NETOBSERV-2484: improve ovn subnets detection (#2169)

* NETOBSERV-2484: improve ovn subnets detection

- Check for internal/masquerade/transitswitch subnets
- Add API server

* add configurable masquerade subnet

* Fetch kube apiserver IP, small refactoring (moving files)

* Avoid configuring cidrs already covered for apiserver endpoint

* Refactor detect subnets

- move to different file
- split into smaller functions

* Add role for reading networks

* Use EXT:* pattern for external ips

Author: jotak

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -1002,6 +1002,14 @@ spec:
           - list
           - update
           - watch
+        - apiGroups:
+          - operator.openshift.io
+          resources:
+          - networks
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:

config/rbac/role.yaml

@@ -228,6 +228,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - operator.openshift.io
+  resources:
+  - networks
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

helm/templates/clusterrole.yaml

@@ -227,6 +227,14 @@ rules:
       - list
       - update
       - watch
+  - apiGroups:
+      - operator.openshift.io
+    resources:
+      - networks
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:

internal/controller/flp/detect_subnets.go

@@ -0,0 +1,183 @@
+package flp
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+
+	flowslatest "github.com/netobserv/network-observability-operator/api/flowcollector/v1beta2"
+	"github.com/netobserv/network-observability-operator/internal/pkg/cluster"
+	"github.com/netobserv/network-observability-operator/internal/pkg/helper"
+	configv1 "github.com/openshift/api/config/v1"
+	operatorv1 "github.com/openshift/api/operator/v1"
+	"gopkg.in/yaml.v2"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func (r *Reconciler) getOpenShiftSubnets(ctx context.Context) ([]flowslatest.SubnetLabel, error) {
+	if !r.mgr.ClusterInfo.HasCNO() {
+		return nil, nil
+	}
+	var errs []error
+	var svcMachineCIDRs []*net.IPNet
+
+	pods, services, extIPs, err := readNetworkConfig(ctx, r)
+	if err != nil {
+		errs = append(errs, err)
+	}
+	for _, strCIDR := range services {
+		if _, parsed, err := net.ParseCIDR(strCIDR); err == nil {
+			svcMachineCIDRs = append(svcMachineCIDRs, parsed)
+		}
+	}
+
+	machines, err := readClusterConfig(ctx, r)
+	if err != nil {
+		errs = append(errs, err)
+	}
+	for _, strCIDR := range machines {
+		if _, parsed, err := net.ParseCIDR(strCIDR); err == nil {
+			svcMachineCIDRs = append(svcMachineCIDRs, parsed)
+		}
+	}
+
+	// API server
+	if apiserverIPs, err := cluster.GetAPIServerEndpointIPs(ctx, r, r.mgr.ClusterInfo); err == nil {
+		// Check if this isn't already an IP covered in Services or Machines subnets
+		for _, ip := range apiserverIPs {
+			if parsed := net.ParseIP(ip); parsed != nil {
+				var alreadyCovered bool
+				for _, cidr := range svcMachineCIDRs {
+					if cidr.Contains(parsed) {
+						alreadyCovered = true
+						break
+					}
+				}
+				if !alreadyCovered {
+					cidr := helper.IPToCIDR(ip)
+					services = append(services, cidr)
+				}
+			}
+		}
+	} else {
+		errs = append(errs, fmt.Errorf("can't get API server endpoint IPs: %w", err))
+	}
+
+	// Additional OVN subnets
+	moreMachines, err := readNetworkOperatorConfig(ctx, r)
+	if err != nil {
+		errs = append(errs, err)
+	}
+	machines = append(machines, moreMachines...)
+
+	var subnets []flowslatest.SubnetLabel
+	if len(machines) > 0 {
+		subnets = append(subnets, flowslatest.SubnetLabel{
+			Name:  "Machines",
+			CIDRs: machines,
+		})
+	}
+	if len(pods) > 0 {
+		subnets = append(subnets, flowslatest.SubnetLabel{
+			Name:  "Pods",
+			CIDRs: pods,
+		})
+	}
+	if len(services) > 0 {
+		subnets = append(subnets, flowslatest.SubnetLabel{
+			Name:  "Services",
+			CIDRs: services,
+		})
+	}
+	if len(extIPs) > 0 {
+		subnets = append(subnets, flowslatest.SubnetLabel{
+			Name:  "EXT:ExternalIP",
+			CIDRs: extIPs,
+		})
+	}
+	return subnets, errors.Join(errs...)
+}
+
+func readNetworkConfig(ctx context.Context, cl client.Client) ([]string, []string, []string, error) {
+	// Pods and Services subnets are found in CNO config
+	var pods, services, extIPs []string
+	network := &configv1.Network{}
+	if err := cl.Get(ctx, types.NamespacedName{Name: "cluster"}, network); err != nil {
+		return nil, nil, nil, fmt.Errorf("can't get Network (config) information: %w", err)
+	}
+	for _, podsNet := range network.Spec.ClusterNetwork {
+		pods = append(pods, podsNet.CIDR)
+	}
+	services = network.Spec.ServiceNetwork
+	if network.Spec.ExternalIP != nil && len(network.Spec.ExternalIP.AutoAssignCIDRs) > 0 {
+		extIPs = network.Spec.ExternalIP.AutoAssignCIDRs
+	}
+	return pods, services, extIPs, nil
+}
+
+func readClusterConfig(ctx context.Context, cl client.Client) ([]string, error) {
+	// Nodes subnet found in CM cluster-config-v1 (kube-system)
+	cm := &corev1.ConfigMap{}
+	if err := cl.Get(ctx, types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"}, cm); err != nil {
+		return nil, fmt.Errorf(`can't read "cluster-config-v1" ConfigMap: %w`, err)
+	}
+	return readMachineFromConfig(cm)
+}
+
+func readMachineFromConfig(cm *corev1.ConfigMap) ([]string, error) {
+	type ClusterConfig struct {
+		Networking struct {
+			MachineNetwork []struct {
+				CIDR string `yaml:"cidr"`
+			} `yaml:"machineNetwork"`
+		} `yaml:"networking"`
+	}
+
+	var rawConfig string
+	var ok bool
+	if rawConfig, ok = cm.Data["install-config"]; !ok {
+		return nil, fmt.Errorf(`can't find key "install-config" in "cluster-config-v1" ConfigMap`)
+	}
+	var config ClusterConfig
+	if err := yaml.Unmarshal([]byte(rawConfig), &config); err != nil {
+		return nil, fmt.Errorf(`can't deserialize content of "cluster-config-v1" ConfigMap: %w`, err)
+	}
+
+	var cidrs []string
+	for _, cidr := range config.Networking.MachineNetwork {
+		cidrs = append(cidrs, cidr.CIDR)
+	}
+
+	return cidrs, nil
+}
+
+func readNetworkOperatorConfig(ctx context.Context, cl client.Client) ([]string, error) {
+	// Additional OVN subnets: https://github.com/openshift/cluster-network-operator/blob/fda7a9f07ab6f78d032d310cdd77f21d04f1289a/pkg/network/ovn_kubernetes.go#L76-L77
+	var machines []string
+	networkOp := &operatorv1.Network{}
+	if err := cl.Get(ctx, types.NamespacedName{Name: "cluster"}, networkOp); err != nil {
+		return nil, fmt.Errorf("can't get Network (operator) information: %w", err)
+	}
+	internalSubnet := "100.64.0.0/16"
+	transitSwitchSubnet := "100.88.0.0/16"
+	masqueradeSubnet := "169.254.0.0/17"
+	ovnk := networkOp.Spec.DefaultNetwork.OVNKubernetesConfig
+	if ovnk != nil {
+		if ovnk.V4InternalSubnet != "" {
+			internalSubnet = ovnk.V4InternalSubnet
+		}
+		if ovnk.IPv4 != nil && ovnk.IPv4.InternalTransitSwitchSubnet != "" {
+			transitSwitchSubnet = ovnk.IPv4.InternalTransitSwitchSubnet
+		}
+		if ovnk.GatewayConfig != nil && ovnk.GatewayConfig.IPv4.InternalMasqueradeSubnet != "" {
+			masqueradeSubnet = ovnk.GatewayConfig.IPv4.InternalMasqueradeSubnet
+		}
+	}
+	machines = append(machines, internalSubnet)
+	machines = append(machines, transitSwitchSubnet)
+	machines = append(machines, masqueradeSubnet)
+	return machines, nil
+}

internal/controller/flp/flp_controller.go

@@ -13,12 +13,9 @@ import (
 	"github.com/netobserv/network-observability-operator/internal/pkg/manager"
 	"github.com/netobserv/network-observability-operator/internal/pkg/manager/status"
 	"github.com/netobserv/network-observability-operator/internal/pkg/watchers"
-	configv1 "github.com/openshift/api/config/v1"
-	"gopkg.in/yaml.v2"
 	appsv1 "k8s.io/api/apps/v1"
 	ascv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -230,89 +227,3 @@ func reconcileMonitoringCerts(ctx context.Context, info *reconcilers.Common, tls
 
 	return nil
 }
-
-func (r *Reconciler) getOpenShiftSubnets(ctx context.Context) ([]flowslatest.SubnetLabel, error) {
-	var subnets []flowslatest.SubnetLabel
-
-	// Pods and Services subnets are found in CNO config
-	if r.mgr.ClusterInfo.HasCNO() {
-		network := &configv1.Network{}
-		err := r.Get(ctx, types.NamespacedName{Name: "cluster"}, network)
-		if err != nil {
-			return nil, fmt.Errorf("can't get Network information: %w", err)
-		}
-		var podCIDRs []string
-		for _, podsNet := range network.Spec.ClusterNetwork {
-			podCIDRs = append(podCIDRs, podsNet.CIDR)
-		}
-		if len(podCIDRs) > 0 {
-			subnets = append(subnets, flowslatest.SubnetLabel{
-				Name:  "Pods",
-				CIDRs: podCIDRs,
-			})
-		}
-		if len(network.Spec.ServiceNetwork) > 0 {
-			subnets = append(subnets, flowslatest.SubnetLabel{
-				Name:  "Services",
-				CIDRs: network.Spec.ServiceNetwork,
-			})
-		}
-		if network.Spec.ExternalIP != nil && len(network.Spec.ExternalIP.AutoAssignCIDRs) > 0 {
-			subnets = append(subnets, flowslatest.SubnetLabel{
-				Name:  "ExternalIP",
-				CIDRs: network.Spec.ExternalIP.AutoAssignCIDRs,
-			})
-		}
-	}
-
-	// Nodes subnet found in CM cluster-config-v1 (kube-system)
-	cm := &corev1.ConfigMap{}
-	if err := r.Get(ctx, types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"}, cm); err != nil {
-		return nil, fmt.Errorf(`can't read "cluster-config-v1" ConfigMap: %w`, err)
-	}
-	machines, err := readMachineNetworks(cm)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(machines) > 0 {
-		subnets = append(subnets, machines...)
-	}
-
-	return subnets, nil
-}
-
-func readMachineNetworks(cm *corev1.ConfigMap) ([]flowslatest.SubnetLabel, error) {
-	var subnets []flowslatest.SubnetLabel
-
-	type ClusterConfig struct {
-		Networking struct {
-			MachineNetwork []struct {
-				CIDR string `yaml:"cidr"`
-			} `yaml:"machineNetwork"`
-		} `yaml:"networking"`
-	}
-
-	var rawConfig string
-	var ok bool
-	if rawConfig, ok = cm.Data["install-config"]; !ok {
-		return nil, fmt.Errorf(`can't find key "install-config" in "cluster-config-v1" ConfigMap`)
-	}
-	var config ClusterConfig
-	if err := yaml.Unmarshal([]byte(rawConfig), &config); err != nil {
-		return nil, fmt.Errorf(`can't deserialize content of "cluster-config-v1" ConfigMap: %w`, err)
-	}
-
-	var cidrs []string
-	for _, cidr := range config.Networking.MachineNetwork {
-		cidrs = append(cidrs, cidr.CIDR)
-	}
-	if len(cidrs) > 0 {
-		subnets = append(subnets, flowslatest.SubnetLabel{
-			Name:  "Machines",
-			CIDRs: cidrs,
-		})
-	}
-
-	return subnets, nil
-}

internal/controller/flp/flp_pipeline_builder_test.go

@@ -293,16 +293,10 @@ publish: External`,
 		},
 	}
 
-	machines, err := readMachineNetworks(&cm)
+	machines, err := readMachineFromConfig(&cm)
 	assert.NoError(t, err)
 
-	assert.Equal(t,
-		[]flowslatest.SubnetLabel{
-			{
-				Name:  "Machines",
-				CIDRs: []string{"10.0.0.0/16"},
-			},
-		}, machines)
+	assert.Equal(t, []string{"10.0.0.0/16"}, machines)
 }
 
 func TestPipelineWithSubnetLabels(t *testing.T) {

internal/controller/networkpolicy/apiserver_endpoint_test.go

@@ -11,6 +11,7 @@ import (
 
 	flowslatest "github.com/netobserv/network-observability-operator/api/flowcollector/v1beta2"
 	"github.com/netobserv/network-observability-operator/internal/controller/reconcilers"
+	"github.com/netobserv/network-observability-operator/internal/pkg/cluster"
 	"github.com/netobserv/network-observability-operator/internal/pkg/helper"
 	"github.com/netobserv/network-observability-operator/internal/pkg/manager"
 	"github.com/netobserv/network-observability-operator/internal/pkg/manager/status"
@@ -80,7 +81,7 @@ func (r *Reconciler) reconcile(ctx context.Context, clh *helper.Client, desired
 	// Get API server endpoint IPs for network policy
 	var apiServerIPs []string
 	if r.mgr.ClusterInfo.IsOpenShift() {
-		apiServerIPs, err = GetAPIServerEndpointIPs(ctx, r.Client, r.mgr.ClusterInfo)
+		apiServerIPs, err = cluster.GetAPIServerEndpointIPs(ctx, r.Client, r.mgr.ClusterInfo)
 		if err != nil {
 			l.Error(err, "Failed to get API server endpoint IPs")
 			return fmt.Errorf("cannot determine API server endpoint IPs: %w", err)