Remove helm condition for aws vpc cni deletion

Makefile

@@ -149,7 +149,7 @@ EKS_SOURCE_TEMPLATE ?= eks/cluster-template-eks-control-plane-only.yaml
 
 # set up `setup-envtest` to install kubebuilder dependency
 export KUBEBUILDER_ENVTEST_KUBERNETES_VERSION ?= 1.28.3
-SETUP_ENVTEST_VER := v0.0.0-20230131074648-f5014c077fc3
+SETUP_ENVTEST_VER := v0.0.0-20240531134648-6636df17d67b
 SETUP_ENVTEST_BIN := setup-envtest
 SETUP_ENVTEST := $(abspath $(TOOLS_BIN_DIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER))
 SETUP_ENVTEST_PKG := sigs.k8s.io/controller-runtime/tools/setup-envtest

api/v1beta1/awscluster_conversion.go

@@ -105,6 +105,18 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.NetworkSpec.VPC.PrivateDNSHostnameTypeOnLaunch = restored.Spec.NetworkSpec.VPC.PrivateDNSHostnameTypeOnLaunch
 	dst.Spec.NetworkSpec.VPC.CarrierGatewayID = restored.Spec.NetworkSpec.VPC.CarrierGatewayID
 
+	if restored.Spec.NetworkSpec.VPC.ElasticIPPool != nil {
+		if dst.Spec.NetworkSpec.VPC.ElasticIPPool == nil {
+			dst.Spec.NetworkSpec.VPC.ElasticIPPool = &infrav2.ElasticIPPool{}
+		}
+		if restored.Spec.NetworkSpec.VPC.ElasticIPPool.PublicIpv4Pool != nil {
+			dst.Spec.NetworkSpec.VPC.ElasticIPPool.PublicIpv4Pool = restored.Spec.NetworkSpec.VPC.ElasticIPPool.PublicIpv4Pool
+		}
+		if restored.Spec.NetworkSpec.VPC.ElasticIPPool.PublicIpv4PoolFallBackOrder != nil {
+			dst.Spec.NetworkSpec.VPC.ElasticIPPool.PublicIpv4PoolFallBackOrder = restored.Spec.NetworkSpec.VPC.ElasticIPPool.PublicIpv4PoolFallBackOrder
+		}
+	}
+
 	// Restore SubnetSpec.ResourceID, SubnetSpec.ParentZoneName, and SubnetSpec.ZoneType fields, if any.
 	for _, subnet := range restored.Spec.NetworkSpec.Subnets {
 		for i, dstSubnet := range dst.Spec.NetworkSpec.Subnets {

api/v1beta1/awsmachine_conversion.go

@@ -41,6 +41,17 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.PlacementGroupPartition = restored.Spec.PlacementGroupPartition
 	dst.Spec.PrivateDNSName = restored.Spec.PrivateDNSName
 	dst.Spec.SecurityGroupOverrides = restored.Spec.SecurityGroupOverrides
+	if restored.Spec.ElasticIPPool != nil {
+		if dst.Spec.ElasticIPPool == nil {
+			dst.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
+		}
+		if restored.Spec.ElasticIPPool.PublicIpv4Pool != nil {
+			dst.Spec.ElasticIPPool.PublicIpv4Pool = restored.Spec.ElasticIPPool.PublicIpv4Pool
+		}
+		if restored.Spec.ElasticIPPool.PublicIpv4PoolFallBackOrder != nil {
+			dst.Spec.ElasticIPPool.PublicIpv4PoolFallBackOrder = restored.Spec.ElasticIPPool.PublicIpv4PoolFallBackOrder
+		}
+	}
 
 	return nil
 }
@@ -91,6 +102,17 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.Template.Spec.PlacementGroupPartition = restored.Spec.Template.Spec.PlacementGroupPartition
 	dst.Spec.Template.Spec.PrivateDNSName = restored.Spec.Template.Spec.PrivateDNSName
 	dst.Spec.Template.Spec.SecurityGroupOverrides = restored.Spec.Template.Spec.SecurityGroupOverrides
+	if restored.Spec.Template.Spec.ElasticIPPool != nil {
+		if dst.Spec.Template.Spec.ElasticIPPool == nil {
+			dst.Spec.Template.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
+		}
+		if restored.Spec.Template.Spec.ElasticIPPool.PublicIpv4Pool != nil {
+			dst.Spec.Template.Spec.ElasticIPPool.PublicIpv4Pool = restored.Spec.Template.Spec.ElasticIPPool.PublicIpv4Pool
+		}
+		if restored.Spec.Template.Spec.ElasticIPPool.PublicIpv4PoolFallBackOrder != nil {
+			dst.Spec.Template.Spec.ElasticIPPool.PublicIpv4PoolFallBackOrder = restored.Spec.Template.Spec.ElasticIPPool.PublicIpv4PoolFallBackOrder
+		}
+	}
 
 	return nil
 }

api/v1beta2/awscluster_webhook.go

@@ -264,8 +264,22 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 	}
 
 	for _, rule := range r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules {
-		if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
+		allErrs = append(allErrs, r.validateIngressRule(rule)...)
+	}
+
+	if r.Spec.NetworkSpec.VPC.ElasticIPPool != nil {
+		eipp := r.Spec.NetworkSpec.VPC.ElasticIPPool
+		if eipp.PublicIpv4Pool != nil {
+			if eipp.PublicIpv4PoolFallBackOrder == nil {
+				return append(allErrs, field.Invalid(field.NewPath("elasticIpPool.publicIpv4PoolFallbackOrder"), r.Spec.NetworkSpec.VPC.ElasticIPPool, "publicIpv4PoolFallbackOrder must be set when publicIpv4Pool is defined."))
+			}
+			awsPublicIpv4PoolPrefix := "ipv4pool-ec2-"
+			if !strings.HasPrefix(*eipp.PublicIpv4Pool, awsPublicIpv4PoolPrefix) {
+				return append(allErrs, field.Invalid(field.NewPath("elasticIpPool.publicIpv4Pool"), r.Spec.NetworkSpec.VPC.ElasticIPPool, fmt.Sprintf("publicIpv4Pool must start with %s.", awsPublicIpv4PoolPrefix)))
+			}
+		}
+		if eipp.PublicIpv4Pool == nil && eipp.PublicIpv4PoolFallBackOrder != nil {
+			return append(allErrs, field.Invalid(field.NewPath("elasticIpPool.publicIpv4PoolFallbackOrder"), r.Spec.NetworkSpec.VPC.ElasticIPPool, "publicIpv4Pool must be set when publicIpv4PoolFallbackOrder is defined."))
 		}
 	}
 
@@ -307,9 +321,7 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		}
 
 		for _, rule := range cp.IngressRules {
-			if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
-				allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
-			}
+			allErrs = append(allErrs, r.validateIngressRule(rule)...)
 		}
 	}
 
@@ -351,11 +363,19 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		}
 	}
 
-	for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
+	return allErrs
+}
+
+func (r *AWSCluster) validateIngressRule(rule IngressRule) field.ErrorList {
+	var allErrs field.ErrorList
+	if rule.NatGatewaysIPsSource {
+		if rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil || rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
+		}
+	} else {
 		if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
 		}
 	}
-
 	return allErrs
 }

api/v1beta2/awscluster_webhook_test.go

@@ -408,6 +408,59 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "rejects ingress rules with cidr block, source security group id, role and nat gateway IP source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:                 SecurityGroupProtocolTCP,
+								IPv6CidrBlocks:           []string{"test"},
+								SourceSecurityGroupIDs:   []string{"test"},
+								SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
+								NatGatewaysIPsSource:     true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects ingress rules with source security role and nat gateway IP source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:                 SecurityGroupProtocolTCP,
+								SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
+								NatGatewaysIPsSource:     true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects ingress rules with cidr block and nat gateway IP source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:             SecurityGroupProtocolTCP,
+								IPv6CidrBlocks:       []string{"test"},
+								NatGatewaysIPsSource: true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "accepts ingress rules with cidr block",
 			cluster: &AWSCluster{
@@ -424,6 +477,22 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "accepts ingress rules with nat gateway IPs source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:             SecurityGroupProtocolTCP,
+								NatGatewaysIPsSource: true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "accepts ingress rules with source security group role",
 			cluster: &AWSCluster{

api/v1beta2/awsmachine_types.go

@@ -113,6 +113,11 @@ type AWSMachineSpec struct {
 	// +optional
 	PublicIP *bool `json:"publicIP,omitempty"`
 
+	// ElasticIPPool is the configuration to allocate Public IPv4 address (Elastic IP/EIP) from user-defined pool.
+	//
+	// +optional
+	ElasticIPPool *ElasticIPPool `json:"elasticIpPool,omitempty"`
+
 	// AdditionalSecurityGroups is an array of references to security groups that should be applied to the
 	// instance. These security groups would be set in addition to any security groups defined
 	// at the cluster level or in the actuator. It is possible to specify either IDs of Filters. Using Filters

api/v1beta2/awsmachine_webhook.go

@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -64,6 +65,7 @@ func (r *AWSMachine) ValidateCreate() (admission.Warnings, error) {
 	allErrs = append(allErrs, r.validateSSHKeyName()...)
 	allErrs = append(allErrs, r.validateAdditionalSecurityGroups()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
+	allErrs = append(allErrs, r.validateNetworkElasticIPPool()...)
 
 	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
@@ -334,6 +336,31 @@ func (r *AWSMachine) validateRootVolume() field.ErrorList {
 	return allErrs
 }
 
+func (r *AWSMachine) validateNetworkElasticIPPool() field.ErrorList {
+	var allErrs field.ErrorList
+
+	if r.Spec.ElasticIPPool == nil {
+		return allErrs
+	}
+	if !ptr.Deref(r.Spec.PublicIP, false) {
+		allErrs = append(allErrs, field.Required(field.NewPath("spec.elasticIpPool"), "publicIp must be set to 'true' to assign custom public IPv4 pools with elasticIpPool"))
+	}
+	eipp := r.Spec.ElasticIPPool
+	if eipp.PublicIpv4Pool != nil {
+		if eipp.PublicIpv4PoolFallBackOrder == nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec.elasticIpPool.publicIpv4PoolFallbackOrder"), r.Spec.ElasticIPPool, "publicIpv4PoolFallbackOrder must be set when publicIpv4Pool is defined."))
+		}
+		awsPublicIpv4PoolPrefix := "ipv4pool-ec2-"
+		if !strings.HasPrefix(*eipp.PublicIpv4Pool, awsPublicIpv4PoolPrefix) {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec.elasticIpPool.publicIpv4Pool"), r.Spec.ElasticIPPool, fmt.Sprintf("publicIpv4Pool must start with %s.", awsPublicIpv4PoolPrefix)))
+		}
+	} else if eipp.PublicIpv4PoolFallBackOrder != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec.elasticIpPool.publicIpv4PoolFallbackOrder"), r.Spec.ElasticIPPool, "publicIpv4Pool must be set when publicIpv4PoolFallbackOrder is defined."))
+	}
+
+	return allErrs
+}
+
 func (r *AWSMachine) validateNonRootVolumes() field.ErrorList {
 	var allErrs field.ErrorList
 

api/v1beta2/awsmachine_webhook_test.go

@@ -368,6 +368,74 @@ func TestAWSMachineCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "create with valid BYOIPv4",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "type",
+					PublicIP:     aws.Bool(true),
+					ElasticIPPool: &ElasticIPPool{
+						PublicIpv4Pool:              aws.String("ipv4pool-ec2-0123456789abcdef0"),
+						PublicIpv4PoolFallBackOrder: ptr.To(PublicIpv4PoolFallbackOrderAmazonPool),
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "error when BYOIPv4 without fallback",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "type",
+					PublicIP:     aws.Bool(true),
+					ElasticIPPool: &ElasticIPPool{
+						PublicIpv4Pool: aws.String("ipv4pool-ec2-0123456789abcdef0"),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "error when BYOIPv4 without public ipv4 pool",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "type",
+					PublicIP:     aws.Bool(true),
+					ElasticIPPool: &ElasticIPPool{
+						PublicIpv4PoolFallBackOrder: ptr.To(PublicIpv4PoolFallbackOrderAmazonPool),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "error when BYOIPv4 with non-public IP set",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "type",
+					PublicIP:     aws.Bool(false),
+					ElasticIPPool: &ElasticIPPool{
+						PublicIpv4Pool:              aws.String("ipv4pool-ec2-0123456789abcdef0"),
+						PublicIpv4PoolFallBackOrder: ptr.To(PublicIpv4PoolFallbackOrderAmazonPool),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "error when BYOIPv4 with invalid pool name",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "type",
+					PublicIP:     aws.Bool(true),
+					ElasticIPPool: &ElasticIPPool{
+						PublicIpv4Pool:              aws.String("ipv4poolx-ec2-0123456789abcdef"),
+						PublicIpv4PoolFallBackOrder: ptr.To(PublicIpv4PoolFallbackOrderAmazonPool),
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {