{
  "description": "ROSAControlPlane is the Schema for the ROSAControlPlanes API.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "RosaControlPlaneSpec defines the desired state of ROSAControlPlane.",
      "properties": {
        "additionalTags": {
          "additionalProperties": {
            "type": "string"
          },
          "description": "AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.",
          "type": "object"
        },
        "auditLogRoleARN": {
          "description": "AuditLogRoleARN defines the role that is used to forward audit logs to AWS CloudWatch.\nIf not set, audit log forwarding is disabled.",
          "type": "string"
        },
        "availabilityZones": {
          "description": "AvailabilityZones describe AWS AvailabilityZones of the worker nodes.\nshould match the AvailabilityZones of the provided Subnets.\na machinepool will be created for each availabilityZone.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "billingAccount": {
          "description": "BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters.\nThe cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster\nis running.",
          "type": "string",
          "x-kubernetes-validations": [
            {
              "message": "billingAccount is immutable",
              "rule": "self == oldSelf"
            },
            {
              "message": "billingAccount must be a valid AWS account ID",
              "rule": "self.matches('^[0-9]{12}$')"
            }
          ]
        },
        "controlPlaneEndpoint": {
          "description": "ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.",
          "properties": {
            "host": {
              "description": "The hostname on which the API server is serving.",
              "type": "string"
            },
            "port": {
              "description": "The port on which the API server is serving.",
              "format": "int32",
              "type": "integer"
            }
          },
          "required": [
            "host",
            "port"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "credentialsSecretRef": {
          "description": "CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.\nThe secret should contain the following data keys:\n- ocmToken: eyJhbGciOiJIUzI1NiIsI....\n- ocmApiUrl: Optional, defaults to 'https://api.openshift.com'",
          "properties": {
            "name": {
              "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?",
              "type": "string"
            }
          },
          "type": "object",
          "x-kubernetes-map-type": "atomic",
          "additionalProperties": false
        },
        "defaultMachinePoolSpec": {
          "description": "DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation.\nOne MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators\nto work properly.\nAs these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider.\n`rosa list machinepools -c <rosaClusterName>` can be used to view those machinepools.\n\n\nThis field will be removed in the future once the current limitation is resolved.",
          "properties": {
            "autoscaling": {
              "description": "Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value\nmust be equal or multiple of the availability zones count.",
              "properties": {
                "maxReplicas": {
                  "minimum": 1,
                  "type": "integer"
                },
                "minReplicas": {
                  "minimum": 1,
                  "type": "integer"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "instanceType": {
              "description": "The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "domainPrefix": {
          "description": "DomainPrefix is an optional prefix added to the cluster's domain name. It will be used\nwhen generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label\nconsisting of lower case alphanumeric characters or '-', start with an alphabetic character\nend with an alphanumeric character and have a max length of 15 characters.",
          "maxLength": 15,
          "pattern": "^[a-z]([-a-z0-9]*[a-z0-9])?$",
          "type": "string",
          "x-kubernetes-validations": [
            {
              "message": "domainPrefix is immutable",
              "rule": "self == oldSelf"
            }
          ]
        },
        "enableExternalAuthProviders": {
          "default": false,
          "description": "EnableExternalAuthProviders enables external authentication configuration for the cluster.",
          "type": "boolean",
          "x-kubernetes-validations": [
            {
              "message": "enableExternalAuthProviders is immutable",
              "rule": "self == oldSelf"
            }
          ]
        },
        "endpointAccess": {
          "default": "Public",
          "description": "EndpointAccess specifies the publishing scope of cluster endpoints. The\ndefault is Public.",
          "enum": [
            "Public",
            "Private"
          ],
          "type": "string"
        },
        "etcdEncryptionKMSARN": {
          "description": "EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be\ncreated out-of-band by the user and tagged with `red-hat:true`.",
          "type": "string"
        },
        "externalAuthProviders": {
          "description": "ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.\nCan only be set if \"enableExternalAuthProviders\" is set to \"True\".\n\n\nAt most one provider can be configured.",
          "items": {
            "description": "ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster",
            "properties": {
              "claimMappings": {
                "description": "ClaimMappings describes rules on how to transform information from an\nID token into a cluster identity",
                "properties": {
                  "groups": {
                    "description": "Groups is a name of the claim that should be used to construct\ngroups for the cluster identity.\nThe referenced claim must use array of strings values.",
                    "properties": {
                      "claim": {
                        "description": "Claim is a JWT token claim to be used in the mapping",
                        "type": "string"
                      },
                      "prefix": {
                        "description": "Prefix is a string to prefix the value from the token in the result of the\nclaim mapping.\n\n\nBy default, no prefixing occurs.\n\n\nExample: if `prefix` is set to \"myoidc:\"\" and the `claim` in JWT contains\nan array of strings \"a\", \"b\" and  \"c\", the mapping will result in an\narray of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
                        "type": "string"
                      }
                    },
                    "required": [
                      "claim"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "username": {
                    "description": "Username is a name of the claim that should be used to construct\nusernames for the cluster identity.\n\n\nDefault value: \"sub\"",
                    "properties": {
                      "claim": {
                        "description": "Claim is a JWT token claim to be used in the mapping",
                        "type": "string"
                      },
                      "prefix": {
                        "description": "Prefix is prepended to claim to prevent clashes with existing names.",
                        "minLength": 1,
                        "type": "string"
                      },
                      "prefixPolicy": {
                        "description": "PrefixPolicy specifies how a prefix should apply.\n\n\nBy default, claims other than `email` will be prefixed with the issuer URL to\nprevent naming clashes with other plugins.\n\n\nSet to \"NoPrefix\" to disable prefixing.\n\n\nExample:\n    (1) `prefix` is set to \"myoidc:\" and `claim` is set to \"username\".\n        If the JWT claim `username` contains value `userA`, the resulting\n        mapped value will be \"myoidc:userA\".\n    (2) `prefix` is set to \"myoidc:\" and `claim` is set to \"email\". If the\n        JWT `email` claim contains value \"userA@myoidc.tld\", the resulting\n        mapped value will be \"myoidc:userA@myoidc.tld\".\n    (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n        the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n        and `claim` is set to:\n        (a) \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n        (b) \"email\": the mapped value will be \"userA@myoidc.tld\"",
                        "enum": [
                          "",
                          "NoPrefix",
                          "Prefix"
                        ],
                        "type": "string"
                      }
                    },
                    "required": [
                      "claim"
                    ],
                    "type": "object",
                    "x-kubernetes-validations": [
                      {
                        "message": "prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise",
                        "rule": "self.prefixPolicy == 'Prefix' ? has(self.prefix) : !has(self.prefix)"
                      }
                    ],
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "claimValidationRules": {
                "description": "ClaimValidationRules are rules that are applied to validate token claims to authenticate users.",
                "items": {
                  "description": "TokenClaimValidationRule validates token claims to authenticate users.",
                  "properties": {
                    "requiredClaim": {
                      "description": "RequiredClaim allows configuring a required claim name and its expected value",
                      "properties": {
                        "claim": {
                          "description": "Claim is a name of a required claim. Only claims with string values are\nsupported.",
                          "minLength": 1,
                          "type": "string"
                        },
                        "requiredValue": {
                          "description": "RequiredValue is the required value for the claim.",
                          "minLength": 1,
                          "type": "string"
                        }
                      },
                      "required": [
                        "claim",
                        "requiredValue"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": {
                      "default": "RequiredClaim",
                      "description": "Type sets the type of the validation rule",
                      "enum": [
                        "RequiredClaim"
                      ],
                      "type": "string"
                    }
                  },
                  "required": [
                    "requiredClaim",
                    "type"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array",
                "x-kubernetes-list-type": "atomic"
              },
              "issuer": {
                "description": "Issuer describes attributes of the OIDC token issuer",
                "properties": {
                  "audiences": {
                    "description": "Audiences is an array of audiences that the token was issued for.\nValid tokens must include at least one of these values in their\n\"aud\" claim.\nMust be set to exactly one value.",
                    "items": {
                      "description": "TokenAudience is the audience that the token was issued for.",
                      "minLength": 1,
                      "type": "string"
                    },
                    "maxItems": 10,
                    "minItems": 1,
                    "type": "array",
                    "x-kubernetes-list-type": "set"
                  },
                  "issuerCertificateAuthority": {
                    "description": "CertificateAuthority is a reference to a config map in the\nconfiguration namespace. The .data of the configMap must contain\nthe \"ca-bundle.crt\" key.\nIf unset, system trust is used instead.",
                    "properties": {
                      "name": {
                        "description": "Name is the metadata.name of the referenced object.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "name"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "issuerURL": {
                    "description": "URL is the serving URL of the token issuer.\nMust use the https:// scheme.",
                    "pattern": "^https:\\/\\/[^\\s]",
                    "type": "string"
                  }
                },
                "required": [
                  "audiences",
                  "issuerURL"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "name": {
                "description": "Name of the OIDC provider",
                "minLength": 1,
                "type": "string"
              },
              "oidcClients": {
                "description": "OIDCClients contains configuration for the platform's clients that\nneed to request tokens from the issuer",
                "items": {
                  "description": "OIDCClientConfig contains configuration for the platform's client that\nneed to request tokens from the issuer.",
                  "properties": {
                    "clientID": {
                      "description": "ClientID is the identifier of the OIDC client from the OIDC provider",
                      "minLength": 1,
                      "type": "string"
                    },
                    "clientSecret": {
                      "description": "ClientSecret refers to a secret that\ncontains the client secret in the `clientSecret` key of the `.data` field",
                      "properties": {
                        "name": {
                          "description": "Name is the metadata.name of the referenced object.",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "componentName": {
                      "description": "ComponentName is the name of the component that is supposed to consume this\nclient configuration",
                      "maxLength": 256,
                      "minLength": 1,
                      "type": "string"
                    },
                    "componentNamespace": {
                      "description": "ComponentNamespace is the namespace of the component that is supposed to consume this\nclient configuration",
                      "maxLength": 63,
                      "minLength": 1,
                      "type": "string"
                    },
                    "extraScopes": {
                      "description": "ExtraScopes is an optional set of scopes to request tokens with.",
                      "items": {
                        "type": "string"
                      },
                      "type": "array",
                      "x-kubernetes-list-type": "set"
                    }
                  },
                  "required": [
                    "clientID",
                    "clientSecret",
                    "componentName",
                    "componentNamespace"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "maxItems": 20,
                "type": "array",
                "x-kubernetes-list-map-keys": [
                  "componentNamespace",
                  "componentName"
                ],
                "x-kubernetes-list-type": "map"
              }
            },
            "required": [
              "issuer",
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "maxItems": 1,
          "type": "array",
          "x-kubernetes-list-map-keys": [
            "name"
          ],
          "x-kubernetes-list-type": "map"
        },
        "identityRef": {
          "description": "IdentityRef is a reference to an identity to be used when reconciling the managed control plane.\nIf no identity is specified, the default identity for this controller will be used.",
          "properties": {
            "kind": {
              "description": "Kind of the identity.",
              "enum": [
                "AWSClusterControllerIdentity",
                "AWSClusterRoleIdentity",
                "AWSClusterStaticIdentity"
              ],
              "type": "string"
            },
            "name": {
              "description": "Name of the identity.",
              "minLength": 1,
              "type": "string"
            }
          },
          "required": [
            "kind",
            "name"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "installerRoleARN": {
          "description": "InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster..",
          "type": "string"
        },
        "network": {
          "description": "Network config for the ROSA HCP cluster.",
          "properties": {
            "hostPrefix": {
              "default": 23,
              "description": "Network host prefix which is defaulted to `23` if not specified.",
              "type": "integer"
            },
            "machineCIDR": {
              "description": "IP addresses block used by OpenShift while installing the cluster, for example \"10.0.0.0/16\".",
              "format": "cidr",
              "type": "string"
            },
            "networkType": {
              "default": "OVNKubernetes",
              "description": "The CNI network type default is OVNKubernetes.",
              "enum": [
                "OVNKubernetes",
                "Other"
              ],
              "type": "string"
            },
            "podCIDR": {
              "description": "IP address block from which to assign pod IP addresses, for example `10.128.0.0/14`.",
              "format": "cidr",
              "type": "string"
            },
            "serviceCIDR": {
              "description": "IP address block from which to assign service IP addresses, for example `172.30.0.0/16`.",
              "format": "cidr",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "oidcID": {
          "description": "The ID of the internal OpenID Connect Provider.",
          "type": "string",
          "x-kubernetes-validations": [
            {
              "message": "oidcID is immutable",
              "rule": "self == oldSelf"
            }
          ]
        },
        "provisionShardID": {
          "description": "ProvisionShardID defines the shard where rosa control plane components will be hosted.",
          "type": "string",
          "x-kubernetes-validations": [
            {
              "message": "provisionShardID is immutable",
              "rule": "self == oldSelf"
            }
          ]
        },
        "region": {
          "description": "The AWS Region the cluster lives in.",
          "type": "string"
        },
        "rolesRef": {
          "description": "AWS IAM roles used to perform credential requests by the openshift operators.",
          "properties": {
            "controlPlaneOperatorARN": {
              "description": "ControlPlaneOperatorARN  is an ARN value referencing a role appropriate for the Control Plane Operator.\n\n\nThe following is an example of a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}",
              "type": "string"
            },
            "imageRegistryARN": {
              "description": "ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.\n\n\nThe following is an example of a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t}\n\t]\n}",
              "type": "string"
            },
            "ingressARN": {
              "description": "The referenced role must have a trust relationship that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\n\nIngressARN is an ARN value referencing a role appropriate for the Ingress Operator.\n\n\nThe following is an example of a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}",
              "type": "string"
            },
            "kmsProviderARN": {
              "type": "string"
            },
            "kubeCloudControllerARN": {
              "description": "KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC.\nSource: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies\n\n\nThe following is an example of a valid policy document:\n\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n   {\n     \"Action\": [\n       \"autoscaling:DescribeAutoScalingGroups\",\n       \"autoscaling:DescribeLaunchConfigurations\",\n       \"autoscaling:DescribeTags\",\n       \"ec2:DescribeAvailabilityZones\",\n       \"ec2:DescribeInstances\",\n       \"ec2:DescribeImages\",\n       \"ec2:DescribeRegions\",\n       \"ec2:DescribeRouteTables\",\n       \"ec2:DescribeSecurityGroups\",\n       \"ec2:DescribeSubnets\",\n       \"ec2:DescribeVolumes\",\n       \"ec2:CreateSecurityGroup\",\n       \"ec2:CreateTags\",\n       \"ec2:CreateVolume\",\n       \"ec2:ModifyInstanceAttribute\",\n       \"ec2:ModifyVolume\",\n       \"ec2:AttachVolume\",\n       \"ec2:AuthorizeSecurityGroupIngress\",\n       \"ec2:CreateRoute\",\n       \"ec2:DeleteRoute\",\n       \"ec2:DeleteSecurityGroup\",\n       \"ec2:DeleteVolume\",\n       \"ec2:DetachVolume\",\n       \"ec2:RevokeSecurityGroupIngress\",\n       \"ec2:DescribeVpcs\",\n       \"elasticloadbalancing:AddTags\",\n       \"elasticloadbalancing:AttachLoadBalancerToSubnets\",\n       \"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer\",\n       \"elasticloadbalancing:CreateLoadBalancer\",\n       \"elasticloadbalancing:CreateLoadBalancerPolicy\",\n       \"elasticloadbalancing:CreateLoadBalancerListeners\",\n       \"elasticloadbalancing:ConfigureHealthCheck\",\n       \"elasticloadbalancing:DeleteLoadBalancer\",\n       \"elasticloadbalancing:DeleteLoadBalancerListeners\",\n       \"elasticloadbalancing:DescribeLoadBalancers\",\n       \"elasticloadbalancing:DescribeLoadBalancerAttributes\",\n       \"elasticloadbalancing:DetachLoadBalancerFromSubnets\",\n       
\"elasticloadbalancing:DeregisterInstancesFromLoadBalancer\",\n       \"elasticloadbalancing:ModifyLoadBalancerAttributes\",\n       \"elasticloadbalancing:RegisterInstancesWithLoadBalancer\",\n       \"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer\",\n       \"elasticloadbalancing:AddTags\",\n       \"elasticloadbalancing:CreateListener\",\n       \"elasticloadbalancing:CreateTargetGroup\",\n       \"elasticloadbalancing:DeleteListener\",\n       \"elasticloadbalancing:DeleteTargetGroup\",\n       \"elasticloadbalancing:DeregisterTargets\",\n       \"elasticloadbalancing:DescribeListeners\",\n       \"elasticloadbalancing:DescribeLoadBalancerPolicies\",\n       \"elasticloadbalancing:DescribeTargetGroups\",\n       \"elasticloadbalancing:DescribeTargetHealth\",\n       \"elasticloadbalancing:ModifyListener\",\n       \"elasticloadbalancing:ModifyTargetGroup\",\n       \"elasticloadbalancing:RegisterTargets\",\n       \"elasticloadbalancing:SetLoadBalancerPoliciesOfListener\",\n       \"iam:CreateServiceLinkedRole\",\n       \"kms:DescribeKey\"\n     ],\n     \"Resource\": [\n       \"*\"\n     ],\n     \"Effect\": \"Allow\"\n   }\n ]\n}",
              "type": "string"
            },
            "networkARN": {
              "description": "NetworkARN is an ARN value referencing a role appropriate for the Network Operator.\n\n\nThe following is an example of a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n       \"ec2:DescribeInstanceStatus\",\n       \"ec2:DescribeInstanceTypes\",\n       \"ec2:UnassignPrivateIpAddresses\",\n       \"ec2:AssignPrivateIpAddresses\",\n       \"ec2:UnassignIpv6Addresses\",\n       \"ec2:AssignIpv6Addresses\",\n       \"ec2:DescribeSubnets\",\n       \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t}\n\t]\n}",
              "type": "string"
            },
            "nodePoolManagementARN": {
              "description": "NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.\n\n\nThe following is an example of a valid policy document:\n\n\n{\n  \"Version\": \"2012-10-17\",\n \"Statement\": [\n   {\n     \"Action\": [\n       \"ec2:AssociateRouteTable\",\n       \"ec2:AttachInternetGateway\",\n       \"ec2:AuthorizeSecurityGroupIngress\",\n       \"ec2:CreateInternetGateway\",\n       \"ec2:CreateNatGateway\",\n       \"ec2:CreateRoute\",\n       \"ec2:CreateRouteTable\",\n       \"ec2:CreateSecurityGroup\",\n       \"ec2:CreateSubnet\",\n       \"ec2:CreateTags\",\n       \"ec2:DeleteInternetGateway\",\n       \"ec2:DeleteNatGateway\",\n       \"ec2:DeleteRouteTable\",\n       \"ec2:DeleteSecurityGroup\",\n       \"ec2:DeleteSubnet\",\n       \"ec2:DeleteTags\",\n       \"ec2:DescribeAccountAttributes\",\n       \"ec2:DescribeAddresses\",\n       \"ec2:DescribeAvailabilityZones\",\n       \"ec2:DescribeImages\",\n       \"ec2:DescribeInstances\",\n       \"ec2:DescribeInternetGateways\",\n       \"ec2:DescribeNatGateways\",\n       \"ec2:DescribeNetworkInterfaces\",\n       \"ec2:DescribeNetworkInterfaceAttribute\",\n       \"ec2:DescribeRouteTables\",\n       \"ec2:DescribeSecurityGroups\",\n       \"ec2:DescribeSubnets\",\n       \"ec2:DescribeVpcs\",\n       \"ec2:DescribeVpcAttribute\",\n       \"ec2:DescribeVolumes\",\n       \"ec2:DetachInternetGateway\",\n       \"ec2:DisassociateRouteTable\",\n       \"ec2:DisassociateAddress\",\n       \"ec2:ModifyInstanceAttribute\",\n       \"ec2:ModifyNetworkInterfaceAttribute\",\n       \"ec2:ModifySubnetAttribute\",\n       \"ec2:RevokeSecurityGroupIngress\",\n       \"ec2:RunInstances\",\n       \"ec2:TerminateInstances\",\n       \"tag:GetResources\",\n       \"ec2:CreateLaunchTemplate\",\n       \"ec2:CreateLaunchTemplateVersion\",\n       \"ec2:DescribeLaunchTemplates\",\n       \"ec2:DescribeLaunchTemplateVersions\",\n       \"ec2:DeleteLaunchTemplate\",\n       \"ec2:DeleteLaunchTemplateVersions\"\n     ],\n     \"Resource\": [\n       \"*\"\n     ],\n     \"Effect\": \"Allow\"\n   },\n   {\n     \"Condition\": {\n       \"StringLike\": {\n         \"iam:AWSServiceName\": \"elasticloadbalancing.amazonaws.com\"\n       }\n     },\n     \"Action\": [\n       \"iam:CreateServiceLinkedRole\"\n     ],\n     \"Resource\": [\n       \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n     ],\n     \"Effect\": \"Allow\"\n   },\n   {\n     \"Action\": [\n       \"iam:PassRole\"\n     ],\n     \"Resource\": [\n       \"arn:*:iam::*:role/*-worker-role\"\n     ],\n     \"Effect\": \"Allow\"\n   },\n\t  {\n\t  \t\"Effect\": \"Allow\",\n\t  \t\"Action\": [\n\t  \t\t\"kms:Decrypt\",\n\t  \t\t\"kms:ReEncrypt\",\n\t  \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t  \t\t\"kms:DescribeKey\"\n\t  \t],\n\t  \t\"Resource\": \"*\"\n\t  },\n\t  {\n\t  \t\"Effect\": \"Allow\",\n\t  \t\"Action\": [\n\t  \t\t\"kms:CreateGrant\"\n\t  \t],\n\t  \t\"Resource\": \"*\",\n\t  \t\"Condition\": {\n\t  \t\t\"Bool\": {\n\t  \t\t\t\"kms:GrantIsForAWSResource\": true\n\t  \t\t}\n\t  \t}\n\t  }\n ]\n}\n\n\nNote: the example grants the EC2 and KMS actions on \"Resource\": \"*\" and allows iam:PassRole for any role named *-worker-role in any account (arn:*:iam::*:role/*-worker-role). Treat it as a starting point and narrow the Resource elements and conditions to the cluster's own resources where your environment allows.",
              "type": "string"
            },
            "storageARN": {
              "description": "StorageARN is an ARN value referencing a role appropriate for the Storage Operator.\n\n\nThe following is an example of a valid policy document:\n\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t}\n\t]\n}",
              "type": "string"
            }
          },
          "required": [
            "controlPlaneOperatorARN",
            "imageRegistryARN",
            "ingressARN",
            "kmsProviderARN",
            "kubeCloudControllerARN",
            "networkARN",
            "nodePoolManagementARN",
            "storageARN"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "rosaClusterName": {
          "description": "Cluster name must be a valid DNS-1035 label, so it must consist of lower case alphanumeric\ncharacters or '-', start with an alphabetic character, end with an alphanumeric character\nand have a max length of 54 characters. The name is immutable once set.",
          "maxLength": 54,
          "pattern": "^[a-z]([-a-z0-9]*[a-z0-9])?$",
          "type": "string",
          "x-kubernetes-validations": [
            {
              "message": "rosaClusterName is immutable",
              "rule": "self == oldSelf"
            }
          ]
        },
        "subnets": {
          "description": "The subnet IDs to use when installing the cluster.\nSubnet IDs should come in pairs: two per availability zone, one private and one public,\ncovering every zone listed in availabilityZones.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "supportRoleARN": {
          "description": "SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable\naccess to the cluster account in order to provide support.",
          "type": "string"
        },
        "version": {
          "description": "OpenShift semantic version, for example \"4.14.5\".",
          "type": "string"
        },
        "workerRoleARN": {
          "description": "WorkerRoleARN is an AWS IAM role that will be attached to worker instances.",
          "type": "string"
        }
      },
      "required": [
        "availabilityZones",
        "installerRoleARN",
        "oidcID",
        "region",
        "rolesRef",
        "rosaClusterName",
        "subnets",
        "supportRoleARN",
        "version",
        "workerRoleARN"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "RosaControlPlaneStatus defines the observed state of ROSAControlPlane.",
      "properties": {
        "conditions": {
          "description": "Conditions specifies the conditions for the managed control plane.",
          "items": {
            "description": "Condition defines an observation of a Cluster API resource operational state.",
            "properties": {
              "lastTransitionTime": {
                "description": "Last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when\nthe API field changed is acceptable.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "A human readable message indicating details about the transition.\nThis field may be empty.",
                "type": "string"
              },
              "reason": {
                "description": "The reason for the condition's last transition in CamelCase.\nThe specific API may choose whether or not this field is considered a guaranteed API.\nThis field may not be empty.",
                "type": "string"
              },
              "severity": {
                "description": "Severity provides an explicit classification of Reason code, so the users or machines can immediately\nunderstand the current situation and act accordingly.\nThe Severity field MUST be set only when Status=False.",
                "type": "string"
              },
              "status": {
                "description": "Status of the condition, one of True, False, Unknown.",
                "type": "string"
              },
              "type": {
                "description": "Type of condition in CamelCase or in foo.example.com/CamelCase.\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions\ncan be useful (see .node.status.conditions), the ability to deconflict is important.",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "status",
              "type"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "consoleURL": {
          "description": "ConsoleURL is the URL of the OpenShift console.",
          "type": "string"
        },
        "externalManagedControlPlane": {
          "default": true,
          "description": "ExternalManagedControlPlane indicates to cluster-api that the control plane\nis managed by an external service such as AKS, EKS, GKE, etc.",
          "type": "boolean"
        },
        "failureMessage": {
          "description": "FailureMessage will be set in the event that there is a terminal problem\nreconciling the state and will be set to a descriptive error message.\n\n\nThis field should not be set for transitive errors that a controller\nfaces that are expected to be fixed automatically over\ntime (like service outages), but instead indicate that something is\nfundamentally wrong with the spec or the configuration of\nthe controller, and that manual intervention is required.",
          "type": "string"
        },
        "id": {
          "description": "ID is the cluster ID given by ROSA.",
          "type": "string"
        },
        "initialized": {
          "description": "Initialized denotes whether or not the control plane has the\nuploaded kubernetes config-map.",
          "type": "boolean"
        },
        "oidcEndpointURL": {
          "description": "OIDCEndpointURL is the endpoint URL of the managed OIDC provider.",
          "type": "string"
        },
        "ready": {
          "default": false,
          "description": "Ready denotes that the ROSAControlPlane API Server is ready to receive requests.",
          "type": "boolean"
        }
      },
      "required": [
        "ready"
      ],
      "type": "object",
      "additionalProperties": false
    }
  },
  "type": "object"
}
