terraform/aws: remove option to use an existing vpc in aws #654
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
size/M
|
Needs a rebase? |
staebler
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
wking
reviewed
Nov 16, 2018
wking
reviewed
Nov 16, 2018
wking
reviewed
Nov 16, 2018
|
I strongly believe we need to keep both the CIDR and the existing VPC support. In fact, we may want to enhance it a bit to use all or a subset of AZs. Can we instead fix/protect the destroy logic? |
openshift-bot
added
the
needs-rebase
openshift-ci-robot
added
size/L
openshift-bot
removed
the
needs-rebase
|
/retest We are going to punt on this functionality until after 4.0. |
openshift-ci-robot
added
lgtm
|
@staebler: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
openshift-ci-robot
added
needs-rebase
|
Needs a rebase :). |
wking
reviewed
Dec 5, 2018
wking
reviewed
Dec 5, 2018
wking
reviewed
Dec 5, 2018
|
@wking can you take another look otherwise this is /approve |
wking
reviewed
Dec 13, 2018
data/data/aws/bootstrap/main.tf
Outdated
| @@ -109,7 +109,7 @@ resource "aws_instance" "bootstrap" { | |||
| subnet_id = "${var.subnet_id}" | |||
| user_data = "${data.ignition_config.redirect.rendered}" | |||
| vpc_security_group_ids = ["${var.vpc_security_group_ids}"] | |||
| associate_public_ip_address = "${var.associate_public_ip_address}" | |||
| associate_public_ip_address = "true" | |||
wking
reviewed
Dec 13, 2018
data/data/aws/main.tf
Outdated
| @@ -1,7 +1,7 @@ | |||
| locals { | |||
| private_endpoints = "${var.aws_endpoints == "public" ? false : true}" | |||
| public_endpoints = "${var.aws_endpoints == "private" ? false : true}" | |||
| private_zone_id = "${var.aws_external_private_zone != "" ? var.aws_external_private_zone : join("", aws_route53_zone.int.*.zone_id)}" | |||
| private_zone_id = "${join("", aws_route53_zone.int.*.zone_id)}" | |||
There was a problem hiding this comment.
Do we know what this join is about? I'd expect "${aws_route53_zone.int.zone_id}".
There was a problem hiding this comment.
@wking The join is used to convert the list to a single value, knowing that the list will only have a single element. With the changes in this PR, the join is no longer necessary aws_route53_zone is no longer a collection of resources: it is a single resource.
There was a problem hiding this comment.
And to be clear, the code in the PR is what you are expecting "${aws_route53_zone.int.zone_id}". Your comment is using an outdated version.
There was a problem hiding this comment.
Ah, I had been going through commit by commit. Maybe you can squash the join removal further back. Or just leave it, since it gets fixed by the end of the PR.
There was a problem hiding this comment.
I try to make the end result of each commit a working product. After that commit, the join is still needed since at that point aws_route53_zone is still a collection of resources.
For the limited scope of the installer, we do not want the user to have the ability to share the VPC between clusters. A shared VPC could potentially be deleted when destroying one of the clusters, leaving the rest of the clusters using the shared VPC in an unusable state. Fixes https://jira.coreos.com/browse/CORS-873
With the removal of the option to use an external VPC, the following variables are not used and are removed. aws_external_master_subnet_ids aws_external_private_zone aws_external_worker_subnet_ids https://jira.coreos.com/browse/CORS-873
aws_endpoints aws_installer_role aws_master_custom_subnets aws_master_extra_sg_ids aws_worker_custom_subnets https://jira.coreos.com/browse/CORS-873
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, crawford, staebler, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
wking
added a commit
to wking/hive
that referenced
this pull request
Dec 19, 2018
Catching up with openshift/installer@6f55e673 (terraform/aws: remove option to use an existing vpc in aws, 2018-11-11, openshift/installer#654).
wking
added a commit
to wking/openshift-installer
that referenced
this pull request
Jan 11, 2019
Centralize extra-tag inclusion on aws/main.tf. This reduces the
number of places we need to think about what tags should be ;).
Also keep kubernetes.io/cluster/{name} localized in the aws module.
See 8a37f72 (modules/aws/bootstrap: Pull AWS bootstrap setup into a
module, 2018-09-05, openshift#217) for why we need to keep it on the bootstrap
instance. But the bootstrap resources will be removed after the
bootstrap-complete event comes through, and we don't want Kubernetes
controllers trying to pick them up.
This commit updates the internal Route 53 zone from KubernetesCluster
to kubernetes.io/cluster/{name}: owned, catching it up to
kubernetes/kubernetes@0b5ae539 (AWS: Support shared tag, 2017-02-18,
kubernetes/kubernetes#41695). That tag originally landed on the zone
back in 75fb49a (platforms/aws: apply tags to internal route53 zone,
2017-05-02, coreos/tectonic-installer#465).
Only the master instances need the clusterid tag, as described in
6c7a5f0 (Tag master machines for adoption by machine controller,
2018-10-17, openshift#479).
A number of VPC resources have moved from "shared" to "owned". The
shared values are from 45dfc2b (modules/aws,azure: use the new tag
format for k8s 1.6, 2017-05-04, coreos/tectonic-installer#469). The
commit message doesn't have much to say for motivation, but Brad Ison
said [1]:
I'm not really sure if anything in Kubernetes actually uses the
owned vs. shared values at the moment, but in any case, it might
make more sense to mark subnets as shared. That was actually one of
the main use cases for moving to this style of tagging -- being able
to share subnets between clusters.
But we aren't sharing these resources; see 6f55e67 (terraform/aws:
remove option to use an existing vpc in aws, 2018-11-11, openshift#654).
[1]: coreos/tectonic-installer#469 (comment)
wking
added a commit
to wking/openshift-installer
that referenced
this pull request
Jan 11, 2019
Centralize extra-tag inclusion on aws/main.tf. This reduces the
number of places we need to think about what tags should be ;).
Also keep kubernetes.io/cluster/{name} localized in the aws module.
See 8a37f72 (modules/aws/bootstrap: Pull AWS bootstrap setup into a
module, 2018-09-05, openshift#217) for why we need to keep it on the bootstrap
instance. But the bootstrap resources will be removed after the
bootstrap-complete event comes through, and we don't want Kubernetes
controllers trying to pick them up.
This commit updates the internal Route 53 zone from KubernetesCluster
to kubernetes.io/cluster/{name}: owned, catching it up to
kubernetes/kubernetes@0b5ae539 (AWS: Support shared tag, 2017-02-18,
kubernetes/kubernetes#41695). That tag originally landed on the zone
back in 75fb49a (platforms/aws: apply tags to internal route53 zone,
2017-05-02, coreos/tectonic-installer#465).
Only the master instances need the clusterid tag, as described in
6c7a5f0 (Tag master machines for adoption by machine controller,
2018-10-17, openshift#479).
A number of VPC resources have moved from "shared" to "owned". The
shared values are from 45dfc2b (modules/aws,azure: use the new tag
format for k8s 1.6, 2017-05-04, coreos/tectonic-installer#469). The
commit message doesn't have much to say for motivation, but Brad Ison
said [1]:
I'm not really sure if anything in Kubernetes actually uses the
owned vs. shared values at the moment, but in any case, it might
make more sense to mark subnets as shared. That was actually one of
the main use cases for moving to this style of tagging -- being able
to share subnets between clusters.
But we aren't sharing these resources; see 6f55e67 (terraform/aws:
remove option to use an existing vpc in aws, 2018-11-11, openshift#654).
[1]: coreos/tectonic-installer#469 (comment)
wking
added a commit
to wking/openshift-installer
that referenced
this pull request
Jan 11, 2019
Centralize extra-tag inclusion on aws/main.tf. This reduces the
number of places we need to think about what tags should be ;).
Also keep kubernetes.io/cluster/{name} localized in the aws module.
See 8a37f72 (modules/aws/bootstrap: Pull AWS bootstrap setup into a
module, 2018-09-05, openshift#217) for why we need to keep it on the bootstrap
instance. But the bootstrap resources will be removed after the
bootstrap-complete event comes through, and we don't want Kubernetes
controllers trying to pick them up.
This commit updates the internal Route 53 zone from KubernetesCluster
to kubernetes.io/cluster/{name}: owned, catching it up to
kubernetes/kubernetes@0b5ae539 (AWS: Support shared tag, 2017-02-18,
kubernetes/kubernetes#41695). That tag originally landed on the zone
back in 75fb49a (platforms/aws: apply tags to internal route53 zone,
2017-05-02, coreos/tectonic-installer#465).
Only the master instances need the clusterid tag, as described in
6c7a5f0 (Tag master machines for adoption by machine controller,
2018-10-17, openshift#479).
A number of VPC resources have moved from "shared" to "owned". The
shared values are from 45dfc2b (modules/aws,azure: use the new tag
format for k8s 1.6, 2017-05-04, coreos/tectonic-installer#469). The
commit message doesn't have much to say for motivation, but Brad Ison
said [1]:
I'm not really sure if anything in Kubernetes actually uses the
owned vs. shared values at the moment, but in any case, it might
make more sense to mark subnets as shared. That was actually one of
the main use cases for moving to this style of tagging -- being able
to share subnets between clusters.
But we aren't sharing these resources; see 6f55e67 (terraform/aws:
remove option to use an existing vpc in aws, 2018-11-11, openshift#654).
[1]: coreos/tectonic-installer#469 (comment)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For the limited scope of the installer, we do not want the user to
have the ability to share the VPC between clusters. A shared VPC
could potentially be deleted when destroying one of the clusters,
leaving the rest of the clusters using the shared VPC in an unusable
state.
Fixes https://jira.coreos.com/browse/CORS-873