Merge branch 'openshift:main' into nutanixInfraChange

Author: abhay-nutanix

.ci-operator.yaml

@@ -1,4 +1,4 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: rhel-9-release-golang-1.24-openshift-4.20
+  tag: rhel-9-release-golang-1.24-openshift-4.21

Dockerfile.rhel

@@ -1,9 +1,9 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
 WORKDIR /go/src/github.com/openshift/cluster-capi-operator
 COPY . .
 RUN make build
 
-FROM registry.ci.openshift.org/ocp/4.20:base-rhel9
+FROM registry.ci.openshift.org/ocp/4.21:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/cluster-capi-operator/bin/cluster-capi-operator .
 COPY --from=builder /go/src/github.com/openshift/cluster-capi-operator/bin/machine-api-migration .
 COPY --from=builder /go/src/github.com/openshift/cluster-capi-operator/manifests /manifests

cmd/cluster-capi-operator/main.go

@@ -419,6 +419,11 @@ func getDefaultCacheOptions(capiNamespace string, sync time.Duration) cache.Opti
 					defaultMachineAPINamespace: {},
 				},
 			},
+			&mapiv1beta1.Machine{}: {
+				Namespaces: map[string]cache.Config{
+					defaultMachineAPINamespace: {},
+				},
+			},
 		},
 	}
 }

manifests-gen/customizations.go

@@ -62,20 +62,13 @@ func processObjects(objs []unstructured.Unstructured, providerName string) map[r
 			setNoUpgradeAnnotations(obj)
 			providerConfigMapObjs = append(providerConfigMapObjs, obj)
 		case "MutatingWebhookConfiguration":
-			// Explicitly remove defaulting webhooks for the cluster-api provider.
-			// We don't need CAPI to set any default to the cluster object because
-			// we have a custom controller for reconciling it.
-			// For more information: https://issues.redhat.com/browse/OCPCLOUD-1506
-			removeClusterDefaultingWebhooks(&obj)
 			replaceCertManagerAnnotations(&obj)
 			providerConfigMapObjs = append(providerConfigMapObjs, obj)
 		case "ValidatingWebhookConfiguration":
-			removeClusterValidatingWebhooks(&obj)
 			replaceCertManagerAnnotations(&obj)
 			providerConfigMapObjs = append(providerConfigMapObjs, obj)
 		case "CustomResourceDefinition":
 			replaceCertManagerAnnotations(&obj)
-			removeConversionWebhook(&obj)
 			setOpenShiftAnnotations(obj, true)
 			// Apply NoUpgrade annotations unless IPAM CRDs,
 			// as those are in General Availability.
@@ -276,17 +269,6 @@ func replaceCertMangerServiceSecret(obj *unstructured.Unstructured, serviceSecre
 	}
 }
 
-func removeConversionWebhook(obj *unstructured.Unstructured) {
-	crd := &apiextensionsv1.CustomResourceDefinition{}
-	if err := scheme.Convert(obj, crd, nil); err != nil {
-		panic(err)
-	}
-	crd.Spec.Conversion = nil
-	if err := scheme.Convert(crd, obj, nil); err != nil {
-		panic(err)
-	}
-}
-
 // isCRDGroup checks whether the object provided is a CRD for the specified API group.
 func isCRDGroup(obj *unstructured.Unstructured, group string) bool {
 	switch obj.GetKind() {

manifests-gen/providercustomizations.go

@@ -1,9 +1,6 @@
 package main
 
 import (
-	"regexp"
-
-	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -105,63 +102,3 @@ func powerVSCustomizations(obj *unstructured.Unstructured) {
 		}
 	}
 }
-
-func removeClusterDefaultingWebhooks(obj *unstructured.Unstructured) {
-	var providerWebhooks = regexp.MustCompile(`^default\.[a-z]+cluster[a-z]*\.infrastructure\.cluster\.x-k8s\.io$`)
-
-	mutatingWebhookConfiguration := &admissionregistrationv1.MutatingWebhookConfiguration{}
-	if err := scheme.Convert(obj, mutatingWebhookConfiguration, nil); err != nil {
-		panic(err)
-	}
-
-	webhooks := []admissionregistrationv1.MutatingWebhook{}
-	for _, webhook := range mutatingWebhookConfiguration.Webhooks {
-		// We don't need these specific webhooks.
-		if webhook.Name == "default.cluster.cluster.x-k8s.io" || webhook.Name == "default.clusterclass.cluster.x-k8s.io" || webhook.Name == "default.clusterresourceset.addons.cluster.x-k8s.io" {
-			continue
-		}
-
-		// We also don't need provider webhooks for clusters.
-		if providerWebhooks.MatchString(webhook.Name) {
-			continue
-		}
-
-		webhooks = append(webhooks, webhook)
-	}
-
-	mutatingWebhookConfiguration.Webhooks = webhooks
-
-	if err := scheme.Convert(mutatingWebhookConfiguration, obj, nil); err != nil {
-		panic(err)
-	}
-}
-
-func removeClusterValidatingWebhooks(obj *unstructured.Unstructured) {
-	var providerWebhooks = regexp.MustCompile(`^validation\.[a-z]+cluster[a-z]*\.infrastructure\.cluster\.x-k8s\.io$`)
-
-	validatingWebhookConfiguration := &admissionregistrationv1.ValidatingWebhookConfiguration{}
-	if err := scheme.Convert(obj, validatingWebhookConfiguration, nil); err != nil {
-		panic(err)
-	}
-
-	webhooks := []admissionregistrationv1.ValidatingWebhook{}
-	for _, webhook := range validatingWebhookConfiguration.Webhooks {
-		// We don't need these specific webhooks.
-		if webhook.Name == "validation.cluster.cluster.x-k8s.io" || webhook.Name == "validation.clusterclass.cluster.x-k8s.io" || webhook.Name == "default.clusterresourceset.addons.cluster.x-k8s.io" {
-			continue
-		}
-
-		// We also don't need provider webhooks for clusters.
-		if providerWebhooks.MatchString(webhook.Name) {
-			continue
-		}
-
-		webhooks = append(webhooks, webhook)
-	}
-
-	validatingWebhookConfiguration.Webhooks = webhooks
-
-	if err := scheme.Convert(validatingWebhookConfiguration, obj, nil); err != nil {
-		panic(err)
-	}
-}

manifests/0000_30_cluster-api_09_admission-policies.yaml

@@ -236,6 +236,40 @@ data:
       policyName: openshift-only-create-mapi-machine-if-authoritative-api-capi
       validationActions:
           - Deny
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: openshift-prevent-migration-when-machine-updating
+    spec:
+      failurePolicy: Fail
+
+      matchConstraints:
+        resourceRules:
+          - apiGroups: ["machine.openshift.io"]
+            apiVersions: ["*"]
+            operations: ["UPDATE"]
+            resources: ["machines"]
+      
+      # All validations must evaluate to true
+      validations:
+      - expression: '!(has(object.status) && has(object.status.phase) && object.status.phase == "Provisioning" && (oldObject.spec.authoritativeAPI != object.spec.authoritativeAPI))'
+        message: 'Cannot update .spec.authoritativeAPI when machine is in Provisioning phase'
+      - expression: '!(has(object.metadata.deletionTimestamp) && (oldObject.spec.authoritativeAPI != object.spec.authoritativeAPI))'
+        message: 'Cannot update .spec.authoritativeAPI when machine has a non-zero deletion timestamp'
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: openshift-prevent-migration-when-machine-updating
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-machine-api
+      policyName: openshift-prevent-migration-when-machine-updating
+      validationActions:
+          - Deny
 ---
 apiVersion: v1
 kind: ConfigMap

pkg/controllers/infracluster/aws.go

@@ -17,34 +17,50 @@ package infracluster
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/url"
 	"strconv"
+	"strings"
 
 	"github.com/go-logr/logr"
 	cerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
 	awsv1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	mapiv1beta1 "github.com/openshift/api/machine/v1beta1"
+)
+
+var (
+	// ErrNoControlPlaneLoadBalancerConfigured indicates there is no control plane load balancer configuration present.
+	ErrNoControlPlaneLoadBalancerConfigured = errors.New("no control plane load balancer configured")
+	// ErrNilProviderSpec indicates a nil provider spec raw extension.
+	ErrNilProviderSpec = errors.New("provider spec is nil")
+	// ErrInvalidNumberOfControlPlaneLoadBalancers indicates an invalid number of control plane load balancers has been configured.
+	ErrInvalidNumberOfControlPlaneLoadBalancers = errors.New("invalid number of control plane load balancers")
+	// ErrUnsupportedLoadBalancerType indicates an unsupported load balancer type.
+	ErrUnsupportedLoadBalancerType = errors.New("unsupported load balancer type")
 )
 
 // ensureAWSCluster ensures the AWSCluster cluster object exists.
 func (r *InfraClusterController) ensureAWSCluster(ctx context.Context, log logr.Logger) (client.Object, error) {
-	target := &awsv1.AWSCluster{ObjectMeta: metav1.ObjectMeta{
+	awsCluster := &awsv1.AWSCluster{ObjectMeta: metav1.ObjectMeta{
 		Name:      r.Infra.Status.InfrastructureName,
-		Namespace: defaultCAPINamespace,
+		Namespace: r.CAPINamespace,
 	}}
 
 	// Checking whether InfraCluster object exists. If it doesn't, create it.
-
-	if err := r.Get(ctx, client.ObjectKeyFromObject(target), target); err != nil && !cerrors.IsNotFound(err) {
+	if err := r.Get(ctx, client.ObjectKeyFromObject(awsCluster), awsCluster); err != nil && !cerrors.IsNotFound(err) {
 		return nil, fmt.Errorf("failed to get InfraCluster: %w", err)
 	} else if err == nil {
-		return target, nil
+		return awsCluster, nil
 	}
 
-	log.Info(fmt.Sprintf("AWSCluster %s/%s does not exist, creating it", target.Namespace, target.Name))
+	log = log.WithValues("AWSCluster", klog.KObj(awsCluster))
+	log.Info("AWSCluster does not exist, creating it")
 
 	apiURL, err := url.Parse(r.Infra.Status.APIServerInternalURL)
 	if err != nil {
@@ -60,10 +76,35 @@ func (r *InfraClusterController) ensureAWSCluster(ctx context.Context, log logr.
 		return nil, fmt.Errorf("infrastructure PlatformStatus should not be nil: %w", err)
 	}
 
-	target = &awsv1.AWSCluster{
+	providerSpec, err := r.getAWSMAPIProviderSpec(ctx, r.Client)
+	if err != nil {
+		return nil, fmt.Errorf("unable to obtain MAPI ProviderSpec: %w", err)
+	}
+
+	awsCluster, err = r.newAWSCluster(providerSpec, apiURL, int32(port))
+	if err != nil {
+		return nil, fmt.Errorf("failed to get AWSCluster: %w", err)
+	}
+
+	if err := r.Create(ctx, awsCluster); err != nil {
+		return nil, fmt.Errorf("failed to create AWSCluster: %w", err)
+	}
+
+	log.Info("AWSCluster successfully created")
+
+	return awsCluster, nil
+}
+
+func (r *InfraClusterController) newAWSCluster(providerSpec *mapiv1beta1.AWSMachineProviderConfig, apiURL *url.URL, port int32) (*awsv1.AWSCluster, error) {
+	controlPlaneLoadBalancer, secondaryControlPlaneLoadBalancer, err := extractLoadBalancerConfigFromMAPIAWSProviderSpec(providerSpec)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract control plane load balancer configuration: %w", err)
+	}
+
+	target := &awsv1.AWSCluster{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      r.Infra.Status.InfrastructureName,
-			Namespace: defaultCAPINamespace,
+			Namespace: r.CAPINamespace,
 			// The ManagedBy Annotation is set so CAPI infra providers ignore the InfraCluster object,
 			// as that's managed externally, in this case by this controller.
 			Annotations: map[string]string{
@@ -74,7 +115,7 @@ func (r *InfraClusterController) ensureAWSCluster(ctx context.Context, log logr.
 			Region: r.Infra.Status.PlatformStatus.AWS.Region,
 			ControlPlaneEndpoint: clusterv1.APIEndpoint{
 				Host: apiURL.Hostname(),
-				Port: int32(port),
+				Port: port,
 			},
 			// This default IdentityRef will be created by the controlleridentitycreator controller.
 			// Leaving it as nil works the same as this value, but fills the log with log messages
@@ -84,14 +125,80 @@ func (r *InfraClusterController) ensureAWSCluster(ctx context.Context, log logr.
 				Kind: awsv1.ControllerIdentityKind,
 				Name: "default",
 			},
+			// Set control plane load balancer configuration extracted from MAPI machines
+			ControlPlaneLoadBalancer:          controlPlaneLoadBalancer,
+			SecondaryControlPlaneLoadBalancer: secondaryControlPlaneLoadBalancer,
 		},
 	}
 
-	if err := r.Create(ctx, target); err != nil {
-		return nil, fmt.Errorf("failed to create InfraCluster: %w", err)
+	return target, nil
+}
+
+func (r *InfraClusterController) getAWSMAPIProviderSpec(ctx context.Context, cl client.Client) (*mapiv1beta1.AWSMachineProviderConfig, error) {
+	return getMAPIProviderSpec[mapiv1beta1.AWSMachineProviderConfig](ctx, cl, r.getRawMAPIProviderSpec)
+}
+
+// extractLoadBalancerConfigFromMAPIAWSProviderSpec extracts one or two control plane load balancers from a MAPI machine's provider spec.
+// When two load balancers are present, the one whose name ends with "-int" is preferred as the return value.
+// Returns an error if zero or more than two load balancers are defined.
+func extractLoadBalancerConfigFromMAPIAWSProviderSpec(providerSpec *mapiv1beta1.AWSMachineProviderConfig) (*awsv1.AWSLoadBalancerSpec, *awsv1.AWSLoadBalancerSpec, error) {
+	if providerSpec == nil {
+		return nil, nil, ErrNilProviderSpec
 	}
 
-	log.Info(fmt.Sprintf("InfraCluster '%s/%s' successfully created", defaultCAPINamespace, r.Infra.Status.InfrastructureName))
+	switch len(providerSpec.LoadBalancers) {
+	case 0:
+		return nil, nil, ErrNoControlPlaneLoadBalancerConfigured
+	case 1:
+		lbPrimary := providerSpec.LoadBalancers[0]
+
+		lbType, err := convertMAPILoadBalancerTypeToCAPI(lbPrimary.Type)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to convert load balancer type: %w", err)
+		}
+
+		return &awsv1.AWSLoadBalancerSpec{
+			Name:             &lbPrimary.Name,
+			LoadBalancerType: lbType,
+		}, nil, nil
+	case 2:
+		lbFirst := providerSpec.LoadBalancers[0]
+		lbSecond := providerSpec.LoadBalancers[1]
+		// Prefer the load balancer with "-int" suffix as primary when two are present.
+		if strings.HasSuffix(lbSecond.Name, "-int") && !strings.HasSuffix(lbFirst.Name, "-int") {
+			lbFirst, lbSecond = lbSecond, lbFirst
+		}
+
+		lbTypeFirst, err := convertMAPILoadBalancerTypeToCAPI(lbFirst.Type)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to convert load balancer type: %w", err)
+		}
+
+		lbTypeSecond, err := convertMAPILoadBalancerTypeToCAPI(lbSecond.Type)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to convert load balancer type: %w", err)
+		}
+
+		return &awsv1.AWSLoadBalancerSpec{
+				Name:             &lbFirst.Name,
+				LoadBalancerType: lbTypeFirst,
+			}, &awsv1.AWSLoadBalancerSpec{
+				Name:             &lbSecond.Name,
+				LoadBalancerType: lbTypeSecond,
+			}, nil
+	default:
+		return nil, nil, fmt.Errorf("%w: expected 1 or 2, got %d", ErrInvalidNumberOfControlPlaneLoadBalancers, len(providerSpec.LoadBalancers))
+	}
+}
 
-	return target, nil
+// convertMAPILoadBalancerTypeToCAPI converts MAPI AWSLoadBalancerType to CAPI LoadBalancerType.
+func convertMAPILoadBalancerTypeToCAPI(mapiType mapiv1beta1.AWSLoadBalancerType) (awsv1.LoadBalancerType, error) {
+	switch mapiType {
+	case mapiv1beta1.ClassicLoadBalancerType:
+		return awsv1.LoadBalancerTypeClassic, nil
+	case mapiv1beta1.NetworkLoadBalancerType:
+		return awsv1.LoadBalancerTypeNLB, nil
+	default:
+		return "", fmt.Errorf("%w: unknown load balancer type: %s", ErrUnsupportedLoadBalancerType, mapiType)
+	}
 }