Alibaba: support existing VPC, VSwitchs and PrivateZone

[bd233]

This PR is based on #5378
If the user wants the Installer to install the cluster in an existing network, it is now supported.

[openshift-ci]

Hi @bd233. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[staebler]

In the future, please refrain from adding so many separate parts in one commit.
For example, it would have been better to have one commit each for the existing VPC, the existing VSwitches, and the existing private zones. They could also be done as separate PRs, which would make it much faster to get approval.

[staebler]

Why would the cluster destroy delete the VPC? Is that because the VPC must be in the existing resource group? If so, then we are missing some validation. If not, then I don't think that the cluster destroy should delete the existing VPC.

[bd233]

I think there is no clear description here. If VpcID is empty, a new VPC will be created, and released when the cluster is destroyed.

[staebler]

My suggestion is to remove the language around deleting the VPC.

	// VpcID is the ID of the VPC into which the cluster's machines will be created.
	// Leave the VPC ID unset to have the installer create a VPC on your behalf.

[staebler]

This should be checked via static validation in pkg/types/alibabacloud/validation/platform.go.

[staebler]

Globally, replace VSwitchs with VSwitches.

Suggested change

	// VSwitchIDs is the ID list of already existing VSwitchs where the master should be created.
	// VSwitchIDs is the ID list of already existing VSwitches where the masters should be created.

[staebler]

The vswitches are not just for the masters.

[bd233]

@staebler I have updated, please continue to review

[jstuever]

/uncc

[patrickdillon]

/ok-to-test

[staebler]

Suggested change

	description = "The availability zones in which to create the masters. The length of this list must match master_count."
	description = "The availability zones in which to create the masters. The length of this list must match instance_count."

[kwoodson]

@bd233 Please update, thanks.

[staebler]

This count is not correct when the installer is creating the vSwitches. Using length(var.zone_ids) assumes that the zones in var.zone_ids are unique. If the master replica count is greater than the number of availability zones used, then this will create multiple vSwitches in some of the zones, and those extras will be omitted from the mapping from zone ID to vSwitch ID.

[bd233]

I can solve this by length(toset(var.zone_ids)), but I think this may not be the most suitable solution. I should ensure that the zones in var_zone_ids is unique, at the same time, the length of ali_zone_ids need not be equal master_count. WDYT?

[staebler]

Yes, var.zone_ids should be a distinct list of availability zones. It should also include zones for the workers, which appears to be missing currently.

[bd233]

Yes, thank you for your reminder, the worker zones is missing currently, I will create a new PR to update.

[bd233]

Yes, var.zone_ids should be a distinct list of availability zones. It should also include zones for the workers, which appears to be missing currently.

@staebler #5438

[staebler]

Suggested change

	if ic.AlibabaCloud.VSwitchIDs != nil {
	if len(ic.AlibabaCloud.VSwitchIDs) != 0 {

[staebler]

See above for the comment regarding deleting the VPC.

[staebler]

I assume that since the vSwitch is part of the VPC, that the vSwitches can only be user-provided if the VPC is also user-provided. If so, then there should (1) be text to that affect in this description, (2) be validation that the VPC ID is specified when the vSwitch IDs are specified, and (3) be validation that the vSwitches are part of the VPC.

[bd233]

Regarding (2) and (3), relevant validation have already been made, and I will add text in this description

that the vSwitches can only be user-provided if the VPC is also user-provided.

I disagree with this point. I think it’s okay for the user to only provide the VPC ID, and the installer will create the VSwitches

[staebler]

Sorry, I thought that I had deleted parts (2) and (3) after re-checking that the validation was indeed already there.

that the vSwitches can only be user-provided if the VPC is also user-provided.

I disagree with this point. I think it’s okay for the user to only provide the VPC ID, and the installer will create the VSwitches

Yes, I agree that it is OK to use a user-provided VPC and installer-generated VSwitches. My point is the converse. If the user provides the VSwitches, then they must all provide the VPC. I would like to call that out specifically in the description for the field so that the user does not assume that the installer will deduce the VPC to use from the VSwitches (which the installer could presumably do).

[staebler]

nit not related to this PR: This would be a lot easier to read if it used the max function.

Suggested change

	newbits = tonumber(split("/", var.vpc_cidr_block)[1]) < 16 ? 20 - tonumber(split("/", var.vpc_cidr_block)[1]) : 4
	newbits = max(4, 20 - tonumber(split("/", var.vpc_cidr_block)[1]))

[bd233]

Okey, thanks

[bd233]

PR #5414

[staebler]

Use a map instead of a list.

[staebler]

Include the index to the duplicate in the field path.

[staebler]

Still need to include the index in the field path.

Suggested change

	allErrs = append(allErrs, field.Duplicate(fldPath.Child("vswitchIDs"), vswitchID))
	allErrs = append(allErrs, field.Duplicate(fldPath.Child("vswitchIDs").Index(i), vswitchID))

[staebler]

Is this strictly true? Or could the user-supplied VPC be in the resource group?

[bd233]

In fact, it has no effect if it is not empty. we will not query and destroy resources through resource group. So this description is incorrect, I will delete it.

[staebler]

Will the destroyer delete the resource group if it is user-supplied?

[staebler]

In what way are these values going to be used while destroying the cluster?

[bd233]

I have to admit that these are not used, I will delete it.

[bd233]

@staebler I should have updated everything, please continue to review

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[kwoodson]

@staebler Looks like an error in the AWS terraform generation. Any ideas on this one?

level=error
level=error msg=Error: Provider produced inconsistent result after apply
level=error
level=error msg=When applying changes to module.vpc.aws_vpc_dhcp_options_association.main[0],
level=error msg=provider "registry.terraform.io/-/aws" produced an unexpected new value for
level=error msg=was present, but now absent.
level=error
level=error msg=This is a bug in the provider, which should be reported in the provider's own
level=error msg=issue tracker.
level=error
level=fatal msg=failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply Terraform: failed to complete the change

[mtulio]

@kwoodson this looks like a possible flake similar to what was reported in hashicorp/terraform-provider-aws#16142
/retest-required

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[mtulio]

/test e2e-aws

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@bd233: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-libvirt	4be9a0b	link	false	/test e2e-libvirt
ci/prow/e2e-aws-single-node	4be9a0b	link	false	/test e2e-aws-single-node
ci/prow/e2e-aws-workers-rhel7	4be9a0b	link	false	/test e2e-aws-workers-rhel7
ci/prow/okd-e2e-aws	4be9a0b	link	false	/test okd-e2e-aws
ci/prow/e2e-aws-fips	4be9a0b	link	false	/test e2e-aws-fips
ci/prow/e2e-crc	4be9a0b	link	false	/test e2e-crc

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.