Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Supporting externally managed Control Plane #4438

Merged
merged 3 commits into from
Feb 8, 2024
Merged

✨ Supporting externally managed Control Plane #4438

merged 3 commits into from
Feb 8, 2024

Conversation

prometherion
Copy link
Contributor

@prometherion prometherion commented Aug 4, 2023
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Cluster API allows defining externally managed control plane for the given cluster, the current code-base doesn't consider this since it nevertheless performs the following actions:

  • reconciliation of a Load Balancer, although already provisioned by the ControlPlane provider
  • blocking the EC2 creation since it requires an ELB DNS name

Which issue(s) this PR fixes:
Fixes #4437

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

Release note:

A new enum value, `disabled`, is added for the `AWSCluster.spec.controlPlaneLoadBalancer.loadBalancerType` field, which skips the reconciliation of the load balancer for the given cluster, useful for clusters which are consuming an externally managed Control Plane.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority labels Aug 4, 2023
@k8s-ci-robot
Copy link
Contributor

Welcome @prometherion!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-aws 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-aws has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 4, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @prometherion. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@prometherion prometherion mentioned this pull request Aug 4, 2023
Closed
@prometherion prometherion force-pushed the issues/4437 branch 2 times, most recently from 58dca4e to e36b61e Compare August 4, 2023 16:03
@vincepri
Copy link
Member

vincepri commented Aug 7, 2023

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 7, 2023
vincepri
vincepri reviewed Aug 7, 2023
View reviewed changes
controllers/awscluster_controller.go Outdated Show resolved Hide resolved
controllers/awscluster_controller.go Outdated Show resolved Hide resolved
controllers/awscluster_controller.go Outdated Show resolved Hide resolved
@prometherion
Copy link
Contributor Author

If the proposed approach is ok I can work on proper unit-tests for this.

@prometherion prometherion requested a review from vincepri August 10, 2023 16:58
@prometherion prometherion force-pushed the issues/4437 branch 3 times, most recently from 369c894 to 64fca56 Compare August 11, 2023 11:44
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 5, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 2, 2023
@prometherion
Copy link
Contributor Author

/retest

@richardcase
Copy link
Member

/milestone v2.4.0

@k8s-ci-robot k8s-ci-robot added this to the v2.4.0 milestone Feb 4, 2024
@richardcase
Copy link
Member

Until #4733 merges

/hold

But this looks good to me, pending any changes required after 4733.

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Feb 4, 2024
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 4, 2024
@prometherion
feat: allowing nodes creation when cp is externally managed
f7d3575 
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
@prometherion
feat: disabled load balancer enum for externally managed LBs
4ee9c54 
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
@prometherion
chore(log): capitalising debug message
fc3cb07 
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
@prometherion
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks

@prometherion
Copy link
Contributor Author

Thanks, @richardcase, rebased as requested.

The failed test seems unrelated to the changes we introduced.

@richardcase
Copy link
Member

Thanks @prometherion

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 7, 2024
@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e

@faiq
Copy link
Contributor

faiq commented Feb 7, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2024
@faiq
Copy link
Contributor

faiq commented Feb 7, 2024

the tests are all passing, and the code looks good. i think this is ready to merge

richardcase
richardcase reviewed Feb 8, 2024
View reviewed changes
controllers/awsmachine_controller.go
@@ -1178,3 +1186,22 @@ func (r *AWSMachineReconciler) ensureInstanceMetadataOptions(ec2svc services.EC2

return ec2svc.ModifyInstanceMetadataOptions(instance.ID, machine.Spec.InstanceMetadataOptions)
}

// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm undecided whether we should have all these in one place.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH, this wildcard makes obsolete the following ones:

cluster-api-provider-aws/controllers/rosacluster_controller.go

Line 55 in 6193d17

// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=rosacontrolplanes;rosacontrolplanes/status,verbs=get;list;watch

cluster-api-provider-aws/bootstrap/eks/controllers/eksconfig_controller.go

Line 62 in 6193d17

// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=awsmanagedcontrolplanes,verbs=get;list;watch

cluster-api-provider-aws/controllers/awsmanagedcluster_controller.go

Line 54 in 6193d17

// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=awsmanagedcontrolplanes;awsmanagedcontrolplanes/status,verbs=get;list;watch

cluster-api-provider-aws/controllers/rosacluster_controller.go

Line 55 in 6193d17

// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=rosacontrolplanes;rosacontrolplanes/status,verbs=get;list;watch

...and many other lines.

Although we could optimize the role rules, I think these are more intuitive for developers, since it's pretty straightforward trying to understand the objects controlled by the various controllers.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's move these to a single place above

api/v1beta2/awscluster_webhook.go
@@ -298,5 +298,49 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
}
}

if r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeDisabled {
if r.Spec.ControlPlaneLoadBalancer.Name != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we need a func Empty() bool on the load balancer instead of checking each sub field. But lets discuss that separately.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still would need the check of each subfield, unfortunately. We could slender the webhook file, of course, but from a UX perspective, knowing which field is breaking the validation would be helpful.

@richardcase
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 8, 2024
@k8s-ci-robot k8s-ci-robot merged commit 6193d17 into kubernetes-sigs:main Feb 8, 2024
21 checks passed
@prometherion prometherion deleted the issues/4437 branch February 9, 2024 10:42
vincepri
vincepri reviewed Feb 26, 2024
View reviewed changes
api/v1beta2/awscluster_types.go
@@ -229,7 +230,7 @@ type AWSLoadBalancerSpec struct {

// LoadBalancerType sets the type for a load balancer. The default type is classic.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a comment on what each value for this does and what the new value is useful for?

vincepri
vincepri reviewed Feb 26, 2024
View reviewed changes
api/v1beta2/awscluster_webhook.go
@@ -298,5 +298,49 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
}
}

if r.Spec.ControlPlaneLoadBalancer.LoadBalancerType == LoadBalancerTypeDisabled {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we validating somewhere that the type cannot be changed once created? How are we dealing right now if a user creates the type = disabled and then wants alb and vice-versa?

api/v1beta2/awscluster_webhook.go
Comment on lines +306 to +343
if r.Spec.ControlPlaneLoadBalancer.CrossZoneLoadBalancing {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "crossZoneLoadBalancing"), r.Spec.ControlPlaneLoadBalancer.CrossZoneLoadBalancing, "cross-zone load balancing cannot be set if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.Subnets) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "subnets"), r.Spec.ControlPlaneLoadBalancer.Subnets, "subnets cannot be set if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol != nil {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "healthCheckProtocol"), r.Spec.ControlPlaneLoadBalancer.HealthCheckProtocol, "healthcheck protocol cannot be set if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.AdditionalSecurityGroups) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "additionalSecurityGroups"), r.Spec.ControlPlaneLoadBalancer.AdditionalSecurityGroups, "additional Security Groups cannot be set if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.AdditionalListeners) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "additionalListeners"), r.Spec.ControlPlaneLoadBalancer.AdditionalListeners, "cannot set additional listeners if the LoadBalancer reconciliation is disabled"))
}

if len(r.Spec.ControlPlaneLoadBalancer.IngressRules) > 0 {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "ingress rules cannot be set if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.PreserveClientIP {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "preserveClientIP"), r.Spec.ControlPlaneLoadBalancer.PreserveClientIP, "cannot preserve client IP if the LoadBalancer reconciliation is disabled"))
}

if r.Spec.ControlPlaneLoadBalancer.DisableHostsRewrite {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "disableHostsRewrite"), r.Spec.ControlPlaneLoadBalancer.DisableHostsRewrite, "cannot disable hosts rewrite if the LoadBalancer reconciliation is disabled"))
}
}

for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should open an issue to track for the next API version to rework this, it seems to me that we're going around the current API structure to disable the control plane management

controllers/awscluster_controller.go
Comment on lines +269 to +270
func (r *AWSClusterReconciler) reconcileLoadBalancer(clusterScope *scope.ClusterScope, awsCluster *infrav1.AWSCluster) (*time.Duration, error) {
retryAfterDuration := 15 * time.Second
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we rework this to just return an error and leave the retryAfterDuration outside?

controllers/awscluster_controller.go
Comment on lines +469 to +471
func (r *AWSClusterReconciler) checkForExternalControlPlaneLoadBalancer(clusterScope *scope.ClusterScope, awsCluster *infrav1.AWSCluster) *time.Duration {
requeueAfterPeriod := 15 * time.Second

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, the retry after should be outside in a caller

controllers/awsmachine_controller.go
Comment on lines +205 to +208
cp, err := r.getControlPlane(ctx, log, cluster)
if err != nil {
return ctrl.Result{}, err
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems we're missing that the control plane is an optional reference, and this is going to panic when nil

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potentially could be solved with #4817.

controllers/awsmachine_controller.go
@@ -1178,3 +1186,22 @@ func (r *AWSMachineReconciler) ensureInstanceMetadataOptions(ec2svc services.EC2

return ec2svc.ModifyInstanceMetadataOptions(instance.ID, machine.Spec.InstanceMetadataOptions)
}

// +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's move these to a single place above

pkg/cloud/scope/machine.go
@@ -371,6 +377,10 @@ func (m *MachineScope) IsEKSManaged() bool {
return m.InfraCluster.InfraCluster().GetObjectKind().GroupVersionKind().Kind == ekscontrolplanev1.AWSManagedControlPlaneKind
}

func (m *MachineScope) IsControlPlaneExternallyManaged() bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bit confusing on why this is needed, the control plane reference can be anything, including a new CRD; why do we need to mark it as externally managed?

nrb added a commit to nrb/cluster-api-provider-aws that referenced this pull request Feb 26, 2024
@nrb
Revert "Merge pull request kubernetes-sigs#4438 from prometherion/iss…
768d360 
…ues/4437"

This reverts commit 6193d17, reversing
changes made to 6ffb575.
@nrb nrb mentioned this pull request Feb 26, 2024
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ankitasw Ankitasw Ankitasw left review comments

@muraee muraee muraee left review comments

@vincepri vincepri vincepri left review comments

@richardcase richardcase richardcase left review comments

@Skarlso Skarlso Skarlso left review comments

@dthorsen dthorsen Awaiting requested review from dthorsen

@shivi28 shivi28 Awaiting requested review from shivi28

@faiq faiq Awaiting requested review from faiq

Assignees

@enxebre enxebre

@faiq faiq

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v2.4.0
Development

Successfully merging this pull request may close these issues.

Supporting externally managed Control Plane
10 participants
@prometherion @k8s-ci-robot @vincepri @dlipovetsky @faiq @Ankitasw @richardcase @Skarlso @muraee @enxebre