Allow clusters without floating IPs

Matt Pryor · Matt Pryor · commit 98f95b27fd4e · 2021-09-22T08:59:08.000+01:00
diff --git a/api/v1alpha4/openstackcluster_types.go b/api/v1alpha4/openstackcluster_types.go
@@ -58,14 +58,29 @@ type OpenStackClusterSpec struct {
 	ExternalNetworkID string `json:"externalNetworkId,omitempty"`
 
 	// ManagedAPIServerLoadBalancer defines whether a LoadBalancer for the
-	// APIServer should be created. If set to true the following properties are
-	// mandatory: APIServerFloatingIP, APIServerPort
+	// APIServer should be created.
 	// +optional
 	ManagedAPIServerLoadBalancer bool `json:"managedAPIServerLoadBalancer"`
 
-	// APIServerFloatingIP is the floatingIP which will be associated
-	// to the APIServer. The floatingIP will be created if it not
-	// already exists.
+	// DisableAPIServerFloatingIP determines whether or not to attempt to attach a floating
+	// IP to the API server. This allows for the creation of clusters when attaching a floating
+	// IP to the API server (and hence, in many cases, exposing the API server to the internet)
+	// is not possible or desirable, e.g. if using a shared VLAN for communication between
+	// management and workload clusters or when the management cluster is inside the
+	// project network.
+	// This option requires that the API server use a VIP on the cluster network so that the
+	// underlying machines can change without changing ControlPlaneEndpoint.Host.
+	// When using a managed load balancer, this VIP will be managed automatically.
+	// If not using a managed load balancer, cluster configuration will fail without additional
+	// configuration to manage the VIP on the control plane machines, which falls outside of
+	// the scope of this controller.
+	// +optional
+	DisableAPIServerFloatingIP bool `json:"disableAPIServerFloatingIP"`
+
+	// APIServerFloatingIP is the floatingIP which will be associated with the API server.
+	// The floatingIP will be created if it does not already exist.
+	// If not specified, a new floatingIP is allocated.
+	// This field is not used if DisableAPIServerFloatingIP is set.
 	APIServerFloatingIP string `json:"apiServerFloatingIP,omitempty"`
 
 	// APIServerPort is the port on which the listener on the APIServer
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
@@ -1080,8 +1080,9 @@ spec:
                 type: boolean
               apiServerFloatingIP:
                 description: APIServerFloatingIP is the floatingIP which will be associated
-                  to the APIServer. The floatingIP will be created if it not already
-                  exists.
+                  with the API server. The floatingIP will be created if it does not
+                  already exist. If not specified, a new floatingIP is allocated.
+                  This field is not used if DisableAPIServerFloatingIP is set.
                 type: string
               apiServerLoadBalancerAdditionalPorts:
                 description: APIServerLoadBalancerAdditionalPorts adds additional
@@ -1451,6 +1452,21 @@ spec:
                 - host
                 - port
                 type: object
+              disableAPIServerFloatingIP:
+                description: DisableAPIServerFloatingIP determines whether or not
+                  to attempt to attach a floating IP to the API server. This allows
+                  for the creation of clusters when attaching a floating IP to the
+                  API server (and hence, in many cases, exposing the API server to
+                  the internet) is not possible or desirable, e.g. if using a shared
+                  VLAN for communication between management and workload clusters
+                  or when the management cluster is inside the project network. This
+                  option requires that the API server use a VIP on the cluster network
+                  so that the underlying machines can change without changing ControlPlaneEndpoint.Host.
+                  When using a managed load balancer, this VIP will be managed automatically.
+                  If not using a managed load balancer, cluster configuration will
+                  fail without additional configuration to manage the VIP on the control
+                  plane machines, which falls outside of the scope of this controller.
+                type: boolean
               disablePortSecurity:
                 description: DisablePortSecurity disables the port security of the
                   network created for the Kubernetes cluster, which also disables
@@ -1554,9 +1570,8 @@ spec:
                 - name
                 type: object
               managedAPIServerLoadBalancer:
-                description: 'ManagedAPIServerLoadBalancer defines whether a LoadBalancer
-                  for the APIServer should be created. If set to true the following
-                  properties are mandatory: APIServerFloatingIP, APIServerPort'
+                description: ManagedAPIServerLoadBalancer defines whether a LoadBalancer
+                  for the APIServer should be created.
                 type: boolean
               managedSecurityGroups:
                 description: ManagedSecurityGroups determines whether OpenStack security
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml
@@ -59,8 +59,10 @@ spec:
                         type: boolean
                       apiServerFloatingIP:
                         description: APIServerFloatingIP is the floatingIP which will
-                          be associated to the APIServer. The floatingIP will be created
-                          if it not already exists.
+                          be associated with the API server. The floatingIP will be
+                          created if it does not already exist. If not specified,
+                          a new floatingIP is allocated. This field is not used if
+                          DisableAPIServerFloatingIP is set.
                         type: string
                       apiServerLoadBalancerAdditionalPorts:
                         description: APIServerLoadBalancerAdditionalPorts adds additional
@@ -438,6 +440,23 @@ spec:
                         - host
                         - port
                         type: object
+                      disableAPIServerFloatingIP:
+                        description: DisableAPIServerFloatingIP determines whether
+                          or not to attempt to attach a floating IP to the API server.
+                          This allows for the creation of clusters when attaching
+                          a floating IP to the API server (and hence, in many cases,
+                          exposing the API server to the internet) is not possible
+                          or desirable, e.g. if using a shared VLAN for communication
+                          between management and workload clusters or when the management
+                          cluster is inside the project network. This option requires
+                          that the API server use a VIP on the cluster network so
+                          that the underlying machines can change without changing
+                          ControlPlaneEndpoint.Host. When using a managed load balancer,
+                          this VIP will be managed automatically. If not using a managed
+                          load balancer, cluster configuration will fail without additional
+                          configuration to manage the VIP on the control plane machines,
+                          which falls outside of the scope of this controller.
+                        type: boolean
                       disablePortSecurity:
                         description: DisablePortSecurity disables the port security
                           of the network created for the Kubernetes cluster, which
@@ -545,10 +564,8 @@ spec:
                         - name
                         type: object
                       managedAPIServerLoadBalancer:
-                        description: 'ManagedAPIServerLoadBalancer defines whether
-                          a LoadBalancer for the APIServer should be created. If set
-                          to true the following properties are mandatory: APIServerFloatingIP,
-                          APIServerPort'
+                        description: ManagedAPIServerLoadBalancer defines whether
+                          a LoadBalancer for the APIServer should be created.
                         type: boolean
                       managedSecurityGroups:
                         description: ManagedSecurityGroups determines whether OpenStack
diff --git a/controllers/openstackcluster_controller.go b/controllers/openstackcluster_controller.go
@@ -438,44 +438,69 @@ func reconcileNetworkComponents(log logr.Logger, osProviderClient *gophercloud.P
 			return errors.Errorf("failed to reconcile router: %v", err)
 		}
 	}
-	if !openStackCluster.Spec.ControlPlaneEndpoint.IsValid() {
-		var port int32
-		if openStackCluster.Spec.APIServerPort == 0 {
-			port = 6443
-		} else {
-			port = int32(openStackCluster.Spec.APIServerPort)
-		}
-		fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, openStackCluster.Spec.APIServerFloatingIP)
-		if err != nil {
-			handleUpdateOSCError(openStackCluster, errors.Errorf("Floating IP cannot be got or created: %v", err))
-			return errors.Errorf("Floating IP cannot be got or created: %v", err)
-		}
-		// Set APIEndpoints so the Cluster API Cluster Controller can pull them
-		openStackCluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
-			Host: fp.FloatingIP,
-			Port: port,
-		}
-	}
 
 	err = networkingService.ReconcileSecurityGroups(openStackCluster, clusterName)
 	if err != nil {
 		handleUpdateOSCError(openStackCluster, errors.Errorf("failed to reconcile security groups: %v", err))
 		return errors.Errorf("failed to reconcile security groups: %v", err)
 	}
 
+	// Calculate the port that we will use for the API server
+	var apiServerPort int
+	if openStackCluster.Spec.ControlPlaneEndpoint.IsValid() {
+		apiServerPort = int(openStackCluster.Spec.ControlPlaneEndpoint.Port)
+	} else if openStackCluster.Spec.APIServerPort != 0 {
+		apiServerPort = openStackCluster.Spec.APIServerPort
+	} else {
+		apiServerPort = 6443
+	}
+
 	if openStackCluster.Spec.ManagedAPIServerLoadBalancer {
 		loadBalancerService, err := loadbalancer.NewService(osProviderClient, clientOpts, log)
 		if err != nil {
 			return err
 		}
 
-		err = loadBalancerService.ReconcileLoadBalancer(openStackCluster, clusterName)
+		err = loadBalancerService.ReconcileLoadBalancer(openStackCluster, clusterName, apiServerPort)
 		if err != nil {
 			handleUpdateOSCError(openStackCluster, errors.Errorf("failed to reconcile load balancer: %v", err))
 			return errors.Errorf("failed to reconcile load balancer: %v", err)
 		}
 	}
 
+	if !openStackCluster.Spec.ControlPlaneEndpoint.IsValid() {
+		var host string
+		// If there is a load balancer use the floating IP for it if set, falling back to the internal IP
+		if openStackCluster.Spec.ManagedAPIServerLoadBalancer {
+			if openStackCluster.Status.Network.APIServerLoadBalancer.IP != "" {
+				host = openStackCluster.Status.Network.APIServerLoadBalancer.IP
+			} else {
+				host = openStackCluster.Status.Network.APIServerLoadBalancer.InternalIP
+			}
+		} else if !openStackCluster.Spec.DisableAPIServerFloatingIP {
+			// If floating IPs are not disabled, get one to use as the VIP for the control plane
+			fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, openStackCluster.Spec.APIServerFloatingIP)
+			if err != nil {
+				handleUpdateOSCError(openStackCluster, errors.Errorf("Floating IP cannot be got or created: %v", err))
+				return errors.Errorf("Floating IP cannot be got or created: %v", err)
+			}
+			host = fp.FloatingIP
+		} else {
+			// This case is not managed for now (i.e. no load balancer + no floating IP)
+			// We could manage a VIP port on the cluster network and set allowedAddressPairs accordingly
+			// when creating control plane machines, but this would require us to deploy software on the
+			// control plane hosts to manage the VIP (e.g. keepalived/kube-vip)
+			// It is still possible for a user to deploy this case manually using existing options
+			return errors.New("unable to determine VIP for API server - either load balancer or floating IP must be enabled")
+		}
+
+		// Set APIEndpoints so the Cluster API Cluster Controller can pull them
+		openStackCluster.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{
+			Host: host,
+			Port: int32(apiServerPort),
+		}
+	}
+
 	return nil
 }
 
diff --git a/controllers/openstackmachine_controller.go b/controllers/openstackmachine_controller.go
@@ -360,8 +360,12 @@ func (r *OpenStackMachineReconciler) reconcileNormal(ctx context.Context, logger
 			handleUpdateMachineError(logger, openStackMachine, errors.Errorf("LoadBalancerMember cannot be reconciled: %v", err))
 			return ctrl.Result{}, nil
 		}
-	} else if util.IsControlPlaneMachine(machine) {
-		fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, openStackCluster.Spec.ControlPlaneEndpoint.Host)
+	} else if util.IsControlPlaneMachine(machine) && !openStackCluster.Spec.DisableAPIServerFloatingIP {
+		floatingIPAddress := openStackCluster.Spec.ControlPlaneEndpoint.Host
+		if openStackCluster.Spec.APIServerFloatingIP != "" {
+			floatingIPAddress = openStackCluster.Spec.APIServerFloatingIP
+		}
+		fp, err := networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, floatingIPAddress)
 		if err != nil {
 			handleUpdateMachineError(logger, openStackMachine, errors.Errorf("Floating IP cannot be got or created: %v", err))
 			return ctrl.Result{}, nil
diff --git a/pkg/cloud/services/loadbalancer/loadbalancer.go b/pkg/cloud/services/loadbalancer/loadbalancer.go
@@ -40,7 +40,7 @@ const (
 	kubeapiLBSuffix string = "kubeapi"
 )
 
-func (s *Service) ReconcileLoadBalancer(openStackCluster *infrav1.OpenStackCluster, clusterName string) error {
+func (s *Service) ReconcileLoadBalancer(openStackCluster *infrav1.OpenStackCluster, clusterName string, apiServerPort int) error {
 	loadBalancerName := getLoadBalancerName(clusterName)
 	s.logger.Info("Reconciling load balancer", "name", loadBalancerName)
 
@@ -49,19 +49,25 @@ func (s *Service) ReconcileLoadBalancer(openStackCluster *infrav1.OpenStackClust
 		return err
 	}
 
-	floatingIPAddress := openStackCluster.Spec.ControlPlaneEndpoint.Host
-	if openStackCluster.Spec.APIServerFloatingIP != "" {
-		floatingIPAddress = openStackCluster.Spec.APIServerFloatingIP
-	}
-	fp, err := s.networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, floatingIPAddress)
-	if err != nil {
-		return err
-	}
-	if err = s.networkingService.AssociateFloatingIP(openStackCluster, fp, lb.VipPortID); err != nil {
-		return err
+	var lbFloatingIP string
+	if !openStackCluster.Spec.DisableAPIServerFloatingIP {
+		var floatingIPAddress string
+		if openStackCluster.Spec.APIServerFloatingIP != "" {
+			floatingIPAddress = openStackCluster.Spec.APIServerFloatingIP
+		} else if openStackCluster.Spec.ControlPlaneEndpoint.IsValid() {
+			floatingIPAddress = openStackCluster.Spec.ControlPlaneEndpoint.Host
+		}
+		fp, err := s.networkingService.GetOrCreateFloatingIP(openStackCluster, clusterName, floatingIPAddress)
+		if err != nil {
+			return err
+		}
+		if err = s.networkingService.AssociateFloatingIP(openStackCluster, fp, lb.VipPortID); err != nil {
+			return err
+		}
+		lbFloatingIP = fp.FloatingIP
 	}
 
-	portList := []int{int(openStackCluster.Spec.ControlPlaneEndpoint.Port)}
+	portList := []int{apiServerPort}
 	portList = append(portList, openStackCluster.Spec.APIServerLoadBalancerAdditionalPorts...)
 	for _, port := range portList {
 		lbPortObjectsName := fmt.Sprintf("%s-%d", loadBalancerName, port)
@@ -84,7 +90,7 @@ func (s *Service) ReconcileLoadBalancer(openStackCluster *infrav1.OpenStackClust
 		Name:       lb.Name,
 		ID:         lb.ID,
 		InternalIP: lb.VipAddress,
-		IP:         fp.FloatingIP,
+		IP:         lbFloatingIP,
 	}
 	return nil
 }
diff --git a/pkg/cloud/services/networking/floatingip.go b/pkg/cloud/services/networking/floatingip.go
@@ -17,6 +17,7 @@ limitations under the License.
 package networking
 
 import (
+	"errors"
 	"time"
 
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/attributestags"
@@ -46,6 +47,11 @@ func (s *Service) GetOrCreateFloatingIP(openStackCluster *infrav1.OpenStackClust
 		fpCreateOpts.FloatingIP = ip
 	}
 
+	// Trying to create a new floating IP is not possible without an external network
+	if openStackCluster.Status.ExternalNetwork == nil || openStackCluster.Status.ExternalNetwork.ID == "" {
+		return nil, errors.New("cannot create floating IP without external network")
+	}
+
 	fpCreateOpts.FloatingNetworkID = openStackCluster.Status.ExternalNetwork.ID
 	fpCreateOpts.Description = names.GetDescription(clusterName)
 
diff --git a/pkg/cloud/services/networking/network.go b/pkg/cloud/services/networking/network.go
@@ -72,7 +72,10 @@ func (s *Service) ReconcileExternalNetwork(openStackCluster *infrav1.OpenStackCl
 
 	switch len(networkList) {
 	case 0:
-		return fmt.Errorf("external network not found")
+		// Not finding an external network is fine
+		openStackCluster.Status.ExternalNetwork = &infrav1.Network{}
+		s.logger.Info("No external network found - proceeding with internal network only")
+		return nil
 	case 1:
 		openStackCluster.Status.ExternalNetwork = &infrav1.Network{
 			ID:   networkList[0].ID,
