openshift
diff --git a/‎config/v1/0000_10_config-operator_01_dns.crd.yaml‎
Lines changed: 41 additions & 0 deletions b/‎config/v1/0000_10_config-operator_01_dns.crd.yaml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎config/v1/stable.dns.testsuite.yaml‎
Lines changed: 91 additions & 0 deletions b/‎config/v1/stable.dns.testsuite.yaml‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎config/v1/types_dns.go‎
Lines changed: 37 additions & 0 deletions b/‎config/v1/types_dns.go‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.deepcopy.go‎
Lines changed: 38 additions & 0 deletions b/‎config/v1/zz_generated.deepcopy.go‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.swagger_doc_generated.go‎
Lines changed: 20 additions & 0 deletions b/‎config/v1/zz_generated.swagger_doc_generated.go‎
Lines changed: 20 additions & 0 deletions
@@ -39,6 +39,47 @@ spec:
                 baseDomain:
                   description: "baseDomain is the base domain of the cluster. All managed DNS records will be sub-domains of this base. \n For example, given the base domain `openshift.example.com`, an API server DNS record may be created for `cluster-api.openshift.example.com`. \n Once set, this field cannot be changed."
                   type: string
+                platform:
+                  description: platform holds configuration specific to the underlying infrastructure provider for DNS. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time.
+                  type: object
+                  required:
+                    - type
+                  properties:
+                    aws:
+                      description: aws contains DNS configuration specific to the Amazon Web Services cloud provider.
+                      type: object
+                      properties:
+                        privateZoneIAMRole:
+                          description: privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing operations on the cluster's private hosted zone specified in the cluster DNS config. When left empty, no role should be assumed.
+                          type: string
+                          pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$
+                    type:
+                      description: "type is the underlying infrastructure provider for the cluster. Allowed values: \"\", \"AWS\". \n Individual components may not support all platforms, and must handle unrecognized platforms with best-effort defaults."
+                      type: string
+                      enum:
+                        - ""
+                        - AWS
+                        - Azure
+                        - BareMetal
+                        - GCP
+                        - Libvirt
+                        - OpenStack
+                        - None
+                        - VSphere
+                        - oVirt
+                        - IBMCloud
+                        - KubeVirt
+                        - EquinixMetal
+                        - PowerVS
+                        - AlibabaCloud
+                        - Nutanix
+                        - External
+                      x-kubernetes-validations:
+                        - rule: self in ['','AWS']
+                          message: allowed values are '' and 'AWS'
+                  x-kubernetes-validations:
+                    - rule: 'has(self.type) && self.type == ''AWS'' ?  has(self.aws) : !has(self.aws)'
+                      message: aws configuration is required when platform is AWS, and forbidden otherwise
                 privateZone:
                   description: "privateZone is the location where all the DNS records that are only available internally to the cluster exist. \n If this field is nil, no private records should be created. \n Once set, this field cannot be changed."
                   type: object
 
@@ -12,3 +12,94 @@ tests:
       apiVersion: config.openshift.io/v1
       kind: DNS
       spec: {}
+  - name: Should be able to specify an AWS role ARN for a private hosted zone
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: AWS
+          aws:
+            privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: AWS
+          aws:
+            privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+  - name: Should not be able to specify unsupported platform
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: Azure
+          azure:
+            privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+    expectedError: "Invalid value: \"string\": allowed values are '' and 'AWS'"
+  - name: Should not be able to specify invalid AWS role ARN
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      metadata:
+        name: cluster
+      spec:
+        platform:
+          type: AWS
+          aws:
+            privateZoneIAMRole: arn:aws:iam:bad:123456789012:role/foo
+    expectedError: "DNS.config.openshift.io \"cluster\" is invalid: spec.platform.aws.privateZoneIAMRole: Invalid value: \"arn:aws:iam:bad:123456789012:role/foo\": spec.platform.aws.privateZoneIAMRole in body should match '^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\\/.*$'"
+  - name: Should not be able to specify different type and platform
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: ""
+          aws:
+            privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+    expectedError: "Invalid value: \"object\": aws configuration is required when platform is AWS, and forbidden otherwise"
+  onUpdate:
+  - name: Can switch from empty (default), to AWS
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: ""
+    updated: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: AWS
+          aws:
+            privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: AWS
+          aws:
+            privateZoneIAMRole: arn:aws:iam::123456789012:role/foo
+  - name: Upgrade case is valid
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec: {} # No spec is required for a DNS
+    updated: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: ""
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: DNS
+      spec:
+        platform:
+          type: ""
+
@@ -50,6 +50,12 @@ type DNSSpec struct {
 	//
 	// +optional
 	PrivateZone *DNSZone `json:"privateZone,omitempty"`
+	// platform holds configuration specific to the underlying
+	// infrastructure provider for DNS.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// +optional
+	Platform DNSPlatformSpec `json:"platform,omitempty"`
 }
 
 // DNSZone is used to define a DNS hosted zone.
@@ -90,3 +96,34 @@ type DNSList struct {
 
 	Items []DNS `json:"items"`
 }
+
+// DNSPlatformSpec holds cloud-provider-specific configuration
+// for DNS administration.
+// +union
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ?  has(self.aws) : !has(self.aws)",message="aws configuration is required when platform is AWS, and forbidden otherwise"
+type DNSPlatformSpec struct {
+	// type is the underlying infrastructure provider for the cluster.
+	// Allowed values: "", "AWS".
+	//
+	// Individual components may not support all platforms,
+	// and must handle unrecognized platforms with best-effort defaults.
+	//
+	// +unionDiscriminator
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:rule="self in ['','AWS']",message="allowed values are '' and 'AWS'"
+	Type PlatformType `json:"type"`
+
+	// aws contains DNS configuration specific to the Amazon Web Services cloud provider.
+	// +optional
+	AWS *AWSDNSSpec `json:"aws"`
+}
+
+// AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider.
+type AWSDNSSpec struct {
+	// privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
+	// operations on the cluster's private hosted zone specified in the cluster DNS config.
+	// When left empty, no role should be assumed.
+	// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$`
+	// +optional
+	PrivateZoneIAMRole string `json:"privateZoneIAMRole"`
+}