Merge pull request openshift#7983 from mtulio/aws-byoip

SPLAT-1434: aws: add support of BYO public ipv4 pool

Author: openshift-merge-bot[bot]

data/data/aws/bootstrap/main.tf

@@ -249,3 +249,11 @@ resource "aws_security_group_rule" "bootstrap_journald_gateway" {
   from_port   = 19531
   to_port     = 19531
 }
+
+resource "aws_eip" "bootstrap" {
+  domain           = "vpc"
+  instance         = aws_instance.bootstrap.id
+  public_ipv4_pool = var.aws_public_ipv4_pool == "" ? null : var.aws_public_ipv4_pool
+
+  depends_on = [aws_instance.bootstrap]
+}

data/data/aws/cluster/main.tf

@@ -109,6 +109,8 @@ module "vpc" {
   edge_parent_gw_map = var.aws_edge_parent_zones_index
   edge_zones_type    = var.aws_edge_zones_type
 
+  public_ipv4_pool = var.aws_public_ipv4_pool
+
   tags = local.tags
 }
 

data/data/aws/cluster/vpc/master-elb.tf

@@ -24,10 +24,18 @@ resource "aws_lb" "api_external" {
 
   name                             = "${var.cluster_id}-ext"
   load_balancer_type               = "network"
-  subnets                          = data.aws_subnet.public.*.id
   internal                         = false
   enable_cross_zone_load_balancing = true
 
+  dynamic "subnet_mapping" {
+    for_each = range(length(data.aws_subnet.public))
+
+    content {
+      subnet_id     = data.aws_subnet.public[subnet_mapping.key].id
+      allocation_id = aws_eip.api_nlb_public[subnet_mapping.key].id
+    }
+  }
+
   tags = merge(
     {
       "Name" = "${var.cluster_id}-ext"
@@ -38,7 +46,24 @@ resource "aws_lb" "api_external" {
   timeouts {
     create = "20m"
   }
+}
+
+resource "aws_eip" "api_nlb_public" {
+  count  = length(var.availability_zones)
+  domain = "vpc"
+
+  public_ipv4_pool = var.public_ipv4_pool == "" ? null : var.public_ipv4_pool
+
+  tags = merge(
+    {
+      "Name" = "${var.cluster_id}-eip-${var.availability_zones[count.index]}-lb-api"
+    },
+    var.tags,
+  )
 
+  # Terraform does not declare an explicit dependency towards the internet gateway.
+  # this can cause the internet gateway to be deleted/detached before the EIPs.
+  # https://github.com/coreos/tectonic-installer/issues/1017#issuecomment-307780549
   depends_on = [aws_internet_gateway.igw]
 }
 

data/data/aws/cluster/vpc/variables.tf

@@ -59,4 +59,9 @@ variable "public_subnets" {
 variable "private_subnets" {
   type        = list(string)
   description = "Existing private subnets into which the cluster should be installed."
+}
+
+variable "public_ipv4_pool" {
+  type        = string
+  description = "An Public IPv4 Pool"
 }

data/data/aws/cluster/vpc/vpc-public.tf

@@ -95,6 +95,8 @@ resource "aws_eip" "nat_eip" {
   count = var.public_subnets == null ? length(var.availability_zones) : 0
   vpc   = true
 
+  public_ipv4_pool = var.public_ipv4_pool == "" ? null : var.public_ipv4_pool
+
   tags = merge(
     {
       "Name" = "${var.cluster_id}-eip-${var.availability_zones[count.index]}"

data/data/aws/variables-aws.tf

@@ -226,4 +226,16 @@ a Public Route Table and the default route entry pointing to the carrier gateway
 
 Example: `{ "us-east-1-nyc-1a"=local-zone, "us-east-1-wl1-nyc-wlz-1"=wavelength-zone }`
 EOF
-}
+}
+
+variable "aws_public_ipv4_pool" {
+  type = string
+
+  description = <<EOF
+(optional) Indicates the installation process to use Public IPv4 address
+that you bring to your AWS account with BYOIP to create resources which consumes
+Elastic IPs when the publish strategy is External.
+EOF
+
+  default = ""
+}

data/data/install.openshift.io_installconfigs.yaml

@@ -2287,6 +2287,11 @@ spec:
                       operators to include the specified user tags in the tags of
                       the AWS resources that the operators create.
                     type: boolean
+                  publicIpv4Pool:
+                    description: PublicIpv4Pool is an optional field that can be used
+                      to tell the installation process to use Public IPv4 address
+                      that you bring to your AWS account with BYOIP.
+                    type: string
                   region:
                     description: Region specifies the AWS region where the cluster
                       will be created.

docs/user/aws/custom_public_ipv4.md

@@ -0,0 +1,38 @@
+# Install OpenShift on AWS using custom/owned Public IPv4 Pool
+
+Steps to create a cluster on AWS using Public IPv4 address pool
+that you bring to your AWS account with BYOIP.
+
+## Prerequisites
+
+- Public IPv4 Pool Provisioned in the Account
+- Total of ( (Zones*3 ) + 1) of Public IPv4 available in the pool, where: Zones is the total numbber of AWS zones used to deploy the OpenShift cluster.
+    - Example to query the IPv4 pools available in the account, which returns the  `TotalAvailableAddressCount`:
+```
+aws ec2 describe-public-ipv4-pools --region us-east-1
+```
+
+## Steps
+
+- Create the install config setting the field `platform.aws.publicIpv4PoolId`, and create the cluster:
+
+```yaml
+apiVersion: v1
+baseDomain: ${CLUSTER_BASE_DOMAIN}
+metadata:
+  name: ocp-byoip
+platform:
+  aws:
+    region: ${REGION}
+    publicIpv4Pool: ipv4pool-ec2-123456789abcde
+publish: External
+pullSecret: '...'
+sshKey: |
+  '...'
+```
+
+- Create the cluster
+
+```sh
+openshift-install create cluster
+```

pkg/asset/cluster/tfvars/tfvars.go

@@ -333,6 +333,7 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			Proxy:                     installConfig.Config.Proxy,
 			PreserveBootstrapIgnition: installConfig.Config.AWS.PreserveBootstrapIgnition,
 			MasterSecurityGroups:      securityGroups,
+			PublicIpv4Pool:            installConfig.Config.AWS.PublicIpv4Pool,
 		})
 		if err != nil {
 			return errors.Wrapf(err, "failed to get %s Terraform variables", platform)

pkg/asset/installconfig/aws/ec2.go

@@ -2,6 +2,7 @@ package aws
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -28,3 +29,24 @@ func DescribeSecurityGroups(ctx context.Context, session *session.Session, secur
 	}
 	return sgOutput.SecurityGroups, nil
 }
+
+// DescribePublicIpv4Pool returns the ec2 public IPv4 Pool attributes from the given ID.
+func DescribePublicIpv4Pool(ctx context.Context, session *session.Session, region string, poolID string) (*ec2.PublicIpv4Pool, error) {
+	client := ec2.New(session, aws.NewConfig().WithRegion(region))
+
+	cctx, cancel := context.WithTimeout(ctx, 1*time.Minute)
+	defer cancel()
+
+	poolOutputs, err := client.DescribePublicIpv4PoolsWithContext(cctx, &ec2.DescribePublicIpv4PoolsInput{PoolIds: []*string{aws.String(poolID)}})
+	if err != nil {
+		return nil, err
+	}
+	if len(poolOutputs.PublicIpv4Pools) == 0 {
+		return nil, fmt.Errorf("public IPv4 Pool not found: %s", poolID)
+	}
+	// it should not happen
+	if len(poolOutputs.PublicIpv4Pools) > 1 {
+		return nil, fmt.Errorf("more than one Public IPv4 Pool: %s", poolID)
+	}
+	return poolOutputs.PublicIpv4Pools[0], nil
+}