Merge pull request #3044 from adriananeci/add-support-for-private-link

Add support for private endpoints

Author: k8s-ci-robot

api/v1alpha3/azurecluster_conversion.go

@@ -104,8 +104,8 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error {
 			}
 			dst.Spec.NetworkSpec.Subnets[i].SecurityGroup.SecurityRules = append(dst.Spec.NetworkSpec.Subnets[i].SecurityGroup.SecurityRules, restoredOutboundRules...)
 			dst.Spec.NetworkSpec.Subnets[i].NatGateway = restoredSubnet.NatGateway
-
 			dst.Spec.NetworkSpec.Subnets[i].ServiceEndpoints = restoredSubnet.ServiceEndpoints
+			dst.Spec.NetworkSpec.Subnets[i].PrivateEndpoints = restoredSubnet.PrivateEndpoints
 
 			break
 		}

api/v1alpha3/azuremanagedcontrolplane_conversion.go

@@ -43,6 +43,7 @@ func (src *AzureManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.AddonProfiles = restored.Spec.AddonProfiles
 	dst.Spec.VirtualNetwork.ResourceGroup = restored.Spec.VirtualNetwork.ResourceGroup
 	dst.Spec.VirtualNetwork.Subnet.ServiceEndpoints = restored.Spec.VirtualNetwork.Subnet.ServiceEndpoints
+	dst.Spec.VirtualNetwork.Subnet.PrivateEndpoints = restored.Spec.VirtualNetwork.Subnet.PrivateEndpoints
 	dst.Spec.AutoScalerProfile = restored.Spec.AutoScalerProfile
 	dst.Spec.OutboundType = restored.Spec.OutboundType
 

api/v1alpha3/zz_generated.conversion.go

@@ -70,17 +70,18 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error {
 		}
 	}
 
-	// Restore NAT Gateway IP tags and ServiceEndpoints.
+	// Restore NAT Gateway IP tags, ServiceEndpoints and PrivateEndpoints.
 	for _, restoredSubnet := range restored.Spec.NetworkSpec.Subnets {
 		for i, dstSubnet := range dst.Spec.NetworkSpec.Subnets {
 			if dstSubnet.Name == restoredSubnet.Name {
 				dst.Spec.NetworkSpec.Subnets[i].NatGateway.NatGatewayIP.IPTags = restoredSubnet.NatGateway.NatGatewayIP.IPTags
 				dst.Spec.NetworkSpec.Subnets[i].ServiceEndpoints = restoredSubnet.ServiceEndpoints
+				dst.Spec.NetworkSpec.Subnets[i].PrivateEndpoints = restoredSubnet.PrivateEndpoints
 			}
 		}
 	}
 
-	// Restore Azure Bastion IP tags.
+	// Restore Azure Bastion IP tags, ServiceEndpoints and PrivateEndpoints.
 	if restored.Spec.BastionSpec.AzureBastion != nil && dst.Spec.BastionSpec.AzureBastion != nil {
 		if restored.Spec.BastionSpec.AzureBastion.PublicIP.Name == dst.Spec.BastionSpec.AzureBastion.PublicIP.Name {
 			dst.Spec.BastionSpec.AzureBastion.PublicIP.IPTags = restored.Spec.BastionSpec.AzureBastion.PublicIP.IPTags
@@ -89,6 +90,7 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error {
 			dst.Spec.BastionSpec.AzureBastion.Subnet.NatGateway.NatGatewayIP.IPTags = restored.Spec.BastionSpec.AzureBastion.Subnet.NatGateway.NatGatewayIP.IPTags
 		}
 		dst.Spec.BastionSpec.AzureBastion.Subnet.ServiceEndpoints = restored.Spec.BastionSpec.AzureBastion.Subnet.ServiceEndpoints
+		dst.Spec.BastionSpec.AzureBastion.Subnet.PrivateEndpoints = restored.Spec.BastionSpec.AzureBastion.Subnet.PrivateEndpoints
 	}
 
 	// Restore load balancers' backend pool name

api/v1alpha4/azurecluster_conversion.go

@@ -40,6 +40,7 @@ func (src *AzureManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Status.Conditions = restored.Status.Conditions
 	dst.Spec.VirtualNetwork.ResourceGroup = restored.Spec.VirtualNetwork.ResourceGroup
 	dst.Spec.VirtualNetwork.Subnet.ServiceEndpoints = restored.Spec.VirtualNetwork.Subnet.ServiceEndpoints
+	dst.Spec.VirtualNetwork.Subnet.PrivateEndpoints = restored.Spec.VirtualNetwork.Subnet.PrivateEndpoints
 	dst.Spec.AutoScalerProfile = restored.Spec.AutoScalerProfile
 	dst.Spec.OutboundType = restored.Spec.OutboundType
 

api/v1alpha4/azuremanagedcontrolplane_conversion.go

@@ -55,6 +55,10 @@ const (
 	serviceEndpointServiceRegexPattern = `^Microsoft\.[a-zA-Z]{1,42}[a-zA-Z0-9]{0,42}$`
 	// Must start with an alpha character and then can include alnum OR be only *.
 	serviceEndpointLocationRegexPattern = `^([a-z]{1,42}\d{0,5}|[*])$`
+	// described in https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules.
+	privateEndpointRegex = `^[-\w\._]+$`
+	// resource ID Pattern.
+	resourceIDPattern = `(?i)subscriptions/(.+)/resourceGroups/(.+)/providers/(.+?)/(.+?)/(.+)`
 )
 
 var (
@@ -207,6 +211,10 @@ func validateSubnets(subnets Subnets, vnet VnetSpec, fldPath *field.Path) field.
 		if len(subnet.ServiceEndpoints) > 0 {
 			allErrs = append(allErrs, validateServiceEndpoints(subnet.ServiceEndpoints, fldPath.Index(i).Child("serviceEndpoints"))...)
 		}
+
+		if len(subnet.PrivateEndpoints) > 0 {
+			allErrs = append(allErrs, validatePrivateEndpoints(subnet.PrivateEndpoints, subnet.CIDRBlocks, fldPath.Index(i).Child("privateEndpoints"))...)
+		}
 	}
 	for k, v := range requiredSubnetRoles {
 		if !v {
@@ -611,3 +619,82 @@ func validateServiceEndpointLocationName(location string, fldPath *field.Path) *
 	}
 	return nil
 }
+
+func validatePrivateEndpoints(privateEndpointSpecs []PrivateEndpointSpec, subnetCIDRs []string, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	for i, pe := range privateEndpointSpecs {
+		if err := validatePrivateEndpointName(pe.Name, fldPath.Index(i).Child("name")); err != nil {
+			allErrs = append(allErrs, err)
+		}
+
+		if len(pe.PrivateLinkServiceConnections) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), pe.PrivateLinkServiceConnections, "privateLinkServiceConnections cannot be empty"))
+		}
+
+		for j, privateLinkServiceConnection := range pe.PrivateLinkServiceConnections {
+			if privateLinkServiceConnection.PrivateLinkServiceID == "" {
+				allErrs = append(allErrs, field.Required(fldPath.Index(i).Child("privateLinkServiceConnections").Index(j), "privateLinkServiceID is required for all privateLinkServiceConnections in private endpoints"))
+			} else {
+				if err := validatePrivateEndpointPrivateLinkServiceConnection(privateLinkServiceConnection, fldPath.Index(i).Child("privateLinkServiceConnections").Index(j)); err != nil {
+					allErrs = append(allErrs, err)
+				}
+			}
+		}
+
+		for _, privateIP := range pe.PrivateIPAddresses {
+			if err := validatePrivateEndpointIPAddress(privateIP, subnetCIDRs, fldPath.Index(i).Child("privateIPAddresses")); err != nil {
+				allErrs = append(allErrs, err)
+			}
+		}
+	}
+
+	return allErrs
+}
+
+// validatePrivateEndpointName validates the Name of a Private Endpoint.
+func validatePrivateEndpointName(name string, fldPath *field.Path) *field.Error {
+	if name == "" {
+		return field.Invalid(fldPath, name, "name of private endpoint cannot be empty")
+	}
+
+	if success, _ := regexp.MatchString(privateEndpointRegex, name); !success {
+		return field.Invalid(fldPath, name,
+			fmt.Sprintf("name of private endpoint doesn't match regex %s", privateEndpointRegex))
+	}
+	return nil
+}
+
+// validatePrivateEndpointServiceID validates the service ID of a Private Endpoint.
+func validatePrivateEndpointPrivateLinkServiceConnection(privateLinkServiceConnection PrivateLinkServiceConnection, fldPath *field.Path) *field.Error {
+	if success, _ := regexp.MatchString(resourceIDPattern, privateLinkServiceConnection.PrivateLinkServiceID); !success {
+		return field.Invalid(fldPath, privateLinkServiceConnection.PrivateLinkServiceID,
+			fmt.Sprintf("private endpoint privateLinkServiceConnection service ID doesn't match regex %s", resourceIDPattern))
+	}
+	if privateLinkServiceConnection.Name != "" {
+		if success, _ := regexp.MatchString(privateEndpointRegex, privateLinkServiceConnection.Name); !success {
+			return field.Invalid(fldPath, privateLinkServiceConnection.Name,
+				fmt.Sprintf("private endpoint privateLinkServiceConnection name doesn't match regex %s", privateEndpointRegex))
+		}
+	}
+	return nil
+}
+
+// validatePrivateEndpointIPAddress validates a Private Endpoint IP Address.
+func validatePrivateEndpointIPAddress(address string, cidrs []string, fldPath *field.Path) *field.Error {
+	ip := net.ParseIP(address)
+	if ip == nil {
+		return field.Invalid(fldPath, address,
+			"Private Endpoint IP address isn't a valid IPv4 or IPv6 address")
+	}
+
+	for _, cidr := range cidrs {
+		_, subnet, _ := net.ParseCIDR(cidr)
+		if subnet != nil && subnet.Contains(ip) {
+			return nil
+		}
+	}
+
+	return field.Invalid(fldPath, address,
+		fmt.Sprintf("Private Endpoint IP address needs to be in subnet range (%s)", cidrs))
+}

api/v1alpha4/zz_generated.conversion.go

@@ -245,6 +245,10 @@ type ManagedControlPlaneSubnet struct {
 	// ServiceEndpoints is a slice of Virtual Network service endpoints to enable for the subnets.
 	// +optional
 	ServiceEndpoints ServiceEndpoints `json:"serviceEndpoints,omitempty"`
+
+	// PrivateEndpoints is a slice of Virtual Network private endpoints to create for the subnets.
+	// +optional
+	PrivateEndpoints PrivateEndpoints `json:"privateEndpoints,omitempty"`
 }
 
 // AzureManagedControlPlaneStatus defines the observed state of AzureManagedControlPlane.

api/v1beta1/azurecluster_validation.go

@@ -255,7 +255,7 @@ func (m *AzureManagedControlPlane) ValidateDelete(_ client.Client) error {
 	return nil
 }
 
-// Validate the Azure Machine Pool and return an aggregate error.
+// Validate the Azure Managed Control Plane and return an aggregate error.
 func (m *AzureManagedControlPlane) Validate(cli client.Client) error {
 	validators := []func(client client.Client) error{
 		m.validateName,
@@ -434,6 +434,10 @@ func (m *AzureManagedControlPlane) validateManagedClusterNetwork(cli client.Clie
 		}
 	}
 
+	if errs := validatePrivateEndpoints(m.Spec.VirtualNetwork.Subnet.PrivateEndpoints, []string{m.Spec.VirtualNetwork.Subnet.CIDRBlock}, field.NewPath("Spec", "VirtualNetwork.Subnet.PrivateEndpoints")); len(errs) > 0 {
+		allErrs = append(allErrs, errs...)
+	}
+
 	if len(allErrs) > 0 {
 		return kerrors.NewAggregate(allErrs.ToAggregate().Errors())
 	}
@@ -471,7 +475,7 @@ func (m *AzureManagedControlPlane) validateAPIServerAccessProfileUpdate(old *Azu
 	return allErrs
 }
 
-// validateVirtualNetworkUpdate validates update to APIServerAccessProfile.
+// validateVirtualNetworkUpdate validates update to VirtualNetwork.
 func (m *AzureManagedControlPlane) validateVirtualNetworkUpdate(old *AzureManagedControlPlane) field.ErrorList {
 	var allErrs field.ErrorList
 	if old.Spec.VirtualNetwork.Name != m.Spec.VirtualNetwork.Name {

api/v1beta1/azuremanagedcontrolplane_types.go

@@ -128,6 +128,8 @@ const (
 	DisksReadyCondition clusterv1.ConditionType = "DisksReady"
 	// NetworkInterfaceReadyCondition means the network interfaces exist and are ready to be used.
 	NetworkInterfaceReadyCondition clusterv1.ConditionType = "NetworkInterfacesReady"
+	// PrivateEndpointsReadyCondition means the private endpoints exist and are ready to be used.
+	PrivateEndpointsReadyCondition clusterv1.ConditionType = "PrivateEndpointsReady"
 
 	// CreatingReason means the resource is being created.
 	CreatingReason = "Creating"