azure_rm_openshiftmanagedcluster API server will revert to "Public" endpoints regardless if "Private" is selected

[redhatstuart]

SUMMARY

When creating an ARO cluster, both the Ingress and API servers can have public (external) endpoints or private (internal only) endpoints. This is done by declaring "visibility" to be either "Public" or "Private" (case sensitive). The ingress controller will respect and configure the endpoints appropriately however the API server profile will create only external/public endpoints even if "Private" is specified.

ISSUE TYPE

• Bug Report

COMPONENT NAME

azure_rm_openshiftmanagedcluster

ANSIBLE VERSION

ansible 2.9.11
  config file = None
  configured module search path = ['/home/stkirk/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.8.5 (default, Aug 12 2020, 00:00:00) [GCC 10.2.1 20200723 (Red Hat 10.2.1-1)]

CONFIGURATION

None

OS / ENVIRONMENT

[stkirk@stkirk-fedora ansible-aro]$ pip list |egrep '(azure|ansible)'
ansible 2.9.11
azure-ai-formrecognizer 1.0.0b4
azure-ai-nspkg 1.0.0
azure-ai-textanalytics 1.0.0
azure-appconfiguration 1.0.0
azure-applicationinsights 0.1.0
azure-batch 9.0.0
azure-cli-command-modules-nspkg 2.0.3
azure-cli-core 2.0.35
azure-cli-nspkg 3.0.2
azure-cli-telemetry 1.0.4
azure-cognitiveservices-anomalydetector 0.2.0
azure-cognitiveservices-formrecognizer 0.1.0
azure-cognitiveservices-inkrecognizer 1.0.0b1
azure-cognitiveservices-knowledge-nspkg 3.0.0
azure-cognitiveservices-knowledge-qnamaker 0.2.0
azure-cognitiveservices-language-luis 0.7.0
azure-cognitiveservices-language-nspkg 3.0.1
azure-cognitiveservices-language-spellcheck 2.0.0
azure-cognitiveservices-language-textanalytics 0.2.0
azure-cognitiveservices-nspkg 3.0.1
azure-cognitiveservices-personalizer 0.1.0
azure-cognitiveservices-search-autosuggest 0.2.0
azure-cognitiveservices-search-customimagesearch 0.2.0
azure-cognitiveservices-search-customsearch 0.3.0
azure-cognitiveservices-search-entitysearch 2.0.0
azure-cognitiveservices-search-imagesearch 2.0.0
azure-cognitiveservices-search-newssearch 2.0.0
azure-cognitiveservices-search-nspkg 3.0.1
azure-cognitiveservices-search-videosearch 2.0.0
azure-cognitiveservices-search-visualsearch 0.2.0
azure-cognitiveservices-search-websearch 2.0.0
azure-cognitiveservices-vision-computervision 0.6.0
azure-cognitiveservices-vision-contentmoderator 1.0.0
azure-cognitiveservices-vision-customvision 3.0.0
azure-cognitiveservices-vision-face 0.4.1
azure-cognitiveservices-vision-nspkg 3.0.1
azure-common 1.1.11
azure-core 1.7.0
azure-core-tracing-opencensus 1.0.0b6
azure-core-tracing-opentelemetry 1.0.0b6
azure-cosmos 4.0.0
azure-datalake-store 0.0.48
azure-devtools 1.1.1
azure-eventgrid 1.3.0
azure-eventhub 5.1.0
azure-eventhub-checkpointstoreblob 1.1.0
azure-eventhub-checkpointstoreblob-aio 1.1.0
azure-functions-devops-build 0.0.22
azure-graphrbac 0.61.1
azure-identity 1.3.1
azure-keyvault 1.0.0a1
azure-keyvault-certificates 4.1.0
azure-keyvault-keys 4.1.0
azure-keyvault-nspkg 1.0.0
azure-keyvault-secrets 4.1.0
azure-loganalytics 0.1.0
azure-mgmt-advisor 4.0.0
azure-mgmt-alertsmanagement 0.1.0
azure-mgmt-apimanagement 0.2.0
azure-mgmt-appconfiguration 0.5.0
azure-mgmt-applicationinsights 0.3.0
azure-mgmt-appplatform 0.1.0
azure-mgmt-attestation 0.1.0
azure-mgmt-authorization 0.51.1
azure-mgmt-automation 0.1.1
azure-mgmt-avs 0.1.0
azure-mgmt-azurestack 0.1.0
azure-mgmt-batch 5.0.1
azure-mgmt-batchai 2.0.0
azure-mgmt-billing 0.2.0
azure-mgmt-botservice 0.2.0
azure-mgmt-cdn 3.0.0
azure-mgmt-cognitiveservices 6.2.0
azure-mgmt-commerce 1.0.1
azure-mgmt-common 0.20.0
azure-mgmt-compute 10.0.0
azure-mgmt-consumption 3.0.0
azure-mgmt-containerinstance 1.4.0
azure-mgmt-containerregistry 2.0.0
azure-mgmt-containerservice 9.1.0
azure-mgmt-core 1.2.0
azure-mgmt-cosmosdb 0.5.2
azure-mgmt-costmanagement 0.2.0
azure-mgmt-customproviders 0.1.0
azure-mgmt-databox 0.2.0
azure-mgmt-databoxedge 0.1.0
azure-mgmt-databricks 0.1.0
azure-mgmt-datafactory 0.11.0
azure-mgmt-datalake-analytics 0.6.0
azure-mgmt-datalake-nspkg 3.0.1
azure-mgmt-datalake-store 0.5.0
azure-mgmt-datamigration 4.0.0
azure-mgmt-datashare 0.2.0
azure-mgmt-deploymentmanager 0.2.0
azure-mgmt-devspaces 0.2.0
azure-mgmt-devtestlabs 3.0.0
azure-mgmt-digitaltwins 0.1.0
azure-mgmt-dns 2.1.0
azure-mgmt-documentdb 0.1.3
azure-mgmt-edgegateway 0.1.0
azure-mgmt-eventgrid 2.2.0
azure-mgmt-eventhub 4.0.0
azure-mgmt-frontdoor 0.3.0
azure-mgmt-hanaonazure 0.14.0
azure-mgmt-hdinsight 0.1.0
azure-mgmt-healthcareapis 0.1.0
azure-mgmt-hybridcompute 0.1.1
azure-mgmt-hybridkubernetes 0.1.0
azure-mgmt-imagebuilder 0.4.0
azure-mgmt-iotcentral 3.1.0
azure-mgmt-iothub 0.7.0
azure-mgmt-iothubprovisioningservices 0.2.0
azure-mgmt-keyvault 1.1.0
azure-mgmt-kubernetesconfiguration 0.2.0
azure-mgmt-kusto 0.9.0
azure-mgmt-labservices 0.1.1
azure-mgmt-loganalytics 0.2.0
azure-mgmt-logic 3.0.0
azure-mgmt-machinelearningcompute 0.4.1
azure-mgmt-machinelearningservices 0.1.0
azure-mgmt-managedservices 1.0.0
azure-mgmt-managementgroups 0.2.0
azure-mgmt-maps 0.1.0
azure-mgmt-marketplaceordering 0.1.0
azure-mgmt-media 2.2.0
azure-mgmt-monitor 0.5.2
azure-mgmt-msi 0.2.0
azure-mgmt-netapp 0.8.0
azure-mgmt-network 10.2.0
azure-mgmt-nspkg 2.0.0
azure-mgmt-policyinsights 0.5.0
azure-mgmt-privatedns 0.1.0
azure-mgmt-rdbms 1.4.1
azure-mgmt-recoveryservices 0.4.0
azure-mgmt-recoveryservicesbackup 0.6.0
azure-mgmt-redhatopenshift 0.1.0
azure-mgmt-redis 5.0.0
azure-mgmt-relay 0.1.0
azure-mgmt-reservations 0.6.0
azure-mgmt-resource 2.1.0
azure-mgmt-search 2.1.0
azure-mgmt-security 0.4.1
azure-mgmt-servicebus 0.5.3
azure-mgmt-servicefabric 0.4.0
azure-mgmt-signalr 0.4.0
azure-mgmt-sql 0.10.0
azure-mgmt-sqlvirtualmachine 0.5.0
azure-mgmt-storage 11.1.0
azure-mgmt-trafficmanager 0.50.0
azure-mgmt-web 0.41.0
azure-multiapi-storage 0.3.5
azure-nspkg 2.0.0
azure-storage 0.35.1
azure-storage-common 1.4.2
msrestazure 0.6.2
opencensus-ext-azure 1.0.4

[stkirk@stkirk-fedora ansible-aro]$ uname -a
Linux stkirk-fedora 5.7.11-200.fc32.x86_64 #1 SMP Wed Jul 29 17:15:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE

  vars:
      # Customize These
      aro_master_subnet: "AROMasterSubnet"
      aro_master_subnet_cidr: "100.100.10.0/24"
      aro_vnet: "AROVNet"
      aro_vnet_cidr: "100.100.0.0/16"
      aro_worker_subnet: "AROWorkerSubnet"
      aro_worker_subnet_cidr: "100.100.20.0/24"
      azure_dc: "eastus"
      client_id: "X"
      client_secret: "X"
      cluster_name: "ansible-cluster"
      cluster_pull_secret: "{{ lookup('file', '~/openshift/aro4/pull-secret.txt') }}"
      master_vm_size: "Standard_D8s_v3"
      openshift_pull_secret: ""
      network_pod_cidr: "10.128.0.0/14"
      network_service_cidr: "172.30.0.0/16"
      **privacy_api: "Private"**
      privacy_ingress: "Private"
      resource_group: "aro4-ansible"
      worker_node_count: "4"
      worker_vm_size: "Standard_D4s_v3"

Playbook:
  - name: Create Azure Red Hat OpenShift 4 Cluster
    azure_rm_openshiftmanagedcluster:
      resource_group: "{{ resource_group }}"
      name: "{{ cluster_name }}"
      location: "{{ azure_dc }}"
      api_server_profile:
        **visibility: "{{ privacy_api }}"**
      cluster_profile:
        pull_secret: "{{ openshift_pull_secret }}"
      ingress_profiles:
        - name: "default"
          visibility: "{{ privacy_ingress }}"
      master_profile:
        vm_size : "{{ master_vm_size }}"
        subnet_id: "/subscriptions/{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}/resourceGroups/{{resource_group}}/providers/Microsoft.Network/virtualNetworks/{{ aro_vnet }}/subnets/{{ aro_master_subnet }}"
      network_profile:
        pod_cidr: "{{ network_pod_cidr }}"
        service_cidr: "{{ network_service_cidr }}"
      service_principal_profile:
        client_id: "{{ client_id }}"
        client_secret: "{{ client_secret }}"
      worker_profiles:
        - name: "worker"
          vm_size : "{{ worker_vm_size }}"
          subnet_id: "/subscriptions/{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}/resourceGroups/{{resource_group}}/providers/Microsoft.Network/virtualNetworks/{{ aro_vnet }}/subnets/{{ aro_worker_subnet }}"
          count: 4

EXPECTED RESULTS

The API server should be provisioned with an internal-only endpoint on the subnet provided by the configured VNet. It should be a non-routable "10.x.x.x" address and not externally accessible.

ACTUAL RESULTS

A public (externally facing) endpoint IP address is created for the API server

[haiyuazhang]

@stuartatmicrosoft it might be a service side issue, since at the collection side, no auto "Private" to "Public" conversion logic.

[uDuCkV]

there is a spelling on line:

azure/plugins/modules/azure_rm_openshiftmanagedcluster.py

Line 827 in 43d8833

if 'apiServerProfile' not in self.body['properties']:

should be

    if 'apiserverProfile' not in self.body['properties']:

worked for me

[redhatstuart]

@Fred-sun can this change get merged presuming @uDuCkV did a PR?

[uDuCkV]

Done. #307 needs to be reviewed.

[Fred-sun]

Done. #307 needs to be reviewed.