CORS-4072: [Draft] Dual stack support for AWS

[tthvo]

Important

A rough draft of installer changes required to support dual-stack environment on AWS.

This PR is only for previewing the changes and experimenting with upstream CAPA PR. I will close this and open another PR with finalized sets of changes.

This PR also includes commits (message starting with hack: ) to "imitate" CCM, MAPI, and Cluster Ingress Operator to create necessary resources for cluster ingress (i.e. NLB, Route53 records, Security Groups, etc) and enable Ipv6 primary (if applicable). These commits are to be removed, assuming dual-stack is supported in operators later on.

This depends on upstream CAPA PR: kubernetes-sigs/cluster-api-provider-aws#5603

How to install

Below is the details of how to reproduce the installation.

$ export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE=quay.io/thvo/origin-release:v4.22.0-preview-ds
$ export AWS_PROFILE=<profile-admin>
$ ./openshift-install create cluster --dir=.

Custom release image

Custom release image: quay.io/thvo/origin-release:v4.22.0-preview-ds

This includes the following operator changes:

• CORS-4209: ensure NodeIPFamilies field is kept as-is after transforming cluster-cloud-controller-manager-operator#426
• CORS-4220: pass dualstack cluster cidrs as an comma-separated list argument cluster-kube-controller-manager-operator#889
• CORS-4208: set default KUBELET_NODE_IPS for dualstack nodes machine-config-operator#5384
• cluster-network-operator: tthvo/cluster-network-operator@617e05f (quick test without feature gates)

For the cluster-network-operator, we have the open PR here with feature gate checking: openshift/cluster-network-operator/pull/2804

Install Config

Use the below install-config snippet to configure networking and AWS platform.

Note: machineNetwork does not contain IPv6 CIDR as it is unknown at install time (i.e. will be patched later when infra is ready). The cluster network and service network contain ULA IPv6 CIDR.

IPv4 Primary:

networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  - cidr: fd01::/48
    hostPrefix: 64
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
  - fd02::/112
platform:
  aws:
    region: us-east-1
    ipFamily: DualStackIPv4Primary
featureSet: TechPreviewNoUpgrade

IPv6 Primary:

networking:
  clusterNetwork:
  - cidr: fd01::/48
    hostPrefix: 64
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - fd02::/112
  - 172.30.0.0/16
platform:
  aws:
    region: us-east-1
    ipFamily: DualStackIPv6Primary
featureSet: TechPreviewNoUpgrade

Important notes: [IPv6-primary only] The ingress operator will be stuck as health check on targets are failing because the k8s Service for ingress routers only have IPv6 cluster IP. The hacks only configures the ingress LB target group as IPv4, thus the connection cannot switch to IPv6 when travelling internally.

You must edit the that service openshift-ingress/router-nodeport-default to set its ipFamilyPolicy to PreferDualStack. For example:

$ kubectl -n openshift-ingress patch svc router-nodeport-default \
    -p '{"spec":{"ipFamilyPolicy":"PreferDualStack"}}'

Updated: There is a new commit to "hack" enable IPv6 primary on ec2 instances for cluster nodes. So, above step is no longer needed. The Target Group for dual-stack IPv6 primary is now also IPv6.

Installer binary

The installer binary can be built normally from these commits (i.e. capa is vendored from my fork). So, just:

./hack/build.sh

/hold
/label platform/aws

[openshift-ci-robot]

@tthvo: This pull request references CORS-4072 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.21." or "openshift-4.21.", but it targets "openshift-4.20" instead.

Details

In response to this:

A rough draft of installer changes required to support dual-stack environment on AWS.

Important

This PR is only for previewing the changes and supposed to be closed after done experimenting. I will open another PR with finalized sets of changes.

Notes

• Commits with message hack: are changes to "imitate" CCM and Cluster Ingress Operator to create necessary resources for cluster ingress (i.e. NLB, Route53 records, Security Groups, etc).
• This depends on upstream CAPA PR: ✨ IPv6 support for self-managed clusters kubernetes-sigs/cluster-api-provider-aws#5603

/hold
/label platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/cc @sadasu @barbacbd @rna-afk

[tthvo]

/cc @mtulio

Just rough hacks but in case you are interested :D

[openshift-ci-robot]

@tthvo: This pull request references CORS-4072 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.21." or "openshift-4.21.", but it targets "openshift-4.20" instead.

Details

In response to this:

A rough draft of installer changes required to support dual-stack environment on AWS.

This PR is only for previewing the changes and experimenting with upstream CAPA PR. I will close this and open another PR with finalized sets of changes.

How to install

Below is the details of how to reproduce the installation.

$ export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE=quay.io/thvo/origin-release:v4.21.0-preview
$ export AWS_PROFILE=<profile-admin>
$ ./openshift-install create cluster --dir=.

Custom release image

Custom release image: quay.io/thvo/origin-release:v4.21.0-preview.

This includes the following operator changes:

• cluster-cloud-controller-manager-operator: tthvo/cluster-cloud-controller-manager-operator@d1a105d
• cluster-network-operator: tthvo/cluster-network-operator@617e05f
• kube-controller-manager-operator: tthvo/cluster-kube-controller-manager-operator@3658370

Install Config

Use the below install-config snippet to configure networking and AWS platform.

networking:
 clusterNetwork:
 - cidr: 10.128.0.0/14
   hostPrefix: 23
 - cidr: fd01::/48
   hostPrefix: 64
 machineNetwork:
 - cidr: 10.0.0.0/16
 networkType: OVNKubernetes
 serviceNetwork:
 - 172.30.0.0/16
 - fd02::/112
platform:
 aws:
   region: us-east-1
   infraStack: DualStack

Note that machineNetwork does not contain IPv6 CIDR as it is unknown at install time (i.e. will be patched later when infra is ready). The cluster network and service network contain ULA IPv6 CIDR.

Installer binary

It looks the installer binary can be built from these commits despite a reference to my local CAPA fork. So, just:

./hack/build.sh

Important

• Commits with message hack: are changes to "imitate" CCM and Cluster Ingress Operator to create necessary resources for cluster ingress (i.e. NLB, Route53 records, Security Groups, etc). See log with prefix INFO CCM: .
• This depends on upstream CAPA PR: ✨ IPv6 support for self-managed clusters kubernetes-sigs/cluster-api-provider-aws#5603 (not finalized yet).

/hold
/label platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/test e2e-aws-default-config e2e-aws-ovn-shared-vpc-custom-security-groups

[tthvo]

/retitle CORS-4072: [Draft] Dual stack support for AWS

This PR is for experimenting and collecting info about what changes are needed. I will separate the commits into smaller PRs :D

PTAL 🙏 All reviews and nitpicks are appreciated!

[tthvo]

The rebase is to stay on top of upstream/main and remove the hack for MCO (9fa264d) as MCO should handle setting the approriate 0.0.0.0/:: to --node-ip argument of kubelet. See PR description more details 😁 🙏

[tthvo]

I rebuilt another release image: quay.io/thvo/origin-release:v4.21.0-preview-1. This includes the changes for openshift/cluster-network-operator#2804 instead of my own hack tthvo/cluster-network-operator@617e05f.

If you'd like to use the new custom release image, you need to set the techpreview feature set:

featureSet: TechPreviewNoUpgrade

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sadasu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@tthvo: This pull request references CORS-4072 which is a valid jira issue.

Details

In response to this:

Important

A rough draft of installer changes required to support dual-stack environment on AWS.

This PR is only for previewing the changes and experimenting with upstream CAPA PR. I will close this and open another PR with finalized sets of changes.

This PR also includes commits (message starting with hack: ) to "imitate" CCM, MAPI, and Cluster Ingress Operator to create necessary resources for cluster ingress (i.e. NLB, Route53 records, Security Groups, etc) and enable Ipv6 primary (if applicable). These commits are to be removed, assuming dual-stack is supported in operators later on.

This depends on upstream CAPA PR: kubernetes-sigs/cluster-api-provider-aws#5603

How to install

Below is the details of how to reproduce the installation.

$ export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE=quay.io/thvo/origin-release:v4.22.0-preview-ds
$ export AWS_PROFILE=<profile-admin>
$ ./openshift-install create cluster --dir=.

Custom release image

Custom release image: quay.io/thvo/origin-release:v4.22.0-preview-ds

This includes the following operator changes:

• CORS-4209: ensure NodeIPFamilies field is kept as-is after transforming cluster-cloud-controller-manager-operator#426
• CORS-4220: pass dualstack cluster cidrs as an comma-separated list argument cluster-kube-controller-manager-operator#889
• CORS-4208: set default KUBELET_NODE_IPS for dualstack nodes machine-config-operator#5384
• cluster-network-operator: tthvo/cluster-network-operator@617e05f (quick test without feature gates)

For the cluster-network-operator, we have the open PR here with feature gate checking: openshift/cluster-network-operator/pull/2804

Install Config

Use the below install-config snippet to configure networking and AWS platform.

Note: machineNetwork does not contain IPv6 CIDR as it is unknown at install time (i.e. will be patched later when infra is ready). The cluster network and service network contain ULA IPv6 CIDR.

IPv4 Primary:

networking:
 clusterNetwork:
 - cidr: 10.128.0.0/14
   hostPrefix: 23
 - cidr: fd01::/48
   hostPrefix: 64
 machineNetwork:
 - cidr: 10.0.0.0/16
 networkType: OVNKubernetes
 serviceNetwork:
 - 172.30.0.0/16
 - fd02::/112
platform:
 aws:
   region: us-east-1
   ipFamily: DualStackIPv4Primary

IPv6 Primary:

networking:
 clusterNetwork:
 - cidr: fd01::/48
   hostPrefix: 64
 - cidr: 10.128.0.0/14
   hostPrefix: 23
 machineNetwork:
 - cidr: 10.0.0.0/16
 networkType: OVNKubernetes
 serviceNetwork:
 - fd02::/112
 - 172.30.0.0/16
platform:
 aws:
   region: us-east-1
   ipFamily: DualStackIPv6Primary

Important notes: [IPv6-primary only] The ingress operator will be stuck as health check on targets are failing because the k8s Service for ingress routers only have IPv6 cluster IP. The hacks only configures the ingress LB target group as IPv4, thus the connection cannot switch to IPv6 when travelling internally.

You must edit the that service openshift-ingress/router-nodeport-default to set its ipFamilyPolicy to PreferDualStack. For example:

$ kubectl -n openshift-ingress patch svc router-nodeport-default \
   -p '{"spec":{"ipFamilyPolicy":"PreferDualStack"}}'

Updated: There is a new commit to "hack" enable IPv6 primary on ec2 instances for cluster nodes. So, above step is no longer needed. The Target Group for dual-stack IPv6 primary is now also IPv6.

Installer binary

The installer binary can be built normally from these commits (i.e. capa is vendored from my fork). So, just:

./hack/build.sh

/hold
/label platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@tthvo: This pull request references CORS-4072 which is a valid jira issue.

Details

In response to this:

Important

A rough draft of installer changes required to support dual-stack environment on AWS.

This PR is only for previewing the changes and experimenting with upstream CAPA PR. I will close this and open another PR with finalized sets of changes.

This PR also includes commits (message starting with hack: ) to "imitate" CCM, MAPI, and Cluster Ingress Operator to create necessary resources for cluster ingress (i.e. NLB, Route53 records, Security Groups, etc) and enable Ipv6 primary (if applicable). These commits are to be removed, assuming dual-stack is supported in operators later on.

This depends on upstream CAPA PR: kubernetes-sigs/cluster-api-provider-aws#5603

How to install

Below is the details of how to reproduce the installation.

$ export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE=quay.io/thvo/origin-release:v4.22.0-preview-ds
$ export AWS_PROFILE=<profile-admin>
$ ./openshift-install create cluster --dir=.

Custom release image

Custom release image: quay.io/thvo/origin-release:v4.22.0-preview-ds

This includes the following operator changes:

• CORS-4209: ensure NodeIPFamilies field is kept as-is after transforming cluster-cloud-controller-manager-operator#426
• CORS-4220: pass dualstack cluster cidrs as an comma-separated list argument cluster-kube-controller-manager-operator#889
• CORS-4208: set default KUBELET_NODE_IPS for dualstack nodes machine-config-operator#5384
• cluster-network-operator: tthvo/cluster-network-operator@617e05f (quick test without feature gates)

For the cluster-network-operator, we have the open PR here with feature gate checking: openshift/cluster-network-operator/pull/2804

Install Config

Use the below install-config snippet to configure networking and AWS platform.

Note: machineNetwork does not contain IPv6 CIDR as it is unknown at install time (i.e. will be patched later when infra is ready). The cluster network and service network contain ULA IPv6 CIDR.

IPv4 Primary:

networking:
 clusterNetwork:
 - cidr: 10.128.0.0/14
   hostPrefix: 23
 - cidr: fd01::/48
   hostPrefix: 64
 machineNetwork:
 - cidr: 10.0.0.0/16
 networkType: OVNKubernetes
 serviceNetwork:
 - 172.30.0.0/16
 - fd02::/112
platform:
 aws:
   region: us-east-1
   ipFamily: DualStackIPv4Primary
featureSet: TechPreviewNoUpgrade

IPv6 Primary:

networking:
 clusterNetwork:
 - cidr: fd01::/48
   hostPrefix: 64
 - cidr: 10.128.0.0/14
   hostPrefix: 23
 machineNetwork:
 - cidr: 10.0.0.0/16
 networkType: OVNKubernetes
 serviceNetwork:
 - fd02::/112
 - 172.30.0.0/16
platform:
 aws:
   region: us-east-1
   ipFamily: DualStackIPv6Primary
featureSet: TechPreviewNoUpgrade

Important notes: [IPv6-primary only] The ingress operator will be stuck as health check on targets are failing because the k8s Service for ingress routers only have IPv6 cluster IP. The hacks only configures the ingress LB target group as IPv4, thus the connection cannot switch to IPv6 when travelling internally.

You must edit the that service openshift-ingress/router-nodeport-default to set its ipFamilyPolicy to PreferDualStack. For example:

$ kubectl -n openshift-ingress patch svc router-nodeport-default \
   -p '{"spec":{"ipFamilyPolicy":"PreferDualStack"}}'

Updated: There is a new commit to "hack" enable IPv6 primary on ec2 instances for cluster nodes. So, above step is no longer needed. The Target Group for dual-stack IPv6 primary is now also IPv6.

Installer binary

The installer binary can be built normally from these commits (i.e. capa is vendored from my fork). So, just:

./hack/build.sh

/hold
/label platform/aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

The PR is rebased on top of main with latest capa IPv6 PR changes; and adjusted to match #10207 implementation for the install-config field. I also rebuilt a new custom release image based on 4.22.0-ec.0: quay.io/thvo/origin-release:v4.22.0-preview-ds.

Both dual-stack Ipv4 primary and dual-stack IPv6 primary install (using install-config in the PR description) should proceed to the end successfully (and "seamlessly") 😄

[patrickdillon]

Looks good on first pass

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-resourcegroup	49c133a	link	false	/test e2e-azure-ovn-resourcegroup
ci/prow/e2e-aws-custom-dns-techpreview	49c133a	link	false	/test e2e-aws-custom-dns-techpreview
ci/prow/okd-scos-e2e-aws-ovn	44dfeb3	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-azure-ovn	0985757	link	true	/test e2e-azure-ovn
ci/prow/e2e-aws-ovn-heterogeneous	0985757	link	false	/test e2e-aws-ovn-heterogeneous
ci/prow/e2e-gcp-custom-dns	0985757	link	false	/test e2e-gcp-custom-dns
ci/prow/e2e-azurestack	0985757	link	false	/test e2e-azurestack

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tthvo]

I have started on splitting the changes in this PR into smaller individual PRs for easy review. But this PR is still kept open for quick testing.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.