Merge pull request #4898 from AndiDog/secondary-vpc-cidr

✨ Support adding custom secondary VPC CIDR blocks in `AWSCluster`

Author: k8s-ci-robot

api/v1beta1/awscluster_conversion.go

@@ -106,6 +106,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.NetworkSpec.VPC.PrivateDNSHostnameTypeOnLaunch = restored.Spec.NetworkSpec.VPC.PrivateDNSHostnameTypeOnLaunch
 	dst.Spec.NetworkSpec.VPC.CarrierGatewayID = restored.Spec.NetworkSpec.VPC.CarrierGatewayID
 	dst.Spec.NetworkSpec.VPC.SubnetSchema = restored.Spec.NetworkSpec.VPC.SubnetSchema
+	dst.Spec.NetworkSpec.VPC.SecondaryCidrBlocks = restored.Spec.NetworkSpec.VPC.SecondaryCidrBlocks
 
 	if restored.Spec.NetworkSpec.VPC.ElasticIPPool != nil {
 		if dst.Spec.NetworkSpec.VPC.ElasticIPPool == nil {

api/v1beta1/zz_generated.conversion.go

@@ -283,6 +283,14 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 		}
 	}
 
+	secondaryCidrBlocks := r.Spec.NetworkSpec.VPC.SecondaryCidrBlocks
+	secondaryCidrBlocksField := field.NewPath("spec", "network", "vpc", "secondaryCidrBlocks")
+	for _, cidrBlock := range secondaryCidrBlocks {
+		if r.Spec.NetworkSpec.VPC.CidrBlock != "" && r.Spec.NetworkSpec.VPC.CidrBlock == cidrBlock.IPv4CidrBlock {
+			allErrs = append(allErrs, field.Invalid(secondaryCidrBlocksField, secondaryCidrBlocks, fmt.Sprintf("AWSCluster.spec.network.vpc.secondaryCidrBlocks must not contain the primary AWSCluster.spec.network.vpc.cidrBlock %v", r.Spec.NetworkSpec.VPC.CidrBlock)))
+		}
+	}
+
 	return allErrs
 }
 

api/v1beta2/awscluster_webhook.go

@@ -388,6 +388,13 @@ type IPAMPool struct {
 	NetmaskLength int64 `json:"netmaskLength,omitempty"`
 }
 
+// VpcCidrBlock defines the CIDR block and settings to associate with the managed VPC. Currently, only IPv4 is supported.
+type VpcCidrBlock struct {
+	// IPv4CidrBlock is the IPv4 CIDR block to associate with the managed VPC.
+	// +kubebuilder:validation:MinLength=1
+	IPv4CidrBlock string `json:"ipv4CidrBlock"`
+}
+
 // VPCSpec configures an AWS VPC.
 type VPCSpec struct {
 	// ID is the vpc-id of the VPC this provider should use to create resources.
@@ -398,6 +405,12 @@ type VPCSpec struct {
 	// Mutually exclusive with IPAMPool.
 	CidrBlock string `json:"cidrBlock,omitempty"`
 
+	// SecondaryCidrBlocks are additional CIDR blocks to be associated when the provider creates a managed VPC.
+	// Defaults to none. Mutually exclusive with IPAMPool. This makes sense to use if, for example, you want to use
+	// a separate IP range for pods (e.g. Cilium ENI mode).
+	// +optional
+	SecondaryCidrBlocks []VpcCidrBlock `json:"secondaryCidrBlocks,omitempty"`
+
 	// IPAMPool defines the IPAMv4 pool to be used for VPC.
 	// Mutually exclusive with CidrBlock.
 	IPAMPool *IPAMPool `json:"ipamPool,omitempty"`

api/v1beta2/network_types.go

@@ -90,6 +90,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:AssignPrivateIpAddresses",
 				"ec2:UnassignPrivateIpAddresses",
 				"ec2:AssociateRouteTable",
+				"ec2:AssociateVpcCidrBlock",
 				"ec2:AttachInternetGateway",
 				"ec2:AuthorizeSecurityGroupIngress",
 				"ec2:CreateCarrierGateway",
@@ -104,6 +105,7 @@ func (t Template) ControllersPolicy() *iamv1.PolicyDocument {
 				"ec2:CreateTags",
 				"ec2:CreateVpc",
 				"ec2:CreateVpcEndpoint",
+				"ec2:DisassociateVpcCidrBlock",
 				"ec2:ModifyVpcAttribute",
 				"ec2:ModifyVpcEndpoint",
 				"ec2:DeleteCarrierGateway",

api/v1beta2/zz_generated.deepcopy.go

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml

@@ -155,6 +155,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -169,6 +170,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml

@@ -149,6 +149,7 @@ Resources:
           - ec2:AssignPrivateIpAddresses
           - ec2:UnassignPrivateIpAddresses
           - ec2:AssociateRouteTable
+          - ec2:AssociateVpcCidrBlock
           - ec2:AttachInternetGateway
           - ec2:AuthorizeSecurityGroupIngress
           - ec2:CreateCarrierGateway
@@ -163,6 +164,7 @@ Resources:
           - ec2:CreateTags
           - ec2:CreateVpc
           - ec2:CreateVpcEndpoint
+          - ec2:DisassociateVpcCidrBlock
           - ec2:ModifyVpcAttribute
           - ec2:ModifyVpcEndpoint
           - ec2:DeleteCarrierGateway