DNM/SPLAT-1860: aws - track CAPA 4917

[mtulio]

No description provided.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[mtulio]

/test ?

[openshift-ci]

@mtulio: The following commands are available to trigger required jobs:

• /test altinfra-images
• /test aro-unit
• /test artifacts-images
• /test e2e-agent-compact-ipv4
• /test e2e-aws-ovn
• /test e2e-aws-ovn-edge-zones-manifest-validation
• /test e2e-aws-ovn-upi
• /test e2e-azure-ovn
• /test e2e-azure-ovn-upi
• /test e2e-gcp-ovn
• /test e2e-gcp-ovn-upi
• /test e2e-metal-ipi-ovn-ipv6
• /test e2e-openstack-ovn
• /test e2e-vsphere-ovn
• /test e2e-vsphere-ovn-upi
• /test gofmt
• /test golint
• /test govet
• /test images
• /test integration-tests
• /test integration-tests-nodejoiner
• /test okd-images
• /test okd-unit
• /test okd-verify-codegen
• /test openstack-manifests
• /test shellcheck
• /test terraform-images
• /test terraform-verify-vendor
• /test tf-lint
• /test unit
• /test verify-codegen
• /test verify-vendor
• /test yaml-lint

The following commands are available to trigger optional jobs:

• /test altinfra-e2e-aws-custom-security-groups
• /test altinfra-e2e-aws-ovn
• /test altinfra-e2e-aws-ovn-fips
• /test altinfra-e2e-aws-ovn-imdsv2
• /test altinfra-e2e-aws-ovn-localzones
• /test altinfra-e2e-aws-ovn-proxy
• /test altinfra-e2e-aws-ovn-shared-vpc
• /test altinfra-e2e-aws-ovn-shared-vpc-local-zones
• /test altinfra-e2e-aws-ovn-shared-vpc-wavelength-zones
• /test altinfra-e2e-aws-ovn-single-node
• /test altinfra-e2e-aws-ovn-wavelengthzones
• /test altinfra-e2e-azure-capi-ovn
• /test altinfra-e2e-azure-ovn-shared-vpc
• /test altinfra-e2e-gcp-capi-ovn
• /test altinfra-e2e-gcp-ovn-byo-network-capi
• /test altinfra-e2e-gcp-ovn-secureboot-capi
• /test altinfra-e2e-gcp-ovn-xpn-capi
• /test altinfra-e2e-ibmcloud-capi-ovn
• /test altinfra-e2e-nutanix-capi-ovn
• /test altinfra-e2e-openstack-capi-ccpmso
• /test altinfra-e2e-openstack-capi-ccpmso-zone
• /test altinfra-e2e-openstack-capi-dualstack
• /test altinfra-e2e-openstack-capi-dualstack-upi
• /test altinfra-e2e-openstack-capi-dualstack-v6primary
• /test altinfra-e2e-openstack-capi-externallb
• /test altinfra-e2e-openstack-capi-nfv-intel
• /test altinfra-e2e-openstack-capi-ovn
• /test altinfra-e2e-openstack-capi-proxy
• /test altinfra-e2e-vsphere-capi-multi-vcenter-ovn
• /test altinfra-e2e-vsphere-capi-ovn
• /test altinfra-e2e-vsphere-capi-static-ovn
• /test altinfra-e2e-vsphere-capi-zones
• /test azure-ovn-marketplace-images
• /test e2e-agent-compact-ipv4-add-nodes
• /test e2e-agent-compact-ipv4-appliance-diskimage
• /test e2e-agent-compact-ipv4-none-platform
• /test e2e-agent-ha-dualstack
• /test e2e-agent-sno-ipv4-pxe
• /test e2e-agent-sno-ipv6
• /test e2e-aws-overlay-mtu-ovn-1200
• /test e2e-aws-ovn-custom-iam-profile
• /test e2e-aws-ovn-edge-zones
• /test e2e-aws-ovn-fips
• /test e2e-aws-ovn-heterogeneous
• /test e2e-aws-ovn-imdsv2
• /test e2e-aws-ovn-min-perms
• /test e2e-aws-ovn-proxy
• /test e2e-aws-ovn-public-ipv4-pool
• /test e2e-aws-ovn-public-ipv4-pool-disabled
• /test e2e-aws-ovn-public-subnets
• /test e2e-aws-ovn-shared-vpc-custom-security-groups
• /test e2e-aws-ovn-shared-vpc-edge-zones
• /test e2e-aws-ovn-single-node
• /test e2e-aws-ovn-techpreview
• /test e2e-aws-ovn-upgrade
• /test e2e-aws-ovn-workers-rhel8
• /test e2e-aws-upi-proxy
• /test e2e-azure-ovn-resourcegroup
• /test e2e-azure-ovn-shared-vpc
• /test e2e-azure-ovn-techpreview
• /test e2e-azurestack
• /test e2e-azurestack-upi
• /test e2e-crc
• /test e2e-external-aws
• /test e2e-external-aws-ccm
• /test e2e-gcp-ovn-byo-vpc
• /test e2e-gcp-ovn-heterogeneous
• /test e2e-gcp-ovn-techpreview
• /test e2e-gcp-ovn-xpn
• /test e2e-gcp-secureboot
• /test e2e-gcp-upgrade
• /test e2e-gcp-upi-xpn
• /test e2e-ibmcloud-ovn
• /test e2e-metal-assisted
• /test e2e-metal-ipi-ovn
• /test e2e-metal-ipi-ovn-dualstack
• /test e2e-metal-ipi-ovn-swapped-hosts
• /test e2e-metal-ipi-ovn-virtualmedia
• /test e2e-metal-single-node-live-iso
• /test e2e-nutanix-ovn
• /test e2e-openstack-ccpmso
• /test e2e-openstack-ccpmso-zone
• /test e2e-openstack-dualstack
• /test e2e-openstack-dualstack-upi
• /test e2e-openstack-externallb
• /test e2e-openstack-nfv-intel
• /test e2e-openstack-proxy
• /test e2e-openstack-singlestackv6
• /test e2e-powervs-capi-ovn
• /test e2e-vsphere-multi-vcenter-ovn
• /test e2e-vsphere-ovn-multi-network
• /test e2e-vsphere-ovn-techpreview
• /test e2e-vsphere-ovn-upi-zones
• /test e2e-vsphere-ovn-zones
• /test e2e-vsphere-ovn-zones-techpreview
• /test e2e-vsphere-static-ovn
• /test okd-e2e-aws-ovn
• /test okd-e2e-aws-ovn-upgrade
• /test okd-e2e-gcp
• /test okd-e2e-gcp-ovn-upgrade
• /test okd-e2e-vsphere
• /test okd-scos-images
• /test tf-fmt

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-installer-master-altinfra-e2e-aws-ovn
• pull-ci-openshift-installer-master-altinfra-images
• pull-ci-openshift-installer-master-aro-unit
• pull-ci-openshift-installer-master-artifacts-images
• pull-ci-openshift-installer-master-azure-ovn-marketplace-images
• pull-ci-openshift-installer-master-e2e-aws-ovn
• pull-ci-openshift-installer-master-e2e-aws-ovn-edge-zones
• pull-ci-openshift-installer-master-e2e-aws-ovn-edge-zones-manifest-validation
• pull-ci-openshift-installer-master-e2e-aws-ovn-fips
• pull-ci-openshift-installer-master-e2e-aws-ovn-heterogeneous
• pull-ci-openshift-installer-master-e2e-aws-ovn-imdsv2
• pull-ci-openshift-installer-master-e2e-aws-ovn-shared-vpc-custom-security-groups
• pull-ci-openshift-installer-master-e2e-aws-ovn-shared-vpc-edge-zones
• pull-ci-openshift-installer-master-e2e-aws-ovn-single-node
• pull-ci-openshift-installer-master-e2e-azure-ovn
• pull-ci-openshift-installer-master-e2e-azure-ovn-shared-vpc
• pull-ci-openshift-installer-master-e2e-azurestack
• pull-ci-openshift-installer-master-e2e-external-aws-ccm
• pull-ci-openshift-installer-master-e2e-gcp-ovn
• pull-ci-openshift-installer-master-e2e-gcp-ovn-byo-vpc
• pull-ci-openshift-installer-master-e2e-gcp-ovn-xpn
• pull-ci-openshift-installer-master-e2e-gcp-secureboot
• pull-ci-openshift-installer-master-gofmt
• pull-ci-openshift-installer-master-golint
• pull-ci-openshift-installer-master-govet
• pull-ci-openshift-installer-master-images
• pull-ci-openshift-installer-master-okd-unit
• pull-ci-openshift-installer-master-okd-verify-codegen
• pull-ci-openshift-installer-master-shellcheck
• pull-ci-openshift-installer-master-tf-fmt
• pull-ci-openshift-installer-master-tf-lint
• pull-ci-openshift-installer-master-unit
• pull-ci-openshift-installer-master-verify-codegen
• pull-ci-openshift-installer-master-verify-vendor
• pull-ci-openshift-installer-master-yaml-lint

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mtulio]

/test altinfra-e2e-aws-ovn-shared-vpc

[mtulio]

cc @r4f4 to track OCP impact by kubernetes-sigs/cluster-api-provider-aws#5175 on managed/unmapaned VPC scenarios.

[openshift-ci-robot]

@mtulio: This pull request references SPLAT-1860 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.18.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtulio]

/test altinfra-e2e-aws-ovn-shared-vpc

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign barbacbd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtulio]

IIUC not at all jobs are exercising tags, specially for BYO VPC to test CAPA#5171. Testing the basic changes;

/test e2e-aws-ovn

[r4f4]

@mtulio it seems to be fine? It kept existing tags, including the "k8s: shared" installer-added one.

    - id: subnet-022372a8a97126bd4
      resourceid: subnet-022372a8a97126bd4
      cidrblock: 10.0.48.0/20
      ipv6cidrblock: ""
      availabilityzone: us-east-1a
      ispublic: false
      isipv6: false
      routetableid: rtb-0c2f14d8ac0816126
      natgatewayid: null
      tags:
        aws:cloudformation:logical-id: PrivateSubnet
        aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:460538899914:stack/ci-op-nybl0rdv-85edf-shared-vpc/c0c489a0-917d-11ef-8df4-0affc13b32f3
        aws:cloudformation:stack-name: ci-op-nybl0rdv-85edf-shared-vpc
        ci-build-info: 1849178330570428416_pull-ci-openshift-installer-master-altinfra-e2e-aws-ovn-shared-vpc
        expirationDate: 2024-10-24T00:31+00:00
        kubernetes.io/cluster/ci-op-nybl0rdv-85edf-clz9j: shared
      zonetype: availability-zone
      parentzonename: null

which is very similar to the output from another job without the CAPA changes:

    - id: subnet-03227b5289b4a64f4
      resourceid: subnet-03227b5289b4a64f4
      cidrblock: 10.0.48.0/20
      ipv6cidrblock: ""
      availabilityzone: us-west-2a
      ispublic: false
      isipv6: false
      routetableid: rtb-08fbaea9464237fec
      natgatewayid: null
      tags:
        aws:cloudformation:logical-id: PrivateSubnet
        aws:cloudformation:stack-id: arn:aws:cloudformation:us-west-2:460538899914:stack/ci-op-1m6j03lr-ff55c-shared-vpc/3694ef90-9092-11ef-8c85-06fb3556500d
        aws:cloudformation:stack-name: ci-op-1m6j03lr-ff55c-shared-vpc
        ci-build-info: 1848743677787115520_pull-ci-openshift-installer-master-e2e-aws-ovn-shared-vpc-custom-security-groups
        expirationDate: 2024-10-22T20:25+00:00
        kubernetes.io/cluster/ci-op-1m6j03lr-ff55c-7p4zm: shared
      zonetype: availability-zone
      parentzonename: null

[mtulio]

In the job 1849178330570428416 (BYO VPC deployment), I can see the custom tags on install-config:

platform:
  aws:
    subnets:
    - 'subnet-022372a8a97126bd4'
...
    region: us-east-1
    userTags:
      expirationDate: 2024-10-24T04:33+00:00
      clusterName: ci-op-nybl0rdv-85edf

And the subnet on CAPA cluster object has only original tags from subnet:

    subnets:
    - id: subnet-022372a8a97126bd4
      resourceid: subnet-022372a8a97126bd4
      cidrblock: 10.0.48.0/20
      ipv6cidrblock: ""
      availabilityzone: us-east-1a
      ispublic: false
      isipv6: false
      routetableid: rtb-0c2f14d8ac0816126
      natgatewayid: null
      tags:
        aws:cloudformation:logical-id: PrivateSubnet
        aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:[..]:stack/ci-op-nybl0rdv-85edf-shared-vpc/c0c489a0-917d-11ef-8df4-0affc13b32f3
        aws:cloudformation:stack-name: ci-op-nybl0rdv-85edf-shared-vpc
        ci-build-info: 1849178330570428416_pull-ci-openshift-installer-master-altinfra-e2e-aws-ovn-shared-vpc
        expirationDate: 2024-10-24T00:31+00:00
        kubernetes.io/cluster/ci-op-nybl0rdv-85edf-clz9j: shared
      zonetype: availability-zone
      parentzonename: null

I can confirm that the object hasn't the expected tag:

$ aws ec2 describe-subnets --subnet-ids subnet-022372a8a97126bd4 --region us-east-1 | jq -rc '.Subnets[].Tags[]'
{"Key":"aws:cloudformation:stack-id","Value":"arn:aws:cloudformation:us-east-1:[...]:stack/ci-op-nybl0rdv-85edf-shared-vpc/c0c489a0-917d-11ef-8df4-0affc13b32f3"}
{"Key":"aws:cloudformation:logical-id","Value":"PrivateSubnet"}
{"Key":"openshift_creationDate","Value":"2024-10-23T21:05:42.610615+00:00"}
{"Key":"ci-build-info","Value":"1849178330570428416_pull-ci-openshift-installer-master-altinfra-e2e-aws-ovn-shared-vpc"}
{"Key":"kubernetes.io/cluster/ci-op-nybl0rdv-85edf-clz9j","Value":"shared"}
{"Key":"aws:cloudformation:stack-name","Value":"ci-op-nybl0rdv-85edf-shared-vpc"}
{"Key":"expirationDate","Value":"2024-10-24T00:31+00:00"}

Need to check:

• is the platform.aws.userTags filling the subnet tags object on BYO VPC scenario?
  • if not, forcing the tags in subnet object the CAPA#4917 will apply tags to existing subnet?
• why platform.aws.userTags are not applied to subnets?

[r4f4]

* why platform.aws.userTags are not applied to subnets?

For BYO subnets, we don't want them to be applied. Customers can tag their own BYO resources. The userTags is just for installer/CAPA-created resources, right?

[openshift-ci]

@mtulio: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mtulio]

* why platform.aws.userTags are not applied to subnets?

For BYO subnets, we don't want them to be applied. Customers can tag their own BYO resources.The userTags is just for installer/CAPA-created resources, right?

Yes:

$ openshift-install explain installconfig.platform.aws.userTags
KIND:     InstallConfig
VERSION:  v1

RESOURCE: <object>
  UserTags additional keys and values that the installer will add as tags to all resources that it creates.
  Resources created by the cluster itself may not include these tags.

And looks like CAPA follow the same meaning: https://github.com/kubernetes-sigs/cluster-api-provider-aws/pull/5175/files#r1814372499

Although, CAPA#5175 intents to address that scenario (tag BYO subnet), I just checked we are not setting tags to subnets: https://github.com/openshift/installer/blob/master/pkg/asset/manifests/aws/zones.go

Probably we'll not affected by that change/fix.

[r4f4]

Probably we'll not affected by that change/fix.

@mtulio thanks for checking and for keeping an eye on possibly impactful changes in upstream CAPA!