OCM-14545 | ci: Support security group and proxy settings for hosted-cp shared vpc profile

Author: yuwang-RH

tests/ci/data/profiles/rosa-hcp.yaml

@@ -176,7 +176,7 @@ profiles:
     autoscale: true
     kms_key: true
     networking: true
-    proxy_enabled: false
+    proxy_enabled: true
     label_enabled: false
     zones: ""
     tag_enabled: true
@@ -188,7 +188,7 @@ profiles:
     volume_size: 75
     disable_uwm: true
     autoscaler_enabled: false
-    additional_sg_number: 0
+    additional_sg_number: 3
     registries_config: true
     blocked_registries: true
   account-role:

tests/utils/handler/cluster_handler.go

@@ -538,8 +538,11 @@ func (ch *clusterHandler) GenerateClusterCreateFlags() ([]string, error) {
 		ch.clusterConfig.Networking = networking
 	}
 	if ch.profile.ClusterConfig.BYOVPC {
-		var vpc *vpc_client.VPC
-		var err error
+		var (
+			vpc            *vpc_client.VPC
+			err            error
+			securityGroups []string
+		)
 		vpcPrefix := helper.TrimNameByLength(clusterName, 20)
 		log.Logger.Info("Got BYOVPC set to true. Going to prepare subnets")
 		cidrValue := constants.DefaultVPCCIDRValue
@@ -572,15 +575,57 @@ func (ch *clusterHandler) GenerateClusterCreateFlags() ([]string, error) {
 		}
 		flags = append(flags,
 			"--subnet-ids", subnetsFlagValue)
+		if ch.profile.ClusterConfig.AdditionalSGNumber != 0 {
+			securityGroups, err = resourcesHandler.
+				PrepareAdditionalSecurityGroups(ch.profile.ClusterConfig.AdditionalSGNumber, vpcPrefix)
+			if err != nil {
+				return flags, err
+			}
+			computeSGs := strings.Join(securityGroups, ",")
+			infraSGs := strings.Join(securityGroups, ",")
+			controlPlaneSGs := strings.Join(securityGroups, ",")
+			if ch.profile.ClusterConfig.HCP {
+				flags = append(flags,
+					"--additional-compute-security-group-ids", computeSGs,
+				)
+				ch.clusterConfig.AdditionalSecurityGroups = &ClusterConfigure.AdditionalSecurityGroups{
+					WorkerSecurityGroups: computeSGs,
+				}
+			} else {
+				flags = append(flags,
+					"--additional-infra-security-group-ids", infraSGs,
+					"--additional-control-plane-security-group-ids", controlPlaneSGs,
+					"--additional-compute-security-group-ids", computeSGs,
+				)
+				ch.clusterConfig.AdditionalSecurityGroups = &ClusterConfigure.AdditionalSecurityGroups{
+					ControlPlaneSecurityGroups: controlPlaneSGs,
+					InfraSecurityGroups:        infraSGs,
+					WorkerSecurityGroups:       computeSGs,
+				}
+			}
+		}
 
 		if ch.profile.ClusterConfig.SharedVPC {
-			subnetArns, err := resourcesHandler.PrepareSubnetArns(subnetsFlagValue)
+			var (
+				securityGroupARns  []string
+				sharedResourceArns []string
+			)
+			sharedResourceArns, err = resourcesHandler.PrepareSubnetArns(subnetsFlagValue)
 			if err != nil {
 				return flags, err
 			}
 
+			if len(securityGroups) > 0 {
+				securityGroupARns, err = resourcesHandler.PrepareSecurityGroupArns(securityGroups, true)
+
+				if err != nil {
+					return flags, err
+				}
+				sharedResourceArns = append(sharedResourceArns, securityGroupARns...)
+			}
+
 			resourceShareName := fmt.Sprintf("%s-%s", sharedVPCRolePrefix, "resource-share")
-			_, err = resourcesHandler.PrepareResourceShare(resourceShareName, subnetArns)
+			_, err = resourcesHandler.PrepareResourceShare(resourceShareName, sharedResourceArns)
 			if err != nil {
 				return flags, err
 			}
@@ -626,35 +671,7 @@ func (ch *clusterHandler) GenerateClusterCreateFlags() ([]string, error) {
 				}
 			}
 		}
-		if ch.profile.ClusterConfig.AdditionalSGNumber != 0 {
-			securityGroups, err := resourcesHandler.
-				PrepareAdditionalSecurityGroups(ch.profile.ClusterConfig.AdditionalSGNumber, vpcPrefix)
-			if err != nil {
-				return flags, err
-			}
-			computeSGs := strings.Join(securityGroups, ",")
-			infraSGs := strings.Join(securityGroups, ",")
-			controlPlaneSGs := strings.Join(securityGroups, ",")
-			if ch.profile.ClusterConfig.HCP {
-				flags = append(flags,
-					"--additional-compute-security-group-ids", computeSGs,
-				)
-				ch.clusterConfig.AdditionalSecurityGroups = &ClusterConfigure.AdditionalSecurityGroups{
-					WorkerSecurityGroups: computeSGs,
-				}
-			} else {
-				flags = append(flags,
-					"--additional-infra-security-group-ids", infraSGs,
-					"--additional-control-plane-security-group-ids", controlPlaneSGs,
-					"--additional-compute-security-group-ids", computeSGs,
-				)
-				ch.clusterConfig.AdditionalSecurityGroups = &ClusterConfigure.AdditionalSecurityGroups{
-					ControlPlaneSecurityGroups: controlPlaneSGs,
-					InfraSecurityGroups:        infraSGs,
-					WorkerSecurityGroups:       computeSGs,
-				}
-			}
-		}
+
 		if ch.profile.ClusterConfig.ProxyEnabled {
 			proxyName := vpc.VPCName
 			if proxyName == "" {
@@ -679,7 +696,6 @@ func (ch *clusterHandler) GenerateClusterCreateFlags() ([]string, error) {
 				"--no-proxy", proxy.NoProxy,
 				"--additional-trust-bundle-file", proxy.CABundleFilePath,
 			)
-
 		}
 	}
 	if ch.profile.ClusterConfig.BillingAccount != "" {

tests/utils/handler/interface.go

@@ -84,6 +84,7 @@ type Resources struct {
 	VpcID                        string                `json:"vpc_id,omitempty"`
 	HCPRoute53ShareRole          string                `json:"hcp_route53_share_role,omitempty"`
 	HCPVPCEndpointShareRole      string                `json:"hcp_vpc_endpoint_share_role,omitempty"`
+	ProxyInstanceID              string                `json:"proxy_instance_id,omitempty"`
 }
 
 type FromSharedAWSAccount struct {
@@ -108,4 +109,5 @@ type ProxyDetail struct {
 	HTTPProxy        string
 	CABundleFilePath string
 	NoProxy          string
+	InstanceID       string
 }

tests/utils/handler/resources_handler.go

@@ -208,6 +208,17 @@ func (rh *resourcesHandler) DestroyResources() (errors []error) {
 			rh.registerDNSDomain("")
 		}
 	}
+	// Delete proxy resourses
+	if resources.ProxyInstanceID != "" {
+		err = rh.CleanupProxyResources(
+			resources.ProxyInstanceID,
+			resources.FromSharedAWSAccount != nil && resources.FromSharedAWSAccount.VPC,
+		)
+		success := destroyLog(err, "proxy resources")
+		if success {
+			rh.registerProxyInstanceID("")
+		}
+	}
 	// delete resource share
 	if resources.ResourceShareArn != "" {
 		log.Logger.Infof("Find prepared resource share: %s", resources.ResourceShareArn)
@@ -453,6 +464,11 @@ func (rh *resourcesHandler) registerVPC(vpc *vpc_client.VPC) error {
 	return rh.saveToFile()
 }
 
+func (rh *resourcesHandler) registerProxyInstanceID(proxyInsID string) error {
+	rh.resources.ProxyInstanceID = proxyInsID
+	return rh.saveToFile()
+}
+
 func (rh *resourcesHandler) GetVPC() *vpc_client.VPC {
 	return rh.vpc
 }

tests/utils/handler/resources_handler_clean.go

@@ -1,8 +1,15 @@
 package handler
 
 import (
+	"context"
+	"fmt"
 	"strings"
+	"time"
 
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/openshift-online/ocm-common/pkg/aws/aws_client"
 	"github.com/openshift-online/ocm-common/pkg/test/kms_key"
 	"github.com/openshift-online/ocm-common/pkg/test/vpc_client"
@@ -151,3 +158,146 @@ func (rh *resourcesHandler) DeleteAccountRoles() error {
 	}
 	return nil
 }
+
+func (rh *resourcesHandler) GetEIPAssociationAndAllocationIDsByInstanceID(
+	publicIP string, sharedVPC bool,
+) (string, string, error) {
+	var (
+		err       error
+		awsClient *aws_client.AWSClient
+	)
+	if sharedVPC {
+		awsClient, err = rh.GetAWSClient(true)
+	} else {
+		awsClient, err = rh.GetAWSClient(false)
+	}
+	if err != nil {
+		log.Logger.Errorf("Get AWS Client failed: %s", err)
+		return "", "", err
+	}
+	input := &ec2.DescribeAddressesInput{
+		PublicIps: []string{publicIP},
+	}
+	output, err := awsClient.Ec2Client.DescribeAddresses(context.TODO(), input)
+	if err != nil {
+		log.Logger.Errorf("Failed to describe addresses: %s", err)
+		return "", "", err
+	}
+
+	if len(output.Addresses) == 0 {
+		return "", "", fmt.Errorf("no EIP association found for instance ID %s", publicIP)
+	}
+
+	associationID := *output.Addresses[0].AssociationId
+	allocationID := *output.Addresses[0].AllocationId
+	return associationID, allocationID, nil
+}
+
+func (rh *resourcesHandler) CleanupProxyResources(instID string, sharedVPC bool) error {
+	var (
+		err       error
+		awsClient *aws_client.AWSClient
+	)
+
+	if sharedVPC {
+		awsClient, err = rh.GetAWSClient(true)
+	} else {
+		awsClient, err = rh.GetAWSClient(false)
+	}
+	if err != nil {
+		log.Logger.Errorf("Get AWS Client failed: %s", err)
+		return err
+	}
+	insOut, err := awsClient.Ec2Client.DescribeInstances(
+		context.TODO(),
+		&ec2.DescribeInstancesInput{
+			InstanceIds: []string{instID},
+		},
+	)
+	if err != nil {
+		log.Logger.Errorf("Describe proxy instance failed: %s", err)
+		return err
+	}
+	if len(insOut.Reservations) == 0 || len(insOut.Reservations[0].Instances) == 0 {
+		err = fmt.Errorf("instance %s not found", rh.resources.ProxyInstanceID)
+		return err
+	}
+	instance := insOut.Reservations[0].Instances[0]
+	// release EIP
+	associationID, allocationID, err := rh.GetEIPAssociationAndAllocationIDsByInstanceID(
+		*instance.PublicIpAddress, sharedVPC,
+	)
+	keyName := *instance.KeyName
+	SGID := *instance.SecurityGroups[0].GroupId
+	if err != nil {
+		log.Logger.Errorf("Get EIP Association ID failed: %s", err)
+		return err
+	}
+	_, err = awsClient.DisassociateAddress(associationID)
+	if err != nil {
+		log.Logger.Errorf("Disassociate Addrress failed: %s", err)
+		return err
+	}
+	_, err = awsClient.ReleaseAddress(allocationID)
+	if err != nil {
+		log.Logger.Errorf("Release Address failed: %s", err)
+		return err
+	}
+	log.Logger.Infof("Released EIP: %s", allocationID)
+
+	// terminate proxy instance
+	_, err = awsClient.Ec2Client.TerminateInstances(context.TODO(), &ec2.TerminateInstancesInput{
+		InstanceIds: []string{instID},
+	})
+	if err != nil {
+		log.Logger.Errorf("Terminate instance failed: %s", err)
+		return err
+	}
+	log.Logger.Infof("Terminating instance: %s", instID)
+
+	err = wait.PollUntilContextTimeout(
+		context.TODO(),
+		30*time.Second,
+		10*time.Minute,
+		false,
+		func(ctx context.Context) (bool, error) {
+			output, err := awsClient.Ec2Client.DescribeInstances(ctx, &ec2.DescribeInstancesInput{
+				InstanceIds: []string{instID},
+			})
+			if err != nil {
+				return false, err
+			}
+			if len(output.Reservations) == 0 || len(output.Reservations[0].Instances) == 0 {
+				return false, nil
+			}
+			instance := output.Reservations[0].Instances[0]
+			if instance.State != nil && instance.State.Name == types.InstanceStateNameTerminated {
+				return true, nil
+			}
+			return false, nil
+		},
+	)
+	if err != nil {
+		log.Logger.Errorf("Instance termination confirmation failed: %s", err)
+		return err
+	}
+	log.Logger.Infof("Instance %s is terminated", instID)
+
+	// Delete secrity group
+	_, err = awsClient.DeleteSecurityGroup(SGID)
+	if err != nil {
+		log.Logger.Errorf("Delete security group failed: %s", err)
+		return err
+	}
+	log.Logger.Infof("Deleted security group: %s", SGID)
+
+	// Delete key pair
+	_, err = awsClient.DeleteKeyPair(keyName)
+	if err != nil {
+		log.Logger.Errorf("Delete key pair failed: %s", err)
+		return err
+	}
+	log.Logger.Infof("Deleted key pair: %s", keyName)
+
+	return nil
+}