✨ Add AWSMachine fields to control vpc placement for the instance #4541
Conversation
k8s-ci-robot
added
kind/feature
cnmcavoy
force-pushed
the
awsmachine-vpc-selection
branch
from
5101fd6 to
d7dad18
Compare
k8s-ci-robot
added
release-note
cnmcavoy
force-pushed
the
awsmachine-vpc-selection
branch
from
d7dad18 to
0e9ae1f
Compare
|
Some verification of this I did with one of our clusters: |
|
/test ? |
|
@Skarlso: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-cluster-api-provider-aws-e2e-eks |
api/v1beta2/awsmachine_types.go
Outdated
| // VPC is a reference to the VPC to use when picking a subnet to use for this | ||
| // instance. Only valid if the subnet (id or filters) is also specified. | ||
| // +optional | ||
| VPC *AWSResourceReference `json:"vpc,omitempty"` |
There was a problem hiding this comment.
Reading the related use case, I was wondering if we should be able to infer the VPC id from the subnet identifier?
What could confuse a bit users with the changes proposed here is that we have AdditionalSecurityGroups and now SecurityGroupOverrides, which might conflict with each other?
There was a problem hiding this comment.
Reading the related use case, I was wondering if we should be able to infer the VPC id from the subnet identifier?
I think this is possible, it would require rewriting the existing logic to always look up the VPC, but it does have the advantage of simplifying the fields for the AWSMachine. I'll take a look at doing this.
What could confuse a bit users with the changes proposed here is that we have AdditionalSecurityGroups and now SecurityGroupOverrides, which might conflict with each other?
I agree there is some confusion because of the two fields for managing the same concept in AWS. The problem I tried to solve is that we need a different set of "default" SGs in the other VPC, because SGs are bound to a particular VPC, and we can't re-use the cluster default SGs. So I provided a way for the user to supply their own. AdditionalSecurityGroups is insufficient because we need default SGs that are present in the secondary VPC. I don't care about SecurityGroupOverrides as a field, except as a way to provide SGs for the secondary VPC.
So the other option is we could eliminate the SecurityGroupOverrides field and instead have the CAPA duplicate the SGs from the cluster VPC into any secondary VPC, and use those for these nodes. But there would also be no good way to tell when we could tear down these SGs, without tracking them at the cluster level too. We'd probably have to add them to the AWSCluster or AWSManagedCluster's status field to keep track. Otherwise they might get left dangling after a cluster is torn down. Can you think of a better way to make this work?
There was a problem hiding this comment.
@vincepri updated to look up the VPC as needed, if you want to give it another look.
cnmcavoy
force-pushed
the
awsmachine-vpc-selection
branch
from
be505a6 to
e4775a2
Compare
cnmcavoy
changed the title
|
/test pull-cluster-api-provider-aws-e2e-eks |
cnmcavoy
force-pushed
the
awsmachine-vpc-selection
branch
2 times, most recently
from
62b8935 to
f60d5b2
Compare
|
/approve cc @vincepri for another look as you had comments |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Ankitasw The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
the
lgtm
cnmcavoy
force-pushed
the
awsmachine-vpc-selection
branch
from
f60d5b2 to
78d5c86
Compare
k8s-ci-robot
removed
the
lgtm
|
Rebased to fix tests. |
|
/test pull-cluster-api-provider-aws-test |
k8s-ci-robot
added
the
needs-rebase
cnmcavoy
force-pushed
the
awsmachine-vpc-selection
branch
from
78d5c86 to
0fa2337
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/lgtm |
k8s-ci-robot
added
lgtm
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds fields to the AWSMachine and AWSMachineTemplate resources to allow VPC selection, as well as overriding the security groups chosen for various infrastructure roles.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #4540
Special notes for your reviewer:
Checklist:
Release note: