Amrita42 · August 1, 2022 19:26
diff --git a/gistfile2.txt b/gistfile2.txt
 // Module included in the following assemblies:
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-secret-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc

 ifeval::["{context}" == "installing-aws-network-customizations"]
 :with-networking:
 endif::[]
 ifeval::["{context}" != "installing-aws-network-customizations"]
 :without-networking:
 endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :vpc:
 endif::[]
 ifeval::["{context}" == "installing-aws-private"]
 :vpc:
 :private:
 endif::[]
 ifeval::["{context}" == "installing-aws-government-region"]
 :vpc:
 :private:
 :gov:
 endif::[]
 ifeval::["{context}" == "installing-aws-secret-region"]
 :vpc:
 :private:
 :secret:
 endif::[]
 ifeval::["{context}" == "installing-aws-china-region"]
 :vpc:
 :private:
 :china:
 endif::[]
 ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
 :restricted:
 endif::[]

 :_content-type: REFERENCE
 [id="installation-aws-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for AWS

 You can customize the installation configuration file (`install-config.yaml`) to specify more details about
 your {product-title} cluster's platform or modify the values of the required
 parameters.

 ifndef::china,gov,secret[]
 [IMPORTANT]
 ====
 This sample YAML file is provided for reference only. You must obtain your
 `install-config.yaml` file by using the installation program and modify it.
 ====
 endif::china,gov,secret[]

 ifdef::china,gov,secret[]
 [IMPORTANT]
 ====
 This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually.
 ====
 endif::china,gov,secret[]

 [source,yaml]
 ----
 apiVersion: v1
 baseDomain: example.com <1>
 credentialsMode: Mint <2>
 controlPlane: <3> <4>
  hyperthreading: Enabled <5>
  name: master
  platform:
    aws:
      zones:
 ifdef::china[]
      - cn-north-1a
      - cn-north-1b
 endif::china[]
 ifdef::gov[]
      - us-gov-west-1a
      - us-gov-west-1b
 endif::gov[]
 ifdef::secret[]
      - us-iso-east-1a
      - us-iso-east-1b
 endif::secret[]
 ifndef::gov,china,secret[]
      - us-west-2a
      - us-west-2b
 endif::gov,china,secret[]
      rootVolume:
        iops: 4000
        size: 500
        type: io1 <6>
      metadataService:
        authentication: Optional <7>
      type: m6i.xlarge
  replicas: 3
 compute: <3>
 - hyperthreading: Enabled <5>
  name: worker
  platform:
    aws:
      rootVolume:
        iops: 2000
        size: 500
        type: io1 <6>
      metadataService:
        authentication: Optional <7>
      type: c5.4xlarge
      zones:
 ifdef::china[]
      - cn-north-1a
 endif::china[]
 ifdef::gov[]
      - us-gov-west-1c
 endif::gov[]
 ifdef::secret[]
      - us-iso-east-1a
      - us-iso-east-1b
 endif::secret[]
 ifndef::gov,china,secret[]
      - us-west-2c
 endif::gov,china,secret[]
  replicas: 3
 metadata:
  name: test-cluster <1>
 ifdef::without-networking[]
 networking:
 endif::[]
 ifdef::with-networking[]
 networking: <3>
 endif::[]
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
 ifndef::openshift-origin[]
  networkType: OpenShiftSDN
 endif::openshift-origin[]
 ifdef::openshift-origin[]
  networkType: OVNKubernetes
 endif::openshift-origin[]
  serviceNetwork:
  - 172.30.0.0/16
 platform:
  aws:
 ifndef::gov,china,secret[]
    region: us-west-2 <1>
    propagateUserTags: true <3>
 endif::gov,china,secret[]
 ifdef::china[]
    region: cn-north-1 <1>
    propagateUserTags: true <3>
 endif::china[]
 ifdef::gov[]
    region: us-gov-west-1 <1>
    propagateUserTags: true <3>
 endif::gov[]
 ifdef::secret[]
    region: us-iso-east-1 <1>
    propagateUserTags: true <3>
 endif::secret[]
    userTags:
      adminContact: jdoe
      costCenter: 7536
 ifdef::vpc,restricted[]
    subnets: <8>
    - subnet-1
    - subnet-2
    - subnet-3
 ifndef::secret,china[]
    amiID: ami-96c6f8f7 <9>
 endif::secret,china[]
 ifdef::secret,china[]
    amiID: ami-96c6f8f7 <1> <9>
 endif::secret,china[]
    serviceEndpoints: <10>
      - name: ec2
 ifndef::china[]
        url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
 endif::china[]
 ifdef::china[]
        url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn
 endif::china[]
    hostedZone: Z3URY6TWQ91KVV <11>
 endif::vpc,restricted[]
 ifndef::vpc,restricted[]
    amiID: ami-96c6f8f7 <8>
    serviceEndpoints: <9>
      - name: ec2
        url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
 endif::vpc,restricted[]
 ifdef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <12>
 sshKey: ssh-ed25519 AAAA... <13>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <12>
 endif::openshift-origin[]
 endif::vpc,restricted[]
 ifndef::vpc,restricted[]
 ifndef::openshift-origin[]
 fips: false <10>
 sshKey: ssh-ed25519 AAAA... <11>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 sshKey: ssh-ed25519 AAAA... <10>
 endif::openshift-origin[]
 endif::vpc,restricted[]
 ifdef::private[]
 ifndef::openshift-origin[]
 publish: Internal <14>
 endif::openshift-origin[]
 endif::private[]
 ifndef::restricted[]
 pullSecret: '{"auths": ...}' <1>
 endif::restricted[]
 ifdef::restricted[]
 ifndef::openshift-origin[]
 pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <14>
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <13>
 endif::openshift-origin[]
 endif::restricted[]
 ifdef::secret[]
 ifndef::openshift-origin[]
 additionalTrustBundle: | <15>
    -----BEGIN CERTIFICATE-----
    <MY_TRUSTED_CA_CERT>
    -----END CERTIFICATE-----
 endif::openshift-origin[]
 endif::secret[]
 ifdef::private[]
 ifdef::openshift-origin[]
 publish: Internal <13>
 endif::openshift-origin[]
 endif::private[]
 ifdef::secret[]
 ifdef::openshift-origin[]
 additionalTrustBundle: | <14>
    -----BEGIN CERTIFICATE-----
    <MY_TRUSTED_CA_CERT>
    -----END CERTIFICATE-----
 endif::openshift-origin[]
 endif::secret[]
 ifdef::restricted[]
 ifndef::openshift-origin[]
 additionalTrustBundle: | <15>
    -----BEGIN CERTIFICATE-----
    <MY_TRUSTED_CA_CERT>
    -----END CERTIFICATE-----
 imageContentSources: <16>
 - mirrors:
  - <local_registry>/<local_repository_name>/release
  source: quay.io/openshift-release-dev/ocp-release
 - mirrors:
  - <local_registry>/<local_repository_name>/release
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 additionalTrustBundle: | <14>
    -----BEGIN CERTIFICATE-----
    <MY_TRUSTED_CA_CERT>
    -----END CERTIFICATE-----
 imageContentSources: <15>
 - mirrors:
  - <local_registry>/<local_repository_name>/release
  source: quay.io/openshift-release-dev/ocp-release
 - mirrors:
  - <local_registry>/<local_repository_name>/release
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
 endif::openshift-origin[]
 endif::restricted[]
 capabilities:
  baselineCapabilitySet: None
  additionalEnabledCapabilities:
  - openshift-samples

 ----
 ifndef::gov,secret,china[]
 <1> Required. The installation program prompts you for this value.
 endif::gov,secret,china[]
 ifdef::gov,secret,china[]
 <1> Required.
 endif::gov,secret,china[]
 <2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode, instead of having the CCO dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the _Cloud Credential Operator_ entry in the _Red Hat Operators reference_ content.
 <3> If you do not provide these parameters and values, the installation program
 provides the default value.
 <4> The `controlPlane` section is a single mapping, but the compute section is a
 sequence of mappings. To meet the requirements of the different data structures,
 the first line of the `compute` section must begin with a hyphen, `-`, and the
 first line of the `controlPlane` section must not. Although both sections
 currently define a single machine pool, it is possible that future versions
 of {product-title} will support defining multiple compute pools during
 installation. Only one control plane pool is used.
 <5> Whether to enable or disable simultaneous multithreading, or
 `hyperthreading`. By default, simultaneous multithreading is enabled
 to increase the performance of your machines' cores. You can disable it by
 setting the parameter value to `Disabled`. If you disable simultaneous
 multithreading in some cluster machines, you must disable it in all cluster
 machines.
 +
 [IMPORTANT]
 ====
 If you disable simultaneous multithreading, ensure that your capacity planning
 accounts for the dramatically decreased machine performance. Use larger
 instance types, such as `m4.2xlarge` or `m5.2xlarge`, for your machines if you
 disable simultaneous multithreading.
 ====
 <6> To configure faster storage for etcd, especially for larger clusters, set the
 storage type as `io1` and set `iops` to `2000`.
 <7> Whether to require the link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service v2] (IMDSv2). To require IMDSv2, set the parameter value to `Required`. To allow the use of both IMDSv1 and IMDSv2, set the parameter value to `Optional`. If no value is specified, both IMDSv1 and IMDSv2 are allowed.
 +
 [NOTE]
 ====
 The IMDS configuration for control plane machines that is set during cluster installation can only be changed by using the AWS CLI. The IMDS configuration for compute machines can be changed by using machine sets.
 ====
 ifdef::vpc,restricted[]
 <8> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
 <9> The ID of the AMI used to boot machines for the cluster. If set, the AMI
 must belong to the same region as the cluster.
 <10> The AWS service endpoints. Custom endpoints are required when installing to
 an unknown AWS region. The endpoint URL must use the `https` protocol and the
 host must trust the certificate.
 <11> The ID of your existing Route 53 private hosted zone. Providing an existing hosted zone requires that you supply your own VPC and the hosted zone is already associated with the VPC prior to installing your cluster. If undefined, the installation program creates a new hosted zone.
 ifndef::openshift-origin[]
 <12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
 [IMPORTANT]
 ====
 The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
 ====
 <13> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 <12> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
 endif::vpc,restricted[]
 ifndef::vpc,restricted[]
 <8> The ID of the AMI used to boot machines for the cluster. If set, the AMI
 must belong to the same region as the cluster.
 <9> The AWS service endpoints. Custom endpoints are required when installing to
 an unknown AWS region. The endpoint URL must use the `https` protocol and the
 host must trust the certificate.
 ifndef::openshift-origin[]
 <10> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
 +
 [IMPORTANT]
 ====
 The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
 ====
 <11> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 <10> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::openshift-origin[]
 endif::vpc,restricted[]
 +
 [NOTE]
 ====
 For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
 ====
 ifdef::private[]
 ifndef::openshift-origin[]
 <14> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 <13> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
 endif::openshift-origin[]
 endif::private[]
 ifdef::secret[]
 ifndef::openshift-origin[]
 <15> The custom CA certificate. This is required when deploying to the SC2S or C2S Regions because the AWS API requires a custom CA trust bundle.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 <14> The custom CA certificate. This is required when deploying to the SC2S or C2S Regions because the AWS API requires a custom CA trust bundle.
 endif::openshift-origin[]
 endif::secret[]
 ifdef::restricted[]
 ifndef::openshift-origin[]
 <14> For `<local_registry>`, specify the registry domain name, and optionally the
 port, that your mirror registry uses to serve content. For example
 `registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
 specify the base64-encoded user name and password for your mirror registry.
 <15> Provide the contents of the certificate file that you used for your mirror registry.
 <16> Provide the `imageContentSources` section from the output of the command to mirror the repository.
 endif::openshift-origin[]
 ifdef::openshift-origin[]
 <13> For `<local_registry>`, specify the registry domain name, and optionally the
 port, that your mirror registry uses to serve content. For example
 `registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
 specify the base64-encoded user name and password for your mirror registry.
 <14> Provide the contents of the certificate file that you used for your mirror registry.
 <15> Provide the `imageContentSources` section from the output of the command to mirror the repository.
 endif::openshift-origin[]
 endif::restricted[]

 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!with-networking:
 endif::[]
 ifeval::["{context}" != "installing-aws-network-customizations"]
 :!without-networking:
 endif::[]
 ifeval::["{context}" == "installing-aws-vpc"]
 :!vpc:
 endif::[]
 ifeval::["{context}" == "installing-aws-private"]
 :!vpc:
 :!private:
 endif::[]
 ifeval::["{context}" == "installing-aws-government-region"]
 :!vpc:
 :!private:
 :!gov:
 endif::[]
 ifeval::["{context}" == "installing-aws-secret-region"]
 :!vpc:
 :!private:
 :!secret:
 endif::[]
 ifeval::["{context}" == "installing-aws-china-region"]
 :!vpc:
 :!private:
 :!china:
 endif::[]
 ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
 :!restricted:
 endif::[]
	// Module included in the following assemblies:
	//
	// * installing/installing_aws/installing-aws-customizations.adoc
	// * installing/installing_aws/installing-aws-government-region.adoc
	// * installing/installing_aws/installing-aws-secret-region.adoc
	// * installing/installing_aws/installing-aws-network-customizations.adoc
	// * installing/installing_aws/installing-aws-private.adoc
	// * installing/installing_aws/installing-aws-vpc.adoc
	// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc

	ifeval::["{context}" == "installing-aws-network-customizations"]
	:with-networking:
	endif::[]
	ifeval::["{context}" != "installing-aws-network-customizations"]
	:without-networking:
	endif::[]
	ifeval::["{context}" == "installing-aws-vpc"]
	:vpc:
	endif::[]
	ifeval::["{context}" == "installing-aws-private"]
	:vpc:
	:private:
	endif::[]
	ifeval::["{context}" == "installing-aws-government-region"]
	:vpc:
	:private:
	:gov:
	endif::[]
	ifeval::["{context}" == "installing-aws-secret-region"]
	:vpc:
	:private:
	:secret:
	endif::[]
	ifeval::["{context}" == "installing-aws-china-region"]
	:vpc:
	:private:
	:china:
	endif::[]
	ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
	:restricted:
	endif::[]

	:_content-type: REFERENCE
	[id="installation-aws-config-yaml_{context}"]
	= Sample customized `install-config.yaml` file for AWS

	You can customize the installation configuration file (`install-config.yaml`) to specify more details about
	your {product-title} cluster's platform or modify the values of the required
	parameters.

	ifndef::china,gov,secret[]
	[IMPORTANT]
	====
	This sample YAML file is provided for reference only. You must obtain your
	`install-config.yaml` file by using the installation program and modify it.
	====
	endif::china,gov,secret[]

	ifdef::china,gov,secret[]
	[IMPORTANT]
	====
	This sample YAML file is provided for reference only. Use it as a resource to enter parameter values into the installation configuration file that you created manually.
	====
	endif::china,gov,secret[]

	[source,yaml]
	----
	apiVersion: v1
	baseDomain: example.com <1>
	credentialsMode: Mint <2>
	controlPlane: <3> <4>
	hyperthreading: Enabled <5>
	name: master
	platform:
	aws:
	zones:
	ifdef::china[]
	- cn-north-1a
	- cn-north-1b
	endif::china[]
	ifdef::gov[]
	- us-gov-west-1a
	- us-gov-west-1b
	endif::gov[]
	ifdef::secret[]
	- us-iso-east-1a
	- us-iso-east-1b
	endif::secret[]
	ifndef::gov,china,secret[]
	- us-west-2a
	- us-west-2b
	endif::gov,china,secret[]
	rootVolume:
	iops: 4000
	size: 500
	type: io1 <6>
	metadataService:
	authentication: Optional <7>
	type: m6i.xlarge
	replicas: 3
	compute: <3>
	- hyperthreading: Enabled <5>
	name: worker
	platform:
	aws:
	rootVolume:
	iops: 2000
	size: 500
	type: io1 <6>
	metadataService:
	authentication: Optional <7>
	type: c5.4xlarge
	zones:
	ifdef::china[]
	- cn-north-1a
	endif::china[]
	ifdef::gov[]
	- us-gov-west-1c
	endif::gov[]
	ifdef::secret[]
	- us-iso-east-1a
	- us-iso-east-1b
	endif::secret[]
	ifndef::gov,china,secret[]
	- us-west-2c
	endif::gov,china,secret[]
	replicas: 3
	metadata:
	name: test-cluster <1>
	ifdef::without-networking[]
	networking:
	endif::[]
	ifdef::with-networking[]
	networking: <3>
	endif::[]
	clusterNetwork:
	- cidr: 10.128.0.0/14
	hostPrefix: 23
	machineNetwork:
	- cidr: 10.0.0.0/16
	ifndef::openshift-origin[]
	networkType: OpenShiftSDN
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	networkType: OVNKubernetes
	endif::openshift-origin[]
	serviceNetwork:
	- 172.30.0.0/16
	platform:
	aws:
	ifndef::gov,china,secret[]
	region: us-west-2 <1>
	propagateUserTags: true <3>
	endif::gov,china,secret[]
	ifdef::china[]
	region: cn-north-1 <1>
	propagateUserTags: true <3>
	endif::china[]
	ifdef::gov[]
	region: us-gov-west-1 <1>
	propagateUserTags: true <3>
	endif::gov[]
	ifdef::secret[]
	region: us-iso-east-1 <1>
	propagateUserTags: true <3>
	endif::secret[]
	userTags:
	adminContact: jdoe
	costCenter: 7536
	ifdef::vpc,restricted[]
	subnets: <8>
	- subnet-1
	- subnet-2
	- subnet-3
	ifndef::secret,china[]
	amiID: ami-96c6f8f7 <9>
	endif::secret,china[]
	ifdef::secret,china[]
	amiID: ami-96c6f8f7 <1> <9>
	endif::secret,china[]
	serviceEndpoints: <10>
	- name: ec2
	ifndef::china[]
	url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
	endif::china[]
	ifdef::china[]
	url: https://vpce-id.ec2.cn-north-1.vpce.amazonaws.com.cn
	endif::china[]
	hostedZone: Z3URY6TWQ91KVV <11>
	endif::vpc,restricted[]
	ifndef::vpc,restricted[]
	amiID: ami-96c6f8f7 <8>
	serviceEndpoints: <9>
	- name: ec2
	url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
	endif::vpc,restricted[]
	ifdef::vpc,restricted[]
	ifndef::openshift-origin[]
	fips: false <12>
	sshKey: ssh-ed25519 AAAA... <13>
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	sshKey: ssh-ed25519 AAAA... <12>
	endif::openshift-origin[]
	endif::vpc,restricted[]
	ifndef::vpc,restricted[]
	ifndef::openshift-origin[]
	fips: false <10>
	sshKey: ssh-ed25519 AAAA... <11>
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	sshKey: ssh-ed25519 AAAA... <10>
	endif::openshift-origin[]
	endif::vpc,restricted[]
	ifdef::private[]
	ifndef::openshift-origin[]
	publish: Internal <14>
	endif::openshift-origin[]
	endif::private[]
	ifndef::restricted[]
	pullSecret: '{"auths": ...}' <1>
	endif::restricted[]
	ifdef::restricted[]
	ifndef::openshift-origin[]
	pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <14>
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}}' <13>
	endif::openshift-origin[]
	endif::restricted[]
	ifdef::secret[]
	ifndef::openshift-origin[]
	additionalTrustBundle: \| <15>
	-----BEGIN CERTIFICATE-----
	<MY_TRUSTED_CA_CERT>
	-----END CERTIFICATE-----
	endif::openshift-origin[]
	endif::secret[]
	ifdef::private[]
	ifdef::openshift-origin[]
	publish: Internal <13>
	endif::openshift-origin[]
	endif::private[]
	ifdef::secret[]
	ifdef::openshift-origin[]
	additionalTrustBundle: \| <14>
	-----BEGIN CERTIFICATE-----
	<MY_TRUSTED_CA_CERT>
	-----END CERTIFICATE-----
	endif::openshift-origin[]
	endif::secret[]
	ifdef::restricted[]
	ifndef::openshift-origin[]
	additionalTrustBundle: \| <15>
	-----BEGIN CERTIFICATE-----
	<MY_TRUSTED_CA_CERT>
	-----END CERTIFICATE-----
	imageContentSources: <16>
	- mirrors:
	- <local_registry>/<local_repository_name>/release
	source: quay.io/openshift-release-dev/ocp-release
	- mirrors:
	- <local_registry>/<local_repository_name>/release
	source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	additionalTrustBundle: \| <14>
	-----BEGIN CERTIFICATE-----
	<MY_TRUSTED_CA_CERT>
	-----END CERTIFICATE-----
	imageContentSources: <15>
	- mirrors:
	- <local_registry>/<local_repository_name>/release
	source: quay.io/openshift-release-dev/ocp-release
	- mirrors:
	- <local_registry>/<local_repository_name>/release
	source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
	endif::openshift-origin[]
	endif::restricted[]
	capabilities:
	baselineCapabilitySet: None
	additionalEnabledCapabilities:
	- openshift-samples

	----
	ifndef::gov,secret,china[]
	<1> Required. The installation program prompts you for this value.
	endif::gov,secret,china[]
	ifdef::gov,secret,china[]
	<1> Required.
	endif::gov,secret,china[]
	<2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode, instead of having the CCO dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the _Cloud Credential Operator_ entry in the _Red Hat Operators reference_ content.
	<3> If you do not provide these parameters and values, the installation program
	provides the default value.
	<4> The `controlPlane` section is a single mapping, but the compute section is a
	sequence of mappings. To meet the requirements of the different data structures,
	the first line of the `compute` section must begin with a hyphen, `-`, and the
	first line of the `controlPlane` section must not. Although both sections
	currently define a single machine pool, it is possible that future versions
	of {product-title} will support defining multiple compute pools during
	installation. Only one control plane pool is used.
	<5> Whether to enable or disable simultaneous multithreading, or
	`hyperthreading`. By default, simultaneous multithreading is enabled
	to increase the performance of your machines' cores. You can disable it by
	setting the parameter value to `Disabled`. If you disable simultaneous
	multithreading in some cluster machines, you must disable it in all cluster
	machines.
	+
	[IMPORTANT]
	====
	If you disable simultaneous multithreading, ensure that your capacity planning
	accounts for the dramatically decreased machine performance. Use larger
	instance types, such as `m4.2xlarge` or `m5.2xlarge`, for your machines if you
	disable simultaneous multithreading.
	====
	<6> To configure faster storage for etcd, especially for larger clusters, set the
	storage type as `io1` and set `iops` to `2000`.
	<7> Whether to require the link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service v2] (IMDSv2). To require IMDSv2, set the parameter value to `Required`. To allow the use of both IMDSv1 and IMDSv2, set the parameter value to `Optional`. If no value is specified, both IMDSv1 and IMDSv2 are allowed.
	+
	[NOTE]
	====
	The IMDS configuration for control plane machines that is set during cluster installation can only be changed by using the AWS CLI. The IMDS configuration for compute machines can be changed by using machine sets.
	====
	ifdef::vpc,restricted[]
	<8> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
	<9> The ID of the AMI used to boot machines for the cluster. If set, the AMI
	must belong to the same region as the cluster.
	<10> The AWS service endpoints. Custom endpoints are required when installing to
	an unknown AWS region. The endpoint URL must use the `https` protocol and the
	host must trust the certificate.
	<11> The ID of your existing Route 53 private hosted zone. Providing an existing hosted zone requires that you supply your own VPC and the hosted zone is already associated with the VPC prior to installing your cluster. If undefined, the installation program creates a new hosted zone.
	ifndef::openshift-origin[]
	<12> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
	+
	[IMPORTANT]
	====
	The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
	====
	<13> You can optionally provide the `sshKey` value that you use to access the
	machines in your cluster.
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	<12> You can optionally provide the `sshKey` value that you use to access the
	machines in your cluster.
	endif::openshift-origin[]
	endif::vpc,restricted[]
	ifndef::vpc,restricted[]
	<8> The ID of the AMI used to boot machines for the cluster. If set, the AMI
	must belong to the same region as the cluster.
	<9> The AWS service endpoints. Custom endpoints are required when installing to
	an unknown AWS region. The endpoint URL must use the `https` protocol and the
	host must trust the certificate.
	ifndef::openshift-origin[]
	<10> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
	+
	[IMPORTANT]
	====
	The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
	====
	<11> You can optionally provide the `sshKey` value that you use to access the
	machines in your cluster.
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	<10> You can optionally provide the `sshKey` value that you use to access the
	machines in your cluster.
	endif::openshift-origin[]
	endif::vpc,restricted[]
	+
	[NOTE]
	====
	For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
	====
	ifdef::private[]
	ifndef::openshift-origin[]
	<14> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	<13> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
	endif::openshift-origin[]
	endif::private[]
	ifdef::secret[]
	ifndef::openshift-origin[]
	<15> The custom CA certificate. This is required when deploying to the SC2S or C2S Regions because the AWS API requires a custom CA trust bundle.
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	<14> The custom CA certificate. This is required when deploying to the SC2S or C2S Regions because the AWS API requires a custom CA trust bundle.
	endif::openshift-origin[]
	endif::secret[]
	ifdef::restricted[]
	ifndef::openshift-origin[]
	<14> For `<local_registry>`, specify the registry domain name, and optionally the
	port, that your mirror registry uses to serve content. For example
	`registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
	specify the base64-encoded user name and password for your mirror registry.
	<15> Provide the contents of the certificate file that you used for your mirror registry.
	<16> Provide the `imageContentSources` section from the output of the command to mirror the repository.
	endif::openshift-origin[]
	ifdef::openshift-origin[]
	<13> For `<local_registry>`, specify the registry domain name, and optionally the
	port, that your mirror registry uses to serve content. For example
	`registry.example.com` or `registry.example.com:5000`. For `<credentials>`,
	specify the base64-encoded user name and password for your mirror registry.
	<14> Provide the contents of the certificate file that you used for your mirror registry.
	<15> Provide the `imageContentSources` section from the output of the command to mirror the repository.
	endif::openshift-origin[]
	endif::restricted[]

	ifeval::["{context}" == "installing-aws-network-customizations"]
	:!with-networking:
	endif::[]
	ifeval::["{context}" != "installing-aws-network-customizations"]
	:!without-networking:
	endif::[]
	ifeval::["{context}" == "installing-aws-vpc"]
	:!vpc:
	endif::[]
	ifeval::["{context}" == "installing-aws-private"]
	:!vpc:
	:!private:
	endif::[]
	ifeval::["{context}" == "installing-aws-government-region"]
	:!vpc:
	:!private:
	:!gov:
	endif::[]
	ifeval::["{context}" == "installing-aws-secret-region"]
	:!vpc:
	:!private:
	:!secret:
	endif::[]
	ifeval::["{context}" == "installing-aws-china-region"]
	:!vpc:
	:!private:
	:!china:
	endif::[]
	ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
	:!restricted:
	endif::[]