Pcp 2946 #901
base: PCP-2946-v1
Signed-off-by: Dario Tranchitella <[email protected]>
🌱 ROSA Cleanup & Documentation
✨ Log full ARN in GC error messages
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.3.3...v1.3.7)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…ot/go_modules/hack/tools/github.com/go-git/go-git/v5-5.11.0 🌱 Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.11.0 in /hack/tools
…-wrap-error 🐛 Wrap error when AWSMachinePool reconciler fails to get infra provider cluster
…ot/go_modules/golang.org/x/crypto-0.17.0 🌱 Bump golang.org/x/crypto from 0.15.0 to 0.17.0
…ot/go_modules/hack/tools/github.com/cloudflare/circl-1.3.7 🌱 Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 in /hack/tools
Allow to configure garbage collector using clusterawsadm
This commit introduces several improvements to the rosa control plane:
- Add ROSAControlPlaneReadyCondition
- Add helpers for ocmclient
- Add WorkerRoleARN field to the API to satisfy latest ocm API requirements
- ensure RosaClusterName is valid using kubebuilder validation
- moved ocmClient to a separate package and renamed to rosaClient
- updated cluster-template-rosa.yaml
- set ControlPlane.Status.Initialized
- requeue ROSAControlPlane to poll cluster status until ready
This introduces basic support to create/delete ROSAMachinePools. Lifecycle is captured in the RosaMchinePoolReady condition.
- add cluster-template-rosa-machinepool.yaml
…log-spam 🐛 cleanup: eliminate log spam when using S3 secrets
🌱 Fix some logging and error cases
Currently the S3 bucket is always created in us-east-1, regardless of where the cluster is located. In addition, this PR always ensures that we add a policy to ensure transport encryption is enabled, even when using presigned URLs. Signed-off-by: Vince Prignano <[email protected]>
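The transport-encryption policy the commit above describes is the standard `aws:SecureTransport` deny, which applies to presigned-URL requests too because those are still evaluated against the bucket policy. The following is an added example, not code from this PR or from cluster-api-provider-aws: it builds that policy document and, for buckets created before the fix, audits an existing policy JSON for an equivalent deny. The bucket name, the `Sid`, and the policy struct names are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement and PolicyDocument model the subset of the policy grammar a bucket
// policy needs. Action and Resource may be a string or a list, so they are
// decoded as interface{} and normalised by toList. Names are illustrative.
type Statement struct {
	Sid       string                 `json:"Sid,omitempty"`
	Effect    string                 `json:"Effect"`
	Principal interface{}            `json:"Principal"`
	Action    interface{}            `json:"Action"`
	Resource  interface{}            `json:"Resource"`
	Condition map[string]interface{} `json:"Condition,omitempty"`
}

type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// TransportEncryptionPolicy returns a bucket policy that denies every S3
// request against the bucket and its objects unless it arrives over TLS.
// Bucket policies also govern requests made with presigned URLs, so a
// presigned URL fetched over plain HTTP is refused as well.
func TransportEncryptionPolicy(bucket string) (string, error) {
	doc := PolicyDocument{
		Version: "2012-10-17",
		Statement: []Statement{{
			Sid:       "DenyInsecureTransport",
			Effect:    "Deny",
			Principal: "*",
			Action:    "s3:*",
			Resource:  []string{"arn:aws:s3:::" + bucket, "arn:aws:s3:::" + bucket + "/*"},
			Condition: map[string]interface{}{
				"Bool": map[string]string{"aws:SecureTransport": "false"},
			},
		}},
	}
	b, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// toList accepts the string-or-list form used by Action and Resource.
func toList(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// DeniesInsecureTransport audits an existing bucket policy: it reports true
// only if some Deny statement covers all S3 actions on both the bucket and
// its objects when aws:SecureTransport is false.
func DeniesInsecureTransport(policyJSON, bucket string) (bool, error) {
	var doc PolicyDocument
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return false, fmt.Errorf("parsing bucket policy: %w", err)
	}
	bucketARN := "arn:aws:s3:::" + bucket
	for _, st := range doc.Statement {
		boolCond, _ := st.Condition["Bool"].(map[string]interface{})
		if st.Effect != "Deny" || fmt.Sprint(boolCond["aws:SecureTransport"]) != "false" {
			continue
		}
		allActions, onBucket, onObjects := false, false, false
		for _, a := range toList(st.Action) {
			allActions = allActions || a == "s3:*" || a == "*"
		}
		for _, r := range toList(st.Resource) {
			onBucket = onBucket || r == bucketARN || r == "*"
			onObjects = onObjects || r == bucketARN+"/*" || r == "*"
		}
		if allActions && onBucket && onObjects {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// "capa-cluster-state" is a constructed bucket name for the demo.
	policy, err := TransportEncryptionPolicy("capa-cluster-state")
	if err != nil {
		panic(err)
	}
	fmt.Println(policy)
	ok, _ := DeniesInsecureTransport(policy, "capa-cluster-state")
	fmt.Println("denies plaintext HTTP:", ok)
}
```

The audit deliberately requires both the bucket ARN and the `/*` object ARN: a deny on objects alone still lets `ListBucket` succeed over HTTP, and a deny on the bucket alone leaves object reads and presigned downloads unprotected.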
…t-vpc-sg ✨ Remove ingress and egress rules from vpc default security group
- reset CommandLine flagSet before calling klog.InitFlags(nil) to avoid conflicts if an imported package already called it.
✨ ROSA machinePools support
…ile-only-with-finalizer ✨ Skip AWSCluster deletion reconciliation once CAPA finalizer is gone
…ndpolicy 🐛 S3 Bucket should be created in the same region, always add transport encryption policy
* use k8s.io/utils/ptr instead of pointer
* reference local copy of noderefutil following the deprecation of noderefutil, the package has now been removed from cluster-api
* bump deps for capi v1.6.1, fix changes
* e2e: fix pointer panic in RefreshVPCState
* fix: remove unnecessary fmt
* wip: set patch version Go 1.21.5 for netlify
* wip: add debugging on VPC creation failure
Signed-off-by: Marcus Noble <[email protected]>
Bumps the dependencies group with 1 update: [actions/cache](https://github.com/actions/cache).

Updates `actions/cache` from 3 to 4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v3...v4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: typeid <[email protected]>
Add tests to validate the optional health check override for all ELBv2 instances and their listeners (api and additionals).
Some deployments require customizations in the health check configuration, such as protocol, probe periods and checks. This change introduces health check overrides for all Load Balancers and listeners (API and additional). The override for the API target group is limited to the probe configuration; customizing the Path, Port and Protocol of the Target Group for the Kube API Server is not allowed.
Expose the target health check attributes/API allowing customizations for both API (default from LB) and additional listeners, for each Load Balancer. Considering the risk of wrong configurations, the customization for the target group attributes of the API listener is limited to the health check probe configuration (interval, timeout, threshold, etc). The health check for the additional listeners can be customized, including health check protocol, port, path, etc.
…ealthcheck ✨ Feat: ELBv2/TGs - Add health check customization
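The security-relevant rule in the commits above is that the API server target group may only tune probe timing, never where the probe is sent: an override that points the kube-apiserver probe at another port or path would keep an unreachable control plane reporting healthy. The following is an added example, not code from this PR or from cluster-api-provider-aws, showing an admission-time check that enforces that rule and also rejects timing values AWS would refuse. The struct and function names are illustrative, and the numeric ranges are assumed from the ELBv2 target group documentation rather than taken from this page.

```go
package main

import (
	"errors"
	"fmt"
)

// HealthCheckOverride mirrors the shape of an optional override on a target
// group: a nil field keeps the load balancer default. Illustrative names only.
type HealthCheckOverride struct {
	Protocol           *string
	Port               *string
	Path               *string
	IntervalSeconds    *int64
	TimeoutSeconds     *int64
	HealthyThreshold   *int64
	UnhealthyThreshold *int64
}

// Probe ranges as documented for ELBv2 target groups (assumed for this example).
const (
	minInterval, maxInterval   = 5, 300
	minTimeout, maxTimeout     = 2, 120
	minThreshold, maxThreshold = 2, 10
)

var allowedProtocols = map[string]bool{"HTTP": true, "HTTPS": true, "TCP": true}

// ValidateHealthCheckOverride enforces two things: the API server target group
// may change only probe timing (protocol, port and path stay pinned to the
// API endpoint), while additional listeners may override everything; and all
// timing values must be ones AWS will accept, so a bad spec fails at admission
// rather than half-way through reconciliation.
func ValidateHealthCheckOverride(isAPITargetGroup bool, hc HealthCheckOverride) error {
	if isAPITargetGroup {
		if hc.Protocol != nil || hc.Port != nil || hc.Path != nil {
			return errors.New("API target group health check: protocol, port and path cannot be overridden")
		}
	} else if hc.Protocol != nil && !allowedProtocols[*hc.Protocol] {
		return fmt.Errorf("unsupported health check protocol %q", *hc.Protocol)
	}
	if hc.Path != nil && (*hc.Path == "" || (*hc.Path)[0] != '/') {
		return fmt.Errorf("health check path %q must start with '/'", *hc.Path)
	}
	if err := inRange("interval", hc.IntervalSeconds, minInterval, maxInterval); err != nil {
		return err
	}
	if err := inRange("timeout", hc.TimeoutSeconds, minTimeout, maxTimeout); err != nil {
		return err
	}
	if err := inRange("healthy threshold", hc.HealthyThreshold, minThreshold, maxThreshold); err != nil {
		return err
	}
	if err := inRange("unhealthy threshold", hc.UnhealthyThreshold, minThreshold, maxThreshold); err != nil {
		return err
	}
	// AWS rejects a timeout that is not shorter than the interval; catch it early.
	if hc.IntervalSeconds != nil && hc.TimeoutSeconds != nil && *hc.TimeoutSeconds >= *hc.IntervalSeconds {
		return fmt.Errorf("health check timeout (%ds) must be shorter than interval (%ds)",
			*hc.TimeoutSeconds, *hc.IntervalSeconds)
	}
	return nil
}

// inRange checks an optional integer field against an inclusive range.
func inRange(name string, v *int64, lo, hi int64) error {
	if v == nil {
		return nil
	}
	if *v < lo || *v > hi {
		return fmt.Errorf("health check %s %d out of range [%d, %d]", name, *v, lo, hi)
	}
	return nil
}

func main() {
	s := func(v string) *string { return &v }
	n := func(v int64) *int64 { return &v }
	// Constructed specs: a rejected API override and an accepted additional-listener one.
	fmt.Println(ValidateHealthCheckOverride(true, HealthCheckOverride{Path: s("/healthz")}))
	fmt.Println(ValidateHealthCheckOverride(false, HealthCheckOverride{
		Protocol: s("HTTP"), Port: s("8080"), Path: s("/ready"), IntervalSeconds: n(10), TimeoutSeconds: n(5)}))
}
```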
🌱 refactor route discover/creation flow
Introducing the mechanism to query the zone information from the subnet's AvailabilityZone, saving the ZoneType and the ParentZoneName in the SubnetSpec, both for managed and unmanaged. The ZoneType is used to group the zones from regular and the edge zones. Regular zones are of type 'availability-zone', and the edge zones are of types 'local-zone' and 'wavelength-zone'. The following statements are valid for edge subnets:
- private subnets support egress traffic only using a NAT Gateway in the region.
- IPv6 subnets are not supported in edge zones
- subnet tags (kubernetes.io/role/*) for load balancers are not set in edge subnets. Edge subnets should not be elected by CCM to create service load balancers. Use ALB ingress instead.

✨ edge subnets/test: unit for subnets in Local Zones
Added unit tests to validate scenarios using managed and unmanaged subnets in AWS Local Zones, alongside the new describe availability zones API calls introduced in the subnet reconciliation loop.

✨ edge subnets/unit: fixes unit tests to describe zone calls
The edge subnets feature introduces a new AWS API call to describe zones, DescribeAvailabilityZonesWithContext, to look up zone attributes based on the zone names in the reconciler and in create subnets. The two new calls are required to support unmanaged subnets (BYO VPC), where the method createSubnet() is not called. There are some unit tests calling the create subnet flow; this change adds the mock calls for those calls.
✨ edge subnets/routes: supporting custom routes for Local Zones
Isolate the route table lookup into dedicated methods for private and public subnets to allow more complex requirements for edge zones, as well as introduce unit tests for each scenario to cover edge cases. There is no change for private and public subnets in regular zones (standard flow), and the routes will be assigned according to the existing flow: private subnets use NAT gateways per public zone, and the internet gateway for public zones' tables. For private and public subnets in edge zones, the following changes are introduced according to each rule:
General:
- IPv6 subnets are not supported in AWS Local Zones, consequently no IPv6 routes will be created
- NAT gateways are not supported; the default gateway route for private subnets will use NAT gateways from the zones in the Region (availability-zone zone type)
- one route table per zone role per zone (standard flow)
Private tables for Local Zones:
- the default route's gateway is assigned using a NAT gateway created in the region (availability-zones).
Public tables for Local Zones:
- the default route's gateway is assigned using the internet gateway
The changes in the standard flow (without edge subnets' support) were isolated in the PR kubernetes-sigs#4900

✨ edge subnets/nat-gw: support private routing in Local Zones
Introduce the support to look up a NAT gateway for edge zones when creating private subnets. Currently CAPA requires a NAT Gateway in the public subnet for each zone, which requires private subnets to define the default NAT gateway in the private route table for each zone. The NAT Gateway resource isn't globally supported by Local Zones, thus private subnets in Local Zones are created with the default route gateway using a NAT gateway selected in the Region (regular availability zones) based on the Parent Zone* for the edge subnet.
*each edge zone is "tied" to a zone named "Parent Zone", a zone of type availability-zone (regular zones) in the region.
This change introduces support for the required network components to deploy subnets on AWS Local Zones infrastructure. The SubnetSpec API introduces the fields ZoneType and ParentZoneName to handle the zone information for the subnet, discovered when reconciling the subnet.

✨ edge subnets/API/gen: introduce edge subnets for Local Zones
Generate API changes to support edge subnets for Local Zones.

✨ edge subnets/API/test: added unit tests for Local Zones
Testing new methods and workflow added to the API for SubnetSpec (zone information).

✨ edge subnets/docs: added guide for subnets on Local and Wavelength zones
Create a dedicated document, "topic", with instructions to deploy network infrastructure (subnets, gateways and route tables) in "edge zones" - Local Zone and Wavelength Zone infrastructure.
Signed-off-by: Nolan Brubaker <[email protected]>
Using the LB's name as prefix has the potential of exceeding the 32 characters limit.
✨ Introduce edge subnets to support AWS Local Zones
🐛 Use release branch when generating changelog
…c-docs 🐛 ROSA: Fix missing permissions & Add external OIDC docs
✨ s3: allow best effort delete for objects
🐛 Fix Target Group's name exceeding 32 characters
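Truncating a name to the 32-character ELBv2 limit is not enough on its own: two long load balancer names that share a prefix would then map to the same target group, and the reconciler would silently attach one cluster's targets to another's. The following is an added example, not this PR's fix, showing the usual remedy: keep the limit, but embed a short hash of the full untruncated name so truncated names stay distinct and deterministic. The function name, the hash length and the error cases are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// maxTargetGroupNameLength is the ELBv2 name limit referenced by the fix.
const maxTargetGroupNameLength = 32

// hashLen is how many hex characters of the SHA-256 of the full name are kept
// to disambiguate truncated prefixes (an assumption of this example).
const hashLen = 8

// TargetGroupName builds "<lbName>-<suffix>". When that exceeds the limit it
// shortens lbName and inserts a hash of the full name, so the result is
// stable across reconciles and distinct for distinct inputs. AWS also forbids
// a leading or trailing hyphen, which the trim and the suffix check cover.
func TargetGroupName(lbName, suffix string) (string, error) {
	if suffix == "" || strings.HasPrefix(suffix, "-") || strings.HasSuffix(suffix, "-") {
		return "", fmt.Errorf("suffix %q must be non-empty and not start or end with '-'", suffix)
	}
	full := lbName + "-" + suffix
	if len(full) <= maxTargetGroupNameLength {
		return full, nil
	}
	sum := sha256.Sum256([]byte(full))
	h := hex.EncodeToString(sum[:])[:hashLen]
	// prefix + "-" + hash + "-" + suffix must fit within the limit.
	keep := maxTargetGroupNameLength - hashLen - len(suffix) - 2
	if keep < 1 {
		return "", fmt.Errorf("suffix %q leaves no room for a prefix within %d characters", suffix, maxTargetGroupNameLength)
	}
	prefix := strings.TrimRight(lbName[:keep], "-")
	if prefix == "" {
		return "", fmt.Errorf("load balancer name %q has no usable prefix", lbName)
	}
	return prefix + "-" + h + "-" + suffix, nil
}

func main() {
	// Constructed names: one that fits and one that must be shortened.
	for _, lb := range []string{"my-cluster", "production-eu-west-1-workload-cluster-01"} {
		name, err := TargetGroupName(lb, "apiserver")
		fmt.Printf("%-45s -> %q (len %d, err %v)\n", lb, name, len(name), err)
	}
}
```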
Signed-off-by: Nolan Brubaker <[email protected]>
Create a dedicated document, "topic", with instructions to deploy network infrastructure (subnets, gateways and route tables) in "edge zones" - Local Zone and Wavelength Zone infrastructure.
This change introduces support for the required network components to deploy subnets on AWS Wavelength Zones infrastructure. The NetworkSpec API handles the CarrierGatewayId on NetworkSpec with the unique identifier of the Carrier Gateway resource attached to the VPC.
Subnets in AWS Wavelength Zones are classified as a type of edge subnet, not used to create regular control plane resources, like nodes, NAT Gateways or API Load Balancers. The ZoneType is used to group the zones from regular and the edge zones. Regular zones are of type 'availability-zone', and the edge zones are of types 'local-zone' and 'wavelength-zone'. The following statements are valid for edge subnets:
- private subnets support egress traffic only using a NAT Gateway in the region.
- public subnets in Wavelength must be attached to a route table with a valid Carrier Gateway as the default route.
- public subnets in Wavelength zones do not support the map public IP on launch flag; instead, the runInstance must set the network interface flag to assign a public IP from the carrier gateway
- IPv6 subnets are not supported in edge zones
- subnet tags for load balancers are not set in edge subnets. Edge subnets should not be elected by CCM to create service load balancers. Use ALB ingress instead
✨ edge subnets/cagw: carrier gateway for public subnets in Wavelength
Introduce the Carrier Gateway resource reconciler in the network service. The Carrier Gateway is the gateway responsible for routing ingress and egress traffic **in/out of the Wavelength Zone**, located in the Carrier Infrastructure - communications service providers' (CSP) 5G networks. The Carrier Gateway is similar to the Internet Gateway resource, which is responsible for the network border groups in the Region and Local Zones for public subnets.

✨ edge subnets/routes: supporting custom routes for Wavelength
For private and public subnets in edge zones, the following changes are introduced according to each rule:
General:
- IPv6 subnets are not supported in AWS Local Zones and Wavelength Zones, consequently no IPv6 routes will be created
- NAT gateways are not supported; the default gateway route for private subnets will use NAT gateways from the zones in the Region (availability-zone zone type)
- one route table per zone role per zone (standard flow)
Private tables for Local Zones and Wavelength:
- the default route's gateway is assigned using a NAT gateway created in the region (availability-zones).
Public tables for Wavelength zones:
- the default route's gateway is assigned using the Carrier Gateway, a resource introduced in the edge zones feature.
The changes in the standard flow (without edge subnets' support) were isolated in the PR kubernetes-sigs#4900
Add an IAM policy to the cloudformation templates for clusterawsadm to manipulate gateways in Wavelength zones: carrier gateway.
…gth-zones ✨ Support of managing subnets on AWS Wavelength Zones
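The Local Zones and Wavelength commit messages above together define one decision table for the default route of an edge subnet: public Wavelength subnets route via the carrier gateway, other public subnets via the internet gateway, private edge subnets via a NAT gateway in the parent availability zone, IPv6 is refused, and edge subnets never receive the `kubernetes.io/role/*` load balancer tags. The following is an added example, not code from this PR or from cluster-api-provider-aws, that encodes that table as a pure function over a reduced `SubnetSpec`, so each rule (including the failure cases: missing carrier gateway, missing parent zone, no NAT gateway in the parent zone) is checked in one place. The struct fields, gateway ID values and zone names in `main` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Zone types as returned by DescribeAvailabilityZones.
const (
	ZoneTypeAvailabilityZone = "availability-zone"
	ZoneTypeLocalZone        = "local-zone"
	ZoneTypeWavelengthZone   = "wavelength-zone"
)

// SubnetSpec is a reduced stand-in for CAPA's SubnetSpec (illustrative names).
type SubnetSpec struct {
	ID               string
	AvailabilityZone string
	ZoneType         string
	ParentZoneName   string // parent availability zone of an edge zone
	IsPublic         bool
	IsIPv6           bool
}

// Gateways holds the IDs the route reconciler can choose from.
type Gateways struct {
	InternetGatewayID string
	CarrierGatewayID  string
	NATGatewayByZone  map[string]string // zone name -> NAT gateway ID
}

// IsEdge reports whether the subnet lives in a Local Zone or Wavelength Zone.
func (s SubnetSpec) IsEdge() bool {
	return s.ZoneType == ZoneTypeLocalZone || s.ZoneType == ZoneTypeWavelengthZone
}

// DefaultRouteTarget returns the gateway ID for the subnet's 0.0.0.0/0 route
// or an error when the topology cannot satisfy the rules for that zone type.
func DefaultRouteTarget(s SubnetSpec, gw Gateways) (string, error) {
	if s.IsEdge() && s.IsIPv6 {
		return "", fmt.Errorf("subnet %s: IPv6 is not supported in %s", s.ID, s.ZoneType)
	}
	switch {
	case s.IsPublic && s.ZoneType == ZoneTypeWavelengthZone:
		// Wavelength has no internet gateway path; traffic leaves via the CSP carrier gateway.
		if gw.CarrierGatewayID == "" {
			return "", fmt.Errorf("subnet %s: public Wavelength subnet needs a carrier gateway", s.ID)
		}
		return gw.CarrierGatewayID, nil
	case s.IsPublic:
		if gw.InternetGatewayID == "" {
			return "", errors.New("no internet gateway attached to the VPC")
		}
		return gw.InternetGatewayID, nil
	}
	// Private subnet: NAT gateway in its own zone, or in the parent zone for edge zones,
	// because NAT gateways cannot be created in the edge zone itself.
	natZone := s.AvailabilityZone
	if s.IsEdge() {
		if s.ParentZoneName == "" {
			return "", fmt.Errorf("subnet %s: edge subnet has no parent zone", s.ID)
		}
		natZone = s.ParentZoneName
	}
	nat, ok := gw.NATGatewayByZone[natZone]
	if !ok {
		return "", fmt.Errorf("subnet %s: no NAT gateway in zone %s", s.ID, natZone)
	}
	return nat, nil
}

// LoadBalancerRoleTags returns the CCM subnet-role tags. Edge subnets get none,
// so the cloud controller never places a service load balancer in them.
func LoadBalancerRoleTags(s SubnetSpec) map[string]string {
	if s.IsEdge() {
		return map[string]string{}
	}
	if s.IsPublic {
		return map[string]string{"kubernetes.io/role/elb": "1"}
	}
	return map[string]string{"kubernetes.io/role/internal-elb": "1"}
}

func main() {
	// Constructed topology: one NAT gateway in us-east-1a, an IGW and a carrier gateway.
	gw := Gateways{InternetGatewayID: "igw-1", CarrierGatewayID: "cagw-1",
		NATGatewayByZone: map[string]string{"us-east-1a": "nat-a"}}
	for _, s := range []SubnetSpec{
		{ID: "lz-private", AvailabilityZone: "us-east-1-bos-1a", ZoneType: ZoneTypeLocalZone, ParentZoneName: "us-east-1a"},
		{ID: "wl-public", AvailabilityZone: "us-east-1-wl1-bos-wlz-1", ZoneType: ZoneTypeWavelengthZone, ParentZoneName: "us-east-1a", IsPublic: true},
		{ID: "lz-v6", AvailabilityZone: "us-east-1-bos-1a", ZoneType: ZoneTypeLocalZone, IsPublic: true, IsIPv6: true},
	} {
		target, err := DefaultRouteTarget(s, gw)
		fmt.Printf("%-10s route=%-7q tags=%v err=%v\n", s.ID, target, LoadBalancerRoleTags(s), err)
	}
}
```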
🌱 Bump CAPI to v1.7.1
Signed-off-by: Nolan Brubaker <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Kun483
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged): Fixes #
Special notes for your reviewer:
Checklist: