aws/publicIpv4Pool: validate if Public IPv4 pool exists

mtulio · mtulio · commit 61810a6db065 · 2024-02-21T15:10:45.000-03:00
Validate if Public IPv4 Pool (platform.aws.publicIpv4PoolId)
exists, and has enough free IPs in the pool when installing
a cluster with publish strategy external.
diff --git a/pkg/asset/installconfig/aws/ec2.go b/pkg/asset/installconfig/aws/ec2.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -28,3 +29,24 @@ func DescribeSecurityGroups(ctx context.Context, session *session.Session, secur
 	}
 	return sgOutput.SecurityGroups, nil
 }
+
+// DescribePublicIpv4Pool returns the ec2 public IPv4 Pool attributes from the given ID.
+func DescribePublicIpv4Pool(ctx context.Context, session *session.Session, region string, poolID string) (*ec2.PublicIpv4Pool, error) {
+	client := ec2.New(session, aws.NewConfig().WithRegion(region))
+
+	cctx, cancel := context.WithTimeout(ctx, 1*time.Minute)
+	defer cancel()
+
+	poolOutputs, err := client.DescribePublicIpv4PoolsWithContext(cctx, &ec2.DescribePublicIpv4PoolsInput{PoolIds: []*string{aws.String(poolID)}})
+	if err != nil {
+		return nil, err
+	}
+	if len(poolOutputs.PublicIpv4Pools) == 0 {
+		return nil, fmt.Errorf("public IPv4 Pool not found: %s", poolID)
+	}
+	// it should not happen
+	if len(poolOutputs.PublicIpv4Pools) > 1 {
+		return nil, fmt.Errorf("more than one Public IPv4 Pool: %s", poolID)
+	}
+	return poolOutputs.PublicIpv4Pools[0], nil
+}
diff --git a/pkg/asset/installconfig/aws/validation.go b/pkg/asset/installconfig/aws/validation.go
@@ -46,6 +46,7 @@ func Validate(ctx context.Context, meta *Metadata, config *types.InstallConfig)
 		return errors.New(field.Required(field.NewPath("platform", "aws"), "AWS validation requires an AWS platform configuration").Error())
 	}
 	allErrs = append(allErrs, validateAMI(ctx, config)...)
+	allErrs = append(allErrs, validatePublicIpv4Pool(ctx, meta, field.NewPath("platform", "aws", "publicIpv4PoolId"), config)...)
 	allErrs = append(allErrs, validatePlatform(ctx, meta, field.NewPath("platform", "aws"), config.Platform.AWS, config.Networking, config.Publish)...)
 
 	if config.ControlPlane != nil {
@@ -141,6 +142,47 @@ func validateAMI(ctx context.Context, config *types.InstallConfig) field.ErrorLi
 	return field.ErrorList{field.Required(field.NewPath("platform", "aws", "amiID"), "AMI must be provided")}
 }
 
+func validatePublicIpv4Pool(ctx context.Context, meta *Metadata, fldPath *field.Path, config *types.InstallConfig) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if config.Platform.AWS.PublicIpv4Pool == "" {
+		return nil
+	}
+	poolID := config.Platform.AWS.PublicIpv4Pool
+	if config.Publish != types.ExternalPublishingStrategy {
+		return append(allErrs, field.Invalid(fldPath, poolID, fmt.Errorf("publish strategy %s can't be used with custom Public IPv4 Pools", config.Publish).Error()))
+	}
+
+	// Pool validations
+	// Resources claiming Public IPv4 from Pool in regular 'External' installations:
+	// 1* for Bootsrtap
+	// N*Zones for NAT Gateways
+	// N*Zones for API LB
+	// N*Zones for Ingress LB
+	allzones, err := meta.AvailabilityZones(ctx)
+	if err != nil {
+		return append(allErrs, field.InternalError(fldPath, err))
+	}
+	totalPublicIPRequired := int64(1 + (len(allzones) * 3))
+
+	sess, err := meta.Session(ctx)
+	if err != nil {
+		return append(allErrs, field.Invalid(fldPath, nil, fmt.Sprintf("unable to start a session: %s", err.Error())))
+	}
+	publicIpv4Pool, err := DescribePublicIpv4Pool(ctx, sess, config.Platform.AWS.Region, poolID)
+	if err != nil {
+		return append(allErrs, field.Invalid(fldPath, poolID, err.Error()))
+	}
+
+	got := aws.Int64Value(publicIpv4Pool.TotalAvailableAddressCount)
+	if got < totalPublicIPRequired {
+		err = fmt.Errorf("required a minimum of %d Public IPv4 IPs available in the pool %s, got %d", totalPublicIPRequired, poolID, got)
+		return append(allErrs, field.InternalError(fldPath, err))
+	}
+
+	return nil
+}
+
 func validateSubnets(ctx context.Context, meta *Metadata, fldPath *field.Path, subnets []string, networking *types.Networking, publish types.PublishingStrategy) field.ErrorList {
 	allErrs := field.ErrorList{}
 	privateSubnets, err := meta.PrivateSubnets(ctx)
diff --git a/pkg/asset/installconfig/aws/validation_test.go b/pkg/asset/installconfig/aws/validation_test.go
@@ -807,6 +807,17 @@ func TestValidate(t *testing.T) {
 		publicSubnets:  validPublicSubnets(),
 		proxy:          "http://proxy.com",
 		expectErr:      `^\Qplatform.aws.serviceEndpoints[0].url: Invalid value: "http://test": Head "http://test": dial tcp: lookup test\E.*: no such host$`,
+	}, {
+		name: "invalid public ipv4 pool private installation",
+		installConfig: func() *types.InstallConfig {
+			c := validInstallConfig()
+			c.Publish = types.InternalPublishingStrategy
+			c.Platform.AWS.PublicIpv4Pool = "ipv4pool-ec2-123"
+			c.Platform.AWS.Subnets = []string{}
+			return c
+		}(),
+		availZones: validAvailZones(),
+		expectErr:  `^platform.aws.publicIpv4PoolId: Invalid value: "ipv4pool-ec2-123": publish strategy Internal can't be used with custom Public IPv4 Pools$`,
 	}}
 
 	for _, test := range tests {
