feat: create vpc objects in explicitly provided availability zones

synthe102 · synthe102 · commit d9b6061b7b16 · 2025-07-28T12:23:34.000Z
diff --git a/api/v1beta1/awscluster_conversion.go b/api/v1beta1/awscluster_conversion.go
@@ -90,6 +90,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.NetworkSpec.AdditionalControlPlaneIngressRules = restored.Spec.NetworkSpec.AdditionalControlPlaneIngressRules
 	dst.Spec.NetworkSpec.AdditionalNodeIngressRules = restored.Spec.NetworkSpec.AdditionalNodeIngressRules
 	dst.Spec.NetworkSpec.NodePortIngressRuleCidrBlocks = restored.Spec.NetworkSpec.NodePortIngressRuleCidrBlocks
+	dst.Spec.NetworkSpec.VPC.AvailabilityZones = restored.Spec.NetworkSpec.VPC.AvailabilityZones
 
 	if restored.Spec.NetworkSpec.VPC.IPAMPool != nil {
 		if dst.Spec.NetworkSpec.VPC.IPAMPool == nil {
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awscluster_webhook.go b/api/v1beta2/awscluster_webhook.go
@@ -356,6 +356,10 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 		}
 	}
 
+	if err := r.Spec.NetworkSpec.VPC.ValidateAvailabilityZones(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	return allErrs
 }
 
diff --git a/api/v1beta2/defaults.go b/api/v1beta2/defaults.go
@@ -18,6 +18,7 @@ package v1beta2
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 
 	clusterv1 "sigs.k8s.io/cluster-api/cmd/clusterctl/api/v1alpha3"
 )
@@ -51,6 +52,15 @@ func SetDefaults_NetworkSpec(obj *NetworkSpec) { //nolint:golint,stylecheck
 			},
 		}
 	}
+	// If AvailabilityZones are not set, set defaults for AZ selection
+	if obj.VPC.AvailabilityZones == nil {
+		if obj.VPC.AvailabilityZoneUsageLimit == nil {
+			obj.VPC.AvailabilityZoneUsageLimit = ptr.To(3)
+		}
+		if obj.VPC.AvailabilityZoneSelection == nil {
+			obj.VPC.AvailabilityZoneSelection = &AZSelectionSchemeOrdered
+		}
+	}
 }
 
 // SetDefaults_AWSClusterSpec is used by defaulter-gen.
diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 )
 
@@ -454,7 +455,7 @@ type VPCSpec struct {
 	// should be used in a region when automatically creating subnets. If a region has more
 	// than this number of AZs then this number of AZs will be picked randomly when creating
 	// default subnets. Defaults to 3
-	// +kubebuilder:default=3
+	// +optional
 	// +kubebuilder:validation:Minimum=1
 	AvailabilityZoneUsageLimit *int `json:"availabilityZoneUsageLimit,omitempty"`
 
@@ -463,10 +464,16 @@ type VPCSpec struct {
 	// Ordered - selects based on alphabetical order
 	// Random - selects AZs randomly in a region
 	// Defaults to Ordered
-	// +kubebuilder:default=Ordered
+	// +optional
 	// +kubebuilder:validation:Enum=Ordered;Random
 	AvailabilityZoneSelection *AZSelectionScheme `json:"availabilityZoneSelection,omitempty"`
 
+	// AvailabilityZones defines a list of Availability Zones in which to create network resources in.
+	// Cannot be defined at the same time as AvailabilityZoneSelection and AvailabilityZoneUsageLimit.
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	AvailabilityZones []string `json:"availabilityZones,omitempty"`
+
 	// EmptyRoutesDefaultVPCSecurityGroup specifies whether the default VPC security group ingress
 	// and egress rules should be removed.
 	//
@@ -539,6 +546,15 @@ func (v *VPCSpec) GetPublicIpv4Pool() *string {
 	return nil
 }
 
+// ValidateAvailabilityZones returns an error if the availability zones field combination is invalid.
+func (v *VPCSpec) ValidateAvailabilityZones() *field.Error {
+	if len(v.AvailabilityZones) > 0 && (v.AvailabilityZoneSelection != nil || v.AvailabilityZoneUsageLimit != nil) {
+		availabilityZonesField := field.NewPath("spec", "network", "vpc", "availabilityZones")
+		return field.Invalid(availabilityZonesField, v.AvailabilityZoneSelection, "availabilityZones cannot be set if availabilityZoneUsageLimit and availabilityZoneSelection are set")
+	}
+	return nil
+}
+
 // SubnetSpec configures an AWS Subnet.
 type SubnetSpec struct {
 	// ID defines a unique identifier to reference this resource.
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -674,7 +674,6 @@ spec:
                     description: VPC configuration.
                     properties:
                       availabilityZoneSelection:
-                        default: Ordered
                         description: |-
                           AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs
                           in a region than specified by AvailabilityZoneUsageLimit. There are 2 selection schemes:
@@ -686,14 +685,21 @@ spec:
                         - Random
                         type: string
                       availabilityZoneUsageLimit:
-                        default: 3
                         description: |-
                           AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that
                           should be used in a region when automatically creating subnets. If a region has more
                           than this number of AZs then this number of AZs will be picked randomly when creating
                           default subnets. Defaults to 3
                         minimum: 1
                         type: integer
+                      availabilityZones:
+                        description: |-
+                          AvailabilityZones defines a list of Availability Zones in which to create network resources in.
+                          Cannot be defined at the same time as AvailabilityZoneSelection and AvailabilityZoneUsageLimit.
+                        items:
+                          type: string
+                        minItems: 1
+                        type: array
                       carrierGatewayId:
                         description: |-
                           CarrierGatewayID is the id of the internet gateway associated with the VPC,
@@ -2813,7 +2819,6 @@ spec:
                     description: VPC configuration.
                     properties:
                       availabilityZoneSelection:
-                        default: Ordered
                         description: |-
                           AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs
                           in a region than specified by AvailabilityZoneUsageLimit. There are 2 selection schemes:
@@ -2825,14 +2830,21 @@ spec:
                         - Random
                         type: string
                       availabilityZoneUsageLimit:
-                        default: 3
                         description: |-
                           AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that
                           should be used in a region when automatically creating subnets. If a region has more
                           than this number of AZs then this number of AZs will be picked randomly when creating
                           default subnets. Defaults to 3
                         minimum: 1
                         type: integer
+                      availabilityZones:
+                        description: |-
+                          AvailabilityZones defines a list of Availability Zones in which to create network resources in.
+                          Cannot be defined at the same time as AvailabilityZoneSelection and AvailabilityZoneUsageLimit.
+                        items:
+                          type: string
+                        minItems: 1
+                        type: array
                       carrierGatewayId:
                         description: |-
                           CarrierGatewayID is the id of the internet gateway associated with the VPC,
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -1626,7 +1626,6 @@ spec:
                     description: VPC configuration.
                     properties:
                       availabilityZoneSelection:
-                        default: Ordered
                         description: |-
                           AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs
                           in a region than specified by AvailabilityZoneUsageLimit. There are 2 selection schemes:
@@ -1638,14 +1637,21 @@ spec:
                         - Random
                         type: string
                       availabilityZoneUsageLimit:
-                        default: 3
                         description: |-
                           AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that
                           should be used in a region when automatically creating subnets. If a region has more
                           than this number of AZs then this number of AZs will be picked randomly when creating
                           default subnets. Defaults to 3
                         minimum: 1
                         type: integer
+                      availabilityZones:
+                        description: |-
+                          AvailabilityZones defines a list of Availability Zones in which to create network resources in.
+                          Cannot be defined at the same time as AvailabilityZoneSelection and AvailabilityZoneUsageLimit.
+                        items:
+                          type: string
+                        minItems: 1
+                        type: array
                       carrierGatewayId:
                         description: |-
                           CarrierGatewayID is the id of the internet gateway associated with the VPC,
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -1214,7 +1214,6 @@ spec:
                             description: VPC configuration.
                             properties:
                               availabilityZoneSelection:
-                                default: Ordered
                                 description: |-
                                   AvailabilityZoneSelection specifies how AZs should be selected if there are more AZs
                                   in a region than specified by AvailabilityZoneUsageLimit. There are 2 selection schemes:
@@ -1226,14 +1225,21 @@ spec:
                                 - Random
                                 type: string
                               availabilityZoneUsageLimit:
-                                default: 3
                                 description: |-
                                   AvailabilityZoneUsageLimit specifies the maximum number of availability zones (AZ) that
                                   should be used in a region when automatically creating subnets. If a region has more
                                   than this number of AZs then this number of AZs will be picked randomly when creating
                                   default subnets. Defaults to 3
                                 minimum: 1
                                 type: integer
+                              availabilityZones:
+                                description: |-
+                                  AvailabilityZones defines a list of Availability Zones in which to create network resources in.
+                                  Cannot be defined at the same time as AvailabilityZoneSelection and AvailabilityZoneUsageLimit.
+                                items:
+                                  type: string
+                                minItems: 1
+                                type: array
                               carrierGatewayId:
                                 description: |-
                                   CarrierGatewayID is the id of the internet gateway associated with the VPC,
diff --git a/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go b/controlplane/eks/api/v1beta2/awsmanagedcontrolplane_webhook.go
@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -489,6 +490,10 @@ func (r *AWSManagedControlPlane) validateNetwork() field.ErrorList {
 		allErrs = append(allErrs, field.Invalid(ipamPoolField, r.Spec.NetworkSpec.VPC.IPv6.IPAMPool, "ipamPool must have either id or name"))
 	}
 
+	if err := r.Spec.NetworkSpec.VPC.ValidateAvailabilityZones(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	return allErrs
 }
 
@@ -520,6 +525,16 @@ func (*awsManagedControlPlaneWebhook) Default(_ context.Context, obj runtime.Obj
 		}
 	}
 
+	// If AvailabilityZones are not set, set defaults for AZ selection
+	if r.Spec.NetworkSpec.VPC.AvailabilityZones == nil {
+		if r.Spec.NetworkSpec.VPC.AvailabilityZoneUsageLimit == nil {
+			r.Spec.NetworkSpec.VPC.AvailabilityZoneUsageLimit = ptr.To(3)
+		}
+		if r.Spec.NetworkSpec.VPC.AvailabilityZoneSelection == nil {
+			r.Spec.NetworkSpec.VPC.AvailabilityZoneSelection = &infrav1.AZSelectionSchemeOrdered
+		}
+	}
+
 	infrav1.SetDefaults_Bastion(&r.Spec.Bastion)
 	infrav1.SetDefaults_NetworkSpec(&r.Spec.NetworkSpec)
 
diff --git a/pkg/cloud/services/network/subnets.go b/pkg/cloud/services/network/subnets.go
@@ -237,32 +237,18 @@ func (s *Service) reconcileZoneInfo(subnets infrav1.Subnets) error {
 }
 
 func (s *Service) getDefaultSubnets() (infrav1.Subnets, error) {
-	zones, err := s.getAvailableZones()
-	if err != nil {
-		return nil, err
-	}
-
-	maxZones := defaultMaxNumAZs
-	if s.scope.VPC().AvailabilityZoneUsageLimit != nil {
-		maxZones = *s.scope.VPC().AvailabilityZoneUsageLimit
-	}
-	selectionScheme := infrav1.AZSelectionSchemeOrdered
-	if s.scope.VPC().AvailabilityZoneSelection != nil {
-		selectionScheme = *s.scope.VPC().AvailabilityZoneSelection
-	}
+	var (
+		// By default, take the set availability zones. If they are not defined,
+		// fall back to `availabilityZoneUsageLimit`/`availabilityZoneSelection`
+		zones = s.scope.VPC().AvailabilityZones
+		err   error
+	)
 
-	if len(zones) > maxZones {
-		s.scope.Debug("region has more than AvailabilityZoneUsageLimit availability zones, picking zones to use", "region", s.scope.Region(), "AvailabilityZoneUsageLimit", maxZones)
-		if selectionScheme == infrav1.AZSelectionSchemeRandom {
-			rand.Shuffle(len(zones), func(i, j int) {
-				zones[i], zones[j] = zones[j], zones[i]
-			})
-		}
-		if selectionScheme == infrav1.AZSelectionSchemeOrdered {
-			sort.Strings(zones)
+	if len(zones) == 0 {
+		zones, err = s.selectZones()
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to select availability zones")
 		}
-		zones = zones[:maxZones]
-		s.scope.Debug("zones selected", "region", s.scope.Region(), "zones", zones)
 	}
 
 	// 1 private subnet for each AZ plus 1 other subnet that will be further sub-divided for the public subnets or vice versa if
@@ -352,6 +338,39 @@ func (s *Service) getDefaultSubnets() (infrav1.Subnets, error) {
 	return subnets, nil
 }
 
+func (s *Service) selectZones() ([]string, error) {
+	zones, err := s.getAvailableZones()
+	if err != nil {
+		return nil, err
+	}
+
+	maxZones := defaultMaxNumAZs
+	if s.scope.VPC().AvailabilityZoneUsageLimit != nil {
+		maxZones = *s.scope.VPC().AvailabilityZoneUsageLimit
+	}
+	selectionScheme := infrav1.AZSelectionSchemeOrdered
+	if s.scope.VPC().AvailabilityZoneSelection != nil {
+		selectionScheme = *s.scope.VPC().AvailabilityZoneSelection
+	}
+
+	if len(zones) > maxZones {
+		s.scope.Debug("region has more than AvailabilityZoneUsageLimit availability zones, picking zones to use", "region", s.scope.Region(), "AvailabilityZoneUsageLimit", maxZones)
+		switch selectionScheme {
+		case infrav1.AZSelectionSchemeRandom:
+			rand.Shuffle(len(zones), func(i, j int) {
+				zones[i], zones[j] = zones[j], zones[i]
+			})
+		case infrav1.AZSelectionSchemeOrdered:
+			sort.Strings(zones)
+		default:
+		}
+		zones = zones[:maxZones]
+		s.scope.Debug("zones selected", "region", s.scope.Region(), "zones", zones)
+	}
+
+	return zones, nil
+}
+
 func (s *Service) deleteSubnets() error {
 	if s.scope.VPC().IsUnmanaged(s.scope.Name()) {
 		s.scope.Trace("Skipping subnets deletion in unmanaged mode")
diff --git a/pkg/cloud/services/network/subnets_test.go b/pkg/cloud/services/network/subnets_test.go

Original file line number	Diff line number	Diff line change
`@@ -356,6 +356,10 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {`
`356`	`356`	`}`
`357`	`357`	`}`
`358`	`358`
	`359`	`+ if err := r.Spec.NetworkSpec.VPC.ValidateAvailabilityZones(); err != nil {`
	`360`	`+ allErrs = append(allErrs, err)`
	`361`	`+ }`
	`362`	`+`
`359`	`363`	`return allErrs`
`360`	`364`	`}`
`361`	`365`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ package v1beta2`
`18`	`18`
`19`	`19`	`import (`
`20`	`20`	`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
	`21`	`+ "k8s.io/utils/ptr"`
`21`	`22`
`22`	`23`	`clusterv1 "sigs.k8s.io/cluster-api/cmd/clusterctl/api/v1alpha3"`
`23`	`24`	`)`
`@@ -51,6 +52,15 @@ func SetDefaults_NetworkSpec(obj *NetworkSpec) { //nolint:golint,stylecheck`
`51`	`52`	`},`
`52`	`53`	`}`
`53`	`54`	`}`
	`55`	`+ // If AvailabilityZones are not set, set defaults for AZ selection`
	`56`	`+ if obj.VPC.AvailabilityZones == nil {`
	`57`	`+ if obj.VPC.AvailabilityZoneUsageLimit == nil {`
	`58`	`+ obj.VPC.AvailabilityZoneUsageLimit = ptr.To(3)`
	`59`	`+ }`
	`60`	`+ if obj.VPC.AvailabilityZoneSelection == nil {`
	`61`	`+ obj.VPC.AvailabilityZoneSelection = &AZSelectionSchemeOrdered`
	`62`	`+ }`
	`63`	`+ }`
`54`	`64`	`}`
`55`	`65`
`56`	`66`	`// SetDefaults_AWSClusterSpec is used by defaulter-gen.`