Skip to content

OCPBUGS-60162: reject byo vpc/subnets with CAPI owned cluster tag #9913

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPBUGS-60162: reject byo vpc/subnets with CAPI owned cluster tag #9913

wants to merge 1 commit into from
+96 −9

Conversation

tthvo
Copy link
Member

@tthvo tthvo commented Aug 25, 2025
edited
Loading

This adds an additional check for CAPI owned cluster tag sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned.

Since the destroy code is also searching for this tag to clean up cluster resources, it is reasonable to safe-guard against this case.

References (metadata.json)

installer/pkg/asset/cluster/aws/aws.go

Lines 30 to 32 in d0aabcc

{fmt.Sprintf("kubernetes.io/cluster/%s", infraID): "owned"},
{"openshiftClusterID": clusterID},
{fmt.Sprintf("sigs.k8s.io/cluster-api-provider-aws/cluster/%s", infraID): "owned"},

Notes

It seems unlikely that a vpc/subnet has a tag sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned but doesn't have the corresponding kubernetes.io/cluster/<id>:owned tag... 💭

But "unlikely" does not mean it won't happen and the destroy code is also searching that CAPA tag. So, I thought we could just add this additional check.

The tag search order is:

  1. kubernetes.io/cluster/<id>:owned
  2. sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned if none is found in 1.

@tthvo
OCPBUGS-60162: reject byo vpc/subnets with CAPI owned cluster tag
821253f 
This commit adds an additional check for CAPI owned cluster tag
sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned.

Since the destroy code is also searching for this tag to clean up
cluster resources[1], it is reasonable to safe-guard against this case.

The tag search order is:
1. kubernetes.io/cluster/<id>:owned
2. sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned

References:
- https://github.com/openshift/installer/blob/d0aabcc2a97cc8d383d6dd957169ca6713be94af/pkg/asset/cluster/aws/aws.go#L30-L32
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Aug 25, 2025
@openshift-ci-robot
Copy link
Contributor

@tthvo: This pull request references Jira Issue OCPBUGS-60162, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This adds an additional check for CAPI owned cluster tag sigs.k8s.io/cluster-api-provider-aws/cluster/:owned.

Since the destroy code is also searching for this tag to clean up cluster resources[1], it is reasonable to safe-guard against this case.

References (metadata.json)

installer/pkg/asset/cluster/aws/aws.go

Lines 30 to 32 in d0aabcc

{fmt.Sprintf("kubernetes.io/cluster/%s", infraID): "owned"},
{"openshiftClusterID": clusterID},
{fmt.Sprintf("sigs.k8s.io/cluster-api-provider-aws/cluster/%s", infraID): "owned"},

Notes

It seems unlikely that a vpc/subnet has a tag sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned but doesn't have the corresponding kubernetes.io/cluster/<id>:owned tag... 💭

But "unlikely" does not mean it won't happen and the destroy code is also searching that CAPA tag. So, I thought we could just add this additional check.

The tag search order is:

  1. kubernetes.io/cluster/<id>:owned
  2. sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned if none is found in 1.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 25, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tthvo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested review from mtulio and patrickdillon August 25, 2025 23:03
@tthvo
Copy link
Member Author

tthvo commented Aug 25, 2025

/cc @yunjiang29

@openshift-ci openshift-ci bot requested a review from yunjiang29 August 25, 2025 23:04
@openshift-ci-robot
Copy link
Contributor

@tthvo: This pull request references Jira Issue OCPBUGS-60162, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

This adds an additional check for CAPI owned cluster tag sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned.

Since the destroy code is also searching for this tag to clean up cluster resources, it is reasonable to safe-guard against this case.

References (metadata.json)

installer/pkg/asset/cluster/aws/aws.go

Lines 30 to 32 in d0aabcc

{fmt.Sprintf("kubernetes.io/cluster/%s", infraID): "owned"},
{"openshiftClusterID": clusterID},
{fmt.Sprintf("sigs.k8s.io/cluster-api-provider-aws/cluster/%s", infraID): "owned"},

Notes

It seems unlikely that a vpc/subnet has a tag sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned but doesn't have the corresponding kubernetes.io/cluster/<id>:owned tag... 💭

But "unlikely" does not mean it won't happen and the destroy code is also searching that CAPA tag. So, I thought we could just add this additional check.

The tag search order is:

  1. kubernetes.io/cluster/<id>:owned
  2. sigs.k8s.io/cluster-api-provider-aws/cluster/<id>:owned if none is found in 1.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 26, 2025

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure-ovn-resourcegroup 821253f link false /test e2e-azure-ovn-resourcegroup
ci/prow/e2e-aws-custom-dns-techpreview 821253f link false /test e2e-aws-custom-dns-techpreview
ci/prow/okd-scos-e2e-aws-ovn 821253f link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-vsphere-ovn-multi-network 821253f link false /test e2e-vsphere-ovn-multi-network
ci/prow/e2e-aws-ovn-heterogeneous 821253f link false /test e2e-aws-ovn-heterogeneous
ci/prow/e2e-vsphere-host-groups-ovn-techpreview 821253f link false /test e2e-vsphere-host-groups-ovn-techpreview

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtulio mtulio Awaiting requested review from mtulio

@patrickdillon patrickdillon Awaiting requested review from patrickdillon

@yunjiang29 yunjiang29 Awaiting requested review from yunjiang29

Assignees
No one assigned
Labels
jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tthvo @openshift-ci-robot