OpenShift Bugs / OCPBUGS-31347

default security group for HCP is incorrect when the VPC has multiple CIDR blocks



    Description

      Description of problem:

      When creating an HCP cluster in a VPC with multiple CIDR ranges, the security group created in the hosted cluster's AWS console will have the CIDR for the first range only, which causes the worker nodes created in the other CIDR range to fail.

      Version-Release number of selected component (if applicable):

      4.15

      How reproducible:

      always

      Steps to Reproduce:

          1. Setup VPC in AWS, with default CIDR, like 10.0.0.1/16
          2. Add an additional associated CIDR range in the VPC, like 10.1.0.0/16
          3. Create the HCP cluster with machine-cidr set to a broader range that includes both, like --machine-cidr=10.0.0.0/8
          4. Check the security group created in the guest aws console
          

      Actual results:

          The security group will be created with the first CIDR range only.

      Expected results:

          It should follow the value specified in machine-cidr    

      Additional info:

      The code in the hypershift controller is:
      https://github.com/openshift/hypershift/blob/main/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go#L4580C1-L4580C60
      We can see it creates the default SG with the value of "Vpcs[0].CidrBlock"
      
      From the AWS client, the return when fetching the VPC:
              {
                  "CidrBlock": "10.0.0.0/16",                <-----------
                  "DhcpOptionsId": "dopt-1d155e67",
                  "State": "available",
                  "VpcId": "vpc-0d8e7a32557b5c292",
                  "OwnerId": "xxxxxxxxxxx",
                  "InstanceTenancy": "default",
                  "CidrBlockAssociationSet": [
                      {
                          "AssociationId": "vpc-cidr-assoc-02e67148281421e84",
                          "CidrBlock": "10.0.0.0/16",
                          "CidrBlockState": {
                              "State": "associated"
                          }
                      },
                      {
                          "AssociationId": "vpc-cidr-assoc-049a58bb03a52be4a",
                          "CidrBlock": "10.1.0.0/16",         <-------------
                          "CidrBlockState": {
                              "State": "associated"
                          }
                      }
                  ],
                  "IsDefault": false,
                  "Tags": [
                      {
                          "Key": "Name",
                          "Value": "bmeng-hcp"
                      }
                  ]
              },

       

      The same setup works well for normal OCP clusters.
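Added example (not code from the hypershift repository or from the reporter): the difference between reading only Vpcs[0].CidrBlock and walking CidrBlockAssociationSet, checked against a node address in the secondary range. The struct and function names (vpc, primaryCIDROnly, allAssociatedCIDRs, covered) are this example's own, the structs mirror only the fields of the DescribeVpcs response that matter here, and sampleVPC is a constructed input trimmed from the JSON quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// cidrAssociation mirrors one entry of CidrBlockAssociationSet in the
// ec2 DescribeVpcs response; only the fields used below are declared.
type cidrAssociation struct {
	AssociationID  string `json:"AssociationId"`
	CidrBlock      string `json:"CidrBlock"`
	CidrBlockState struct {
		State string `json:"State"`
	} `json:"CidrBlockState"`
}

// vpc mirrors the subset of the Vpc object the controller looks at.
type vpc struct {
	VpcID                   string            `json:"VpcId"`
	CidrBlock               string            `json:"CidrBlock"`
	CidrBlockAssociationSet []cidrAssociation `json:"CidrBlockAssociationSet"`
}

// sampleVPC is a constructed input, trimmed from the DescribeVpcs output
// quoted in the report: a primary 10.0.0.0/16 plus an associated 10.1.0.0/16.
const sampleVPC = `{
  "CidrBlock": "10.0.0.0/16",
  "VpcId": "vpc-0d8e7a32557b5c292",
  "CidrBlockAssociationSet": [
    {"AssociationId": "vpc-cidr-assoc-02e67148281421e84", "CidrBlock": "10.0.0.0/16",
     "CidrBlockState": {"State": "associated"}},
    {"AssociationId": "vpc-cidr-assoc-049a58bb03a52be4a", "CidrBlock": "10.1.0.0/16",
     "CidrBlockState": {"State": "associated"}}
  ]
}`

func loadVPC(raw string) (vpc, error) {
	var v vpc
	err := json.Unmarshal([]byte(raw), &v)
	return v, err
}

// primaryCIDROnly reproduces the behaviour described in the report: the
// security-group rules are built from Vpcs[0].CidrBlock alone.
func primaryCIDROnly(v vpc) []string {
	return []string{v.CidrBlock}
}

// allAssociatedCIDRs is the corrected selection: every CIDR in the
// association set whose state is "associated". Entries in "disassociated"
// or "failed" states are skipped so a stale range never lands in an SG rule.
func allAssociatedCIDRs(v vpc) []string {
	var out []string
	for _, a := range v.CidrBlockAssociationSet {
		if a.CidrBlockState.State == "associated" && a.CidrBlock != "" {
			out = append(out, a.CidrBlock)
		}
	}
	if len(out) == 0 { // defensive fallback for a VPC with no association set
		out = append(out, v.CidrBlock)
	}
	return out
}

// covered reports whether ip falls inside at least one of cidrs, i.e. whether
// a node at that address would match an ingress rule sourced from those CIDRs.
func covered(cidrs []string, ip string) (bool, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false, fmt.Errorf("invalid IP %q", ip)
	}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, err
		}
		if n.Contains(addr) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	v, err := loadVPC(sampleVPC)
	if err != nil {
		panic(err)
	}
	node := "10.1.4.7" // a worker placed in the secondary range
	for name, cidrs := range map[string][]string{
		"Vpcs[0].CidrBlock only":  primaryCIDROnly(v),
		"CidrBlockAssociationSet": allAssociatedCIDRs(v),
	} {
		ok, _ := covered(cidrs, node)
		fmt.Printf("%-24s %v -> node %s covered: %v\n", name, cidrs, node, ok)
	}
}
```

Run as-is to see the two selections side by side: with the primary block alone a worker at 10.1.4.7 matches no SG source range, while the association-set walk covers it. Filtering on the "associated" state matters because a CIDR that is mid-disassociation still appears in the set.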

          People

            cewong@redhat.com Cesar Wong
            bmeng_sre.openshift Bo Meng
            Jie Zhao Jie Zhao