Merge pull request #9992 from barbacbd/CORS-4258

CORS-4258: Create a Private DNS Zone for PSC

Author: openshift-merge-bot[bot]

data/data/install.openshift.io_installconfigs.yaml

@@ -5847,6 +5847,14 @@ spec:
                   endpoint:
                     description: Endpoint is the private service connect endpoint.
                     properties:
+                      clusterUseOnly:
+                        description: |-
+                          ClusterUseOnly should be set to true when the installer should use
+                          the public api endpoints and all cluster operators should use the
+                          api endpoint overrides. The value should be false when the installer
+                          and cluster operators should use the api endpoint overrides; that is,
+                          the installer is being run in the same network as the cluster.
+                        type: boolean
                       name:
                         description: Name contains the name of the private service
                           connect endpoint.

pkg/asset/cluster/gcp/gcp.go

@@ -28,6 +28,6 @@ func Metadata(config *types.InstallConfig) *gcp.Metadata {
 		NetworkProjectID:     config.Platform.GCP.NetworkProjectID,
 		PrivateZoneDomain:    privateZoneDomain,
 		PrivateZoneProjectID: privateZoneProject,
-		ServiceEndpoints:     config.Platform.GCP.ServiceEndpoints,
+		Endpoint:             config.Platform.GCP.Endpoint,
 	}
 }

pkg/asset/cluster/tfvars/tfvars.go

@@ -12,6 +12,7 @@ import (
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"google.golang.org/api/option"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/yaml"
 
@@ -452,7 +453,7 @@ func (t *TerraformVariables) Generate(ctx context.Context, parents asset.Parents
 			ServiceAccount:   string(sess.Credentials.JSON),
 		}
 
-		client, err := gcpconfig.NewClient(context.Background(), installConfig.Config.GCP.ServiceEndpoints)
+		client, err := gcpconfig.NewClient(context.Background(), installConfig.Config.GCP.Endpoint)
 		if err != nil {
 			return err
 		}
@@ -527,7 +528,13 @@ func (t *TerraformVariables) Generate(ctx context.Context, parents asset.Parents
 		ctx, cancel := context.WithTimeout(ctx, 60*time.Second)
 		defer cancel()
 
-		storageClient, err := gcpconfig.GetStorageService(ctx, installConfig.Config.GCP.ServiceEndpoints)
+		opts := []option.ClientOption{}
+		endpoint := installConfig.Config.GCP.Endpoint
+		if gcp.ShouldUseEndpointForInstaller(endpoint) {
+			opts = append(opts, gcpconfig.CreateEndpointOption(endpoint.Name, gcpconfig.ServiceNameGCPStorage))
+		}
+
+		storageClient, err := gcpconfig.GetStorageService(ctx, opts...)
 		if err != nil {
 			return fmt.Errorf("failed to create storage client: %w", err)
 		}

pkg/asset/installconfig/basedomain.go

@@ -64,7 +64,7 @@ func (a *baseDomain) Generate(_ context.Context, parents asset.Parents) error {
 		a.BaseDomain = zone.Name
 		return platform.Azure.SetBaseDomain(zone.ID)
 	case gcp.Name:
-		a.BaseDomain, err = gcpconfig.GetBaseDomain(platform.GCP.ProjectID, platform.GCP.ServiceEndpoints)
+		a.BaseDomain, err = gcpconfig.GetBaseDomain(platform.GCP.ProjectID, platform.GCP.Endpoint)
 
 		// We are done if success (err == nil) or an err besides forbidden/throttling
 		if !(gcpconfig.IsForbidden(err) || gcpconfig.IsThrottled(err)) {

pkg/asset/installconfig/gcp/client.go

@@ -20,7 +20,6 @@ import (
 	serviceusage "google.golang.org/api/serviceusage/v1beta1"
 	"k8s.io/apimachinery/pkg/util/sets"
 
-	configv1 "github.com/openshift/api/config/v1"
 	gcpconsts "github.com/openshift/installer/pkg/constants/gcp"
 	gcptypes "github.com/openshift/installer/pkg/types/gcp"
 )
@@ -60,56 +59,76 @@ type API interface {
 	GetNamespacedTagValue(ctx context.Context, tagNamespacedName string) (*cloudresourcemanager.TagValue, error)
 	GetKeyRing(ctx context.Context, kmsKeyRef *gcptypes.KMSKeyReference) (*kmspb.KeyRing, error)
 	UpdateDNSPrivateZoneLabels(ctx context.Context, baseDomain, project, zoneName string, labels map[string]string) error
+	GetPrivateServiceConnectEndpoint(ctx context.Context, project string, endpoint *gcptypes.PSCEndpoint) (*compute.ForwardingRule, error)
 }
 
 // Client makes calls to the GCP API.
 type Client struct {
-	ssn       *Session
-	endpoints []configv1.GCPServiceEndpoint
+	ssn          *Session
+	endpointName string
 }
 
 // NewClient initializes a client with a session.
-func NewClient(ctx context.Context, endpoints []configv1.GCPServiceEndpoint) (*Client, error) {
+func NewClient(ctx context.Context, endpoint *gcptypes.PSCEndpoint) (*Client, error) {
 	ssn, err := GetSession(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get session")
 	}
 
-	modifiedEndpoints := FormatGCPEndpointList(endpoints, FormatGCPEndpointInput{SkipPath: false})
+	endpointName := ""
+	if gcptypes.ShouldUseEndpointForInstaller(endpoint) {
+		endpointName = endpoint.Name
+	}
 
 	client := &Client{
-		ssn:       ssn,
-		endpoints: modifiedEndpoints,
+		ssn:          ssn,
+		endpointName: endpointName,
 	}
 	return client, nil
 }
 
 func (c *Client) getComputeService(ctx context.Context) (*compute.Service, error) {
-	svc, err := GetComputeService(ctx, c.endpoints)
+	opts := []option.ClientOption{}
+	if c.endpointName != "" {
+		opts = append(opts, CreateEndpointOption(c.endpointName, ServiceNameGCPCompute))
+	}
+	svc, err := GetComputeService(ctx, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("client failed to create compute service: %w", err)
 	}
 	return svc, nil
 }
 
 func (c *Client) getDNSService(ctx context.Context) (*dns.Service, error) {
-	svc, err := GetDNSService(ctx, c.endpoints)
+	opts := []option.ClientOption{}
+	if c.endpointName != "" {
+		opts = append(opts, CreateEndpointOption(c.endpointName, ServiceNameGCPDNS))
+	}
+	svc, err := GetDNSService(ctx, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("client failed to create dns service: %w", err)
 	}
 	return svc, nil
 }
 
 func (c *Client) getCloudResourceService(ctx context.Context) (*cloudresourcemanager.Service, error) {
-	svc, err := GetCloudResourceService(ctx, c.endpoints)
+	opts := []option.ClientOption{}
+	if c.endpointName != "" {
+		opts = append(opts, CreateEndpointOption(c.endpointName, ServiceNameGCPCloudResource))
+	}
+	svc, err := GetCloudResourceService(ctx, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("client failed to create cloud resource service: %w", err)
 	}
 	return svc, nil
 }
 
 func (c *Client) getServiceUsageService(ctx context.Context) (*serviceusage.APIService, error) {
-	svc, err := GetServiceUsageService(ctx, c.endpoints)
+	opts := []option.ClientOption{}
+	if c.endpointName != "" {
+		opts = append(opts, CreateEndpointOption(c.endpointName, ServiceNameGCPServiceUsage))
+	}
+	svc, err := GetServiceUsageService(ctx, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("client failed to create service usage service: %w", err)
 	}
@@ -576,7 +595,11 @@ func (c *Client) GetEnabledServices(ctx context.Context, project string) ([]stri
 
 // GetServiceAccount retrieves a service account from a project if it exists.
 func (c *Client) GetServiceAccount(ctx context.Context, project, serviceAccount string) (string, error) {
-	svc, err := GetIAMService(ctx, c.endpoints)
+	opts := []option.ClientOption{}
+	if c.endpointName != "" {
+		opts = append(opts, CreateEndpointOption(c.endpointName, ServiceNameGCPIAM))
+	}
+	svc, err := GetIAMService(ctx, opts...)
 	if err != nil {
 		return "", errors.Wrapf(err, "failed create IAM service")
 	}
@@ -740,3 +763,40 @@ func (c *Client) GetKeyRing(ctx context.Context, kmsKeyRef *gcptypes.KMSKeyRefer
 	}
 	return nil, fmt.Errorf("failed to find kms key ring with name %s", keyRingName)
 }
+
+// GetPrivateServiceConnectEndpoint finds the GCP compute forwarding rule that is associated with the endpoint.
+func GetPrivateServiceConnectEndpoint(client *compute.Service, project string, endpoint *gcptypes.PSCEndpoint) (*compute.ForwardingRule, error) {
+	if endpoint == nil {
+		return nil, nil
+	}
+
+	var forwardingRules *compute.ForwardingRuleList
+	var forwardingRuleErr error
+	if endpoint.Region != "" {
+		forwardingRules, forwardingRuleErr = client.ForwardingRules.List(project, endpoint.Region).Do()
+	} else {
+		forwardingRules, forwardingRuleErr = client.GlobalForwardingRules.List(project).Do()
+	}
+	if forwardingRuleErr != nil {
+		return nil, fmt.Errorf("failed to list forwarding rules: %w", forwardingRuleErr)
+	}
+
+	if forwardingRules != nil {
+		// Iterate through forwarding rules to find the PSC endpoint
+		for _, rule := range forwardingRules.Items {
+			if rule.Name == endpoint.Name {
+				return rule, nil
+			}
+		}
+	}
+	return nil, fmt.Errorf("failed to find forwarding rule for private service connect endpoint %s", endpoint.Name)
+}
+
+// GetPrivateServiceConnectEndpoint will get the forwarding rule associated with a private service connect endpoint.
+func (c *Client) GetPrivateServiceConnectEndpoint(ctx context.Context, project string, endpoint *gcptypes.PSCEndpoint) (*compute.ForwardingRule, error) {
+	svc, err := c.getComputeService(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Compute service: %w", err)
+	}
+	return GetPrivateServiceConnectEndpoint(svc, project, endpoint)
+}

pkg/asset/installconfig/gcp/dns.go

@@ -11,12 +11,12 @@ import (
 	"github.com/pkg/errors"
 	"google.golang.org/api/googleapi"
 
-	configv1 "github.com/openshift/api/config/v1"
+	gcptypes "github.com/openshift/installer/pkg/types/gcp"
 )
 
 // GetBaseDomain returns a base domain chosen from among the project's public DNS zones.
-func GetBaseDomain(project string, endpoints []configv1.GCPServiceEndpoint) (string, error) {
-	client, err := NewClient(context.TODO(), endpoints)
+func GetBaseDomain(project string, endpoint *gcptypes.PSCEndpoint) (string, error) {
+	client, err := NewClient(context.TODO(), endpoint)
 	if err != nil {
 		return "", err
 	}