Add custom role support (#313)

* Add support for custom roles in NSG/Subnet
oracle · Aug 5, 2023 · 45e5b26 · 45e5b26
1 parent bb5aea3
commit 45e5b26
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 2 deletions.
diff --git a/api/v1beta2/ocicluster_webhook_test.go b/api/v1beta2/ocicluster_webhook_test.go
@@ -244,6 +244,29 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
  errorMgsShouldContain: "subnet role invalid",
  expectErr: true,
  },
+ {
+ name: "allow subnet custom role",
+ c: &OCICluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIClusterSpec{
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ CIDR: "10.0.0.0/16",
+ Subnets: []*Subnet{
+ &Subnet{
+ Role: Custom,
+ },
+ },
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
  {
  name: "shouldn't allow invalid role",
  c: &OCICluster{
@@ -393,6 +416,26 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
  errorMgsShouldContain: "networkSecurityGroup role invalid",
  expectErr: true,
  },
+ {
+ name: "allow nsg custom role",
+ c: &OCICluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIClusterSpec{
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ NetworkSecurityGroup: NetworkSecurityGroup{List: []*NSG{{
+ Role: Custom,
+ }}},
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
  {
  name: "should allow blank region",
  c: &OCICluster{

diff --git a/api/v1beta2/ocimanagedcluster_webhook_test.go b/api/v1beta2/ocimanagedcluster_webhook_test.go
@@ -267,6 +267,30 @@ func TestOCIManagedCluster_ValidateCreate(t *testing.T) {
  errorMgsShouldContain: "subnet role invalid",
  expectErr: true,
  },
+ {
+ name: "should allow custom subnet role",
+ c: &OCIManagedCluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIManagedClusterSpec{
+ Region: "",
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ CIDR: "10.0.0.0/16",
+ Subnets: []*Subnet{
+ &Subnet{
+ Role: Custom,
+ },
+ },
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
  {
  name: "should allow empty subnet name",
  c: &OCIManagedCluster{
@@ -380,6 +404,28 @@ func TestOCIManagedCluster_ValidateCreate(t *testing.T) {
  errorMgsShouldContain: "networkSecurityGroup role invalid",
  expectErr: true,
  },
+ {
+ name: "should allow custom NSG role",
+ c: &OCIManagedCluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIManagedClusterSpec{
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ NetworkSecurityGroup: NetworkSecurityGroup{
+ List: []*NSG{{
+ Role: Custom,
+ }},
+ },
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
  {
  name: "should allow blank region",
  c: &OCIManagedCluster{

diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -24,13 +24,14 @@ const (
  PodRole = "pod"
  Private = "private"
  Public = "public"
+ Custom = "custom"
 )
 
 // OCIClusterSubnetRoles a slice of all the subnet roles for self managed cluster
-var OCIClusterSubnetRoles = []Role{ControlPlaneRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole}
+var OCIClusterSubnetRoles = []Role{ControlPlaneRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole, Custom}
 
 // OCIManagedClusterSubnetRoles a slice of all the subnet roles for managed cluster
-var OCIManagedClusterSubnetRoles = []Role{PodRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole}
+var OCIManagedClusterSubnetRoles = []Role{PodRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole, Custom}
 
 // NetworkDetails defines the configuration options for the network
 type NetworkDetails struct {

diff --git a/docs/src/networking/custom-networking.md b/docs/src/networking/custom-networking.md
@@ -300,6 +300,45 @@ spec:
  loadBalancerType: "lb"
 ```
 
+## Example spec to use custom role
+
+CAPOCI can be used to create Subnet/NSG in the VCN for custom workloads such as private load balancers,
+dedicated subnet for DB connection etc. The roles for such custom subnest must be defined as `custom`.
+The following spec shows an example for this scenario.
+
+```yaml
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+kind: OCICluster
+metadata:
+ name: "${CLUSTER_NAME}"
+spec:
+ compartmentId: "${OCI_COMPARTMENT_ID}"
+ networkSpec:
+ vcn:
+ name: ${CLUSTER_NAME}
+ subnets:
+ - name: db
+ role: custom
+ type: public
+ cidr: "172.16.5.0/28"
+ networkSecurityGroup:
+ list:
+ - name: db
+ role: custom
+ egressRules:
+ - egressRule:
+ isStateless: false
+ destination: "172.16.5.0/28"
+ protocol: "6"
+ destinationType: "CIDR_BLOCK"
+ description: "All traffic to control plane nodes"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+```
+
 [sl-vs-nsg]: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm#comparison
 [externally-managed-cluster-infrastructure]: ../gs/externally-managed-cluster-infrastructure.md#example-spec-for-externally-managed-vcn-infrastructure
 [oci-nlb]: https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/introducton.htm#Overview