Infrastructure Resources for Huawei Cloud Stack

Overview

Before you write YAML for a Huawei Cloud Stack (HCS) cluster, prepare all required HCS inputs first. This page lists the values, sources, and constraints that must be ready before you fill any Secret, HCSMachineConfigPool, HCSMachineTemplate, KubeadmControlPlane, or HCSCluster manifest.

Use this page as the preparation checklist. After you complete it, continue with Creating Clusters on Huawei Cloud Stack and Managing Nodes on Huawei Cloud Stack for the manifest workflow.

Info (Namespace Requirement): All HCS infrastructure resources must be deployed in the cpaas-system namespace to ensure proper integration with the platform as business clusters.

Before Writing YAML

Prepare the following inputs before you create or edit any cluster manifests:

| Input | Used by | Source | Required before YAML | Notes |
|---|---|---|---|---|
| Cluster name | Cluster, KubeadmControlPlane, HCSCluster, templates, pools | Your cluster naming plan | Yes | Use the same cluster name consistently across all related resources |
| Kubernetes version and component baseline | Cluster, KubeadmControlPlane | Approved release baseline and OS Support Matrix | Yes | Prepare the validated Kubernetes version, image repository, DNS image repository and tag, etcd image tag, Kube-OVN version, Pod CIDR, Service CIDR, and Kube-OVN join CIDR |
| accessKey and secretKey | HCS credential Secret | HCS My Settings > Access Keys | Yes | Base64-encode these values before applying the Secret |
| projectID | HCS credential Secret | HCS My Settings > Resource Spaces | Yes | Use the Resource Space ID, not the display name |
| externalGlobalDomain | HCS credential Secret | HCS platform access domain | Yes | Use the HCS platform domain that the provider should call |
| region | HCS credential Secret | HCS administrator | Yes | Tenant administrators cannot retrieve this value from the HCS UI |
| imageName | HCSMachineTemplate | HCS image inventory | Yes | Use the validated HCS image name for the selected MicroOS image |
| flavorName | HCSMachineTemplate | HCS administrator | Yes | Use the provider-recognized HCS API value matched against Flavor.Name, not the tenant UI display name |
| availabilityZone | HCSMachineTemplate | HCS administrator | Yes | Use the provider-recognized HCS API value matched against ZoneName, not the tenant UI display name |
| Root and data volume layout | HCSMachineTemplate | Cluster storage plan | Yes | Plan disk sizes and mount points before you write the template. Include /var/lib/etcd, /var/lib/kubelet, /var/lib/containerd, and /var/cpaas where required |
| VPC name and security group name | HCSCluster | HCS network inventory | Yes | Confirm that the referenced VPC and security group already exist and are usable |
| Cluster subnet inventory | HCSCluster, HCSMachineConfigPool, control plane ELB | HCS network inventory | Yes | Prepare every subnet name, CIDR, and planned free IP range that the cluster will use |
| Control plane and worker hostnames and static IPs | HCSMachineConfigPool | HCS subnet planning | Yes for static IP workflows | Prepare at least one entry per planned replica |
| vipAddress and vipSubnetName | HCSCluster.spec.controlPlaneLoadBalancer | HCS ELB address plan | Yes when you want fixed ELB addresses | vipAddress must belong to vipSubnetName |
| elbVirsubnetL4Ips and elbVirsubnetL7Ips | HCSCluster.spec.controlPlaneLoadBalancer | HCS ELB address plan | Yes when you want fixed ELB addresses | Each L4 or L7 entry must include exactly two IPs |
| vipDomainName | HCSCluster.spec.controlPlaneLoadBalancer | HCS Cloud DNS Private Zones | Recommended | Configure the domain so it already resolves to vipAddress |
| controlPlaneEndpoint | Cluster.status / derived cluster endpoint | Controller-managed | No | Do not prepare or write this field in create manifests; the controller fills it after the ELB is ready |

Credential Secret Inputs

Create the HCS credential Secret only after you collect all required values.

| Secret key | Meaning | Where to get it |
|---|---|---|
| accessKey | HCS access key ID | HCS My Settings > Access Keys |
| secretKey | HCS secret access key | HCS My Settings > Access Keys |
| projectID | Resource Space ID | HCS My Settings > Resource Spaces |
| externalGlobalDomain | HCS platform access domain | HCS platform domain provided for API access |
| region | HCS region API value used by the provider | HCS administrator |

Note: Tenant administrators cannot retrieve region from the HCS UI. Get the exact provider-recognized value from the HCS administrator before you encode the Secret.

Compute Values

Prepare the VM image, flavor, availability zone, and disk layout before you write the HCSMachineTemplate.

| Input | Guidance |
|---|---|
| imageName | Use the validated HCS image name for the MicroOS image you want to deploy |
| flavorName | Use the provider-recognized HCS API value matched against Flavor.Name. Do not use the tenant UI display name |
| availabilityZone | Use the provider-recognized HCS API value matched against ZoneName. Do not use the tenant UI display name |
| Root and data volumes | Plan system and data disks in advance. Control plane templates typically require /var/lib/etcd, /var/lib/kubelet, /var/lib/containerd, and /var/cpaas. Worker templates typically require /var/lib/kubelet, /var/lib/containerd, and /var/cpaas |

Note: Tenant administrators cannot retrieve the provider-recognized flavorName and availabilityZone values from the HCS UI. Get the exact API values from the HCS administrator before you write the manifest.

Network Inventory

Prepare the complete cluster network inventory before you write HCSCluster or HCSMachineConfigPool resources.

Your network plan must include:

  • The target VPC name
  • The target security group name
  • Every subnet name the cluster will use
  • The CIDR of each subnet
  • The planned free IP ranges for control plane nodes, worker nodes, the ELB VIP, and ELB L4/L7 virtual subnet IPs

If a single cluster uses multiple subnets, those subnets must belong to the same VPC and must allow cluster nodes to reach each other.

Important: HCSCluster.spec.network.subnets is the cluster subnet inventory. Every subnetName referenced by HCSMachineConfigPool, vipSubnetName, elbVirsubnetL4Ips[].subnetName, and elbVirsubnetL7Ips[].subnetName must already exist in that list.

Control Plane ELB Address Plan

The HCS provider creates the control plane ELB automatically. Plan the ELB inputs before you write HCSCluster.

Fixed-address planning

When you want to fix all ELB-related addresses, prepare:

  • vipSubnetName
  • vipAddress
  • elbVirsubnetL4Ips with exactly two L4 IPs
  • elbVirsubnetL7Ips with exactly two L7 IPs
  • Optional vipDomainName

If you set vipDomainName, configure HCS Cloud DNS Private Zones so the domain already resolves to vipAddress.

Operational constraints

  • The provider creates the ELB and enables Hybrid Load Balancing so cluster nodes can reach the API server through the ELB address.
  • Do not disable Hybrid Load Balancing on the HCS ELB after the cluster is created.
  • Do not write spec.controlPlaneEndpoint in the create manifest. The controller fills that field after the ELB is ready.

Static IP Pool Plan

This page focuses on the planned static IP workflow.

Prepare the following before you create HCSMachineConfigPool resources:

  • Control plane hostnames and static IPs
  • Worker hostnames and static IPs, if workers are created
  • Enough entries to cover the initial replica count

For static IP control planes, the recommended upgrade path uses KubeadmControlPlane.spec.rolloutStrategy.rollingUpdate.maxSurge: 0. This scale-down-then-scale-up approach usually does not require extra control plane IPs. Prepare additional hostname and IP slots only when you plan to increase control plane replicas or set maxSurge greater than 0.
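
The constraints from Network Inventory, Control Plane ELB Address Plan, and Static IP Pool Plan can be checked against a written-down plan before any manifest exists. The following pre-flight check is an added example, not part of the HCS provider or the platform. The plan dictionary layout, the "ips", "ip", "pools", "configs" nesting and "replicas" keys, and all sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample plan. The dict layout is an assumption of this example,
# not the CRD schema; only the field names quoted on this page are real.
PLAN = {
    "subnets": {"cp-subnet": "10.10.0.0/24", "elb-subnet": "10.10.1.0/24"},
    "vipSubnetName": "elb-subnet",
    "vipAddress": "10.10.1.10",
    "elbVirsubnetL4Ips": [{"subnetName": "elb-subnet", "ips": ["10.10.1.11", "10.10.1.12"]}],
    "elbVirsubnetL7Ips": [{"subnetName": "elb-subnet", "ips": ["10.10.1.13", "10.10.1.14"]}],
    "pools": [{"name": "control-plane", "subnetName": "cp-subnet", "replicas": 3,
               "configs": [{"hostname": "cp-1", "ip": "10.10.0.11"},
                           {"hostname": "cp-2", "ip": "10.10.0.12"},
                           {"hostname": "cp-3", "ip": "10.10.0.13"}]}],
}

def validate_plan(plan):
    """Return violations of this page's constraints, plus duplicate planned IPs."""
    errors, seen = [], {}
    nets = {n: ipaddress.ip_network(c) for n, c in plan["subnets"].items()}

    def check(ip, subnet, owner):
        # Every referenced subnetName must exist in the cluster subnet inventory.
        if subnet not in nets:
            errors.append(f"{owner}: subnet {subnet!r} is not in the subnet inventory")
        elif ipaddress.ip_address(ip) not in nets[subnet]:
            errors.append(f"{owner}: {ip} is outside {subnet} ({nets[subnet]})")
        if ip in seen:  # extra sanity check: one planned address, one owner
            errors.append(f"{owner}: {ip} is already planned for {seen[ip]}")
        seen.setdefault(ip, owner)

    check(plan["vipAddress"], plan["vipSubnetName"], "vipAddress")
    for key in ("elbVirsubnetL4Ips", "elbVirsubnetL7Ips"):
        for i, entry in enumerate(plan.get(key, [])):
            if len(entry["ips"]) != 2:
                errors.append(f"{key}[{i}]: needs exactly two IPs, has {len(entry['ips'])}")
            for ip in entry["ips"]:
                check(ip, entry["subnetName"], f"{key}[{i}]")
    for pool in plan.get("pools", []):
        if len(pool["configs"]) < pool["replicas"]:
            errors.append(f"pool {pool['name']}: {len(pool['configs'])} entries "
                          f"for {pool['replicas']} replicas")
        for cfg in pool["configs"]:
            check(cfg["ip"], pool["subnetName"], f"pool {pool['name']}/{cfg['hostname']}")
    return errors

if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan satisfies the checked constraints"]:
        print(line)
```
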

Value-to-YAML Mapping

Use the following mapping after you complete the preparation checklist:

| Prepared input | YAML fields |
|---|---|
| accessKey, secretKey, projectID, externalGlobalDomain, region | Secret.data.* |
| imageName, flavorName, availabilityZone, disk layout | HCSMachineTemplate.spec.template.spec.* |
| Control plane and worker hostnames and static IPs | HCSMachineConfigPool.spec.configs[] |
| VPC name, subnet inventory, security group name | HCSCluster.spec.network.* |
| vipAddress, vipSubnetName, vipDomainName, elbVirsubnetL4Ips, elbVirsubnetL7Ips | HCSCluster.spec.controlPlaneLoadBalancer.* |
| Kubernetes version and component baseline | KubeadmControlPlane.spec.version, Cluster.spec.clusterNetwork.*, cluster annotations, and related bootstrap settings |

Next Steps

After you complete the preparation checklist: