Merge pull request #7672 from vincepri/capi-manifests

CORS-2852: Introduce Cluster API Infrastructure manifest generation

Author: openshift-merge-bot[bot]

go.mod

@@ -59,7 +59,7 @@ require (
 	github.com/microsoftgraph/msgraph-sdk-go v0.47.0
 	github.com/nutanix-cloud-native/prism-go-client v0.2.1-0.20220804130801-c8a253627c64
 	github.com/onsi/gomega v1.28.1
-	github.com/openshift/api v0.0.0-20231020115248-f404f2bc3524
+	github.com/openshift/api v0.0.0-20231120145327-841b3aa7251d
 	github.com/openshift/assisted-image-service v0.0.0-20230829160050-0b98ec74397b
 	github.com/openshift/assisted-service/api v0.0.0
 	github.com/openshift/assisted-service/client v0.0.0

go.sum

@@ -954,8 +954,8 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA
 github.com/openshift/api v0.0.0-20200326160804-ecb9283fe820/go.mod h1:RKMJ5CBnljLfnej+BJ/xnOWc3kZDvJUaIAEq2oKSPtE=
 github.com/openshift/api v0.0.0-20200827090112-c05698d102cf/go.mod h1:M3xexPhgM8DISzzRpuFUy+jfPjQPIcs9yqEYj17mXV8=
 github.com/openshift/api v0.0.0-20200829102639-8a3a835f1acf/go.mod h1:M3xexPhgM8DISzzRpuFUy+jfPjQPIcs9yqEYj17mXV8=
-github.com/openshift/api v0.0.0-20231020115248-f404f2bc3524 h1:+hOy0dbg/WIQ2TpBh+aWmoKTHYB82nSM8CfIZtjBmr8=
-github.com/openshift/api v0.0.0-20231020115248-f404f2bc3524/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
+github.com/openshift/api v0.0.0-20231120145327-841b3aa7251d h1:8vowDTdM3QSfReuzk7L+66yguCySV8ayKkQX7uEpef4=
+github.com/openshift/api v0.0.0-20231120145327-841b3aa7251d/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
 github.com/openshift/assisted-image-service v0.0.0-20230829160050-0b98ec74397b h1:wLVEgmzQjs3t4Z96gZzSLF/ws6ULliAks7z1lozNJrE=
 github.com/openshift/assisted-image-service v0.0.0-20230829160050-0b98ec74397b/go.mod h1:KTt/pnfs9gt0McDPrb0zVTkwd0xIFNik/ZJROIBzsbc=
 github.com/openshift/assisted-service/api v0.0.0-20230831114549-1922eda29cf8 h1:+fZLKbycDo4JeLwPGVSAgf2XPaJGLM341l9ZfrrlxG0=

pkg/asset/asset.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
@@ -42,6 +43,16 @@ type WritableAsset interface {
 	Load(FileFetcher) (found bool, err error)
 }
 
+// WritableRuntimeAsset is a WriteableAsset that has files that can be written to disk,
+// in addition to a manifest file that contains the runtime object.
+type WritableRuntimeAsset interface {
+	WritableAsset
+
+	// RuntimeFiles returns the manifest files along with their
+	// instantiated runtime object.
+	RuntimeFiles() []*RuntimeFile
+}
+
 // File is a file for an Asset.
 type File struct {
 	// Filename is the name of the file.
@@ -50,6 +61,13 @@ type File struct {
 	Data []byte
 }
 
+// RuntimeFile is a file that contains a manifest file and a runtime object.
+type RuntimeFile struct {
+	File
+
+	Object client.Object `json:"-"`
+}
+
 // PersistToFile writes all of the files of the specified asset into the specified
 // directory.
 func PersistToFile(asset WritableAsset, directory string) error {
@@ -107,3 +125,8 @@ func isDirEmpty(name string) (bool, error) {
 func SortFiles(files []*File) {
 	sort.Slice(files, func(i, j int) bool { return files[i].Filename < files[j].Filename })
 }
+
+// SortManifestFiles sorts the specified files by file name.
+func SortManifestFiles(files []*RuntimeFile) {
+	sort.Slice(files, func(i, j int) bool { return files[i].Filename < files[j].Filename })
+}

pkg/asset/manifests/aws/cluster.go

@@ -0,0 +1,234 @@
+package aws
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+	capa "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/installconfig"
+	"github.com/openshift/installer/pkg/asset/manifests/capiutils"
+)
+
+// GenerateClusterAssets generates the manifests for the cluster-api.
+func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID *installconfig.ClusterID) (*capiutils.GenerateClusterAssetsOutput, error) {
+	manifests := []*asset.RuntimeFile{}
+	mainCIDR := capiutils.CIDRFromInstallConfig(installConfig)
+
+	zones, err := installConfig.AWS.AvailabilityZones(context.TODO())
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get availability zones")
+	}
+
+	awsCluster := &capa.AWSCluster{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      clusterID.InfraID,
+			Namespace: capiutils.Namespace,
+		},
+		Spec: capa.AWSClusterSpec{
+			Region: installConfig.Config.AWS.Region,
+			NetworkSpec: capa.NetworkSpec{
+				VPC: capa.VPCSpec{
+					CidrBlock:                  mainCIDR.String(),
+					AvailabilityZoneUsageLimit: ptr.To(len(zones)),
+					AvailabilityZoneSelection:  &capa.AZSelectionSchemeOrdered,
+				},
+				CNI: &capa.CNISpec{
+					CNIIngressRules: capa.CNIIngressRules{
+						{
+							Description: "ICMP",
+							Protocol:    capa.SecurityGroupProtocolICMP,
+							FromPort:    -1,
+							ToPort:      -1,
+						},
+						{
+							Description: "Port 22 (TCP)",
+							Protocol:    capa.SecurityGroupProtocolTCP,
+							FromPort:    22,
+							ToPort:      22,
+						},
+						{
+							Description: "Port 4789 (UDP) for VXLAN",
+							Protocol:    capa.SecurityGroupProtocolUDP,
+							FromPort:    4789,
+							ToPort:      4789,
+						},
+						{
+							Description: "Port 6081 (UDP) for geneve",
+							Protocol:    capa.SecurityGroupProtocolUDP,
+							FromPort:    6081,
+							ToPort:      6081,
+						},
+						{
+							Description: "Port 500 (UDP) for IKE",
+							Protocol:    capa.SecurityGroupProtocolUDP,
+							FromPort:    500,
+							ToPort:      500,
+						},
+						{
+							Description: "Port 4500 (UDP) for IKE NAT",
+							Protocol:    capa.SecurityGroupProtocolUDP,
+							FromPort:    4500,
+							ToPort:      4500,
+						},
+						{
+							Description: "ESP",
+							Protocol:    capa.SecurityGroupProtocolESP,
+							FromPort:    -1,
+							ToPort:      -1,
+						},
+						{
+							Description: "Port 6441-6442 (TCP) for ovndb",
+							Protocol:    capa.SecurityGroupProtocolTCP,
+							FromPort:    6441,
+							ToPort:      6442,
+						},
+						{
+							Description: "Port 9000-9999 for node ports (TCP)",
+							Protocol:    capa.SecurityGroupProtocolTCP,
+							FromPort:    9000,
+							ToPort:      9999,
+						},
+						{
+							Description: "Port 9000-9999 for node ports (UDP)",
+							Protocol:    capa.SecurityGroupProtocolUDP,
+							FromPort:    9000,
+							ToPort:      9999,
+						},
+						{
+							Description: "Service node ports (TCP)",
+							Protocol:    capa.SecurityGroupProtocolTCP,
+							FromPort:    30000,
+							ToPort:      32767,
+						},
+						{
+							Description: "Service node ports (UDP)",
+							Protocol:    capa.SecurityGroupProtocolUDP,
+							FromPort:    30000,
+							ToPort:      32767,
+						},
+					},
+				},
+				AdditionalControlPlaneIngressRules: []capa.IngressRule{
+					{
+						Description:              "MCS traffic from cluster network",
+						Protocol:                 capa.SecurityGroupProtocolTCP,
+						FromPort:                 22623,
+						ToPort:                   22623,
+						SourceSecurityGroupRoles: []capa.SecurityGroupRole{"node", "controlplane"},
+					},
+					{
+						Description:              "controller-manager",
+						Protocol:                 capa.SecurityGroupProtocolTCP,
+						FromPort:                 10257,
+						ToPort:                   10257,
+						SourceSecurityGroupRoles: []capa.SecurityGroupRole{"controlplane", "node"},
+					},
+					{
+						Description:              "kube-scheduler",
+						Protocol:                 capa.SecurityGroupProtocolTCP,
+						FromPort:                 10259,
+						ToPort:                   10259,
+						SourceSecurityGroupRoles: []capa.SecurityGroupRole{"controlplane", "node"},
+					},
+					{
+						Description: "SSH everyone",
+						Protocol:    capa.SecurityGroupProtocolTCP,
+						FromPort:    22,
+						ToPort:      22,
+						CidrBlocks:  []string{"0.0.0.0/0"},
+					},
+				},
+			},
+			S3Bucket: &capa.S3Bucket{
+				Name:                 fmt.Sprintf("openshift-bootstrap-data-%s", clusterID.InfraID),
+				PresignedURLDuration: &metav1.Duration{Duration: 1 * time.Hour},
+			},
+			ControlPlaneLoadBalancer: &capa.AWSLoadBalancerSpec{
+				Name:             ptr.To(clusterID.InfraID + "-ext"),
+				LoadBalancerType: capa.LoadBalancerTypeNLB,
+				Scheme:           &capa.ELBSchemeInternetFacing,
+				AdditionalListeners: []capa.AdditionalListenerSpec{
+					{
+						Port:     22623,
+						Protocol: capa.ELBProtocolTCP,
+					},
+				},
+			},
+		},
+	}
+
+	// If the install config has subnets, use them.
+	if len(installConfig.AWS.Subnets) > 0 {
+		privateSubnets, err := installConfig.AWS.PrivateSubnets(context.TODO())
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get private subnets")
+		}
+		for _, subnet := range privateSubnets {
+			awsCluster.Spec.NetworkSpec.Subnets = append(awsCluster.Spec.NetworkSpec.Subnets, capa.SubnetSpec{
+				ID:               subnet.ID,
+				CidrBlock:        subnet.CIDR,
+				AvailabilityZone: subnet.Zone.Name,
+				IsPublic:         subnet.Public,
+			})
+		}
+		publicSubnets, err := installConfig.AWS.PublicSubnets(context.TODO())
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get public subnets")
+		}
+
+		for _, subnet := range publicSubnets {
+			awsCluster.Spec.NetworkSpec.Subnets = append(awsCluster.Spec.NetworkSpec.Subnets, capa.SubnetSpec{
+				ID:               subnet.ID,
+				CidrBlock:        subnet.CIDR,
+				AvailabilityZone: subnet.Zone.Name,
+				IsPublic:         subnet.Public,
+			})
+		}
+
+		vpc, err := installConfig.AWS.VPC(context.TODO())
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get VPC")
+		}
+		awsCluster.Spec.NetworkSpec.VPC = capa.VPCSpec{
+			ID: vpc,
+		}
+	}
+
+	manifests = append(manifests, &asset.RuntimeFile{
+		Object: awsCluster,
+		File:   asset.File{Filename: "02_infra-cluster.yaml"},
+	})
+
+	id := &capa.AWSClusterControllerIdentity{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: capiutils.Namespace,
+		},
+		Spec: capa.AWSClusterControllerIdentitySpec{
+			AWSClusterIdentitySpec: capa.AWSClusterIdentitySpec{
+				AllowedNamespaces: &capa.AllowedNamespaces{}, // Allow all namespaces.
+			},
+		},
+	}
+	manifests = append(manifests, &asset.RuntimeFile{
+		Object: id,
+		File:   asset.File{Filename: "01_aws-cluster-controller-identity-default.yaml"},
+	})
+
+	return &capiutils.GenerateClusterAssetsOutput{
+		Manifests: manifests,
+		InfrastructureRef: &corev1.ObjectReference{
+			APIVersion: "infrastructure.cluster.x-k8s.io/v1beta2",
+			Kind:       "AWSCluster",
+			Name:       awsCluster.Name,
+			Namespace:  awsCluster.Namespace,
+		},
+	}, nil
+}