✨ ROSANetwork: new CRD & reconciler to provision network infrastructure for ROSA-HCP

[mzazrivec]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This pull request implements CRD and a controller for provisioning complete networking infrastructure required to install a ROSA-HCP cluster in AWS. The proposal for this implementation has been described in #5381.

Under the hood, the implementation uses cloudformation stack and a static (i.e. no possibility of customization) cloudformation template from rosa-cli

This pull request depends on openshift/rosa#2904 (now merged).

Quick howto:

$ export ROSA_NETWORK_NAME=rosa-net-01
$ export AWS_REGION=us-west-2
$ export AVAILABILITY_ZONE_COUNT=2
$ export CIDR_BLOCK=10.0.0.0/16
$ clusterctl generate yaml --from templates/rosa-network.yaml > rosa-net-01.yaml
$ kubectl apply -f rosa-net-01.yaml

To use the ROSANetwork from ROSA control plane:

apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: ROSAControlPlane
metadata:
  name: rosa-hcp01-control-plane
  namespace: default
spec:
  rosaNetworkRef:
    name: rosa-net01

and skip / remove subnets and availability zones from the CP spec.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

New API for provisioning network infrastructure for ROSA clusters

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign andidog for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

No need to add the caBundle.

[serngawy]

Suggested change

	ID string `json:"ID"`
	Id string `json:"id"`

Or resourceId

[serngawy]

Suggested change

	Resource string `json:"resource"`
	Name string `json:"name"`

OR resourceName

[serngawy]

message is better I guess ?

Suggested change

	Reason string `json:"reason"`
	Message string `json:"message"`

[serngawy]

Suggested change

	// ID of the public subnet
	// Public subnet Id ex; subnet-xxxxxxxxxx

[serngawy]

I don't think we need a new feature gate, we can have it under ROSA feature gate

[mzazrivec]

Yes. I did not mean a new feature gate here, just the existing rosa FG.

[serngawy]

you also need to update the ValidatingWebhookConfiguration and MutatingWebhookConfiguration here

[serngawy]

/ok-to-test

[serngawy]

Not sure, if we want to provide this option to end user. We don't do that with RosaControlPlane only default aws identity. However, we should provide OCM identityRef

[mzazrivec]

Why shouldn't we provide this option to the end user? We need to specify the ref to the aws secret somehow. Here I'm just reusing existing structures & code.

What do you mean by OCM identity ref? OCM will not be involved here in any way.

[serngawy]

well, to use openshift/rosa and establish ocm client you need to have ocm authentication. Is this not the case with the RosaNetwork CF stack creation?

[mzazrivec]

No. No OCM credentials are needed for rosanet, just AWS credentials.

[nrb]

@serngawy Are you satisfied with the answers here?

[serngawy]

@mzazrivec I do remember we discuss that, but after checking the ROSANetwork cloud formation stack template , there are tags added as rosa_hcp_policy and roas service here.
Those tags I think is used to check for privileges ?
I think we have to authenticate the ocm credential. Even if we don't need to create the CF stack but enduser must be a valid OCM user.

[mzazrivec]

@serngawy What does creating VPC with certain tags and checking OCM credentials have to do with each other?

[serngawy]

okay, as we discussed no need to have ocm authentication.

[serngawy]

please add release note, stating add new ROSA network API

[mzazrivec]

please add release note, stating add new ROSA network API

Added.

[nrb]

This isn't a blocker because we'll need to revisit this across the entire project, but conditions will be changing upstream and we'll need to revisit these to make sure they're conforming to the accepted proposal.

[mzazrivec]

Yep, you mentioned in my proposal PR that the Reason field needs to be set also in the case of success, which is what this PR does.

[nrb]

I have some suggestions for idiomatic Go style that shouldn't affect the functionality of the PR.

Also have some questions about a few of the interface design decisions.

Once those are answered and we have some baseline testing for the ROSANetwork controller, I think we'll be in good shape.

[nrb]

Most other packages in the repo put these finalizer definitions in the corresponding api/<version>/<name>_types.go files, but I see there's other ROSA files that put their finalizers in the controller package.

Ideally we'd clean this up, but it's not a blocker.

[serngawy]

agree, moving this to the API is better

[mzazrivec]

@nrb yep, moved.

[nrb]

We do nothing with the error at all? Should we perhaps log it, so the user can at least see that errors are causing reconcile loops?

[mzazrivec]

I'm glad you asked, because I asked this very question within my team last week.

Short answer to your original question would be: this same pattern is in several places in CAPA.

Of course, I can add the error logging there. But probably same thing should have to be done in

controlplane/rosa/controllers/rosacontrolplane_controller.go
exp/controllers/awsfargatepool_controller.go
exp/controllers/awsmanagedmachinepool_controller.go
exp/controllers/rosamachinepool_controller.go

[serngawy]

@mzazrivec just return the error here , other controllers can be done in another PR.

[nrb]

Suggested change

	for i := 1; i <= len(rosaNetScope.ROSANetwork.Spec.AvailabilityZones); i++ {
	cfParams[fmt.Sprintf("AZ%d", i)] = rosaNetScope.ROSANetwork.Spec.AvailabilityZones[i-1]
	}
	for i, zone := range rosaNetScope.ROSANetwork.Spec.AvailabilityZones) {
	cfParams[fmt.Sprintf("AZ%d", i)] = zone
	}

is more Go-native.

[mzazrivec]

@nrb yep, changed

[nrb]

Should probably have some tags identifying the resources in AWS, in case an administrator is looking at the AWS console and wondering where the CF resources came from.

You can look into how we do it for clusterawsadm, and find a Tag type in the API.

[mzazrivec]

I'm not entirely sure I understand what you mean here.

The particular stack resources (VPC, subnets, ...) are already being tagged as is defined in the CF template from rosa-cli.

If you're talking about tagging the CF stack object itself, then I don't see clusterawsadm bootstrap creating those.

[serngawy]

Expose tags field to ROSANetworkSpec so administrator (endUser) can add tags to the created VPC. Its a common use of tags with aws resources.

[nrb]

Let's use https://pkg.go.dev/strings#HasPrefix

[mzazrivec]

Sure, done.

[nrb]

Suggested change

	i := 0
	for _, v := range subnets {
	rosaNet.Status.Subnets[i] = *v
	i++
	}
	rosaNet.Status.Subnets = make([]expinfrav1.ROSANetworkSubnet)
	rosaNet.Status.Subnets = append(rosaNet.Status.Subnets, subnets...)

will copy the entries into a new slice. Note that if you specify a length with the make call when doing it this way, you'll see double the number of entries that you'd expect.

It also doesn't look like we're doing anything with i here. If you want the index produced by range, you can do for i, v := range subnets.

[mzazrivec]

Not sure I understand. rosaNet.Status.Subnets should in the end be an array of objects, looking like this:

kind: ROSANetwork
metadata:
  name: rosa-network-01
  namespace: default
status:
  subnets:
  - availabilityZone: us-west-2a
    privateSubnet: subnet-1d9f28ba992a83514
    publicSubnet: subnet-0d9f28ba991b93514
  - availabilityZone: us-west-2b
    privateSubnet: subnet-2d7f58c09f1b43512
    publicSubnet: subnet-2d7f18c09f1b43512
  - availabilityZone: us-west-2c
    privateSubnet: subnet-7d7e19c0af1f4d57f
    publicSubnet: subnet-1d7e19c0af1c4c57f

In my code subnets is a map (subnets := make(map[string]*expinfrav1.ROSANetworkSubnet)), so len(subnets) should return the number of keys, which is what I want. I certainly don't want to append subnets to rosaNet.Status.Subnets, just its values.

[serngawy]

@mzazrivec better to use native function to get the map values instead of doing for loop , check here

[nrb]

Why have this extra function if it only calls PatchObject and returns any error it gets?

[mzazrivec]

Yeah. Again, something that all the other scope objects do. I can change it of course, but this is a pattern and if it's not desirable, it should be probably changed everywhere.

[nrb]

Why is the controller being exposed here?

[mzazrivec]

Because I need the controller name when constructing key to session cache in pkg/cloud/scope/session.go (see my change in getSessionName() there). Without that change we could hit conflicts in the cache, should for example both the rosanet and rosacp be named the same and be placed in the same namespace.

[nrb]

Will other identity types be supported in the future?

[mzazrivec]

Yep, all the current identities should work with rosanet.

[nrb]

It would be nice to have some basic tests for the controller.

[mzazrivec]

Yes, I added basic exp/controllers/rosanetwork_controller_test.go, which I want to keep on extending.

[k8s-ci-robot]

@mzazrivec: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-aws-apidiff-main	2c7bf06	link	false	/test pull-cluster-api-provider-aws-apidiff-main
pull-cluster-api-provider-aws-verify	2c7bf06	link	true	/test pull-cluster-api-provider-aws-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.