RosaNetwork: new CRD & reconciler to provision net infra for ROSA-HCP

Author: mzazrivec

PROJECT

@@ -58,3 +58,6 @@ resources:
 - group: infrastructure
   version: v1beta2
   kind: AWSManagedCluster
+- group: infrastructure
+  kind: ROSANetwork
+  version: v1beta2

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -776,6 +776,22 @@ spec:
                 x-kubernetes-validations:
                 - message: rosaClusterName is immutable
                   rule: self == oldSelf
+              rosaNetworkRef:
+                description: |-
+                  ROSANetworkRef references ROSANetwork custom resource that contains the networking infrastructure
+                  for Rosa HCP cluster
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               subnets:
                 description: |-
                   The Subnet IDs to use when installing the cluster.
@@ -809,14 +825,12 @@ spec:
                   to worker instances.
                 type: string
             required:
-            - availabilityZones
             - channelGroup
             - installerRoleARN
             - oidcID
             - region
             - rolesRef
             - rosaClusterName
-            - subnets
             - supportRoleARN
             - version
             - versionGate

config/crd/bases/infrastructure.cluster.x-k8s.io_rosanetworks.yaml

@@ -0,0 +1,218 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.19.0
+  name: rosanetworks.infrastructure.cluster.x-k8s.io
+spec:
+  group: infrastructure.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: ROSANetwork
+    listKind: ROSANetworkList
+    plural: rosanetworks
+    shortNames:
+    - rosanet
+    singular: rosanetwork
+  scope: Namespaced
+  versions:
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: ROSANetwork is the schema for the rosanetworks API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ROSANetworkSpec defines the desired state of ROSANetwork
+            properties:
+              availabilityZoneCount:
+                default: 1
+                description: |-
+                  The number of availability zones to be used for creation of the network infrastructure.
+                  You can specify anything between one and four, depending on the chosen AWS region.
+                type: integer
+              availabilityZones:
+                description: |-
+                  The list of availability zones to be used for creation of the network infrastructure.
+                  You can specify anything between one and four valid availability zones from a given region.
+                  Should you specify both the availabilityZoneCount and availabilityZones, the list of availability zones takes preference.
+                items:
+                  type: string
+                type: array
+              cidrBlock:
+                description: CIDR block to be used for the VPC
+                format: cidr
+                type: string
+              identityRef:
+                description: |-
+                  IdentityRef is a reference to an identity to be used when reconciling rosa network.
+                  If no identity is specified, the default identity for this controller will be used.
+                properties:
+                  kind:
+                    description: Kind of the identity.
+                    enum:
+                    - AWSClusterControllerIdentity
+                    - AWSClusterRoleIdentity
+                    - AWSClusterStaticIdentity
+                    type: string
+                  name:
+                    description: Name of the identity.
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+              region:
+                description: The AWS region in which the components of ROSA network
+                  infrastruture are to be crated
+                type: string
+              stackName:
+                description: The name of the cloudformation stack under which the
+                  network infrastructure would be created
+                type: string
+              stackTags:
+                additionalProperties:
+                  type: string
+                description: |-
+                  StackTags is an optional set of tags to add to the created cloudformation stack.
+                  The stack tags will then be automatically applied to the supported AWS resources (VPC, subnets, ...).
+                type: object
+            required:
+            - cidrBlock
+            - region
+            - stackName
+            type: object
+          status:
+            description: ROSANetworkStatus defines the observed state of ROSANetwork
+            properties:
+              conditions:
+                description: Conditions specifies the conditions for ROSANetwork
+                items:
+                  description: Condition defines an observation of a Cluster API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This field may be empty.
+                      maxLength: 10240
+                      minLength: 1
+                      type: string
+                    reason:
+                      description: |-
+                        reason is the reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may be empty.
+                      maxLength: 256
+                      minLength: 1
+                      type: string
+                    severity:
+                      description: |-
+                        severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      maxLength: 32
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      maxLength: 256
+                      minLength: 1
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              resources:
+                description: Resources created in the cloudformation stack
+                items:
+                  description: CFResource groups information pertaining to a resource
+                    created as a part of a cloudformation stack
+                  properties:
+                    logicalId:
+                      description: LogicalResourceID of the created resource.
+                      type: string
+                    physicalId:
+                      description: PhysicalResourceID of the created resource.
+                      type: string
+                    reason:
+                      description: Message pertaining to the status of the resource
+                      type: string
+                    resource:
+                      description: 'Type of the created resource: AWS::EC2::VPC, AWS::EC2::Subnet,
+                        ...'
+                      type: string
+                    status:
+                      description: 'Status of the resource: CREATE_IN_PROGRESS, CREATE_COMPLETE,
+                        ...'
+                      type: string
+                  required:
+                  - logicalId
+                  - physicalId
+                  - reason
+                  - resource
+                  - status
+                  type: object
+                type: array
+              subnets:
+                description: Array of created private, public subnets and availability
+                  zones, grouped by availability zones
+                items:
+                  description: ROSANetworkSubnet groups public and private subnet
+                    and the availability zone in which the two subnets got created
+                  properties:
+                    availabilityZone:
+                      description: Availability zone of the subnet pair, for example
+                        us-west-2a
+                      type: string
+                    privateSubnet:
+                      description: ID of the private subnet, for example subnet-07a20d6c41af2b725
+                      type: string
+                    publicSubnet:
+                      description: ID of the public subnet, for example subnet-0f7e49a3ce68ff338
+                      type: string
+                  required:
+                  - availabilityZone
+                  - privateSubnet
+                  - publicSubnet
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/kustomization.yaml

@@ -26,6 +26,7 @@ resources:
 - bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
 - bases/infrastructure.cluster.x-k8s.io_rosaclusters.yaml
 - bases/infrastructure.cluster.x-k8s.io_rosamachinepools.yaml
+- bases/infrastructure.cluster.x-k8s.io_rosanetworks.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -57,6 +58,7 @@ patchesStrategicMerge:
 - patches/cainjection_in_awsmanagedclustertemplates.yaml
 - patches/cainjection_in_eksconfigs.yaml
 - patches/cainjection_in_eksconfigtemplates.yaml
+- patches/cainjection_in_rosanetworks.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [LABEL] To enable label, uncomment all the sections with [LABEL] prefix.

config/crd/patches/cainjection_in_rosanetworks.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: rosanetworks.infrastructure.cluster.x-k8s.io

config/crd/patches/webhook_in_rosanetworks.yaml

@@ -0,0 +1,14 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: rosanetworks.infrastructure.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert

config/rbac/role.yaml

@@ -176,6 +176,7 @@ rules:
   - awsfargateprofiles/status
   - rosaclusters/status
   - rosamachinepools/status
+  - rosanetworks/status
   verbs:
   - get
   - patch
@@ -197,6 +198,7 @@ rules:
   - infrastructure.cluster.x-k8s.io
   resources:
   - awsmachines
+  - rosanetworks
   verbs:
   - create
   - delete

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -95,12 +95,14 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 
 	// The Subnet IDs to use when installing the cluster.
 	// SubnetIDs should come in pairs; two per availability zone, one private and one public.
-	Subnets []string `json:"subnets"`
+	// +optional
+	Subnets []string `json:"subnets,omitempty"`
 
 	// AvailabilityZones describe AWS AvailabilityZones of the worker nodes.
 	// should match the AvailabilityZones of the provided Subnets.
 	// a machinepool will be created for each availabilityZone.
-	AvailabilityZones []string `json:"availabilityZones"`
+	// +optional
+	AvailabilityZones []string `json:"availabilityZones,omitempty"`
 
 	// The AWS Region the cluster lives in.
 	Region string `json:"region"`
@@ -231,6 +233,11 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// ClusterRegistryConfig represents registry config used with the cluster.
 	// +optional
 	ClusterRegistryConfig *RegistryConfig `json:"clusterRegistryConfig,omitempty"`
+
+	// ROSANetworkRef references ROSANetwork custom resource that contains the networking infrastructure
+	// for Rosa HCP cluster
+	// +optional
+	ROSANetworkRef *corev1.LocalObjectReference `json:"rosaNetworkRef,omitempty"`
 }
 
 // RegistryConfig for ROSA-HCP cluster

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -61,6 +61,10 @@ func (*rosaControlPlaneWebhook) ValidateCreate(_ context.Context, obj runtime.Ob
 	allErrs = append(allErrs, r.validateNetwork()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
+	if err := r.validateROSANetwork(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	if len(allErrs) == 0 {
 		return nil, nil
 	}
@@ -179,6 +183,23 @@ func (r *ROSAControlPlane) validateExternalAuthProviders() *field.Error {
 	return nil
 }
 
+func (r *ROSAControlPlane) validateROSANetwork() *field.Error {
+	if r.Spec.ROSANetworkRef != nil {
+		if r.Spec.Subnets != nil {
+			return field.Forbidden(field.NewPath("spec.rosaNetworkRef"), "spec.subnets and spec.rosaNetworkRef are mutually exclusive")
+		}
+		if r.Spec.AvailabilityZones != nil {
+			return field.Forbidden(field.NewPath("spec.rosaNetworkRef"), "spec.availabilityZones and spec.rosaNetworkRef are mutually exclusive")
+		}
+	}
+
+	if r.Spec.ROSANetworkRef == nil && (r.Spec.Subnets == nil || r.Spec.AvailabilityZones == nil) {
+		return field.Required(field.NewPath("spec.subnets"), "spec.subnets and spec.availabilityZones cannot be empty when spec.rosaNetworkRef is unspecified")
+	}
+
+	return nil
+}
+
 // Default implements admission.Defaulter.
 func (*rosaControlPlaneWebhook) Default(_ context.Context, obj runtime.Object) error {
 	r, ok := obj.(*ROSAControlPlane)