Add validation for number of CIDR ranges specified in Clusters

Signed-off-by: killianmuldoon <[email protected]>

Author: killianmuldoon

api/v1beta1/cluster_types.go

@@ -422,6 +422,8 @@ func (c *Cluster) SetConditions(conditions Conditions) {
 }
 
 // GetIPFamily returns a ClusterIPFamily from the configuration provided.
+// Note: IPFamily is not a concept in Kubernetes. It was originally introduced in CAPI for CAPD.
+// IPFamily may be dropped in a future release. More details at https://github.com/kubernetes-sigs/cluster-api/issues/7521
 func (c *Cluster) GetIPFamily() (ClusterIPFamily, error) {
 	var podCIDRs, serviceCIDRs []string
 	if c.Spec.ClusterNetwork != nil {

internal/controllers/topology/cluster/patches/variables/variables.go

@@ -77,6 +77,8 @@ type ClusterNetworkBuiltins struct {
 	// Pods is the network ranges from which Pod networks are allocated.
 	Pods []string `json:"pods,omitempty"`
 	// IPFamily is the IPFamily the Cluster is operating in. One of Invalid, IPv4, IPv6, DualStack.
+	// Note: IPFamily is not a concept in Kubernetes. It was originally introduced in CAPI for CAPD.
+	// IPFamily may be dropped in a future release. More details at https://github.com/kubernetes-sigs/cluster-api/issues/7521
 	IPFamily string `json:"ipFamily,omitempty"`
 }
 
@@ -197,10 +199,7 @@ func Global(clusterTopology *clusterv1.Topology, cluster *clusterv1.Cluster) ([]
 		},
 	}
 	if cluster.Spec.ClusterNetwork != nil {
-		clusterNetworkIPFamily, err := cluster.GetIPFamily()
-		if err != nil {
-			return nil, err
-		}
+		clusterNetworkIPFamily, _ := cluster.GetIPFamily()
 		builtin.Cluster.Network = &ClusterNetworkBuiltins{
 			IPFamily: ipFamilyToString(clusterNetworkIPFamily),
 		}

internal/test/builder/builders.go

@@ -39,6 +39,7 @@ type ClusterBuilder struct {
 	topology              *clusterv1.Topology
 	infrastructureCluster *unstructured.Unstructured
 	controlPlane          *unstructured.Unstructured
+	network               *clusterv1.ClusterNetwork
 }
 
 // Cluster returns a ClusterBuilder with the given name and namespace.
@@ -49,6 +50,12 @@ func Cluster(namespace, name string) *ClusterBuilder {
 	}
 }
 
+// WithClusterNetwork sets the ClusterNetwork for the ClusterBuilder.
+func (c *ClusterBuilder) WithClusterNetwork(clusterNetwork *clusterv1.ClusterNetwork) *ClusterBuilder {
+	c.network = clusterNetwork
+	return c
+}
+
 // WithLabels sets the labels for the ClusterBuilder.
 func (c *ClusterBuilder) WithLabels(labels map[string]string) *ClusterBuilder {
 	c.labels = labels
@@ -93,7 +100,8 @@ func (c *ClusterBuilder) Build() *clusterv1.Cluster {
 			Annotations: c.annotations,
 		},
 		Spec: clusterv1.ClusterSpec{
-			Topology: c.topology,
+			Topology:       c.topology,
+			ClusterNetwork: c.network,
 		},
 	}
 	if c.infrastructureCluster != nil {

internal/test/builder/zz_generated.deepcopy.go

@@ -19,6 +19,7 @@ package webhooks
 import (
 	"context"
 	"fmt"
+	"net"
 	"strings"
 
 	"github.com/blang/semver"
@@ -170,6 +171,19 @@ func (webhook *Cluster) validate(ctx context.Context, oldCluster, newCluster *cl
 			),
 		)
 	}
+	if newCluster.Spec.ClusterNetwork != nil {
+		// Ensure that the CIDR blocks defined under ClusterNetwork are valid.
+		if newCluster.Spec.ClusterNetwork.Pods != nil {
+			allErrs = append(allErrs, validateCIDRBlocks(specPath.Child("clusterNetwork", "pods", "cidrBlocks"),
+				newCluster.Spec.ClusterNetwork.Pods.CIDRBlocks)...)
+		}
+
+		if newCluster.Spec.ClusterNetwork.Services != nil {
+			allErrs = append(allErrs, validateCIDRBlocks(specPath.Child("clusterNetwork", "services", "cidrBlocks"),
+				newCluster.Spec.ClusterNetwork.Services.CIDRBlocks)...)
+		}
+	}
+
 	topologyPath := specPath.Child("topology")
 
 	// Validate the managed topology, if defined.
@@ -443,3 +457,17 @@ func machineDeploymentClassOfName(clusterClass *clusterv1.ClusterClass, name str
 	}
 	return nil
 }
+
+// validateCIDRBlocks ensures the passed CIDR is valid.
+func validateCIDRBlocks(fldPath *field.Path, cidrs []string) field.ErrorList {
+	var allErrs field.ErrorList
+	for i, cidr := range cidrs {
+		if _, _, err := net.ParseCIDR(cidr); err != nil {
+			allErrs = append(allErrs, field.Invalid(
+				fldPath.Index(i),
+				cidr,
+				err.Error()))
+		}
+	}
+	return allErrs
+}

internal/webhooks/cluster.go

@@ -409,6 +409,115 @@ func TestClusterValidation(t *testing.T) {
 					WithTopology(&clusterv1.Topology{}).
 					Build(),
 			},
+			{
+				name:      "pass with undefined CIDR ranges",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{}},
+						Pods: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{}},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass with nil CIDR ranges",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: nil},
+						Pods: &clusterv1.NetworkRanges{
+							CIDRBlocks: nil},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass with valid IPv4 CIDR ranges",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"10.10.10.10/24"}},
+						Pods: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"10.10.10.10/24"}},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass with valid IPv6 CIDR ranges",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"2004::1234:abcd:ffff:c0a8:101/64"}},
+						Pods: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"2004::1234:abcd:ffff:c0a8:101/64"}},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass with valid dualstack CIDR ranges",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"2004::1234:abcd:ffff:c0a8:101/64", "10.10.10.10/24"}},
+						Pods: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"2004::1234:abcd:ffff:c0a8:101/64", "10.10.10.10/24"}},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass if multiple CIDR ranges of IPv4 are passed",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"10.10.10.10/24", "11.11.11.11/24"}},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass if multiple CIDR ranges of IPv6 are passed",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"2002::1234:abcd:ffff:c0a8:101/64", "2004::1234:abcd:ffff:c0a8:101/64"}},
+					}).
+					Build(),
+			},
+			{
+				name:      "pass if too many cidr ranges are specified in the clusterNetwork pods field",
+				expectErr: false,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Pods: &clusterv1.NetworkRanges{
+							CIDRBlocks: []string{"10.10.10.10/24", "11.11.11.11/24", "12.12.12.12/24"}}}).
+					Build(),
+			},
+			{
+				name:      "fails if service cidr ranges are not valid",
+				expectErr: true,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Services: &clusterv1.NetworkRanges{
+							// Invalid ranges: missing network suffix
+							CIDRBlocks: []string{"10.10.10.10", "11.11.11.11"}}}).
+					Build(),
+			},
+			{
+				name:      "fails if pod cidr ranges are not valid",
+				expectErr: true,
+				in: builder.Cluster("fooNamespace", "cluster1").
+					WithClusterNetwork(&clusterv1.ClusterNetwork{
+						Pods: &clusterv1.NetworkRanges{
+							// Invalid ranges: missing network suffix
+							CIDRBlocks: []string{"10.10.10.10", "11.11.11.11"}}}).
+					Build(),
+			},
 		}
 	)
 	for _, tt := range tests {