Enhance node controller to assign pod prefix to node object

Author: maxmoehl

pkg/cloudprovider/metal/config.go

@@ -41,11 +41,13 @@ type CloudConfig struct {
 var (
 	MetalKubeconfigPath string
 	MetalNamespace      string
+	PodPrefixSize       int
 )
 
 func AddExtraFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&MetalKubeconfigPath, "metal-kubeconfig", "", "Path to the metal cluster kubeconfig.")
 	fs.StringVar(&MetalNamespace, "metal-namespace", "", "Override metal cluster namespace.")
+	fs.IntVar(&PodPrefixSize, "pod-prefix-size", 112, "Prefix size for the pod prefix, zero or less disables pod prefix assignment.")
 }
 
 func LoadCloudProviderConfig(f io.Reader) (*CloudProviderConfig, error) {

pkg/cloudprovider/metal/node_controller.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"reflect"
 	"strings"
 
@@ -125,10 +126,52 @@ func (r *NodeReconciler) Reconcile(ctx context.Context, req ctrl.Request) error
 	} else {
 		delete(claim.Labels, metalv1alpha1.ServerMaintenanceApprovalKey)
 	}
-	if reflect.DeepEqual(claim, originalClaim) {
+	if !reflect.DeepEqual(claim, originalClaim) {
+		if err = r.metalClient.Patch(ctx, claim, client.MergeFrom(originalClaim)); err != nil {
+			return err
+		}
+	}
+
+	if PodPrefixSize <= 0 {
+		// <= 0 disables automatic assignment of pod CIDR.
+		return nil
+	}
+
+	if node.Spec.PodCIDR != "" {
+		klog.InfoS("PodCIDR is already populated; patch was not done", "Node", node.Name, "PodCIDR", node.Spec.PodCIDR)
 		return nil
 	}
-	return r.metalClient.Patch(ctx, claim, client.MergeFrom(originalClaim))
+
+	for _, addr := range node.Status.Addresses {
+		if addr.Type == corev1.NodeInternalIP {
+			ip := net.ParseIP(addr.Address)
+			if ip == nil {
+				return fmt.Errorf("invalid IP address format")
+			}
+
+			maskedIP := zeroHostBits(ip, PodPrefixSize)
+			podCIDR := fmt.Sprintf("%s/%d", maskedIP, PodPrefixSize)
+
+			nodeBase := node.DeepCopy()
+			node.Spec.PodCIDR = podCIDR
+			if node.Spec.PodCIDRs == nil {
+				node.Spec.PodCIDRs = []string{}
+			}
+			node.Spec.PodCIDRs = append(node.Spec.PodCIDRs, podCIDR)
+
+			if err := r.targetClient.Patch(ctx, node, client.MergeFrom(nodeBase)); err != nil {
+				return fmt.Errorf("failed to patch Node's PodCIDR with error %w", err)
+			}
+
+			klog.Info("Patched Node's PodCIDR and PodCIDRs", "Node", node.Name, "PodCIDR", podCIDR)
+
+			return nil
+		}
+	}
+
+	klog.Info("Node does not have a NodeInternalIP, not setting podCIDR")
+
+	return nil
 }
 
 func parseProviderID(providerID string) (types.NamespacedName, error) {
@@ -145,3 +188,13 @@ func parseProviderID(providerID string) (types.NamespacedName, error) {
 	}
 	return types.NamespacedName{Namespace: parts[0], Name: parts[1]}, nil
 }
+
+func zeroHostBits(ip net.IP, maskSize int) net.IP {
+	if ip.To4() != nil {
+		mask := net.CIDRMask(maskSize, 32)
+		return ip.Mask(mask)
+	} else {
+		mask := net.CIDRMask(maskSize, 128)
+		return ip.Mask(mask)
+	}
+}

pkg/cloudprovider/metal/node_controller_test.go

@@ -4,6 +4,8 @@
 package metal
 
 import (
+	"net"
+
 	metalv1alpha1 "github.com/ironcore-dev/metal-operator/api/v1alpha1"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -116,4 +118,105 @@ var _ = Describe("NodeReconciler", func() {
 		Eventually(Object(serverClaim)).Should(HaveField("Labels", HaveKeyWithValue(metalv1alpha1.ServerMaintenanceApprovalKey, TrueStr)))
 	})
 
+	Context("PodCIDR assignment", func() {
+		BeforeEach(func() {
+			PodPrefixSize = 24
+		})
+
+		AfterEach(func() {
+			PodPrefixSize = 0
+		})
+
+		It("should assign PodCIDR to a node with NodeInternalIP", func(ctx SpecContext) {
+			By("Setting the NodeInternalIP address on the node")
+			Eventually(UpdateStatus(node, func() {
+				node.Status.Addresses = append(node.Status.Addresses, corev1.NodeAddress{
+					Type:    corev1.NodeInternalIP,
+					Address: "10.0.5.42",
+				})
+			})).Should(Succeed())
+
+			By("Verifying PodCIDR is assigned to the node")
+			Eventually(Object(node)).Should(HaveField("Spec.PodCIDR", "10.0.5.0/24"))
+			Eventually(Object(node)).Should(HaveField("Spec.PodCIDRs", ContainElement("10.0.5.0/24")))
+		})
+
+		It("should not overwrite existing PodCIDR", func(ctx SpecContext) {
+			By("Setting the PodCIDR on the node")
+			originalNode := node.DeepCopy()
+			node.Spec.PodCIDR = "192.168.0.0/24"
+			Expect(k8sClient.Patch(ctx, node, client.MergeFrom(originalNode))).To(Succeed())
+
+			By("Setting the NodeInternalIP address on the node")
+			Eventually(UpdateStatus(node, func() {
+				node.Status.Addresses = append(node.Status.Addresses, corev1.NodeAddress{
+					Type:    corev1.NodeInternalIP,
+					Address: "10.0.5.42",
+				})
+			})).Should(Succeed())
+
+			By("Verifying PodCIDR was not overwritten")
+			Consistently(Object(node)).Should(HaveField("Spec.PodCIDR", "192.168.0.0/24"))
+		})
+
+		It("should not assign PodCIDR if node has no NodeInternalIP", func(ctx SpecContext) {
+			By("Triggering reconciliation by patching the claim")
+			originalServerClaim := serverClaim.DeepCopy()
+			serverClaim.Labels = map[string]string{
+				metalv1alpha1.ServerMaintenanceNeededLabelKey: TrueStr,
+			}
+			Expect(k8sClient.Patch(ctx, serverClaim, client.MergeFrom(originalServerClaim))).To(Succeed())
+
+			By("Verifying PodCIDR remains empty")
+			Consistently(Object(node)).Should(HaveField("Spec.PodCIDR", ""))
+		})
+
+		It("should not assign PodCIDR if PodPrefixSize is disabled", func(ctx SpecContext) {
+			By("Disabling PodCIDR assignment")
+			PodPrefixSize = 0
+
+			By("Setting the NodeInternalIP address on the node")
+			Eventually(UpdateStatus(node, func() {
+				node.Status.Addresses = append(node.Status.Addresses, corev1.NodeAddress{
+					Type:    corev1.NodeInternalIP,
+					Address: "10.0.5.42",
+				})
+			})).Should(Succeed())
+
+			By("Triggering reconciliation by patching the claim")
+			originalServerClaim := serverClaim.DeepCopy()
+			serverClaim.Labels = map[string]string{
+				metalv1alpha1.ServerMaintenanceNeededLabelKey: TrueStr,
+			}
+			Expect(k8sClient.Patch(ctx, serverClaim, client.MergeFrom(originalServerClaim))).To(Succeed())
+
+			By("Verifying PodCIDR remains empty despite having NodeInternalIP")
+			Consistently(Object(node)).Should(HaveField("Spec.PodCIDR", ""))
+		})
+	})
+})
+
+var _ = Describe("zeroHostBits", func() {
+	DescribeTable("should correctly mask IPv4 addresses",
+		func(ip string, maskSize int, expected string) {
+			result := zeroHostBits(net.ParseIP(ip), maskSize)
+			Expect(result.String()).To(Equal(expected))
+		},
+		Entry("mask /24", "10.0.5.42", 24, "10.0.5.0"),
+		Entry("mask /16", "10.0.5.42", 16, "10.0.0.0"),
+		Entry("mask /8", "10.20.30.40", 8, "10.0.0.0"),
+		Entry("mask /32", "10.0.5.42", 32, "10.0.5.42"),
+		Entry("mask /0", "10.0.5.42", 0, "0.0.0.0"),
+	)
+
+	DescribeTable("should correctly mask IPv6 addresses",
+		func(ip string, maskSize int, expected string) {
+			result := zeroHostBits(net.ParseIP(ip), maskSize)
+			Expect(result.String()).To(Equal(expected))
+		},
+		Entry("mask /64", "2001:db8::1", 64, "2001:db8::"),
+		Entry("mask /48", "2001:db8:1234:5678::1", 48, "2001:db8:1234::"),
+		Entry("mask /128", "2001:db8::1", 128, "2001:db8::1"),
+		Entry("mask /0", "2001:db8::1", 0, "::"),
+	)
 })