From 6cb1b96e51740d9307d70379177670d3f2f45e21 Mon Sep 17 00:00:00 2001 
From: Johnny Liu Date: Fri, 28 Feb 2025 19:52:06 +0800 Subject: [PATCH] aws only public subnets coverage --- ...nightly-4.19-upgrade-from-stable-4.18.yaml | 3 +- ...sts-master__installation-nightly-4.18.yaml | 14 ++ ...sts-master__installation-nightly-4.19.yaml | 14 ++ ...-tests-private-release-4.19-periodics.yaml | 4 +- ...t-verification-tests-master-periodics.yaml | 150 ++++++++++++++++++ ...aws-provision-tags-for-byo-vpc-commands.sh | 15 +- .../aws-provision-tags-for-byo-vpc-ref.yaml | 4 + .../aws-provision-vpc-shared-commands.sh | 97 +++++++---- .../shared/aws-provision-vpc-shared-ref.yaml | 4 + .../rehearse/aws/ipi/byo-subnets/OWNERS | 8 + ...aws-ipi-byo-subnets-workflow.metadata.json | 15 ++ ...rehearse-aws-ipi-byo-subnets-workflow.yaml | 9 ++ .../aws/ipi/byo-subnets/deprovision/OWNERS | 8 + ...yo-subnets-deprovision-chain.metadata.json | 15 ++ ...aws-ipi-byo-subnets-deprovision-chain.yaml | 8 + .../aws/ipi/byo-subnets/provision/OWNERS | 8 + ...-byo-subnets-provision-chain.metadata.json | 15 ++ ...e-aws-ipi-byo-subnets-provision-chain.yaml | 25 +++ .../workers-marketplace/byo-subnets/OWNERS | 4 + ...etplace-byo-subnets-workflow.metadata.json | 10 ++ ...kers-marketplace-byo-subnets-workflow.yaml | 9 ++ .../byo-subnets/provision/OWNERS | 4 + ...-byo-subnets-provision-chain.metadata.json | 10 ++ ...rketplace-byo-subnets-provision-chain.yaml | 24 +++ ...-conf-aws-user-min-permissions-commands.sh | 4 + ...ipi-conf-aws-user-min-permissions-ref.yaml | 4 + 26 files changed, 450 insertions(+), 35 deletions(-) create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml create mode 100644 
ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.metadata.json create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS create mode 100644 ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json create mode 100644 
ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml index 3038a0f35db3f..da125922d497b 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml @@ -295,11 +295,12 @@ tests: test: - chain: openshift-upgrade-qe-test workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service -- as: aws-ipi-workers-marketplace-f28 +- as: aws-ipi-workers-marketplace-mini-perm-f28 cron: 12 6 26 * * steps: cluster_profile: aws-qe env: + AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.devcluster.openshift.com test: - chain: openshift-upgrade-qe-test diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml index a5946b5a20f50..ea01a651ba0da 100644 --- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml +++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml 
@@ -121,6 +121,20 @@ tests: ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false" OCP_ARCH: arm64 workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role +- as: aws-ipi-byo-subnets-only-public-mini-perm-arm-f14 + cron: 34 18 1,17 * * + steps: + cluster_profile: aws-qe + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest + env: + AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" + BASE_DOMAIN: qe.devcluster.openshift.com + COMPUTE_NODE_TYPE: m6g.xlarge + CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge + OCP_ARCH: arm64 + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" + workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets - as: aws-ipi-default-mini-perm-arm-f7 cron: 56 23 6,15,22,29 * * steps: diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml index ce954d3a53773..3191953b4c239 100644 --- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml +++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml @@ -121,6 +121,20 @@ tests: ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false" OCP_ARCH: arm64 workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role +- as: aws-ipi-byo-subnets-only-public-mini-perm-arm-f14 + cron: 32 8 8,24 * * + steps: + cluster_profile: aws-qe + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest + env: + AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" + BASE_DOMAIN: qe.devcluster.openshift.com + COMPUTE_NODE_TYPE: m6g.xlarge + CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge + OCP_ARCH: arm64 + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" + workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets - as: aws-ipi-default-mini-perm-arm-f7 cron: 7 21 4,11,20,27 * * steps: 
diff --git a/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml b/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml index d8f0fa9e5bf81..90cad96a00ec0 100644 --- a/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml +++ b/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml @@ -2367,7 +2367,7 @@ periodics: ci-operator.openshift.io/variant: amd64-nightly-4.19-upgrade-from-stable-4.18 ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-f28 + name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-mini-perm-f28 spec: containers: - args: @@ -2377,7 +2377,7 @@ periodics: - --oauth-token-path=/usr/local/github-credentials/oauth - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=aws-ipi-workers-marketplace-f28 + - --target=aws-ipi-workers-marketplace-mini-perm-f28 - --variant=amd64-nightly-4.19-upgrade-from-stable-4.18 command: - ci-operator diff --git a/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml b/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml index 6004c4c95a3ba..88ba4097bd332 100644 --- a/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml +++ b/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml 
@@ -12529,6 +12529,81 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build03 + cron: 34 18 1,17 * * + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: verification-tests + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: installation-nightly-4.18 + ci.openshift.io/generator: prowgen + job-release: "4.18" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-mini-perm-arm-f14 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-byo-subnets-only-public-mini-perm-arm-f14 + - --variant=installation-nightly-4.18 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + 
secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build03 cron: 56 23 6,15,22,29 * * 
@@ -17556,6 +17631,81 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build03 + cron: 32 8 8,24 * * + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: verification-tests + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: installation-nightly-4.19 + ci.openshift.io/generator: prowgen + job-release: "4.19" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-verification-tests-master-installation-nightly-4.19-aws-ipi-byo-subnets-only-public-mini-perm-arm-f14 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-byo-subnets-only-public-mini-perm-arm-f14 + - --variant=installation-nightly-4.19 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + 
secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build03 cron: 7 21 4,11,20,27 * * diff --git a/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh b/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh index beb415a20bf46..55051dd4470aa 100644 --- a/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh +++ b/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh 
@@ -31,19 +31,24 @@ fi
echo "infra_id: $infra_id"
vpc_id=$(head -n 1 ${SHARED_DIR}/vpc_id)
-private_subnet_ids=$(yq-go r -j ${SHARED_DIR}/private_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
-if [[ -z $vpc_id ]] || [[ -z $private_subnet_ids ]] || [[ -z $infra_id ]] || [[ "${infra_id}" == "null" ]]; then
+if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" == "true" ]]; then
+ subnet_ids=$(yq-go r -j ${SHARED_DIR}/public_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
+else
+ subnet_ids=$(yq-go r -j ${SHARED_DIR}/private_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
+fi
+
+if [[ -z $vpc_id ]] || [[ -z $subnet_ids ]] || [[ -z $infra_id ]] || [[ "${infra_id}" == "null" ]]; then
echo "Error: Can not get VPC id or private subnets, exit"
- echo "vpc: $vpc_id, private_subnet_ids: $private_subnet_ids"
+ echo "vpc: $vpc_id, subnet_ids: $subnet_ids"
exit 1
fi
echo "Adding tags for VPC: $vpc_id, tags: kubernetes.io/cluster/${infra_id}, value: shared."
aws --region $REGION ec2 create-tags --resources $vpc_id --tags Key=kubernetes.io/cluster/${infra_id},Value=shared
-echo "Adding tags for private subnets:$private_subnet_ids, tags: kubernetes.io/role/internal-elb, value is empty."
-aws --region $REGION ec2 create-tags --resources $private_subnet_ids --tags Key=kubernetes.io/role/internal-elb,Value=
+echo "Adding tags for subnets:$subnet_ids, tags: kubernetes.io/role/internal-elb, value is empty."
+aws --region $REGION ec2 create-tags --resources $subnet_ids --tags Key=kubernetes.io/role/internal-elb,Value=
if [[ ${ENABLE_AWS_EDGE_ZONE} == "yes" ]] && [[ ${EDGE_ZONE_TYPES} == "outpost" ]]; then
edge_zone_public_subnet_id=$(head -n 1 "${SHARED_DIR}/edge_zone_public_subnet_id")
diff --git a/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-ref.yaml b/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-ref.yaml
index d99d4c7688416..51d3b998208a4 100644
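Review bot: The unchanged line `echo "Error: Can not get VPC id or private subnets, exit"` is now stale, because `subnet_ids` holds the public subnet ids whenever OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY is "true"; change it to `echo "Error: Can not get VPC id or subnets, exit"`. In that mode the `kubernetes.io/role/internal-elb` tag is applied to the public subnets, which is presumably intended because the VPC then has no private subnets, but nothing in the script says so; a comment above the first `subnet_ids=` line such as `# Public-only VPC: no private subnets exist, so the internal-elb role tag goes on the public subnets.` would record the decision. The edge-zone block that follows continues outside the hunk.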
--- a/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-ref.yaml +++ b/ci-operator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-ref.yaml @@ -19,6 +19,10 @@ ref: default: "no" - name: EDGE_ZONE_TYPES default: "local-zone" + - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY + default: "" + documentation: |- + Whether to use only public subnets for AWS. Implies no NAT Gateways. documentation: |- Create required tags for BYO VPC, see [1][2] for more details. [1] https://bugzilla.redhat.com/show_bug.cgi?id=2075072 diff --git a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh index ac340958ca2be..fcd5d32d1016e 100644 --- a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh +++ b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh @@ -74,6 +74,13 @@ Parameters: - "no" Description: "Create a dhcpOptionSet with a custom DNS name" Type: String + OnlyPublicSubnets: + Default: "no" + AllowedValues: + - "yes" + - "no" + Description: "Only create public subnets" + Type: String AllowedAvailabilityZoneList: ConstraintDescription: "Select AZs from this list, e.g. 'us-east-2c,us-east-2a'" Type: CommaDelimitedList 
@@ -108,6 +115,10 @@ Conditions: DoAz3: !Equals [3, !Ref AvailabilityZoneCount] DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3] DoDhcp: !Equals ["yes", !Ref DhcpOptionSet] + DoOnlyPublicSubnets: !Equals ["yes", !Ref OnlyPublicSubnets] + DoAz1PrivateSubnet: !Not [Condition: DoOnlyPublicSubnets] + DoAz2PrivateSubnet: !And [ !Not [Condition: DoOnlyPublicSubnets], Condition: DoAz2 ] + DoAz3PrivateSubnet: !And [ !Not [Condition: DoOnlyPublicSubnets], Condition: DoAz3 ] AzRestriction: !Not [ !Equals [!Join ['', !Ref AllowedAvailabilityZoneList], ''] ] ShareSubnets: !Not [ !Equals ['', !Ref ResourceSharePrincipals] ] @@ -124,6 +135,12 @@ Resources: PublicSubnet: Type: "AWS::EC2::Subnet" Properties: + MapPublicIpOnLaunch: + !If [ + "DoOnlyPublicSubnets", + "true", + "false" + ] VpcId: !Ref VPC CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] AvailabilityZone: @@ -136,6 +153,12 @@ Resources: Type: "AWS::EC2::Subnet" Condition: DoAz2 Properties: + MapPublicIpOnLaunch: + !If [ + "DoOnlyPublicSubnets", + "true", + "false" + ] VpcId: !Ref VPC CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] AvailabilityZone: @@ -148,6 +171,12 @@ Resources: Type: "AWS::EC2::Subnet" Condition: DoAz3 Properties: + MapPublicIpOnLaunch: + !If [ + "DoOnlyPublicSubnets", + "true", + "false" + ] VpcId: !Ref VPC CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] AvailabilityZone: @@ -193,6 +222,7 @@ Resources: RouteTableId: !Ref PublicRouteTable PrivateSubnet: Type: "AWS::EC2::Subnet" + Condition: DoAz1PrivateSubnet Properties: VpcId: !Ref VPC CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] 
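Review bot: The `MapPublicIpOnLaunch` property added to PublicSubnet, PublicSubnet2 and PublicSubnet3 (hunks @@ -124, @@ -136 and @@ -148) carries no comment recording why it tracks DoOnlyPublicSubnets. The same commit places the NAT gateways, EIPs and private routes under the new DoAz*PrivateSubnet conditions, so in public-only mode the auto-assigned public IP is presumably what gives instances internet egress; it also means every instance launched there is directly reachable from the internet with only its security groups in between, which is worth stating for anyone reusing this template. Suggested comment above the first `!If`: `# Public-only VPC has no NAT gateways: auto-assign a public IP so instances have egress (and are directly reachable).`. As a point of style, several other `!If` expressions in this template are written on one line, and `MapPublicIpOnLaunch: !If [DoOnlyPublicSubnets, "true", "false"]` would shorten each of the three five-line blocks. The enclosing Resources section continues outside these hunks.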
@@ -203,11 +233,13 @@ Resources: !Select [0, Fn::GetAZs: !Ref "AWS::Region"] ] PrivateRouteTable: + Condition: DoAz1PrivateSubnet Type: "AWS::EC2::RouteTable" Properties: VpcId: !Ref VPC PrivateSubnetRouteTableAssociation: Type: "AWS::EC2::SubnetRouteTableAssociation" + Condition: DoAz1PrivateSubnet Properties: SubnetId: !Ref PrivateSubnet RouteTableId: !Ref PrivateRouteTable @@ -215,6 +247,7 @@ Resources: DependsOn: - GatewayToInternet Type: "AWS::EC2::NatGateway" + Condition: DoAz1PrivateSubnet Properties: AllocationId: "Fn::GetAtt": @@ -223,10 +256,12 @@ Resources: SubnetId: !Ref PublicSubnet EIP: Type: "AWS::EC2::EIP" + Condition: DoAz1PrivateSubnet Properties: Domain: vpc Route: Type: "AWS::EC2::Route" + Condition: DoAz1PrivateSubnet Properties: RouteTableId: Ref: PrivateRouteTable @@ -235,7 +270,7 @@ Resources: Ref: NAT PrivateSubnet2: Type: "AWS::EC2::Subnet" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: VpcId: !Ref VPC CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] @@ -247,12 +282,12 @@ Resources: ] PrivateRouteTable2: Type: "AWS::EC2::RouteTable" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: VpcId: !Ref VPC PrivateSubnetRouteTableAssociation2: Type: "AWS::EC2::SubnetRouteTableAssociation" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: SubnetId: !Ref PrivateSubnet2 RouteTableId: !Ref PrivateRouteTable2 @@ -260,7 +295,7 @@ Resources: DependsOn: - GatewayToInternet Type: "AWS::EC2::NatGateway" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: AllocationId: "Fn::GetAtt": @@ -269,12 +304,12 @@ Resources: SubnetId: !Ref PublicSubnet2 EIP2: Type: "AWS::EC2::EIP" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: Domain: vpc Route2: Type: "AWS::EC2::Route" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: RouteTableId: Ref: PrivateRouteTable2 
@@ -283,7 +318,7 @@ Resources: Ref: NAT2 PrivateSubnet3: Type: "AWS::EC2::Subnet" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: VpcId: !Ref VPC CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] @@ -295,12 +330,12 @@ Resources: ] PrivateRouteTable3: Type: "AWS::EC2::RouteTable" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: VpcId: !Ref VPC PrivateSubnetRouteTableAssociation3: Type: "AWS::EC2::SubnetRouteTableAssociation" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: SubnetId: !Ref PrivateSubnet3 RouteTableId: !Ref PrivateRouteTable3 @@ -308,7 +343,7 @@ Resources: DependsOn: - GatewayToInternet Type: "AWS::EC2::NatGateway" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: AllocationId: "Fn::GetAtt": @@ -317,12 +352,12 @@ Resources: SubnetId: !Ref PublicSubnet3 EIP3: Type: "AWS::EC2::EIP" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: Domain: vpc Route3: Type: "AWS::EC2::Route" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: RouteTableId: Ref: PrivateRouteTable3 @@ -343,9 +378,9 @@ Resources: - '*' RouteTableIds: - !Ref PublicRouteTable - - !Ref PrivateRouteTable - - !If [DoAz2, !Ref PrivateRouteTable2, !Ref "AWS::NoValue"] - - !If [DoAz3, !Ref PrivateRouteTable3, !Ref "AWS::NoValue"] + - !If [DoAz1PrivateSubnet, !Ref PrivateRouteTable, !Ref "AWS::NoValue"] + - !If [DoAz2PrivateSubnet, !Ref PrivateRouteTable2, !Ref "AWS::NoValue"] + - !If [DoAz3PrivateSubnet, !Ref PrivateRouteTable3, !Ref "AWS::NoValue"] ServiceName: !Join - '' - - com.amazonaws. 
@@ -423,7 +458,7 @@ Outputs: Value: !Join [ ",", - [!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]] + [!If [DoAz1PrivateSubnet, !Ref PrivateSubnet, !Ref "AWS::NoValue"], !If [DoAz2PrivateSubnet, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3PrivateSubnet, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]] ] PublicRouteTableId: Description: Public Route table ID @@ -434,12 +469,15 @@ Outputs: !Join [ ",", [ - !If [ - "AzRestriction", - !Join ["=", [!Select [0, !Ref AllowedAvailabilityZoneList], !Ref PrivateRouteTable]], - !Join ["=", [!Select [0, "Fn::GetAZs": !Ref "AWS::Region"], !Ref PrivateRouteTable]] + !If [DoAz1PrivateSubnet, + !If [ + "AzRestriction", + !Join ["=", [!Select [0, !Ref AllowedAvailabilityZoneList], !Ref PrivateRouteTable]], + !Join ["=", [!Select [0, "Fn::GetAZs": !Ref "AWS::Region"], !Ref PrivateRouteTable]] + ], + !Ref "AWS::NoValue" ], - !If [DoAz2, + !If [DoAz2PrivateSubnet, !If [ "AzRestriction", !Join ["=", [!Select [1, !Ref AllowedAvailabilityZoneList], !Ref PrivateRouteTable2]], @@ -447,7 +485,7 @@ Outputs: ], !Ref "AWS::NoValue" ], - !If [DoAz3, + !If [DoAz3PrivateSubnet, !If [ "AzRestriction", !Join ["=", [!Select [2, !Ref AllowedAvailabilityZoneList], !Ref PrivateRouteTable3]], @@ -465,8 +503,7 @@ if (( ZONES_COUNT > MAX_ZONES_COUNT )); then fi # The above cloudformation template's max zones account is 3 -if [[ "${ZONES_COUNT}" -gt 3 ]] -then +if [[ "${ZONES_COUNT}" -gt 3 ]]; then ZONES_COUNT=3 fi @@ -483,6 +520,10 @@ if [[ ${ENABLE_SHARED_VPC} == "yes" ]]; then aws_add_param_to_json "ResourceSharePrincipals" ${CLUSTER_CREATOR_AWS_ACCOUNT_NO} "$vpc_params" fi +if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" == "true" ]]; then + aws_add_param_to_json "OnlyPublicSubnets" "yes" "$vpc_params" +fi + if [[ -n "${VPC_CIDR}" ]]; then aws_add_param_to_json "VpcCidr" ${VPC_CIDR} "$vpc_params" fi 
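Review bot: With DoOnlyPublicSubnets set, every element of the PrivateSubnetIds `!Join` in hunk @@ -423 resolves to AWS::NoValue, so that output is at best an empty string, yet only the PrivateRouteTableIds read in the script was guarded (hunk @@ -556). The shell lines that copy PrivateSubnetIds into `${SHARED_DIR}/private_subnet_ids` are outside the hunks shown; if they still run unconditionally, a public-only stack may write an empty file or trip on the empty value, and the tags step only avoids this because it reads public_subnet_ids in that mode. Guarding that read with the same `if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" != "true" ]]` test would keep the two outputs consistent.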
@@ -556,6 +597,8 @@ echo "$PublicRouteTableId" > "${SHARED_DIR}/public_route_table_id"
echo "PublicRouteTableId: ${PublicRouteTableId}"
# PrivateRouteTableId
-PrivateRouteTableId=$(jq -r '.Stacks[].Outputs[] | select(.OutputKey=="PrivateRouteTableIds") | .OutputValue | split(",")[0] | split("=")[1]' "${SHARED_DIR}/vpc_stack_output")
-echo "$PrivateRouteTableId" > "${SHARED_DIR}/private_route_table_id"
-echo "PrivateRouteTableId: ${PrivateRouteTableId}"
+if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" != "true" ]]; then
+ PrivateRouteTableId=$(jq -r '.Stacks[].Outputs[] | select(.OutputKey=="PrivateRouteTableIds") | .OutputValue | split(",")[0] | split("=")[1]' "${SHARED_DIR}/vpc_stack_output")
+ echo "$PrivateRouteTableId" > "${SHARED_DIR}/private_route_table_id"
+ echo "PrivateRouteTableId: ${PrivateRouteTableId}"
+fi
diff --git a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml
index fad6da02baedb..c118531ff4a2d 100644
--- a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml
+++ b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml
@@ -31,5 +31,9 @@ ref:
default: ""
documentation: |-
Set VPC CIDR, e.g. '10.0.0.0/16'
+ - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
+ default: ""
+ documentation: |-
+ Whether to use only public subnets for AWS. Implies no NAT Gateways.
documentation: |-
Create a shared VPC.
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS
new file mode 100644
index 0000000000000..a289759113618
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
+reviewers:
+- jianlinliu
+- yunjiang29
+- gpei
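Review bot: When OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY is "true" the new guard means `${SHARED_DIR}/private_route_table_id` is never created, so a later step that reads it the way this repo reads `${SHARED_DIR}/vpc_id` (`head -n 1`) would fail on a missing file rather than with a clear message. Whether such a consumer exists is not visible from this hunk; if it does not, an explicit skip keeps the log self-explanatory: `else` / `  echo "OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY=true: no private route table, skipping private_route_table_id"`. The `fi` appears to be the last line of the script, so nothing later in this file depends on the variable.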
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json new file mode 100644 index 0000000000000..ff3a3e98b819c --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json @@ -0,0 +1,15 @@ +{ + "path": "cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml", + "owners": { + "approvers": [ + "jianlinliu", + "yunjiang29", + "gpei" + ], + "reviewers": [ + "jianlinliu", + "yunjiang29", + "gpei" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml new file mode 100644 index 0000000000000..ac98f84941d6e --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml @@ -0,0 +1,9 @@ +workflow: + as: cucushift-installer-rehearse-aws-ipi-byo-subnets + steps: + pre: + - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-provision + post: + - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision + documentation: |- + This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS new file mode 100644 index 0000000000000..285fb5db6b0bd --- /dev/null 
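Review bot: The workflow documentation `This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow` says nothing about what distinguishes this workflow, and the byo-subnets provision chain (hunk @@ -0,0 +1,25) has the same gap with `Create an IPI cluster on AWS for QE e2e tests.`. The chain provisions a shared VPC (`aws-provision-vpc-shared`) and installs into it through `ipi-conf-aws-custom-vpc`, with OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY selecting a public-subnets-only VPC, none of which a reader learns from either text. Suggested workflow documentation: `Rehearsal workflow for installer steps: provisions a shared VPC and installs an IPI cluster into its subnets (BYO subnets); set OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY to "true" for a public-subnets-only VPC without NAT gateways.`, with a matching sentence on the chain.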
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS @@ -0,0 +1,8 @@ +approvers: +- yunjiang29 +- jianlinliu +- gpei +reviewers: +- yunjiang29 +- jianlinliu +- gpei diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.metadata.json new file mode 100644 index 0000000000000..15ac62c4cc6f5 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.metadata.json @@ -0,0 +1,15 @@ +{ + "path": "cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml", + "owners": { + "approvers": [ + "yunjiang29", + "jianlinliu", + "gpei" + ], + "reviewers": [ + "yunjiang29", + "jianlinliu", + "gpei" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml new file mode 100644 index 0000000000000..ded30ca26798e --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml @@ -0,0 +1,8 @@ +chain: + as: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision + steps: + - chain: cucushift-installer-rehearse-aws-ipi-deprovision + - ref: aws-deprovision-security-group + - ref: aws-deprovision-stacks + documentation: |- + Destroy cluster 
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS new file mode 100644 index 0000000000000..285fb5db6b0bd --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS @@ -0,0 +1,8 @@ +approvers: +- yunjiang29 +- jianlinliu +- gpei +reviewers: +- yunjiang29 +- jianlinliu +- gpei diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json new file mode 100644 index 0000000000000..04555dafd5124 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json @@ -0,0 +1,15 @@ +{ + "path": "cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml", + "owners": { + "approvers": [ + "yunjiang29", + "jianlinliu", + "gpei" + ], + "reviewers": [ + "yunjiang29", + "jianlinliu", + "gpei" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml new file mode 100644 index 0000000000000..eb79f17093145 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml 
@@ -0,0 +1,25 @@
+chain:
+ as: cucushift-installer-rehearse-aws-ipi-byo-subnets-provision
+ steps:
+ - ref: aws-provision-vpc-shared
+ - chain: ipi-conf-aws
+ - ref: aws-provision-security-group
+ - ref: ipi-conf-aws-custom-vpc
+ - ref: ipi-conf-aws-custom-security-groups
+ - ref: ipi-conf-aws-usage-info
+ - chain: aws-provision-iam-user-minimal-permission
+ - chain: ipi-install
+ - ref: aws-provision-tags-for-byo-vpc
+ - ref: cucushift-installer-check-aws-custom-vpc
+ - ref: enable-qe-catalogsource
+ - chain: cucushift-installer-check
+ env:
+ - name: CONTROL_PLANE_INSTANCE_TYPE
+ default: "m6i.xlarge"
+ documentation: "Instance type for control plane nodes"
+ - name: COMPUTE_NODE_TYPE
+ default: "m5.xlarge"
+ documentation: "Instance type for compute nodes"
+ documentation: |-
+ Create an IPI cluster on AWS for QE e2e tests.
+
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS
new file mode 100644
index 0000000000000..2ff191d05e8fa
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json
new file mode 100644
index 0000000000000..b97f052f1456d
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json
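Review bot: The chain's `documentation` block, `Create an IPI cluster on AWS for QE e2e tests.`, is the generic provision-chain text and does not say what distinguishes this chain: it first runs `aws-provision-vpc-shared` and `aws-provision-security-group` and then, judging by the ref names, points the installer at those resources via `ipi-conf-aws-custom-vpc` and `ipi-conf-aws-custom-security-groups`, so the cluster lands in pre-provisioned (BYO) subnets. A reader picking a rehearsal chain needs that stated up front; suggest `Create an IPI cluster on AWS in pre-provisioned (BYO) subnets with a custom security group, for QE e2e tests.`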
@@ -0,0 +1,10 @@
+{
+ "path": "cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml",
+ "owners": {
+ "approvers": [
+ "jianlinliu",
+ "yunjiang29",
+ "gpei"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml
new file mode 100644
index 0000000000000..3bb96cbc95a3d
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml
@@ -0,0 +1,9 @@
+workflow:
+ as: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
+ steps:
+ pre:
+ - chain: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision
+ post:
+ - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision
+ documentation: |-
+ This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow by using AWS Marketplace images.
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS
new file mode 100644
index 0000000000000..2ff191d05e8fa
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
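Review bot: The `post` chain `cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision` runs `aws-deprovision-security-group`, but the `pre` chain this workflow pairs it with (`cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision`, defined in a later hunk) never runs `aws-provision-security-group`. If the deprovision ref does not treat a missing security-group record as a no-op, the post phase will fail after an otherwise clean run and the VPC stack teardown that follows it may be skipped; either confirm it tolerates that case or give the marketplace variant a deprovision chain without that ref. The `documentation` line should also say that this is the BYO-subnets (shared VPC) variant of the marketplace rehearsal, e.g. `Rehearsal workflow for AWS IPI installs into pre-provisioned (BYO) subnets, with worker nodes using AWS Marketplace images.`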
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json
new file mode 100644
index 0000000000000..8297fc0f03284
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json
@@ -0,0 +1,10 @@
+{
+ "path": "cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml",
+ "owners": {
+ "approvers": [
+ "jianlinliu",
+ "yunjiang29",
+ "gpei"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml
new file mode 100644
index 0000000000000..f97f471d63a5f
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml
@@ -0,0 +1,24 @@
+chain:
+ as: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision
+ steps:
+ - ref: aws-provision-vpc-shared
+ - chain: ipi-conf-aws
+ - ref: ipi-conf-aws-custom-vpc
+ - ref: ipi-conf-aws-marketplace
+ - ref: ipi-conf-aws-usage-info
+ - chain: aws-provision-iam-user-minimal-permission
+ - chain: ipi-install
+ - ref: cucushift-installer-check-aws-custom-ami
+ - ref: aws-provision-tags-for-byo-vpc
+ - ref: cucushift-installer-check-aws-custom-vpc
+ - ref: enable-qe-catalogsource
+ - chain: cucushift-installer-check
+ env:
+ - name: USE_MARKETPLACE_CONTRACT_NODE_TYPE_ONLY
+ default: "yes"
+ documentation: |-
+ Use instance types which present in the contract only.
+ documentation: |-
+ Create an IPI cluster on AWS for QE e2e tests.
+ The worker node is configured by using AWS Marketplace images
+
diff --git a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh
index 0c1e33ac878a6..be58e2aeb4b14 100644
--- a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh
+++ b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh
@@ -335,6 +335,10 @@ EOF
 mkdir -p ${dir}
+ echo "install-config.yaml"
+ echo "-------------------"
+ cat ${SHARED_DIR}/install-config.yaml | grep -vi "password\|username\|pullSecret\|auth"
+
 # Make a copy of the install-config.yaml since the installer will consume it.
 cp "${SHARED_DIR}/install-config.yaml" ${dir}/
diff --git a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-ref.yaml b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-ref.yaml
index 827b1b26fb96a..ded0b1a649009 100644
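Review bot: The redaction in `cat ${SHARED_DIR}/install-config.yaml | grep -vi "password\|username\|pullSecret\|auth"` is line-based, so it drops only the line that carries the key name; a secret written as a YAML block scalar (for example `pullSecret: |` followed by indented JSON) or any multi-line value under a key matching `auth` would still be echoed into the job log, which is archived with the run. If a YAML processor is available in this step's image, deleting the sensitive keys structurally before printing is the safer form; failing that, the grep should also drop the indented continuation lines, and the assumption deserves a comment such as `# NOTE: line-based redaction; assumes every secret in install-config.yaml is a single-line scalar`. The `cat | grep` pipeline can also be `grep -vi "..." "${SHARED_DIR}/install-config.yaml"`, which quotes the path consistently with the `cp` below it. The enclosing block of this script starts outside the hunk, so whether this runs under `set -o pipefail` is not visible here.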
--- a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-ref.yaml
+++ b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-ref.yaml
@@ -29,6 +29,10 @@ ref:
 - name: FIPS_ENABLED
 default: "false"
 documentation: "Indicates a FIPS-enabled cluster, to disable FIPS host checks in the installer."
+ - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
+ default: ""
+ documentation: |-
+ Whether to use only public subnets for AWS. The option is only used to run `create permissions-policy` in this step.
 documentation: |-
 Generate a permissions policy for the given cluster configuration.
 This has to run as the last step in the conf chain, since the cluster configuration affects the permissions required.
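Review bot: The new `OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY` entry does not state which values the step honours: the default is `""` while the documentation reads as a boolean, so a job author cannot tell whether `true`, `yes` or any non-empty string enables public-only subnets. The name mirrors the installer's environment variable, so presumably the installer's `true` is what the commands script passes through, but that script is not in this hunk and should be confirmed. Since the generated permissions policy depends on this flag (a public-only install needs a different set of subnet and NAT permissions than the default), a wrong value would only surface later as a permissions failure during install; suggest spelling it out, e.g. `Whether to use only public subnets for AWS (set to "true" to enable; empty keeps the default topology). The option is only used to run \`create permissions-policy\` in this step.`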