Add vrf association to Interface resource

This change introduces a new field on the `Interface` resource to allow
to configure an interface as part of a specified `VRF` (Network
Instance) instead of configuring them in the DEFAULT_INSTANCE vrf where
they are configured by default. This configuration is only allowed in L3
interfaces.

Author: felix-kaestner

Tiltfile

@@ -49,6 +49,7 @@ k8s_resource(new_name='eth1-2', objects=['eth1-2:interface'], trigger_mode=TRIGG
 k8s_resource(new_name='eth1-10', objects=['eth1-10:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 k8s_resource(new_name='po10', objects=['po-10:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 k8s_resource(new_name='svi-10', objects=['svi-10:interface'], resource_deps=['vlan-10'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='eth1-30', objects=['eth1-30:interface'], resource_deps=['vrf-vpc-keepalive'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
 k8s_yaml('./config/samples/v1alpha1_banner.yaml')
 k8s_resource(new_name='banner', objects=['banner:banner'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
@@ -83,6 +84,7 @@ k8s_resource(new_name='isis-underlay', objects=['underlay:isis'], resource_deps=
 k8s_yaml('./config/samples/v1alpha1_vrf.yaml')
 k8s_resource(new_name='vrf-admin', objects=['vrf-cc-admin:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 k8s_resource(new_name='vrf-001', objects=['vrf-cc-prod-001:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='vrf-vpc-keepalive', objects=['vpc-keepalive:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
 k8s_yaml('./config/samples/v1alpha1_pim.yaml')
 k8s_resource(new_name='pim', objects=['pim:pim'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)

api/core/v1alpha1/groupversion_info.go

@@ -50,6 +50,10 @@ const AggregateLabel = "networking.metal.ironcore.dev/aggregate-name"
 // the name of the RoutedVLAN interface that provides Layer 3 routing for the VLAN.
 const RoutedVLANLabel = "networking.metal.ironcore.dev/routed-vlan-name"
 
+// VRFLabel is a label applied to interfaces to indicate
+// the name of the VRF they belong to.
+const VRFLabel = "networking.metal.ironcore.dev/vrf-name"
+
 // Condition types that are used across different objects.
 const (
 	// ReadyCondition is the top-level status condition that reports if an object is ready.
@@ -122,4 +126,7 @@ const (
 
 	// VLANAlreadyInUseReason indicates that a VLAN is already in use by another routed VLAN interface.
 	VLANAlreadyInUseReason = "VLANAlreadyInUse"
+
+	// VRFNotFoundReason indicates that a referenced VRF was not found.
+	VRFNotFoundReason = "VRFNotFound"
 )

api/core/v1alpha1/interface_types.go

@@ -18,6 +18,8 @@ import (
 // +kubebuilder:validation:XValidation:rule="self.type == 'RoutedVLAN' || !has(self.vlanRef)", message="vlanRef must only be specified on interfaces of type RoutedVLAN"
 // +kubebuilder:validation:XValidation:rule="self.type != 'RoutedVLAN' || !has(self.switchport)", message="switchport must not be specified for interfaces of type RoutedVLAN"
 // +kubebuilder:validation:XValidation:rule="self.type != 'RoutedVLAN' || !has(self.aggregation)", message="aggregation must not be specified for interfaces of type RoutedVLAN"
+// +kubebuilder:validation:XValidation:rule="self.type != 'Aggregate' || !has(self.vrfRef)", message="vrfRef must not be specified for interfaces of type Aggregate"
+// +kubebuilder:validation:XValidation:rule="self.type != 'Physical' || !has(self.switchport) || !has(self.vrfRef)", message="vrfRef must not be specified for Physical interfaces with switchport configuration"
 type InterfaceSpec struct {
 	// DeviceName is the name of the Device this object belongs to. The Device object must exist in the same namespace.
 	// Immutable.
@@ -76,6 +78,13 @@ type InterfaceSpec struct {
 	// The referenced VLAN must exist in the same namespace.
 	// +optional
 	VlanRef *LocalObjectReference `json:"vlanRef,omitempty"`
+
+	// VrfRef is a reference to the VRF resource that this interface belongs to.
+	// If not specified, the interface will be part of the default VRF.
+	// This is only applicable for Layer 3 interfaces.
+	// The referenced VRF must exist in the same namespace.
+	// +optional
+	VrfRef *LocalObjectReference `json:"vrfRef,omitempty"`
 }
 
 // AdminState represents the administrative state of the interface.

api/core/v1alpha1/zz_generated.deepcopy.go

@@ -345,6 +345,24 @@ spec:
                 - name
                 type: object
                 x-kubernetes-map-type: atomic
+              vrfRef:
+                description: |-
+                  VrfRef is a reference to the VRF resource that this interface belongs to.
+                  If not specified, the interface will be part of the default VRF.
+                  This is only applicable for Layer 3 interfaces.
+                  The referenced VRF must exist in the same namespace.
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    maxLength: 63
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
             required:
             - adminState
             - deviceRef
@@ -373,6 +391,11 @@ spec:
               rule: self.type != 'RoutedVLAN' || !has(self.switchport)
             - message: aggregation must not be specified for interfaces of type RoutedVLAN
               rule: self.type != 'RoutedVLAN' || !has(self.aggregation)
+            - message: vrfRef must not be specified for interfaces of type Aggregate
+              rule: self.type != 'Aggregate' || !has(self.vrfRef)
+            - message: vrfRef must not be specified for Physical interfaces with switchport
+                configuration
+              rule: self.type != 'Physical' || !has(self.switchport) || !has(self.vrfRef)
           status:
             description: |-
               Status of the resource. This is set and updated automatically.

charts/network-operator/templates/crd/networking.metal.ironcore.dev_interfaces.yaml

@@ -339,6 +339,24 @@ spec:
                 - name
                 type: object
                 x-kubernetes-map-type: atomic
+              vrfRef:
+                description: |-
+                  VrfRef is a reference to the VRF resource that this interface belongs to.
+                  If not specified, the interface will be part of the default VRF.
+                  This is only applicable for Layer 3 interfaces.
+                  The referenced VRF must exist in the same namespace.
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    maxLength: 63
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
             required:
             - adminState
             - deviceRef
@@ -367,6 +385,11 @@ spec:
               rule: self.type != 'RoutedVLAN' || !has(self.switchport)
             - message: aggregation must not be specified for interfaces of type RoutedVLAN
               rule: self.type != 'RoutedVLAN' || !has(self.aggregation)
+            - message: vrfRef must not be specified for interfaces of type Aggregate
+              rule: self.type != 'Aggregate' || !has(self.vrfRef)
+            - message: vrfRef must not be specified for Physical interfaces with switchport
+                configuration
+              rule: self.type != 'Physical' || !has(self.switchport) || !has(self.vrfRef)
           status:
             description: |-
               Status of the resource. This is set and updated automatically.

config/crd/bases/networking.metal.ironcore.dev_interfaces.yaml

@@ -155,3 +155,24 @@ spec:
   ipv4:
     addresses:
       - 192.168.10.254/24
+---
+apiVersion: networking.metal.ironcore.dev/v1alpha1
+kind: Interface
+metadata:
+  labels:
+    app.kubernetes.io/name: network-operator
+    app.kubernetes.io/managed-by: kustomize
+    networking.metal.ironcore.dev/device-name: leaf1
+  name: eth1-30
+spec:
+  deviceRef:
+    name: leaf1
+  name: eth1/30
+  description: vPC Keepalive
+  adminState: Up
+  type: Physical
+  ipv4:
+    addresses:
+      - 10.1.1.1/30
+  vrfRef:
+    name: vpc-keepalive

config/samples/v1alpha1_interface.yaml

@@ -50,3 +50,17 @@ spec:
         - IPv4
         - IPv4EVPN
       action: Both
+---
+apiVersion: networking.metal.ironcore.dev/v1alpha1
+kind: VRF
+metadata:
+  labels:
+    app.kubernetes.io/name: network-operator
+    app.kubernetes.io/managed-by: kustomize
+    networking.metal.ironcore.dev/device-name: leaf1
+  name: vpc-keepalive
+spec:
+  deviceRef:
+    name: leaf1
+  name: VPC_KEEPALIVE
+  description: VRF for vPC Keepalive

config/samples/v1alpha1_vrf.yaml

@@ -205,7 +205,7 @@ func main() {
 	case "create":
 		switch resource := obj.(type) {
 		case *v1alpha1.Interface:
-			err = ip.EnsureInterface(ctx, &provider.InterfaceRequest{
+			err = ip.EnsureInterface(ctx, &provider.EnsureInterfaceRequest{
 				Interface:      resource,
 				ProviderConfig: nil,
 			})

hack/provider/main.go

@@ -59,6 +59,7 @@ type InterfaceReconciler struct {
 // +kubebuilder:rbac:groups=networking.metal.ironcore.dev,resources=interfaces/finalizers,verbs=update
 // +kubebuilder:rbac:groups=networking.metal.ironcore.dev,resources=vlans,verbs=get;list;watch
 // +kubebuilder:rbac:groups=networking.metal.ironcore.dev,resources=vlans/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.metal.ironcore.dev,resources=vrfs,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
@@ -189,6 +190,7 @@ var (
 	interfaceTypeKey          = ".spec.type"
 	interfaceUnnumberedRefKey = ".spec.ipv4.unnumbered.interfaceRef.name"
 	interfaceVlanRefKey       = ".spec.vlanRef.name"
+	interfaceVrfRefKey        = ".spec.vrfRef.name"
 )
 
 // SetupWithManager sets up the controller with the Manager.
@@ -234,6 +236,16 @@ func (r *InterfaceReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Man
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(ctx, &v1alpha1.Interface{}, interfaceVrfRefKey, func(obj client.Object) []string {
+		intf := obj.(*v1alpha1.Interface)
+		if intf.Spec.VrfRef == nil {
+			return nil
+		}
+		return []string{intf.Spec.VrfRef.Name}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1alpha1.Interface{}).
 		Named("interface").
@@ -279,6 +291,20 @@ func (r *InterfaceReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Man
 				},
 			}),
 		).
+		// Watches enqueues Interfaces for updates in referenced VRF resources.
+		// Only triggers on create and delete events since VRF names are immutable.
+		Watches(
+			&v1alpha1.VRF{},
+			handler.EnqueueRequestsFromMapFunc(r.vrfToInterface),
+			builder.WithPredicates(predicate.Funcs{
+				UpdateFunc: func(e event.UpdateEvent) bool {
+					return false
+				},
+				GenericFunc: func(e event.GenericEvent) bool {
+					return false
+				},
+			}),
+		).
 		Complete(r)
 }
 
@@ -332,6 +358,15 @@ func (r *InterfaceReconciler) reconcile(ctx context.Context, s *scope) (_ ctrl.R
 		}
 	}
 
+	var vrf *v1alpha1.VRF
+	if s.Interface.Spec.VrfRef != nil {
+		var err error
+		vrf, err = r.reconcileVRF(ctx, s)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	var ip provider.IPv4
 	if s.Interface.Spec.IPv4 != nil {
 		var err error
@@ -351,13 +386,14 @@ func (r *InterfaceReconciler) reconcile(ctx context.Context, s *scope) (_ ctrl.R
 	}()
 
 	// Ensure the Interface is realized on the provider.
-	err := s.Provider.EnsureInterface(ctx, &provider.InterfaceRequest{
+	err := s.Provider.EnsureInterface(ctx, &provider.EnsureInterfaceRequest{
 		Interface:      s.Interface,
 		ProviderConfig: s.ProviderConfig,
 		IPv4:           ip,
 		Members:        members,
 		MultiChassisID: multiChassisID,
 		VLAN:           vlan,
+		VRF:            vrf,
 	})
 
 	cond := conditions.FromError(err)
@@ -509,6 +545,50 @@ func (r *InterfaceReconciler) reconcileVLAN(ctx context.Context, s *scope) (*v1a
 	return vlan, nil
 }
 
+// reconcileVRF ensures that the referenced VRF exists and belongs to the same device as the Interface.
+// It also adds a label to the Interface indicating which VRF it belongs to. This can be used for lookup purposes.
+func (r *InterfaceReconciler) reconcileVRF(ctx context.Context, s *scope) (*v1alpha1.VRF, error) {
+	key := client.ObjectKey{
+		Name:      s.Interface.Spec.VrfRef.Name,
+		Namespace: s.Interface.Namespace,
+	}
+
+	vrf := new(v1alpha1.VRF)
+	if err := r.Get(ctx, key, vrf); err != nil {
+		if apierrors.IsNotFound(err) {
+			conditions.Set(s.Interface, metav1.Condition{
+				Type:    v1alpha1.ConfiguredCondition,
+				Status:  metav1.ConditionFalse,
+				Reason:  v1alpha1.VRFNotFoundReason,
+				Message: fmt.Sprintf("referenced VRF %q not found", key),
+			})
+			return nil, reconcile.TerminalError(fmt.Errorf("referenced VRF %q not found", key))
+		}
+		return nil, fmt.Errorf("failed to get referenced VRF %q: %w", key, err)
+	}
+
+	if vrf.Spec.DeviceRef.Name != s.Device.Name {
+		conditions.Set(s.Interface, metav1.Condition{
+			Type:    v1alpha1.ConfiguredCondition,
+			Status:  metav1.ConditionFalse,
+			Reason:  v1alpha1.CrossDeviceReferenceReason,
+			Message: fmt.Sprintf("referenced VRF %q does not belong to device %q", vrf.Name, s.Device.Name),
+		})
+		return nil, reconcile.TerminalError(fmt.Errorf("referenced VRF %q does not belong to device %q", vrf.Name, s.Device.Name))
+	}
+
+	// Add label to interface indicating which VRF it belongs to
+	if s.Interface.Labels == nil {
+		s.Interface.Labels = make(map[string]string)
+	}
+
+	if s.Interface.Labels[v1alpha1.VRFLabel] != vrf.Name {
+		s.Interface.Labels[v1alpha1.VRFLabel] = vrf.Name
+	}
+
+	return vrf, nil
+}
+
 // reconcileMemberInterfaces ensures that all member interfaces exist and belong to the same device as the aggregate interface.
 // It also updates the member interfaces to reference the aggregate interface by setting their MemberOf status field and [v1alpha1.AggregateLabel] label.
 func (r *InterfaceReconciler) reconcileMemberInterfaces(ctx context.Context, s *scope) ([]*v1alpha1.Interface, error) {
@@ -767,3 +847,36 @@ func (r *InterfaceReconciler) vlanToRoutedVLAN(ctx context.Context, obj client.O
 
 	return requests
 }
+
+// vrfToInterface is a [handler.MapFunc] to be used to enqueue requests for reconciliation
+// for Interfaces when their referenced VRF changes.
+func (r *InterfaceReconciler) vrfToInterface(ctx context.Context, obj client.Object) []ctrl.Request {
+	vrf, ok := obj.(*v1alpha1.VRF)
+	if !ok {
+		panic(fmt.Sprintf("Expected a VRF but got a %T", obj))
+	}
+
+	log := ctrl.LoggerFrom(ctx, "VRF", klog.KObj(vrf))
+
+	interfaces := new(v1alpha1.InterfaceList)
+	if err := r.List(ctx, interfaces, client.InNamespace(vrf.Namespace), client.MatchingFields{interfaceVrfRefKey: vrf.Name}); err != nil {
+		log.Error(err, "Failed to list Interfaces")
+		return nil
+	}
+
+	requests := []ctrl.Request{}
+	for _, i := range interfaces.Items {
+		if i.Spec.VrfRef != nil && i.Spec.VrfRef.Name == vrf.Name {
+			log.Info("Enqueuing Interface for reconciliation", "Interface", klog.KObj(&i))
+
+			requests = append(requests, ctrl.Request{
+				NamespacedName: client.ObjectKey{
+					Name:      i.Name,
+					Namespace: i.Namespace,
+				},
+			})
+		}
+	}
+
+	return requests
+}