diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml index 61c08a516f02..aa21e4001bcf 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml @@ -294,16 +294,17 @@ tests: test: - chain: openshift-upgrade-qe-test workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service -- as: aws-ipi-workers-marketplace-mini-perm-f60 +- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f60 cron: 11 5 11 2,4,6,8,10,12 * steps: cluster_profile: aws-qe env: AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.devcluster.openshift.com + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" test: - chain: openshift-upgrade-qe-test - workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace + workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets - as: aws-sc2s-ipi-disc-priv-fips-f60 cron: 55 15 13 2,4,6,8,10,12 * steps: diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml index 8421f1cfeb4d..64668296f384 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml 
@@ -1033,16 +1033,17 @@ tests: test: - chain: openshift-e2e-test-qe-destructive workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service -- as: aws-ipi-workers-marketplace-mini-perm-f7 +- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f7 cron: 1 19 5,12,19,28 * * steps: cluster_profile: aws-qe env: AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.devcluster.openshift.com + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" test: - chain: openshift-e2e-test-qe - workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace + workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets - as: aws-ipi-workers-marketplace-mini-perm-f28-destructive cron: 59 15 16 * * steps: diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml index 3038a0f35db3..24159221cd4f 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml 
@@ -295,15 +295,17 @@ tests: test: - chain: openshift-upgrade-qe-test workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service -- as: aws-ipi-workers-marketplace-f28 +- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f28 cron: 12 6 26 * * steps: cluster_profile: aws-qe env: + AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.devcluster.openshift.com + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" test: - chain: openshift-upgrade-qe-test - workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace + workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets - as: aws-sc2s-ipi-disc-priv-fips-f28 cron: 51 1 14 * * steps: diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml index 2052b1842df6..63328b18d78c 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml 
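Review bot: The new test name `aws-ipi-workers-marketplace-public-subnets-mini-perm-f28` does not match the regenerated periodic for this variant. In the release-4.19 periodics file of this commit, the job name ends in `public-subnets-f28` and it passes `--target=aws-ipi-workers-marketplace-public-subnets-f28`. ci-operator selects the test by matching `--target` against `as`, so the job as committed would not find its target. Either regenerate the job file or rename the test so both sides agree. Since this hunk also adds `AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"`, the `mini-perm` spelling looks like the intended one.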
@@ -310,16 +310,17 @@ tests: test: - chain: openshift-upgrade-qe-test workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service -- as: aws-ipi-workers-marketplace-mini-perm-f60 +- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f60 cron: 53 18 15 2,4,6,8,10,12 * steps: cluster_profile: aws-qe env: AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.devcluster.openshift.com + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" test: - chain: openshift-upgrade-qe-test - workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace + workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets - as: aws-sc2s-ipi-disc-priv-fips-f60 cron: 52 7 15 1,3,5,7,9,11 * steps: diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml index 929545b6c998..c243b6ac8462 100644 --- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml +++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml 
@@ -1068,16 +1068,17 @@ tests: test: - chain: openshift-e2e-test-qe-destructive workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service -- as: aws-ipi-workers-marketplace-mini-perm-f7 +- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f7 cron: 30 5 6,13,20,29 * * steps: cluster_profile: aws-qe env: AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes" BASE_DOMAIN: qe.devcluster.openshift.com + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" test: - chain: openshift-e2e-test-qe - workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace + workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets - as: aws-ipi-workers-marketplace-mini-perm-f28-destructive cron: 35 2 14 * * steps: diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml index a5946b5a20f5..ee151f569dc1 100644 --- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml +++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml @@ -121,6 +121,19 @@ tests: ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false" OCP_ARCH: arm64 workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role +- as: aws-ipi-byo-subnets-only-public-arm-f14 + cron: 34 18 1,17 * * + steps: + cluster_profile: aws-qe + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest + env: + BASE_DOMAIN: qe.devcluster.openshift.com + COMPUTE_NODE_TYPE: m6g.xlarge + CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge + OCP_ARCH: arm64 + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" + workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets - as: aws-ipi-default-mini-perm-arm-f7 cron: 56 23 6,15,22,29 * * steps: 
diff --git a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml index ce954d3a5377..5349a4148fcc 100644 --- a/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml +++ b/ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml @@ -121,6 +121,19 @@ tests: ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false" OCP_ARCH: arm64 workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role +- as: aws-ipi-byo-subnets-only-public-arm-f14 + cron: 32 8 8,24 * * + steps: + cluster_profile: aws-qe + dependencies: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest + env: + BASE_DOMAIN: qe.devcluster.openshift.com + COMPUTE_NODE_TYPE: m6g.xlarge + CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge + OCP_ARCH: arm64 + OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true" + workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets - as: aws-ipi-default-mini-perm-arm-f7 cron: 7 21 4,11,20,27 * * steps: diff --git a/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18-periodics.yaml b/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18-periodics.yaml index 1eb4d11cbd4c..08ce81e7a85c 100644 --- a/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18-periodics.yaml +++ b/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18-periodics.yaml 
@@ -11623,7 +11623,7 @@ periodics: ci-operator.openshift.io/variant: amd64-nightly-4.18-upgrade-from-stable-4.18 ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-4.18-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-mini-perm-f60 + name: periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-4.18-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-public-subnets-mini-perm-f60 spec: containers: - args: @@ -11633,7 +11633,7 @@ periodics: - --oauth-token-path=/usr/local/github-credentials/oauth - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=aws-ipi-workers-marketplace-mini-perm-f60 + - --target=aws-ipi-workers-marketplace-public-subnets-mini-perm-f60 - --variant=amd64-nightly-4.18-upgrade-from-stable-4.18 command: - ci-operator @@ -24240,7 +24240,7 @@ periodics: ci.openshift.io/generator: prowgen job-release: "4.18" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-aws-ipi-workers-marketplace-mini-perm-f7 + name: periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-aws-ipi-workers-marketplace-public-subnets-mini-perm-f7 spec: containers: - args: @@ -24250,7 +24250,7 @@ periodics: - --oauth-token-path=/usr/local/github-credentials/oauth - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=aws-ipi-workers-marketplace-mini-perm-f7 + - --target=aws-ipi-workers-marketplace-public-subnets-mini-perm-f7 - --variant=amd64-nightly command: - ci-operator 
diff --git a/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml b/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml index d8f0fa9e5bf8..986690467e90 100644 --- a/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml +++ b/ci-operator/jobs/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml @@ -2367,7 +2367,7 @@ periodics: ci-operator.openshift.io/variant: amd64-nightly-4.19-upgrade-from-stable-4.18 ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-f28 + name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-public-subnets-f28 spec: containers: - args: @@ -2377,7 +2377,7 @@ periodics: - --oauth-token-path=/usr/local/github-credentials/oauth - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=aws-ipi-workers-marketplace-f28 + - --target=aws-ipi-workers-marketplace-public-subnets-f28 - --variant=amd64-nightly-4.19-upgrade-from-stable-4.18 command: - ci-operator @@ -10240,7 +10240,7 @@ periodics: ci-operator.openshift.io/variant: amd64-nightly-4.19-upgrade-from-stable-4.19 ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.19-aws-ipi-workers-marketplace-mini-perm-f60 + name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.19-aws-ipi-workers-marketplace-public-subnets-mini-perm-f60 spec: containers: - args: 
@@ -10250,7 +10250,7 @@ periodics: - --oauth-token-path=/usr/local/github-credentials/oauth - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=aws-ipi-workers-marketplace-mini-perm-f60 + - --target=aws-ipi-workers-marketplace-public-subnets-mini-perm-f60 - --variant=amd64-nightly-4.19-upgrade-from-stable-4.19 command: - ci-operator @@ -22470,7 +22470,7 @@ periodics: ci.openshift.io/generator: prowgen job-release: "4.19" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-workers-marketplace-mini-perm-f7 + name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-workers-marketplace-public-subnets-mini-perm-f7 spec: containers: - args: @@ -22480,7 +22480,7 @@ periodics: - --oauth-token-path=/usr/local/github-credentials/oauth - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=aws-ipi-workers-marketplace-mini-perm-f7 + - --target=aws-ipi-workers-marketplace-public-subnets-mini-perm-f7 - --variant=amd64-nightly command: - ci-operator diff --git a/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml b/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml index 6004c4c95a3b..f68f6a98ee1c 100644 --- a/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml +++ b/ci-operator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml 
@@ -12529,6 +12529,81 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build03 + cron: 34 18 1,17 * * + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: verification-tests + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: installation-nightly-4.18 + ci.openshift.io/generator: prowgen + job-release: "4.18" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-byo-subnets-only-public-arm-f14 + - --variant=installation-nightly-4.18 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: 
manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build03 cron: 56 23 6,15,22,29 * * 
@@ -17556,6 +17631,81 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build03 + cron: 32 8 8,24 * * + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: verification-tests + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-qe + ci-operator.openshift.io/variant: installation-nightly-4.19 + ci.openshift.io/generator: prowgen + job-release: "4.19" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-verification-tests-master-installation-nightly-4.19-aws-ipi-byo-subnets-only-public-arm-f14 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=aws-ipi-byo-subnets-only-public-arm-f14 + - --variant=installation-nightly-4.19 + command: + - ci-operator + image: ci-operator:latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: 
manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build03 cron: 7 21 4,11,20,27 * * diff --git a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh index ac340958ca2b..076c70fd4af8 100644 --- a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh +++ b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh @@ -74,6 +74,13 @@ Parameters: - "no" Description: "Create a dhcpOptionSet with a custom DNS name" Type: String + OnlyPublicSubnets: + Default: "no" + AllowedValues: + - "yes" + - "no" + Description: "Only create public subnets" + Type: String AllowedAvailabilityZoneList: ConstraintDescription: "Select AZs from this list, e.g. 'us-east-2c,us-east-2a'" Type: CommaDelimitedList @@ -108,6 +115,10 @@ Conditions: DoAz3: !Equals [3, !Ref AvailabilityZoneCount] DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3] DoDhcp: !Equals ["yes", !Ref DhcpOptionSet] + DoOnlyPublicSubnets: !Equals ["yes", !Ref OnlyPublicSubnets] + DoAz1PrivateSubnet: !Not [Condition: DoOnlyPublicSubnets] + DoAz2PrivateSubnet: !And [ !Not [Condition: DoOnlyPublicSubnets], Condition: DoAz2 ] + DoAz3PrivateSubnet: !And [ !Not [Condition: DoOnlyPublicSubnets], Condition: DoAz3 ] AzRestriction: !Not [ !Equals [!Join ['', !Ref AllowedAvailabilityZoneList], ''] ] ShareSubnets: !Not [ !Equals ['', !Ref ResourceSharePrincipals] ] @@ -124,6 +135,12 @@ Resources: PublicSubnet: Type: "AWS::EC2::Subnet" Properties: + MapPublicIpOnLaunch: + !If [ + "DoOnlyPublicSubnets", + "true", + "false" + ] VpcId: !Ref VPC CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] AvailabilityZone: 
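Review bot: With `OnlyPublicSubnets` set to `yes`, `MapPublicIpOnLaunch` on `PublicSubnet` (and on `PublicSubnet2` and `PublicSubnet3` in the next two hunks) gives every instance launched there a public IPv4 address. No private subnets exist in that mode, so this presumably includes the control-plane nodes. Security groups then become the only network boundary, which deserves a comment in the template, for example `# public-only mode: all nodes get a public IP; ingress is limited by security groups alone`. The six-line flow sequence could also be written on one line as `MapPublicIpOnLaunch: !If [DoOnlyPublicSubnets, "true", "false"]`, matching the neighbouring `!Select` lines. The `PublicSubnet` resource continues outside the hunk.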
@@ -136,6 +153,12 @@ Resources: Type: "AWS::EC2::Subnet" Condition: DoAz2 Properties: + MapPublicIpOnLaunch: + !If [ + "DoOnlyPublicSubnets", + "true", + "false" + ] VpcId: !Ref VPC CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] AvailabilityZone: @@ -148,6 +171,12 @@ Resources: Type: "AWS::EC2::Subnet" Condition: DoAz3 Properties: + MapPublicIpOnLaunch: + !If [ + "DoOnlyPublicSubnets", + "true", + "false" + ] VpcId: !Ref VPC CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] AvailabilityZone: @@ -193,6 +222,7 @@ Resources: RouteTableId: !Ref PublicRouteTable PrivateSubnet: Type: "AWS::EC2::Subnet" + Condition: DoAz1PrivateSubnet Properties: VpcId: !Ref VPC CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] @@ -203,11 +233,13 @@ Resources: !Select [0, Fn::GetAZs: !Ref "AWS::Region"] ] PrivateRouteTable: + Condition: DoAz1PrivateSubnet Type: "AWS::EC2::RouteTable" Properties: VpcId: !Ref VPC PrivateSubnetRouteTableAssociation: Type: "AWS::EC2::SubnetRouteTableAssociation" + Condition: DoAz1PrivateSubnet Properties: SubnetId: !Ref PrivateSubnet RouteTableId: !Ref PrivateRouteTable @@ -215,6 +247,7 @@ Resources: DependsOn: - GatewayToInternet Type: "AWS::EC2::NatGateway" + Condition: DoAz1PrivateSubnet Properties: AllocationId: "Fn::GetAtt": @@ -223,10 +256,12 @@ Resources: SubnetId: !Ref PublicSubnet EIP: Type: "AWS::EC2::EIP" + Condition: DoAz1PrivateSubnet Properties: Domain: vpc Route: Type: "AWS::EC2::Route" + Condition: DoAz1PrivateSubnet Properties: RouteTableId: Ref: PrivateRouteTable @@ -235,7 +270,7 @@ Resources: Ref: NAT PrivateSubnet2: Type: "AWS::EC2::Subnet" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: VpcId: !Ref VPC CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] 
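Review bot: Once `PrivateSubnet`, `PrivateRouteTable`, `NAT`, `EIP` and `Route` carry `Condition: DoAz1PrivateSubnet`, any unconditional `!Ref` or `Fn::GetAtt` to them elsewhere in the template will make stack creation fail when `OnlyPublicSubnets` is `yes`. The Outputs section and any endpoint or resource-share definitions are not part of this diff, so it is worth checking them for such references before merging. Each one would need the form `!If [DoAz1PrivateSubnet, !Ref PrivateSubnet, !Ref "AWS::NoValue"]`, and likewise for the Az2 and Az3 resources switched to `DoAz2PrivateSubnet` and `DoAz3PrivateSubnet` in the following hunks. Later steps that read private subnet ids from the stack output would also have to tolerate an empty list.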
@@ -247,12 +282,12 @@ Resources: ] PrivateRouteTable2: Type: "AWS::EC2::RouteTable" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: VpcId: !Ref VPC PrivateSubnetRouteTableAssociation2: Type: "AWS::EC2::SubnetRouteTableAssociation" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: SubnetId: !Ref PrivateSubnet2 RouteTableId: !Ref PrivateRouteTable2 @@ -260,7 +295,7 @@ Resources: DependsOn: - GatewayToInternet Type: "AWS::EC2::NatGateway" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: AllocationId: "Fn::GetAtt": @@ -269,12 +304,12 @@ Resources: SubnetId: !Ref PublicSubnet2 EIP2: Type: "AWS::EC2::EIP" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: Domain: vpc Route2: Type: "AWS::EC2::Route" - Condition: DoAz2 + Condition: DoAz2PrivateSubnet Properties: RouteTableId: Ref: PrivateRouteTable2 @@ -283,7 +318,7 @@ Resources: Ref: NAT2 PrivateSubnet3: Type: "AWS::EC2::Subnet" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: VpcId: !Ref VPC CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]] @@ -295,12 +330,12 @@ Resources: ] PrivateRouteTable3: Type: "AWS::EC2::RouteTable" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: VpcId: !Ref VPC PrivateSubnetRouteTableAssociation3: Type: "AWS::EC2::SubnetRouteTableAssociation" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: SubnetId: !Ref PrivateSubnet3 RouteTableId: !Ref PrivateRouteTable3 @@ -308,7 +343,7 @@ Resources: DependsOn: - GatewayToInternet Type: "AWS::EC2::NatGateway" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: AllocationId: "Fn::GetAtt": @@ -317,12 +352,12 @@ Resources: SubnetId: !Ref PublicSubnet3 EIP3: Type: "AWS::EC2::EIP" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: Domain: vpc Route3: Type: "AWS::EC2::Route" - Condition: DoAz3 + Condition: DoAz3PrivateSubnet Properties: RouteTableId: Ref: PrivateRouteTable3 
@@ -465,8 +500,7 @@ if (( ZONES_COUNT > MAX_ZONES_COUNT )); then fi # The above cloudformation template's max zones account is 3 -if [[ "${ZONES_COUNT}" -gt 3 ]] -then +if [[ "${ZONES_COUNT}" -gt 3 ]]; then ZONES_COUNT=3 fi @@ -483,6 +517,10 @@ if [[ ${ENABLE_SHARED_VPC} == "yes" ]]; then aws_add_param_to_json "ResourceSharePrincipals" ${CLUSTER_CREATOR_AWS_ACCOUNT_NO} "$vpc_params" fi +if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" == "true" ]]; then + aws_add_param_to_json "OnlyPublicSubnets" "yes" "$vpc_params" +fi + if [[ -n "${VPC_CIDR}" ]]; then aws_add_param_to_json "VpcCidr" ${VPC_CIDR} "$vpc_params" fi diff --git a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml index fad6da02baed..c118531ff4a2 100644 --- a/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml +++ b/ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml @@ -31,5 +31,9 @@ ref: default: "" documentation: |- Set VPC CIDR, e.g. '10.0.0.0/16' + - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY + default: "" + documentation: |- + Whether to use only public subnets for AWS. Implies no NAT Gateways. documentation: |- Create a shared VPC. diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS new file mode 100644 index 000000000000..a28975911361 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/OWNERS @@ -0,0 +1,8 @@ +approvers: +- jianlinliu +- yunjiang29 +- gpei +reviewers: +- jianlinliu +- yunjiang29 +- gpei 
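Review bot: The comparison `== "true"` accepts only that exact string. A job that sets `OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY` to `"yes"`, the spelling `AWS_INSTALL_USE_MINIMAL_PERMISSIONS` uses in the job configs of this commit, silently gets a VPC with private subnets and NAT gateways. If the installer treats any non-empty value of this variable as enabling public-only mode (worth confirming), the VPC layout and the install would then disagree. Testing for non-empty with `if [[ -n "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY:-}" ]]; then`, or exiting with an error on an unexpected value, keeps the two in step.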
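Review bot: The documentation for `OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY` does not say which value enables the mode, while the commands script in this commit acts only on the literal `true`. It also omits the consequence a job author most needs to know, that instances in the public subnets receive public IPs. Suggested text: `Set to "true" to create only public subnets (no private subnets, no NAT gateways); instances launched in them receive public IPs. Any other value keeps the default layout.`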
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json new file mode 100644 index 000000000000..ff3a3e98b819 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.metadata.json @@ -0,0 +1,15 @@ +{ + "path": "cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml", + "owners": { + "approvers": [ + "jianlinliu", + "yunjiang29", + "gpei" + ], + "reviewers": [ + "jianlinliu", + "yunjiang29", + "gpei" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml new file mode 100644 index 000000000000..ac98f84941d6 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml @@ -0,0 +1,9 @@ +workflow: + as: cucushift-installer-rehearse-aws-ipi-byo-subnets + steps: + pre: + - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-provision + post: + - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision + documentation: |- + This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS new file mode 100644 index 000000000000..285fb5db6b0b --- /dev/null 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS @@ -0,0 +1,8 @@ +approvers: +- yunjiang29 +- jianlinliu +- gpei +reviewers: +- yunjiang29 +- jianlinliu +- gpei diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml new file mode 100644 index 000000000000..ded30ca26798 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision-chain.yaml @@ -0,0 +1,8 @@ +chain: + as: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision + steps: + - chain: cucushift-installer-rehearse-aws-ipi-deprovision + - ref: aws-deprovision-security-group + - ref: aws-deprovision-stacks + documentation: |- + Destroy cluster diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS new file mode 100644 index 000000000000..285fb5db6b0b --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/OWNERS @@ -0,0 +1,8 @@ +approvers: +- yunjiang29 +- jianlinliu +- gpei +reviewers: +- yunjiang29 +- jianlinliu +- gpei diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json new file mode 100644 index 000000000000..04555dafd512 --- /dev/null 
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.metadata.json @@ -0,0 +1,15 @@ +{ + "path": "cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml", + "owners": { + "approvers": [ + "yunjiang29", + "jianlinliu", + "gpei" + ], + "reviewers": [ + "yunjiang29", + "jianlinliu", + "gpei" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml new file mode 100644 index 000000000000..eb79f1709314 --- /dev/null +++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-byo-subnets-provision-chain.yaml @@ -0,0 +1,25 @@ +chain: + as: cucushift-installer-rehearse-aws-ipi-byo-subnets-provision + steps: + - ref: aws-provision-vpc-shared + - chain: ipi-conf-aws + - ref: aws-provision-security-group + - ref: ipi-conf-aws-custom-vpc + - ref: ipi-conf-aws-custom-security-groups + - ref: ipi-conf-aws-usage-info + - chain: aws-provision-iam-user-minimal-permission + - chain: ipi-install + - ref: aws-provision-tags-for-byo-vpc + - ref: cucushift-installer-check-aws-custom-vpc + - ref: enable-qe-catalogsource + - chain: cucushift-installer-check + env: + - name: CONTROL_PLANE_INSTANCE_TYPE + default: "m6i.xlarge" + documentation: "Instance type for control plane nodes" + - name: COMPUTE_NODE_TYPE + default: "m5.xlarge" + documentation: "Instance type for compute nodes" + documentation: |- + Create an IPI cluster on AWS for QE e2e tests. + 
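Review bot: The chain documentation, `Create an IPI cluster on AWS for QE e2e tests.`, is the generic text and does not say what distinguishes this chain. It pre-creates the VPC with `aws-provision-vpc-shared` and installs into those subnets with custom security groups. A reader choosing a workflow also cannot tell that `OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY` changes the subnet layout here. Suggested: `Create an IPI cluster on AWS in a pre-provisioned VPC (BYO subnets) with custom security groups; set OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY to "true" for a public-subnets-only layout.` The trailing blank line at the end of the block scalar can be dropped.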
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS
new file mode 100644
index 000000000000..2ff191d05e8f
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json
new file mode 100644
index 000000000000..b97f052f1456
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.metadata.json
@@ -0,0 +1,10 @@
+{
+ "path": "cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml",
+ "owners": {
+ "approvers": [
+ "jianlinliu",
+ "yunjiang29",
+ "gpei"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml
new file mode 100644
index 000000000000..3bb96cbc95a3
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml
@@ -0,0 +1,9 @@
+workflow:
+ as: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
+ steps:
+ pre:
+ - chain: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision
+ post:
+ - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision
+ documentation: |-
+ This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow by using AWS Marketplace images.
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS
new file mode 100644
index 000000000000..2ff191d05e8f
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- jianlinliu
+- yunjiang29
+- gpei
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json
new file mode 100644
index 000000000000..8297fc0f0328
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.metadata.json
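Review bot: The `post` chain `cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision` runs `aws-deprovision-security-group`, but the `pre` chain of this workflow, `cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision`, contains no `aws-provision-security-group` step. If the deprovision ref tolerates the absence of a provisioned security group this is harmless; if it does not, the post phase reports a failure that has nothing to do with the test, and that behaviour is defined outside this diff. Confirm the ref is a no-op when nothing was provisioned, or pair the workflow with a deprovision chain that mirrors its provision steps. The `documentation` should also mention that the cluster is installed into BYO subnets, for example by appending `The cluster is installed into a pre-provisioned VPC (BYO subnets).`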
@@ -0,0 +1,10 @@
+{
+ "path": "cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml",
+ "owners": {
+ "approvers": [
+ "jianlinliu",
+ "yunjiang29",
+ "gpei"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml
new file mode 100644
index 000000000000..f97f471d63a5
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/workers-marketplace/byo-subnets/provision/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision-chain.yaml
@@ -0,0 +1,24 @@
+chain:
+ as: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-provision
+ steps:
+ - ref: aws-provision-vpc-shared
+ - chain: ipi-conf-aws
+ - ref: ipi-conf-aws-custom-vpc
+ - ref: ipi-conf-aws-marketplace
+ - ref: ipi-conf-aws-usage-info
+ - chain: aws-provision-iam-user-minimal-permission
+ - chain: ipi-install
+ - ref: cucushift-installer-check-aws-custom-ami
+ - ref: aws-provision-tags-for-byo-vpc
+ - ref: cucushift-installer-check-aws-custom-vpc
+ - ref: enable-qe-catalogsource
+ - chain: cucushift-installer-check
+ env:
+ - name: USE_MARKETPLACE_CONTRACT_NODE_TYPE_ONLY
+ default: "yes"
+ documentation: |-
+ Use instance types which present in the contract only.
+ documentation: |-
+ Create an IPI cluster on AWS for QE e2e tests.
+ The worker node is configured by using AWS Marketplace images
+
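Review bot: The env `documentation` for `USE_MARKETPLACE_CONTRACT_NODE_TYPE_ONLY` in the provision chain reads `Use instance types which present in the contract only.`, which is ungrammatical and does not say which values the variable accepts. I would write `Set to "yes" to restrict worker instance types to those covered by the AWS Marketplace contract.` The values accepted besides `"yes"` are not visible in this hunk, so list them if the consuming step defines any.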