CORS-4067: Add support for single zone NAT gateway

[rna-afk]

Adding the option for the users to create a NAT gateway for the compute nodes as an option to replace the traditional load balancer setup. This is only for a single NAT gateway in the compute subnet as CAPZ expects an outbound LB for control planes.

[openshift-ci-robot]

@rna-afk: This pull request references CORS-4067 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

Details

In response to this:

Adding the option for the users to create a NAT gateway for the compute nodes as an option to replace the traditional load balancer setup. This is only for a single NAT gateway in the compute subnet as CAPZ expects an outbound LB for control planes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[patrickdillon]

At a high level, this looks good. I do think we need to work out the install config API questions before moving forward ( see my comment in the PR)

It would be good to include some testing results and also it should be pretty simple to add pre-submit tests for this functionality so we can test this PR in CI. Happy to collaborate on that.

[patrickdillon]

Is this correct? For NATGateway our current thinking is that control plane nodes will still use the API load balancer for outbound access, so I'm not certain we want this change.

[patrickdillon]

There are a few more annotations that need to be fixed:

installer/pkg/types/azure/platform.go

Line 12 in 4bec6f4

// +kubebuilder:validation:Enum="";Loadbalancer;NatGateway;UserDefinedRouting

https://github.com/openshift/installer/blob/main/pkg/types/azure/platform.go#L79

For that last one, it would be good to include details about the NAT Gateway (repeating the comment text for the constant would be fine), because I believe those are the details included in the explain text.

And then the crd would need to be regenerated with go generate ./pkg/types/installconfig.go

[jhixson74]

I'm coming in late here, but this LGTM ;-)

[patrickdillon]

Let's get openshift/release#65568 in (needs some slight changes) so we can test this PR.

[rna-afk]

/test ci/prow/e2e-azure-nat-gateway-single-zone

[openshift-ci]

@rna-afk: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test aro-unit

/test artifacts-images

/test e2e-agent-compact-ipv4

/test e2e-aws-ovn

/test e2e-aws-ovn-edge-zones-manifest-validation

/test e2e-aws-ovn-upi

/test e2e-azure-nat-gateway-single-zone

/test e2e-azure-ovn

/test e2e-gcp-ovn

/test e2e-gcp-ovn-upi

/test e2e-metal-ipi-ovn-ipv6

/test e2e-openstack-ovn

/test e2e-vsphere-ovn

/test e2e-vsphere-ovn-upi

/test gofmt

/test golint

/test govet

/test images

/test integration-tests

/test integration-tests-nodejoiner

/test openstack-manifests

/test unit

/test verify-codegen

/test verify-deps

/test verify-vendor

The following commands are available to trigger optional jobs:

/test aws-private

/test azure-ovn-marketplace-images

/test azure-private

/test e2e-agent-4control-ipv4

/test e2e-agent-5control-ipv4

/test e2e-agent-compact-ipv4-appliance-diskimage

/test e2e-agent-compact-ipv4-none-platform

/test e2e-agent-compact-ipv6-minimaliso

/test e2e-agent-ha-dualstack

/test e2e-agent-sno-ipv4-pxe

/test e2e-agent-sno-ipv6

/test e2e-aws-byo-subnet-role-security-groups

/test e2e-aws-default-config

/test e2e-aws-overlay-mtu-ovn-1200

/test e2e-aws-ovn-custom-iam-profile

/test e2e-aws-ovn-edge-zones

/test e2e-aws-ovn-fips

/test e2e-aws-ovn-heterogeneous

/test e2e-aws-ovn-imdsv2

/test e2e-aws-ovn-proxy

/test e2e-aws-ovn-public-ipv4-pool

/test e2e-aws-ovn-public-ipv4-pool-disabled

/test e2e-aws-ovn-public-subnets

/test e2e-aws-ovn-shared-vpc-custom-security-groups

/test e2e-aws-ovn-shared-vpc-edge-zones

/test e2e-aws-ovn-single-node

/test e2e-aws-ovn-techpreview

/test e2e-aws-ovn-upgrade

/test e2e-aws-ovn-user-provisioned-dns

/test e2e-aws-upi-proxy

/test e2e-azure-default-config

/test e2e-azure-ovn-multidisk-techpreview

/test e2e-azure-ovn-resourcegroup

/test e2e-azure-ovn-shared-vpc

/test e2e-azure-ovn-techpreview

/test e2e-azure-ovn-upi

/test e2e-azurestack

/test e2e-azurestack-upi

/test e2e-crc

/test e2e-external-aws

/test e2e-external-aws-ccm

/test e2e-gcp-default-config

/test e2e-gcp-ovn-byo-vpc

/test e2e-gcp-ovn-heterogeneous

/test e2e-gcp-ovn-techpreview

/test e2e-gcp-ovn-xpn

/test e2e-gcp-secureboot

/test e2e-gcp-upgrade

/test e2e-gcp-upi-xpn

/test e2e-gcp-user-provisioned-dns

/test e2e-ibmcloud-ovn

/test e2e-metal-assisted

/test e2e-metal-ipi-ovn

/test e2e-metal-ipi-ovn-dualstack

/test e2e-metal-ipi-ovn-swapped-hosts

/test e2e-metal-ipi-ovn-virtualmedia

/test e2e-metal-ovn-two-node-arbiter

/test e2e-metal-ovn-two-node-fencing

/test e2e-metal-single-node-live-iso

/test e2e-nutanix-ovn

/test e2e-openstack-ccpmso

/test e2e-openstack-ccpmso-zone

/test e2e-openstack-dualstack

/test e2e-openstack-dualstack-upi

/test e2e-openstack-externallb

/test e2e-openstack-nfv-intel

/test e2e-openstack-proxy

/test e2e-openstack-singlestackv6

/test e2e-powervs-capi-ovn

/test e2e-vsphere-externallb-ovn

/test e2e-vsphere-host-groups-ovn-custom-no-upgrade

/test e2e-vsphere-multi-vcenter-ovn

/test e2e-vsphere-ovn-hybrid-env

/test e2e-vsphere-ovn-multi-disk

/test e2e-vsphere-ovn-multi-network

/test e2e-vsphere-ovn-multi-network-techpreview

/test e2e-vsphere-ovn-techpreview

/test e2e-vsphere-ovn-upi-zones

/test e2e-vsphere-ovn-zones

/test e2e-vsphere-ovn-zones-techpreview

/test e2e-vsphere-static-ovn

/test gcp-private

/test okd-scos-e2e-aws-ovn

/test okd-scos-images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-installer-main-aro-unit

pull-ci-openshift-installer-main-artifacts-images

pull-ci-openshift-installer-main-azure-ovn-marketplace-images

pull-ci-openshift-installer-main-azure-private

pull-ci-openshift-installer-main-e2e-aws-ovn

pull-ci-openshift-installer-main-e2e-azure-default-config

pull-ci-openshift-installer-main-e2e-azure-ovn

pull-ci-openshift-installer-main-e2e-azure-ovn-resourcegroup

pull-ci-openshift-installer-main-e2e-azure-ovn-shared-vpc

pull-ci-openshift-installer-main-e2e-azurestack

pull-ci-openshift-installer-main-e2e-vsphere-externallb-ovn

pull-ci-openshift-installer-main-e2e-vsphere-ovn-multi-network

pull-ci-openshift-installer-main-e2e-vsphere-static-ovn

pull-ci-openshift-installer-main-gofmt

pull-ci-openshift-installer-main-golint

pull-ci-openshift-installer-main-govet

pull-ci-openshift-installer-main-images

pull-ci-openshift-installer-main-okd-scos-e2e-aws-ovn

pull-ci-openshift-installer-main-okd-scos-images

pull-ci-openshift-installer-main-unit

pull-ci-openshift-installer-main-verify-codegen

pull-ci-openshift-installer-main-verify-deps

pull-ci-openshift-installer-main-verify-vendor

Details

In response to this:

/test ci/prow/e2e-azure-nat-gateway-single-zone

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[patrickdillon]

/test e2e-azure-nat-gateway-single-zone

[rna-afk]

/test e2e-azure-nat-gateway-single-zone

[openshift-ci]

@rna-afk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	9ea9f83	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-azurestack	9ea9f83	link	false	/test e2e-azurestack
ci/prow/e2e-azure-ovn-resourcegroup	9ea9f83	link	false	/test e2e-azure-ovn-resourcegroup
ci/prow/e2e-vsphere-externallb-ovn	9ea9f83	link	false	/test e2e-vsphere-externallb-ovn
ci/prow/e2e-vsphere-ovn-multi-network	9ea9f83	link	false	/test e2e-vsphere-ovn-multi-network

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[patrickdillon]

/approve

shoot, I thought we merged this a while ago... I can tag in a moment, just going to do a final test

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[patrickdillon]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 97a12cf and 2 for PR HEAD 9ea9f83 in total

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-installer
This PR has been included in build ose-installer-container-v4.20.0-202508080613.p0.g569bbc8.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-baremetal-installer
This PR has been included in build ose-baremetal-installer-container-v4.20.0-202508080613.p0.g569bbc8.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-installer-artifacts
This PR has been included in build ose-installer-artifacts-container-v4.20.0-202508080613.p0.g569bbc8.assembly.stream.el9.
All builds following this will include this PR.