✨ ROSANetwork: new CRD & reconciler to provision network infrastructure for ROSA-HCP

[mzazrivec]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This pull request implements CRD and a controller for provisioning complete networking infrastructure required to install a ROSA-HCP cluster in AWS. The proposal for this implementation has been described in #5381.

Under the hood, the implementation uses cloudformation stack and a static (i.e. no possibility of customization) cloudformation template from rosa-cli

This pull request depends on openshift/rosa#2904 (now merged).

Quick howto:

$ export ROSA_NETWORK_NAME=rosa-net-01
$ export AWS_REGION=us-west-2
$ export AVAILABILITY_ZONE_COUNT=2
$ export CIDR_BLOCK=10.0.0.0/16
$ clusterctl generate yaml --from templates/rosa-network.yaml > rosa-net-01.yaml
$ kubectl apply -f rosa-net-01.yaml

To use the ROSANetwork from ROSA control plane:

apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: ROSAControlPlane
metadata:
  name: rosa-hcp01-control-plane
  namespace: default
spec:
  rosaNetworkRef:
    name: rosa-net01

and skip / remove subnets and availability zones from the CP spec.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

New API for provisioning network infrastructure for ROSA clusters

[k8s-ci-robot]

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

No need to add the caBundle.

[serngawy]

Suggested change

	ID string `json:"ID"`
	Id string `json:"id"`

Or resourceId

[serngawy]

Suggested change

	Resource string `json:"resource"`
	Name string `json:"name"`

OR resourceName

[serngawy]

message is better I guess ?

Suggested change

	Reason string `json:"reason"`
	Message string `json:"message"`

[serngawy]

Suggested change

	// ID of the public subnet
	// Public subnet Id ex; subnet-xxxxxxxxxx

[serngawy]

I don't think we need a new feature gate, we can have it under ROSA feature gate

[mzazrivec]

Yes. I did not mean a new feature gate here, just the existing rosa FG.

[serngawy]

you also need to update the ValidatingWebhookConfiguration and MutatingWebhookConfiguration here

[serngawy]

/ok-to-test

[serngawy]

Not sure, if we want to provide this option to end user. We don't do that with RosaControlPlane only default aws identity. However, we should provide OCM identityRef

[mzazrivec]

Why shouldn't we provide this option to the end user? We need to specify the ref to the aws secret somehow. Here I'm just reusing existing structures & code.

What do you mean by OCM identity ref? OCM will not be involved here in any way.

[serngawy]

well, to use openshift/rosa and establish ocm client you need to have ocm authentication. Is this not the case with the RosaNetwork CF stack creation?

[mzazrivec]

No. No OCM credentials are needed for rosanet, just AWS credentials.

[nrb]

@serngawy Are you satisfied with the answers here?

[serngawy]

@mzazrivec I do remember we discuss that, but after checking the ROSANetwork cloud formation stack template , there are tags added as rosa_hcp_policy and roas service here.
Those tags I think is used to check for privileges ?
I think we have to authenticate the ocm credential. Even if we don't need to create the CF stack but enduser must be a valid OCM user.

[mzazrivec]

@serngawy What does creating VPC with certain tags and checking OCM credentials have to do with each other?

[serngawy]

okay, as we discussed no need to have ocm authentication.

[serngawy]

remove comment line

[mzazrivec]

Removed.

[serngawy]

Better golang style and avoiding extra loop

Suggested change

	subnets := make(map[string]*expinfrav1.ROSANetworkSubnet)
	for _, resource := range rosaNet.Status.Resources {
	if resource.ResourceType != "AWS::EC2::Subnet" { // Skip all non subnets
	continue
	}
	az, err := r.awsClient.GetSubnetAvailabilityZone(resource.PhysicalID)
	if err != nil {
	return err
	}
	if subnets[az] == nil {
	subnets[az] = &expinfrav1.ROSANetworkSubnet{
	AvailabilityZone: az,
	PublicSubnet: "",
	PrivateSubnet: "",
	}
	}
	if strings.HasPrefix(resource.LogicalID, "SubnetPrivate") {
	subnets[az].PrivateSubnet = resource.PhysicalID
	} else {
	subnets[az].PublicSubnet = resource.PhysicalID
	}
	}
	rosaNet.Status.Subnets = make([]expinfrav1.ROSANetworkSubnet, len(subnets))
	for i, v := range slices.Collect(maps.Values(subnets)) {
	rosaNet.Status.Subnets[i] = *v
	}
	return nil
	subnets := make(map[string]expinfrav1.ROSANetworkSubnet)
	for _, resource := range rosaNet.Status.Resources {
	if resource.ResourceType != "AWS::EC2::Subnet" {
	continue
	}
	az, err := r.awsClient.GetSubnetAvailabilityZone(resource.PhysicalID)
	if err != nil {
	return fmt.Errorf("failed to get AZ for subnet %s: %w", resource.PhysicalID, err)
	}
	subnet := subnets[az]
	subnet.AvailabilityZone = az
	if strings.HasPrefix(resource.LogicalID, "SubnetPrivate") {
	subnet.PrivateSubnet = resource.PhysicalID
	} else {
	subnet.PublicSubnet = resource.PhysicalID
	}
	subnets[az] = subnet
	}
	rosaNet.Status.Subnets = slices.Collect(maps.Values(subnets))
	return nil

[mzazrivec]

Added.

[serngawy]

please add watchFilterValue string

Suggested change

	Client: mgr.GetClient(),
	Client: mgr.GetClient(),
	WatchFilterValue: watchFilterValue,

[mzazrivec]

Added

[serngawy]

Please add the WatchFilterValue to the struct

Suggested change

	Log logr.Logger
	Log logr.Logger
	WatchFilterValue string

[mzazrivec]

Added

[serngawy]

No need for the webhook patch file as it is not included in kustomization.yaml

[mzazrivec]

Removed

[damdo]

/assign @nrb @damdo @richardcase

[damdo]

/label tide/merge-method-squash

[damdo]

This changes the session name in all the places already using this (not only ROSA ones). Is this a backward compatible change? (cc. @richardcase @punkwalker)

[serngawy]

I guess it should be okay as when the capa-manager update happen all cache sessions will be re-created with the new session name.
Does the cache stored some how even when the pod re-created, we need to fail safe when loading session fail ?

[damdo]

A minute seems quite a lot here, no?

[mzazrivec]

It takes about 5 minutes to create the cloudformation stack, i.e. approximately 5 cycles through the reconciliation loop. I'm fine with making it smaller (suggestions welcome), but not quite sure how it would help or improve the situation.

[damdo]

Ok and do we need to requeue after or are we watching and we should get a reconciliation event anyway?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from nrb. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[damdo]

/lgtm

Thanks for addressing my comments

/assign @nrb @richardcase

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 5f64d3fa3341e2ef3426645208e69a234b4147e3