eksctl-io · aclevername · Nov 8, 2021 · Oct 28, 2021 · Oct 28, 2021 · Oct 28, 2021
diff --git a/go.mod b/go.mod
@@ -295,7 +295,7 @@ require (
 	github.com/uudashr/gocognit v1.0.5 // indirect
 	github.com/vektra/mockery v1.1.2
 	github.com/voxelbrain/goptions v0.0.0-20180630082107-58cddc247ea2 // indirect
-	github.com/weaveworks/goformation/v4 v4.10.2-0.20211018090247-36559b6b4f71
+	github.com/weaveworks/goformation/v4 v4.10.2-0.20211028132421-158884031b1b
 	github.com/weaveworks/launcher v0.0.2-0.20200715141516-1ca323f1de15
 	github.com/weaveworks/schemer v0.0.0-20210802122110-338b258ad2ca
 	github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0

diff --git a/go.sum b/go.sum
@@ -1669,10 +1669,8 @@ github.com/voxelbrain/goptions v0.0.0-20180630082107-58cddc247ea2 h1:txplJASvd6b
 github.com/voxelbrain/goptions v0.0.0-20180630082107-58cddc247ea2/go.mod h1:DGCIhurYgnLz8J9ga1fMV/fbLDyUvTyrWXVWUIyJon4=
 github.com/weaveworks/aws-sdk-go v0.0.0-20211026093156-d6e6822f58db h1:K6lacvb3qzF/bHvx2RsPDw8cYA8VccOecn9e6xDEBY0=
 github.com/weaveworks/aws-sdk-go v0.0.0-20211026093156-d6e6822f58db/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
-github.com/weaveworks/goformation/v4 v4.10.2-0.20211012141859-cd360fb1f843 h1:9v19OzMM+kFcm0r2yZeoMMAvT71H/apnNWeoMKMxUz0=
-github.com/weaveworks/goformation/v4 v4.10.2-0.20211012141859-cd360fb1f843/go.mod h1:x92o12+Azh6DQ4yoXT5oEuE7dhQHR5V2vy/fmZ6pO7k=
-github.com/weaveworks/goformation/v4 v4.10.2-0.20211018090247-36559b6b4f71 h1:r0uEFnXNXamKxelHxLL7quo7R70JznL2WMyENyUHAZw=
-github.com/weaveworks/goformation/v4 v4.10.2-0.20211018090247-36559b6b4f71/go.mod h1:x92o12+Azh6DQ4yoXT5oEuE7dhQHR5V2vy/fmZ6pO7k=
+github.com/weaveworks/goformation/v4 v4.10.2-0.20211028132421-158884031b1b h1:VZPFl/yFhgVjlzsTNU4/5nZlxr4zyf3l5CFXZgG/rr8=
+github.com/weaveworks/goformation/v4 v4.10.2-0.20211028132421-158884031b1b/go.mod h1:x92o12+Azh6DQ4yoXT5oEuE7dhQHR5V2vy/fmZ6pO7k=
 github.com/weaveworks/launcher v0.0.2-0.20200715141516-1ca323f1de15 h1:i/RhLevywqC6cuUWtGdoaNrsJd+/zWh3PXbkXZIyZsU=
 github.com/weaveworks/launcher v0.0.2-0.20200715141516-1ca323f1de15/go.mod h1:w9Z1vnQmPobkEZ0F3oyiqRYP+62qDqTGnK6t5uhe1kg=
 github.com/weaveworks/mesh v0.0.0-20170419100114-1f158d31de55/go.mod h1:mcON9Ws1aW0crSErpXWp7U1ErCDEKliDX2OhVlbWRKk=

diff --git a/pkg/apis/eksctl.io/v1alpha5/assets/schema.json b/pkg/apis/eksctl.io/v1alpha5/assets/schema.json
@@ -585,6 +585,12 @@
             "IPv6"
           ]
         },
+        "ipv6Cidr": {
+          "type": "string"
+        },
+        "ipv6Pool": {
+          "type": "string"
+        },
         "manageSharedNodeSecurityGroupRules": {
           "type": "boolean",
           "description": "Automatically add security group rules to and from the default cluster security group and the shared node security group. This allows unmanaged nodes to communicate with the control plane and managed nodes. This option cannot be disabled when using eksctl created security groups.",
@@ -622,6 +628,8 @@
         "id",
         "cidr",
         "ipFamily",
+        "ipv6Cidr",
+        "ipv6Pool",
         "securityGroup",
         "subnets",
         "extraCIDRs",

diff --git a/pkg/apis/eksctl.io/v1alpha5/schema.go b/pkg/apis/eksctl.io/v1alpha5/schema.go
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -174,8 +174,13 @@ func (c *ClusterConfig) ValidateVPCConfig() error {
 	if c.VPC.IPFamily != IPV4Family && c.VPC.IPFamily != IPV6Family {
 		return fmt.Errorf("invalid value %s for ipFamily; allowed are %s and %s", c.VPC.IPFamily, IPV4Family, IPV6Family)
 	}
+
 	// This is the new vpc check, I need this check when the user sets it.
 	if c.VPC.IPFamily == IPV6Family {
+		if err := c.ipv6CidrsValid(); err != nil {
+			return err
+		}
+
 		if missing := c.addonContainsManagedAddons([]string{VPCCNIAddon, CoreDNSAddon, KubeProxyAddon}); len(missing) != 0 {
 			return fmt.Errorf("the default core addons must be defined in case of IPv6; missing addon(s): %s", strings.Join(missing, ", "))
 		}
@@ -202,13 +207,26 @@ func (c *ClusterConfig) ValidateVPCConfig() error {
 		}
 	}
 
+	if c.VPC.IPFamily == IPV4Family {
+		if c.VPC.IPv6Cidr != "" || c.VPC.IPv6Pool != "" {
+			return fmt.Errorf("Ipv6Cidr and Ipv6CidrPool is only supportd when IPFamily is set to IPv6")
+		}
+	}
+
 	// manageSharedNodeSecurityGroupRules cannot be disabled if using eksctl managed security groups
 	if c.VPC.SharedNodeSecurityGroup == "" && IsDisabled(c.VPC.ManageSharedNodeSecurityGroupRules) {
 		return errors.New("vpc.manageSharedNodeSecurityGroupRules must be enabled when using ekstcl-managed security groups")
 	}
 	return nil
 }
 
+func (c *ClusterConfig) ipv6CidrsValid() error {
+	if (c.VPC.IPv6Cidr == "" && c.VPC.IPv6Pool == "") || (c.VPC.IPv6Cidr != "" && c.VPC.IPv6Pool != "") {
+		return nil
+	}
+	return fmt.Errorf("Ipv6Cidr and Ipv6Pool must both be configured to use a custom IPv6 CIDR and address pool")
+}
+
 // addonContainsManagedAddons finds managed addons in the config and returns those it couldn't find.
 func (c *ClusterConfig) addonContainsManagedAddons(addons []string) []string {
 	var missing []string

diff --git a/pkg/apis/eksctl.io/v1alpha5/validation_test.go b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
@@ -546,6 +546,8 @@ var _ = Describe("ClusterConfig validation", func() {
 				It("accepts that setting", func() {
 					cfg.VPC.NAT = nil
 					cfg.VPC.IPFamily = api.IPV6Family
+					cfg.VPC.IPv6Cidr = "foo"
+					cfg.VPC.IPv6Pool = "bar"
 					cfg.Addons = append(cfg.Addons,
 						&api.Addon{Name: api.KubeProxyAddon},
 						&api.Addon{Name: api.CoreDNSAddon},
@@ -708,6 +710,38 @@ var _ = Describe("ClusterConfig validation", func() {
 			})
 		})
 
+		Context("ipv6 CIDRs", func() {
+			When("IPv6Cidr or IPv6CidrPool is provided and ipv6 is not set", func() {
+				It("returns an error", func() {
+					cfg.VPC.IPFamily = api.IPV4Family
+					cfg.VPC.IPv6Cidr = "foo"
+					err = cfg.ValidateVPCConfig()
+					Expect(err).To(MatchError("Ipv6Cidr and Ipv6CidrPool is only supportd when IPFamily is set to IPv6"))
+
+					cfg.VPC.IPFamily = api.IPV4Family
+					cfg.VPC.IPv6Cidr = ""
+					cfg.VPC.IPv6Pool = "bar"
+					err = cfg.ValidateVPCConfig()
+					Expect(err).To(MatchError("Ipv6Cidr and Ipv6CidrPool is only supportd when IPFamily is set to IPv6"))
+				})
+			})
+
+			When("only one of IPv6Cidr or IPv6CidrPool is provided and ipv6 is set", func() {
+				It("returns an error", func() {
+					cfg.VPC.IPFamily = api.IPV6Family
+					cfg.VPC.IPv6Cidr = "foo"
+					err = cfg.ValidateVPCConfig()
+					Expect(err).To(MatchError("Ipv6Cidr and Ipv6Pool must both be configured to use a custom IPv6 CIDR and address pool"))
+
+					cfg.VPC.IPFamily = api.IPV6Family
+					cfg.VPC.IPv6Cidr = ""
+					cfg.VPC.IPv6Pool = "bar"
+					err = cfg.ValidateVPCConfig()
+					Expect(err).To(MatchError("Ipv6Cidr and Ipv6Pool must both be configured to use a custom IPv6 CIDR and address pool"))
+				})
+			})
+		})
+
 		Context("extraIPv6CIDRs", func() {
 			It("validates cidrs", func() {
 				cfg.VPC.IPFamily = api.IPV6Family

diff --git a/pkg/apis/eksctl.io/v1alpha5/vpc.go b/pkg/apis/eksctl.io/v1alpha5/vpc.go
@@ -190,6 +190,10 @@ type (
 		// Valid variants are `IPFamily` constants
 		// +optional
 		IPFamily string `json:"ipFamily,omitempty"`
+		// +optional
+		IPv6Cidr string `json:"ipv6Cidr,omitempty"`
+		// +optional
+		IPv6Pool string `json:"ipv6Pool,omitempty"`
 	}
 	// ClusterNAT NAT config
 	ClusterNAT struct {

diff --git a/pkg/cfn/builder/fakes/fake_cfn_template.go b/pkg/cfn/builder/fakes/fake_cfn_template.go
@@ -66,7 +66,8 @@ type Properties struct {
 	MapPublicIPOnLaunch                                     bool
 	AssignIpv6AddressOnCreation                             *bool
 
-	Ipv6CidrBlock           map[string][]interface{}
+	Ipv6CidrBlock           interface{}
+	Ipv6Pool                string
 	CidrBlock               interface{}
 	KubernetesNetworkConfig KubernetesNetworkConfig
 

diff --git a/pkg/cfn/builder/vpc_ipv4_test.go b/pkg/cfn/builder/vpc_ipv4_test.go
@@ -385,33 +385,10 @@ var _ = Describe("VPC Template Builder", func() {
 			It("adds the correct subnet resources to the resource set", func() {
 				Expect(vpcTemplate.Resources).To(HaveKey("PublicUSWEST2ACIDRv6"))
 				Expect(vpcTemplate.Resources["PublicUSWEST2ACIDRv6"].Properties.SubnetID).To(Equal(makeRef(publicSubnetRef1)))
-				Expect(vpcTemplate.Resources["PublicUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"]).To(HaveLen(2))
-				Expect(vpcTemplate.Resources["PublicUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][0].(float64)).To(BeNumerically("~", 0, 8))
-				actualFnCIDR, err := json.Marshal(vpcTemplate.Resources["PublicUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][1])
-				Expect(err).NotTo(HaveOccurred())
-				Expect(actualFnCIDR).To(MatchJSON([]byte(expectedFnCIDR)))
-
-				Expect(vpcTemplate.Resources).To(HaveKey("PublicUSWEST2BCIDRv6"))
-				Expect(vpcTemplate.Resources["PublicUSWEST2BCIDRv6"].Properties.SubnetID).To(Equal(makeRef(publicSubnetRef2)))
-				Expect(vpcTemplate.Resources["PublicUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"]).To(HaveLen(2))
-				Expect(vpcTemplate.Resources["PublicUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][0].(float64)).To(BeNumerically("~", 0, 8))
-				actualFnCIDR, err = json.Marshal(vpcTemplate.Resources["PublicUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][1])
-				Expect(err).NotTo(HaveOccurred())
-				Expect(actualFnCIDR).To(MatchJSON([]byte(expectedFnCIDR)))
-
-				Expect(vpcTemplate.Resources["PrivateUSWEST2ACIDRv6"].Properties.SubnetID).To(Equal(makeRef(privateSubnetRef1)))
-				Expect(vpcTemplate.Resources["PrivateUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"]).To(HaveLen(2))
-				Expect(vpcTemplate.Resources["PrivateUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][0].(float64)).To(BeNumerically("~", 0, 8))
-				actualFnCIDR, err = json.Marshal(vpcTemplate.Resources["PrivateUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][1])
-				Expect(err).NotTo(HaveOccurred())
-				Expect(actualFnCIDR).To(MatchJSON([]byte(expectedFnCIDR)))
-
-				Expect(vpcTemplate.Resources["PrivateUSWEST2BCIDRv6"].Properties.SubnetID).To(Equal(makeRef(privateSubnetRef2)))
-				Expect(vpcTemplate.Resources["PrivateUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"]).To(HaveLen(2))
-				Expect(vpcTemplate.Resources["PrivateUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][0].(float64)).To(BeNumerically("~", 0, 8))
-				actualFnCIDR, err = json.Marshal(vpcTemplate.Resources["PrivateUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock["Fn::Select"][1])
-				Expect(err).NotTo(HaveOccurred())
-				Expect(actualFnCIDR).To(MatchJSON([]byte(expectedFnCIDR)))
+				assertIpv6CidrBlockCreatedWithSelect(vpcTemplate.Resources["PublicUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock, expectedFnCIDR)
+				assertIpv6CidrBlockCreatedWithSelect(vpcTemplate.Resources["PublicUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock, expectedFnCIDR)
+				assertIpv6CidrBlockCreatedWithSelect(vpcTemplate.Resources["PrivateUSWEST2BCIDRv6"].Properties.Ipv6CidrBlock, expectedFnCIDR)
+				assertIpv6CidrBlockCreatedWithSelect(vpcTemplate.Resources["PrivateUSWEST2ACIDRv6"].Properties.Ipv6CidrBlock, expectedFnCIDR)
 			})
 		})
 
@@ -557,3 +534,13 @@ func makeRTOutput(subnetIds []string, main bool) *ec2.DescribeRouteTablesOutput
 		}},
 	}
 }
+
+func assertIpv6CidrBlockCreatedWithSelect(cidrBlock interface{}, expectedFnCIDR string) {
+	ExpectWithOffset(1, cidrBlock.(map[string]interface{})).To(HaveKey("Fn::Select"))
+	fnSelectValue := cidrBlock.(map[string]interface{})["Fn::Select"].([]interface{})
+	ExpectWithOffset(1, fnSelectValue).To(HaveLen(2))
+	ExpectWithOffset(1, fnSelectValue[0].(float64)).To(BeNumerically("~", 0, 8))
+	actualFnCIDR, err := json.Marshal(fnSelectValue[1])
+	ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	ExpectWithOffset(1, actualFnCIDR).To(MatchJSON([]byte(expectedFnCIDR)))
+}
diff --git a/pkg/cfn/builder/vpc_ipv6.go b/pkg/cfn/builder/vpc_ipv6.go
@@ -36,11 +36,7 @@ func (v *IPv6VPCResourceSet) CreateTemplate() (*gfnt.Value, *SubnetDetails, erro
 		EnableDnsHostnames: gfnt.True(),
 	})
 
-	v.rs.newResource(IPv6CIDRBlockKey, &gfnec2.VPCCidrBlock{
-		AmazonProvidedIpv6CidrBlock: gfnt.True(),
-		VpcId:                       gfnt.MakeRef(VPCResourceKey),
-	})
-
+	v.addIpv6CidrBlock()
 	refIGW := v.rs.newResource(IGWKey, &gfnec2.InternetGateway{})
 
 	v.rs.newResource(GAKey, &gfnec2.VPCGatewayAttachment{
@@ -147,6 +143,23 @@ func (v *IPv6VPCResourceSet) CreateTemplate() (*gfnt.Value, *SubnetDetails, erro
 	}, nil
 }
 
+func (v *IPv6VPCResourceSet) addIpv6CidrBlock() {
+	if v.clusterConfig.VPC.IPv6Cidr != "" {
+		v.rs.newResource(IPv6CIDRBlockKey, &gfnec2.VPCCidrBlock{
+			AmazonProvidedIpv6CidrBlock: gfnt.False(),
+			Ipv6CidrBlock:               v.clusterConfig.VPC.IPv6Cidr,
+			Ipv6Pool:                    v.clusterConfig.VPC.IPv6Pool,
+			VpcId:                       gfnt.MakeRef(VPCResourceKey),
+		})
+		return
+	}
+
+	v.rs.newResource(IPv6CIDRBlockKey, &gfnec2.VPCCidrBlock{
+		AmazonProvidedIpv6CidrBlock: gfnt.True(),
+		VpcId:                       gfnt.MakeRef(VPCResourceKey),
+	})
+}
+
 func (v *IPv6VPCResourceSet) RenderJSON() ([]byte, error) {
 	return v.rs.renderJSON()
 }