openshift · openshift-merge-bot · Mar 5, 2025 · Feb 28, 2025
diff --git a/...ft-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml b/...ft-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml
@@ -295,11 +295,12 @@ tests:
     test:
     - chain: openshift-upgrade-qe-test
     workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service
-- as: aws-ipi-workers-marketplace-f28
+- as: aws-ipi-workers-marketplace-mini-perm-f28
   cron: 12 6 26 * *
   steps:
     cluster_profile: aws-qe
     env:
+      AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
       BASE_DOMAIN: qe.devcluster.openshift.com
     test:
     - chain: openshift-upgrade-qe-test

diff --git a/...ft/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml b/...ft/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml
@@ -121,6 +121,20 @@ tests:
       ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false"
       OCP_ARCH: arm64
     workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role
+- as: aws-ipi-byo-subnets-only-public-mini-perm-arm-f14
+  cron: 34 18 1,17 * *
+  steps:
+    cluster_profile: aws-qe
+    dependencies:
+      OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
+    env:
+      AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: m6g.xlarge
+      CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge
+      OCP_ARCH: arm64
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
+    workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets
 - as: aws-ipi-default-mini-perm-arm-f7
   cron: 56 23 6,15,22,29 * *
   steps:

diff --git a/...ft/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml b/...ft/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml
@@ -121,6 +121,20 @@ tests:
       ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false"
       OCP_ARCH: arm64
     workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role
+- as: aws-ipi-byo-subnets-only-public-mini-perm-arm-f14
+  cron: 32 8 8,24 * *
+  steps:
+    cluster_profile: aws-qe
+    dependencies:
+      OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
+    env:
+      AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: m6g.xlarge
+      CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge
+      OCP_ARCH: arm64
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
+    workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets
 - as: aws-ipi-default-mini-perm-arm-f7
   cron: 7 21 4,11,20,27 * *
   steps:

diff --git a/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml b/...ift/openshift-tests-private/openshift-openshift-tests-private-release-4.19-periodics.yaml
@@ -2367,7 +2367,7 @@ periodics:
     ci-operator.openshift.io/variant: amd64-nightly-4.19-upgrade-from-stable-4.18
     ci.openshift.io/generator: prowgen
     pj-rehearse.openshift.io/can-be-rehearsed: "true"
-  name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-f28
+  name: periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-4.19-upgrade-from-stable-4.18-aws-ipi-workers-marketplace-mini-perm-f28
   spec:
     containers:
     - args:
@@ -2377,7 +2377,7 @@ periodics:
       - --oauth-token-path=/usr/local/github-credentials/oauth
       - --report-credentials-file=/etc/report/credentials
       - --secret-dir=/secrets/ci-pull-credentials
-      - --target=aws-ipi-workers-marketplace-f28
+      - --target=aws-ipi-workers-marketplace-mini-perm-f28
       - --variant=amd64-nightly-4.19-upgrade-from-stable-4.18
       command:
       - ci-operator

diff --git a/...ator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml b/...ator/jobs/openshift/verification-tests/openshift-verification-tests-master-periodics.yaml
@@ -12529,6 +12529,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 34 18 1,17 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: verification-tests
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-qe
+    ci-operator.openshift.io/variant: installation-nightly-4.18
+    ci.openshift.io/generator: prowgen
+    job-release: "4.18"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-mini-perm-arm-f14
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=aws-ipi-byo-subnets-only-public-mini-perm-arm-f14
+      - --variant=installation-nightly-4.18
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 56 23 6,15,22,29 * *
@@ -17556,6 +17631,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  cron: 32 8 8,24 * *
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: verification-tests
+  labels:
+    ci-operator.openshift.io/cloud: aws
+    ci-operator.openshift.io/cloud-cluster-profile: aws-qe
+    ci-operator.openshift.io/variant: installation-nightly-4.19
+    ci.openshift.io/generator: prowgen
+    job-release: "4.19"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-verification-tests-master-installation-nightly-4.19-aws-ipi-byo-subnets-only-public-mini-perm-arm-f14
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=aws-ipi-byo-subnets-only-public-mini-perm-arm-f14
+      - --variant=installation-nightly-4.19
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   cron: 7 21 4,11,20,27 * *

diff --git a/...r/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh b/...r/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh
@@ -31,19 +31,24 @@ fi
 
 echo "infra_id: $infra_id"
 vpc_id=$(head -n 1 ${SHARED_DIR}/vpc_id)
-private_subnet_ids=$(yq-go r -j ${SHARED_DIR}/private_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
 
-if [[ -z $vpc_id ]] || [[ -z $private_subnet_ids ]] || [[ -z $infra_id ]] || [[ "${infra_id}" == "null" ]]; then
+if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" == "true" ]]; then
+    subnet_ids=$(yq-go r -j ${SHARED_DIR}/public_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
+else
+    subnet_ids=$(yq-go r -j ${SHARED_DIR}/private_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
+fi
+
+if [[ -z $vpc_id ]] || [[ -z $subnet_ids ]] || [[ -z $infra_id ]] || [[ "${infra_id}" == "null" ]]; then
   echo "Error: Can not get VPC id or private subnets, exit"
-  echo "vpc: $vpc_id, private_subnet_ids: $private_subnet_ids"
+  echo "vpc: $vpc_id, subnet_ids: $subnet_ids"
   exit 1
 fi
 
 echo "Adding tags for VPC: $vpc_id, tags: kubernetes.io/cluster/${infra_id}, value: shared."
 aws --region $REGION ec2 create-tags --resources $vpc_id --tags Key=kubernetes.io/cluster/${infra_id},Value=shared
 
-echo "Adding tags for private subnets:$private_subnet_ids, tags: kubernetes.io/role/internal-elb, value is empty."
-aws --region $REGION ec2 create-tags --resources $private_subnet_ids --tags Key=kubernetes.io/role/internal-elb,Value=
+echo "Adding tags for subnets:$subnet_ids, tags: kubernetes.io/role/internal-elb, value is empty."
+aws --region $REGION ec2 create-tags --resources $subnet_ids --tags Key=kubernetes.io/role/internal-elb,Value=
 
 if [[ ${ENABLE_AWS_EDGE_ZONE} == "yes" ]] && [[ ${EDGE_ZONE_TYPES} == "outpost" ]]; then
   edge_zone_public_subnet_id=$(head -n 1 "${SHARED_DIR}/edge_zone_public_subnet_id")

diff --git a/...ator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-ref.yaml b/...ator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-ref.yaml
@@ -19,6 +19,10 @@ ref:
     default: "no"
   - name: EDGE_ZONE_TYPES
     default: "local-zone"
+  - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
+    default: ""
+    documentation: |-
+      Whether to use only public subnets for AWS. Implies no NAT Gateways.
   documentation: |-
     Create required tags for BYO VPC, see [1][2] for more details.
     [1] https://bugzilla.redhat.com/show_bug.cgi?id=2075072