feat: support IPAM Manager for VPC creation

Author: MaxFedotov

api/v1beta1/awscluster_conversion.go

@@ -54,6 +54,14 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Network.SecurityGroups[role] = sg
 	}
 
+	if restored.Spec.NetworkSpec.VPC.IPAMPool != nil {
+		if dst.Spec.NetworkSpec.VPC.IPAMPool == nil {
+			dst.Spec.NetworkSpec.VPC.IPAMPool = &infrav2.IPAMPool{}
+		}
+
+		restoreIPAMPool(restored.Spec.NetworkSpec.VPC.IPAMPool, dst.Spec.NetworkSpec.VPC.IPAMPool)
+	}
+
 	return nil
 }
 
@@ -66,6 +74,14 @@ func restoreControlPlaneLoadBalancerStatus(restored, dst *infrav2.LoadBalancer)
 	dst.ELBListeners = restored.ELBListeners
 }
 
+// restoreIPAMPool manually restores the ipam pool data.
+// Assumes restored and dst are non-nil.
+func restoreIPAMPool(restored, dst *infrav2.IPAMPool) {
+	dst.ID = restored.ID
+	dst.Name = restored.Name
+	dst.NetmaskLength = restored.NetmaskLength
+}
+
 // restoreControlPlaneLoadBalancer manually restores the control plane loadbalancer data.
 // Assumes restored and dst are non-nil.
 func restoreControlPlaneLoadBalancer(restored, dst *infrav2.AWSLoadBalancerSpec) {

api/v1beta1/conversion.go

@@ -82,3 +82,7 @@ func Convert_v1beta2_LoadBalancer_To_v1beta1_ClassicELB(in *v1beta2.LoadBalancer
 func Convert_v1beta2_IngressRule_To_v1beta1_IngressRule(in *v1beta2.IngressRule, out *IngressRule, s conversion.Scope) error {
 	return autoConvert_v1beta2_IngressRule_To_v1beta1_IngressRule(in, out, s)
 }
+
+func Convert_v1beta2_VPCSpec_To_v1beta1_VPCSpec(in *v1beta2.VPCSpec, out *VPCSpec, s conversion.Scope) error {
+	return autoConvert_v1beta2_VPCSpec_To_v1beta1_VPCSpec(in, out, s)
+}

api/v1beta1/zz_generated.conversion.go

@@ -189,6 +189,15 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("subnets"), r.Spec.NetworkSpec.Subnets, "IPv6 cannot be used with unmanaged clusters at this time."))
 		}
 	}
+
+	if r.Spec.NetworkSpec.VPC.CidrBlock != "" && r.Spec.NetworkSpec.VPC.IPAMPool != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("cidrBlock"), r.Spec.NetworkSpec.VPC.CidrBlock, "cidrBlock and ipamPool cannot be used together"))
+	}
+
+	if r.Spec.NetworkSpec.VPC.IPAMPool != nil && r.Spec.NetworkSpec.VPC.IPAMPool.ID == "" && r.Spec.NetworkSpec.VPC.IPAMPool.Name == "" {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("ipamPool"), r.Spec.NetworkSpec.VPC.IPAMPool, "ipamPool must have either id or name"))
+	}
+
 	return allErrs
 }
 

api/v1beta2/awscluster_webhook.go

@@ -335,6 +335,33 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "rejects cidrBlock and ipamPool if set together",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+							IPAMPool:  &IPAMPool{},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects ipamPool if id or name not set",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							IPAMPool: &IPAMPool{},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

api/v1beta2/awscluster_webhook_test.go

@@ -245,6 +245,18 @@ type IPv6 struct {
 	EgressOnlyInternetGatewayID *string `json:"egressOnlyInternetGatewayId,omitempty"`
 }
 
+// IPAMPool defines the IPAM pool to be used for VPC.
+type IPAMPool struct {
+	// ID is the ID of the IPAM pool this provider should use to create VPC.
+	ID string `json:"id,omitempty"`
+	// Name is the name of the IPAM pool this provider should use to create VPC.
+	Name string `json:"name,omitempty"`
+	// The netmask length of the IPv4 CIDR you want to allocate to VPC from
+	// an Amazon VPC IP Address Manager (IPAM) pool.
+	// Defaults to /16 for IPv4 if not specified.
+	NetmaskLength int64 `json:"netmaskLength,omitempty"`
+}
+
 // VPCSpec configures an AWS VPC.
 type VPCSpec struct {
 	// ID is the vpc-id of the VPC this provider should use to create resources.
@@ -254,6 +266,9 @@ type VPCSpec struct {
 	// Defaults to 10.0.0.0/16.
 	CidrBlock string `json:"cidrBlock,omitempty"`
 
+	// IPAMPool defines the IPAM pool to be used for VPC.
+	IPAMPool *IPAMPool `json:"ipamPool,omitempty"`
+
 	// IPv6 contains ipv6 specific settings for the network. Supported only in managed clusters.
 	// This field cannot be set on AWSCluster object.
 	// +optional

api/v1beta2/network_types.go

@@ -81,6 +81,8 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 			Effect:   iamv1.EffectAllow,
 			Resource: iamv1.Resources{iamv1.Any},
 			Action: iamv1.Actions{
+				"ec2:DescribeIpamPools",
+				"ec2:AllocateIpamPoolCidr",
 				"ec2:AttachNetworkInterface",
 				"ec2:DetachNetworkInterface",
 				"ec2:AllocateAddress",

api/v1beta2/zz_generated.deepcopy.go

@@ -140,6 +140,8 @@ Resources:
       PolicyDocument:
         Statement:
         - Action:
+          - ec2:DescribeIpamPools
+          - ec2:AllocateIpamPoolCidr
           - ec2:AttachNetworkInterface
           - ec2:DetachNetworkInterface
           - ec2:AllocateAddress

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -140,6 +140,8 @@ Resources:
       PolicyDocument:
         Statement:
         - Action:
+          - ec2:DescribeIpamPools
+          - ec2:AllocateIpamPoolCidr
           - ec2:AttachNetworkInterface
           - ec2:DetachNetworkInterface
           - ec2:AllocateAddress