NE-1530: IngressController LB Subnet Selection in AWS

[gcs278]

Allows users to specify subnets (i.e. Availability Zones) for IngressControllers using load balancers in AWS. Introduce
under the IngressControllerLBSubnetsAWS FeatureGate. Works for both CLB and NLBs.

Enhancement: openshift/enhancements#1595
Epic: https://issues.redhat.com/browse/NE-705

[openshift-ci-robot]

@gcs278: This pull request references NE-705 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.16." or "openshift-4.16.", but it targets "openshift-4.13" instead.

In response to this:

Allows users to specify subnets (i.e. Availability Zones) for IngressControllers in AWS. Introduce under the
AWSLoadBalancerSubnetSelection FeatureGate. Works for both CLB and NLBs.

Enhancement: openshift/enhancements#1595
RFE: https://issues.redhat.com/browse/RFE-1717.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @gcs278! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@gcs278: This pull request references NE-1530 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Allows users to specify subnets (i.e. Availability Zones) for IngressControllers in AWS. Introduce under the
AWSLoadBalancerSubnetSelection FeatureGate. Works for both CLB and NLBs.

Enhancement: openshift/enhancements#1595
RFE: https://issues.redhat.com/browse/RFE-1717.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@gcs278: This pull request references NE-1530 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Allows users to specify subnets (i.e. Availability Zones) for IngressControllers in AWS. Introduce under the
AWSLoadBalancerSubnetSelection FeatureGate. Works for both CLB and NLBs.

Enhancement: openshift/enhancements#1595
Epic: https://issues.redhat.com/browse/NE-705

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@gcs278: This pull request references NE-1530 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Allows users to specify subnets (i.e. Availability Zones) for IngressControllers using load balancers in AWS. Introduce
under the IngressControllerLBSubnetsAWS FeatureGate. Works for both CLB and NLBs.

Enhancement: openshift/enhancements#1595
Epic: https://issues.redhat.com/browse/NE-705

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gcs278]

/hold
EP is still under review and it's likely we will add a ingresses.config.openshift.io.spec.loadBalancer.platform.aws.subnets field as well.

[JoelSpeed]

Can you find anything that suggests only specific characters are allowed in either the name or ID?

[JoelSpeed]

Needs a listType tag, its this atomic?

[gcs278]

I've read the docs (https://github.com/kubernetes/kube-openapi/blob/master/pkg/idl/doc.go and https://kubernetes.io/docs/reference/using-api/server-side-apply/), but I'm struggling to totally grasp the difference between an atomic and set listType. I don't totally understand the implications as it relates to my field. I see set:

// Sets are lists that must not have multiple times the same value. Each
// value must be a scalar (or another atomic type).

And atomic:

// Atomic lists will be entirely replaced when updated. This tag may be
// used on any type of list (struct, scalar, ...).

Sounds like atomic only allows one "manager" for server side apply. That seems acceptable for this field.

I also see atomic is the default, so I'll go with that.

[candita]

/assign

[gcs278]

Yikes, I messed up this rebase bad. Fixing.

[candita]

An example failure from verify-crd-schema. Is it in development?

error running generator schemacheck on group operator.openshift.io:
could not run schemacheck generator for group/version operator.openshift.io/v1:
error in operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/ingresscontrollers.operator.openshift.io version/v1 field/^.spec.namespaceSelector.matchExpressions must set x-kubernetes-list-type
error in operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/ingresscontrollers.operator.openshift.io version/v1 field/^.spec.namespaceSelector.matchExpressions[*].values must set x-kubernetes-list-type

/test verify-crd-schema

[gcs278]

An example failure from verify-crd-schema. Is it in development?

error running generator schemacheck on group operator.openshift.io:
could not run schemacheck generator for group/version operator.openshift.io/v1:
error in operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/ingresscontrollers.operator.openshift.io version/v1 field/^.spec.namespaceSelector.matchExpressions must set x-kubernetes-list-type
error in operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/ingresscontrollers.operator.openshift.io version/v1 field/^.spec.namespaceSelector.matchExpressions[*].values must set x-kubernetes-list-type

/test verify-crd-schema

@candita I saw that too, but at the end of the logs is:

This verifier checks all files that have changed. In some cases you may have changed or
renamed a file that already contained api violations, but you are not introducing a new
violation. In such cases it is appropriate to /override the failing CI job.

And I reviewed the logs and don't see any issue with my added subnets API. Instead, all of the errors are from existing fields. So I think I will require an override when the time comes to it.

[candita]

/retest

[candita]

nit: For network edge features, the contact person is @Miciah , but I don't know if there are rules about it having to be the team lead or not. Otherwise, it should be your github handle.

[gcs278]

Sure. I'll put "miciah" down.

[candita]

nit:

Suggested change

	- name: Subnets should be able to add after IC creation.
	- name: Should be able to add subnets after IC creation.

[gcs278]

Done.

[candita]

Suggested change

	// * The load balancer service must be deleted.
	// * The load balancer service must be recreated to pick up new values.

[gcs278]

Done.

[candita]

If I understand this correctly:

Suggested change

	// When omitted, the subnets will be auto-discovered per availability zone.
	// If omitted, the subnets will be auto-discovered per availability zone.
	// When subnets are auto-discovered, they do not propagate to this list.

[gcs278]

Sure. Done.

[candita]

Do you know if this validation is case-sensitive? The subnet names can be, so there could correctly be both subnetB and subnetb in the list. You could just add a test to the test yaml.

[candita]

I don't know how much it matters, but I tested this with two empty subnets and that returns false. https://playcel.undistro.io/?content=H4sIAAAAAAAAA6tWSk7NUbJSKk7NSdNLzMnRqNBRALNTKzKLS4rj8%2FNSNSp1FCoUbG0VKjU1lXSUUhJLEj3zCkpLoLqsYvIUFHQVICRQPjc%2FJRUoBTK2FgCZjmKCXgAAAA%3D%3D

[gcs278]

Do you know if this validation is case-sensitive? The subnet names can be, so there could correctly be both subnetB and subnetb in the list. You could just add a test to the test yaml.

Good question. It is indeed case-sensitive. Good idea, I will do that.

I don't know how much it matters, but I tested this with two empty subnets and that returns false.

Oh nice, I didn't know about this CEL playground website.

Good point. The CEL is working as expected with two empty subnets, but an empty length subnet is not a valid subnet reference. Adding // +kubebuilder:validation:MinLength=1

[candita]

Suggested change

	// be a subnet ID or name.
	// an AWS subnet ID or a generic name.

[gcs278]

Done.

[candita]

No major concerns on my part, just a few comments/nits.
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: candita, gcs278
Once this PR has been reviewed and has the lgtm label, please assign spadgett for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.

[gcs278]

Thanks for the review @candita

Changes here: https://github.com/openshift/api/compare/81aaf82a567be6f4b42e236e2276d65569c7f056..e8783c84b59e430682265cbbe441614b32ee8ee6

[gcs278]

Sure. I'll put "miciah" down.

[gcs278]

Thanks. That's consistent with my experiments that allowed me to create a subnet name tag with every character my keyboard has. I don't think we can restrict characters on the basis of subnet names.

However, after some tedious experimenting, I found that though , is a valid in a subnet name, but is impossible to specify in the annotation since it uses that as the delimiter. I will add a restriction for that.

[gcs278]

Done.

[gcs278]

Done.

[gcs278]

Sure. Done.

[gcs278]

Do you know if this validation is case-sensitive? The subnet names can be, so there could correctly be both subnetB and subnetb in the list. You could just add a test to the test yaml.

Good question. It is indeed case-sensitive. Good idea, I will do that.

I don't know how much it matters, but I tested this with two empty subnets and that returns false.

Oh nice, I didn't know about this CEL playground website.

Good point. The CEL is working as expected with two empty subnets, but an empty length subnet is not a valid subnet reference. Adding // +kubebuilder:validation:MinLength=1

[gcs278]

Done.

[openshift-ci]

@gcs278: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-crd-schema	e8783c8	link	true	/test verify-crd-schema

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.