From 6b6a2b9ce45bd9c694863b28ad4359947728bdb4 Mon Sep 17 00:00:00 2001
From: Andrew Block
Date: Thu, 15 May 2025 04:16:25 -0500
Subject: [PATCH] Automated creation of Azure NAT Gateway
Signed-off-by: Andrew Block
---
README.md | 9 +---
ansible/azure-nat-gateway.yaml | 89 ++++++++++++++++++++++++++++++++++
values-simple.yaml | 4 ++
3 files changed, 94 insertions(+), 8 deletions(-)
create mode 100644 ansible/azure-nat-gateway.yaml
diff --git a/README.md b/README.md
index ae9ffd69..1adc8a3c 100644
--- a/README.md
+++ b/README.md
@@ -27,9 +27,6 @@ Future work includes: - If not using ARO you must either provide your own CA signed certs, or use let's encrypt. - Must be on 4.16.14 or later. -> [!IMPORTANT] -> Users must provide a NAT Gateway attached to the worker node subnet when using Azure. - ## Major versions ### `2.*`
@@ -90,11 +87,6 @@ This only has to be done once. > [!NOTE] > Once generated this script will not override secrets. Be careful when doing multiple tests. -#### Check your cluster on Azure has a NAT gateway attached -OpenShift does not require a NAT gateway by default, however, peer-pods do require a NAT gateway attached to the worker node subnet. - -> [!NOTE] -> #### Configuring let's encrypt. > [!IMPORTANT]
@@ -148,6 +140,7 @@ Red Hat a demo platform. This allows easy access for Red Hat associates and part
 2. Get access to an [Azure Subscription Based Blank Open Environment](https://catalog.demo.redhat.com/catalog?category=Open_Environments&search=azure&item=babylon-catalog-prod%2Fazure-gpte.open-environment-azure-subscription.prod).
 3. Import the required azure environmental variables (see coded block):
 ```
+ export GUID=
 export CLIENT_ID=
 export PASSWORD=
 export TENANT=
diff --git a/ansible/azure-nat-gateway.yaml b/ansible/azure-nat-gateway.yaml
new file mode 100644
index 00000000..6ff012c4
--- /dev/null
+++ b/ansible/azure-nat-gateway.yaml
@@ -0,0 +1,89 @@
+---
+
+- name: Configure Azure NAT Gateway
+ become: false
+ connection: local
+ hosts: localhost
+ gather_facts: false
+ vars:
+ kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
+ resource_prefix: "coco"
+ tasks:
+ - name: Get Azure credentials
+ kubernetes.core.k8s_info:
+ kind: Secret
+ namespace: openshift-cloud-controller-manager
+ name: azure-cloud-credentials
+ register: azure_credentials
+ retries: 20
+ delay: 5
+
+ - name: Get Azure credentials
+ kubernetes.core.k8s_info:
+ kind: ConfigMap
+ namespace: openshift-cloud-controller-manager
+ name: cloud-conf
+ register: azure_cloud_conf
+ retries: 20
+ delay: 5
+
+ - name: Set facts
+ ansible.builtin.set_fact:
+ azure_subscription_id: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['subscriptionId'] }}"
+ azure_tenant_id: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['tenantId'] }}"
+ azure_resource_group: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['vnetResourceGroup'] }}"
+ azure_client_id: "{{ azure_credentials.resources[0]['data']['azure_client_id'] | b64decode }}"
+ azure_client_secret: "{{ azure_credentials.resources[0]['data']['azure_client_secret'] | b64decode }}"
+ azure_vnet: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['vnetName'] }}"
+ azure_subnet: "{{ (azure_cloud_conf.resources[0]['data']['cloud.conf'] | from_json)['subnetName'] }}"
+ coco_public_ip_name: "{{ resource_prefix }}-pip"
+ coco_nat_gateway_name: "{{ resource_prefix }}-nat-gateway"
+ no_log: true
+
+ - name: Create Public IP for NAT Gateway
+ azure_rm_publicipaddress:
+ subscription_id: "{{ azure_subscription_id }}"
+ tenant: "{{ azure_tenant_id }}"
+ client_id: "{{ azure_client_id }}"
+ secret: "{{ azure_client_secret }}"
+ resource_group: "{{ azure_resource_group }}"
+ name: "{{ coco_public_ip_name }}"
+ sku: "standard"
+ allocation_method: "static"
+
+ - name: Retrieve Public IP for NAT Gateway
+ azure_rm_publicipaddress_info:
+ subscription_id: "{{ azure_subscription_id }}"
+ tenant: "{{ azure_tenant_id }}"
+ client_id: "{{ azure_client_id }}"
+ secret: "{{ azure_client_secret }}"
+ resource_group: "{{ azure_resource_group }}"
+ name: "{{ coco_public_ip_name }}"
+ register: coco_gw_public_ip
+
+ - name: Create NAT Gateway
+ azure.azcollection.azure_rm_natgateway:
+ subscription_id: "{{ azure_subscription_id }}"
+ tenant: "{{ azure_tenant_id }}"
+ client_id: "{{ azure_client_id }}"
+ secret: "{{ azure_client_secret }}"
+ resource_group: "{{ azure_resource_group }}"
+ name: "{{ coco_nat_gateway_name }}"
+ idle_timeout_in_minutes: 10
+ sku:
+ name: standard
+ public_ip_addresses:
+ - "{{ coco_gw_public_ip.publicipaddresses[0].id }}"
+ register: coco_natgw
+
+ - name: Update the worker subnet to associate NAT gateway
+ azure.azcollection.azure_rm_subnet:
+ subscription_id: "{{ azure_subscription_id }}"
+ tenant: "{{ azure_tenant_id }}"
+ client_id: "{{ azure_client_id }}"
+ secret: "{{ azure_client_secret }}"
+ resource_group: "{{ azure_resource_group }}"
+ name: "{{ azure_subnet }}"
+ virtual_network_name: "{{ azure_vnet }}"
+ nat_gateway: "{{ coco_nat_gateway_name }}"
+...
diff --git a/values-simple.yaml b/values-simple.yaml
index 3663c479..86a54035 100644
--- a/values-simple.yaml
+++ b/values-simple.yaml
@@ -126,6 +126,10 @@ clusterGroup:
 #image: quay.io/hybridcloudpatterns/ansible-edge-gitops-ee:latest
 verbosity: -vvv
 timeout: 3600
+ - name: configure-azure-nat-gateway
+ playbook: ansible/azure-nat-gateway.yaml
+ verbosity: -vvv
+ timeout: 3600
 managedClusterGroups:
 exampleRegion:
 name: group-one
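Review bot: The two `kubernetes.core.k8s_info` lookups set `retries: 20` and `delay: 5` without an `until:` condition, so the retries only apply if the task itself fails, and `k8s_info` does not fail on a missing object — it returns ok with an empty `resources` list, after which `Set facts` dies on `resources[0]` behind `no_log: true` with nothing useful in the log. Add `until: azure_credentials.resources | length > 0` to the Secret task and `until: azure_cloud_conf.resources | length > 0` to the ConfigMap task so the polling actually waits for the objects and the eventual error names what is missing. The Secret lookup should also carry `no_log: true` of its own: the registered `azure_credentials` contains the base64-encoded `azure_client_secret`, and with the `-vvv` verbosity that values-simple.yaml sets for this playbook the task result is written to the job output in full. Both lookup tasks are named `Get Azure credentials`; the second one reads `cloud-conf`, so `- name: Get Azure cloud configuration` would keep the play output unambiguous.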