NE-1530: IngressController LB Subnet Selection in AWS

Allows users to specify subnets (i.e. Availability Zones) for
IngressControllers using load balancers in AWS. Introduce
under the `IngressControllerLBSubnetsAWS` FeatureGate.

features.md

@@ -24,6 +24,7 @@
 | GatewayAPI| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | HardwareSpeed| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ImagePolicy| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| IngressControllerLBSubnetsAWS| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | InsightsConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | InsightsConfigAPI| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | InsightsOnDemandDataGather| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |

features/features.go

@@ -529,4 +529,12 @@ var (
 				productScope(ocpSpecific).
 				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 				mustRegister()
+
+    FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS").
+                        reportProblemsToJiraComponent("Routing").
+                        contactPerson("gspence").
+                        productScope(ocpSpecific).
+                        enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+                        mustRegister()
+
 )

openapi/openapi.json

@@ -25433,6 +25433,15 @@
           "description": "networkLoadBalancerParameters holds configuration parameters for an AWS network load balancer. Present only if type is NLB.",
           "$ref": "#/definitions/com.github.openshift.api.operator.v1.AWSNetworkLoadBalancerParameters"
         },
+        "subnets": {
+          "description": "subnets specifies the list of subnets for the load balancer to route traffic to. The values can be either a subnet ID or name. In order for the load balancer to be provisioned with subnets: * Each subnet must exist. * Each subnet must be from a different availability zone. * The load balancer service must be deleted.\n\nWhen omitted, the subnets will be auto-discovered per availability zone.",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "default": ""
+          },
+          "x-kubernetes-list-type": "atomic"
+        },
         "type": {
           "description": "type is the type of AWS load balancer to instantiate for an ingresscontroller.\n\nValid values are:\n\n* \"Classic\": A Classic Load Balancer that makes routing decisions at either\n  the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See\n  the following for additional details:\n\n    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb\n\n* \"NLB\": A Network Load Balancer that makes routing decisions at the\n  transport layer (TCP/SSL). See the following for additional details:\n\n    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb",
           "type": "string",
@@ -25444,7 +25453,8 @@
           "discriminator": "type",
           "fields-to-discriminateBy": {
             "classicLoadBalancer": "ClassicLoadBalancerParameters",
-            "networkLoadBalancer": "NetworkLoadBalancerParameters"
+            "networkLoadBalancer": "NetworkLoadBalancerParameters",
+            "subnets": "Subnets"
           }
         }
       ]

operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml

@@ -0,0 +1,204 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "Ingress"
+crdName: ingresscontrollers.operator.openshift.io
+featureGate: IngressControllerLBSubnetsAWS
+tests:
+  onCreate:
+    - name: Should be able to create a minimal ingresscontroller with subnets.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+    - name: Should not be able to create ingresscontroller with duplicate subnets.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+                  - subnetC
+      expectedError: "subnets cannot contain duplicates"
+  onUpdate:
+    - name: Subnets should be mutable.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+    - name: Subnets should be able to be removed once set.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+    - name: Subnets should be able to add after IC creation.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          endpointPublishingStrategy:
+            type: LoadBalancerService
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: Classic
+                  subnets:
+                  - subnetA
+                  - subnetB
+                  - subnetC

operator/v1/types_ingress.go

@@ -545,6 +545,22 @@ type AWSLoadBalancerParameters struct {
 	//
 	// +optional
 	NetworkLoadBalancerParameters *AWSNetworkLoadBalancerParameters `json:"networkLoadBalancer,omitempty"`
+
+	// subnets specifies the list of subnets for the load balancer to
+	// route traffic to. The values can be either a subnet ID or name.
+	// In order for the load balancer to be provisioned with subnets:
+	// * Each subnet must exist.
+	// * Each subnet must be from a different availability zone.
+	// * The load balancer service must be deleted.
+	//
+	// When omitted, the subnets will be auto-discovered per availability zone.
+	//
+	// +optional
+	// +listType=atomic
+	// +openshift:enable:FeatureGate=IngressControllerLBSubnetsAWS
+	// +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="subnets cannot contain duplicates"
+	// +kubebuilder:validation:MaxItems:=32
+	Subnets []AWSSubnetReference `json:"subnets,omitempty"`
 }
 
 // AWSLoadBalancerType is the type of AWS load balancer to instantiate.
@@ -556,6 +572,11 @@ const (
 	AWSNetworkLoadBalancer AWSLoadBalancerType = "NLB"
 )
 
+// AWSSubnetReference is a reference to an AWS subnet. It can be either
+// be a subnet ID or name.
+// +kubebuilder:validation:MaxLength=256
+type AWSSubnetReference string
+
 // GCPLoadBalancerParameters provides configuration settings that are
 // specific to GCP load balancers.
 type GCPLoadBalancerParameters struct {