NE-1530: Add API for AWS LB Subnet Selection

Allows users to specify subnets (i.e. Availability Zones) for
IngressControllers using load balancers in AWS. Introduce
under the `AWSLoadBalancerSubnetSelection` FeatureGate.

config/v1/feature_gates.go

@@ -588,4 +588,11 @@ var (
 						productScope(ocpSpecific).
 						enableIn(TechPreviewNoUpgrade).
 						mustRegister()
+
+	FeatureGateAWSLoadBalancerSubnetSelection = newFeatureGate("AWSLoadBalancerSubnetSelection").
+							reportProblemsToJiraComponent("Routing").
+							contactPerson("gspence").
+							productScope(ocpSpecific).
+							enableIn(TechPreviewNoUpgrade).
+							mustRegister()
 )

features.md

@@ -1,5 +1,6 @@
 | FeatureGate | Default on Hypershift | Default on SelfManagedHA | TechPreviewNoUpgrade on Hypershift | TechPreviewNoUpgrade on SelfManagedHA  |
 | ------ | --- | --- | --- | ---  |
+| AWSLoadBalancerSubnetSelection| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | AdminNetworkPolicy| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | AlertingRules| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | AutomatedEtcdBackup| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |

openapi/openapi.json

@@ -25114,6 +25114,14 @@
           "description": "networkLoadBalancerParameters holds configuration parameters for an AWS network load balancer. Present only if type is NLB.",
           "$ref": "#/definitions/com.github.openshift.api.operator.v1.AWSNetworkLoadBalancerParameters"
         },
+        "subnets": {
+          "description": "subnets specifies the list of subnets for the load balancer to route traffic to. The values can be either a subnet ID or name. Each subnet must be from a different availability zones otherwise the load balancer will not be provisioned. Additionally, if a subnet is not found, the load balancer will not be provisioned.\n\nWhen omitted, the subnets will be auto-discovered per availability zone.",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "default": ""
+          }
+        },
         "type": {
           "description": "type is the type of AWS load balancer to instantiate for an ingresscontroller.\n\nValid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n  the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n  the following for additional details:\n\n    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n  transport layer (TCP/SSL). See the following for additional details:\n\n    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb",
           "type": "string",
@@ -25125,7 +25133,8 @@
           "discriminator": "type",
           "fields-to-discriminateBy": {
             "classicLoadBalancer": "ClassicLoadBalancerParameters",
-            "networkLoadBalancer": "NetworkLoadBalancerParameters"
+            "networkLoadBalancer": "NetworkLoadBalancerParameters",
+            "subnets": "Subnets"
           }
         }
       ]

operator/v1/tests/ingresscontrollers.operator.openshift.io/AWSLoadBalancerSubnetSelection.yaml

@@ -0,0 +1,106 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "Ingress"
+crdName: ingresscontrollers.operator.openshift.io
+featureGate: AWSLoadBalancerSubnetSelection
+tests:
+  onCreate:
+    - name: Should be able to create a minimal ingresscontroller with subnets.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+  onUpdate:
+    - name: Subnets should be immutable.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+      expectedError: "subnets is immutable once set"
+    - name: Subnets should not be able to remove once set.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+      expectedError: "subnets is immutable once set"
+

operator/v1/types_ingress.go

@@ -512,6 +512,7 @@ const (
 
 // AWSLoadBalancerParameters provides configuration settings that are
 // specific to AWS load balancers.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=AWSLoadBalancerSubnetSelection,rule="!has(oldSelf.subnets) || has(self.subnets)", message="subnets is immutable once set"
 // +union
 type AWSLoadBalancerParameters struct {
 	// type is the type of AWS load balancer to instantiate for an ingresscontroller.
@@ -545,6 +546,19 @@ type AWSLoadBalancerParameters struct {
 	//
 	// +optional
 	NetworkLoadBalancerParameters *AWSNetworkLoadBalancerParameters `json:"networkLoadBalancer,omitempty"`
+
+	// subnets specifies the list of subnets for the load balancer to
+	// route traffic to. The values can be either a subnet ID or name.
+	// Each subnet must be from a different availability zones otherwise
+	// the load balancer will not be provisioned. Additionally, if a subnet
+	// is not found, the load balancer will not be provisioned.
+	//
+	// When omitted, the subnets will be auto-discovered per availability zone.
+	//
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="subnets is immutable once set"
+	// +openshift:enable:FeatureGate=AWSLoadBalancerSubnetSelection
+	// +optional
+	Subnets []string `json:"subnets,omitempty"`
 }
 
 // AWSLoadBalancerType is the type of AWS load balancer to instantiate.