Allow to specify an own IPv6 IPAM pool (#1573)

* Allow to specify an own IPv6 IPAM pool.

* Add intergration test for ipam pool.

* Provide type for IPAM pool config.

* Add documentation

* Make generate

* Address review comments.

Author: axel7born

docs/usage/ipv6.md

@@ -153,6 +153,31 @@ To create an IPv6 shoot cluster or a dual-stack shoot within your own Virtual Pr
 ![bring your own vpc](./images/bring-your-own-vpc.png)
 An egress-only internet gateway is required for outbound internet traffic (IPv6) from the instances within your VPC. Please create one egress-only internet gateway and attach it to the VPC. Please also make sure that the VPC has an attached internet gateway and the following attributes set: `enableDnsHostnames` and `enableDnsSupport` as described under [usage](usage.md#infrastructureConfig).
 
+### Configuring a Custom IPv6 IPAM Pool
+
+By default, AWS will assign an Amazon-provided IPv6 CIDR block to a newly created VPC for IPv6 / dual-stack shoot clusters. If you want to control from which pool the VPC IPv6 CIDR is allocated (for example to ensure consistent addressing across multiple clusters or accounts), you can reference an existing AWS IPAM pool via the `infrastructureConfig.networks.vpc.ipv6IpamPool` field.
+
+```yaml
+provider:
+  type: aws
+  infrastructureConfig:
+    apiVersion: aws.provider.extensions.gardener.cloud/v1alpha1
+    kind: InfrastructureConfig
+    networks:
+      vpc:
+        ipv6IpamPool:
+          id: ipam-pool-0123456789abcdef0
+...
+```
+
+Requirements & notes:
+* The referenced pool must exist in the same AWS account & region as the shoot infrastructure.
+* The pool must be IPv6 and have available capacity for a /56 CIDR; otherwise VPC creation will fail.
+* Only the pool ID is used; the extension currently always requests an IPv6 netmask length of /56 (not configurable yet).
+* Changing the pool after creation is not supported (VPC IPv6 CIDRs are immutable once associated).
+
+Use this option when you operate centralized IP address management and need deterministic allocation ranges across shoots.
+
 ### Migration of IPv4-only Shoot Clusters to Dual-Stack
 
 To migrate an IPv4-only shoot cluster to Dual-Stack simply change the `.spec.networking.ipFamilies` field in the `Shoot` resource from `IPv4` to `IPv4, IPv6` as shown below.

hack/api-reference/api.md

@@ -959,6 +959,37 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="aws.provider.extensions.gardener.cloud/v1alpha1.IPAMPool">IPAMPool
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#aws.provider.extensions.gardener.cloud/v1alpha1.VPC">VPC</a>)
+</p>
+<p>
+<p>IPAMPool represents an AWS IPAM pool referenced for IPv6 address allocation of the VPC.
+Currently only the ID is required; future fields may extend configuration.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>id</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>ID is the IPAM pool id.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="aws.provider.extensions.gardener.cloud/v1alpha1.IgnoreTags">IgnoreTags
 </h3>
 <p>
@@ -1839,6 +1870,22 @@ string
 <p>GatewayEndpoints service names to configure as gateway endpoints in the VPC.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>ipv6IpamPool</code></br>
+<em>
+<a href="#aws.provider.extensions.gardener.cloud/v1alpha1.IPAMPool">
+IPAMPool
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Ipv6IpamPool references an AWS IPv6 IPAM pool used to allocate the VPC&rsquo;s IPv6 CIDR block.
+If specified, the extension will request the VPC&rsquo;s IPv6 CIDR from this pool instead of
+letting AWS auto-assign one. The pool must already exist in the target account/region.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="aws.provider.extensions.gardener.cloud/v1alpha1.VPCStatus">VPCStatus

pkg/apis/aws/types_infrastructure.go

@@ -115,6 +115,14 @@ type VPC struct {
 	CIDR *string
 	// GatewayEndpoints service names to configure as gateway endpoints in the VPC.
 	GatewayEndpoints []string
+	// Ipv6IpamPool references an AWS IPv6 IPAM pool used to allocate the VPC's IPv6 CIDR block.
+	Ipv6IpamPool *IPAMPool
+}
+
+// IPAMPool references an AWS IPAM pool that should be used to allocate the VPC's CIDR.
+type IPAMPool struct {
+	// ID is the IPAM pool id.
+	ID *string
 }
 
 // VPCStatus contains information about a generated VPC or resources inside an existing VPC.

pkg/apis/aws/v1alpha1/types_infrastructure.go

@@ -127,6 +127,18 @@ type VPC struct {
 	// GatewayEndpoints service names to configure as gateway endpoints in the VPC.
 	// +optional
 	GatewayEndpoints []string `json:"gatewayEndpoints,omitempty"`
+	// Ipv6IpamPool references an AWS IPv6 IPAM pool used to allocate the VPC's IPv6 CIDR block.
+	// If specified, the extension will request the VPC's IPv6 CIDR from this pool instead of
+	// letting AWS auto-assign one. The pool must already exist in the target account/region.
+	// +optional
+	Ipv6IpamPool *IPAMPool `json:"ipv6IpamPool,omitempty"`
+}
+
+// IPAMPool represents an AWS IPAM pool referenced for IPv6 address allocation of the VPC.
+// Currently only the ID is required; future fields may extend configuration.
+type IPAMPool struct {
+	// ID is the IPAM pool id.
+	ID *string `json:"id"`
 }
 
 // VPCStatus contains information about a generated VPC or resources inside an existing VPC.

pkg/apis/aws/v1alpha1/zz_generated.conversion.go

@@ -801,6 +801,8 @@ func (c *Client) CreateVpc(ctx context.Context, desired *VPC) (*VPC, error) {
 		AmazonProvidedIpv6CidrBlock: aws.Bool(desired.AssignGeneratedIPv6CidrBlock),
 		TagSpecifications:           desired.ToTagSpecifications(ec2types.ResourceTypeVpc),
 		InstanceTenancy:             desired.InstanceTenancy,
+		Ipv6IpamPoolId:              desired.Ipv6IpamPoolId,
+		Ipv6NetmaskLength:           desired.Ipv6NetmaskLength,
 	}
 	output, err := c.EC2.CreateVpc(ctx, input)
 	if err != nil {

pkg/apis/aws/v1alpha1/zz_generated.deepcopy.go

@@ -234,6 +234,8 @@ type VPC struct {
 	EnableDnsSupport             bool
 	EnableDnsHostnames           bool
 	AssignGeneratedIPv6CidrBlock bool
+	Ipv6IpamPoolId               *string
+	Ipv6NetmaskLength            *int32
 	DhcpOptionsId                *string
 	InstanceTenancy              ec2types.Tenancy
 	State                        *string

pkg/apis/aws/zz_generated.deepcopy.go

@@ -31,11 +31,12 @@ import (
 )
 
 const (
-	defaultTimeout     = 90 * time.Second
-	defaultLongTimeout = 3 * time.Minute
-	allIPv4            = "0.0.0.0/0"
-	allIPv6            = "::/0"
-	nat64Prefix        = "64:ff9b::/96"
+	defaultTimeout         = 90 * time.Second
+	defaultLongTimeout     = 3 * time.Minute
+	allIPv4                = "0.0.0.0/0"
+	allIPv6                = "::/0"
+	nat64Prefix            = "64:ff9b::/96"
+	defaultIPv6NetmaskSize = 56
 )
 
 // Reconcile creates and runs the flow to reconcile the AWS infrastructure.
@@ -198,12 +199,21 @@ func (c *FlowContext) ensureManagedVpc(ctx context.Context) error {
 		instanceTenancy = ec2types.TenancyDedicated
 	}
 	desired := &awsclient.VPC{
-		Tags:                         c.commonTags,
-		EnableDnsSupport:             true,
-		EnableDnsHostnames:           true,
-		AssignGeneratedIPv6CidrBlock: (c.config.DualStack != nil && c.config.DualStack.Enabled) || isIPv6(c.getIpFamilies()),
-		DhcpOptionsId:                c.state.Get(IdentifierDHCPOptions),
-		InstanceTenancy:              instanceTenancy,
+		Tags:               c.commonTags,
+		EnableDnsSupport:   true,
+		EnableDnsHostnames: true,
+		DhcpOptionsId:      c.state.Get(IdentifierDHCPOptions),
+		InstanceTenancy:    instanceTenancy,
+	}
+
+	if (c.config.DualStack != nil && c.config.DualStack.Enabled) || isIPv6(c.getIpFamilies()) {
+		if c.config.Networks.VPC.Ipv6IpamPool != nil && c.config.Networks.VPC.Ipv6IpamPool.ID != nil {
+			desired.AssignGeneratedIPv6CidrBlock = false
+			desired.Ipv6IpamPoolId = c.config.Networks.VPC.Ipv6IpamPool.ID
+			desired.Ipv6NetmaskLength = ptr.To(int32(defaultIPv6NetmaskSize))
+		} else {
+			desired.AssignGeneratedIPv6CidrBlock = true
+		}
 	}
 
 	if c.config.Networks.VPC.CIDR == nil {