✨ RosaNetwork: new CRD & reconciler to provision network infrastructure for ROSA-HCP

[mzazrivec]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This pull request implements CRD and a controller for provisioning complete networking infrastructure required to install a ROSA-HCP cluster in AWS. The proposal for this implementation has been described in #5381.

Under the hood, the implementation uses cloudformation stack and a static (i.e. no possibility of customization) cloudformation template from (rosa-cli)[https://github.com/openshift/rosa/blob/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml].

This pull request depends on openshift/rosa#2904

Quick howto:

$ export ROSA_NETWORK_NAME=rosa-net-01
$ export AWS_REGION=us-west-2
$ export AVAILABILITY_ZONE_COUNT=2
$ export CIDR_BLOCK=10.0.0.0/16
$ clusterctl generate yaml --from templates/rosa-network.yaml > rosa-net-01.yaml
$ kubectl apply -f rosa-net-01.yaml

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

[k8s-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign andidog for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

No need to add the caBundle.

[serngawy]

Suggested change

	ID string `json:"ID"`
	Id string `json:"id"`

Or resourceId

[serngawy]

Suggested change

	Resource string `json:"resource"`
	Name string `json:"name"`

OR resourceName

[serngawy]

message is better I guess ?

Suggested change

	Reason string `json:"reason"`
	Message string `json:"message"`

[serngawy]

Suggested change

	// ID of the public subnet
	// Public subnet Id ex; subnet-xxxxxxxxxx

[serngawy]

I don't think we need a new feature gate, we can have it under ROSA feature gate

[mzazrivec]

Yes. I did not mean a new feature gate here, just the existing rosa FG.

[serngawy]

you also need to update the ValidatingWebhookConfiguration and MutatingWebhookConfiguration here

[serngawy]

/ok-to-test

[serngawy]

Not sure, if we want to provide this option to end user. We don't do that with RosaControlPlane only default aws identity. However, we should provide OCM identityRef

[mzazrivec]

Why shouldn't we provide this option to the end user? We need to specify the ref to the aws secret somehow. Here I'm just reusing existing structures & code.

What do you mean by OCM identity ref? OCM will not be involved here in any way.

[serngawy]

well, to use openshift/rosa and establish ocm client you need to have ocm authentication. Is this not the case with the RosaNetwork CF stack creation?

[mzazrivec]

No. No OCM credentials are needed for rosanet, just AWS credentials.

[marek-veber]

The conversion webhook wil not be implemented?

[marek-veber]

This line should be uncommented, is't it?

[mzazrivec]

Yep, uncommented. Thanks.

[mzazrivec]

you also need to update the ValidatingWebhookConfiguration and MutatingWebhookConfiguration here

Is that really needed at this point? (there are no webhooks implemented for rosanet yet).

[k8s-ci-robot]

@mzazrivec: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-provider-aws-build	e7f18ec	link	true	/test pull-cluster-api-provider-aws-build
pull-cluster-api-provider-aws-test	e7f18ec	link	true	/test pull-cluster-api-provider-aws-test
pull-cluster-api-provider-aws-verify	e7f18ec	link	true	/test pull-cluster-api-provider-aws-verify
pull-cluster-api-provider-aws-build-docker	e7f18ec	link	true	/test pull-cluster-api-provider-aws-build-docker
pull-cluster-api-provider-aws-e2e-blocking	e7f18ec	link	true	/test pull-cluster-api-provider-aws-e2e-blocking

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.