Merge pull request #973 from stackhpc/disable-api-server-fip

✨ Allow clusters without a floating IP for the API server

Author: k8s-ci-robot

api/v1alpha4/openstackcluster_types.go

@@ -58,16 +58,41 @@ type OpenStackClusterSpec struct {
 	ExternalNetworkID string `json:"externalNetworkId,omitempty"`
 
 	// ManagedAPIServerLoadBalancer defines whether a LoadBalancer for the
-	// APIServer should be created. If set to true the following properties are
-	// mandatory: APIServerFloatingIP, APIServerPort
+	// APIServer should be created.
 	// +optional
 	ManagedAPIServerLoadBalancer bool `json:"managedAPIServerLoadBalancer"`
 
-	// APIServerFloatingIP is the floatingIP which will be associated
-	// to the APIServer. The floatingIP will be created if it not
-	// already exists.
+	// DisableAPIServerFloatingIP determines whether or not to attempt to attach a floating
+	// IP to the API server. This allows for the creation of clusters when attaching a floating
+	// IP to the API server (and hence, in many cases, exposing the API server to the internet)
+	// is not possible or desirable, e.g. if using a shared VLAN for communication between
+	// management and workload clusters or when the management cluster is inside the
+	// project network.
+	// This option requires that the API server use a VIP on the cluster network so that the
+	// underlying machines can change without changing ControlPlaneEndpoint.Host.
+	// When using a managed load balancer, this VIP will be managed automatically.
+	// If not using a managed load balancer, cluster configuration will fail without additional
+	// configuration to manage the VIP on the control plane machines, which falls outside of
+	// the scope of this controller.
+	// +optional
+	DisableAPIServerFloatingIP bool `json:"disableAPIServerFloatingIP"`
+
+	// APIServerFloatingIP is the floatingIP which will be associated with the API server.
+	// The floatingIP will be created if it does not already exist.
+	// If not specified, a new floatingIP is allocated.
+	// This field is not used if DisableAPIServerFloatingIP is set to true.
 	APIServerFloatingIP string `json:"apiServerFloatingIP,omitempty"`
 
+	// APIServerFixedIP is the fixed IP which will be associated with the API server.
+	// In the case where the API server has a floating IP but not a managed load balancer,
+	// this field is not used.
+	// If a managed load balancer is used and this field is not specified, a fixed IP will
+	// be dynamically allocated for the load balancer.
+	// If a managed load balancer is not used AND the API server floating IP is disabled,
+	// this field MUST be specified and should correspond to a pre-allocated port that
+	// holds the fixed IP to be used as a VIP.
+	APIServerFixedIP string `json:"apiServerFixedIP,omitempty"`
+
 	// APIServerPort is the port on which the listener on the APIServer
 	// will be created
 	APIServerPort int `json:"apiServerPort,omitempty"`

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml

@@ -1078,10 +1078,22 @@ spec:
                   groups are configured so that all ingress and egress between cluster
                   nodes is permitted, allowing CNIs other than Calico to be used.
                 type: boolean
+              apiServerFixedIP:
+                description: APIServerFixedIP is the fixed IP which will be associated
+                  with the API server. In the case where the API server has a floating
+                  IP but not a managed load balancer, this field is not used. If a
+                  managed load balancer is used and this field is not specified, a
+                  fixed IP will be dynamically allocated for the load balancer. If
+                  a managed load balancer is not used AND the API server floating
+                  IP is disabled, this field MUST be specified and should correspond
+                  to a pre-allocated port that holds the fixed IP to be used as a
+                  VIP.
+                type: string
               apiServerFloatingIP:
                 description: APIServerFloatingIP is the floatingIP which will be associated
-                  to the APIServer. The floatingIP will be created if it not already
-                  exists.
+                  with the API server. The floatingIP will be created if it does not
+                  already exist. If not specified, a new floatingIP is allocated.
+                  This field is not used if DisableAPIServerFloatingIP is set to true.
                 type: string
               apiServerLoadBalancerAdditionalPorts:
                 description: APIServerLoadBalancerAdditionalPorts adds additional
@@ -1451,6 +1463,21 @@ spec:
                 - host
                 - port
                 type: object
+              disableAPIServerFloatingIP:
+                description: DisableAPIServerFloatingIP determines whether or not
+                  to attempt to attach a floating IP to the API server. This allows
+                  for the creation of clusters when attaching a floating IP to the
+                  API server (and hence, in many cases, exposing the API server to
+                  the internet) is not possible or desirable, e.g. if using a shared
+                  VLAN for communication between management and workload clusters
+                  or when the management cluster is inside the project network. This
+                  option requires that the API server use a VIP on the cluster network
+                  so that the underlying machines can change without changing ControlPlaneEndpoint.Host.
+                  When using a managed load balancer, this VIP will be managed automatically.
+                  If not using a managed load balancer, cluster configuration will
+                  fail without additional configuration to manage the VIP on the control
+                  plane machines, which falls outside of the scope of this controller.
+                type: boolean
               disablePortSecurity:
                 description: DisablePortSecurity disables the port security of the
                   network created for the Kubernetes cluster, which also disables
@@ -1554,9 +1581,8 @@ spec:
                 - name
                 type: object
               managedAPIServerLoadBalancer:
-                description: 'ManagedAPIServerLoadBalancer defines whether a LoadBalancer
-                  for the APIServer should be created. If set to true the following
-                  properties are mandatory: APIServerFloatingIP, APIServerPort'
+                description: ManagedAPIServerLoadBalancer defines whether a LoadBalancer
+                  for the APIServer should be created.
                 type: boolean
               managedSecurityGroups:
                 description: ManagedSecurityGroups determines whether OpenStack security

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml

@@ -57,10 +57,24 @@ spec:
                           and egress between cluster nodes is permitted, allowing
                           CNIs other than Calico to be used.
                         type: boolean
+                      apiServerFixedIP:
+                        description: APIServerFixedIP is the fixed IP which will be
+                          associated with the API server. In the case where the API
+                          server has a floating IP but not a managed load balancer,
+                          this field is not used. If a managed load balancer is used
+                          and this field is not specified, a fixed IP will be dynamically
+                          allocated for the load balancer. If a managed load balancer
+                          is not used AND the API server floating IP is disabled,
+                          this field MUST be specified and should correspond to a
+                          pre-allocated port that holds the fixed IP to be used as
+                          a VIP.
+                        type: string
                       apiServerFloatingIP:
                         description: APIServerFloatingIP is the floatingIP which will
-                          be associated to the APIServer. The floatingIP will be created
-                          if it not already exists.
+                          be associated with the API server. The floatingIP will be
+                          created if it does not already exist. If not specified,
+                          a new floatingIP is allocated. This field is not used if
+                          DisableAPIServerFloatingIP is set to true.
                         type: string
                       apiServerLoadBalancerAdditionalPorts:
                         description: APIServerLoadBalancerAdditionalPorts adds additional
@@ -438,6 +452,23 @@ spec:
                         - host
                         - port
                         type: object
+                      disableAPIServerFloatingIP:
+                        description: DisableAPIServerFloatingIP determines whether
+                          or not to attempt to attach a floating IP to the API server.
+                          This allows for the creation of clusters when attaching
+                          a floating IP to the API server (and hence, in many cases,
+                          exposing the API server to the internet) is not possible
+                          or desirable, e.g. if using a shared VLAN for communication
+                          between management and workload clusters or when the management
+                          cluster is inside the project network. This option requires
+                          that the API server use a VIP on the cluster network so
+                          that the underlying machines can change without changing
+                          ControlPlaneEndpoint.Host. When using a managed load balancer,
+                          this VIP will be managed automatically. If not using a managed
+                          load balancer, cluster configuration will fail without additional
+                          configuration to manage the VIP on the control plane machines,
+                          which falls outside of the scope of this controller.
+                        type: boolean
                       disablePortSecurity:
                         description: DisablePortSecurity disables the port security
                           of the network created for the Kubernetes cluster, which
@@ -545,10 +576,8 @@ spec:
                         - name
                         type: object
                       managedAPIServerLoadBalancer:
-                        description: 'ManagedAPIServerLoadBalancer defines whether
-                          a LoadBalancer for the APIServer should be created. If set
-                          to true the following properties are mandatory: APIServerFloatingIP,
-                          APIServerPort'
+                        description: ManagedAPIServerLoadBalancer defines whether
+                          a LoadBalancer for the APIServer should be created.
                         type: boolean
                       managedSecurityGroups:
                         description: ManagedSecurityGroups determines whether OpenStack

controllers/openstackcluster_controller.go

@@ -438,44 +438,75 @@ func reconcileNetworkComponents(log logr.Logger, osProviderClient *gophercloud.P
 			return errors.Errorf("failed to reconcile router: %v", err)
 		}
 	}
-	if !openStackCluster.Spec.ControlPlaneEndpoint.IsValid() {
-		var port int32
-		if openStackCluster.Spec.APIServerPort == 0 {
-			port = 6443
-		} else {
-			port = int32(openStackCluster.Spec.APIServerPort)
-		}
-		fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, openStackCluster.Spec.APIServerFloatingIP)
-		if err != nil {
-			handleUpdateOSCError(openStackCluster, errors.Errorf("Floating IP cannot be got or created: %v", err))
-			return errors.Errorf("Floating IP cannot be got or created: %v", err)
-		}
-		// Set APIEndpoints so the Cluster API Cluster Controller can pull them
-		openStackCluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
-			Host: fp.FloatingIP,
-			Port: port,
-		}
-	}
 
 	err = networkingService.ReconcileSecurityGroups(openStackCluster, clusterName)
 	if err != nil {
 		handleUpdateOSCError(openStackCluster, errors.Errorf("failed to reconcile security groups: %v", err))
 		return errors.Errorf("failed to reconcile security groups: %v", err)
 	}
 
+	// Calculate the port that we will use for the API server
+	var apiServerPort int
+	switch {
+	case openStackCluster.Spec.ControlPlaneEndpoint.IsValid():
+		apiServerPort = int(openStackCluster.Spec.ControlPlaneEndpoint.Port)
+	case openStackCluster.Spec.APIServerPort != 0:
+		apiServerPort = openStackCluster.Spec.APIServerPort
+	default:
+		apiServerPort = 6443
+	}
+
 	if openStackCluster.Spec.ManagedAPIServerLoadBalancer {
 		loadBalancerService, err := loadbalancer.NewService(osProviderClient, clientOpts, log)
 		if err != nil {
 			return err
 		}
 
-		err = loadBalancerService.ReconcileLoadBalancer(openStackCluster, clusterName)
+		err = loadBalancerService.ReconcileLoadBalancer(openStackCluster, clusterName, apiServerPort)
 		if err != nil {
 			handleUpdateOSCError(openStackCluster, errors.Errorf("failed to reconcile load balancer: %v", err))
 			return errors.Errorf("failed to reconcile load balancer: %v", err)
 		}
 	}
 
+	if !openStackCluster.Spec.ControlPlaneEndpoint.IsValid() {
+		var host string
+		// If there is a load balancer use the floating IP for it if set, falling back to the internal IP
+		switch {
+		case openStackCluster.Spec.ManagedAPIServerLoadBalancer:
+			if openStackCluster.Status.Network.APIServerLoadBalancer.IP != "" {
+				host = openStackCluster.Status.Network.APIServerLoadBalancer.IP
+			} else {
+				host = openStackCluster.Status.Network.APIServerLoadBalancer.InternalIP
+			}
+		case !openStackCluster.Spec.DisableAPIServerFloatingIP:
+			// If floating IPs are not disabled, get one to use as the VIP for the control plane
+			fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, openStackCluster.Spec.APIServerFloatingIP)
+			if err != nil {
+				handleUpdateOSCError(openStackCluster, errors.Errorf("Floating IP cannot be got or created: %v", err))
+				return errors.Errorf("Floating IP cannot be got or created: %v", err)
+			}
+			host = fp.FloatingIP
+		case openStackCluster.Spec.APIServerFixedIP != "":
+			// If a fixed IP was specified, assume that the user is providing the extra configuration
+			// to use that IP as the VIP for the API server, e.g. using keepalived or kube-vip
+			host = openStackCluster.Spec.APIServerFixedIP
+		default:
+			// For now, we do not provide a managed VIP without either a load balancer or a floating IP
+			// In the future, we could manage a VIP port on the cluster network and set allowedAddressPairs
+			// accordingly when creating control plane machines
+			// However this would require us to deploy software on the control plane hosts to manage the
+			// VIP (e.g. keepalived/kube-vip)
+			return errors.New("unable to determine VIP for API server")
+		}
+
+		// Set APIEndpoints so the Cluster API Cluster Controller can pull them
+		openStackCluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
+			Host: host,
+			Port: int32(apiServerPort),
+		}
+	}
+
 	return nil
 }
 

controllers/openstackmachine_controller.go

@@ -360,8 +360,12 @@ func (r *OpenStackMachineReconciler) reconcileNormal(ctx context.Context, logger
 			handleUpdateMachineError(logger, openStackMachine, errors.Errorf("LoadBalancerMember cannot be reconciled: %v", err))
 			return ctrl.Result{}, nil
 		}
-	} else if util.IsControlPlaneMachine(machine) {
-		fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, openStackCluster.Spec.ControlPlaneEndpoint.Host)
+	} else if util.IsControlPlaneMachine(machine) && !openStackCluster.Spec.DisableAPIServerFloatingIP {
+		floatingIPAddress := openStackCluster.Spec.ControlPlaneEndpoint.Host
+		if openStackCluster.Spec.APIServerFloatingIP != "" {
+			floatingIPAddress = openStackCluster.Spec.APIServerFloatingIP
+		}
+		fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, floatingIPAddress)
 		if err != nil {
 			handleUpdateMachineError(logger, openStackMachine, errors.Errorf("Floating IP cannot be got or created: %v", err))
 			return ctrl.Result{}, nil

docs/book/src/clusteropenstack/configuration.md

@@ -14,7 +14,8 @@
 - [Optional Configuration](#optional-configuration)
   - [Log level](#log-level)
   - [External network](#external-network)
-  - [Floating IP](#floating-ip)
+  - [API server floating IP](#api-server-floating-ip)
+    - [Disabling the API server floating IP](#disabling-the-api-server-floating-ip)
   - [Network Filters](#network-filters)
   - [Multiple Networks](#multiple-networks)
   - [Subnet Filters](#subnet-filters)
@@ -134,9 +135,11 @@ openstack network list --external
 
 Note: If your openstack cluster does not already have a public network, you should contact your cloud service provider. We will not review how to troubleshoot this here.
 
-## Floating IP
+## API server floating IP
 
-A floating IP is automatically created and associated with the load balancer or controller node, but you can specify the floating IP explicitly by `spec.apiServerFloatingIP` of `OpenStackCluster`.
+Unless explicitly disabled, a floating IP is automatically created and associated with the load balancer
+or controller node. If required, you can specify the floating IP explicitly by `spec.apiServerFloatingIP`
+of `OpenStackCluster`.
 
 You have to be able to create a floating IP in your OpenStack in advance. You can create one using,
 
@@ -146,6 +149,31 @@ openstack floating ip create <public network>
 
 Note: Only user with admin role can create a floating IP with specific IP.
 
+### Disabling the API server floating IP
+
+It is possible to provision a cluster without a floating IP for the API server by setting
+`OpenStackCluster.spec.disableAPIServerFloatingIP: true` (the default is `false`). This will
+prevent a floating IP from being allocated.
+
+> **WARNING**
+>
+> If the API server does not have a floating IP, workload clusters will only deploy successfully
+> when the management cluster and workload cluster control plane nodes are on the same network.
+> This can be a project-specific network, if the management cluster lives in the same project
+> as the workload cluster, or a network that is shared across multiple projects.
+>
+> In particular, this means that the cluster **cannot** use `OpenStackCluster.spec.nodeCidr`
+> to provision a new network for the cluster. Instead, use `OpenStackCluster.spec.network`
+> to explicitly specify the same network as the management cluster is on.
+
+When the API server floating IP is disabled, it is **not possible** to provision a cluster
+without a load balancer without additional configuration (an advanced use-case that is not
+documented here). This is because the API server must still have a
+[virtual IP](https://en.wikipedia.org/wiki/Virtual_IP_address) that is not associated with
+a particular control plane node in order to allow the nodes to change underneath, e.g.
+during an upgrade. When the API server has a floating IP, this role is fulfilled by the
+floating IP even if there is no load balancer. When the API server does not have a floating
+IP, the load balancer virtual IP on the cluster network is used.
 
 ## Network Filters