✨ ROSANetwork: new CRD & reconciler to provision network infrastructure for ROSA-HCP

[mzazrivec]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This pull request implements CRD and a controller for provisioning complete networking infrastructure required to install a ROSA-HCP cluster in AWS. The proposal for this implementation has been described in #5381.

Under the hood, the implementation uses cloudformation stack and a static (i.e. no possibility of customization) cloudformation template from rosa-cli

This pull request depends on openshift/rosa#2904 (now merged).

Quick howto:

$ export ROSA_NETWORK_NAME=rosa-net-01
$ export AWS_REGION=us-west-2
$ export AVAILABILITY_ZONE_COUNT=2
$ export CIDR_BLOCK=10.0.0.0/16
$ clusterctl generate yaml --from templates/rosa-network.yaml > rosa-net-01.yaml
$ kubectl apply -f rosa-net-01.yaml

To use the ROSANetwork from ROSA control plane:

apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: ROSAControlPlane
metadata:
  name: rosa-hcp01-control-plane
  namespace: default
spec:
  rosaNetworkRef:
    name: rosa-net01

and skip / remove subnets and availability zones from the CP spec.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emoji in title
• adds unit tests
• adds or updates e2e tests

Release note:

New API for provisioning network infrastructure for ROSA clusters

[k8s-ci-robot]

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

No need to add the caBundle.

[serngawy]

Suggested change

	ID string `json:"ID"`
	Id string `json:"id"`

Or resourceId

[serngawy]

Suggested change

	Resource string `json:"resource"`
	Name string `json:"name"`

OR resourceName

[serngawy]

message is better I guess ?

Suggested change

	Reason string `json:"reason"`
	Message string `json:"message"`

[serngawy]

Suggested change

	// ID of the public subnet
	// Public subnet Id ex; subnet-xxxxxxxxxx

[serngawy]

I don't think we need a new feature gate, we can have it under ROSA feature gate

[mzazrivec]

Yes. I did not mean a new feature gate here, just the existing rosa FG.

[serngawy]

you also need to update the ValidatingWebhookConfiguration and MutatingWebhookConfiguration here

[serngawy]

/ok-to-test

[serngawy]

Not sure, if we want to provide this option to end user. We don't do that with RosaControlPlane only default aws identity. However, we should provide OCM identityRef

[mzazrivec]

Why shouldn't we provide this option to the end user? We need to specify the ref to the aws secret somehow. Here I'm just reusing existing structures & code.

What do you mean by OCM identity ref? OCM will not be involved here in any way.

[serngawy]

well, to use openshift/rosa and establish ocm client you need to have ocm authentication. Is this not the case with the RosaNetwork CF stack creation?

[mzazrivec]

No. No OCM credentials are needed for rosanet, just AWS credentials.

[nrb]

@serngawy Are you satisfied with the answers here?

[serngawy]

@mzazrivec I do remember we discuss that, but after checking the ROSANetwork cloud formation stack template , there are tags added as rosa_hcp_policy and roas service here.
Those tags I think is used to check for privileges ?
I think we have to authenticate the ocm credential. Even if we don't need to create the CF stack but enduser must be a valid OCM user.

[mzazrivec]

@serngawy What does creating VPC with certain tags and checking OCM credentials have to do with each other?

[serngawy]

okay, as we discussed no need to have ocm authentication.

[damdo]

This changes the session name in all the places already using this (not only ROSA ones). Is this a backward compatible change? (cc. @richardcase @punkwalker)

[serngawy]

I guess it should be okay as when the capa-manager update happen all cache sessions will be re-created with the new session name.
Does the cache stored some how even when the pod re-created, we need to fail safe when loading session fail ?

[damdo]

A minute seems quite a lot here, no?

[mzazrivec]

It takes about 5 minutes to create the cloudformation stack, i.e. approximately 5 cycles through the reconciliation loop. I'm fine with making it smaller (suggestions welcome), but not quite sure how it would help or improve the situation.

[damdo]

Ok and do we need to requeue after or are we watching and we should get a reconciliation event anyway?

[damdo]

/lgtm

Thanks for addressing my comments

/assign @nrb @richardcase

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 5f64d3fa3341e2ef3426645208e69a234b4147e3

[damdo]

Based on the convo at https://kubernetes.slack.com/archives/CD6U2V71N/p1759420550389709

/cherry-pick release-2.9

[k8s-infra-cherrypick-robot]

@damdo: once the present PR merges, I will cherry-pick it on top of release-2.9 in a new PR and assign it to you.

In response to this:

Based on the convo at https://kubernetes.slack.com/archives/CD6U2V71N/p1759420550389709

/cherry-pick release-2.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[richardcase]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[damdo]

/cherry-pick release-2.9

[k8s-infra-cherrypick-robot]

@damdo: once the present PR merges, I will cherry-pick it on top of release-2.9 in a new PR and assign it to you.

In response to this:

/cherry-pick release-2.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mzazrivec]

/retest

[damdo]

Re-adding LGTM after rebase

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: ebc14b0e8b4a2ee7c8be29ba1b22cc7b2fbbb814

[k8s-infra-cherrypick-robot]

@damdo: #5464 failed to apply on top of branch "release-2.9":

Applying: RosaNetwork: new CRD & reconciler to provision net infra for ROSA-HCP
Using index info to reconstruct a base tree...
M	PROJECT
M	config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
M	config/crd/kustomization.yaml
M	config/rbac/role.yaml
M	controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
M	controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go
M	controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
M	controlplane/rosa/controllers/rosacontrolplane_controller.go
M	exp/api/v1beta2/zz_generated.deepcopy.go
M	go.mod
M	main.go
Falling back to patching base and 3-way merge...
Auto-merging main.go
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
Auto-merging exp/api/v1beta2/zz_generated.deepcopy.go
CONFLICT (content): Merge conflict in exp/api/v1beta2/zz_generated.deepcopy.go
Auto-merging controlplane/rosa/controllers/rosacontrolplane_controller.go
CONFLICT (content): Merge conflict in controlplane/rosa/controllers/rosacontrolplane_controller.go
Auto-merging controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
CONFLICT (content): Merge conflict in controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
Auto-merging controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go
CONFLICT (content): Merge conflict in controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go
Auto-merging controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
CONFLICT (content): Merge conflict in controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
Auto-merging config/rbac/role.yaml
CONFLICT (content): Merge conflict in config/rbac/role.yaml
Auto-merging config/crd/kustomization.yaml
CONFLICT (content): Merge conflict in config/crd/kustomization.yaml
Auto-merging config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
CONFLICT (content): Merge conflict in config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
Auto-merging PROJECT
CONFLICT (content): Merge conflict in PROJECT
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 RosaNetwork: new CRD & reconciler to provision net infra for ROSA-HCP

In response to this:

/cherry-pick release-2.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[serngawy]

/cherry-pick release-2.9

[k8s-infra-cherrypick-robot]

@serngawy: new pull request created: #5701

In response to this:

/cherry-pick release-2.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.