Merged
4 changes: 2 additions & 2 deletions api/hypershift/v1alpha1/hostedcluster_types.go
@@ -1987,8 +1987,8 @@ type PlatformStatus struct {
// AWSPlatformStatus contains status specific to the AWS platform
type AWSPlatformStatus struct {
// DefaultWorkerSecurityGroupID is the ID of a security group created by
// the control plane operator. It is used for NodePools that don't specify a
// security group.
// the control plane operator. It is always added to worker machines in
// addition to any security groups specified in the NodePool.
// +optional
DefaultWorkerSecurityGroupID string `json:"defaultWorkerSecurityGroupID,omitempty"`
}
4 changes: 2 additions & 2 deletions api/hypershift/v1beta1/hostedcluster_types.go
@@ -2086,8 +2086,8 @@ type PlatformStatus struct {
// AWSPlatformStatus contains status specific to the AWS platform
type AWSPlatformStatus struct {
// DefaultWorkerSecurityGroupID is the ID of a security group created by
// the control plane operator. It is used for NodePools that don't specify a
// security group.
// the control plane operator. It is always added to worker machines in
// addition to any security groups specified in the NodePool.
// +optional
DefaultWorkerSecurityGroupID string `json:"defaultWorkerSecurityGroupID,omitempty"`
}
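--- a/cmd/cluster/aws/create.go
+++ b/cmd/cluster/aws/create.go
@@ -223,7 +223,6 @@ func applyPlatformSpecificsValues(ctx context.Context, exampleOptions *apifixtur
 Region: infra.Region,
 Zones: zones,
 VPCID: infra.VPCID,
-SecurityGroupID: infra.SecurityGroupID,
 InstanceProfile: iamInfo.ProfileName,
 InstanceType: instanceType,
 Roles: iamInfo.Roles,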
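--- a/cmd/infra/aws/create.go
+++ b/cmd/infra/aws/create.go
@@ -54,7 +54,6 @@ type CreateInfraOutput struct {
 MachineCIDR string `json:"machineCIDR"`
 VPCID string `json:"vpcID"`
 Zones []*CreateInfraOutputZone `json:"zones"`
-SecurityGroupID string `json:"securityGroupID"`
 Name string `json:"Name"`
 BaseDomain string `json:"baseDomain"`
 BaseDomainPrefix string `json:"baseDomainPrefix"`
@@ -179,10 +178,6 @@ func (o *CreateInfraOptions) CreateInfra(ctx context.Context, l logr.Logger) (*C
 if err != nil {
 return nil, err
 }
-result.SecurityGroupID, err = o.CreateWorkerSecurityGroup(ec2Client, result.VPCID)
-if err != nil {
-return nil, err
-}
 
 // Per zone resources
 var endpointRouteTableIds []*string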
157 changes: 0 additions & 157 deletions cmd/infra/aws/ec2_sg.go

This file was deleted.

@@ -4036,8 +4036,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -8296,8 +8296,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -4035,8 +4035,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -8265,8 +8265,8 @@ spec:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
4 changes: 2 additions & 2 deletions docs/content/reference/api.md
@@ -1484,8 +1484,8 @@ string
<td>
<em>(Optional)</em>
<p>DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don&rsquo;t specify a
security group.</p>
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.</p>
</td>
</tr>
</tbody>
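--- a/examples/fixtures/example.go
+++ b/examples/fixtures/example.go
@@ -636,11 +636,6 @@ func (o ExampleOptions) Resources() *ExampleResources {
 Subnet: &hyperv1.AWSResourceReference{
 ID: zone.SubnetID,
 },
-SecurityGroups: []hyperv1.AWSResourceReference{
-{
-ID: &o.AWS.SecurityGroupID,
-},
-},
 RootVolume: &hyperv1.Volume{
 Size: o.AWS.RootVolumeSize,
 Type: o.AWS.RootVolumeType,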
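--- a/examples/fixtures/example_aws.go
+++ b/examples/fixtures/example_aws.go
@@ -8,7 +8,6 @@ type ExampleAWSOptions struct {
 Region string
 Zones []ExampleAWSOptionsZones
 VPCID string
-SecurityGroupID string
 InstanceProfile string
 InstanceType string
 Roles hyperv1.AWSRolesRef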
16 changes: 8 additions & 8 deletions hack/app-sre/saas_template.yaml
@@ -40347,8 +40347,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -44624,8 +44624,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -49089,8 +49089,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
@@ -53336,8 +53336,8 @@ objects:
defaultWorkerSecurityGroupID:
description: |-
DefaultWorkerSecurityGroupID is the ID of a security group created by
the control plane operator. It is used for NodePools that don't specify a
security group.
the control plane operator. It is always added to worker machines in
addition to any security groups specified in the NodePool.
type: string
type: object
type: object
4 changes: 2 additions & 2 deletions hypershift-operator/controllers/nodepool/aws.go
@@ -55,7 +55,7 @@ func awsMachineTemplateSpec(infraName, ami string, hostedCluster *hyperv1.Hosted

securityGroups := []capiaws.AWSResourceReference{}
for _, sg := range nodePool.Spec.Platform.AWS.SecurityGroups {
filters := []capiaws.Filter{}
var filters []capiaws.Filter
for _, f := range sg.Filters {
filters = append(filters, capiaws.Filter{
Name: f.Name,
@@ -67,7 +67,7 @@ func awsMachineTemplateSpec(infraName, ami string, hostedCluster *hyperv1.Hosted
Filters: filters,
})
}
if len(securityGroups) == 0 && defaultSG {
if defaultSG {
if hostedCluster.Status.Platform == nil || hostedCluster.Status.Platform.AWS == nil || hostedCluster.Status.Platform.AWS.DefaultWorkerSecurityGroupID == "" {
return nil, &NotReadyError{fmt.Errorf("the default security group for the HostedCluster has not been created")}
}
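Review bot: Dropping the `len(securityGroups) == 0` guard means `if defaultSG {` in awsMachineTemplateSpec now applies the control plane operator's default worker security group to every NodePool, including ones that list their own groups to narrow access. Because AWS evaluates attached security groups as a union of allow rules, NodePool-specified groups can then only widen a worker's reachable surface, never restrict it below the default group, and those NodePools also start returning `NotReadyError` until `DefaultWorkerSecurityGroupID` is set. I would state that above the check, e.g. `// Always attached: NodePool security groups add to the default group's rules and cannot restrict them.` The code that uses the ID sits below the hunk and is not visible here; if it appends unconditionally, it is worth checking that a NodePool which already lists the default group's ID does not end up with a duplicate entry.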