updated logic

Author: rejain789

cns/NetworkContainerContract.go

@@ -129,7 +129,6 @@ type CreateNetworkContainerRequest struct {
 	EndpointPolicies           []NetworkContainerRequestPolicies
 	NCStatus                   v1alpha.NCStatus
 	NetworkInterfaceInfo       NetworkInterfaceInfo //nolint // introducing new field for backendnic, to be used later by cni code
-	Scenario                   v1alpha.NCType       //nolint // introducing new field for nnc reconciler
 }
 
 func (req *CreateNetworkContainerRequest) Validate() error {

cns/kubecontroller/nodenetworkconfig/conversion.go

@@ -67,7 +67,6 @@ func CreateNCRequestFromDynamicNC(nc v1alpha.NetworkContainer) (*cns.CreateNetwo
 			GatewayIPAddress: nc.DefaultGateway,
 		},
 		NCStatus: nc.Status,
-		Scenario: nc.Type,
 	}, nil
 }
 

cns/kubecontroller/nodenetworkconfig/conversion_linux.go

@@ -63,6 +63,5 @@ func createNCRequestFromStaticNCHelper(nc v1alpha.NetworkContainer, primaryIPPre
 		NetworkInterfaceInfo: cns.NetworkInterfaceInfo{
 			MACAddress: nc.MacAddress,
 		},
-		Scenario: nc.Type,
 	}, nil
 }

cns/restserver/internalapi.go

@@ -23,7 +23,6 @@ import (
 	"github.com/Azure/azure-container-networking/common"
 	"github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha"
 	"github.com/pkg/errors"
-	"go.uber.org/zap"
 )
 
 const (
@@ -36,9 +35,6 @@ const (
 // internal APIs (definde in internalapi.go).
 // This will be used internally (say by RequestController in case of AKS)
 
-// Initialize a zap logger instance
-var zapLogger, _ = zap.NewProduction()
-
 // GetPartitionKey - Get dnc/service partition key
 func (service *HTTPRestService) GetPartitionKey() (dncPartitionKey string) {
 	service.RLock()
@@ -634,11 +630,15 @@ func (service *HTTPRestService) CreateOrUpdateNetworkContainerInternal(req *cns.
 	if ok {
 		existingReq := existingNCInfo.CreateNetworkContainerRequest
 		if !reflect.DeepEqual(existingReq.IPConfiguration.IPSubnet, req.IPConfiguration.IPSubnet) {
-			if req.Scenario != v1alpha.Overlay { // if overlay -> potentially an overlay subnet expansion is occurring, skip this check
-				zapLogger.Error("[Azure CNS] Error. PrimaryCA is not same",
-					zap.String("NCId", req.NetworkContainerid),
-					zap.String("oldCA", fmt.Sprintf("%s/%d", existingReq.IPConfiguration.IPSubnet.IPAddress, existingReq.IPConfiguration.IPSubnet.PrefixLength)),
-					zap.String("newCA", fmt.Sprintf("%s/%d", req.IPConfiguration.IPSubnet.IPAddress, req.IPConfiguration.IPSubnet.PrefixLength)))
+			// check for potential overlay subnet expansion - checking if new subnet is a superset of old subnet
+			err := validateCIDRSuperset(req.IPConfiguration.IPSubnet.IPAddress, existingReq.IPConfiguration.IPSubnet.IPAddress)
+			if err != nil {
+				logger.Errorf("[Azure CNS] Error. PrimaryCA is not same, NCId %s, old CA %s/%d, new CA %s/%d", //nolint:staticcheck // Suppress SA1019: logger.Errorf is deprecated
+					req.NetworkContainerid,
+					existingReq.IPConfiguration.IPSubnet.IPAddress,
+					existingReq.IPConfiguration.IPSubnet.PrefixLength,
+					req.IPConfiguration.IPSubnet.IPAddress,
+					req.IPConfiguration.IPSubnet.PrefixLength)
 				return types.PrimaryCANotSame
 			}
 		}
@@ -726,3 +726,39 @@ func (service *HTTPRestService) GetIMDSNCs(ctx context.Context) (map[string]stri
 
 	return ncs, nil
 }
+
+// IsCIDRSuperset returns true if newCIDR is a superset of oldCIDR (i.e., all IPs in oldCIDR are contained in newCIDR).
+func validateCIDRSuperset(newCIDR, oldCIDR string) error {
+	_, newNet, err := net.ParseCIDR(newCIDR)
+	if err != nil {
+		return errors.Wrapf(err, "parsing newCIDR %q", newCIDR)
+	}
+	_, oldNet, err := net.ParseCIDR(oldCIDR)
+	if err != nil {
+		return errors.Wrapf(err, "parsing oldCIDR %q", oldCIDR)
+	}
+
+	// Check that the network family matches (both IPv4 or both IPv6)
+	if len(newNet.IP) != len(oldNet.IP) {
+		return errors.New("CIDRs belong to different IP families")
+	}
+
+	// Check that the old network's base IP is contained in the new network
+	if !newNet.Contains(oldNet.IP) {
+		return errors.New("old network's base IP is not contained in the new network")
+	}
+
+	// Calculate the last IP in oldNet
+	oldLastIP := make(net.IP, len(oldNet.IP))
+	for i := range oldNet.IP {
+		oldLastIP[i] = oldNet.IP[i] | ^oldNet.Mask[i]
+	}
+
+	// Check that the last IP in oldNet is also contained in newNet
+	if !newNet.Contains(oldLastIP) {
+		return errors.New("last IP of old network is not contained in new network")
+	}
+
+	// If both the first and last IPs of oldNet are in newNet, oldNet is fully contained in newNet
+	return nil
+}

cns/restserver/internalapi_test.go

@@ -66,84 +66,112 @@ func TestReconcileNCStatePrimaryIPChangeShouldFail(t *testing.T) {
 	setOrchestratorTypeInternal(cns.KubernetesCRD)
 	svc.state.ContainerStatus = make(map[string]containerstatus)
 
-	// start with a NC in state
-	ncID := "555ac5c9-89f2-4b5d-b8d0-616894d6d151"
-	svc.state.ContainerStatus[ncID] = containerstatus{
-		ID:          ncID,
-		VMVersion:   "0",
-		HostVersion: "0",
-		CreateNetworkContainerRequest: cns.CreateNetworkContainerRequest{
-			NetworkContainerid: ncID,
-			IPConfiguration: cns.IPConfiguration{
-				IPSubnet: cns.IPSubnet{
-					IPAddress:    "10.0.1.0",
-					PrefixLength: 24,
+	testCases := []struct {
+		existingIPAddress string
+		requestIPAddress  string
+	}{
+		{"", "10.240.0.0/16"},
+		{"10.240.0.0", "2001:db8::/64"},
+		{"2001:db8::/64", "10.240.0.0/16"},
+		{"10.0.1.0/22", "10.0.2.0/24"},
+		{"10.0.1.0/21", "10.0.1.0/23"},
+		{"10.0.1.0", "10.0.0.0/15"},
+		{"10.0.1.0/15", "10.0.0.0"},
+	}
+
+	// Run test cases
+	for _, tc := range testCases {
+		// start with a NC in state
+		ncID := "555ac5c9-89f2-4b5d-b8d0-616894d6d151"
+		svc.state.ContainerStatus[ncID] = containerstatus{
+			ID:          ncID,
+			VMVersion:   "0",
+			HostVersion: "0",
+			CreateNetworkContainerRequest: cns.CreateNetworkContainerRequest{
+				NetworkContainerid: ncID,
+				IPConfiguration: cns.IPConfiguration{
+					IPSubnet: cns.IPSubnet{
+						IPAddress:    tc.existingIPAddress,
+						PrefixLength: 24,
+					},
 				},
 			},
-		},
-	}
+		}
 
-	ncReqs := []*cns.CreateNetworkContainerRequest{
-		{
-			NetworkContainerid: ncID,
-			IPConfiguration: cns.IPConfiguration{
-				IPSubnet: cns.IPSubnet{
-					IPAddress:    "10.0.2.0", // note this IP has changed
-					PrefixLength: 24,
+		ncReqs := []*cns.CreateNetworkContainerRequest{
+			{
+				NetworkContainerid: ncID,
+				IPConfiguration: cns.IPConfiguration{
+					IPSubnet: cns.IPSubnet{
+						IPAddress:    tc.requestIPAddress,
+						PrefixLength: 24,
+					},
 				},
 			},
-		},
-	}
+		}
 
-	// now try to reconcile the state where the NC primary IP has changed
-	resp := svc.ReconcileIPAMStateForSwift(ncReqs, map[string]cns.PodInfo{}, &v1alpha.NodeNetworkConfig{})
+		// now try to reconcile the state where the NC primary IP has changed
+		resp := svc.ReconcileIPAMStateForSwift(ncReqs, map[string]cns.PodInfo{}, &v1alpha.NodeNetworkConfig{})
+
+		assert.Equal(t, types.PrimaryCANotSame, resp)
+	}
 
-	assert.Equal(t, types.PrimaryCANotSame, resp)
 }
 
 // TestReconcileNCStatePrimaryIPChangeShouldNotFail tests that reconciling NC state with
-// a NC whose IP has changed should not fail for overlay clusters
+// a NC whose IP has changed should not fail if new IP is superset of old IP
 func TestReconcileNCStatePrimaryIPChangeShouldNotFail(t *testing.T) {
 	restartService()
 	setEnv(t)
 	setOrchestratorTypeInternal(cns.KubernetesCRD)
 	svc.state.ContainerStatus = make(map[string]containerstatus)
 
-	// start with a NC in state
-	ncID := "555ac5c9-89f2-4b5d-b8d0-616894d6d151"
-	svc.state.ContainerStatus[ncID] = containerstatus{
-		ID:          ncID,
-		VMVersion:   "0",
-		HostVersion: "0",
-		CreateNetworkContainerRequest: cns.CreateNetworkContainerRequest{
-			NetworkContainerid: ncID,
-			IPConfiguration: cns.IPConfiguration{
-				IPSubnet: cns.IPSubnet{
-					IPAddress:    "10.0.1.0",
-					PrefixLength: 24,
+	testCases := []struct {
+		existingIPAddress string
+		requestIPAddress  string
+	}{
+		{"10.0.1.0/24", "10.0.2.0/22"},
+		{"10.0.1.0/20", "10.0.1.0/18"},
+		{"10.0.1.0/19", "10.0.0.0/15"},
+	}
+
+	// Run test cases
+	for _, tc := range testCases {
+		// start with a NC in state
+		ncID := "555ac5c9-89f2-4b5d-b8d0-616894d6d151"
+		svc.state.ContainerStatus[ncID] = containerstatus{
+			ID:          ncID,
+			VMVersion:   "0",
+			HostVersion: "0",
+			CreateNetworkContainerRequest: cns.CreateNetworkContainerRequest{
+				NetworkContainerid: ncID,
+				IPConfiguration: cns.IPConfiguration{
+					IPSubnet: cns.IPSubnet{
+						IPAddress:    tc.existingIPAddress,
+						PrefixLength: 24,
+					},
 				},
 			},
-		},
-	}
+		}
 
-	ncReqs := []*cns.CreateNetworkContainerRequest{
-		{
-			NetworkContainerid: ncID,
-			IPConfiguration: cns.IPConfiguration{
-				IPSubnet: cns.IPSubnet{
-					IPAddress:    "10.0.2.0", // note this IP has changed
-					PrefixLength: 24,
+		ncReqs := []*cns.CreateNetworkContainerRequest{
+			{
+				NetworkContainerid: ncID,
+				IPConfiguration: cns.IPConfiguration{
+					IPSubnet: cns.IPSubnet{
+						IPAddress:    tc.requestIPAddress,
+						PrefixLength: 24,
+					},
 				},
+				NetworkContainerType: cns.Kubernetes,
 			},
-			Scenario:             v1alpha.Overlay, // overlay cluster - skip primary CA check
-			NetworkContainerType: cns.Kubernetes,
-		},
-	}
+		}
 
-	// now try to reconcile the state where the NC primary IP has changed
-	resp := svc.ReconcileIPAMStateForSwift(ncReqs, map[string]cns.PodInfo{}, &v1alpha.NodeNetworkConfig{})
+		// now try to reconcile the state where the NC primary IP has changed
+		resp := svc.ReconcileIPAMStateForSwift(ncReqs, map[string]cns.PodInfo{}, &v1alpha.NodeNetworkConfig{})
 
-	assert.Equal(t, types.Success, resp)
+		assert.Equal(t, types.Success, resp)
+	}
 }
 
 // TestReconcileNCStateGatewayChange tests that NC state gets updated when reconciled