ipam.metal3.io.yaml +++ /dev/null 
@@ -1,175 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - service.beta.openshift.io/inject-cabundle: "true" - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - cluster.x-k8s.io/v1alpha2: v1alpha2 - cluster.x-k8s.io/v1alpha3: v1alpha3_v1alpha4 - cluster.x-k8s.io/v1alpha4: v1alpha5 - cluster.x-k8s.io/v1beta1: v1beta1 - name: ippools.ipam.metal3.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: ipam.metal3.io - names: - categories: - - cluster-api - kind: IPPool - listKind: IPPoolList - plural: ippools - shortNames: - - ipp - - ippool - - m3ipp - - m3ippool - - m3ippools - - metal3ipp - - metal3ippool - - metal3ippools - singular: ippool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster to which this template belongs - jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name - name: Cluster - type: string - - description: Time duration since creation of Metal3IPPool - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IPPool is the Schema for the ippools API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPPoolSpec defines the desired state of IPPool. - properties: - clusterName: - description: ClusterName is the name of the Cluster this object belongs - to. - type: string - dnsServers: - description: DNSServers is the list of dns servers - items: - description: IPAddress is used for validation of an IP address. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - type: array - gateway: - description: Gateway is the gateway ip address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - namePrefix: - description: namePrefix is the prefix used to generate the IPAddress - object names - minLength: 1 - type: string - pools: - description: Pools contains the list of IP addresses pools - items: - description: |- - MetaDataIPAddress contains the info to render th ip address. It is IP-version - agnostic. 
- properties: - dnsServers: - description: DNSServers is the list of dns servers - items: - description: IPAddress is used for validation of an IP address. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - type: array - end: - description: |- - End is the last IP address that can be rendered. It is used as a validation - that the rendered IP is in bound. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - gateway: - description: Gateway is the gateway ip address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - prefix: - description: Prefix is the mask of the network as 
integer (max - 128) - maximum: 128 - type: integer - start: - description: Start is the first ip address that can be rendered - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - subnet: - description: |- - Subnet is used to validate that the rendered IP is in bounds. In case the - Start value is not given, it is derived from the subnet ip incremented by 1 - (`192.168.0.1` for `192.168.0.0/24`) - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))/([0-9]|[1-2][0-9]|3[0-2])$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))/([0-9]|[0-9][0-9]|1[0-1][0-9]|12[0-8])$)) - type: string - type: object - type: array - preAllocations: - additionalProperties: - description: IPAddress is used for validation of an IP address. 
- pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - description: PreAllocations contains the preallocated IP addresses - type: object - prefix: - description: Prefix is the mask of the network as integer (max 128) - maximum: 128 - type: integer - required: - - namePrefix - type: object - status: - description: IPPoolStatus defines the observed state of IPPool. - properties: - indexes: - additionalProperties: - description: IPAddress is used for validation of an IP address. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - description: Allocations contains the map of objects and IP addresses - they have - type: object - lastUpdated: - description: LastUpdated identifies when this status was last observed. - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3clusters.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3clusters.infrastructure.cluster.x-k8s.io.yaml index 20955dda..cd4fc7a3 100644 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3clusters.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3clusters.infrastructure.cluster.x-k8s.io.yaml @@ -123,27 +123,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -153,6 +158,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datas.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datas.infrastructure.cluster.x-k8s.io.yaml index e3a804fa..f1951aac 100644 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datas.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datas.infrastructure.cluster.x-k8s.io.yaml @@ -189,7 +189,9 @@ spec: description: |- TemplateReference refers to the Template the Metal3MachineTemplate refers to. It can be matched against the key or it may also point to the name of the template - Metal3Data refers to + Metal3Data refers to. + + Deprecated: This field is deprecated and will be removed in a future release. type: string required: - claim diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datatemplates.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datatemplates.infrastructure.cluster.x-k8s.io.yaml index f84e0a3b..29b82d12 100644 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datatemplates.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3datatemplates.infrastructure.cluster.x-k8s.io.yaml 
@@ -443,6 +443,12 @@ spec: description: MTU is the MTU of the interface maximum: 9000 type: integer + parameters: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: params blob passed without any validation/modifications + into cloud-init config + type: object required: - bondMode - id @@ -1004,7 +1010,9 @@ spec: description: |- TemplateReference refers to the Template the Metal3MachineTemplate refers to. It can be matched against the key or it may also point to the name of the template - Metal3Data refers to + Metal3Data refers to. + + Deprecated: This field is deprecated and will be removed in a future release. type: string required: - clusterName diff --git a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3machines.infrastructure.cluster.x-k8s.io.yaml b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3machines.infrastructure.cluster.x-k8s.io.yaml index dd24381e..0721514e 100644 --- a/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3machines.infrastructure.cluster.x-k8s.io.yaml +++ b/charts/cluster-api-provider-metal3/crds/apiextensions.k8s.io_v1_customresourcedefinition_metal3machines.infrastructure.cluster.x-k8s.io.yaml @@ -279,11 +279,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -298,27 +306,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -328,6 +341,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
diff --git a/charts/cluster-api-provider-metal3/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_ipam-mutating-webhook-configuration.yaml b/charts/cluster-api-provider-metal3/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_ipam-mutating-webhook-configuration.yaml deleted file mode 100644 index dc2c1a5c..00000000 --- a/charts/cluster-api-provider-metal3/templates/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_ipam-mutating-webhook-configuration.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - service.beta.openshift.io/inject-cabundle: "true" - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /mutate-ipam-metal3-io-v1alpha1-ipaddress - failurePolicy: Fail - matchPolicy: Equivalent - name: default.ipaddress.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipaddresses - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /mutate-ipam-metal3-io-v1alpha1-ipclaim - failurePolicy: Fail - matchPolicy: Equivalent - name: default.ipclaim.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipclaims - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /mutate-ipam-metal3-io-v1alpha1-ippool - failurePolicy: Fail - matchPolicy: Equivalent - name: default.ippool.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ippools - sideEffects: None diff --git a/charts/cluster-api-provider-metal3/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_ipam-validating-webhook-configuration.yaml b/charts/cluster-api-provider-metal3/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_ipam-validating-webhook-configuration.yaml deleted file mode 100644 index 9429652a..00000000 
--- a/charts/cluster-api-provider-metal3/templates/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_ipam-validating-webhook-configuration.yaml +++ /dev/null @@ -1,75 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - service.beta.openshift.io/inject-cabundle: "true" - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /validate-ipam-metal3-io-v1alpha1-ipaddress - failurePolicy: Fail - matchPolicy: Equivalent - name: validation.ipaddress.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipaddresses - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /validate-ipam-metal3-io-v1alpha1-ipclaim - failurePolicy: Fail - matchPolicy: Equivalent - name: validation.ipclaim.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipclaims - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /validate-ipam-metal3-io-v1alpha1-ippool - failurePolicy: Fail - matchPolicy: Equivalent - name: validation.ippool.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ippools - sideEffects: None 
diff --git a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_clusterrole_ipam-manager-role.yaml b/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_clusterrole_ipam-manager-role.yaml deleted file mode 100644 index c2f6af0d..00000000 --- a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_clusterrole_ipam-manager-role.yaml +++ /dev/null @@ -1,80 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-manager-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - cluster.x-k8s.io - resources: - - clusters - verbs: - - get - - list - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - clusters/status - verbs: - - get -- apiGroups: - - ipam.metal3.io - resources: - - ipaddresses - - ipclaims - - ippools - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - ipam.metal3.io - resources: - - ipaddresses/status - - ipclaims/status - - ippools/status - verbs: - - get - - patch - - update diff --git a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_ipam-manager-rolebinding.yaml b/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_ipam-manager-rolebinding.yaml deleted file mode 100644 index 4ed1ff1a..00000000 --- a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_clusterrolebinding_ipam-manager-rolebinding.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ipam-manager-role -subjects: -- kind: ServiceAccount - name: ipam-manager - namespace: capm3-system diff --git a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_role_ipam-leader-election-role.yaml b/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_role_ipam-leader-election-role.yaml deleted file mode 100644 index f7a3b219..00000000 --- a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_role_ipam-leader-election-role.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-leader-election-role - namespace: capm3-system -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create diff --git a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_rolebinding_ipam-leader-election-rolebinding.yaml b/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_rolebinding_ipam-leader-election-rolebinding.yaml deleted file mode 100644 index a9b144b7..00000000 --- a/charts/cluster-api-provider-metal3/templates/rbac.authorization.k8s.io_v1_rolebinding_ipam-leader-election-rolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-leader-election-rolebinding - namespace: capm3-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ipam-leader-election-role -subjects: -- kind: ServiceAccount - name: ipam-manager - namespace: capm3-system 
diff --git a/charts/cluster-api-provider-metal3/templates/v1_service_ipam-webhook-service.yaml b/charts/cluster-api-provider-metal3/templates/v1_service_ipam-webhook-service.yaml deleted file mode 100644 index 728b1893..00000000 --- a/charts/cluster-api-provider-metal3/templates/v1_service_ipam-webhook-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - annotations: - service.beta.openshift.io/serving-cert-secret-name: ipam-webhook-service-cert - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-webhook-service - namespace: capm3-system -spec: - ports: - - port: 443 - targetPort: ipam-webhook - selector: - cluster.x-k8s.io/provider: infrastructure-metal3 diff --git a/charts/cluster-api-provider-metal3/templates/v1_serviceaccount_ipam-manager.yaml b/charts/cluster-api-provider-metal3/templates/v1_serviceaccount_ipam-manager.yaml deleted file mode 100644 index cfc7e7a2..00000000 --- a/charts/cluster-api-provider-metal3/templates/v1_serviceaccount_ipam-manager.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-manager - namespace: capm3-system diff --git a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_clusters.cluster.x-k8s.io.yaml b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_clusters.cluster.x-k8s.io.yaml index 8c54c19b..2558fbc8 100644 --- a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_clusters.cluster.x-k8s.io.yaml +++ b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_clusters.cluster.x-k8s.io.yaml 
@@ -980,12 +980,14 @@ spec: type: string classNamespace: description: |- - classNamespace is the namespace of the ClusterClass object to create the topology. - If the namespace is empty or not set, it is defaulted to the namespace of the cluster object. - Value must follow the DNS1123Subdomain syntax. - maxLength: 253 + classNamespace is the namespace of the ClusterClass that should be used for the topology. + If classNamespace is empty or not set, it is defaulted to the namespace of the Cluster object. + classNamespace must be a valid namespace name and because of that be at most 63 characters in length + and it must consist only of lower case alphanumeric characters or hyphens (-), and must start + and end with an alphanumeric character. + maxLength: 63 minLength: 1 - pattern: ^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:\.[a-z0-9](?:[-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string controlPlane: description: controlPlane describes the cluster control plane. diff --git a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinedeployments.cluster.x-k8s.io.yaml b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinedeployments.cluster.x-k8s.io.yaml index f629dc81..6ddbedb4 100644 --- a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinedeployments.cluster.x-k8s.io.yaml +++ b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinedeployments.cluster.x-k8s.io.yaml @@ -1456,7 +1456,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: 
diff --git a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinepools.cluster.x-k8s.io.yaml b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinepools.cluster.x-k8s.io.yaml index 377ef558..9c3d5467 100644 --- a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinepools.cluster.x-k8s.io.yaml +++ b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinepools.cluster.x-k8s.io.yaml @@ -1194,7 +1194,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: diff --git a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machines.cluster.x-k8s.io.yaml b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machines.cluster.x-k8s.io.yaml index ab53abe3..3372abc9 100644 --- a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machines.cluster.x-k8s.io.yaml +++ b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machines.cluster.x-k8s.io.yaml @@ -953,7 +953,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: diff --git a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinesets.cluster.x-k8s.io.yaml b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinesets.cluster.x-k8s.io.yaml index a7b9a2d7..00e469dc 100644 --- a/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinesets.cluster.x-k8s.io.yaml +++ b/charts/cluster-api/crds/apiextensions.k8s.io_v1_customresourcedefinition_machinesets.cluster.x-k8s.io.yaml 
@@ -1208,7 +1208,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: diff --git a/src/cluster-api-provider-aws.yaml b/src/cluster-api-provider-aws.yaml index ba24226b..ae0426f4 100644 --- a/src/cluster-api-provider-aws.yaml +++ b/src/cluster-api-provider-aws.yaml @@ -10,7 +10,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -240,7 +240,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -588,7 +588,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -712,10 +712,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -1028,11 +1029,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address @@ -1213,27 +1222,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -1243,6 +1257,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -1562,10 +1578,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -1980,6 +1997,83 @@ spec: - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of + ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security + groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot + be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about + the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. + Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs + as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. + Accepted values are "-1" (all), "4" (IP in IP),"tcp", + "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. + Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role + of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: @@ -2678,11 +2772,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -2696,6 +2798,49 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. 
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. @@ -2704,6 +2849,20 @@ spec: description: Specifies whether enhanced networking with ENA is enabled. type: boolean + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the dedicated host on which the + instance should be started. + type: string iamProfile: description: The name of the IAM instance profile associated with the instance, if applicable. 
@@ -2983,27 +3142,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -3013,6 +3177,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -3593,7 +3759,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 
@@ -3832,7 +3998,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -3916,7 +4082,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -3971,10 +4137,13 @@ spec: used to communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server + is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server + is serving. format: int32 type: integer required: @@ -4342,7 +4511,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -4397,10 +4566,13 @@ spec: used to communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server + is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server + is serving. format: int32 type: integer required: 
@@ -4821,6 +4993,84 @@ spec: - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional + set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule + for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information + about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways + IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress + rule. Accepted values are "-1" (all), "4" (IP + in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), + "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access + from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique + role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: @@ -5528,7 +5778,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -5647,27 +5897,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -5677,6 +5932,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -5794,6 +6051,30 @@ spec: and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created. type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string selectors: description: Selectors specify fargate pod selectors. items: 
@@ -5833,27 +6114,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -5863,6 +6149,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -5925,7 +6213,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 
@@ -6058,6 +6346,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource @@ -6319,27 +6609,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -6349,6 +6644,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -6551,6 +6848,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -6560,6 +6859,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation + type: string iamInstanceProfile: description: |- The name or the Amazon Resource Name (ARN) of the instance profile associated 
@@ -6816,62 +7133,207 @@ spec: after it enters the InService state. If no value is supplied by user a default value of 300 seconds is set type: string - maxSize: - default: 1 - description: MaxSize defines the maximum size of the group. - format: int32 - minimum: 1 - type: integer - minSize: - default: 1 - description: MinSize defines the minimum size of the group. - format: int32 - minimum: 0 - type: integer - mixedInstancesPolicy: - description: MixedInstancesPolicy describes how multiple instance - types will be used by the ASG. + ignition: + description: Ignition defined options related to the bootstrapping + systems where Ignition is used. properties: - instancesDistribution: - description: InstancesDistribution to configure distribution of - On-Demand Instances and Spot Instances. + proxy: + description: |- + Proxy defines proxy settings for Ignition. + Only valid for Ignition versions 3.1 and above. properties: - onDemandAllocationStrategy: - default: prioritized - description: OnDemandAllocationStrategy indicates how to allocate - instance types to fulfill On-Demand capacity. - enum: - - prioritized - - lowest-price + httpProxy: + description: |- + HTTPProxy is the HTTP proxy to use for Ignition. + A single URL that specifies the proxy server to use for HTTP and HTTPS requests, + unless overridden by the HTTPSProxy or NoProxy options. type: string - onDemandBaseCapacity: - default: 0 - format: int64 - type: integer - onDemandPercentageAboveBaseCapacity: - default: 100 - format: int64 - type: integer - spotAllocationStrategy: - default: lowest-price - description: SpotAllocationStrategy indicates how to allocate - instances across Spot Instance pools. - enum: - - lowest-price - - capacity-optimized - - capacity-optimized-prioritized - - price-capacity-optimized + httpsProxy: + description: |- + HTTPSProxy is the HTTPS proxy to use for Ignition. 
+ A single URL that specifies the proxy server to use for HTTPS requests, + unless overridden by the NoProxy option. type: string - type: object - overrides: - items: - description: |- - Overrides are used to override the instance type specified by the launch template with multiple - instance types that can be used to launch On-Demand Instances and Spot Instances. - properties: - instanceType: - type: string - required: + noProxy: + description: |- + NoProxy is the list of domains to not proxy for Ignition. + Specifies a list of strings to hosts that should be excluded from proxying. + + Each value is represented by: + - An IP address prefix (1.2.3.4) + - An IP address prefix in CIDR notation (1.2.3.4/8) + - A domain name + - A domain name matches that name and all subdomains + - A domain name with a leading . matches subdomains only + - A special DNS label (*), indicates that no proxying should be done + + An IP address prefix and domain name can also include a literal port number (1.2.3.4:80). + items: + description: IgnitionNoProxy defines the list of domains + to not proxy for Ignition. + maxLength: 2048 + type: string + maxItems: 64 + type: array + type: object + storageType: + default: ClusterObjectStore + description: |- + StorageType defines how to store the boostrap user data for Ignition. + This can be used to instruct Ignition from where to fetch the user data to bootstrap an instance. + + When omitted, the storage option will default to ClusterObjectStore. + + When set to "ClusterObjectStore", if the capability is available and a Cluster ObjectStore configuration + is correctly provided in the Cluster object (under .spec.s3Bucket), + an object store will be used to store bootstrap user data. + + When set to "UnencryptedUserData", EC2 Instance User Data will be used to store the machine bootstrap user data, unencrypted. + This option is considered less secure than others as user data may contain sensitive informations (keys, certificates, etc.) 
+ and users with ec2:DescribeInstances permission or users running pods + that can access the ec2 metadata service have access to this sensitive information. + So this is only to be used at ones own risk, and only when other more secure options are not viable. + enum: + - ClusterObjectStore + - UnencryptedUserData + type: string + tls: + description: |- + TLS defines TLS settings for Ignition. + Only valid for Ignition versions 3.1 and above. + properties: + certificateAuthorities: + description: |- + CASources defines the list of certificate authorities to use for Ignition. + The value is the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. + Supported schemes are http, https, tftp, s3, arn, gs, and `data` (RFC 2397) URL scheme. + items: + description: IgnitionCASource defines the source of the + certificate authority to use for Ignition. + maxLength: 65536 + type: string + maxItems: 64 + type: array + type: object + version: + description: |- + Version defines which version of Ignition will be used to generate bootstrap data. + Defaults to `2.3` if storageType is set to `ClusterObjectStore`. + It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version. + enum: + - "2.3" + - "3.0" + - "3.1" + - "3.2" + - "3.3" + - "3.4" + type: string + type: object + lifecycleHooks: + description: AWSLifecycleHooks specifies lifecycle hooks for the autoscaling + group. + items: + description: AWSLifecycleHook describes an AWS lifecycle hook + properties: + defaultResult: + description: The default result for the lifecycle hook. The + possible values are CONTINUE and ABANDON. + enum: + - CONTINUE + - ABANDON + type: string + heartbeatTimeout: + description: |- + The maximum time, in seconds, that an instance can remain in a Pending:Wait or + Terminating:Wait state. The maximum is 172800 seconds (48 hours) or 100 times + HeartbeatTimeout, whichever is smaller. 
+ format: duration + type: string + lifecycleTransition: + description: The state of the EC2 instance to which to attach + the lifecycle hook. + enum: + - autoscaling:EC2_INSTANCE_LAUNCHING + - autoscaling:EC2_INSTANCE_TERMINATING + type: string + name: + description: The name of the lifecycle hook. + type: string + notificationMetadata: + description: Contains additional metadata that will be passed + to the notification target. + type: string + notificationTargetARN: + description: |- + The ARN of the notification target that Amazon EC2 Auto Scaling uses to + notify you when an instance is in the transition state for the lifecycle hook. + type: string + roleARN: + description: |- + The ARN of the IAM role that allows the Auto Scaling group to publish to the + specified notification target. + type: string + required: + - lifecycleTransition + - name + type: object + type: array + maxSize: + default: 1 + description: MaxSize defines the maximum size of the group. + format: int32 + minimum: 1 + type: integer + minSize: + default: 1 + description: MinSize defines the minimum size of the group. + format: int32 + minimum: 0 + type: integer + mixedInstancesPolicy: + description: MixedInstancesPolicy describes how multiple instance + types will be used by the ASG. + properties: + instancesDistribution: + description: InstancesDistribution to configure distribution of + On-Demand Instances and Spot Instances. + properties: + onDemandAllocationStrategy: + default: prioritized + description: OnDemandAllocationStrategy indicates how to allocate + instance types to fulfill On-Demand capacity. + enum: + - prioritized + - lowest-price + type: string + onDemandBaseCapacity: + default: 0 + format: int64 + type: integer + onDemandPercentageAboveBaseCapacity: + default: 100 + format: int64 + type: integer + spotAllocationStrategy: + default: lowest-price + description: SpotAllocationStrategy indicates how to allocate + instances across Spot Instance pools. 
+ enum: + - lowest-price + - capacity-optimized + - capacity-optimized-prioritized + - price-capacity-optimized + type: string + type: object + overrides: + items: + description: |- + Overrides are used to override the instance type specified by the launch template with multiple + instance types that can be used to launch On-Demand Instances and Spot Instances. + properties: + instanceType: + type: string + required: - instanceType type: object type: array @@ -7013,27 +7475,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -7043,6 +7510,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -7134,7 +7603,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 @@ -7546,11 +8015,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -7565,27 +8042,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -7595,6 +8077,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -7762,6 +8246,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource 
@@ -7771,6 +8257,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string cloudInit: description: |- CloudInit defines options related to the bootstrapping systems where 
@@ -7804,6 +8308,31 @@ spec: - ssm-parameter-store type: string type: object + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. + More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object elasticIpPool: description: ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool. 
@@ -7833,6 +8362,20 @@ spec: - message: allowed values are 'none' and 'amazon-pool' rule: self in ['none','amazon-pool'] type: object + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the Dedicated Host on which the instance + must be started. + type: string iamInstanceProfile: description: IAMInstanceProfile is a name of an IAM instance profile to assign to the instance @@ -7920,9 +8463,10 @@ spec: type: array type: object version: - default: "2.3" - description: Version defines which version of Ignition will be - used to generate bootstrap data. + description: |- + Version defines which version of Ignition will be used to generate bootstrap data. + Defaults to `2.3` if storageType is set to `ClusterObjectStore`. + It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version. enum: - "2.3" - "3.0" @@ -8268,11 +8812,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -8287,27 +8839,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -8317,6 +8874,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -8386,7 +8945,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 
@@ -8465,7 +9024,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -8879,7 +9438,7 @@ spec: additionalProperties: type: string description: |- - Map of string keys and values that can be used to organize and categorize + labels is a map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels @@ -8948,6 +9507,8 @@ spec: enum: - AmazonLinux - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU type: string id: description: ID of resource @@ -8957,6 +9518,24 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string cloudInit: description: |- CloudInit defines options related to the bootstrapping systems where 
@@ -8990,6 +9569,31 @@ spec: - ssm-parameter-store type: string type: object + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. + More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object elasticIpPool: description: ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool. 
@@ -9019,6 +9623,20 @@ spec: - message: allowed values are 'none' and 'amazon-pool' rule: self in ['none','amazon-pool'] type: object + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the Dedicated Host on which + the instance must be started. + type: string iamInstanceProfile: description: IAMInstanceProfile is a name of an IAM instance profile to assign to the instance @@ -9106,9 +9724,10 @@ spec: type: array type: object version: - default: "2.3" - description: Version defines which version of Ignition - will be used to generate bootstrap data. + description: |- + Version defines which version of Ignition will be used to generate bootstrap data. + Defaults to `2.3` if storageType is set to `ClusterObjectStore`. + It will be ignored if storageType is set to `UnencryptedUserData`, as the userdata defines its own version. enum: - "2.3" - "3.0" @@ -9483,7 +10102,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 
@@ -9547,10 +10166,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: @@ -9569,27 +10189,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -9599,6 +10224,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -9642,64 +10269,31 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 cluster.x-k8s.io/v1alpha4: v1alpha4 cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io + name: awsmanagedclustertemplates.infrastructure.cluster.x-k8s.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: capa-webhook-service - namespace: capa-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: controlplane.cluster.x-k8s.io + group: infrastructure.cluster.x-k8s.io names: categories: - cluster-api - kind: AWSManagedControlPlane - listKind: AWSManagedControlPlaneList - plural: awsmanagedcontrolplanes + kind: AWSManagedClusterTemplate + listKind: AWSManagedClusterTemplateList + plural: awsmanagedclustertemplates shortNames: - - awsmcp - singular: awsmanagedcontrolplane + - awsmct + singular: awsmanagedclustertemplate scope: Namespaced versions: - - additionalPrinterColumns: - - description: Cluster to which this AWSManagedControl belongs - jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name - name: Cluster - type: string - - description: Control plane infrastructure is ready for worker nodes - jsonPath: .status.ready - name: Ready - type: string - - description: AWS VPC the control plane is using - jsonPath: .spec.network.vpc.id - name: VPC - type: string - - description: API Endpoint - jsonPath: .spec.controlPlaneEndpoint.host - name: Endpoint - priority: 1 - type: string - - description: Bastion IP address for breakglass access - jsonPath: .status.bastion.publicIp - name: Bastion IP - type: string - name: v1beta1 + - name: v1beta2 schema: openAPIV3Schema: - description: AWSManagedControlPlane is the schema for the Amazon 
EKS Managed - Control Plane API. + description: AWSManagedClusterTemplate is the Schema for the AWSManagedClusterTemplates + API. properties: apiVersion: description: |- 
@@ -9719,18 +10313,140 @@ spec: metadata: type: object spec: - description: AWSManagedControlPlaneSpec defines the desired state of an - Amazon EKS Cluster. + description: AWSManagedClusterTemplateSpec defines the desired state of + AWSManagedClusterTemplate. properties: - additionalTags: - additionalProperties: - type: string - description: |- - AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the - ones added by default. - type: object - addons: - description: Addons defines the EKS addons to enable with the EKS + template: + description: AWSManagedClusterTemplateResource describes the data + needed to create an AWSManagedCluster from a template. + properties: + spec: + description: AWSManagedClusterSpec defines the desired state of + AWSManagedCluster + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint + used to communicate with the control plane. + properties: + host: + description: host is the hostname on which the API server + is serving. + maxLength: 512 + type: string + port: + description: port is the port on which the API server + is serving. 
+ format: int32 + type: integer + required: + - host + - port + type: object + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: capa-system/capa-serving-cert + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + cluster.x-k8s.io/provider: infrastructure-aws + cluster.x-k8s.io/v1alpha3: v1alpha3 + cluster.x-k8s.io/v1alpha4: v1alpha4 + cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 + name: awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: controlplane.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AWSManagedControlPlane + listKind: AWSManagedControlPlaneList + plural: awsmanagedcontrolplanes + shortNames: + - awsmcp + singular: awsmanagedcontrolplane + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this AWSManagedControl belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Control plane infrastructure is ready for worker nodes + jsonPath: .status.ready + name: Ready + type: string + - description: AWS VPC the control plane is using + jsonPath: .spec.network.vpc.id + name: VPC + type: string + - description: API Endpoint + jsonPath: .spec.controlPlaneEndpoint.host + name: Endpoint + priority: 1 + type: string + - description: Bastion IP address for breakglass access + jsonPath: .status.bastion.publicIp + name: Bastion IP + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: AWSManagedControlPlane is the schema for the Amazon EKS Managed + Control Plane API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AWSManagedControlPlaneSpec defines the desired state of an + Amazon EKS Cluster. + properties: + additionalTags: + additionalProperties: + type: string + description: |- + AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the + ones added by default. + type: object + addons: + description: Addons defines the EKS addons to enable with the EKS cluster. items: description: Addon represents a EKS addon. @@ -9751,6 +10467,11 @@ spec: description: Name is the name of the addon minLength: 2 type: string + preserveOnDelete: + description: |- + PreserveOnDelete indicates that the addon resources should be + preserved in the cluster on delete. + type: boolean serviceAccountRoleARN: description: ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account 
@@ -9806,10 +10527,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -10098,6 +10820,83 @@ spec: - toPort type: object type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of + ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security + groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot + be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about + the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. + Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs + as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. + Accepted values are "-1" (all), "4" (IP in IP),"tcp", + "udp", "icmp", and "58" (ICMPv6), "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. + Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role + of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array cni: description: CNI configuration properties: @@ -10765,11 +11564,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -10783,6 +11590,49 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. 
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. @@ -10791,6 +11641,20 @@ spec: description: Specifies whether enhanced networking with ENA is enabled. type: boolean + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the dedicated host on which the + instance should be started. + type: string iamProfile: description: The name of the IAM instance profile associated with the instance, if applicable. 
@@ -11070,27 +11934,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -11100,6 +11969,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -11770,6 +12641,28 @@ spec: description: AWSManagedControlPlaneSpec defines the desired state of an Amazon EKS Cluster. properties: + accessConfig: + description: AccessConfig specifies the access configuration information + for the cluster + properties: + authenticationMode: + default: config_map + description: |- + AuthenticationMode specifies the desired authentication mode for the cluster + Defaults to config_map + enum: + - config_map + - api + - api_and_config_map + type: string + bootstrapClusterCreatorAdminPermissions: + default: true + description: |- + BootstrapClusterCreatorAdminPermissions grants cluster admin permissions + to the IAM identity creating the cluster. Only applied during creation, + ignored when updating existing clusters. Defaults to true. + type: boolean + type: object additionalTags: additionalProperties: type: string @@ -11790,15 +12683,21 @@ spec: default: overwrite description: |- ConflictResolution is used to declare what should happen if there - are parameter conflicts. Defaults to none + are parameter conflicts. Defaults to overwrite enum: - overwrite - none + - preserve type: string name: description: Name is the name of the addon minLength: 2 type: string + preserveOnDelete: + description: |- + PreserveOnDelete indicates that the addon resources should be + preserved in the cluster on delete. + type: boolean serviceAccountRoleARN: description: ServiceAccountRoleArn is the ARN of an IAM role to bind to the addons service account @@ -11861,10 +12760,11 @@ spec: communicate with the control plane. properties: host: - description: The hostname on which the API server is serving. + description: host is the hostname on which the API server is serving. + maxLength: 512 type: string port: - description: The port on which the API server is serving. + description: port is the port on which the API server is serving. format: int32 type: integer required: 
@@ -12144,38 +13044,115 @@ spec: - toPort type: object type: array - cni: - description: CNI configuration - properties: - cniIngressRules: - description: |- - CNIIngressRules specify rules to apply to control plane and worker node security groups. - The source for the rule will be set to control plane and worker security group IDs. - items: - description: CNIIngressRule defines an AWS ingress rule - for CNI requirements. - properties: - description: - type: string - fromPort: - format: int64 - type: integer - protocol: - description: SecurityGroupProtocol defines the protocol - type for a security group rule. - type: string - toPort: - format: int64 - type: integer - required: - - description - - fromPort - - protocol - - toPort - type: object - type: array - type: object - nodePortIngressRuleCidrBlocks: + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional set of + ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule for security + groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access from. Cannot + be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information about + the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access from. + Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs + as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress rule. + Accepted values are "-1" (all), "4" (IP in IP),"tcp", + "udp", "icmp", and "58" (ICMPv6), "50" (ESP). 
+ enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access from. + Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique role + of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. + format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array + cni: + description: CNI configuration + properties: + cniIngressRules: + description: |- + CNIIngressRules specify rules to apply to control plane and worker node security groups. + The source for the rule will be set to control plane and worker security group IDs. + items: + description: CNIIngressRule defines an AWS ingress rule + for CNI requirements. + properties: + description: + type: string + fromPort: + format: int64 + type: integer + protocol: + description: SecurityGroupProtocol defines the protocol + type for a security group rule. + type: string + toPort: + format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array + type: object + nodePortIngressRuleCidrBlocks: description: |- NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services. If none are specified here, all IPs are allowed to connect. 
@@ -12592,6 +13569,30 @@ spec: and no name is supplied then a role is created. minLength: 2 type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string secondaryCidrBlock: description: |- SecondaryCidrBlock is the additional CIDR range to use for pod IPs. @@ -12829,11 +13830,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
@@ -12847,6 +13856,49 @@ spec: description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot` + type: string + cpuOptions: + description: |- + CPUOptions defines CPU-related settings for the instance, including the confidential computing policy. + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default. + minProperties: 1 + properties: + confidentialCompute: + description: |- + ConfidentialCompute specifies whether confidential computing should be enabled for the instance, + and, if so, which confidential computing technology to use. + Valid values are: Disabled, AMDEncryptedVirtualizationNestedPaging + When set to Disabled, confidential computing will be disabled for the instance. + When set to AMDEncryptedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. + In this case, ensure the following conditions are met: + 1) The selected instance type supports AMD SEV-SNP. + 2) The selected AWS region supports AMD SEV-SNP. + 3) The selected AMI supports AMD SEV-SNP. 
+ More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html + When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, + which is subject to change without notice. The current default is Disabled. + enum: + - Disabled + - AMDEncryptedVirtualizationNestedPaging + type: string + type: object ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. @@ -12855,6 +13907,20 @@ spec: description: Specifies whether enhanced networking with ENA is enabled. type: boolean + hostAffinity: + description: |- + HostAffinity specifies the dedicated host affinity setting for the instance. + When hostAffinity is set to host, an instance started onto a specific host always restarts on the same host if stopped. + When hostAffinity is set to default, and you stop and restart the instance, it can be restarted on any available host. + When HostAffinity is defined, HostID is required. + enum: + - default + - host + type: string + hostID: + description: HostID specifies the dedicated host on which the + instance should be started. + type: string iamProfile: description: The name of the IAM instance profile associated with the instance, if applicable. 
@@ -13134,27 +14200,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -13164,6 +14235,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -13795,39 +14868,42 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + cert-manager.io/inject-ca-from: capa-system/capa-serving-cert + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 cluster.x-k8s.io/v1alpha4: v1alpha4 cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: awsmanagedmachinepools.infrastructure.cluster.x-k8s.io + name: awsmanagedcontrolplanetemplates.controlplane.cluster.x-k8s.io spec: - group: infrastructure.cluster.x-k8s.io + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: controlplane.cluster.x-k8s.io names: categories: - cluster-api - kind: AWSManagedMachinePool - listKind: AWSManagedMachinePoolList - plural: awsmanagedmachinepools + kind: AWSManagedControlPlaneTemplate + listKind: AWSManagedControlPlaneTemplateList + plural: awsmanagedcontrolplanetemplates shortNames: - - awsmmp - singular: awsmanagedmachinepool + - awmcpt + singular: awsmanagedcontrolplanetemplate scope: Namespaced versions: - - additionalPrinterColumns: - - description: MachinePool ready status - jsonPath: .status.ready - name: Ready - type: string - - description: Number of replicas - jsonPath: .status.replicas - name: Replicas - type: integer - name: v1beta1 + - name: v1beta2 schema: openAPIV3Schema: - description: AWSManagedMachinePool is the Schema for the awsmanagedmachinepools + description: AWSManagedControlPlaneTemplate is the Schema for the AWSManagedControlPlaneTemplates API. properties: apiVersion: 
@@ -13848,210 +14924,2089 @@ spec: metadata: type: object spec: - description: AWSManagedMachinePoolSpec defines the desired state of AWSManagedMachinePool. + description: AWSManagedControlPlaneTemplateSpec defines the desired state + of AWSManagedControlPlaneTemplate. properties: - additionalTags: - additionalProperties: - type: string - description: |- - AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the - ones added by default. - type: object - amiType: - default: AL2_x86_64 - description: AMIType defines the AMI type - enum: - - AL2_x86_64 - - AL2_x86_64_GPU - - AL2_ARM_64 - - AL2023_x86_64_STANDARD - - AL2023_ARM_64_STANDARD - - CUSTOM - type: string - amiVersion: - description: |- - AMIVersion defines the desired AMI release version. If no version number - is supplied then the latest version for the Kubernetes version - will be used - minLength: 2 - type: string - availabilityZones: - description: AvailabilityZones is an array of availability zones instances - can run in - items: - type: string - type: array - awsLaunchTemplate: - description: |- - AWSLaunchTemplate specifies the launch template to use to create the managed node group. - If AWSLaunchTemplate is specified, certain node group configuraions outside of launch template - are prohibited (https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html). + template: + description: AWSManagedControlPlaneTemplateResource describes the + data needed to create an AWSManagedCluster from a template. properties: - additionalSecurityGroups: - description: |- - AdditionalSecurityGroups is an array of references to security groups that should be applied to the - instances. These security groups would be set in addition to any security groups defined - at the cluster level or in the actuator. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. 
- Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an AWS - resource. - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter values. - Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - ami: - description: AMI is the reference to the AMI from which to create - the machine instance. + spec: + description: AWSManagedControlPlaneSpec defines the desired state + of an Amazon EKS Cluster. properties: - eksLookupType: - description: EKSOptimizedLookupType If specified, will look - up an EKS Optimized image in SSM Parameter store - enum: - - AmazonLinux - - AmazonLinuxGPU - type: string - id: - description: ID of resource - type: string - type: object - iamInstanceProfile: - description: |- - The name or the Amazon Resource Name (ARN) of the instance profile associated - with the IAM role for the instance. The instance profile contains the IAM - role. - type: string - imageLookupBaseOS: - description: |- - ImageLookupBaseOS is the name of the base operating system to use for - image lookup the AMI is not set. - type: string - imageLookupFormat: - description: |- - ImageLookupFormat is the AMI naming format to look up the image for this - machine It will be ignored if an explicit AMI is set. Supports - substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and - kubernetes version, respectively. 
The BaseOS will be the value in - ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as - defined by the packages produced by kubernetes/release without v as a - prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default - image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up - searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a - Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See - also: https://golang.org/pkg/text/template/ - type: string - imageLookupOrg: - description: ImageLookupOrg is the AWS Organization ID to use - for image lookup if AMI is not set. - type: string - instanceType: - description: 'InstanceType is the type of instance to create. - Example: m4.xlarge' - type: string - name: - description: The name of the launch template. - type: string - rootVolume: - description: RootVolume encapsulates the configuration options - for the root volume - properties: - deviceName: - description: Device name - type: string - encrypted: - description: Encrypted is whether the volume should be encrypted - or not. + accessConfig: + description: AccessConfig specifies the access configuration + information for the cluster + properties: + authenticationMode: + default: config_map + description: |- + AuthenticationMode specifies the desired authentication mode for the cluster + Defaults to config_map + enum: + - config_map + - api + - api_and_config_map + type: string + bootstrapClusterCreatorAdminPermissions: + default: true + description: |- + BootstrapClusterCreatorAdminPermissions grants cluster admin permissions + to the IAM identity creating the cluster. Only applied during creation, + ignored when updating existing clusters. Defaults to true. 
+ type: boolean + type: object + additionalTags: + additionalProperties: + type: string + description: |- + AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the + ones added by default. + type: object + addons: + description: Addons defines the EKS addons to enable with + the EKS cluster. + items: + description: Addon represents a EKS addon. + properties: + configuration: + description: Configuration of the EKS addon + type: string + conflictResolution: + default: overwrite + description: |- + ConflictResolution is used to declare what should happen if there + are parameter conflicts. Defaults to overwrite + enum: + - overwrite + - none + - preserve + type: string + name: + description: Name is the name of the addon + minLength: 2 + type: string + preserveOnDelete: + description: |- + PreserveOnDelete indicates that the addon resources should be + preserved in the cluster on delete. + type: boolean + serviceAccountRoleARN: + description: ServiceAccountRoleArn is the ARN of an + IAM role to bind to the addons service account + type: string + version: + description: Version is the version of the addon to + use + type: string + required: + - name + - version + type: object + type: array + associateOIDCProvider: + default: false + description: |- + AssociateOIDCProvider can be enabled to automatically create an identity + provider for the controller for use with IAM roles for service accounts type: boolean - encryptionKey: + bastion: + description: Bastion contains options to configure the bastion + host. + properties: + allowedCIDRBlocks: + description: |- + AllowedCIDRBlocks is a list of CIDR blocks allowed to access the bastion host. + They are set as ingress rules for the Bastion host's Security Group (defaults to 0.0.0.0/0). + items: + type: string + type: array + ami: + description: |- + AMI will use the specified AMI to boot the bastion. 
If not specified, + the AMI will default to one picked out in public space. + type: string + disableIngressRules: + description: |- + DisableIngressRules will ensure there are no Ingress rules in the bastion host's security group. + Requires AllowedCIDRBlocks to be empty. + type: boolean + enabled: + description: |- + Enabled allows this provider to create a bastion host instance + with a public ip to access the VPC private network. + type: boolean + instanceType: + description: |- + InstanceType will use the specified instance type for the bastion. If not specified, + Cluster API Provider AWS will use t3.micro for all regions except us-east-1, where t2.micro + will be the default. + type: string + type: object + bootstrapSelfManagedAddons: + default: true description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. + BootstrapSelfManagedAddons is used to set configuration options for + bare EKS cluster without EKS default networking addons + If you set this value to false when creating a cluster, the default networking add-ons will not be installed + type: boolean + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint + used to communicate with the control plane. + properties: + host: + description: host is the hostname on which the API server + is serving. + maxLength: 512 + type: string + port: + description: port is the port on which the API server + is serving. + format: int32 + type: integer + required: + - host + - port + type: object + eksClusterName: + description: |- + EKSClusterName allows you to specify the name of the EKS cluster in + AWS. If you don't specify a name then a default name will be created + based on the namespace and name of the managed control plane. 
type: string - iops: - description: IOPS is the number of IOPS requested for the - disk. Not applicable to all types. - format: int64 - type: integer - size: + encryptionConfig: + description: EncryptionConfig specifies the encryption configuration + for the cluster + properties: + provider: + description: Provider specifies the ARN or alias of the + CMK (in AWS KMS) + type: string + resources: + description: Resources specifies the resources to be encrypted + items: + type: string + type: array + type: object + endpointAccess: + description: Endpoints specifies access to this cluster's + control plane endpoints + properties: + private: + description: Private points VPC-internal control plane + access to the private endpoint + type: boolean + public: + description: Public controls whether control plane endpoints + are publicly accessible + type: boolean + publicCIDRs: + description: PublicCIDRs specifies which blocks can access + the public endpoint + items: + type: string + type: array + type: object + iamAuthenticatorConfig: description: |- - Size specifies size (in Gi) of the storage device. - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - throughput: - description: Throughput to provision in MiB/s supported for - the volume type. Not applicable to all types. - format: int64 - type: integer - type: - description: Type is the type of the volume (e.g. gp2, io1, - etc...). + IAMAuthenticatorConfig allows the specification of any additional user or role mappings + for use when generating the aws-iam-authenticator configuration. If this is nil the + default configuration is still generated for the cluster. + properties: + mapRoles: + description: RoleMappings is a list of role mappings + items: + description: RoleMapping represents a mapping from a + IAM role to Kubernetes users and groups. 
+ properties: + groups: + description: Groups is a list of kubernetes RBAC + groups + items: + type: string + type: array + rolearn: + description: RoleARN is the AWS ARN for the role + to map + minLength: 31 + type: string + username: + description: UserName is a kubernetes RBAC user + subject + type: string + required: + - groups + - rolearn + - username + type: object + type: array + mapUsers: + description: UserMappings is a list of user mappings + items: + description: UserMapping represents a mapping from an + IAM user to Kubernetes users and groups. + properties: + groups: + description: Groups is a list of kubernetes RBAC + groups + items: + type: string + type: array + userarn: + description: UserARN is the AWS ARN for the user + to map + minLength: 31 + type: string + username: + description: UserName is a kubernetes RBAC user + subject + type: string + required: + - groups + - userarn + - username + type: object + type: array + type: object + identityRef: + description: |- + IdentityRef is a reference to an identity to be used when reconciling the managed control plane. + If no identity is specified, the default identity for this controller will be used. + properties: + kind: + description: Kind of the identity. + enum: + - AWSClusterControllerIdentity + - AWSClusterRoleIdentity + - AWSClusterStaticIdentity + type: string + name: + description: Name of the identity. + minLength: 1 + type: string + required: + - kind + - name + type: object + imageLookupBaseOS: + description: |- + ImageLookupBaseOS is the name of the base operating system used to look + up machine images when a machine does not specify an AMI. When set, this + will be used for all cluster machines unless a machine specifies a + different ImageLookupBaseOS. type: string - required: - - size - type: object - spotMarketOptions: - description: SpotMarketOptions are options for configuring AWSMachinePool - instances to be run using AWS Spot instances. 
- properties: - maxPrice: - description: MaxPrice defines the maximum price the user is - willing to pay for Spot VM instances + imageLookupFormat: + description: |- + ImageLookupFormat is the AMI naming format to look up machine images when + a machine does not specify an AMI. When set, this will be used for all + cluster machines unless a machine specifies a different ImageLookupOrg. + Supports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base + OS and kubernetes version, respectively. The BaseOS will be the value in + ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as + defined by the packages produced by kubernetes/release without v as a + prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default + image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up + searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a + Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See + also: https://golang.org/pkg/text/template/ type: string - type: object - sshKeyName: - description: |- - SSHKeyName is the name of the ssh key to attach to the instance. Valid values are empty string - (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name) - type: string - versionNumber: - description: |- - VersionNumber is the version of the launch template that is applied. - Typically a new version is created when at least one of the following happens: - 1) A new launch template spec is applied. - 2) One or more parameters in an existing template is changed. - 3) A new AMI is discovered. - format: int64 - type: integer - type: object - capacityType: - default: onDemand - description: CapacityType specifies the capacity type for the ASG - behind this pool - enum: - - onDemand - - spot - type: string - diskSize: + imageLookupOrg: + description: |- + ImageLookupOrg is the AWS Organization ID to look up machine images when a + machine does not specify an AMI. 
When set, this will be used for all + cluster machines unless a machine specifies a different ImageLookupOrg. + type: string + kubeProxy: + description: KubeProxy defines managed attributes of the kube-proxy + daemonset + properties: + disable: + default: false + description: |- + Disable set to true indicates that kube-proxy should be disabled. With EKS clusters + kube-proxy is automatically installed into the cluster. For clusters where you want + to use kube-proxy functionality that is provided with an alternate CNI, this option + provides a way to specify that the kube-proxy daemonset should be deleted. You cannot + set this to true if you are using the Amazon kube-proxy addon. + type: boolean + type: object + logging: + description: |- + Logging specifies which EKS Cluster logs should be enabled. Entries for + each of the enabled logs will be sent to CloudWatch + properties: + apiServer: + default: false + description: APIServer indicates if the Kubernetes API + Server log (kube-apiserver) shoulkd be enabled + type: boolean + audit: + default: false + description: Audit indicates if the Kubernetes API audit + log should be enabled + type: boolean + authenticator: + default: false + description: Authenticator indicates if the iam authenticator + log should be enabled + type: boolean + controllerManager: + default: false + description: ControllerManager indicates if the controller + manager (kube-controller-manager) log should be enabled + type: boolean + scheduler: + default: false + description: Scheduler indicates if the Kubernetes scheduler + (kube-scheduler) log should be enabled + type: boolean + required: + - apiServer + - audit + - authenticator + - controllerManager + - scheduler + type: object + network: + description: NetworkSpec encapsulates all things related to + AWS network. 
+ properties: + additionalControlPlaneIngressRules: + description: AdditionalControlPlaneIngressRules is an + optional set of ingress rules to add to the control + plane + items: + description: IngressRule defines an AWS ingress rule + for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information + about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways + IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress + rule. Accepted values are "-1" (all), "4" (IP + in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), + "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access + from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique + role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array + additionalNodeIngressRules: + description: AdditionalNodeIngressRules is an optional + set of ingress rules to add to every node + items: + description: IngressRule defines an AWS ingress rule + for security groups. + properties: + cidrBlocks: + description: List of CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + description: + description: Description provides extended information + about the ingress rule. + type: string + fromPort: + description: FromPort is the start of port range. + format: int64 + type: integer + ipv6CidrBlocks: + description: List of IPv6 CIDR blocks to allow access + from. Cannot be specified with SourceSecurityGroupID. + items: + type: string + type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways + IPs as the source for the ingress rule. + type: boolean + protocol: + description: Protocol is the protocol for the ingress + rule. Accepted values are "-1" (all), "4" (IP + in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), + "50" (ESP). + enum: + - "-1" + - "4" + - tcp + - udp + - icmp + - "58" + - "50" + type: string + sourceSecurityGroupIds: + description: The security group id to allow access + from. Cannot be specified with CidrBlocks. + items: + type: string + type: array + sourceSecurityGroupRoles: + description: |- + The security group role to allow access from. Cannot be specified with CidrBlocks. + The field will be combined with source security group IDs if specified. + items: + description: SecurityGroupRole defines the unique + role of a security group. + enum: + - bastion + - node + - controlplane + - apiserver-lb + - lb + - node-eks-additional + type: string + type: array + toPort: + description: ToPort is the end of port range. 
+ format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array + cni: + description: CNI configuration + properties: + cniIngressRules: + description: |- + CNIIngressRules specify rules to apply to control plane and worker node security groups. + The source for the rule will be set to control plane and worker security group IDs. + items: + description: CNIIngressRule defines an AWS ingress + rule for CNI requirements. + properties: + description: + type: string + fromPort: + format: int64 + type: integer + protocol: + description: SecurityGroupProtocol defines the + protocol type for a security group rule. + type: string + toPort: + format: int64 + type: integer + required: + - description + - fromPort + - protocol + - toPort + type: object + type: array + type: object + nodePortIngressRuleCidrBlocks: + description: |- + NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services. + If none are specified here, all IPs are allowed to connect. + items: + type: string + type: array + securityGroupOverrides: + additionalProperties: + type: string + description: |- + SecurityGroupOverrides is an optional set of security groups to use for cluster instances + This is optional - if not provided new security groups will be created for the cluster + type: object + subnets: + description: Subnets configuration. + items: + description: SubnetSpec configures an AWS Subnet. + properties: + availabilityZone: + description: AvailabilityZone defines the availability + zone to use for this subnet in the cluster's region. + type: string + cidrBlock: + description: CidrBlock is the CIDR block to be used + when the provider creates a managed VPC. + type: string + id: + description: |- + ID defines a unique identifier to reference this resource. + If you're bringing your subnet, set the AWS subnet-id here, it must start with `subnet-`. 
+ + When the VPC is managed by CAPA, and you'd like the provider to create a subnet for you, + the id can be set to any placeholder value that does not start with `subnet-`; + upon creation, the subnet AWS identifier will be populated in the `ResourceID` field and + the `id` field is going to be used as the subnet name. If you specify a tag + called `Name`, it takes precedence. + type: string + ipv6CidrBlock: + description: |- + IPv6CidrBlock is the IPv6 CIDR block to be used when the provider creates a managed VPC. + A subnet can have an IPv4 and an IPv6 address. + IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object. + type: string + isIpv6: + description: |- + IsIPv6 defines the subnet as an IPv6 subnet. A subnet is IPv6 when it is associated with a VPC that has IPv6 enabled. + IPv6 is only supported in managed clusters, this field cannot be set on AWSCluster object. + type: boolean + isPublic: + description: IsPublic defines the subnet as a public + subnet. A subnet is public when it is associated + with a route table that has a route to an internet + gateway. + type: boolean + natGatewayId: + description: |- + NatGatewayID is the NAT gateway id associated with the subnet. + Ignored unless the subnet is managed by the provider, in which case this is set on the public subnet where the NAT gateway resides. It is then used to determine routes for private subnets in the same AZ as the public subnet. + type: string + parentZoneName: + description: |- + ParentZoneName is the zone name where the current subnet's zone is tied when + the zone is a Local Zone. + + The subnets in Local Zone or Wavelength Zone locations consume the ParentZoneName + to select the correct private route table to egress traffic to the internet. + type: string + resourceID: + description: |- + ResourceID is the subnet identifier from AWS, READ ONLY. + This field is populated when the provider manages the subnet. 
+ type: string + routeTableId: + description: RouteTableID is the routing table id + associated with the subnet. + type: string + tags: + additionalProperties: + type: string + description: Tags is a collection of tags describing + the resource. + type: object + zoneType: + description: |- + ZoneType defines the type of the zone where the subnet is created. + + The valid values are availability-zone, local-zone, and wavelength-zone. + + Subnet with zone type availability-zone (regular) is always selected to create cluster + resources, like Load Balancers, NAT Gateways, Contol Plane nodes, etc. + + Subnet with zone type local-zone or wavelength-zone is not eligible to automatically create + regular cluster resources. + + The public subnet in availability-zone or local-zone is associated with regular public + route table with default route entry to a Internet Gateway. + + The public subnet in wavelength-zone is associated with a carrier public + route table with default route entry to a Carrier Gateway. + + The private subnet in the availability-zone is associated with a private route table with + the default route entry to a NAT Gateway created in that zone. + + The private subnet in the local-zone or wavelength-zone is associated with a private route table with + the default route entry re-using the NAT Gateway in the Region (preferred from the + parent zone, the zone type availability-zone in the region, or first table available). + enum: + - availability-zone + - local-zone + - wavelength-zone + type: string + required: + - id + type: object + type: array + x-kubernetes-list-map-keys: + - id + x-kubernetes-list-type: map + vpc: + description: VPC configuration. + properties: + availabilityZoneSelection: + default: Ordered + description: |- + AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs + in a region than specified by AvailabilityZoneUsageLimit. 
There are 2 selection schemes: + Ordered - selects based on alphabetical order + Random - selects AZs randomly in a region + Defaults to Ordered + enum: + - Ordered + - Random + type: string + availabilityZoneUsageLimit: + default: 3 + description: |- + AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that + should be used in a region when automatically creating subnets. If a region has more + than this number of AZs then this number of AZs will be picked randomly when creating + default subnets. Defaults to 3 + minimum: 1 + type: integer + carrierGatewayId: + description: |- + CarrierGatewayID is the id of the internet gateway associated with the VPC, + for carrier network (Wavelength Zones). + type: string + x-kubernetes-validations: + - message: Carrier Gateway ID must start with 'cagw-' + rule: self.startsWith('cagw-') + cidrBlock: + description: |- + CidrBlock is the CIDR block to be used when the provider creates a managed VPC. + Defaults to 10.0.0.0/16. + Mutually exclusive with IPAMPool. + type: string + elasticIpPool: + description: |- + ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool + brought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for + the API Server. + properties: + publicIpv4Pool: + description: |- + PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources + created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom + Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool + resource ID starts with 'ipv4pool-ec2'. + maxLength: 30 + type: string + publicIpv4PoolFallbackOrder: + description: |- + PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, + no more IPv4 address available in the pool. 
+ + When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the + IPv4 limit, the address will be claimed from Amazon-pool (default). + + When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. + enum: + - amazon-pool + - none + type: string + x-kubernetes-validations: + - message: allowed values are 'none' and 'amazon-pool' + rule: self in ['none','amazon-pool'] + type: object + emptyRoutesDefaultVPCSecurityGroup: + description: |- + EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress + and egress rules should be removed. + + By default, when creating a VPC, AWS creates a security group called `default` with ingress and egress + rules that allow traffic from anywhere. The group could be used as a potential surface attack and + it's generally suggested that the group rules are removed or modified appropriately. + + NOTE: This only applies when the VPC is managed by the Cluster API AWS controller. + type: boolean + id: + description: ID is the vpc-id of the VPC this provider + should use to create resources. + type: string + internetGatewayId: + description: InternetGatewayID is the id of the internet + gateway associated with the VPC. + type: string + ipamPool: + description: |- + IPAMPool defines the IPAMv4 pool to be used for VPC. + Mutually exclusive with CidrBlock. + properties: + id: + description: ID is the ID of the IPAM pool this + provider should use to create VPC. + type: string + name: + description: Name is the name of the IPAM pool + this provider should use to create VPC. + type: string + netmaskLength: + description: |- + The netmask length of the IPv4 CIDR you want to allocate to VPC from + an Amazon VPC IP Address Manager (IPAM) pool. + Defaults to /16 for IPv4 if not specified. 
+ format: int64 + type: integer + type: object + ipv6: + description: |- + IPv6 contains ipv6 specific settings for the network. Supported only in managed clusters. + This field cannot be set on AWSCluster object. + properties: + cidrBlock: + description: |- + CidrBlock is the CIDR block provided by Amazon when VPC has enabled IPv6. + Mutually exclusive with IPAMPool. + type: string + egressOnlyInternetGatewayId: + description: EgressOnlyInternetGatewayID is the + id of the egress only internet gateway associated + with an IPv6 enabled VPC. + type: string + ipamPool: + description: |- + IPAMPool defines the IPAMv6 pool to be used for VPC. + Mutually exclusive with CidrBlock. + properties: + id: + description: ID is the ID of the IPAM pool + this provider should use to create VPC. + type: string + name: + description: Name is the name of the IPAM + pool this provider should use to create + VPC. + type: string + netmaskLength: + description: |- + The netmask length of the IPv4 CIDR you want to allocate to VPC from + an Amazon VPC IP Address Manager (IPAM) pool. + Defaults to /16 for IPv4 if not specified. + format: int64 + type: integer + type: object + poolId: + description: |- + PoolID is the IP pool which must be defined in case of BYO IP is defined. + Must be specified if CidrBlock is set. + Mutually exclusive with IPAMPool. + type: string + type: object + privateDnsHostnameTypeOnLaunch: + description: |- + PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch. + For IPv4-only and dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the instance IPv4 address (ip-name) + or the instance ID (resource-name). For IPv6 only subnets, an instance DNS name must be based on the instance ID (resource-name). + enum: + - ip-name + - resource-name + type: string + secondaryCidrBlocks: + description: |- + SecondaryCidrBlocks are additional CIDR blocks to be associated when the provider creates a managed VPC. 
+ Defaults to none. Mutually exclusive with IPAMPool. This makes sense to use if, for example, you want to use + a separate IP range for pods (e.g. Cilium ENI mode). + items: + description: VpcCidrBlock defines the CIDR block + and settings to associate with the managed VPC. + Currently, only IPv4 is supported. + properties: + ipv4CidrBlock: + description: IPv4CidrBlock is the IPv4 CIDR + block to associate with the managed VPC. + minLength: 1 + type: string + required: + - ipv4CidrBlock + type: object + type: array + subnetSchema: + default: PreferPrivate + description: |- + SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs. + PreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets. + PreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet + that will be further sub-divided for the private subnets. + Defaults to PreferPrivate + enum: + - PreferPrivate + - PreferPublic + type: string + tags: + additionalProperties: + type: string + description: Tags is a collection of tags describing + the resource. + type: object + type: object + type: object + oidcIdentityProviderConfig: + description: |- + IdentityProviderconfig is used to specify the oidc provider config + to be attached with this eks cluster + properties: + clientId: + description: |- + This is also known as audience. The ID for the client application that makes + authentication requests to the OpenID identity provider. + type: string + groupsClaim: + description: The JWT claim that the provider uses to return + your groups. + type: string + groupsPrefix: + description: |- + The prefix that is prepended to group claims to prevent clashes with existing + names (such as system: groups). For example, the valueoidc: will create group + names like oidc:engineering and oidc:infra. 
+ type: string + identityProviderConfigName: + description: |- + The name of the OIDC provider configuration. + + IdentityProviderConfigName is a required field + type: string + issuerUrl: + description: |- + The URL of the OpenID identity provider that allows the API server to discover + public signing keys for verifying tokens. The URL must begin with https:// + and should correspond to the iss claim in the provider's OIDC ID tokens. + Per the OIDC standard, path components are allowed but query parameters are + not. Typically the URL consists of only a hostname, like https://server.example.org + or https://example.com. This URL should point to the level below .well-known/openid-configuration + and must be publicly accessible over the internet. + type: string + requiredClaims: + additionalProperties: + type: string + description: |- + The key value pairs that describe required claims in the identity token. + If set, each claim is verified to be present in the token with a matching + value. For the maximum number of claims that you can require, see Amazon + EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html) + in the Amazon EKS User Guide. + type: object + tags: + additionalProperties: + type: string + description: tags to apply to oidc identity provider association + type: object + usernameClaim: + description: |- + The JSON Web Token (JWT) claim to use as the username. The default is sub, + which is expected to be a unique identifier of the end user. You can choose + other claims, such as email or name, depending on the OpenID identity provider. + Claims other than email are prefixed with the issuer URL to prevent naming + clashes with other plug-ins. + type: string + usernamePrefix: + description: |- + The prefix that is prepended to username claims to prevent clashes with existing + names. If you do not provide this field, and username is a value other than + email, the prefix defaults to issuerurl#. 
You can use the value - to disable + all prefixing. + type: string + required: + - clientId + - identityProviderConfigName + - issuerUrl + type: object + partition: + description: Partition is the AWS security partition being + used. Defaults to "aws" + type: string + region: + description: The AWS Region the cluster lives in. + type: string + restrictPrivateSubnets: + default: false + description: RestrictPrivateSubnets indicates that the EKS + control plane should only use private subnets. + type: boolean + roleAdditionalPolicies: + description: |- + RoleAdditionalPolicies allows you to attach additional polices to + the control plane role. You must enable the EKSAllowAddRoles + feature flag to incorporate these into the created role. + items: + type: string + type: array + roleName: + description: |- + RoleName specifies the name of IAM role that gives EKS + permission to make API calls. If the role is pre-existing + we will treat it as unmanaged and not delete it on + deletion. If the EKSEnableIAM feature flag is true + and no name is supplied then a role is created. + minLength: 2 + type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. 
To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string + secondaryCidrBlock: + description: |- + SecondaryCidrBlock is the additional CIDR range to use for pod IPs. + Must be within the 100.64.0.0/10 or 198.19.0.0/16 range. + type: string + sshKeyName: + description: SSHKeyName is the name of the ssh key to attach + to the bastion host. Valid values are empty string (do not + use SSH keys), a valid SSH key name, or omitted (use the + default SSH key name) + type: string + tokenMethod: + default: iam-authenticator + description: |- + TokenMethod is used to specify the method for obtaining a client token for communicating with EKS + iam-authenticator - obtains a client token using iam-authentictor + aws-cli - obtains a client token using the AWS CLI + Defaults to iam-authenticator + enum: + - iam-authenticator + - aws-cli + type: string + version: + description: |- + Version defines the desired Kubernetes version. If no version number + is supplied then the latest version of Kubernetes that EKS supports + will be used. + minLength: 2 + pattern: ^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.?(\.0|[1-9][0-9]*)?$ + type: string + vpcCni: + description: VpcCni is used to set configuration options for + the VPC CNI plugin + properties: + disable: + default: false + description: |- + Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the + Amazon VPC CNI is automatically installed into the cluster. For clusters where you want + to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI + should be deleted. You cannot set this to true if you are using the + Amazon VPC CNI addon. 
+ type: boolean + env: + description: Env defines a list of environment variables + to apply to the `aws-node` DaemonSet + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + type: object + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + cluster.x-k8s.io/provider: infrastructure-aws + cluster.x-k8s.io/v1alpha3: v1alpha3 + cluster.x-k8s.io/v1alpha4: v1alpha4 + cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 + name: awsmanagedmachinepools.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AWSManagedMachinePool + listKind: AWSManagedMachinePoolList + plural: awsmanagedmachinepools + shortNames: + - awsmmp + singular: awsmanagedmachinepool + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: MachinePool ready status + jsonPath: .status.ready + name: Ready + type: string + - description: Number of replicas + jsonPath: .status.replicas + name: Replicas + type: integer + name: v1beta1 + schema: + openAPIV3Schema: + description: AWSManagedMachinePool is the Schema for the awsmanagedmachinepools + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AWSManagedMachinePoolSpec defines the desired state of AWSManagedMachinePool. + properties: + additionalTags: + additionalProperties: + type: string + description: |- + AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the + ones added by default. + type: object + amiType: + default: AL2_x86_64 + description: AMIType defines the AMI type + enum: + - AL2_x86_64 + - AL2_x86_64_GPU + - AL2_ARM_64 + - AL2023_x86_64_STANDARD + - AL2023_ARM_64_STANDARD + - CUSTOM + type: string + amiVersion: + description: |- + AMIVersion defines the desired AMI release version. If no version number + is supplied then the latest version for the Kubernetes version + will be used + minLength: 2 + type: string + availabilityZones: + description: AvailabilityZones is an array of availability zones instances + can run in + items: + type: string + type: array + awsLaunchTemplate: + description: |- + AWSLaunchTemplate specifies the launch template to use to create the managed node group. + If AWSLaunchTemplate is specified, certain node group configuraions outside of launch template + are prohibited (https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html). + properties: + additionalSecurityGroups: + description: |- + AdditionalSecurityGroups is an array of references to security groups that should be applied to the + instances. These security groups would be set in addition to any security groups defined + at the cluster level or in the actuator. + items: + description: |- + AWSResourceReference is a reference to a specific AWS resource by ID or filters. + Only one of ID or Filters may be specified. 
Specifying more than one will result in + a validation error. + properties: + filters: + description: |- + Filters is a set of key/value pairs used to identify a resource + They are applied according to the rules defined by the AWS API: + https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html + items: + description: Filter is a filter used to identify an AWS + resource. + properties: + name: + description: Name of the filter. Filter names are + case-sensitive. + type: string + values: + description: Values includes one or more filter values. + Filter values are case-sensitive. + items: + type: string + type: array + required: + - name + - values + type: object + type: array + id: + description: ID of resource + type: string + type: object + type: array + ami: + description: AMI is the reference to the AMI from which to create + the machine instance. + properties: + eksLookupType: + description: EKSOptimizedLookupType If specified, will look + up an EKS Optimized image in SSM Parameter store + enum: + - AmazonLinux + - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU + type: string + id: + description: ID of resource + type: string + type: object + iamInstanceProfile: + description: |- + The name or the Amazon Resource Name (ARN) of the instance profile associated + with the IAM role for the instance. The instance profile contains the IAM + role. + type: string + imageLookupBaseOS: + description: |- + ImageLookupBaseOS is the name of the base operating system to use for + image lookup the AMI is not set. + type: string + imageLookupFormat: + description: |- + ImageLookupFormat is the AMI naming format to look up the image for this + machine It will be ignored if an explicit AMI is set. Supports + substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and + kubernetes version, respectively. 
The BaseOS will be the value in + ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as + defined by the packages produced by kubernetes/release without v as a + prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default + image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up + searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a + Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See + also: https://golang.org/pkg/text/template/ + type: string + imageLookupOrg: + description: ImageLookupOrg is the AWS Organization ID to use + for image lookup if AMI is not set. + type: string + instanceType: + description: 'InstanceType is the type of instance to create. + Example: m4.xlarge' + type: string + name: + description: The name of the launch template. + type: string + rootVolume: + description: RootVolume encapsulates the configuration options + for the root volume + properties: + deviceName: + description: Device name + type: string + encrypted: + description: Encrypted is whether the volume should be encrypted + or not. + type: boolean + encryptionKey: + description: |- + EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. + If Encrypted is set and this is omitted, the default AWS key will be used. + The key must already exist and be accessible by the controller. + type: string + iops: + description: IOPS is the number of IOPS requested for the + disk. Not applicable to all types. + format: int64 + type: integer + size: + description: |- + Size specifies size (in Gi) of the storage device. + Must be greater than the image snapshot size or 8 (whichever is greater). + format: int64 + minimum: 8 + type: integer + throughput: + description: Throughput to provision in MiB/s supported for + the volume type. Not applicable to all types. + format: int64 + type: integer + type: + description: Type is the type of the volume (e.g. gp2, io1, + etc...). 
+ type: string + required: + - size + type: object + spotMarketOptions: + description: SpotMarketOptions are options for configuring AWSMachinePool + instances to be run using AWS Spot instances. + properties: + maxPrice: + description: MaxPrice defines the maximum price the user is + willing to pay for Spot VM instances + type: string + type: object + sshKeyName: + description: |- + SSHKeyName is the name of the ssh key to attach to the instance. Valid values are empty string + (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name) + type: string + versionNumber: + description: |- + VersionNumber is the version of the launch template that is applied. + Typically a new version is created when at least one of the following happens: + 1) A new launch template spec is applied. + 2) One or more parameters in an existing template is changed. + 3) A new AMI is discovered. + format: int64 + type: integer + type: object + capacityType: + default: onDemand + description: CapacityType specifies the capacity type for the ASG + behind this pool + enum: + - onDemand + - spot + type: string + diskSize: + description: DiskSize specifies the root disk size + format: int32 + type: integer + eksNodegroupName: + description: |- + EKSNodegroupName specifies the name of the nodegroup in AWS + corresponding to this MachinePool. If you don't specify a name + then a default name will be created based on the namespace and + name of the managed machine pool. 
+ type: string + instanceType: + description: InstanceType specifies the AWS instance type + type: string + labels: + additionalProperties: + type: string + description: Labels specifies labels for the Kubernetes node objects + type: object + providerIDList: + description: |- + ProviderIDList are the provider IDs of instances in the + autoscaling group corresponding to the nodegroup represented by this + machine pool + items: + type: string + type: array + remoteAccess: + description: RemoteAccess specifies how machines can be accessed remotely + properties: + public: + description: Public specifies whether to open port 22 to the public + internet + type: boolean + sourceSecurityGroups: + description: SourceSecurityGroups specifies which security groups + are allowed access + items: + type: string + type: array + sshKeyName: + description: |- + SSHKeyName specifies which EC2 SSH key can be used to access machines. + If left empty, the key from the control plane is used. + type: string + type: object + roleAdditionalPolicies: + description: |- + RoleAdditionalPolicies allows you to attach additional polices to + the node group role. You must enable the EKSAllowAddRoles + feature flag to incorporate these into the created role. + items: + type: string + type: array + roleName: + description: |- + RoleName specifies the name of IAM role for the node group. + If the role is pre-existing we will treat it as unmanaged + and not delete it on deletion. If the EKSEnableIAM feature + flag is true and no name is supplied then a role is created. 
+ type: string + scaling: + description: Scaling specifies scaling for the ASG behind this pool + properties: + maxSize: + format: int32 + type: integer + minSize: + format: int32 + type: integer + type: object + subnetIDs: + description: |- + SubnetIDs specifies which subnets are used for the + auto scaling group of this nodegroup + items: + type: string + type: array + taints: + description: Taints specifies the taints to apply to the nodes of + the machine pool + items: + description: Taint defines the specs for a Kubernetes taint. + properties: + effect: + description: Effect specifies the effect for the taint + enum: + - no-schedule + - no-execute + - prefer-no-schedule + type: string + key: + description: Key is the key of the taint + type: string + value: + description: Value is the value of the taint + type: string + required: + - effect + - key + - value + type: object + type: array + updateConfig: + description: |- + UpdateConfig holds the optional config to control the behaviour of the update + to the nodegroup. + properties: + maxUnavailable: + description: |- + MaxUnavailable is the maximum number of nodes unavailable at once during a version update. + Nodes will be updated in parallel. The maximum number is 100. + maximum: 100 + minimum: 1 + type: integer + maxUnavailablePrecentage: + description: |- + MaxUnavailablePercentage is the maximum percentage of nodes unavailable during a version update. This + percentage of nodes will be updated in parallel, up to 100 nodes at once. + maximum: 100 + minimum: 1 + type: integer + type: object + type: object + status: + description: AWSManagedMachinePoolStatus defines the observed state of + AWSManagedMachinePool. + properties: + conditions: + description: Conditions defines current service state of the managed + machine pool + items: + description: Condition defines an observation of a Cluster API resource + operational state. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This field may be empty. + maxLength: 10240 + minLength: 1 + type: string + reason: + description: |- + reason is the reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may be empty. + maxLength: 256 + minLength: 1 + type: string + severity: + description: |- + severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + maxLength: 32 + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + failureMessage: + description: |- + FailureMessage will be set in the event that there is a terminal problem + reconciling the MachinePool and will contain a more verbose string suitable + for logging and human consumption. 
+ + This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over + time (like service outages), but instead indicate that something is + fundamentally wrong with the MachinePool's spec or the configuration of + the controller, and that manual intervention is required. Examples + of terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the + responsible controller itself being critically misconfigured. + + Any transient errors that occur during the reconciliation of MachinePools + can be added as events to the MachinePool object and/or logged in the + controller's output. + type: string + failureReason: + description: |- + FailureReason will be set in the event that there is a terminal problem + reconciling the MachinePool and will contain a succinct value suitable + for machine interpretation. + + This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over + time (like service outages), but instead indicate that something is + fundamentally wrong with the Machine's spec or the configuration of + the controller, and that manual intervention is required. Examples + of terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the + responsible controller itself being critically misconfigured. + + Any transient errors that occur during the reconciliation of MachinePools + can be added as events to the MachinePool object and/or logged in the + controller's output. 
+ type: string + launchTemplateID: + description: The ID of the launch template + type: string + launchTemplateVersion: + description: The version of the launch template + type: string + ready: + default: false + description: |- + Ready denotes that the AWSManagedMachinePool nodegroup has joined + the cluster + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + required: + - ready + type: object + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: MachinePool ready status + jsonPath: .status.ready + name: Ready + type: string + - description: Number of replicas + jsonPath: .status.replicas + name: Replicas + type: integer + name: v1beta2 + schema: + openAPIV3Schema: + description: AWSManagedMachinePool is the Schema for the awsmanagedmachinepools + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AWSManagedMachinePoolSpec defines the desired state of AWSManagedMachinePool. + properties: + additionalTags: + additionalProperties: + type: string + description: |- + AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the + ones added by default. 
+ type: object + amiType: + default: AL2_x86_64 + description: AMIType defines the AMI type + enum: + - AL2_x86_64 + - AL2_x86_64_GPU + - AL2_ARM_64 + - CUSTOM + - BOTTLEROCKET_ARM_64 + - BOTTLEROCKET_x86_64 + - BOTTLEROCKET_ARM_64_FIPS + - BOTTLEROCKET_x86_64_FIPS + - BOTTLEROCKET_ARM_64_NVIDIA + - BOTTLEROCKET_x86_64_NVIDIA + - WINDOWS_CORE_2019_x86_64 + - WINDOWS_FULL_2019_x86_64 + - WINDOWS_CORE_2022_x86_64 + - WINDOWS_FULL_2022_x86_64 + - AL2023_x86_64_STANDARD + - AL2023_ARM_64_STANDARD + - AL2023_x86_64_NEURON + - AL2023_x86_64_NVIDIA + - AL2023_ARM_64_NVIDIA + type: string + amiVersion: + description: |- + AMIVersion defines the desired AMI release version. If no version number + is supplied then the latest version for the Kubernetes version + will be used + minLength: 2 + type: string + availabilityZoneSubnetType: + description: AvailabilityZoneSubnetType specifies which type of subnets + to use when an availability zone is specified. + enum: + - public + - private + - all + type: string + availabilityZones: + description: AvailabilityZones is an array of availability zones instances + can run in + items: + type: string + type: array + awsLaunchTemplate: + description: |- + AWSLaunchTemplate specifies the launch template to use to create the managed node group. + If AWSLaunchTemplate is specified, certain node group configuraions outside of launch template + are prohibited (https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html). + properties: + additionalSecurityGroups: + description: |- + AdditionalSecurityGroups is an array of references to security groups that should be applied to the + instances. These security groups would be set in addition to any security groups defined + at the cluster level or in the actuator. + items: + description: |- + AWSResourceReference is a reference to a specific AWS resource by ID or filters. + Only one of ID or Filters may be specified. Specifying more than one will result in + a validation error. 
+ properties: + filters: + description: |- + Filters is a set of key/value pairs used to identify a resource + They are applied according to the rules defined by the AWS API: + https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html + items: + description: Filter is a filter used to identify an AWS + resource. + properties: + name: + description: Name of the filter. Filter names are + case-sensitive. + type: string + values: + description: Values includes one or more filter values. + Filter values are case-sensitive. + items: + type: string + type: array + required: + - name + - values + type: object + type: array + id: + description: ID of resource + type: string + type: object + type: array + ami: + description: AMI is the reference to the AMI from which to create + the machine instance. + properties: + eksLookupType: + description: EKSOptimizedLookupType If specified, will look + up an EKS Optimized image in SSM Parameter store + enum: + - AmazonLinux + - AmazonLinuxGPU + - AmazonLinux2023 + - AmazonLinux2023GPU + type: string + id: + description: ID of resource + type: string + type: object + capacityReservationId: + description: CapacityReservationID specifies the target Capacity + Reservation into which the instance should be launched. + type: string + capacityReservationPreference: + allOf: + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + - enum: + - "" + - None + - CapacityReservationsOnly + - Open + description: |- + CapacityReservationPreference specifies the preference for use of Capacity Reservations by the instance. Valid values include: + "Open": The instance may make use of open Capacity Reservations that match its AZ and InstanceType + "None": The instance may not make use of any Capacity Reservations. 
This is to conserve open reservations for desired workloads + "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation + type: string + iamInstanceProfile: + description: |- + The name or the Amazon Resource Name (ARN) of the instance profile associated + with the IAM role for the instance. The instance profile contains the IAM + role. + type: string + imageLookupBaseOS: + description: |- + ImageLookupBaseOS is the name of the base operating system to use for + image lookup the AMI is not set. + type: string + imageLookupFormat: + description: |- + ImageLookupFormat is the AMI naming format to look up the image for this + machine It will be ignored if an explicit AMI is set. Supports + substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and + kubernetes version, respectively. The BaseOS will be the value in + ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as + defined by the packages produced by kubernetes/release without v as a + prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default + image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up + searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a + Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See + also: https://golang.org/pkg/text/template/ + type: string + imageLookupOrg: + description: ImageLookupOrg is the AWS Organization ID to use + for image lookup if AMI is not set. + type: string + instanceMetadataOptions: + description: InstanceMetadataOptions defines the behavior for + applying metadata to instances. + properties: + httpEndpoint: + default: enabled + description: |- + Enables or disables the HTTP metadata endpoint on your instances. + + If you specify a value of disabled, you cannot access your instance metadata. 
+ + Default: enabled + enum: + - enabled + - disabled + type: string + httpPutResponseHopLimit: + default: 1 + description: |- + The desired HTTP PUT response hop limit for instance metadata requests. The + larger the number, the further instance metadata requests can travel. + + Default: 1 + format: int64 + maximum: 64 + minimum: 1 + type: integer + httpTokens: + default: optional + description: |- + The state of token usage for your instance metadata requests. + + If the state is optional, you can choose to retrieve instance metadata with + or without a session token on your request. If you retrieve the IAM role + credentials without a token, the version 1.0 role credentials are returned. + If you retrieve the IAM role credentials using a valid session token, the + version 2.0 role credentials are returned. + + If the state is required, you must send a session token with any instance + metadata retrieval requests. In this state, retrieving the IAM role credentials + always returns the version 2.0 credentials; the version 1.0 credentials are + not available. + + Default: optional + enum: + - optional + - required + type: string + instanceMetadataTags: + default: disabled + description: |- + Set to enabled to allow access to instance tags from the instance metadata. + Set to disabled to turn off access to instance tags from the instance metadata. + For more information, see Work with instance tags using the instance metadata + (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). + + Default: disabled + enum: + - enabled + - disabled + type: string + type: object + instanceType: + description: 'InstanceType is the type of instance to create. + Example: m4.xlarge' + type: string + marketType: + description: |- + MarketType specifies the type of market for the EC2 instance. Valid values include: + "OnDemand" (default): The instance runs as a standard OnDemand instance. + "Spot": The instance runs as a Spot instance. 
When SpotMarketOptions is provided, the marketType defaults to "Spot". + "CapacityBlock": The instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. + If this value is selected, CapacityReservationID must be specified to identify the target reservation. + If marketType is not specified and spotMarketOptions is provided, the marketType defaults to "Spot". + enum: + - OnDemand + - Spot + - CapacityBlock + type: string + name: + description: The name of the launch template. + type: string + nonRootVolumes: + description: Configuration options for the non root storage volumes. + items: + description: Volume encapsulates the configuration options for + the storage device. + properties: + deviceName: + description: Device name + type: string + encrypted: + description: Encrypted is whether the volume should be encrypted + or not. + type: boolean + encryptionKey: + description: |- + EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. + If Encrypted is set and this is omitted, the default AWS key will be used. + The key must already exist and be accessible by the controller. + type: string + iops: + description: IOPS is the number of IOPS requested for the + disk. Not applicable to all types. + format: int64 + type: integer + size: + description: |- + Size specifies size (in Gi) of the storage device. + Must be greater than the image snapshot size or 8 (whichever is greater). + format: int64 + minimum: 8 + type: integer + throughput: + description: Throughput to provision in MiB/s supported + for the volume type. Not applicable to all types. + format: int64 + type: integer + type: + description: Type is the type of the volume (e.g. gp2, io1, + etc...). + type: string + required: + - size + type: object + type: array + privateDnsName: + description: PrivateDNSName is the options for the instance hostname. 
+ properties: + enableResourceNameDnsAAAARecord: + description: EnableResourceNameDNSAAAARecord indicates whether + to respond to DNS queries for instance hostnames with DNS + AAAA records. + type: boolean + enableResourceNameDnsARecord: + description: EnableResourceNameDNSARecord indicates whether + to respond to DNS queries for instance hostnames with DNS + A records. + type: boolean + hostnameType: + description: The type of hostname to assign to an instance. + enum: + - ip-name + - resource-name + type: string + type: object + rootVolume: + description: RootVolume encapsulates the configuration options + for the root volume + properties: + deviceName: + description: Device name + type: string + encrypted: + description: Encrypted is whether the volume should be encrypted + or not. + type: boolean + encryptionKey: + description: |- + EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. + If Encrypted is set and this is omitted, the default AWS key will be used. + The key must already exist and be accessible by the controller. + type: string + iops: + description: IOPS is the number of IOPS requested for the + disk. Not applicable to all types. + format: int64 + type: integer + size: + description: |- + Size specifies size (in Gi) of the storage device. + Must be greater than the image snapshot size or 8 (whichever is greater). + format: int64 + minimum: 8 + type: integer + throughput: + description: Throughput to provision in MiB/s supported for + the volume type. Not applicable to all types. + format: int64 + type: integer + type: + description: Type is the type of the volume (e.g. gp2, io1, + etc...). + type: string + required: + - size + type: object + spotMarketOptions: + description: SpotMarketOptions are options for configuring AWSMachinePool + instances to be run using AWS Spot instances. 
+ properties: + maxPrice: + description: MaxPrice defines the maximum price the user is + willing to pay for Spot VM instances + type: string + type: object + sshKeyName: + description: |- + SSHKeyName is the name of the ssh key to attach to the instance. Valid values are empty string + (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name) + type: string + versionNumber: + description: |- + VersionNumber is the version of the launch template that is applied. + Typically a new version is created when at least one of the following happens: + 1) A new launch template spec is applied. + 2) One or more parameters in an existing template is changed. + 3) A new AMI is discovered. + format: int64 + type: integer + type: object + capacityType: + default: onDemand + description: CapacityType specifies the capacity type for the ASG + behind this pool + enum: + - onDemand + - spot + type: string + diskSize: description: DiskSize specifies the root disk size format: int32 type: integer 
@@ -14070,6 +17025,55 @@ spec: type: string description: Labels specifies labels for the Kubernetes node objects type: object + lifecycleHooks: + description: AWSLifecycleHooks specifies lifecycle hooks for the managed + node group. + items: + description: AWSLifecycleHook describes an AWS lifecycle hook + properties: + defaultResult: + description: The default result for the lifecycle hook. The + possible values are CONTINUE and ABANDON. + enum: + - CONTINUE + - ABANDON + type: string + heartbeatTimeout: + description: |- + The maximum time, in seconds, that an instance can remain in a Pending:Wait or + Terminating:Wait state. The maximum is 172800 seconds (48 hours) or 100 times + HeartbeatTimeout, whichever is smaller. + format: duration + type: string + lifecycleTransition: + description: The state of the EC2 instance to which to attach + the lifecycle hook. + enum: + - autoscaling:EC2_INSTANCE_LAUNCHING + - autoscaling:EC2_INSTANCE_TERMINATING + type: string + name: + description: The name of the lifecycle hook. + type: string + notificationMetadata: + description: Contains additional metadata that will be passed + to the notification target. + type: string + notificationTargetARN: + description: |- + The ARN of the notification target that Amazon EC2 Auto Scaling uses to + notify you when an instance is in the transition state for the lifecycle hook. + type: string + roleARN: + description: |- + The ARN of the IAM role that allows the Auto Scaling group to publish to the + specified notification target. + type: string + required: + - lifecycleTransition + - name + type: object + type: array providerIDList: description: |- ProviderIDList are the provider IDs of instances in the 
@@ -14112,6 +17116,30 @@ spec: and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created. type: string + rolePath: + description: |- + RolePath sets the path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + type: string + rolePermissionsBoundary: + description: |- + RolePermissionsBoundary sets the ARN of the managed policy that is used + to set the permissions boundary for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string scaling: description: Scaling specifies scaling for the ASG behind this pool properties: @@ -14166,7 +17194,7 @@ spec: maximum: 100 minimum: 1 type: integer - maxUnavailablePrecentage: + maxUnavailablePercentage: description: |- MaxUnavailablePercentage is the maximum percentage of nodes unavailable during a version update. This percentage of nodes will be updated in parallel, up to 100 nodes at once. 
@@ -14188,27 +17216,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -14218,6 +17251,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -14283,24 +17318,61 @@ spec: - ready type: object type: object - served: false - storage: false + served: true + storage: true subresources: status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: capa-system/capa-serving-cert + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + cluster.x-k8s.io/provider: infrastructure-aws + cluster.x-k8s.io/v1alpha3: v1alpha3 + cluster.x-k8s.io/v1alpha4: v1alpha4 + cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 + name: eksconfigs.bootstrap.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: bootstrap.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: EKSConfig + listKind: EKSConfigList + plural: eksconfigs + shortNames: + - eksc + singular: eksconfig + scope: Namespaced + versions: - additionalPrinterColumns: - - description: MachinePool ready status + - description: Bootstrap configuration is ready jsonPath: .status.ready name: Ready type: string - - description: Number of replicas - jsonPath: .status.replicas - name: Replicas - type: integer - name: v1beta2 + - description: Name of Secret containing bootstrap data + jsonPath: .status.dataSecretName + name: DataSecretName + type: string + name: v1beta1 schema: openAPIV3Schema: - description: AWSManagedMachinePool is the Schema for the awsmanagedmachinepools - API. + description: EKSConfig is the schema for the Amazon EKS Machine Bootstrap + Configuration API. properties: apiVersion: description: |- 
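Review bot: The new CustomResourceDefinition document that this hunk appends after `---` (name: eksconfigs.bootstrap.cluster.x-k8s.io) declares a Webhook conversion strategy whose clientConfig carries no caBundle and relies on the upstream `cert-manager.io/inject-ca-from: capa-system/capa-serving-cert` annotation, whereas the sibling CRDs earlier in this diff carry `service.beta.openshift.io/inject-cabundle: "true"` instead. If cert-manager is not running in the target cluster, nothing populates the CA bundle, the API server cannot verify the webhook's TLS certificate, and every v1beta1/v1beta2 EKSConfig conversion fails at the API server; the annotation translation presumably done for the other CRDs appears to have been missed for this appended document. The annotations block should also carry `service.beta.openshift.io/inject-cabundle: "true"`, and the webhook service namespace (`capa-system`) should be checked against the namespace the chart actually deploys the webhook service into. This hunk also flips the preceding version to `served: true` / `storage: true`, which makes it the storage version; stored objects of the previous storage version will keep that version listed in status.storedVersions until migrated, which matters for any later removal of the old version.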
@@ -14320,518 +17392,501 @@ spec: metadata: type: object spec: - description: AWSManagedMachinePoolSpec defines the desired state of AWSManagedMachinePool. + description: EKSConfigSpec defines the desired state of Amazon EKS Bootstrap + Configuration. properties: - additionalTags: - additionalProperties: - type: string - description: |- - AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the - ones added by default. - type: object - amiType: - default: AL2_x86_64 - description: AMIType defines the AMI type - enum: - - AL2_x86_64 - - AL2_x86_64_GPU - - AL2_ARM_64 - - AL2023_x86_64_STANDARD - - AL2023_ARM_64_STANDARD - - CUSTOM + apiRetryAttempts: + description: APIRetryAttempts is the number of retry attempts for + AWS API call. + type: integer + containerRuntime: + description: ContainerRuntime specify the container runtime to use + when bootstrapping EKS. + type: string + dnsClusterIP: + description: ' DNSClusterIP overrides the IP address to use for DNS + queries within the cluster.' type: string - amiVersion: + dockerConfigJson: description: |- - AMIVersion defines the desired AMI release version. If no version number - is supplied then the latest version for the Kubernetes version - will be used - minLength: 2 - type: string - availabilityZoneSubnetType: - description: AvailabilityZoneSubnetType specifies which type of subnets - to use when an availability zone is specified. - enum: - - public - - private - - all + DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. + This is expected to be a json string. 
type: string - availabilityZones: - description: AvailabilityZones is an array of availability zones instances - can run in - items: + kubeletExtraArgs: + additionalProperties: type: string - type: array - awsLaunchTemplate: - description: |- - AWSLaunchTemplate specifies the launch template to use to create the managed node group. - If AWSLaunchTemplate is specified, certain node group configuraions outside of launch template - are prohibited (https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html). + description: KubeletExtraArgs passes the specified kubelet args into + the Amazon EKS machine bootstrap script + type: object + pauseContainer: + description: PauseContainer allows customization of the pause container + to use. properties: - additionalSecurityGroups: - description: |- - AdditionalSecurityGroups is an array of references to security groups that should be applied to the - instances. These security groups would be set in addition to any security groups defined - at the cluster level or in the actuator. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. - Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an AWS - resource. - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter values. - Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - ami: - description: AMI is the reference to the AMI from which to create - the machine instance. - properties: - eksLookupType: - description: EKSOptimizedLookupType If specified, will look - up an EKS Optimized image in SSM Parameter store - enum: - - AmazonLinux - - AmazonLinuxGPU - type: string - id: - description: ID of resource - type: string - type: object - capacityReservationId: - description: CapacityReservationID specifies the target Capacity - Reservation into which the instance should be launched. - type: string - iamInstanceProfile: - description: |- - The name or the Amazon Resource Name (ARN) of the instance profile associated - with the IAM role for the instance. The instance profile contains the IAM - role. - type: string - imageLookupBaseOS: - description: |- - ImageLookupBaseOS is the name of the base operating system to use for - image lookup the AMI is not set. - type: string - imageLookupFormat: - description: |- - ImageLookupFormat is the AMI naming format to look up the image for this - machine It will be ignored if an explicit AMI is set. Supports - substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base OS and - kubernetes version, respectively. The BaseOS will be the value in - ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as - defined by the packages produced by kubernetes/release without v as a - prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default - image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up - searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a - Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. 
See - also: https://golang.org/pkg/text/template/ - type: string - imageLookupOrg: - description: ImageLookupOrg is the AWS Organization ID to use - for image lookup if AMI is not set. - type: string - instanceMetadataOptions: - description: InstanceMetadataOptions defines the behavior for - applying metadata to instances. - properties: - httpEndpoint: - default: enabled - description: |- - Enables or disables the HTTP metadata endpoint on your instances. - - If you specify a value of disabled, you cannot access your instance metadata. - - Default: enabled - enum: - - enabled - - disabled - type: string - httpPutResponseHopLimit: - default: 1 - description: |- - The desired HTTP PUT response hop limit for instance metadata requests. The - larger the number, the further instance metadata requests can travel. - - Default: 1 - format: int64 - maximum: 64 - minimum: 1 - type: integer - httpTokens: - default: optional - description: |- - The state of token usage for your instance metadata requests. - - If the state is optional, you can choose to retrieve instance metadata with - or without a session token on your request. If you retrieve the IAM role - credentials without a token, the version 1.0 role credentials are returned. - If you retrieve the IAM role credentials using a valid session token, the - version 2.0 role credentials are returned. - - If the state is required, you must send a session token with any instance - metadata retrieval requests. In this state, retrieving the IAM role credentials - always returns the version 2.0 credentials; the version 1.0 credentials are - not available. - - Default: optional - enum: - - optional - - required - type: string - instanceMetadataTags: - default: disabled - description: |- - Set to enabled to allow access to instance tags from the instance metadata. - Set to disabled to turn off access to instance tags from the instance metadata. 
- For more information, see Work with instance tags using the instance metadata - (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS). - - Default: disabled - enum: - - enabled - - disabled - type: string - type: object - instanceType: - description: 'InstanceType is the type of instance to create. - Example: m4.xlarge' - type: string - marketType: - description: |- - MarketType specifies the type of market for the EC2 instance. Valid values include: - "OnDemand" (default): The instance runs as a standard OnDemand instance. - "Spot": The instance runs as a Spot instance. When SpotMarketOptions is provided, the marketType defaults to "Spot". - "CapacityBlock": The instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. - If this value is selected, CapacityReservationID must be specified to identify the target reservation. - If marketType is not specified and spotMarketOptions is provided, the marketType defaults to "Spot". - enum: - - OnDemand - - Spot - - CapacityBlock + accountNumber: + description: ' AccountNumber is the AWS account number to pull + the pause container from.' type: string - name: - description: The name of the launch template. + version: + description: Version is the tag of the pause container to use. type: string - nonRootVolumes: - description: Configuration options for the non root storage volumes. + required: + - accountNumber + - version + type: object + serviceIPV6Cidr: + description: |- + ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then + the ip family will be set to ipv6. + type: string + useMaxPods: + description: UseMaxPods sets --max-pods for the kubelet when true. + type: boolean + type: object + status: + description: EKSConfigStatus defines the observed state of the Amazon + EKS Bootstrap Configuration. + properties: + conditions: + description: Conditions defines current service state of the EKSConfig. 
+ items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This field may be empty. + maxLength: 10240 + minLength: 1 + type: string + reason: + description: |- + reason is the reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may be empty. + maxLength: 256 + minLength: 1 + type: string + severity: + description: |- + severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + maxLength: 32 + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + dataSecretName: + description: DataSecretName is the name of the secret that stores + the bootstrap data script. 
+ type: string + failureMessage: + description: FailureMessage will be set on non-retryable errors + type: string + failureReason: + description: FailureReason will be set on non-retryable errors + type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + ready: + description: Ready indicates the BootstrapData secret is ready to + be consumed + type: boolean + type: object + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Bootstrap configuration is ready + jsonPath: .status.ready + name: Ready + type: string + - description: Name of Secret containing bootstrap data + jsonPath: .status.dataSecretName + name: DataSecretName + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: EKSConfig is the schema for the Amazon EKS Machine Bootstrap + Configuration API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: EKSConfigSpec defines the desired state of Amazon EKS Bootstrap + Configuration. + properties: + apiRetryAttempts: + description: APIRetryAttempts is the number of retry attempts for + AWS API call. 
+ type: integer + boostrapCommandOverride: + description: BootstrapCommandOverride allows you to override the bootstrap + command to use for EKS nodes. + type: string + containerRuntime: + description: ContainerRuntime specify the container runtime to use + when bootstrapping EKS. + type: string + diskSetup: + description: DiskSetup specifies options for the creation of partition + tables and file systems on devices. + properties: + filesystems: + description: Filesystems specifies the list of file systems to + setup. items: - description: Volume encapsulates the configuration options for - the storage device. + description: Filesystem defines the file systems to be created. properties: - deviceName: - description: Device name + device: + description: Device specifies the device name type: string - encrypted: - description: Encrypted is whether the volume should be encrypted - or not. - type: boolean - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. + extraOpts: + description: ExtraOpts defined extra options to add to the + command for creating the file system. + items: + type: string + type: array + filesystem: + description: Filesystem specifies the file system type. type: string - iops: - description: IOPS is the number of IOPS requested for the - disk. Not applicable to all types. - format: int64 - type: integer - size: + label: + description: Label specifies the file system label to be + used. If set to None, no label is used. + type: string + overwrite: description: |- - Size specifies size (in Gi) of the storage device. - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - throughput: - description: Throughput to provision in MiB/s supported - for the volume type. 
Not applicable to all types. - format: int64 - type: integer - type: - description: Type is the type of the volume (e.g. gp2, io1, - etc...). + Overwrite defines whether or not to overwrite any existing filesystem. + If true, any pre-existing file system will be destroyed. Use with Caution. + type: boolean + partition: + description: 'Partition specifies the partition to use. + The valid options are: "auto|any", "auto", "any", "none", + and , where NUM is the actual partition number.' type: string required: - - size + - device + - filesystem + - label + type: object + type: array + partitions: + description: Partitions specifies the list of the partitions to + setup. + items: + description: Partition defines how to create and layout a partition. + properties: + device: + description: Device is the name of the device. + type: string + layout: + description: |- + Layout specifies the device layout. + If it is true, a single partition will be created for the entire device. + When layout is false, it means don't partition or ignore existing partitioning. + type: boolean + overwrite: + description: |- + Overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. + Use with caution. Default is 'false'. + type: boolean + tableType: + description: |- + TableType specifies the tupe of partition table. The following are supported: + 'mbr': default and setups a MS-DOS partition table + 'gpt': setups a GPT partition table + type: string + required: + - device + - layout type: object type: array - privateDnsName: - description: PrivateDNSName is the options for the instance hostname. - properties: - enableResourceNameDnsAAAARecord: - description: EnableResourceNameDNSAAAARecord indicates whether - to respond to DNS queries for instance hostnames with DNS - AAAA records. 
- type: boolean - enableResourceNameDnsARecord: - description: EnableResourceNameDNSARecord indicates whether - to respond to DNS queries for instance hostnames with DNS - A records. - type: boolean - hostnameType: - description: The type of hostname to assign to an instance. - enum: - - ip-name - - resource-name - type: string - type: object - rootVolume: - description: RootVolume encapsulates the configuration options - for the root volume - properties: - deviceName: - description: Device name - type: string - encrypted: - description: Encrypted is whether the volume should be encrypted - or not. - type: boolean - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. - type: string - iops: - description: IOPS is the number of IOPS requested for the - disk. Not applicable to all types. - format: int64 - type: integer - size: - description: |- - Size specifies size (in Gi) of the storage device. - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - throughput: - description: Throughput to provision in MiB/s supported for - the volume type. Not applicable to all types. - format: int64 - type: integer - type: - description: Type is the type of the volume (e.g. gp2, io1, - etc...). - type: string - required: - - size - type: object - spotMarketOptions: - description: SpotMarketOptions are options for configuring AWSMachinePool - instances to be run using AWS Spot instances. - properties: - maxPrice: - description: MaxPrice defines the maximum price the user is - willing to pay for Spot VM instances - type: string - type: object - sshKeyName: - description: |- - SSHKeyName is the name of the ssh key to attach to the instance. 
Valid values are empty string - (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name) - type: string - versionNumber: - description: |- - VersionNumber is the version of the launch template that is applied. - Typically a new version is created when at least one of the following happens: - 1) A new launch template spec is applied. - 2) One or more parameters in an existing template is changed. - 3) A new AMI is discovered. - format: int64 - type: integer type: object - capacityType: - default: onDemand - description: CapacityType specifies the capacity type for the ASG - behind this pool - enum: - - onDemand - - spot + dnsClusterIP: + description: ' DNSClusterIP overrides the IP address to use for DNS + queries within the cluster.' type: string - diskSize: - description: DiskSize specifies the root disk size - format: int32 - type: integer - eksNodegroupName: + dockerConfigJson: description: |- - EKSNodegroupName specifies the name of the nodegroup in AWS - corresponding to this MachinePool. If you don't specify a name - then a default name will be created based on the namespace and - name of the managed machine pool. - type: string - instanceType: - description: InstanceType specifies the AWS instance type + DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. + This is expected to be a json string. type: string - labels: + files: + description: Files specifies extra files to be passed to user_data + upon creation. + items: + description: File defines the input for generating write_files in + cloud-init. + properties: + append: + description: Append specifies whether to append Content to existing + file if Path exists. + type: boolean + content: + description: Content is the actual content of the file. + type: string + contentFrom: + description: ContentFrom is a referenced source of content to + populate the file. 
+ properties: + secret: + description: Secret represents a secret that should populate + this file. + properties: + key: + description: Key is the key in the secret's data map + for this value. + type: string + name: + description: Name of the secret in the KubeadmBootstrapConfig's + namespace to use. + type: string + required: + - key + - name + type: object + required: + - secret + type: object + encoding: + description: Encoding specifies the encoding of the file contents. + enum: + - base64 + - gzip + - gzip+base64 + type: string + owner: + description: Owner specifies the ownership of the file, e.g. + "root:root". + type: string + path: + description: Path specifies the full path on disk where to store + the file. + type: string + permissions: + description: Permissions specifies the permissions to assign + to the file, e.g. "0640". + type: string + required: + - path + type: object + type: array + kubeletExtraArgs: additionalProperties: type: string - description: Labels specifies labels for the Kubernetes node objects + description: KubeletExtraArgs passes the specified kubelet args into + the Amazon EKS machine bootstrap script type: object - providerIDList: - description: |- - ProviderIDList are the provider IDs of instances in the - autoscaling group corresponding to the nodegroup represented by this - machine pool + mounts: + description: Mounts specifies a list of mount points to be setup. items: - type: string + description: MountPoints defines input for generated mounts in cloud-init. 
+ items: + type: string + type: array type: array - remoteAccess: - description: RemoteAccess specifies how machines can be accessed remotely + ntp: + description: NTP specifies NTP configuration properties: - public: - description: Public specifies whether to open port 22 to the public - internet + enabled: + description: Enabled specifies whether NTP should be enabled type: boolean - sourceSecurityGroups: - description: SourceSecurityGroups specifies which security groups - are allowed access + servers: + description: Servers specifies which NTP servers to use items: type: string type: array - sshKeyName: - description: |- - SSHKeyName specifies which EC2 SSH key can be used to access machines. - If left empty, the key from the control plane is used. + type: object + pauseContainer: + description: PauseContainer allows customization of the pause container + to use. + properties: + accountNumber: + description: ' AccountNumber is the AWS account number to pull + the pause container from.' + type: string + version: + description: Version is the tag of the pause container to use. type: string + required: + - accountNumber + - version type: object - roleAdditionalPolicies: - description: |- - RoleAdditionalPolicies allows you to attach additional polices to - the node group role. You must enable the EKSAllowAddRoles - feature flag to incorporate these into the created role. + postBootstrapCommands: + description: PostBootstrapCommands specifies extra commands to run + after bootstrapping nodes to the cluster items: type: string type: array - roleName: - description: |- - RoleName specifies the name of IAM role for the node group. - If the role is pre-existing we will treat it as unmanaged - and not delete it on deletion. If the EKSEnableIAM feature - flag is true and no name is supplied then a role is created. 
- type: string - scaling: - description: Scaling specifies scaling for the ASG behind this pool - properties: - maxSize: - format: int32 - type: integer - minSize: - format: int32 - type: integer - type: object - subnetIDs: - description: |- - SubnetIDs specifies which subnets are used for the - auto scaling group of this nodegroup + preBootstrapCommands: + description: PreBootstrapCommands specifies extra commands to run + before bootstrapping nodes to the cluster items: type: string type: array - taints: - description: Taints specifies the taints to apply to the nodes of - the machine pool + serviceIPV6Cidr: + description: |- + ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then + the ip family will be set to ipv6. + type: string + useMaxPods: + description: UseMaxPods sets --max-pods for the kubelet when true. + type: boolean + users: + description: Users specifies extra users to add items: - description: Taint defines the specs for a Kubernetes taint. + description: User defines the input for a generated user in cloud-init. 
properties: - effect: - description: Effect specifies the effect for the taint - enum: - - no-schedule - - no-execute - - prefer-no-schedule + gecos: + description: Gecos specifies the gecos to use for the user type: string - key: - description: Key is the key of the taint + groups: + description: Groups specifies the additional groups for the + user + type: string + homeDir: + description: HomeDir specifies the home directory to use for + the user + type: string + inactive: + description: Inactive specifies whether to mark the user as + inactive + type: boolean + lockPassword: + description: LockPassword specifies if password login should + be disabled + type: boolean + name: + description: Name specifies the username + type: string + passwd: + description: Passwd specifies a hashed password for the user + type: string + passwdFrom: + description: PasswdFrom is a referenced source of passwd to + populate the passwd. + properties: + secret: + description: Secret represents a secret that should populate + this password. + properties: + key: + description: Key is the key in the secret's data map + for this value. + type: string + name: + description: Name of the secret in the KubeadmBootstrapConfig's + namespace to use. + type: string + required: + - key + - name + type: object + required: + - secret + type: object + primaryGroup: + description: PrimaryGroup specifies the primary group for the + user + type: string + shell: + description: Shell specifies the user's shell type: string - value: - description: Value is the value of the taint + sshAuthorizedKeys: + description: SSHAuthorizedKeys specifies a list of ssh authorized + keys for the user + items: + type: string + type: array + sudo: + description: Sudo specifies a sudo role for the user type: string required: - - effect - - key - - value + - name type: object type: array - updateConfig: - description: |- - UpdateConfig holds the optional config to control the behaviour of the update - to the nodegroup. 
- properties: - maxUnavailable: - description: |- - MaxUnavailable is the maximum number of nodes unavailable at once during a version update. - Nodes will be updated in parallel. The maximum number is 100. - maximum: 100 - minimum: 1 - type: integer - maxUnavailablePercentage: - description: |- - MaxUnavailablePercentage is the maximum percentage of nodes unavailable during a version update. This - percentage of nodes will be updated in parallel, up to 100 nodes at once. - maximum: 100 - minimum: 1 - type: integer - type: object type: object status: - description: AWSManagedMachinePoolStatus defines the observed state of - AWSManagedMachinePool. + description: EKSConfigStatus defines the observed state of the Amazon + EKS Bootstrap Configuration. properties: conditions: - description: Conditions defines current service state of the managed - machine pool + description: Conditions defines current service state of the EKSConfig. items: description: Condition defines an observation of a Cluster API resource operational state. properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. 
+ maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -14841,6 +17896,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -14848,62 +17905,25 @@ spec: - type type: object type: array + dataSecretName: + description: DataSecretName is the name of the secret that stores + the bootstrap data script. + type: string failureMessage: - description: |- - FailureMessage will be set in the event that there is a terminal problem - reconciling the MachinePool and will contain a more verbose string suitable - for logging and human consumption. - - This field should not be set for transitive errors that a controller - faces that are expected to be fixed automatically over - time (like service outages), but instead indicate that something is - fundamentally wrong with the MachinePool's spec or the configuration of - the controller, and that manual intervention is required. Examples - of terminal errors would be invalid combinations of settings in the - spec, values that are unsupported by the controller, or the - responsible controller itself being critically misconfigured. - - Any transient errors that occur during the reconciliation of MachinePools - can be added as events to the MachinePool object and/or logged in the - controller's output. + description: FailureMessage will be set on non-retryable errors type: string failureReason: - description: |- - FailureReason will be set in the event that there is a terminal problem - reconciling the MachinePool and will contain a succinct value suitable - for machine interpretation. - - This field should not be set for transitive errors that a controller - faces that are expected to be fixed automatically over - time (like service outages), but instead indicate that something is - fundamentally wrong with the Machine's spec or the configuration of - the controller, and that manual intervention is required. Examples - of terminal errors would be invalid combinations of settings in the - spec, values that are unsupported by the controller, or the - responsible controller itself being critically misconfigured. 
- - Any transient errors that occur during the reconciliation of MachinePools - can be added as events to the MachinePool object and/or logged in the - controller's output. - type: string - launchTemplateID: - description: The ID of the launch template - type: string - launchTemplateVersion: - description: The version of the launch template + description: FailureReason will be set on non-retryable errors type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer ready: - default: false - description: |- - Ready denotes that the AWSManagedMachinePool nodegroup has joined - the cluster + description: Ready indicates the BootstrapData secret is ready to + be consumed type: boolean - replicas: - description: Replicas is the most recently observed number of replicas. - format: int32 - type: integer - required: - - ready type: object type: object served: true @@ -14916,13 +17936,13 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 cluster.x-k8s.io/v1alpha4: v1alpha4 cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: eksconfigs.bootstrap.cluster.x-k8s.io + name: eksconfigtemplates.bootstrap.cluster.x-k8s.io spec: conversion: strategy: Webhook 
@@ -14939,28 +17959,19 @@ spec: names: categories: - cluster-api - kind: EKSConfig - listKind: EKSConfigList - plural: eksconfigs + kind: EKSConfigTemplate + listKind: EKSConfigTemplateList + plural: eksconfigtemplates shortNames: - - eksc - singular: eksconfig + - eksct + singular: eksconfigtemplate scope: Namespaced versions: - - additionalPrinterColumns: - - description: Bootstrap configuration is ready - jsonPath: .status.ready - name: Ready - type: string - - description: Name of Secret containing bootstrap data - jsonPath: .status.dataSecretName - name: DataSecretName - type: string - name: v1beta1 + - name: v1beta1 schema: openAPIV3Schema: - description: EKSConfig is the schema for the Amazon EKS Machine Bootstrap - Configuration API. + description: EKSConfigTemplate is the Amazon EKS Bootstrap Configuration Template + API. properties: apiVersion: description: |- 
@@ -14973,151 +17984,84 @@ spec: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EKSConfigSpec defines the desired state of Amazon EKS Bootstrap - Configuration. - properties: - apiRetryAttempts: - description: APIRetryAttempts is the number of retry attempts for - AWS API call. - type: integer - containerRuntime: - description: ContainerRuntime specify the container runtime to use - when bootstrapping EKS. - type: string - dnsClusterIP: - description: ' DNSClusterIP overrides the IP address to use for DNS - queries within the cluster.' - type: string - dockerConfigJson: - description: |- - DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. - This is expected to be a json string. - type: string - kubeletExtraArgs: - additionalProperties: - type: string - description: KubeletExtraArgs passes the specified kubelet args into - the Amazon EKS machine bootstrap script - type: object - pauseContainer: - description: PauseContainer allows customization of the pause container - to use. - properties: - accountNumber: - description: ' AccountNumber is the AWS account number to pull - the pause container from.' - type: string - version: - description: Version is the tag of the pause container to use. - type: string - required: - - accountNumber - - version - type: object - serviceIPV6Cidr: - description: |- - ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then - the ip family will be set to ipv6. - type: string - useMaxPods: - description: UseMaxPods sets --max-pods for the kubelet when true. 
- type: boolean - type: object - status: - description: EKSConfigStatus defines the observed state of the Amazon - EKS Bootstrap Configuration. - properties: - conditions: - description: Conditions defines current service state of the EKSConfig. - items: - description: Condition defines an observation of a Cluster API resource - operational state. - properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may be empty. - type: string - severity: - description: |- - severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - dataSecretName: - description: DataSecretName is the name of the secret that stores - the bootstrap data script. 
- type: string - failureMessage: - description: FailureMessage will be set on non-retryable errors - type: string - failureReason: - description: FailureReason will be set on non-retryable errors - type: string - observedGeneration: - description: ObservedGeneration is the latest generation observed - by the controller. - format: int64 - type: integer - ready: - description: Ready indicates the BootstrapData secret is ready to - be consumed - type: boolean + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: EKSConfigTemplateSpec defines the desired state of templated + EKSConfig Amazon EKS Bootstrap Configuration resources. + properties: + template: + description: EKSConfigTemplateResource defines the Template structure. + properties: + spec: + description: EKSConfigSpec defines the desired state of Amazon + EKS Bootstrap Configuration. + properties: + apiRetryAttempts: + description: APIRetryAttempts is the number of retry attempts + for AWS API call. + type: integer + containerRuntime: + description: ContainerRuntime specify the container runtime + to use when bootstrapping EKS. + type: string + dnsClusterIP: + description: ' DNSClusterIP overrides the IP address to use + for DNS queries within the cluster.' + type: string + dockerConfigJson: + description: |- + DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. + This is expected to be a json string. + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes the specified kubelet + args into the Amazon EKS machine bootstrap script + type: object + pauseContainer: + description: PauseContainer allows customization of the pause + container to use. 
+ properties: + accountNumber: + description: ' AccountNumber is the AWS account number + to pull the pause container from.' + type: string + version: + description: Version is the tag of the pause container + to use. + type: string + required: + - accountNumber + - version + type: object + serviceIPV6Cidr: + description: |- + ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then + the ip family will be set to ipv6. + type: string + useMaxPods: + description: UseMaxPods sets --max-pods for the kubelet when + true. + type: boolean + type: object + type: object + required: + - template type: object type: object served: false storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Bootstrap configuration is ready - jsonPath: .status.ready - name: Ready - type: string - - description: Name of Secret containing bootstrap data - jsonPath: .status.dataSecretName - name: DataSecretName - type: string - name: v1beta2 + - name: v1beta2 schema: openAPIV3Schema: - description: EKSConfig is the schema for the Amazon EKS Machine Bootstrap - Configuration API. + description: EKSConfigTemplate is the Amazon EKS Bootstrap Configuration Template + API. properties: apiVersion: description: |- 
@@ -15137,332 +18081,443 @@ spec: metadata: type: object spec: - description: EKSConfigSpec defines the desired state of Amazon EKS Bootstrap - Configuration. + description: EKSConfigTemplateSpec defines the desired state of templated + EKSConfig Amazon EKS Bootstrap Configuration resources. properties: - apiRetryAttempts: - description: APIRetryAttempts is the number of retry attempts for - AWS API call. - type: integer - boostrapCommandOverride: - description: BootstrapCommandOverride allows you to override the bootstrap - command to use for EKS nodes. - type: string - containerRuntime: - description: ContainerRuntime specify the container runtime to use - when bootstrapping EKS. - type: string - diskSetup: - description: DiskSetup specifies options for the creation of partition - tables and file systems on devices. + template: + description: EKSConfigTemplateResource defines the Template structure. properties: - filesystems: - description: Filesystems specifies the list of file systems to - setup. - items: - description: Filesystem defines the file systems to be created. - properties: - device: - description: Device specifies the device name - type: string - extraOpts: - description: ExtraOpts defined extra options to add to the - command for creating the file system. - items: - type: string - type: array - filesystem: - description: Filesystem specifies the file system type. - type: string - label: - description: Label specifies the file system label to be - used. If set to None, no label is used. - type: string - overwrite: - description: |- - Overwrite defines whether or not to overwrite any existing filesystem. - If true, any pre-existing file system will be destroyed. Use with Caution. - type: boolean - partition: - description: 'Partition specifies the partition to use. - The valid options are: "auto|any", "auto", "any", "none", - and , where NUM is the actual partition number.' 
- type: string - required: - - device - - filesystem - - label - type: object - type: array - partitions: - description: Partitions specifies the list of the partitions to - setup. - items: - description: Partition defines how to create and layout a partition. - properties: - device: - description: Device is the name of the device. - type: string - layout: - description: |- - Layout specifies the device layout. - If it is true, a single partition will be created for the entire device. - When layout is false, it means don't partition or ignore existing partitioning. - type: boolean - overwrite: - description: |- - Overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. - Use with caution. Default is 'false'. - type: boolean - tableType: - description: |- - TableType specifies the tupe of partition table. The following are supported: - 'mbr': default and setups a MS-DOS partition table - 'gpt': setups a GPT partition table - type: string - required: - - device - - layout - type: object - type: array - type: object - dnsClusterIP: - description: ' DNSClusterIP overrides the IP address to use for DNS - queries within the cluster.' - type: string - dockerConfigJson: - description: |- - DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. - This is expected to be a json string. - type: string - files: - description: Files specifies extra files to be passed to user_data - upon creation. - items: - description: File defines the input for generating write_files in - cloud-init. - properties: - append: - description: Append specifies whether to append Content to existing - file if Path exists. - type: boolean - content: - description: Content is the actual content of the file. - type: string - contentFrom: - description: ContentFrom is a referenced source of content to - populate the file. 
- properties: - secret: - description: Secret represents a secret that should populate - this file. + spec: + description: EKSConfigSpec defines the desired state of Amazon + EKS Bootstrap Configuration. + properties: + apiRetryAttempts: + description: APIRetryAttempts is the number of retry attempts + for AWS API call. + type: integer + boostrapCommandOverride: + description: BootstrapCommandOverride allows you to override + the bootstrap command to use for EKS nodes. + type: string + containerRuntime: + description: ContainerRuntime specify the container runtime + to use when bootstrapping EKS. + type: string + diskSetup: + description: DiskSetup specifies options for the creation + of partition tables and file systems on devices. + properties: + filesystems: + description: Filesystems specifies the list of file systems + to setup. + items: + description: Filesystem defines the file systems to + be created. + properties: + device: + description: Device specifies the device name + type: string + extraOpts: + description: ExtraOpts defined extra options to + add to the command for creating the file system. + items: + type: string + type: array + filesystem: + description: Filesystem specifies the file system + type. + type: string + label: + description: Label specifies the file system label + to be used. If set to None, no label is used. + type: string + overwrite: + description: |- + Overwrite defines whether or not to overwrite any existing filesystem. + If true, any pre-existing file system will be destroyed. Use with Caution. + type: boolean + partition: + description: 'Partition specifies the partition + to use. The valid options are: "auto|any", "auto", + "any", "none", and , where NUM is the actual + partition number.' + type: string + required: + - device + - filesystem + - label + type: object + type: array + partitions: + description: Partitions specifies the list of the partitions + to setup. 
+ items: + description: Partition defines how to create and layout + a partition. + properties: + device: + description: Device is the name of the device. + type: string + layout: + description: |- + Layout specifies the device layout. + If it is true, a single partition will be created for the entire device. + When layout is false, it means don't partition or ignore existing partitioning. + type: boolean + overwrite: + description: |- + Overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. + Use with caution. Default is 'false'. + type: boolean + tableType: + description: |- + TableType specifies the tupe of partition table. The following are supported: + 'mbr': default and setups a MS-DOS partition table + 'gpt': setups a GPT partition table + type: string + required: + - device + - layout + type: object + type: array + type: object + dnsClusterIP: + description: ' DNSClusterIP overrides the IP address to use + for DNS queries within the cluster.' + type: string + dockerConfigJson: + description: |- + DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. + This is expected to be a json string. + type: string + files: + description: Files specifies extra files to be passed to user_data + upon creation. + items: + description: File defines the input for generating write_files + in cloud-init. properties: - key: - description: Key is the key in the secret's data map - for this value. + append: + description: Append specifies whether to append Content + to existing file if Path exists. + type: boolean + content: + description: Content is the actual content of the file. type: string - name: - description: Name of the secret in the KubeadmBootstrapConfig's - namespace to use. + contentFrom: + description: ContentFrom is a referenced source of content + to populate the file. 
+ properties: + secret: + description: Secret represents a secret that should + populate this file. + properties: + key: + description: Key is the key in the secret's + data map for this value. + type: string + name: + description: Name of the secret in the KubeadmBootstrapConfig's + namespace to use. + type: string + required: + - key + - name + type: object + required: + - secret + type: object + encoding: + description: Encoding specifies the encoding of the + file contents. + enum: + - base64 + - gzip + - gzip+base64 + type: string + owner: + description: Owner specifies the ownership of the file, + e.g. "root:root". + type: string + path: + description: Path specifies the full path on disk where + to store the file. + type: string + permissions: + description: Permissions specifies the permissions to + assign to the file, e.g. "0640". type: string required: - - key - - name + - path type: object - required: - - secret - type: object - encoding: - description: Encoding specifies the encoding of the file contents. - enum: - - base64 - - gzip - - gzip+base64 - type: string - owner: - description: Owner specifies the ownership of the file, e.g. - "root:root". - type: string - path: - description: Path specifies the full path on disk where to store - the file. - type: string - permissions: - description: Permissions specifies the permissions to assign - to the file, e.g. "0640". - type: string - required: - - path - type: object - type: array - kubeletExtraArgs: - additionalProperties: - type: string - description: KubeletExtraArgs passes the specified kubelet args into - the Amazon EKS machine bootstrap script - type: object - mounts: - description: Mounts specifies a list of mount points to be setup. - items: - description: MountPoints defines input for generated mounts in cloud-init. 
- items: - type: string - type: array - type: array - ntp: - description: NTP specifies NTP configuration - properties: - enabled: - description: Enabled specifies whether NTP should be enabled - type: boolean - servers: - description: Servers specifies which NTP servers to use - items: - type: string - type: array - type: object - pauseContainer: - description: PauseContainer allows customization of the pause container - to use. - properties: - accountNumber: - description: ' AccountNumber is the AWS account number to pull - the pause container from.' - type: string - version: - description: Version is the tag of the pause container to use. - type: string - required: - - accountNumber - - version - type: object - postBootstrapCommands: - description: PostBootstrapCommands specifies extra commands to run - after bootstrapping nodes to the cluster - items: - type: string - type: array - preBootstrapCommands: - description: PreBootstrapCommands specifies extra commands to run - before bootstrapping nodes to the cluster - items: - type: string - type: array - serviceIPV6Cidr: - description: |- - ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then - the ip family will be set to ipv6. - type: string - useMaxPods: - description: UseMaxPods sets --max-pods for the kubelet when true. - type: boolean - users: - description: Users specifies extra users to add - items: - description: User defines the input for a generated user in cloud-init. 
- properties: - gecos: - description: Gecos specifies the gecos to use for the user - type: string - groups: - description: Groups specifies the additional groups for the - user - type: string - homeDir: - description: HomeDir specifies the home directory to use for - the user - type: string - inactive: - description: Inactive specifies whether to mark the user as - inactive - type: boolean - lockPassword: - description: LockPassword specifies if password login should - be disabled - type: boolean - name: - description: Name specifies the username - type: string - passwd: - description: Passwd specifies a hashed password for the user - type: string - passwdFrom: - description: PasswdFrom is a referenced source of passwd to - populate the passwd. - properties: - secret: - description: Secret represents a secret that should populate - this password. + type: array + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes the specified kubelet + args into the Amazon EKS machine bootstrap script + type: object + mounts: + description: Mounts specifies a list of mount points to be + setup. + items: + description: MountPoints defines input for generated mounts + in cloud-init. + items: + type: string + type: array + type: array + ntp: + description: NTP specifies NTP configuration + properties: + enabled: + description: Enabled specifies whether NTP should be enabled + type: boolean + servers: + description: Servers specifies which NTP servers to use + items: + type: string + type: array + type: object + pauseContainer: + description: PauseContainer allows customization of the pause + container to use. + properties: + accountNumber: + description: ' AccountNumber is the AWS account number + to pull the pause container from.' + type: string + version: + description: Version is the tag of the pause container + to use. 
+ type: string + required: + - accountNumber + - version + type: object + postBootstrapCommands: + description: PostBootstrapCommands specifies extra commands + to run after bootstrapping nodes to the cluster + items: + type: string + type: array + preBootstrapCommands: + description: PreBootstrapCommands specifies extra commands + to run before bootstrapping nodes to the cluster + items: + type: string + type: array + serviceIPV6Cidr: + description: |- + ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then + the ip family will be set to ipv6. + type: string + useMaxPods: + description: UseMaxPods sets --max-pods for the kubelet when + true. + type: boolean + users: + description: Users specifies extra users to add + items: + description: User defines the input for a generated user + in cloud-init. properties: - key: - description: Key is the key in the secret's data map - for this value. + gecos: + description: Gecos specifies the gecos to use for the + user + type: string + groups: + description: Groups specifies the additional groups + for the user + type: string + homeDir: + description: HomeDir specifies the home directory to + use for the user type: string + inactive: + description: Inactive specifies whether to mark the + user as inactive + type: boolean + lockPassword: + description: LockPassword specifies if password login + should be disabled + type: boolean name: - description: Name of the secret in the KubeadmBootstrapConfig's - namespace to use. + description: Name specifies the username + type: string + passwd: + description: Passwd specifies a hashed password for + the user + type: string + passwdFrom: + description: PasswdFrom is a referenced source of passwd + to populate the passwd. + properties: + secret: + description: Secret represents a secret that should + populate this password. + properties: + key: + description: Key is the key in the secret's + data map for this value. 
+ type: string + name: + description: Name of the secret in the KubeadmBootstrapConfig's + namespace to use. + type: string + required: + - key + - name + type: object + required: + - secret + type: object + primaryGroup: + description: PrimaryGroup specifies the primary group + for the user + type: string + shell: + description: Shell specifies the user's shell + type: string + sshAuthorizedKeys: + description: SSHAuthorizedKeys specifies a list of ssh + authorized keys for the user + items: + type: string + type: array + sudo: + description: Sudo specifies a sudo role for the user type: string required: - - key - name type: object - required: - - secret - type: object - primaryGroup: - description: PrimaryGroup specifies the primary group for the - user - type: string - shell: - description: Shell specifies the user's shell - type: string - sshAuthorizedKeys: - description: SSHAuthorizedKeys specifies a list of ssh authorized - keys for the user - items: - type: string - type: array - sudo: - description: Sudo specifies a sudo role for the user - type: string - required: - - name - type: object - type: array + type: array + type: object + type: object + required: + - template + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + cluster.x-k8s.io/provider: infrastructure-aws + cluster.x-k8s.io/v1alpha3: v1alpha3 + cluster.x-k8s.io/v1alpha4: v1alpha4 + cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 + name: rosaclusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: ROSACluster + listKind: ROSAClusterList + plural: rosaclusters + shortNames: + - rosac + singular: rosacluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this AWSManagedControl belongs + jsonPath: 
.metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Control plane infrastructure is ready for worker nodes + jsonPath: .status.ready + name: Ready + type: string + - description: API Endpoint + jsonPath: .spec.controlPlaneEndpoint.host + name: Endpoint + priority: 1 + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: ROSACluster is the Schema for the ROSAClusters API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ROSAClusterSpec defines the desired state of ROSACluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: host is the hostname on which the API server is serving. + maxLength: 512 + type: string + port: + description: port is the port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object type: object status: - description: EKSConfigStatus defines the observed state of the Amazon - EKS Bootstrap Configuration. + description: ROSAClusterStatus defines the observed state of ROSACluster. properties: conditions: - description: Conditions defines current service state of the EKSConfig. 
+ description: Conditions defines current service state of the ROSACluster. items: description: Condition defines an observation of a Cluster API resource operational state. properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. 
@@ -15472,31 +18527,37 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime - status - type type: object - type: array - dataSecretName: - description: DataSecretName is the name of the secret that stores - the bootstrap data script. - type: string - failureMessage: - description: FailureMessage will be set on non-retryable errors - type: string - failureReason: - description: FailureReason will be set on non-retryable errors - type: string - observedGeneration: - description: ObservedGeneration is the latest generation observed - by the controller. - format: int64 - type: integer + type: array + failureDomains: + additionalProperties: + description: |- + FailureDomainSpec is the Schema for Cluster API failure domains. + It allows controllers to understand how many failure domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: controlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains specifies a list fo available availability + zones that can be used + type: object ready: - description: Ready indicates the BootstrapData secret is ready to - be consumed + description: Ready is when the ROSAControlPlane has a API server URL. type: boolean type: object type: object 
@@ -15509,43 +18570,39 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capa-system/capa-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 cluster.x-k8s.io/v1alpha4: v1alpha4 cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: eksconfigtemplates.bootstrap.cluster.x-k8s.io + name: rosacontrolplanes.controlplane.cluster.x-k8s.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: capa-webhook-service - namespace: capa-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: bootstrap.cluster.x-k8s.io + group: controlplane.cluster.x-k8s.io names: categories: - cluster-api - kind: EKSConfigTemplate - listKind: EKSConfigTemplateList - plural: eksconfigtemplates + kind: ROSAControlPlane + listKind: ROSAControlPlaneList + plural: rosacontrolplanes shortNames: - - eksct - singular: eksconfigtemplate + - rosacp + singular: rosacontrolplane scope: Namespaced versions: - - name: v1beta1 + - additionalPrinterColumns: + - description: Cluster to which this RosaControl belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Control plane infrastructure is ready for worker nodes + jsonPath: .status.ready + name: Ready + type: string + name: v1beta2 schema: openAPIV3Schema: - description: EKSConfigTemplate is the Amazon EKS Bootstrap Configuration Template - API. + description: ROSAControlPlane is the Schema for the ROSAControlPlanes API. properties: apiVersion: description: |- 
@@ -15565,759 +18622,741 @@ spec: metadata: type: object spec: - description: EKSConfigTemplateSpec defines the desired state of templated - EKSConfig Amazon EKS Bootstrap Configuration resources. + description: RosaControlPlaneSpec defines the desired state of ROSAControlPlane. properties: - template: - description: EKSConfigTemplateResource defines the Template structure. + additionalTags: + additionalProperties: + type: string + description: AdditionalTags are user-defined tags to be added on the + AWS resources associated with the control plane. + type: object + auditLogRoleARN: + description: |- + AuditLogRoleARN defines the role that is used to forward audit logs to AWS CloudWatch. + If not set, audit log forwarding is disabled. + type: string + availabilityZones: + description: |- + AvailabilityZones describe AWS AvailabilityZones of the worker nodes. + should match the AvailabilityZones of the provided Subnets. + a machinepool will be created for each availabilityZone. + items: + type: string + type: array + billingAccount: + description: |- + BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA HCP clusters. + The cost of running each ROSA HCP cluster will be billed to the infrastructure account in which the cluster + is running. + type: string + x-kubernetes-validations: + - message: billingAccount is immutable + rule: self == oldSelf + - message: billingAccount must be a valid AWS account ID + rule: self.matches('^[0-9]{12}$') + channelGroup: + default: stable + description: OpenShift version channel group, default is stable. + enum: + - stable + - eus + - fast + - candidate + - nightly + type: string + clusterRegistryConfig: + description: ClusterRegistryConfig represents registry config used + with the cluster. properties: - spec: - description: EKSConfigSpec defines the desired state of Amazon - EKS Bootstrap Configuration. 
+ additionalTrustedCAs: + additionalProperties: + type: string + description: |- + AdditionalTrustedCAs containing the registry hostname as the key, and the PEM-encoded certificate as the value, + for each additional registry CA to trust. + type: object + allowedRegistriesForImport: + description: |- + AllowedRegistriesForImport limits the container image registries that normal users may import + images from. Set this list to the registries that you trust to contain valid Docker + images and that you want applications to be able to import from. + items: + description: RegistryLocation contains a location of the registry + specified by the registry domain name. + properties: + domainName: + description: |- + domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'. + In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well. + type: string + insecure: + default: false + description: insecure indicates whether the registry is + secure (https) or insecure (http), default is secured. + type: boolean + type: object + type: array + registrySources: + description: |- + RegistrySources contains configuration that determines how the container runtime + should treat individual registries when accessing images. It does not contain configuration + for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive. properties: - apiRetryAttempts: - description: APIRetryAttempts is the number of retry attempts - for AWS API call. - type: integer - containerRuntime: - description: ContainerRuntime specify the container runtime - to use when bootstrapping EKS. - type: string - dnsClusterIP: - description: ' DNSClusterIP overrides the IP address to use - for DNS queries within the cluster.' - type: string - dockerConfigJson: + allowedRegistries: description: |- - DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. 
Useful if you want a custom config differing from the default one in the AMI. - This is expected to be a json string. - type: string - kubeletExtraArgs: - additionalProperties: + AllowedRegistries are the registries for which image pull and push actions are allowed. + To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, + For example, *.example.com. + You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. + All other registries are blocked. + items: type: string - description: KubeletExtraArgs passes the specified kubelet - args into the Amazon EKS machine bootstrap script - type: object - pauseContainer: - description: PauseContainer allows customization of the pause - container to use. - properties: - accountNumber: - description: ' AccountNumber is the AWS account number - to pull the pause container from.' - type: string - version: - description: Version is the tag of the pause container - to use. - type: string - required: - - accountNumber - - version - type: object - serviceIPV6Cidr: + type: array + blockedRegistries: description: |- - ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then - the ip family will be set to ipv6. - type: string - useMaxPods: - description: UseMaxPods sets --max-pods for the kubelet when - true. - type: boolean + BlockedRegistries are the registries for which image pull and push actions are denied. + To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, + For example, *.example.com. + You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. + All other registries are allowed. + items: + type: string + type: array + insecureRegistries: + description: |- + InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections. 
+ To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, + For example, *.example.com. + You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. + items: + type: string + type: array type: object type: object - required: - - template - type: object - type: object - served: false - storage: false - - name: v1beta2 - schema: - openAPIV3Schema: - description: EKSConfigTemplate is the Amazon EKS Bootstrap Configuration Template - API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EKSConfigTemplateSpec defines the desired state of templated - EKSConfig Amazon EKS Bootstrap Configuration resources. - properties: - template: - description: EKSConfigTemplateResource defines the Template structure. + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. properties: - spec: - description: EKSConfigSpec defines the desired state of Amazon - EKS Bootstrap Configuration. + host: + description: host is the hostname on which the API server is serving. + maxLength: 512 + type: string + port: + description: port is the port on which the API server is serving. 
+ format: int32 + type: integer + required: + - host + - port + type: object + credentialsSecretRef: + description: |- + CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API. + The secret should contain the following data keys: + - ocmToken: eyJhbGciOiJIUzI1NiIsI.... + - ocmApiUrl: Optional, defaults to 'https://api.openshift.com' + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + defaultMachinePoolSpec: + description: |- + DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation. + One MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators + to work properly. + As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider. + `rosa list machinepools -c ` can be used to view those machinepools. + + This field will be removed in the future once the current limitation is resolved. + properties: + autoscaling: + description: |- + Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value + must be equal or multiple of the availability zones count. properties: - apiRetryAttempts: - description: APIRetryAttempts is the number of retry attempts - for AWS API call. + maxReplicas: + minimum: 1 type: integer - boostrapCommandOverride: - description: BootstrapCommandOverride allows you to override - the bootstrap command to use for EKS nodes. 
- type: string - containerRuntime: - description: ContainerRuntime specify the container runtime - to use when bootstrapping EKS. - type: string - diskSetup: - description: DiskSetup specifies options for the creation - of partition tables and file systems on devices. - properties: - filesystems: - description: Filesystems specifies the list of file systems - to setup. - items: - description: Filesystem defines the file systems to - be created. - properties: - device: - description: Device specifies the device name - type: string - extraOpts: - description: ExtraOpts defined extra options to - add to the command for creating the file system. - items: - type: string - type: array - filesystem: - description: Filesystem specifies the file system - type. - type: string - label: - description: Label specifies the file system label - to be used. If set to None, no label is used. - type: string - overwrite: - description: |- - Overwrite defines whether or not to overwrite any existing filesystem. - If true, any pre-existing file system will be destroyed. Use with Caution. - type: boolean - partition: - description: 'Partition specifies the partition - to use. The valid options are: "auto|any", "auto", - "any", "none", and , where NUM is the actual - partition number.' - type: string - required: - - device - - filesystem - - label - type: object - type: array - partitions: - description: Partitions specifies the list of the partitions - to setup. - items: - description: Partition defines how to create and layout - a partition. - properties: - device: - description: Device is the name of the device. - type: string - layout: - description: |- - Layout specifies the device layout. - If it is true, a single partition will be created for the entire device. - When layout is false, it means don't partition or ignore existing partitioning. 
- type: boolean - overwrite: - description: |- - Overwrite describes whether to skip checks and create the partition if a partition or filesystem is found on the device. - Use with caution. Default is 'false'. - type: boolean - tableType: - description: |- - TableType specifies the tupe of partition table. The following are supported: - 'mbr': default and setups a MS-DOS partition table - 'gpt': setups a GPT partition table - type: string - required: - - device - - layout - type: object - type: array - type: object - dnsClusterIP: - description: ' DNSClusterIP overrides the IP address to use - for DNS queries within the cluster.' - type: string - dockerConfigJson: - description: |- - DockerConfigJson is used for the contents of the /etc/docker/daemon.json file. Useful if you want a custom config differing from the default one in the AMI. - This is expected to be a json string. - type: string - files: - description: Files specifies extra files to be passed to user_data - upon creation. - items: - description: File defines the input for generating write_files - in cloud-init. + minReplicas: + minimum: 1 + type: integer + type: object + instanceType: + description: The instance type to use, for example `r5.xlarge`. + Instance type ref; https://aws.amazon.com/ec2/instance-types/ + type: string + volumeSize: + description: VolumeSize set the disk volume size for the default + workers machine pool in Gib. The default is 300 GiB. + maximum: 16384 + minimum: 75 + type: integer + type: object + domainPrefix: + description: |- + DomainPrefix is an optional prefix added to the cluster's domain name. It will be used + when generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label + consisting of lower case alphanumeric characters or '-', start with an alphabetic character + end with an alphanumeric character and have a max length of 15 characters. 
+ maxLength: 15 + pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ + type: string + x-kubernetes-validations: + - message: domainPrefix is immutable + rule: self == oldSelf + enableExternalAuthProviders: + default: false + description: EnableExternalAuthProviders enables external authentication + configuration for the cluster. + type: boolean + x-kubernetes-validations: + - message: enableExternalAuthProviders is immutable + rule: self == oldSelf + endpointAccess: + default: Public + description: |- + EndpointAccess specifies the publishing scope of cluster endpoints. The + default is Public. + enum: + - Public + - Private + type: string + etcdEncryptionKMSARN: + description: |- + EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be + created out-of-band by the user and tagged with `red-hat:true`. + type: string + externalAuthProviders: + description: |- + ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster. + Can only be set if "enableExternalAuthProviders" is set to "True". + + At most one provider can be configured. + items: + description: ExternalAuthProvider is an external OIDC identity provider + that can issue tokens for this cluster + properties: + claimMappings: + description: |- + ClaimMappings describes rules on how to transform information from an + ID token into a cluster identity + properties: + groups: + description: |- + Groups is a name of the claim that should be used to construct + groups for the cluster identity. + The referenced claim must use array of strings values. properties: - append: - description: Append specifies whether to append Content - to existing file if Path exists. - type: boolean - content: - description: Content is the actual content of the file. - type: string - contentFrom: - description: ContentFrom is a referenced source of content - to populate the file. 
- properties: - secret: - description: Secret represents a secret that should - populate this file. - properties: - key: - description: Key is the key in the secret's - data map for this value. - type: string - name: - description: Name of the secret in the KubeadmBootstrapConfig's - namespace to use. - type: string - required: - - key - - name - type: object - required: - - secret - type: object - encoding: - description: Encoding specifies the encoding of the - file contents. - enum: - - base64 - - gzip - - gzip+base64 + claim: + description: Claim is a JWT token claim to be used in + the mapping type: string - owner: - description: Owner specifies the ownership of the file, - e.g. "root:root". + prefix: + description: |- + Prefix is a string to prefix the value from the token in the result of the + claim mapping. + + By default, no prefixing occurs. + + Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains + an array of strings "a", "b" and "c", the mapping will result in an + array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string - path: - description: Path specifies the full path on disk where - to store the file. + required: + - claim + type: object + username: + description: |- + Username is a name of the claim that should be used to construct + usernames for the cluster identity. + + Default value: "sub" + properties: + claim: + description: Claim is a JWT token claim to be used in + the mapping type: string - permissions: - description: Permissions specifies the permissions to - assign to the file, e.g. "0640". + prefix: + description: Prefix is prepended to claim to prevent + clashes with existing names. + minLength: 1 + type: string + prefixPolicy: + description: |- + PrefixPolicy specifies how a prefix should apply. + + By default, claims other than `email` will be prefixed with the issuer URL to + prevent naming clashes with other plugins. + + Set to "NoPrefix" to disable prefixing. 
+ + Example: + (1) `prefix` is set to "myoidc:" and `claim` is set to "username". + If the JWT claim `username` contains value `userA`, the resulting + mapped value will be "myoidc:userA". + (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the + JWT `email` claim contains value "userA@myoidc.tld", the resulting + mapped value will be "myoidc:userA@myoidc.tld". + (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + (a) "username": the mapped value will be "https://myoidc.tld#userA" + (b) "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix type: string required: - - path + - claim type: object - type: array - kubeletExtraArgs: - additionalProperties: - type: string - description: KubeletExtraArgs passes the specified kubelet - args into the Amazon EKS machine bootstrap script - type: object - mounts: - description: Mounts specifies a list of mount points to be - setup. - items: - description: MountPoints defines input for generated mounts - in cloud-init. - items: - type: string - type: array - type: array - ntp: - description: NTP specifies NTP configuration - properties: - enabled: - description: Enabled specifies whether NTP should be enabled - type: boolean - servers: - description: Servers specifies which NTP servers to use - items: - type: string - type: array - type: object - pauseContainer: - description: PauseContainer allows customization of the pause - container to use. + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'self.prefixPolicy == ''Prefix'' ? has(self.prefix) + : !has(self.prefix)' + type: object + claimValidationRules: + description: ClaimValidationRules are rules that are applied + to validate token claims to authenticate users. 
+ items: + description: TokenClaimValidationRule validates token claims + to authenticate users. properties: - accountNumber: - description: ' AccountNumber is the AWS account number - to pull the pause container from.' - type: string - version: - description: Version is the tag of the pause container - to use. + requiredClaim: + description: RequiredClaim allows configuring a required + claim name and its expected value + properties: + claim: + description: |- + Claim is a name of a required claim. Only claims with string values are + supported. + minLength: 1 + type: string + requiredValue: + description: RequiredValue is the required value for + the claim. + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + default: RequiredClaim + description: Type sets the type of the validation rule + enum: + - RequiredClaim type: string required: - - accountNumber - - version + - requiredClaim + - type type: object - postBootstrapCommands: - description: PostBootstrapCommands specifies extra commands - to run after bootstrapping nodes to the cluster - items: - type: string - type: array - preBootstrapCommands: - description: PreBootstrapCommands specifies extra commands - to run before bootstrapping nodes to the cluster - items: - type: string - type: array - serviceIPV6Cidr: - description: |- - ServiceIPV6Cidr is the ipv6 cidr range of the cluster. If this is specified then - the ip family will be set to ipv6. - type: string - useMaxPods: - description: UseMaxPods sets --max-pods for the kubelet when - true. - type: boolean - users: - description: Users specifies extra users to add - items: - description: User defines the input for a generated user - in cloud-init. 
- properties: - gecos: - description: Gecos specifies the gecos to use for the - user - type: string - groups: - description: Groups specifies the additional groups - for the user - type: string - homeDir: - description: HomeDir specifies the home directory to - use for the user - type: string - inactive: - description: Inactive specifies whether to mark the - user as inactive - type: boolean - lockPassword: - description: LockPassword specifies if password login - should be disabled - type: boolean - name: - description: Name specifies the username - type: string - passwd: - description: Passwd specifies a hashed password for - the user - type: string - passwdFrom: - description: PasswdFrom is a referenced source of passwd - to populate the passwd. - properties: - secret: - description: Secret represents a secret that should - populate this password. - properties: - key: - description: Key is the key in the secret's - data map for this value. - type: string - name: - description: Name of the secret in the KubeadmBootstrapConfig's - namespace to use. - type: string - required: - - key - - name - type: object - required: - - secret - type: object - primaryGroup: - description: PrimaryGroup specifies the primary group - for the user - type: string - shell: - description: Shell specifies the user's shell - type: string - sshAuthorizedKeys: - description: SSHAuthorizedKeys specifies a list of ssh - authorized keys for the user - items: - type: string - type: array - sudo: - description: Sudo specifies a sudo role for the user + type: array + x-kubernetes-list-type: atomic + issuer: + description: Issuer describes attributes of the OIDC token issuer + properties: + audiences: + description: |- + Audiences is an array of audiences that the token was issued for. + Valid tokens must include at least one of these values in their + "aud" claim. + Must be set to exactly one value. + items: + description: TokenAudience is the audience that the token + was issued for. 
+ minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + CertificateAuthority is a reference to a config map in the + configuration namespace. The .data of the configMap must contain + the "ca-bundle.crt" key. + If unset, system trust is used instead. + properties: + name: + description: Name is the metadata.name of the referenced + object. type: string required: - name type: object - type: array - type: object - type: object - required: - - template - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - labels: - cluster.x-k8s.io/provider: infrastructure-aws - cluster.x-k8s.io/v1alpha3: v1alpha3 - cluster.x-k8s.io/v1alpha4: v1alpha4 - cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: rosaclusters.infrastructure.cluster.x-k8s.io -spec: - group: infrastructure.cluster.x-k8s.io - names: - categories: - - cluster-api - kind: ROSACluster - listKind: ROSAClusterList - plural: rosaclusters - shortNames: - - rosac - singular: rosacluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster to which this AWSManagedControl belongs - jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name - name: Cluster - type: string - - description: Control plane infrastructure is ready for worker nodes - jsonPath: .status.ready - name: Ready - type: string - - description: API Endpoint - jsonPath: .spec.controlPlaneEndpoint.host - name: Endpoint - priority: 1 - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: ROSACluster is the Schema for the ROSAClusters API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ROSAClusterSpec defines the desired state of ROSACluster. - properties: - controlPlaneEndpoint: - description: ControlPlaneEndpoint represents the endpoint used to - communicate with the control plane. - properties: - host: - description: The hostname on which the API server is serving. - type: string - port: - description: The port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - type: object - status: - description: ROSAClusterStatus defines the observed state of ROSACluster. - properties: - conditions: - description: Conditions defines current service state of the ROSACluster. - items: - description: Condition defines an observation of a Cluster API resource - operational state. - properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. 
- This field may be empty. - type: string - severity: - description: |- - severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: status of the condition, one of True, False, Unknown. + issuerURL: + description: |- + URL is the serving URL of the token issuer. + Must use the https:// scheme. + pattern: ^https:\/\/[^\s] + type: string + required: + - audiences + - issuerURL + type: object + name: + description: Name of the OIDC provider + minLength: 1 type: string - type: + oidcClients: description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string + OIDCClients contains configuration for the platform's clients that + need to request tokens from the issuer + items: + description: |- + OIDCClientConfig contains configuration for the platform's client that + need to request tokens from the issuer. + properties: + clientID: + description: ClientID is the identifier of the OIDC client + from the OIDC provider + minLength: 1 + type: string + clientSecret: + description: |- + ClientSecret refers to a secret that + contains the client secret in the `clientSecret` key of the `.data` field + properties: + name: + description: Name is the metadata.name of the referenced + object. 
+ type: string + required: + - name + type: object + componentName: + description: |- + ComponentName is the name of the component that is supposed to consume this + client configuration + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + ComponentNamespace is the namespace of the component that is supposed to consume this + client configuration + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: ExtraScopes is an optional set of scopes + to request tokens with. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - clientSecret + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map required: - - lastTransitionTime - - status - - type + - issuer + - name type: object + maxItems: 1 type: array - failureDomains: - additionalProperties: - description: |- - FailureDomainSpec is the Schema for Cluster API failure domains. - It allows controllers to understand how many failure domains a cluster can optionally span across. - properties: - attributes: - additionalProperties: - type: string - description: attributes is a free form map of attributes an - infrastructure provider might use or require. - type: object - controlPlane: - description: controlPlane determines if this failure domain - is suitable for use by control plane machines. - type: boolean - type: object - description: FailureDomains specifies a list fo available availability - zones that can be used + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + identityRef: + description: |- + IdentityRef is a reference to an identity to be used when reconciling the managed control plane. + If no identity is specified, the default identity for this controller will be used. + properties: + kind: + description: Kind of the identity. 
+ enum: + - AWSClusterControllerIdentity + - AWSClusterRoleIdentity + - AWSClusterStaticIdentity + type: string + name: + description: Name of the identity. + minLength: 1 + type: string + required: + - kind + - name + type: object + installerRoleARN: + description: |- + InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster. + Required if RosaRoleConfigRef is not specified. + type: string + network: + description: Network config for the ROSA HCP cluster. + properties: + hostPrefix: + default: 23 + description: Network host prefix which is defaulted to `23` if + not specified. + type: integer + machineCIDR: + description: IP addresses block used by OpenShift while installing + the cluster, for example "10.0.0.0/16". + format: cidr + type: string + networkType: + default: OVNKubernetes + description: The CNI network type default is OVNKubernetes. + enum: + - OVNKubernetes + - Other + type: string + podCIDR: + description: IP address block from which to assign pod IP addresses, + for example `10.128.0.0/14`. + format: cidr + type: string + serviceCIDR: + description: IP address block from which to assign service IP + addresses, for example `172.30.0.0/16`. + format: cidr + type: string type: object - ready: - description: Ready is when the ROSAControlPlane has a API server URL. 
- type: boolean - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - labels: - cluster.x-k8s.io/provider: infrastructure-aws - cluster.x-k8s.io/v1alpha3: v1alpha3 - cluster.x-k8s.io/v1alpha4: v1alpha4 - cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: rosacontrolplanes.controlplane.cluster.x-k8s.io -spec: - group: controlplane.cluster.x-k8s.io - names: - categories: - - cluster-api - kind: ROSAControlPlane - listKind: ROSAControlPlaneList - plural: rosacontrolplanes - shortNames: - - rosacp - singular: rosacontrolplane - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster to which this RosaControl belongs - jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name - name: Cluster - type: string - - description: Control plane infrastructure is ready for worker nodes - jsonPath: .status.ready - name: Ready - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: ROSAControlPlane is the Schema for the ROSAControlPlanes API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: RosaControlPlaneSpec defines the desired state of ROSAControlPlane. 
- properties: - additionalTags: - additionalProperties: - type: string - description: AdditionalTags are user-defined tags to be added on the - AWS resources associated with the control plane. + oidcID: + description: |- + The ID of the internal OpenID Connect Provider. + Required if RosaRoleConfigRef is not specified. + type: string + x-kubernetes-validations: + - message: oidcID is immutable + rule: self == oldSelf + provisionShardID: + description: ProvisionShardID defines the shard where ROSA hosted + control plane components will be hosted. + type: string + x-kubernetes-validations: + - message: provisionShardID is immutable + rule: self == oldSelf + region: + description: The AWS Region the cluster lives in. + type: string + rolesRef: + description: |- + AWS IAM roles used to perform credential requests by the openshift operators. + Required if RosaRoleConfigRef is not specified. + properties: + controlPlaneOperatorARN: + description: "ControlPlaneOperatorARN is an ARN value referencing + a role appropriate for the Control Plane Operator.\n\nThe following + is an example of a valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + 
[\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" + type: string + imageRegistryARN: + description: "ImageRegistryARN is an ARN value referencing a role + appropriate for the Image Registry Operator.\n\nThe following + is an example of a valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + ingressARN: + description: "The referenced role must have a trust relationship + that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": + \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": + \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": + {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName + }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN + is an ARN value referencing a role appropriate for the Ingress + Operator.\n\nThe following is an example of a 
valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" + type: string + kmsProviderARN: + type: string + kubeCloudControllerARN: + description: |- + KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. + Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies + + The following is an example of a valid policy document: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeTags", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeVpcs", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + 
"elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:CreateServiceLinkedRole", + "kms:DescribeKey" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + } + ] + } + type: string + networkARN: + description: "NetworkARN is an ARN value referencing a role appropriate + for the Network Operator.\n\nThe following is an example of + a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n + \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n + \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + 
nodePoolManagementARN: + description: "NodePoolManagementARN is an ARN value referencing + a role appropriate for the CAPI Controller.\n\nThe following + is an example of a valid policy document:\n\n{\n \"Version\": + \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n + \ \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n + \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n + \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n + \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n + \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n \"ec2:DeleteInternetGateway\",\n + \ \"ec2:DeleteNatGateway\",\n \"ec2:DeleteRouteTable\",\n + \ \"ec2:DeleteSecurityGroup\",\n \"ec2:DeleteSubnet\",\n + \ \"ec2:DeleteTags\",\n \"ec2:DescribeAccountAttributes\",\n + \ \"ec2:DescribeAddresses\",\n \"ec2:DescribeAvailabilityZones\",\n + \ \"ec2:DescribeImages\",\n \"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNatGateways\",\n + \ \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeNetworkInterfaceAttribute\",\n + \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n + \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n + \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n + \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n + \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n + \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n + \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n + \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n + \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n + \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n + \ ],\n \"Resource\": [\n \"*\"\n ],\n \"Effect\": + \"Allow\"\n },\n {\n \"Condition\": {\n \"StringLike\": + {\n \"iam:AWSServiceName\": 
\"elasticloadbalancing.amazonaws.com\"\n + \ }\n },\n \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n + \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n + \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": + [\n \"iam:PassRole\"\n ],\n \"Resource\": [\n + \ \"arn:*:iam::*:role/*-worker-role\"\n ],\n \"Effect\": + \"Allow\"\n },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t \t\"Action\": + [\n\t \t\t\"kms:Decrypt\",\n\t \t\t\"kms:ReEncrypt\",\n\t + \ \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t \t\t\"kms:DescribeKey\"\n\t + \ \t],\n\t \t\"Resource\": \"*\"\n\t },\n\t {\n\t \t\"Effect\": + \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t + \ \t],\n\t \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t + \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": + true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" + type: string + storageARN: + description: "StorageARN is an ARN value referencing a role appropriate + for the Storage Operator.\n\nThe following is an example of + a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + required: + - controlPlaneOperatorARN + - imageRegistryARN + - ingressARN + - kmsProviderARN + - kubeCloudControllerARN + - networkARN + - nodePoolManagementARN + - storageARN type: object - auditLogRoleARN: - description: |- - AuditLogRoleARN 
defines the role that is used to forward audit logs to AWS CloudWatch. - If not set, audit log forwarding is disabled. - type: string - availabilityZones: - description: |- - AvailabilityZones describe AWS AvailabilityZones of the worker nodes. - should match the AvailabilityZones of the provided Subnets. - a machinepool will be created for each availabilityZone. - items: - type: string - type: array - billingAccount: + rosaClusterName: description: |- - BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA HCP clusters. - The cost of running each ROSA HCP cluster will be billed to the infrastructure account in which the cluster - is running. + Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric + characters or '-', start with an alphabetic character, end with an alphanumeric character + and have a max length of 54 characters. + maxLength: 54 + pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ type: string x-kubernetes-validations: - - message: billingAccount is immutable + - message: rosaClusterName is immutable rule: self == oldSelf - - message: billingAccount must be a valid AWS account ID - rule: self.matches('^[0-9]{12}$') - channelGroup: - default: stable - description: OpenShift version channel group, default is stable. - enum: - - stable - - candidate - - nightly - type: string - clusterRegistryConfig: - description: ClusterRegistryConfig represents registry config used - with the cluster. - properties: - additionalTrustedCAs: - additionalProperties: - type: string - description: |- - AdditionalTrustedCAs containing the registry hostname as the key, and the PEM-encoded certificate as the value, - for each additional registry CA to trust. - type: object - allowedRegistriesForImport: - description: |- - AllowedRegistriesForImport limits the container image registries that normal users may import - images from. 
Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. - items: - description: RegistryLocation contains a location of the registry - specified by the registry domain name. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'. - In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well. - type: string - insecure: - default: false - description: insecure indicates whether the registry is - secure (https) or insecure (http), default is secured. - type: boolean - type: object - type: array - registrySources: - description: |- - RegistrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images. It does not contain configuration - for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive. - properties: - allowedRegistries: - description: |- - AllowedRegistries are the registries for which image pull and push actions are allowed. - To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, - For example, *.example.com. - You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. - All other registries are blocked. - items: - type: string - type: array - blockedRegistries: - description: |- - BlockedRegistries are the registries for which image pull and push actions are denied. - To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, - For example, *.example.com. - You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. - All other registries are allowed. 
- items: - type: string - type: array - insecureRegistries: - description: |- - InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections. - To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, - For example, *.example.com. - You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. - items: - type: string - type: array - type: object - type: object - controlPlaneEndpoint: - description: ControlPlaneEndpoint represents the endpoint used to - communicate with the control plane. - properties: - host: - description: The hostname on which the API server is serving. - type: string - port: - description: The port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - credentialsSecretRef: + rosaRoleConfigRef: description: |- - CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API. - The secret should contain the following data keys: - - ocmToken: eyJhbGciOiJIUzI1NiIsI.... - - ocmApiUrl: Optional, defaults to 'https://api.openshift.com' + RosaRoleConfigRef is a reference to a RosaRoleConfig resource that contains account roles, operator roles and OIDC configuration. + RosaRoleConfigRef and role fields such as installerRoleARN, supportRoleARN, workerRoleARN, rolesRef and oidcID are mutually exclusive. properties: name: default: "" 
@@ -16330,672 +19369,437 @@ spec: type: string type: object x-kubernetes-map-type: atomic - defaultMachinePoolSpec: + subnets: description: |- - DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation. - One MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators - to work properly. - As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider. - `rosa list machinepools -c ` can be used to view those machinepools. - - This field will be removed in the future once the current limitation is resolved. - properties: - autoscaling: - description: |- - Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value - must be equal or multiple of the availability zones count. - properties: - maxReplicas: - minimum: 1 - type: integer - minReplicas: - minimum: 1 - type: integer - type: object - instanceType: - description: The instance type to use, for example `r5.xlarge`. - Instance type ref; https://aws.amazon.com/ec2/instance-types/ - type: string - volumeSize: - description: VolumeSize set the disk volume size for the default - workers machine pool in Gib. The default is 300 GiB. - maximum: 16384 - minimum: 75 - type: integer - type: object - domainPrefix: + The Subnet IDs to use when installing the cluster. + SubnetIDs should come in pairs; two per availability zone, one private and one public. + items: + type: string + type: array + supportRoleARN: description: |- - DomainPrefix is an optional prefix added to the cluster's domain name. It will be used - when generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label - consisting of lower case alphanumeric characters or '-', start with an alphabetic character - end with an alphanumeric character and have a max length of 15 characters. 
- maxLength: 15 - pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ + SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable + access to the cluster account in order to provide support. + Required if RosaRoleConfigRef is not specified. type: string - x-kubernetes-validations: - - message: domainPrefix is immutable - rule: self == oldSelf - enableExternalAuthProviders: - default: false - description: EnableExternalAuthProviders enables external authentication - configuration for the cluster. - type: boolean - x-kubernetes-validations: - - message: enableExternalAuthProviders is immutable - rule: self == oldSelf - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - Private + version: + description: OpenShift semantic version, for example "4.14.5". type: string - etcdEncryptionKMSARN: + versionGate: + default: WaitForAcknowledge description: |- - EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be - created out-of-band by the user and tagged with `red-hat:true`. + VersionGate requires acknowledgment when upgrading ROSA-HCP y-stream versions (e.g., from 4.15 to 4.16). + Default is WaitForAcknowledge. + WaitForAcknowledge: If acknowledgment is required, the upgrade will not proceed until VersionGate is set to Acknowledge or AlwaysAcknowledge. + Acknowledge: If acknowledgment is required, apply it for the upgrade. After upgrade is done set the version gate to WaitForAcknowledge. + AlwaysAcknowledge: If acknowledgment is required, apply it and proceed with the upgrade. + enum: + - Acknowledge + - WaitForAcknowledge + - AlwaysAcknowledge type: string - externalAuthProviders: + workerRoleARN: description: |- - ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster. - Can only be set if "enableExternalAuthProviders" is set to "True". 
- - At most one provider can be configured. + WorkerRoleARN is an AWS IAM role that will be attached to worker instances. + Required if RosaRoleConfigRef is not specified. + type: string + required: + - availabilityZones + - channelGroup + - region + - rosaClusterName + - subnets + - version + - versionGate + type: object + status: + description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane. + properties: + availableUpgrades: + description: Available upgrades for the ROSA hosted control plane. items: - description: ExternalAuthProvider is an external OIDC identity provider - that can issue tokens for this cluster + type: string + type: array + conditions: + description: Conditions specifies the conditions for the managed control + plane + items: + description: Condition defines an observation of a Cluster API resource + operational state. properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be used in - the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. 
- - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be used in - the mapping - type: string - prefix: - description: Prefix is prepended to claim to prevent - clashes with existing names. - minLength: 1 - type: string - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'self.prefixPolicy == ''Prefix'' ? has(self.prefix) - : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are applied - to validate token claims to authenticate users. - items: - description: TokenClaimValidationRule validates token claims - to authenticate users. - properties: - requiredClaim: - description: RequiredClaim allows configuring a required - claim name and its expected value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. 
- minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required value for - the claim. - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation rule - enum: - - RequiredClaim - type: string - required: - - requiredClaim - - type - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes attributes of the OIDC token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - description: TokenAudience is the audience that the token - was issued for. - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: Name is the metadata.name of the referenced - object. - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. - pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - description: |- - OIDCClientConfig contains configuration for the platform's client that - need to request tokens from the issuer. 
- properties: - clientID: - description: ClientID is the identifier of the OIDC client - from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: Name is the metadata.name of the referenced - object. - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of scopes - to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - clientSecret - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This field may be empty. + maxLength: 10240 + minLength: 1 + type: string + reason: + description: |- + reason is the reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may be empty. 
+ maxLength: 256 + minLength: 1 + type: string + severity: + description: |- + severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + maxLength: 32 + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 + type: string required: - - issuer - - name + - lastTransitionTime + - status + - type type: object - maxItems: 1 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - identityRef: + consoleURL: + description: ConsoleURL is the url for the openshift console. + type: string + externalManagedControlPlane: + default: true description: |- - IdentityRef is a reference to an identity to be used when reconciling the managed control plane. - If no identity is specified, the default identity for this controller will be used. - properties: - kind: - description: Kind of the identity. - enum: - - AWSClusterControllerIdentity - - AWSClusterRoleIdentity - - AWSClusterStaticIdentity - type: string - name: - description: Name of the identity. - minLength: 1 - type: string - required: - - kind - - name - type: object - installerRoleARN: - description: InstallerRoleARN is an AWS IAM role that OpenShift Cluster - Manager will assume to create the cluster.. + ExternalManagedControlPlane indicates to cluster-api that the control plane + is managed by an external service such as AKS, EKS, GKE, etc. 
+ type: boolean + failureMessage: + description: |- + FailureMessage will be set in the event that there is a terminal problem + reconciling the state and will be set to a descriptive error message. + + This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over + time (like service outages), but instead indicate that something is + fundamentally wrong with the spec or the configuration of + the controller, and that manual intervention is required. type: string - network: - description: Network config for the ROSA HCP cluster. + id: + description: ID is the cluster ID given by ROSA. + type: string + initialized: + description: |- + Initialized denotes whether or not the control plane has the + uploaded kubernetes config-map. + type: boolean + oidcEndpointURL: + description: OIDCEndpointURL is the endpoint url for the managed OIDC + provider. + type: string + ready: + default: false + description: Ready denotes that the ROSAControlPlane API Server is + ready to receive requests. + type: boolean + version: + description: OpenShift semantic version, for example "4.14.5". 
+ type: string + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + cluster.x-k8s.io/provider: infrastructure-aws + cluster.x-k8s.io/v1alpha3: v1alpha3 + cluster.x-k8s.io/v1alpha4: v1alpha4 + cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 + name: rosamachinepools.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: ROSAMachinePool + listKind: ROSAMachinePoolList + plural: rosamachinepools + shortNames: + - rosamp + singular: rosamachinepool + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: MachinePool ready status + jsonPath: .status.ready + name: Ready + type: string + - description: Number of replicas + jsonPath: .status.replicas + name: Replicas + type: integer + name: v1beta2 + schema: + openAPIV3Schema: + description: ROSAMachinePool is the Schema for the rosamachinepools API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RosaMachinePoolSpec defines the desired state of RosaMachinePool. 
+ properties: + additionalSecurityGroups: + description: |- + AdditionalSecurityGroups is an optional set of security groups to associate + with all node instances of the machine pool. + items: + type: string + type: array + additionalTags: + additionalProperties: + type: string + description: AdditionalTags are user-defined tags to be added on the + underlying EC2 instances associated with this machine pool. + type: object + autoRepair: + default: true + description: |- + AutoRepair specifies whether health checks should be enabled for machines + in the NodePool. The default is true. + type: boolean + autoscaling: + description: |- + Autoscaling specifies auto scaling behaviour for this MachinePool. + required if Replicas is not configured properties: - hostPrefix: - default: 23 - description: Network host prefix which is defaulted to `23` if - not specified. + maxReplicas: + minimum: 1 + type: integer + minReplicas: + minimum: 1 type: integer - machineCIDR: - description: IP addresses block used by OpenShift while installing - the cluster, for example "10.0.0.0/16". - format: cidr - type: string - networkType: - default: OVNKubernetes - description: The CNI network type default is OVNKubernetes. - enum: - - OVNKubernetes - - Other - type: string - podCIDR: - description: IP address block from which to assign pod IP addresses, - for example `10.128.0.0/14`. - format: cidr - type: string - serviceCIDR: - description: IP address block from which to assign service IP - addresses, for example `172.30.0.0/16`. - format: cidr - type: string type: object - oidcID: - description: The ID of the internal OpenID Connect Provider. + availabilityZone: + description: |- + AvailabilityZone is an optinal field specifying the availability zone where instances of this machine pool should run + For Multi-AZ clusters, you can create a machine pool in a Single-AZ of your choice. 
type: string - x-kubernetes-validations: - - message: oidcID is immutable - rule: self == oldSelf - provisionShardID: - description: ProvisionShardID defines the shard where ROSA hosted - control plane components will be hosted. + capacityReservationID: + description: |- + CapacityReservationID specifies the ID of an AWS On-Demand Capacity Reservation and Capacity Blocks for ML. + The CapacityReservationID must be pre-created in advance, before creating a NodePool. + type: string + instanceType: + description: InstanceType specifies the AWS instance type + type: string + labels: + additionalProperties: + type: string + description: Labels specifies labels for the Kubernetes node objects + type: object + nodeDrainGracePeriod: + description: |- + NodeDrainGracePeriod is grace period for how long Pod Disruption Budget-protected workloads will be + respected during upgrades. After this grace period, any workloads protected by Pod Disruption + Budgets that have not been successfully drained from a node will be forcibly evicted. + + Valid values are from 0 to 1 week(10080m|168h) . + 0 or empty value means that the MachinePool can be drained without any time limitation. + type: string + nodePoolName: + description: |- + NodePoolName specifies the name of the nodepool in Rosa + must be a valid DNS-1035 label, so it must consist of lower case alphanumeric and have a max length of 15 characters. + maxLength: 15 + pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ type: string x-kubernetes-validations: - - message: provisionShardID is immutable + - message: nodepoolName is immutable rule: self == oldSelf - region: - description: The AWS Region the cluster lives in. + providerIDList: + description: ProviderIDList contain a ProviderID for each machine + instance that's currently managed by this machine pool. + items: + type: string + type: array + subnet: type: string - rolesRef: - description: AWS IAM roles used to perform credential requests by - the openshift operators. 
+ x-kubernetes-validations: + - message: subnet is immutable + rule: self == oldSelf + taints: + description: Taints specifies the taints to apply to the nodes of + the machine pool + items: + description: RosaTaint represents a taint to be applied to a node. + properties: + effect: + description: |- + The effect of the taint on pods that do not tolerate the taint. + Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + enum: + - NoSchedule + - PreferNoSchedule + - NoExecute + type: string + key: + description: The taint key to be applied to a node. + type: string + value: + description: The taint value corresponding to the taint key. + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + required: + - effect + - key + type: object + type: array + tuningConfigs: + description: |- + TuningConfigs specifies the names of the tuning configs to be applied to this MachinePool. + Tuning configs must already exist. + items: + type: string + type: array + updateConfig: + description: UpdateConfig specifies update configurations. 
properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value referencing - a role appropriate for the Control Plane Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing a role - appropriate for the Image Registry Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the Ingress - Operator.\n\nThe following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kmsProviderARN: - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies + rollingUpdate: + description: RollingUpdate specifies MaxUnavailable & MaxSurge + number of nodes during update. + properties: + maxSurge: + anyOf: + - type: integer + - type: string + default: 1 + description: |- + MaxSurge is the maximum number of nodes that can be provisioned above the desired number of nodes. + Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). + Absolute number is calculated from percentage by rounding up. - The following is an example of a valid policy document: + MaxSurge can not be 0 if MaxUnavailable is 0, default is 1. + Both MaxSurge & MaxUnavailable must use the same units (absolute value or percentage). 
- { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - 
"elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a role appropriate - for the Network Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n - \ \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n \"ec2:DeleteInternetGateway\",\n - \ \"ec2:DeleteNatGateway\",\n \"ec2:DeleteRouteTable\",\n - \ \"ec2:DeleteSecurityGroup\",\n \"ec2:DeleteSubnet\",\n - \ \"ec2:DeleteTags\",\n \"ec2:DescribeAccountAttributes\",\n - \ \"ec2:DescribeAddresses\",\n \"ec2:DescribeAvailabilityZones\",\n - \ 
\"ec2:DescribeImages\",\n \"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNatGateways\",\n - \ \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n \"Effect\": - \"Allow\"\n },\n {\n \"Condition\": {\n \"StringLike\": - {\n \"iam:AWSServiceName\": \"elasticloadbalancing.amazonaws.com\"\n - \ }\n },\n \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": [\n - \ \"arn:*:iam::*:role/*-worker-role\"\n ],\n \"Effect\": - \"Allow\"\n },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t \t\"Action\": - [\n\t \t\t\"kms:Decrypt\",\n\t \t\t\"kms:ReEncrypt\",\n\t - \ \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t \t\t\"kms:DescribeKey\"\n\t - \ \t],\n\t \t\"Resource\": \"*\"\n\t },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t - \ \t],\n\t \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t 
\t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a role appropriate - for the Storage Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kmsProviderARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN + Example: when MaxSurge is set to 30%, new nodes can be provisioned immediately + when the rolling update starts, such that the total number of old and new + nodes do not exceed 130% of desired nodes. Once old nodes have been + deleted, new nodes can be provisioned, ensuring that total number of nodes + running at any time during the update is at most 130% of desired nodes. + pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + default: 0 + description: |- + MaxUnavailable is the maximum number of nodes that can be unavailable during the update. + Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). + Absolute number is calculated from percentage by rounding down. + + MaxUnavailable can not be 0 if MaxSurge is 0, default is 0. + Both MaxUnavailable & MaxSurge must use the same units (absolute value or percentage). 
+ + Example: when MaxUnavailable is set to 30%, old nodes can be deleted down to 70% of + desired nodes immediately when the rolling update starts. Once new nodes + are ready, more old nodes be deleted, followed by provisioning new nodes, + ensuring that the total number of nodes available at all times during the + update is at least 70% of desired nodes. + pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ + x-kubernetes-int-or-string: true + type: object type: object - rosaClusterName: - description: |- - Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric - characters or '-', start with an alphabetic character, end with an alphanumeric character - and have a max length of 54 characters. - maxLength: 54 - pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ - type: string - x-kubernetes-validations: - - message: rosaClusterName is immutable - rule: self == oldSelf - subnets: - description: |- - The Subnet IDs to use when installing the cluster. - SubnetIDs should come in pairs; two per availability zone, one private and one public. - items: - type: string - type: array - supportRoleARN: - description: |- - SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable - access to the cluster account in order to provide support. - type: string version: - description: OpenShift semantic version, for example "4.14.5". - type: string - versionGate: - default: WaitForAcknowledge description: |- - VersionGate requires acknowledgment when upgrading ROSA-HCP y-stream versions (e.g., from 4.15 to 4.16). - Default is WaitForAcknowledge. - WaitForAcknowledge: If acknowledgment is required, the upgrade will not proceed until VersionGate is set to Acknowledge or AlwaysAcknowledge. - Acknowledge: If acknowledgment is required, apply it for the upgrade. After upgrade is done set the version gate to WaitForAcknowledge. - AlwaysAcknowledge: If acknowledgment is required, apply it and proceed with the upgrade. 
- enum: - - Acknowledge - - WaitForAcknowledge - - AlwaysAcknowledge - type: string - workerRoleARN: - description: WorkerRoleARN is an AWS IAM role that will be attached - to worker instances. + Version specifies the OpenShift version of the nodes associated with this machinepool. + ROSAControlPlane version is used if not set. type: string + volumeSize: + description: VolumeSize set the disk volume size for the machine pool, + in Gib. The default is 300 GiB. + maximum: 16384 + minimum: 75 + type: integer required: - - availabilityZones - - channelGroup - - installerRoleARN - - oidcID - - region - - rolesRef - - rosaClusterName - - subnets - - supportRoleARN - - version - - versionGate - - workerRoleARN + - instanceType + - nodePoolName type: object status: - description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane. + description: RosaMachinePoolStatus defines the observed state of RosaMachinePool. properties: availableUpgrades: - description: Available upgrades for the ROSA hosted control plane. + description: Available upgrades for the ROSA MachinePool. items: type: string type: array conditions: - description: Conditions specifies the conditions for the managed control - plane + description: Conditions defines current service state of the managed + machine pool items: description: Condition defines an observation of a Cluster API resource operational state. properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. 
+ maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -17005,6 +19809,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -17012,15 +19818,6 @@ spec: - type type: object type: array - consoleURL: - description: ConsoleURL is the url for the openshift console. - type: string - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service such as AKS, EKS, GKE, etc. - type: boolean failureMessage: description: |- FailureMessage will be set in the event that there is a terminal problem 
@@ -17033,22 +19830,18 @@ spec: the controller, and that manual intervention is required. type: string id: - description: ID is the cluster ID given by ROSA. - type: string - initialized: - description: |- - Initialized denotes whether or not the control plane has the - uploaded kubernetes config-map. - type: boolean - oidcEndpointURL: - description: OIDCEndpointURL is the endpoint url for the managed OIDC - provider. + description: ID is the ID given by ROSA. type: string ready: default: false - description: Ready denotes that the ROSAControlPlane API Server is - ready to receive requests. + description: |- + Ready denotes that the RosaMachinePool nodepool has joined + the cluster type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer required: - ready type: object 
@@ -17062,39 +19855,31 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + cert-manager.io/inject-ca-from: capa-system/capa-serving-cert + controller-gen.kubebuilder.io/version: v0.19.0 labels: cluster.x-k8s.io/provider: infrastructure-aws cluster.x-k8s.io/v1alpha3: v1alpha3 cluster.x-k8s.io/v1alpha4: v1alpha4 cluster.x-k8s.io/v1beta1: v1beta1_v1beta2 - name: rosamachinepools.infrastructure.cluster.x-k8s.io + name: rosaroleconfigs.infrastructure.cluster.x-k8s.io spec: group: infrastructure.cluster.x-k8s.io names: categories: - cluster-api - kind: ROSAMachinePool - listKind: ROSAMachinePoolList - plural: rosamachinepools + kind: ROSARoleConfig + listKind: ROSARoleConfigList + plural: rosaroleconfigs shortNames: - - rosamp - singular: rosamachinepool + - rosarole + singular: rosaroleconfig scope: Namespaced versions: - - additionalPrinterColumns: - - description: MachinePool ready status - jsonPath: .status.ready - name: Ready - type: string - - description: Number of replicas - jsonPath: .status.replicas - name: Replicas - type: integer - name: v1beta2 + - name: v1beta2 schema: openAPIV3Schema: - description: ROSAMachinePool is the Schema for the rosamachinepools API. + description: ROSARoleConfig is the Schema for the rosaroleconfigs API properties: apiVersion: description: |- 
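Review bot: The new ROSARoleConfig CRD is annotated `cert-manager.io/inject-ca-from: capa-system/capa-serving-cert`, which hard-codes a cert-manager Certificate in the upstream `capa-system` namespace rather than whatever namespace this chart is released into. If the CRD carries a conversion webhook (its `spec.conversion` is not in this hunk), CA injection silently does nothing on a cluster without cert-manager or with the controller installed elsewhere, and conversion calls then fail TLS verification; if it has no webhook the annotation is dead weight. This manifest looks controller-gen/kustomize generated and synced from the fork, so the fix belongs in the sync step: drop the annotation or apply the same CA-injection mechanism the chart's other CRDs rely on. The CRD's `spec` continues in the following hunk.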
@@ -17114,260 +19899,415 @@ spec: metadata: type: object spec: - description: RosaMachinePoolSpec defines the desired state of RosaMachinePool. + description: ROSARoleConfigSpec defines the desired state of ROSARoleConfig properties: - additionalSecurityGroups: - description: |- - AdditionalSecurityGroups is an optional set of security groups to associate - with all node instances of the machine pool. - items: - type: string - type: array - additionalTags: - additionalProperties: - type: string - description: AdditionalTags are user-defined tags to be added on the - underlying EC2 instances associated with this machine pool. - type: object - autoRepair: - default: true - description: |- - AutoRepair specifies whether health checks should be enabled for machines - in the NodePool. The default is true. - type: boolean - autoscaling: - description: |- - Autoscaling specifies auto scaling behaviour for this MachinePool. - required if Replicas is not configured + accountRoleConfig: + description: AccountRoleConfig defines account-wide IAM roles before + creating your ROSA cluster. properties: - maxReplicas: - minimum: 1 - type: integer - minReplicas: - minimum: 1 - type: integer + path: + description: The arn path for the account/operator roles as well + as their policies. + type: string + permissionsBoundaryARN: + description: The ARN of the policy that is used to set the permissions + boundary for the account roles. + type: string + prefix: + description: User-defined prefix for all generated AWS account + role + maxLength: 4 + pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ + type: string + x-kubernetes-validations: + - message: prefix is immutable + rule: self == oldSelf + sharedVPCConfig: + description: SharedVPCConfig is used to set up shared VPC. 
+ properties: + routeRoleARN: + description: Role ARN associated with the private hosted zone + used for Hosted Control Plane cluster shared VPC, this role + contains policies to be used with Route 53 + type: string + vpcEndpointRoleArn: + description: Role ARN associated with the shared VPC used + for Hosted Control Plane clusters, this role contains policies + to be used with the VPC endpoint + type: string + type: object + version: + description: |- + Version of OpenShift that will be used to the roles tag in formate of x.y.z example; "4.19.0" + Setting the role OpenShift version tag does not affect the associated ROSAControlplane version. + type: string + x-kubernetes-validations: + - message: version is immutable + rule: self == oldSelf + required: + - prefix + - version type: object - availabilityZone: - description: |- - AvailabilityZone is an optinal field specifying the availability zone where instances of this machine pool should run - For Multi-AZ clusters, you can create a machine pool in a Single-AZ of your choice. - type: string - instanceType: - description: InstanceType specifies the AWS instance type - type: string - labels: - additionalProperties: - type: string - description: Labels specifies labels for the Kubernetes node objects + credentialsSecretRef: + description: CredentialsSecretRef references a secret with necessary + credentials to connect to the OCM API. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string type: object - nodeDrainGracePeriod: - description: |- - NodeDrainGracePeriod is grace period for how long Pod Disruption Budget-protected workloads will be - respected during upgrades. 
After this grace period, any workloads protected by Pod Disruption - Budgets that have not been successfully drained from a node will be forcibly evicted. - - Valid values are from 0 to 1 week(10080m|168h) . - 0 or empty value means that the MachinePool can be drained without any time limitation. - type: string - nodePoolName: + x-kubernetes-map-type: atomic + identityRef: description: |- - NodePoolName specifies the name of the nodepool in Rosa - must be a valid DNS-1035 label, so it must consist of lower case alphanumeric and have a max length of 15 characters. - maxLength: 15 - pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ - type: string - x-kubernetes-validations: - - message: nodepoolName is immutable - rule: self == oldSelf - providerIDList: - description: ProviderIDList contain a ProviderID for each machine - instance that's currently managed by this machine pool. - items: - type: string - type: array - subnet: - type: string - x-kubernetes-validations: - - message: subnet is immutable - rule: self == oldSelf - taints: - description: Taints specifies the taints to apply to the nodes of - the machine pool + IdentityRef is a reference to an identity to be used when reconciling the ROSA Role Config. + If no identity is specified, the default identity for this controller will be used. + properties: + kind: + description: Kind of the identity. + enum: + - AWSClusterControllerIdentity + - AWSClusterRoleIdentity + - AWSClusterStaticIdentity + type: string + name: + description: Name of the identity. + minLength: 1 + type: string + required: + - kind + - name + type: object + oidcProviderType: + default: Managed + description: OIDC provider type values are Managed or UnManaged. When + set to Unmanged OperatorRoleConfig OIDCID field must be provided. + enum: + - Managed + - Unmanaged + type: string + operatorRoleConfig: + description: OperatorRoleConfig defines cluster-specific operator + IAM roles based on your cluster configuration. 
+ properties: + oidcID: + description: |- + OIDCID is the ID of the OIDC config that will be used to create the operator roles. + Cannot be set when OidcProviderType set to Managed + type: string + x-kubernetes-validations: + - message: oidcID is immutable + rule: self == oldSelf + permissionsBoundaryARN: + description: The ARN of the policy that is used to set the permissions + boundary for the operator roles. + type: string + prefix: + description: ' User-defined prefix for generated AWS operator + roles.' + maxLength: 4 + pattern: ^[a-z]([-a-z0-9]*[a-z0-9])?$ + type: string + x-kubernetes-validations: + - message: prefix is immutable + rule: self == oldSelf + sharedVPCConfig: + description: SharedVPCConfig is used to set up shared VPC. + properties: + routeRoleARN: + description: Role ARN associated with the private hosted zone + used for Hosted Control Plane cluster shared VPC, this role + contains policies to be used with Route 53 + type: string + vpcEndpointRoleArn: + description: Role ARN associated with the shared VPC used + for Hosted Control Plane clusters, this role contains policies + to be used with the VPC endpoint + type: string + type: object + required: + - prefix + type: object + required: + - accountRoleConfig + - oidcProviderType + - operatorRoleConfig + type: object + status: + description: ROSARoleConfigStatus defines the observed state of ROSARoleConfig + properties: + accountRolesRef: + description: Created Account roles that can be used to + properties: + installerRoleARN: + description: InstallerRoleARN is an AWS IAM role that OpenShift + Cluster Manager will assume to create the cluster.. + type: string + supportRoleARN: + description: |- + SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable + access to the cluster account in order to provide support. + type: string + workerRoleARN: + description: WorkerRoleARN is an AWS IAM role that will be attached + to worker instances. 
+ type: string + type: object + conditions: + description: Conditions specifies the ROSARoleConfig conditions items: - description: RosaTaint represents a taint to be applied to a node. + description: Condition defines an observation of a Cluster API resource + operational state. properties: - effect: + lastTransitionTime: description: |- - The effect of the taint on pods that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - enum: - - NoSchedule - - PreferNoSchedule - - NoExecute + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. + format: date-time type: string - key: - description: The taint key to be applied to a node. + message: + description: |- + message is a human readable message indicating details about the transition. + This field may be empty. + maxLength: 10240 + minLength: 1 type: string - value: - description: The taint value corresponding to the taint key. - pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + reason: + description: |- + reason is the reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may be empty. + maxLength: 256 + minLength: 1 + type: string + severity: + description: |- + severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + maxLength: 32 + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - - effect - - key + - lastTransitionTime + - status + - type type: object type: array - tuningConfigs: - description: |- - TuningConfigs specifies the names of the tuning configs to be applied to this MachinePool. - Tuning configs must already exist. - items: - type: string - type: array - updateConfig: - description: UpdateConfig specifies update configurations. + oidcID: + description: ID of created OIDC config + type: string + oidcProviderARN: + description: Create OIDC provider for operators to authenticate against + in an STS cluster. + type: string + operatorRolesRef: + description: AWS IAM roles used to perform credential requests by + the openshift operators. properties: - rollingUpdate: - description: RollingUpdate specifies MaxUnavailable & MaxSurge - number of nodes during update. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - default: 1 - description: |- - MaxSurge is the maximum number of nodes that can be provisioned above the desired number of nodes. - Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). - Absolute number is calculated from percentage by rounding up. - - MaxSurge can not be 0 if MaxUnavailable is 0, default is 1. - Both MaxSurge & MaxUnavailable must use the same units (absolute value or percentage). - - Example: when MaxSurge is set to 30%, new nodes can be provisioned immediately - when the rolling update starts, such that the total number of old and new - nodes do not exceed 130% of desired nodes. Once old nodes have been - deleted, new nodes can be provisioned, ensuring that total number of nodes - running at any time during the update is at most 130% of desired nodes. 
- pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - default: 0 - description: |- - MaxUnavailable is the maximum number of nodes that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). - Absolute number is calculated from percentage by rounding down. + controlPlaneOperatorARN: + description: "ControlPlaneOperatorARN is an ARN value referencing + a role appropriate for the Control Plane Operator.\n\nThe following + is an example of a valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" + type: string + imageRegistryARN: + description: "ImageRegistryARN is an ARN value referencing a role + appropriate for the Image Registry Operator.\n\nThe following + is an example of a valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + ingressARN: + description: "The referenced role must have a trust relationship + that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": + \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": + \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": + {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName + }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN + is an ARN value referencing a role appropriate for the Ingress + Operator.\n\nThe following is an example of a valid policy document:\n\n{\n\t\"Version\": + \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": + \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": + [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": + 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" + type: string + kmsProviderARN: + type: string + kubeCloudControllerARN: + description: |- + KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. + Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - MaxUnavailable can not be 0 if MaxSurge is 0, default is 0. - Both MaxUnavailable & MaxSurge must use the same units (absolute value or percentage). + The following is an example of a valid policy document: - Example: when MaxUnavailable is set to 30%, old nodes can be deleted down to 70% of - desired nodes immediately when the rolling update starts. Once new nodes - are ready, more old nodes be deleted, followed by provisioning new nodes, - ensuring that the total number of nodes available at all times during the - update is at least 70% of desired nodes. - pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ - x-kubernetes-int-or-string: true - type: object + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeTags", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstances", + "ec2:DescribeImages", + "ec2:DescribeRegions", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:CreateSecurityGroup", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyVolume", + "ec2:AttachVolume", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteVolume", + "ec2:DetachVolume", + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeVpcs", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:CreateLoadBalancer", + 
"elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", + "iam:CreateServiceLinkedRole", + "kms:DescribeKey" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + } + ] + } + type: string + networkARN: + description: "NetworkARN is an ARN value referencing a role appropriate + for the Network Operator.\n\nThe following is an example of + a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n + \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n + \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n + \ \"ec2:DescribeSubnets\",\n 
\"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + nodePoolManagementARN: + description: "NodePoolManagementARN is an ARN value referencing + a role appropriate for the CAPI Controller.\n\nThe following + is an example of a valid policy document:\n\n{\n \"Version\": + \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n + \ \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n + \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n + \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n + \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n + \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n \"ec2:DeleteInternetGateway\",\n + \ \"ec2:DeleteNatGateway\",\n \"ec2:DeleteRouteTable\",\n + \ \"ec2:DeleteSecurityGroup\",\n \"ec2:DeleteSubnet\",\n + \ \"ec2:DeleteTags\",\n \"ec2:DescribeAccountAttributes\",\n + \ \"ec2:DescribeAddresses\",\n \"ec2:DescribeAvailabilityZones\",\n + \ \"ec2:DescribeImages\",\n \"ec2:DescribeInstances\",\n + \ \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNatGateways\",\n + \ \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeNetworkInterfaceAttribute\",\n + \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n + \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n + \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n + \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n + \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n + \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n + \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n + \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n + \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n + \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n + \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n + \ ],\n \"Resource\": [\n \"*\"\n ],\n 
\"Effect\": + \"Allow\"\n },\n {\n \"Condition\": {\n \"StringLike\": + {\n \"iam:AWSServiceName\": \"elasticloadbalancing.amazonaws.com\"\n + \ }\n },\n \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n + \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n + \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": + [\n \"iam:PassRole\"\n ],\n \"Resource\": [\n + \ \"arn:*:iam::*:role/*-worker-role\"\n ],\n \"Effect\": + \"Allow\"\n },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t \t\"Action\": + [\n\t \t\t\"kms:Decrypt\",\n\t \t\t\"kms:ReEncrypt\",\n\t + \ \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t \t\t\"kms:DescribeKey\"\n\t + \ \t],\n\t \t\"Resource\": \"*\"\n\t },\n\t {\n\t \t\"Effect\": + \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t + \ \t],\n\t \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t + \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": + true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" + type: string + storageARN: + description: "StorageARN is an ARN value referencing a role appropriate + for the Storage Operator.\n\nThe following is an example of + a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": + [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": + \"*\"\n\t\t}\n\t]\n}" + type: string + required: + - controlPlaneOperatorARN + - imageRegistryARN + - ingressARN + - kmsProviderARN + - kubeCloudControllerARN + - networkARN + - 
nodePoolManagementARN + - storageARN type: object - version: - description: |- - Version specifies the OpenShift version of the nodes associated with this machinepool. - ROSAControlPlane version is used if not set. - type: string - volumeSize: - description: VolumeSize set the disk volume size for the machine pool, - in Gib. The default is 300 GiB. - maximum: 16384 - minimum: 75 - type: integer - required: - - instanceType - - nodePoolName - type: object - status: - description: RosaMachinePoolStatus defines the observed state of RosaMachinePool. - properties: - availableUpgrades: - description: Available upgrades for the ROSA MachinePool. - items: - type: string - type: array - conditions: - description: Conditions defines current service state of the managed - machine pool - items: - description: Condition defines an observation of a Cluster API resource - operational state. - properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may be empty. - type: string - severity: - description: |- - severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - failureMessage: - description: |- - FailureMessage will be set in the event that there is a terminal problem - reconciling the state and will be set to a descriptive error message. - - This field should not be set for transitive errors that a controller - faces that are expected to be fixed automatically over - time (like service outages), but instead indicate that something is - fundamentally wrong with the spec or the configuration of - the controller, and that manual intervention is required. - type: string - id: - description: ID is the ID given by ROSA. - type: string - ready: - default: false - description: |- - Ready denotes that the RosaMachinePool nodepool has joined - the cluster - type: boolean - replicas: - description: Replicas is the most recently observed number of replicas. - format: int32 - type: integer - required: - - ready type: object type: object served: true @@ -17519,6 +20459,7 @@ rules: - machinepools - machinepools/status verbs: + - create - get - list - patch @@ -17552,6 +20493,13 @@ rules: - patch - update - watch +- apiGroups: + - controlplane.cluster.x-k8s.io + resources: + - awsmanagedcontrolplanes/finalizers + - rosacontrolplanes/finalizers + verbs: + - update - apiGroups: - controlplane.cluster.x-k8s.io resources: @@ -17563,12 +20511,6 @@ rules: - patch - update - watch -- apiGroups: - - controlplane.cluster.x-k8s.io - resources: - - rosacontrolplanes/finalizers - verbs: - - update - apiGroups: - infrastructure.cluster.x-k8s.io resources: @@ -17597,7 +20539,6 @@ rules: - awsmanagedclusters - awsmanagedmachinepools - rosaclusters - - rosamachinepools verbs: - delete - get 
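Review bot: `oidcProviderType` documents a cross-field rule — `operatorRoleConfig.oidcID` must be provided when `Unmanaged` and "cannot be set" when `Managed` — but nothing in the schema enforces it; only the per-field immutability rules are present, so a `Managed` config carrying a stray `oidcID`, or an `Unmanaged` one without it, is admitted and fails only at reconcile time against live OCM/IAM. A spec-level CEL rule expresses it: `x-kubernetes-validations: - rule: "self.oidcProviderType == 'Unmanaged' ? has(self.operatorRoleConfig.oidcID) : !has(self.operatorRoleConfig.oidcID)"` with `message: "operatorRoleConfig.oidcID is required when oidcProviderType is Unmanaged and forbidden when Managed"`. Since this is controller-gen output, the marker (`+kubebuilder:validation:XValidation`) belongs on the Go `ROSARoleConfigSpec` type so it survives the next sync. The user-visible descriptions also carry typos (`Unmanged`, `formate`, an empty `kmsProviderARN` description) that `kubectl explain` will surface. The CRD header is in the preceding hunk and the RBAC rules after `served: true` belong to separate hunks.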
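Review bot: `create` is added to a rule that covers both `machinepools` and `machinepools/status`; on the status subresource the verb is inert (status only honours get/patch/update), while on the main resource it widens the controller's write scope to creating MachinePool objects, a grant this controller did not have before. If the new permission is tied to the `MachinePoolMachines` gate that appears later in the diff, the rule should be split so `machinepools/status` keeps only `get`, `patch`, `update` and `create` lands on `machinepools` alone. The RBAC is generated from `+kubebuilder:rbac` markers, so narrow the marker rather than this manifest. The rule's `apiGroups` line is outside the hunk.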
@@ -17611,7 +20552,7 @@ rules: - awsclusters/status - awsfargateprofiles/status - rosaclusters/status - - rosamachinepools/status + - rosaroleconfigs/status verbs: - get - patch @@ -17633,6 +20574,8 @@ rules: - infrastructure.cluster.x-k8s.io resources: - awsmachines + - rosamachinepools + - rosaroleconfigs verbs: - create - delete @@ -17645,8 +20588,20 @@ rules: - infrastructure.cluster.x-k8s.io resources: - rosamachinepools/finalizers + - rosaroleconfigs/finalizers + verbs: + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - rosamachinepools/status verbs: + - create + - get + - list + - patch - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -17758,7 +20713,7 @@ spec: containers: - args: - --leader-elect - - --feature-gates=EKS=${CAPA_EKS:=true},EKSEnableIAM=${CAPA_EKS_IAM:=false},EKSAllowAddRoles=${CAPA_EKS_ADD_ROLES:=false},EKSFargate=${EXP_EKS_FARGATE:=false},MachinePool=${EXP_MACHINE_POOL:=false},EventBridgeInstanceState=${EVENT_BRIDGE_INSTANCE_STATE:=false},AutoControllerIdentityCreator=${AUTO_CONTROLLER_IDENTITY_CREATOR:=true},BootstrapFormatIgnition=${EXP_BOOTSTRAP_FORMAT_IGNITION:=false},ExternalResourceGC=${EXP_EXTERNAL_RESOURCE_GC:=false},AlternativeGCStrategy=${EXP_ALTERNATIVE_GC_STRATEGY:=false},TagUnmanagedNetworkResources=${TAG_UNMANAGED_NETWORK_RESOURCES:=true},ROSA=${EXP_ROSA:=false} + - --feature-gates=EKS=${CAPA_EKS:=true},EKSEnableIAM=${CAPA_EKS_IAM:=false},EKSAllowAddRoles=${CAPA_EKS_ADD_ROLES:=false},EKSFargate=${EXP_EKS_FARGATE:=false},MachinePool=${EXP_MACHINE_POOL:=false},MachinePoolMachines=${EXP_MACHINE_POOL_MACHINES:=false},EventBridgeInstanceState=${EVENT_BRIDGE_INSTANCE_STATE:=false},AutoControllerIdentityCreator=${AUTO_CONTROLLER_IDENTITY_CREATOR:=true},BootstrapFormatIgnition=${EXP_BOOTSTRAP_FORMAT_IGNITION:=false},ExternalResourceGC=${EXTERNAL_RESOURCE_GC:=true},AlternativeGCStrategy=${ALTERNATIVE_GC_STRATEGY:=false},TagUnmanagedNetworkResources=${TAG_UNMANAGED_NETWORK_RESOURCES:=true},ROSA=${EXP_ROSA:=false} - --v=${CAPA_LOGLEVEL:=0} - --diagnostics-address=${CAPA_DIAGNOSTICS_ADDRESS:=:8443} - --insecure-diagnostics=${CAPA_INSECURE_DIAGNOSTICS:=false} 
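Review bot: The `ExternalResourceGC` gate now defaults to `true` and its override variable is renamed from `EXP_EXTERNAL_RESOURCE_GC` to `EXTERNAL_RESOURCE_GC` (and `EXP_ALTERNATIVE_GC_STRATEGY` to `ALTERNATIVE_GC_STRATEGY`), so a deployment that pinned the old name to keep garbage collection off silently ends up with it on, and the controller will delete AWS resources it treats as cluster-owned during teardown. Nothing in the manifest signals the rename; add a line to the chart's values or README such as `EXTERNAL_RESOURCE_GC replaces EXP_EXTERNAL_RESOURCE_GC and now defaults to true; set it to false to keep the previous behaviour` so operators re-check their overrides. The `MachinePoolMachines` gate is new and defaults to false, which is fine. The container spec this `args` entry belongs to starts and ends outside the hunk.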
@@ -18077,6 +21032,28 @@ webhooks: resources: - rosamachinepools sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /mutate-infrastructure-cluster-x-k8s-io-v1beta2-rosaroleconfig + failurePolicy: Fail + matchPolicy: Equivalent + name: default.rosaroleconfig.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - rosaroleconfigs + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 @@ -18143,6 +21120,28 @@ webhooks: resources: - awsmanagedcontrolplanes sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /mutate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplanetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: default.awsmanagedcontrolplanetemplates.controlplane.cluster.x-k8s.io + rules: + - apiGroups: + - controlplane.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - awsmanagedcontrolplanetemplates + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 @@ -18417,6 +21416,28 @@ webhooks: resources: - rosamachinepools sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /validate-infrastructure-cluster-x-k8s-io-v1beta2-rosaroleconfig + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.rosaroleconfig.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - rosaroleconfigs + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 
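Review bot: The four new webhook entries (mutating in this hunk and `@@ -18143`, validating in `@@ -18417` and `@@ -18483`) use `failurePolicy: Fail` with no `timeoutSeconds`, consistent with the existing entries, but they only work if the CAPA image the chart deploys actually registers handlers on `/mutate-…-rosaroleconfig`, `/mutate-…-awsmanagedcontrolplanetemplate` and the two matching `/validate-…` paths; with an older image the webhook service would presumably return an error and every create or update of `rosaroleconfigs` and `awsmanagedcontrolplanetemplates` would be rejected. The image reference is outside these hunks, so note in the commit or chart values which provider version these manifests were synced from, or bump the image tag in the same change, so the manifest and binary cannot drift apart.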
@@ -18483,6 +21504,28 @@ webhooks: resources: - awsmanagedcontrolplanes sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capa-webhook-service + namespace: capa-system + path: /validate-controlplane-cluster-x-k8s-io-v1beta2-awsmanagedcontrolplanetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.awsmanagedcontrolplanetemplates.controlplane.cluster.x-k8s.io + rules: + - apiGroups: + - controlplane.cluster.x-k8s.io + apiVersions: + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - awsmanagedcontrolplanetemplates + sideEffects: None - admissionReviewVersions: - v1 - v1beta1 diff --git a/src/cluster-api-provider-metal3.yaml b/src/cluster-api-provider-metal3.yaml index 749cbda6..c8378b36 100644 --- a/src/cluster-api-provider-metal3.yaml +++ b/src/cluster-api-provider-metal3.yaml 
@@ -8,548 +8,6 @@ metadata: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: capm3-system/ipam-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - cluster.x-k8s.io/v1alpha2: v1alpha2 - cluster.x-k8s.io/v1alpha3: v1alpha3_v1alpha4 - cluster.x-k8s.io/v1alpha4: v1alpha5 - cluster.x-k8s.io/v1beta1: v1beta1 - name: ipaddresses.ipam.metal3.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: ipam.metal3.io - names: - categories: - - metal3 - kind: IPAddress - listKind: IPAddressList - plural: ipaddresses - shortNames: - - ipa - - ipaddress - - m3ipa - - m3ipaddress - - m3ipaddresses - - metal3ipa - - metal3ipaddress - - metal3ipaddresses - singular: ipaddress - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Time duration since creation of Metal3IPAddress - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IPAddress is the Schema for the ipaddresses API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAddressSpec defines the desired state of IPAddress. - properties: - address: - description: Address contains the IP address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - claim: - description: Claim points to the object the IPClaim was created for. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - dnsServers: - description: DNSServers is the list of dns servers - items: - description: IPAddress is used for validation of an IP address. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - type: array - gateway: - description: Gateway is the gateway ip address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - pool: - 
description: Pool is the IPPool this was generated from. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - prefix: - description: Prefix is the mask of the network as integer (max 128) - maximum: 128 - type: integer - required: - - address - - claim - - pool - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: capm3-system/ipam-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - cluster.x-k8s.io/v1alpha2: v1alpha2 - cluster.x-k8s.io/v1alpha3: v1alpha3_v1alpha4 - cluster.x-k8s.io/v1alpha4: v1alpha5 - cluster.x-k8s.io/v1beta1: v1beta1 - name: ipclaims.ipam.metal3.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: ipam.metal3.io - names: - categories: - - cluster-api - kind: IPClaim - listKind: IPClaimList - plural: ipclaims - shortNames: - - ipc - - ipclaim - - m3ipc - - m3ipclaim - - m3ipclaims - - metal3ipc - - metal3ipclaim - - metal3ipclaims - singular: ipclaim - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Time duration since creation of Metal3IPClaim - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IPClaim is the Schema for the ipclaims API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPClaimSpec defines the desired state of IPClaim. - properties: - pool: - description: Pool is the IPPool this was generated from. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - required: - - pool - type: object - status: - description: IPClaimStatus defines the observed state of IPClaim. - properties: - address: - description: Address is the IPAddress that was generated for this - claim. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - errorMessage: - description: ErrorMessage contains the error message - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: capm3-system/ipam-serving-cert - controller-gen.kubebuilder.io/version: v0.16.5 - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - cluster.x-k8s.io/v1alpha2: v1alpha2 - cluster.x-k8s.io/v1alpha3: v1alpha3_v1alpha4 - cluster.x-k8s.io/v1alpha4: v1alpha5 - cluster.x-k8s.io/v1beta1: v1beta1 - name: ippools.ipam.metal3.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: ipam.metal3.io - names: - categories: - - cluster-api - kind: IPPool - listKind: IPPoolList - plural: ippools - shortNames: - - ipp - - ippool - - m3ipp - - m3ippool - - m3ippools - - metal3ipp - - metal3ippool - - metal3ippools - singular: ippool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster to which this template belongs - jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name - name: Cluster - type: string - - description: Time duration since creation of Metal3IPPool - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IPPool is the Schema for the ippools API. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPPoolSpec defines the desired state of IPPool. - properties: - clusterName: - description: ClusterName is the name of the Cluster this object belongs - to. - type: string - dnsServers: - description: DNSServers is the list of dns servers - items: - description: IPAddress is used for validation of an IP address. 
- pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - type: array - gateway: - description: Gateway is the gateway ip address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - namePrefix: - description: namePrefix is the prefix used to generate the IPAddress - object names - minLength: 1 - type: string - pools: - description: Pools contains the list of IP addresses pools - items: - description: |- - MetaDataIPAddress contains the info to render th ip address. It is IP-version - agnostic. - properties: - dnsServers: - description: DNSServers is the list of dns servers - items: - description: IPAddress is used for validation of an IP address. 
- pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - type: array - end: - description: |- - End is the last IP address that can be rendered. It is used as a validation - that the rendered IP is in bound. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - gateway: - description: Gateway is the gateway ip address - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - prefix: - description: Prefix is the mask of the network as integer (max - 128) - maximum: 128 - type: integer - start: - description: Start is the first ip address that can be rendered - pattern: 
((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - subnet: - description: |- - Subnet is used to validate that the rendered IP is in bounds. In case the - Start value is not given, it is derived from the subnet ip incremented by 1 - (`192.168.0.1` for `192.168.0.0/24`) - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))/([0-9]|[1-2][0-9]|3[0-2])$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))/([0-9]|[0-9][0-9]|1[0-1][0-9]|12[0-8])$)) - type: string - type: object - type: array - preAllocations: - additionalProperties: - description: IPAddress is used for validation of an IP address. 
- pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - description: PreAllocations contains the preallocated IP addresses - type: object - prefix: - description: Prefix is the mask of the network as integer (max 128) - maximum: 128 - type: integer - required: - - namePrefix - type: object - status: - description: IPPoolStatus defines the observed state of IPPool. - properties: - indexes: - additionalProperties: - description: IPAddress is used for validation of an IP address. - pattern: ((^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))$)|(^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))$)) - type: string - description: Allocations contains the map of objects and IP addresses - they have - type: object - lastUpdated: - description: LastUpdated identifies when this status was last observed. - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: capm3-system/capm3-serving-cert 
@@ -673,27 +131,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -703,6 +166,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime 
@@ -1199,7 +664,9 @@ spec: description: |- TemplateReference refers to the Template the Metal3MachineTemplate refers to. It can be matched against the key or it may also point to the name of the template - Metal3Data refers to + Metal3Data refers to. + + Deprecated: This field is deprecated and will be removed in a future release. type: string required: - claim @@ -1667,6 +1134,12 @@ spec: description: MTU is the MTU of the interface maximum: 9000 type: integer + parameters: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: params blob passed without any validation/modifications + into cloud-init config + type: object required: - bondMode - id @@ -2228,7 +1701,9 @@ spec: description: |- TemplateReference refers to the Template the Metal3MachineTemplate refers to. It can be matched against the key or it may also point to the name of the template - Metal3Data refers to + Metal3Data refers to. + + Deprecated: This field is deprecated and will be removed in a future release. type: string required: - clusterName @@ -2533,11 +2008,19 @@ spec: address. properties: address: - description: The machine address. + description: address is the machine address. + maxLength: 256 + minLength: 1 type: string type: - description: Machine address type, one of Hostname, ExternalIP, - InternalIP, ExternalDNS or InternalDNS. + description: type is the machine address type, one of Hostname, + ExternalIP, InternalIP, ExternalDNS or InternalDNS. + enum: + - Hostname + - ExternalIP + - InternalIP + - ExternalDNS + - InternalDNS type: string required: - address 
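Review bot: The new `parameters` field in `@@ -1667` is declared with `x-kubernetes-preserve-unknown-fields: true` and its own description says the blob is passed into cloud-init config without validation or modification, so the API server enforces nothing on its contents and whoever can write this object (a data-template kind, judging by the surrounding `bondMode`/`id`/`mtu` schema; the CRD name is outside the hunk) can shape arbitrary host network configuration on the provisioned machine. That is acceptable for a synced upstream CRD, but write access to this resource should then be treated as node-configuration-level privilege; a one-line note in the chart README, e.g. `the parameters map is passed verbatim to cloud-init; restrict create/update on this CRD accordingly`, would make the trust boundary explicit. The `TemplateReference` deprecation notices in `@@ -1199` and `@@ -2228` are documentation-only and fine as written.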
@@ -2552,27 +2035,32 @@ spec: properties: lastTransitionTime: description: |- - Last time the condition transitioned from one status to another. + lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- - A human readable message indicating details about the transition. + message is a human readable message indicating details about the transition. This field may be empty. + maxLength: 10240 + minLength: 1 type: string reason: description: |- - The reason for the condition's last transition in CamelCase. + reason is the reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may be empty. + maxLength: 256 + minLength: 1 type: string severity: description: |- severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + maxLength: 32 type: string status: description: status of the condition, one of True, False, Unknown. @@ -2582,6 +2070,8 @@ spec: type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + maxLength: 256 + minLength: 1 type: string required: - lastTransitionTime @@ -3274,14 +2764,6 @@ metadata: name: capm3-manager namespace: capm3-system --- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-manager - namespace: capm3-system ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -3297,32 +2779,17 @@ rules: verbs: - create - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-leader-election-role - namespace: capm3-system -rules: -- apiGroups: - - "" + - coordination.k8s.io resources: - - events + - leases verbs: + - get + - list + - watch - create + - update + - patch + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -3522,87 +2989,6 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-manager-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - cluster.x-k8s.io - resources: - - clusters - verbs: - - get - - list - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - clusters/status - verbs: - - get -- apiGroups: - - ipam.metal3.io - resources: - - ipaddresses - - ipclaims - - ippools - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - ipam.metal3.io - resources: - - ipaddresses/status - - ipclaims/status - - ippools/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: 
@@ -3619,22 +3005,6 @@ subjects: namespace: capm3-system --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-leader-election-rolebinding - namespace: capm3-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ipam-leader-election-role -subjects: -- kind: ServiceAccount - name: ipam-manager - namespace: capm3-system ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: @@ -3649,21 +3019,6 @@ subjects: name: capm3-manager namespace: capm3-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ipam-manager-role -subjects: -- kind: ServiceAccount - name: ipam-manager - namespace: capm3-system ---- apiVersion: v1 data: CAPM3_FAST_TRACK: ${CAPM3_FAST_TRACK:='false'} @@ -3688,20 +3043,6 @@ spec: selector: cluster.x-k8s.io/provider: infrastructure-metal3 --- -apiVersion: v1 -kind: Service -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-webhook-service - namespace: capm3-system -spec: - ports: - - port: 443 - targetPort: ipam-webhook - selector: - cluster.x-k8s.io/provider: infrastructure-metal3 ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -3809,22 +3150,6 @@ spec: secretName: capm3-webhook-service-cert --- apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-serving-cert - namespace: capm3-system -spec: - dnsNames: - - ipam-webhook-service.capm3-system.svc - - ipam-webhook-service.capm3-system.svc.cluster.local - issuerRef: - kind: Issuer - name: ipam-selfsigned-issuer - secretName: ipam-webhook-service-cert ---- -apiVersion: cert-manager.io/v1 kind: Issuer metadata: labels: 
@@ -3834,16 +3159,6 @@ metadata: spec: selfSigned: {} --- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-selfsigned-issuer - namespace: capm3-system -spec: - selfSigned: {} ---- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: 
@@ -4053,82 +3368,6 @@ webhooks: sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: capm3-system/ipam-serving-cert - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /mutate-ipam-metal3-io-v1alpha1-ipaddress - failurePolicy: Fail - matchPolicy: Equivalent - name: default.ipaddress.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipaddresses - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /mutate-ipam-metal3-io-v1alpha1-ipclaim - failurePolicy: Fail - matchPolicy: Equivalent - name: default.ipclaim.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipclaims - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /mutate-ipam-metal3-io-v1alpha1-ippool - failurePolicy: Fail - matchPolicy: Equivalent - name: default.ippool.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ippools - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: 
@@ -4335,79 +3574,3 @@ webhooks: resources: - metal3remediationtemplates sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: capm3-system/ipam-serving-cert - labels: - cluster.x-k8s.io/provider: infrastructure-metal3 - name: ipam-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /validate-ipam-metal3-io-v1alpha1-ipaddress - failurePolicy: Fail - matchPolicy: Equivalent - name: validation.ipaddress.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipaddresses - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /validate-ipam-metal3-io-v1alpha1-ipclaim - failurePolicy: Fail - matchPolicy: Equivalent - name: validation.ipclaim.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ipclaims - sideEffects: None -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: ipam-webhook-service - namespace: capm3-system - path: /validate-ipam-metal3-io-v1alpha1-ippool - failurePolicy: Fail - matchPolicy: Equivalent - name: validation.ippool.ipam.metal3.io - rules: - - apiGroups: - - ipam.metal3.io - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - ippools - sideEffects: None diff --git a/src/cluster-api.yaml b/src/cluster-api.yaml index f6d079d4..945da295 100644 --- a/src/cluster-api.yaml +++ b/src/cluster-api.yaml 
@@ -4765,12 +4765,14 @@ spec: type: string classNamespace: description: |- - classNamespace is the namespace of the ClusterClass object to create the topology. - If the namespace is empty or not set, it is defaulted to the namespace of the cluster object. - Value must follow the DNS1123Subdomain syntax. - maxLength: 253 + classNamespace is the namespace of the ClusterClass that should be used for the topology. + If classNamespace is empty or not set, it is defaulted to the namespace of the Cluster object. + classNamespace must be a valid namespace name and because of that be at most 63 characters in length + and it must consist only of lower case alphanumeric characters or hyphens (-), and must start + and end with an alphanumeric character. + maxLength: 63 minLength: 1 - pattern: ^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:\.[a-z0-9](?:[-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string controlPlane: description: controlPlane describes the cluster control plane. @@ -8357,7 +8359,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: @@ -11335,7 +11337,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: @@ -12718,7 +12720,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: @@ -14444,7 +14446,7 @@ spec: dataSecretName is the name of the secret that stores the bootstrap data script. If nil, the Machine should remain in the Pending state. maxLength: 253 - minLength: 1 + minLength: 0 type: string type: object clusterName: