From 1cfa09ba4b5dd9b877b1bee1df81e8fdaea0f854 Mon Sep 17 00:00:00 2001
From: enxebre
Weekly Friday 12:00 UTC] --> B[Setup Step]
- B --> C[Process Step]
- C --> D[Report Step]
-
- subgraph "Process Step"
- C --> E[Generate GitHub App Tokens]
- E --> F[Clone Fork
hypershift-community/hypershift]
- F --> G[Query Open Dependabot PRs]
- G --> H{PRs Found?}
- H -->|No| I[Exit Successfully]
- H -->|Yes| J[Filter Out k8s.io Bumps]
- J --> K[For Each PR]
- K --> L[Cherry-pick + Validate
make verify & make test]
- L --> M{Passed?}
- M -->|Yes| N[Keep on Branch]
- M -->|No| O[Reset & Skip]
- N --> P{More PRs?}
- O --> P
- P -->|Yes| K
- P -->|No| Q[Reorganize Commits
Deterministic Bash]
- Q --> R[Final Validation
make verify & make test]
- R --> S[Create PR]
- end
- end
-
- subgraph "External Systems"
- G <--> GH[(GitHub API
github.com)]
- L <--> CLAUDE[Claude API
via Vertex AI]
- S <--> FORK[(GitHub Fork
hypershift-community)]
- S <--> UPSTREAM[(GitHub Upstream
openshift/hypershift)]
- end
-```
-
-### Configuration
-
-| Setting | Value | Description |
-|---------|-------|-------------|
-| Schedule | `0 12 * * 5` | Fridays at 12:00 UTC (7:00 AM ET) |
-| Process timeout | 2 hours | Maximum time for the process step |
-| Max Claude turns | 100 | Maximum agentic turns per run |
-| Excluded deps | `k8s.io`, `sigs.k8s.io` | Dependencies managed via manual Kubernetes rebases |
-
-### What Gets Excluded
-
-Dependabot PRs bumping the following module prefixes are **automatically skipped**:
-
-- `k8s.io/*` - Core Kubernetes libraries
-- `sigs.k8s.io/*` - Kubernetes SIG libraries
-
-These dependencies are updated manually as part of coordinated Kubernetes version rebases to ensure compatibility across the full dependency tree.
-
----
-
## User Guide
### Submitting Issues for Processing
@@ -11534,10 +10824,9 @@ The issue will be picked up on the next weekly run (Mondays at 8:30 AM UTC).
### Viewing AI-Generated Output
-Track PRs created by the AI agents:
+Track PRs created by the Jira Agent:
-- **Jira Agent PRs**: github.com/openshift/hypershift/pulls?q=is:pr+author:app/hypershift-jira-solve-ci
-- **Dependabot Triage PRs**: github.com/openshift/hypershift/pulls?q=is:pr+head:fix/weekly-dependabot-consolidation
+- **PR List**: github.com/openshift/hypershift/pulls?q=is:pr+author:app/hypershift-jira-solve-ci
PRs are created as **drafts** and require human review before merging.
@@ -11564,7 +10853,7 @@ This runs the review agent for that specific PR only.
- **AI may produce incorrect or incomplete solutions** - always review carefully
- **Complex issues may not be fully addressed** - multi-faceted problems may need human intervention
-- **Rate limited**: 1 issue per weekly run (jira-agent), 10 PRs per run (review-agent), all non-k8s dependabot PRs per run (dependabot-triage)
+- **Rate limited**: 1 issue per weekly run (jira-agent), 10 PRs per run (review-agent)
- **Cannot access private resources** - no access to internal systems beyond Jira/GitHub
- **Cannot execute destructive operations** - no ability to delete resources or force-push
- **Maximum agentic turns**: 100 per issue (jira-agent), 100 per PR (review-agent)
@@ -11833,104 +11122,6 @@ Understanding the CI infrastructure helps when:
- CI Dashboard
----
-
-## Source: docs/content/how-to/ci/docs-preview.md
-
-# Documentation Preview
-
-When a pull request modifies files under `docs/`, a GitHub Actions workflow automatically builds the documentation and deploys a preview to Cloudflare Pages.
-
-## How It Works
-
-The workflow uses `pull_request_target` with two jobs to securely handle fork PRs:
-
-1. **Build** — checks out the PR code and builds the docs with MkDocs in strict mode. This job has no access to secrets.
-2. **Deploy** — downloads the built artifact and deploys it to Cloudflare Pages. This job has access to the `docs-preview` environment secrets but never executes PR code.
-
-GitHub shows a **View deployment** link in the PR timeline via the `docs-preview` environment.
-
-The preview is available at `https://pr-
-
AzurePrivateLinkService represents Azure Private Link Service infrastructure -for private connectivity to hosted cluster API servers.
+CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
AzurePrivateLinkService |
+CertificateSigningRequestApproval |
| @@ -31083,43 +29995,49 @@ Kubernetes meta/v1.ObjectMeta |
(Optional)
- metadata is the metadata for the AzurePrivateLinkService. +metadata is standard object metadata. Refer to the Kubernetes API documentation for the fields of themetadata field.
|
-spec,omitzero
+spec
-
-AzurePrivateLinkServiceSpec
+
+CertificateSigningRequestApprovalSpec
|
- spec is the specification for the AzurePrivateLinkService. +(Optional) +spec is the specification of the desired behavior of the CertificateSigningRequestApproval. ++ + |
-status,omitzero
+status
-
-AzurePrivateLinkServiceStatus
+
+CertificateSigningRequestApprovalStatus
|
(Optional)
- status is the status of the AzurePrivateLinkService. +status is the most recently observed status of the CertificateSigningRequestApproval. |
-
CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
+GCPPrivateServiceConnect represents GCP Private Service Connect infrastructure. +This resource is feature-gated behind the GCPPlatform feature gate.
CertificateSigningRequestApproval |
+GCPPrivateServiceConnect |
||||||||||
| @@ -31157,7 +30075,7 @@ Kubernetes meta/v1.ObjectMeta |
(Optional)
- metadata is standard object metadata. +metadata is the metadata for the GCPPrivateServiceConnect. Refer to the Kubernetes API documentation for the fields of themetadata field.
|
@@ -31166,17 +30084,68 @@ Refer to the Kubernetes API documentation for the fields of the
spec
-
-CertificateSigningRequestApprovalSpec
+
+GCPPrivateServiceConnectSpec
|
(Optional)
- spec is the specification of the desired behavior of the CertificateSigningRequestApproval. +spec is the specification for the GCPPrivateServiceConnect.
|
status
-
-CertificateSigningRequestApprovalStatus
+
+GCPPrivateServiceConnectStatus
|
(Optional)
- status is the most recently observed status of the CertificateSigningRequestApproval. +status is the status of the GCPPrivateServiceConnect. |
-
GCPPrivateServiceConnect represents GCP Private Service Connect infrastructure. -This resource is feature-gated behind the GCPPlatform feature gate.
- -| Field | -Description | -||||||||
|---|---|---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-hypershift.openshift.io/v1beta1
-
- |
-||||||||
-kind
-string
- |
-GCPPrivateServiceConnect |
-||||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-(Optional)
- metadata is the metadata for the GCPPrivateServiceConnect. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-||||||||
-spec
-
-
-GCPPrivateServiceConnectSpec
-
-
- |
-
-(Optional)
- spec is the specification for the GCPPrivateServiceConnect. -- -
|
-||||||||
-status
-
-
-GCPPrivateServiceConnectStatus
-
-
- |
-
-(Optional)
- status is the status of the GCPPrivateServiceConnect. - |
-
-
HCPEtcdBackup represents a request to back up etcd for a hosted control plane. -This resource is feature-gated behind the HCPEtcdBackup feature gate.
- -| Field | -Description | -
|---|---|
-apiVersion
-string |
-
-
-hypershift.openshift.io/v1beta1
-
- |
-
-kind
-string
- |
-HCPEtcdBackup |
-
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-(Optional)
- metadata is the metadata for the HCPEtcdBackup. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-
-spec,omitzero
-
-
-HCPEtcdBackupSpec
-
-
- |
-
- spec is the specification for the HCPEtcdBackup. - |
-
-status,omitzero
-
-
-HCPEtcdBackupStatus
-
-
- |
-
-(Optional)
- status is the status of the HCPEtcdBackup. - |
-
-
HostedCluster is the primary representation of a HyperShift cluster and encapsulates -the control plane and common data plane configuration. Creating a HostedCluster -results in a fully functional OpenShift control plane with no attached nodes. -To support workloads (e.g. pods), a HostedCluster may have one or more associated -NodePool resources.
+HostedCluster is the primary representation of a HyperShift cluster and encapsulates +the control plane and common data plane configuration. Creating a HostedCluster +results in a fully functional OpenShift control plane with no attached nodes. +To support workloads (e.g. pods), a HostedCluster may have one or more associated +NodePool resources.
|
(Optional)
- autoNode specifies the configuration for automatic node provisioning and lifecycle management. -When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads. +autoNode specifies the configuration for the autoNode feature. |
|
-terminationHandlerQueueURL
-
-string
-
- |
-
-(Optional)
- terminationHandlerQueueURL specifies the SQS queue URL for EC2 spot interruption events. -This is required when using spot instances (marketType: Spot) in NodePools to enable -graceful handling of spot instance terminations. -The queue should be configured to receive EC2 Spot Instance Interruption Warnings -and EC2 Instance Rebalance Recommendations via EventBridge rules. -The AWS Node Termination Handler will poll this queue and cordon/drain nodes -before they are terminated, providing a best effort for graceful shutdown. -Supports both standard and FIFO queues (FIFO queues end with .fifo suffix). - |
-
-
AutoNode specifies the configuration for automatic node provisioning and lifecycle management.
+We expose here internal configuration knobs that won’t be exposed to the service.
-provisionerConfig,omitzero
+provisionerConfig
ProvisionerConfig
@@ -34064,52 +32801,7 @@ ProvisionerConfig
|
- provisionerConfig specifies the provisioner used for automatic node management. - |
-
-(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) -
--
AutoNodeStatus contains the observed state of the AutoNode provisioner.
- -| Field | -Description | -
|---|---|
-nodeCount
-
-int32
-
- |
-
-(Optional)
- nodeCount is the number of nodes fully provisioned by Karpenter. -These are node objects that exist in the cluster and carry the karpenter.sh/nodepool label. - |
-
-nodeClaimCount
-
-int32
-
- |
-
-(Optional)
- nodeClaimCount is the total number of NodeClaims managed by Karpenter. -This represents what Karpenter intends to provision, whether or not the node object exists yet. +provisionerConfig is the implementation used for Node auto provisioning. |
+(Appears on: +AzureAuthenticationConfiguration) +
++
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components +that authenticate with Azure’s API.
+ +| Field | +Description | +
|---|---|
-topology
+controlPlane
-
-AzureTopologyType
+
+ControlPlaneManagedIdentities
|
-(Optional)
- topology specifies the network topology of the API server endpoint for the hosted cluster. -- Public: The API server is accessible only via a public endpoint. -- PublicAndPrivate: The API server is accessible via both public and private endpoints. -- Private: The API server is accessible only via a private endpoint. -When omitted, this means no opinion and the platform is left to choose a reasonable -default, which is subject to change over time. The current default is Public. -This field must be set explicitly for self-hosted environments (WorkloadIdentities). -Transitions between PublicAndPrivate and Private are allowed after creation. -Transitions from Public to non-Public (or vice versa) are not allowed. -When set to Private or PublicAndPrivate, the private field must be provided. +controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to +authenticate with Azure’s API. |
-private,omitzero
+dataPlane
-
-AzurePrivateSpec
+
+DataPlaneManagedIdentities
|
-(Optional)
- private configures private connectivity to the hosted cluster’s API server. -This field is required when topology is Private or PublicAndPrivate, and must -not be set when topology is Public. -Once set at cluster creation, this field cannot be removed, and it cannot be -added to an existing cluster that was created without it. +dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with +Azure’s API. |
(Appears on: -AzurePrivateLinkService) +AzureNodePoolPlatform)
-
AzurePrivateLinkServiceSpec defines the desired state of AzurePrivateLinkService
+AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
-loadBalancerIP
-
-string
-
- |
-
-(Optional)
- loadBalancerIP is the frontend IP address of the internal load balancer that -fronts the hosted control plane’s API server. This field is populated automatically -by the control plane operator from the kube-apiserver service status. -It is not set by users directly. -When set, the value must be a valid IPv4 or IPv6 address. - |
-
-subscriptionID
+type
-
-AzureSubscriptionID
+
+AzureVMImageType
|
- subscriptionID is the Azure subscription ID where the Private Link Service -resources will be created. Must be a valid UUID consisting of hexadecimal -characters and hyphens in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -where x is a hexadecimal digit 0-9a-f. - |
-
-resourceGroupName
-
-string
-
- |
-
- resourceGroupName is the name of the Azure resource group where the Private Link -Service resources will be created. Must be 1-90 characters consisting of -alphanumerics, underscores, hyphens, periods, and parentheses. Cannot end with a period. -See https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules +type is the type of image data that will be provided to the Azure VM. +Valid values are “ImageID” and “AzureMarketplace”. +ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. +AzureMarketplace means the VM will boot from an Azure Marketplace image. +Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. +When Type is “AzureMarketplace”, you can either: +1. Specify only imageGeneration to use marketplace defaults from the release payload +2. Specify publisher, offer, sku, and version to use an explicit marketplace image +3. Specify all fields (imageGeneration along with publisher, offer, sku, version) |
-location
+imageID
string
|
- location is the Azure region where the Private Link Service resources will be -created (e.g., “eastus”, “westeurope”, “centralus”). Must match the region -of the management cluster. - |
-
-natSubnetID
-
-
-AzureSubnetResourceID
-
-
- |
-
(Optional)
- natSubnetID is the full Azure resource ID of the subnet used for Private Link Service -NAT IP allocation. This subnet must have privateLinkServiceNetworkPolicies disabled. -If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} +imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. +TODO: What is the valid character set for this field? What about minimum and maximum lengths? |
-additionalAllowedSubscriptions
+azureMarketplace
-
-[]AzureSubscriptionID
+
+AzureMarketplaceImage
|
(Optional)
- additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs -permitted to create Private Endpoints to the Private Link Service. The guest cluster’s -own subscription (derived from guestSubnetID) is always automatically allowed, so it -does not need to be listed here. -Each entry must be a valid UUID of exactly 36 characters consisting of -lowercase hexadecimal characters and hyphens in the format -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx where x is a hexadecimal digit 0-9a-f. -A maximum of 50 subscriptions may be specified. +azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. |
+(Appears on: +AzureMarketplaceImage) +
++
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
+ +
-guestSubnetID
-
-
-AzureSubnetResourceID
-
-
- |
-
- guestSubnetID is the full Azure resource ID of the subnet in the guest VNet where -the Private Endpoint will be created. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} - |
+Value | +Description |
|---|---|---|---|
-guestVNetID
-
-
-AzureVNetResourceID
-
-
+ | |||
"Gen1" |
+Gen1 represents Hyper-V Generation 1 VMs |
-
- guestVNetID is the full Azure resource ID of the guest VNet for Private DNS zone linking. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName} + | |
"Gen2" |
+Gen2 represents Hyper-V Generation 2 VMs |
-
+(Appears on: +AzureVMImage) +
++
AzureVMImageType is used to specify the source of the Azure VM boot image. +Valid values are ImageID and AzureMarketplace.
+ +
-baseDomain
-
-string
-
+ | Value | +Description | +
|---|---|---|
"AzureMarketplace" |
+AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. |
-
-(Optional)
- baseDomain is the cluster’s base domain (e.g., “example.hypershift.azure.devcluster.openshift.com”).
-Used to create a Private DNS Zone so that worker VMs can resolve the API and OAuth
-hostnames (api- |
"ImageID" |
+ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. |
-
(Appears on: -AzurePrivateLinkService) +AzureAuthenticationConfiguration)
-
AzurePrivateLinkServiceStatus defines the observed state of AzurePrivateLinkService
+AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure +needing to authenticate with Azure’s API.
-conditions
+imageRegistry
-
-[]Kubernetes meta/v1.Condition
+
+WorkloadIdentity
|
-(Optional)
- conditions represent the current state of PLS infrastructure. -Current condition types are: “AzurePrivateLinkServiceAvailable”, “AzureInternalLoadBalancerAvailable”, -“AzurePLSCreated”, “AzurePrivateEndpointAvailable”, “AzurePrivateDNSAvailable” - |
-
-internalLoadBalancerID
-
-string
-
- |
-
-(Optional)
- internalLoadBalancerID is the Azure resource ID of the internal load balancer -fronting the hosted control plane. The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/loadBalancers/{loadBalancerName} -where subscriptionID is a UUID, resourceGroup is up to 90 characters, and -loadBalancerName is up to 80 characters. - |
-
-privateLinkServiceID
-
-string
-
- |
-
-(Optional)
- privateLinkServiceID is the Azure resource ID of the Private Link Service. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateLinkServices/{plsName} +imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in +workload identity authentication. |
-privateLinkServiceAlias
+ingress
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateLinkServiceAlias is the globally unique alias for the Private Link Service, -auto-generated by Azure in the format {plsName}.{guid}.{region}.azure.privatelinkservice. -MaxLength=170 covers: PLS name (80) + GUID (36) + region (19, e.g. “southcentralusstage”) +ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in +workload identity authentication. |
-privateEndpointID
+file
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateEndpointID is the Azure resource ID of the Private Endpoint. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateEndpoints/{endpointName} +file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, +used in workload identity authentication. |
-privateEndpointIP
+disk
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateEndpointIP is the private IP address assigned to the Private Endpoint. -Must be a valid IPv4 (e.g., “10.0.1.4”) or IPv6 address. +disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, +used in workload identity authentication. |
-privateDNSZoneID
+nodePoolManagement
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateDNSZoneID is the Azure resource ID of the Private DNS Zone. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} +nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used +in workload identity authentication. |
-dnsZoneName
+cloudProvider
-string
+
+WorkloadIdentity
+
|
-(Optional)
- dnsZoneName is the Private DNS zone name (derived from the KAS hostname). -Persisted at creation time so that deletion does not depend on the -HostedControlPlane still existing. -Must be a valid DNS domain name consisting of alphanumeric characters, hyphens, -and periods, where each segment starts and ends with an alphanumeric character -(e.g., “api-mycluster.example.hypershift.azure.devcluster.openshift.com”). +cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in +workload identity authentication. |
-baseDomainDNSZoneID
+network
-string
+
+WorkloadIdentity
+
|
-(Optional)
- baseDomainDNSZoneID is the Azure resource ID of the base domain Private DNS Zone. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} +network is the client ID of a federated managed identity, associated with cluster-network-operator, used in +workload identity authentication. |
+(Appears on: +APIServerNetworking) +
++
+###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities }(Appears on: -AzurePrivateSpec) +HostedClusterSpec, +HostedControlPlaneSpec)
-
AzurePrivateLinkSpec configures Azure Private Link Service connectivity.
+capabilities allows enabling or disabling optional components at install time. +When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective +OpenShift version, minus the baremetal capability. +Once set, it cannot be changed.
-natSubnetID
+enabled
-
-AzureSubnetResourceID
+
+[]OptionalCapability
|
(Optional)
- natSubnetID is the Azure resource ID of the subnet used for Private Link Service NAT IP allocation. -This subnet must have privateLinkServiceNetworkPolicies disabled. -If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} -The maximum length is 355 characters. +enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. |
-additionalAllowedSubscriptions
+disabled
-
-[]AzureSubscriptionID
+
+[]OptionalCapability
|
(Optional)
- additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs -permitted to create Private Endpoints to the Private Link Service. The guest cluster’s -own subscription is always automatically allowed, so it does not need to be listed here. -Each item must be a valid UUID consisting of lowercase hexadecimal characters and hyphens, -in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -(e.g., “550e8400-e29b-41d4-a716-446655440000”). A maximum of 50 subscriptions may be specified. +disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. +Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. |
(Appears on: -AzurePlatformSpec) +PlacementOptions)
-
AzurePrivateSpec configures private connectivity to an Azure hosted cluster’s API server. -It is a discriminated union keyed on the type field, which selects the private connectivity -mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may -be added in the future.
+CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
-type
+id
-
-AzurePrivateType
-
+string
|
- type specifies the private connectivity mechanism used for the hosted cluster’s API server. -“PrivateLink” selects Azure Private Link Service for private API server access. -This field is immutable once set. - |
-
-privateLink,omitzero
-
-
-AzurePrivateLinkSpec
-
-
- |
-
-(Optional)
- privateLink configures Azure Private Link Service for private API server access. -This field is required when type is “PrivateLink” and must not be set otherwise. - |
-
-(Appears on: -AzurePrivateSpec) -
--
AzurePrivateType specifies the type of private connectivity mechanism used for the Azure -hosted cluster’s API server. This acts as the discriminator for the AzurePrivateSpec union.
- -| Value | -Description | -
|---|---|
"PrivateLink" |
-AzurePrivateTypePrivateLink specifies private connectivity using Azure Private Link Service. -In this mode, the operator creates a Private Link Service backed by the management cluster’s -internal load balancer, and a Private Endpoint in the guest VNet for private API server access. - |
-
-(Appears on: -AzureAuthenticationConfiguration) -
--
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components -that authenticate with Azure’s API.
- -| Field | -Description | -
|---|---|
-controlPlane
-
-
-ControlPlaneManagedIdentities
-
-
- |
-
- controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to -authenticate with Azure’s API. - |
-
-dataPlane
-
-
-DataPlaneManagedIdentities
-
-
- |
-
- dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with -Azure’s API. - |
-
-(Appears on: -AzurePrivateLinkServiceSpec, -AzurePrivateLinkSpec) -
--
AzureSubnetResourceID is a full Azure resource ID for a subnet. -The expected format is:
-/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
-
-
-###AzureSubscriptionID { #hypershift.openshift.io/v1beta1.AzureSubscriptionID }
--(Appears on: -AzurePrivateLinkServiceSpec, -AzurePrivateLinkSpec) -
--
AzureSubscriptionID is an Azure subscription ID in UUID format. -Must be exactly 36 characters consisting of hexadecimal digits [0-9a-fA-F] and hyphens -in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (e.g., “550e8400-e29b-41d4-a716-446655440000”).
- -###AzureTopologyType { #hypershift.openshift.io/v1beta1.AzureTopologyType } --(Appears on: -AzurePlatformSpec) -
--
AzureTopologyType specifies the network topology of the Azure API server endpoint.
- -| Value | -Description | -
|---|---|
"Private" |
-AzureTopologyPrivate indicates the API server is accessible only via a private endpoint. - |
-
"Public" |
-AzureTopologyPublic indicates the API server is accessible only via a public endpoint. - |
-
"PublicAndPrivate" |
-AzureTopologyPublicAndPrivate indicates the API server is accessible via both public and private endpoints. - |
-
-(Appears on: -AzureNodePoolPlatform) -
--
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
- -| Field | -Description | -
|---|---|
-type
-
-
-AzureVMImageType
-
-
- |
-
- type is the type of image data that will be provided to the Azure VM. -Valid values are “ImageID” and “AzureMarketplace”. -ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. -AzureMarketplace means the VM will boot from an Azure Marketplace image. -Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. -When Type is “AzureMarketplace”, you can either: -1. Specify only imageGeneration to use marketplace defaults from the release payload -2. Specify publisher, offer, sku, and version to use an explicit marketplace image -3. Specify all fields (imageGeneration along with publisher, offer, sku, version) - |
-
-imageID
-
-string
-
- |
-
-(Optional)
- imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. -TODO: What is the valid character set for this field? What about minimum and maximum lengths? - |
-
-azureMarketplace
-
-
-AzureMarketplaceImage
-
-
- |
-
-(Optional)
- azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. - |
-
-(Appears on: -AzureMarketplaceImage) -
--
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
- -| Value | -Description | -
|---|---|
"Gen1" |
-Gen1 represents Hyper-V Generation 1 VMs - |
-
"Gen2" |
-Gen2 represents Hyper-V Generation 2 VMs - |
-
-(Appears on: -AzureVMImage) -
--
AzureVMImageType is used to specify the source of the Azure VM boot image. -Valid values are ImageID and AzureMarketplace.
- -| Value | -Description | -
|---|---|
"AzureMarketplace" |
-AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. - |
-
"ImageID" |
-ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. - |
-
-(Appears on: -AzurePrivateLinkServiceSpec) -
--
AzureVNetResourceID is a full Azure resource ID for a virtual network. -The expected format is:
-/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}
-
-
-###AzureWorkloadIdentities { #hypershift.openshift.io/v1beta1.AzureWorkloadIdentities }
--(Appears on: -AzureAuthenticationConfiguration) -
--
AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure -needing to authenticate with Azure’s API.
- -| Field | -Description | -
|---|---|
-imageRegistry
-
-
-WorkloadIdentity
-
-
- |
-
- imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in -workload identity authentication. - |
-
-ingress
-
-
-WorkloadIdentity
-
-
- |
-
- ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in -workload identity authentication. - |
-
-file
-
-
-WorkloadIdentity
-
-
- |
-
- file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, -used in workload identity authentication. - |
-
-disk
-
-
-WorkloadIdentity
-
-
- |
-
- disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, -used in workload identity authentication. - |
-
-nodePoolManagement
-
-
-WorkloadIdentity
-
-
- |
-
- nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used -in workload identity authentication. - |
-
-cloudProvider
-
-
-WorkloadIdentity
-
-
- |
-
- cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in -workload identity authentication. - |
-
-network
-
-
-WorkloadIdentity
-
-
- |
-
- network is the client ID of a federated managed identity, associated with cluster-network-operator, used in -workload identity authentication. - |
-
-controlPlaneOperator,omitzero
-
-
-WorkloadIdentity
-
-
- |
-
-(Optional)
- controlPlaneOperator is the client ID of a federated managed identity, associated with control-plane-operator, -used in workload identity authentication for Azure Private Link Service operations. - |
-
-(Appears on: -APIServerNetworking) -
--
-###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities } --(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) -
--
capabilities allows enabling or disabling optional components at install time. -When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective -OpenShift version, minus the baremetal capability. -Once set, it cannot be changed.
- -| Field | -Description | -
|---|---|
-enabled
-
-
-[]OptionalCapability
-
-
- |
-
-(Optional)
- enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. - |
-
-disabled
-
-
-[]OptionalCapability
-
-
- |
-
-(Optional)
- disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. -Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. - |
-
-(Appears on: -PlacementOptions) -
--
CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
- -| Field | -Description | -
|---|---|
-id
-
-string
-
- |
-
-(Optional)
- id specifies the target Capacity Reservation into which the EC2 instances should be launched. -Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 -When empty, no specific Capacity Reservation is targeted. -When specified, preference cannot be set to ‘None’ or ‘Open’ as these -are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ -or omit preference field when targeting a specific reservation. +(Optional) +id specifies the target Capacity Reservation into which the EC2 instances should be launched. +Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 +When empty, no specific Capacity Reservation is targeted. +When specified, preference cannot be set to ‘None’ or ‘Open’ as these +are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ +or omit preference field when targeting a specific reservation. |
|
(Optional)
- marketType specifies the market type of the CapacityReservation for the EC2 instances. -Deprecated: Use placement.marketType instead. This field is maintained for backward compatibility. -When both placement.marketType and capacityReservation.marketType are set, placement.marketType takes precedence. -Valid values are OnDemand, CapacityBlocks and omitted: + marketType specifies the market type of the CapacityReservation for the EC2 instances. Valid values are OnDemand, CapacityBlocks and omitted: - “OnDemand”: EC2 instances run as standard On-Demand instances. -- “CapacityBlocks”: scheduled pre-purchased compute capacity. Recommended for GPU/ML workloads. +- “CapacityBlocks”: scheduled pre-purchased compute capacity. Capacity Blocks is recommended when GPUs are needed to support ML workloads. +When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. +The current default value is CapacityBlocks.When set to ‘CapacityBlocks’, a specific Capacity Reservation ID must be provided. |
AWSEndpointServiceAvailable indicates whether the AWS Endpoint Service has been created for the specified NLB in the management VPC |
-
"AutoNodeEnabled" |
-AutoNodeEnabled indicates whether AutoNode is configured and operational for this HostedCluster. -True means AutoNode is configured in the HostedCluster spec and the Karpenter components are fully rolled out and ready. -False / AutoNodeProgressing means AutoNode is being enabled or disabled — the operation is in progress. -False / AutoNodeNotConfigured means AutoNode is not configured in the spec and all Karpenter components have been removed. - |
-
"AzureInternalLoadBalancerAvailable" |
-AzureInternalLoadBalancerAvailable indicates the ILB has been provisioned with a frontend IP - |
-
"AzurePLSCreated" |
-AzurePLSCreated indicates the Azure Private Link Service has been created in the management cluster resource group - |
-
"AzurePrivateDNSAvailable" |
-AzurePrivateDNSAvailable indicates the Private DNS zone and A records have been created - |
-
"AzurePrivateEndpointAvailable" |
-AzurePrivateEndpointAvailable indicates the Private Endpoint has been created in the guest VNet - |
-
"AzurePrivateLinkServiceAvailable" |
-AzurePrivateLinkServiceAvailable indicates overall PLS infrastructure availability - |
-
"BackupCompleted" |
-BackupCompleted indicates whether the etcd backup has completed. + |
"AggregatedAPIServicesAvailable" |
+AggregatedAPIServicesAvailable indicates whether all aggregated APIServices +in the guest cluster are available. This includes OpenShift API Server, +OAuth API Server (when enabled), and OLM PackageServer APIServices. +This condition is an HCP implementation detail set by the HCCO and is not +bubbled up to the HostedCluster level. |
"CVOScaledDown" |
@@ -36827,18 +34941,6 @@ underlying cluster’s ClusterVersion. |
"RolloutComplete" |
ControlPlaneComponentRolloutComplete indicates whether the ControlPlaneComponent has completed its rollout. |
-
"ControlPlaneConnectionAvailable" |
-ControlPlaneConnectionAvailable indicates whether data plane workloads have a successful -network connection to the control plane components. This condition is computed using -a 3-replica Deployment that tests the full data path (DNS resolution of kubernetes.default.svc --> advertise address on lo -> apiserver proxy -> KAS on HCP) and reports results to a shared -ConfigMap. The HCCO evaluates the staleness of the lastSucceeded timestamp in the ConfigMap. -True means the data plane can successfully reach the control plane (a recent successful check was recorded). -False means there are connectivity failures preventing the data plane from reaching the control plane, -or the last successful check is stale (older than 5 minutes). -Unknown means the status cannot be determined due to true inability to inspect (e.g., no worker nodes exist or inspection cannot be performed), -not due to missing required components. - |
"DataPlaneConnectionAvailable" |
DataPlaneConnectionAvailable indicates whether the control plane has a successful network connection to the data plane components. @@ -36846,8 +34948,7 @@ network connection to the data plane components. False means there are network connection issues preventing the control plane from reaching the data plane. A failure here suggests potential issues such as: network policy restrictions, firewall rules, missing data plane nodes, or problems with infrastructure -components like the konnectivity-agent workload. -Unknown means the status cannot be determined (e.g., no worker nodes available or unable to inspect). +components like the konnectivity-agent workload. |
"EtcdAvailable" |
EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. @@ -37349,156 +35450,6 @@ ManagedIdentity |
-(Appears on: -ControlPlaneVersionStatus) -
--
ControlPlaneUpdateHistory is a record of a single version transition for management-side -control plane components. Each entry captures the target version, its release image, when -the rollout started, and when (or whether) it completed.
- -| Field | -Description | -
|---|---|
-state
-
-
-github.com/openshift/api/config/v1.UpdateState
-
-
- |
-
- state reflects whether the update was fully applied. The Partial state -indicates the update is not fully applied, while the Completed state -indicates the update was successfully rolled out. - |
-
-startedTime,omitempty,omitzero
-
-
-Kubernetes meta/v1.Time
-
-
- |
-
- startedTime is the time at which the update was started. - |
-
-completionTime,omitempty,omitzero
-
-
-Kubernetes meta/v1.Time
-
-
- |
-
-(Optional)
- completionTime is the time at which the update completed. It is set -when all management-side components have reached the target version. -It is not set while the update is in progress. - |
-
-version
-
-string
-
- |
-
- version is a semantic version string identifying the update version -(e.g. “4.20.1”). - |
-
-image
-
-string
-
- |
-
- image is the release image pullspec used for this update. - |
-
-(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) -
--
ControlPlaneVersionStatus tracks the rollout state of management-side control plane components. -It records the desired release, a pruned history of version transitions (newest first), and -the last observed generation of the HostedControlPlane spec.
- -| Field | -Description | -
|---|---|
-desired,omitempty,omitzero
-
-
-github.com/openshift/api/config/v1.Release
-
-
- |
-
- desired is the release version that the control plane is reconciling towards. -It is derived from the HostedControlPlane release image fields. - |
-
-history
-
-
-[]ControlPlaneUpdateHistory
-
-
- |
-
-(Optional)
- history contains a list of versions applied to management-side control plane components. The newest entry is -first in the list. Entries have state Completed when all ControlPlaneComponent resources report the target -version with RolloutComplete=True. Entries have state Partial when the rollout is in progress or has failed. - |
-
-observedGeneration,omitempty,omitzero
-
-int64
-
- |
-
-(Optional)
- observedGeneration reports which generation of the HostedControlPlane spec is being synced. - |
-
(Appears on: @@ -37559,11 +35510,6 @@ string
publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. Once set, this value is immutable.
-On Azure, this is a full Azure resource ID for a DNS Zone in the format: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/dnsZones/{zoneName} -The maximum length of 258 is derived from Azure resource naming limits -(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): -/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90)
privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. Once set, this value is immutable.
-On Azure, this is a full Azure resource ID for a Private DNS Zone in the format: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} -The maximum length of 265 is derived from Azure resource naming limits -(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): -/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90)
encryptionKey,omitzero
+encryptionKey
GCPDiskEncryptionKey
@@ -38134,7 +36075,7 @@ private node communication with the control plane via Private Service Connect.
network,omitzero
+network
GCPResourceReference
@@ -38147,7 +36088,7 @@ GCPResourceReference
privateServiceConnectSubnet,omitzero
+privateServiceConnectSubnet
GCPResourceReference
@@ -38212,9 +36153,7 @@ See https://cloud.
subnet
-
-GCPResourceName
-
+string
networkTags
-
-[]GCPResourceName
-
+[]string
onHostMaintenance
-
-GCPOnHostMaintenance
-
+string
email
-
-GCPServiceAccountEmail
-
+string
-(Appears on: -GCPNodePoolPlatform) -
-
GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
|
- region is the GCP region in which the cluster resides (e.g., us-central1, europe-west2). -Must start with lowercase letters, contain exactly one hyphen, and end with digits. + region is the GCP region in which the cluster resides.
+Must be in the form of |
|||
-networkConfig,omitzero
+networkConfig
GCPNetworkConfig
@@ -38576,9 +36508,7 @@ This value must be a valid IPv4 or IPv6 address.
|
forwardingRuleName
-
-GCPResourceName
-
+string
@@ -38595,19 +36525,15 @@ Populated by the reconciler via GCP API lookup
|
- |
consumerAcceptList specifies which customer projects can connect. -Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”). -A maximum of 50 entries are allowed. -See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project ID and number formats. +consumerAcceptList specifies which customer projects can connect +Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”) |
natSubnet
-
-GCPResourceName
-
+string
|
@@ -38670,9 +36596,8 @@ string |
(Optional)
- serviceAttachmentURI is the URI customers use to connect. -Format: projects/{project}/regions/{region}/serviceAttachments/{name} -See https://cloud.google.com/vpc/docs/configure-private-service-connect-producer for service attachment details. +serviceAttachmentURI is the URI customers use to connect +Format: projects/{project}/regions/{region}/serviceAttachments/{name} |
|
|
+(Optional)
value is the value part of the label. A label value can have a maximum of 63 characters. Empty values are allowed by GCP. If non-empty, it must start with a lowercase letter, contain only lowercase letters, digits, underscores, or hyphens, and end with a lowercase letter or digit. @@ -38792,19 +36718,6 @@ See https://c |
-(Appears on: -GCPNodePoolPlatform, -GCPPrivateServiceConnectSpec, -GCPResourceReference) -
--
GCPResourceName is the name of a GCP resource following RFC 1035 naming conventions. -Must start with a lowercase letter, contain only lowercase letters, digits, and hyphens, -must not end with a hyphen, and be 1-63 characters long. -See https://cloud.google.com/compute/docs/naming-resources for details.
- ###GCPResourceReference { #hypershift.openshift.io/v1beta1.GCPResourceReference }(Appears on: @@ -38827,9 +36740,7 @@ See https://google.aip.dev/122 for GCP
name
-
-GCPResourceName
-
+string
-(Appears on: -GCPNodeServiceAccount, -GCPServiceAccountsEmails) -
--
GCPServiceAccountEmail is the email address of a Google Service Account. -Format: service-account-name@project-id.iam.gserviceaccount.com -See https://cloud.google.com/iam/docs/service-accounts-create for service account naming rules.
- ###GCPServiceAccountsEmails { #hypershift.openshift.io/v1beta1.GCPServiceAccountsEmails }(Appears on: @@ -38874,9 +36774,7 @@ Each service account should have the appropriate IAM permissions for its specifi
nodePool
-
-GCPServiceAccountEmail
-
+string
controlPlane
-
-GCPServiceAccountEmail
-
+string
cloudController
-
-GCPServiceAccountEmail
-
+string
storage
-
-GCPServiceAccountEmail
-
+string
hypershift infra create gcp w
the required service accounts with appropriate IAM roles and WIF bindings.
imageRegistry
-
-
-GCPServiceAccountEmail
-
-
-imageRegistry is the Google Service Account email for the Image Registry Operator -that manages GCS storage for the internal container image registry. -This GSA requires the following IAM roles: -- roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com
-This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of hypershift infra create gcp which creates
-the required service accounts with appropriate IAM roles and WIF bindings.
network
-
-
-GCPServiceAccountEmail
-
-
-network is the Google Service Account email for the Cloud Network Config Controller -that manages cloud-level network configurations (egress IPs, subnets). -This GSA requires the following IAM roles: -- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for managing network interfaces) -- roles/compute.networkUser (Compute Network User - for using subnets) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com
-This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of hypershift infra create gcp which creates
-the required service accounts with appropriate IAM roles and WIF bindings.
projectNumber is the numeric GCP project identifier for WIF configuration. This differs from the project ID and is required for workload identity pools. -Must be a numeric string representing the GCP project number. -See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project number details.
+Must be a numeric string representing the GCP project number.This is a user-provided value obtained from GCP (found in GCP Console or via gcloud projects describe PROJECT_ID).
Also available in the output of hypershift infra create gcp.
This is a user-provided value referencing a pre-created Workload Identity Pool.
Typically obtained from the output of hypershift infra create gcp which creates
the WIF infrastructure and generates appropriate pool IDs.
This is a user-provided value referencing a pre-created OIDC Provider within the WIF Pool.
Typically obtained from the output of hypershift infra create gcp.
(Appears on: -HCPEtcdBackupStorage) +HostedCluster)
-
HCPEtcdBackupAzureBlob defines the Azure Blob storage configuration for etcd backups.
-container
+release
-string
+
+Release
+
+
+ |
+
+ release specifies the desired OCP release payload for all the hosted cluster components. +This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc. +The maximum and minimum supported release versions are determined by the running Hypersfhit Operator. +Attempting to use an unsupported version will result in the HostedCluster being degraded and the validateReleaseImage condition being false. +Attempting to use a release with a skew against a NodePool release bigger than N-2 for the y-stream will result in leaving the NodePool in an unsupported state. +Changing this field will trigger a rollout of the control plane components. +The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. + |
+
+controlPlaneRelease
+
+
+Release
+
|
- container is the name of the Azure Blob container where backups are stored. -Must be 3-63 characters, lowercase letters, numbers, and hyphens only. -Must start and end with a letter or number. Consecutive hyphens are not allowed. -See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#container-names +(Optional) +controlPlaneRelease is like spec.release but only for the components running on the management cluster. +This excludes any operand which will land in the hosted cluster data plane. +It is useful when you need to apply patch management side like a CVE, transparently for the hosted cluster. +Version input for this field is free, no validation is performed against spec.release or maximum and minimum is performed. +If defined, it will dicate the version of the components running management side, while spec.release will dictate the version of the components landing in the hosted cluster data plane. +If not defined, spec.release is used for both. +Changing this field will trigger a rollout of the control plane. +The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. |
-storageAccount
+clusterID
string
|
- storageAccount is the name of the Azure Storage Account. -Must be 3-24 characters, lowercase letters and numbers only. -See https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#storage-account-name +(Optional) +clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal digits). +As with a Kubernetes metadata.uid, this ID uniquely identifies this cluster in space and time. +This value identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. +If a value is not specified, a random clusterID will be generated and set by the controller. +Once set, this value is immutable. |
-keyPrefix
+infraID
string
|
- keyPrefix is the blob name prefix for the backup file. -Must consist of valid blob name characters: alphanumeric characters, forward slashes, -hyphens, underscores, and periods. -See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#blob-names +(Optional) +infraID is a globally unique identifier for the cluster. +It must consist of lowercase alphanumeric characters and hyphens (‘-’) only, and start and end with an alphanumeric character. +It must be no more than 253 characters in length. +This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. +infraID is used to compute and tag created resources with “kubernetes.io/cluster/”+hcluster.Spec.InfraID which has contractual meaning for the cloud provider implementations. +If a value is not specified, a random infraID will be generated and set by the controller. +Once set, this value is immutable. |
-credentials,omitzero
+updateService
-
-SecretReference
+
+github.com/openshift/api/config/v1.URL
|
- credentials references a Secret containing Azure credentials for uploading -to Blob Storage. The Secret must exist in the Hypershift Operator namespace. +(Optional) +updateService may be used to specify the preferred upstream update service. +If omitted we will use the appropriate update service for the cluster and region. +This is used by the control plane operator to determine and signal the appropriate available upgrades in the hostedCluster.status. |
-encryptionKeyURL
+channel
string
|
(Optional)
- encryptionKeyURL is the URL of the Azure Key Vault key used for encryption.
-Must be a valid Azure Key Vault key URL in the format
-“https:// channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. +If omitted no particular upgrades are suggested. +TODO(alberto): Consider the backend to use the default channel by default. Default channel will contain stable updates that are appropriate for production clusters. |
-(Appears on: -ManagedEtcdSpec) -
--
HCPEtcdBackupConfig defines the backup encryption configuration that is propagated -from the HostedCluster to the HostedControlPlane via ManagedEtcdSpec. -Exactly one platform-specific block must be specified, matching the platform discriminator.
- -| Field | -Description | -
|---|---|
platform
-
-HCPEtcdBackupConfigPlatform
+
+PlatformSpec
|
- platform specifies the cloud platform for backup encryption configuration. -Valid values are “AWS” for AWS KMS encryption and “Azure” for Azure Key Vault encryption. +platform specifies the underlying infrastructure provider for the cluster +and is used to configure platform specific behavior. |
-aws,omitzero
+kubeAPIServerDNSName
-
-HCPEtcdBackupConfigAWS
-
+string
|
(Optional)
- aws contains AWS-specific backup encryption configuration. -Required when platform is “AWS”, and forbidden otherwise. +kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS. +When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field. +If it’s set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted. +The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider. +This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable +access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates +for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates. +This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op. |
-azure,omitzero
+controllerAvailabilityPolicy
-
-HCPEtcdBackupConfigAzure
+
+AvailabilityPolicy
|
(Optional)
- azure contains Azure-specific backup encryption configuration. -Required when platform is “Azure”, and forbidden otherwise. +controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server. +Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable. +This field is immutable. |
-(Appears on: -HCPEtcdBackupConfig) -
--
HCPEtcdBackupConfigAWS defines AWS-specific encryption settings for etcd backups.
- -| Field | -Description | -
|---|---|
-kmsKeyARN
+infrastructureAvailabilityPolicy
-string
+
+AvailabilityPolicy
+
|
- kmsKeyARN is the ARN of the AWS KMS key to use for encrypting etcd backup artifacts in S3.
-Must be a valid AWS KMS key ARN in the format
-“arn: infrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on the hosted cluster data plane like the ingress controller and image registry controller. +Possible values are HighlyAvailable and SingleReplica. The default value is SingleReplica. |
-(Appears on: -HCPEtcdBackupConfig) -
--
HCPEtcdBackupConfigAzure defines Azure-specific encryption settings for etcd backups.
- -| Field | -Description | -
|---|---|
-encryptionKeyURL
+dns
-string
+
+DNSSpec
+
|
- encryptionKeyURL is the URL of the Azure Key Vault key to use for encrypting etcd backup artifacts.
-Must be a valid Azure Key Vault key URL in the format
-“https:// dns specifies the DNS configuration for the hosted cluster ingress. |
-(Appears on: -HCPEtcdBackupConfig) -
--
HCPEtcdBackupConfigPlatform identifies the cloud platform for backup encryption configuration.
- -| Value | -Description | -|
|---|---|---|
"AWS" |
-AWSBackupConfigPlatform indicates AWS KMS encryption for backup artifacts. + |
+networking
+
+
+ClusterNetworking
+
+
|
-
"Azure" |
-AzureBackupConfigPlatform indicates Azure Key Vault encryption for backup artifacts. + |
+ networking specifies network configuration for the hosted cluster. +Defaults to OVNKubernetes with a cluster network of cidr: “10.132.0.0/14” and a service network of cidr: “172.31.0.0/16”. |
-
-(Appears on: -HCPEtcdBackupStatus) -
--
HCPEtcdBackupEncryptionMetadata contains platform-specific metadata about the -encryption applied to the backup artifact in cloud storage. -The presence of a platform block indicates that encryption was applied.
- -| Field | -Description |
|---|---|
-aws,omitzero
+autoscaling
-
-HCPEtcdBackupEncryptionMetadataAWS
+
+ClusterAutoscaling
|
(Optional)
- aws contains AWS-specific encryption metadata for the backup. +autoscaling specifies auto-scaling behavior that applies to all NodePools +associated with this HostedCluster. |
-azure,omitzero
+autoNode
-
-HCPEtcdBackupEncryptionMetadataAzure
+
+AutoNode
|
(Optional)
- azure contains Azure-specific encryption metadata for the backup. +autoNode specifies the configuration for the autoNode feature. |
-(Appears on: -HCPEtcdBackupEncryptionMetadata) -
--
HCPEtcdBackupEncryptionMetadataAWS contains AWS-specific encryption metadata. -The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
- -| Field | -Description | -
|---|---|
-kmsKeyARN
+etcd
-string
+
+EtcdSpec
+
|
- kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup in S3.
-Must be a valid AWS KMS key ARN in the format
-“arn: etcd specifies configuration for the control plane etcd cluster. The +default managementType is Managed. Once set, the managementType cannot be +changed. |
-(Appears on: -HCPEtcdBackupEncryptionMetadata) -
--
HCPEtcdBackupEncryptionMetadataAzure contains Azure-specific encryption metadata. -The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
- -| Field | -Description | -
|---|---|
-encryptionKeyURL
+services
-string
+
+[]ServicePublishingStrategyMapping
+
|
- encryptionKeyURL is the URL of the Azure Key Vault key used for encryption of the backup.
-Must be a valid Azure Key Vault key URL in the format
-“https:// services specifies how individual control plane services endpoints are published for consumption. +This requires APIServer;OAuthServer;Konnectivity;Ignition. +This field is immutable for all platforms but IBMCloud. +Max is 6 to account for OIDC;OVNSbDb for backward compatibility though they are no-op. +-kubebuilder:validation:XValidation:rule=“self.all(s, !(s.service == ‘APIServer’ && s.servicePublishingStrategy.type == ‘Route’) || has(s.servicePublishingStrategy.route.hostname))”,message=“If serviceType is ‘APIServer’ and publishing strategy is ‘Route’, then hostname must be set” +-kubebuilder:validation:XValidation:rule=“self.platform.type == ‘IBMCloud’ ? [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’].all(requiredType, self.exists(s, s.service == requiredType))”,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, and ‘Konnectivity’ service types” : [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, ‘Ignition’].all(requiredType, self.exists(s, s.service == requiredType))“,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, and ‘Ignition’ service types” +-kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘Route’ && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘Route’ && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)”,message=“Each route publishingStrategy ‘hostname’ must be unique within the Services list.” +-kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘NodePort’ && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘NodePort’ && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)”,message=“Each nodePort publishingStrategy ‘nodePort’ and ‘hostname’ must be unique within the Services list.” +TODO(alberto): this breaks the cost budget for < 4.17. We should figure why and enable it back. And If not fixable, consider imposing a minimum version on the management cluster. |
-(Appears on: -HCPEtcdBackupStorage) -
--
HCPEtcdBackupS3 defines the S3 storage configuration for etcd backups.
- -| Field | -Description | -
|---|---|
-bucket
+pullSecret
-string
+
+Kubernetes core/v1.LocalObjectReference
+
|
- bucket is the name of the S3 bucket where backups are stored. -Must be 3-63 characters, lowercase letters, numbers, hyphens, and periods only. -Must start and end with a letter or number. Consecutive periods are not allowed. -See https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html +pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. +If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. +TODO(alberto): Signal this in a condition. +This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster +and it will be injected into the container runtime of all NodePools. +Changing this value will trigger a rollout for all existing NodePools in the cluster. +Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes. |
-region
+sshKey
-string
+
+Kubernetes core/v1.LocalObjectReference
+
|
- region is the AWS region where the S3 bucket is located (e.g. “us-east-1”). -Must be a valid AWS region identifier: lowercase letters, digits, and hyphens. -Must start and end with an alphanumeric character, no consecutive hyphens. +(Optional) +sshKey is a local reference to a Secret that must have a “id_rsa.pub” key whose content must be the public part of 1..N SSH keys. +If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. +TODO(alberto): Signal this in a condition. +When sshKey is set, the controllers will generate a machineConfig with the sshAuthorizedKeys https://coreos.github.io/ignition/configuration-v3_2/ populated with this value. +This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. +Changing this value will trigger a rollout for all existing NodePools in the cluster. |
-keyPrefix
+issuerURL
string
|
- keyPrefix is the S3 key prefix for the backup file. -Must consist of safe S3 object key characters: alphanumeric characters, -forward slashes, hyphens, underscores, periods, exclamation marks, -asterisks, single quotes, and parentheses. -See https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html +(Optional) +issuerURL is an OIDC issuer URL which will be used as the issuer in all +ServiceAccount tokens generated by the control plane API server via –service-account-issuer kube api server flag. +https://k8s-docs.netlify.app/en/docs/reference/command-line-tools-reference/kube-apiserver/ +https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection +The default value is kubernetes.default.svc, which only works for in-cluster +validation. +If the platform is AWS and this value is set, the controller will update an s3 object with the appropriate OIDC documents (using the serviceAccountSigningKey info) into that issuerURL. +The expectation is for this s3 url to be backed by an OIDC provider in the AWS IAM. |
-credentials,omitzero
+serviceAccountSigningKey
-
-SecretReference
+
+Kubernetes core/v1.LocalObjectReference
|
- credentials references a Secret containing AWS credentials for uploading -to S3. The Secret must exist in the Hypershift Operator namespace and contain a -‘credentials’ key with a valid AWS credentials file. +(Optional) +serviceAccountSigningKey is a local reference to a secret that must have a “key” key whose content must be the private key +used by the service account token issuer. +If not specified, a service account signing key will +be generated automatically for the cluster. +When specifying a service account signing key, an IssuerURL must also be specified. +If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. +TODO(alberto): Signal this in a condition. +For key rotation, the secret may optionally contain an “old-key.pub” key whose content is the PEM-encoded +public key of the previous signing key. When present, the kube-apiserver will accept tokens signed by +both the current and previous keys, allowing for graceful key rotation without invalidating existing tokens. |
-kmsKeyARN
+configuration
-string
+
+ClusterConfiguration
+
|
(Optional)
- kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup.
-Must be a valid AWS KMS key ARN in the format
-“arn: |
-
-(Appears on: -HCPEtcdBackup) -
--
HCPEtcdBackupSpec defines the desired state of HCPEtcdBackup. -HCPEtcdBackup is a one-shot backup request; the entire spec is immutable once created.
- -| Field | -Description | -
|---|---|
-storage,omitzero
-
-
-HCPEtcdBackupStorage
-
-
- |
-
- storage defines the cloud storage backend where the etcd snapshot will be uploaded. - |
-
-(Appears on: -HCPEtcdBackup) -
--
HCPEtcdBackupStatus defines the observed state of HCPEtcdBackup.
- -| Field | -Description | -
|---|---|
-conditions
-
-
-[]Kubernetes meta/v1.Condition
-
-
- |
-
-(Optional)
- conditions contains details for the current state of the etcd backup. -The following condition types are expected: -- “BackupCompleted”: indicates whether the etcd backup has completed (True=success, False=failure). - |
-
-snapshotURL
-
-string
-
- |
-
-(Optional)
- snapshotURL is the URL of the completed backup snapshot in cloud storage. -Must be a valid URL with scheme https or s3. - |
-
-encryptionMetadata,omitzero
-
-
-HCPEtcdBackupEncryptionMetadata
-
-
- |
-
-(Optional)
- encryptionMetadata contains metadata about the encryption of the backup. -When present, at least one platform-specific encryption block must be set. - |
-
-(Appears on: -HCPEtcdBackupSpec) -
--
HCPEtcdBackupStorage defines the cloud storage backend configuration for the backup. -Exactly one storage backend must be specified, matching the storageType discriminator.
- -| Field | -Description | -
|---|---|
-storageType
-
-
-HCPEtcdBackupStorageType
-
-
- |
-
- storageType specifies the type of cloud storage backend for the etcd backup. -Valid values are “S3” for AWS S3 storage and “AzureBlob” for Azure Blob Storage. - |
-
-s3,omitzero
-
-
-HCPEtcdBackupS3
-
-
- |
-
-(Optional)
- s3 specifies the S3 storage configuration for the etcd backup. -Required when storageType is “S3”, and forbidden otherwise. - |
-
-azureBlob,omitzero
-
-
-HCPEtcdBackupAzureBlob
-
-
- |
-
-(Optional)
- azureBlob specifies the Azure Blob storage configuration for the etcd backup. -Required when storageType is “AzureBlob”, and forbidden otherwise. - |
-
-(Appears on: -HCPEtcdBackupStorage) -
--
HCPEtcdBackupStorageType is the type of storage for etcd backups.
- -| Value | -Description | -
|---|---|
"AzureBlob" |
-AzureBlobBackupStorage indicates that the backup is stored in Azure Blob Storage. - |
-
"S3" |
-S3BackupStorage indicates that the backup is stored in AWS S3. - |
-
-(Appears on: -HostedCluster) -
--
-| Field | -Description | -|||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-release
-
-
-Release
-
-
- |
-
- release specifies the desired OCP release payload for all the hosted cluster components. -This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc. -The maximum and minimum supported release versions are determined by the running Hypersfhit Operator. -Attempting to use an unsupported version will result in the HostedCluster being degraded and the validateReleaseImage condition being false. -Attempting to use a release with a skew against a NodePool release bigger than N-2 for the y-stream will result in leaving the NodePool in an unsupported state. -Changing this field will trigger a rollout of the control plane components. -The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. - |
-|||||||||||||||
-controlPlaneRelease
-
-
-Release
-
-
- |
-
-(Optional)
- controlPlaneRelease is like spec.release but only for the components running on the management cluster. -This excludes any operand which will land in the hosted cluster data plane. -It is useful when you need to apply patch management side like a CVE, transparently for the hosted cluster. -Version input for this field is free, no validation is performed against spec.release or maximum and minimum is performed. -If defined, it will dicate the version of the components running management side, while spec.release will dictate the version of the components landing in the hosted cluster data plane. -If not defined, spec.release is used for both. -Changing this field will trigger a rollout of the control plane. -The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. - |
-|||||||||||||||
-clusterID
-
-string
-
- |
-
-(Optional)
- clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal digits). -As with a Kubernetes metadata.uid, this ID uniquely identifies this cluster in space and time. -This value identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. -If a value is not specified, a random clusterID will be generated and set by the controller. -Once set, this value is immutable. - |
-|||||||||||||||
-infraID
-
-string
-
- |
-
-(Optional)
- infraID is a globally unique identifier for the cluster. -It must consist of lowercase alphanumeric characters and hyphens (‘-’) only, and start and end with an alphanumeric character. -It must be no more than 253 characters in length. -This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. -infraID is used to compute and tag created resources with “kubernetes.io/cluster/”+hcluster.Spec.InfraID which has contractual meaning for the cloud provider implementations. -If a value is not specified, a random infraID will be generated and set by the controller. -Once set, this value is immutable. - |
-|||||||||||||||
-updateService
-
-
-github.com/openshift/api/config/v1.URL
-
-
- |
-
-(Optional)
- updateService may be used to specify the preferred upstream update service. -If omitted we will use the appropriate update service for the cluster and region. -This is used by the control plane operator to determine and signal the appropriate available upgrades in the hostedCluster.status. - |
-|||||||||||||||
-channel
-
-string
-
- |
-
-(Optional)
- channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. -If omitted no particular upgrades are suggested. -TODO(alberto): Consider the backend to use the default channel by default. Default channel will contain stable updates that are appropriate for production clusters. - |
-|||||||||||||||
-platform
-
-
-PlatformSpec
-
-
- |
-
- platform specifies the underlying infrastructure provider for the cluster -and is used to configure platform specific behavior. - |
-|||||||||||||||
-kubeAPIServerDNSName
-
-string
-
- |
-
-(Optional)
- kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS. -When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field. -If it’s set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted. -The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider. -This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable -access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates -for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates. -This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op. - |
-|||||||||||||||
-controllerAvailabilityPolicy
-
-
-AvailabilityPolicy
-
-
- |
-
-(Optional)
- controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server. -Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable. -This field is immutable. - |
-|||||||||||||||
-infrastructureAvailabilityPolicy
-
-
-AvailabilityPolicy
-
-
- |
-
-(Optional)
- infrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on the hosted cluster data plane like the ingress controller and image registry controller. -Possible values are HighlyAvailable and SingleReplica. The default value is SingleReplica. - |
-|||||||||||||||
-dns
-
-
-DNSSpec
-
-
- |
-
-(Optional)
- dns specifies the DNS configuration for the hosted cluster ingress. - |
-|||||||||||||||
-networking
-
-
-ClusterNetworking
-
-
- |
-
- networking specifies network configuration for the hosted cluster. -Defaults to OVNKubernetes with a cluster network of cidr: “10.132.0.0/14” and a service network of cidr: “172.31.0.0/16”. - |
-|||||||||||||||
-autoscaling
-
-
-ClusterAutoscaling
-
-
- |
-
-(Optional)
- autoscaling specifies auto-scaling behavior that applies to all NodePools -associated with this HostedCluster. - |
-|||||||||||||||
-autoNode
-
-
-AutoNode
-
-
- |
-
-(Optional)
- autoNode specifies the configuration for automatic node provisioning and lifecycle management. -When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads. - |
-|||||||||||||||
-etcd
-
-
-EtcdSpec
-
-
- |
-
- etcd specifies configuration for the control plane etcd cluster. The -default managementType is Managed. Once set, the managementType cannot be -changed. - |
-|||||||||||||||
-services
-
-
-[]ServicePublishingStrategyMapping
-
-
- |
-
- services specifies how individual control plane services endpoints are published for consumption. -This requires APIServer;OAuthServer;Konnectivity;Ignition. -This field is immutable for all platforms but IBMCloud. -Max is 6 to account for OIDC;OVNSbDb for backward compatibility though they are no-op. --kubebuilder:validation:XValidation:rule=“self.all(s, !(s.service == ‘APIServer’ && s.servicePublishingStrategy.type == ‘Route’) || has(s.servicePublishingStrategy.route.hostname))”,message=“If serviceType is ‘APIServer’ and publishing strategy is ‘Route’, then hostname must be set” --kubebuilder:validation:XValidation:rule=“self.platform.type == ‘IBMCloud’ ? [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’].all(requiredType, self.exists(s, s.service == requiredType))”,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, and ‘Konnectivity’ service types” : [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, ‘Ignition’].all(requiredType, self.exists(s, s.service == requiredType))“,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, and ‘Ignition’ service types” --kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘Route’ && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘Route’ && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)”,message=“Each route publishingStrategy ‘hostname’ must be unique within the Services list.” --kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘NodePort’ && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘NodePort’ && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)”,message=“Each nodePort publishingStrategy ‘nodePort’ and ‘hostname’ must be unique within the Services list.” -TODO(alberto): this breaks the cost budget for < 4.17. We should figure why and enable it back. And If not fixable, consider imposing a minimum version on the management cluster. - |
-|||||||||||||||
-pullSecret
-
-
-Kubernetes core/v1.LocalObjectReference
-
-
- |
-
- pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. -If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. -TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. -TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes. - |
-|||||||||||||||
-sshKey
-
-
-Kubernetes core/v1.LocalObjectReference
-
-
- |
-
-(Optional)
- sshKey is a local reference to a Secret that must have a “id_rsa.pub” key whose content must be the public part of 1..N SSH keys. -If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. -TODO(alberto): Signal this in a condition. -When sshKey is set, the controllers will generate a machineConfig with the sshAuthorizedKeys https://coreos.github.io/ignition/configuration-v3_2/ populated with this value. -This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. -Changing this value will trigger a rollout for all existing NodePools in the cluster. - |
-|||||||||||||||
-issuerURL
-
-string
-
- |
-
-(Optional)
- issuerURL is an OIDC issuer URL which will be used as the issuer in all -ServiceAccount tokens generated by the control plane API server via –service-account-issuer kube api server flag. -https://k8s-docs.netlify.app/en/docs/reference/command-line-tools-reference/kube-apiserver/ -https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection -The default value is kubernetes.default.svc, which only works for in-cluster -validation. -If the platform is AWS and this value is set, the controller will update an s3 object with the appropriate OIDC documents (using the serviceAccountSigningKey info) into that issuerURL. -The expectation is for this s3 url to be backed by an OIDC provider in the AWS IAM. - |
-|||||||||||||||
-serviceAccountSigningKey
-
-
-Kubernetes core/v1.LocalObjectReference
-
-
- |
-
-(Optional)
- serviceAccountSigningKey is a local reference to a secret that must have a “key” key whose content must be the private key -used by the service account token issuer. -If not specified, a service account signing key will -be generated automatically for the cluster. -When specifying a service account signing key, an IssuerURL must also be specified. -If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. -TODO(alberto): Signal this in a condition. -For key rotation, the secret may optionally contain an “old-key.pub” key whose content is the PEM-encoded -public key of the previous signing key. When present, the kube-apiserver will accept tokens signed by -both the current and previous keys, allowing for graceful key rotation without invalidating existing tokens. - |
-|||||||||||||||
-configuration
-
-
-ClusterConfiguration
-
-
- |
-
-(Optional)
- configuration specifies configuration for individual OCP components in the -cluster, represented as embedded resources that correspond to the openshift -configuration API. +configuration specifies configuration for individual OCP components in the +cluster, represented as embedded resources that correspond to the openshift +configuration API. |
|||||||||||||||
-controlPlaneVersion,omitzero
-
-
-ControlPlaneVersionStatus
-
-
- |
-
-(Optional)
- controlPlaneVersion tracks the rollout status of the control plane -components running on the management cluster, independently from -the data-plane version reported in the version field. - |
-|||||||||||||||
version
@@ -40471,20 +37678,6 @@ PlatformStatus
| ||||||||||||||||
-autoNode,omitzero
-
-
-AutoNodeStatus
-
-
- |
-
-(Optional)
- autoNode contains the observed state of the autoNode (Karpenter) provisioner. - |
-|||||||||||||||
configuration
@@ -40955,10 +38148,7 @@ AutoNode
|
(Optional)
- autoNode specifies the configuration for automatic node provisioning -and lifecycle management. When set, nodes are automatically provisioned -using the specified provisioner (e.g. Karpenter) instead of requiring -manual NodePool management. +autoNode specifies the configuration for the autoNode feature. |
|||||||||||||||
-controlPlaneVersion,omitzero
-
-
-ControlPlaneVersionStatus
-
-
- |
-
-(Optional)
- controlPlaneVersion tracks the rollout status of the control plane -components running on the management cluster, independently from -the data-plane version reported in the version field. - |
-|||||||||||||||
versionStatus
@@ -41273,20 +38447,6 @@ int
| ||||||||||||||||
-autoNode,omitzero
-
-
-AutoNodeStatus
-
-
- |
-
-(Optional)
- autoNode contains the observed state of the autoNode (Karpenter) provisioner. - |
-|||||||||||||||
configuration
@@ -41858,7 +39018,6 @@ AzureKMSSpec
KarpenterConfig)
- KarpenterAWSConfig specifies AWS-specific configuration for the Karpenter provisioner.
(Appears on: -CapacityReservationOptions, -PlacementOptions) +CapacityReservationOptions) - MarketType describes the market type for EC2 instances. +MarketType describes the market type of the CapacityReservation for an Instance.
-(Appears on: -NodePoolStatus) - -- NodePoolNodesInfo aggregates observed information about nodes belonging to this NodePool. - -
(Appears on: @@ -44367,21 +41240,6 @@ the NodePool. | ||||||||||||||||
-nodesInfo,omitzero
-
-
-NodePoolNodesInfo
-
-
- |
-
-(Optional)
- nodesInfo contains aggregated information observed from nodes belonging -to this NodePool. - |
-|||||||||||||||
platform
@@ -44453,73 +41311,6 @@ assigned when the service is created.
|
-(Appears on: -NodePoolNodesInfo) -
--
NodeVersion represents a version combination and the count of ready and unready nodes running it.
- -| Field | -Description | -
|---|---|
-ocpVersion
-
-string
-
- |
-
- ocpVersion is the OpenShift release version this node was provisioned -or upgraded with. - |
-
-kubeletVersion
-
-string
-
- |
-
- kubeletVersion is the kubelet version reported by the node, as observed -from Machine.Status.NodeInfo.KubeletVersion. - |
-
-readyNodeCount
-
-int32
-
- |
-
- readyNodeCount is the number of nodes running this version where the -CAPI NodeHealthy condition is True. - |
-
-unreadyNodeCount
-
-int32
-
- |
-
- unreadyNodeCount is the number of nodes running this version where the -CAPI NodeHealthy condition is not True. Useful for tracking upgrade -progress and detecting stuck nodes. - |
-
(Appears on: @@ -44637,28 +41428,6 @@ this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.
-mtu
-
-int32
-
-mtu is the MTU to use for the tunnel interface on hosted cluster nodes. -This must be 100 bytes smaller than the uplink MTU. -When unset, the cluster-network-operator will determine the MTU automatically -based on the infrastructure (e.g., for commercial AWS regions, it defaults -to 8901 based on the 9001 uplink MTU minus 100 bytes overhead). -Some non-commercial AWS regions do not support 9001 uplink MTU, -requiring this field to be explicitly set to a lower value. -The maximum is 9216, which is the standard jumbo frame upper limit -supported by datacenter and cloud network interfaces. -The minimum is 576, which is the minimum IPv4 MTU per RFC 791. -This field is immutable once set.
-
PlacementOptions specifies the placement options for the EC2 instances.
-The instance market type is determined by the marketType field: -- “OnDemand” (default): Standard on-demand instances -- “Spot”: Spot instances using spare EC2 capacity at reduced prices -- “CapacityBlocks”: Scheduled pre-purchased compute capacity for ML workloads
-marketType
-
-
-MarketType
-
-
- |
-
-(Optional)
- marketType specifies the EC2 instance purchasing model. -Supported values are “OnDemand” for standard on-demand instances, -“Spot” for spot instances that use spare EC2 capacity at reduced prices -but may be interrupted (optionally accepts spot options and requires -terminationHandlerQueueURL on the HostedCluster), and “CapacityBlocks” for scheduled pre-purchased -compute capacity recommended for GPU/ML workloads (requires -capacityReservation with a specific reservation ID). -When omitted, the default is “OnDemand”. - |
-|
-spot,omitzero
-
-
-SpotOptions
-
-
- |
-
-(Optional)
- spot configures optional Spot instance overrides. -When omitted, Spot instances use AWS defaults. -Spot instances use spare EC2 capacity at reduced prices but may be interrupted -with a 2-minute warning. Requires terminationHandlerQueueURL to be set on the -HostedCluster’s AWS platform spec for graceful handling of interruptions. - |
-|
capacityReservation
@@ -45231,7 +41957,6 @@ CapacityReservationOptions
capacityReservation specifies Capacity Reservation options for the NodePool instances. Cannot be specified when tenancy is set to “host” as Dedicated Hosts do not support Capacity Reservations. Compatible with “default” and “dedicated” tenancy. -Required when marketType is “CapacityBlocks”. |
"Karpenter" |
-ProvisionerKarpenter indicates that Karpenter is used for automatic node provisioning. - |
+
-
ProvisionerConfig specifies the provisioner used for automatic node management -and its associated configuration.
+ProvisionerConfig is a enum specifying the strategy for auto managing Nodes.
|
- name specifies the name of the provisioner to use for automatic node management. +name specifies the name of the provisioner to use. |
-(Appears on: -HCPEtcdBackupAzureBlob, -HCPEtcdBackupS3) -
--
SecretReference contains a reference to a Secret by name. -The Secret must exist in the same namespace as the referencing resource.
- -| Field | -Description | -
|---|---|
-name
-
-string
-
- |
-
- name is the name of the Secret. It must be a valid DNS-1123 subdomain: at most -253 characters, consisting of lowercase alphanumeric characters, hyphens, and periods. -Each period-separated segment must start and end with an alphanumeric character. - |
-
(Appears on: @@ -46985,44 +43675,6 @@ ServicePublishingStrategy
ServiceType defines what control plane services can be exposed from the management control plane.
-###SpotOptions { #hypershift.openshift.io/v1beta1.SpotOptions } --(Appears on: -PlacementOptions) -
--
SpotOptions configures options for Spot instances.
-Spot instances use spare EC2 capacity at reduced prices but may be interrupted -with a 2-minute warning when EC2 needs the capacity back.
- -| Field | -Description | -
|---|---|
-maxPrice
-
-string
-
- |
-
-(Optional)
- maxPrice defines the maximum price the user is willing to pay for Spot instances. -If not specified, the on-demand price is used as the maximum (you pay the actual spot price). -The value should be a decimal number representing the price per hour in USD. -For example, “0.50” means 50 cents per hour. -Note: AWS recommends NOT setting maxPrice to reduce interruption frequency. -When omitted, you pay the current Spot price (capped at On-Demand price). -AWS minimum allowed value is $0.001. - |
-
(Appears on:
@@ -47692,186 +44344,6 @@ graph TB
- **AWSEndpointService API types**: `api/hypershift/v1beta1/endpointservice_types.go`
----
-
-## Source: docs/content/reference/architecture/azure/privatelink.md
-
----
-title: Azure Private Link
----
-
-# Azure Private Link Architecture in HyperShift
-
-## Overview
-
-HyperShift uses Azure Private Link Service (PLS) to establish secure connectivity between worker nodes in the guest cluster VNet and the hosted control plane in the management cluster. This is used when `EndpointAccess` is set to `Private` or `PublicAndPrivate`.
-
-Unlike AWS PrivateLink which uses VPC Endpoint Services, Azure Private Link uses a dedicated Private Link Service resource backed by an internal load balancer with NAT IP translation.
-
-## Architecture Diagram
-
-```mermaid
-graph TB
- subgraph MC["Management Cluster"]
- subgraph HO["hypershift-operator"]
- HO_Controller["AzurePLSController
- - Watches: AzurePrivateLinkService CR
- - Waits for LoadBalancerIP in Spec
- - Finds ILB by frontend IP
- - Creates PLS with NAT subnet
- - Writes PLS alias to Status"]
- end
-
- subgraph HCP["HCP Namespace (e.g., clusters-foo)"]
- subgraph CPO["control-plane-operator"]
- Observer["AzurePLSObserver
- - Watches: private-router Service
- - Waits for ILB frontend IP
- - Creates AzurePrivateLinkService CR
- - Writes LoadBalancerIP to Spec"]
- Reconciler["AzurePLSReconciler
- - Waits for PLS alias in Status
- - Creates Private Endpoint in guest VNet
- - Creates Private DNS zones
- - Creates VNet links and A records
- - Writes PrivateEndpointIP to Status"]
- end
- ROUTER_SVC["private-router (Svc)
- type: LoadBalancer
- annotation: internal"]
- end
- end
-
- subgraph MGMT_AZURE["Management Azure Subscription"]
- ILB["Internal Load Balancer
- Frontend IP from private-router"]
- PLS["Private Link Service
- NAT subnet for IP translation
- Visibility: auto-approve guest sub"]
- end
-
- subgraph GUEST_AZURE["Guest Azure Subscription"]
- subgraph GUEST_VNET["Guest VNet"]
- PE["Private Endpoint
- Connected to PLS alias
- Gets private IP in guest VNet"]
- DNS_LOCAL["Private DNS Zone
- clusterName.hypershift.local"]
- DNS_BASE["Private DNS Zone
- baseDomain"]
- VNET_LINK["VNet Links
- Link DNS zones to guest VNet"]
- A_LOCAL["A Records (hypershift.local)
- api → PE IP
- *.apps → PE IP"]
- A_BASE["A Records (baseDomain)
- api-clusterName → PE IP
- oauth-clusterName → PE IP"]
- WORKERS["Worker Nodes
- Resolve API via Private DNS"]
- end
- end
-
- Observer --> ROUTER_SVC
- ROUTER_SVC --> ILB
- HO_Controller -- "Creates PLS
- Writes alias to Status" --> PLS
- ILB --> PLS
- PLS -- "Azure Private Link" --> PE
- Reconciler -- "Creates PE, DNS zones,
- VNet links, A records" --> PE
- PE --> DNS_LOCAL
- PE --> DNS_BASE
- DNS_LOCAL --> VNET_LINK
- DNS_BASE --> VNET_LINK
- DNS_LOCAL --> A_LOCAL
- DNS_BASE --> A_BASE
- WORKERS -- "DNS resolution" --> A_LOCAL
- WORKERS -- "DNS resolution" --> A_BASE
- A_LOCAL -- "PE IP" --> PE
- A_BASE -- "PE IP" --> PE
-```
-
-## Component Responsibilities
-
-### Azure Resources
-
-| Azure Resource | Created By | Description |
-|----------------|------------|-------------|
-| Internal Load Balancer | Azure (via `private-router` Service) | Fronts the KAS/router in the management cluster with an internal IP |
-| Private Link Service | HyperShift operator (HO controller) | Exposes the ILB via Private Link using NAT subnet for IP translation |
-| Private Endpoint | Control plane operator (CPO reconciler) | Connects guest VNet to PLS, receives a private IP in the guest subnet |
-| Private DNS Zone (local) | Control plane operator (CPO reconciler) | `
External LB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane --> Router
- ExtUsers --> Router
-
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-**Without External DNS**:
-
-- **APIServer**: `LoadBalancer` (dedicated external load balancer)
-- **OAuthServer**: `Route` (management cluster ingress)
-- **Konnectivity**: `Route` (management cluster ingress)
-- **Ignition**: `Route` (management cluster ingress)
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: AWS
- aws:
- endpointAccess: Public
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: LoadBalancer
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- KASLB[KAS LoadBalancer
External]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane --> KASLB
- DataPlane --> MCIngress
- ExtUsers --> KASLB
- ExtUsers --> MCIngress
-
- KASLB --> KAS
- MCIngress --> OAuth
- MCIngress --> Konnectivity
- MCIngress --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-#### PublicAndPrivate Endpoint Access
-
-**With External DNS** (`--external-dns-domain` flag):
-
-- **APIServer**: `Route` (hostname required)
-- **OAuthServer**: `Route` (hostname required)
-- **Konnectivity**: `Route` (resolves via `hypershift.local`)
-- **Ignition**: `Route` (resolves via `hypershift.local`)
-
-APIServer and OAuthServer are exposed externally through a dedicated HCP router. Konnectivity and Ignition resolve via `hypershift.local` through PrivateLink, so hostnames are not needed for them.
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: AWS
- aws:
- endpointAccess: PublicAndPrivate
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: api.my-cluster.example.com
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: oauth.my-cluster.example.com
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- Router[HCP Router]
- InternalLB[Internal LB]
- ExternalLB[External LB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane -->|PrivateLink| InternalLB
- ExtUsers --> ExternalLB
-
- InternalLB --> Router
- ExternalLB --> Router
-
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-**Without External DNS**:
-
-- **APIServer**: `LoadBalancer` (dedicated external load balancer)
-- **OAuthServer**: `Route` (HCP router with internal load balancer)
-- **Konnectivity**: `Route` (HCP router with internal load balancer)
-- **Ignition**: `Route` (HCP router with internal load balancer)
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: AWS
- aws:
- endpointAccess: PublicAndPrivate
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: LoadBalancer
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- KASLB[KAS LoadBalancer
External]
- Router[HCP Router]
- RouterInternalLB[Router Internal LB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- ExtUsers ~~~ DataPlane
-
- DataPlane --> |PrivateLink| RouterInternalLB
- ExtUsers --> KASLB
- ExtUsers -->|OAuth| MCIngress
-
- KASLB --> KAS
- RouterInternalLB --> Router
- MCIngress --> OAuth
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-#### Private Endpoint Access
-
-All traffic in private clusters happens via PrivateLink. All services use Route publishing through an HCP router with an internal load balancer.
-
-- **APIServer**: `Route`
-- **OAuthServer**: `Route`
-- **Konnectivity**: `Route`
-- **Ignition**: `Route`
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: AWS
- aws:
- endpointAccess: Private
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- Router[HCP Router]
- InternalLB[Internal LB]
- end
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane -->|PrivateLink| InternalLB
- ExtUsers -->|PrivateLink| InternalLB
-
- InternalLB --> Router
-
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-
-### Azure
-
-Azure has two deployment modes with different service publishing strategy requirements:
-
-#### Managed Azure (ARO HCP)
-
-ARO HCP (Azure Red Hat OpenShift Hosted Control Planes) uses a unique architecture with two distinct traffic paths. All ARO HCP clusters are considered **PublicAndPrivate**.
-
-##### Architecture Overview
-
-ARO HCP management clusters are based on **AKS (Azure Kubernetes Service)**, not OpenShift. The architecture separates traffic into two paths:
-
-1. **External Traffic (KAS, OAuth)**: Flows through a **Shared Ingress HAProxy** deployment. A single HAProxy in the `hypershift-sharedingress` namespace, fronted by one Azure LoadBalancer, routes traffic to the correct hosted control plane using SNI-based hostname routing.
-
-2. **In-Cluster Traffic (Konnectivity, Ignition)**: Flows through **Swift** (Azure Service Networking). Private router pods are labeled with `kubernetes.azure.com/pod-network-instance`, which connects them directly to the customer VNet. Services resolve via the `hypershift.local` internal DNS zone (e.g., `konnectivity-server.apps.
SNI Hostname Routing]
- SharedLB[Azure LoadBalancer
Single LB for all clusters]
- end
-
- subgraph HCP1 ["Hosted Control Plane 1"]
- KAS1[APIServer]
- OAuth1[OAuthServer]
- Konnectivity1[Konnectivity]
- Ignition1[Ignition]
- end
-
- subgraph SwiftRouter ["Private Router (Swift-enabled)"]
- PrivRouter[Private Router Pod
kubernetes.azure.com/
pod-network-instance]
- end
- end
-
- subgraph "Data Plane (Customer VNet)"
- Worker1[Worker Node]
- end
-
- ExtUsers[External Users]
-
- ExtUsers --> |HTTPS
KAS / OAuth| SharedLB
- SharedLB --> HAProxy
- HAProxy --> |SNI routing| KAS1
- HAProxy --> |SNI routing| OAuth1
-
- Worker1 --> |Swift
hypershift.local| PrivRouter
- PrivRouter --> Konnectivity1
- PrivRouter --> Ignition1
-
- classDef sharedIngressStyle fill:#fff3cd,stroke:#856404,stroke-width:3px;
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- classDef dataPlaneStyle fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px;
- classDef swiftStyle fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px;
-
- class SharedIngress sharedIngressStyle
- class HCP1 hcpStyle
- class Worker1 dataPlaneStyle
- class SwiftRouter swiftStyle
-```
-
-##### Traffic Paths
-
-| Traffic Type | Path | DNS Resolution |
-|-------------|------|----------------|
-| **External** (KAS, OAuth) | Client → Shared Ingress LB → HAProxy → HCP | External DNS zone (e.g., `api.
Ingress Controller]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- ExtUsers --> |External DNS| MCIngress
- DataPlane --> |External DNS| MCIngress
-
- MCIngress --> KAS
- MCIngress --> OAuth
- MCIngress --> Konnectivity
- MCIngress --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-##### PublicAndPrivate Endpoint Access
-
-Services are accessible both from the public internet through external DNS and privately through Azure Private Link Service. Konnectivity and Ignition hostnames are handled internally.
-
-- **APIServer**: `Route` (hostname required)
-- **OAuthServer**: `Route` (hostname required)
-- **Konnectivity**: `Route` (hostname handled internally)
-- **Ignition**: `Route` (hostname handled internally)
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: Azure
- azure:
- azureAuthenticationConfig:
- azureAuthenticationConfigType: WorkloadIdentities
- workloadIdentities:
- # Workload identity configuration
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: api.my-cluster.example.com
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: oauth.my-cluster.example.com
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster (OpenShift)"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- end
- MCIngress[Management Cluster
Ingress Controller]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
- PrivLink[Azure Private
Link Service]
-
- ExtUsers --> |External DNS| MCIngress
- DataPlane --> |Private Link| PrivLink
- PrivLink --> MCIngress
-
- MCIngress --> KAS
- MCIngress --> OAuth
- MCIngress --> Konnectivity
- MCIngress --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- classDef privLinkStyle fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px;
-
- class HCP hcpStyle
- class PrivLink privLinkStyle
-```
-
-##### Private Endpoint Access
-
-All traffic flows through Azure Private Link Service. Not accessible from the public internet. Konnectivity and Ignition hostnames are handled internally.
-
-- **APIServer**: `Route` (hostname required)
-- **OAuthServer**: `Route` (hostname required)
-- **Konnectivity**: `Route` (hostname handled internally)
-- **Ignition**: `Route` (hostname handled internally)
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: Azure
- azure:
- azureAuthenticationConfig:
- azureAuthenticationConfigType: WorkloadIdentities
- workloadIdentities:
- # Workload identity configuration
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: api.my-cluster.example.com
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: oauth.my-cluster.example.com
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster (OpenShift)"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- end
- MCIngress[Management Cluster
Ingress Controller]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
- PrivLink[Azure Private
Link Service]
-
- ExtUsers --> |Private Link| PrivLink
- DataPlane --> |Private Link| PrivLink
- PrivLink --> MCIngress
-
- MCIngress --> KAS
- MCIngress --> OAuth
- MCIngress --> Konnectivity
- MCIngress --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- classDef privLinkStyle fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px;
-
- class HCP hcpStyle
- class PrivLink privLinkStyle
-```
-
-### Managed GCP
-
-Managed GCP (Google Cloud Platform) HostedClusters are managed service deployments on GCP. Publishing strategies are determined by the endpoint access mode. All services use Route publishing strategy, including APIServer.
-
-#### PublicAndPrivate Endpoint Access
-
-External DNS is required for GCP (`--external-dns-domain` flag):
-
-- **APIServer**: `Route` (hostname required)
-- **OAuthServer**: `Route` (hostname required)
-- **Konnectivity**: `Route` (hostname required)
-- **Ignition**: `Route` (hostname required)
-
-All Route-based services are exposed through a dedicated HCP router with both internal and external load balancers.
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: GCP
- gcp:
- endpointAccess: PublicAndPrivate
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: api.my-cluster.example.com
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: oauth.my-cluster.example.com
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- route:
- hostname: konnectivity.my-cluster.example.com
- - service: Ignition
- servicePublishingStrategy:
- type: Route
- route:
- hostname: ignition.my-cluster.example.com
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- Router[HCP Router]
- InternalLB[Internal LB]
- ExternalLB[External LB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane -->|Private Service Connect| InternalLB
- ExtUsers --> ExternalLB
-
- InternalLB --> Router
- ExternalLB --> Router
-
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-#### Private Endpoint Access
-
-All traffic in private GCP clusters happens via Private Service Connect. All services use Route publishing through an HCP router with an internal load balancer.
-
-- **APIServer**: `Route`
-- **OAuthServer**: `Route`
-- **Konnectivity**: `Route`
-- **Ignition**: `Route`
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: GCP
- gcp:
- endpointAccess: Private
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- Router[HCP Router]
- InternalLB[Internal LB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane -->|Private Service Connect| InternalLB
- ExtUsers-->|Private Service Connect| InternalLB
-
- InternalLB --> Router
-
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-### KubeVirt
-
-KubeVirt is unique in supporting both Ingress-based (Route/LoadBalancer) and NodePort-based service publishing strategies through the `--service-publishing-strategy` flag.
-
-#### Supported Publishing Strategies
-
-**Ingress Strategy (Default)**:
-
-| Service | Supported Strategies |
-|---------|---------------------|
-| **APIServer** | `LoadBalancer` or `Route`* |
-| **OAuthServer** | `Route` |
-| **Konnectivity** | `Route` |
-| **Ignition** | `Route` |
-
-\* With external DNS, uses `Route`; without it, uses `LoadBalancer`.
-
-**NodePort Strategy**:
-
-| Service | Supported Strategies |
-|---------|---------------------|
-| **APIServer** | `NodePort` |
-| **OAuthServer** | `NodePort` |
-| **Konnectivity** | `NodePort` |
-| **Ignition** | `NodePort` |
-
-#### Validation Rules
-
-- When using `--service-publishing-strategy=NodePort`, the `--api-server-address` flag is required
-- If not provided, the system will attempt to auto-detect the API server address
-- Supports `--external-dns-domain` flag when using Ingress strategy
-
-#### Example Configurations
-
-**Ingress Strategy with External DNS**:
-
-```yaml
-spec:
- platform:
- type: Kubevirt
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: Route
- route:
- hostname: api-mycluster.example.com
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-**Architecture Diagram:**
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- Router[HCP Router]
- ExternalLB[External LB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane --> ExternalLB
- ExtUsers --> ExternalLB
-
- ExternalLB --> Router
-
- Router --> KAS
- Router --> OAuth
- Router --> Konnectivity
- Router --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-**NodePort Strategy**:
-
-```yaml
-spec:
- platform:
- type: Kubevirt
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 192.168.1.100
- port: 30000
- - service: OAuthServer
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 192.168.1.100
- - service: Konnectivity
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 192.168.1.100
- - service: Ignition
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 192.168.1.100
-```
-
-**Architecture Diagram:**
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer
NodePort]
- OAuth[OAuthServer
NodePort]
- Konnectivity[Konnectivity
NodePort]
- Ignition[Ignition
NodePort]
- end
- Node1[Management Node
192.168.1.100]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane --> |NodePort| Node1
- ExtUsers --> |NodePort| Node1
-
- Node1 --> KAS
- Node1 --> OAuth
- Node1 --> Konnectivity
- Node1 --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-### Agent
-
-The Agent platform supports multiple service publishing strategies. By default, the `hcp create cluster agent` command creates a hosted cluster with NodePort configuration. However, LoadBalancer is the preferred publishing strategy for production environments.
-
-#### Supported Publishing Strategies
-
-| Service | Supported Strategies |
-|---------|---------------------|
-| **APIServer** | `NodePort` (default), `LoadBalancer`, `Route` |
-| **OAuthServer** | `NodePort`, `Route` |
-| **Konnectivity** | `NodePort`, `Route` |
-| **Ignition** | `NodePort`, `Route` |
-
-#### Publishing Strategy Recommendations
-
-- **NodePort (Default)**: Used by default when creating clusters with `hcp create cluster agent`. Suitable for development and testing.
-- **LoadBalancer (Recommended for Production)**: Provides better certificate handling and automatic DNS resolution. Requires MetalLB or similar load balancer infrastructure.
-- **Route**: Services can be exposed through Routes on the management cluster's ingress controller.
-
-#### NodePort Strategy (Default)
-
-**Configuration:**
-
-- **APIServer**: `NodePort` (with address and optional port)
-- **OAuthServer**: `NodePort`
-- **Konnectivity**: `NodePort`
-- **Ignition**: `NodePort`
-
-**Important Notes:**
-- When using NodePort, the `--api-server-address` flag is required or the system will auto-detect the API server address from available nodes
-- DNS must point to the hosted cluster compute nodes, not the management cluster nodes
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: Agent
- agent:
- agentNamespace: agent-namespace
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 10.0.0.100
- port: 30000
- - service: OAuthServer
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 10.0.0.100
- - service: Konnectivity
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 10.0.0.100
- - service: Ignition
- servicePublishingStrategy:
- type: NodePort
- nodePort:
- address: 10.0.0.100
-```
-
-**Architecture Diagram:**
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer
NodePort]
- OAuth[OAuthServer
NodePort]
- Konnectivity[Konnectivity
NodePort]
- Ignition[Ignition
NodePort]
- end
- Node1[Management Node
10.0.0.100]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane --> |NodePort:30000| Node1
- ExtUsers --> |NodePort:30000| Node1
-
- Node1 --> KAS
- Node1 --> OAuth
- Node1 --> Konnectivity
- Node1 --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-#### LoadBalancer Strategy (Recommended for Production)
-
-**Configuration:**
-
-- **APIServer**: `LoadBalancer`
-- **OAuthServer**: `Route`
-- **Konnectivity**: `Route`
-- **Ignition**: `Route`
-
-**Benefits:**
-- Better certificate handling
-- Automatic DNS resolution
-- Simplified access through a single IP address
-
-**Prerequisites:**
-- MetalLB or similar load balancer infrastructure must be installed and configured on the hosted cluster
-
-**Example Configuration:**
-
-```yaml
-spec:
- platform:
- type: Agent
- agent:
- agentNamespace: agent-namespace
- services:
- - service: APIServer
- servicePublishingStrategy:
- type: LoadBalancer
- - service: OAuthServer
- servicePublishingStrategy:
- type: Route
- - service: Konnectivity
- servicePublishingStrategy:
- type: Route
- - service: Ignition
- servicePublishingStrategy:
- type: Route
-```
-
-**Architecture Diagram:**
-
-```mermaid
-graph RL
- subgraph "Management Cluster"
- subgraph HCP ["Hosted Control Plane"]
- KAS[APIServer]
- OAuth[OAuthServer]
- Konnectivity[Konnectivity]
- Ignition[Ignition]
- KASLB[KAS LoadBalancer
MetalLB]
- end
- MCIngress[Management Cluster
Ingress]
- end
-
- DataPlane[Data Plane]
- ExtUsers[External Users]
-
- DataPlane --> KASLB
- DataPlane --> MCIngress
- ExtUsers --> KASLB
- ExtUsers --> MCIngress
-
- KASLB --> KAS
- MCIngress --> OAuth
- MCIngress --> Konnectivity
- MCIngress --> Ignition
-
- classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
- class HCP hcpStyle
-```
-
-## Summary Table
-
-| Platform | APIServer Default | Other Services Default | External DNS Support | NodePort Support | Special Features |
-|----------|------------------|----------------------|---------------------|-----------------|------------------|
-| AWS | LoadBalancer or Route | Route | Yes | No | Endpoint access modes |
-| Azure (Managed/ARO HCP)\* | Route (hostname required) | Route (hostname required) | No | No | Shared ingress HAProxy + Swift, all Routes need explicit hostnames |
-| Azure (Self-Managed) | Route (hostname required) | Route (hostname required) | Required | No | Endpoint access modes (Public, PublicAndPrivate, Private), uses workload identities |
-| GCP (Managed) | Route | Route | Required | No | Endpoint access modes (PublicAndPrivate, Private) |
-| KubeVirt | LoadBalancer or Route | Route | Yes | Yes | Dual strategy support via flag |
-| Agent | NodePort (default), LoadBalancer | NodePort, Route | No | Yes (default) | LoadBalancer recommended for production |
-
-\* **ARO HCP**: All clusters are PublicAndPrivate. External traffic (KAS, OAuth) flows through a shared HAProxy deployment with SNI-based hostname routing. In-cluster traffic (Konnectivity, Ignition) flows through Swift (Azure Service Networking), where private router pods connect directly to the customer VNet and services resolve via `hypershift.local`.
-
-## Best Practices
-
-1. **Use External DNS when available**: For cloud platforms that support it (AWS, Azure, GCP, KubeVirt), using the `--external-dns-domain` flag provides a cleaner configuration with predictable hostnames for all services. Note that Managed GCP requires external DNS, while it's optional for AWS, Azure, and KubeVirt.
-
-2. **Understand endpoint access modes**: On AWS, choose the endpoint access mode that matches your security requirements:
- - `Public`: Services accessible from the internet
- - `PublicAndPrivate`: Services accessible from both internet and VPC
- - `Private`: Services only accessible from VPC
-
-3. **Validate your configuration**: Always check the `ValidConfiguration` condition on your HostedCluster to ensure your service publishing strategy is valid:
- ```bash
- oc get hostedcluster
-
AzurePrivateLinkService represents Azure Private Link Service infrastructure -for private connectivity to hosted cluster API servers.
- -| Field | -Description | -
|---|---|
-apiVersion
-string |
-
-
-hypershift.openshift.io/v1beta1
-
- |
-
-kind
-string
- |
-AzurePrivateLinkService |
-
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-(Optional)
- metadata is the metadata for the AzurePrivateLinkService. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-
-spec,omitzero
-
-
-AzurePrivateLinkServiceSpec
-
-
- |
-
- spec is the specification for the AzurePrivateLinkService. - |
-
-status,omitzero
-
-
-AzurePrivateLinkServiceStatus
-
-
- |
-
-(Optional)
- status is the status of the AzurePrivateLinkService. - |
-
CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
@@ -253,9 +178,7 @@ This value must be a valid IPv4 or IPv6 address.forwardingRuleName
-
-GCPResourceName
-
+string
consumerAcceptList specifies which customer projects can connect. -Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”). -A maximum of 50 entries are allowed. -See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project ID and number formats.
+consumerAcceptList specifies which customer projects can connect +Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”)
natSubnet
-
-GCPResourceName
-
+string
-
HCPEtcdBackup represents a request to back up etcd for a hosted control plane. -This resource is feature-gated behind the HCPEtcdBackup feature gate.
- -| Field | -Description | -
|---|---|
-apiVersion
-string |
-
-
-hypershift.openshift.io/v1beta1
-
- |
-
-kind
-string
- |
-HCPEtcdBackup |
-
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-(Optional)
- metadata is the metadata for the HCPEtcdBackup. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-
-spec,omitzero
-
-
-HCPEtcdBackupSpec
-
-
- |
-
- spec is the specification for the HCPEtcdBackup. - |
-
-status,omitzero
-
-
-HCPEtcdBackupStatus
-
-
- |
-
-(Optional)
- status is the status of the HCPEtcdBackup. - |
-
HostedCluster is the primary representation of a HyperShift cluster and encapsulates @@ -673,8 +517,7 @@ AutoNode
autoNode specifies the configuration for automatic node provisioning and lifecycle management. -When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads.
+autoNode specifies the configuration for the autoNode feature.
terminationHandlerQueueURL
-
-string
-
-terminationHandlerQueueURL specifies the SQS queue URL for EC2 spot interruption events. -This is required when using spot instances (marketType: Spot) in NodePools to enable -graceful handling of spot instance terminations.
-The queue should be configured to receive EC2 Spot Instance Interruption Warnings -and EC2 Instance Rebalance Recommendations via EventBridge rules. -The AWS Node Termination Handler will poll this queue and cordon/drain nodes -before they are terminated, providing a best effort for graceful shutdown.
-Supports both standard and FIFO queues (FIFO queues end with .fifo suffix).
--
AutoNode specifies the configuration for automatic node provisioning and lifecycle management.
+We expose here internal configuration knobs that won’t be exposed to the service.
-provisionerConfig,omitzero
+provisionerConfig
ProvisionerConfig
@@ -3043,52 +2867,7 @@ ProvisionerConfig
|
- provisionerConfig specifies the provisioner used for automatic node management. - |
-
-(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) -
--
AutoNodeStatus contains the observed state of the AutoNode provisioner.
- -| Field | -Description | -
|---|---|
-nodeCount
-
-int32
-
- |
-
-(Optional)
- nodeCount is the number of nodes fully provisioned by Karpenter. -These are node objects that exist in the cluster and carry the karpenter.sh/nodepool label. - |
-
-nodeClaimCount
-
-int32
-
- |
-
-(Optional)
- nodeClaimCount is the total number of NodeClaims managed by Karpenter. -This represents what Karpenter intends to provision, whether or not the node object exists yet. +provisionerConfig is the implementation used for Node auto provisioning. |
+(Appears on: +AzureAuthenticationConfiguration) +
++
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components +that authenticate with Azure’s API.
+ +| Field | +Description | +
|---|---|
-topology
+controlPlane
-
-AzureTopologyType
+
+ControlPlaneManagedIdentities
|
-(Optional)
- topology specifies the network topology of the API server endpoint for the hosted cluster. -- Public: The API server is accessible only via a public endpoint. -- PublicAndPrivate: The API server is accessible via both public and private endpoints. -- Private: The API server is accessible only via a private endpoint. -When omitted, this means no opinion and the platform is left to choose a reasonable -default, which is subject to change over time. The current default is Public. -This field must be set explicitly for self-hosted environments (WorkloadIdentities). -Transitions between PublicAndPrivate and Private are allowed after creation. -Transitions from Public to non-Public (or vice versa) are not allowed. -When set to Private or PublicAndPrivate, the private field must be provided. +controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to +authenticate with Azure’s API. |
-private,omitzero
+dataPlane
-
-AzurePrivateSpec
+
+DataPlaneManagedIdentities
|
-(Optional)
- private configures private connectivity to the hosted cluster’s API server. -This field is required when topology is Private or PublicAndPrivate, and must -not be set when topology is Public. -Once set at cluster creation, this field cannot be removed, and it cannot be -added to an existing cluster that was created without it. +dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with +Azure’s API. |
(Appears on: -AzurePrivateLinkService) +AzureNodePoolPlatform)
-
AzurePrivateLinkServiceSpec defines the desired state of AzurePrivateLinkService
+AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
-loadBalancerIP
-
-string
-
- |
-
-(Optional)
- loadBalancerIP is the frontend IP address of the internal load balancer that -fronts the hosted control plane’s API server. This field is populated automatically -by the control plane operator from the kube-apiserver service status. -It is not set by users directly. -When set, the value must be a valid IPv4 or IPv6 address. - |
-
-subscriptionID
+type
-
-AzureSubscriptionID
+
+AzureVMImageType
|
- subscriptionID is the Azure subscription ID where the Private Link Service -resources will be created. Must be a valid UUID consisting of hexadecimal -characters and hyphens in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -where x is a hexadecimal digit 0-9a-f. - |
-
-resourceGroupName
-
-string
-
- |
-
- resourceGroupName is the name of the Azure resource group where the Private Link -Service resources will be created. Must be 1-90 characters consisting of -alphanumerics, underscores, hyphens, periods, and parentheses. Cannot end with a period. -See https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules +type is the type of image data that will be provided to the Azure VM. +Valid values are “ImageID” and “AzureMarketplace”. +ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. +AzureMarketplace means the VM will boot from an Azure Marketplace image. +Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. +When Type is “AzureMarketplace”, you can either: +1. Specify only imageGeneration to use marketplace defaults from the release payload +2. Specify publisher, offer, sku, and version to use an explicit marketplace image +3. Specify all fields (imageGeneration along with publisher, offer, sku, version) |
-location
+imageID
string
|
- location is the Azure region where the Private Link Service resources will be -created (e.g., “eastus”, “westeurope”, “centralus”). Must match the region -of the management cluster. +(Optional) +imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. +TODO: What is the valid character set for this field? What about minimum and maximum lengths? |
-natSubnetID
+azureMarketplace
-
-AzureSubnetResourceID
+
+AzureMarketplaceImage
|
(Optional)
- natSubnetID is the full Azure resource ID of the subnet used for Private Link Service -NAT IP allocation. This subnet must have privateLinkServiceNetworkPolicies disabled. -If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} - |
-
-additionalAllowedSubscriptions
-
-
-[]AzureSubscriptionID
-
-
- |
-
-(Optional)
- additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs -permitted to create Private Endpoints to the Private Link Service. The guest cluster’s -own subscription (derived from guestSubnetID) is always automatically allowed, so it -does not need to be listed here. -Each entry must be a valid UUID of exactly 36 characters consisting of -lowercase hexadecimal characters and hyphens in the format -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx where x is a hexadecimal digit 0-9a-f. -A maximum of 50 subscriptions may be specified. +azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. |
+(Appears on: +AzureMarketplaceImage) +
++
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
+ +
-guestSubnetID
-
-
-AzureSubnetResourceID
-
-
- |
-
- guestSubnetID is the full Azure resource ID of the subnet in the guest VNet where -the Private Endpoint will be created. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} - |
+Value | +Description |
|---|---|---|---|
-guestVNetID
-
-
-AzureVNetResourceID
-
-
+ | |||
"Gen1" |
+Gen1 represents Hyper-V Generation 1 VMs |
-
- guestVNetID is the full Azure resource ID of the guest VNet for Private DNS zone linking. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName} + | |
"Gen2" |
+Gen2 represents Hyper-V Generation 2 VMs |
-
+(Appears on: +AzureVMImage) +
++
AzureVMImageType is used to specify the source of the Azure VM boot image. +Valid values are ImageID and AzureMarketplace.
+ +
-baseDomain
-
-string
-
+ | Value | +Description | +
|---|---|---|
"AzureMarketplace" |
+AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. |
-
-(Optional)
- baseDomain is the cluster’s base domain (e.g., “example.hypershift.azure.devcluster.openshift.com”).
-Used to create a Private DNS Zone so that worker VMs can resolve the API and OAuth
-hostnames (api- |
"ImageID" |
+ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. |
-
(Appears on: -AzurePrivateLinkService) +AzureAuthenticationConfiguration)
-
AzurePrivateLinkServiceStatus defines the observed state of AzurePrivateLinkService
+AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure +needing to authenticate with Azure’s API.
-conditions
+imageRegistry
-
-[]Kubernetes meta/v1.Condition
+
+WorkloadIdentity
|
-(Optional)
- conditions represent the current state of PLS infrastructure. -Current condition types are: “AzurePrivateLinkServiceAvailable”, “AzureInternalLoadBalancerAvailable”, -“AzurePLSCreated”, “AzurePrivateEndpointAvailable”, “AzurePrivateDNSAvailable” - |
-
-internalLoadBalancerID
-
-string
-
- |
-
-(Optional)
- internalLoadBalancerID is the Azure resource ID of the internal load balancer -fronting the hosted control plane. The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/loadBalancers/{loadBalancerName} -where subscriptionID is a UUID, resourceGroup is up to 90 characters, and -loadBalancerName is up to 80 characters. - |
-
-privateLinkServiceID
-
-string
-
- |
-
-(Optional)
- privateLinkServiceID is the Azure resource ID of the Private Link Service. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateLinkServices/{plsName} +imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in +workload identity authentication. |
-privateLinkServiceAlias
+ingress
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateLinkServiceAlias is the globally unique alias for the Private Link Service, -auto-generated by Azure in the format {plsName}.{guid}.{region}.azure.privatelinkservice. -MaxLength=170 covers: PLS name (80) + GUID (36) + region (19, e.g. “southcentralusstage”) +ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in +workload identity authentication. |
-privateEndpointID
+file
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateEndpointID is the Azure resource ID of the Private Endpoint. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateEndpoints/{endpointName} +file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, +used in workload identity authentication. |
-privateEndpointIP
+disk
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateEndpointIP is the private IP address assigned to the Private Endpoint. -Must be a valid IPv4 (e.g., “10.0.1.4”) or IPv6 address. +disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, +used in workload identity authentication. |
-privateDNSZoneID
+nodePoolManagement
-string
+
+WorkloadIdentity
+
|
-(Optional)
- privateDNSZoneID is the Azure resource ID of the Private DNS Zone. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} +nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used +in workload identity authentication. |
-dnsZoneName
+cloudProvider
-string
+
+WorkloadIdentity
+
|
-(Optional)
- dnsZoneName is the Private DNS zone name (derived from the KAS hostname). -Persisted at creation time so that deletion does not depend on the -HostedControlPlane still existing. -Must be a valid DNS domain name consisting of alphanumeric characters, hyphens, -and periods, where each segment starts and ends with an alphanumeric character -(e.g., “api-mycluster.example.hypershift.azure.devcluster.openshift.com”). +cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in +workload identity authentication. |
-baseDomainDNSZoneID
+network
-string
+
+WorkloadIdentity
+
|
-(Optional)
- baseDomainDNSZoneID is the Azure resource ID of the base domain Private DNS Zone. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} +network is the client ID of a federated managed identity, associated with cluster-network-operator, used in +workload identity authentication. |
+(Appears on: +APIServerNetworking) +
++
+###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities }(Appears on: -AzurePrivateSpec) +HostedClusterSpec, +HostedControlPlaneSpec)
-
AzurePrivateLinkSpec configures Azure Private Link Service connectivity.
+capabilities allows enabling or disabling optional components at install time. +When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective +OpenShift version, minus the baremetal capability. +Once set, it cannot be changed.
-natSubnetID
+enabled
-
-AzureSubnetResourceID
+
+[]OptionalCapability
|
(Optional)
- natSubnetID is the Azure resource ID of the subnet used for Private Link Service NAT IP allocation. -This subnet must have privateLinkServiceNetworkPolicies disabled. -If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. -The expected format is: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} -The maximum length is 355 characters. +enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. |
-additionalAllowedSubscriptions
+disabled
-
-[]AzureSubscriptionID
+
+[]OptionalCapability
|
(Optional)
- additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs -permitted to create Private Endpoints to the Private Link Service. The guest cluster’s -own subscription is always automatically allowed, so it does not need to be listed here. -Each item must be a valid UUID consisting of lowercase hexadecimal characters and hyphens, -in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -(e.g., “550e8400-e29b-41d4-a716-446655440000”). A maximum of 50 subscriptions may be specified. +disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. +Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. |
(Appears on: -AzurePlatformSpec) +PlacementOptions)
-
AzurePrivateSpec configures private connectivity to an Azure hosted cluster’s API server. -It is a discriminated union keyed on the type field, which selects the private connectivity -mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may -be added in the future.
+CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
-type
+id
+
+string
+
+ |
+
+(Optional)
+ id specifies the target Capacity Reservation into which the EC2 instances should be launched. +Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 +When empty, no specific Capacity Reservation is targeted. +When specified, preference cannot be set to ‘None’ or ‘Open’ as these +are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ +or omit preference field when targeting a specific reservation. + |
+
+marketType
-
-AzurePrivateType
+
+MarketType
|
- type specifies the private connectivity mechanism used for the hosted cluster’s API server. -“PrivateLink” selects Azure Private Link Service for private API server access. -This field is immutable once set. +(Optional) +marketType specifies the market type of the CapacityReservation for the EC2 instances. Valid values are OnDemand, CapacityBlocks and omitted: +- “OnDemand”: EC2 instances run as standard On-Demand instances. +- “CapacityBlocks”: scheduled pre-purchased compute capacity. Capacity Blocks is recommended when GPUs are needed to support ML workloads. +When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. +The current default value is CapacityBlocks. +When set to ‘CapacityBlocks’, a specific Capacity Reservation ID must be provided. |
-privateLink,omitzero
+preference
-
-AzurePrivateLinkSpec
+
+CapacityReservationPreference
|
(Optional)
- privateLink configures Azure Private Link Service for private API server access. -This field is required when type is “PrivateLink” and must not be set otherwise. +preference specifies the preference for use of Capacity Reservations by the instance. Valid values include: +- “”: No preference (platform default) +- “Open”: The instance may make use of open Capacity Reservations that match its AZ and InstanceType +- “None”: The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads +- “CapacityReservationsOnly”: The instance will only run if matched or targeted to a Capacity Reservation +Cannot be set to ‘None’ or ‘Open’ when a specific Capacity Reservation ID is provided, +as targeting a specific reservation is mutually exclusive with these general preference settings. |
(Appears on: -AzurePrivateSpec) +CapacityReservationOptions)
-
AzurePrivateType specifies the type of private connectivity mechanism used for the Azure -hosted cluster’s API server. This acts as the discriminator for the AzurePrivateSpec union.
+CapacityReservationPreference describes the preferred use of capacity reservations +of an instance
| Description | -|
|---|---|
"PrivateLink" |
-AzurePrivateTypePrivateLink specifies private connectivity using Azure Private Link Service. -In this mode, the operator creates a Private Link Service backed by the management cluster’s -internal load balancer, and a Private Endpoint in the guest VNet for private API server access. + |
"None" |
+CapacityReservationPreferenceNone the instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + |
+
"CapacityReservationsOnly" |
+CapacityReservationPreferenceOnly the instance will only run if matched or targeted to a Capacity Reservation + |
+
"Open" |
+CapacityReservationPreferenceOpen the instance may make use of open Capacity Reservations that match its AZ and InstanceType. |
(Appears on: -AzureAuthenticationConfiguration) +CertificateSigningRequestApproval)
-
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components -that authenticate with Azure’s API.
+CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval
+ +###CertificateSigningRequestApprovalStatus { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalStatus } ++(Appears on: +CertificateSigningRequestApproval) +
++
CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval
+ +###ClusterAutoscaling { #hypershift.openshift.io/v1beta1.ClusterAutoscaling } ++(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
ClusterAutoscaling specifies auto-scaling behavior that applies to all +NodePools associated with a control plane.
-controlPlane
+scaling
-
-ControlPlaneManagedIdentities
+
+ScalingType
|
- controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to -authenticate with Azure’s API. +(Optional) +scaling defines the scaling behavior for the cluster autoscaler. +ScaleUpOnly means the autoscaler will only scale up nodes, never scale down. +ScaleUpAndScaleDown means the autoscaler will both scale up and scale down nodes. +When set to ScaleUpAndScaleDown, the scaleDown field can be used to configure scale down behavior. +Note: This field is only supported in OpenShift versions 4.19 and above. |
-dataPlane
+scaleDown
-
-DataPlaneManagedIdentities
+
+ScaleDownConfig
|
- dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with -Azure’s API. +(Optional) +scaleDown configures the behavior of the Cluster Autoscaler scale down operation. +This field is only valid when scaling is set to ScaleUpAndScaleDown. |
-(Appears on: -AzurePrivateLinkServiceSpec, -AzurePrivateLinkSpec) -
--
AzureSubnetResourceID is a full Azure resource ID for a subnet. -The expected format is:
-/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
-
-
-###AzureSubscriptionID { #hypershift.openshift.io/v1beta1.AzureSubscriptionID }
--(Appears on: -AzurePrivateLinkServiceSpec, -AzurePrivateLinkSpec) -
--
AzureSubscriptionID is an Azure subscription ID in UUID format. -Must be exactly 36 characters consisting of hexadecimal digits [0-9a-fA-F] and hyphens -in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (e.g., “550e8400-e29b-41d4-a716-446655440000”).
- -###AzureTopologyType { #hypershift.openshift.io/v1beta1.AzureTopologyType } --(Appears on: -AzurePlatformSpec) -
--
AzureTopologyType specifies the network topology of the Azure API server endpoint.
- -| Value | -Description | -|
|---|---|---|
"Private" |
-AzureTopologyPrivate indicates the API server is accessible only via a private endpoint. - |
-|
"Public" |
-AzureTopologyPublic indicates the API server is accessible only via a public endpoint. + |
+balancingIgnoredLabels
+
+[]string
+
|
-
"PublicAndPrivate" |
-AzureTopologyPublicAndPrivate indicates the API server is accessible via both public and private endpoints. + |
+(Optional)
+ balancingIgnoredLabels sets “–balancing-ignore-label +HyperShift automatically appends platform-specific balancing ignore labels: +- AWS: “lifecycle”, “k8s.amazonaws.com/eniConfig”, “topology.k8s.aws/zone-id” +- Azure: “agentpool”, “kubernetes.azure.com/agentpool” +- Common: +- “hypershift.openshift.io/nodePool” +- “topology.ebs.csi.aws.com/zone” +- “topology.disk.csi.azure.com/zone” +- “ibm-cloud.kubernetes.io/worker-id” +- “vpc-block-csi-driver-labels” +These labels are added by default and do not need to be manually specified. |
-
-(Appears on: -AzureNodePoolPlatform) -
--
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
- -| Field | -Description | +
+maxNodesTotal
+
+int32
+
+ |
+
+(Optional)
+ maxNodesTotal is the maximum allowable number of nodes for the Autoscaler scale out to be operational. +The autoscaler will not grow the cluster beyond this number. +If omitted, the autoscaler will not have a maximum limit. +number. + |
|---|---|---|---|
-type
+maxPodGracePeriod
-
-AzureVMImageType
-
+int32
|
- type is the type of image data that will be provided to the Azure VM. -Valid values are “ImageID” and “AzureMarketplace”. -ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. -AzureMarketplace means the VM will boot from an Azure Marketplace image. -Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. -When Type is “AzureMarketplace”, you can either: -1. Specify only imageGeneration to use marketplace defaults from the release payload -2. Specify publisher, offer, sku, and version to use an explicit marketplace image -3. Specify all fields (imageGeneration along with publisher, offer, sku, version) +(Optional) +maxPodGracePeriod is the maximum seconds to wait for graceful pod +termination before scaling down a NodePool. The default is 600 seconds. |
||
-imageID
+maxNodeProvisionTime
string
|
(Optional)
- imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. -TODO: What is the valid character set for this field? What about minimum and maximum lengths? +maxNodeProvisionTime is the maximum time to wait for node provisioning +before considering the provisioning to be unsuccessful, expressed as a Go +duration string. The default is 15 minutes. |
||
-azureMarketplace
+maxFreeDifferenceRatioPercent
-
-AzureMarketplaceImage
-
+int32
|
(Optional)
- azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. +maxFreeDifferenceRatioPercent sets the maximum difference ratio for free resources between similar node groups. This parameter controls how strict the similarity check is when comparing node groups for load balancing. +The value represents a percentage from 0 to 100. +When set to 0, this means node groups must have exactly the same free resources to be considered similar (no difference allowed). +When set to 100, this means node groups will be considered similar regardless of their free resource differences (any difference allowed). +A value between 0 and 100 represents the maximum allowed difference ratio for free resources between node groups to be considered similar. +When omitted, the autoscaler defaults to 10%. +This affects the “–max-free-difference-ratio” flag on cluster-autoscaler. |
-(Appears on: -AzureMarketplaceImage) -
--
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
- -| Value | -Description | -|
|---|---|---|
"Gen1" |
-Gen1 represents Hyper-V Generation 1 VMs + |
+podPriorityThreshold
+
+int32
+
|
-
"Gen2" |
-Gen2 represents Hyper-V Generation 2 VMs + |
+(Optional)
+ podPriorityThreshold enables users to schedule “best-effort” pods, which +shouldn’t trigger autoscaler actions, but only run when there are spare +resources available. The default is -10. +See the following for more details: +https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption |
-
-(Appears on: -AzureVMImage) -
--
AzureVMImageType is used to specify the source of the Azure VM boot image. -Valid values are ImageID and AzureMarketplace.
- -| Value | -Description | |
|---|---|---|
"AzureMarketplace" |
-AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. + | |
+expanders
+
+
+[]ExpanderString
+
+
|
-||
"ImageID" |
-ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. + |
+(Optional)
+ expanders guide the autoscaler in choosing node groups during scale-out.
+Sets the order of expanders for scaling out node groups.
+Options include:
+* LeastWaste - selects the group with minimal idle CPU and memory after scaling.
+* Priority - selects the group with the highest user-defined priority.
+* Random - selects a group randomly.
+If not specified, |
-
-(Appears on: -AzurePrivateLinkServiceSpec) -
--
AzureVNetResourceID is a full Azure resource ID for a virtual network. -The expected format is:
-/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}
-
-
-###AzureWorkloadIdentities { #hypershift.openshift.io/v1beta1.AzureWorkloadIdentities }
+###ClusterConfiguration { #hypershift.openshift.io/v1beta1.ClusterConfiguration }
(Appears on: -AzureAuthenticationConfiguration) +HostedClusterSpec, +HostedControlPlaneSpec)
-
AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure -needing to authenticate with Azure’s API.
+ClusterConfiguration specifies configuration for individual OCP components in the +cluster, represented as embedded resources that correspond to the openshift +configuration API.
+The API for individual configuration items is at: +https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html
-imageRegistry
+apiServer
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.APIServerSpec
|
- imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in -workload identity authentication. +(Optional) +apiServer holds configuration (like serving certificates, client CA and CORS domains) +shared by all API servers in the system, among them especially kube-apiserver +and openshift-apiserver. |
-ingress
+authentication
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.AuthenticationSpec
|
- ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in -workload identity authentication. +(Optional) +authentication specifies cluster-wide settings for authentication (like OAuth and +webhook token authenticators). |
-file
+featureGate
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.FeatureGateSpec
|
- file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, -used in workload identity authentication. +(Optional) +featureGate holds cluster-wide information about feature gates. |
-disk
+image
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.ImageSpec
|
- disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, -used in workload identity authentication. +(Optional) +image governs policies related to imagestream imports and runtime configuration +for external registries. It allows cluster admins to configure which registries +OpenShift is allowed to import images from, extra CA trust bundles for external +registries, and policies to block or allow registry hostnames. +When exposing OpenShift’s image registry to the public, this also lets cluster +admins specify the external hostname. +This input will be part of every payload generated by the controllers for any NodePool of the HostedCluster. +Changing this value will trigger a rollout for all existing NodePools in the cluster. |
-nodePoolManagement
+ingress
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.IngressSpec
|
- nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used -in workload identity authentication. +(Optional) +ingress holds cluster-wide information about ingress, including the default ingress domain +used for routes. |
-cloudProvider
+network
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.NetworkSpec
|
- cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in -workload identity authentication. +(Optional) +network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. +Please view network.spec for an explanation on what applies when configuring this resource. +TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. |
-network
+oauth
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.OAuthSpec
|
- network is the client ID of a federated managed identity, associated with cluster-network-operator, used in -workload identity authentication. +(Optional) +oauth holds cluster-wide information about OAuth. +It is used to configure the integrated OAuth server. +This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. |
-controlPlaneOperator,omitzero
+operatorhub
-
-WorkloadIdentity
+
+github.com/openshift/api/config/v1.OperatorHubSpec
|
(Optional)
- controlPlaneOperator is the client ID of a federated managed identity, associated with control-plane-operator, -used in workload identity authentication for Azure Private Link Service operations. +operatorhub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. +The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. |
-(Appears on: -APIServerNetworking) -
--
-###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities } --(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) -
--
capabilities allows enabling or disabling optional components at install time. -When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective -OpenShift version, minus the baremetal capability. -Once set, it cannot be changed.
- -| Field | -Description | -
|---|---|
-enabled
+scheduler
-
-[]OptionalCapability
+
+github.com/openshift/api/config/v1.SchedulerSpec
|
(Optional)
- enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. +scheduler holds cluster-wide config information to run the Kubernetes Scheduler
+and influence its placement decisions. The canonical name for this config is |
-disabled
+proxy
-
-[]OptionalCapability
+
+github.com/openshift/api/config/v1.ProxySpec
|
(Optional)
- disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. -Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. +proxy holds cluster-wide information on how to configure default proxies for the cluster. +This affects traffic flowing from the hosted cluster data plane. +The controllers will generate a machineConfig with the proxy config for the cluster. +This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. +Changing this value will trigger a rollout for all existing NodePools in the cluster. |
(Appears on: -PlacementOptions) +ClusterNetworking)
-
CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
+ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks +are allocated with size 2^HostSubnetLength.
-id
-
-string
-
- |
-
-(Optional)
- id specifies the target Capacity Reservation into which the EC2 instances should be launched. -Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 -When empty, no specific Capacity Reservation is targeted. -When specified, preference cannot be set to ‘None’ or ‘Open’ as these -are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ -or omit preference field when targeting a specific reservation. - |
-
-marketType
+cidr
-
-MarketType
+
+github.com/openshift/hypershift/api/util/ipnet.IPNet
|
-(Optional)
- marketType specifies the market type of the CapacityReservation for the EC2 instances. -Deprecated: Use placement.marketType instead. This field is maintained for backward compatibility. -When both placement.marketType and capacityReservation.marketType are set, placement.marketType takes precedence. -Valid values are OnDemand, CapacityBlocks and omitted: -- “OnDemand”: EC2 instances run as standard On-Demand instances. -- “CapacityBlocks”: scheduled pre-purchased compute capacity. Recommended for GPU/ML workloads. -When set to ‘CapacityBlocks’, a specific Capacity Reservation ID must be provided. +cidr is the IP block address pool. |
-preference
+hostPrefix
-
-CapacityReservationPreference
-
+int32
|
(Optional)
- preference specifies the preference for use of Capacity Reservations by the instance. Valid values include: -- “”: No preference (platform default) -- “Open”: The instance may make use of open Capacity Reservations that match its AZ and InstanceType -- “None”: The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads -- “CapacityReservationsOnly”: The instance will only run if matched or targeted to a Capacity Reservation -Cannot be set to ‘None’ or ‘Open’ when a specific Capacity Reservation ID is provided, -as targeting a specific reservation is mutually exclusive with these general preference settings. +hostPrefix is the prefix size to allocate to each node from the CIDR. +For example, 24 would allocate 2^(32-24)=2^8=256 addresses to each node. If this +field is not used by the plugin, it can be left unset. |
(Appears on: -CapacityReservationOptions) +OperatorConfiguration)
-
CapacityReservationPreference describes the preferred use of capacity reservations -of an instance
| Value | +Field | Description |
|---|---|---|
"None" |
-CapacityReservationPreferenceNone the instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads + | |
+disableMultiNetwork
+
+bool
+
|
-||
"CapacityReservationsOnly" |
-CapacityReservationPreferenceOnly the instance will only run if matched or targeted to a Capacity Reservation + |
+(Optional)
+ disableMultiNetwork when set to true disables the Multus CNI plugin and related components +in the hosted cluster. This prevents the installation of multus daemon sets in the +guest cluster and the multus-admission-controller in the management cluster. +Default is false (Multus is enabled). +This field is immutable. +This field can only be set to true when NetworkType is “Other”. Setting it to true +with any other NetworkType will result in a validation error during cluster creation. |
-
"Open" |
-CapacityReservationPreferenceOpen the instance may make use of open Capacity Reservations that match its AZ and InstanceType. + | |
+ovnKubernetesConfig
+
+
+OVNKubernetesConfig
+
+
|
-
+(Optional)
+ ovnKubernetesConfig holds OVN-Kubernetes specific configuration. +This is only consumed when NetworkType is OVNKubernetes. + |
+
+
-(Appears on: -CertificateSigningRequestApproval) -
--
CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval
- -###CertificateSigningRequestApprovalStatus { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalStatus } --(Appears on: -CertificateSigningRequestApproval) -
--
CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval
- -###ClusterAutoscaling { #hypershift.openshift.io/v1beta1.ClusterAutoscaling } +###ClusterNetworking { #hypershift.openshift.io/v1beta1.ClusterNetworking }(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
-
ClusterAutoscaling specifies auto-scaling behavior that applies to all -NodePools associated with a control plane.
+clusterNetworking specifies network configuration for a cluster. +All CIDRs must be unique. Additional validation to check for CIDRs overlap and consistent network stack is performed by the controllers. +Failing that validation will result in the HostedCluster being degraded and the validConfiguration condition being false. +TODO this is available in vanilla kube from 1.31 API servers and in Openshift from 4.16. +TODO(alberto): Use CEL cidr library for all these validation when all management clusters are >= 1.31.
-scaling
+machineNetwork
-
-ScalingType
+
+[]MachineNetworkEntry
|
(Optional)
- scaling defines the scaling behavior for the cluster autoscaler. -ScaleUpOnly means the autoscaler will only scale up nodes, never scale down. -ScaleUpAndScaleDown means the autoscaler will both scale up and scale down nodes. -When set to ScaleUpAndScaleDown, the scaleDown field can be used to configure scale down behavior. -Note: This field is only supported in OpenShift versions 4.19 and above. - |
-
-scaleDown
-
-
-ScaleDownConfig
-
-
- |
-
-(Optional)
- scaleDown configures the behavior of the Cluster Autoscaler scale down operation. -This field is only valid when scaling is set to ScaleUpAndScaleDown. +machineNetwork is the list of IP address pools for machines. +This might be used among other things to generate appropriate networking security groups in some clouds providers. +Currently only one entry or two for dual stack is supported. +This field is immutable. |
-balancingIgnoredLabels
+clusterNetwork
-[]string
+
+[]ClusterNetworkEntry
+
|
(Optional)
- balancingIgnoredLabels sets “–balancing-ignore-label -HyperShift automatically appends platform-specific balancing ignore labels: -- AWS: “lifecycle”, “k8s.amazonaws.com/eniConfig”, “topology.k8s.aws/zone-id” -- Azure: “agentpool”, “kubernetes.azure.com/agentpool” -- Common: -- “hypershift.openshift.io/nodePool” -- “topology.ebs.csi.aws.com/zone” -- “topology.disk.csi.azure.com/zone” -- “ibm-cloud.kubernetes.io/worker-id” -- “vpc-block-csi-driver-labels” -These labels are added by default and do not need to be manually specified. +clusterNetwork is the list of IP address pools for pods. +Defaults to cidr: “10.132.0.0/14”. +Currently only one entry is supported. +This field is immutable. |
-maxNodesTotal
+serviceNetwork
-int32
+
+[]ServiceNetworkEntry
+
|
(Optional)
- maxNodesTotal is the maximum allowable number of nodes for the Autoscaler scale out to be operational. -The autoscaler will not grow the cluster beyond this number. -If omitted, the autoscaler will not have a maximum limit. -number. +serviceNetwork is the list of IP address pools for services. +Defaults to cidr: “172.31.0.0/16”. +Currently only one entry is supported. +This field is immutable. |
-maxPodGracePeriod
+networkType
-int32
+
+NetworkType
+
|
(Optional)
- maxPodGracePeriod is the maximum seconds to wait for graceful pod -termination before scaling down a NodePool. The default is 600 seconds. +networkType specifies the SDN provider used for cluster networking. +Defaults to OVNKubernetes. +This field is required and immutable. +kubebuilder:validation:XValidation:rule=“self == oldSelf”, message=“networkType is immutable” |
-maxNodeProvisionTime
+apiServer
-string
+
+APIServerNetworking
+
|
(Optional)
- maxNodeProvisionTime is the maximum time to wait for node provisioning -before considering the provisioning to be unsuccessful, expressed as a Go -duration string. The default is 15 minutes. +apiServer contains advanced network settings for the API server that affect +how the APIServer is exposed inside a hosted cluster node. |
-maxFreeDifferenceRatioPercent
+allocateNodeCIDRs
-int32
+
+AllocateNodeCIDRsMode
+
|
(Optional)
- maxFreeDifferenceRatioPercent sets the maximum difference ratio for free resources between similar node groups. This parameter controls how strict the similarity check is when comparing node groups for load balancing. -The value represents a percentage from 0 to 100. -When set to 0, this means node groups must have exactly the same free resources to be considered similar (no difference allowed). -When set to 100, this means node groups will be considered similar regardless of their free resource differences (any difference allowed). -A value between 0 and 100 represents the maximum allowed difference ratio for free resources between node groups to be considered similar. -When omitted, the autoscaler defaults to 10%. -This affects the “–max-free-difference-ratio” flag on cluster-autoscaler. +allocateNodeCIDRs controls whether the kube-controller-manager manages node CIDR allocation. +When using networkType=Other, it is recommended to set this field to “Enabled” +if Flannel is used as the CNI, as it relies on this behavior. +Default is “Disabled”. +This field can only be set to “Enabled” when NetworkType is “Other”. Setting it to “Enabled” +with any other NetworkType will result in a validation error during cluster creation. |
+(Appears on: +OperatorConfiguration) +
++
ClusterVersionOperatorSpec is the specification of the desired behavior of the Cluster Version Operator.
+ +
-podPriorityThreshold
-
-int32
-
- |
-
-(Optional)
- podPriorityThreshold enables users to schedule “best-effort” pods, which -shouldn’t trigger autoscaler actions, but only run when there are spare -resources available. The default is -10. -See the following for more details: -https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - |
+Field | +Description |
|---|---|---|---|
-expanders
+operatorLogLevel
-
-[]ExpanderString
+
+LogLevel
|
(Optional)
- expanders guide the autoscaler in choosing node groups during scale-out.
-Sets the order of expanders for scaling out node groups.
-Options include:
-* LeastWaste - selects the group with minimal idle CPU and memory after scaling.
-* Priority - selects the group with the highest user-defined priority.
-* Random - selects a group randomly.
-If not specified, operatorLogLevel is an intent based logging for the operator itself. It does not give fine-grained control, +but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves. +Valid values are: “Normal”, “Debug”, “Trace”, “TraceAll”. +Defaults to “Normal”. |
(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +HostedClusterStatus, +HostedControlPlaneStatus)
-
ClusterConfiguration specifies configuration for individual OCP components in the -cluster, represented as embedded resources that correspond to the openshift -configuration API.
-The API for individual configuration items is at: -https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html
+ClusterVersionStatus reports the status of the cluster versioning, +including any upgrades that are in progress. The current field will +be set to whichever version the cluster is reconciling to, and the +conditions array will report whether the update succeeded, is in +progress, or is failing.
-apiServer
+desired
-github.com/openshift/api/config/v1.APIServerSpec
+github.com/openshift/api/config/v1.Release
|
-(Optional)
- apiServer holds configuration (like serving certificates, client CA and CORS domains) -shared by all API servers in the system, among them especially kube-apiserver -and openshift-apiserver. +desired is the version that the cluster is reconciling towards. +If the cluster is not yet fully initialized desired will be set +with the information available, which may be an image or a tag. |
-authentication
+history
-github.com/openshift/api/config/v1.AuthenticationSpec
+[]github.com/openshift/api/config/v1.UpdateHistory
|
(Optional)
- authentication specifies cluster-wide settings for authentication (like OAuth and -webhook token authenticators). +history contains a list of the most recent versions applied to the cluster. +This value may be empty during cluster startup, and then will be updated +when a new update is being applied. The newest update is first in the +list and it is ordered by recency. Updates in the history have state +Completed if the rollout completed - if an update was failing or halfway +applied the state will be Partial. Only a limited amount of update history +is preserved. |
-featureGate
+observedGeneration
-
-github.com/openshift/api/config/v1.FeatureGateSpec
-
+int64
|
-(Optional)
- featureGate holds cluster-wide information about feature gates. +observedGeneration reports which version of the spec is being synced. +If this value is not equal to metadata.generation, then the desired +and conditions fields may represent a previous version. |
-image
+availableUpdates
-github.com/openshift/api/config/v1.ImageSpec
+[]github.com/openshift/api/config/v1.Release
|
-(Optional)
- image governs policies related to imagestream imports and runtime configuration -for external registries. It allows cluster admins to configure which registries -OpenShift is allowed to import images from, extra CA trust bundles for external -registries, and policies to block or allow registry hostnames. -When exposing OpenShift’s image registry to the public, this also lets cluster -admins specify the external hostname. -This input will be part of every payload generated by the controllers for any NodePool of the HostedCluster. -Changing this value will trigger a rollout for all existing NodePools in the cluster. +availableUpdates contains updates recommended for this +cluster. Updates which appear in conditionalUpdates but not in +availableUpdates may expose this cluster to known issues. This list +may be empty if no updates are recommended, if the update service +is unavailable, or if an invalid channel has been specified. |
-ingress
+conditionalUpdates
-github.com/openshift/api/config/v1.IngressSpec
+[]github.com/openshift/api/config/v1.ConditionalUpdate
|
(Optional)
- ingress holds cluster-wide information about ingress, including the default ingress domain -used for routes. +conditionalUpdates contains the list of updates that may be +recommended for this cluster if it meets specific required +conditions. Consumers interested in the set of updates that are +actually recommended for this cluster should use +availableUpdates. This list may be empty if no updates are +recommended, if the update service is unavailable, or if an empty +or invalid channel has been specified. |
+(Appears on: +ControlPlaneComponentStatus) +
++
ComponentResource defines a resource reconciled by a ControlPlaneComponent.
+ +| Field | +Description | +
|---|---|
-network
+kind
-
-github.com/openshift/api/config/v1.NetworkSpec
-
+string
|
-(Optional)
- network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. -Please view network.spec for an explanation on what applies when configuring this resource. -TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. +kind is the name of the resource schema. |
-oauth
-
-
-github.com/openshift/api/config/v1.OAuthSpec
-
-
- |
-
-(Optional)
- oauth holds cluster-wide information about OAuth. -It is used to configure the integrated OAuth server. -This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - |
-
-operatorhub
-
-
-github.com/openshift/api/config/v1.OperatorHubSpec
-
-
- |
-
-(Optional)
- operatorhub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. -The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - |
-
-scheduler
+group
-
-github.com/openshift/api/config/v1.SchedulerSpec
-
+string
|
-(Optional)
- scheduler holds cluster-wide config information to run the Kubernetes Scheduler
-and influence its placement decisions. The canonical name for this config is group is the API group for this resource type. |
-proxy
+name
-
-github.com/openshift/api/config/v1.ProxySpec
-
+string
|
-(Optional)
- proxy holds cluster-wide information on how to configure default proxies for the cluster. -This affects traffic flowing from the hosted cluster data plane. -The controllers will generate a machineConfig with the proxy config for the cluster. -This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. -Changing this value will trigger a rollout for all existing NodePools in the cluster. +name is the name of this resource. |
-(Appears on: -ClusterNetworking) -
+###ConditionType { #hypershift.openshift.io/v1beta1.ConditionType }-
ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks -are allocated with size 2^HostSubnetLength.
| Field | +Value | Description |
|---|---|---|
-cidr
-
-
-github.com/openshift/hypershift/api/util/ipnet.IPNet
-
-
+ | ||
"AWSDefaultSecurityGroupCreated" |
+AWSDefaultSecurityGroupCreated indicates whether the default security group +for AWS workers has been created. +A failure here indicates that NodePools without a security group will be +blocked from creating machines. |
-
- cidr is the IP block address pool. + |
"AWSDefaultSecurityGroupDeleted" |
+AWSDefaultSecurityGroupDeleted indicates whether the default security group +for AWS workers has been deleted. +A failure here indicates that the Security Group has some dependencies that +there are still pending cloud resources to be deleted that are using that SG. |
-|
-hostPrefix
-
-int32
-
+ | ||
"AWSEndpointAvailable" |
+AWSEndpointServiceAvailable indicates whether the AWS Endpoint has been +created in the guest VPC |
-
-(Optional)
- hostPrefix is the prefix size to allocate to each node from the CIDR. -For example, 24 would allocate 2^(32-24)=2^8=256 addresses to each node. If this -field is not used by the plugin, it can be left unset. + |
"AWSEndpointServiceAvailable" |
+AWSEndpointServiceAvailable indicates whether the AWS Endpoint Service +has been created for the specified NLB in the management VPC |
-
-(Appears on: -OperatorConfiguration) -
--
-| Field | -Description | -|
|---|---|---|
-disableMultiNetwork
-
-bool
-
+ | ||
"AggregatedAPIServicesAvailable" |
+AggregatedAPIServicesAvailable indicates whether all aggregated APIServices +in the guest cluster are available. This includes OpenShift API Server, +OAuth API Server (when enabled), and OLM PackageServer APIServices. +This condition is an HCP implementation detail set by the HCCO and is not +bubbled up to the HostedCluster level. |
-
-(Optional)
- disableMultiNetwork when set to true disables the Multus CNI plugin and related components -in the hosted cluster. This prevents the installation of multus daemon sets in the -guest cluster and the multus-admission-controller in the management cluster. -Default is false (Multus is enabled). -This field is immutable. -This field can only be set to true when NetworkType is “Other”. Setting it to true -with any other NetworkType will result in a validation error during cluster creation. + |
"CVOScaledDown" |
++ | |
"CloudResourcesDestroyed" |
+CloudResourcesDestroyed bubbles up the same condition from HCP. It signals if the cloud provider infrastructure created by Kubernetes +in the consumer cloud provider account was destroyed. +A failure here may require external user intervention to resolve. E.g. cloud provider perms were corrupted. E.g. the guest cluster was broken +and kube resource deletion that affects cloud infra like service type load balancer can’t succeed. |
-|
-ovnKubernetesConfig
-
-
-OVNKubernetesConfig
-
-
+ | ||
"ClusterVersionAvailable" |
+ClusterVersionAvailable bubbles up Failing configv1.OperatorAvailable from the CVO. |
-
-(Optional)
- ovnKubernetesConfig holds OVN-Kubernetes specific configuration. -This is only consumed when NetworkType is OVNKubernetes. + |
"ClusterVersionFailing" |
+ClusterVersionFailing bubbles up Failing from the CVO. |
-
-(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) -
--
clusterNetworking specifies network configuration for a cluster. -All CIDRs must be unique. Additional validation to check for CIDRs overlap and consistent network stack is performed by the controllers. -Failing that validation will result in the HostedCluster being degraded and the validConfiguration condition being false. -TODO this is available in vanilla kube from 1.31 API servers and in Openshift from 4.16. -TODO(alberto): Use CEL cidr library for all these validation when all management clusters are >= 1.31.
- -| Field | -Description | -|
|---|---|---|
-machineNetwork
-
-
-[]MachineNetworkEntry
-
-
+ | ||
"ClusterVersionProgressing" |
+ClusterVersionProgressing bubbles up configv1.OperatorProgressing from the CVO. |
-
-(Optional)
- machineNetwork is the list of IP address pools for machines. -This might be used among other things to generate appropriate networking security groups in some clouds providers. -Currently only one entry or two for dual stack is supported. -This field is immutable. + |
"ClusterVersionReleaseAccepted" |
+ClusterVersionReleaseAccepted bubbles up Failing ReleaseAccepted from the CVO. |
-|
-clusterNetwork
-
-
-[]ClusterNetworkEntry
-
-
+ | ||
"ClusterVersionRetrievedUpdates" |
+ClusterVersionRetrievedUpdates bubbles up RetrievedUpdates from the CVO. |
-
-(Optional)
- clusterNetwork is the list of IP address pools for pods. -Defaults to cidr: “10.132.0.0/14”. -Currently only one entry is supported. -This field is immutable. + |
"ClusterVersionSucceeding" |
+ClusterVersionSucceeding indicates the current status of the desired release +version of the HostedCluster as indicated by the Failing condition in the +underlying cluster’s ClusterVersion. |
-|
-serviceNetwork
-
-
-[]ServiceNetworkEntry
-
-
+ | ||
"ClusterVersionUpgradeable" |
+ClusterVersionUpgradeable indicates the Upgradeable condition in the +underlying cluster’s ClusterVersion. |
-
-(Optional)
- serviceNetwork is the list of IP address pools for services. -Defaults to cidr: “172.31.0.0/16”. -Currently only one entry is supported. -This field is immutable. + |
"Available" |
+ControlPlaneComponentAvailable indicates whether the ControlPlaneComponent is available. |
-|
-networkType
-
-
-NetworkType
-
-
+ | ||
"RolloutComplete" |
+ControlPlaneComponentRolloutComplete indicates whether the ControlPlaneComponent has completed its rollout. |
-
-(Optional)
- networkType specifies the SDN provider used for cluster networking. -Defaults to OVNKubernetes. -This field is required and immutable. -kubebuilder:validation:XValidation:rule=“self == oldSelf”, message=“networkType is immutable” - |
-
-apiServer
-
-
-APIServerNetworking
-
-
- |
-
-(Optional)
- apiServer contains advanced network settings for the API server that affect -how the APIServer is exposed inside a hosted cluster node. - |
-|
-allocateNodeCIDRs
-
-
-AllocateNodeCIDRsMode
-
-
- |
-
-(Optional)
- allocateNodeCIDRs controls whether the kube-controller-manager manages node CIDR allocation. -When using networkType=Other, it is recommended to set this field to “Enabled” -if Flannel is used as the CNI, as it relies on this behavior. -Default is “Disabled”. -This field can only be set to “Enabled” when NetworkType is “Other”. Setting it to “Enabled” -with any other NetworkType will result in a validation error during cluster creation. - |
-
-(Appears on: -OperatorConfiguration) -
--
ClusterVersionOperatorSpec is the specification of the desired behavior of the Cluster Version Operator.
- -| Field | -Description | -
|---|---|
-operatorLogLevel
-
-
-LogLevel
-
-
- |
-
-(Optional)
- operatorLogLevel is an intent based logging for the operator itself. It does not give fine-grained control, -but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves. -Valid values are: “Normal”, “Debug”, “Trace”, “TraceAll”. -Defaults to “Normal”. - |
-
-(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) -
--
ClusterVersionStatus reports the status of the cluster versioning, -including any upgrades that are in progress. The current field will -be set to whichever version the cluster is reconciling to, and the -conditions array will report whether the update succeeded, is in -progress, or is failing.
- -| Field | -Description | -
|---|---|
-desired
-
-
-github.com/openshift/api/config/v1.Release
-
-
- |
-
- desired is the version that the cluster is reconciling towards. -If the cluster is not yet fully initialized desired will be set -with the information available, which may be an image or a tag. - |
-
-history
-
-
-[]github.com/openshift/api/config/v1.UpdateHistory
-
-
- |
-
-(Optional)
- history contains a list of the most recent versions applied to the cluster. -This value may be empty during cluster startup, and then will be updated -when a new update is being applied. The newest update is first in the -list and it is ordered by recency. Updates in the history have state -Completed if the rollout completed - if an update was failing or halfway -applied the state will be Partial. Only a limited amount of update history -is preserved. - |
-
-observedGeneration
-
-int64
-
- |
-
- observedGeneration reports which version of the spec is being synced. -If this value is not equal to metadata.generation, then the desired -and conditions fields may represent a previous version. - |
-
-availableUpdates
-
-
-[]github.com/openshift/api/config/v1.Release
-
-
- |
-
- availableUpdates contains updates recommended for this -cluster. Updates which appear in conditionalUpdates but not in -availableUpdates may expose this cluster to known issues. This list -may be empty if no updates are recommended, if the update service -is unavailable, or if an invalid channel has been specified. - |
-
-conditionalUpdates
-
-
-[]github.com/openshift/api/config/v1.ConditionalUpdate
-
-
- |
-
-(Optional)
- conditionalUpdates contains the list of updates that may be -recommended for this cluster if it meets specific required -conditions. Consumers interested in the set of updates that are -actually recommended for this cluster should use -availableUpdates. This list may be empty if no updates are -recommended, if the update service is unavailable, or if an empty -or invalid channel has been specified. - |
-
-(Appears on: -ControlPlaneComponentStatus) -
--
ComponentResource defines a resource reconciled by a ControlPlaneComponent.
- -| Field | -Description | -
|---|---|
-kind
-
-string
-
- |
-
- kind is the name of the resource schema. - |
-
-group
-
-string
-
- |
-
- group is the API group for this resource type. - |
-
-name
-
-string
-
- |
-
- name is the name of this resource. - |
-
-
-| Value | -Description | -
|---|---|
"AWSDefaultSecurityGroupCreated" |
-AWSDefaultSecurityGroupCreated indicates whether the default security group -for AWS workers has been created. -A failure here indicates that NodePools without a security group will be -blocked from creating machines. - |
-
"AWSDefaultSecurityGroupDeleted" |
-AWSDefaultSecurityGroupDeleted indicates whether the default security group -for AWS workers has been deleted. -A failure here indicates that the Security Group has some dependencies that -there are still pending cloud resources to be deleted that are using that SG. - |
-
"AWSEndpointAvailable" |
-AWSEndpointServiceAvailable indicates whether the AWS Endpoint has been -created in the guest VPC - |
-
"AWSEndpointServiceAvailable" |
-AWSEndpointServiceAvailable indicates whether the AWS Endpoint Service -has been created for the specified NLB in the management VPC - |
-
"AutoNodeEnabled" |
-AutoNodeEnabled indicates whether AutoNode is configured and operational for this HostedCluster. -True means AutoNode is configured in the HostedCluster spec and the Karpenter components are fully rolled out and ready. -False / AutoNodeProgressing means AutoNode is being enabled or disabled — the operation is in progress. -False / AutoNodeNotConfigured means AutoNode is not configured in the spec and all Karpenter components have been removed. - |
-
"AzureInternalLoadBalancerAvailable" |
-AzureInternalLoadBalancerAvailable indicates the ILB has been provisioned with a frontend IP - |
-
"AzurePLSCreated" |
-AzurePLSCreated indicates the Azure Private Link Service has been created in the management cluster resource group - |
-
"AzurePrivateDNSAvailable" |
-AzurePrivateDNSAvailable indicates the Private DNS zone and A records have been created - |
-
"AzurePrivateEndpointAvailable" |
-AzurePrivateEndpointAvailable indicates the Private Endpoint has been created in the guest VNet - |
-
"AzurePrivateLinkServiceAvailable" |
-AzurePrivateLinkServiceAvailable indicates overall PLS infrastructure availability - |
-
"BackupCompleted" |
-BackupCompleted indicates whether the etcd backup has completed. - |
-
"CVOScaledDown" |
-- |
"CloudResourcesDestroyed" |
-CloudResourcesDestroyed bubbles up the same condition from HCP. It signals if the cloud provider infrastructure created by Kubernetes -in the consumer cloud provider account was destroyed. -A failure here may require external user intervention to resolve. E.g. cloud provider perms were corrupted. E.g. the guest cluster was broken -and kube resource deletion that affects cloud infra like service type load balancer can’t succeed. - |
-
"ClusterVersionAvailable" |
-ClusterVersionAvailable bubbles up Failing configv1.OperatorAvailable from the CVO. - |
-
"ClusterVersionFailing" |
-ClusterVersionFailing bubbles up Failing from the CVO. - |
-
"ClusterVersionProgressing" |
-ClusterVersionProgressing bubbles up configv1.OperatorProgressing from the CVO. - |
-
"ClusterVersionReleaseAccepted" |
-ClusterVersionReleaseAccepted bubbles up Failing ReleaseAccepted from the CVO. - |
-
"ClusterVersionRetrievedUpdates" |
-ClusterVersionRetrievedUpdates bubbles up RetrievedUpdates from the CVO. - |
-
"ClusterVersionSucceeding" |
-ClusterVersionSucceeding indicates the current status of the desired release -version of the HostedCluster as indicated by the Failing condition in the -underlying cluster’s ClusterVersion. - |
-
"ClusterVersionUpgradeable" |
-ClusterVersionUpgradeable indicates the Upgradeable condition in the -underlying cluster’s ClusterVersion. - |
-
"Available" |
-ControlPlaneComponentAvailable indicates whether the ControlPlaneComponent is available. - |
-
"RolloutComplete" |
-ControlPlaneComponentRolloutComplete indicates whether the ControlPlaneComponent has completed its rollout. - |
-
"ControlPlaneConnectionAvailable" |
-ControlPlaneConnectionAvailable indicates whether data plane workloads have a successful -network connection to the control plane components. This condition is computed using -a 3-replica Deployment that tests the full data path (DNS resolution of kubernetes.default.svc --> advertise address on lo -> apiserver proxy -> KAS on HCP) and reports results to a shared -ConfigMap. The HCCO evaluates the staleness of the lastSucceeded timestamp in the ConfigMap. -True means the data plane can successfully reach the control plane (a recent successful check was recorded). -False means there are connectivity failures preventing the data plane from reaching the control plane, -or the last successful check is stale (older than 5 minutes). -Unknown means the status cannot be determined due to true inability to inspect (e.g., no worker nodes exist or inspection cannot be performed), -not due to missing required components. - |
-
"DataPlaneConnectionAvailable" |
-DataPlaneConnectionAvailable indicates whether the control plane has a successful -network connection to the data plane components. -True means the control plane can successfully reach the data plane nodes. -False means there are network connection issues preventing the control plane from reaching the data plane. -A failure here suggests potential issues such as: network policy restrictions, -firewall rules, missing data plane nodes, or problems with infrastructure -components like the konnectivity-agent workload. -Unknown means the status cannot be determined (e.g., no worker nodes available or unable to inspect). - |
-
"EtcdAvailable" |
-EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. -A failure here often means a software bug or a non-stable cluster. - |
-
"EtcdBackupSucceeded" |
-EtcdBackupSucceeded bubbles up from HCP. It indicates the result of the -most recent etcd backup. True means the last backup completed successfully; -False means a backup is in progress or the last backup failed. - |
-
"EtcdRecoveryActive" |
-EtcdRecoveryActive indicates that the Etcd cluster is failing and the -recovery job was triggered. - |
-
"EtcdSnapshotRestored" |
-- |
"ExternalDNSReachable" |
-ExternalDNSReachable bubbles up the same condition from HCP. It signals if the configured external DNS is reachable. -A failure here requires external user intervention to resolve. E.g. changing the external DNS domain or making sure the domain is created -and registered correctly. - |
-
"GCPDNSAvailable" |
-GCPDNSAvailable indicates whether the DNS configuration has been -created in the customer VPC - |
-
"GCPEndpointAvailable" |
-GCPEndpointAvailable indicates whether the GCP PSC Endpoint has been -created in the customer VPC - |
-
"GCPPrivateServiceConnectAvailable" |
-GCPPrivateServiceConnectAvailable indicates overall PSC infrastructure availability - |
-
"GCPServiceAttachmentAvailable" |
-GCPServiceAttachmentAvailable indicates whether the GCP Service Attachment -has been created for the specified Internal Load Balancer in the management VPC - |
-
"Available" |
-HostedClusterAvailable indicates whether the HostedCluster has a healthy -control plane. -When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. - |
-
"Degraded" |
-HostedClusterDegraded indicates whether the HostedCluster is encountering -an error that may require user intervention to resolve. - |
-
"HostedClusterDestroyed" |
-HostedClusterDestroyed indicates that a hosted has finished destroying and that it is waiting for a destroy grace period to go away. -The grace period is determined by the hypershift.openshift.io/destroy-grace-period annotation in the HostedCluster if present. - |
-
"Progressing" |
-HostedClusterProgressing indicates whether the HostedCluster is attempting -an initial deployment or upgrade. -When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. - |
-
"HostedClusterRestoredFromBackup" |
-HostedClusterRestoredFromBackup indicates that the HostedCluster was restored from backup. -This condition is set to true when the HostedCluster is restored from backup and the recovery process is complete. -This condition is used to track the status of the recovery process and to determine if the HostedCluster -is ready to be used after restoration. - |
-
"Available" |
-- |
"Degraded" |
-- |
"IgnitionEndpointAvailable" |
-IgnitionEndpointAvailable indicates whether the ignition server for the -HostedCluster is available to handle ignition requests. -A failure here often means a software bug or a non-stable cluster. - |
-
"IgnitionServerValidReleaseInfo" |
-IgnitionServerValidReleaseInfo indicates if the release contains all the images used by the local ignition provider -and reports missing images if any. - |
-
"InfrastructureReady" |
-InfrastructureReady bubbles up the same condition from HCP. It signals if the infrastructure for a control plane to be operational, -e.g. load balancers were created successfully. -A failure here may require external user intervention to resolve. E.g. hitting quotas on the cloud provider. - |
-
"KubeAPIServerAvailable" |
-KubeAPIServerAvailable bubbles up the same condition from HCP. It signals if the kube API server is available. -A failure here often means a software bug or a non-stable cluster. - |
-
"KubeVirtNodesLiveMigratable" |
-KubeVirtNodesLiveMigratable indicates if all nodes (VirtualMachines) of the kubevirt -hosted cluster can be live migrated without experiencing a node restart - |
-
"PlatformCredentialsFound" |
-PlatformCredentialsFound indicates that credentials required for the -desired platform are valid. -A failure here is unlikely to resolve without the changing user input. - |
-
"ReconciliationActive" |
-ReconciliationActive indicates if reconciliation of the HostedCluster is -active or paused hostedCluster.spec.pausedUntil. - |
-
"ReconciliationSucceeded" |
-ReconciliationSucceeded indicates if the HostedCluster reconciliation -succeeded. -A failure here often means a software bug or a non-stable cluster. - |
-
"SupportedHostedCluster" |
-SupportedHostedCluster indicates whether a HostedCluster is supported by -the current configuration of the hypershift-operator. -e.g. If HostedCluster requests endpointAcess Private but the hypershift-operator -is running on a management cluster outside AWS or is not configured with AWS -credentials, the HostedCluster is not supported. -A failure here is unlikely to resolve without the changing user input. - |
-
"UnmanagedEtcdAvailable" |
-UnmanagedEtcdAvailable indicates whether a user-managed etcd cluster is -healthy. - |
-
"ValidAWSIdentityProvider" |
-ValidAWSIdentityProvider indicates if the Identity Provider referenced -in the cloud credentials is healthy. E.g. for AWS the idp ARN is referenced in the iam roles. -“Version”: “2012-10-17”, -“Statement”: [ -{ -“Effect”: “Allow”, -“Principal”: { -“Federated”: “{{ .ProviderARN }}” -}, -“Action”: “sts:AssumeRoleWithWebIdentity”, -“Condition”: { -“StringEquals”: { -“{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} -} -} -} -] -A failure here may require external user intervention to resolve. - |
-
"ValidAWSKMSConfig" |
-ValidAWSKMSConfig indicates whether the AWS KMS role and encryption key are valid and operational -A failure here indicates that the role or the key are invalid, or the role doesn’t have access to use the key. - |
-
"ValidAzureKMSConfig" |
-ValidAzureKMSConfig indicates whether the given KMS input for the Azure platform is valid and operational -A failure here indicates that the input is invalid, or permissions are missing to use the encryption key. - |
-
"ValidGCPCredentials" |
-ValidGCPCredentials indicates if GCP credentials are valid and operational -for the HostedCluster. This includes service account authentication and -proper IAM permissions for CAPG controllers. -A failure here may require external user intervention to resolve. - |
-
"ValidGCPWorkloadIdentity" |
-ValidGCPWorkloadIdentity indicates if GCP Workload Identity Federation -is properly configured and operational for the cluster. -A failure here may require external user intervention to resolve. - |
-
"ValidConfiguration" |
-ValidHostedClusterConfiguration signals if the hostedCluster input is valid and -supported by the underlying management cluster. -A failure here is unlikely to resolve without the changing user input. - |
-
"ValidHostedControlPlaneConfiguration" |
-ValidHostedControlPlaneConfiguration bubbles up the same condition from HCP. It signals if the hostedControlPlane input is valid and -supported by the underlying management cluster. -A failure here is unlikely to resolve without the changing user input. - |
-
"ValidIDPConfiguration" |
-ValidIDPConfiguration indicates if the Identity Provider configuration is valid. -A failure here may require external user intervention to resolve -e.g. the user-provided IDP configuration provided is invalid or the IDP is not reachable. - |
-
"ValidKubeVirtInfraNetworkMTU" |
-ValidKubeVirtInfraNetworkMTU indicates if the MTU configured on an infra cluster -hosting a guest cluster utilizing kubevirt platform is a sufficient value that will avoid -performance degradation due to fragmentation of the double encapsulation in ovn-kubernetes - |
-
"ValidOIDCConfiguration" |
-ValidOIDCConfiguration indicates if an AWS cluster’s OIDC condition is -detected as invalid. -A failure here may require external user intervention to resolve. E.g. oidc was deleted out of band. - |
-
"ValidProxyConfiguration" |
-ValidProxyConfiguration indicates if the proxy CA bundle is valid. -A failure here may require external user intervention to resolve. E.g. certificates in the CA bundle have expired. - |
-
"ValidReleaseImage" |
-ValidReleaseImage indicates if the release image set in the spec is valid -for the HostedCluster. For example, this can be set false if the -HostedCluster itself attempts an unsupported version before 4.9 or an -unsupported upgrade e.g y-stream upgrade before 4.11. -A failure here is unlikely to resolve without the changing user input. - |
-
"ValidReleaseInfo" |
-ValidReleaseInfo bubbles up the same condition from HCP. It indicates if the release contains all the images used by hypershift -and reports missing images if any. - |
-
-(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) -
--
ConfigurationStatus contains the status of HostedCluster configuration
- -| Field | -Description | -
|---|---|
-authentication
-
-
-github.com/openshift/api/config/v1.AuthenticationStatus
-
-
- |
-
-(Optional)
- authentication contains the observed authentication configuration status from the hosted cluster. -This field reflects the current state of the cluster authentication including OAuth metadata, -OIDC client status, and other authentication-related configurations. - |
-
-
ControlPlaneComponent specifies the state of a ControlPlane Component
- -| Field | -Description | -
|---|---|
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-(Optional)
- metadata is the metadata for the ControlPlaneComponent. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-
-spec
-
-
-ControlPlaneComponentSpec
-
-
- |
-
-(Optional)
- spec is the specification for the ControlPlaneComponent. -- - |
-
-status
-
-
-ControlPlaneComponentStatus
-
-
- |
-
-(Optional)
- status is the status of the ControlPlaneComponent. - |
-
-(Appears on: -ControlPlaneComponent) -
--
ControlPlaneComponentSpec defines the desired state of ControlPlaneComponent
- -###ControlPlaneComponentStatus { #hypershift.openshift.io/v1beta1.ControlPlaneComponentStatus } --(Appears on: -ControlPlaneComponent) -
--
ControlPlaneComponentStatus defines the observed state of ControlPlaneComponent
- -| Field | -Description | -
|---|---|
-conditions
-
-
-[]Kubernetes meta/v1.Condition
-
-
- |
-
-(Optional)
- conditions contains details for the current state of the ControlPlane Component. -If there is an error, then the Available condition will be false. -Current condition types are: “Available” - |
-
-version
-
-string
-
- |
-
-(Optional)
- version reports the current version of this component. - |
-
-resources
-
-
-[]ComponentResource
-
-
- |
-
-(Optional)
- resources is a list of the resources reconciled by this component. - |
-
-(Appears on: -AzureResourceManagedIdentities) -
--
ControlPlaneManagedIdentities contains the managed identities on the HCP control plane needing to authenticate with -Azure’s API.
- -| Field | -Description | -|
|---|---|---|
-managedIdentitiesKeyVault
-
-
-ManagedAzureKeyVault
-
-
- |
-
- managedIdentitiesKeyVault contains information on the management cluster’s managed identities Azure Key Vault. -This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the -Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring -authentication with Azure API. -More information on how the Secrets Store CSI driver works to do this can be found here: -https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. - |
-|
-cloudProvider
-
-
-ManagedIdentity
-
-
- |
-
- cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller -manager. - |
-|
-nodePoolManagement
-
-
-ManagedIdentity
-
-
- |
-
- nodePoolManagement is a pre-existing managed identity associated with the operator managing the NodePools. + | |
"DataPlaneConnectionAvailable" |
+DataPlaneConnectionAvailable indicates whether the control plane has a successful +network connection to the data plane components. +True means the control plane can successfully reach the data plane nodes. +False means there are network connection issues preventing the control plane from reaching the data plane. +A failure here suggests potential issues such as: network policy restrictions, +firewall rules, missing data plane nodes, or problems with infrastructure +components like the konnectivity-agent workload. |
-|
-controlPlaneOperator
-
-
-ManagedIdentity
-
-
+ | ||
"EtcdAvailable" |
+EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. +A failure here often means a software bug or a non-stable cluster. |
-
- controlPlaneOperator is a pre-existing managed identity associated with the control plane operator. + |
"EtcdBackupSucceeded" |
+EtcdBackupSucceeded bubbles up from HCP. It indicates the result of the +most recent etcd backup. True means the last backup completed successfully; +False means a backup is in progress or the last backup failed. |
-|
-imageRegistry
-
-
-ManagedIdentity
-
-
+ | ||
"EtcdRecoveryActive" |
+EtcdRecoveryActive indicates that the Etcd cluster is failing and the +recovery job was triggered. |
-
-(Optional)
- imageRegistry is a pre-existing managed identity associated with the cluster-image-registry-operator. + |
"EtcdSnapshotRestored" |
++ | |
"ExternalDNSReachable" |
+ExternalDNSReachable bubbles up the same condition from HCP. It signals if the configured external DNS is reachable. +A failure here requires external user intervention to resolve. E.g. changing the external DNS domain or making sure the domain is created +and registered correctly. |
-|
-ingress
-
-
-ManagedIdentity
-
-
+ | ||
"GCPDNSAvailable" |
+GCPDNSAvailable indicates whether the DNS configuration has been +created in the customer VPC |
-
- ingress is a pre-existing managed identity associated with the cluster-ingress-operator. + |
"GCPEndpointAvailable" |
+GCPEndpointAvailable indicates whether the GCP PSC Endpoint has been +created in the customer VPC |
-|
-network
-
-
-ManagedIdentity
-
-
+ | ||
"GCPPrivateServiceConnectAvailable" |
+GCPPrivateServiceConnectAvailable indicates overall PSC infrastructure availability |
-
- network is a pre-existing managed identity associated with the cluster-network-operator. + |
"GCPServiceAttachmentAvailable" |
+GCPServiceAttachmentAvailable indicates whether the GCP Service Attachment +has been created for the specified Internal Load Balancer in the management VPC |
-|
-disk
-
-
-ManagedIdentity
-
-
+ | ||
"Available" |
+HostedClusterAvailable indicates whether the HostedCluster has a healthy +control plane. +When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. |
-
- disk is a pre-existing managed identity associated with the azure-disk-controller. + |
"Degraded" |
+HostedClusterDegraded indicates whether the HostedCluster is encountering +an error that may require user intervention to resolve. |
-|
-file
-
-
-ManagedIdentity
-
-
+ | ||
"HostedClusterDestroyed" |
+HostedClusterDestroyed indicates that a hosted has finished destroying and that it is waiting for a destroy grace period to go away. +The grace period is determined by the hypershift.openshift.io/destroy-grace-period annotation in the HostedCluster if present. |
-
- file is a pre-existing managed identity associated with the azure-disk-controller. + |
"Progressing" |
+HostedClusterProgressing indicates whether the HostedCluster is attempting +an initial deployment or upgrade. +When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. |
-
-(Appears on: -ControlPlaneVersionStatus) -
--
ControlPlaneUpdateHistory is a record of a single version transition for management-side -control plane components. Each entry captures the target version, its release image, when -the rollout started, and when (or whether) it completed.
- -| Field | -Description | -|
|---|---|---|
-state
-
-
-github.com/openshift/api/config/v1.UpdateState
-
-
+ | ||
"HostedClusterRestoredFromBackup" |
+HostedClusterRestoredFromBackup indicates that the HostedCluster was restored from backup. +This condition is set to true when the HostedCluster is restored from backup and the recovery process is complete. +This condition is used to track the status of the recovery process and to determine if the HostedCluster +is ready to be used after restoration. |
-
- state reflects whether the update was fully applied. The Partial state -indicates the update is not fully applied, while the Completed state -indicates the update was successfully rolled out. + |
"Available" |
++ | |
"Degraded" |
++ | |
"IgnitionEndpointAvailable" |
+IgnitionEndpointAvailable indicates whether the ignition server for the +HostedCluster is available to handle ignition requests. +A failure here often means a software bug or a non-stable cluster. |
-|
-startedTime,omitempty,omitzero
-
-
-Kubernetes meta/v1.Time
-
-
+ | ||
"IgnitionServerValidReleaseInfo" |
+IgnitionServerValidReleaseInfo indicates if the release contains all the images used by the local ignition provider +and reports missing images if any. |
-
- startedTime is the time at which the update was started. + |
"InfrastructureReady" |
+InfrastructureReady bubbles up the same condition from HCP. It signals if the infrastructure for a control plane to be operational, +e.g. load balancers were created successfully. +A failure here may require external user intervention to resolve. E.g. hitting quotas on the cloud provider. |
-|
-completionTime,omitempty,omitzero
-
-
-Kubernetes meta/v1.Time
-
-
+ | ||
"KubeAPIServerAvailable" |
+KubeAPIServerAvailable bubbles up the same condition from HCP. It signals if the kube API server is available. +A failure here often means a software bug or a non-stable cluster. |
-
-(Optional)
- completionTime is the time at which the update completed. It is set -when all management-side components have reached the target version. -It is not set while the update is in progress. + |
"KubeVirtNodesLiveMigratable" |
+KubeVirtNodesLiveMigratable indicates if all nodes (VirtualMachines) of the kubevirt +hosted cluster can be live migrated without experiencing a node restart |
-|
-version
-
-string
-
+ | ||
"PlatformCredentialsFound" |
+PlatformCredentialsFound indicates that credentials required for the +desired platform are valid. +A failure here is unlikely to resolve without the changing user input. |
-
- version is a semantic version string identifying the update version -(e.g. “4.20.1”). + |
"ReconciliationActive" |
+ReconciliationActive indicates if reconciliation of the HostedCluster is +active or paused hostedCluster.spec.pausedUntil. |
-|
-image
-
-string
-
+ | ||
"ReconciliationSucceeded" |
+ReconciliationSucceeded indicates if the HostedCluster reconciliation +succeeded. +A failure here often means a software bug or a non-stable cluster. |
-
- image is the release image pullspec used for this update. + |
"SupportedHostedCluster" |
+SupportedHostedCluster indicates whether a HostedCluster is supported by +the current configuration of the hypershift-operator. +e.g. If HostedCluster requests endpointAcess Private but the hypershift-operator +is running on a management cluster outside AWS or is not configured with AWS +credentials, the HostedCluster is not supported. +A failure here is unlikely to resolve without the changing user input. |
-
-(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) -
--
ControlPlaneVersionStatus tracks the rollout state of management-side control plane components. -It records the desired release, a pruned history of version transitions (newest first), and -the last observed generation of the HostedControlPlane spec.
- -| Field | -Description | -|
|---|---|---|
-desired,omitempty,omitzero
-
-
-github.com/openshift/api/config/v1.Release
-
-
+ | ||
"UnmanagedEtcdAvailable" |
+UnmanagedEtcdAvailable indicates whether a user-managed etcd cluster is +healthy. |
-
- desired is the release version that the control plane is reconciling towards. -It is derived from the HostedControlPlane release image fields. + |
"ValidAWSIdentityProvider" |
+ValidAWSIdentityProvider indicates if the Identity Provider referenced +in the cloud credentials is healthy. E.g. for AWS the idp ARN is referenced in the iam roles. +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Principal”: { +“Federated”: “{{ .ProviderARN }}” +}, +“Action”: “sts:AssumeRoleWithWebIdentity”, +“Condition”: { +“StringEquals”: { +“{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} +} +} +} +] +A failure here may require external user intervention to resolve. |
-|
-history
-
-
-[]ControlPlaneUpdateHistory
-
-
+ | ||
"ValidAWSKMSConfig" |
+ValidAWSKMSConfig indicates whether the AWS KMS role and encryption key are valid and operational +A failure here indicates that the role or the key are invalid, or the role doesn’t have access to use the key. |
-
-(Optional)
- history contains a list of versions applied to management-side control plane components. The newest entry is -first in the list. Entries have state Completed when all ControlPlaneComponent resources report the target -version with RolloutComplete=True. Entries have state Partial when the rollout is in progress or has failed. + |
"ValidAzureKMSConfig" |
+ValidAzureKMSConfig indicates whether the given KMS input for the Azure platform is valid and operational +A failure here indicates that the input is invalid, or permissions are missing to use the encryption key. |
-|
-observedGeneration,omitempty,omitzero
-
-int64
-
+ | ||
"ValidGCPCredentials" |
+ValidGCPCredentials indicates if GCP credentials are valid and operational +for the HostedCluster. This includes service account authentication and +proper IAM permissions for CAPG controllers. +A failure here may require external user intervention to resolve. |
-
-(Optional)
- observedGeneration reports which generation of the HostedControlPlane spec is being synced. + |
"ValidGCPWorkloadIdentity" |
+ValidGCPWorkloadIdentity indicates if GCP Workload Identity Federation +is properly configured and operational for the cluster. +A failure here may require external user intervention to resolve. |
-
-(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) -
--
DNSSpec specifies the DNS configuration for the hosted cluster ingress.
- -| Field | -Description | -|
|---|---|---|
-baseDomain
-
-string
-
+ | ||
"ValidConfiguration" |
+ValidHostedClusterConfiguration signals if the hostedCluster input is valid and +supported by the underlying management cluster. +A failure here is unlikely to resolve without the changing user input. |
-
- baseDomain is the base domain of the hosted cluster. -It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. -If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. -Once set, this field is immutable. -When the value is the empty string “”, the controller might default to a value depending on the platform. + |
"ValidHostedControlPlaneConfiguration" |
+ValidHostedControlPlaneConfiguration bubbles up the same condition from HCP. It signals if the hostedControlPlane input is valid and +supported by the underlying management cluster. +A failure here is unlikely to resolve without the changing user input. |
-|
-baseDomainPrefix
-
-string
-
+ | ||
"ValidIDPConfiguration" |
+ValidIDPConfiguration indicates if the Identity Provider configuration is valid. +A failure here may require external user intervention to resolve +e.g. the user-provided IDP configuration provided is invalid or the IDP is not reachable. |
-
-(Optional)
- baseDomainPrefix is the base domain prefix for the hosted cluster ingress. -It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. -If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. -Set baseDomainPrefix to an empty string “”, if you don’t want a prefix at all (not even hostedCluster.name) to be prepended to baseDomain. -This field is immutable. + |
"ValidKubeVirtInfraNetworkMTU" |
+ValidKubeVirtInfraNetworkMTU indicates if the MTU configured on an infra cluster +hosting a guest cluster utilizing kubevirt platform is a sufficient value that will avoid +performance degradation due to fragmentation of the double encapsulation in ovn-kubernetes |
-|
-publicZoneID
-
-string
-
+ | ||
"ValidOIDCConfiguration" |
+ValidOIDCConfiguration indicates if an AWS cluster’s OIDC condition is +detected as invalid. +A failure here may require external user intervention to resolve. E.g. oidc was deleted out of band. |
-
-(Optional)
- publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. -This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. -Once set, this value is immutable. -On Azure, this is a full Azure resource ID for a DNS Zone in the format: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/dnsZones/{zoneName} -The maximum length of 258 is derived from Azure resource naming limits -(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): -/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90) + |
"ValidProxyConfiguration" |
+ValidProxyConfiguration indicates if the proxy CA bundle is valid. +A failure here may require external user intervention to resolve. E.g. certificates in the CA bundle have expired. |
-|
-privateZoneID
-
-string
-
+ | ||
"ValidReleaseImage" |
+ValidReleaseImage indicates if the release image set in the spec is valid +for the HostedCluster. For example, this can be set false if the +HostedCluster itself attempts an unsupported version before 4.9 or an +unsupported upgrade e.g y-stream upgrade before 4.11. +A failure here is unlikely to resolve without the changing user input. |
-
-(Optional)
- privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. -This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. -Once set, this value is immutable. -On Azure, this is a full Azure resource ID for a Private DNS Zone in the format: -/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} -The maximum length of 265 is derived from Azure resource naming limits -(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): -/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90) + |
"ValidReleaseInfo" |
+ValidReleaseInfo bubbles up the same condition from HCP. It indicates if the release contains all the images used by hypershift +and reports missing images if any. |
-
(Appears on: -GCPPrivateServiceConnectStatus) +HostedClusterStatus, +HostedControlPlaneStatus)
-
DNSZoneStatus represents a single DNS zone and its records
+ConfigurationStatus contains the status of HostedCluster configuration
-name
-
-string
-
- |
-
- name is the DNS zone name - |
-
-records
+authentication
-[]string
+
+github.com/openshift/api/config/v1.AuthenticationStatus
+
|
(Optional)
- records lists the DNS records created in this zone +authentication contains the observed authentication configuration status from the hosted cluster. +This field reflects the current state of the cluster authentication including OAuth metadata, +OIDC client status, and other authentication-related configurations. |
-(Appears on: -AzureResourceManagedIdentities) -
+###ControlPlaneComponent { #hypershift.openshift.io/v1beta1.ControlPlaneComponent }-
DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to -authenticate with Azure’s API.
+ControlPlaneComponent specifies the state of a ControlPlane Component
-imageRegistryMSIClientID
-
-string
-
- |
-
- imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image -registry controller. - |
-
-diskMSIClientID
-
-string
-
- |
-
- diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver. - |
-
-fileMSIClientID
+metadata
-string
+
+Kubernetes meta/v1.ObjectMeta
+
|
- fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver. +(Optional) +metadata is the metadata for the ControlPlaneComponent. +Refer to the Kubernetes API documentation for the fields of the +metadata field.
|
-(Appears on: -AzureNodePoolPlatform) -
--
Diagnostics specifies the diagnostics settings for a virtual machine.
- -| Field | -Description | -
|---|---|
-storageAccountType
+spec
-
-AzureDiagnosticsStorageAccountType
+
+ControlPlaneComponentSpec
|
(Optional)
- storageAccountType determines if the storage account for storing the diagnostics data -should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). +spec is the specification for the ControlPlaneComponent. ++ + |
-userManaged
+status
-
-UserManagedDiagnostics
+
+ControlPlaneComponentStatus
|
(Optional)
- userManaged specifies the diagnostics settings for a virtual machine when the storage account is managed by the user. +status is the status of the ControlPlaneComponent. |
(Appears on: -EtcdSpec) +ControlPlaneComponent)
-
EtcdManagementType is a enum specifying the strategy for managing the cluster’s etcd instance
+ControlPlaneComponentSpec defines the desired state of ControlPlaneComponent
-| Value | -Description | -
|---|---|
"Managed" |
-Managed means HyperShift should provision and operator the etcd cluster -automatically. - |
-
"Unmanaged" |
-Unmanaged means HyperShift will not provision or manage the etcd cluster, -and the user is responsible for doing so. - |
-
(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +ControlPlaneComponent)
-
EtcdSpec specifies configuration for a control plane etcd cluster.
+ControlPlaneComponentStatus defines the observed state of ControlPlaneComponent
-managementType
+conditions
-
-EtcdManagementType
+
+[]Kubernetes meta/v1.Condition
|
- managementType defines how the etcd cluster is managed. -This can be either Managed or Unmanaged. -This field is immutable. +(Optional) +conditions contains details for the current state of the ControlPlane Component. +If there is an error, then the Available condition will be false. +Current condition types are: “Available” |
-managed
+version
-
-ManagedEtcdSpec
-
+string
|
(Optional)
- managed specifies the behavior of an etcd cluster managed by HyperShift. +version reports the current version of this component. |
-unmanaged
+resources
-
-UnmanagedEtcdSpec
+
+[]ComponentResource
|
(Optional)
- unmanaged specifies configuration which enables the control plane to -integrate with an externally managed etcd cluster. +resources is a list of the resources reconciled by this component. |
(Appears on: -UnmanagedEtcdSpec) +AzureResourceManagedIdentities)
-
EtcdTLSConfig specifies TLS configuration for HTTPS etcd client endpoints.
+ControlPlaneManagedIdentities contains the managed identities on the HCP control plane needing to authenticate with +Azure’s API.
-clientSecret
+managedIdentitiesKeyVault
-
-Kubernetes core/v1.LocalObjectReference
+
+ManagedAzureKeyVault
|
- clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It -may have the following key/value pairs: -
+managedIdentitiesKeyVault contains information on the management cluster’s managed identities Azure Key Vault. +This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the +Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring +authentication with Azure API. +More information on how the Secrets Store CSI driver works to do this can be found here: +https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. |
-(Appears on: -ClusterAutoscaling) -
--
ExpanderString contains the name of an expander to be used by the cluster autoscaler.
- -| Value | -Description | -|
|---|---|---|
"LeastWaste" |
-- | |
"Priority" |
-Selects the node group with the least idle resources. + |
+cloudProvider
+
+
+ManagedIdentity
+
+
|
-
"Random" |
-Selects the node group with the highest priority. + |
+ cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller +manager. |
-
-(Appears on: -AWSResourceReference) -
--
Filter is a filter used to identify an AWS resource
- -| Field | -Description |
|---|---|
-name
+nodePoolManagement
-string
+
+ManagedIdentity
+
|
- name is the name of the filter. +nodePoolManagement is a pre-existing managed identity associated with the operator managing the NodePools. |
-values
+controlPlaneOperator
-[]string
+
+ManagedIdentity
+
|
- values is a list of values for the filter. +controlPlaneOperator is a pre-existing managed identity associated with the control plane operator. |
-(Appears on: -NetworkFilter, -RouterFilter, -SubnetFilter) -
--
-| Field | -Description | +
+imageRegistry
+
+
+ManagedIdentity
+
+
+ |
+
+(Optional)
+ imageRegistry is a pre-existing managed identity associated with the cluster-image-registry-operator. + |
|---|---|---|---|
-tags
+ingress
-
-[]NeutronTag
+
+ManagedIdentity
|
-(Optional)
- tags is a list of tags to filter by. If specified, the resource must -have all of the tags specified to be included in the result. +ingress is a pre-existing managed identity associated with the cluster-ingress-operator. |
||
-tagsAny
+network
-
-[]NeutronTag
+
+ManagedIdentity
|
-(Optional)
- tagsAny is a list of tags to filter by. If specified, the resource -must have at least one of the tags specified to be included in the -result. +network is a pre-existing managed identity associated with the cluster-network-operator. |
||
-notTags
+disk
-
-[]NeutronTag
+
+ManagedIdentity
|
-(Optional)
- notTags is a list of tags to filter by. If specified, resources which -contain all of the given tags will be excluded from the result. +disk is a pre-existing managed identity associated with the azure-disk-controller. |
||
-notTagsAny
+file
-
-[]NeutronTag
+
+ManagedIdentity
|
-(Optional)
- notTagsAny is a list of tags to filter by. If specified, resources -which contain any of the given tags will be excluded from the result. +file is a pre-existing managed identity associated with the azure-disk-controller. |
(Appears on: -GCPNodePoolPlatform) +HostedClusterSpec, +HostedControlPlaneSpec)
-
GCPBootDisk specifies configuration for the boot disk of GCP node instances.
+DNSSpec specifies the DNS configuration for the hosted cluster ingress.
-diskSizeGB
+baseDomain
-int64
+string
|
-(Optional)
- diskSizeGB specifies the size of the boot disk in gigabytes. -Must be at least 20 GB for RHCOS images. +baseDomain is the base domain of the hosted cluster. +It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. +If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. +Once set, this field is immutable. +When the value is the empty string “”, the controller might default to a value depending on the platform. |
-diskType
+baseDomainPrefix
string
|
(Optional)
- diskType specifies the disk type for the boot disk. -Valid values include: -- “pd-standard” - Standard persistent disk (magnetic) -- “pd-ssd” - SSD persistent disk -- “pd-balanced” - Balanced persistent disk (recommended) -If not specified, defaults to “pd-balanced”. +baseDomainPrefix is the base domain prefix for the hosted cluster ingress. +It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. +If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. +Set baseDomainPrefix to an empty string “”, if you don’t want a prefix at all (not even hostedCluster.name) to be prepended to baseDomain. +This field is immutable. |
-encryptionKey,omitzero
+publicZoneID
-
-GCPDiskEncryptionKey
-
+string
|
(Optional)
- encryptionKey specifies customer-managed encryption key (CMEK) configuration. -If not specified, Google-managed encryption keys are used. +publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. +This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. +Once set, this value is immutable. |
-(Appears on: -GCPBootDisk) -
--
GCPDiskEncryptionKey specifies configuration for customer-managed encryption keys.
- -| Field | -Description | -
|---|---|
-kmsKeyName
+privateZoneID
string
|
- kmsKeyName is the resource name of the Cloud KMS key used for disk encryption. -Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key} +(Optional) +privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. +This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. +Once set, this value is immutable. |
-(Appears on: -GCPPlatformSpec) -
--
GCPEndpointAccessType defines the endpoint access type for GCP clusters. -Equivalent to AWS EndpointAccessType but adapted for GCP networking model.
- -| Value | -Description | -
|---|---|
"Private" |
-GCPEndpointAccessPrivate endpoint access allows only private API server access and private -node communication with the control plane via Private Service Connect. - |
-
"PublicAndPrivate" |
-GCPEndpointAccessPublicAndPrivate endpoint access allows public API server access and -private node communication with the control plane via Private Service Connect. - |
-
(Appears on: -GCPPlatformSpec) +GCPPrivateServiceConnectStatus)
-
GCPNetworkConfig specifies VPC configuration for GCP clusters and Private Service Connect endpoint creation.
+DNSZoneStatus represents a single DNS zone and its records
-network,omitzero
+name
-
-GCPResourceReference
-
+string
|
- network is the VPC network name +name is the DNS zone name |
-privateServiceConnectSubnet,omitzero
+records
-
-GCPResourceReference
-
+[]string
|
- privateServiceConnectSubnet is the subnet for Private Service Connect endpoints +(Optional) +records lists the DNS records created in this zone |
(Appears on: -NodePoolPlatform) +AzureResourceManagedIdentities)
-
GCPNodePoolPlatform specifies the configuration of a NodePool when operating on GCP. -This follows the AWS and Azure patterns for platform-specific NodePool configuration.
+DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to +authenticate with Azure’s API.
-machineType
+imageRegistryMSIClientID
string
|
- machineType is the GCP machine type for node instances (e.g. n2-standard-4). -Must follow GCP machine type naming conventions as documented at: -https://cloud.google.com/compute/docs/machine-resource#machine_type_comparison -Valid machine type formats: -- predefined: n1-standard-1, n2-highmem-4, c2-standard-8, etc. -- custom: custom-{cpus}-{memory} (e.g. custom-4-8192) -- custom with extended memory: custom-{cpus}-{memory}-ext (e.g. custom-2-13312-ext) +imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image +registry controller. |
-zone
+diskMSIClientID
string
|
- zone is the GCP zone where node instances will be created. -Must be a valid zone within the cluster’s region. -Format: {region}-{zone} (e.g. us-central1-a, europe-west2-b) -See https://cloud.google.com/compute/docs/regions-zones for available zones. +diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver. |
-subnet
+fileMSIClientID
-
-GCPResourceName
-
+string
|
- subnet is the name of the subnet where node instances will be created. -Must be a subnet within the VPC network specified in the HostedCluster’s -networkConfig and located in the same region as the zone. -The subnet must have enough IP addresses available for the expected number of nodes. +fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver. |
+(Appears on: +AzureNodePoolPlatform) +
++
Diagnostics specifies the diagnostics settings for a virtual machine.
+ +
-image
-
-string
-
- |
-
-(Optional)
- image specifies the boot image for node instances. -If unspecified, the default RHCOS image will be used based on the NodePool release payload. -Can be: -- A family name: projects/rhel-cloud/global/images/family/rhel-8 -- A specific image: projects/rhel-cloud/global/images/rhel-8-v20231010 -- A full resource URL: https://www.googleapis.com/compute/v1/projects/rhel-cloud/global/images/rhel-8-v20231010 - |
+Field | +Description |
|---|---|---|---|
-bootDisk
+storageAccountType
-
-GCPBootDisk
+
+AzureDiagnosticsStorageAccountType
|
(Optional)
- bootDisk specifies the configuration for the boot disk of node instances. +storageAccountType determines if the storage account for storing the diagnostics data +should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). |
||
-serviceAccount
+userManaged
-
-GCPNodeServiceAccount
+
+UserManagedDiagnostics
|
(Optional)
- serviceAccount configures the Google Service Account attached to node instances. -If not specified, uses the default compute service account for the project. +userManaged specifies the diagnostics settings for a virtual machine when the storage account is managed by the user. |
+(Appears on: +EtcdSpec) +
++
EtcdManagementType is a enum specifying the strategy for managing the cluster’s etcd instance
+ +
-resourceLabels
-
-
-[]GCPResourceLabel
-
-
+ | Value | +Description | +
|---|---|---|
"Managed" |
+Managed means HyperShift should provision and operator the etcd cluster +automatically. |
-
-(Optional)
- resourceLabels is an optional list of additional labels to apply to GCP node -instances and their associated resources (disks, etc.). -Labels will be merged with cluster-level resource labels, with NodePool labels -taking precedence in case of conflicts. -Keys and values must conform to GCP labeling requirements: -- Keys: 1–63 chars, must start with a lowercase letter; allowed [a-z0-9-] -- Values: empty or 1–63 chars; allowed [a-z0-9-] -- Maximum 60 user labels per resource (GCP limit is 64 total, with ~4 reserved) + |
"Unmanaged" |
+Unmanaged means HyperShift will not provision or manage the etcd cluster, +and the user is responsible for doing so. |
+
+(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
EtcdSpec specifies configuration for a control plane etcd cluster.
+ +| Field | +Description |
|---|---|
-networkTags
+managementType
-
-[]GCPResourceName
+
+EtcdManagementType
|
-(Optional)
- networkTags is an optional list of network tags to apply to node instances. -These tags are used by GCP firewall rules to control network access. -Tags must conform to GCP naming conventions: -- 1-63 characters -- Lowercase letters, numbers, and hyphens only -- Must start with lowercase letter -- Cannot end with hyphen +managementType defines how the etcd cluster is managed. +This can be either Managed or Unmanaged. +This field is immutable. |
-provisioningModel
+managed
-
-GCPProvisioningModel
+
+ManagedEtcdSpec
|
(Optional)
- provisioningModel specifies the provisioning model for node instances. -Spot and Preemptible instances cost less but can be terminated by GCP with 30 seconds notice. -Spot instances are recommended over Preemptible as they have no maximum runtime limit. -Standard instances are regular VMs that run until explicitly stopped. -If not specified, defaults to “Standard”. +managed specifies the behavior of an etcd cluster managed by HyperShift. |
-onHostMaintenance
+unmanaged
-
-GCPOnHostMaintenance
+
+UnmanagedEtcdSpec
|
(Optional)
- onHostMaintenance specifies the behavior when host maintenance occurs. -For Spot and Preemptible instances, this must be “TERMINATE”. -For Standard instances, can be “MIGRATE” (live migrate) or “TERMINATE”. -If not specified, defaults to “MIGRATE” for Standard instances and “TERMINATE” for Spot/Preemptible. +unmanaged specifies configuration which enables the control plane to +integrate with an externally managed etcd cluster. |
(Appears on: -GCPNodePoolPlatform) +UnmanagedEtcdSpec)
-
GCPNodeServiceAccount specifies the Google Service Account configuration for node instances.
+EtcdTLSConfig specifies TLS configuration for HTTPS etcd client endpoints.
-email
+clientSecret
-
-GCPServiceAccountEmail
+
+Kubernetes core/v1.LocalObjectReference
|
-(Optional)
- email specifies the email address of the Google Service Account to use for node instances. -If not specified, uses the default compute service account for the project. -The service account must have the necessary permissions for the node to function: -- Logging writer -- Monitoring metric writer -- Storage object viewer (for pulling container images) - |
-
-scopes
-
-[]string
-
- |
-
-(Optional)
- scopes specifies the access scopes for the service account. -If not specified, defaults to standard compute scopes. -Common scopes include: -- “https://www.googleapis.com/auth/devstorage.read_only” - Storage read-only -- “https://www.googleapis.com/auth/logging.write” - Logging write -- “https://www.googleapis.com/auth/monitoring.write” - Monitoring write -- “https://www.googleapis.com/auth/cloud-platform” - Full access (use with caution) +clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It +may have the following key/value pairs: +
|
(Appears on: -GCPNodePoolPlatform) +ClusterAutoscaling)
-
GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
+ExpanderString contains the name of an expander to be used by the cluster autoscaler.
| Description | -|
|---|---|
"MIGRATE" |
-GCPOnHostMaintenanceMigrate causes Compute Engine to live migrate an instance during host maintenance. + |
"LeastWaste" |
++ |
"Priority" |
+Selects the node group with the least idle resources. |
-
"TERMINATE" |
-GCPOnHostMaintenanceTerminate causes Compute Engine to stop an instance during host maintenance. + |
"Random" |
+Selects the node group with the highest priority. |
(Appears on: -PlatformSpec) +AWSResourceReference)
-
GCPPlatformSpec specifies configuration for clusters running on Google Cloud Platform.
+Filter is a filter used to identify an AWS resource
-project
-
-string
-
- |
-
- project is the GCP project ID.
-A valid project ID must satisfy the following rules:
-length: Must be between 6 and 30 characters, inclusive
-characters: Only lowercase letters ( |
-
-region
+name
string
|
- region is the GCP region in which the cluster resides (e.g., us-central1, europe-west2). -Must start with lowercase letters, contain exactly one hyphen, and end with digits. -For a full list of valid regions, see: https://cloud.google.com/compute/docs/regions-zones. - |
-
-networkConfig,omitzero
-
-
-GCPNetworkConfig
-
-
- |
-
- networkConfig specifies VPC configuration for Private Service Connect. -Required for VPC configuration in Private Service Connect deployments. - |
-
-endpointAccess
-
-
-GCPEndpointAccessType
-
-
- |
-
-(Optional)
- endpointAccess controls API endpoint accessibility for the HostedControlPlane on GCP. -Allowed values: “Private”, “PublicAndPrivate”. Defaults to “Private”. - |
-
-resourceLabels
-
-
-[]GCPResourceLabel
-
-
- |
-
-(Optional)
- resourceLabels are applied to all GCP resources created for the cluster. -Labels are key-value pairs used for organizing and managing GCP resources. -Changes to this field will be propagated in-place to GCP resources where supported. -GCP supports a maximum of 64 labels per resource. HyperShift reserves approximately 4 labels for system use. -For GCP labeling guidance, see https://cloud.google.com/compute/docs/labeling-resources +name is the name of the filter. |
-workloadIdentity,omitzero
+values
-
-GCPWorkloadIdentityConfig
-
+[]string
|
- workloadIdentity configures Workload Identity Federation for the cluster. -This enables secure, short-lived token-based authentication without storing -long-term service account keys. These fields are immutable after cluster creation -to prevent breaking the authentication chain. -Prerequisites for WIF setup: -- Workload Identity Pool and Provider must exist in the GCP project -- Provider must be configured with audience mapping for OpenShift SA tokens -- Target Google Service Account must have roles/iam.workloadIdentityUser -granted to the workload pool principal (e.g., principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/system:serviceaccount:kube-system:capi-gcp-controller-manager) -- Attribute mappings on the provider should include google.subject for token subject verification +values is a list of values for the filter. |
(Appears on: -GCPPrivateServiceConnect) +NetworkFilter, +RouterFilter, +SubnetFilter)
-
GCPPrivateServiceConnectSpec defines the desired state of PSC infrastructure
-loadBalancerIP
+tags
-string
+
+[]NeutronTag
+
|
- loadBalancerIP is the IP address of the Internal Load Balancer -Populated by the observer from service status -This value must be a valid IPv4 or IPv6 address. +(Optional) +tags is a list of tags to filter by. If specified, the resource must +have all of the tags specified to be included in the result. |
-forwardingRuleName
+tagsAny
-
-GCPResourceName
+
+[]NeutronTag
|
(Optional)
- forwardingRuleName is the name of the Internal Load Balancer forwarding rule -Populated by the reconciler via GCP API lookup +tagsAny is a list of tags to filter by. If specified, the resource +must have at least one of the tags specified to be included in the +result. |
-consumerAcceptList
+notTags
-[]string
+
+[]NeutronTag
+
|
- consumerAcceptList specifies which customer projects can connect. -Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”). -A maximum of 50 entries are allowed. -See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project ID and number formats. +(Optional) +notTags is a list of tags to filter by. If specified, resources which +contain all of the given tags will be excluded from the result. |
-natSubnet
+notTagsAny
-
-GCPResourceName
+
+[]NeutronTag
|
(Optional)
- natSubnet is the subnet used for NAT by the Service Attachment -Auto-populated by the HyperShift Operator +notTagsAny is a list of tags to filter by. If specified, resources +which contain any of the given tags will be excluded from the result. |
(Appears on: -GCPPrivateServiceConnect) +GCPNodePoolPlatform)
-
GCPPrivateServiceConnectStatus defines the observed state of PSC infrastructure
+GCPBootDisk specifies configuration for the boot disk of GCP node instances.
-conditions
+diskSizeGB
-
-[]Kubernetes meta/v1.Condition
-
+int64
|
(Optional)
- conditions represent the current state of PSC infrastructure -Current condition types are: “GCPPrivateServiceConnectAvailable”, “GCPServiceAttachmentAvailable”, “GCPEndpointAvailable”, “GCPDNSAvailable” +diskSizeGB specifies the size of the boot disk in gigabytes. +Must be at least 20 GB for RHCOS images. |
-serviceAttachmentName
+diskType
string
|
(Optional)
- serviceAttachmentName is the name of the created Service Attachment +diskType specifies the disk type for the boot disk. +Valid values include: +- “pd-standard” - Standard persistent disk (magnetic) +- “pd-ssd” - SSD persistent disk +- “pd-balanced” - Balanced persistent disk (recommended) +If not specified, defaults to “pd-balanced”. |
-serviceAttachmentURI
+encryptionKey
-string
+
+GCPDiskEncryptionKey
+
|
(Optional)
- serviceAttachmentURI is the URI customers use to connect. -Format: projects/{project}/regions/{region}/serviceAttachments/{name} -See https://cloud.google.com/vpc/docs/configure-private-service-connect-producer for service attachment details. +encryptionKey specifies customer-managed encryption key (CMEK) configuration. +If not specified, Google-managed encryption keys are used. |
+(Appears on: +GCPBootDisk) +
++
GCPDiskEncryptionKey specifies configuration for customer-managed encryption keys.
+ +
-endpointIP
-
-string
-
- |
-
-(Optional)
- endpointIP is the reserved IP address for the PSC endpoint -This value must be a valid IPv4 or IPv6 address. - |
+Field | +Description |
|---|---|---|---|
-dnsZones
+kmsKeyName
-
-[]DNSZoneStatus
-
+string
|
- dnsZones contains DNS zone information created for this cluster +kmsKeyName is the resource name of the Cloud KMS key used for disk encryption. +Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key} |
(Appears on: -GCPNodePoolPlatform) +GCPPlatformSpec)
-
GCPProvisioningModel defines the provisioning model for GCP node instances. -Follows GCP’s provisioning model terminology for compute instances.
+GCPEndpointAccessType defines the endpoint access type for GCP clusters. +Equivalent to AWS EndpointAccessType but adapted for GCP networking model.
| Description | -|
|---|---|
"Preemptible" |
-GCPProvisioningModelPreemptible specifies preemptible instances (legacy). -Preemptible instances are lower-cost instances that can be terminated by GCP -with 30 seconds notice when capacity is needed elsewhere. -Note: Preemptible instances have a maximum runtime of 24 hours. -Consider using Spot instances instead, which have no maximum runtime limit. - |
-
"Spot" |
-GCPProvisioningModelSpot specifies Spot instances. -Spot instances are lower-cost instances that can be terminated by GCP -with 30 seconds notice when capacity is needed elsewhere. -Unlike preemptible instances, Spot instances have no maximum runtime limit. -This is the recommended option for cost-effective, interruptible workloads. + |
"Private" |
+GCPEndpointAccessPrivate endpoint access allows only private API server access and private +node communication with the control plane via Private Service Connect. |
-
"Standard" |
-GCPProvisioningModelStandard specifies standard (non-preemptible) instances. -Standard instances run until explicitly stopped and are not subject to automatic termination. + |
"PublicAndPrivate" |
+GCPEndpointAccessPublicAndPrivate endpoint access allows public API server access and +private node communication with the control plane via Private Service Connect. |
(Appears on: -GCPNodePoolPlatform, GCPPlatformSpec)
-
GCPResourceLabel is a label to apply to GCP resources created for the cluster. -Labels are key-value pairs used for organizing and managing GCP resources. -See https://cloud.google.com/compute/docs/labeling-resources for GCP labeling guidance.
+GCPNetworkConfig specifies VPC configuration for GCP clusters and Private Service Connect endpoint creation.
-(Appears on: -GCPNodePoolPlatform, -GCPPrivateServiceConnectSpec, -GCPResourceReference) -
--
GCPResourceName is the name of a GCP resource following RFC 1035 naming conventions. -Must start with a lowercase letter, contain only lowercase letters, digits, and hyphens, -must not end with a hyphen, and be 1-63 characters long. -See https://cloud.google.com/compute/docs/naming-resources for details.
- -###GCPResourceReference { #hypershift.openshift.io/v1beta1.GCPResourceReference } +###GCPNodePoolPlatform { #hypershift.openshift.io/v1beta1.GCPNodePoolPlatform }(Appears on: -GCPNetworkConfig) +NodePoolPlatform)
-
GCPResourceReference represents a reference to a GCP resource by name. -Follows GCP naming patterns (name-based APIs, not ID-based like AWS). -See https://google.aip.dev/122 for GCP resource name standards.
+GCPNodePoolPlatform specifies the configuration of a NodePool when operating on GCP. +This follows the AWS and Azure patterns for platform-specific NodePool configuration.
-name
+machineType
-
-GCPResourceName
-
+string
|
- name is the name of the GCP resource. -Must conform to GCP resource naming standards: lowercase letters, numbers, and hyphens only. -Must start with a lowercase letter and end with a lowercase letter or number, max 63 characters. -Pattern: “^a-z?$” (max 63 chars), per GCP naming requirements. -See https://cloud.google.com/compute/docs/naming-resources for details. +machineType is the GCP machine type for node instances (e.g. n2-standard-4). +Must follow GCP machine type naming conventions as documented at: +https://cloud.google.com/compute/docs/machine-resource#machine_type_comparison +Valid machine type formats: +- predefined: n1-standard-1, n2-highmem-4, c2-standard-8, etc. +- custom: custom-{cpus}-{memory} (e.g. custom-4-8192) +- custom with extended memory: custom-{cpus}-{memory}-ext (e.g. custom-2-13312-ext) |
-(Appears on: -GCPNodeServiceAccount, -GCPServiceAccountsEmails) -
--
GCPServiceAccountEmail is the email address of a Google Service Account. -Format: service-account-name@project-id.iam.gserviceaccount.com -See https://cloud.google.com/iam/docs/service-accounts-create for service account naming rules.
- -###GCPServiceAccountsEmails { #hypershift.openshift.io/v1beta1.GCPServiceAccountsEmails } --(Appears on: -GCPWorkloadIdentityConfig) -
--
GCPServiceAccountsEmails contains email addresses of Google Service Accounts for different controllers. -Each service account should have the appropriate IAM permissions for its specific role.
- -| Field | -Description | +
+zone
+
+string
+
+ |
+
+ zone is the GCP zone where node instances will be created. +Must be a valid zone within the cluster’s region. +Format: {region}-{zone} (e.g. us-central1-a, europe-west2-b) +See https://cloud.google.com/compute/docs/regions-zones for available zones. + |
|---|---|---|---|
-nodePool
+subnet
-
-GCPServiceAccountEmail
-
+string
|
- nodePool is the Google Service Account email for CAPG controllers -that manage NodePool infrastructure (VMs, networks, disks, etc.). -This GSA requires the following IAM roles: -- roles/compute.instanceAdmin.v1 (Compute Instance Admin v1) -- roles/compute.networkAdmin (Compute Network Admin) -- roles/iam.serviceAccountUser (Service Account User - to attach service accounts to VMs) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of subnet is the name of the subnet where node instances will be created. +Must be a subnet within the VPC network specified in the HostedCluster’s +networkConfig and located in the same region as the zone. +The subnet must have enough IP addresses available for the expected number of nodes. |
||
-controlPlane
+image
+
+string
+
+ |
+
+(Optional)
+ image specifies the boot image for node instances. +If unspecified, the default RHCOS image will be used based on the NodePool release payload. +Can be: +- A family name: projects/rhel-cloud/global/images/family/rhel-8 +- A specific image: projects/rhel-cloud/global/images/rhel-8-v20231010 +- A full resource URL: https://www.googleapis.com/compute/v1/projects/rhel-cloud/global/images/rhel-8-v20231010 + |
+||
+bootDisk
-
-GCPServiceAccountEmail
+
+GCPBootDisk
|
- controlPlane is the Google Service Account email for the Control Plane Operator -that manages control plane infrastructure and resources. -This GSA requires the following IAM roles: -- roles/dns.admin (DNS Admin - for managing DNS records) -- roles/compute.networkAdmin (Compute Network Admin - for network management) -- roles/compute.viewer (Compute Viewer - for CCM to read instance metadata) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of bootDisk specifies the configuration for the boot disk of node instances. |
||
-cloudController
+serviceAccount
-
-GCPServiceAccountEmail
+
+GCPNodeServiceAccount
|
- cloudController is the Google Service Account email for the Cloud Controller Manager -that manages LoadBalancer services and node lifecycle in the hosted cluster. -This GSA requires the following IAM roles: -- roles/compute.loadBalancerAdmin (Load Balancer Admin - for provisioning GCP load balancers) -- roles/compute.securityAdmin (Security Admin - for managing firewall rules) -- roles/compute.viewer (Compute Viewer - for reading instance metadata for node management) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of serviceAccount configures the Google Service Account attached to node instances. +If not specified, uses the default compute service account for the project. |
||
-storage
+resourceLabels
-
-GCPServiceAccountEmail
+
+[]GCPResourceLabel
|
- storage is the Google Service Account email for the GCP PD CSI Driver -that manages Persistent Disk storage operations (create, attach, delete volumes). -This GSA requires the following IAM roles: -- roles/compute.storageAdmin (Compute Storage Admin - for managing persistent disks) -- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for attaching disks to VMs) -- roles/iam.serviceAccountUser (Service Account User - for impersonation) -- roles/resourcemanager.tagUser (Tag User - for applying resource tags to disks) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of resourceLabels is an optional list of additional labels to apply to GCP node +instances and their associated resources (disks, etc.). +Labels will be merged with cluster-level resource labels, with NodePool labels +taking precedence in case of conflicts. +Keys and values must conform to GCP labeling requirements: +- Keys: 1–63 chars, must start with a lowercase letter; allowed [a-z0-9-] +- Values: empty or 1–63 chars; allowed [a-z0-9-] +- Maximum 60 user labels per resource (GCP limit is 64 total, with ~4 reserved) |
||
-imageRegistry
+networkTags
+
+[]string
+
+ |
+
+(Optional)
+ networkTags is an optional list of network tags to apply to node instances. +These tags are used by GCP firewall rules to control network access. +Tags must conform to GCP naming conventions: +- 1-63 characters +- Lowercase letters, numbers, and hyphens only +- Must start with lowercase letter +- Cannot end with hyphen + |
+||
+provisioningModel
-
-GCPServiceAccountEmail
+
+GCPProvisioningModel
|
- imageRegistry is the Google Service Account email for the Image Registry Operator -that manages GCS storage for the internal container image registry. -This GSA requires the following IAM roles: -- roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of provisioningModel specifies the provisioning model for node instances. +Spot and Preemptible instances cost less but can be terminated by GCP with 30 seconds notice. +Spot instances are recommended over Preemptible as they have no maximum runtime limit. +Standard instances are regular VMs that run until explicitly stopped. +If not specified, defaults to “Standard”. |
||
-network
+onHostMaintenance
-
-GCPServiceAccountEmail
-
+string
|
- network is the Google Service Account email for the Cloud Network Config Controller -that manages cloud-level network configurations (egress IPs, subnets). -This GSA requires the following IAM roles: -- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for managing network interfaces) -- roles/compute.networkUser (Compute Network User - for using subnets) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of onHostMaintenance specifies the behavior when host maintenance occurs. +For Spot and Preemptible instances, this must be “TERMINATE”. +For Standard instances, can be “MIGRATE” (live migrate) or “TERMINATE”. +If not specified, defaults to “MIGRATE” for Standard instances and “TERMINATE” for Spot/Preemptible. |
(Appears on: -GCPPlatformSpec) +GCPNodePoolPlatform)
-
GCPWorkloadIdentityConfig configures Workload Identity Federation for GCP clusters. -This enables secure, short-lived token-based authentication without storing -long-term service account keys.
+GCPNodeServiceAccount specifies the Google Service Account configuration for node instances.
-projectNumber
+email
string
|
- projectNumber is the numeric GCP project identifier for WIF configuration. -This differs from the project ID and is required for workload identity pools. -Must be a numeric string representing the GCP project number. -See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project number details. -This is a user-provided value obtained from GCP (found in GCP Console or via email specifies the email address of the Google Service Account to use for node instances. +If not specified, uses the default compute service account for the project. +The service account must have the necessary permissions for the node to function: +- Logging writer +- Monitoring metric writer +- Storage object viewer (for pulling container images) |
-poolID
+scopes
-string
+[]string
|
- poolID is the workload identity pool identifier within the project. -This pool is used to manage external identity mappings. -Must be 4-32 characters and start with a lowercase letter. -Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). -Cannot start or end with a hyphen. -The prefix “gcp-” is reserved by Google and cannot be used. -See https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers for naming rules. -This is a user-provided value referencing a pre-created Workload Identity Pool.
-Typically obtained from the output of scopes specifies the access scopes for the service account. +If not specified, defaults to standard compute scopes. +Common scopes include: +- “https://www.googleapis.com/auth/devstorage.read_only” - Storage read-only +- “https://www.googleapis.com/auth/logging.write” - Logging write +- “https://www.googleapis.com/auth/monitoring.write” - Monitoring write +- “https://www.googleapis.com/auth/cloud-platform” - Full access (use with caution) |
+
GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
+ +
-providerID
-
-string
-
- |
-
- providerID is the workload identity provider identifier within the pool. -This provider handles the token exchange between external and GCP identities. -Must be 4-32 characters and start with a lowercase letter. -Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). -Cannot start or end with a hyphen. -The prefix “gcp-” is reserved by Google and cannot be used. -See https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers for naming rules. -This is a user-provided value referencing a pre-created OIDC Provider within the WIF Pool.
-Typically obtained from the output of |
+Value | +Description |
|---|---|---|---|
-serviceAccountsEmails,omitzero
-
-
-GCPServiceAccountsEmails
-
-
+ | |||
"MIGRATE" |
+GCPOnHostMaintenanceMigrate causes Compute Engine to live migrate an instance during host maintenance. |
-
- serviceAccountsEmails contains email addresses of various Google Service Accounts -required to enable integrations for different controllers and operators. -This follows the AWS pattern of having different roles for different purposes. + | |
"TERMINATE" |
+GCPOnHostMaintenanceTerminate causes Compute Engine to stop an instance during host maintenance. |
-
(Appears on: -HCPEtcdBackupStorage) +PlatformSpec)
-
HCPEtcdBackupAzureBlob defines the Azure Blob storage configuration for etcd backups.
+GCPPlatformSpec specifies configuration for clusters running on Google Cloud Platform.
-container
+project
string
|
- container is the name of the Azure Blob container where backups are stored. -Must be 3-63 characters, lowercase letters, numbers, and hyphens only. -Must start and end with a letter or number. Consecutive hyphens are not allowed. -See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#container-names +project is the GCP project ID.
+A valid project ID must satisfy the following rules:
+length: Must be between 6 and 30 characters, inclusive
+characters: Only lowercase letters ( |
-storageAccount
+region
string
|
- storageAccount is the name of the Azure Storage Account. -Must be 3-24 characters, lowercase letters and numbers only. -See https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#storage-account-name +region is the GCP region in which the cluster resides.
+Must be in the form of |
-keyPrefix
+networkConfig
-string
+
+GCPNetworkConfig
+
|
- keyPrefix is the blob name prefix for the backup file. -Must consist of valid blob name characters: alphanumeric characters, forward slashes, -hyphens, underscores, and periods. -See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#blob-names +networkConfig specifies VPC configuration for Private Service Connect. +Required for VPC configuration in Private Service Connect deployments. |
-credentials,omitzero
+endpointAccess
-
-SecretReference
+
+GCPEndpointAccessType
|
- credentials references a Secret containing Azure credentials for uploading -to Blob Storage. The Secret must exist in the Hypershift Operator namespace. +(Optional) +endpointAccess controls API endpoint accessibility for the HostedControlPlane on GCP. +Allowed values: “Private”, “PublicAndPrivate”. Defaults to “Private”. |
-encryptionKeyURL
+resourceLabels
-string
+
+[]GCPResourceLabel
+
|
(Optional)
- encryptionKeyURL is the URL of the Azure Key Vault key used for encryption.
-Must be a valid Azure Key Vault key URL in the format
-“https:// resourceLabels are applied to all GCP resources created for the cluster. +Labels are key-value pairs used for organizing and managing GCP resources. +Changes to this field will be propagated in-place to GCP resources where supported. +GCP supports a maximum of 64 labels per resource. HyperShift reserves approximately 4 labels for system use. +For GCP labeling guidance, see https://cloud.google.com/compute/docs/labeling-resources + |
+
+workloadIdentity,omitzero
+
+
+GCPWorkloadIdentityConfig
+
+
+ |
+
+ workloadIdentity configures Workload Identity Federation for the cluster. +This enables secure, short-lived token-based authentication without storing +long-term service account keys. These fields are immutable after cluster creation +to prevent breaking the authentication chain. +Prerequisites for WIF setup: +- Workload Identity Pool and Provider must exist in the GCP project +- Provider must be configured with audience mapping for OpenShift SA tokens +- Target Google Service Account must have roles/iam.workloadIdentityUser +granted to the workload pool principal (e.g., principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/system:serviceaccount:kube-system:capi-gcp-controller-manager) +- Attribute mappings on the provider should include google.subject for token subject verification |
(Appears on: -ManagedEtcdSpec) +GCPPrivateServiceConnect)
-
HCPEtcdBackupConfig defines the backup encryption configuration that is propagated -from the HostedCluster to the HostedControlPlane via ManagedEtcdSpec. -Exactly one platform-specific block must be specified, matching the platform discriminator.
+GCPPrivateServiceConnectSpec defines the desired state of PSC infrastructure
-platform
+loadBalancerIP
-
-HCPEtcdBackupConfigPlatform
-
+string
|
- platform specifies the cloud platform for backup encryption configuration. -Valid values are “AWS” for AWS KMS encryption and “Azure” for Azure Key Vault encryption. +loadBalancerIP is the IP address of the Internal Load Balancer +Populated by the observer from service status +This value must be a valid IPv4 or IPv6 address. |
-aws,omitzero
+forwardingRuleName
-
-HCPEtcdBackupConfigAWS
-
+string
|
(Optional)
- aws contains AWS-specific backup encryption configuration. -Required when platform is “AWS”, and forbidden otherwise. +forwardingRuleName is the name of the Internal Load Balancer forwarding rule +Populated by the reconciler via GCP API lookup |
-azure,omitzero
+consumerAcceptList
-
-HCPEtcdBackupConfigAzure
-
+[]string
|
-(Optional)
- azure contains Azure-specific backup encryption configuration. -Required when platform is “Azure”, and forbidden otherwise. +consumerAcceptList specifies which customer projects can connect +Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”) |
-(Appears on: -HCPEtcdBackupConfig) -
--
HCPEtcdBackupConfigAWS defines AWS-specific encryption settings for etcd backups.
- -| Field | -Description | -
|---|---|
-kmsKeyARN
+natSubnet
string
|
- kmsKeyARN is the ARN of the AWS KMS key to use for encrypting etcd backup artifacts in S3.
-Must be a valid AWS KMS key ARN in the format
-“arn: natSubnet is the subnet used for NAT by the Service Attachment +Auto-populated by the HyperShift Operator |
(Appears on: -HCPEtcdBackupConfig) +GCPPrivateServiceConnect)
-
HCPEtcdBackupConfigAzure defines Azure-specific encryption settings for etcd backups.
+GCPPrivateServiceConnectStatus defines the observed state of PSC infrastructure
-encryptionKeyURL
+conditions
-string
+
+[]Kubernetes meta/v1.Condition
+
|
- encryptionKeyURL is the URL of the Azure Key Vault key to use for encrypting etcd backup artifacts.
-Must be a valid Azure Key Vault key URL in the format
-“https:// conditions represent the current state of PSC infrastructure +Current condition types are: “GCPPrivateServiceConnectAvailable”, “GCPServiceAttachmentAvailable”, “GCPEndpointAvailable”, “GCPDNSAvailable” |
-(Appears on: -HCPEtcdBackupConfig) -
--
HCPEtcdBackupConfigPlatform identifies the cloud platform for backup encryption configuration.
- -| Value | -Description | -|
|---|---|---|
"AWS" |
-AWSBackupConfigPlatform indicates AWS KMS encryption for backup artifacts. + |
+serviceAttachmentName
+
+string
+
|
-
"Azure" |
-AzureBackupConfigPlatform indicates Azure Key Vault encryption for backup artifacts. + |
+(Optional)
+ serviceAttachmentName is the name of the created Service Attachment |
-
-(Appears on: -HCPEtcdBackupStatus) -
--
HCPEtcdBackupEncryptionMetadata contains platform-specific metadata about the -encryption applied to the backup artifact in cloud storage. -The presence of a platform block indicates that encryption was applied.
- -| Field | -Description |
|---|---|
-aws,omitzero
+serviceAttachmentURI
-
-HCPEtcdBackupEncryptionMetadataAWS
-
+string
|
(Optional)
- aws contains AWS-specific encryption metadata for the backup. +serviceAttachmentURI is the URI customers use to connect +Format: projects/{project}/regions/{region}/serviceAttachments/{name} |
-azure,omitzero
+endpointIP
-
-HCPEtcdBackupEncryptionMetadataAzure
-
+string
|
(Optional)
- azure contains Azure-specific encryption metadata for the backup. +endpointIP is the reserved IP address for the PSC endpoint +This value must be a valid IPv4 or IPv6 address. |
-(Appears on: -HCPEtcdBackupEncryptionMetadata) -
--
HCPEtcdBackupEncryptionMetadataAWS contains AWS-specific encryption metadata. -The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
- -| Field | -Description | -
|---|---|
-kmsKeyARN
+dnsZones
-string
+
+[]DNSZoneStatus
+
|
- kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup in S3.
-Must be a valid AWS KMS key ARN in the format
-“arn: dnsZones contains DNS zone information created for this cluster |
(Appears on: -HCPEtcdBackupEncryptionMetadata) +GCPNodePoolPlatform)
-
HCPEtcdBackupEncryptionMetadataAzure contains Azure-specific encryption metadata. -The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
+GCPProvisioningModel defines the provisioning model for GCP node instances. +Follows GCP’s provisioning model terminology for compute instances.
| Field | +Value | Description |
|---|---|---|
-encryptionKeyURL
-
-string
-
+ | ||
"Preemptible" |
+GCPProvisioningModelPreemptible specifies preemptible instances (legacy). +Preemptible instances are lower-cost instances that can be terminated by GCP +with 30 seconds notice when capacity is needed elsewhere. +Note: Preemptible instances have a maximum runtime of 24 hours. +Consider using Spot instances instead, which have no maximum runtime limit. |
-
- encryptionKeyURL is the URL of the Azure Key Vault key used for encryption of the backup.
-Must be a valid Azure Key Vault key URL in the format
-“https:// |
"Spot" |
+GCPProvisioningModelSpot specifies Spot instances. +Spot instances are lower-cost instances that can be terminated by GCP +with 30 seconds notice when capacity is needed elsewhere. +Unlike preemptible instances, Spot instances have no maximum runtime limit. +This is the recommended option for cost-effective, interruptible workloads. |
-|
"Standard" |
+GCPProvisioningModelStandard specifies standard (non-preemptible) instances. +Standard instances run until explicitly stopped and are not subject to automatic termination. + |
+
(Appears on: -HCPEtcdBackupStorage) +GCPNodePoolPlatform, +GCPPlatformSpec)
-
HCPEtcdBackupS3 defines the S3 storage configuration for etcd backups.
+GCPResourceLabel is a label to apply to GCP resources created for the cluster. +Labels are key-value pairs used for organizing and managing GCP resources. +See https://cloud.google.com/compute/docs/labeling-resources for GCP labeling guidance.
-bucket
-
-string
-
- |
-
- bucket is the name of the S3 bucket where backups are stored. -Must be 3-63 characters, lowercase letters, numbers, hyphens, and periods only. -Must start and end with a letter or number. Consecutive periods are not allowed. -See https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html - |
-
-region
-
-string
-
- |
-
- region is the AWS region where the S3 bucket is located (e.g. “us-east-1”). -Must be a valid AWS region identifier: lowercase letters, digits, and hyphens. -Must start and end with an alphanumeric character, no consecutive hyphens. - |
-
-keyPrefix
+key
string
|
- keyPrefix is the S3 key prefix for the backup file. -Must consist of safe S3 object key characters: alphanumeric characters, -forward slashes, hyphens, underscores, periods, exclamation marks, -asterisks, single quotes, and parentheses. -See https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html - |
-
-credentials,omitzero
-
-
-SecretReference
-
-
- |
-
- credentials references a Secret containing AWS credentials for uploading -to S3. The Secret must exist in the Hypershift Operator namespace and contain a -‘credentials’ key with a valid AWS credentials file. +key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty. +For Compute Engine resources (VMs, disks, networks created by CAPG), keys must: +- Start with a lowercase letter +- Contain only lowercase letters, digits, underscores, or hyphens +- End with a lowercase letter or digit (not a hyphen or underscore) +- Be 1-63 characters long +GCP reserves the ‘goog’ prefix for system labels. +See https://cloud.google.com/compute/docs/labeling-resources for Compute Engine label requirements. |
-kmsKeyARN
+value
string
|
(Optional)
- kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup.
-Must be a valid AWS KMS key ARN in the format
-“arn: value is the value part of the label. A label value can have a maximum of 63 characters. +Empty values are allowed by GCP. If non-empty, it must start with a lowercase letter, +contain only lowercase letters, digits, underscores, or hyphens, and end with a lowercase letter or digit. +See https://cloud.google.com/compute/docs/labeling-resources for Compute Engine label requirements. |
(Appears on: -HCPEtcdBackup) +GCPNetworkConfig)
-
HCPEtcdBackupSpec defines the desired state of HCPEtcdBackup. -HCPEtcdBackup is a one-shot backup request; the entire spec is immutable once created.
+GCPResourceReference represents a reference to a GCP resource by name. +Follows GCP naming patterns (name-based APIs, not ID-based like AWS). +See https://google.aip.dev/122 for GCP resource name standards.
-storage,omitzero
+name
-
-HCPEtcdBackupStorage
-
+string
|
- storage defines the cloud storage backend where the etcd snapshot will be uploaded. +name is the name of the GCP resource. +Must conform to GCP resource naming standards: lowercase letters, numbers, and hyphens only. +Must start with a lowercase letter and end with a lowercase letter or number, max 63 characters. +Pattern: “^a-z?$” (max 63 chars), per GCP naming requirements. +See https://cloud.google.com/compute/docs/naming-resources for details. |
(Appears on: -HCPEtcdBackup) +GCPWorkloadIdentityConfig)
-
HCPEtcdBackupStatus defines the observed state of HCPEtcdBackup.
+GCPServiceAccountsEmails contains email addresses of Google Service Accounts for different controllers. +Each service account should have the appropriate IAM permissions for its specific role.
-conditions
+nodePool
-
-[]Kubernetes meta/v1.Condition
-
+string
|
-(Optional)
- conditions contains details for the current state of the etcd backup. -The following condition types are expected: -- “BackupCompleted”: indicates whether the etcd backup has completed (True=success, False=failure). +nodePool is the Google Service Account email for CAPG controllers +that manage NodePool infrastructure (VMs, networks, disks, etc.). +This GSA requires the following IAM roles: +- roles/compute.instanceAdmin.v1 (Compute Instance Admin v1) +- roles/compute.networkAdmin (Compute Network Admin) +- roles/iam.serviceAccountUser (Service Account User - to attach service accounts to VMs) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
-snapshotURL
+controlPlane
string
|
-(Optional)
- snapshotURL is the URL of the completed backup snapshot in cloud storage. -Must be a valid URL with scheme https or s3. +controlPlane is the Google Service Account email for the Control Plane Operator +that manages control plane infrastructure and resources. +This GSA requires the following IAM roles: +- roles/dns.admin (DNS Admin - for managing DNS records) +- roles/compute.networkAdmin (Compute Network Admin - for network management) +- roles/compute.viewer (Compute Viewer - for CCM to read instance metadata) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
+
+cloudController
+
+string
+
+ |
+
+ cloudController is the Google Service Account email for the Cloud Controller Manager +that manages LoadBalancer services and node lifecycle in the hosted cluster. +This GSA requires the following IAM roles: +- roles/compute.loadBalancerAdmin (Load Balancer Admin - for provisioning GCP load balancers) +- roles/compute.securityAdmin (Security Admin - for managing firewall rules) +- roles/compute.viewer (Compute Viewer - for reading instance metadata for node management) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
-encryptionMetadata,omitzero
+storage
-
-HCPEtcdBackupEncryptionMetadata
-
+string
|
-(Optional)
- encryptionMetadata contains metadata about the encryption of the backup. -When present, at least one platform-specific encryption block must be set. +storage is the Google Service Account email for the GCP PD CSI Driver +that manages Persistent Disk storage operations (create, attach, delete volumes). +This GSA requires the following IAM roles: +- roles/compute.storageAdmin (Compute Storage Admin - for managing persistent disks) +- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for attaching disks to VMs) +- roles/iam.serviceAccountUser (Service Account User - for impersonation) +- roles/resourcemanager.tagUser (Tag User - for applying resource tags to disks) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
(Appears on: -HCPEtcdBackupSpec) +GCPPlatformSpec)
-
HCPEtcdBackupStorage defines the cloud storage backend configuration for the backup. -Exactly one storage backend must be specified, matching the storageType discriminator.
+GCPWorkloadIdentityConfig configures Workload Identity Federation for GCP clusters. +This enables secure, short-lived token-based authentication without storing +long-term service account keys.
-storageType
+projectNumber
-
-HCPEtcdBackupStorageType
-
+string
|
- storageType specifies the type of cloud storage backend for the etcd backup. -Valid values are “S3” for AWS S3 storage and “AzureBlob” for Azure Blob Storage. +projectNumber is the numeric GCP project identifier for WIF configuration. +This differs from the project ID and is required for workload identity pools. +Must be a numeric string representing the GCP project number. +This is a user-provided value obtained from GCP (found in GCP Console or via |
-s3,omitzero
+poolID
-
-HCPEtcdBackupS3
-
+string
|
-(Optional)
- s3 specifies the S3 storage configuration for the etcd backup. -Required when storageType is “S3”, and forbidden otherwise. +poolID is the workload identity pool identifier within the project. +This pool is used to manage external identity mappings. +Must be 4-32 characters and start with a lowercase letter. +Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). +Cannot start or end with a hyphen. +The prefix “gcp-” is reserved by Google and cannot be used. +This is a user-provided value referencing a pre-created Workload Identity Pool.
+Typically obtained from the output of |
-azureBlob,omitzero
+providerID
-
-HCPEtcdBackupAzureBlob
-
+string
|
-(Optional)
- azureBlob specifies the Azure Blob storage configuration for the etcd backup. -Required when storageType is “AzureBlob”, and forbidden otherwise. +providerID is the workload identity provider identifier within the pool. +This provider handles the token exchange between external and GCP identities. +Must be 4-32 characters and start with a lowercase letter. +Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). +Cannot start or end with a hyphen. +The prefix “gcp-” is reserved by Google and cannot be used. +This is a user-provided value referencing a pre-created OIDC Provider within the WIF Pool.
+Typically obtained from the output of |
-(Appears on: -HCPEtcdBackupStorage) -
--
HCPEtcdBackupStorageType is the type of storage for etcd backups.
- -| Value | -Description | -|
|---|---|---|
"AzureBlob" |
-AzureBlobBackupStorage indicates that the backup is stored in Azure Blob Storage. + |
+serviceAccountsEmails,omitzero
+
+
+GCPServiceAccountsEmails
+
+
|
-
"S3" |
-S3BackupStorage indicates that the backup is stored in AWS S3. + |
+ serviceAccountsEmails contains email addresses of various Google Service Accounts +required to enable integrations for different controllers and operators. +This follows the AWS pattern of having different roles for different purposes. |
-
@@ -8936,8 +7247,7 @@ AutoNode
autoNode specifies the configuration for automatic node provisioning and lifecycle management. -When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads.
+autoNode specifies the configuration for the autoNode feature.
controlPlaneVersion,omitzero
-
-
-ControlPlaneVersionStatus
-
-
-controlPlaneVersion tracks the rollout status of the control plane -components running on the management cluster, independently from -the data-plane version reported in the version field.
-version
@@ -9450,20 +7744,6 @@ PlatformStatus
autoNode,omitzero
-
-
-AutoNodeStatus
-
-
-autoNode contains the observed state of the autoNode (Karpenter) provisioner.
-configuration
@@ -9934,10 +8214,7 @@ AutoNode
autoNode specifies the configuration for automatic node provisioning -and lifecycle management. When set, nodes are automatically provisioned -using the specified provisioner (e.g. Karpenter) instead of requiring -manual NodePool management.
+autoNode specifies the configuration for the autoNode feature.
controlPlaneVersion,omitzero
-
-
-ControlPlaneVersionStatus
-
-
-controlPlaneVersion tracks the rollout status of the control plane -components running on the management cluster, independently from -the data-plane version reported in the version field.
-versionStatus
@@ -10252,20 +8513,6 @@ int
autoNode,omitzero
-
-
-AutoNodeStatus
-
-
-autoNode contains the observed state of the autoNode (Karpenter) provisioner.
-configuration
@@ -10784,308 +9031,77 @@ KMSProvider
provider defines the KMS provider
-ibmcloud
-
-
-IBMCloudKMSSpec
-
-
-ibmcloud defines metadata for the IBM Cloud KMS encryption strategy
-aws
-
-
-AWSKMSSpec
-
-
-aws defines metadata about the configuration of the AWS KMS Secret Encryption provider
-azure
-
-
-AzureKMSSpec
-
-
-azure defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault
--(Appears on: -KarpenterConfig) -
--
KarpenterAWSConfig specifies AWS-specific configuration for the Karpenter provisioner.
- -| Field | -Description | -
|---|---|
-roleARN
-
-string
-
- |
-
- roleARN specifies the ARN of the IAM role that Karpenter assumes to provision -and manage EC2 instances in the hosted cluster’s AWS account. -The referenced role must have a trust relationship that allows it to be assumed
-by the karpenter service account in the hosted cluster via OIDC.
-Example:
-{
-“Version”: “2012-10-17”,
-“Statement”: [
-{
-“Effect”: “Allow”,
-“Principal”: {
-“Federated”: “ The following is an example of the policy document for this role. -{ -“Version”: “2012-10-17”, -“Statement”: [ -{ -“Sid”: “AllowScopedEC2InstanceAccessActions”, -“Effect”: “Allow”, -“Resource”: [ -“arn::ec2:::image/”, -“arn::ec2:::snapshot/”, -“arn::ec2:::security-group/”, -“arn::ec2:::subnet/” -], -“Action”: [ -“ec2:RunInstances”, -“ec2:CreateFleet” -] -}, -{ -“Sid”: “AllowScopedEC2LaunchTemplateAccessActions”, -“Effect”: “Allow”, -“Resource”: “arn::ec2:::launch-template/”, -“Action”: [ -“ec2:RunInstances”, -“ec2:CreateFleet” -] -}, -{ -“Sid”: “AllowScopedEC2InstanceActionsWithTags”, -“Effect”: “Allow”, -“Resource”: [ -“arn::ec2:::fleet/”, -“arn::ec2:::instance/”, -“arn::ec2:::volume/”, -“arn::ec2:::network-interface/”, -“arn::ec2:::launch-template/”, -“arn::ec2:::spot-instances-request/” -], -“Action”: [ -“ec2:RunInstances”, -“ec2:CreateFleet”, -“ec2:CreateLaunchTemplate” -], -“Condition”: { -“StringLike”: { -“aws:RequestTag/karpenter.sh/nodepool”: “” -} -} -}, -{ -“Sid”: “AllowScopedResourceCreationTagging”, -“Effect”: “Allow”, -“Resource”: [ -“arn::ec2:::fleet/”, -“arn::ec2:::instance/”, -“arn::ec2:::volume/”, -“arn::ec2:::network-interface/”, -“arn::ec2:::launch-template/”, -“arn::ec2:::spot-instances-request/” -], -“Action”: “ec2:CreateTags”, -“Condition”: { -“StringEquals”: { -“ec2:CreateAction”: [ -“RunInstances”, -“CreateFleet”, -“CreateLaunchTemplate” -] -}, -“StringLike”: { -“aws:RequestTag/karpenter.sh/nodepool”: “” -} -} -}, -{ -“Sid”: “AllowScopedResourceTagging”, -“Effect”: “Allow”, -“Resource”: “arn::ec2:::instance/”, -“Action”: “ec2:CreateTags”, -“Condition”: { -“StringLike”: { -“aws:ResourceTag/karpenter.sh/nodepool”: “” -} -} -}, -{ -“Sid”: “AllowScopedDeletion”, -“Effect”: “Allow”, -“Resource”: [ -“arn::ec2:::instance/”, -“arn::ec2:::launch-template/” -], -“Action”: [ -“ec2:TerminateInstances”, -“ec2:DeleteLaunchTemplate” -], -“Condition”: { -“StringLike”: { -“aws:ResourceTag/karpenter.sh/nodepool”: “” -} -} -}, -{ -“Sid”: “AllowRegionalReadActions”, -“Effect”: “Allow”, -“Resource”: “”, -“Action”: [ -“ec2:DescribeImages”, -“ec2:DescribeInstances”, -“ec2:DescribeInstanceTypeOfferings”, -“ec2:DescribeInstanceTypes”, -“ec2:DescribeLaunchTemplates”, -“ec2:DescribeSecurityGroups”, -“ec2:DescribeSpotPriceHistory”, -“ec2:DescribeSubnets” -] -}, -{ -“Sid”: “AllowSSMReadActions”, -“Effect”: “Allow”, -“Resource”: “arn::ssm:::parameter/aws/service/”, -“Action”: “ssm:GetParameter” -}, -{ -“Sid”: “AllowPricingReadActions”, -“Effect”: “Allow”, -“Resource”: “”, -“Action”: “pricing:GetProducts” -}, -{ -“Sid”: “AllowInterruptionQueueActions”, -“Effect”: “Allow”, -“Resource”: “”, -“Action”: [ -“sqs:DeleteMessage”, -“sqs:GetQueueUrl”, -“sqs:ReceiveMessage” -] -}, -{ -“Sid”: “AllowPassingInstanceRole”, -“Effect”: “Allow”, -“Resource”: “arn::iam:::role/”, -“Action”: “iam:PassRole”, -“Condition”: { -“StringEquals”: { -“iam:PassedToService”: [ -“ec2.amazonaws.com”, -“ec2.amazonaws.com.cn” -] -} -} -}, -{ -“Sid”: “AllowScopedInstanceProfileCreationActions”, -“Effect”: “Allow”, -“Resource”: “arn::iam:::instance-profile/”, -“Action”: [ -“iam:CreateInstanceProfile” -], -“Condition”: { -“StringLike”: { -“aws:RequestTag/karpenter.k8s.aws/ec2nodeclass”: “” -} -} -}, -{ -“Sid”: “AllowScopedInstanceProfileTagActions”, -“Effect”: “Allow”, -“Resource”: “arn::iam:::instance-profile/”, -“Action”: [ -“iam:TagInstanceProfile” -], -“Condition”: { -“StringLike”: { -“aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass”: “”, -“aws:RequestTag/karpenter.k8s.aws/ec2nodeclass”: “” -} -} -}, -{ -“Sid”: “AllowScopedInstanceProfileActions”, -“Effect”: “Allow”, -“Resource”: “arn::iam:::instance-profile/”, -“Action”: [ -“iam:AddRoleToInstanceProfile”, -“iam:RemoveRoleFromInstanceProfile”, -“iam:DeleteInstanceProfile” -], -“Condition”: { -“StringLike”: { -“aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass”: “” -} -} -}, -{ -“Sid”: “AllowInstanceProfileReadActions”, -“Effect”: “Allow”, -“Resource”: “arn::iam:::instance-profile/”, -“Action”: “iam:GetInstanceProfile” -}, -{ -“Sid”: “AllowUnscopedInstanceProfileListAction”, -“Effect”: “Allow”, -“Resource”: “”, -“Action”: “iam:ListInstanceProfiles” -} -] -} +provider defines the KMS provider + |
+
+ibmcloud
+
+
+IBMCloudKMSSpec
+
+
+ |
+
+(Optional)
+ ibmcloud defines metadata for the IBM Cloud KMS encryption strategy + |
+
+aws
+
+
+AWSKMSSpec
+
+
+ |
+
+(Optional)
+ aws defines metadata about the configuration of the AWS KMS Secret Encryption provider + |
+
+azure
+
+
+AzureKMSSpec
+
+
+ |
+
+(Optional)
+ azure defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault + |
+
+(Appears on: +KarpenterConfig) +
++
+| Field | +Description | +|
|---|---|---|
+roleARN
+
+string
+
+ |
+
+ roleARN specifies the ARN of the Karpenter provisioner. |
|
- platform specifies the infrastructure platform that Karpenter should provision nodes on. +platform specifies the platform-specific configuration for Karpenter. |
|
-backup,omitzero
-
-
-HCPEtcdBackupConfig
-
-
- |
-
-(Optional)
- backup defines the backup configuration for managed etcd, including -optional KMS key settings for artifact encryption in cloud storage. -This configuration is only used when an HCPEtcdBackup CR exists. - |
-
(Appears on: -CapacityReservationOptions, -PlacementOptions) +CapacityReservationOptions)
-
MarketType describes the market type for EC2 instances.
+MarketType describes the market type of the CapacityReservation for an Instance.
"CapacityBlocks" |
-MarketTypeCapacityBlock is a MarketType enum value for Capacity Blocks. + | MarketTypeCapacityBlock is a MarketType enum value |
"OnDemand" |
-MarketTypeOnDemand is a MarketType enum value for standard on-demand instances. - |
-|
"Spot" |
-MarketTypeSpot is a MarketType enum value for Spot instances. -Spot instances use spare EC2 capacity at reduced prices but may be interrupted. + | MarketTypeOnDemand is a MarketType enum value |
-(Appears on: -NodePoolStatus) -
--
NodePoolNodesInfo aggregates observed information about nodes belonging to this NodePool.
- -| Field | -Description | -
|---|---|
-nodeVersions
-
-
-[]NodeVersion
-
-
- |
-
- nodeVersions summarizes the versions and health of nodes belonging -to this NodePool. Each entry represents a distinct version combination -and the number of ready/unready nodes running it. - |
-
(Appears on: @@ -13346,21 +11306,6 @@ the NodePool.
nodesInfo,omitzero
-
-
-NodePoolNodesInfo
-
-
-nodesInfo contains aggregated information observed from nodes belonging -to this NodePool.
-platform
@@ -13432,73 +11377,6 @@ assigned when the service is created.
-(Appears on: -NodePoolNodesInfo) -
--
NodeVersion represents a version combination and the count of ready and unready nodes running it.
- -| Field | -Description | -
|---|---|
-ocpVersion
-
-string
-
- |
-
- ocpVersion is the OpenShift release version this node was provisioned -or upgraded with. - |
-
-kubeletVersion
-
-string
-
- |
-
- kubeletVersion is the kubelet version reported by the node, as observed -from Machine.Status.NodeInfo.KubeletVersion. - |
-
-readyNodeCount
-
-int32
-
- |
-
- readyNodeCount is the number of nodes running this version where the -CAPI NodeHealthy condition is True. - |
-
-unreadyNodeCount
-
-int32
-
- |
-
- unreadyNodeCount is the number of nodes running this version where the -CAPI NodeHealthy condition is not True. Useful for tracking upgrade -progress and detecting stuck nodes. - |
-
(Appears on: @@ -13616,28 +11494,6 @@ this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.
-mtu
-
-int32
-
-mtu is the MTU to use for the tunnel interface on hosted cluster nodes. -This must be 100 bytes smaller than the uplink MTU. -When unset, the cluster-network-operator will determine the MTU automatically -based on the infrastructure (e.g., for commercial AWS regions, it defaults -to 8901 based on the 9001 uplink MTU minus 100 bytes overhead). -Some non-commercial AWS regions do not support 9001 uplink MTU, -requiring this field to be explicitly set to a lower value. -The maximum is 9216, which is the standard jumbo frame upper limit -supported by datacenter and cloud network interfaces. -The minimum is 576, which is the minimum IPv4 MTU per RFC 791. -This field is immutable once set.
-
PlacementOptions specifies the placement options for the EC2 instances.
-The instance market type is determined by the marketType field: -- “OnDemand” (default): Standard on-demand instances -- “Spot”: Spot instances using spare EC2 capacity at reduced prices -- “CapacityBlocks”: Scheduled pre-purchased compute capacity for ML workloads
-marketType
-
-
-MarketType
-
-
- |
-
-(Optional)
- marketType specifies the EC2 instance purchasing model. -Supported values are “OnDemand” for standard on-demand instances, -“Spot” for spot instances that use spare EC2 capacity at reduced prices -but may be interrupted (optionally accepts spot options and requires -terminationHandlerQueueURL on the HostedCluster), and “CapacityBlocks” for scheduled pre-purchased -compute capacity recommended for GPU/ML workloads (requires -capacityReservation with a specific reservation ID). -When omitted, the default is “OnDemand”. - |
-||||||||||
-spot,omitzero
-
-
-SpotOptions
-
-
- |
-
-(Optional)
- spot configures optional Spot instance overrides. -When omitted, Spot instances use AWS defaults. -Spot instances use spare EC2 capacity at reduced prices but may be interrupted -with a 2-minute warning. Requires terminationHandlerQueueURL to be set on the -HostedCluster’s AWS platform spec for graceful handling of interruptions. - |
-||||||||||
capacityReservation
@@ -14210,7 +12023,6 @@ CapacityReservationOptions
capacityReservation specifies Capacity Reservation options for the NodePool instances. Cannot be specified when tenancy is set to “host” as Dedicated Hosts do not support Capacity Reservations. Compatible with “default” and “dedicated” tenancy. -Required when marketType is “CapacityBlocks”. |
"Karpenter" |
-ProvisionerKarpenter indicates that Karpenter is used for automatic node provisioning. - |
+
-
ProvisionerConfig specifies the provisioner used for automatic node management -and its associated configuration.
+ProvisionerConfig is a enum specifying the strategy for auto managing Nodes.
|
- name specifies the name of the provisioner to use for automatic node management. +name specifies the name of the provisioner to use. |
-(Appears on: -HCPEtcdBackupAzureBlob, -HCPEtcdBackupS3) -
--
SecretReference contains a reference to a Secret by name. -The Secret must exist in the same namespace as the referencing resource.
- -| Field | -Description | -
|---|---|
-name
-
-string
-
- |
-
- name is the name of the Secret. It must be a valid DNS-1123 subdomain: at most -253 characters, consisting of lowercase alphanumeric characters, hyphens, and periods. -Each period-separated segment must start and end with an alphanumeric character. - |
-
(Appears on: @@ -15964,44 +13741,6 @@ ServicePublishingStrategy
ServiceType defines what control plane services can be exposed from the management control plane.
-###SpotOptions { #hypershift.openshift.io/v1beta1.SpotOptions } --(Appears on: -PlacementOptions) -
--
SpotOptions configures options for Spot instances.
-Spot instances use spare EC2 capacity at reduced prices but may be interrupted -with a 2-minute warning when EC2 needs the capacity back.
- -| Field | -Description | -
|---|---|
-maxPrice
-
-string
-
- |
-
-(Optional)
- maxPrice defines the maximum price the user is willing to pay for Spot instances. -If not specified, the on-demand price is used as the maximum (you pay the actual spot price). -The value should be a decimal number representing the price per hour in USD. -For example, “0.50” means 50 cents per hour. -Note: AWS recommends NOT setting maxPrice to reduce interruption frequency. -When omitted, you pay the current Spot price (capped at On-Demand price). -AWS minimum allowed value is $0.001. - |
-
(Appears on:
From c6b3ea9a538ee5180cd8f580658ebca39cf36fd6 Mon Sep 17 00:00:00 2001
From: OpenShift CI Bot
Weekly Friday 12:00 UTC] --> B[Setup Step]
+ B --> C[Process Step]
+ C --> D[Report Step]
+
+ subgraph "Process Step"
+ C --> E[Generate GitHub App Tokens]
+ E --> F[Clone Fork
hypershift-community/hypershift]
+ F --> G[Query Open Dependabot PRs]
+ G --> H{PRs Found?}
+ H -->|No| I[Exit Successfully]
+ H -->|Yes| J[Filter Out k8s.io Bumps]
+ J --> K[For Each PR]
+ K --> L[Cherry-pick + Validate
make verify & make test]
+ L --> M{Passed?}
+ M -->|Yes| N[Keep on Branch]
+ M -->|No| O[Reset & Skip]
+ N --> P{More PRs?}
+ O --> P
+ P -->|Yes| K
+ P -->|No| Q[Reorganize Commits
Deterministic Bash]
+ Q --> R[Final Validation
make verify & make test]
+ R --> S[Create PR]
+ end
+ end
+
+ subgraph "External Systems"
+ G <--> GH[(GitHub API
github.com)]
+ L <--> CLAUDE[Claude API
via Vertex AI]
+ S <--> FORK[(GitHub Fork
hypershift-community)]
+ S <--> UPSTREAM[(GitHub Upstream
openshift/hypershift)]
+ end
+```
+
+### Configuration
+
+| Setting | Value | Description |
+|---------|-------|-------------|
+| Schedule | `0 12 * * 5` | Fridays at 12:00 UTC (7:00 AM ET) |
+| Process timeout | 2 hours | Maximum time for the process step |
+| Max Claude turns | 100 | Maximum agentic turns per run |
+| Excluded deps | `k8s.io`, `sigs.k8s.io` | Dependencies managed via manual Kubernetes rebases |
+
+### What Gets Excluded
+
+Dependabot PRs bumping the following module prefixes are **automatically skipped**:
+
+- `k8s.io/*` - Core Kubernetes libraries
+- `sigs.k8s.io/*` - Kubernetes SIG libraries
+
+These dependencies are updated manually as part of coordinated Kubernetes version rebases to ensure compatibility across the full dependency tree.
+
+---
+
## User Guide
### Submitting Issues for Processing
@@ -10824,9 +11534,10 @@ The issue will be picked up on the next weekly run (Mondays at 8:30 AM UTC).
### Viewing AI-Generated Output
-Track PRs created by the Jira Agent:
+Track PRs created by the AI agents:
-- **PR List**: github.com/openshift/hypershift/pulls?q=is:pr+author:app/hypershift-jira-solve-ci
+- **Jira Agent PRs**: github.com/openshift/hypershift/pulls?q=is:pr+author:app/hypershift-jira-solve-ci
+- **Dependabot Triage PRs**: github.com/openshift/hypershift/pulls?q=is:pr+head:fix/weekly-dependabot-consolidation
PRs are created as **drafts** and require human review before merging.
@@ -10853,7 +11564,7 @@ This runs the review agent for that specific PR only.
- **AI may produce incorrect or incomplete solutions** - always review carefully
- **Complex issues may not be fully addressed** - multi-faceted problems may need human intervention
-- **Rate limited**: 1 issue per weekly run (jira-agent), 10 PRs per run (review-agent)
+- **Rate limited**: 1 issue per weekly run (jira-agent), 10 PRs per run (review-agent), all non-k8s dependabot PRs per run (dependabot-triage)
- **Cannot access private resources** - no access to internal systems beyond Jira/GitHub
- **Cannot execute destructive operations** - no ability to delete resources or force-push
- **Maximum agentic turns**: 100 per issue (jira-agent), 100 per PR (review-agent)
@@ -11122,6 +11833,104 @@ Understanding the CI infrastructure helps when:
- CI Dashboard
+---
+
+## Source: docs/content/how-to/ci/docs-preview.md
+
+# Documentation Preview
+
+When a pull request modifies files under `docs/`, a GitHub Actions workflow automatically builds the documentation and deploys a preview to Cloudflare Pages.
+
+## How It Works
+
+The workflow uses `pull_request_target` with two jobs to securely handle fork PRs:
+
+1. **Build** — checks out the PR code and builds the docs with MkDocs in strict mode. This job has no access to secrets.
+2. **Deploy** — downloads the built artifact and deploys it to Cloudflare Pages. This job has access to the `docs-preview` environment secrets but never executes PR code.
+
+GitHub shows a **View deployment** link in the PR timeline via the `docs-preview` environment.
+
+The preview is available at `https://pr-
-
CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
+AzurePrivateLinkService represents Azure Private Link Service infrastructure +for private connectivity to hosted cluster API servers.
CertificateSigningRequestApproval |
+AzurePrivateLinkService |
| @@ -29995,49 +31079,43 @@ Kubernetes meta/v1.ObjectMeta |
(Optional)
- metadata is standard object metadata. +metadata is the metadata for the AzurePrivateLinkService. Refer to the Kubernetes API documentation for the fields of themetadata field.
|
-spec
+spec,omitzero
-
-CertificateSigningRequestApprovalSpec
+
+AzurePrivateLinkServiceSpec
|
-(Optional)
- spec is the specification of the desired behavior of the CertificateSigningRequestApproval. -- - spec is the specification for the AzurePrivateLinkService. |
-status
+status,omitzero
-
-CertificateSigningRequestApprovalStatus
+
+AzurePrivateLinkServiceStatus
|
(Optional)
- status is the most recently observed status of the CertificateSigningRequestApproval. +status is the status of the AzurePrivateLinkService. |
-
GCPPrivateServiceConnect represents GCP Private Service Connect infrastructure. -This resource is feature-gated behind the GCPPlatform feature gate.
+CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
GCPPrivateServiceConnect |
+CertificateSigningRequestApproval |
||||||||||
| @@ -30075,7 +31153,7 @@ Kubernetes meta/v1.ObjectMeta |
(Optional)
- metadata is the metadata for the GCPPrivateServiceConnect. +metadata is standard object metadata. Refer to the Kubernetes API documentation for the fields of themetadata field.
|
@@ -30084,68 +31162,17 @@ Refer to the Kubernetes API documentation for the fields of the
spec
-
-GCPPrivateServiceConnectSpec
+
+CertificateSigningRequestApprovalSpec
|
(Optional)
- spec is the specification for the GCPPrivateServiceConnect. +spec is the specification of the desired behavior of the CertificateSigningRequestApproval.
|
status
-
-GCPPrivateServiceConnectStatus
+
+CertificateSigningRequestApprovalStatus
|
(Optional)
- status is the status of the GCPPrivateServiceConnect. +status is the most recently observed status of the CertificateSigningRequestApproval. |
-
HostedCluster is the primary representation of a HyperShift cluster and encapsulates -the control plane and common data plane configuration. Creating a HostedCluster -results in a fully functional OpenShift control plane with no attached nodes. -To support workloads (e.g. pods), a HostedCluster may have one or more associated -NodePool resources.
+GCPPrivateServiceConnect represents GCP Private Service Connect infrastructure. +This resource is feature-gated behind the GCPPlatform feature gate.
+ +| Field | +Description | +||||||||
|---|---|---|---|---|---|---|---|---|---|
+apiVersion
+string |
+
+
+hypershift.openshift.io/v1beta1
+
+ |
+||||||||
+kind
+string
+ |
+GCPPrivateServiceConnect |
+||||||||
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+(Optional)
+ metadata is the metadata for the GCPPrivateServiceConnect. +Refer to the Kubernetes API documentation for the fields of the +metadata field.
+ |
+||||||||
+spec
+
+
+GCPPrivateServiceConnectSpec
+
+
+ |
+
+(Optional)
+ spec is the specification for the GCPPrivateServiceConnect. ++ +
|
+||||||||
+status
+
+
+GCPPrivateServiceConnectStatus
+
+
+ |
+
+(Optional)
+ status is the status of the GCPPrivateServiceConnect. + |
+
+
HCPEtcdBackup represents a request to back up etcd for a hosted control plane. +This resource is feature-gated behind the HCPEtcdBackup feature gate.
+ +| Field | +Description | +
|---|---|
+apiVersion
+string |
+
+
+hypershift.openshift.io/v1beta1
+
+ |
+
+kind
+string
+ |
+HCPEtcdBackup |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+(Optional)
+ metadata is the metadata for the HCPEtcdBackup. +Refer to the Kubernetes API documentation for the fields of the +metadata field.
+ |
+
+spec,omitzero
+
+
+HCPEtcdBackupSpec
+
+
+ |
+
+ spec is the specification for the HCPEtcdBackup. + |
+
+status,omitzero
+
+
+HCPEtcdBackupStatus
+
+
+ |
+
+(Optional)
+ status is the status of the HCPEtcdBackup. + |
+
+
HostedCluster is the primary representation of a HyperShift cluster and encapsulates +the control plane and common data plane configuration. Creating a HostedCluster +results in a fully functional OpenShift control plane with no attached nodes. +To support workloads (e.g. pods), a HostedCluster may have one or more associated +NodePool resources.
|
(Optional)
- autoNode specifies the configuration for the autoNode feature. +autoNode specifies the configuration for automatic node provisioning and lifecycle management. +When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads. |
|
+terminationHandlerQueueURL
+
+string
+
+ |
+
+(Optional)
+ terminationHandlerQueueURL specifies the SQS queue URL for EC2 spot interruption events. +This is required when using spot instances (marketType: Spot) in NodePools to enable +graceful handling of spot instance terminations. +The queue should be configured to receive EC2 Spot Instance Interruption Warnings +and EC2 Instance Rebalance Recommendations via EventBridge rules. +The AWS Node Termination Handler will poll this queue and cordon/drain nodes +before they are terminated, providing a best effort for graceful shutdown. +Supports both standard and FIFO queues (FIFO queues end with .fifo suffix). + |
+
-
We expose here internal configuration knobs that won’t be exposed to the service.
+AutoNode specifies the configuration for automatic node provisioning and lifecycle management.
-provisionerConfig
+provisionerConfig,omitzero
ProvisionerConfig
@@ -32801,7 +34060,52 @@ ProvisionerConfig
|
- provisionerConfig is the implementation used for Node auto provisioning. +provisionerConfig specifies the provisioner used for automatic node management. + |
+
+(Appears on: +HostedClusterStatus, +HostedControlPlaneStatus) +
++
AutoNodeStatus contains the observed state of the AutoNode provisioner.
+ +| Field | +Description | +
|---|---|
+nodeCount
+
+int32
+
+ |
+
+(Optional)
+ nodeCount is the number of nodes fully provisioned by Karpenter. +These are node objects that exist in the cluster and carry the karpenter.sh/nodepool label. + |
+
+nodeClaimCount
+
+int32
+
+ |
+
+(Optional)
+ nodeClaimCount is the total number of NodeClaims managed by Karpenter. +This represents what Karpenter intends to provision, whether or not the node object exists yet. |
-(Appears on: -AzureAuthenticationConfiguration) -
--
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components -that authenticate with Azure’s API.
- -| Field | -Description | -
|---|---|
-controlPlane
+topology
-
-ControlPlaneManagedIdentities
+
+AzureTopologyType
|
- controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to -authenticate with Azure’s API. +(Optional) +topology specifies the network topology of the API server endpoint for the hosted cluster. +- Public: The API server is accessible only via a public endpoint. +- PublicAndPrivate: The API server is accessible via both public and private endpoints. +- Private: The API server is accessible only via a private endpoint. +When omitted, this means no opinion and the platform is left to choose a reasonable +default, which is subject to change over time. The current default is Public. +This field must be set explicitly for self-hosted environments (WorkloadIdentities). +Transitions between PublicAndPrivate and Private are allowed after creation. +Transitions from Public to non-Public (or vice versa) are not allowed. +When set to Private or PublicAndPrivate, the private field must be provided. |
-dataPlane
+private,omitzero
-
-DataPlaneManagedIdentities
+
+AzurePrivateSpec
|
- dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with -Azure’s API. +(Optional) +private configures private connectivity to the hosted cluster’s API server. +This field is required when topology is Private or PublicAndPrivate, and must +not be set when topology is Public. +Once set at cluster creation, this field cannot be removed, and it cannot be +added to an existing cluster that was created without it. |
(Appears on: -AzureNodePoolPlatform) +AzurePrivateLinkService)
-
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
+AzurePrivateLinkServiceSpec defines the desired state of AzurePrivateLinkService
-type
+loadBalancerIP
-
-AzureVMImageType
+string
+
+ |
+
+(Optional)
+ loadBalancerIP is the frontend IP address of the internal load balancer that +fronts the hosted control plane’s API server. This field is populated automatically +by the control plane operator from the kube-apiserver service status. +It is not set by users directly. +When set, the value must be a valid IPv4 or IPv6 address. + |
+
+subscriptionID
+
+
+AzureSubscriptionID
|
- type is the type of image data that will be provided to the Azure VM. -Valid values are “ImageID” and “AzureMarketplace”. -ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. -AzureMarketplace means the VM will boot from an Azure Marketplace image. -Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. -When Type is “AzureMarketplace”, you can either: -1. Specify only imageGeneration to use marketplace defaults from the release payload -2. Specify publisher, offer, sku, and version to use an explicit marketplace image -3. Specify all fields (imageGeneration along with publisher, offer, sku, version) +subscriptionID is the Azure subscription ID where the Private Link Service +resources will be created. Must be a valid UUID consisting of hexadecimal +characters and hyphens in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +where x is a hexadecimal digit 0-9a-f. |
-imageID
+resourceGroupName
string
|
-(Optional)
- imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. -TODO: What is the valid character set for this field? What about minimum and maximum lengths? +resourceGroupName is the name of the Azure resource group where the Private Link +Service resources will be created. Must be 1-90 characters consisting of +alphanumerics, underscores, hyphens, periods, and parentheses. Cannot end with a period. +See https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules |
-azureMarketplace
+location
-
-AzureMarketplaceImage
+string
+
+ |
+
+ location is the Azure region where the Private Link Service resources will be +created (e.g., “eastus”, “westeurope”, “centralus”). Must match the region +of the management cluster. + |
+
+natSubnetID
+
+
+AzureSubnetResourceID
|
(Optional)
- azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. +natSubnetID is the full Azure resource ID of the subnet used for Private Link Service +NAT IP allocation. This subnet must have privateLinkServiceNetworkPolicies disabled. +If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} |
-(Appears on: -AzureMarketplaceImage) -
--
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
- -| Value | -Description | +
+additionalAllowedSubscriptions
+
+
+[]AzureSubscriptionID
+
+
+ |
+
+(Optional)
+ additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs +permitted to create Private Endpoints to the Private Link Service. The guest cluster’s +own subscription (derived from guestSubnetID) is always automatically allowed, so it +does not need to be listed here. +Each entry must be a valid UUID of exactly 36 characters consisting of +lowercase hexadecimal characters and hyphens in the format +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx where x is a hexadecimal digit 0-9a-f. +A maximum of 50 subscriptions may be specified. + |
|---|---|---|---|
"Gen1" |
-Gen1 represents Hyper-V Generation 1 VMs + | ||
+guestSubnetID
+
+
+AzureSubnetResourceID
+
+
|
-|||
"Gen2" |
-Gen2 represents Hyper-V Generation 2 VMs + |
+ guestSubnetID is the full Azure resource ID of the subnet in the guest VNet where +the Private Endpoint will be created. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} |
-
-(Appears on: -AzureVMImage) -
--
AzureVMImageType is used to specify the source of the Azure VM boot image. -Valid values are ImageID and AzureMarketplace.
- -| Value | -Description | +
+guestVNetID
+
+
+AzureVNetResourceID
+
+
+ |
+
+ guestVNetID is the full Azure resource ID of the guest VNet for Private DNS zone linking. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName} + |
|---|---|---|---|
"AzureMarketplace" |
-AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. + | ||
+baseDomain
+
+string
+
|
-|||
"ImageID" |
-ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. + |
+(Optional)
+ baseDomain is the cluster’s base domain (e.g., “example.hypershift.azure.devcluster.openshift.com”).
+Used to create a Private DNS Zone so that worker VMs can resolve the API and OAuth
+hostnames (api- |
-
(Appears on: -AzureAuthenticationConfiguration) +AzurePrivateLinkService)
-
AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure -needing to authenticate with Azure’s API.
+AzurePrivateLinkServiceStatus defines the observed state of AzurePrivateLinkService
-imageRegistry
+conditions
-
-WorkloadIdentity
+
+[]Kubernetes meta/v1.Condition
|
- imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in -workload identity authentication. +(Optional) +conditions represent the current state of PLS infrastructure. +Current condition types are: “AzurePrivateLinkServiceAvailable”, “AzureInternalLoadBalancerAvailable”, +“AzurePLSCreated”, “AzurePrivateEndpointAvailable”, “AzurePrivateDNSAvailable” |
-ingress
+internalLoadBalancerID
-
-WorkloadIdentity
-
+string
|
- ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in -workload identity authentication. +(Optional) +internalLoadBalancerID is the Azure resource ID of the internal load balancer +fronting the hosted control plane. The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/loadBalancers/{loadBalancerName} +where subscriptionID is a UUID, resourceGroup is up to 90 characters, and +loadBalancerName is up to 80 characters. |
-file
+privateLinkServiceID
-
-WorkloadIdentity
-
+string
|
- file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, -used in workload identity authentication. +(Optional) +privateLinkServiceID is the Azure resource ID of the Private Link Service. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateLinkServices/{plsName} |
-disk
+privateLinkServiceAlias
-
-WorkloadIdentity
-
+string
|
- disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, -used in workload identity authentication. +(Optional) +privateLinkServiceAlias is the globally unique alias for the Private Link Service, +auto-generated by Azure in the format {plsName}.{guid}.{region}.azure.privatelinkservice. +MaxLength=170 covers: PLS name (80) + GUID (36) + region (19, e.g. “southcentralusstage”) |
-nodePoolManagement
+privateEndpointID
-
-WorkloadIdentity
-
+string
|
- nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used -in workload identity authentication. +(Optional) +privateEndpointID is the Azure resource ID of the Private Endpoint. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateEndpoints/{endpointName} |
-cloudProvider
+privateEndpointIP
-
-WorkloadIdentity
-
+string
|
- cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in -workload identity authentication. +(Optional) +privateEndpointIP is the private IP address assigned to the Private Endpoint. +Must be a valid IPv4 (e.g., “10.0.1.4”) or IPv6 address. |
-network
+privateDNSZoneID
-
-WorkloadIdentity
-
+string
|
- network is the client ID of a federated managed identity, associated with cluster-network-operator, used in -workload identity authentication. +(Optional) +privateDNSZoneID is the Azure resource ID of the Private DNS Zone. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} + |
+
+dnsZoneName
+
+string
+
+ |
+
+(Optional)
+ dnsZoneName is the Private DNS zone name (derived from the KAS hostname). +Persisted at creation time so that deletion does not depend on the +HostedControlPlane still existing. +Must be a valid DNS domain name consisting of alphanumeric characters, hyphens, +and periods, where each segment starts and ends with an alphanumeric character +(e.g., “api-mycluster.example.hypershift.azure.devcluster.openshift.com”). + |
+
+baseDomainDNSZoneID
+
+string
+
+ |
+
+(Optional)
+ baseDomainDNSZoneID is the Azure resource ID of the base domain Private DNS Zone. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} |
-(Appears on: -APIServerNetworking) -
--
-###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities } +###AzurePrivateLinkSpec { #hypershift.openshift.io/v1beta1.AzurePrivateLinkSpec }(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +AzurePrivateSpec)
-
capabilities allows enabling or disabling optional components at install time. -When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective -OpenShift version, minus the baremetal capability. -Once set, it cannot be changed.
+AzurePrivateLinkSpec configures Azure Private Link Service connectivity.
-enabled
+natSubnetID
-
-[]OptionalCapability
+
+AzureSubnetResourceID
|
(Optional)
- enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. +natSubnetID is the Azure resource ID of the subnet used for Private Link Service NAT IP allocation. +This subnet must have privateLinkServiceNetworkPolicies disabled. +If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} +The maximum length is 355 characters. |
-disabled
+additionalAllowedSubscriptions
-
-[]OptionalCapability
+
+[]AzureSubscriptionID
|
(Optional)
- disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. -Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. +additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs +permitted to create Private Endpoints to the Private Link Service. The guest cluster’s +own subscription is always automatically allowed, so it does not need to be listed here. +Each item must be a valid UUID consisting of lowercase hexadecimal characters and hyphens, +in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +(e.g., “550e8400-e29b-41d4-a716-446655440000”). A maximum of 50 subscriptions may be specified. |
(Appears on: -PlacementOptions) +AzurePlatformSpec)
-
CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
+AzurePrivateSpec configures private connectivity to an Azure hosted cluster’s API server. +It is a discriminated union keyed on the type field, which selects the private connectivity +mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may +be added in the future.
-id
+type
-string
+
+AzurePrivateType
+
|
-(Optional)
- id specifies the target Capacity Reservation into which the EC2 instances should be launched. -Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 -When empty, no specific Capacity Reservation is targeted. -When specified, preference cannot be set to ‘None’ or ‘Open’ as these -are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ -or omit preference field when targeting a specific reservation. +type specifies the private connectivity mechanism used for the hosted cluster’s API server. +“PrivateLink” selects Azure Private Link Service for private API server access. +This field is immutable once set. + |
+
+privateLink,omitzero
+
+
+AzurePrivateLinkSpec
+
+
+ |
+
+(Optional)
+ privateLink configures Azure Private Link Service for private API server access. +This field is required when type is “PrivateLink” and must not be set otherwise. + |
+
+(Appears on: +AzurePrivateSpec) +
++
AzurePrivateType specifies the type of private connectivity mechanism used for the Azure +hosted cluster’s API server. This acts as the discriminator for the AzurePrivateSpec union.
+ +| Value | +Description | +
|---|---|
"PrivateLink" |
+AzurePrivateTypePrivateLink specifies private connectivity using Azure Private Link Service. +In this mode, the operator creates a Private Link Service backed by the management cluster’s +internal load balancer, and a Private Endpoint in the guest VNet for private API server access. + |
+
+(Appears on: +AzureAuthenticationConfiguration) +
++
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components +that authenticate with Azure’s API.
+ +| Field | +Description | +
|---|---|
+controlPlane
+
+
+ControlPlaneManagedIdentities
+
+
+ |
+
+ controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to +authenticate with Azure’s API. + |
+
+dataPlane
+
+
+DataPlaneManagedIdentities
+
+
+ |
+
+ dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with +Azure’s API. + |
+
+(Appears on: +AzurePrivateLinkServiceSpec, +AzurePrivateLinkSpec) +
++
AzureSubnetResourceID is a full Azure resource ID for a subnet. +The expected format is:
+/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
+
+
+###AzureSubscriptionID { #hypershift.openshift.io/v1beta1.AzureSubscriptionID }
++(Appears on: +AzurePrivateLinkServiceSpec, +AzurePrivateLinkSpec) +
++
AzureSubscriptionID is an Azure subscription ID in UUID format. +Must be exactly 36 characters consisting of hexadecimal digits [0-9a-fA-F] and hyphens +in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (e.g., “550e8400-e29b-41d4-a716-446655440000”).
+ +###AzureTopologyType { #hypershift.openshift.io/v1beta1.AzureTopologyType } ++(Appears on: +AzurePlatformSpec) +
++
AzureTopologyType specifies the network topology of the Azure API server endpoint.
+ +| Value | +Description | +
|---|---|
"Private" |
+AzureTopologyPrivate indicates the API server is accessible only via a private endpoint. + |
+
"Public" |
+AzureTopologyPublic indicates the API server is accessible only via a public endpoint. + |
+
"PublicAndPrivate" |
+AzureTopologyPublicAndPrivate indicates the API server is accessible via both public and private endpoints. + |
+
+(Appears on: +AzureNodePoolPlatform) +
++
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
+ +| Field | +Description | +
|---|---|
+type
+
+
+AzureVMImageType
+
+
+ |
+
+ type is the type of image data that will be provided to the Azure VM. +Valid values are “ImageID” and “AzureMarketplace”. +ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. +AzureMarketplace means the VM will boot from an Azure Marketplace image. +Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. +When Type is “AzureMarketplace”, you can either: +1. Specify only imageGeneration to use marketplace defaults from the release payload +2. Specify publisher, offer, sku, and version to use an explicit marketplace image +3. Specify all fields (imageGeneration along with publisher, offer, sku, version) + |
+
+imageID
+
+string
+
+ |
+
+(Optional)
+ imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. +TODO: What is the valid character set for this field? What about minimum and maximum lengths? + |
+
+azureMarketplace
+
+
+AzureMarketplaceImage
+
+
+ |
+
+(Optional)
+ azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. + |
+
+(Appears on: +AzureMarketplaceImage) +
++
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
+ +| Value | +Description | +
|---|---|
"Gen1" |
+Gen1 represents Hyper-V Generation 1 VMs + |
+
"Gen2" |
+Gen2 represents Hyper-V Generation 2 VMs + |
+
+(Appears on: +AzureVMImage) +
++
AzureVMImageType is used to specify the source of the Azure VM boot image. +Valid values are ImageID and AzureMarketplace.
+ +| Value | +Description | +
|---|---|
"AzureMarketplace" |
+AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. + |
+
"ImageID" |
+ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. + |
+
+(Appears on: +AzurePrivateLinkServiceSpec) +
++
AzureVNetResourceID is a full Azure resource ID for a virtual network. +The expected format is:
+/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}
+
+
+###AzureWorkloadIdentities { #hypershift.openshift.io/v1beta1.AzureWorkloadIdentities }
++(Appears on: +AzureAuthenticationConfiguration) +
++
AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure +needing to authenticate with Azure’s API.
+ +| Field | +Description | +
|---|---|
+imageRegistry
+
+
+WorkloadIdentity
+
+
+ |
+
+ imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in +workload identity authentication. + |
+
+ingress
+
+
+WorkloadIdentity
+
+
+ |
+
+ ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in +workload identity authentication. + |
+
+file
+
+
+WorkloadIdentity
+
+
+ |
+
+ file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, +used in workload identity authentication. + |
+
+disk
+
+
+WorkloadIdentity
+
+
+ |
+
+ disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, +used in workload identity authentication. + |
+
+nodePoolManagement
+
+
+WorkloadIdentity
+
+
+ |
+
+ nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used +in workload identity authentication. + |
+
+cloudProvider
+
+
+WorkloadIdentity
+
+
+ |
+
+ cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in +workload identity authentication. + |
+
+network
+
+
+WorkloadIdentity
+
+
+ |
+
+ network is the client ID of a federated managed identity, associated with cluster-network-operator, used in +workload identity authentication. + |
+
+controlPlaneOperator,omitzero
+
+
+WorkloadIdentity
+
+
+ |
+
+(Optional)
+ controlPlaneOperator is the client ID of a federated managed identity, associated with control-plane-operator, +used in workload identity authentication for Azure Private Link Service operations. + |
+
+(Appears on: +APIServerNetworking) +
++
+###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities } ++(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
capabilities allows enabling or disabling optional components at install time. +When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective +OpenShift version, minus the baremetal capability. +Once set, it cannot be changed.
+ +| Field | +Description | +
|---|---|
+enabled
+
+
+[]OptionalCapability
+
+
+ |
+
+(Optional)
+ enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. + |
+
+disabled
+
+
+[]OptionalCapability
+
+
+ |
+
+(Optional)
+ disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. +Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. + |
+
+(Appears on: +PlacementOptions) +
++
CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
+ +| Field | +Description | +
|---|---|
+id
+
+string
+
+ |
+
+(Optional)
+ id specifies the target Capacity Reservation into which the EC2 instances should be launched. +Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 +When empty, no specific Capacity Reservation is targeted. +When specified, preference cannot be set to ‘None’ or ‘Open’ as these +are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ +or omit preference field when targeting a specific reservation. |
|
(Optional)
- marketType specifies the market type of the CapacityReservation for the EC2 instances. Valid values are OnDemand, CapacityBlocks and omitted: + marketType specifies the market type of the CapacityReservation for the EC2 instances. +Deprecated: Use placement.marketType instead. This field is maintained for backward compatibility. +When both placement.marketType and capacityReservation.marketType are set, placement.marketType takes precedence. +Valid values are OnDemand, CapacityBlocks and omitted: - “OnDemand”: EC2 instances run as standard On-Demand instances. -- “CapacityBlocks”: scheduled pre-purchased compute capacity. Capacity Blocks is recommended when GPUs are needed to support ML workloads. -When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. -The current default value is CapacityBlocks. +- “CapacityBlocks”: scheduled pre-purchased compute capacity. Recommended for GPU/ML workloads.When set to ‘CapacityBlocks’, a specific Capacity Reservation ID must be provided. |
|
"AutoNodeEnabled" |
+AutoNodeEnabled indicates whether AutoNode is configured and operational for this HostedCluster. +True means AutoNode is configured in the HostedCluster spec and the Karpenter components are fully rolled out and ready. +False / AutoNodeProgressing means AutoNode is being enabled or disabled — the operation is in progress. +False / AutoNodeNotConfigured means AutoNode is not configured in the spec and all Karpenter components have been removed. + |
+
"AzureInternalLoadBalancerAvailable" |
+AzureInternalLoadBalancerAvailable indicates the ILB has been provisioned with a frontend IP + |
+
"AzurePLSCreated" |
+AzurePLSCreated indicates the Azure Private Link Service has been created in the management cluster resource group + |
+
"AzurePrivateDNSAvailable" |
+AzurePrivateDNSAvailable indicates the Private DNS zone and A records have been created + |
+
"AzurePrivateEndpointAvailable" |
+AzurePrivateEndpointAvailable indicates the Private Endpoint has been created in the guest VNet + |
+
"AzurePrivateLinkServiceAvailable" |
+AzurePrivateLinkServiceAvailable indicates overall PLS infrastructure availability + |
+
"BackupCompleted" |
+BackupCompleted indicates whether the etcd backup has completed. + |
"CVOScaledDown" |
|
"CloudResourcesDestroyed" |
@@ -34941,6 +36830,18 @@ underlying cluster’s ClusterVersion.
|
"RolloutComplete" |
ControlPlaneComponentRolloutComplete indicates whether the ControlPlaneComponent has completed its rollout. |
+
"ControlPlaneConnectionAvailable" |
+ControlPlaneConnectionAvailable indicates whether data plane workloads have a successful +network connection to the control plane components. This condition is computed using +a 3-replica Deployment that tests the full data path (DNS resolution of kubernetes.default.svc +-> advertise address on lo -> apiserver proxy -> KAS on HCP) and reports results to a shared +ConfigMap. The HCCO evaluates the staleness of the lastSucceeded timestamp in the ConfigMap. +True means the data plane can successfully reach the control plane (a recent successful check was recorded). +False means there are connectivity failures preventing the data plane from reaching the control plane, +or the last successful check is stale (older than 5 minutes). +Unknown means the status cannot be determined due to true inability to inspect (e.g., no worker nodes exist or inspection cannot be performed), +not due to missing required components. + |
"DataPlaneConnectionAvailable" |
DataPlaneConnectionAvailable indicates whether the control plane has a successful network connection to the data plane components. @@ -34948,7 +36849,8 @@ network connection to the data plane components. False means there are network connection issues preventing the control plane from reaching the data plane. A failure here suggests potential issues such as: network policy restrictions, firewall rules, missing data plane nodes, or problems with infrastructure -components like the konnectivity-agent workload. +components like the konnectivity-agent workload. +Unknown means the status cannot be determined (e.g., no worker nodes available or unable to inspect). |
"EtcdAvailable" |
EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. @@ -35450,6 +37352,156 @@ ManagedIdentity |
+(Appears on: +ControlPlaneVersionStatus) +
++
ControlPlaneUpdateHistory is a record of a single version transition for management-side +control plane components. Each entry captures the target version, its release image, when +the rollout started, and when (or whether) it completed.
+ +| Field | +Description | +
|---|---|
+state
+
+
+github.com/openshift/api/config/v1.UpdateState
+
+
+ |
+
+ state reflects whether the update was fully applied. The Partial state +indicates the update is not fully applied, while the Completed state +indicates the update was successfully rolled out. + |
+
+startedTime,omitempty,omitzero
+
+
+Kubernetes meta/v1.Time
+
+
+ |
+
+ startedTime is the time at which the update was started. + |
+
+completionTime,omitempty,omitzero
+
+
+Kubernetes meta/v1.Time
+
+
+ |
+
+(Optional)
+ completionTime is the time at which the update completed. It is set +when all management-side components have reached the target version. +It is not set while the update is in progress. + |
+
+version
+
+string
+
+ |
+
+ version is a semantic version string identifying the update version +(e.g. “4.20.1”). + |
+
+image
+
+string
+
+ |
+
+ image is the release image pullspec used for this update. + |
+
+(Appears on: +HostedClusterStatus, +HostedControlPlaneStatus) +
++
ControlPlaneVersionStatus tracks the rollout state of management-side control plane components. +It records the desired release, a pruned history of version transitions (newest first), and +the last observed generation of the HostedControlPlane spec.
+ +| Field | +Description | +
|---|---|
+desired,omitempty,omitzero
+
+
+github.com/openshift/api/config/v1.Release
+
+
+ |
+
+ desired is the release version that the control plane is reconciling towards. +It is derived from the HostedControlPlane release image fields. + |
+
+history
+
+
+[]ControlPlaneUpdateHistory
+
+
+ |
+
+(Optional)
+ history contains a list of versions applied to management-side control plane components. The newest entry is +first in the list. Entries have state Completed when all ControlPlaneComponent resources report the target +version with RolloutComplete=True. Entries have state Partial when the rollout is in progress or has failed. + |
+
+observedGeneration,omitempty,omitzero
+
+int64
+
+ |
+
+(Optional)
+ observedGeneration reports which generation of the HostedControlPlane spec is being synced. + |
+
(Appears on: @@ -35510,6 +37562,11 @@ string
publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. Once set, this value is immutable.
+On Azure, this is a full Azure resource ID for a DNS Zone in the format: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/dnsZones/{zoneName} +The maximum length of 258 is derived from Azure resource naming limits +(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): +/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90)
privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. Once set, this value is immutable.
+On Azure, this is a full Azure resource ID for a Private DNS Zone in the format: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} +The maximum length of 265 is derived from Azure resource naming limits +(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): +/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90)
encryptionKey
+encryptionKey,omitzero
GCPDiskEncryptionKey
@@ -36075,7 +38137,7 @@ private node communication with the control plane via Private Service Connect.
network
+network,omitzero
GCPResourceReference
@@ -36088,7 +38150,7 @@ GCPResourceReference
privateServiceConnectSubnet
+privateServiceConnectSubnet,omitzero
GCPResourceReference
@@ -36153,7 +38215,9 @@ See https://cloud.
subnet
-string
+
+GCPResourceName
+
networkTags
-[]string
+
+[]GCPResourceName
+
onHostMaintenance
-string
+
+GCPOnHostMaintenance
+
email
-string
+
+GCPServiceAccountEmail
+
+(Appears on: +GCPNodePoolPlatform) +
+
GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
|
- region is the GCP region in which the cluster resides.
-Must be in the form of region is the GCP region in which the cluster resides (e.g., us-central1, europe-west2).
+Must start with lowercase letters, contain exactly one hyphen, and end with digits.
For a full list of valid regions, see: https://cloud.google.com/compute/docs/regions-zones. |
|||
-networkConfig
+networkConfig,omitzero
GCPNetworkConfig
@@ -36508,7 +38579,9 @@ This value must be a valid IPv4 or IPv6 address.
|
forwardingRuleName
-string
+
+GCPResourceName
+
@@ -36525,15 +38598,19 @@ Populated by the reconciler via GCP API lookup
|
- |
consumerAcceptList specifies which customer projects can connect -Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”) +consumerAcceptList specifies which customer projects can connect. +Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”). +A maximum of 50 entries are allowed. +See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project ID and number formats. |
natSubnet
-string
+
+GCPResourceName
+
|
@@ -36596,8 +38673,9 @@ string |
(Optional)
- serviceAttachmentURI is the URI customers use to connect -Format: projects/{project}/regions/{region}/serviceAttachments/{name} +serviceAttachmentURI is the URI customers use to connect. +Format: projects/{project}/regions/{region}/serviceAttachments/{name} +See https://cloud.google.com/vpc/docs/configure-private-service-connect-producer for service attachment details. |
|
|
-(Optional)
value is the value part of the label. A label value can have a maximum of 63 characters. Empty values are allowed by GCP. If non-empty, it must start with a lowercase letter, contain only lowercase letters, digits, underscores, or hyphens, and end with a lowercase letter or digit. @@ -36718,6 +38795,19 @@ See https://c |
+(Appears on: +GCPNodePoolPlatform, +GCPPrivateServiceConnectSpec, +GCPResourceReference) +
++
GCPResourceName is the name of a GCP resource following RFC 1035 naming conventions. +Must start with a lowercase letter, contain only lowercase letters, digits, and hyphens, +must not end with a hyphen, and be 1-63 characters long. +See https://cloud.google.com/compute/docs/naming-resources for details.
+ ###GCPResourceReference { #hypershift.openshift.io/v1beta1.GCPResourceReference }(Appears on: @@ -36740,7 +38830,9 @@ See https://google.aip.dev/122 for GCP
name
-string
+
+GCPResourceName
+
+(Appears on: +GCPNodeServiceAccount, +GCPServiceAccountsEmails) +
++
GCPServiceAccountEmail is the email address of a Google Service Account. +Format: service-account-name@project-id.iam.gserviceaccount.com +See https://cloud.google.com/iam/docs/service-accounts-create for service account naming rules.
+ ###GCPServiceAccountsEmails { #hypershift.openshift.io/v1beta1.GCPServiceAccountsEmails }(Appears on: @@ -36774,7 +38877,9 @@ Each service account should have the appropriate IAM permissions for its specifi
nodePool
-string
+
+GCPServiceAccountEmail
+
controlPlane
-string
+
+GCPServiceAccountEmail
+
cloudController
-string
+
+GCPServiceAccountEmail
+
storage
-string
+
+GCPServiceAccountEmail
+
hypershift infra create gcp w
the required service accounts with appropriate IAM roles and WIF bindings.
imageRegistry
+
+
+GCPServiceAccountEmail
+
+
+imageRegistry is the Google Service Account email for the Image Registry Operator +that manages GCS storage for the internal container image registry. +This GSA requires the following IAM roles: +- roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com
+This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of hypershift infra create gcp which creates
+the required service accounts with appropriate IAM roles and WIF bindings.
projectNumber is the numeric GCP project identifier for WIF configuration. This differs from the project ID and is required for workload identity pools. -Must be a numeric string representing the GCP project number.
+Must be a numeric string representing the GCP project number. +See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project number details.This is a user-provided value obtained from GCP (found in GCP Console or via gcloud projects describe PROJECT_ID).
Also available in the output of hypershift infra create gcp.
This is a user-provided value referencing a pre-created Workload Identity Pool.
Typically obtained from the output of hypershift infra create gcp which creates
the WIF infrastructure and generates appropriate pool IDs.
This is a user-provided value referencing a pre-created OIDC Provider within the WIF Pool.
Typically obtained from the output of hypershift infra create gcp.
(Appears on: -HostedCluster) +HCPEtcdBackupStorage)
+
HCPEtcdBackupAzureBlob defines the Azure Blob storage configuration for etcd backups.
-release
-
-
-Release
-
-
- |
-
- release specifies the desired OCP release payload for all the hosted cluster components. -This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc. -The maximum and minimum supported release versions are determined by the running Hypersfhit Operator. -Attempting to use an unsupported version will result in the HostedCluster being degraded and the validateReleaseImage condition being false. -Attempting to use a release with a skew against a NodePool release bigger than N-2 for the y-stream will result in leaving the NodePool in an unsupported state. -Changing this field will trigger a rollout of the control plane components. -The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. - |
-
-controlPlaneRelease
+container
-
-Release
-
+string
|
-(Optional)
- controlPlaneRelease is like spec.release but only for the components running on the management cluster. -This excludes any operand which will land in the hosted cluster data plane. -It is useful when you need to apply patch management side like a CVE, transparently for the hosted cluster. -Version input for this field is free, no validation is performed against spec.release or maximum and minimum is performed. -If defined, it will dicate the version of the components running management side, while spec.release will dictate the version of the components landing in the hosted cluster data plane. -If not defined, spec.release is used for both. -Changing this field will trigger a rollout of the control plane. -The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. +container is the name of the Azure Blob container where backups are stored. +Must be 3-63 characters, lowercase letters, numbers, and hyphens only. +Must start and end with a letter or number. Consecutive hyphens are not allowed. +See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#container-names |
-clusterID
+storageAccount
string
|
-(Optional)
- clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal digits). -As with a Kubernetes metadata.uid, this ID uniquely identifies this cluster in space and time. -This value identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. -If a value is not specified, a random clusterID will be generated and set by the controller. -Once set, this value is immutable. +storageAccount is the name of the Azure Storage Account. +Must be 3-24 characters, lowercase letters and numbers only. +See https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#storage-account-name |
-infraID
+keyPrefix
string
|
-(Optional)
- infraID is a globally unique identifier for the cluster. -It must consist of lowercase alphanumeric characters and hyphens (‘-’) only, and start and end with an alphanumeric character. -It must be no more than 253 characters in length. -This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. -infraID is used to compute and tag created resources with “kubernetes.io/cluster/”+hcluster.Spec.InfraID which has contractual meaning for the cloud provider implementations. -If a value is not specified, a random infraID will be generated and set by the controller. -Once set, this value is immutable. +keyPrefix is the blob name prefix for the backup file. +Must consist of valid blob name characters: alphanumeric characters, forward slashes, +hyphens, underscores, and periods. +See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#blob-names |
-updateService
+credentials,omitzero
-
-github.com/openshift/api/config/v1.URL
+
+SecretReference
|
-(Optional)
- updateService may be used to specify the preferred upstream update service. -If omitted we will use the appropriate update service for the cluster and region. -This is used by the control plane operator to determine and signal the appropriate available upgrades in the hostedCluster.status. +credentials references a Secret containing Azure credentials for uploading +to Blob Storage. The Secret must exist in the Hypershift Operator namespace. |
-channel
+encryptionKeyURL
string
|
(Optional)
- channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. -If omitted no particular upgrades are suggested. -TODO(alberto): Consider the backend to use the default channel by default. Default channel will contain stable updates that are appropriate for production clusters. +encryptionKeyURL is the URL of the Azure Key Vault key used for encryption.
+Must be a valid Azure Key Vault key URL in the format
+“https:// |
+(Appears on: +ManagedEtcdSpec) +
++
HCPEtcdBackupConfig defines the backup encryption configuration that is propagated +from the HostedCluster to the HostedControlPlane via ManagedEtcdSpec. +Exactly one platform-specific block must be specified, matching the platform discriminator.
+ +| Field | +Description | +
|---|---|
platform
-
-PlatformSpec
+
+HCPEtcdBackupConfigPlatform
|
- platform specifies the underlying infrastructure provider for the cluster -and is used to configure platform specific behavior. +platform specifies the cloud platform for backup encryption configuration. +Valid values are “AWS” for AWS KMS encryption and “Azure” for Azure Key Vault encryption. |
-kubeAPIServerDNSName
+aws,omitzero
-string
+
+HCPEtcdBackupConfigAWS
+
|
(Optional)
- kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS. -When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field. -If it’s set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted. -The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider. -This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable -access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates -for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates. -This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op. +aws contains AWS-specific backup encryption configuration. +Required when platform is “AWS”, and forbidden otherwise. |
-controllerAvailabilityPolicy
+azure,omitzero
-
-AvailabilityPolicy
+
+HCPEtcdBackupConfigAzure
|
(Optional)
- controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server. -Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable. -This field is immutable. +azure contains Azure-specific backup encryption configuration. +Required when platform is “Azure”, and forbidden otherwise. |
+(Appears on: +HCPEtcdBackupConfig) +
++
HCPEtcdBackupConfigAWS defines AWS-specific encryption settings for etcd backups.
+ +| Field | +Description | +
|---|---|
-infrastructureAvailabilityPolicy
+kmsKeyARN
-
-AvailabilityPolicy
-
+string
|
-(Optional)
- infrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on the hosted cluster data plane like the ingress controller and image registry controller. -Possible values are HighlyAvailable and SingleReplica. The default value is SingleReplica. +kmsKeyARN is the ARN of the AWS KMS key to use for encrypting etcd backup artifacts in S3.
+Must be a valid AWS KMS key ARN in the format
+“arn: |
+(Appears on: +HCPEtcdBackupConfig) +
++
HCPEtcdBackupConfigAzure defines Azure-specific encryption settings for etcd backups.
+ +| Field | +Description | +
|---|---|
-dns
+encryptionKeyURL
-
-DNSSpec
-
+string
|
-(Optional)
- dns specifies the DNS configuration for the hosted cluster ingress. +encryptionKeyURL is the URL of the Azure Key Vault key to use for encrypting etcd backup artifacts.
+Must be a valid Azure Key Vault key URL in the format
+“https:// |
+(Appears on: +HCPEtcdBackupConfig) +
++
HCPEtcdBackupConfigPlatform identifies the cloud platform for backup encryption configuration.
+ +
-networking
-
-
-ClusterNetworking
-
-
+ | Value | +Description | +
|---|---|---|
"AWS" |
+AWSBackupConfigPlatform indicates AWS KMS encryption for backup artifacts. |
-
- networking specifies network configuration for the hosted cluster. -Defaults to OVNKubernetes with a cluster network of cidr: “10.132.0.0/14” and a service network of cidr: “172.31.0.0/16”. + |
"Azure" |
+AzureBackupConfigPlatform indicates Azure Key Vault encryption for backup artifacts. |
+
+(Appears on: +HCPEtcdBackupStatus) +
++
HCPEtcdBackupEncryptionMetadata contains platform-specific metadata about the +encryption applied to the backup artifact in cloud storage. +The presence of a platform block indicates that encryption was applied.
+ +| Field | +Description |
|---|---|
-autoscaling
+aws,omitzero
-
-ClusterAutoscaling
+
+HCPEtcdBackupEncryptionMetadataAWS
|
(Optional)
- autoscaling specifies auto-scaling behavior that applies to all NodePools -associated with this HostedCluster. +aws contains AWS-specific encryption metadata for the backup. |
-autoNode
+azure,omitzero
-
-AutoNode
+
+HCPEtcdBackupEncryptionMetadataAzure
|
(Optional)
- autoNode specifies the configuration for the autoNode feature. +azure contains Azure-specific encryption metadata for the backup. |
+(Appears on: +HCPEtcdBackupEncryptionMetadata) +
++
HCPEtcdBackupEncryptionMetadataAWS contains AWS-specific encryption metadata. +The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
+ +| Field | +Description | +
|---|---|
-etcd
+kmsKeyARN
-
-EtcdSpec
-
+string
|
- etcd specifies configuration for the control plane etcd cluster. The -default managementType is Managed. Once set, the managementType cannot be -changed. +kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup in S3.
+Must be a valid AWS KMS key ARN in the format
+“arn: |
+(Appears on: +HCPEtcdBackupEncryptionMetadata) +
++
HCPEtcdBackupEncryptionMetadataAzure contains Azure-specific encryption metadata. +The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
+ +| Field | +Description | +
|---|---|
-services
+encryptionKeyURL
-
-[]ServicePublishingStrategyMapping
-
+string
|
- services specifies how individual control plane services endpoints are published for consumption. -This requires APIServer;OAuthServer;Konnectivity;Ignition. -This field is immutable for all platforms but IBMCloud. -Max is 6 to account for OIDC;OVNSbDb for backward compatibility though they are no-op. --kubebuilder:validation:XValidation:rule=“self.all(s, !(s.service == ‘APIServer’ && s.servicePublishingStrategy.type == ‘Route’) || has(s.servicePublishingStrategy.route.hostname))”,message=“If serviceType is ‘APIServer’ and publishing strategy is ‘Route’, then hostname must be set” --kubebuilder:validation:XValidation:rule=“self.platform.type == ‘IBMCloud’ ? [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’].all(requiredType, self.exists(s, s.service == requiredType))”,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, and ‘Konnectivity’ service types” : [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, ‘Ignition’].all(requiredType, self.exists(s, s.service == requiredType))“,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, and ‘Ignition’ service types” --kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘Route’ && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘Route’ && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)”,message=“Each route publishingStrategy ‘hostname’ must be unique within the Services list.” --kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘NodePort’ && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘NodePort’ && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)”,message=“Each nodePort publishingStrategy ‘nodePort’ and ‘hostname’ must be unique within the Services list.” -TODO(alberto): this breaks the cost budget for < 4.17. We should figure why and enable it back. And If not fixable, consider imposing a minimum version on the management cluster. +encryptionKeyURL is the URL of the Azure Key Vault key used for encryption of the backup.
+Must be a valid Azure Key Vault key URL in the format
+“https:// |
+(Appears on: +HCPEtcdBackupStorage) +
++
HCPEtcdBackupS3 defines the S3 storage configuration for etcd backups.
+ +| Field | +Description | +
|---|---|
-pullSecret
+bucket
-
-Kubernetes core/v1.LocalObjectReference
-
+string
|
- pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. -If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. -TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. -TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes. +bucket is the name of the S3 bucket where backups are stored. +Must be 3-63 characters, lowercase letters, numbers, hyphens, and periods only. +Must start and end with a letter or number. Consecutive periods are not allowed. +See https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html |
-sshKey
+region
-
-Kubernetes core/v1.LocalObjectReference
-
+string
|
-(Optional)
- sshKey is a local reference to a Secret that must have a “id_rsa.pub” key whose content must be the public part of 1..N SSH keys. -If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. -TODO(alberto): Signal this in a condition. -When sshKey is set, the controllers will generate a machineConfig with the sshAuthorizedKeys https://coreos.github.io/ignition/configuration-v3_2/ populated with this value. -This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. -Changing this value will trigger a rollout for all existing NodePools in the cluster. +region is the AWS region where the S3 bucket is located (e.g. “us-east-1”). +Must be a valid AWS region identifier: lowercase letters, digits, and hyphens. +Must start and end with an alphanumeric character, no consecutive hyphens. |
-issuerURL
+keyPrefix
string
|
-(Optional)
- issuerURL is an OIDC issuer URL which will be used as the issuer in all -ServiceAccount tokens generated by the control plane API server via –service-account-issuer kube api server flag. -https://k8s-docs.netlify.app/en/docs/reference/command-line-tools-reference/kube-apiserver/ -https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection -The default value is kubernetes.default.svc, which only works for in-cluster -validation. -If the platform is AWS and this value is set, the controller will update an s3 object with the appropriate OIDC documents (using the serviceAccountSigningKey info) into that issuerURL. -The expectation is for this s3 url to be backed by an OIDC provider in the AWS IAM. +keyPrefix is the S3 key prefix for the backup file. +Must consist of safe S3 object key characters: alphanumeric characters, +forward slashes, hyphens, underscores, periods, exclamation marks, +asterisks, single quotes, and parentheses. +See https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html |
-serviceAccountSigningKey
+credentials,omitzero
-
-Kubernetes core/v1.LocalObjectReference
+
+SecretReference
|
-(Optional)
- serviceAccountSigningKey is a local reference to a secret that must have a “key” key whose content must be the private key -used by the service account token issuer. -If not specified, a service account signing key will -be generated automatically for the cluster. -When specifying a service account signing key, an IssuerURL must also be specified. -If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. -TODO(alberto): Signal this in a condition. -For key rotation, the secret may optionally contain an “old-key.pub” key whose content is the PEM-encoded -public key of the previous signing key. When present, the kube-apiserver will accept tokens signed by -both the current and previous keys, allowing for graceful key rotation without invalidating existing tokens. +credentials references a Secret containing AWS credentials for uploading +to S3. The Secret must exist in the Hypershift Operator namespace and contain a +‘credentials’ key with a valid AWS credentials file. |
-configuration
+kmsKeyARN
-
-ClusterConfiguration
-
+string
|
(Optional)
- configuration specifies configuration for individual OCP components in the -cluster, represented as embedded resources that correspond to the openshift -configuration API. +kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup.
+Must be a valid AWS KMS key ARN in the format
+“arn: |
+(Appears on: +HCPEtcdBackup) +
++
HCPEtcdBackupSpec defines the desired state of HCPEtcdBackup. +HCPEtcdBackup is a one-shot backup request; the entire spec is immutable once created.
+ +| Field | +Description | +
|---|---|
-operatorConfiguration
+storage,omitzero
-
-OperatorConfiguration
+
+HCPEtcdBackupStorage
|
-(Optional)
- operatorConfiguration specifies configuration for individual OCP operators in the cluster. +storage defines the cloud storage backend where the etcd snapshot will be uploaded. |
+(Appears on: +HCPEtcdBackup) +
++
HCPEtcdBackupStatus defines the observed state of HCPEtcdBackup.
+ +| Field | +Description | +
|---|---|
+conditions
+
+
+[]Kubernetes meta/v1.Condition
+
+
+ |
+
+(Optional)
+ conditions contains details for the current state of the etcd backup. +The following condition types are expected: +- “BackupCompleted”: indicates whether the etcd backup has completed (True=success, False=failure). + |
+
+snapshotURL
+
+string
+
+ |
+
+(Optional)
+ snapshotURL is the URL of the completed backup snapshot in cloud storage. +Must be a valid URL with scheme https or s3. + |
+
+encryptionMetadata,omitzero
+
+
+HCPEtcdBackupEncryptionMetadata
+
+
+ |
+
+(Optional)
+ encryptionMetadata contains metadata about the encryption of the backup. +When present, at least one platform-specific encryption block must be set. + |
+
+(Appears on: +HCPEtcdBackupSpec) +
++
HCPEtcdBackupStorage defines the cloud storage backend configuration for the backup. +Exactly one storage backend must be specified, matching the storageType discriminator.
+ +| Field | +Description | +
|---|---|
+storageType
+
+
+HCPEtcdBackupStorageType
+
+
+ |
+
+ storageType specifies the type of cloud storage backend for the etcd backup. +Valid values are “S3” for AWS S3 storage and “AzureBlob” for Azure Blob Storage. + |
+
+s3,omitzero
+
+
+HCPEtcdBackupS3
+
+
+ |
+
+(Optional)
+ s3 specifies the S3 storage configuration for the etcd backup. +Required when storageType is “S3”, and forbidden otherwise. + |
+
+azureBlob,omitzero
+
+
+HCPEtcdBackupAzureBlob
+
+
+ |
+
+(Optional)
+ azureBlob specifies the Azure Blob storage configuration for the etcd backup. +Required when storageType is “AzureBlob”, and forbidden otherwise. + |
+
+(Appears on: +HCPEtcdBackupStorage) +
++
HCPEtcdBackupStorageType is the type of storage for etcd backups.
+ +| Value | +Description | +
|---|---|
"AzureBlob" |
+AzureBlobBackupStorage indicates that the backup is stored in Azure Blob Storage. + |
+
"S3" |
+S3BackupStorage indicates that the backup is stored in AWS S3. + |
+
+(Appears on: +HostedCluster) +
++
+| Field | +Description | +|||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+release
+
+
+Release
+
+
+ |
+
+ release specifies the desired OCP release payload for all the hosted cluster components. +This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc. +The maximum and minimum supported release versions are determined by the running Hypersfhit Operator. +Attempting to use an unsupported version will result in the HostedCluster being degraded and the validateReleaseImage condition being false. +Attempting to use a release with a skew against a NodePool release bigger than N-2 for the y-stream will result in leaving the NodePool in an unsupported state. +Changing this field will trigger a rollout of the control plane components. +The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. + |
+|||||||||||||||
+controlPlaneRelease
+
+
+Release
+
+
+ |
+
+(Optional)
+ controlPlaneRelease is like spec.release but only for the components running on the management cluster. +This excludes any operand which will land in the hosted cluster data plane. +It is useful when you need to apply patch management side like a CVE, transparently for the hosted cluster. +Version input for this field is free, no validation is performed against spec.release or maximum and minimum is performed. +If defined, it will dicate the version of the components running management side, while spec.release will dictate the version of the components landing in the hosted cluster data plane. +If not defined, spec.release is used for both. +Changing this field will trigger a rollout of the control plane. +The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surce policies. + |
+|||||||||||||||
+clusterID
+
+string
+
+ |
+
+(Optional)
+ clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal digits). +As with a Kubernetes metadata.uid, this ID uniquely identifies this cluster in space and time. +This value identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. +If a value is not specified, a random clusterID will be generated and set by the controller. +Once set, this value is immutable. + |
+|||||||||||||||
+infraID
+
+string
+
+ |
+
+(Optional)
+ infraID is a globally unique identifier for the cluster. +It must consist of lowercase alphanumeric characters and hyphens (‘-’) only, and start and end with an alphanumeric character. +It must be no more than 253 characters in length. +This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. +infraID is used to compute and tag created resources with “kubernetes.io/cluster/”+hcluster.Spec.InfraID which has contractual meaning for the cloud provider implementations. +If a value is not specified, a random infraID will be generated and set by the controller. +Once set, this value is immutable. + |
+|||||||||||||||
+updateService
+
+
+github.com/openshift/api/config/v1.URL
+
+
+ |
+
+(Optional)
+ updateService may be used to specify the preferred upstream update service. +If omitted we will use the appropriate update service for the cluster and region. +This is used by the control plane operator to determine and signal the appropriate available upgrades in the hostedCluster.status. + |
+|||||||||||||||
+channel
+
+string
+
+ |
+
+(Optional)
+ channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. +If omitted no particular upgrades are suggested. +TODO(alberto): Consider the backend to use the default channel by default. Default channel will contain stable updates that are appropriate for production clusters. + |
+|||||||||||||||
+platform
+
+
+PlatformSpec
+
+
+ |
+
+ platform specifies the underlying infrastructure provider for the cluster +and is used to configure platform specific behavior. + |
+|||||||||||||||
+kubeAPIServerDNSName
+
+string
+
+ |
+
+(Optional)
+ kubeAPIServerDNSName specifies a desired DNS name to resolve to the KAS. +When set, the controller will automatically generate a secret with kubeconfig and expose it in the hostedCluster Status.customKubeconfig field. +If it’s set or removed day 2, the kubeconfig generated secret will be created, recreated or deleted. +The DNS entries should be resolvable from the cluster, so this should be manually configured in the DNS provider. +This field works in conjunction with configuration.APIServer.ServingCerts.NamedCertificates to enable +access to the API server via a custom domain name. The NamedCertificates provide the TLS certificates +for the custom domain, while this field triggers the generation of a kubeconfig that uses those certificates. +This API endpoint only works in OCP version 4.19 or later. Older versions will result in a no-op. + |
+|||||||||||||||
+controllerAvailabilityPolicy
+
+
+AvailabilityPolicy
+
+
+ |
+
+(Optional)
+ controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server. +Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable. +This field is immutable. + |
+|||||||||||||||
+infrastructureAvailabilityPolicy
+
+
+AvailabilityPolicy
+
+
+ |
+
+(Optional)
+ infrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on the hosted cluster data plane like the ingress controller and image registry controller. +Possible values are HighlyAvailable and SingleReplica. The default value is SingleReplica. + |
+|||||||||||||||
+dns
+
+
+DNSSpec
+
+
+ |
+
+(Optional)
+ dns specifies the DNS configuration for the hosted cluster ingress. + |
+|||||||||||||||
+networking
+
+
+ClusterNetworking
+
+
+ |
+
+ networking specifies network configuration for the hosted cluster. +Defaults to OVNKubernetes with a cluster network of cidr: “10.132.0.0/14” and a service network of cidr: “172.31.0.0/16”. + |
+|||||||||||||||
+autoscaling
+
+
+ClusterAutoscaling
+
+
+ |
+
+(Optional)
+ autoscaling specifies auto-scaling behavior that applies to all NodePools +associated with this HostedCluster. + |
+|||||||||||||||
+autoNode
+
+
+AutoNode
+
+
+ |
+
+(Optional)
+ autoNode specifies the configuration for automatic node provisioning and lifecycle management. +When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads. + |
+|||||||||||||||
+etcd
+
+
+EtcdSpec
+
+
+ |
+
+ etcd specifies configuration for the control plane etcd cluster. The +default managementType is Managed. Once set, the managementType cannot be +changed. + |
+|||||||||||||||
+services
+
+
+[]ServicePublishingStrategyMapping
+
+
+ |
+
+ services specifies how individual control plane services endpoints are published for consumption. +This requires APIServer;OAuthServer;Konnectivity;Ignition. +This field is immutable for all platforms but IBMCloud. +Max is 6 to account for OIDC;OVNSbDb for backward compatibility though they are no-op. +-kubebuilder:validation:XValidation:rule=“self.all(s, !(s.service == ‘APIServer’ && s.servicePublishingStrategy.type == ‘Route’) || has(s.servicePublishingStrategy.route.hostname))”,message=“If serviceType is ‘APIServer’ and publishing strategy is ‘Route’, then hostname must be set” +-kubebuilder:validation:XValidation:rule=“self.platform.type == ‘IBMCloud’ ? [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’].all(requiredType, self.exists(s, s.service == requiredType))”,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, and ‘Konnectivity’ service types” : [‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, ‘Ignition’].all(requiredType, self.exists(s, s.service == requiredType))“,message=“Services list must contain at least ‘APIServer’, ‘OAuthServer’, ‘Konnectivity’, and ‘Ignition’ service types” +-kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘Route’ && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘Route’ && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)”,message=“Each route publishingStrategy ‘hostname’ must be unique within the Services list.” +-kubebuilder:validation:XValidation:rule=“self.filter(s, s.servicePublishingStrategy.type == ‘NodePort’ && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == ‘NodePort’ && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)”,message=“Each nodePort publishingStrategy ‘nodePort’ and ‘hostname’ must be unique within the Services list.” +TODO(alberto): this breaks the cost budget for < 4.17. We should figure why and enable it back. And If not fixable, consider imposing a minimum version on the management cluster. + |
+|||||||||||||||
+pullSecret
+
+
+Kubernetes core/v1.LocalObjectReference
+
+
+ |
+
+ pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. +If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. +TODO(alberto): Signal this in a condition. +This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster +and it will be injected into the container runtime of all NodePools. +Changing this value will trigger a rollout for all existing NodePools in the cluster. +Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes. + |
+|||||||||||||||
+sshKey
+
+
+Kubernetes core/v1.LocalObjectReference
+
+
+ |
+
+(Optional)
+ sshKey is a local reference to a Secret that must have a “id_rsa.pub” key whose content must be the public part of 1..N SSH keys. +If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. +TODO(alberto): Signal this in a condition. +When sshKey is set, the controllers will generate a machineConfig with the sshAuthorizedKeys https://coreos.github.io/ignition/configuration-v3_2/ populated with this value. +This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. +Changing this value will trigger a rollout for all existing NodePools in the cluster. + |
+|||||||||||||||
+issuerURL
+
+string
+
+ |
+
+(Optional)
+ issuerURL is an OIDC issuer URL which will be used as the issuer in all +ServiceAccount tokens generated by the control plane API server via –service-account-issuer kube api server flag. +https://k8s-docs.netlify.app/en/docs/reference/command-line-tools-reference/kube-apiserver/ +https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection +The default value is kubernetes.default.svc, which only works for in-cluster +validation. +If the platform is AWS and this value is set, the controller will update an s3 object with the appropriate OIDC documents (using the serviceAccountSigningKey info) into that issuerURL. +The expectation is for this s3 url to be backed by an OIDC provider in the AWS IAM. + |
+|||||||||||||||
+serviceAccountSigningKey
+
+
+Kubernetes core/v1.LocalObjectReference
+
+
+ |
+
+(Optional)
+ serviceAccountSigningKey is a local reference to a secret that must have a “key” key whose content must be the private key +used by the service account token issuer. +If not specified, a service account signing key will +be generated automatically for the cluster. +When specifying a service account signing key, an IssuerURL must also be specified. +If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. +TODO(alberto): Signal this in a condition. +For key rotation, the secret may optionally contain an “old-key.pub” key whose content is the PEM-encoded +public key of the previous signing key. When present, the kube-apiserver will accept tokens signed by +both the current and previous keys, allowing for graceful key rotation without invalidating existing tokens. + |
+|||||||||||||||
+configuration
+
+
+ClusterConfiguration
+
+
+ |
+
+(Optional)
+ configuration specifies configuration for individual OCP components in the +cluster, represented as embedded resources that correspond to the openshift +configuration API. + |
+|||||||||||||||
+operatorConfiguration
+
+
+OperatorConfiguration
+
+
+ |
+
+(Optional)
+ operatorConfiguration specifies configuration for individual OCP operators in the cluster. + |
+|||||||||||||||
auditWebhook
@@ -37545,6 +40303,22 @@ plane’s current state.
| ||||||||||||||||
+controlPlaneVersion,omitzero
+
+
+ControlPlaneVersionStatus
+
+
+ |
+
+(Optional)
+ controlPlaneVersion tracks the rollout status of the control plane +components running on the management cluster, independently from +the data-plane version reported in the version field. + |
+|||||||||||||||
version
@@ -37678,16 +40452,30 @@ PlatformStatus
| ||||||||||||||||
-configuration
+autoNode,omitzero
-
-ConfigurationStatus
+
+AutoNodeStatus
|
(Optional)
- configuration contains the cluster configuration status of the HostedCluster +autoNode contains the observed state of the autoNode (Karpenter) provisioner. + |
+|||||||||||||||
+configuration
+
+
+ConfigurationStatus
+
+
+ |
+
+(Optional)
+ configuration contains the cluster configuration status of the HostedCluster |
|||||||||||||||
|
(Optional)
- autoNode specifies the configuration for the autoNode feature. +autoNode specifies the configuration for automatic node provisioning +and lifecycle management. When set, nodes are automatically provisioned +using the specified provisioner (e.g. Karpenter) instead of requiring +manual NodePool management. |
||||||||||||||||
+controlPlaneVersion,omitzero
+
+
+ControlPlaneVersionStatus
+
+
+ |
+
+(Optional)
+ controlPlaneVersion tracks the rollout status of the control plane +components running on the management cluster, independently from +the data-plane version reported in the version field. + |
+|||||||||||||||
versionStatus
@@ -38447,6 +41254,20 @@ int
| ||||||||||||||||
+autoNode,omitzero
+
+
+AutoNodeStatus
+
+
+ |
+
+(Optional)
+ autoNode contains the observed state of the autoNode (Karpenter) provisioner. + |
+|||||||||||||||
configuration
@@ -39018,6 +41839,7 @@ AzureKMSSpec
KarpenterConfig)
+ KarpenterAWSConfig specifies AWS-specific configuration for the Karpenter provisioner.
(Appears on: -CapacityReservationOptions) +CapacityReservationOptions, +PlacementOptions) - MarketType describes the market type of the CapacityReservation for an Instance. +MarketType describes the market type for EC2 instances.
+(Appears on: +NodePoolStatus) + ++ NodePoolNodesInfo aggregates observed information about nodes belonging to this NodePool. + +
(Appears on: @@ -41240,6 +44348,21 @@ the NodePool. | ||||||||||||||||
+nodesInfo,omitzero
+
+
+NodePoolNodesInfo
+
+
+ |
+
+(Optional)
+ nodesInfo contains aggregated information observed from nodes belonging +to this NodePool. + |
+|||||||||||||||
platform
@@ -41311,6 +44434,73 @@ assigned when the service is created.
|
+(Appears on: +NodePoolNodesInfo) +
++
NodeVersion represents a version combination and the count of ready and unready nodes running it.
+ +| Field | +Description | +
|---|---|
+ocpVersion
+
+string
+
+ |
+
+ ocpVersion is the OpenShift release version this node was provisioned +or upgraded with. + |
+
+kubeletVersion
+
+string
+
+ |
+
+ kubeletVersion is the kubelet version reported by the node, as observed +from Machine.Status.NodeInfo.KubeletVersion. + |
+
+readyNodeCount
+
+int32
+
+ |
+
+ readyNodeCount is the number of nodes running this version where the +CAPI NodeHealthy condition is True. + |
+
+unreadyNodeCount
+
+int32
+
+ |
+
+ unreadyNodeCount is the number of nodes running this version where the +CAPI NodeHealthy condition is not True. Useful for tracking upgrade +progress and detecting stuck nodes. + |
+
(Appears on: @@ -41428,6 +44618,28 @@ this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.
+mtu
+
+int32
+
+mtu is the MTU to use for the tunnel interface on hosted cluster nodes. +This must be 100 bytes smaller than the uplink MTU. +When unset, the cluster-network-operator will determine the MTU automatically +based on the infrastructure (e.g., for commercial AWS regions, it defaults +to 8901 based on the 9001 uplink MTU minus 100 bytes overhead). +Some non-commercial AWS regions do not support 9001 uplink MTU, +requiring this field to be explicitly set to a lower value. +The maximum is 9216, which is the standard jumbo frame upper limit +supported by datacenter and cloud network interfaces. +The minimum is 576, which is the minimum IPv4 MTU per RFC 791. +This field is immutable once set.
+
PlacementOptions specifies the placement options for the EC2 instances.
+The instance market type is determined by the marketType field: +- “OnDemand” (default): Standard on-demand instances +- “Spot”: Spot instances using spare EC2 capacity at reduced prices +- “CapacityBlocks”: Scheduled pre-purchased compute capacity for ML workloads
+marketType
+
+
+MarketType
+
+
+ |
+
+(Optional)
+ marketType specifies the EC2 instance purchasing model. +Supported values are “OnDemand” for standard on-demand instances, +“Spot” for spot instances that use spare EC2 capacity at reduced prices +but may be interrupted (optionally accepts spot options and requires +terminationHandlerQueueURL on the HostedCluster), and “CapacityBlocks” for scheduled pre-purchased +compute capacity recommended for GPU/ML workloads (requires +capacityReservation with a specific reservation ID). +When omitted, the default is “OnDemand”. + |
+|
+spot,omitzero
+
+
+SpotOptions
+
+
+ |
+
+(Optional)
+ spot configures optional Spot instance overrides. +When omitted, Spot instances use AWS defaults. +Spot instances use spare EC2 capacity at reduced prices but may be interrupted +with a 2-minute warning. Requires terminationHandlerQueueURL to be set on the +HostedCluster’s AWS platform spec for graceful handling of interruptions. + |
+|
capacityReservation
@@ -41957,6 +45212,7 @@ CapacityReservationOptions
capacityReservation specifies Capacity Reservation options for the NodePool instances. Cannot be specified when tenancy is set to “host” as Dedicated Hosts do not support Capacity Reservations. Compatible with “default” and “dedicated” tenancy. +Required when marketType is “CapacityBlocks”. |
"Karpenter" |
-+ | ProvisionerKarpenter indicates that Karpenter is used for automatic node provisioning. + |
-
ProvisionerConfig is a enum specifying the strategy for auto managing Nodes.
+ProvisionerConfig specifies the provisioner used for automatic node management +and its associated configuration.
|
- name specifies the name of the provisioner to use. +name specifies the name of the provisioner to use for automatic node management. |
+(Appears on: +HCPEtcdBackupAzureBlob, +HCPEtcdBackupS3) +
++
SecretReference contains a reference to a Secret by name. +The Secret must exist in the same namespace as the referencing resource.
+ +| Field | +Description | +
|---|---|
+name
+
+string
+
+ |
+
+ name is the name of the Secret. It must be a valid DNS-1123 subdomain: at most +253 characters, consisting of lowercase alphanumeric characters, hyphens, and periods. +Each period-separated segment must start and end with an alphanumeric character. + |
+
(Appears on: @@ -43675,6 +46966,44 @@ ServicePublishingStrategy
ServiceType defines what control plane services can be exposed from the management control plane.
+###SpotOptions { #hypershift.openshift.io/v1beta1.SpotOptions } ++(Appears on: +PlacementOptions) +
++
SpotOptions configures options for Spot instances.
+Spot instances use spare EC2 capacity at reduced prices but may be interrupted +with a 2-minute warning when EC2 needs the capacity back.
+ +| Field | +Description | +
|---|---|
+maxPrice
+
+string
+
+ |
+
+(Optional)
+ maxPrice defines the maximum price the user is willing to pay for Spot instances. +If not specified, the on-demand price is used as the maximum (you pay the actual spot price). +The value should be a decimal number representing the price per hour in USD. +For example, “0.50” means 50 cents per hour. +Note: AWS recommends NOT setting maxPrice to reduce interruption frequency. +When omitted, you pay the current Spot price (capped at On-Demand price). +AWS minimum allowed value is $0.001. + |
+
(Appears on:
@@ -44344,6 +47673,186 @@ graph TB
- **AWSEndpointService API types**: `api/hypershift/v1beta1/endpointservice_types.go`
+---
+
+## Source: docs/content/reference/architecture/azure/privatelink.md
+
+---
+title: Azure Private Link
+---
+
+# Azure Private Link Architecture in HyperShift
+
+## Overview
+
+HyperShift uses Azure Private Link Service (PLS) to establish secure connectivity between worker nodes in the guest cluster VNet and the hosted control plane in the management cluster. This is used when `EndpointAccess` is set to `Private` or `PublicAndPrivate`.
+
+Unlike AWS PrivateLink which uses VPC Endpoint Services, Azure Private Link uses a dedicated Private Link Service resource backed by an internal load balancer with NAT IP translation.
+
+## Architecture Diagram
+
+```mermaid
+graph TB
+ subgraph MC["Management Cluster"]
+ subgraph HO["hypershift-operator"]
+ HO_Controller["AzurePLSController
+ - Watches: AzurePrivateLinkService CR
+ - Waits for LoadBalancerIP in Spec
+ - Finds ILB by frontend IP
+ - Creates PLS with NAT subnet
+ - Writes PLS alias to Status"]
+ end
+
+ subgraph HCP["HCP Namespace (e.g., clusters-foo)"]
+ subgraph CPO["control-plane-operator"]
+ Observer["AzurePLSObserver
+ - Watches: private-router Service
+ - Waits for ILB frontend IP
+ - Creates AzurePrivateLinkService CR
+ - Writes LoadBalancerIP to Spec"]
+ Reconciler["AzurePLSReconciler
+ - Waits for PLS alias in Status
+ - Creates Private Endpoint in guest VNet
+ - Creates Private DNS zones
+ - Creates VNet links and A records
+ - Writes PrivateEndpointIP to Status"]
+ end
+ ROUTER_SVC["private-router (Svc)
+ type: LoadBalancer
+ annotation: internal"]
+ end
+ end
+
+ subgraph MGMT_AZURE["Management Azure Subscription"]
+ ILB["Internal Load Balancer
+ Frontend IP from private-router"]
+ PLS["Private Link Service
+ NAT subnet for IP translation
+ Visibility: auto-approve guest sub"]
+ end
+
+ subgraph GUEST_AZURE["Guest Azure Subscription"]
+ subgraph GUEST_VNET["Guest VNet"]
+ PE["Private Endpoint
+ Connected to PLS alias
+ Gets private IP in guest VNet"]
+ DNS_LOCAL["Private DNS Zone
+ clusterName.hypershift.local"]
+ DNS_BASE["Private DNS Zone
+ baseDomain"]
+ VNET_LINK["VNet Links
+ Link DNS zones to guest VNet"]
+ A_LOCAL["A Records (hypershift.local)
+ api → PE IP
+ *.apps → PE IP"]
+ A_BASE["A Records (baseDomain)
+ api-clusterName → PE IP
+ oauth-clusterName → PE IP"]
+ WORKERS["Worker Nodes
+ Resolve API via Private DNS"]
+ end
+ end
+
+ Observer --> ROUTER_SVC
+ ROUTER_SVC --> ILB
+ HO_Controller -- "Creates PLS
+ Writes alias to Status" --> PLS
+ ILB --> PLS
+ PLS -- "Azure Private Link" --> PE
+ Reconciler -- "Creates PE, DNS zones,
+ VNet links, A records" --> PE
+ PE --> DNS_LOCAL
+ PE --> DNS_BASE
+ DNS_LOCAL --> VNET_LINK
+ DNS_BASE --> VNET_LINK
+ DNS_LOCAL --> A_LOCAL
+ DNS_BASE --> A_BASE
+ WORKERS -- "DNS resolution" --> A_LOCAL
+ WORKERS -- "DNS resolution" --> A_BASE
+ A_LOCAL -- "PE IP" --> PE
+ A_BASE -- "PE IP" --> PE
+```
+
+## Component Responsibilities
+
+### Azure Resources
+
+| Azure Resource | Created By | Description |
+|----------------|------------|-------------|
+| Internal Load Balancer | Azure (via `private-router` Service) | Fronts the KAS/router in the management cluster with an internal IP |
+| Private Link Service | HyperShift operator (HO controller) | Exposes the ILB via Private Link using NAT subnet for IP translation |
+| Private Endpoint | Control plane operator (CPO reconciler) | Connects guest VNet to PLS, receives a private IP in the guest subnet |
+| Private DNS Zone (local) | Control plane operator (CPO reconciler) | `
External LB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane --> Router
+ ExtUsers --> Router
+
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+**Without External DNS**:
+
+- **APIServer**: `LoadBalancer` (dedicated external load balancer)
+- **OAuthServer**: `Route` (management cluster ingress)
+- **Konnectivity**: `Route` (management cluster ingress)
+- **Ignition**: `Route` (management cluster ingress)
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: AWS
+ aws:
+ endpointAccess: Public
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: LoadBalancer
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ KASLB[KAS LoadBalancer
External]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane --> KASLB
+ DataPlane --> MCIngress
+ ExtUsers --> KASLB
+ ExtUsers --> MCIngress
+
+ KASLB --> KAS
+ MCIngress --> OAuth
+ MCIngress --> Konnectivity
+ MCIngress --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+#### PublicAndPrivate Endpoint Access
+
+**With External DNS** (`--external-dns-domain` flag):
+
+- **APIServer**: `Route` (hostname required)
+- **OAuthServer**: `Route` (hostname required)
+- **Konnectivity**: `Route` (resolves via `hypershift.local`)
+- **Ignition**: `Route` (resolves via `hypershift.local`)
+
+APIServer and OAuthServer are exposed externally through a dedicated HCP router. Konnectivity and Ignition resolve via `hypershift.local` through PrivateLink, so hostnames are not needed for them.
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: AWS
+ aws:
+ endpointAccess: PublicAndPrivate
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: api.my-cluster.example.com
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: oauth.my-cluster.example.com
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ Router[HCP Router]
+ InternalLB[Internal LB]
+ ExternalLB[External LB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane -->|PrivateLink| InternalLB
+ ExtUsers --> ExternalLB
+
+ InternalLB --> Router
+ ExternalLB --> Router
+
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+**Without External DNS**:
+
+- **APIServer**: `LoadBalancer` (dedicated external load balancer)
+- **OAuthServer**: `Route` (HCP router with internal load balancer)
+- **Konnectivity**: `Route` (HCP router with internal load balancer)
+- **Ignition**: `Route` (HCP router with internal load balancer)
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: AWS
+ aws:
+ endpointAccess: PublicAndPrivate
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: LoadBalancer
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ KASLB[KAS LoadBalancer
External]
+ Router[HCP Router]
+ RouterInternalLB[Router Internal LB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ ExtUsers ~~~ DataPlane
+
+ DataPlane --> |PrivateLink| RouterInternalLB
+ ExtUsers --> KASLB
+ ExtUsers -->|OAuth| MCIngress
+
+ KASLB --> KAS
+ RouterInternalLB --> Router
+ MCIngress --> OAuth
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+#### Private Endpoint Access
+
+All traffic in private clusters happens via PrivateLink. All services use Route publishing through an HCP router with an internal load balancer.
+
+- **APIServer**: `Route`
+- **OAuthServer**: `Route`
+- **Konnectivity**: `Route`
+- **Ignition**: `Route`
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: AWS
+ aws:
+ endpointAccess: Private
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ Router[HCP Router]
+ InternalLB[Internal LB]
+ end
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane -->|PrivateLink| InternalLB
+ ExtUsers -->|PrivateLink| InternalLB
+
+ InternalLB --> Router
+
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+
+### Azure
+
+Azure has two deployment modes with different service publishing strategy requirements:
+
+#### Managed Azure (ARO HCP)
+
+ARO HCP (Azure Red Hat OpenShift Hosted Control Planes) uses a unique architecture with two distinct traffic paths. All ARO HCP clusters are considered **PublicAndPrivate**.
+
+##### Architecture Overview
+
+ARO HCP management clusters are based on **AKS (Azure Kubernetes Service)**, not OpenShift. The architecture separates traffic into two paths:
+
+1. **External Traffic (KAS, OAuth)**: Flows through a **Shared Ingress HAProxy** deployment. A single HAProxy in the `hypershift-sharedingress` namespace, fronted by one Azure LoadBalancer, routes traffic to the correct hosted control plane using SNI-based hostname routing.
+
+2. **In-Cluster Traffic (Konnectivity, Ignition)**: Flows through **Swift** (Azure Service Networking). Private router pods are labeled with `kubernetes.azure.com/pod-network-instance`, which connects them directly to the customer VNet. Services resolve via the `hypershift.local` internal DNS zone (e.g., `konnectivity-server.apps.
SNI Hostname Routing]
+ SharedLB[Azure LoadBalancer
Single LB for all clusters]
+ end
+
+ subgraph HCP1 ["Hosted Control Plane 1"]
+ KAS1[APIServer]
+ OAuth1[OAuthServer]
+ Konnectivity1[Konnectivity]
+ Ignition1[Ignition]
+ end
+
+ subgraph SwiftRouter ["Private Router (Swift-enabled)"]
+ PrivRouter[Private Router Pod
kubernetes.azure.com/
pod-network-instance]
+ end
+ end
+
+ subgraph "Data Plane (Customer VNet)"
+ Worker1[Worker Node]
+ end
+
+ ExtUsers[External Users]
+
+ ExtUsers --> |HTTPS
KAS / OAuth| SharedLB
+ SharedLB --> HAProxy
+ HAProxy --> |SNI routing| KAS1
+ HAProxy --> |SNI routing| OAuth1
+
+ Worker1 --> |Swift
hypershift.local| PrivRouter
+ PrivRouter --> Konnectivity1
+ PrivRouter --> Ignition1
+
+ classDef sharedIngressStyle fill:#fff3cd,stroke:#856404,stroke-width:3px;
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ classDef dataPlaneStyle fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px;
+ classDef swiftStyle fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px;
+
+ class SharedIngress sharedIngressStyle
+ class HCP1 hcpStyle
+ class Worker1 dataPlaneStyle
+ class SwiftRouter swiftStyle
+```
+
+##### Traffic Paths
+
+| Traffic Type | Path | DNS Resolution |
+|-------------|------|----------------|
+| **External** (KAS, OAuth) | Client → Shared Ingress LB → HAProxy → HCP | External DNS zone (e.g., `api.
Ingress Controller]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ ExtUsers --> |External DNS| MCIngress
+ DataPlane --> |External DNS| MCIngress
+
+ MCIngress --> KAS
+ MCIngress --> OAuth
+ MCIngress --> Konnectivity
+ MCIngress --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+##### PublicAndPrivate Endpoint Access
+
+Services are accessible both from the public internet through external DNS and privately through Azure Private Link Service. Konnectivity and Ignition hostnames are handled internally.
+
+- **APIServer**: `Route` (hostname required)
+- **OAuthServer**: `Route` (hostname required)
+- **Konnectivity**: `Route` (hostname handled internally)
+- **Ignition**: `Route` (hostname handled internally)
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: Azure
+ azure:
+ azureAuthenticationConfig:
+ azureAuthenticationConfigType: WorkloadIdentities
+ workloadIdentities:
+ # Workload identity configuration
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: api.my-cluster.example.com
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: oauth.my-cluster.example.com
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster (OpenShift)"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ end
+ MCIngress[Management Cluster
Ingress Controller]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+ PrivLink[Azure Private
Link Service]
+
+ ExtUsers --> |External DNS| MCIngress
+ DataPlane --> |Private Link| PrivLink
+ PrivLink --> MCIngress
+
+ MCIngress --> KAS
+ MCIngress --> OAuth
+ MCIngress --> Konnectivity
+ MCIngress --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ classDef privLinkStyle fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px;
+
+ class HCP hcpStyle
+ class PrivLink privLinkStyle
+```
+
+##### Private Endpoint Access
+
+All traffic flows through Azure Private Link Service. Not accessible from the public internet. Konnectivity and Ignition hostnames are handled internally.
+
+- **APIServer**: `Route` (hostname required)
+- **OAuthServer**: `Route` (hostname required)
+- **Konnectivity**: `Route` (hostname handled internally)
+- **Ignition**: `Route` (hostname handled internally)
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: Azure
+ azure:
+ azureAuthenticationConfig:
+ azureAuthenticationConfigType: WorkloadIdentities
+ workloadIdentities:
+ # Workload identity configuration
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: api.my-cluster.example.com
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: oauth.my-cluster.example.com
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster (OpenShift)"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ end
+ MCIngress[Management Cluster
Ingress Controller]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+ PrivLink[Azure Private
Link Service]
+
+ ExtUsers --> |Private Link| PrivLink
+ DataPlane --> |Private Link| PrivLink
+ PrivLink --> MCIngress
+
+ MCIngress --> KAS
+ MCIngress --> OAuth
+ MCIngress --> Konnectivity
+ MCIngress --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ classDef privLinkStyle fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px;
+
+ class HCP hcpStyle
+ class PrivLink privLinkStyle
+```
+
+### Managed GCP
+
+Managed GCP (Google Cloud Platform) HostedClusters are managed service deployments on GCP. Publishing strategies are determined by the endpoint access mode. All services use Route publishing strategy, including APIServer.
+
+#### PublicAndPrivate Endpoint Access
+
+External DNS is required for GCP (`--external-dns-domain` flag):
+
+- **APIServer**: `Route` (hostname required)
+- **OAuthServer**: `Route` (hostname required)
+- **Konnectivity**: `Route` (hostname required)
+- **Ignition**: `Route` (hostname required)
+
+All Route-based services are exposed through a dedicated HCP router with both internal and external load balancers.
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: GCP
+ gcp:
+ endpointAccess: PublicAndPrivate
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: api.my-cluster.example.com
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: oauth.my-cluster.example.com
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: konnectivity.my-cluster.example.com
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: ignition.my-cluster.example.com
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ Router[HCP Router]
+ InternalLB[Internal LB]
+ ExternalLB[External LB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane -->|Private Service Connect| InternalLB
+ ExtUsers --> ExternalLB
+
+ InternalLB --> Router
+ ExternalLB --> Router
+
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+#### Private Endpoint Access
+
+All traffic in private GCP clusters happens via Private Service Connect. All services use Route publishing through an HCP router with an internal load balancer.
+
+- **APIServer**: `Route`
+- **OAuthServer**: `Route`
+- **Konnectivity**: `Route`
+- **Ignition**: `Route`
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: GCP
+ gcp:
+ endpointAccess: Private
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ Router[HCP Router]
+ InternalLB[Internal LB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane -->|Private Service Connect| InternalLB
+ ExtUsers-->|Private Service Connect| InternalLB
+
+ InternalLB --> Router
+
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+### KubeVirt
+
+KubeVirt is unique in supporting both Ingress-based (Route/LoadBalancer) and NodePort-based service publishing strategies through the `--service-publishing-strategy` flag.
+
+#### Supported Publishing Strategies
+
+**Ingress Strategy (Default)**:
+
+| Service | Supported Strategies |
+|---------|---------------------|
+| **APIServer** | `LoadBalancer` or `Route`* |
+| **OAuthServer** | `Route` |
+| **Konnectivity** | `Route` |
+| **Ignition** | `Route` |
+
+\* With external DNS, uses `Route`; without it, uses `LoadBalancer`.
+
+**NodePort Strategy**:
+
+| Service | Supported Strategies |
+|---------|---------------------|
+| **APIServer** | `NodePort` |
+| **OAuthServer** | `NodePort` |
+| **Konnectivity** | `NodePort` |
+| **Ignition** | `NodePort` |
+
+#### Validation Rules
+
+- When using `--service-publishing-strategy=NodePort`, the `--api-server-address` flag is required
+- If not provided, the system will attempt to auto-detect the API server address
+- Supports `--external-dns-domain` flag when using Ingress strategy
+
+#### Example Configurations
+
+**Ingress Strategy with External DNS**:
+
+```yaml
+spec:
+ platform:
+ type: Kubevirt
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: Route
+ route:
+ hostname: api-mycluster.example.com
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+**Architecture Diagram:**
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ Router[HCP Router]
+ ExternalLB[External LB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane --> ExternalLB
+ ExtUsers --> ExternalLB
+
+ ExternalLB --> Router
+
+ Router --> KAS
+ Router --> OAuth
+ Router --> Konnectivity
+ Router --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+**NodePort Strategy**:
+
+```yaml
+spec:
+ platform:
+ type: Kubevirt
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 192.168.1.100
+ port: 30000
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 192.168.1.100
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 192.168.1.100
+ - service: Ignition
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 192.168.1.100
+```
+
+**Architecture Diagram:**
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer
NodePort]
+ OAuth[OAuthServer
NodePort]
+ Konnectivity[Konnectivity
NodePort]
+ Ignition[Ignition
NodePort]
+ end
+ Node1[Management Node
192.168.1.100]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane --> |NodePort| Node1
+ ExtUsers --> |NodePort| Node1
+
+ Node1 --> KAS
+ Node1 --> OAuth
+ Node1 --> Konnectivity
+ Node1 --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+### Agent
+
+The Agent platform supports multiple service publishing strategies. By default, the `hcp create cluster agent` command creates a hosted cluster with NodePort configuration. However, LoadBalancer is the preferred publishing strategy for production environments.
+
+#### Supported Publishing Strategies
+
+| Service | Supported Strategies |
+|---------|---------------------|
+| **APIServer** | `NodePort` (default), `LoadBalancer`, `Route` |
+| **OAuthServer** | `NodePort`, `Route` |
+| **Konnectivity** | `NodePort`, `Route` |
+| **Ignition** | `NodePort`, `Route` |
+
+#### Publishing Strategy Recommendations
+
+- **NodePort (Default)**: Used by default when creating clusters with `hcp create cluster agent`. Suitable for development and testing.
+- **LoadBalancer (Recommended for Production)**: Provides better certificate handling and automatic DNS resolution. Requires MetalLB or similar load balancer infrastructure.
+- **Route**: Services can be exposed through Routes on the management cluster's ingress controller.
+
+#### NodePort Strategy (Default)
+
+**Configuration:**
+
+- **APIServer**: `NodePort` (with address and optional port)
+- **OAuthServer**: `NodePort`
+- **Konnectivity**: `NodePort`
+- **Ignition**: `NodePort`
+
+**Important Notes:**
+- When using NodePort, the `--api-server-address` flag is required or the system will auto-detect the API server address from available nodes
+- DNS must point to the hosted cluster compute nodes, not the management cluster nodes
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: Agent
+ agent:
+ agentNamespace: agent-namespace
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 10.0.0.100
+ port: 30000
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 10.0.0.100
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 10.0.0.100
+ - service: Ignition
+ servicePublishingStrategy:
+ type: NodePort
+ nodePort:
+ address: 10.0.0.100
+```
+
+**Architecture Diagram:**
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer
NodePort]
+ OAuth[OAuthServer
NodePort]
+ Konnectivity[Konnectivity
NodePort]
+ Ignition[Ignition
NodePort]
+ end
+ Node1[Management Node
10.0.0.100]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane --> |NodePort:30000| Node1
+ ExtUsers --> |NodePort:30000| Node1
+
+ Node1 --> KAS
+ Node1 --> OAuth
+ Node1 --> Konnectivity
+ Node1 --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+#### LoadBalancer Strategy (Recommended for Production)
+
+**Configuration:**
+
+- **APIServer**: `LoadBalancer`
+- **OAuthServer**: `Route`
+- **Konnectivity**: `Route`
+- **Ignition**: `Route`
+
+**Benefits:**
+- Better certificate handling
+- Automatic DNS resolution
+- Simplified access through a single IP address
+
+**Prerequisites:**
+- MetalLB or similar load balancer infrastructure must be installed and configured on the hosted cluster
+
+**Example Configuration:**
+
+```yaml
+spec:
+ platform:
+ type: Agent
+ agent:
+ agentNamespace: agent-namespace
+ services:
+ - service: APIServer
+ servicePublishingStrategy:
+ type: LoadBalancer
+ - service: OAuthServer
+ servicePublishingStrategy:
+ type: Route
+ - service: Konnectivity
+ servicePublishingStrategy:
+ type: Route
+ - service: Ignition
+ servicePublishingStrategy:
+ type: Route
+```
+
+**Architecture Diagram:**
+
+```mermaid
+graph RL
+ subgraph "Management Cluster"
+ subgraph HCP ["Hosted Control Plane"]
+ KAS[APIServer]
+ OAuth[OAuthServer]
+ Konnectivity[Konnectivity]
+ Ignition[Ignition]
+ KASLB[KAS LoadBalancer
MetalLB]
+ end
+ MCIngress[Management Cluster
Ingress]
+ end
+
+ DataPlane[Data Plane]
+ ExtUsers[External Users]
+
+ DataPlane --> KASLB
+ DataPlane --> MCIngress
+ ExtUsers --> KASLB
+ ExtUsers --> MCIngress
+
+ KASLB --> KAS
+ MCIngress --> OAuth
+ MCIngress --> Konnectivity
+ MCIngress --> Ignition
+
+ classDef hcpStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px;
+ class HCP hcpStyle
+```
+
+## Summary Table
+
+| Platform | APIServer Default | Other Services Default | External DNS Support | NodePort Support | Special Features |
+|----------|------------------|----------------------|---------------------|-----------------|------------------|
+| AWS | LoadBalancer or Route | Route | Yes | No | Endpoint access modes |
+| Azure (Managed/ARO HCP)\* | Route (hostname required) | Route (hostname required) | No | No | Shared ingress HAProxy + Swift, all Routes need explicit hostnames |
+| Azure (Self-Managed) | Route (hostname required) | Route (hostname required) | Required | No | Endpoint access modes (Public, PublicAndPrivate, Private), uses workload identities |
+| GCP (Managed) | Route | Route | Required | No | Endpoint access modes (PublicAndPrivate, Private) |
+| KubeVirt | LoadBalancer or Route | Route | Yes | Yes | Dual strategy support via flag |
+| Agent | NodePort (default), LoadBalancer | NodePort, Route | No | Yes (default) | LoadBalancer recommended for production |
+
+\* **ARO HCP**: All clusters are PublicAndPrivate. External traffic (KAS, OAuth) flows through a shared HAProxy deployment with SNI-based hostname routing. In-cluster traffic (Konnectivity, Ignition) flows through Swift (Azure Service Networking), where private router pods connect directly to the customer VNet and services resolve via `hypershift.local`.
+
+## Best Practices
+
+1. **Use External DNS when available**: For cloud platforms that support it (AWS, Azure, GCP, KubeVirt), using the `--external-dns-domain` flag provides a cleaner configuration with predictable hostnames for all services. Note that Managed GCP requires external DNS, while it's optional for AWS, Azure, and KubeVirt.
+
+2. **Understand endpoint access modes**: On AWS, choose the endpoint access mode that matches your security requirements:
+ - `Public`: Services accessible from the internet
+ - `PublicAndPrivate`: Services accessible from both internet and VPC
+ - `Private`: Services only accessible from VPC
+
+3. **Validate your configuration**: Always check the `ValidConfiguration` condition on your HostedCluster to ensure your service publishing strategy is valid:
+ ```bash
+ oc get hostedcluster
+
AzurePrivateLinkService represents Azure Private Link Service infrastructure +for private connectivity to hosted cluster API servers.
+ +| Field | +Description | +
|---|---|
+apiVersion
+string |
+
+
+hypershift.openshift.io/v1beta1
+
+ |
+
+kind
+string
+ |
+AzurePrivateLinkService |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+(Optional)
+ metadata is the metadata for the AzurePrivateLinkService. +Refer to the Kubernetes API documentation for the fields of the +metadata field.
+ |
+
+spec,omitzero
+
+
+AzurePrivateLinkServiceSpec
+
+
+ |
+
+ spec is the specification for the AzurePrivateLinkService. + |
+
+status,omitzero
+
+
+AzurePrivateLinkServiceStatus
+
+
+ |
+
+(Optional)
+ status is the status of the AzurePrivateLinkService. + |
+
CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
@@ -178,7 +253,9 @@ This value must be a valid IPv4 or IPv6 address.forwardingRuleName
-string
+
+GCPResourceName
+
consumerAcceptList specifies which customer projects can connect -Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”)
+consumerAcceptList specifies which customer projects can connect. +Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”). +A maximum of 50 entries are allowed. +See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project ID and number formats.
natSubnet
-string
+
+GCPResourceName
+
+
HCPEtcdBackup represents a request to back up etcd for a hosted control plane. +This resource is feature-gated behind the HCPEtcdBackup feature gate.
+ +| Field | +Description | +
|---|---|
+apiVersion
+string |
+
+
+hypershift.openshift.io/v1beta1
+
+ |
+
+kind
+string
+ |
+HCPEtcdBackup |
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+(Optional)
+ metadata is the metadata for the HCPEtcdBackup. +Refer to the Kubernetes API documentation for the fields of the +metadata field.
+ |
+
+spec,omitzero
+
+
+HCPEtcdBackupSpec
+
+
+ |
+
+ spec is the specification for the HCPEtcdBackup. + |
+
+status,omitzero
+
+
+HCPEtcdBackupStatus
+
+
+ |
+
+(Optional)
+ status is the status of the HCPEtcdBackup. + |
+
HostedCluster is the primary representation of a HyperShift cluster and encapsulates @@ -517,7 +673,8 @@ AutoNode
autoNode specifies the configuration for the autoNode feature.
+autoNode specifies the configuration for automatic node provisioning and lifecycle management. +When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads.
terminationHandlerQueueURL
+
+string
+
+terminationHandlerQueueURL specifies the SQS queue URL for EC2 spot interruption events. +This is required when using spot instances (marketType: Spot) in NodePools to enable +graceful handling of spot instance terminations.
+The queue should be configured to receive EC2 Spot Instance Interruption Warnings +and EC2 Instance Rebalance Recommendations via EventBridge rules. +The AWS Node Termination Handler will poll this queue and cordon/drain nodes +before they are terminated, providing a best effort for graceful shutdown.
+Supports both standard and FIFO queues (FIFO queues end with .fifo suffix).
+-
We expose here internal configuration knobs that won’t be exposed to the service.
+AutoNode specifies the configuration for automatic node provisioning and lifecycle management.
-provisionerConfig
+provisionerConfig,omitzero
ProvisionerConfig
@@ -2867,7 +3043,52 @@ ProvisionerConfig
|
- provisionerConfig is the implementation used for Node auto provisioning. +provisionerConfig specifies the provisioner used for automatic node management. + |
+
+(Appears on: +HostedClusterStatus, +HostedControlPlaneStatus) +
++
AutoNodeStatus contains the observed state of the AutoNode provisioner.
+ +| Field | +Description | +
|---|---|
+nodeCount
+
+int32
+
+ |
+
+(Optional)
+ nodeCount is the number of nodes fully provisioned by Karpenter. +These are node objects that exist in the cluster and carry the karpenter.sh/nodepool label. + |
+
+nodeClaimCount
+
+int32
+
+ |
+
+(Optional)
+ nodeClaimCount is the total number of NodeClaims managed by Karpenter. +This represents what Karpenter intends to provision, whether or not the node object exists yet. |
-(Appears on: -AzureAuthenticationConfiguration) -
--
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components -that authenticate with Azure’s API.
- -| Field | -Description | -
|---|---|
-controlPlane
+topology
-
-ControlPlaneManagedIdentities
+
+AzureTopologyType
|
- controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to -authenticate with Azure’s API. +(Optional) +topology specifies the network topology of the API server endpoint for the hosted cluster. +- Public: The API server is accessible only via a public endpoint. +- PublicAndPrivate: The API server is accessible via both public and private endpoints. +- Private: The API server is accessible only via a private endpoint. +When omitted, this means no opinion and the platform is left to choose a reasonable +default, which is subject to change over time. The current default is Public. +This field must be set explicitly for self-hosted environments (WorkloadIdentities). +Transitions between PublicAndPrivate and Private are allowed after creation. +Transitions from Public to non-Public (or vice versa) are not allowed. +When set to Private or PublicAndPrivate, the private field must be provided. |
-dataPlane
+private,omitzero
-
-DataPlaneManagedIdentities
+
+AzurePrivateSpec
|
- dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with -Azure’s API. +(Optional) +private configures private connectivity to the hosted cluster’s API server. +This field is required when topology is Private or PublicAndPrivate, and must +not be set when topology is Public. +Once set at cluster creation, this field cannot be removed, and it cannot be +added to an existing cluster that was created without it. |
(Appears on: -AzureNodePoolPlatform) +AzurePrivateLinkService)
-
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
+AzurePrivateLinkServiceSpec defines the desired state of AzurePrivateLinkService
-type
+loadBalancerIP
-
-AzureVMImageType
+string
+
+ |
+
+(Optional)
+ loadBalancerIP is the frontend IP address of the internal load balancer that +fronts the hosted control plane’s API server. This field is populated automatically +by the control plane operator from the kube-apiserver service status. +It is not set by users directly. +When set, the value must be a valid IPv4 or IPv6 address. + |
+
+subscriptionID
+
+
+AzureSubscriptionID
|
- type is the type of image data that will be provided to the Azure VM. -Valid values are “ImageID” and “AzureMarketplace”. -ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. -AzureMarketplace means the VM will boot from an Azure Marketplace image. -Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. -When Type is “AzureMarketplace”, you can either: -1. Specify only imageGeneration to use marketplace defaults from the release payload -2. Specify publisher, offer, sku, and version to use an explicit marketplace image -3. Specify all fields (imageGeneration along with publisher, offer, sku, version) +subscriptionID is the Azure subscription ID where the Private Link Service +resources will be created. Must be a valid UUID consisting of hexadecimal +characters and hyphens in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +where x is a hexadecimal digit 0-9a-f. |
-imageID
+resourceGroupName
string
|
-(Optional)
- imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. -TODO: What is the valid character set for this field? What about minimum and maximum lengths? +resourceGroupName is the name of the Azure resource group where the Private Link +Service resources will be created. Must be 1-90 characters consisting of +alphanumerics, underscores, hyphens, periods, and parentheses. Cannot end with a period. +See https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules |
-azureMarketplace
+location
-
-AzureMarketplaceImage
+string
+
+ |
+
+ location is the Azure region where the Private Link Service resources will be +created (e.g., “eastus”, “westeurope”, “centralus”). Must match the region +of the management cluster. + |
+
+natSubnetID
+
+
+AzureSubnetResourceID
|
(Optional)
- azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. +natSubnetID is the full Azure resource ID of the subnet used for Private Link Service +NAT IP allocation. This subnet must have privateLinkServiceNetworkPolicies disabled. +If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} |
-(Appears on: -AzureMarketplaceImage) -
--
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
- -| Value | -Description | +
+additionalAllowedSubscriptions
+
+
+[]AzureSubscriptionID
+
+
+ |
+
+(Optional)
+ additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs +permitted to create Private Endpoints to the Private Link Service. The guest cluster’s +own subscription (derived from guestSubnetID) is always automatically allowed, so it +does not need to be listed here. +Each entry must be a valid UUID of exactly 36 characters consisting of +lowercase hexadecimal characters and hyphens in the format +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx where x is a hexadecimal digit 0-9a-f. +A maximum of 50 subscriptions may be specified. + |
|---|---|---|---|
"Gen1" |
-Gen1 represents Hyper-V Generation 1 VMs + | ||
+guestSubnetID
+
+
+AzureSubnetResourceID
+
+
|
-|||
"Gen2" |
-Gen2 represents Hyper-V Generation 2 VMs + |
+ guestSubnetID is the full Azure resource ID of the subnet in the guest VNet where +the Private Endpoint will be created. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} |
-
-(Appears on: -AzureVMImage) -
--
AzureVMImageType is used to specify the source of the Azure VM boot image. -Valid values are ImageID and AzureMarketplace.
- -| Value | -Description | +
+guestVNetID
+
+
+AzureVNetResourceID
+
+
+ |
+
+ guestVNetID is the full Azure resource ID of the guest VNet for Private DNS zone linking. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName} + |
|---|---|---|---|
"AzureMarketplace" |
-AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. + | ||
+baseDomain
+
+string
+
|
-|||
"ImageID" |
-ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. + |
+(Optional)
+ baseDomain is the cluster’s base domain (e.g., “example.hypershift.azure.devcluster.openshift.com”).
+Used to create a Private DNS Zone so that worker VMs can resolve the API and OAuth
+hostnames (api- |
-
(Appears on: -AzureAuthenticationConfiguration) +AzurePrivateLinkService)
-
AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure -needing to authenticate with Azure’s API.
+AzurePrivateLinkServiceStatus defines the observed state of AzurePrivateLinkService
-imageRegistry
+conditions
-
-WorkloadIdentity
+
+[]Kubernetes meta/v1.Condition
|
- imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in -workload identity authentication. +(Optional) +conditions represent the current state of PLS infrastructure. +Current condition types are: “AzurePrivateLinkServiceAvailable”, “AzureInternalLoadBalancerAvailable”, +“AzurePLSCreated”, “AzurePrivateEndpointAvailable”, “AzurePrivateDNSAvailable” |
-ingress
+internalLoadBalancerID
-
-WorkloadIdentity
-
+string
|
- ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in -workload identity authentication. +(Optional) +internalLoadBalancerID is the Azure resource ID of the internal load balancer +fronting the hosted control plane. The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/loadBalancers/{loadBalancerName} +where subscriptionID is a UUID, resourceGroup is up to 90 characters, and +loadBalancerName is up to 80 characters. |
-file
+privateLinkServiceID
-
-WorkloadIdentity
-
+string
|
- file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, -used in workload identity authentication. +(Optional) +privateLinkServiceID is the Azure resource ID of the Private Link Service. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateLinkServices/{plsName} |
-disk
+privateLinkServiceAlias
-
-WorkloadIdentity
-
+string
|
- disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, -used in workload identity authentication. +(Optional) +privateLinkServiceAlias is the globally unique alias for the Private Link Service, +auto-generated by Azure in the format {plsName}.{guid}.{region}.azure.privatelinkservice. +MaxLength=170 covers: PLS name (80) + GUID (36) + region (19, e.g. “southcentralusstage”) |
-nodePoolManagement
+privateEndpointID
-
-WorkloadIdentity
-
+string
|
- nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used -in workload identity authentication. +(Optional) +privateEndpointID is the Azure resource ID of the Private Endpoint. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateEndpoints/{endpointName} |
-cloudProvider
+privateEndpointIP
-
-WorkloadIdentity
-
+string
|
- cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in -workload identity authentication. +(Optional) +privateEndpointIP is the private IP address assigned to the Private Endpoint. +Must be a valid IPv4 (e.g., “10.0.1.4”) or IPv6 address. |
-network
+privateDNSZoneID
-
-WorkloadIdentity
-
+string
|
- network is the client ID of a federated managed identity, associated with cluster-network-operator, used in -workload identity authentication. +(Optional) +privateDNSZoneID is the Azure resource ID of the Private DNS Zone. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} + |
+
+dnsZoneName
+
+string
+
+ |
+
+(Optional)
+ dnsZoneName is the Private DNS zone name (derived from the KAS hostname). +Persisted at creation time so that deletion does not depend on the +HostedControlPlane still existing. +Must be a valid DNS domain name consisting of alphanumeric characters, hyphens, +and periods, where each segment starts and ends with an alphanumeric character +(e.g., “api-mycluster.example.hypershift.azure.devcluster.openshift.com”). + |
+
+baseDomainDNSZoneID
+
+string
+
+ |
+
+(Optional)
+ baseDomainDNSZoneID is the Azure resource ID of the base domain Private DNS Zone. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} |
-(Appears on: -APIServerNetworking) -
--
-###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities } +###AzurePrivateLinkSpec { #hypershift.openshift.io/v1beta1.AzurePrivateLinkSpec }(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +AzurePrivateSpec)
-
capabilities allows enabling or disabling optional components at install time. -When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective -OpenShift version, minus the baremetal capability. -Once set, it cannot be changed.
+AzurePrivateLinkSpec configures Azure Private Link Service connectivity.
-enabled
+natSubnetID
-
-[]OptionalCapability
+
+AzureSubnetResourceID
|
(Optional)
- enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. +natSubnetID is the Azure resource ID of the subnet used for Private Link Service NAT IP allocation. +This subnet must have privateLinkServiceNetworkPolicies disabled. +If not provided, the controller will auto-create a NAT subnet in the HC’s VNet. +The expected format is: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName} +The maximum length is 355 characters. |
-disabled
+additionalAllowedSubscriptions
-
-[]OptionalCapability
+
+[]AzureSubscriptionID
|
(Optional)
- disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. -Once set, this field cannot be changed. -Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. +additionalAllowedSubscriptions is an optional list of additional Azure subscription IDs +permitted to create Private Endpoints to the Private Link Service. The guest cluster’s +own subscription is always automatically allowed, so it does not need to be listed here. +Each item must be a valid UUID consisting of lowercase hexadecimal characters and hyphens, +in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +(e.g., “550e8400-e29b-41d4-a716-446655440000”). A maximum of 50 subscriptions may be specified. |
(Appears on: -PlacementOptions) +AzurePlatformSpec)
-
CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
+AzurePrivateSpec configures private connectivity to an Azure hosted cluster’s API server. +It is a discriminated union keyed on the type field, which selects the private connectivity +mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may +be added in the future.
-id
-
-string
-
- |
-
-(Optional)
- id specifies the target Capacity Reservation into which the EC2 instances should be launched. -Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 -When empty, no specific Capacity Reservation is targeted. -When specified, preference cannot be set to ‘None’ or ‘Open’ as these -are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ -or omit preference field when targeting a specific reservation. - |
-
-marketType
+type
-
-MarketType
+
+AzurePrivateType
|
-(Optional)
- marketType specifies the market type of the CapacityReservation for the EC2 instances. Valid values are OnDemand, CapacityBlocks and omitted: -- “OnDemand”: EC2 instances run as standard On-Demand instances. -- “CapacityBlocks”: scheduled pre-purchased compute capacity. Capacity Blocks is recommended when GPUs are needed to support ML workloads. -When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. -The current default value is CapacityBlocks. -When set to ‘CapacityBlocks’, a specific Capacity Reservation ID must be provided. +type specifies the private connectivity mechanism used for the hosted cluster’s API server. +“PrivateLink” selects Azure Private Link Service for private API server access. +This field is immutable once set. |
-preference
+privateLink,omitzero
-
-CapacityReservationPreference
+
+AzurePrivateLinkSpec
|
(Optional)
- preference specifies the preference for use of Capacity Reservations by the instance. Valid values include: -- “”: No preference (platform default) -- “Open”: The instance may make use of open Capacity Reservations that match its AZ and InstanceType -- “None”: The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads -- “CapacityReservationsOnly”: The instance will only run if matched or targeted to a Capacity Reservation -Cannot be set to ‘None’ or ‘Open’ when a specific Capacity Reservation ID is provided, -as targeting a specific reservation is mutually exclusive with these general preference settings. +privateLink configures Azure Private Link Service for private API server access. +This field is required when type is “PrivateLink” and must not be set otherwise. |
(Appears on: -CapacityReservationOptions) +AzurePrivateSpec)
-
CapacityReservationPreference describes the preferred use of capacity reservations -of an instance
+AzurePrivateType specifies the type of private connectivity mechanism used for the Azure +hosted cluster’s API server. This acts as the discriminator for the AzurePrivateSpec union.
| Description | -|
|---|---|
"None" |
-CapacityReservationPreferenceNone the instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads - |
-
"CapacityReservationsOnly" |
-CapacityReservationPreferenceOnly the instance will only run if matched or targeted to a Capacity Reservation - |
-
"Open" |
-CapacityReservationPreferenceOpen the instance may make use of open Capacity Reservations that match its AZ and InstanceType. + |
"PrivateLink" |
+AzurePrivateTypePrivateLink specifies private connectivity using Azure Private Link Service. +In this mode, the operator creates a Private Link Service backed by the management cluster’s +internal load balancer, and a Private Endpoint in the guest VNet for private API server access. |
-(Appears on: -CertificateSigningRequestApproval) -
--
CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval
- -###CertificateSigningRequestApprovalStatus { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalStatus } --(Appears on: -CertificateSigningRequestApproval) -
--
CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval
- -###ClusterAutoscaling { #hypershift.openshift.io/v1beta1.ClusterAutoscaling } +###AzureResourceManagedIdentities { #hypershift.openshift.io/v1beta1.AzureResourceManagedIdentities }(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +AzureAuthenticationConfiguration)
-
ClusterAutoscaling specifies auto-scaling behavior that applies to all -NodePools associated with a control plane.
+AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components +that authenticate with Azure’s API.
-scaling
+controlPlane
-
-ScalingType
+
+ControlPlaneManagedIdentities
|
-(Optional)
- scaling defines the scaling behavior for the cluster autoscaler. -ScaleUpOnly means the autoscaler will only scale up nodes, never scale down. -ScaleUpAndScaleDown means the autoscaler will both scale up and scale down nodes. -When set to ScaleUpAndScaleDown, the scaleDown field can be used to configure scale down behavior. -Note: This field is only supported in OpenShift versions 4.19 and above. +controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to +authenticate with Azure’s API. |
-scaleDown
+dataPlane
-
-ScaleDownConfig
+
+DataPlaneManagedIdentities
|
-(Optional)
- scaleDown configures the behavior of the Cluster Autoscaler scale down operation. -This field is only valid when scaling is set to ScaleUpAndScaleDown. +dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with +Azure’s API. |
+(Appears on: +AzurePrivateLinkServiceSpec, +AzurePrivateLinkSpec) +
++
AzureSubnetResourceID is a full Azure resource ID for a subnet. +The expected format is:
+/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
+
+
+###AzureSubscriptionID { #hypershift.openshift.io/v1beta1.AzureSubscriptionID }
++(Appears on: +AzurePrivateLinkServiceSpec, +AzurePrivateLinkSpec) +
++
AzureSubscriptionID is an Azure subscription ID in UUID format. +Must be exactly 36 characters consisting of hexadecimal digits [0-9a-fA-F] and hyphens +in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (e.g., “550e8400-e29b-41d4-a716-446655440000”).
+ +###AzureTopologyType { #hypershift.openshift.io/v1beta1.AzureTopologyType } ++(Appears on: +AzurePlatformSpec) +
++
AzureTopologyType specifies the network topology of the Azure API server endpoint.
+ +
-balancingIgnoredLabels
-
-[]string
-
- |
-
-(Optional)
- balancingIgnoredLabels sets “–balancing-ignore-label -HyperShift automatically appends platform-specific balancing ignore labels: -- AWS: “lifecycle”, “k8s.amazonaws.com/eniConfig”, “topology.k8s.aws/zone-id” -- Azure: “agentpool”, “kubernetes.azure.com/agentpool” -- Common: -- “hypershift.openshift.io/nodePool” -- “topology.ebs.csi.aws.com/zone” -- “topology.disk.csi.azure.com/zone” -- “ibm-cloud.kubernetes.io/worker-id” -- “vpc-block-csi-driver-labels” -These labels are added by default and do not need to be manually specified. - |
+Value | +Description |
|---|---|---|---|
-maxNodesTotal
-
-int32
-
+ | |||
"Private" |
+AzureTopologyPrivate indicates the API server is accessible only via a private endpoint. |
-
-(Optional)
- maxNodesTotal is the maximum allowable number of nodes for the Autoscaler scale out to be operational. -The autoscaler will not grow the cluster beyond this number. -If omitted, the autoscaler will not have a maximum limit. -number. + | |
"Public" |
+AzureTopologyPublic indicates the API server is accessible only via a public endpoint. |
+||
"PublicAndPrivate" |
+AzureTopologyPublicAndPrivate indicates the API server is accessible via both public and private endpoints. + |
+
+(Appears on: +AzureNodePoolPlatform) +
++
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
+ +| Field | +Description |
|---|---|
-maxPodGracePeriod
+type
-int32
+
+AzureVMImageType
+
|
-(Optional)
- maxPodGracePeriod is the maximum seconds to wait for graceful pod -termination before scaling down a NodePool. The default is 600 seconds. +type is the type of image data that will be provided to the Azure VM. +Valid values are “ImageID” and “AzureMarketplace”. +ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. +AzureMarketplace means the VM will boot from an Azure Marketplace image. +Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. +When Type is “AzureMarketplace”, you can either: +1. Specify only imageGeneration to use marketplace defaults from the release payload +2. Specify publisher, offer, sku, and version to use an explicit marketplace image +3. Specify all fields (imageGeneration along with publisher, offer, sku, version) |
-maxNodeProvisionTime
+imageID
string
|
(Optional)
- maxNodeProvisionTime is the maximum time to wait for node provisioning -before considering the provisioning to be unsuccessful, expressed as a Go -duration string. The default is 15 minutes. +imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. +TODO: What is the valid character set for this field? What about minimum and maximum lengths? |
-maxFreeDifferenceRatioPercent
+azureMarketplace
-int32
+
+AzureMarketplaceImage
+
|
(Optional)
- maxFreeDifferenceRatioPercent sets the maximum difference ratio for free resources between similar node groups. This parameter controls how strict the similarity check is when comparing node groups for load balancing. -The value represents a percentage from 0 to 100. -When set to 0, this means node groups must have exactly the same free resources to be considered similar (no difference allowed). -When set to 100, this means node groups will be considered similar regardless of their free resource differences (any difference allowed). -A value between 0 and 100 represents the maximum allowed difference ratio for free resources between node groups to be considered similar. -When omitted, the autoscaler defaults to 10%. -This affects the “–max-free-difference-ratio” flag on cluster-autoscaler. +azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. |
+(Appears on: +AzureMarketplaceImage) +
++
AzureVMImageGeneration represents the Hyper-V generation of an Azure VM image.
+ +
-podPriorityThreshold
-
-int32
-
+ | Value | +Description | +
|---|---|---|
"Gen1" |
+Gen1 represents Hyper-V Generation 1 VMs |
-
-(Optional)
- podPriorityThreshold enables users to schedule “best-effort” pods, which -shouldn’t trigger autoscaler actions, but only run when there are spare -resources available. The default is -10. -See the following for more details: -https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption + |
"Gen2" |
+Gen2 represents Hyper-V Generation 2 VMs |
-
+(Appears on: +AzureVMImage) +
++
AzureVMImageType is used to specify the source of the Azure VM boot image. +Valid values are ImageID and AzureMarketplace.
+ +
-expanders
-
-
-[]ExpanderString
-
-
+ | Value | +Description | +
|---|---|---|
"AzureMarketplace" |
+AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. |
-
-(Optional)
- expanders guide the autoscaler in choosing node groups during scale-out.
-Sets the order of expanders for scaling out node groups.
-Options include:
-* LeastWaste - selects the group with minimal idle CPU and memory after scaling.
-* Priority - selects the group with the highest user-defined priority.
-* Random - selects a group randomly.
-If not specified, |
"ImageID" |
+ImageID is the used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. |
-
(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +AzurePrivateLinkServiceSpec)
-
ClusterConfiguration specifies configuration for individual OCP components in the -cluster, represented as embedded resources that correspond to the openshift -configuration API.
-The API for individual configuration items is at: -https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html
+AzureVNetResourceID is a full Azure resource ID for a virtual network. +The expected format is:
+/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/virtualNetworks/{vnetName}
+
+
+###AzureWorkloadIdentities { #hypershift.openshift.io/v1beta1.AzureWorkloadIdentities }
++(Appears on: +AzureAuthenticationConfiguration) +
++
AzureWorkloadIdentities is a struct that contains the client IDs of all the managed identities in self-managed Azure +needing to authenticate with Azure’s API.
-apiServer
+imageRegistry
-
-github.com/openshift/api/config/v1.APIServerSpec
+
+WorkloadIdentity
|
-(Optional)
- apiServer holds configuration (like serving certificates, client CA and CORS domains) -shared by all API servers in the system, among them especially kube-apiserver -and openshift-apiserver. +imageRegistry is the client ID of a federated managed identity, associated with cluster-image-registry-operator, used in +workload identity authentication. |
-authentication
+ingress
-
-github.com/openshift/api/config/v1.AuthenticationSpec
+
+WorkloadIdentity
|
-(Optional)
- authentication specifies cluster-wide settings for authentication (like OAuth and -webhook token authenticators). +ingress is the client ID of a federated managed identity, associated with cluster-ingress-operator, used in +workload identity authentication. |
-featureGate
+file
-
-github.com/openshift/api/config/v1.FeatureGateSpec
+
+WorkloadIdentity
|
-(Optional)
- featureGate holds cluster-wide information about feature gates. +file is the client ID of a federated managed identity, associated with cluster-storage-operator-file, +used in workload identity authentication. |
-image
+disk
-
-github.com/openshift/api/config/v1.ImageSpec
+
+WorkloadIdentity
|
-(Optional)
- image governs policies related to imagestream imports and runtime configuration -for external registries. It allows cluster admins to configure which registries -OpenShift is allowed to import images from, extra CA trust bundles for external -registries, and policies to block or allow registry hostnames. -When exposing OpenShift’s image registry to the public, this also lets cluster -admins specify the external hostname. -This input will be part of every payload generated by the controllers for any NodePool of the HostedCluster. -Changing this value will trigger a rollout for all existing NodePools in the cluster. +disk is the client ID of a federated managed identity, associated with cluster-storage-operator-disk, +used in workload identity authentication. |
-ingress
+nodePoolManagement
-
-github.com/openshift/api/config/v1.IngressSpec
+
+WorkloadIdentity
|
-(Optional)
- ingress holds cluster-wide information about ingress, including the default ingress domain -used for routes. +nodePoolManagement is the client ID of a federated managed identity, associated with cluster-api-provider-azure, used +in workload identity authentication. |
-network
+cloudProvider
-
-github.com/openshift/api/config/v1.NetworkSpec
+
+WorkloadIdentity
|
-(Optional)
- network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. -Please view network.spec for an explanation on what applies when configuring this resource. -TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. +cloudProvider is the client ID of a federated managed identity, associated with azure-cloud-provider, used in +workload identity authentication. |
-oauth
+network
-
-github.com/openshift/api/config/v1.OAuthSpec
+
+WorkloadIdentity
|
-(Optional)
- oauth holds cluster-wide information about OAuth. -It is used to configure the integrated OAuth server. -This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. +network is the client ID of a federated managed identity, associated with cluster-network-operator, used in +workload identity authentication. |
-operatorhub
+controlPlaneOperator,omitzero
-
-github.com/openshift/api/config/v1.OperatorHubSpec
+
+WorkloadIdentity
|
(Optional)
- operatorhub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. -The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. +controlPlaneOperator is the client ID of a federated managed identity, associated with control-plane-operator, +used in workload identity authentication for Azure Private Link Service operations. |
+(Appears on: +APIServerNetworking) +
++
+###Capabilities { #hypershift.openshift.io/v1beta1.Capabilities } ++(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
capabilities allows enabling or disabling optional components at install time. +When this is not supplied, the cluster will use the DefaultCapabilitySet defined for the respective +OpenShift version, minus the baremetal capability. +Once set, it cannot be changed.
+ +| Field | +Description | +
|---|---|
-scheduler
+enabled
-
-github.com/openshift/api/config/v1.SchedulerSpec
+
+[]OptionalCapability
|
(Optional)
- scheduler holds cluster-wide config information to run the Kubernetes Scheduler
-and influence its placement decisions. The canonical name for this config is enabled when specified, explicitly enables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. |
-proxy
+disabled
-
-github.com/openshift/api/config/v1.ProxySpec
+
+[]OptionalCapability
|
(Optional)
- proxy holds cluster-wide information on how to configure default proxies for the cluster. -This affects traffic flowing from the hosted cluster data plane. -The controllers will generate a machineConfig with the proxy config for the cluster. -This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. -Changing this value will trigger a rollout for all existing NodePools in the cluster. +disabled when specified, explicitly disables the specified capabilitíes on the hosted cluster. +Once set, this field cannot be changed. +Note: Disabling ‘openshift-samples’,‘Insights’, ‘Console’, ‘NodeTuning’, ‘Ingress’ are only supported in OpenShift versions 4.20 and above. |
(Appears on: -ClusterNetworking) +PlacementOptions)
-
ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks -are allocated with size 2^HostSubnetLength.
+CapacityReservationOptions specifies Capacity Reservation options for the NodePool instances.
-cidr
+id
-
-github.com/openshift/hypershift/api/util/ipnet.IPNet
+string
+
+ |
+
+(Optional)
+ id specifies the target Capacity Reservation into which the EC2 instances should be launched. +Must follow the format: cr- followed by 17 lowercase hexadecimal characters. For example: cr-0123456789abcdef0 +When empty, no specific Capacity Reservation is targeted. +When specified, preference cannot be set to ‘None’ or ‘Open’ as these +are mutually exclusive with targeting a specific reservation. Use preference ‘CapacityReservationsOnly’ +or omit preference field when targeting a specific reservation. + |
+
+marketType
+
+
+MarketType
|
- cidr is the IP block address pool. +(Optional) +marketType specifies the market type of the CapacityReservation for the EC2 instances. +Deprecated: Use placement.marketType instead. This field is maintained for backward compatibility. +When both placement.marketType and capacityReservation.marketType are set, placement.marketType takes precedence. +Valid values are OnDemand, CapacityBlocks and omitted: +- “OnDemand”: EC2 instances run as standard On-Demand instances. +- “CapacityBlocks”: scheduled pre-purchased compute capacity. Recommended for GPU/ML workloads. +When set to ‘CapacityBlocks’, a specific Capacity Reservation ID must be provided. |
-hostPrefix
+preference
-int32
+
+CapacityReservationPreference
+
|
(Optional)
- hostPrefix is the prefix size to allocate to each node from the CIDR. -For example, 24 would allocate 2^(32-24)=2^8=256 addresses to each node. If this -field is not used by the plugin, it can be left unset. +preference specifies the preference for use of Capacity Reservations by the instance. Valid values include: +- “”: No preference (platform default) +- “Open”: The instance may make use of open Capacity Reservations that match its AZ and InstanceType +- “None”: The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads +- “CapacityReservationsOnly”: The instance will only run if matched or targeted to a Capacity Reservation +Cannot be set to ‘None’ or ‘Open’ when a specific Capacity Reservation ID is provided, +as targeting a specific reservation is mutually exclusive with these general preference settings. |
(Appears on: -OperatorConfiguration) +CapacityReservationOptions)
+
CapacityReservationPreference describes the preferred use of capacity reservations +of an instance
| Field | +Value | Description |
|---|---|---|
-disableMultiNetwork
-
-bool
-
- |
-
-(Optional)
- disableMultiNetwork when set to true disables the Multus CNI plugin and related components -in the hosted cluster. This prevents the installation of multus daemon sets in the -guest cluster and the multus-admission-controller in the management cluster. -Default is false (Multus is enabled). -This field is immutable. -This field can only be set to true when NetworkType is “Other”. Setting it to true -with any other NetworkType will result in a validation error during cluster creation. + | |
"None" |
+CapacityReservationPreferenceNone the instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads |
-|
-ovnKubernetesConfig
-
-
-OVNKubernetesConfig
-
-
+ | ||
"CapacityReservationsOnly" |
+CapacityReservationPreferenceOnly the instance will only run if matched or targeted to a Capacity Reservation |
-
-(Optional)
- ovnKubernetesConfig holds OVN-Kubernetes specific configuration. -This is only consumed when NetworkType is OVNKubernetes. + |
"Open" |
+CapacityReservationPreferenceOpen the instance may make use of open Capacity Reservations that match its AZ and InstanceType. |
-
+(Appears on: +CertificateSigningRequestApproval) +
++
CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval
+ +###CertificateSigningRequestApprovalStatus { #hypershift.openshift.io/v1beta1.CertificateSigningRequestApprovalStatus } ++(Appears on: +CertificateSigningRequestApproval) +
++
CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval
+ +###ClusterAutoscaling { #hypershift.openshift.io/v1beta1.ClusterAutoscaling }(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
-
clusterNetworking specifies network configuration for a cluster. -All CIDRs must be unique. Additional validation to check for CIDRs overlap and consistent network stack is performed by the controllers. -Failing that validation will result in the HostedCluster being degraded and the validConfiguration condition being false. -TODO this is available in vanilla kube from 1.31 API servers and in Openshift from 4.16. -TODO(alberto): Use CEL cidr library for all these validation when all management clusters are >= 1.31.
+ClusterAutoscaling specifies auto-scaling behavior that applies to all +NodePools associated with a control plane.
-machineNetwork
+scaling
-
-[]MachineNetworkEntry
+
+ScalingType
|
(Optional)
- machineNetwork is the list of IP address pools for machines. -This might be used among other things to generate appropriate networking security groups in some clouds providers. -Currently only one entry or two for dual stack is supported. -This field is immutable. +scaling defines the scaling behavior for the cluster autoscaler. +ScaleUpOnly means the autoscaler will only scale up nodes, never scale down. +ScaleUpAndScaleDown means the autoscaler will both scale up and scale down nodes. +When set to ScaleUpAndScaleDown, the scaleDown field can be used to configure scale down behavior. +Note: This field is only supported in OpenShift versions 4.19 and above. |
-clusterNetwork
+scaleDown
-
-[]ClusterNetworkEntry
+
+ScaleDownConfig
|
(Optional)
- clusterNetwork is the list of IP address pools for pods. -Defaults to cidr: “10.132.0.0/14”. -Currently only one entry is supported. -This field is immutable. +scaleDown configures the behavior of the Cluster Autoscaler scale down operation. +This field is only valid when scaling is set to ScaleUpAndScaleDown. |
-serviceNetwork
+balancingIgnoredLabels
-
-[]ServiceNetworkEntry
-
+[]string
|
(Optional)
- serviceNetwork is the list of IP address pools for services. -Defaults to cidr: “172.31.0.0/16”. -Currently only one entry is supported. -This field is immutable. +balancingIgnoredLabels sets “–balancing-ignore-label +HyperShift automatically appends platform-specific balancing ignore labels: +- AWS: “lifecycle”, “k8s.amazonaws.com/eniConfig”, “topology.k8s.aws/zone-id” +- Azure: “agentpool”, “kubernetes.azure.com/agentpool” +- Common: +- “hypershift.openshift.io/nodePool” +- “topology.ebs.csi.aws.com/zone” +- “topology.disk.csi.azure.com/zone” +- “ibm-cloud.kubernetes.io/worker-id” +- “vpc-block-csi-driver-labels” +These labels are added by default and do not need to be manually specified. |
-networkType
+maxNodesTotal
-
-NetworkType
-
+int32
|
(Optional)
- networkType specifies the SDN provider used for cluster networking. -Defaults to OVNKubernetes. -This field is required and immutable. -kubebuilder:validation:XValidation:rule=“self == oldSelf”, message=“networkType is immutable” +maxNodesTotal is the maximum allowable number of nodes for the Autoscaler scale out to be operational. +The autoscaler will not grow the cluster beyond this number. +If omitted, the autoscaler will not have a maximum limit. +number. |
-apiServer
+maxPodGracePeriod
-
-APIServerNetworking
-
+int32
|
(Optional)
- apiServer contains advanced network settings for the API server that affect -how the APIServer is exposed inside a hosted cluster node. +maxPodGracePeriod is the maximum seconds to wait for graceful pod +termination before scaling down a NodePool. The default is 600 seconds. |
-allocateNodeCIDRs
+maxNodeProvisionTime
-
-AllocateNodeCIDRsMode
-
+string
|
(Optional)
- allocateNodeCIDRs controls whether the kube-controller-manager manages node CIDR allocation. -When using networkType=Other, it is recommended to set this field to “Enabled” -if Flannel is used as the CNI, as it relies on this behavior. -Default is “Disabled”. -This field can only be set to “Enabled” when NetworkType is “Other”. Setting it to “Enabled” -with any other NetworkType will result in a validation error during cluster creation. +maxNodeProvisionTime is the maximum time to wait for node provisioning +before considering the provisioning to be unsuccessful, expressed as a Go +duration string. The default is 15 minutes. |
-(Appears on: -OperatorConfiguration) -
--
ClusterVersionOperatorSpec is the specification of the desired behavior of the Cluster Version Operator.
- -| Field | -Description | +
+maxFreeDifferenceRatioPercent
+
+int32
+
+ |
+
+(Optional)
+ maxFreeDifferenceRatioPercent sets the maximum difference ratio for free resources between similar node groups. This parameter controls how strict the similarity check is when comparing node groups for load balancing. +The value represents a percentage from 0 to 100. +When set to 0, this means node groups must have exactly the same free resources to be considered similar (no difference allowed). +When set to 100, this means node groups will be considered similar regardless of their free resource differences (any difference allowed). +A value between 0 and 100 represents the maximum allowed difference ratio for free resources between node groups to be considered similar. +When omitted, the autoscaler defaults to 10%. +This affects the “–max-free-difference-ratio” flag on cluster-autoscaler. + |
|---|---|---|---|
-operatorLogLevel
+podPriorityThreshold
-
-LogLevel
+int32
+
+ |
+
+(Optional)
+ podPriorityThreshold enables users to schedule “best-effort” pods, which +shouldn’t trigger autoscaler actions, but only run when there are spare +resources available. The default is -10. +See the following for more details: +https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption + |
+||
+expanders
+
+
+[]ExpanderString
|
(Optional)
- operatorLogLevel is an intent based logging for the operator itself. It does not give fine-grained control, -but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves. -Valid values are: “Normal”, “Debug”, “Trace”, “TraceAll”. -Defaults to “Normal”. +expanders guide the autoscaler in choosing node groups during scale-out.
+Sets the order of expanders for scaling out node groups.
+Options include:
+* LeastWaste - selects the group with minimal idle CPU and memory after scaling.
+* Priority - selects the group with the highest user-defined priority.
+* Random - selects a group randomly.
+If not specified, |
(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) +HostedClusterSpec, +HostedControlPlaneSpec)
-
ClusterVersionStatus reports the status of the cluster versioning, -including any upgrades that are in progress. The current field will -be set to whichever version the cluster is reconciling to, and the -conditions array will report whether the update succeeded, is in -progress, or is failing.
+ClusterConfiguration specifies configuration for individual OCP components in the +cluster, represented as embedded resources that correspond to the openshift +configuration API.
+The API for individual configuration items is at: +https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html
-desired
+apiServer
-github.com/openshift/api/config/v1.Release
+github.com/openshift/api/config/v1.APIServerSpec
|
- desired is the version that the cluster is reconciling towards. -If the cluster is not yet fully initialized desired will be set -with the information available, which may be an image or a tag. +(Optional) +apiServer holds configuration (like serving certificates, client CA and CORS domains) +shared by all API servers in the system, among them especially kube-apiserver +and openshift-apiserver. |
-history
+authentication
-[]github.com/openshift/api/config/v1.UpdateHistory
+github.com/openshift/api/config/v1.AuthenticationSpec
|
(Optional)
- history contains a list of the most recent versions applied to the cluster. -This value may be empty during cluster startup, and then will be updated -when a new update is being applied. The newest update is first in the -list and it is ordered by recency. Updates in the history have state -Completed if the rollout completed - if an update was failing or halfway -applied the state will be Partial. Only a limited amount of update history -is preserved. +authentication specifies cluster-wide settings for authentication (like OAuth and +webhook token authenticators). |
-observedGeneration
+featureGate
-int64
+
+github.com/openshift/api/config/v1.FeatureGateSpec
+
|
- observedGeneration reports which version of the spec is being synced. -If this value is not equal to metadata.generation, then the desired -and conditions fields may represent a previous version. +(Optional) +featureGate holds cluster-wide information about feature gates. |
-availableUpdates
+image
-[]github.com/openshift/api/config/v1.Release
+github.com/openshift/api/config/v1.ImageSpec
|
- availableUpdates contains updates recommended for this -cluster. Updates which appear in conditionalUpdates but not in -availableUpdates may expose this cluster to known issues. This list -may be empty if no updates are recommended, if the update service -is unavailable, or if an invalid channel has been specified. +(Optional) +image governs policies related to imagestream imports and runtime configuration +for external registries. It allows cluster admins to configure which registries +OpenShift is allowed to import images from, extra CA trust bundles for external +registries, and policies to block or allow registry hostnames. +When exposing OpenShift’s image registry to the public, this also lets cluster +admins specify the external hostname. +This input will be part of every payload generated by the controllers for any NodePool of the HostedCluster. +Changing this value will trigger a rollout for all existing NodePools in the cluster. |
-conditionalUpdates
+ingress
-[]github.com/openshift/api/config/v1.ConditionalUpdate
+github.com/openshift/api/config/v1.IngressSpec
|
(Optional)
- conditionalUpdates contains the list of updates that may be -recommended for this cluster if it meets specific required -conditions. Consumers interested in the set of updates that are -actually recommended for this cluster should use -availableUpdates. This list may be empty if no updates are -recommended, if the update service is unavailable, or if an empty -or invalid channel has been specified. +ingress holds cluster-wide information about ingress, including the default ingress domain +used for routes. |
-(Appears on: -ControlPlaneComponentStatus) -
--
ComponentResource defines a resource reconciled by a ControlPlaneComponent.
- -| Field | -Description | -
|---|---|
-kind
+network
-string
+
+github.com/openshift/api/config/v1.NetworkSpec
+
|
- kind is the name of the resource schema. +(Optional) +network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. +Please view network.spec for an explanation on what applies when configuring this resource. +TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. |
-group
+oauth
-string
-
+
+github.com/openshift/api/config/v1.OAuthSpec
+
+
|
- group is the API group for this resource type. +(Optional) +oauth holds cluster-wide information about OAuth. +It is used to configure the integrated OAuth server. +This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. |
-name
+operatorhub
-string
+
+github.com/openshift/api/config/v1.OperatorHubSpec
+
|
- name is the name of this resource. +(Optional) +operatorhub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. +The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. + |
+
+scheduler
+
+
+github.com/openshift/api/config/v1.SchedulerSpec
+
+
+ |
+
+(Optional)
+ scheduler holds cluster-wide config information to run the Kubernetes Scheduler
+and influence its placement decisions. The canonical name for this config is |
+
+proxy
+
+
+github.com/openshift/api/config/v1.ProxySpec
+
+
+ |
+
+(Optional)
+ proxy holds cluster-wide information on how to configure default proxies for the cluster. +This affects traffic flowing from the hosted cluster data plane. +The controllers will generate a machineConfig with the proxy config for the cluster. +This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. +Changing this value will trigger a rollout for all existing NodePools in the cluster. |
+(Appears on: +ClusterNetworking) +
+
ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks +are allocated with size 2^HostSubnetLength.
| Value | +Field | Description |
|---|---|---|
"AWSDefaultSecurityGroupCreated" |
-AWSDefaultSecurityGroupCreated indicates whether the default security group -for AWS workers has been created. -A failure here indicates that NodePools without a security group will be -blocked from creating machines. - |
-|
"AWSDefaultSecurityGroupDeleted" |
-AWSDefaultSecurityGroupDeleted indicates whether the default security group -for AWS workers has been deleted. -A failure here indicates that the Security Group has some dependencies that -there are still pending cloud resources to be deleted that are using that SG. + | |
+cidr
+
+
+github.com/openshift/hypershift/api/util/ipnet.IPNet
+
+
|
-||
"AWSEndpointAvailable" |
-AWSEndpointServiceAvailable indicates whether the AWS Endpoint has been -created in the guest VPC + |
+ cidr is the IP block address pool. |
-
"AWSEndpointServiceAvailable" |
-AWSEndpointServiceAvailable indicates whether the AWS Endpoint Service -has been created for the specified NLB in the management VPC + | |
+hostPrefix
+
+int32
+
|
-||
"AggregatedAPIServicesAvailable" |
-AggregatedAPIServicesAvailable indicates whether all aggregated APIServices -in the guest cluster are available. This includes OpenShift API Server, -OAuth API Server (when enabled), and OLM PackageServer APIServices. -This condition is an HCP implementation detail set by the HCCO and is not -bubbled up to the HostedCluster level. + |
+(Optional)
+ hostPrefix is the prefix size to allocate to each node from the CIDR. +For example, 24 would allocate 2^(32-24)=2^8=256 addresses to each node. If this +field is not used by the plugin, it can be left unset. |
-
"CVOScaledDown" |
-- | |
"CloudResourcesDestroyed" |
-CloudResourcesDestroyed bubbles up the same condition from HCP. It signals if the cloud provider infrastructure created by Kubernetes -in the consumer cloud provider account was destroyed. -A failure here may require external user intervention to resolve. E.g. cloud provider perms were corrupted. E.g. the guest cluster was broken -and kube resource deletion that affects cloud infra like service type load balancer can’t succeed. + |
+(Appears on: +OperatorConfiguration) +
++
+| Field | +Description | +|
|---|---|---|
+disableMultiNetwork
+
+bool
+
|
-||
"ClusterVersionAvailable" |
-ClusterVersionAvailable bubbles up Failing configv1.OperatorAvailable from the CVO. + |
+(Optional)
+ disableMultiNetwork when set to true disables the Multus CNI plugin and related components +in the hosted cluster. This prevents the installation of multus daemon sets in the +guest cluster and the multus-admission-controller in the management cluster. +Default is false (Multus is enabled). +This field is immutable. +This field can only be set to true when NetworkType is “Other”. Setting it to true +with any other NetworkType will result in a validation error during cluster creation. |
-
"ClusterVersionFailing" |
-ClusterVersionFailing bubbles up Failing from the CVO. + | |
+ovnKubernetesConfig
+
+
+OVNKubernetesConfig
+
+
|
-||
"ClusterVersionProgressing" |
-ClusterVersionProgressing bubbles up configv1.OperatorProgressing from the CVO. + |
+(Optional)
+ ovnKubernetesConfig holds OVN-Kubernetes specific configuration. +This is only consumed when NetworkType is OVNKubernetes. |
-
"ClusterVersionReleaseAccepted" |
-ClusterVersionReleaseAccepted bubbles up Failing ReleaseAccepted from the CVO. + |
+(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
clusterNetworking specifies network configuration for a cluster. +All CIDRs must be unique. Additional validation to check for CIDRs overlap and consistent network stack is performed by the controllers. +Failing that validation will result in the HostedCluster being degraded and the validConfiguration condition being false. +TODO this is available in vanilla kube from 1.31 API servers and in Openshift from 4.16. +TODO(alberto): Use CEL cidr library for all these validation when all management clusters are >= 1.31.
+ +| Field | +Description | +|
|---|---|---|
+machineNetwork
+
+
+[]MachineNetworkEntry
+
+
|
-||
"ClusterVersionRetrievedUpdates" |
-ClusterVersionRetrievedUpdates bubbles up RetrievedUpdates from the CVO. + |
+(Optional)
+ machineNetwork is the list of IP address pools for machines. +This might be used among other things to generate appropriate networking security groups in some clouds providers. +Currently only one entry or two for dual stack is supported. +This field is immutable. |
-
"ClusterVersionSucceeding" |
-ClusterVersionSucceeding indicates the current status of the desired release -version of the HostedCluster as indicated by the Failing condition in the -underlying cluster’s ClusterVersion. + | |
+clusterNetwork
+
+
+[]ClusterNetworkEntry
+
+
|
-||
"ClusterVersionUpgradeable" |
-ClusterVersionUpgradeable indicates the Upgradeable condition in the -underlying cluster’s ClusterVersion. + |
+(Optional)
+ clusterNetwork is the list of IP address pools for pods. +Defaults to cidr: “10.132.0.0/14”. +Currently only one entry is supported. +This field is immutable. |
-
"Available" |
-ControlPlaneComponentAvailable indicates whether the ControlPlaneComponent is available. + | |
+serviceNetwork
+
+
+[]ServiceNetworkEntry
+
+
|
-||
"RolloutComplete" |
-ControlPlaneComponentRolloutComplete indicates whether the ControlPlaneComponent has completed its rollout. + |
+(Optional)
+ serviceNetwork is the list of IP address pools for services. +Defaults to cidr: “172.31.0.0/16”. +Currently only one entry is supported. +This field is immutable. |
-
"DataPlaneConnectionAvailable" |
-DataPlaneConnectionAvailable indicates whether the control plane has a successful -network connection to the data plane components. -True means the control plane can successfully reach the data plane nodes. -False means there are network connection issues preventing the control plane from reaching the data plane. -A failure here suggests potential issues such as: network policy restrictions, + | |
+networkType
+
+
+NetworkType
+
+
+ |
+
+(Optional)
+ networkType specifies the SDN provider used for cluster networking. +Defaults to OVNKubernetes. +This field is required and immutable. +kubebuilder:validation:XValidation:rule=“self == oldSelf”, message=“networkType is immutable” + |
+|
+apiServer
+
+
+APIServerNetworking
+
+
+ |
+
+(Optional)
+ apiServer contains advanced network settings for the API server that affect +how the APIServer is exposed inside a hosted cluster node. + |
+|
+allocateNodeCIDRs
+
+
+AllocateNodeCIDRsMode
+
+
+ |
+
+(Optional)
+ allocateNodeCIDRs controls whether the kube-controller-manager manages node CIDR allocation. +When using networkType=Other, it is recommended to set this field to “Enabled” +if Flannel is used as the CNI, as it relies on this behavior. +Default is “Disabled”. +This field can only be set to “Enabled” when NetworkType is “Other”. Setting it to “Enabled” +with any other NetworkType will result in a validation error during cluster creation. + |
+
+(Appears on: +OperatorConfiguration) +
++
ClusterVersionOperatorSpec is the specification of the desired behavior of the Cluster Version Operator.
+ +| Field | +Description | +
|---|---|
+operatorLogLevel
+
+
+LogLevel
+
+
+ |
+
+(Optional)
+ operatorLogLevel is an intent based logging for the operator itself. It does not give fine-grained control, +but it is a simple way to manage coarse grained logging choices that operators have to interpret for themselves. +Valid values are: “Normal”, “Debug”, “Trace”, “TraceAll”. +Defaults to “Normal”. + |
+
+(Appears on: +HostedClusterStatus, +HostedControlPlaneStatus) +
++
ClusterVersionStatus reports the status of the cluster versioning, +including any upgrades that are in progress. The current field will +be set to whichever version the cluster is reconciling to, and the +conditions array will report whether the update succeeded, is in +progress, or is failing.
+ +| Field | +Description | +
|---|---|
+desired
+
+
+github.com/openshift/api/config/v1.Release
+
+
+ |
+
+ desired is the version that the cluster is reconciling towards. +If the cluster is not yet fully initialized desired will be set +with the information available, which may be an image or a tag. + |
+
+history
+
+
+[]github.com/openshift/api/config/v1.UpdateHistory
+
+
+ |
+
+(Optional)
+ history contains a list of the most recent versions applied to the cluster. +This value may be empty during cluster startup, and then will be updated +when a new update is being applied. The newest update is first in the +list and it is ordered by recency. Updates in the history have state +Completed if the rollout completed - if an update was failing or halfway +applied the state will be Partial. Only a limited amount of update history +is preserved. + |
+
+observedGeneration
+
+int64
+
+ |
+
+ observedGeneration reports which version of the spec is being synced. +If this value is not equal to metadata.generation, then the desired +and conditions fields may represent a previous version. + |
+
+availableUpdates
+
+
+[]github.com/openshift/api/config/v1.Release
+
+
+ |
+
+ availableUpdates contains updates recommended for this +cluster. Updates which appear in conditionalUpdates but not in +availableUpdates may expose this cluster to known issues. This list +may be empty if no updates are recommended, if the update service +is unavailable, or if an invalid channel has been specified. + |
+
+conditionalUpdates
+
+
+[]github.com/openshift/api/config/v1.ConditionalUpdate
+
+
+ |
+
+(Optional)
+ conditionalUpdates contains the list of updates that may be +recommended for this cluster if it meets specific required +conditions. Consumers interested in the set of updates that are +actually recommended for this cluster should use +availableUpdates. This list may be empty if no updates are +recommended, if the update service is unavailable, or if an empty +or invalid channel has been specified. + |
+
+(Appears on: +ControlPlaneComponentStatus) +
++
ComponentResource defines a resource reconciled by a ControlPlaneComponent.
+ +| Field | +Description | +
|---|---|
+kind
+
+string
+
+ |
+
+ kind is the name of the resource schema. + |
+
+group
+
+string
+
+ |
+
+ group is the API group for this resource type. + |
+
+name
+
+string
+
+ |
+
+ name is the name of this resource. + |
+
+
+| Value | +Description | +
|---|---|
"AWSDefaultSecurityGroupCreated" |
+AWSDefaultSecurityGroupCreated indicates whether the default security group +for AWS workers has been created. +A failure here indicates that NodePools without a security group will be +blocked from creating machines. + |
+
"AWSDefaultSecurityGroupDeleted" |
+AWSDefaultSecurityGroupDeleted indicates whether the default security group +for AWS workers has been deleted. +A failure here indicates that the Security Group has some dependencies that +there are still pending cloud resources to be deleted that are using that SG. + |
+
"AWSEndpointAvailable" |
+AWSEndpointServiceAvailable indicates whether the AWS Endpoint has been +created in the guest VPC + |
+
"AWSEndpointServiceAvailable" |
+AWSEndpointServiceAvailable indicates whether the AWS Endpoint Service +has been created for the specified NLB in the management VPC + |
+
"AggregatedAPIServicesAvailable" |
+AggregatedAPIServicesAvailable indicates whether all aggregated APIServices +in the guest cluster are available. This includes OpenShift API Server, +OAuth API Server (when enabled), and OLM PackageServer APIServices. +This condition is an HCP implementation detail set by the HCCO and is not +bubbled up to the HostedCluster level. + |
+
"AutoNodeEnabled" |
+AutoNodeEnabled indicates whether AutoNode is configured and operational for this HostedCluster. +True means AutoNode is configured in the HostedCluster spec and the Karpenter components are fully rolled out and ready. +False / AutoNodeProgressing means AutoNode is being enabled or disabled — the operation is in progress. +False / AutoNodeNotConfigured means AutoNode is not configured in the spec and all Karpenter components have been removed. + |
+
"AzureInternalLoadBalancerAvailable" |
+AzureInternalLoadBalancerAvailable indicates the ILB has been provisioned with a frontend IP + |
+
"AzurePLSCreated" |
+AzurePLSCreated indicates the Azure Private Link Service has been created in the management cluster resource group + |
+
"AzurePrivateDNSAvailable" |
+AzurePrivateDNSAvailable indicates the Private DNS zone and A records have been created + |
+
"AzurePrivateEndpointAvailable" |
+AzurePrivateEndpointAvailable indicates the Private Endpoint has been created in the guest VNet + |
+
"AzurePrivateLinkServiceAvailable" |
+AzurePrivateLinkServiceAvailable indicates overall PLS infrastructure availability + |
+
"BackupCompleted" |
+BackupCompleted indicates whether the etcd backup has completed. + |
+
"CVOScaledDown" |
++ |
"CloudResourcesDestroyed" |
+CloudResourcesDestroyed bubbles up the same condition from HCP. It signals if the cloud provider infrastructure created by Kubernetes +in the consumer cloud provider account was destroyed. +A failure here may require external user intervention to resolve. E.g. cloud provider perms were corrupted. E.g. the guest cluster was broken +and kube resource deletion that affects cloud infra like service type load balancer can’t succeed. + |
+
"ClusterVersionAvailable" |
+ClusterVersionAvailable bubbles up Failing configv1.OperatorAvailable from the CVO. + |
+
"ClusterVersionFailing" |
+ClusterVersionFailing bubbles up Failing from the CVO. + |
+
"ClusterVersionProgressing" |
+ClusterVersionProgressing bubbles up configv1.OperatorProgressing from the CVO. + |
+
"ClusterVersionReleaseAccepted" |
+ClusterVersionReleaseAccepted bubbles up Failing ReleaseAccepted from the CVO. + |
+
"ClusterVersionRetrievedUpdates" |
+ClusterVersionRetrievedUpdates bubbles up RetrievedUpdates from the CVO. + |
+
"ClusterVersionSucceeding" |
+ClusterVersionSucceeding indicates the current status of the desired release +version of the HostedCluster as indicated by the Failing condition in the +underlying cluster’s ClusterVersion. + |
+
"ClusterVersionUpgradeable" |
+ClusterVersionUpgradeable indicates the Upgradeable condition in the +underlying cluster’s ClusterVersion. + |
+
"Available" |
+ControlPlaneComponentAvailable indicates whether the ControlPlaneComponent is available. + |
+
"RolloutComplete" |
+ControlPlaneComponentRolloutComplete indicates whether the ControlPlaneComponent has completed its rollout. + |
+
"ControlPlaneConnectionAvailable" |
+ControlPlaneConnectionAvailable indicates whether data plane workloads have a successful +network connection to the control plane components. This condition is computed using +a 3-replica Deployment that tests the full data path (DNS resolution of kubernetes.default.svc +-> advertise address on lo -> apiserver proxy -> KAS on HCP) and reports results to a shared +ConfigMap. The HCCO evaluates the staleness of the lastSucceeded timestamp in the ConfigMap. +True means the data plane can successfully reach the control plane (a recent successful check was recorded). +False means there are connectivity failures preventing the data plane from reaching the control plane, +or the last successful check is stale (older than 5 minutes). +Unknown means the status cannot be determined due to true inability to inspect (e.g., no worker nodes exist or inspection cannot be performed), +not due to missing required components. + |
+
"DataPlaneConnectionAvailable" |
+DataPlaneConnectionAvailable indicates whether the control plane has a successful +network connection to the data plane components. +True means the control plane can successfully reach the data plane nodes. +False means there are network connection issues preventing the control plane from reaching the data plane. +A failure here suggests potential issues such as: network policy restrictions, firewall rules, missing data plane nodes, or problems with infrastructure -components like the konnectivity-agent workload. +components like the konnectivity-agent workload. +Unknown means the status cannot be determined (e.g., no worker nodes available or unable to inspect). + |
+
"EtcdAvailable" |
+EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. +A failure here often means a software bug or a non-stable cluster. + |
+
"EtcdBackupSucceeded" |
+EtcdBackupSucceeded bubbles up from HCP. It indicates the result of the +most recent etcd backup. True means the last backup completed successfully; +False means a backup is in progress or the last backup failed. + |
+
"EtcdRecoveryActive" |
+EtcdRecoveryActive indicates that the Etcd cluster is failing and the +recovery job was triggered. + |
+
"EtcdSnapshotRestored" |
++ |
"ExternalDNSReachable" |
+ExternalDNSReachable bubbles up the same condition from HCP. It signals if the configured external DNS is reachable. +A failure here requires external user intervention to resolve. E.g. changing the external DNS domain or making sure the domain is created +and registered correctly. + |
+
"GCPDNSAvailable" |
+GCPDNSAvailable indicates whether the DNS configuration has been +created in the customer VPC + |
+
"GCPEndpointAvailable" |
+GCPEndpointAvailable indicates whether the GCP PSC Endpoint has been +created in the customer VPC + |
+
"GCPPrivateServiceConnectAvailable" |
+GCPPrivateServiceConnectAvailable indicates overall PSC infrastructure availability + |
+
"GCPServiceAttachmentAvailable" |
+GCPServiceAttachmentAvailable indicates whether the GCP Service Attachment +has been created for the specified Internal Load Balancer in the management VPC + |
+
"Available" |
+HostedClusterAvailable indicates whether the HostedCluster has a healthy +control plane. +When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. + |
+
"Degraded" |
+HostedClusterDegraded indicates whether the HostedCluster is encountering +an error that may require user intervention to resolve. + |
+
"HostedClusterDestroyed" |
+HostedClusterDestroyed indicates that a hosted has finished destroying and that it is waiting for a destroy grace period to go away. +The grace period is determined by the hypershift.openshift.io/destroy-grace-period annotation in the HostedCluster if present. + |
+
"Progressing" |
+HostedClusterProgressing indicates whether the HostedCluster is attempting +an initial deployment or upgrade. +When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. + |
+
"HostedClusterRestoredFromBackup" |
+HostedClusterRestoredFromBackup indicates that the HostedCluster was restored from backup. +This condition is set to true when the HostedCluster is restored from backup and the recovery process is complete. +This condition is used to track the status of the recovery process and to determine if the HostedCluster +is ready to be used after restoration. + |
+
"Available" |
++ |
"Degraded" |
++ |
"IgnitionEndpointAvailable" |
+IgnitionEndpointAvailable indicates whether the ignition server for the +HostedCluster is available to handle ignition requests. +A failure here often means a software bug or a non-stable cluster. + |
+
"IgnitionServerValidReleaseInfo" |
+IgnitionServerValidReleaseInfo indicates if the release contains all the images used by the local ignition provider +and reports missing images if any. + |
+
"InfrastructureReady" |
+InfrastructureReady bubbles up the same condition from HCP. It signals if the infrastructure for a control plane to be operational, +e.g. load balancers were created successfully. +A failure here may require external user intervention to resolve. E.g. hitting quotas on the cloud provider. + |
+
"KubeAPIServerAvailable" |
+KubeAPIServerAvailable bubbles up the same condition from HCP. It signals if the kube API server is available. +A failure here often means a software bug or a non-stable cluster. + |
+
"KubeVirtNodesLiveMigratable" |
+KubeVirtNodesLiveMigratable indicates if all nodes (VirtualMachines) of the kubevirt +hosted cluster can be live migrated without experiencing a node restart + |
+
"PlatformCredentialsFound" |
+PlatformCredentialsFound indicates that credentials required for the +desired platform are valid. +A failure here is unlikely to resolve without the changing user input. + |
+
"ReconciliationActive" |
+ReconciliationActive indicates if reconciliation of the HostedCluster is +active or paused hostedCluster.spec.pausedUntil. + |
+
"ReconciliationSucceeded" |
+ReconciliationSucceeded indicates if the HostedCluster reconciliation +succeeded. +A failure here often means a software bug or a non-stable cluster. + |
+
"SupportedHostedCluster" |
+SupportedHostedCluster indicates whether a HostedCluster is supported by +the current configuration of the hypershift-operator. +e.g. If HostedCluster requests endpointAcess Private but the hypershift-operator +is running on a management cluster outside AWS or is not configured with AWS +credentials, the HostedCluster is not supported. +A failure here is unlikely to resolve without the changing user input. + |
+
"UnmanagedEtcdAvailable" |
+UnmanagedEtcdAvailable indicates whether a user-managed etcd cluster is +healthy. + |
+
"ValidAWSIdentityProvider" |
+ValidAWSIdentityProvider indicates if the Identity Provider referenced +in the cloud credentials is healthy. E.g. for AWS the idp ARN is referenced in the iam roles. +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Effect”: “Allow”, +“Principal”: { +“Federated”: “{{ .ProviderARN }}” +}, +“Action”: “sts:AssumeRoleWithWebIdentity”, +“Condition”: { +“StringEquals”: { +“{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} +} +} +} +] +A failure here may require external user intervention to resolve. + |
+
"ValidAWSKMSConfig" |
+ValidAWSKMSConfig indicates whether the AWS KMS role and encryption key are valid and operational +A failure here indicates that the role or the key are invalid, or the role doesn’t have access to use the key. + |
+
"ValidAzureKMSConfig" |
+ValidAzureKMSConfig indicates whether the given KMS input for the Azure platform is valid and operational +A failure here indicates that the input is invalid, or permissions are missing to use the encryption key. + |
+
"ValidGCPCredentials" |
+ValidGCPCredentials indicates if GCP credentials are valid and operational +for the HostedCluster. This includes service account authentication and +proper IAM permissions for CAPG controllers. +A failure here may require external user intervention to resolve. + |
+
"ValidGCPWorkloadIdentity" |
+ValidGCPWorkloadIdentity indicates if GCP Workload Identity Federation +is properly configured and operational for the cluster. +A failure here may require external user intervention to resolve. + |
+
"ValidConfiguration" |
+ValidHostedClusterConfiguration signals if the hostedCluster input is valid and +supported by the underlying management cluster. +A failure here is unlikely to resolve without the changing user input. + |
+
"ValidHostedControlPlaneConfiguration" |
+ValidHostedControlPlaneConfiguration bubbles up the same condition from HCP. It signals if the hostedControlPlane input is valid and +supported by the underlying management cluster. +A failure here is unlikely to resolve without the changing user input. + |
+
"ValidIDPConfiguration" |
+ValidIDPConfiguration indicates if the Identity Provider configuration is valid. +A failure here may require external user intervention to resolve +e.g. the user-provided IDP configuration provided is invalid or the IDP is not reachable. + |
+
"ValidKubeVirtInfraNetworkMTU" |
+ValidKubeVirtInfraNetworkMTU indicates if the MTU configured on an infra cluster +hosting a guest cluster utilizing kubevirt platform is a sufficient value that will avoid +performance degradation due to fragmentation of the double encapsulation in ovn-kubernetes + |
+
"ValidOIDCConfiguration" |
+ValidOIDCConfiguration indicates if an AWS cluster’s OIDC condition is +detected as invalid. +A failure here may require external user intervention to resolve. E.g. oidc was deleted out of band. + |
+
"ValidProxyConfiguration" |
+ValidProxyConfiguration indicates if the proxy CA bundle is valid. +A failure here may require external user intervention to resolve. E.g. certificates in the CA bundle have expired. + |
+
"ValidReleaseImage" |
+ValidReleaseImage indicates if the release image set in the spec is valid +for the HostedCluster. For example, this can be set false if the +HostedCluster itself attempts an unsupported version before 4.9 or an +unsupported upgrade e.g y-stream upgrade before 4.11. +A failure here is unlikely to resolve without the changing user input. + |
+
"ValidReleaseInfo" |
+ValidReleaseInfo bubbles up the same condition from HCP. It indicates if the release contains all the images used by hypershift +and reports missing images if any. + |
+
+(Appears on: +HostedClusterStatus, +HostedControlPlaneStatus) +
++
ConfigurationStatus contains the status of HostedCluster configuration
+ +| Field | +Description | +
|---|---|
+authentication
+
+
+github.com/openshift/api/config/v1.AuthenticationStatus
+
+
+ |
+
+(Optional)
+ authentication contains the observed authentication configuration status from the hosted cluster. +This field reflects the current state of the cluster authentication including OAuth metadata, +OIDC client status, and other authentication-related configurations. + |
+
+
ControlPlaneComponent specifies the state of a ControlPlane Component
+ +| Field | +Description | +
|---|---|
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+(Optional)
+ metadata is the metadata for the ControlPlaneComponent. +Refer to the Kubernetes API documentation for the fields of the +metadata field.
+ |
+
+spec
+
+
+ControlPlaneComponentSpec
+
+
+ |
+
+(Optional)
+ spec is the specification for the ControlPlaneComponent. ++ + |
+
+status
+
+
+ControlPlaneComponentStatus
+
+
+ |
+
+(Optional)
+ status is the status of the ControlPlaneComponent. + |
+
+(Appears on: +ControlPlaneComponent) +
++
ControlPlaneComponentSpec defines the desired state of ControlPlaneComponent
+ +###ControlPlaneComponentStatus { #hypershift.openshift.io/v1beta1.ControlPlaneComponentStatus } ++(Appears on: +ControlPlaneComponent) +
++
ControlPlaneComponentStatus defines the observed state of ControlPlaneComponent
+ +| Field | +Description | +
|---|---|
+conditions
+
+
+[]Kubernetes meta/v1.Condition
+
+
+ |
+
+(Optional)
+ conditions contains details for the current state of the ControlPlane Component. +If there is an error, then the Available condition will be false. +Current condition types are: “Available” + |
+
+version
+
+string
+
+ |
+
+(Optional)
+ version reports the current version of this component. + |
+
+resources
+
+
+[]ComponentResource
+
+
+ |
+
+(Optional)
+ resources is a list of the resources reconciled by this component. + |
+
+(Appears on: +AzureResourceManagedIdentities) +
++
ControlPlaneManagedIdentities contains the managed identities on the HCP control plane needing to authenticate with +Azure’s API.
+ +| Field | +Description | +|
|---|---|---|
+managedIdentitiesKeyVault
+
+
+ManagedAzureKeyVault
+
+
|
-||
"EtcdAvailable" |
-EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. -A failure here often means a software bug or a non-stable cluster. + |
+ managedIdentitiesKeyVault contains information on the management cluster’s managed identities Azure Key Vault. +This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the +Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring +authentication with Azure API. +More information on how the Secrets Store CSI driver works to do this can be found here: +https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. |
-
"EtcdBackupSucceeded" |
-EtcdBackupSucceeded bubbles up from HCP. It indicates the result of the -most recent etcd backup. True means the last backup completed successfully; -False means a backup is in progress or the last backup failed. + | |
+cloudProvider
+
+
+ManagedIdentity
+
+
|
-||
"EtcdRecoveryActive" |
-EtcdRecoveryActive indicates that the Etcd cluster is failing and the -recovery job was triggered. + |
+ cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller +manager. |
-
"EtcdSnapshotRestored" |
-- | |
"ExternalDNSReachable" |
-ExternalDNSReachable bubbles up the same condition from HCP. It signals if the configured external DNS is reachable. -A failure here requires external user intervention to resolve. E.g. changing the external DNS domain or making sure the domain is created -and registered correctly. + | |
+nodePoolManagement
+
+
+ManagedIdentity
+
+
|
-||
"GCPDNSAvailable" |
-GCPDNSAvailable indicates whether the DNS configuration has been -created in the customer VPC + |
+ nodePoolManagement is a pre-existing managed identity associated with the operator managing the NodePools. |
-
"GCPEndpointAvailable" |
-GCPEndpointAvailable indicates whether the GCP PSC Endpoint has been -created in the customer VPC + | |
+controlPlaneOperator
+
+
+ManagedIdentity
+
+
|
-||
"GCPPrivateServiceConnectAvailable" |
-GCPPrivateServiceConnectAvailable indicates overall PSC infrastructure availability + |
+ controlPlaneOperator is a pre-existing managed identity associated with the control plane operator. |
-
"GCPServiceAttachmentAvailable" |
-GCPServiceAttachmentAvailable indicates whether the GCP Service Attachment -has been created for the specified Internal Load Balancer in the management VPC + | |
+imageRegistry
+
+
+ManagedIdentity
+
+
|
-||
"Available" |
-HostedClusterAvailable indicates whether the HostedCluster has a healthy -control plane. -When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. + |
+(Optional)
+ imageRegistry is a pre-existing managed identity associated with the cluster-image-registry-operator. |
-
"Degraded" |
-HostedClusterDegraded indicates whether the HostedCluster is encountering -an error that may require user intervention to resolve. + | |
+ingress
+
+
+ManagedIdentity
+
+
|
-||
"HostedClusterDestroyed" |
-HostedClusterDestroyed indicates that a hosted has finished destroying and that it is waiting for a destroy grace period to go away. -The grace period is determined by the hypershift.openshift.io/destroy-grace-period annotation in the HostedCluster if present. + |
+ ingress is a pre-existing managed identity associated with the cluster-ingress-operator. |
-
"Progressing" |
-HostedClusterProgressing indicates whether the HostedCluster is attempting -an initial deployment or upgrade. -When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. + | |
+network
+
+
+ManagedIdentity
+
+
|
-||
"HostedClusterRestoredFromBackup" |
-HostedClusterRestoredFromBackup indicates that the HostedCluster was restored from backup. -This condition is set to true when the HostedCluster is restored from backup and the recovery process is complete. -This condition is used to track the status of the recovery process and to determine if the HostedCluster -is ready to be used after restoration. + |
+ network is a pre-existing managed identity associated with the cluster-network-operator. |
-
"Available" |
-- | |
"Degraded" |
-- | |
"IgnitionEndpointAvailable" |
-IgnitionEndpointAvailable indicates whether the ignition server for the -HostedCluster is available to handle ignition requests. -A failure here often means a software bug or a non-stable cluster. + | |
+disk
+
+
+ManagedIdentity
+
+
+ |
+
+ disk is a pre-existing managed identity associated with the azure-disk-controller. + |
+|
+file
+
+
+ManagedIdentity
+
+
+ |
+
+ file is a pre-existing managed identity associated with the azure-disk-controller. + |
+
+(Appears on: +ControlPlaneVersionStatus) +
++
ControlPlaneUpdateHistory is a record of a single version transition for management-side +control plane components. Each entry captures the target version, its release image, when +the rollout started, and when (or whether) it completed.
+ +| Field | +Description | +
|---|---|
+state
+
+
+github.com/openshift/api/config/v1.UpdateState
+
+
+ |
+
+ state reflects whether the update was fully applied. The Partial state +indicates the update is not fully applied, while the Completed state +indicates the update was successfully rolled out. + |
+
+startedTime,omitempty,omitzero
+
+
+Kubernetes meta/v1.Time
+
+
+ |
+
+ startedTime is the time at which the update was started. + |
+
+completionTime,omitempty,omitzero
+
+
+Kubernetes meta/v1.Time
+
+
+ |
+
+(Optional)
+ completionTime is the time at which the update completed. It is set +when all management-side components have reached the target version. +It is not set while the update is in progress. + |
+
+version
+
+string
+
+ |
+
+ version is a semantic version string identifying the update version +(e.g. “4.20.1”). + |
+
+image
+
+string
+
+ |
+
+ image is the release image pullspec used for this update. + |
+
+(Appears on: +HostedClusterStatus, +HostedControlPlaneStatus) +
++
ControlPlaneVersionStatus tracks the rollout state of management-side control plane components. +It records the desired release, a pruned history of version transitions (newest first), and +the last observed generation of the HostedControlPlane spec.
+ +| Field | +Description | +|
|---|---|---|
+desired,omitempty,omitzero
+
+
+github.com/openshift/api/config/v1.Release
+
+
|
-||
"IgnitionServerValidReleaseInfo" |
-IgnitionServerValidReleaseInfo indicates if the release contains all the images used by the local ignition provider -and reports missing images if any. + |
+ desired is the release version that the control plane is reconciling towards. +It is derived from the HostedControlPlane release image fields. |
-
"InfrastructureReady" |
-InfrastructureReady bubbles up the same condition from HCP. It signals if the infrastructure for a control plane to be operational, -e.g. load balancers were created successfully. -A failure here may require external user intervention to resolve. E.g. hitting quotas on the cloud provider. + | |
+history
+
+
+[]ControlPlaneUpdateHistory
+
+
|
-||
"KubeAPIServerAvailable" |
-KubeAPIServerAvailable bubbles up the same condition from HCP. It signals if the kube API server is available. -A failure here often means a software bug or a non-stable cluster. + |
+(Optional)
+ history contains a list of versions applied to management-side control plane components. The newest entry is +first in the list. Entries have state Completed when all ControlPlaneComponent resources report the target +version with RolloutComplete=True. Entries have state Partial when the rollout is in progress or has failed. |
-
"KubeVirtNodesLiveMigratable" |
-KubeVirtNodesLiveMigratable indicates if all nodes (VirtualMachines) of the kubevirt -hosted cluster can be live migrated without experiencing a node restart + | |
+observedGeneration,omitempty,omitzero
+
+int64
+
|
-||
"PlatformCredentialsFound" |
-PlatformCredentialsFound indicates that credentials required for the -desired platform are valid. -A failure here is unlikely to resolve without the changing user input. + |
+(Optional)
+ observedGeneration reports which generation of the HostedControlPlane spec is being synced. |
-
"ReconciliationActive" |
-ReconciliationActive indicates if reconciliation of the HostedCluster is -active or paused hostedCluster.spec.pausedUntil. + |
+(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
DNSSpec specifies the DNS configuration for the hosted cluster ingress.
+ +| Field | +Description | +|
|---|---|---|
+baseDomain
+
+string
+
|
-||
"ReconciliationSucceeded" |
-ReconciliationSucceeded indicates if the HostedCluster reconciliation -succeeded. -A failure here often means a software bug or a non-stable cluster. + |
+ baseDomain is the base domain of the hosted cluster. +It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. +If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. +Once set, this field is immutable. +When the value is the empty string “”, the controller might default to a value depending on the platform. |
-
"SupportedHostedCluster" |
-SupportedHostedCluster indicates whether a HostedCluster is supported by -the current configuration of the hypershift-operator. -e.g. If HostedCluster requests endpointAcess Private but the hypershift-operator -is running on a management cluster outside AWS or is not configured with AWS -credentials, the HostedCluster is not supported. -A failure here is unlikely to resolve without the changing user input. + | |
+baseDomainPrefix
+
+string
+
|
-||
"UnmanagedEtcdAvailable" |
-UnmanagedEtcdAvailable indicates whether a user-managed etcd cluster is -healthy. + |
+(Optional)
+ baseDomainPrefix is the base domain prefix for the hosted cluster ingress. +It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. +If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. +Set baseDomainPrefix to an empty string “”, if you don’t want a prefix at all (not even hostedCluster.name) to be prepended to baseDomain. +This field is immutable. |
-
"ValidAWSIdentityProvider" |
-ValidAWSIdentityProvider indicates if the Identity Provider referenced -in the cloud credentials is healthy. E.g. for AWS the idp ARN is referenced in the iam roles. -“Version”: “2012-10-17”, -“Statement”: [ -{ -“Effect”: “Allow”, -“Principal”: { -“Federated”: “{{ .ProviderARN }}” -}, -“Action”: “sts:AssumeRoleWithWebIdentity”, -“Condition”: { -“StringEquals”: { -“{{ .ProviderName }}:sub”: {{ .ServiceAccounts }} -} -} -} -] -A failure here may require external user intervention to resolve. + | |
+publicZoneID
+
+string
+
|
-||
"ValidAWSKMSConfig" |
-ValidAWSKMSConfig indicates whether the AWS KMS role and encryption key are valid and operational -A failure here indicates that the role or the key are invalid, or the role doesn’t have access to use the key. + |
+(Optional)
+ publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. +This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. +Once set, this value is immutable. +On Azure, this is a full Azure resource ID for a DNS Zone in the format: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/dnsZones/{zoneName} +The maximum length of 258 is derived from Azure resource naming limits +(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): +/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90) |
-
"ValidAzureKMSConfig" |
-ValidAzureKMSConfig indicates whether the given KMS input for the Azure platform is valid and operational -A failure here indicates that the input is invalid, or permissions are missing to use the encryption key. + | |
+privateZoneID
+
+string
+
|
-||
"ValidGCPCredentials" |
-ValidGCPCredentials indicates if GCP credentials are valid and operational -for the HostedCluster. This includes service account authentication and -proper IAM permissions for CAPG controllers. -A failure here may require external user intervention to resolve. + |
+(Optional)
+ privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. +This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. +Once set, this value is immutable. +On Azure, this is a full Azure resource ID for a Private DNS Zone in the format: +/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/privateDnsZones/{zoneName} +The maximum length of 265 is derived from Azure resource naming limits +(see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules): +/subscriptions/ (15) + UUID (36) + /resourceGroups/ (16) + resource group name (90) |
-
"ValidGCPWorkloadIdentity" |
-ValidGCPWorkloadIdentity indicates if GCP Workload Identity Federation -is properly configured and operational for the cluster. -A failure here may require external user intervention to resolve. + |
+(Appears on: +GCPPrivateServiceConnectStatus) +
++
DNSZoneStatus represents a single DNS zone and its records
+ +| Field | +Description | +|
|---|---|---|
+name
+
+string
+
|
-||
"ValidConfiguration" |
-ValidHostedClusterConfiguration signals if the hostedCluster input is valid and -supported by the underlying management cluster. -A failure here is unlikely to resolve without the changing user input. + |
+ name is the DNS zone name |
-
"ValidHostedControlPlaneConfiguration" |
-ValidHostedControlPlaneConfiguration bubbles up the same condition from HCP. It signals if the hostedControlPlane input is valid and -supported by the underlying management cluster. -A failure here is unlikely to resolve without the changing user input. + | |
+records
+
+[]string
+
|
-||
"ValidIDPConfiguration" |
-ValidIDPConfiguration indicates if the Identity Provider configuration is valid. -A failure here may require external user intervention to resolve -e.g. the user-provided IDP configuration provided is invalid or the IDP is not reachable. + |
+(Optional)
+ records lists the DNS records created in this zone |
-
"ValidKubeVirtInfraNetworkMTU" |
-ValidKubeVirtInfraNetworkMTU indicates if the MTU configured on an infra cluster -hosting a guest cluster utilizing kubevirt platform is a sufficient value that will avoid -performance degradation due to fragmentation of the double encapsulation in ovn-kubernetes + |
+(Appears on: +AzureResourceManagedIdentities) +
++
DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to +authenticate with Azure’s API.
+ +| Field | +Description | +|
|---|---|---|
+imageRegistryMSIClientID
+
+string
+
|
-||
"ValidOIDCConfiguration" |
-ValidOIDCConfiguration indicates if an AWS cluster’s OIDC condition is -detected as invalid. -A failure here may require external user intervention to resolve. E.g. oidc was deleted out of band. + |
+ imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image +registry controller. |
-
"ValidProxyConfiguration" |
-ValidProxyConfiguration indicates if the proxy CA bundle is valid. -A failure here may require external user intervention to resolve. E.g. certificates in the CA bundle have expired. + | |
+diskMSIClientID
+
+string
+
|
-||
"ValidReleaseImage" |
-ValidReleaseImage indicates if the release image set in the spec is valid -for the HostedCluster. For example, this can be set false if the -HostedCluster itself attempts an unsupported version before 4.9 or an -unsupported upgrade e.g y-stream upgrade before 4.11. -A failure here is unlikely to resolve without the changing user input. + |
+ diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver. |
-
"ValidReleaseInfo" |
-ValidReleaseInfo bubbles up the same condition from HCP. It indicates if the release contains all the images used by hypershift -and reports missing images if any. + | |
+fileMSIClientID
+
+string
+
|
-
+ fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver. + |
+
+
(Appears on: -HostedClusterStatus, -HostedControlPlaneStatus) +AzureNodePoolPlatform)
-
ConfigurationStatus contains the status of HostedCluster configuration
+Diagnostics specifies the diagnostics settings for a virtual machine.
-authentication
+storageAccountType
-
-github.com/openshift/api/config/v1.AuthenticationStatus
+
+AzureDiagnosticsStorageAccountType
|
(Optional)
- authentication contains the observed authentication configuration status from the hosted cluster. -This field reflects the current state of the cluster authentication including OAuth metadata, -OIDC client status, and other authentication-related configurations. +storageAccountType determines if the storage account for storing the diagnostics data +should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). + |
+
+userManaged
+
+
+UserManagedDiagnostics
+
+
+ |
+
+(Optional)
+ userManaged specifies the diagnostics settings for a virtual machine when the storage account is managed by the user. |
-
ControlPlaneComponent specifies the state of a ControlPlane Component
+(Appears on: +EtcdSpec) + ++
EtcdManagementType is a enum specifying the strategy for managing the cluster’s etcd instance
+ +| Value | +Description | +
|---|---|
"Managed" |
+Managed means HyperShift should provision and operator the etcd cluster +automatically. + |
+
"Unmanaged" |
+Unmanaged means HyperShift will not provision or manage the etcd cluster, +and the user is responsible for doing so. + |
+
+(Appears on: +HostedClusterSpec, +HostedControlPlaneSpec) +
++
EtcdSpec specifies configuration for a control plane etcd cluster.
-metadata
+managementType
-
-Kubernetes meta/v1.ObjectMeta
+
+EtcdManagementType
|
-(Optional)
- metadata is the metadata for the ControlPlaneComponent. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
+managementType defines how the etcd cluster is managed. +This can be either Managed or Unmanaged. +This field is immutable. |
-spec
+managed
-
-ControlPlaneComponentSpec
+
+ManagedEtcdSpec
|
(Optional)
- spec is the specification for the ControlPlaneComponent. -- - managed specifies the behavior of an etcd cluster managed by HyperShift. |
-status
+unmanaged
-
-ControlPlaneComponentStatus
+
+UnmanagedEtcdSpec
|
(Optional)
- status is the status of the ControlPlaneComponent. +unmanaged specifies configuration which enables the control plane to +integrate with an externally managed etcd cluster. |
(Appears on: -ControlPlaneComponent) +UnmanagedEtcdSpec)
-
ControlPlaneComponentSpec defines the desired state of ControlPlaneComponent
+EtcdTLSConfig specifies TLS configuration for HTTPS etcd client endpoints.
-###ControlPlaneComponentStatus { #hypershift.openshift.io/v1beta1.ControlPlaneComponentStatus } +| Field | +Description | +
|---|---|
+clientSecret
+
+
+Kubernetes core/v1.LocalObjectReference
+
+
+ |
+
+ clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It +may have the following key/value pairs: +
+ |
+
(Appears on: -ControlPlaneComponent) +ClusterAutoscaling)
-
ControlPlaneComponentStatus defines the observed state of ControlPlaneComponent
+ExpanderString contains the name of an expander to be used by the cluster autoscaler.
+ +| Value | +Description | +
|---|---|
"LeastWaste" |
++ |
"Priority" |
+Selects the node group with the least idle resources. + |
+
"Random" |
+Selects the node group with the highest priority. + |
+
+(Appears on: +AWSResourceReference) +
++
Filter is a filter used to identify an AWS resource
-conditions
+name
-
-[]Kubernetes meta/v1.Condition
+string
+
+ |
+
+ name is the name of the filter. + |
+
+values
+
+[]string
+
+ |
+
+ values is a list of values for the filter. + |
+
+(Appears on: +NetworkFilter, +RouterFilter, +SubnetFilter) +
++
+| Field | +Description | +
|---|---|
+tags
+
+
+[]NeutronTag
|
(Optional)
- conditions contains details for the current state of the ControlPlane Component. -If there is an error, then the Available condition will be false. -Current condition types are: “Available” +tags is a list of tags to filter by. If specified, the resource must +have all of the tags specified to be included in the result. + |
+
+tagsAny
+
+
+[]NeutronTag
+
+
+ |
+
+(Optional)
+ tagsAny is a list of tags to filter by. If specified, the resource +must have at least one of the tags specified to be included in the +result. |
-version
+notTags
-string
+
+[]NeutronTag
+
|
(Optional)
- version reports the current version of this component. +notTags is a list of tags to filter by. If specified, resources which +contain all of the given tags will be excluded from the result. |
-resources
+notTagsAny
-
-[]ComponentResource
+
+[]NeutronTag
|
(Optional)
- resources is a list of the resources reconciled by this component. +notTagsAny is a list of tags to filter by. If specified, resources +which contain any of the given tags will be excluded from the result. |
(Appears on: -AzureResourceManagedIdentities) +GCPNodePoolPlatform)
-
ControlPlaneManagedIdentities contains the managed identities on the HCP control plane needing to authenticate with -Azure’s API.
+GCPBootDisk specifies configuration for the boot disk of GCP node instances.
-managedIdentitiesKeyVault
+diskSizeGB
-
-ManagedAzureKeyVault
-
+int64
|
- managedIdentitiesKeyVault contains information on the management cluster’s managed identities Azure Key Vault. -This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the -Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring -authentication with Azure API. -More information on how the Secrets Store CSI driver works to do this can be found here: -https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. +(Optional) +diskSizeGB specifies the size of the boot disk in gigabytes. +Must be at least 20 GB for RHCOS images. |
-cloudProvider
+diskType
-
-ManagedIdentity
-
+string
|
- cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller -manager. +(Optional) +diskType specifies the disk type for the boot disk. +Valid values include: +- “pd-standard” - Standard persistent disk (magnetic) +- “pd-ssd” - SSD persistent disk +- “pd-balanced” - Balanced persistent disk (recommended) +If not specified, defaults to “pd-balanced”. |
-nodePoolManagement
+encryptionKey,omitzero
-
-ManagedIdentity
+
+GCPDiskEncryptionKey
|
- nodePoolManagement is a pre-existing managed identity associated with the operator managing the NodePools. +(Optional) +encryptionKey specifies customer-managed encryption key (CMEK) configuration. +If not specified, Google-managed encryption keys are used. |
+(Appears on: +GCPBootDisk) +
++
GCPDiskEncryptionKey specifies configuration for customer-managed encryption keys.
+ +
-controlPlaneOperator
-
-
-ManagedIdentity
-
-
- |
-
- controlPlaneOperator is a pre-existing managed identity associated with the control plane operator. - |
+Field | +Description |
|---|---|---|---|
-imageRegistry
+kmsKeyName
-
-ManagedIdentity
-
+string
|
-(Optional)
- imageRegistry is a pre-existing managed identity associated with the cluster-image-registry-operator. +kmsKeyName is the resource name of the Cloud KMS key used for disk encryption. +Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key} |
+(Appears on: +GCPPlatformSpec) +
++
GCPEndpointAccessType defines the endpoint access type for GCP clusters. +Equivalent to AWS EndpointAccessType but adapted for GCP networking model.
+ +
-ingress
-
-
-ManagedIdentity
-
-
- |
-
- ingress is a pre-existing managed identity associated with the cluster-ingress-operator. - |
+Value | +Description |
|---|---|---|---|
-network
-
-
-ManagedIdentity
-
-
+ | |||
"Private" |
+GCPEndpointAccessPrivate endpoint access allows only private API server access and private +node communication with the control plane via Private Service Connect. |
-
- network is a pre-existing managed identity associated with the cluster-network-operator. + | |
"PublicAndPrivate" |
+GCPEndpointAccessPublicAndPrivate endpoint access allows public API server access and +private node communication with the control plane via Private Service Connect. |
+
+(Appears on: +GCPPlatformSpec) +
++
GCPNetworkConfig specifies VPC configuration for GCP clusters and Private Service Connect endpoint creation.
+ +| Field | +Description |
|---|---|
-disk
+network,omitzero
-
-ManagedIdentity
+
+GCPResourceReference
|
- disk is a pre-existing managed identity associated with the azure-disk-controller. +network is the VPC network name |
-file
+privateServiceConnectSubnet,omitzero
-
-ManagedIdentity
+
+GCPResourceReference
|
- file is a pre-existing managed identity associated with the azure-disk-controller. +privateServiceConnectSubnet is the subnet for Private Service Connect endpoints |
(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +NodePoolPlatform)
-
DNSSpec specifies the DNS configuration for the hosted cluster ingress.
+GCPNodePoolPlatform specifies the configuration of a NodePool when operating on GCP. +This follows the AWS and Azure patterns for platform-specific NodePool configuration.
-baseDomain
+machineType
string
|
- baseDomain is the base domain of the hosted cluster. -It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. -If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. -Once set, this field is immutable. -When the value is the empty string “”, the controller might default to a value depending on the platform. +machineType is the GCP machine type for node instances (e.g. n2-standard-4). +Must follow GCP machine type naming conventions as documented at: +https://cloud.google.com/compute/docs/machine-resource#machine_type_comparison +Valid machine type formats: +- predefined: n1-standard-1, n2-highmem-4, c2-standard-8, etc. +- custom: custom-{cpus}-{memory} (e.g. custom-4-8192) +- custom with extended memory: custom-{cpus}-{memory}-ext (e.g. custom-2-13312-ext) |
-baseDomainPrefix
+zone
string
|
-(Optional)
- baseDomainPrefix is the base domain prefix for the hosted cluster ingress. -It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. -If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. -Set baseDomainPrefix to an empty string “”, if you don’t want a prefix at all (not even hostedCluster.name) to be prepended to baseDomain. -This field is immutable. +zone is the GCP zone where node instances will be created. +Must be a valid zone within the cluster’s region. +Format: {region}-{zone} (e.g. us-central1-a, europe-west2-b) +See https://cloud.google.com/compute/docs/regions-zones for available zones. |
-publicZoneID
+subnet
-string
+
+GCPResourceName
+
|
-(Optional)
- publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. -This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. -Once set, this value is immutable. +subnet is the name of the subnet where node instances will be created. +Must be a subnet within the VPC network specified in the HostedCluster’s +networkConfig and located in the same region as the zone. +The subnet must have enough IP addresses available for the expected number of nodes. |
-privateZoneID
+image
string
|
(Optional)
- privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. -This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. -Once set, this value is immutable. +image specifies the boot image for node instances. +If unspecified, the default RHCOS image will be used based on the NodePool release payload. +Can be: +- A family name: projects/rhel-cloud/global/images/family/rhel-8 +- A specific image: projects/rhel-cloud/global/images/rhel-8-v20231010 +- A full resource URL: https://www.googleapis.com/compute/v1/projects/rhel-cloud/global/images/rhel-8-v20231010 |
-(Appears on: -GCPPrivateServiceConnectStatus) -
--
DNSZoneStatus represents a single DNS zone and its records
- -| Field | -Description | +
+bootDisk
+
+
+GCPBootDisk
+
+
+ |
+
+(Optional)
+ bootDisk specifies the configuration for the boot disk of node instances. + |
|---|---|---|---|
-name
+serviceAccount
-string
+
+GCPNodeServiceAccount
+
|
- name is the DNS zone name +(Optional) +serviceAccount configures the Google Service Account attached to node instances. +If not specified, uses the default compute service account for the project. |
||
-records
+resourceLabels
-[]string
+
+[]GCPResourceLabel
+
|
(Optional)
- records lists the DNS records created in this zone +resourceLabels is an optional list of additional labels to apply to GCP node +instances and their associated resources (disks, etc.). +Labels will be merged with cluster-level resource labels, with NodePool labels +taking precedence in case of conflicts. +Keys and values must conform to GCP labeling requirements: +- Keys: 1–63 chars, must start with a lowercase letter; allowed [a-z0-9-] +- Values: empty or 1–63 chars; allowed [a-z0-9-] +- Maximum 60 user labels per resource (GCP limit is 64 total, with ~4 reserved) |
-(Appears on: -AzureResourceManagedIdentities) -
--
DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to -authenticate with Azure’s API.
- -| Field | -Description | -
|---|---|
-imageRegistryMSIClientID
+networkTags
-string
+
+[]GCPResourceName
+
|
- imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image -registry controller. +(Optional) +networkTags is an optional list of network tags to apply to node instances. +These tags are used by GCP firewall rules to control network access. +Tags must conform to GCP naming conventions: +- 1-63 characters +- Lowercase letters, numbers, and hyphens only +- Must start with lowercase letter +- Cannot end with hyphen |
-diskMSIClientID
+provisioningModel
-string
+
+GCPProvisioningModel
+
|
- diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver. +(Optional) +provisioningModel specifies the provisioning model for node instances. +Spot and Preemptible instances cost less but can be terminated by GCP with 30 seconds notice. +Spot instances are recommended over Preemptible as they have no maximum runtime limit. +Standard instances are regular VMs that run until explicitly stopped. +If not specified, defaults to “Standard”. |
-fileMSIClientID
+onHostMaintenance
-string
+
+GCPOnHostMaintenance
+
|
- fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver. +(Optional) +onHostMaintenance specifies the behavior when host maintenance occurs. +For Spot and Preemptible instances, this must be “TERMINATE”. +For Standard instances, can be “MIGRATE” (live migrate) or “TERMINATE”. +If not specified, defaults to “MIGRATE” for Standard instances and “TERMINATE” for Spot/Preemptible. |
(Appears on: -AzureNodePoolPlatform) +GCPNodePoolPlatform)
-
Diagnostics specifies the diagnostics settings for a virtual machine.
+GCPNodeServiceAccount specifies the Google Service Account configuration for node instances.
-storageAccountType
+email
-
-AzureDiagnosticsStorageAccountType
+
+GCPServiceAccountEmail
|
(Optional)
- storageAccountType determines if the storage account for storing the diagnostics data -should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). +email specifies the email address of the Google Service Account to use for node instances. +If not specified, uses the default compute service account for the project. +The service account must have the necessary permissions for the node to function: +- Logging writer +- Monitoring metric writer +- Storage object viewer (for pulling container images) |
-userManaged
+scopes
-
-UserManagedDiagnostics
-
+[]string
|
(Optional)
- userManaged specifies the diagnostics settings for a virtual machine when the storage account is managed by the user. +scopes specifies the access scopes for the service account. +If not specified, defaults to standard compute scopes. +Common scopes include: +- “https://www.googleapis.com/auth/devstorage.read_only” - Storage read-only +- “https://www.googleapis.com/auth/logging.write” - Logging write +- “https://www.googleapis.com/auth/monitoring.write” - Monitoring write +- “https://www.googleapis.com/auth/cloud-platform” - Full access (use with caution) |
(Appears on: -EtcdSpec) +GCPNodePoolPlatform)
-
EtcdManagementType is a enum specifying the strategy for managing the cluster’s etcd instance
+GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
| Description | -|
|---|---|
"Managed" |
-Managed means HyperShift should provision and operator the etcd cluster -automatically. + |
"MIGRATE" |
+GCPOnHostMaintenanceMigrate causes Compute Engine to live migrate an instance during host maintenance. |
-
"Unmanaged" |
-Unmanaged means HyperShift will not provision or manage the etcd cluster, -and the user is responsible for doing so. + |
"TERMINATE" |
+GCPOnHostMaintenanceTerminate causes Compute Engine to stop an instance during host maintenance. |
(Appears on: -HostedClusterSpec, -HostedControlPlaneSpec) +PlatformSpec)
-
EtcdSpec specifies configuration for a control plane etcd cluster.
+GCPPlatformSpec specifies configuration for clusters running on Google Cloud Platform.
-managementType
+project
-
-EtcdManagementType
-
+string
|
- managementType defines how the etcd cluster is managed. -This can be either Managed or Unmanaged. -This field is immutable. +project is the GCP project ID.
+A valid project ID must satisfy the following rules:
+length: Must be between 6 and 30 characters, inclusive
+characters: Only lowercase letters ( |
-managed
+region
-
-ManagedEtcdSpec
-
+string
|
-(Optional)
- managed specifies the behavior of an etcd cluster managed by HyperShift. +region is the GCP region in which the cluster resides (e.g., us-central1, europe-west2). +Must start with lowercase letters, contain exactly one hyphen, and end with digits. +For a full list of valid regions, see: https://cloud.google.com/compute/docs/regions-zones. |
-unmanaged
+networkConfig,omitzero
-
-UnmanagedEtcdSpec
+
+GCPNetworkConfig
|
-(Optional)
- unmanaged specifies configuration which enables the control plane to -integrate with an externally managed etcd cluster. +networkConfig specifies VPC configuration for Private Service Connect. +Required for VPC configuration in Private Service Connect deployments. |
-(Appears on: -UnmanagedEtcdSpec) -
--
EtcdTLSConfig specifies TLS configuration for HTTPS etcd client endpoints.
- -| Field | -Description | -
|---|---|
-clientSecret
+endpointAccess
-
-Kubernetes core/v1.LocalObjectReference
+
+GCPEndpointAccessType
|
- clientSecret refers to a secret for client mTLS authentication with the etcd cluster. It -may have the following key/value pairs: -
- |
-
-(Appears on: -ClusterAutoscaling) -
--
ExpanderString contains the name of an expander to be used by the cluster autoscaler.
- -| Value | -Description | -
|---|---|
"LeastWaste" |
-- |
"Priority" |
-Selects the node group with the least idle resources. - |
-
"Random" |
-Selects the node group with the highest priority. +(Optional) +endpointAccess controls API endpoint accessibility for the HostedControlPlane on GCP. +Allowed values: “Private”, “PublicAndPrivate”. Defaults to “Private”. |
-
-(Appears on: -AWSResourceReference) -
--
Filter is a filter used to identify an AWS resource
- -| Field | -Description |
|---|---|
-name
+resourceLabels
-string
+
+[]GCPResourceLabel
+
|
- name is the name of the filter. +(Optional) +resourceLabels are applied to all GCP resources created for the cluster. +Labels are key-value pairs used for organizing and managing GCP resources. +Changes to this field will be propagated in-place to GCP resources where supported. +GCP supports a maximum of 64 labels per resource. HyperShift reserves approximately 4 labels for system use. +For GCP labeling guidance, see https://cloud.google.com/compute/docs/labeling-resources |
-values
+workloadIdentity,omitzero
-[]string
+
+GCPWorkloadIdentityConfig
+
|
- values is a list of values for the filter. +workloadIdentity configures Workload Identity Federation for the cluster. +This enables secure, short-lived token-based authentication without storing +long-term service account keys. These fields are immutable after cluster creation +to prevent breaking the authentication chain. +Prerequisites for WIF setup: +- Workload Identity Pool and Provider must exist in the GCP project +- Provider must be configured with audience mapping for OpenShift SA tokens +- Target Google Service Account must have roles/iam.workloadIdentityUser +granted to the workload pool principal (e.g., principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/system:serviceaccount:kube-system:capi-gcp-controller-manager) +- Attribute mappings on the provider should include google.subject for token subject verification |
(Appears on: -NetworkFilter, -RouterFilter, -SubnetFilter) +GCPPrivateServiceConnect)
+
GCPPrivateServiceConnectSpec defines the desired state of PSC infrastructure
-tags
+loadBalancerIP
-
-[]NeutronTag
-
+string
|
-(Optional)
- tags is a list of tags to filter by. If specified, the resource must -have all of the tags specified to be included in the result. +loadBalancerIP is the IP address of the Internal Load Balancer +Populated by the observer from service status +This value must be a valid IPv4 or IPv6 address. |
-tagsAny
+forwardingRuleName
-
-[]NeutronTag
+
+GCPResourceName
|
(Optional)
- tagsAny is a list of tags to filter by. If specified, the resource -must have at least one of the tags specified to be included in the -result. +forwardingRuleName is the name of the Internal Load Balancer forwarding rule +Populated by the reconciler via GCP API lookup |
-notTags
+consumerAcceptList
-
-[]NeutronTag
-
+[]string
|
-(Optional)
- notTags is a list of tags to filter by. If specified, resources which -contain all of the given tags will be excluded from the result. +consumerAcceptList specifies which customer projects can connect. +Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”). +A maximum of 50 entries are allowed. +See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project ID and number formats. |
-notTagsAny
+natSubnet
-
-[]NeutronTag
+
+GCPResourceName
|
(Optional)
- notTagsAny is a list of tags to filter by. If specified, resources -which contain any of the given tags will be excluded from the result. +natSubnet is the subnet used for NAT by the Service Attachment +Auto-populated by the HyperShift Operator |
(Appears on: -GCPNodePoolPlatform) +GCPPrivateServiceConnect)
-
GCPBootDisk specifies configuration for the boot disk of GCP node instances.
+GCPPrivateServiceConnectStatus defines the observed state of PSC infrastructure
-diskSizeGB
+conditions
-int64
+
+[]Kubernetes meta/v1.Condition
+
|
(Optional)
- diskSizeGB specifies the size of the boot disk in gigabytes. -Must be at least 20 GB for RHCOS images. +conditions represent the current state of PSC infrastructure +Current condition types are: “GCPPrivateServiceConnectAvailable”, “GCPServiceAttachmentAvailable”, “GCPEndpointAvailable”, “GCPDNSAvailable” |
-diskType
+serviceAttachmentName
string
|
(Optional)
- diskType specifies the disk type for the boot disk. -Valid values include: -- “pd-standard” - Standard persistent disk (magnetic) -- “pd-ssd” - SSD persistent disk -- “pd-balanced” - Balanced persistent disk (recommended) -If not specified, defaults to “pd-balanced”. +serviceAttachmentName is the name of the created Service Attachment |
-encryptionKey
+serviceAttachmentURI
-
-GCPDiskEncryptionKey
-
+string
|
(Optional)
- encryptionKey specifies customer-managed encryption key (CMEK) configuration. -If not specified, Google-managed encryption keys are used. +serviceAttachmentURI is the URI customers use to connect. +Format: projects/{project}/regions/{region}/serviceAttachments/{name} +See https://cloud.google.com/vpc/docs/configure-private-service-connect-producer for service attachment details. |
-(Appears on: -GCPBootDisk) -
--
GCPDiskEncryptionKey specifies configuration for customer-managed encryption keys.
- -| Field | -Description | +
+endpointIP
+
+string
+
+ |
+
+(Optional)
+ endpointIP is the reserved IP address for the PSC endpoint +This value must be a valid IPv4 or IPv6 address. + |
|---|---|---|---|
-kmsKeyName
+dnsZones
-string
+
+[]DNSZoneStatus
+
|
- kmsKeyName is the resource name of the Cloud KMS key used for disk encryption. -Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key} +dnsZones contains DNS zone information created for this cluster |
(Appears on: -GCPPlatformSpec) +GCPNodePoolPlatform)
-
GCPEndpointAccessType defines the endpoint access type for GCP clusters. -Equivalent to AWS EndpointAccessType but adapted for GCP networking model.
+GCPProvisioningModel defines the provisioning model for GCP node instances. +Follows GCP’s provisioning model terminology for compute instances.
| Description | -|
|---|---|
"Private" |
-GCPEndpointAccessPrivate endpoint access allows only private API server access and private -node communication with the control plane via Private Service Connect. + |
"Preemptible" |
+GCPProvisioningModelPreemptible specifies preemptible instances (legacy). +Preemptible instances are lower-cost instances that can be terminated by GCP +with 30 seconds notice when capacity is needed elsewhere. +Note: Preemptible instances have a maximum runtime of 24 hours. +Consider using Spot instances instead, which have no maximum runtime limit. |
-
"PublicAndPrivate" |
-GCPEndpointAccessPublicAndPrivate endpoint access allows public API server access and -private node communication with the control plane via Private Service Connect. + |
"Spot" |
+GCPProvisioningModelSpot specifies Spot instances. +Spot instances are lower-cost instances that can be terminated by GCP +with 30 seconds notice when capacity is needed elsewhere. +Unlike preemptible instances, Spot instances have no maximum runtime limit. +This is the recommended option for cost-effective, interruptible workloads. + |
+
"Standard" |
+GCPProvisioningModelStandard specifies standard (non-preemptible) instances. +Standard instances run until explicitly stopped and are not subject to automatic termination. |
(Appears on: +GCPNodePoolPlatform, GCPPlatformSpec)
-
GCPNetworkConfig specifies VPC configuration for GCP clusters and Private Service Connect endpoint creation.
+GCPResourceLabel is a label to apply to GCP resources created for the cluster. +Labels are key-value pairs used for organizing and managing GCP resources. +See https://cloud.google.com/compute/docs/labeling-resources for GCP labeling guidance.
-network
+key
-
-GCPResourceReference
-
+string
|
- network is the VPC network name +key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty. +For Compute Engine resources (VMs, disks, networks created by CAPG), keys must: +- Start with a lowercase letter +- Contain only lowercase letters, digits, underscores, or hyphens +- End with a lowercase letter or digit (not a hyphen or underscore) +- Be 1-63 characters long +GCP reserves the ‘goog’ prefix for system labels. +See https://cloud.google.com/compute/docs/labeling-resources for Compute Engine label requirements. |
-privateServiceConnectSubnet
+value
-
-GCPResourceReference
-
+string
|
- privateServiceConnectSubnet is the subnet for Private Service Connect endpoints +value is the value part of the label. A label value can have a maximum of 63 characters. +Empty values are allowed by GCP. If non-empty, it must start with a lowercase letter, +contain only lowercase letters, digits, underscores, or hyphens, and end with a lowercase letter or digit. +See https://cloud.google.com/compute/docs/labeling-resources for Compute Engine label requirements. |
(Appears on: -NodePoolPlatform) +GCPNodePoolPlatform, +GCPPrivateServiceConnectSpec, +GCPResourceReference)
-
GCPNodePoolPlatform specifies the configuration of a NodePool when operating on GCP. -This follows the AWS and Azure patterns for platform-specific NodePool configuration.
+GCPResourceName is the name of a GCP resource following RFC 1035 naming conventions. +Must start with a lowercase letter, contain only lowercase letters, digits, and hyphens, +must not end with a hyphen, and be 1-63 characters long. +See https://cloud.google.com/compute/docs/naming-resources for details.
-| Field | -Description | -|||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-machineType
-
-string
-
- |
-
- machineType is the GCP machine type for node instances (e.g. n2-standard-4). -Must follow GCP machine type naming conventions as documented at: -https://cloud.google.com/compute/docs/machine-resource#machine_type_comparison -Valid machine type formats: -- predefined: n1-standard-1, n2-highmem-4, c2-standard-8, etc. -- custom: custom-{cpus}-{memory} (e.g. custom-4-8192) -- custom with extended memory: custom-{cpus}-{memory}-ext (e.g. custom-2-13312-ext) - |
-|||||||||||||||
-zone
-
-string
-
- |
-
- zone is the GCP zone where node instances will be created. -Must be a valid zone within the cluster’s region. -Format: {region}-{zone} (e.g. us-central1-a, europe-west2-b) -See https://cloud.google.com/compute/docs/regions-zones for available zones. - |
-
-subnet
-
-string
-
- |
-
- subnet is the name of the subnet where node instances will be created. -Must be a subnet within the VPC network specified in the HostedCluster’s -networkConfig and located in the same region as the zone. -The subnet must have enough IP addresses available for the expected number of nodes. - |
+Field | +Description |
|---|---|---|---|
-image
+name
-string
+
+GCPResourceName
+
|
-(Optional)
- image specifies the boot image for node instances. -If unspecified, the default RHCOS image will be used based on the NodePool release payload. -Can be: -- A family name: projects/rhel-cloud/global/images/family/rhel-8 -- A specific image: projects/rhel-cloud/global/images/rhel-8-v20231010 -- A full resource URL: https://www.googleapis.com/compute/v1/projects/rhel-cloud/global/images/rhel-8-v20231010 +name is the name of the GCP resource. +Must conform to GCP resource naming standards: lowercase letters, numbers, and hyphens only. +Must start with a lowercase letter and end with a lowercase letter or number, max 63 characters. +Pattern: “^a-z?$” (max 63 chars), per GCP naming requirements. +See https://cloud.google.com/compute/docs/naming-resources for details. |
+(Appears on: +GCPNodeServiceAccount, +GCPServiceAccountsEmails) +
++
GCPServiceAccountEmail is the email address of a Google Service Account. +Format: service-account-name@project-id.iam.gserviceaccount.com +See https://cloud.google.com/iam/docs/service-accounts-create for service account naming rules.
+ +###GCPServiceAccountsEmails { #hypershift.openshift.io/v1beta1.GCPServiceAccountsEmails } ++(Appears on: +GCPWorkloadIdentityConfig) +
++
GCPServiceAccountsEmails contains email addresses of Google Service Accounts for different controllers. +Each service account should have the appropriate IAM permissions for its specific role.
+ +
-bootDisk
-
-
-GCPBootDisk
-
-
- |
-
-(Optional)
- bootDisk specifies the configuration for the boot disk of node instances. - |
+Field | +Description |
|---|---|---|---|
-serviceAccount
+nodePool
-
-GCPNodeServiceAccount
+
+GCPServiceAccountEmail
|
-(Optional)
- serviceAccount configures the Google Service Account attached to node instances. -If not specified, uses the default compute service account for the project. +nodePool is the Google Service Account email for CAPG controllers +that manage NodePool infrastructure (VMs, networks, disks, etc.). +This GSA requires the following IAM roles: +- roles/compute.instanceAdmin.v1 (Compute Instance Admin v1) +- roles/compute.networkAdmin (Compute Network Admin) +- roles/iam.serviceAccountUser (Service Account User - to attach service accounts to VMs) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
||
-resourceLabels
+controlPlane
-
-[]GCPResourceLabel
+
+GCPServiceAccountEmail
|
-(Optional)
- resourceLabels is an optional list of additional labels to apply to GCP node -instances and their associated resources (disks, etc.). -Labels will be merged with cluster-level resource labels, with NodePool labels -taking precedence in case of conflicts. -Keys and values must conform to GCP labeling requirements: -- Keys: 1–63 chars, must start with a lowercase letter; allowed [a-z0-9-] -- Values: empty or 1–63 chars; allowed [a-z0-9-] -- Maximum 60 user labels per resource (GCP limit is 64 total, with ~4 reserved) +controlPlane is the Google Service Account email for the Control Plane Operator +that manages control plane infrastructure and resources. +This GSA requires the following IAM roles: +- roles/dns.admin (DNS Admin - for managing DNS records) +- roles/compute.networkAdmin (Compute Network Admin - for network management) +- roles/compute.viewer (Compute Viewer - for CCM to read instance metadata) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
||
-networkTags
+cloudController
-[]string
+
+GCPServiceAccountEmail
+
|
-(Optional)
- networkTags is an optional list of network tags to apply to node instances. -These tags are used by GCP firewall rules to control network access. -Tags must conform to GCP naming conventions: -- 1-63 characters -- Lowercase letters, numbers, and hyphens only -- Must start with lowercase letter -- Cannot end with hyphen +cloudController is the Google Service Account email for the Cloud Controller Manager +that manages LoadBalancer services and node lifecycle in the hosted cluster. +This GSA requires the following IAM roles: +- roles/compute.loadBalancerAdmin (Load Balancer Admin - for provisioning GCP load balancers) +- roles/compute.securityAdmin (Security Admin - for managing firewall rules) +- roles/compute.viewer (Compute Viewer - for reading instance metadata for node management) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
||
-provisioningModel
+storage
-
-GCPProvisioningModel
+
+GCPServiceAccountEmail
|
-(Optional)
- provisioningModel specifies the provisioning model for node instances. -Spot and Preemptible instances cost less but can be terminated by GCP with 30 seconds notice. -Spot instances are recommended over Preemptible as they have no maximum runtime limit. -Standard instances are regular VMs that run until explicitly stopped. -If not specified, defaults to “Standard”. +storage is the Google Service Account email for the GCP PD CSI Driver +that manages Persistent Disk storage operations (create, attach, delete volumes). +This GSA requires the following IAM roles: +- roles/compute.storageAdmin (Compute Storage Admin - for managing persistent disks) +- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for attaching disks to VMs) +- roles/iam.serviceAccountUser (Service Account User - for impersonation) +- roles/resourcemanager.tagUser (Tag User - for applying resource tags to disks) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
||
-onHostMaintenance
+imageRegistry
-string
+
+GCPServiceAccountEmail
+
|
-(Optional)
- onHostMaintenance specifies the behavior when host maintenance occurs. -For Spot and Preemptible instances, this must be “TERMINATE”. -For Standard instances, can be “MIGRATE” (live migrate) or “TERMINATE”. -If not specified, defaults to “MIGRATE” for Standard instances and “TERMINATE” for Spot/Preemptible. +imageRegistry is the Google Service Account email for the Image Registry Operator +that manages GCS storage for the internal container image registry. +This GSA requires the following IAM roles: +- roles/storage.admin (Storage Admin - for creating and managing GCS buckets and objects) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com +This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of |
(Appears on: -GCPNodePoolPlatform) +GCPPlatformSpec)
-
GCPNodeServiceAccount specifies the Google Service Account configuration for node instances.
+GCPWorkloadIdentityConfig configures Workload Identity Federation for GCP clusters. +This enables secure, short-lived token-based authentication without storing +long-term service account keys.
-email
+projectNumber
string
|
-(Optional)
- email specifies the email address of the Google Service Account to use for node instances. -If not specified, uses the default compute service account for the project. -The service account must have the necessary permissions for the node to function: -- Logging writer -- Monitoring metric writer -- Storage object viewer (for pulling container images) +projectNumber is the numeric GCP project identifier for WIF configuration. +This differs from the project ID and is required for workload identity pools. +Must be a numeric string representing the GCP project number. +See https://cloud.google.com/resource-manager/docs/creating-managing-projects for project number details. +This is a user-provided value obtained from GCP (found in GCP Console or via |
-scopes
+poolID
-[]string
+string
|
-(Optional)
- scopes specifies the access scopes for the service account. -If not specified, defaults to standard compute scopes. -Common scopes include: -- “https://www.googleapis.com/auth/devstorage.read_only” - Storage read-only -- “https://www.googleapis.com/auth/logging.write” - Logging write -- “https://www.googleapis.com/auth/monitoring.write” - Monitoring write -- “https://www.googleapis.com/auth/cloud-platform” - Full access (use with caution) +poolID is the workload identity pool identifier within the project. +This pool is used to manage external identity mappings. +Must be 4-32 characters and start with a lowercase letter. +Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). +Cannot start or end with a hyphen. +The prefix “gcp-” is reserved by Google and cannot be used. +See https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers for naming rules. +This is a user-provided value referencing a pre-created Workload Identity Pool.
+Typically obtained from the output of |
-
GCPOnHostMaintenance defines the behavior when a host maintenance event occurs.
- -| Value | -Description | +
+providerID
+
+string
+
+ |
+
+ providerID is the workload identity provider identifier within the pool. +This provider handles the token exchange between external and GCP identities. +Must be 4-32 characters and start with a lowercase letter. +Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). +Cannot start or end with a hyphen. +The prefix “gcp-” is reserved by Google and cannot be used. +See https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers for naming rules. +This is a user-provided value referencing a pre-created OIDC Provider within the WIF Pool.
+Typically obtained from the output of |
|---|---|---|---|
"MIGRATE" |
-GCPOnHostMaintenanceMigrate causes Compute Engine to live migrate an instance during host maintenance. + | ||
+serviceAccountsEmails,omitzero
+
+
+GCPServiceAccountsEmails
+
+
|
-|||
"TERMINATE" |
-GCPOnHostMaintenanceTerminate causes Compute Engine to stop an instance during host maintenance. + |
+ serviceAccountsEmails contains email addresses of various Google Service Accounts +required to enable integrations for different controllers and operators. +This follows the AWS pattern of having different roles for different purposes. |
-
(Appears on: -PlatformSpec) +HCPEtcdBackupStorage)
-
GCPPlatformSpec specifies configuration for clusters running on Google Cloud Platform.
+HCPEtcdBackupAzureBlob defines the Azure Blob storage configuration for etcd backups.
-project
+container
string
|
- project is the GCP project ID.
-A valid project ID must satisfy the following rules:
-length: Must be between 6 and 30 characters, inclusive
-characters: Only lowercase letters ( container is the name of the Azure Blob container where backups are stored. +Must be 3-63 characters, lowercase letters, numbers, and hyphens only. +Must start and end with a letter or number. Consecutive hyphens are not allowed. +See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#container-names |
-region
+storageAccount
string
|
- region is the GCP region in which the cluster resides.
-Must be in the form of storageAccount is the name of the Azure Storage Account. +Must be 3-24 characters, lowercase letters and numbers only. +See https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#storage-account-name |
-networkConfig
+keyPrefix
-
-GCPNetworkConfig
-
+string
|
- networkConfig specifies VPC configuration for Private Service Connect. -Required for VPC configuration in Private Service Connect deployments. +keyPrefix is the blob name prefix for the backup file. +Must consist of valid blob name characters: alphanumeric characters, forward slashes, +hyphens, underscores, and periods. +See https://learn.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers–blobs–and-metadata#blob-names |
-endpointAccess
+credentials,omitzero
-
-GCPEndpointAccessType
+
+SecretReference
|
-(Optional)
- endpointAccess controls API endpoint accessibility for the HostedControlPlane on GCP. -Allowed values: “Private”, “PublicAndPrivate”. Defaults to “Private”. +credentials references a Secret containing Azure credentials for uploading +to Blob Storage. The Secret must exist in the Hypershift Operator namespace. |
-resourceLabels
+encryptionKeyURL
-
-[]GCPResourceLabel
-
+string
|
(Optional)
- resourceLabels are applied to all GCP resources created for the cluster. -Labels are key-value pairs used for organizing and managing GCP resources. -Changes to this field will be propagated in-place to GCP resources where supported. -GCP supports a maximum of 64 labels per resource. HyperShift reserves approximately 4 labels for system use. -For GCP labeling guidance, see https://cloud.google.com/compute/docs/labeling-resources - |
-
-workloadIdentity,omitzero
-
-
-GCPWorkloadIdentityConfig
-
-
- |
-
- workloadIdentity configures Workload Identity Federation for the cluster. -This enables secure, short-lived token-based authentication without storing -long-term service account keys. These fields are immutable after cluster creation -to prevent breaking the authentication chain. -Prerequisites for WIF setup: -- Workload Identity Pool and Provider must exist in the GCP project -- Provider must be configured with audience mapping for OpenShift SA tokens -- Target Google Service Account must have roles/iam.workloadIdentityUser -granted to the workload pool principal (e.g., principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/system:serviceaccount:kube-system:capi-gcp-controller-manager) -- Attribute mappings on the provider should include google.subject for token subject verification +encryptionKeyURL is the URL of the Azure Key Vault key used for encryption.
+Must be a valid Azure Key Vault key URL in the format
+“https:// |
(Appears on: -GCPPrivateServiceConnect) +ManagedEtcdSpec)
-
GCPPrivateServiceConnectSpec defines the desired state of PSC infrastructure
+HCPEtcdBackupConfig defines the backup encryption configuration that is propagated +from the HostedCluster to the HostedControlPlane via ManagedEtcdSpec. +Exactly one platform-specific block must be specified, matching the platform discriminator.
-loadBalancerIP
+platform
-string
+
+HCPEtcdBackupConfigPlatform
+
|
- loadBalancerIP is the IP address of the Internal Load Balancer -Populated by the observer from service status -This value must be a valid IPv4 or IPv6 address. +platform specifies the cloud platform for backup encryption configuration. +Valid values are “AWS” for AWS KMS encryption and “Azure” for Azure Key Vault encryption. |
-forwardingRuleName
+aws,omitzero
-string
+
+HCPEtcdBackupConfigAWS
+
|
(Optional)
- forwardingRuleName is the name of the Internal Load Balancer forwarding rule -Populated by the reconciler via GCP API lookup +aws contains AWS-specific backup encryption configuration. +Required when platform is “AWS”, and forbidden otherwise. |
-consumerAcceptList
+azure,omitzero
-[]string
+
+HCPEtcdBackupConfigAzure
+
|
- consumerAcceptList specifies which customer projects can connect -Accepts both project IDs (e.g. “my-project-123”) and project numbers (e.g. “123456789012”) +(Optional) +azure contains Azure-specific backup encryption configuration. +Required when platform is “Azure”, and forbidden otherwise. |
+(Appears on: +HCPEtcdBackupConfig) +
++
HCPEtcdBackupConfigAWS defines AWS-specific encryption settings for etcd backups.
+ +| Field | +Description | +
|---|---|
-natSubnet
+kmsKeyARN
string
|
-(Optional)
- natSubnet is the subnet used for NAT by the Service Attachment -Auto-populated by the HyperShift Operator +kmsKeyARN is the ARN of the AWS KMS key to use for encrypting etcd backup artifacts in S3.
+Must be a valid AWS KMS key ARN in the format
+“arn: |
(Appears on: -GCPPrivateServiceConnect) +HCPEtcdBackupConfig)
-
GCPPrivateServiceConnectStatus defines the observed state of PSC infrastructure
+HCPEtcdBackupConfigAzure defines Azure-specific encryption settings for etcd backups.
-conditions
+encryptionKeyURL
-
-[]Kubernetes meta/v1.Condition
-
+string
|
-(Optional)
- conditions represent the current state of PSC infrastructure -Current condition types are: “GCPPrivateServiceConnectAvailable”, “GCPServiceAttachmentAvailable”, “GCPEndpointAvailable”, “GCPDNSAvailable” +encryptionKeyURL is the URL of the Azure Key Vault key to use for encrypting etcd backup artifacts.
+Must be a valid Azure Key Vault key URL in the format
+“https:// |
+(Appears on: +HCPEtcdBackupConfig) +
++
HCPEtcdBackupConfigPlatform identifies the cloud platform for backup encryption configuration.
+ +
-serviceAttachmentName
-
-string
-
+ | Value | +Description | +
|---|---|---|
"AWS" |
+AWSBackupConfigPlatform indicates AWS KMS encryption for backup artifacts. |
-
-(Optional)
- serviceAttachmentName is the name of the created Service Attachment + |
"Azure" |
+AzureBackupConfigPlatform indicates Azure Key Vault encryption for backup artifacts. |
+
+(Appears on: +HCPEtcdBackupStatus) +
++
HCPEtcdBackupEncryptionMetadata contains platform-specific metadata about the +encryption applied to the backup artifact in cloud storage. +The presence of a platform block indicates that encryption was applied.
+ +| Field | +Description |
|---|---|
-serviceAttachmentURI
+aws,omitzero
-string
+
+HCPEtcdBackupEncryptionMetadataAWS
+
|
(Optional)
- serviceAttachmentURI is the URI customers use to connect -Format: projects/{project}/regions/{region}/serviceAttachments/{name} +aws contains AWS-specific encryption metadata for the backup. |
-endpointIP
+azure,omitzero
-string
+
+HCPEtcdBackupEncryptionMetadataAzure
+
|
(Optional)
- endpointIP is the reserved IP address for the PSC endpoint -This value must be a valid IPv4 or IPv6 address. +azure contains Azure-specific encryption metadata for the backup. |
+(Appears on: +HCPEtcdBackupEncryptionMetadata) +
++
HCPEtcdBackupEncryptionMetadataAWS contains AWS-specific encryption metadata. +The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
+ +| Field | +Description | +
|---|---|
-dnsZones
+kmsKeyARN
-
-[]DNSZoneStatus
-
+string
|
- dnsZones contains DNS zone information created for this cluster +kmsKeyARN is the ARN of the KMS key used for server-side encryption of the backup in S3.
+Must be a valid AWS KMS key ARN in the format
+“arn: |
(Appears on: -GCPNodePoolPlatform) +HCPEtcdBackupEncryptionMetadata)
-
GCPProvisioningModel defines the provisioning model for GCP node instances. -Follows GCP’s provisioning model terminology for compute instances.
+HCPEtcdBackupEncryptionMetadataAzure contains Azure-specific encryption metadata. +The values here reflect the encryption settings from the HCPEtcdBackupConfig input.
| Value | +Field | Description |
|---|---|---|
"Preemptible" |
-GCPProvisioningModelPreemptible specifies preemptible instances (legacy). -Preemptible instances are lower-cost instances that can be terminated by GCP -with 30 seconds notice when capacity is needed elsewhere. -Note: Preemptible instances have a maximum runtime of 24 hours. -Consider using Spot instances instead, which have no maximum runtime limit. - |
-|
"Spot" |
-GCPProvisioningModelSpot specifies Spot instances. -Spot instances are lower-cost instances that can be terminated by GCP -with 30 seconds notice when capacity is needed elsewhere. -Unlike preemptible instances, Spot instances have no maximum runtime limit. -This is the recommended option for cost-effective, interruptible workloads. + | |
+encryptionKeyURL
+
+string
+
|
-||
"Standard" |
-GCPProvisioningModelStandard specifies standard (non-preemptible) instances. -Standard instances run until explicitly stopped and are not subject to automatic termination. + |
+ encryptionKeyURL is the URL of the Azure Key Vault key used for encryption of the backup.
+Must be a valid Azure Key Vault key URL in the format
+“https:// |
-
(Appears on: -GCPNodePoolPlatform, -GCPPlatformSpec) +HCPEtcdBackupStorage)
-
GCPResourceLabel is a label to apply to GCP resources created for the cluster. -Labels are key-value pairs used for organizing and managing GCP resources. -See https://cloud.google.com/compute/docs/labeling-resources for GCP labeling guidance.
+HCPEtcdBackupS3 defines the S3 storage configuration for etcd backups.
(Appears on: -GCPNetworkConfig) +HCPEtcdBackup)
-
GCPResourceReference represents a reference to a GCP resource by name. -Follows GCP naming patterns (name-based APIs, not ID-based like AWS). -See https://google.aip.dev/122 for GCP resource name standards.
+HCPEtcdBackupSpec defines the desired state of HCPEtcdBackup. +HCPEtcdBackup is a one-shot backup request; the entire spec is immutable once created.
-name
+storage,omitzero
-string
+
+HCPEtcdBackupStorage
+
|
- name is the name of the GCP resource. -Must conform to GCP resource naming standards: lowercase letters, numbers, and hyphens only. -Must start with a lowercase letter and end with a lowercase letter or number, max 63 characters. -Pattern: “^a-z?$” (max 63 chars), per GCP naming requirements. -See https://cloud.google.com/compute/docs/naming-resources for details. +storage defines the cloud storage backend where the etcd snapshot will be uploaded. |
(Appears on: -GCPWorkloadIdentityConfig) +HCPEtcdBackup)
-
GCPServiceAccountsEmails contains email addresses of Google Service Accounts for different controllers. -Each service account should have the appropriate IAM permissions for its specific role.
+HCPEtcdBackupStatus defines the observed state of HCPEtcdBackup.
-nodePool
-
-string
-
- |
-
- nodePool is the Google Service Account email for CAPG controllers -that manage NodePool infrastructure (VMs, networks, disks, etc.). -This GSA requires the following IAM roles: -- roles/compute.instanceAdmin.v1 (Compute Instance Admin v1) -- roles/compute.networkAdmin (Compute Network Admin) -- roles/iam.serviceAccountUser (Service Account User - to attach service accounts to VMs) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of |
-
-controlPlane
+conditions
-string
+
+[]Kubernetes meta/v1.Condition
+
|
- controlPlane is the Google Service Account email for the Control Plane Operator -that manages control plane infrastructure and resources. -This GSA requires the following IAM roles: -- roles/dns.admin (DNS Admin - for managing DNS records) -- roles/compute.networkAdmin (Compute Network Admin - for network management) -- roles/compute.viewer (Compute Viewer - for CCM to read instance metadata) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of conditions contains details for the current state of the etcd backup. +The following condition types are expected: +- “BackupCompleted”: indicates whether the etcd backup has completed (True=success, False=failure). |
-cloudController
+snapshotURL
string
|
- cloudController is the Google Service Account email for the Cloud Controller Manager -that manages LoadBalancer services and node lifecycle in the hosted cluster. -This GSA requires the following IAM roles: -- roles/compute.loadBalancerAdmin (Load Balancer Admin - for provisioning GCP load balancers) -- roles/compute.securityAdmin (Security Admin - for managing firewall rules) -- roles/compute.viewer (Compute Viewer - for reading instance metadata for node management) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of snapshotURL is the URL of the completed backup snapshot in cloud storage. +Must be a valid URL with scheme https or s3. |
-storage
+encryptionMetadata,omitzero
-string
+
+HCPEtcdBackupEncryptionMetadata
+
|
- storage is the Google Service Account email for the GCP PD CSI Driver -that manages Persistent Disk storage operations (create, attach, delete volumes). -This GSA requires the following IAM roles: -- roles/compute.storageAdmin (Compute Storage Admin - for managing persistent disks) -- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for attaching disks to VMs) -- roles/iam.serviceAccountUser (Service Account User - for impersonation) -- roles/resourcemanager.tagUser (Tag User - for applying resource tags to disks) -See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. -Format: service-account-name@project-id.iam.gserviceaccount.com -This is a user-provided value referencing a pre-created Google Service Account.
-Typically obtained from the output of encryptionMetadata contains metadata about the encryption of the backup. +When present, at least one platform-specific encryption block must be set. |
(Appears on: -GCPPlatformSpec) +HCPEtcdBackupSpec)
-
GCPWorkloadIdentityConfig configures Workload Identity Federation for GCP clusters. -This enables secure, short-lived token-based authentication without storing -long-term service account keys.
+HCPEtcdBackupStorage defines the cloud storage backend configuration for the backup. +Exactly one storage backend must be specified, matching the storageType discriminator.
-projectNumber
+storageType
-string
+
+HCPEtcdBackupStorageType
+
|
- projectNumber is the numeric GCP project identifier for WIF configuration. -This differs from the project ID and is required for workload identity pools. -Must be a numeric string representing the GCP project number. -This is a user-provided value obtained from GCP (found in GCP Console or via storageType specifies the type of cloud storage backend for the etcd backup. +Valid values are “S3” for AWS S3 storage and “AzureBlob” for Azure Blob Storage. |
-poolID
+s3,omitzero
-string
+
+HCPEtcdBackupS3
+
|
- poolID is the workload identity pool identifier within the project. -This pool is used to manage external identity mappings. -Must be 4-32 characters and start with a lowercase letter. -Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). -Cannot start or end with a hyphen. -The prefix “gcp-” is reserved by Google and cannot be used. -This is a user-provided value referencing a pre-created Workload Identity Pool.
-Typically obtained from the output of s3 specifies the S3 storage configuration for the etcd backup. +Required when storageType is “S3”, and forbidden otherwise. |
-providerID
+azureBlob,omitzero
-string
+
+HCPEtcdBackupAzureBlob
+
|
- providerID is the workload identity provider identifier within the pool. -This provider handles the token exchange between external and GCP identities. -Must be 4-32 characters and start with a lowercase letter. -Allowed characters: lowercase letters (a-z), digits (0-9), hyphens (-). -Cannot start or end with a hyphen. -The prefix “gcp-” is reserved by Google and cannot be used. -This is a user-provided value referencing a pre-created OIDC Provider within the WIF Pool.
-Typically obtained from the output of azureBlob specifies the Azure Blob storage configuration for the etcd backup. +Required when storageType is “AzureBlob”, and forbidden otherwise. |
+(Appears on: +HCPEtcdBackupStorage) +
++
HCPEtcdBackupStorageType is the type of storage for etcd backups.
+ +
-serviceAccountsEmails,omitzero
-
-
-GCPServiceAccountsEmails
-
-
+ | Value | +Description | +
|---|---|---|
"AzureBlob" |
+AzureBlobBackupStorage indicates that the backup is stored in Azure Blob Storage. |
-
- serviceAccountsEmails contains email addresses of various Google Service Accounts -required to enable integrations for different controllers and operators. -This follows the AWS pattern of having different roles for different purposes. + |
"S3" |
+S3BackupStorage indicates that the backup is stored in AWS S3. |
-
@@ -7247,7 +8921,8 @@ AutoNode
autoNode specifies the configuration for the autoNode feature.
+autoNode specifies the configuration for automatic node provisioning and lifecycle management. +When set, the provisioner(e.g. Karpenter) will be used to provision nodes for targeted workloads.
controlPlaneVersion,omitzero
+
+
+ControlPlaneVersionStatus
+
+
+controlPlaneVersion tracks the rollout status of the control plane +components running on the management cluster, independently from +the data-plane version reported in the version field.
+version
@@ -7744,6 +9435,20 @@ PlatformStatus
autoNode,omitzero
+
+
+AutoNodeStatus
+
+
+autoNode contains the observed state of the autoNode (Karpenter) provisioner.
+configuration
@@ -8214,7 +9919,10 @@ AutoNode
autoNode specifies the configuration for the autoNode feature.
+autoNode specifies the configuration for automatic node provisioning +and lifecycle management. When set, nodes are automatically provisioned +using the specified provisioner (e.g. Karpenter) instead of requiring +manual NodePool management.
controlPlaneVersion,omitzero
+
+
+ControlPlaneVersionStatus
+
+
+controlPlaneVersion tracks the rollout status of the control plane +components running on the management cluster, independently from +the data-plane version reported in the version field.
+versionStatus
@@ -8513,6 +10237,20 @@ int
autoNode,omitzero
+
+
+AutoNodeStatus
+
+
+autoNode contains the observed state of the autoNode (Karpenter) provisioner.
+configuration
@@ -9084,6 +10822,7 @@ AzureKMSSpec
KarpenterConfig)
+
KarpenterAWSConfig specifies AWS-specific configuration for the Karpenter provisioner.
|
- roleARN specifies the ARN of the Karpenter provisioner. +roleARN specifies the ARN of the IAM role that Karpenter assumes to provision +and manage EC2 instances in the hosted cluster’s AWS account. +The referenced role must have a trust relationship that allows it to be assumed
+by the karpenter service account in the hosted cluster via OIDC.
+Example:
+{
+“Version”: “2012-10-17”,
+“Statement”: [
+{
+“Effect”: “Allow”,
+“Principal”: {
+“Federated”: “ The following is an example of the policy document for this role. +{ +“Version”: “2012-10-17”, +“Statement”: [ +{ +“Sid”: “AllowScopedEC2InstanceAccessActions”, +“Effect”: “Allow”, +“Resource”: [ +“arn::ec2:::image/”, +“arn::ec2:::snapshot/”, +“arn::ec2:::security-group/”, +“arn::ec2:::subnet/” +], +“Action”: [ +“ec2:RunInstances”, +“ec2:CreateFleet” +] +}, +{ +“Sid”: “AllowScopedEC2LaunchTemplateAccessActions”, +“Effect”: “Allow”, +“Resource”: “arn::ec2:::launch-template/”, +“Action”: [ +“ec2:RunInstances”, +“ec2:CreateFleet” +] +}, +{ +“Sid”: “AllowScopedEC2InstanceActionsWithTags”, +“Effect”: “Allow”, +“Resource”: [ +“arn::ec2:::fleet/”, +“arn::ec2:::instance/”, +“arn::ec2:::volume/”, +“arn::ec2:::network-interface/”, +“arn::ec2:::launch-template/”, +“arn::ec2:::spot-instances-request/” +], +“Action”: [ +“ec2:RunInstances”, +“ec2:CreateFleet”, +“ec2:CreateLaunchTemplate” +], +“Condition”: { +“StringLike”: { +“aws:RequestTag/karpenter.sh/nodepool”: “” +} +} +}, +{ +“Sid”: “AllowScopedResourceCreationTagging”, +“Effect”: “Allow”, +“Resource”: [ +“arn::ec2:::fleet/”, +“arn::ec2:::instance/”, +“arn::ec2:::volume/”, +“arn::ec2:::network-interface/”, +“arn::ec2:::launch-template/”, +“arn::ec2:::spot-instances-request/” +], +“Action”: “ec2:CreateTags”, +“Condition”: { +“StringEquals”: { +“ec2:CreateAction”: [ +“RunInstances”, +“CreateFleet”, +“CreateLaunchTemplate” +] +}, +“StringLike”: { +“aws:RequestTag/karpenter.sh/nodepool”: “” +} +} +}, +{ +“Sid”: “AllowScopedResourceTagging”, +“Effect”: “Allow”, +“Resource”: “arn::ec2:::instance/”, +“Action”: “ec2:CreateTags”, +“Condition”: { +“StringLike”: { +“aws:ResourceTag/karpenter.sh/nodepool”: “” +} +} +}, +{ +“Sid”: “AllowScopedDeletion”, +“Effect”: “Allow”, +“Resource”: [ +“arn::ec2:::instance/”, +“arn::ec2:::launch-template/” +], +“Action”: [ +“ec2:TerminateInstances”, +“ec2:DeleteLaunchTemplate” +], +“Condition”: { +“StringLike”: { +“aws:ResourceTag/karpenter.sh/nodepool”: “” +} +} +}, +{ +“Sid”: “AllowRegionalReadActions”, +“Effect”: “Allow”, +“Resource”: “”, +“Action”: [ +“ec2:DescribeImages”, +“ec2:DescribeInstances”, +“ec2:DescribeInstanceTypeOfferings”, +“ec2:DescribeInstanceTypes”, +“ec2:DescribeLaunchTemplates”, +“ec2:DescribeSecurityGroups”, +“ec2:DescribeSpotPriceHistory”, +“ec2:DescribeSubnets” +] +}, +{ +“Sid”: “AllowSSMReadActions”, +“Effect”: “Allow”, +“Resource”: “arn::ssm:::parameter/aws/service/”, +“Action”: “ssm:GetParameter” +}, +{ +“Sid”: “AllowPricingReadActions”, +“Effect”: “Allow”, +“Resource”: “”, +“Action”: “pricing:GetProducts” +}, +{ +“Sid”: “AllowInterruptionQueueActions”, +“Effect”: “Allow”, +“Resource”: “”, +“Action”: [ +“sqs:DeleteMessage”, +“sqs:GetQueueUrl”, +“sqs:ReceiveMessage” +] +}, +{ +“Sid”: “AllowPassingInstanceRole”, +“Effect”: “Allow”, +“Resource”: “arn::iam:::role/”, +“Action”: “iam:PassRole”, +“Condition”: { +“StringEquals”: { +“iam:PassedToService”: [ +“ec2.amazonaws.com”, +“ec2.amazonaws.com.cn” +] +} +} +}, +{ +“Sid”: “AllowScopedInstanceProfileCreationActions”, +“Effect”: “Allow”, +“Resource”: “arn::iam:::instance-profile/”, +“Action”: [ +“iam:CreateInstanceProfile” +], +“Condition”: { +“StringLike”: { +“aws:RequestTag/karpenter.k8s.aws/ec2nodeclass”: “” +} +} +}, +{ +“Sid”: “AllowScopedInstanceProfileTagActions”, +“Effect”: “Allow”, +“Resource”: “arn::iam:::instance-profile/”, +“Action”: [ +“iam:TagInstanceProfile” +], +“Condition”: { +“StringLike”: { +“aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass”: “”, +“aws:RequestTag/karpenter.k8s.aws/ec2nodeclass”: “” +} +} +}, +{ +“Sid”: “AllowScopedInstanceProfileActions”, +“Effect”: “Allow”, +“Resource”: “arn::iam:::instance-profile/”, +“Action”: [ +“iam:AddRoleToInstanceProfile”, +“iam:RemoveRoleFromInstanceProfile”, +“iam:DeleteInstanceProfile” +], +“Condition”: { +“StringLike”: { +“aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass”: “” +} +} +}, +{ +“Sid”: “AllowInstanceProfileReadActions”, +“Effect”: “Allow”, +“Resource”: “arn::iam:::instance-profile/”, +“Action”: “iam:GetInstanceProfile” +}, +{ +“Sid”: “AllowUnscopedInstanceProfileListAction”, +“Effect”: “Allow”, +“Resource”: “”, +“Action”: “iam:ListInstanceProfiles” +} +] +} |
@@ -9112,6 +11081,8 @@ string
ProvisionerConfig)
|
- platform specifies the platform-specific configuration for Karpenter. +platform specifies the infrastructure platform that Karpenter should provision nodes on. |
|
+backup,omitzero
+
+
+HCPEtcdBackupConfig
+
+
+ |
+
+(Optional)
+ backup defines the backup configuration for managed etcd, including +optional KMS key settings for artifact encryption in cloud storage. +This configuration is only used when an HCPEtcdBackup CR exists. + |
+
(Appears on: -CapacityReservationOptions) +CapacityReservationOptions, +PlacementOptions)
-
MarketType describes the market type of the CapacityReservation for an Instance.
+MarketType describes the market type for EC2 instances.
"CapacityBlocks" |
-MarketTypeCapacityBlock is a MarketType enum value + | MarketTypeCapacityBlock is a MarketType enum value for Capacity Blocks. |
"OnDemand" |
-MarketTypeOnDemand is a MarketType enum value + | MarketTypeOnDemand is a MarketType enum value for standard on-demand instances. + |
+
"Spot" |
+MarketTypeSpot is a MarketType enum value for Spot instances. +Spot instances use spare EC2 capacity at reduced prices but may be interrupted. |
+(Appears on: +NodePoolStatus) +
++
NodePoolNodesInfo aggregates observed information about nodes belonging to this NodePool.
+ +| Field | +Description | +
|---|---|
+nodeVersions
+
+
+[]NodeVersion
+
+
+ |
+
+ nodeVersions summarizes the versions and health of nodes belonging +to this NodePool. Each entry represents a distinct version combination +and the number of ready/unready nodes running it. + |
+
(Appears on: @@ -11306,6 +13331,21 @@ the NodePool.
nodesInfo,omitzero
+
+
+NodePoolNodesInfo
+
+
+nodesInfo contains aggregated information observed from nodes belonging +to this NodePool.
+platform
@@ -11377,6 +13417,73 @@ assigned when the service is created.
+(Appears on: +NodePoolNodesInfo) +
++
NodeVersion represents a version combination and the count of ready and unready nodes running it.
+ +| Field | +Description | +
|---|---|
+ocpVersion
+
+string
+
+ |
+
+ ocpVersion is the OpenShift release version this node was provisioned +or upgraded with. + |
+
+kubeletVersion
+
+string
+
+ |
+
+ kubeletVersion is the kubelet version reported by the node, as observed +from Machine.Status.NodeInfo.KubeletVersion. + |
+
+readyNodeCount
+
+int32
+
+ |
+
+ readyNodeCount is the number of nodes running this version where the +CAPI NodeHealthy condition is True. + |
+
+unreadyNodeCount
+
+int32
+
+ |
+
+ unreadyNodeCount is the number of nodes running this version where the +CAPI NodeHealthy condition is not True. Useful for tracking upgrade +progress and detecting stuck nodes. + |
+
(Appears on: @@ -11494,6 +13601,28 @@ this means no opinions and the default configuration is used. Check individual fields within ipv4 for details of default values.
+mtu
+
+int32
+
+mtu is the MTU to use for the tunnel interface on hosted cluster nodes. +This must be 100 bytes smaller than the uplink MTU. +When unset, the cluster-network-operator will determine the MTU automatically +based on the infrastructure (e.g., for commercial AWS regions, it defaults +to 8901 based on the 9001 uplink MTU minus 100 bytes overhead). +Some non-commercial AWS regions do not support 9001 uplink MTU, +requiring this field to be explicitly set to a lower value. +The maximum is 9216, which is the standard jumbo frame upper limit +supported by datacenter and cloud network interfaces. +The minimum is 576, which is the minimum IPv4 MTU per RFC 791. +This field is immutable once set.
+
PlacementOptions specifies the placement options for the EC2 instances.
+The instance market type is determined by the marketType field: +- “OnDemand” (default): Standard on-demand instances +- “Spot”: Spot instances using spare EC2 capacity at reduced prices +- “CapacityBlocks”: Scheduled pre-purchased compute capacity for ML workloads
+marketType
+
+
+MarketType
+
+
+ |
+
+(Optional)
+ marketType specifies the EC2 instance purchasing model. +Supported values are “OnDemand” for standard on-demand instances, +“Spot” for spot instances that use spare EC2 capacity at reduced prices +but may be interrupted (optionally accepts spot options and requires +terminationHandlerQueueURL on the HostedCluster), and “CapacityBlocks” for scheduled pre-purchased +compute capacity recommended for GPU/ML workloads (requires +capacityReservation with a specific reservation ID). +When omitted, the default is “OnDemand”. + |
+|
+spot,omitzero
+
+
+SpotOptions
+
+
+ |
+
+(Optional)
+ spot configures optional Spot instance overrides. +When omitted, Spot instances use AWS defaults. +Spot instances use spare EC2 capacity at reduced prices but may be interrupted +with a 2-minute warning. Requires terminationHandlerQueueURL to be set on the +HostedCluster’s AWS platform spec for graceful handling of interruptions. + |
+|
capacityReservation
@@ -12023,6 +14195,7 @@ CapacityReservationOptions
capacityReservation specifies Capacity Reservation options for the NodePool instances. Cannot be specified when tenancy is set to “host” as Dedicated Hosts do not support Capacity Reservations. Compatible with “default” and “dedicated” tenancy. +Required when marketType is “CapacityBlocks”. |
"Karpenter" |
-+ | ProvisionerKarpenter indicates that Karpenter is used for automatic node provisioning. + |
-
ProvisionerConfig is a enum specifying the strategy for auto managing Nodes.
+ProvisionerConfig specifies the provisioner used for automatic node management +and its associated configuration.
|
- name specifies the name of the provisioner to use. +name specifies the name of the provisioner to use for automatic node management. |
+(Appears on: +HCPEtcdBackupAzureBlob, +HCPEtcdBackupS3) +
++
SecretReference contains a reference to a Secret by name. +The Secret must exist in the same namespace as the referencing resource.
+ +| Field | +Description | +
|---|---|
+name
+
+string
+
+ |
+
+ name is the name of the Secret. It must be a valid DNS-1123 subdomain: at most +253 characters, consisting of lowercase alphanumeric characters, hyphens, and periods. +Each period-separated segment must start and end with an alphanumeric character. + |
+
(Appears on: @@ -13741,6 +15949,44 @@ ServicePublishingStrategy
ServiceType defines what control plane services can be exposed from the management control plane.
+###SpotOptions { #hypershift.openshift.io/v1beta1.SpotOptions } ++(Appears on: +PlacementOptions) +
++
SpotOptions configures options for Spot instances.
+Spot instances use spare EC2 capacity at reduced prices but may be interrupted +with a 2-minute warning when EC2 needs the capacity back.
+ +| Field | +Description | +
|---|---|
+maxPrice
+
+string
+
+ |
+
+(Optional)
+ maxPrice defines the maximum price the user is willing to pay for Spot instances. +If not specified, the on-demand price is used as the maximum (you pay the actual spot price). +The value should be a decimal number representing the price per hour in USD. +For example, “0.50” means 50 cents per hour. +Note: AWS recommends NOT setting maxPrice to reduce interruption frequency. +When omitted, you pay the current Spot price (capped at On-Demand price). +AWS minimum allowed value is $0.001. + |
+
(Appears on:
From 14acc458a63f82185435a7969992ddcbc32d8e77 Mon Sep 17 00:00:00 2001
From: OpenShift CI Bot hypershift infra create gcp w
the required service accounts with appropriate IAM roles and WIF bindings.
network
+
+
+GCPServiceAccountEmail
+
+
+network is the Google Service Account email for the Cloud Network Config Controller +that manages cloud-level network configurations (egress IPs, subnets). +This GSA requires the following IAM roles: +- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for managing network interfaces) +- roles/compute.networkUser (Compute Network User - for using subnets) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com
+This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of hypershift infra create gcp which creates
+the required service accounts with appropriate IAM roles and WIF bindings.
hypershift infra create gcp w
the required service accounts with appropriate IAM roles and WIF bindings.
+network
+
+
+GCPServiceAccountEmail
+
+
+network is the Google Service Account email for the Cloud Network Config Controller +that manages cloud-level network configurations (egress IPs, subnets). +This GSA requires the following IAM roles: +- roles/compute.instanceAdmin.v1 (Compute Instance Admin - for managing network interfaces) +- roles/compute.networkUser (Compute Network User - for using subnets) +See cmd/infra/gcp/iam-bindings.json for the authoritative role definitions. +Format: service-account-name@project-id.iam.gserviceaccount.com
+This is a user-provided value referencing a pre-created Google Service Account.
+Typically obtained from the output of hypershift infra create gcp which creates
+the required service accounts with appropriate IAM roles and WIF bindings.