Add basic control plane configuration and cisco nxos reconciliation

Author: felix-kaestner

Tiltfile

@@ -5,8 +5,13 @@
 # Don't track us.
 analytics_settings(False)
 
+update_settings(k8s_upsert_timeout_secs=60)
+
 allow_k8s_contexts(['minikube', 'kind-network'])
 
+load('ext://cert_manager', 'deploy_cert_manager')
+deploy_cert_manager(version='v1.18.2')
+
 docker_build('controller:latest', '.', ignore=['*/*/zz_generated.deepcopy.go', 'config/crd/bases/*'], only=[
     'api/', 'cmd/', 'hack/', 'internal/', 'go.mod', 'go.sum', 'Makefile',
 ])
@@ -20,7 +25,10 @@ k8s_resource('network-operator-controller-manager', resource_deps=['controller-g
 
 # Sample resources with manual trigger mode
 k8s_yaml('./config/samples/v1alpha1_device.yaml')
-k8s_resource(new_name='leaf1', objects=['leaf1:device'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='credentials', objects=['secret-basic-auth:secret'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='leaf1', objects=['leaf1:device'], resource_deps=['credentials'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='issuer', objects=['network-operator:issuer'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='certificate', objects=['network-operator-ca:certificate'], resource_deps=['issuer'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
 k8s_yaml('./config/samples/v1alpha1_interface.yaml')
 k8s_resource(new_name='lo0', objects=['lo0:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)

api/v1alpha1/device_types.go

@@ -4,6 +4,8 @@
 package v1alpha1
 
 import (
+	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -67,24 +69,26 @@ type DeviceSpec struct {
 	Banner *TemplateSource `json:"banner,omitempty"`
 }
 
+func (d *DeviceSpec) Validate() error {
+	for _, acl := range d.ACL {
+		if err := acl.Validate(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 type TLS struct {
 	// The CA certificate to verify the server's identity.
 	// +required
-	CA *CertificateAuthority `json:"ca"`
+	CA *corev1.SecretKeySelector `json:"ca"`
 
 	// The client certificate and private key to use for mutual TLS authentication.
 	// Leave empty if mTLS is not desired.
 	// +optional
 	Certificate *CertificateSource `json:"certificate,omitempty"`
 }
 
-// CertificateAuthority represents a source for the value of a certificate authority.
-type CertificateAuthority struct {
-	// The secret must contain the following key: 'ca.crt'.
-	// +required
-	SecretRef *corev1.SecretReference `json:"secretRef,omitempty"`
-}
-
 // Bootstrap defines the configuration for device bootstrap.
 type Bootstrap struct {
 	// Template defines the multiline string template that contains the initial configuration for the device.
@@ -155,6 +159,20 @@ type ACL struct {
 	Entries []*ACLEntry `json:"entries"`
 }
 
+func (acl *ACL) Validate() error {
+	set := map[int]struct{}{}
+	for _, entry := range acl.Entries {
+		if _, exists := set[entry.Sequence]; exists {
+			return fmt.Errorf("duplicate sequence number %d in ACL %q", entry.Sequence, acl.Name)
+		}
+		set[entry.Sequence] = struct{}{}
+		if err := entry.Validate(); err != nil {
+			return fmt.Errorf("invalid entry in acl %q: %w", acl.Name, err)
+		}
+	}
+	return nil
+}
+
 type ACLEntry struct {
 	// The sequence number of the ACL entry.
 	// +required
@@ -164,15 +182,35 @@ type ACLEntry struct {
 	// +required
 	Action ACLAction `json:"action"`
 
+	// The protocol to match. If not specified, defaults to "ip" (IPv4).
+	// +kubebuilder:validation:Enum=ahp;eigrp;esp;gre;icmp;igmp;ip;nos;ospf;pcp;pim;tcp;udf;udp
+	// +kubebuilder:default=ip
+	// +optional
+	Protocol string `json:"protocol,omitempty"`
+
 	// Source IPv4 address prefix. Use 0.0.0.0/0 to represent 'any'.
-	// +kubebuilder:validation:Pattern=`^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$`
 	// +required
-	SourceAddress string `json:"sourceAddress"`
+	SourceAddress IPPrefix `json:"sourceAddress"`
 
 	// Destination IPv4 address prefix. Use 0.0.0.0/0 to represent 'any'.
-	// +kubebuilder:validation:Pattern=`^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$`
 	// +required
-	DestinationAddress string `json:"destinationAddress"`
+	DestinationAddress IPPrefix `json:"destinationAddress"`
+}
+
+func (e *ACLEntry) Validate() error {
+	if !e.SourceAddress.IsValid() {
+		return fmt.Errorf("invalid IP prefix: %s", e.SourceAddress.String())
+	}
+	if !e.SourceAddress.Addr().Is4() {
+		return fmt.Errorf("source address must be an IPv4 address: %s", e.SourceAddress.String())
+	}
+	if !e.DestinationAddress.IsValid() {
+		return fmt.Errorf("invalid IP prefix: %s", e.SourceAddress.String())
+	}
+	if !e.DestinationAddress.Addr().Is4() {
+		return fmt.Errorf("destination address must be an IPv4 address: %s", e.DestinationAddress.String())
+	}
+	return nil
 }
 
 // ACLAction represents the type of action that can be taken by an ACL rule.
@@ -230,7 +268,7 @@ type LogServer struct {
 
 	// The destination port number for syslog UDP messages to
 	// the server. The default is 514.
-	// +kubebuilder:validation:Default=514
+	// +kubebuilder:default=514
 	// +optional
 	Port int64 `json:"port"`
 }
@@ -436,7 +474,7 @@ type CertificateSource struct {
 type PasswordSource struct {
 	// Selects a key of a secret.
 	// +required
-	SecretKeyRef *corev1.SecretReference `json:"secretKeyRef,omitempty"`
+	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
 }
 
 // DeviceStatus defines the observed state of Device.
@@ -494,6 +532,57 @@ type Device struct {
 	Status DeviceStatus `json:"status,omitempty"`
 }
 
+// GetSecretRefs returns the list of secrets referenced in the [Device] resource.
+func (d *Device) GetSecretRefs() []corev1.SecretReference {
+	refs := []corev1.SecretReference{}
+	if d.Spec.SecretRef != nil {
+		refs = append(refs, *d.Spec.SecretRef)
+	}
+	if d.Spec.TLS != nil {
+		refs = append(refs, corev1.SecretReference{Name: d.Spec.TLS.CA.Name})
+		if d.Spec.TLS.Certificate != nil {
+			refs = append(refs, *d.Spec.TLS.Certificate.SecretRef)
+		}
+	}
+	if d.Spec.Bootstrap != nil && d.Spec.Bootstrap.Template != nil {
+		if d.Spec.Bootstrap.Template.SecretRef != nil {
+			refs = append(refs, corev1.SecretReference{Name: d.Spec.Bootstrap.Template.SecretRef.Name})
+		}
+	}
+	if d.Spec.PKI != nil {
+		for _, cert := range d.Spec.PKI.Certificates {
+			if cert.Source != nil && cert.Source.SecretRef != nil {
+				refs = append(refs, *cert.Source.SecretRef)
+			}
+		}
+	}
+	for _, user := range d.Spec.User {
+		refs = append(refs, corev1.SecretReference{Name: user.Password.SecretKeyRef.Name})
+	}
+	for i := range refs {
+		if refs[i].Namespace == "" {
+			refs[i].Namespace = d.Namespace
+		}
+	}
+	return refs
+}
+
+// GetConfigMapRefs returns the list of configmaps referenced in the [Device] resource.
+func (d *Device) GetConfigMapRefs() []corev1.ObjectReference {
+	refs := []corev1.ObjectReference{}
+	if d.Spec.Bootstrap != nil && d.Spec.Bootstrap.Template != nil {
+		if d.Spec.Bootstrap.Template.ConfigMapRef != nil {
+			refs = append(refs, corev1.ObjectReference{Name: d.Spec.Bootstrap.Template.ConfigMapRef.Name})
+		}
+	}
+	for i := range refs {
+		if refs[i].Namespace == "" {
+			refs[i].Namespace = d.Namespace
+		}
+	}
+	return refs
+}
+
 // +kubebuilder:object:root=true
 
 // DeviceList contains a list of Device.

api/v1alpha1/groupversion_info.go

@@ -67,3 +67,15 @@ const (
 	// AllResourcesReadyReason indicates that all resources owned by the resource are ready.
 	AllResourcesReadyReason = "AllResourcesReady"
 )
+
+// Device reasons that are used specifically for Device objects.
+const (
+	// UnreachableReason indicates that the device is not reachable over the network.
+	DeviceUnreachableReason string = "Unreachable"
+
+	// UnsupportedReason indicates that the device platform is not supported.
+	DeviceUnsupportedReason string = "Unsupported"
+
+	// UnauthenticatedReason indicates that the provided device credentials are not valid.
+	DeviceUnauthenticatedReason string = "Unauthenticated"
+)

api/v1alpha1/prefix_types.go

@@ -0,0 +1,77 @@
+package v1alpha1
+
+import (
+	"encoding/json"
+	"net/netip"
+)
+
+// IPPrefix represents an IP prefix in CIDR notation.
+// It is used to define a range of IP addresses in a network.
+//
+// +kubebuilder:validation:Type=string
+// +kubebuilder:validation:Pattern=`^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$`
+// +kubebuilder:validation:Example="192.168.1.0/24"
+// +kubebuilder:validation:Example="2001:db8::/32"
+// +kubebuilder:object:generate=false
+type IPPrefix struct {
+	netip.Prefix `json:"-"`
+}
+
+func ParsePrefix(s string) (IPPrefix, error) {
+	prefix, err := netip.ParsePrefix(s)
+	if err != nil {
+		return IPPrefix{}, err
+	}
+	return IPPrefix{prefix}, nil
+}
+
+func MustParsePrefix(s string) IPPrefix {
+	prefix := netip.MustParsePrefix(s)
+	return IPPrefix{prefix}
+}
+
+// IsZero reports whether p represents the zero value
+func (p IPPrefix) IsZero() bool {
+	return !p.IsValid()
+}
+
+// MarshalJSON implements [json.Marshaler].
+func (p IPPrefix) MarshalJSON() ([]byte, error) {
+	if !p.IsValid() {
+		return []byte("null"), nil
+	}
+	return json.Marshal(p.String())
+}
+
+// UnmarshalJSON implements [json.Unmarshaler].
+func (p *IPPrefix) UnmarshalJSON(data []byte) error {
+	var str string
+	if err := json.Unmarshal(data, &str); err != nil {
+		return err
+	}
+	if str == "" || str == "null" {
+		*p = IPPrefix{}
+		return nil
+	}
+	prefix, err := netip.ParsePrefix(str)
+	if err != nil {
+		return err
+	}
+	*p = IPPrefix{prefix}
+	return nil
+}
+
+// DeepCopyInto copies all properties of this object into another object of the same type
+func (in *IPPrefix) DeepCopyInto(out *IPPrefix) {
+	*out = *in
+}
+
+// DeepCopy creates a deep copy of the IPPrefix
+func (in *IPPrefix) DeepCopy() *IPPrefix {
+	if in == nil {
+		return nil
+	}
+	out := new(IPPrefix)
+	in.DeepCopyInto(out)
+	return out
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -35,6 +35,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	// Import all supported provider implementations.
+	_ "github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos"
 	_ "github.com/ironcore-dev/network-operator/internal/provider/openconfig"
 
 	"github.com/ironcore-dev/network-operator/api/v1alpha1"