diff --git a/CHANGELOG.md b/CHANGELOG.md index 9509b56..a0e53c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Bump CAPA version `v2.7.1-gs-*`. This bumps CAPA to `v2.7.1` and applies the customizations we already had in our fork. + ## [2.24.0] - 2024-10-17 ### Added diff --git a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml index 96860a7..a1753bc 100644 --- a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta1/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml @@ -328,6 +328,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: @@ -399,6 +402,13 @@ type: object type: array type: object + nodePortIngressRuleCidrBlocks: + description: |- + NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services. + If none are specified here, all IPs are allowed to connect. + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string 
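Review bot: In the `@@ -399,6 +402,13 @@` hunk the new `nodePortIngressRuleCidrBlocks` items are bare `type: string` with no CIDR `pattern`, so a malformed entry is only caught when the controller calls EC2, and per the description an empty list opens NodePort ingress to every source. A constraint on the item such as `pattern: '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'` (plus an IPv6 form if dual-stack is in scope) would fail at admission instead; since this file is a copy of the upstream controller-gen output, the marker more naturally belongs on the fork's Go type than in this patch. Anything in this chart that templates an AWSCluster or AWSManagedControlPlane should set the field explicitly rather than rely on the allow-all default. The same field is added to the v1beta2 managed control plane, AWSCluster and AWSClusterTemplate hunks further down.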
@@ -551,6 +561,39 @@ Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool. type: string + elasticIpPool: + description: |- + ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool + brought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for + the API Server. + properties: + publicIpv4Pool: + description: |- + PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources + created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom + Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool + resource ID starts with 'ipv4pool-ec2'. + maxLength: 30 + type: string + publicIpv4PoolFallbackOrder: + description: |- + PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, + no more IPv4 address available in the pool. + + + When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the + IPv4 limit, the address will be claimed from Amazon-pool (default). + + + When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. + enum: + - amazon-pool + - none + type: string + x-kubernetes-validations: + - message: allowed values are 'none' and 'amazon-pool' + rule: self in ['none','amazon-pool'] + type: object emptyRoutesDefaultVPCSecurityGroup: description: |- EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress 
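Review bot: `publicIpv4Pool` is validated only by `maxLength: 30` although its description states the ID must start with `ipv4pool-ec2`; a `pattern: '^ipv4pool-ec2-'` (or the full `^ipv4pool-ec2-[0-9a-f]+$` if that matches AWS's ID format, which I have not verified) would reject a wrong pool ID before the controller tries to allocate an EIP from it. Conversely the `x-kubernetes-validations` rule on `publicIpv4PoolFallbackOrder` only restates the `enum` directly above it, so it costs a CEL evaluation without adding a check. Worth a sentence in the description: the default `amazon-pool` fallback silently allocates from Amazon's pool once the BYOIP pool is exhausted, which defeats any firewall allow-listing built on the owned range, so clusters that rely on BYOIP for that purpose should set `none`. The identical block is repeated in the v1beta2 managed control plane, AWSCluster, AWSClusterTemplate, AWSMachine and AWSMachineTemplate hunks.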
@@ -653,6 +696,18 @@ - ipv4CidrBlock type: object type: array + subnetSchema: + default: PreferPrivate + description: |- + SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs. + PreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets. + PreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet + that will be further sub-divided for the private subnets. + Defaults to PreferPrivate + enum: + - PreferPrivate + - PreferPublic + type: string tags: additionalProperties: type: string @@ -807,10 +862,15 @@ description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -863,10 +923,15 @@ description: The key of the secret to select from. Must be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must be defined @@ -959,6 +1024,9 @@ availabilityZone: description: Availability zone of instance type: string + capacityReservationId: + description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. + type: string ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. type: boolean @@ -1713,6 +1781,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: diff --git a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml index 3917cfa..91c29a5 100644 --- a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml 
+++ b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io.yaml @@ -319,6 +319,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: @@ -390,6 +393,13 @@ type: object type: array type: object + nodePortIngressRuleCidrBlocks: + description: |- + NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services. + If none are specified here, all IPs are allowed to connect. + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string 
@@ -542,6 +552,39 @@ Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool. type: string + elasticIpPool: + description: |- + ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool + brought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for + the API Server. + properties: + publicIpv4Pool: + description: |- + PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources + created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom + Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool + resource ID starts with 'ipv4pool-ec2'. + maxLength: 30 + type: string + publicIpv4PoolFallbackOrder: + description: |- + PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, + no more IPv4 address available in the pool. + + + When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the + IPv4 limit, the address will be claimed from Amazon-pool (default). + + + When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. + enum: + - amazon-pool + - none + type: string + x-kubernetes-validations: + - message: allowed values are 'none' and 'amazon-pool' + rule: self in ['none','amazon-pool'] + type: object emptyRoutesDefaultVPCSecurityGroup: description: |- EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress 
@@ -644,6 +687,18 @@ - ipv4CidrBlock type: object type: array + subnetSchema: + default: PreferPrivate + description: |- + SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs. + PreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets. + PreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet + that will be further sub-divided for the private subnets. + Defaults to PreferPrivate + enum: + - PreferPrivate + - PreferPublic + type: string tags: additionalProperties: type: string @@ -724,6 +779,10 @@ region: description: The AWS Region the cluster lives in. type: string + restrictPrivateSubnets: + default: false + description: RestrictPrivateSubnets indicates that the EKS control plane should only use private subnets. + type: boolean roleAdditionalPolicies: description: |- RoleAdditionalPolicies allows you to attach additional polices to @@ -810,10 +869,15 @@ description: The key to select. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key must be defined 
@@ -866,10 +930,15 @@ description: The key of the secret to select from. Must be a valid secret key. type: string name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must be defined @@ -962,6 +1031,9 @@ availabilityZone: description: Availability zone of instance type: string + capacityReservationId: + description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. + type: string ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. type: boolean @@ -1716,6 +1788,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: diff --git a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml index f6678d0..a1df50c 100644 --- a/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml 
+++ b/helm/cluster-api-provider-aws/files/controlplane/patches/versions/v1beta2/rosacontrolplanes.controlplane.cluster.x-k8s.io.yaml 
@@ -53,6 +53,72 @@ rule: self == oldSelf - message: billingAccount must be a valid AWS account ID rule: self.matches('^[0-9]{12}$') + clusterRegistryConfig: + description: ClusterRegistryConfig represents registry config used with the cluster. + properties: + additionalTrustedCAs: + additionalProperties: + type: string + description: |- + AdditionalTrustedCAs containing the registry hostname as the key, and the PEM-encoded certificate as the value, + for each additional registry CA to trust. + type: object + allowedRegistriesForImport: + description: |- + AllowedRegistriesForImport limits the container image registries that normal users may import + images from. Set this list to the registries that you trust to contain valid Docker + images and that you want applications to be able to import from. + items: + description: RegistryLocation contains a location of the registry specified by the registry domain name. + properties: + domainName: + description: |- + domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'. + In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well. + type: string + insecure: + default: false + description: insecure indicates whether the registry is secure (https) or insecure (http), default is secured. + type: boolean + type: object + type: array + registrySources: + description: |- + RegistrySources contains configuration that determines how the container runtime + should treat individual registries when accessing images. It does not contain configuration + for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive. + properties: + allowedRegistries: + description: |- + AllowedRegistries are the registries for which image pull and push actions are allowed. + To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, + For example, *.example.com. 
+ You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. + All other registries are blocked. + items: + type: string + type: array + blockedRegistries: + description: |- + BlockedRegistries are the registries for which image pull and push actions are denied. + To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, + For example, *.example.com. + You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. + All other registries are allowed. + items: + type: string + type: array + insecureRegistries: + description: |- + InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections. + To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name, + For example, *.example.com. + You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest. + items: + type: string + type: array + type: object + type: object controlPlaneEndpoint: description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. properties: @@ -75,10 +141,15 @@ - ocmApiUrl: Optional, defaults to 'https://api.openshift.com' properties: name: + default: "" description: |- Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic 
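Review bot: `registrySources` documents that `allowedRegistries` and `blockedRegistries` are mutually exclusive, but nothing in the schema enforces it, unlike the CEL rule this same commit adds for `publicIpv4PoolFallbackOrder`; an object setting both is admitted and the conflict is only discovered on the ROSA/OCM side. A rule on the `registrySources` object, `x-kubernetes-validations: - rule: '!(has(self.allowedRegistries) && has(self.blockedRegistries))'` with `message: allowedRegistries and blockedRegistries are mutually exclusive`, closes that at admission. The descriptions should also say plainly that `insecureRegistries` and `allowedRegistriesForImport[].insecure: true` permit plain HTTP or an untrusted certificate for image pulls, so entries there are a supply-chain exception that needs review, and that `additionalTrustedCAs` values are accepted as opaque strings with no PEM check. The enclosing `spec` properties block starts before this hunk.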
@@ -580,6 +651,19 @@ version: description: OpenShift semantic version, for example "4.14.5". type: string + versionGate: + default: WaitForAcknowledge + description: |- + VersionGate requires acknowledgment when upgrading ROSA-HCP y-stream versions (e.g., from 4.15 to 4.16). + Default is WaitForAcknowledge. + WaitForAcknowledge: If acknowledgment is required, the upgrade will not proceed until VersionGate is set to Acknowledge or AlwaysAcknowledge. + Acknowledge: If acknowledgment is required, apply it for the upgrade. After upgrade is done set the version gate to WaitForAcknowledge. + AlwaysAcknowledge: If acknowledgment is required, apply it and proceed with the upgrade. + enum: + - Acknowledge + - WaitForAcknowledge + - AlwaysAcknowledge + type: string workerRoleARN: description: WorkerRoleARN is an AWS IAM role that will be attached to worker instances. type: string @@ -593,11 +677,17 @@ - subnets - supportRoleARN - version + - versionGate - workerRoleARN type: object status: description: RosaControlPlaneStatus defines the observed state of ROSAControlPlane. properties: + availableUpgrades: + description: Available upgrades for the ROSA hosted control plane. + items: + type: string + type: array conditions: description: Conditions specifies the conditions for the managed control plane items: diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml index f584dfa..b9a9ddc 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml 
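Review bot: `versionGate` is added to the `required` list of an existing v1beta2 spec, so any manifest or client-side validator that does not apply CRD defaults (kubeconform, a Helm values schema) will now reject ROSAControlPlane objects that omit it; `default: WaitForAcknowledge` covers the API-server path, but the CHANGELOG entry should call out the new required field. The `AlwaysAcknowledge` description would also benefit from a warning, e.g. `AlwaysAcknowledge: upgrades proceed without per-upgrade human sign-off on gated changes; prefer Acknowledge when gates may carry breaking or security-relevant changes.` — this assumes version gates carry the same meaning as in OCM, which I cannot confirm from this file.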
@@ -70,11 +70,13 @@ items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml index 56c6452..17642af 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml @@ -70,11 +70,13 @@ items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml index ce13e4c..b3b8cec 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta1/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml @@ -70,11 +70,13 @@ items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml index 3024280..5348853 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io.yaml @@ -70,11 +70,13 @@ items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml index cb3ac4f..83543dc 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterroleidentities.infrastructure.cluster.x-k8s.io.yaml @@ -70,11 +70,13 @@ items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml index 0db315b..bc429cb 100644 
--- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusters.infrastructure.cluster.x-k8s.io.yaml @@ -260,6 +260,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: @@ -412,6 +415,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: @@ -483,6 +489,13 @@ type: object type: array type: object + nodePortIngressRuleCidrBlocks: + description: |- + NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services. + If none are specified here, all IPs are allowed to connect. + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string 
@@ -635,6 +648,39 @@ Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool. type: string + elasticIpPool: + description: |- + ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool + brought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for + the API Server. + properties: + publicIpv4Pool: + description: |- + PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources + created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom + Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool + resource ID starts with 'ipv4pool-ec2'. + maxLength: 30 + type: string + publicIpv4PoolFallbackOrder: + description: |- + PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, + no more IPv4 address available in the pool. + + + When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the + IPv4 limit, the address will be claimed from Amazon-pool (default). + + + When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. + enum: + - amazon-pool + - none + type: string + x-kubernetes-validations: + - message: allowed values are 'none' and 'amazon-pool' + rule: self in ['none','amazon-pool'] + type: object emptyRoutesDefaultVPCSecurityGroup: description: |- EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress 
@@ -737,6 +783,18 @@ - ipv4CidrBlock type: object type: array + subnetSchema: + default: PreferPrivate + description: |- + SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs. + PreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets. + PreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet + that will be further sub-divided for the private subnets. + Defaults to PreferPrivate + enum: + - PreferPrivate + - PreferPublic + type: string tags: additionalProperties: type: string @@ -980,6 +1038,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: @@ -1088,6 +1149,9 @@ availabilityZone: description: Availability zone of instance type: string + capacityReservationId: + description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. + type: string ebsOptimized: description: Indicates whether the instance is optimized for Amazon EBS I/O. type: boolean @@ -1814,6 +1878,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: 
diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml index f8d545a..9269dd9 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclusterstaticidentities.infrastructure.cluster.x-k8s.io.yaml @@ -70,11 +70,13 @@ items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml index b661f18..8bffeaf 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsclustertemplates.infrastructure.cluster.x-k8s.io.yaml @@ -290,6 +290,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: 
@@ -442,6 +445,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: @@ -513,6 +519,13 @@ type: object type: array type: object + nodePortIngressRuleCidrBlocks: + description: |- + NodePortIngressRuleCidrBlocks is an optional set of CIDR blocks to allow traffic to nodes' NodePort services. + If none are specified here, all IPs are allowed to connect. + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string 
@@ -665,6 +678,39 @@ Defaults to 10.0.0.0/16. Mutually exclusive with IPAMPool. type: string + elasticIpPool: + description: |- + ElasticIPPool contains specific configuration to allocate Public IPv4 address (Elastic IP) from user-defined pool + brought to AWS for core infrastructure resources, like NAT Gateways and Public Network Load Balancers for + the API Server. + properties: + publicIpv4Pool: + description: |- + PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources + created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom + Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool + resource ID starts with 'ipv4pool-ec2'. + maxLength: 30 + type: string + publicIpv4PoolFallbackOrder: + description: |- + PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted, + no more IPv4 address available in the pool. + + + When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the + IPv4 limit, the address will be claimed from Amazon-pool (default). + + + When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted. + enum: + - amazon-pool + - none + type: string + x-kubernetes-validations: + - message: allowed values are 'none' and 'amazon-pool' + rule: self in ['none','amazon-pool'] + type: object emptyRoutesDefaultVPCSecurityGroup: description: |- EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress 
@@ -767,6 +813,18 @@ - ipv4CidrBlock type: object type: array + subnetSchema: + default: PreferPrivate + description: |- + SubnetSchema specifies how CidrBlock should be divided on subnets in the VPC depending on the number of AZs. + PreferPrivate - one private subnet for each AZ plus one other subnet that will be further sub-divided for the public subnets. + PreferPublic - have the reverse logic of PreferPrivate, one public subnet for each AZ plus one other subnet + that will be further sub-divided for the private subnets. + Defaults to PreferPrivate + enum: + - PreferPrivate + - PreferPublic + type: string tags: additionalProperties: type: string @@ -1010,6 +1068,9 @@ items: type: string type: array + natGatewaysIPsSource: + description: NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule. + type: boolean protocol: description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP). enum: diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachines.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachines.infrastructure.cluster.x-k8s.io.yaml index d0867f4..621ece3 100644 --- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachines.infrastructure.cluster.x-k8s.io.yaml +++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachines.infrastructure.cluster.x-k8s.io.yaml @@ -83,6 +83,9 @@ description: ID of resource type: string type: object + capacityReservationId: + description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched. + type: string cloudInit: description: |- CloudInit defines options related to the bootstrapping systems where 
@@ -115,6 +118,36 @@
 - ssm-parameter-store
 type: string
 type: object
+ elasticIpPool:
+ description: ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool.
+ properties:
+ publicIpv4Pool:
+ description: |-
+ PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources
+ created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom
+ Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool
+ resource ID starts with 'ipv4pool-ec2'.
+ maxLength: 30
+ type: string
+ publicIpv4PoolFallbackOrder:
+ description: |-
+ PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted,
+ no more IPv4 address available in the pool.
+
+
+ When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the
+ IPv4 limit, the address will be claimed from Amazon-pool (default).
+
+
+ When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted.
+ enum:
+ - amazon-pool
+ - none
+ type: string
+ x-kubernetes-validations:
+ - message: allowed values are 'none' and 'amazon-pool'
+ rule: self in ['none','amazon-pool']
+ type: object
 iamInstanceProfile:
 description: IAMInstanceProfile is a name of an IAM instance profile to assign to the instance
 type: string
diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml
index d12c062..49b90e8 100644
--- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml
+++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/awsmachinetemplates.infrastructure.cluster.x-k8s.io.yaml
@@ -113,6 +113,9 @@
 description: ID of resource
 type: string
 type: object
+ capacityReservationId:
+ description: CapacityReservationID specifies the target Capacity Reservation into which the instance should be launched.
+ type: string
 cloudInit:
 description: |-
 CloudInit defines options related to the bootstrapping systems where
@@ -145,6 +148,36 @@
 - ssm-parameter-store
 type: string
 type: object
+ elasticIpPool:
+ description: ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool.
+ properties:
+ publicIpv4Pool:
+ description: |-
+ PublicIpv4Pool sets a custom Public IPv4 Pool used to create Elastic IP address for resources
+ created in public IPv4 subnets. Every IPv4 address, Elastic IP, will be allocated from the custom
+ Public IPv4 pool that you brought to AWS, instead of Amazon-provided pool. The public IPv4 pool
+ resource ID starts with 'ipv4pool-ec2'.
+ maxLength: 30
+ type: string
+ publicIpv4PoolFallbackOrder:
+ description: |-
+ PublicIpv4PoolFallBackOrder defines the fallback action when the Public IPv4 Pool has been exhausted,
+ no more IPv4 address available in the pool.
+
+
+ When set to 'amazon-pool', the controller check if the pool has available IPv4 address, when pool has reached the
+ IPv4 limit, the address will be claimed from Amazon-pool (default).
+
+
+ When set to 'none', the controller will fail the Elastic IP allocation when the publicIpv4Pool is exhausted.
+ enum:
+ - amazon-pool
+ - none
+ type: string
+ x-kubernetes-validations:
+ - message: allowed values are 'none' and 'amazon-pool'
+ rule: self in ['none','amazon-pool']
+ type: object
 iamInstanceProfile:
 description: IAMInstanceProfile is a name of an IAM instance profile to assign to the instance
 type: string
diff --git a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/rosamachinepools.infrastructure.cluster.x-k8s.io.yaml b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/rosamachinepools.infrastructure.cluster.x-k8s.io.yaml
index 43f1b20..a2b5a3f 100644
--- a/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/rosamachinepools.infrastructure.cluster.x-k8s.io.yaml
+++ b/helm/cluster-api-provider-aws/files/infrastructure/patches/versions/v1beta2/rosamachinepools.infrastructure.cluster.x-k8s.io.yaml
@@ -37,10 +37,10 @@
 description: AdditionalTags are user-defined tags to be added on the underlying EC2 instances associated with this machine pool.
 type: object
 autoRepair:
- default: false
+ default: true
 description: |-
 AutoRepair specifies whether health checks should be enabled for machines
- in the NodePool. The default is false.
+ in the NodePool. The default is true.
 type: boolean
 autoscaling:
 description: |-
@@ -130,6 +130,58 @@
 items:
 type: string
 type: array
+ updateConfig:
+ description: UpdateConfig specifies update configurations.
+ properties:
+ rollingUpdate:
+ description: RollingUpdate specifies MaxUnavailable & MaxSurge number of nodes during update.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 1
+ description: |-
+ MaxSurge is the maximum number of nodes that can be provisioned above the desired number of nodes.
+ Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%).
+ Absolute number is calculated from percentage by rounding up.
+
+
+ MaxSurge can not be 0 if MaxUnavailable is 0, default is 1.
+ Both MaxSurge & MaxUnavailable must use the same units (absolute value or percentage).
+
+
+ Example: when MaxSurge is set to 30%, new nodes can be provisioned immediately
+ when the rolling update starts, such that the total number of old and new
+ nodes do not exceed 130% of desired nodes. Once old nodes have been
+ deleted, new nodes can be provisioned, ensuring that total number of nodes
+ running at any time during the update is at most 130% of desired nodes.
+ pattern: ^((100|[0-9]{1,2})%|[0-9]+)$
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ default: 0
+ description: |-
+ MaxUnavailable is the maximum number of nodes that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+
+
+ MaxUnavailable can not be 0 if MaxSurge is 0, default is 0.
+ Both MaxUnavailable & MaxSurge must use the same units (absolute value or percentage).
+
+
+ Example: when MaxUnavailable is set to 30%, old nodes can be deleted down to 70% of
+ desired nodes immediately when the rolling update starts. Once new nodes
+ are ready, more old nodes be deleted, followed by provisioning new nodes,
+ ensuring that the total number of nodes available at all times during the
+ update is at least 70% of desired nodes.
+ pattern: ^((100|[0-9]{1,2})%|[0-9]+)$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
 version:
 description: |-
 Version specifies the OpenShift version of the nodes associated with this machinepool.
diff --git a/helm/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml b/helm/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml
index 014deca..e4e635f 100644
--- a/helm/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml
+++ b/helm/cluster-api-provider-aws/templates/apps_v1_deployment_capa-controller-manager.yaml
@@ -99,6 +99,7 @@ spec:
 runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
+ terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
diff --git a/helm/cluster-api-provider-aws/values.yaml b/helm/cluster-api-provider-aws/values.yaml
index 5de7c82..9c639d7 100644
--- a/helm/cluster-api-provider-aws/values.yaml
+++ b/helm/cluster-api-provider-aws/values.yaml
@@ -4,15 +4,11 @@ name: cluster-api-provider-aws
 # release. Please include the short commit SHA in the tag name, such as `v2.0.2-gs-123abcd`. After changing this
 # tag, please run `make generate` to update CRDs and other manifests.
-# Changes in this tag include upstream v2.5.2 with additional:
-# * GiantSwarm fork modifications (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/08280ec433b63119d652b39c06d9a4b78d5a9055)
-# * when aws-cni is disabled deleted all resources including helm managed resources (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/bbbb36a7a7bd050bb232bfa60a10b4202ac99850)
-# * do not place EKS nodes in the CNI subnets (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/edd14fb6bd39434a249ed8696e0abeb9b85f6c35)
-# * add non root volumes to AWSMachinePools (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/ab0528f4b80ed36fd7b508c4137ee09d41fefa8c)
-# * support adding custom secondary VPC CIDR blocks in `AWSCluster` (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/ae00674b1ed47e0e939f44d4712507839df97106)
+# Changes in this tag include upstream v2.7.x with additional:
+# * Giant Swarm fork modifications (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/08280ec433b63119d652b39c06d9a4b78d5a9055)
 # * S3 user data support for AWSMachinePools (https://github.com/giantswarm/cluster-api-provider-aws/pull/607/commits/905c44ab2afde5e2d4e983066ab9856859a0de47)
-# * Support setting maxHealthyPercentage to configure ASG instance refresh (https://github.com/giantswarm/cluster-api-provider-aws/commit/65159d8609a24802a34800b0c054a4b788a03d6d)
-tag: v2.5.2-gs-65159d860
+# * Filter out AWS internal tags when reconciling (https://github.com/kubernetes-sigs/cluster-api-provider-aws/pull/5181/commits/4c61f2b5a01e0b67e647868a066dda1947b97d4c)
+tag: v2.7.1-gs-5cad8d37f
 registry:
 domain: gsoci.azurecr.io
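Review bot: The new comment says `upstream v2.7.x` while the `tag:` line two lines below pins `v2.7.1`, so the comment no longer identifies the exact upstream release the fork is built on; write `# Changes in this tag include upstream v2.7.1 with additional:` so the image can be audited against one release. The removed bullets (EKS nodes not placed in CNI subnets, non-root volumes for AWSMachinePools, secondary VPC CIDR blocks, maxHealthyPercentage for ASG instance refresh) vanish without saying whether they were upstreamed into v2.7.1 or dropped from the fork; one line stating which is the case would keep the list of fork-only customizations trustworthy. The "Filter out AWS internal tags" entry links to a kubernetes-sigs PR commit rather than a fork commit, so if it already ships in upstream v2.7.1 it belongs in the version line rather than under "additional", and if it was cherry-picked ahead of a release the comment should say so.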