diff --git a/api/v1beta2/ocicluster_webhook_test.go b/api/v1beta2/ocicluster_webhook_test.go
index db335471..933ea58e 100644
--- a/api/v1beta2/ocicluster_webhook_test.go
+++ b/api/v1beta2/ocicluster_webhook_test.go
@@ -244,6 +244,29 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 errorMgsShouldContain: "subnet role invalid",
 expectErr: true,
 },
+ {
+ name: "allow subnet custom role",
+ c: &OCICluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIClusterSpec{
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ CIDR: "10.0.0.0/16",
+ Subnets: []*Subnet{
+ &Subnet{
+ Role: Custom,
+ },
+ },
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
 {
 name: "shouldn't allow invalid role",
 c: &OCICluster{
@@ -393,6 +416,26 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 errorMgsShouldContain: "networkSecurityGroup role invalid",
 expectErr: true,
 },
+ {
+ name: "allow nsg custom role",
+ c: &OCICluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIClusterSpec{
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ NetworkSecurityGroup: NetworkSecurityGroup{List: []*NSG{{
+ Role: Custom,
+ }}},
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
 {
 name: "should allow blank region",
 c: &OCICluster{
diff --git a/api/v1beta2/ocimanagedcluster_webhook_test.go b/api/v1beta2/ocimanagedcluster_webhook_test.go
index 1c25c9ad..365ad83d 100644
--- a/api/v1beta2/ocimanagedcluster_webhook_test.go
+++ b/api/v1beta2/ocimanagedcluster_webhook_test.go
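Review bot: The new element literal `&Subnet{ Role: Custom, },` inside `Subnets: []*Subnet{` spells out the pointer type the slice literal already implies; `gofmt -s` reduces it to `{ Role: Custom, },`, which is the form the NSG case in the second hunk of this file already uses (`[]*NSG{{ … }}`). The same `&Subnet{` appears in the custom-subnet case added to ocimanagedcluster_webhook_test.go. Both new positive cases give the custom subnet no CIDR and no name, so they show only that the role itself is accepted; if the webhook checks subnet CIDRs against the VCN CIDR for the other roles, a custom subnet with an out-of-range CIDR expecting an error would show that `custom` does not bypass that check. TestOCICluster_ValidateCreate begins and ends outside the hunk.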
@@ -267,6 +267,30 @@ func TestOCIManagedCluster_ValidateCreate(t *testing.T) {
 errorMgsShouldContain: "subnet role invalid",
 expectErr: true,
 },
+ {
+ name: "should allow custom subnet role",
+ c: &OCIManagedCluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIManagedClusterSpec{
+ Region: "",
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ CIDR: "10.0.0.0/16",
+ Subnets: []*Subnet{
+ &Subnet{
+ Role: Custom,
+ },
+ },
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
 {
 name: "should allow empty subnet name",
 c: &OCIManagedCluster{
@@ -380,6 +404,28 @@ func TestOCIManagedCluster_ValidateCreate(t *testing.T) {
 errorMgsShouldContain: "networkSecurityGroup role invalid",
 expectErr: true,
 },
+ {
+ name: "should allow custom NSG role",
+ c: &OCIManagedCluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: goodClusterName,
+ },
+ Spec: OCIManagedClusterSpec{
+ CompartmentId: "ocid",
+ OCIResourceIdentifier: "uuid",
+ NetworkSpec: NetworkSpec{
+ Vcn: VCN{
+ NetworkSecurityGroup: NetworkSecurityGroup{
+ List: []*NSG{{
+ Role: Custom,
+ }},
+ },
+ },
+ },
+ },
+ },
+ expectErr: false,
+ },
 {
 name: "should allow blank region",
 c: &OCIManagedCluster{
diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
index 38bcfae4..f7be929b 100644
--- a/api/v1beta2/types.go
+++ b/api/v1beta2/types.go
@@ -24,13 +24,14 @@ const (
 PodRole = "pod"
 Private = "private"
 Public = "public"
+ Custom = "custom"
 )
 // OCIClusterSubnetRoles a slice of all the subnet roles for self managed cluster
-var OCIClusterSubnetRoles = []Role{ControlPlaneRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole}
+var OCIClusterSubnetRoles = []Role{ControlPlaneRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole, Custom}
 // OCIManagedClusterSubnetRoles a slice of all the subnet roles for managed cluster
-var OCIManagedClusterSubnetRoles = []Role{PodRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole}
+var OCIManagedClusterSubnetRoles = []Role{PodRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole, Custom}
 // NetworkDetails defines the configuration options for the network
 type NetworkDetails struct {
diff --git a/docs/src/networking/custom-networking.md b/docs/src/networking/custom-networking.md
index 47967b20..c8708ec6 100644
--- a/docs/src/networking/custom-networking.md
+++ b/docs/src/networking/custom-networking.md
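Review bot: `Custom = "custom"` is added without a comment and without the `Role` suffix the other role constants carry (`PodRole`, `WorkerRole`), in a block that also holds the subnet-type values `Private` and `Public`, so a reader cannot tell from the declaration which kind of value it is; a doc line such as `// Custom marks a subnet or NSG that belongs to no cluster component; its security rules are taken from the spec rather than derived from a role.` would settle that (confirm the second clause against the reconciler, which is not in this diff). Appending it to OCIClusterSubnetRoles and OCIManagedClusterSubnetRoles is what makes the webhooks accept it, but any code that switches over a subnet or NSG role to pick defaults (security rules, subnet placement) now receives `custom` too and should treat it as "no defaults" rather than fall into a default branch — worth checking since that code is outside this change. The const block starts before the hunk.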
@@ -300,6 +300,45 @@ spec:
 loadBalancerType: "lb"
 ```
+## Example spec to use custom role
+
+CAPOCI can be used to create Subnet/NSG in the VCN for custom workloads such as private load balancers,
+dedicated subnet for DB connection etc. The roles for such custom subnest must be defined as `custom`.
+The following spec shows an example for this scenario.
+
+```yaml
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+kind: OCICluster
+metadata:
+ name: "${CLUSTER_NAME}"
+spec:
+ compartmentId: "${OCI_COMPARTMENT_ID}"
+ networkSpec:
+ vcn:
+ name: ${CLUSTER_NAME}
+ subnets:
+ - name: db
+ role: custom
+ type: public
+ cidr: "172.16.5.0/28"
+ networkSecurityGroup:
+ list:
+ - name: db
+ role: custom
+ egressRules:
+ - egressRule:
+ isStateless: false
+ destination: "172.16.5.0/28"
+ protocol: "6"
+ destinationType: "CIDR_BLOCK"
+ description: "All traffic to control plane nodes"
+ tcpOptions:
+ destinationPortRange:
+ max: 6443
+ min: 6443
+```
+
 [sl-vs-nsg]: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm#comparison
 [externally-managed-cluster-infrastructure]: ../gs/externally-managed-cluster-infrastructure.md#example-spec-for-externally-managed-vcn-infrastructure
 [oci-nlb]: https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/introducton.htm#Overview