diff --git a/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml b/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml index 7575d8371c99e..084b25cec10e9 100644 --- a/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml +++ b/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml @@ -1,7 +1,6 @@ chain: as: ipi-aws-pre-publicsubnets steps: - - chain: ipi-conf-aws-publicsubnets - chain: ipi-install documentation: |- The IPI setup step contains all steps that provision an OpenShift cluster diff --git a/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh b/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh index 57f36f11a7b0d..ae2af567c9828 100755 --- a/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh +++ b/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh @@ -4,7 +4,16 @@ set -o nounset set -o errexit set -o pipefail -export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" +if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY:-true}" != "true" ]]; then + return +fi + +if [[ -f "${SHARED_DIR}/aws_minimal_permission" ]]; then + echo "Setting AWS credential with minimal permision for installer" + export AWS_SHARED_CREDENTIALS_FILE=${SHARED_DIR}/aws_minimal_permission +else + export AWS_SHARED_CREDENTIALS_FILE=${CLUSTER_PROFILE_DIR}/.awscred +fi function join_by { local IFS="$1"; shift; echo "$*"; } @@ -190,8 +199,7 @@ Outputs: EOF # The above cloudformation template's max zones account is 3 -if [[ "${ZONES_COUNT}" -gt 3 ]] -then +if [[ "${ZONES_COUNT}" -gt 3 ]]; then ZONES_COUNT=3 fi 
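Review bot: The new early-exit in ipi-conf-aws-publicsubnets-commands.sh uses `return` at the top level of the script, outside any function; when the commands file is executed rather than sourced, bash rejects a top-level `return` with "can only `return' from a function or sourced script", and under the `set -o errexit` three lines above the step then most likely aborts instead of skipping quietly. Use `exit 0` there so jobs that set OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY to anything but "true" skip the step cleanly. The two new `export AWS_SHARED_CREDENTIALS_FILE=` assignments also drop the double quotes the removed line had; `export AWS_SHARED_CREDENTIALS_FILE="${SHARED_DIR}/aws_minimal_permission"` and `export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred"` keep the paths intact if either directory ever contains whitespace. Since this step now prefers a file another step must write first, a one-line comment naming the producer of `${SHARED_DIR}/aws_minimal_permission` would make the ordering requirement visible to whoever rearranges the chain next.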
diff --git a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh index be58e2aeb4b14..b3d944e2e046a 100644 --- a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh +++ b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh @@ -60,7 +60,6 @@ if [ "${FIPS_ENABLED:-false}" = "true" ]; then export OPENSHIFT_INSTALL_SKIP_HOSTCRYPT_VALIDATION=true fi - if [[ "${AWS_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" 
@@ -84,191 +83,191 @@ if [[ "${AWS_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then
 USER_POLICY_FILE="${SHARED_DIR}/${USER_POLICY_FILENAME}"
 PERMISION_LIST="${ARTIFACT_DIR}/permision_list.txt"
- if ((ocp_major_version < 4 || (ocp_major_version == 4 && ocp_minor_version < 18))); then
+ if [[ ${ocp_major_version} -lt 4 || (${ocp_major_version} -eq 4 && ${ocp_minor_version} -lt 18) ]]; then
 # There is no installer support for generating permissions prior to 4.18, so we generate one ourselves
- cat <"${PERMISION_LIST}"
-autoscaling:DescribeAutoScalingGroups
-ec2:AllocateAddress
-ec2:AssociateAddress
-ec2:AssociateDhcpOptions
-ec2:AssociateRouteTable
-ec2:AttachInternetGateway
-ec2:AttachNetworkInterface
-ec2:AuthorizeSecurityGroupEgress
-ec2:AuthorizeSecurityGroupIngress
-ec2:CopyImage
-ec2:CreateDhcpOptions
-ec2:CreateInternetGateway
-ec2:CreateNatGateway
-ec2:CreateNetworkInterface
-ec2:CreateRoute
-ec2:CreateRouteTable
-ec2:CreateSecurityGroup
-ec2:CreateSubnet
-ec2:CreateTags
-ec2:CreateVolume
-ec2:CreateVpc
-ec2:CreateVpcEndpoint
-ec2:DeleteDhcpOptions
-ec2:DeleteInternetGateway
-ec2:DeleteNatGateway
-ec2:DeleteNetworkInterface
-ec2:DeleteRoute
-ec2:DeleteRouteTable
-ec2:DeleteSecurityGroup
-ec2:DeleteSnapshot
-ec2:DeleteSubnet
-ec2:DeleteTags
-ec2:DeleteVolume
-ec2:DeleteVpc
-ec2:DeleteVpcEndpoints
-ec2:DeregisterImage
-ec2:DescribeAccountAttributes
-ec2:DescribeAddresses
-ec2:DescribeAvailabilityZones
-ec2:DescribeDhcpOptions
-ec2:DescribeImages
-ec2:DescribeInstanceAttribute
-ec2:DescribeInstanceCreditSpecifications
-ec2:DescribeInstances
-ec2:DescribeInstanceTypeOfferings
-ec2:DescribeInstanceTypes
-ec2:DescribeInternetGateways
-ec2:DescribeKeyPairs
-ec2:DescribeNatGateways
-ec2:DescribeNetworkAcls
-ec2:DescribeNetworkInterfaces
-ec2:DescribePrefixLists
-ec2:DescribeRegions
-ec2:DescribeRouteTables
-ec2:DescribeSecurityGroups
-ec2:DescribeSubnets
-ec2:DescribeTags
-ec2:DescribeVolumes
-ec2:DescribeVpcAttribute
-ec2:DescribeVpcClassicLink
-ec2:DescribeVpcClassicLinkDnsSupport
-ec2:DescribeVpcEndpoints
-ec2:DescribeVpcs
-ec2:DetachInternetGateway
-ec2:DisassociateRouteTable
-ec2:GetEbsDefaultKmsKeyId
-ec2:ModifyInstanceAttribute
-ec2:ModifyNetworkInterfaceAttribute
-ec2:ModifySubnetAttribute
-ec2:ModifyVpcAttribute
-ec2:ReleaseAddress
-ec2:ReplaceRouteTableAssociation
-ec2:RevokeSecurityGroupEgress
-ec2:RevokeSecurityGroupIngress
-ec2:RunInstances
-ec2:TerminateInstances
-elasticloadbalancing:AddTags
-elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
-elasticloadbalancing:AttachLoadBalancerToSubnets
-elasticloadbalancing:ConfigureHealthCheck
-elasticloadbalancing:CreateListener
-elasticloadbalancing:CreateLoadBalancer
-elasticloadbalancing:CreateLoadBalancerListeners
-elasticloadbalancing:CreateTargetGroup
-elasticloadbalancing:DeleteLoadBalancer
-elasticloadbalancing:DeleteTargetGroup
-elasticloadbalancing:DeregisterInstancesFromLoadBalancer
-elasticloadbalancing:DeregisterTargets
-elasticloadbalancing:DescribeInstanceHealth
-elasticloadbalancing:DescribeListeners
-elasticloadbalancing:DescribeLoadBalancerAttributes
-elasticloadbalancing:DescribeLoadBalancers
-elasticloadbalancing:DescribeTags
-elasticloadbalancing:DescribeTargetGroupAttributes
-elasticloadbalancing:DescribeTargetGroups
-elasticloadbalancing:DescribeTargetHealth
-elasticloadbalancing:ModifyLoadBalancerAttributes
-elasticloadbalancing:ModifyTargetGroup
-elasticloadbalancing:ModifyTargetGroupAttributes
-elasticloadbalancing:RegisterInstancesWithLoadBalancer
-elasticloadbalancing:RegisterTargets
-elasticloadbalancing:SetLoadBalancerPoliciesOfListener
-iam:AddRoleToInstanceProfile
-iam:CreateInstanceProfile
-iam:CreateRole
-iam:DeleteAccessKey
-iam:DeleteInstanceProfile
-iam:DeleteRole
-iam:DeleteRolePolicy
-iam:DeleteUser
-iam:DeleteUserPolicy
-iam:GetInstanceProfile
-iam:GetRole
-iam:GetRolePolicy
-iam:GetUser
-iam:GetUserPolicy
-iam:ListAccessKeys
-iam:ListAttachedRolePolicies
-iam:ListInstanceProfiles
-iam:ListInstanceProfilesForRole
-iam:ListRolePolicies
-iam:ListRoles
-iam:ListUserPolicies
-iam:ListUsers
-iam:PassRole
-iam:PutRolePolicy
-iam:PutUserPolicy
-iam:RemoveRoleFromInstanceProfile
-iam:SimulatePrincipalPolicy
-iam:TagRole
-iam:TagUser
-iam:UntagRole
-route53:ChangeResourceRecordSets
-route53:ChangeTagsForResource
-route53:CreateHostedZone
-route53:DeleteHostedZone
-route53:GetChange
-route53:GetHostedZone
-route53:ListHostedZones
-route53:ListHostedZonesByName
-route53:ListResourceRecordSets
-route53:ListTagsForResource
-route53:UpdateHostedZoneComment
-s3:AbortMultipartUpload
-s3:CreateBucket
-s3:DeleteBucket
-s3:DeleteObject
-s3:GetAccelerateConfiguration
-s3:GetBucketAcl
-s3:GetBucketCors
-s3:GetBucketLocation
-s3:GetBucketLogging
-s3:GetBucketObjectLockConfiguration
-s3:GetBucketPublicAccessBlock
-s3:GetBucketReplication
-s3:GetBucketRequestPayment
-s3:GetBucketTagging
-s3:GetBucketVersioning
-s3:GetBucketWebsite
-s3:GetEncryptionConfiguration
-s3:GetLifecycleConfiguration
-s3:GetObject
-s3:GetObjectAcl
-s3:GetObjectTagging
-s3:GetObjectVersion
-s3:GetReplicationConfiguration
-s3:HeadBucket
-s3:ListBucket
-s3:ListBucketMultipartUploads
-s3:ListBucketVersions
-s3:PutBucketAcl
-s3:PutBucketPublicAccessBlock
-s3:PutBucketTagging
-s3:PutEncryptionConfiguration
-s3:PutLifecycleConfiguration
-s3:PutObject
-s3:PutObjectAcl
-s3:PutObjectTagging
-servicequotas:ListAWSDefaultServiceQuotas
-tag:GetResources
-EOF
+ cat <<-EOF > "${PERMISION_LIST}"
+ autoscaling:DescribeAutoScalingGroups
+ ec2:AllocateAddress
+ ec2:AssociateAddress
+ ec2:AssociateDhcpOptions
+ ec2:AssociateRouteTable
+ ec2:AttachInternetGateway
+ ec2:AttachNetworkInterface
+ ec2:AuthorizeSecurityGroupEgress
+ ec2:AuthorizeSecurityGroupIngress
+ ec2:CopyImage
+ ec2:CreateDhcpOptions
+ ec2:CreateInternetGateway
+ ec2:CreateNatGateway
+ ec2:CreateNetworkInterface
+ ec2:CreateRoute
+ ec2:CreateRouteTable
+ ec2:CreateSecurityGroup
+ ec2:CreateSubnet
+ ec2:CreateTags
+ ec2:CreateVolume
+ ec2:CreateVpc
+ ec2:CreateVpcEndpoint
+ ec2:DeleteDhcpOptions
+ ec2:DeleteInternetGateway
+ ec2:DeleteNatGateway
+ ec2:DeleteNetworkInterface
+ ec2:DeleteRoute
+ ec2:DeleteRouteTable
+ ec2:DeleteSecurityGroup
+ ec2:DeleteSnapshot
+ ec2:DeleteSubnet
+ ec2:DeleteTags
+ ec2:DeleteVolume
+ ec2:DeleteVpc
+ ec2:DeleteVpcEndpoints
+ ec2:DeregisterImage
+ ec2:DescribeAccountAttributes
+ ec2:DescribeAddresses
+ ec2:DescribeAvailabilityZones
+ ec2:DescribeDhcpOptions
+ ec2:DescribeImages
+ ec2:DescribeInstanceAttribute
+ ec2:DescribeInstanceCreditSpecifications
+ ec2:DescribeInstances
+ ec2:DescribeInstanceTypeOfferings
+ ec2:DescribeInstanceTypes
+ ec2:DescribeInternetGateways
+ ec2:DescribeKeyPairs
+ ec2:DescribeNatGateways
+ ec2:DescribeNetworkAcls
+ ec2:DescribeNetworkInterfaces
+ ec2:DescribePrefixLists
+ ec2:DescribeRegions
+ ec2:DescribeRouteTables
+ ec2:DescribeSecurityGroups
+ ec2:DescribeSubnets
+ ec2:DescribeTags
+ ec2:DescribeVolumes
+ ec2:DescribeVpcAttribute
+ ec2:DescribeVpcClassicLink
+ ec2:DescribeVpcClassicLinkDnsSupport
+ ec2:DescribeVpcEndpoints
+ ec2:DescribeVpcs
+ ec2:DetachInternetGateway
+ ec2:DisassociateRouteTable
+ ec2:GetEbsDefaultKmsKeyId
+ ec2:ModifyInstanceAttribute
+ ec2:ModifyNetworkInterfaceAttribute
+ ec2:ModifySubnetAttribute
+ ec2:ModifyVpcAttribute
+ ec2:ReleaseAddress
+ ec2:ReplaceRouteTableAssociation
+ ec2:RevokeSecurityGroupEgress
+ ec2:RevokeSecurityGroupIngress
+ ec2:RunInstances
+ ec2:TerminateInstances
+ elasticloadbalancing:AddTags
+ elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+ elasticloadbalancing:AttachLoadBalancerToSubnets
+ elasticloadbalancing:ConfigureHealthCheck
+ elasticloadbalancing:CreateListener
+ elasticloadbalancing:CreateLoadBalancer
+ elasticloadbalancing:CreateLoadBalancerListeners
+ elasticloadbalancing:CreateTargetGroup
+ elasticloadbalancing:DeleteLoadBalancer
+ elasticloadbalancing:DeleteTargetGroup
+ elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+ elasticloadbalancing:DeregisterTargets
+ elasticloadbalancing:DescribeInstanceHealth
+ elasticloadbalancing:DescribeListeners
+ elasticloadbalancing:DescribeLoadBalancerAttributes
+ elasticloadbalancing:DescribeLoadBalancers
+ elasticloadbalancing:DescribeTags
+ elasticloadbalancing:DescribeTargetGroupAttributes
+ elasticloadbalancing:DescribeTargetGroups
+ elasticloadbalancing:DescribeTargetHealth
+ elasticloadbalancing:ModifyLoadBalancerAttributes
+ elasticloadbalancing:ModifyTargetGroup
+ elasticloadbalancing:ModifyTargetGroupAttributes
+ elasticloadbalancing:RegisterInstancesWithLoadBalancer
+ elasticloadbalancing:RegisterTargets
+ elasticloadbalancing:SetLoadBalancerPoliciesOfListener
+ iam:AddRoleToInstanceProfile
+ iam:CreateInstanceProfile
+ iam:CreateRole
+ iam:DeleteAccessKey
+ iam:DeleteInstanceProfile
+ iam:DeleteRole
+ iam:DeleteRolePolicy
+ iam:DeleteUser
+ iam:DeleteUserPolicy
+ iam:GetInstanceProfile
+ iam:GetRole
+ iam:GetRolePolicy
+ iam:GetUser
+ iam:GetUserPolicy
+ iam:ListAccessKeys
+ iam:ListAttachedRolePolicies
+ iam:ListInstanceProfiles
+ iam:ListInstanceProfilesForRole
+ iam:ListRolePolicies
+ iam:ListRoles
+ iam:ListUserPolicies
+ iam:ListUsers
+ iam:PassRole
+ iam:PutRolePolicy
+ iam:PutUserPolicy
+ iam:RemoveRoleFromInstanceProfile
+ iam:SimulatePrincipalPolicy
+ iam:TagRole
+ iam:TagUser
+ iam:UntagRole
+ route53:ChangeResourceRecordSets
+ route53:ChangeTagsForResource
+ route53:CreateHostedZone
+ route53:DeleteHostedZone
+ route53:GetChange
+ route53:GetHostedZone
+ route53:ListHostedZones
+ route53:ListHostedZonesByName
+ route53:ListResourceRecordSets
+ route53:ListTagsForResource
+ route53:UpdateHostedZoneComment
+ s3:AbortMultipartUpload
+ s3:CreateBucket
+ s3:DeleteBucket
+ s3:DeleteObject
+ s3:GetAccelerateConfiguration
+ s3:GetBucketAcl
+ s3:GetBucketCors
+ s3:GetBucketLocation
+ s3:GetBucketLogging
+ s3:GetBucketObjectLockConfiguration
+ s3:GetBucketPublicAccessBlock
+ s3:GetBucketReplication
+ s3:GetBucketRequestPayment
+ s3:GetBucketTagging
+ s3:GetBucketVersioning
+ s3:GetBucketWebsite
+ s3:GetEncryptionConfiguration
+ s3:GetLifecycleConfiguration
+ s3:GetObject
+ s3:GetObjectAcl
+ s3:GetObjectTagging
+ s3:GetObjectVersion
+ s3:GetReplicationConfiguration
+ s3:HeadBucket
+ s3:ListBucket
+ s3:ListBucketMultipartUploads
+ s3:ListBucketVersions
+ s3:PutBucketAcl
+ s3:PutBucketPublicAccessBlock
+ s3:PutBucketTagging
+ s3:PutEncryptionConfiguration
+ s3:PutLifecycleConfiguration
+ s3:PutObject
+ s3:PutObjectAcl
+ s3:PutObjectTagging
+ servicequotas:ListAWSDefaultServiceQuotas
+ tag:GetResources
+ EOF
 if [[ ${CREDENTIALS_MODE} == "Mint" ]] || [[ ${CREDENTIALS_MODE} == "" ]]; then
 echo "iam:CreateAccessKey" >> "${PERMISION_LIST}"
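Review bot: The rewritten heredoc `cat <<-EOF > "${PERMISION_LIST}"` relies on `<<-`, which strips leading tabs only; the collapsed diff does not show whether the indented body and the closing `EOF` use tabs or spaces, and the rest of this script is space-indented, so this needs confirming. If they are spaces, the `EOF` line is never recognised as the terminator and every action is written into the list with leading whitespace, which `sort | uniq | python3 ${JSONER_PY}` further down then turns into policy entries that match nothing. Either keep the body and terminator at column 0 with a plain `<<EOF`, or make the indentation tabs and pin it with a comment such as `# heredoc body and EOF must be tab-indented for <<-`; shellcheck reports the space-indented case as SC1040. The same `<<-EOF` form is used again in the hunks at -355 (the sqs/cloudformation block) and -369 (the ccoctl lists), so the same check applies there. The enclosing `if [[ "${AWS_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]` block starts before and ends after this hunk.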
@@ -278,40 +277,40 @@ EOF
 # additional permisions for 4.11+
 if ((ocp_minor_version >= 11 && ocp_major_version == 4)); then
 # base
- echo "ec2:DeletePlacementGroup" >>"${PERMISION_LIST}"
- echo "s3:GetBucketPolicy" >>"${PERMISION_LIST}"
+ echo "ec2:DeletePlacementGroup" >> "${PERMISION_LIST}"
+ echo "s3:GetBucketPolicy" >> "${PERMISION_LIST}"
 fi
 # additional permisions for 4.14+
 if ((ocp_minor_version >= 14 && ocp_major_version == 4)); then
 # base
- echo "ec2:DescribeSecurityGroupRules" >>"${PERMISION_LIST}"
+ echo "ec2:DescribeSecurityGroupRules" >> "${PERMISION_LIST}"
 fi
 # additional permisions for 4.15+
 if ((ocp_minor_version >= 15 && ocp_major_version == 4)); then
 # base
- echo "iam:TagInstanceProfile" >>"${PERMISION_LIST}"
+ echo "iam:TagInstanceProfile" >> "${PERMISION_LIST}"
 fi
 # additional permisions for 4.16+
 if ((ocp_minor_version >= 16 && ocp_major_version == 4)); then
 # base
- echo "elasticloadbalancing:SetSecurityGroups" >>"${PERMISION_LIST}"
- echo "s3:PutBucketPolicy" >>"${PERMISION_LIST}"
+ echo "elasticloadbalancing:SetSecurityGroups" >> "${PERMISION_LIST}"
+ echo "s3:PutBucketPolicy" >> "${PERMISION_LIST}"
 fi
 # Shared-VPC (4.14+)
 # https://issues.redhat.com/browse/OCPBUGS-17751
 # platform.aws.hostedZoneRole
 if grep -q "hostedZoneRole" "${CONFIG}"; then
- echo "sts:AssumeRole" >>"${PERMISION_LIST}"
+ echo "sts:AssumeRole" >> "${PERMISION_LIST}"
 fi
 # byo public ipv4 pool (4.16+)
 # platform.aws.publicIpv4Pool
 if grep -q "publicIpv4Pool" "${CONFIG}"; then
- echo "ec2:DisassociateAddress" >>"${PERMISION_LIST}"
+ echo "ec2:DisassociateAddress" >> "${PERMISION_LIST}"
 fi
 # byo IAM Profile (4.17+)
@@ -320,14 +319,14 @@ EOF # compute[0].platform.aws.iamProfile # controlPlane.platform.aws.iamProfile if grep -q "iamProfile" "${CONFIG}"; then - echo "tag:UntagResources" >>"${PERMISION_LIST}" - echo "iam:UntagInstanceProfile" >>"${PERMISION_LIST}" + echo "tag:UntagResources" >> "${PERMISION_LIST}" + echo "iam:UntagInstanceProfile" >> "${PERMISION_LIST}" fi # Shared network # platform.aws.subnets if grep -q "subnets" "${CONFIG}"; then - echo "tag:UntagResources" >>"${PERMISION_LIST}" + echo "tag:UntagResources" >> "${PERMISION_LIST}" fi else @@ -355,9 +354,19 @@ EOF rm -rf "${dir}" fi - - create_jsoner_py + # Force all clusters when not configured + # explicitly to use public IP avoiding NAT + if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY:-true}" == "true" ]]; then + cat >> "${PERMISION_LIST}" <<-EOF + sqs:* + cloudformation:CreateStack + cloudformation:DescribeStacks + EOF + fi + + create_jsoner_py + # generate policy file and save it to shared dir so later steps have access to it. cat "${PERMISION_LIST}" | sort | uniq | python3 ${JSONER_PY} >"${USER_POLICY_FILE}" 
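Review bot: In the -355 hunk, `sqs:*` grants every SQS action to the user this script exists to keep minimal, and it is added unconditionally whenever OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY is unset or "true", which after this commit is the default for every job. The list should name the specific SQS actions the installer issues in public-only mode rather than a service wildcard, and the new comment should say why SQS and CloudFormation are needed at all — `# Force all clusters when not configured explicitly to use public IP avoiding NAT` describes the condition, not the reason these permissions exist, so something like `# public-only install (CAPI) needs SQS and a CloudFormation stack; see <placeholder: installer issue/PR>` would help the next reader judge the scope. If the stack created with `cloudformation:CreateStack` is torn down by the same credentials in a later step, `cloudformation:DeleteStack` is missing here, though that depends on the post steps which are not in this diff. The heredoc uses `<<-EOF` again, so the tab-versus-space indentation concern raised on the -84 hunk applies to this block as well.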
@@ -369,60 +378,61 @@ else echo "Custom AWS user with minimal permissions is disabled for installer. Using AWS user from cluster profile." fi - - if [[ "${AWS_CCOCTL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then USER_POLICY_FILENAME="aws-permissions-policy-creds-ccoctl.json" USER_POLICY_FILE="${SHARED_DIR}/${USER_POLICY_FILENAME}" PERMISION_LIST="${ARTIFACT_DIR}/permision_list_ccoctl.txt" - cat < "${PERMISION_LIST}" -cloudfront:ListCloudFrontOriginAccessIdentities -cloudfront:ListDistributions -cloudfront:ListTagsForResource -iam:CreateOpenIDConnectProvider -iam:CreateRole -iam:DeleteOpenIDConnectProvider -iam:DeleteRole -iam:DeleteRolePolicy -iam:GetOpenIDConnectProvider -iam:GetRole -iam:GetUser -iam:ListOpenIDConnectProviders -iam:ListRolePolicies -iam:ListRoles -iam:PutRolePolicy -iam:TagOpenIDConnectProvider -iam:TagRole -s3:CreateBucket -s3:DeleteBucket -s3:DeleteObject -s3:GetBucketAcl -s3:GetBucketTagging -s3:GetObject -s3:GetObjectAcl -s3:GetObjectTagging -s3:ListBucket -s3:PutBucketAcl -s3:PutBucketPolicy -s3:PutBucketPublicAccessBlock -s3:PutBucketTagging -s3:PutObject -s3:PutObjectAcl -s3:PutObjectTagging -EOF + cat <<-EOF > "${PERMISION_LIST}" + cloudfront:ListCloudFrontOriginAccessIdentities + cloudfront:ListDistributions + cloudfront:ListTagsForResource + iam:CreateOpenIDConnectProvider + iam:CreateRole + iam:DeleteOpenIDConnectProvider + iam:DeleteRole + iam:DeleteRolePolicy + iam:GetOpenIDConnectProvider + iam:GetRole + iam:GetUser + iam:ListOpenIDConnectProviders + iam:ListRolePolicies + iam:ListRoles + iam:PutRolePolicy + iam:TagOpenIDConnectProvider + iam:TagRole + s3:CreateBucket + s3:DeleteBucket + s3:DeleteObject + s3:GetBucketAcl + s3:GetBucketTagging + s3:GetObject + s3:GetObjectAcl + s3:GetObjectTagging + s3:ListBucket + s3:PutBucketAcl + s3:PutBucketPolicy + s3:PutBucketPublicAccessBlock + s3:PutBucketTagging + s3:PutObject + s3:PutObjectAcl + s3:PutObjectTagging + EOF + if [[ "${STS_USE_PRIVATE_S3}" == "yes" ]]; then # enable option 
--create-private-s3-bucket - echo "cloudfront:CreateCloudFrontOriginAccessIdentity" >> "${PERMISION_LIST}" - echo "cloudfront:CreateDistribution" >> "${PERMISION_LIST}" - echo "cloudfront:DeleteCloudFrontOriginAccessIdentity" >> "${PERMISION_LIST}" - echo "cloudfront:DeleteDistribution" >> "${PERMISION_LIST}" - echo "cloudfront:GetCloudFrontOriginAccessIdentity" >> "${PERMISION_LIST}" - echo "cloudfront:GetCloudFrontOriginAccessIdentityConfig" >> "${PERMISION_LIST}" - echo "cloudfront:GetDistribution" >> "${PERMISION_LIST}" - echo "cloudfront:TagResource" >> "${PERMISION_LIST}" - echo "cloudfront:UpdateDistribution" >> "${PERMISION_LIST}" + cat <<-EOF > "${PERMISION_LIST}" + cloudfront:CreateCloudFrontOriginAccessIdentity + cloudfront:CreateDistribution + cloudfront:DeleteCloudFrontOriginAccessIdentity + cloudfront:DeleteDistribution + cloudfront:GetCloudFrontOriginAccessIdentity + cloudfront:GetCloudFrontOriginAccessIdentityConfig + cloudfront:GetDistribution + cloudfront:TagResource + cloudfront:UpdateDistributio + EOF fi create_jsoner_py diff --git a/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml b/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml index 6356cff928ee1..0489ab3d24b7b 100644 --- a/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml +++ b/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml @@ -41,7 +41,7 @@ ref: - name: EDGE_NODE_WORKER_ASSIGN_PUBLIC_IP default: "no" - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY - default: "" + default: "true" documentation: "Whether to use public only subnets. Implies no NAT gateways. Requires a VPC to be configured prior to install" - name: TF_LOG default: "INFO" diff --git a/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml b/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml index eb422b8c6b2c9..3480dde5ac5bd 100644 
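Review bot: In the -369 hunk the STS_USE_PRIVATE_S3 block now writes with `cat <<-EOF > "${PERMISION_LIST}"`, which truncates the file and discards the 33 ccoctl entries written by the heredoc immediately above it; the removed lines appended with `>>`, so this needs to be `cat <<-EOF >> "${PERMISION_LIST}"`. The last entry in that block also lost its final letter: the removed line granted `cloudfront:UpdateDistribution` while the new body has `cloudfront:UpdateDistributio`, which yields a policy statement that matches no action and will surface as an AccessDenied only when ccoctl tries to update the distribution. Both are one-character fixes on lines that are otherwise a faithful move of the echo list into a heredoc. The enclosing `if [[ "${AWS_CCOCTL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]` block continues past the end of the hunk.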
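Review bot: Flipping the default of OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY from "" to "true" in ipi-install-install-aws-ref.yaml (and identically in ipi-install-install-ref.yaml in the next hunk) changes the network topology of every job that inherits the default, but the documentation string on the same line still reads "Requires a VPC to be configured prior to install" with no mention of how that requirement is now met or how a job opts out. The documentation should state that the default is now "true", that the ipi-install chain inserts ipi-conf-aws-publicsubnets to provision the VPC, and which value a job sets to keep the installer-managed private subnets, since the conf script only checks for the literal string "true". A change of default this broad is also worth a sentence in the commit description naming the jobs it is expected to affect.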
--- a/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml +++ b/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml @@ -56,7 +56,7 @@ ref: default: "false" documentation: "Use AWS Spot Instances for *master* nodes. Set to 'true' to opt into spot instances. Explicitly set to 'false' to opt out. Leave unset for the default, which may change. Note that spot masters are only supported when installing with a) CAPI; or b) newer installer versions (see https://github.com/openshift/installer/pull/8349). A preflight check will fail if this variable is set to 'true' for an unsupported configuration." - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY - default: "" + default: "true" documentation: "Whether to use only public subnets for AWS. Implies no NAT Gateways. Requires a VPC to be configured prior to install." dependencies: - name: "release:latest" diff --git a/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml b/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml index 7c772c2d6f15d..4ccd1052e7525 100644 --- a/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml +++ b/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml @@ -4,6 +4,7 @@ chain: - ref: ipi-install-rbac - ref: openshift-cluster-bot-rbac - ref: ipi-install-hosted-loki + - ref: ipi-conf-aws-publicsubnets - ref: ipi-install-install - ref: ipi-install-times-collection - ref: nodes-readiness
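Review bot: The `- ref: ipi-conf-aws-publicsubnets` line is added to ipi-install-chain.yaml, whose neighbouring refs (ipi-install-rbac, openshift-cluster-bot-rbac, ipi-install-hosted-loki, ipi-install-install) look platform-neutral, so this AWS-specific step appears to run for every platform that uses the chain. With OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY now defaulting to "true" the early exit in ipi-conf-aws-publicsubnets-commands.sh does not fire, and the script then falls back to `${CLUSTER_PROFILE_DIR}/.awscred`, which non-AWS cluster profiles are unlikely to provide. If the chain is indeed shared, either leave the ref in the AWS pre chain (this commit removes it from ipi-aws-pre-publicsubnets-chain.yaml) or have the script exit early when the cluster type is not AWS; if it is AWS-only in practice, a comment on the ref saying so would save the next reader the same question.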