Provide network type migration as preparation for MEP-4. (#620)

Author: Gerrit91

cmd/metal-api/internal/datastore/migrations/09_networktype.go

@@ -0,0 +1,90 @@
+package migrations
+
+import (
+	"slices"
+
+	"github.com/metal-stack/metal-lib/pkg/pointer"
+
+	"github.com/metal-stack/metal-api/cmd/metal-api/internal/datastore"
+	"github.com/metal-stack/metal-api/cmd/metal-api/internal/metal"
+
+	r "gopkg.in/rethinkdb/rethinkdb-go.v6"
+)
+
+func init() {
+	datastore.MustRegisterMigration(datastore.Migration{
+		Name:    "migrate networks to have proper networkType set",
+		Version: 9,
+		Up: func(db *r.Term, session r.QueryExecutor, ds *datastore.RethinkStore) error {
+			nws, err := ds.ListNetworks()
+			if err != nil {
+				return err
+			}
+
+			// first detect all shared vrf ids
+			// maps vrfid > count
+			var (
+				vrfCount   = make(map[uint]int)
+				sharedVrfs []uint
+			)
+
+			for _, nw := range nws {
+				if nw.Vrf == 0 {
+					continue
+				}
+				count, ok := vrfCount[nw.Vrf]
+				if !ok {
+					vrfCount[nw.Vrf] = 1
+				} else {
+					vrfCount[nw.Vrf] = count + 1
+				}
+			}
+
+			for vrf, count := range vrfCount {
+				if count > 1 {
+					sharedVrfs = append(sharedVrfs, vrf)
+				}
+			}
+
+			// now convert all networks
+			for _, old := range nws {
+				new := old
+
+				// assume external network by default
+				new.NetworkType = pointer.Pointer(metal.ExternalNetworkType)
+
+				if old.Shared && old.ParentNetworkID != "" {
+					new.NetworkType = pointer.Pointer(metal.ChildSharedNetworkType)
+				}
+				if old.Shared && old.ParentNetworkID == "" {
+					new.NetworkType = pointer.Pointer(metal.ExternalNetworkType)
+				}
+				if !old.Shared && old.ParentNetworkID != "" && !slices.Contains(sharedVrfs, old.Vrf) {
+					new.NetworkType = pointer.Pointer(metal.ChildNetworkType)
+				}
+				if old.ProjectID == "" && old.ParentNetworkID == "" && !slices.Contains(sharedVrfs, old.Vrf) {
+					new.NetworkType = pointer.Pointer(metal.ExternalNetworkType)
+				}
+				if old.PrivateSuper {
+					new.NetworkType = pointer.Pointer(metal.SuperNetworkType)
+				}
+				if old.Underlay {
+					new.NetworkType = pointer.Pointer(metal.UnderlayNetworkType)
+				}
+
+				if old.Nat {
+					new.NATType = pointer.Pointer(metal.IPv4MasqueradeNATType)
+				} else {
+					new.NATType = pointer.Pointer(metal.NoneNATType)
+				}
+
+				err := ds.UpdateNetwork(&old, &new)
+				if err != nil {
+					return err
+				}
+			}
+
+			return nil
+		},
+	})
+}

cmd/metal-api/internal/datastore/migrations_integration/migrate_integration_test.go

@@ -330,3 +330,94 @@ func Test_MigrationChildPrefixLength(t *testing.T) {
 	require.NotNil(t, n4fetched.DefaultChildPrefixLength)
 	require.Equal(t, uint8(22), n4fetched.DefaultChildPrefixLength[metal.IPv4AddressFamily])
 }
+
+func Test_MigrationNetworkType(t *testing.T) {
+	container, c, err := test.StartRethink(t)
+	require.NoError(t, err)
+	defer func() {
+		_ = container.Terminate(context.Background())
+	}()
+
+	log := slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelInfo}))
+
+	rs := datastore.New(log, c.IP+":"+c.Port, c.DB, c.User, c.Password)
+	rs.VRFPoolRangeMin = 10000
+	rs.VRFPoolRangeMax = 10010
+	rs.ASNPoolRangeMin = 10000
+	rs.ASNPoolRangeMax = 10010
+
+	err = rs.Connect()
+	require.NoError(t, err)
+	err = rs.Initialize()
+	require.NoError(t, err)
+
+	nws := []*metal.Network{
+		{Base: metal.Base{ID: "internet"}, Vrf: 10, Nat: true, Shared: false},
+		{Base: metal.Base{ID: "underlay"}, Underlay: true},
+		{Base: metal.Base{ID: "dc-interconnect"}, Vrf: 201},
+		{Base: metal.Base{ID: "dc-interconnect-child-1"}, ParentNetworkID: "tenant-super", Vrf: 201},
+		{Base: metal.Base{ID: "dc-interconnect-child-2"}, ParentNetworkID: "tenant-super", Vrf: 201},
+		{Base: metal.Base{ID: "tenant-super"}, PrivateSuper: true},
+		{Base: metal.Base{ID: "private-network-1"}, ParentNetworkID: "tenant-super", Vrf: 101},
+		{Base: metal.Base{ID: "private-network-2"}, ParentNetworkID: "tenant-super", Vrf: 102},
+		{Base: metal.Base{ID: "private-network-3"}, ParentNetworkID: "tenant-super", Vrf: 103},
+		{Base: metal.Base{ID: "private-network-4"}, ParentNetworkID: "tenant-super", Vrf: 104},
+		{Base: metal.Base{ID: "partition-storage"}, ParentNetworkID: "tenant-super", Vrf: 105, Shared: true},
+	}
+
+	for _, nw := range nws {
+		err := rs.CreateNetwork(nw)
+		require.NoError(t, err)
+	}
+
+	err = rs.Migrate(nil, false)
+	require.NoError(t, err)
+
+	internet, err := rs.FindNetworkByID("internet")
+	require.NoError(t, err)
+	require.NotNil(t, internet)
+	require.Equal(t, metal.IPv4MasqueradeNATType, *internet.NATType)
+	require.Equal(t, metal.ExternalNetworkType, *internet.NetworkType)
+
+	underlay, err := rs.FindNetworkByID("underlay")
+	require.NoError(t, err)
+	require.NotNil(t, underlay)
+	require.Equal(t, metal.NoneNATType, *underlay.NATType)
+	require.Equal(t, metal.UnderlayNetworkType, *underlay.NetworkType)
+
+	tenantSuper, err := rs.FindNetworkByID("tenant-super")
+	require.NoError(t, err)
+	require.NotNil(t, tenantSuper)
+	require.Equal(t, metal.NoneNATType, *tenantSuper.NATType)
+	require.Equal(t, metal.SuperNetworkType, *tenantSuper.NetworkType)
+
+	private1, err := rs.FindNetworkByID("private-network-1")
+	require.NoError(t, err)
+	require.NotNil(t, private1)
+	require.Equal(t, metal.NoneNATType, *private1.NATType)
+	require.Equal(t, metal.ChildNetworkType, *private1.NetworkType)
+
+	private2, err := rs.FindNetworkByID("private-network-2")
+	require.NoError(t, err)
+	require.NotNil(t, private2)
+	require.Equal(t, metal.NoneNATType, *private2.NATType)
+	require.Equal(t, metal.ChildNetworkType, *private2.NetworkType)
+
+	private3, err := rs.FindNetworkByID("private-network-3")
+	require.NoError(t, err)
+	require.NotNil(t, private3)
+	require.Equal(t, metal.NoneNATType, *private3.NATType)
+	require.Equal(t, metal.ChildNetworkType, *private3.NetworkType)
+
+	private4, err := rs.FindNetworkByID("private-network-4")
+	require.NoError(t, err)
+	require.NotNil(t, private4)
+	require.Equal(t, metal.NoneNATType, *private4.NATType)
+	require.Equal(t, metal.ChildNetworkType, *private4.NetworkType)
+
+	partitionStorage, err := rs.FindNetworkByID("partition-storage")
+	require.NoError(t, err)
+	require.NotNil(t, partitionStorage)
+	require.Equal(t, metal.NoneNATType, *partitionStorage.NATType)
+	require.Equal(t, metal.ChildSharedNetworkType, *partitionStorage.NetworkType)
+}

cmd/metal-api/internal/metal/network.go

@@ -283,29 +283,48 @@ func (p *Prefix) equals(other *Prefix) bool {
 
 // Network is a network in a metal as a service infrastructure.
 // TODO specify rethinkdb restrictions.
-type Network struct {
-	Base
-	Prefixes                 Prefixes          `rethinkdb:"prefixes" json:"prefixes"`
-	DestinationPrefixes      Prefixes          `rethinkdb:"destinationprefixes" json:"destinationprefixes"`
-	DefaultChildPrefixLength ChildPrefixLength `rethinkdb:"defaultchildprefixlength" json:"defaultchildprefixlength" description:"if privatesuper, this defines the bitlen of child prefixes per addressfamily if not nil"`
-	PartitionID              string            `rethinkdb:"partitionid" json:"partitionid"`
-	ProjectID                string            `rethinkdb:"projectid" json:"projectid"`
-	ParentNetworkID          string            `rethinkdb:"parentnetworkid" json:"parentnetworkid"`
-	Vrf                      uint              `rethinkdb:"vrf" json:"vrf"`
-	PrivateSuper             bool              `rethinkdb:"privatesuper" json:"privatesuper"`
-	Nat                      bool              `rethinkdb:"nat" json:"nat"`
-	Underlay                 bool              `rethinkdb:"underlay" json:"underlay"`
-	Shared                   bool              `rethinkdb:"shared" json:"shared"`
-	Labels                   map[string]string `rethinkdb:"labels" json:"labels"`
-	// AddressFamilies            AddressFamilies   `rethinkdb:"addressfamilies" json:"addressfamilies"`
-	AdditionalAnnouncableCIDRs []string `rethinkdb:"additionalannouncablecidrs" json:"additionalannouncablecidrs" description:"list of cidrs which are added to the route maps per tenant private network, these are typically pod- and service cidrs, can only be set in a supernetwork"`
-}
+type (
+	Network struct {
+		Base
+		Prefixes                   Prefixes          `rethinkdb:"prefixes" json:"prefixes"`
+		DestinationPrefixes        Prefixes          `rethinkdb:"destinationprefixes" json:"destinationprefixes"`
+		DefaultChildPrefixLength   ChildPrefixLength `rethinkdb:"defaultchildprefixlength" json:"defaultchildprefixlength" description:"if privatesuper, this defines the bitlen of child prefixes per addressfamily if not nil"`
+		PartitionID                string            `rethinkdb:"partitionid" json:"partitionid"`
+		ProjectID                  string            `rethinkdb:"projectid" json:"projectid"`
+		ParentNetworkID            string            `rethinkdb:"parentnetworkid" json:"parentnetworkid"`
+		Vrf                        uint              `rethinkdb:"vrf" json:"vrf"`
+		Labels                     map[string]string `rethinkdb:"labels" json:"labels"`
+		AdditionalAnnouncableCIDRs []string          `rethinkdb:"additionalannouncablecidrs" json:"additionalannouncablecidrs" description:"list of cidrs which are added to the route maps per tenant private network, these are typically pod- and service cidrs, can only be set in a supernetwork"`
+		NetworkType                *NetworkTypeV2    `rethinkdb:"networktype"`
+		NATType                    *NATType          `rethinkdb:"nattype"`
+
+		// PrivateSuper if set identifies this Network as a Super Network for private networks
+		//
+		// Deprecated: use SuperNetworkType instead
+		PrivateSuper bool `rethinkdb:"privatesuper"`
+		// Underlay if set indicates as a underlay network for firewalls and switches
+		//
+		// Deprecated: use UnderlayNetworkType instead
+		Underlay bool `rethinkdb:"underlay"`
+		// Shared if set indicates that this network can be used from other projects to acquire ips from
+		//
+		// Deprecated: use ChildSharedNetworkType instead
+		Shared bool `rethinkdb:"shared"`
+		// Nat if set, traffic entering this network is masqueraded behind the interface entering this network
+		//
+		// Deprecated: use IPv4MasqueradeNATType instead
+		Nat bool `rethinkdb:"nat"`
+	}
 
-type ChildPrefixLength map[AddressFamily]uint8
+	ChildPrefixLength map[AddressFamily]uint8
 
-// AddressFamily identifies IPv4/IPv6
-type AddressFamily string
-type AddressFamilies []AddressFamily
+	// AddressFamily identifies IPv4/IPv6
+	AddressFamily   string
+	AddressFamilies []AddressFamily
+
+	NATType       string
+	NetworkTypeV2 string
+)
 
 const (
 	// InvalidAddressFamily identifies a invalid Addressfamily
@@ -314,6 +333,28 @@ const (
 	IPv4AddressFamily = AddressFamily("IPv4")
 	// IPv6AddressFamily identifies IPv6
 	IPv6AddressFamily = AddressFamily("IPv6")
+
+	// NetworkType
+	// ExternalNetworkType identifies a network where ips can be allocated from different projects
+	ExternalNetworkType = NetworkTypeV2("external")
+	// UnderlayNetworkType identifies a underlay network
+	UnderlayNetworkType = NetworkTypeV2("underlay")
+
+	// SuperNetworkType identifies a super network where child networks can be allocated from
+	SuperNetworkType = NetworkTypeV2("super")
+	// SuperNamespacedNetworkType identifies a super network where child networks can be allocated from, namespaced per project
+	SuperNamespacedNetworkType = NetworkTypeV2("super-namespaced")
+	// ChildNetworkType identifies a child network which is only used in one project for machines and firewalls without external connectivity
+	ChildNetworkType = NetworkTypeV2("child")
+	// ChildSharedNetworkType identifies a child network which can be shared, e.g. ips allocated from different projects
+	ChildSharedNetworkType = NetworkTypeV2("child-shared")
+
+	// NATType
+	InvalidNATType = NATType("invalid")
+	// NoneNATType no nat in place when traffic leaves this network
+	NoneNATType = NATType("none")
+	// IPv4MasqueradeNATType masquerade ipv4 behind gateway ip
+	IPv4MasqueradeNATType = NATType("ipv4-masq")
 )
 
 // ToAddressFamily will convert a string af to a AddressFamily

cmd/metal-api/internal/service/network-service.go

@@ -412,6 +412,19 @@ func (r *networkResource) createNetwork(request *restful.Request, response *rest
 		}
 	}
 
+	nwType := metal.ExternalNetworkType
+	if privateSuper {
+		nwType = metal.SuperNetworkType
+	}
+	if underlay {
+		nwType = metal.UnderlayNetworkType
+	}
+
+	natType := metal.NoneNATType
+	if nat {
+		natType = metal.IPv4MasqueradeNATType
+	}
+
 	nw := &metal.Network{
 		Base: metal.Base{
 			ID:          id,
@@ -429,6 +442,8 @@ func (r *networkResource) createNetwork(request *restful.Request, response *rest
 		Vrf:                        vrf,
 		Labels:                     labels,
 		AdditionalAnnouncableCIDRs: requestPayload.AdditionalAnnouncableCIDRs,
+		NetworkType:                &nwType,
+		NATType:                    &natType,
 	}
 
 	ctx := request.Request.Context()
@@ -686,6 +701,16 @@ func (r *networkResource) createChildNetwork(ctx context.Context, nwSpec *metal.
 		childPrefixes = append(childPrefixes, *childPrefix)
 	}
 
+	nwType := metal.ChildNetworkType
+	if nwSpec.Shared {
+		nwType = metal.ChildSharedNetworkType
+	}
+
+	natType := metal.NoneNATType
+	if nwSpec.Nat {
+		natType = metal.IPv4MasqueradeNATType
+	}
+
 	nw := &metal.Network{
 		Base: metal.Base{
 			Name:        nwSpec.Name,
@@ -702,6 +727,8 @@ func (r *networkResource) createChildNetwork(ctx context.Context, nwSpec *metal.
 		Vrf:                 *vrf,
 		ParentNetworkID:     parent.ID,
 		Labels:              nwSpec.Labels,
+		NetworkType:         &nwType,
+		NATType:             &natType,
 	}
 
 	err = r.ds.CreateNetwork(nw)