Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Supporting externally managed Control Plane #4438

Merged
merged 3 commits into from
Feb 8, 2024
Merged

✨ Supporting externally managed Control Plane #4438

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f7d3575
feat: allowing nodes creation when cp is externally managed
prometherion Aug 4, 2023
4ee9c54
feat: disabled load balancer enum for externally managed LBs
prometherion Aug 4, 2023
fc3cb07
chore(log): capitalising debug message
prometherion Oct 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions api/v1beta2/awscluster_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,10 +167,11 @@ type Bastion struct {
type LoadBalancerType string

var (
LoadBalancerTypeClassic = LoadBalancerType("classic")
LoadBalancerTypeELB = LoadBalancerType("elb")
LoadBalancerTypeALB = LoadBalancerType("alb")
LoadBalancerTypeNLB = LoadBalancerType("nlb")
LoadBalancerTypeClassic = LoadBalancerType("classic")
LoadBalancerTypeELB = LoadBalancerType("elb")
LoadBalancerTypeALB = LoadBalancerType("alb")
LoadBalancerTypeNLB = LoadBalancerType("nlb")
LoadBalancerTypeDisabled = LoadBalancerType("disabled")
)

// AWSLoadBalancerSpec defines the desired state of an AWS load balancer.
Expand Down Expand Up @@ -229,7 +230,7 @@ type AWSLoadBalancerSpec struct {

// LoadBalancerType sets the type for a load balancer. The default type is classic.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a comment on what each value for this does and what the new value is useful for?

// +kubebuilder:default=classic
// +kubebuilder:validation:Enum:=classic;elb;alb;nlb
// +kubebuilder:validation:Enum:=classic;elb;alb;nlb;disabled
prometherion marked this conversation as resolved.
Show resolved Hide resolved
LoadBalancerType LoadBalancerType `json:"loadBalancerType,omitempty"`

// DisableHostsRewrite disabled the hair pinning issue solution that adds the NLB's address as 127.0.0.1 to the hosts
Expand Down
44 changes: 44 additions & 0 deletions api/v1beta2/awscluster_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -298,5 +298,49 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
}
}

if r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeDisabled {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we validating somewhere that the type cannot be changed once created? How are we dealing right now if a user creates the type = disabled and then wants alb and vice-versa?

if r.Spec.ControlPlaneLoadBalancer.Name != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we need a func Empty() bool on the load balancer instead of checking each sub field. But lets discuss that separately.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still would need the check of each subfield, unfortunately. We could slender the webhook file, of course, but from a UX perspective, knowing which field is breaking the validation would be helpful.

allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "name"), r.Spec.ControlPlaneLoadBalancer.Name, "cannot configure a name if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.CrossZoneLoadBalancing {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "crossZoneLoadBalancing"), r.Spec.ControlPlaneLoadBalancer.CrossZoneLoadBalancing, "cross-zone load balancing cannot be set if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.Subnets) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "subnets"), r.Spec.ControlPlaneLoadBalancer.Subnets, "subnets cannot be set if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol != nil {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "healthCheckProtocol"), r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol, "healthcheck protocol cannot be set if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.AdditionalSecurityGroups) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "additionalSecurityGroups"), r.Spec.ControlPlaneLoadBalancer.AdditionalSecurityGroups, "additional Security Groups cannot be set if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.AdditionalListeners) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "additionalListeners"), r.Spec.ControlPlaneLoadBalancer.AdditionalListeners, "cannot set additional listeners if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.IngressRules) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "ingress rules cannot be set if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.PreserveClientIP {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "preserveClientIP"), r.Spec.ControlPlaneLoadBalancer.PreserveClientIP, "cannot preserve client IP if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.DisableHostsRewrite {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "disableHostsRewrite"), r.Spec.ControlPlaneLoadBalancer.DisableHostsRewrite, "cannot disable hosts rewrite if the LoadBalancer reconciliation is disabled"))
}
}

for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}
Comment on lines +306 to +343
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should open an issue to track for the next API version to rework this, it seems to me that we're going around the current API structure to disable the control plane management


return allErrs
}
121 changes: 121 additions & 0 deletions api/v1beta2/awscluster_webhook_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ import (
. "github.com/onsi/gomega"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilfeature "k8s.io/component-base/featuregate/testing"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/client"

"sigs.k8s.io/cluster-api-provider-aws/v2/feature"
Expand All @@ -50,6 +51,126 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr bool
expect func(g *WithT, res *AWSLoadBalancerSpec)
}{
{
name: "No options are allowed when LoadBalancer is disabled (name)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
LoadBalancerType: LoadBalancerTypeDisabled,
Name: ptr.To("name"),
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (crossZoneLoadBalancing)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
CrossZoneLoadBalancing: true,
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (subnets)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
Subnets: []string{"foo", "bar"},
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (healthCheckProtocol)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
HealthCheckProtocol: &ELBProtocolTCP,
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (additionalSecurityGroups)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalSecurityGroups: []string{"foo", "bar"},
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (additionalListeners)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalListeners: []AdditionalListenerSpec{
{
Port: 6443,
Protocol: ELBProtocolTCP,
},
},
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (ingressRules)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
IngressRules: []IngressRule{
{
Description: "ingress rule",
Protocol: SecurityGroupProtocolTCP,
FromPort: 6443,
ToPort: 6443,
},
},
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (disableHostsRewrite)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
DisableHostsRewrite: true,
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
{
name: "No options are allowed when LoadBalancer is disabled (preserveClientIP)",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
PreserveClientIP: true,
LoadBalancerType: LoadBalancerTypeDisabled,
},
},
},
wantErr: true,
},
// The SSHKeyName tests were moved to sshkeyname_test.go
{
name: "Supported schemes are 'internet-facing, Internet-facing, internal, or nil', rest will be rejected",
Expand Down
3 changes: 3 additions & 0 deletions api/v1beta2/conditions_consts.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,9 @@ const (
LoadBalancerReadyCondition clusterv1.ConditionType = "LoadBalancerReady"
// WaitForDNSNameReason used while waiting for a DNS name for the API server to be populated.
WaitForDNSNameReason = "WaitForDNSName"
// WaitForExternalControlPlaneEndpointReason is available when the AWS Cluster is waiting for an externally managed
// Load Balancer, such as an external Control Plane provider.
WaitForExternalControlPlaneEndpointReason = "WaitForExternalControlPlaneEndpoint"
// WaitForDNSNameResolveReason used while waiting for DNS name to resolve.
WaitForDNSNameResolveReason = "WaitForDNSNameResolve"
// LoadBalancerFailedReason used when an error occurs during load balancer reconciliation.
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1109,6 +1109,7 @@ spec:
- elb
- alb
- nlb
- disabled
type: string
name:
description: Name sets the name of the classic ELB load balancer.
Expand Down Expand Up @@ -1689,6 +1690,7 @@ spec:
- elb
- alb
- nlb
- disabled
type: string
name:
description: Name sets the name of the classic ELB load balancer.
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -707,6 +707,7 @@ spec:
- elb
- alb
- nlb
- disabled
type: string
name:
description: Name sets the name of the classic ELB load
Expand Down Expand Up @@ -1316,6 +1317,7 @@ spec:
- elb
- alb
- nlb
- disabled
type: string
name:
description: Name sets the name of the classic ELB load
Expand Down
8 changes: 8 additions & 0 deletions config/rbac/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,14 @@ rules:
- get
- list
- watch
- apiGroups:
- controlplane.cluster.x-k8s.io
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- controlplane.cluster.x-k8s.io
resources:
Expand Down
92 changes: 68 additions & 24 deletions controllers/awscluster_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,45 @@ func (r *AWSClusterReconciler) reconcileDelete(ctx context.Context, clusterScope
return nil
}

func (r *AWSClusterReconciler) reconcileLoadBalancer(clusterScope *scope.ClusterScope, awsCluster *infrav1.AWSCluster) (*time.Duration, error) {
retryAfterDuration := 15 * time.Second
Comment on lines +269 to +270
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we rework this to just return an error and leave the retryAfterDuration outside?

if clusterScope.AWSCluster.Spec.ControlPlaneLoadBalancer.LoadBalancerType == infrav1.LoadBalancerTypeDisabled {
clusterScope.Debug("load balancer reconciliation shifted to external provider, checking external endpoint")

return r.checkForExternalControlPlaneLoadBalancer(clusterScope, awsCluster), nil
}

elbService := r.getELBService(clusterScope)

if err := elbService.ReconcileLoadbalancers(); err != nil {
clusterScope.Error(err, "failed to reconcile load balancer")
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.LoadBalancerFailedReason, infrautilconditions.ErrorConditionAfterInit(clusterScope.ClusterObj()), err.Error())
return nil, err
}

if awsCluster.Status.Network.APIServerELB.DNSName == "" {
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForDNSNameReason, clusterv1.ConditionSeverityInfo, "")
clusterScope.Info("Waiting on API server ELB DNS name")
return &retryAfterDuration, nil
}

clusterScope.Debug("Looking up IP address for DNS", "dns", awsCluster.Status.Network.APIServerELB.DNSName)
if _, err := net.LookupIP(awsCluster.Status.Network.APIServerELB.DNSName); err != nil {
clusterScope.Error(err, "failed to get IP address for dns name", "dns", awsCluster.Status.Network.APIServerELB.DNSName)
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForDNSNameResolveReason, clusterv1.ConditionSeverityInfo, "")
clusterScope.Info("Waiting on API server ELB DNS name to resolve")
return &retryAfterDuration, nil
}
conditions.MarkTrue(awsCluster, infrav1.LoadBalancerReadyCondition)

awsCluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
Host: awsCluster.Status.Network.APIServerELB.DNSName,
Port: clusterScope.APIServerPort(),
}

return nil, nil
}

func (r *AWSClusterReconciler) reconcileNormal(clusterScope *scope.ClusterScope) (reconcile.Result, error) {
clusterScope.Info("Reconciling AWSCluster")

Expand All @@ -280,7 +319,6 @@ func (r *AWSClusterReconciler) reconcileNormal(clusterScope *scope.ClusterScope)
}

ec2Service := r.getEC2Service(clusterScope)
elbService := r.getELBService(clusterScope)
networkSvc := r.getNetworkService(*clusterScope)
sgService := r.getSecurityGroupService(*clusterScope)
s3Service := s3.NewService(clusterScope)
Expand Down Expand Up @@ -310,37 +348,17 @@ func (r *AWSClusterReconciler) reconcileNormal(clusterScope *scope.ClusterScope)
}
}

if err := elbService.ReconcileLoadbalancers(); err != nil {
clusterScope.Error(err, "failed to reconcile load balancer")
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.LoadBalancerFailedReason, infrautilconditions.ErrorConditionAfterInit(clusterScope.ClusterObj()), err.Error())
if requeueAfter, err := r.reconcileLoadBalancer(clusterScope, awsCluster); err != nil {
return reconcile.Result{}, err
} else if requeueAfter != nil {
return reconcile.Result{RequeueAfter: *requeueAfter}, err
}

if err := s3Service.ReconcileBucket(); err != nil {
conditions.MarkFalse(awsCluster, infrav1.S3BucketReadyCondition, infrav1.S3BucketFailedReason, clusterv1.ConditionSeverityError, err.Error())
return reconcile.Result{}, errors.Wrapf(err, "failed to reconcile S3 Bucket for AWSCluster %s/%s", awsCluster.Namespace, awsCluster.Name)
}

if awsCluster.Status.Network.APIServerELB.DNSName == "" {
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForDNSNameReason, clusterv1.ConditionSeverityInfo, "")
clusterScope.Info("Waiting on API server ELB DNS name")
return reconcile.Result{RequeueAfter: 15 * time.Second}, nil
}

clusterScope.Debug("looking up IP address for DNS", "dns", awsCluster.Status.Network.APIServerELB.DNSName)
if _, err := net.LookupIP(awsCluster.Status.Network.APIServerELB.DNSName); err != nil {
clusterScope.Error(err, "failed to get IP address for dns name", "dns", awsCluster.Status.Network.APIServerELB.DNSName)
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForDNSNameResolveReason, clusterv1.ConditionSeverityInfo, "")
clusterScope.Info("Waiting on API server ELB DNS name to resolve")
return reconcile.Result{RequeueAfter: 15 * time.Second}, nil
}
conditions.MarkTrue(awsCluster, infrav1.LoadBalancerReadyCondition)

awsCluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
Host: awsCluster.Status.Network.APIServerELB.DNSName,
Port: clusterScope.APIServerPort(),
}

for _, subnet := range clusterScope.Subnets().FilterPrivate() {
found := false
for _, az := range awsCluster.Status.Network.APIServerELB.AvailabilityZones {
Expand Down Expand Up @@ -447,3 +465,29 @@ func (r *AWSClusterReconciler) requeueAWSClusterForUnpausedCluster(_ context.Con
}
}
}

func (r *AWSClusterReconciler) checkForExternalControlPlaneLoadBalancer(clusterScope *scope.ClusterScope, awsCluster *infrav1.AWSCluster) *time.Duration {
requeueAfterPeriod := 15 * time.Second

Comment on lines +469 to +471
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, the retry after should be outside in a caller

switch {
case len(awsCluster.Spec.ControlPlaneEndpoint.Host) == 0 && awsCluster.Spec.ControlPlaneEndpoint.Port == 0:
clusterScope.Info("AWSCluster control plane endpoint is still non-populated")
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForExternalControlPlaneEndpointReason, clusterv1.ConditionSeverityInfo, "")

return &requeueAfterPeriod
case len(awsCluster.Spec.ControlPlaneEndpoint.Host) == 0:
clusterScope.Info("AWSCluster control plane endpoint host is still non-populated")
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForExternalControlPlaneEndpointReason, clusterv1.ConditionSeverityInfo, "")

return &requeueAfterPeriod
case awsCluster.Spec.ControlPlaneEndpoint.Port == 0:
clusterScope.Info("AWSCluster control plane endpoint port is still non-populated")
conditions.MarkFalse(awsCluster, infrav1.LoadBalancerReadyCondition, infrav1.WaitForExternalControlPlaneEndpointReason, clusterv1.ConditionSeverityInfo, "")

return &requeueAfterPeriod
default:
conditions.MarkTrue(awsCluster, infrav1.LoadBalancerReadyCondition)

return nil
}
}
Loading