💎 Add support to reconcile subnet's Nat Gateway

Author: fiunchinho

api/v1alpha3/azurecluster_conversion.go

@@ -70,6 +70,8 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error { // nolint
 					}
 				}
 				dst.Spec.NetworkSpec.Subnets[i].SecurityGroup.SecurityRules = append(dst.Spec.NetworkSpec.Subnets[i].SecurityGroup.SecurityRules, restoredOutboundRules...)
+				dst.Spec.NetworkSpec.Subnets[i].NatGateway = restoredSubnet.NatGateway
+
 				break
 			}
 		}

api/v1alpha3/zz_generated.conversion.go

@@ -175,6 +175,11 @@ func (c *AzureCluster) setNodeOutboundLBDefaults() {
 		if c.Spec.NetworkSpec.APIServerLB.Type == Internal {
 			return
 		}
+		nodeSubnet, err := c.Spec.NetworkSpec.GetNodeSubnet()
+		// Only one outbound mechanism can be defined, so if Nat Gateway is defined, we don't default the LB.
+		if err == nil && nodeSubnet.NatGateway.Name != "" {
+			return
+		}
 		c.Spec.NetworkSpec.NodeOutboundLB = &LoadBalancerSpec{}
 	}
 

api/v1alpha4/azurecluster_default.go

@@ -123,15 +123,19 @@ func validateNetworkSpec(networkSpec NetworkSpec, old NetworkSpec, fldPath *fiel
 	}
 
 	var cidrBlocks []string
-	subnet, err := networkSpec.GetControlPlaneSubnet()
+	controlPlaneSubnet, err := networkSpec.GetControlPlaneSubnet()
 	if err != nil {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("subnets"), networkSpec.Subnets, "ControlPlaneSubnet invalid"))
 	}
-	cidrBlocks = subnet.CIDRBlocks
+	nodeSubnet, err := networkSpec.GetNodeSubnet()
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("subnets"), networkSpec.Subnets, "NodeSubnet invalid"))
+	}
+	cidrBlocks = controlPlaneSubnet.CIDRBlocks
 
 	allErrs = append(allErrs, validateAPIServerLB(networkSpec.APIServerLB, old.APIServerLB, cidrBlocks, fldPath.Child("apiServerLB"))...)
 
-	allErrs = append(allErrs, validateNodeOutboundLB(networkSpec.NodeOutboundLB, old.NodeOutboundLB, networkSpec.APIServerLB, fldPath.Child("nodeOutboundLB"))...)
+	allErrs = append(allErrs, validateNodeOutboundLB(networkSpec.NodeOutboundLB, old.NodeOutboundLB, networkSpec.APIServerLB, nodeSubnet, fldPath.Child("nodeOutboundLB"))...)
 
 	allErrs = append(allErrs, validatePrivateDNSZoneName(networkSpec, fldPath)...)
 
@@ -349,14 +353,19 @@ func validateAPIServerLB(lb LoadBalancerSpec, old LoadBalancerSpec, cidrs []stri
 	return allErrs
 }
 
-func validateNodeOutboundLB(lb *LoadBalancerSpec, old *LoadBalancerSpec, apiserverLB LoadBalancerSpec, fldPath *field.Path) field.ErrorList {
+func validateNodeOutboundLB(lb *LoadBalancerSpec, old *LoadBalancerSpec, apiserverLB LoadBalancerSpec, nodeSubnet SubnetSpec, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 
 	// LB can be nil when disabled for private clusters.
 	if lb == nil && apiserverLB.Type == Internal {
 		return allErrs
 	}
 
+	// no need to validate LB when using nat gateway.
+	if lb == nil && nodeSubnet.NatGateway.Name != "" {
+		return allErrs
+	}
+
 	if lb == nil {
 		allErrs = append(allErrs, field.Required(fldPath, "Node outbound load balancer cannot be nil for public clusters."))
 		return allErrs

api/v1alpha4/azurecluster_validation.go

@@ -273,10 +273,13 @@ func TestNetworkSpecWithPreexistingVnetLackRequiredSubnets(t *testing.T) {
 
 	t.Run(testCase.name, func(t *testing.T) {
 		errs := validateNetworkSpec(testCase.networkSpec, NetworkSpec{}, field.NewPath("spec").Child("networkSpec"))
-		g.Expect(errs).To(HaveLen(1))
+		g.Expect(errs).To(HaveLen(2))
 		g.Expect(errs[0].Type).To(Equal(field.ErrorTypeRequired))
 		g.Expect(errs[0].Field).To(Equal("spec.networkSpec.subnets"))
 		g.Expect(errs[0].Error()).To(ContainSubstring("required role node not included"))
+		g.Expect(errs[1].Type).To(Equal(field.ErrorTypeInvalid))
+		g.Expect(errs[1].Field).To(Equal("spec.networkSpec.subnets"))
+		g.Expect(errs[1].Error()).To(ContainSubstring("NodeSubnet invalid"))
 	})
 }
 
@@ -956,13 +959,15 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 		lb          *LoadBalancerSpec
 		old         *LoadBalancerSpec
 		apiServerLB LoadBalancerSpec
+		nodeSubnet  SubnetSpec
 		wantErr     bool
 		expectedErr field.Error
 	}{
 		{
 			name:        "no lb for public clusters",
 			lb:          nil,
 			apiServerLB: LoadBalancerSpec{Type: Public},
+			nodeSubnet:  createValidNodeSubnet(),
 			wantErr:     true,
 			expectedErr: field.Error{
 				Type:     "FieldValueRequired",
@@ -985,7 +990,8 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 			old: &LoadBalancerSpec{
 				ID: "old-id",
 			},
-			wantErr: true,
+			nodeSubnet: createValidNodeSubnet(),
+			wantErr:    true,
 			expectedErr: field.Error{
 				Type:     "FieldValueForbidden",
 				Field:    "nodeOutboundLB.id",
@@ -1001,7 +1007,8 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 			old: &LoadBalancerSpec{
 				Name: "old-name",
 			},
-			wantErr: true,
+			nodeSubnet: createValidNodeSubnet(),
+			wantErr:    true,
 			expectedErr: field.Error{
 				Type:     "FieldValueForbidden",
 				Field:    "nodeOutboundLB.name",
@@ -1017,7 +1024,8 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 			old: &LoadBalancerSpec{
 				SKU: "old-sku",
 			},
-			wantErr: true,
+			nodeSubnet: createValidNodeSubnet(),
+			wantErr:    true,
 			expectedErr: field.Error{
 				Type:     "FieldValueForbidden",
 				Field:    "nodeOutboundLB.sku",
@@ -1037,7 +1045,8 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 					Name: "old-frontend-ip",
 				}},
 			},
-			wantErr: true,
+			nodeSubnet: createValidNodeSubnet(),
+			wantErr:    true,
 			expectedErr: field.Error{
 				Type:  "FieldValueForbidden",
 				Field: "nodeOutboundLB.frontendIPs[0]",
@@ -1062,28 +1071,37 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 					Name: "old-frontend-ip",
 				}},
 			},
-			wantErr: false,
+			nodeSubnet: createValidNodeSubnet(),
+			wantErr:    false,
 		},
 		{
 			name: "frontend ips count exceeds max value",
 			lb: &LoadBalancerSpec{
 				FrontendIPsCount: pointer.Int32Ptr(100),
 			},
-			wantErr: true,
+			nodeSubnet: createValidNodeSubnet(),
+			wantErr:    true,
 			expectedErr: field.Error{
 				Type:     "FieldValueInvalid",
 				Field:    "nodeOutboundLB.frontendIPsCount",
 				BadValue: 100,
 				Detail:   "Max front end ips allowed is 16",
 			},
 		},
+		{
+			name:        "no lb when using nat gateway",
+			lb:          nil,
+			apiServerLB: LoadBalancerSpec{Type: Public},
+			nodeSubnet:  createValidNodeSubnetWithNatGateway(),
+			wantErr:     false,
+		},
 	}
 
 	for _, test := range testcases {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
 			t.Parallel()
-			err := validateNodeOutboundLB(test.lb, test.old, test.apiServerLB, field.NewPath("nodeOutboundLB"))
+			err := validateNodeOutboundLB(test.lb, test.old, test.apiServerLB, test.nodeSubnet, field.NewPath("nodeOutboundLB"))
 			if test.wantErr {
 				g.Expect(err).NotTo(HaveLen(0))
 				found := false
@@ -1234,6 +1252,21 @@ func createValidSubnets() Subnets {
 	}
 }
 
+func createValidNodeSubnetWithNatGateway() SubnetSpec {
+	return SubnetSpec{
+		Role:       "node",
+		Name:       "node-subnet",
+		NatGateway: NatGateway{Name: "node-natgateway"},
+	}
+}
+
+func createValidNodeSubnet() SubnetSpec {
+	return SubnetSpec{
+		Role: "node",
+		Name: "node-subnet",
+	}
+}
+
 func createValidVnet() VnetSpec {
 	return VnetSpec{
 		ResourceGroup: "custom-vnet",

api/v1alpha4/azurecluster_validation_test.go

@@ -112,6 +112,14 @@ type RouteTable struct {
 	Name string `json:"name,omitempty"`
 }
 
+// NatGateway defines an Azure Nat Gateway.
+// NAT gateway resources are part of Vnet NAT and provide outbound Internet connectivity for subnets of a virtual network.
+type NatGateway struct {
+	ID           string       `json:"id,omitempty"`
+	Name         string       `json:"name,omitempty"`
+	NatGatewayIP PublicIPSpec `json:"ip,omitempty"`
+}
+
 // SecurityGroupProtocol defines the protocol type for a security group rule.
 type SecurityGroupProtocol string
 
@@ -477,6 +485,10 @@ type SubnetSpec struct {
 	// RouteTable defines the route table that should be attached to this subnet.
 	// +optional
 	RouteTable RouteTable `json:"routeTable,omitempty"`
+
+	// NatGateway associated with this subnet.
+	// +optional
+	NatGateway NatGateway `json:"natGateway,omitempty"`
 }
 
 // GetControlPlaneSubnet returns the cluster control plane subnet.

api/v1alpha4/types.go

@@ -97,6 +97,11 @@ func GenerateFrontendIPConfigName(lbName string) string {
 	return fmt.Sprintf("%s-%s", lbName, "frontEnd")
 }
 
+// GenerateNatGatewayIPName generates a nat gateway IP name.
+func GenerateNatGatewayIPName(clusterName, subnetName string) string {
+	return fmt.Sprintf("pip-%s-%s-natgw", clusterName, subnetName)
+}
+
 // GenerateNodeOutboundIPName generates a public IP name, based on the cluster name.
 func GenerateNodeOutboundIPName(clusterName string) string {
 	return fmt.Sprintf("pip-%s-node-outbound", clusterName)
@@ -195,6 +200,11 @@ func SecurityGroupID(subscriptionID, resourceGroup, nsgName string) string {
 	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkSecurityGroups/%s", subscriptionID, resourceGroup, nsgName)
 }
 
+// NatGatewayID returns the azure resource ID for a given nat gateway.
+func NatGatewayID(subscriptionID, resourceGroup, natgatewayName string) string {
+	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/natGateways/%s", subscriptionID, resourceGroup, natgatewayName)
+}
+
 // NetworkInterfaceID returns the azure resource ID for a given network interface.
 func NetworkInterfaceID(subscriptionID, resourceGroup, nicName string) string {
 	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkInterfaces/%s", subscriptionID, resourceGroup, nicName)

api/v1alpha4/zz_generated.deepcopy.go

@@ -68,6 +68,7 @@ type NetworkDescriber interface {
 	IsIPv6Enabled() bool
 	NodeRouteTable() infrav1.RouteTable
 	ControlPlaneRouteTable() infrav1.RouteTable
+	NodeNatGateway() infrav1.NatGateway
 	APIServerLBName() string
 	APIServerLBPoolName(string) string
 	IsAPIServerPrivate() bool