Add custom role support (#313)

* Add support for custom roles in NSG/Subnet

Author: shyamradhakrishnan

api/v1beta2/ocicluster_webhook_test.go

@@ -244,6 +244,29 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "subnet role invalid",
 			expectErr:             true,
 		},
+		{
+			name: "allow subnet custom role",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							CIDR: "10.0.0.0/16",
+							Subnets: []*Subnet{
+								&Subnet{
+									Role: Custom,
+								},
+							},
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
 		{
 			name: "shouldn't allow invalid role",
 			c: &OCICluster{
@@ -393,6 +416,26 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "networkSecurityGroup role invalid",
 			expectErr:             true,
 		},
+		{
+			name: "allow nsg custom role",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							NetworkSecurityGroup: NetworkSecurityGroup{List: []*NSG{{
+								Role: Custom,
+							}}},
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
 		{
 			name: "should allow blank region",
 			c: &OCICluster{

api/v1beta2/ocimanagedcluster_webhook_test.go

@@ -267,6 +267,30 @@ func TestOCIManagedCluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "subnet role invalid",
 			expectErr:             true,
 		},
+		{
+			name: "should allow custom subnet role",
+			c: &OCIManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIManagedClusterSpec{
+					Region:                "",
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							CIDR: "10.0.0.0/16",
+							Subnets: []*Subnet{
+								&Subnet{
+									Role: Custom,
+								},
+							},
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
 		{
 			name: "should allow empty subnet name",
 			c: &OCIManagedCluster{
@@ -380,6 +404,28 @@ func TestOCIManagedCluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "networkSecurityGroup role invalid",
 			expectErr:             true,
 		},
+		{
+			name: "should allow custom NSG role",
+			c: &OCIManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIManagedClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							NetworkSecurityGroup: NetworkSecurityGroup{
+								List: []*NSG{{
+									Role: Custom,
+								}},
+							},
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
 		{
 			name: "should allow blank region",
 			c: &OCIManagedCluster{

api/v1beta2/types.go

@@ -24,13 +24,14 @@ const (
 	PodRole                  = "pod"
 	Private                  = "private"
 	Public                   = "public"
+	Custom                   = "custom"
 )
 
 // OCIClusterSubnetRoles a slice of all the subnet roles for self managed cluster
-var OCIClusterSubnetRoles = []Role{ControlPlaneRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole}
+var OCIClusterSubnetRoles = []Role{ControlPlaneRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole, Custom}
 
 // OCIManagedClusterSubnetRoles a slice of all the subnet roles for managed cluster
-var OCIManagedClusterSubnetRoles = []Role{PodRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole}
+var OCIManagedClusterSubnetRoles = []Role{PodRole, ControlPlaneEndpointRole, WorkerRole, ServiceLoadBalancerRole, Custom}
 
 // NetworkDetails defines the configuration options for the network
 type NetworkDetails struct {

docs/src/networking/custom-networking.md

@@ -300,6 +300,45 @@ spec:
       loadBalancerType: "lb"
 ```
 
+## Example spec to use custom role
+
+CAPOCI can be used to create Subnet/NSG in the VCN for custom workloads such as private load balancers,
+dedicated subnet for DB connection etc. The roles for such custom subnest must be defined as `custom`.
+The following spec shows an example for this scenario.
+
+```yaml
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+kind: OCICluster
+metadata:
+  name: "${CLUSTER_NAME}"
+spec:
+  compartmentId: "${OCI_COMPARTMENT_ID}"
+  networkSpec:
+    vcn:
+      name: ${CLUSTER_NAME}
+      subnets:
+        - name: db
+          role: custom
+          type: public
+          cidr: "172.16.5.0/28"
+      networkSecurityGroup:
+        list:
+          - name: db
+            role: custom
+            egressRules:
+              - egressRule:
+                  isStateless: false
+                  destination: "172.16.5.0/28"
+                  protocol: "6"
+                  destinationType: "CIDR_BLOCK"
+                  description: "All traffic to control plane nodes"
+                  tcpOptions:
+                    destinationPortRange:
+                      max: 6443
+                      min: 6443
+```
+
 [sl-vs-nsg]: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm#comparison
 [externally-managed-cluster-infrastructure]: ../gs/externally-managed-cluster-infrastructure.md#example-spec-for-externally-managed-vcn-infrastructure
 [oci-nlb]: https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/introducton.htm#Overview