-
Notifications
You must be signed in to change notification settings - Fork 580
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Introduce edge subnets to support AWS Local Zones #4882
✨ Introduce edge subnets to support AWS Local Zones #4882
Conversation
Hi @mtulio. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
5fd5cf9
to
a7ace3c
Compare
/assign @vincepri @nrb |
Hey @vincepri @nrb would you mind stamp |
/ok-to-test |
a7ace3c
to
b0c9f0f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM so far. Left a few nitpick comments, feel free to ignore.
12ceddc
to
846e806
Compare
Thanks @r4f4 . Feedback addressed. 👍🏽 I also removed some references of Wavelength Zones which will be addressed as "edge zone" in another PR. |
846e806
to
9ee7479
Compare
Thanks @r4f4 . Rebased from current master, /test pull-cluster-api-provider-aws-e2e |
Timeout. |
/test pull-cluster-api-provider-aws-e2e |
@nrb @richardcase okay, e2e* are passing after rebase. 🚀 |
@mtulio - would you be able to squash your commits? It doesn't have to be squashed into 1 if you want to tell a story by the separate commits. |
Introducing the mechanism to query the zone information from the subnet's AvailabilityZone, saving the ZoneType and the ParentZoneName in the SubnetSpec, both for managed and unmanaged. The ZoneType is used to group the zones from regular and the edge zones. Regular zones are with type 'availability-zone', and the edge zones are types 'local-zone' and 'wavelength-zone'. The following statements are valid for edge subnets: - private subnets supports egress traffic only using NAT Gateway in the region. - IPv6 subnets is not supported in edge zones - subnet tags (kubernetes.io/role/*) for load balancer are not set in edge subnets. Edge subnets should not be elected by CCM to create service load balancers. Use ALB ingress instead. ✨ edge subnets/test: unit for subnets in Local Zones Added unit tests to validate scenarios suing managed and unmanaged subnets in AWS Local Zones, alongside new describe availability zones API calls introduced in the subnet reconciliation loop. ✨ edge subnets/unit: fixes unit tests to describe zone calls The edge subnets feature introduce a new AWS API call to describe zones, DescribeAvailabilityZonesWithContext, to lookup zone attributes based in the zone names in the reconciliator, and the create subnets. The two new calls is required to support unmanaged subnets (BYO VPC), where the method createSubnet() is not called. There are some unit tests calling the create subnet flow, this change add the mock calls for those calls.
✨ edge subnets/routes: supporting custom routes for Local Zones Isolate the route table lookup into dedicated methods for private and public subnets to allow more complex requirements for edge zones, as well introduce unit tests for each scenario to cover edge cases. There is no change for private and public subnets for regular zones (standard flow), and the routes will be assigned accordainly the existing flow: private subnets uses nat gateways per public zone, and internet gateway for public zones's tables. For private and public subnets in edge zones, the following changes is introduced according to each rule: General: - IPv6 subnets is not be supported in AWS Local Zones, zone, consequently no ip6 routes will be created - nat gateways is not supported, default gateway's route for private subnets will use nat gateways from the zones in the Region (availability-zone's zone type) - one route table by zone's role by zone (standard flow) Private tables for Local Zones: - default route's gateways is assigned using nat gateway created in the region (availability-zones). Public tables for Local Zones: - default route's gateway is assigned using internet gateway The changes in the standard flow (without edge subnets' support) was isolated in the PR kubernetes-sigs#4900 ✨ edge subnets/nat-gw: support private routing in Local Zones Introduce the support to lookup a nat gateway for edge zones when creating private subnets. Currently CAPA requires a NAT Gateway in the public subnet for each zone which requires private subnets to define default nat gateway in the private route table for each zone. NAT Gateway resource isn't globally supported by Local Zones, thus private subnets in Local Zones are created with default route gateway using a nat gateway selected in the Region (regular availability zones) based in the Parent Zone* for the edge subnet. *each edge zone is "tied" to a zone named "Parent Zone", a zone type availability-zone (regular zones) in the region.
5103d91
to
e417b92
Compare
Hey @richardcase , sure! Thanks for the feedback. I just squashed into 3 commits. Let me know if it looks better. Thanks! |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Just the one comment around adding some CEL validation (or even a validation to the webhook).
// private route table to egress traffic to the internet. | ||
// | ||
// +optional | ||
ParentZoneName *string `json:"parentZoneName,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to have CEL to enforce the cross field validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or use validation in the webhook.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@richardcase I am thiking the best strategy here. I think we need to prevent the ParentZoneName when not local-zone
for ZoneType
, so something like this:
// SubnetSpec configures an AWS Subnet.
+// +kubebuilder:validation:XValidation:rule="has(self.zoneType) && self.zoneType == 'local-zone' ? (has(self.parentZoneName) && size(self.parentZoneName) > 0)
: !has(self.parentZoneName)",message="parentZoneName must be set if zoneType is 'local-zone'"
type SubnetSpec struct {
// ID defines a unique identifier to reference this resource.
....
Do you think it makes sense? is it enough?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or use validation in the webhook.
yeah, when thinking in the follow up PRs (Wavelength), it seems to be better to create a validation in the webhook. Let me do it instead of CEL.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Webhook added
This change introduce support of required network components to deploy subnets on AWS Local Zones infrastructure. The SubnetSpec API is introducing the field ZoneType and ParentZoneName to handle the zone information for the subnet, discovered when reconciling the subnet. ✨ edge subnets/API/gen: introduce edge subnets for Local Zones Generate API changes to suppoer edge subnets for Local Zones. ✨ edge subnets/API/test: added unit to Local Zones Testing new methods and workflow added to the API to SubnetSpec (zone information). ✨ edge subnets/docs: added guide subnets on Local and Wavelength zones Create a dedicated document, "topic", with instructions to deploy network infrastructure (subnets, gateways and route tables) in "edge zones" - Local Zone and Wavelength Zone infrastructure.
e417b92
to
2011294
Compare
Hey @nrb @richardcase validation added in the subnet's webhook to prevent setting empty |
if subnet.ZoneType != nil && subnet.IsEdge() { | ||
if subnet.ParentZoneName == nil { | ||
allErrs = append(allErrs, field.Invalid(field.NewPath("subnets"), r.Spec.NetworkSpec.Subnets, "ParentZoneName must be set when ZoneType is 'local-zone'.")) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note for the reviewer:
// IsEdge returns the true when the subnet is created in the edge zone,
// Local Zones.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
We should follow-up on a CAPA approach to CEL vs validation webhooks. But lets not let that block this. So from my side: /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
This PR implements support of managed subnets and carrier gateway for AWS Local Zones. Feature request #4874 .
There API is changed to introduce the following fields:
SubnetSpec.ZoneType
: representation of subnet's zone typeSubnetSpec.ParentZoneName
: representation of subnet's parent zone name (an availability zone in the Region which the edge zone is tied)The subnets in AWS Local Zones are not eligible to create core components for the cluster, like NAT Gateway, Control Plane nodes, and Network Load Balancers, keeping compatibility with existing flow when edge subnets are added.
To create subnets in edge zones, the subnet must be added for each zone you want to create the subnet in
NetworkSpec.Subnets
. For example to create subnets in Local Zoneus-east-1-nyc-1a
, set:Which issue(s) this PR fixes: Relates to (not fixes completely) #4874
Special notes for your reviewer:
Checklist:
Release note: