PCP2946 #900

Closed
wants to merge 1,486 commits into from
Conversation

@Kun483 Kun483 commented Jun 3, 2024

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

prometherion and others added 30 commits January 4, 2024 13:17
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.3.3...v1.3.7)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…ot/go_modules/hack/tools/github.com/go-git/go-git/v5-5.11.0

🌱 Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.11.0 in /hack/tools
…-wrap-error

🐛 Wrap error when AWSMachinePool reconciler fails to get infra provider cluster
…ot/go_modules/golang.org/x/crypto-0.17.0

🌱 Bump golang.org/x/crypto from 0.15.0 to 0.17.0
…ot/go_modules/hack/tools/github.com/cloudflare/circl-1.3.7

🌱 Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 in /hack/tools
Allow configuring the garbage collector using clusterawsadm
This commit introduces several improvements to the rosa control plane:
- Add ROSAControlPlaneReadyCondition
- Add helpers for ocmclient
- Add WorkerRoleARN field to the API to satisfy latest ocm API requirements
- ensure RosaClusterName is valid using kubebuild validation
- moved ocmClient to a separate package and renamed to rosaClient
- updated cluster-template-rosa.yaml
- set ControlPlane.Status.Initialized
- requeue ROSAControlPlane to poll cluster status until ready
This introduces basic support to create/delete ROSAMachinePools
Lifecycle is captured in RosaMchinePoolReady condition

- add cluster-template-rosa-machinepool.yaml
…log-spam

🐛 cleanup: eliminate log spam when using S3 secrets
Currently the S3 bucket is always created in us-east-1, regardless of
where the cluster is located. In addition, this PR always ensures that
we add a policy to ensure transport encryption is enabled, even when
using presigned URLs.

Signed-off-by: Vince Prignano <[email protected]>
…t-vpc-sg

✨ Remove ingress and egress rules from vpc default security group
- reset CommandLine flagSet before calling klog.InitFlags(nil) to avoid conflicts if an imported package already called it.
…ile-only-with-finalizer

✨ Skip AWSCluster deletion reconciliation once CAPA finalizer is gone
…ndpolicy

🐛 S3 Bucket should be created in the same region, always add transport encryption policy
* use k8s.io/utils/ptr instead of pointer

* reference local copy of noderefutil

following the deprecation of noderefutil, the package has now been removed from cluster-api

* bump deps for capi v1.6.1, fix changes

* e2e: fix pointer panic in RefreshVPCState

* fix: remove unnecessary fmt

* wip: set patch version Go 1.21.5 for netlify

* wip: add debugging on VPC creation failure
Bumps the dependencies group with 1 update: [actions/cache](https://github.com/actions/cache).


Updates `actions/cache` from 3 to 4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v3...v4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
mtulio and others added 26 commits April 19, 2024 15:45
Add tests to validate optional health check override for
all ELBv2 instances and its listeners (api and additionals).
Some deployments require customizations in the
health check configurations, such as protocol,
probe periods and checks.

This change introduces health check override for
all Load Balancers and listeners (API and additional).

The override for the API target group is limited to the probe
configuration, and customizing the Path, Port and Protocol for the
Target Group for the Kube API Server is not allowed.
Expose the target health check attributes/API
allowing customizations for both API (default from LB),
and additional listeners, for each Load Balancer.

Considering the risk of wrong configurations, the customization
for the target group attributes of the API listener is limited to the
health check probe configurations (interval, timeout, threshold, etc.).

The health check for the additional listeners can be customized,
including health check protocol, port, path, etc.
…ealthcheck

✨ Feat: ELBv2/TGs - Add health check customization
Introducing the mechanism to query the zone information
from the subnet's AvailabilityZone, saving the ZoneType and
the ParentZoneName in the SubnetSpec, both for managed and unmanaged.

The ZoneType is used to group the zones from regular and the edge zones.
Regular zones have type 'availability-zone', and the edge zones have
types 'local-zone' and 'wavelength-zone'.

The following statements are valid for edge subnets:
- private subnets support egress traffic only using NAT Gateway in the
  region.
- IPv6 subnets are not supported in edge zones
- subnet tags (kubernetes.io/role/*) for load balancer are not set in
  edge subnets. Edge subnets should not be elected by CCM to create
  service load balancers. Use ALB ingress instead.

✨ edge subnets/test: unit for subnets in Local Zones

Added unit tests to validate scenarios using managed and unmanaged
subnets in AWS Local Zones, alongside new describe availability zones
API calls introduced in the subnet reconciliation loop.

✨ edge subnets/unit: fixes unit tests to describe zone calls

The edge subnets feature introduces a new AWS API call to describe zones,
DescribeAvailabilityZonesWithContext, to look up zone attributes based on
the zone names in the reconciler and in the create subnets flow.

The two new calls are required to support unmanaged subnets (BYO VPC),
where the method createSubnet() is not called.

There are some unit tests calling the create subnet flow; this change
adds the mock calls for those calls.
✨ edge subnets/routes: supporting custom routes for Local Zones

Isolate the route table lookup into dedicated methods for private and
public subnets to allow more complex requirements for edge zones, as
well as introducing unit tests for each scenario to cover edge cases.

There is no change for private and public subnets for regular
zones (standard flow), and the routes will be assigned according to
the existing flow: private subnets use nat gateways per public zone,
and internet gateway for public zones' tables.

For private and public subnets in edge zones, the following changes are
introduced according to each rule:

General:

- IPv6 subnets are not supported in AWS Local Zones,
  consequently no ip6 routes will be created
- nat gateways are not supported, default gateway's route for private
  subnets will use nat gateways from the zones in the Region
  (availability-zone's zone type)
- one route table by zone's role by zone (standard flow)

Private tables for Local Zones:
- default route's gateway is assigned using nat gateway created in
  the region (availability-zones).

Public tables for Local Zones:
- default route's gateway is assigned using internet gateway

The changes in the standard flow (without edge subnets' support) were
isolated in the PR kubernetes-sigs#4900

✨ edge subnets/nat-gw: support private routing in Local Zones

Introduce support to look up a nat gateway for edge zones when
creating private subnets.

Currently CAPA requires a NAT Gateway in the public subnet for each zone,
which requires private subnets to define a default nat gateway in the
private route table for each zone.

NAT Gateway resource isn't globally supported by Local Zones, thus
private subnets in Local Zones are created with default route gateway
using a nat gateway selected in the Region (regular availability zones)
based on the Parent Zone* for the edge subnet.

*each edge zone is "tied" to a zone named "Parent Zone", a zone type
availability-zone (regular zones) in the region.
This change introduces support for the required network components to deploy
subnets on AWS Local Zones infrastructure.

The SubnetSpec API is introducing the fields ZoneType and ParentZoneName
to handle the zone information for the subnet, discovered when
reconciling the subnet.

✨ edge subnets/API/gen: introduce edge subnets for Local Zones

Generate API changes to support edge subnets for Local Zones.

✨ edge subnets/API/test: added unit tests for Local Zones

Testing new methods and workflow added to the API to
SubnetSpec (zone information).

✨ edge subnets/docs: added guide for subnets on Local and Wavelength zones

Create a dedicated document, "topic", with instructions to deploy
network infrastructure (subnets, gateways and route tables) in "edge
zones" - Local Zone and Wavelength Zone infrastructure.
Using the LB's name as prefix has the potential of exceeding the 32
characters limit.
✨  Introduce edge subnets to support AWS Local Zones
🐛 Use release branch when generating changelog
…c-docs

🐛 ROSA: Fix missing permissions & Add external OIDC docs
✨ s3: allow best effort delete for objects
🐛 Fix Target Group's name exceeding 32 characters
Signed-off-by: Nolan Brubaker <[email protected]>
Create a dedicated document, "topic", with instructions to deploy
network infrastructure (subnets, gateways and route tables) in "edge
zones" - Local Zone and Wavelength Zone infrastructure.
This change introduces support for the required network components to deploy
subnets on AWS Wavelength Zones infrastructure.

The NetworkSpec API handles the CarrierGatewayId on NetworkSpec with
the unique identifier of the Carrier Gateway resource attached to the VPC.
Subnets in AWS Wavelength Zones are classified as a type of
edge subnet, not used to create regular control plane resources, like
nodes, NAT Gateways or API Load Balancers.

The ZoneType is used to group the zones from regular and the edge zones.
Regular zones have type 'availability-zone', and the edge zones have
types 'local-zone' and 'wavelength-zone'.

The following statements are valid for edge subnets:
- private subnets support egress traffic only using NAT Gateway in the
  region.
- public subnets in Wavelength must be attached to a route table with
  a valid Carrier Gateway as the default route.
- public subnets in Wavelength zones do not support the map public ip on
  launch flag; instead, the runInstance must set the network interface
  flag to assign a public ip from the carrier gateway
- IPv6 subnets are not supported in edge zones
- subnet tags for load balancer are not set in edge subnets. Edge
  subnets should not be elected by CCM to create service load balancers.
  Use ALB ingress instead
✨ edge subnets/cagw: carrier gateway for public subnets in Wavelength

Introduce Carrier Gateway resource reconciler in the network service.

Carrier Gateway is the gateway responsible for routing ingress and egress
traffic **in/out of the Wavelength Zone**, located in the Carrier
Infrastructure - communications service providers' (CSP) 5G networks.

Carrier Gateway is similar to the Internet Gateway resource, responsible for
the network border groups in the Region and Local Zones for public
subnets.

✨ edge subnets/routes: supporting custom routes for Wavelength

For private and public subnets in edge zones, the following changes are
introduced according to each rule:

General:

- IPv6 subnets are not supported in AWS Local Zones and Wavelength
  zones, consequently no ip6 routes will be created
- nat gateways are not supported, default gateway's route for private
  subnets will use nat gateways from the zones in the Region
  (availability-zone's zone type)
- one route table by zone's role by zone (standard flow)

Private tables for Local Zones and Wavelength:
- default route's gateway is assigned using nat gateway created in
  the region (availability-zones).

Public tables for Wavelength zones:
- default route's gateway is assigned using Carrier Gateway, a resource
  introduced in the edge zones feature.

The changes in the standard flow (without edge subnets' support) were
isolated in the PR kubernetes-sigs#4900
Add IAM policy on cloudformation templates for clusterawsadm to
manipulate gateways in Wavelength zone: carrier gateway.
…gth-zones

✨ Support of managing subnets on AWS Wavelength Zones
Signed-off-by: Nolan Brubaker <[email protected]>
@spectro-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Kun483
To complete the pull request process, please assign after the PR has been reviewed.
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Kun483 Kun483 changed the title Pcp 2946 PCP2946 Jun 3, 2024
@Kun483 Kun483 closed this Jun 3, 2024