Merge pull request openshift#8532 from mjturek/permitted-network

OCPBUGS-34978: Power VS: Ensure that VPC has prerequesite resources for private

Author: openshift-merge-bot[bot]

pkg/asset/installconfig/powervs/client.go

@@ -41,7 +41,10 @@ type API interface {
 	GetDNSZones(ctx context.Context, publish types.PublishingStrategy) ([]DNSZoneResponse, error)
 	GetDNSInstancePermittedNetworks(ctx context.Context, dnsID string, dnsZone string) ([]string, error)
 	GetDNSCustomResolverIP(ctx context.Context, dnsID string, vpcID string) (string, error)
+	CreateDNSCustomResolver(ctx context.Context, name string, dnsID string, vpcID string) (*dnssvcsv1.CustomResolver, error)
+	EnableDNSCustomResolver(ctx context.Context, dnsID string, resolverID string) (*dnssvcsv1.CustomResolver, error)
 	CreateDNSRecord(ctx context.Context, publish types.PublishingStrategy, crnstr string, baseDomain string, hostname string, cname string) error
+	AddVPCToPermittedNetworks(ctx context.Context, vpcCRN string, dnsID string, dnsZone string) error
 
 	// VPC
 	GetVPCByName(ctx context.Context, vpcName string) (*vpcv1.VPC, error)
@@ -295,6 +298,46 @@ func (c *Client) GetDNSCustomResolverIP(ctx context.Context, dnsID string, vpcID
 	return "", fmt.Errorf("DNS server IP of custom resolver for %q not found", dnsID)
 }
 
+// CreateDNSCustomResolver creates a custom resolver associated with the specified VPC in the specified DNS zone.
+func (c *Client) CreateDNSCustomResolver(ctx context.Context, name string, dnsID string, vpcID string) (*dnssvcsv1.CustomResolver, error) {
+	createCustomResolverOptions := c.dnsServicesAPI.NewCreateCustomResolverOptions(dnsID)
+	createCustomResolverOptions.SetName(name)
+
+	subnets, err := c.GetVPCSubnets(ctx, vpcID)
+	if err != nil {
+		return nil, err
+	}
+
+	locations := []dnssvcsv1.LocationInput{}
+	for _, subnet := range subnets {
+		location, err := c.dnsServicesAPI.NewLocationInput(*subnet.CRN)
+		if err != nil {
+			return nil, err
+		}
+		location.Enabled = core.BoolPtr(true)
+		locations = append(locations, *location)
+	}
+	createCustomResolverOptions.SetLocations(locations)
+
+	customResolver, _, err := c.dnsServicesAPI.CreateCustomResolverWithContext(ctx, createCustomResolverOptions)
+	if err != nil {
+		return nil, err
+	}
+	return customResolver, nil
+}
+
+// EnableDNSCustomResolver enables a specified custom resolver.
+func (c *Client) EnableDNSCustomResolver(ctx context.Context, dnsID string, resolverID string) (*dnssvcsv1.CustomResolver, error) {
+	updateCustomResolverOptions := c.dnsServicesAPI.NewUpdateCustomResolverOptions(dnsID, resolverID)
+	updateCustomResolverOptions.SetEnabled(true)
+
+	customResolver, _, err := c.dnsServicesAPI.UpdateCustomResolverWithContext(ctx, updateCustomResolverOptions)
+	if err != nil {
+		return nil, err
+	}
+	return customResolver, nil
+}
+
 // GetDNSZoneIDByName gets the CIS zone ID from its domain name.
 func (c *Client) GetDNSZoneIDByName(ctx context.Context, name string, publish types.PublishingStrategy) (string, error) {
 	zones, err := c.GetDNSZones(ctx, publish)
@@ -416,6 +459,24 @@ func (c *Client) GetDNSInstancePermittedNetworks(ctx context.Context, dnsID stri
 	return networks, nil
 }
 
+// AddVPCToPermittedNetworks adds the specified VPC to the specified DNS zone.
+func (c *Client) AddVPCToPermittedNetworks(ctx context.Context, vpcCRN string, dnsID string, dnsZone string) error {
+	createPermittedNetworkOptions := c.dnsServicesAPI.NewCreatePermittedNetworkOptions(dnsID, dnsZone)
+	permittedNetwork, err := c.dnsServicesAPI.NewPermittedNetworkVpc(vpcCRN)
+	if err != nil {
+		return err
+	}
+
+	createPermittedNetworkOptions.SetPermittedNetwork(permittedNetwork)
+	createPermittedNetworkOptions.SetType("vpc")
+
+	_, _, err = c.dnsServicesAPI.CreatePermittedNetworkWithContext(ctx, createPermittedNetworkOptions)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // CreateDNSRecord Creates a DNS CNAME record in the given base domain and CRN.
 func (c *Client) CreateDNSRecord(ctx context.Context, publish types.PublishingStrategy, crnstr string, baseDomain string, hostname string, cname string) error {
 	switch publish {

pkg/asset/installconfig/powervs/metadata.go

@@ -246,6 +246,36 @@ func (m *Metadata) IsVPCPermittedNetwork(ctx context.Context, vpcName string, ba
 	return false, nil
 }
 
+// EnsureVPCIsPermittedNetwork checks if a VPC is permitted to the DNS zone and adds it if it is not.
+func (m *Metadata) EnsureVPCIsPermittedNetwork(ctx context.Context, vpcName string) error {
+	dnsCRN, err := crn.Parse(m.dnsInstanceCRN)
+	if err != nil {
+		return fmt.Errorf("failed to parse DNSInstanceCRN: %w", err)
+	}
+
+	isVPCPermittedNetwork, err := m.IsVPCPermittedNetwork(ctx, vpcName, m.BaseDomain)
+	if err != nil {
+		return fmt.Errorf("failed to determine if VPC is permitted network: %w", err)
+	}
+
+	if !isVPCPermittedNetwork {
+		vpc, err := m.client.GetVPCByName(ctx, vpcName)
+		if err != nil {
+			return fmt.Errorf("failed to find VPC by name: %w", err)
+		}
+
+		zoneID, err := m.client.GetDNSZoneIDByName(ctx, m.BaseDomain, types.InternalPublishingStrategy)
+		if err != nil {
+			return fmt.Errorf("failed to get DNS zone ID: %w", err)
+		}
+		err = m.client.AddVPCToPermittedNetworks(ctx, *vpc.CRN, dnsCRN.ServiceInstance, zoneID)
+		if err != nil {
+			return fmt.Errorf("failed to add permitted network: %w", err)
+		}
+	}
+	return nil
+}
+
 // GetSubnetID gets the ID of a VPC subnet by name and region.
 func (m *Metadata) GetSubnetID(ctx context.Context, subnetName string, vpcRegion string) (string, error) {
 	subnet, err := m.client.GetSubnetByName(ctx, subnetName, vpcRegion)
@@ -281,7 +311,35 @@ func (m *Metadata) GetDNSServerIP(ctx context.Context, vpcName string) (string,
 	}
 	dnsServerIP, err := m.client.GetDNSCustomResolverIP(ctx, dnsCRN.ServiceInstance, *vpc.ID)
 	if err != nil {
-		return "", err
+		// There is no custom resolver, try to create one.
+		customResolverName := fmt.Sprintf("%s-custom-resolver", vpcName)
+		customResolver, err := m.client.CreateDNSCustomResolver(ctx, customResolverName, dnsCRN.ServiceInstance, *vpc.ID)
+		if err != nil {
+			return "", err
+		}
+		// Wait for the custom resolver to be enabled.
+		backoff := wait.Backoff{
+			Duration: 15 * time.Second,
+			Factor:   1.1,
+			Cap:      leftInContext(ctx),
+			Steps:    math.MaxInt32}
+
+		customResolverID := *customResolver.ID
+		var lastErr error
+		err = wait.ExponentialBackoffWithContext(ctx, backoff, func(context.Context) (bool, error) {
+			customResolver, lastErr = m.client.EnableDNSCustomResolver(ctx, dnsCRN.ServiceInstance, customResolverID)
+			if lastErr == nil {
+				return true, nil
+			}
+			return false, nil
+		})
+		if err != nil {
+			if lastErr != nil {
+				err = lastErr
+			}
+			return "", fmt.Errorf("failed to enable custom resolver %s: %w", *customResolver.ID, err)
+		}
+		dnsServerIP = *customResolver.Locations[0].DnsServerIp
 	}
 	return dnsServerIP, nil
 }

pkg/asset/installconfig/powervs/mock/powervsclient_generated.go

@@ -181,6 +181,12 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 	// If a VPC was specified, pass all subnets in it to cluster API
 	if installConfig.Config.Platform.PowerVS.VPCName != "" {
 		logrus.Debugf("GenerateClusterAssets: VPCName = %s", installConfig.Config.Platform.PowerVS.VPCName)
+		if installConfig.Config.Publish == types.InternalPublishingStrategy {
+			err = installConfig.PowerVS.EnsureVPCIsPermittedNetwork(context.TODO(), installConfig.Config.PowerVS.VPCName)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("error ensuring VPC is permitted: %s %w", installConfig.Config.PowerVS.VPCName, err)
+		}
 		subnets, err := installConfig.PowerVS.GetVPCSubnets(context.TODO(), vpcName)
 		if err != nil {
 			return nil, fmt.Errorf("error getting subnets in specified VPC: %s %w", installConfig.Config.PowerVS.VPCName, err)