26 changes: 14 additions & 12 deletions modules/installation-aws-config-yaml.adoc
Expand Up @@ -123,6 +123,7 @@ ifdef::vpc[]
serviceEndpoints: <9>
- name: ec2
url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
hostedZone: Z3URY6TWQ91KVV <10>
endif::vpc[]
ifndef::vpc[]
amiID: ami-96c6f8f7 <7>
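Review bot: the new `hostedZone: Z3URY6TWQ91KVV <10>` line shows a concrete-looking zone ID with nothing in the snippet marking it as a sample, and readers copy `install-config.yaml` examples verbatim; either use an obvious placeholder in the same style as `<MY_TRUSTED_CA_CERT>` or have callout <10> tell the reader to replace it with the ID of their own zone. Putting the line only in the `ifdef::vpc[]` branch is right, since callout <10> makes the field conditional on supplying your own VPC.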
Expand All @@ -133,11 +134,11 @@ endif::vpc[]
pullSecret: '{"auths": ...}' <1>
ifdef::vpc[]
ifndef::openshift-origin[]
fips: false <10>
sshKey: ssh-ed25519 AAAA... <11>
fips: false <11>
sshKey: ssh-ed25519 AAAA... <12>
endif::openshift-origin[]
ifdef::openshift-origin[]
sshKey: ssh-ed25519 AAAA... <10>
sshKey: ssh-ed25519 AAAA... <11>
endif::openshift-origin[]
endif::vpc[]
ifndef::vpc[]
Expand All @@ -151,25 +152,25 @@ endif::openshift-origin[]
endif::vpc[]
ifdef::private[]
ifndef::openshift-origin[]
publish: Internal <12>
publish: Internal <13>
endif::openshift-origin[]
endif::private[]
ifdef::gov[]
ifndef::openshift-origin[]
additionalTrustBundle: | <13>
additionalTrustBundle: | <14>
-----BEGIN CERTIFICATE-----
<MY_TRUSTED_CA_CERT>
-----END CERTIFICATE-----
endif::openshift-origin[]
endif::gov[]
ifdef::private[]
ifdef::openshift-origin[]
publish: Internal <11>
publish: Internal <12>
endif::openshift-origin[]
endif::private[]
ifdef::gov[]
ifdef::openshift-origin[]
additionalTrustBundle: | <12>
additionalTrustBundle: | <13>
-----BEGIN CERTIFICATE-----
<MY_TRUSTED_CA_CERT>
-----END CERTIFICATE-----
Expand Down Expand Up @@ -215,13 +216,14 @@ must belong to the same region as the cluster.
<9> The AWS service endpoints. Custom endpoints are required when installing to
an unknown AWS region. The endpoint URL must use the `https` protocol and the
host must trust the certificate.
<10> The ID of your existing Route 53 private hosted zone. Providing an existing hosted zone requires that you supply your own VPC and the hosted zone is already associated with the VPC prior to installing your cluster. If undefined, the installation program creates a new hosted zone.
ifndef::openshift-origin[]
<10> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<11> You can optionally provide the `sshKey` value that you use to access the
<11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
<12> You can optionally provide the `sshKey` value that you use to access the
machines in your cluster.
endif::openshift-origin[]
ifdef::openshift-origin[]
<10> You can optionally provide the `sshKey` value that you use to access the
<11> You can optionally provide the `sshKey` value that you use to access the
machines in your cluster.
endif::openshift-origin[]
endif::vpc[]
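Review bot: callout <10> omits the domain constraint that the `platform.aws.hostedZone` row in `installation-configuration-parameters.adoc` states for the same field (the domain of the hosted zone must be the cluster domain or a parent of the cluster domain); the two descriptions should agree, so add that sentence here, for example directly after "already associated with the VPC prior to installing your cluster." Without it, a reader following only this module can hand the installer a zone that satisfies every stated condition and still fails the domain check.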
Expand All @@ -247,10 +249,10 @@ endif::vpc[]
For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
====
ifdef::private[]
<12> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the Internet. The default value is `External`.
<13> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the Internet. The default value is `External`.
endif::private[]
ifdef::gov[]
<13> The custom CA certificate. This is required when deploying to the AWS C2S Secret Region because the AWS API requires a custom CA trust bundle.
<14> The custom CA certificate. This is required when deploying to the AWS C2S Secret Region because the AWS API requires a custom CA trust bundle.
endif::gov[]

ifeval::["{context}" == "installing-aws-network-customizations"]
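Review bot: the renumbered explanations `<13>` for `publish` and `<14>` for `additionalTrustBundle` sit under plain `ifdef::private[]` and `ifdef::gov[]` with no `ifndef::openshift-origin[]` guard visible in this hunk, while the YAML above gives the `openshift-origin` variant `publish: Internal <12>` and `additionalTrustBundle: | <13>`. Unless the origin build has its own copies of these two explanations outside the hunk, the origin output will carry markers <12> and <13> in the example with no matching text and explanations <13> and <14> with no matching marker; please confirm the guards or add origin-specific copies as was done for `sshKey`.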
4 changes: 4 additions & 0 deletions modules/installation-configuration-parameters.adoc
Expand Up @@ -388,6 +388,10 @@ control plane machine pool.
belong to the same region as the cluster. This is required for regions that require a custom {op-system} AMI.
|Any published or custom {op-system} AMI that belongs to the set AWS region.

|`platform.aws.hostedZone`
|An existing Route 53 private hosted zone for the cluster. You can only use a pre-existing hosted zone when also supplying your own VPC. The hosted zone must already be associated with the user-provided VPC before installation. Also, the domain of the hosted zone must be the cluster domain or a parent of the cluster domain. If undefined, the installation program creates a new hosted zone.
|String, for example `Z3URY6TWQ91KVV`.

|`platform.aws.serviceEndpoints.name`
|The AWS service endpoint name. Custom endpoints are only required for cases
where alternative AWS endpoints, like FIPS, must be used. Custom API endpoints
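Review bot: the new row says a pre-existing hosted zone can only be used when you also supply your own VPC, but not what happens when `platform.aws.hostedZone` is set without one (whether the installer rejects the configuration or ignores the field), which is the detail a reader debugging a failed install needs; please state the behaviour. The row also uses "the cluster domain" without defining the term or linking to where it is defined, so a reader cannot check the "cluster domain or a parent of the cluster domain" condition against their zone name.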
2 changes: 1 addition & 1 deletion modules/installation-custom-aws-vpc.adoc
Expand Up @@ -30,7 +30,7 @@ Your VPC must meet the following characteristics:

* The VPC's CIDR block must contain the `Networking.MachineCIDR` range, which is the IP address pool for cluster machines.
* The VPC must not use the `kubernetes.io/cluster/.*: owned` tag.
* You must enable the `enableDnsSupport` and `enableDnsHostnames` attributes in your VPC so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support[DNS Support in Your VPC] in the AWS documentation.
* You must enable the `enableDnsSupport` and `enableDnsHostnames` attributes in your VPC so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support[DNS Support in Your VPC] in the AWS documentation. If you prefer using your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the `platform.aws.hostedZone` field in the `install-config.yaml` file.

If you use a cluster with public access, you must create a public and a private subnet for each availability zone that your cluster uses. The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify.

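Review bot: the added sentence says "Route 53 hosted private zone" where the rest of this change (callout <10> and the `platform.aws.hostedZone` row) says "private hosted zone"; use the one term throughout. Since the VPC association is a precondition the installer cannot create for you, a verification step would also help here, for example `aws route53 list-hosted-zones-by-vpc --vpc-id <vpc_id> --vpc-region <region>` to confirm the zone is listed for the VPC before running the installer.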