
OCPBUGS-54502: ensure ctrplane nodes can access bootstrap MCS#9689

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from tthvo:OCPBUGS-54502
May 8, 2025

Conversation

@tthvo
Member

@tthvo tthvo commented May 6, 2025

When using BYO subnets, users might define subnets in aws.vpc.subnets and define the machineCIDRs in the installconfig from those subnets.

Previously, an SG attached to the API LB only allowed ingress to tcp/22623 (MCS) from only the first machineCIDR, which blocks master nodes from reaching MCS on the bootstrap node.

This commit adjusts the source for the SG rule to allow ingress from control plane nodes via SG reference instead of relying on the machineCIDR field.

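The two rule shapes described in the PR, modelled as an added Go example that is not code from the openshift/installer PR itself: a tcp/22623 ingress rule whose source is only the first machineCIDR, beside one whose source is a reference to the control-plane security group. The machine CIDRs, the security-group IDs, the instance names and their private addresses are constructed placeholders, and the evaluation logic is a stand-in for AWS security-group semantics (any matching rule admits the packet; a CIDR source matches on the source IP, an SG-referenced source matches on the groups attached to the sending instance). It also shows a general property of SG-referenced rules, not a claim about which roles the PR's rule references: an instance that does not carry the referenced group is denied whatever CIDR it sits in.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IngressRule models one security-group ingress rule. The source is either
// a set of CIDR blocks or a set of referenced security-group IDs.
type IngressRule struct {
	Protocol   string
	FromPort   int
	ToPort     int
	CidrBlocks []string // source CIDRs (empty when SourceSGs is used)
	SourceSGs  []string // source security-group IDs (empty when CidrBlocks is used)
}

// Instance is the minimal view of an EC2 instance needed to evaluate a rule.
type Instance struct {
	Name      string
	PrivateIP string
	SGs       []string // security groups attached to the instance
}

// Allows reports whether this rule admits TCP traffic from inst to port.
func (r IngressRule) Allows(inst Instance, port int) bool {
	if r.Protocol != "tcp" || port < r.FromPort || port > r.ToPort {
		return false
	}
	ip, err := netip.ParseAddr(inst.PrivateIP)
	if err != nil {
		return false
	}
	for _, c := range r.CidrBlocks {
		if p, err := netip.ParsePrefix(c); err == nil && p.Contains(ip) {
			return true
		}
	}
	for _, want := range r.SourceSGs {
		for _, have := range inst.SGs {
			if want == have {
				return true
			}
		}
	}
	return false
}

// Reachable reports whether any rule in the group admits inst on port
// (security groups are allow-lists: one matching rule is enough).
func Reachable(rules []IngressRule, inst Instance, port int) bool {
	for _, r := range rules {
		if r.Allows(inst, port) {
			return true
		}
	}
	return false
}

const mcsPort = 22623

// Constructed sample data: two BYO-subnet machine CIDRs and placeholder SG IDs.
var (
	machineCIDRs   = []string{"10.0.0.0/20", "10.0.16.0/20"}
	controlPlaneSG = "sg-00000000000000001" // placeholder control-plane SG
	workerSG       = "sg-00000000000000002" // placeholder worker SG
)

// BeforeRules has the buggy shape: the source is only the first machineCIDR.
func BeforeRules() []IngressRule {
	return []IngressRule{{Protocol: "tcp", FromPort: mcsPort, ToPort: mcsPort,
		CidrBlocks: []string{machineCIDRs[0]}}}
}

// AfterRules references the control-plane SG instead of a CIDR.
func AfterRules() []IngressRule {
	return []IngressRule{{Protocol: "tcp", FromPort: mcsPort, ToPort: mcsPort,
		SourceSGs: []string{controlPlaneSG}}}
}

// Constructed instances: masters in each machine CIDR, a worker in the first.
var (
	MasterInFirstCIDR  = Instance{"master-0", "10.0.1.10", []string{controlPlaneSG}}
	MasterInSecondCIDR = Instance{"master-1", "10.0.17.10", []string{controlPlaneSG}}
	WorkerInFirstCIDR  = Instance{"worker-0", "10.0.2.10", []string{workerSG}}
)

func main() {
	for _, inst := range []Instance{MasterInFirstCIDR, MasterInSecondCIDR, WorkerInFirstCIDR} {
		fmt.Printf("%-9s before=%-5v after=%v\n", inst.Name,
			Reachable(BeforeRules(), inst, mcsPort), Reachable(AfterRules(), inst, mcsPort))
	}
}
```

Running it prints one line per instance: master-1 (second machine CIDR) is denied under the CIDR-sourced rule and admitted under the SG-referenced one, and the SG-referenced rule no longer depends on how many machineCIDRs the install-config lists.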
@openshift-ci-robot added the labels jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type) and jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting) on May 6, 2025
@openshift-ci-robot
Contributor

@tthvo: This pull request references Jira Issue OCPBUGS-54502, which is invalid:

  • expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tthvo
Member Author

tthvo commented May 6, 2025

/jira refresh
/label platform/aws

@openshift-ci-robot added the label jira/valid-bug (Indicates that a referenced Jira bug is valid for the branch this PR is targeting) on May 6, 2025
@openshift-ci-robot
Contributor

@tthvo: This pull request references Jira Issue OCPBUGS-54502, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei


@openshift-ci-robot removed the label jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting) on May 6, 2025
@openshift-ci bot requested review from gpei, mtulio and patrickdillon on May 6, 2025 00:30
@tthvo
Member Author

tthvo commented May 6, 2025

/test e2e-aws-default-config
/test okd-scos-e2e-aws-ovn
/test e2e-aws-ovn-single-node

@patrickdillon
Contributor

openshift/release#64578 for the aws-default-config failure

@patrickdillon
Contributor

This change looks good to me and I think it is the best approach to use these node labels.

One side-effect, though, is that this would likely require changes to the BYO RHEL host workflow (openshift-ansible), which is no longer supported in 4.19, but something we must consider if we're going to backport this.

@patrickdillon
Contributor

/test ?

@openshift-ci
Contributor

openshift-ci bot commented May 6, 2025

@patrickdillon: The following commands are available to trigger required jobs:

/test altinfra-images
/test aro-unit
/test artifacts-images
/test e2e-agent-compact-ipv4
/test e2e-aws-ovn
/test e2e-aws-ovn-edge-zones-manifest-validation
/test e2e-aws-ovn-upi
/test e2e-azure-ovn
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upi
/test e2e-metal-ipi-ovn-ipv6
/test e2e-openstack-ovn
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi
/test gofmt
/test golint
/test govet
/test images
/test integration-tests
/test integration-tests-nodejoiner
/test openstack-manifests
/test terraform-images
/test terraform-okd-scos-images
/test terraform-okd-scos-verify-vendor
/test terraform-verify-vendor
/test unit
/test verify-codegen
/test verify-deps
/test verify-vendor

The following commands are available to trigger optional jobs:

/test altinfra-e2e-aws-custom-security-groups
/test altinfra-e2e-aws-ovn
/test altinfra-e2e-aws-ovn-fips
/test altinfra-e2e-aws-ovn-imdsv2
/test altinfra-e2e-aws-ovn-localzones
/test altinfra-e2e-aws-ovn-proxy
/test altinfra-e2e-aws-ovn-shared-vpc
/test altinfra-e2e-aws-ovn-shared-vpc-local-zones
/test altinfra-e2e-aws-ovn-shared-vpc-wavelength-zones
/test altinfra-e2e-aws-ovn-single-node
/test altinfra-e2e-aws-ovn-wavelengthzones
/test altinfra-e2e-azure-capi-ovn
/test altinfra-e2e-azure-ovn-shared-vpc
/test altinfra-e2e-gcp-capi-ovn
/test altinfra-e2e-gcp-ovn-byo-network-capi
/test altinfra-e2e-gcp-ovn-secureboot-capi
/test altinfra-e2e-gcp-ovn-xpn-capi
/test altinfra-e2e-ibmcloud-capi-ovn
/test altinfra-e2e-nutanix-capi-ovn
/test altinfra-e2e-openstack-capi-ccpmso
/test altinfra-e2e-openstack-capi-ccpmso-zone
/test altinfra-e2e-openstack-capi-dualstack
/test altinfra-e2e-openstack-capi-dualstack-upi
/test altinfra-e2e-openstack-capi-dualstack-v6primary
/test altinfra-e2e-openstack-capi-externallb
/test altinfra-e2e-openstack-capi-nfv-intel
/test altinfra-e2e-openstack-capi-ovn
/test altinfra-e2e-openstack-capi-proxy
/test altinfra-e2e-vsphere-capi-multi-vcenter-ovn
/test altinfra-e2e-vsphere-capi-ovn
/test altinfra-e2e-vsphere-capi-static-ovn
/test altinfra-e2e-vsphere-capi-zones
/test azure-ovn-marketplace-images
/test e2e-agent-4control-ipv4
/test e2e-agent-5control-ipv4
/test e2e-agent-compact-ipv4-appliance-diskimage
/test e2e-agent-compact-ipv4-none-platform
/test e2e-agent-compact-ipv6-minimaliso
/test e2e-agent-ha-dualstack
/test e2e-agent-sno-ipv4-pxe
/test e2e-agent-sno-ipv6
/test e2e-aws-default-config
/test e2e-aws-overlay-mtu-ovn-1200
/test e2e-aws-ovn-custom-iam-profile
/test e2e-aws-ovn-edge-zones
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-heterogeneous
/test e2e-aws-ovn-imdsv2
/test e2e-aws-ovn-proxy
/test e2e-aws-ovn-public-ipv4-pool
/test e2e-aws-ovn-public-ipv4-pool-disabled
/test e2e-aws-ovn-public-subnets
/test e2e-aws-ovn-shared-vpc-custom-security-groups
/test e2e-aws-ovn-shared-vpc-edge-zones
/test e2e-aws-ovn-single-node
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-upgrade
/test e2e-aws-ovn-user-provisioned-dns
/test e2e-aws-upi-proxy
/test e2e-azure-default-config
/test e2e-azure-ovn-resourcegroup
/test e2e-azure-ovn-shared-vpc
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-upi
/test e2e-azurestack
/test e2e-azurestack-upi
/test e2e-crc
/test e2e-external-aws
/test e2e-external-aws-ccm
/test e2e-gcp-default-config
/test e2e-gcp-ovn-byo-vpc
/test e2e-gcp-ovn-heterogeneous
/test e2e-gcp-ovn-techpreview
/test e2e-gcp-ovn-xpn
/test e2e-gcp-secureboot
/test e2e-gcp-upgrade
/test e2e-gcp-upi-xpn
/test e2e-gcp-user-provisioned-dns
/test e2e-ibmcloud-ovn
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-swapped-hosts
/test e2e-metal-ipi-ovn-virtualmedia
/test e2e-metal-ovn-two-node-arbiter
/test e2e-metal-single-node-live-iso
/test e2e-nutanix-ovn
/test e2e-openstack-ccpmso
/test e2e-openstack-ccpmso-zone
/test e2e-openstack-dualstack
/test e2e-openstack-dualstack-upi
/test e2e-openstack-externallb
/test e2e-openstack-nfv-intel
/test e2e-openstack-proxy
/test e2e-openstack-singlestackv6
/test e2e-powervs-capi-ovn
/test e2e-vsphere-externallb-ovn
/test e2e-vsphere-host-groups-ovn-custom-no-upgrade
/test e2e-vsphere-multi-vcenter-ovn
/test e2e-vsphere-ovn-multi-disk
/test e2e-vsphere-ovn-multi-network
/test e2e-vsphere-ovn-multi-network-techpreview
/test e2e-vsphere-ovn-techpreview
/test e2e-vsphere-ovn-upi-zones
/test e2e-vsphere-ovn-zones
/test e2e-vsphere-ovn-zones-techpreview
/test e2e-vsphere-static-ovn
/test okd-scos-e2e-aws-ovn
/test okd-scos-images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-installer-main-altinfra-e2e-aws-ovn
pull-ci-openshift-installer-main-altinfra-images
pull-ci-openshift-installer-main-aro-unit
pull-ci-openshift-installer-main-artifacts-images
pull-ci-openshift-installer-main-e2e-aws-default-config
pull-ci-openshift-installer-main-e2e-aws-ovn
pull-ci-openshift-installer-main-e2e-aws-ovn-edge-zones
pull-ci-openshift-installer-main-e2e-aws-ovn-edge-zones-manifest-validation
pull-ci-openshift-installer-main-e2e-aws-ovn-fips
pull-ci-openshift-installer-main-e2e-aws-ovn-heterogeneous
pull-ci-openshift-installer-main-e2e-aws-ovn-imdsv2
pull-ci-openshift-installer-main-e2e-aws-ovn-shared-vpc-custom-security-groups
pull-ci-openshift-installer-main-e2e-aws-ovn-shared-vpc-edge-zones
pull-ci-openshift-installer-main-e2e-aws-ovn-single-node
pull-ci-openshift-installer-main-e2e-azure-ovn-resourcegroup
pull-ci-openshift-installer-main-e2e-vsphere-externallb-ovn
pull-ci-openshift-installer-main-e2e-vsphere-ovn-multi-network
pull-ci-openshift-installer-main-e2e-vsphere-static-ovn
pull-ci-openshift-installer-main-gofmt
pull-ci-openshift-installer-main-golint
pull-ci-openshift-installer-main-govet
pull-ci-openshift-installer-main-images
pull-ci-openshift-installer-main-okd-scos-e2e-aws-ovn
pull-ci-openshift-installer-main-okd-scos-images
pull-ci-openshift-installer-main-terraform-images
pull-ci-openshift-installer-main-terraform-okd-scos-images
pull-ci-openshift-installer-main-unit
pull-ci-openshift-installer-main-verify-codegen
pull-ci-openshift-installer-main-verify-deps
pull-ci-openshift-installer-main-verify-vendor

@patrickdillon
Contributor

patrickdillon commented May 6, 2025

This may also affect UPI, which is probably more relevant than BYO RHEL host.

/test e2e-aws-ovn-upi

@patrickdillon
Contributor

Hm, perhaps UPI typically already includes the node security group, so maybe we're ok. We'll see what the test says.

/approve

@openshift-ci
Contributor

openshift-ci bot commented May 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon


@openshift-ci bot added the label approved (Indicates a PR has been approved by an approver from all required OWNERS files) on May 6, 2025
@tthvo
Member Author

tthvo commented May 6, 2025

not sure if it is relevant but good to run?

/test e2e-aws-upi-proxy
/test e2e-aws-ovn-public-ipv4-pool

@tthvo
Member Author

tthvo commented May 6, 2025

Those extra tests we just launched failed during image build with libvirt 😓 No idea, any pointers?

{  error occurred handling build libvirt-installer-amd64: could not get build libvirt-installer-amd64: builds.build.openshift.io "libvirt-installer-amd64" not found}

@patrickdillon
Contributor

/lgtm

After discussion, my backport concerns are relieved: UPI would (obviously) not have these ingress rules defined, so would not be affected; RHEL nodes don't pull ignition from the MCS.

@openshift-ci bot added the label lgtm (Indicates that a PR is ready to be merged) on May 7, 2025
@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD e7d5a17 and 2 for PR HEAD 9f87777 in total

@patrickdillon
Contributor

Those extra tests we just launched failed during image build with libvirt 😓 No idea, any pointers?

{  error occurred handling build libvirt-installer-amd64: could not get build libvirt-installer-amd64: builds.build.openshift.io "libvirt-installer-amd64" not found}

Quickly looking at these logs, these look like CI infrastructure issues to me (rather than a problem in the build configuration). I THINK it's a blip, but let's keep an eye out if we see it in other places.

@openshift-ci
Contributor

openshift-ci bot commented May 7, 2025

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                              Commit   Required  Rerun command
ci/prow/e2e-vsphere-ovn-multi-network  9f87777  false     /test e2e-vsphere-ovn-multi-network
ci/prow/e2e-aws-default-config         9f87777  false     /test e2e-aws-default-config
ci/prow/okd-scos-e2e-aws-ovn           9f87777  false     /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-public-ipv4-pool   9f87777  false     /test e2e-aws-ovn-public-ipv4-pool
ci/prow/e2e-aws-upi-proxy              9f87777  false     /test e2e-aws-upi-proxy


@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD e7d5a17 and 2 for PR HEAD 9f87777 in total

@openshift-merge-bot openshift-merge-bot bot merged commit 7a7c356 into openshift:main May 8, 2025
30 of 35 checks passed
@openshift-ci-robot
Contributor

@tthvo: Jira Issue OCPBUGS-54502: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-54502 has been moved to the MODIFIED state.


@tthvo tthvo deleted the OCPBUGS-54502 branch May 8, 2025 02:08
@openshift-bot
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer
This PR has been included in build ose-installer-container-v4.20.0-202505080511.p0.g7a7c356.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-baremetal-installer
This PR has been included in build ose-baremetal-installer-container-v4.20.0-202505080511.p0.g7a7c356.assembly.stream.el9.
All builds following this will include this PR.

@openshift-bot
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-artifacts
This PR has been included in build ose-installer-artifacts-container-v4.20.0-202505080511.p0.g7a7c356.assembly.stream.el9.
All builds following this will include this PR.

@tthvo
Member Author

tthvo commented Jun 3, 2025

/cherry-pick release-4.19

@openshift-cherrypick-robot

@tthvo: new pull request created: #9768



Labels

approved: Indicates a PR has been approved by an approver from all required OWNERS files.
jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.
jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
lgtm: Indicates that a PR is ready to be merged.
platform/aws
