✨ Support of managing subnets on AWS Wavelength Zones

[mtulio]

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

This PR implements support of managed subnets and carrier gateway for AWS Wavelength zones. Feature request #4874 .

There API is changed to introduce the following fields:

• VPCSpec.CarrierGatewayID: representation of Carrier Gateway resource ("internet gateway" for AWS Wavelength Zones)
• SubnetSpec.ZoneType: representation of subnet's zone type
• SubnetSpec.ParentZoneName: representation of subnet's parent zone name (an availability zone in the Region which the edge zone is tied)

The subnets in AWS Local Zones and Wavelength Zones are not eligible to create core components for the cluster, like NAT Gateway, Control Plane nodes, and Network Load Balancers, keeping compatibility with existing flow when edge subnets are added.

To create subnets in edge zones, the subnet must be added for each zone you want to create the subnet in NetworkSpec.Subnets. For example to create subnets in Wavelength Zone us-east-1-wl1-nyc-wlz-1, set:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSCluster
metadata:
  name: aws-cluster-wavelength
spec:
  region: us-east-1
  networkSpec:
    vpc:
      cidrBlock: "10.0.0.0/20"
    subnets:
    # regular zones (availability zones. Eg us-east-1a, us-east-1b...)
    [...]
    # Subnets in Wavelength Zones of New York location (public and private)
    - availabilityZone: us-east-1-wl1-nyc-wlz-1
      cidrBlock: "10.0.128.0/25"
      id: "cluster-subnet-private-us-east-1-wl1-nyc-wlz-1"
      isPublic: false
    - availabilityZone: us-east-1-wl1-nyc-wlz-1
      cidrBlock: "10.0.128.128/25"
      id: "cluster-subnet-public-us-east-1-wl1-nyc-wlz-1"
      isPublic: true

This PR is a super set and includes it's dependencies, isolated on each PRs (and it is blocked by those):

• Support of Local Zones: ✨ Introduce edge subnets to support AWS Local Zones #4882
• Fix route table error handler: 🐛 fix/network/rtb: delete rtb handling err when failed to create routes #4899
• Refeact route table/route creation: 🌱 refactor route discover/creation flow #4900
• Fix subnet information in unmanaged when failed to tag subnet 🐛 fix: update network subnets prio tag failures #4917
• Isolate nat gateway lookup 🌱 net/natgws: introduce test units for nat gateways #4923

Which issue(s) this PR fixes *

Ref #4874

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• includes emojis
• adds unit tests
• adds or updates e2e tests

Release note:

action required
Support deploying network requirements, subnets and carrier gateway, in AWS Wavelength Zones. This introduces new required IAM permissions. If you have an existing stack you will need to update it with clusterawsadm bootstrap iam create-cloudformation-stack

[k8s-ci-robot]

Hi @mtulio. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rvanderp3]

/test pull-cluster-api-provider-aws-test

[rvanderp3]

/test pull-cluster-api-provider-aws-build

[rvanderp3]

/test pull-cluster-api-provider-aws-test

[mtulio]

@richardcase , feedback addressed. 👍🏽

[mtulio]

e2e finished successfully in the first run after rebase. Triggering again after adding cloudformation permissions.

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks

/assign @richardcase

[mtulio]

e2e job 1782910662712758272 failed, looks like timeout.

/test pull-cluster-api-provider-aws-e2e

[richardcase]

e2e job 1782910662712758272 failed, looks like timeout.

It passed on a re-run

[mtulio]

e2e job 1782910662712758272 failed, looks like timeout.

It passed on a re-run

🎉 Perfect! Thanks!

@richardcase Let me know if you are ok with the current changes.

My plan to fully address the #4874, aligned w/ we discussed in last community meeting, is to create individual e2e tests for Local Zones and Wavelength Zones (or mixed to save infra/runtime) in follow up PRs. cc @damdo @nrb

[mtulio]

Just rebased to get the most recent fixes from main - used in external projects to trigger e2e. cc @nrb @damdo

[mtulio]

@richardcase Let me know if you are ok with the current changes.

My plan to fully address the #4874, aligned w/ we discussed in last community meeting, is to create individual e2e tests for Local Zones and Wavelength Zones (or mixed to save infra/runtime) in follow up PRs. cc @damdo @nrb

Hi @richardcase - let me share the e2e tests we are running on OpenShift using this version and a few details about how the e2e for edge zones is built to hear from you if it makes sense to use a similar approach on CAPA.

e2e results on OpenShift using this PR/CAPA version:

• Wavelength: Manual, Managed, Unmanaged (BYO VPC)
• Local Zones: Managed, Unmanaged

e2e details - the "edge subnets" CI workflow is built on openshift using the flow similar to this:

• pre
  • one edge zone is randomly selected from DescribeAvailabilityZones(AllZones==true)
  • the zone attribute OptInStatus is checked, and if the status is not-opted-in the zone's zone group is modified to opted-in
  • the zone is ready to create subnets
• if managed: the SubnetSpec will be created setting the public and private subnets for each regular zone, and the selected edge zone
• if un-managed/BYO VPC: the required network components are created for unmanaged/BYO net (VPC, subnets, rtbs, gateways, etc), and the SubnetSpec will be created with subnet Ids, and respective zones
• CAPA install
• e2e run
• Tear down:
  • cluster destroyed
  • if un-managed/BYO VPC, the cloudformation stacks will be deleted

Note 0: the edge zone is randomly selected to increase coverage and dynamically test new zones while AWS is adding it.
Note 1: the zone group isn't modified (opted out) to the old state as AWS requires to open a ticket to do it. There is no additional cost to keep those enabled or create subnets and carrier gateways.
Note 2: Considering "edge subnets" feature can include Local Zones (LZ) and Wavelength Zones (WL), we also created a single workflow randomly selecting one zone LZ and WL each to test creating a cluster and running e2e in a single flow, saving test time and infra costs.

cc @nrb @r4f4 @damdo

[nrb]

Thanks for the details on how OpenShift is testing this! It's good to know there's downstream testing of this feature, though of course we'd like to see similar tests added to this repo as well.

/lgtm

[richardcase]

@mtulio - just to let you know that i updated the "release note" section to mark it as action required.

[richardcase]

/test pull-cluster-api-provider-aws-e2e-eks

[richardcase]

From my side:

/approve

When the e2e passes then we can unhold to merge.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [richardcase]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nrb]

/unhold