Support adding custom secondary VPC CIDR blocks in AWSCluster

Author: AndiDog

api/v1beta1/awscluster_conversion.go

@@ -104,6 +104,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.NetworkSpec.VPC.EmptyRoutesDefaultVPCSecurityGroup = restored.Spec.NetworkSpec.VPC.EmptyRoutesDefaultVPCSecurityGroup
 	dst.Spec.NetworkSpec.VPC.PrivateDNSHostnameTypeOnLaunch = restored.Spec.NetworkSpec.VPC.PrivateDNSHostnameTypeOnLaunch
 	dst.Spec.NetworkSpec.VPC.CarrierGatewayID = restored.Spec.NetworkSpec.VPC.CarrierGatewayID
+	dst.Spec.NetworkSpec.VPC.SecondaryCidrBlocks = restored.Spec.NetworkSpec.VPC.SecondaryCidrBlocks
 
 	// Restore SubnetSpec.ResourceID, SubnetSpec.ParentZoneName, and SubnetSpec.ZoneType fields, if any.
 	for _, subnet := range restored.Spec.NetworkSpec.Subnets {

api/v1beta1/zz_generated.conversion.go

@@ -269,6 +269,14 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 		}
 	}
 
+	secondaryCidrBlocks := r.Spec.NetworkSpec.VPC.SecondaryCidrBlocks
+	secondaryCidrBlocksField := field.NewPath("spec", "network", "vpc", "secondaryCidrBlocks")
+	for _, cidrBlock := range secondaryCidrBlocks {
+		if r.Spec.NetworkSpec.VPC.CidrBlock != "" && r.Spec.NetworkSpec.VPC.CidrBlock == cidrBlock.IPv4CidrBlock {
+			allErrs = append(allErrs, field.Invalid(secondaryCidrBlocksField, secondaryCidrBlocks, fmt.Sprintf("AWSCluster.spec.network.vpc.secondaryCidrBlocks must not contain the primary AWSCluster.spec.network.vpc.cidrBlock %v", r.Spec.NetworkSpec.VPC.CidrBlock)))
+		}
+	}
+
 	return allErrs
 }
 

api/v1beta2/awscluster_webhook.go

@@ -388,6 +388,13 @@ type IPAMPool struct {
 	NetmaskLength int64 `json:"netmaskLength,omitempty"`
 }
 
+// VpcCidrBlock defines the CIDR block and settings to associate with the managed VPC. Currently, only IPv4 is supported.
+type VpcCidrBlock struct {
+	// IPv4CidrBlock is the IPv4 CIDR block to associate with the managed VPC.
+	// +kubebuilder:validation:MinLength=1
+	IPv4CidrBlock string `json:"ipv4CidrBlock"`
+}
+
 // VPCSpec configures an AWS VPC.
 type VPCSpec struct {
 	// ID is the vpc-id of the VPC this provider should use to create resources.
@@ -398,6 +405,12 @@ type VPCSpec struct {
 	// Mutually exclusive with IPAMPool.
 	CidrBlock string `json:"cidrBlock,omitempty"`
 
+	// SecondaryCidrBlocks are additional CIDR blocks to be associated when the provider creates a managed VPC.
+	// Defaults to none. Mutually exclusive with IPAMPool. This makes sense to use if, for example, you want to use
+	// a separate IP range for pods (e.g. Cilium ENI mode).
+	// +optional
+	SecondaryCidrBlocks []VpcCidrBlock `json:"secondaryCidrBlocks,omitempty"`
+
 	// IPAMPool defines the IPAMv4 pool to be used for VPC.
 	// Mutually exclusive with CidrBlock.
 	IPAMPool *IPAMPool `json:"ipamPool,omitempty"`
@@ -715,6 +728,17 @@ func (s Subnets) FilterPrivate() (res Subnets) {
 	return
 }
 
+// FilterNonCni returns the subnets that are NOT intended for usage with the CNI pod network
+// (i.e. do NOT have the `sigs.k8s.io/cluster-api-provider-aws/association=secondary` tag).
+func (s Subnets) FilterNonCni() (res Subnets) {
+	for _, x := range s {
+		if x.Tags[NameAWSSubnetAssociation] != SecondarySubnetTagValue {
+			res = append(res, x)
+		}
+	}
+	return
+}
+
 // FilterPublic returns a slice containing all subnets marked as public.
 func (s Subnets) FilterPublic() (res Subnets) {
 	for _, x := range s {

api/v1beta2/network_types.go

@@ -90,6 +90,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:AssignPrivateIpAddresses",
 				"ec2:UnassignPrivateIpAddresses",
 				"ec2:AssociateRouteTable",
+				"ec2:AssociateVpcCidrBlock",
 				"ec2:AttachInternetGateway",
 				"ec2:AuthorizeSecurityGroupIngress",
 				"ec2:CreateCarrierGateway",
@@ -104,6 +105,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:CreateTags",
 				"ec2:CreateVpc",
 				"ec2:CreateVpcEndpoint",
+				"ec2:DisassociateVpcCidrBlock",
 				"ec2:ModifyVpcAttribute",
 				"ec2:ModifyVpcEndpoint",
 				"ec2:DeleteCarrierGateway",

api/v1beta2/zz_generated.deepcopy.go

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml

@@ -155,6 +155,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -169,6 +170,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml

@@ -155,6 +155,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -169,6 +170,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_allow_assume_role.yaml

@@ -155,6 +155,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -169,6 +170,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml

@@ -155,6 +155,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -169,6 +170,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml

@@ -722,6 +722,25 @@ spec:
                         - ip-name
                         - resource-name
                         type: string
+                      secondaryCidrBlocks:
+                        description: |-
+                          SecondaryCidrBlocks are additional CIDR blocks to be associated when the provider creates a managed VPC.
+                          Defaults to none. Mutually exclusive with IPAMPool. This makes sense to use if, for example, you want to use
+                          a separate IP range for pods (e.g. Cilium ENI mode).
+                        items:
+                          description: VpcCidrBlock defines the CIDR block and settings
+                            to associate with the managed VPC. Currently, only IPv4
+                            is supported.
+                          properties:
+                            ipv4CidrBlock:
+                              description: IPv4CidrBlock is the IPv4 CIDR block to
+                                associate with the managed VPC.
+                              minLength: 1
+                              type: string
+                          required:
+                          - ipv4CidrBlock
+                          type: object
+                        type: array
                       tags:
                         additionalProperties:
                           type: string
@@ -2672,6 +2691,25 @@ spec:
                         - ip-name
                         - resource-name
                         type: string
+                      secondaryCidrBlocks:
+                        description: |-
+                          SecondaryCidrBlocks are additional CIDR blocks to be associated when the provider creates a managed VPC.
+                          Defaults to none. Mutually exclusive with IPAMPool. This makes sense to use if, for example, you want to use
+                          a separate IP range for pods (e.g. Cilium ENI mode).
+                        items:
+                          description: VpcCidrBlock defines the CIDR block and settings
+                            to associate with the managed VPC. Currently, only IPv4
+                            is supported.
+                          properties:
+                            ipv4CidrBlock:
+                              description: IPv4CidrBlock is the IPv4 CIDR block to
+                                associate with the managed VPC.
+                              minLength: 1
+                              type: string
+                          required:
+                          - ipv4CidrBlock
+                          type: object
+                        type: array
                       tags:
                         additionalProperties:
                           type: string