Merge pull request #5133 from relu/support-ec2-instance-nat-egresses

Add ability to use ec2 nat instance as egress
kubernetes · May 10, 2018 · 02ab1f9 · 02ab1f9
2 parents 64d817a + cc8371c
commit 02ab1f9
Show file tree

Hide file tree

Showing 9 changed files with 383 additions and 16 deletions.
diff --git a/cmd/kops/create_cluster_integration_test.go b/cmd/kops/create_cluster_integration_test.go
@@ -89,6 +89,12 @@ func TestCreateClusterWithNGWSpecified(t *testing.T) {
 	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ngwspecified", "v1alpha2")
 }
 
+// TestCreateClusterWithINGWSpecified runs kops create cluster private.example.com --zones us-test-1a --master-zones us-test-1a
+func TestCreateClusterWithINGWSpecified(t *testing.T) {
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ingwspecified", "v1alpha1")
+	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/ingwspecified", "v1alpha2")
+}
+
 // TestCreateClusterSharedVPC runs kops create cluster vpc.example.com --zones us-test-1a --master-zones us-test-1a --vpc vpc-12345678
 func TestCreateClusterSharedVPC(t *testing.T) {
 	runCreateClusterIntegrationTest(t, "../../tests/integration/create_cluster/shared_vpc", "v1alpha1")

diff --git a/pkg/apis/kops/validation/legacy.go b/pkg/apis/kops/validation/legacy.go
@@ -457,8 +457,8 @@ func ValidateCluster(c *kops.Cluster, strict bool) *field.Error {
 	{
 		for i, s := range c.Spec.Subnets {
 			fieldSubnet := fieldSpec.Child("Subnets").Index(i)
-			if s.Egress != "" && !strings.HasPrefix(s.Egress, "nat-") {
-				return field.Invalid(fieldSubnet.Child("Egress"), s.Egress, "egress must be of type NAT Gateway")
+			if s.Egress != "" && !strings.HasPrefix(s.Egress, "nat-") && !strings.HasPrefix(s.Egress, "i-") {
+				return field.Invalid(fieldSubnet.Child("Egress"), s.Egress, "egress must be of type NAT Gateway or NAT EC2 Instance")
 			}
 			if s.Egress != "" && !(s.Type == "Private") {
 				return field.Invalid(fieldSubnet.Child("Egress"), s.Egress, "egress can only be specified for Private subnets")

diff --git a/pkg/model/network.go b/pkg/model/network.go
@@ -246,6 +246,7 @@ func (b *NetworkModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 
 		var ngw *awstasks.NatGateway
+		var in *awstasks.Instance
 		if b.Cluster.Spec.Subnets[i].Egress != "" {
 			if strings.HasPrefix(b.Cluster.Spec.Subnets[i].Egress, "nat-") {
 
@@ -262,8 +263,20 @@ func (b *NetworkModelBuilder) Build(c *fi.ModelBuilderContext) error {
 
 				c.AddTask(ngw)
 
+			} else if strings.HasPrefix(b.Cluster.Spec.Subnets[i].Egress, "i-") {
+
+				in = &awstasks.Instance{
+					Name:      s(b.Cluster.Spec.Subnets[i].Egress),
+					Lifecycle: b.Lifecycle,
+					ID:        s(b.Cluster.Spec.Subnets[i].Egress),
+					Shared:    fi.Bool(true),
+					Tags:      b.CloudTags(zone+"."+b.ClusterName(), true),
+				}
+
+				c.AddTask(in)
+
 			} else {
-				return fmt.Errorf("kops currently only supports re-use of NAT Gateways. We will support more eventually! Please see https://github.com/kubernetes/kops/issues/1530")
+				return fmt.Errorf("kops currently only supports re-use of either NAT EC2 Instances or NAT Gateways. We will support more eventually! Please see https://github.com/kubernetes/kops/issues/1530")
 			}
 
 		} else {
@@ -327,13 +340,28 @@ func (b *NetworkModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		//
 		// Routes for the private route table.
 		// Will route to the NAT Gateway
-		c.AddTask(&awstasks.Route{
-			Name:       s("private-" + zone + "-0.0.0.0/0"),
-			Lifecycle:  b.Lifecycle,
-			CIDR:       s("0.0.0.0/0"),
-			RouteTable: rt,
-			NatGateway: ngw,
-		})
+		var r *awstasks.Route
+		if in != nil {
+
+			r = &awstasks.Route{
+				Name:       s("private-" + zone + "-0.0.0.0/0"),
+				Lifecycle:  b.Lifecycle,
+				CIDR:       s("0.0.0.0/0"),
+				RouteTable: rt,
+				Instance:   in,
+			}
+
+		} else {
+
+			r = &awstasks.Route{
+				Name:       s("private-" + zone + "-0.0.0.0/0"),
+				Lifecycle:  b.Lifecycle,
+				CIDR:       s("0.0.0.0/0"),
+				RouteTable: rt,
+				NatGateway: ngw,
+			}
+		}
+		c.AddTask(r)
 
 	}
 

diff --git a/tests/integration/create_cluster/ingwspecified/expected-v1alpha1.yaml b/tests/integration/create_cluster/ingwspecified/expected-v1alpha1.yaml
@@ -0,0 +1,107 @@
+apiVersion: kops/v1alpha1
+kind: Cluster
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  name: private.example.com
+spec:
+  adminAccess:
+  - 0.0.0.0/0
+  api:
+    loadBalancer:
+      type: Public
+  authorization:
+    rbac: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://tests/private.example.com
+  etcdClusters:
+  - etcdMembers:
+    - name: a
+      zone: us-test-1a
+    name: main
+  - etcdMembers:
+    - name: a
+      zone: us-test-1a
+    name: events
+  iam:
+    allowContainerRegistry: true
+    legacy: false
+  kubernetesVersion: v1.4.8
+  masterPublicName: api.private.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    kopeio: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  topology:
+    bastion:
+      enable: true
+      name: bastion.private.example.com
+    dns:
+      type: Public
+    masters: private
+    nodes: private
+  zones:
+  - cidr: 172.20.0.0/22
+    egress: i-09123456
+    name: us-test-1a
+    privateCIDR: 172.20.32.0/19
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: private.example.com
+  name: bastions
+spec:
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2017-07-28
+  machineType: t2.micro
+  maxSize: 1
+  minSize: 1
+  nodeLabels:
+    kops.k8s.io/instancegroup: bastions
+  role: Bastion
+  zones:
+  - utility-us-test-1a
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: private.example.com
+  name: master-us-test-1a
+spec:
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2017-07-28
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  nodeLabels:
+    kops.k8s.io/instancegroup: master-us-test-1a
+  role: Master
+  zones:
+  - us-test-1a
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: private.example.com
+  name: nodes
+spec:
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2017-07-28
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  nodeLabels:
+    kops.k8s.io/instancegroup: nodes
+  role: Node
+  zones:
+  - us-test-1a
diff --git a/tests/integration/create_cluster/ingwspecified/expected-v1alpha2.yaml b/tests/integration/create_cluster/ingwspecified/expected-v1alpha2.yaml
@@ -0,0 +1,113 @@
+apiVersion: kops/v1alpha2
+kind: Cluster
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  name: private.example.com
+spec:
+  api:
+    loadBalancer:
+      type: Public
+  authorization:
+    rbac: {}
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://tests/private.example.com
+  etcdClusters:
+  - etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: a
+    name: main
+  - etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: a
+    name: events
+  iam:
+    allowContainerRegistry: true
+    legacy: false
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  kubernetesVersion: v1.4.8
+  masterPublicName: api.private.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    kopeio: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  subnets:
+  - cidr: 172.20.32.0/19
+    egress: i-09123456
+    name: us-test-1a
+    type: Private
+    zone: us-test-1a
+  - cidr: 172.20.0.0/22
+    name: utility-us-test-1a
+    type: Utility
+    zone: us-test-1a
+  topology:
+    bastion:
+      bastionPublicName: bastion.private.example.com
+    dns:
+      type: Public
+    masters: private
+    nodes: private
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: private.example.com
+  name: bastions
+spec:
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2017-07-28
+  machineType: t2.micro
+  maxSize: 1
+  minSize: 1
+  nodeLabels:
+    kops.k8s.io/instancegroup: bastions
+  role: Bastion
+  subnets:
+  - utility-us-test-1a
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: private.example.com
+  name: master-us-test-1a
+spec:
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2017-07-28
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  nodeLabels:
+    kops.k8s.io/instancegroup: master-us-test-1a
+  role: Master
+  subnets:
+  - us-test-1a
+
+---
+
+apiVersion: kops/v1alpha2
+kind: InstanceGroup
+metadata:
+  creationTimestamp: 2017-01-01T00:00:00Z
+  labels:
+    kops.k8s.io/cluster: private.example.com
+  name: nodes
+spec:
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2017-07-28
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  nodeLabels:
+    kops.k8s.io/instancegroup: nodes
+  role: Node
+  subnets:
+  - us-test-1a
diff --git a/tests/integration/create_cluster/ingwspecified/options.yaml b/tests/integration/create_cluster/ingwspecified/options.yaml
@@ -0,0 +1,9 @@
+ClusterName: private.example.com
+Zones:
+- us-test-1a
+Cloud: aws
+Topology: private
+Networking: kopeio-vxlan
+Bastion: true
+Egress: i-09123456
+KubernetesVersion: v1.4.8
diff --git a/upup/pkg/fi/cloudup/awstasks/BUILD.bazel b/upup/pkg/fi/cloudup/awstasks/BUILD.bazel
@@ -28,6 +28,7 @@ go_library(
         "iamrolepolicy_fitask.go",
         "instance.go",
         "instance_elasticip_attachment.go",
+        "instance_fitask.go",
         "instance_volume_attachment.go",
         "internetgateway.go",
         "internetgateway_fitask.go",