feat(host-preflights): add cidr preflight checks (#1355)

JGAntunes · ajp-io · web-flow · commit 67a7da5536ae · 2024-10-23T16:53:59.000Z
* feat(host-preflights): add cidr preflight checks

* chore: adding unit tests

* chore: fully test template rendering

* chore: test flag logic

* fix: address flag feedback

* chore: change preflight exclude behaviour

* Update failure wording

* fix: preflight tests and template

* chore: add getCIDRs CIDR only flag test

---------

Co-authored-by: Alex Parker &lt;7272359+ajp-io@users.noreply.github.com&gt;
diff --git a/cmd/embedded-cluster/install.go b/cmd/embedded-cluster/install.go
@@ -152,7 +152,7 @@ func RunHostPreflights(c *cli.Context, provider *defaults.Provider, applier *add
 		return fmt.Errorf("unable to read host preflights: %w", err)
 	}
 
-	data := preflights.TemplateData{
+	data, err := preflights.TemplateData{
 		ReplicatedAPIURL:        replicatedAPIURL,
 		ProxyRegistryURL:        proxyRegistryURL,
 		IsAirgap:                isAirgap,
@@ -162,6 +162,10 @@ func RunHostPreflights(c *cli.Context, provider *defaults.Provider, applier *add
 		K0sDataDir:              provider.EmbeddedClusterK0sSubDir(),
 		OpenEBSDataDir:          provider.EmbeddedClusterOpenEBSLocalSubDir(),
 		SystemArchitecture:      runtime.GOARCH,
+	}.WithCIDRData(getCIDRs(c))
+
+	if err != nil {
+		return fmt.Errorf("unable to get host preflights data: %w", err)
 	}
 	chpfs, err := preflights.GetClusterHostPreflights(c.Context, data)
 	if err != nil {
diff --git a/cmd/embedded-cluster/network.go b/cmd/embedded-cluster/network.go
@@ -45,8 +45,16 @@ func withSubnetCIDRFlags(flags []cli.Flag) []cli.Flag {
 // --pod-cidr and --service-cidr have been set, they are used. Otherwise,
 // the cidr flag is split into pod and service CIDRs.
 func DeterminePodAndServiceCIDRs(c *cli.Context) (string, string, error) {
-	if c.IsSet("pod-cidr") && c.IsSet("service-cidr") {
+	if c.IsSet("pod-cidr") || c.IsSet("service-cidr") {
 		return c.String("pod-cidr"), c.String("service-cidr"), nil
 	}
 	return netutils.SplitNetworkCIDR(c.String("cidr"))
 }
+
+// getCIDRs returns the CIDRs in use based on the provided cli flags.
+func getCIDRs(c *cli.Context) (string, string, string) {
+	if c.IsSet("pod-cidr") || c.IsSet("service-cidr") {
+		return c.String("pod-cidr"), c.String("service-cidr"), ""
+	}
+	return "", "", c.String("cidr")
+}
diff --git a/cmd/embedded-cluster/network_test.go b/cmd/embedded-cluster/network_test.go
@@ -0,0 +1,172 @@
+package main
+
+import (
+	"flag"
+	"testing"
+
+	"github.com/k0sproject/k0s/pkg/apis/k0s/v1beta1"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli/v2"
+)
+
+func Test_getCIDRs(t *testing.T) {
+	tests := []struct {
+		name            string
+		buildCliContext func(*flag.FlagSet) *cli.Context
+		expected        []string
+	}{
+		{
+			name: "with pod and service flags",
+			expected: []string{
+				"10.0.0.0/24",
+				"10.1.0.0/24",
+				"",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("pod-cidr", "10.0.0.0/24")
+				c.Set("service-cidr", "10.1.0.0/24")
+				return c
+			},
+		},
+		{
+			name: "with pod flag",
+			expected: []string{
+				"10.0.0.0/24",
+				v1beta1.DefaultNetwork().ServiceCIDR,
+				"",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("pod-cidr", "10.0.0.0/24")
+				return c
+			},
+		},
+		{
+			name: "with pod, service and cidr flags",
+			expected: []string{
+				"10.0.0.0/24",
+				"10.1.0.0/24",
+				"",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("pod-cidr", "10.0.0.0/24")
+				c.Set("service-cidr", "10.1.0.0/24")
+				c.Set("cidr", "10.2.0.0/24")
+				return c
+			},
+		},
+		{
+			name: "with pod and cidr flags",
+			expected: []string{
+				"10.0.0.0/24",
+				v1beta1.DefaultNetwork().ServiceCIDR,
+				"",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("pod-cidr", "10.0.0.0/24")
+				c.Set("cidr", "10.2.0.0/24")
+				return c
+			},
+		},
+		{
+			name: "with cidr flag",
+			expected: []string{
+				"",
+				"",
+				"10.2.0.0/24",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("cidr", "10.2.0.0/24")
+				return c
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			req := require.New(t)
+
+			flagSet := flag.NewFlagSet(t.Name(), 0)
+			flags := withSubnetCIDRFlags([]cli.Flag{})
+			for _, f := range flags {
+				err := f.Apply(flagSet)
+				req.NoError(err)
+			}
+
+			cc := test.buildCliContext(flagSet)
+			podCIDR, serviceCIDR, CIDR := getCIDRs(cc)
+			req.Equal(test.expected[0], podCIDR)
+			req.Equal(test.expected[1], serviceCIDR)
+			req.Equal(test.expected[2], CIDR)
+		})
+	}
+}
+
+func Test_DeterminePodAndServiceCIDRs(t *testing.T) {
+
+	tests := []struct {
+		name            string
+		buildCliContext func(*flag.FlagSet) *cli.Context
+		expected        []string
+	}{
+		{
+			name: "with pod flag",
+			expected: []string{
+				"10.0.0.0/16",
+				v1beta1.DefaultNetwork().ServiceCIDR,
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("pod-cidr", "10.0.0.0/16")
+				return c
+			},
+		},
+		{
+			name: "with service flag",
+			expected: []string{
+				v1beta1.DefaultNetwork().PodCIDR,
+				"10.1.0.0/16",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("service-cidr", "10.1.0.0/16")
+				return c
+			},
+		},
+		{
+			name: "with cidr flag",
+			expected: []string{
+				"10.0.0.0/16",
+				"10.1.0.0/16",
+			},
+			buildCliContext: func(flagSet *flag.FlagSet) *cli.Context {
+				c := cli.NewContext(cli.NewApp(), flagSet, nil)
+				c.Set("cidr", "10.0.0.0/15")
+				return c
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			req := require.New(t)
+
+			flagSet := flag.NewFlagSet(t.Name(), 0)
+			flags := withSubnetCIDRFlags([]cli.Flag{})
+			for _, f := range flags {
+				err := f.Apply(flagSet)
+				req.NoError(err)
+			}
+
+			cc := test.buildCliContext(flagSet)
+			podCIDR, serviceCIDR, err := DeterminePodAndServiceCIDRs(cc)
+			req.NoError(err)
+			req.Equal(test.expected[0], podCIDR)
+			req.Equal(test.expected[1], serviceCIDR)
+		})
+	}
+}
diff --git a/pkg/preflights/host-preflight.yaml b/pkg/preflights/host-preflight.yaml
@@ -127,6 +127,21 @@ spec:
         collectorName: 'wildcard-check'
         hostnames:
           - '*'
+    - subnetAvailable:
+        collectorName: Pod CIDR
+        exclude: '{{ eq .PodCIDR.CIDR "" }}'
+        CIDRRangeAlloc: '{{ .PodCIDR.CIDR }}'
+        desiredCIDR: {{.PodCIDR.Size}}
+    - subnetAvailable:
+        collectorName: Service CIDR
+        exclude: '{{ eq .ServiceCIDR.CIDR "" }}'
+        CIDRRangeAlloc: '{{ .ServiceCIDR.CIDR }}'
+        desiredCIDR: {{.ServiceCIDR.Size}}
+    - subnetAvailable:
+        collectorName: CIDR
+        exclude: '{{ eq .GlobalCIDR.CIDR "" }}'
+        CIDRRangeAlloc: '{{ .GlobalCIDR.CIDR }}'
+        desiredCIDR: {{.GlobalCIDR.Size}}
   analyzers:
     - cpu:
         checkName: CPU
@@ -763,10 +778,10 @@ spec:
         outcomes:
           - fail:
               when: 'true'
-              message: {{ .DataDir }} cannot be symlinked. Remove the symlink, or use the --data-dir flag to provide an alternate data directory.
+              message: "{{ .DataDir }} cannot be symlinked. Remove the symlink, or use the --data-dir flag to provide an alternate data directory."
           - pass:
               when: 'false'
-              message: {{ .DataDir }} is not a symlink.
+              message: "{{ .DataDir }} is not a symlink."
     - jsonCompare:
         checkName: Wildcard DNS
         fileName: host-collectors/dns/wildcard-check/result.json
@@ -780,3 +795,36 @@ spec:
           - pass:
               when: 'true'
               message: No wildcard DNS entry detected.
+    - subnetAvailable:
+        checkName: Pod CIDR Availability
+        collectorName: Pod CIDR
+        exclude: '{{ eq .PodCIDR.CIDR "" }}'
+        outcomes:
+          - fail:
+              when: "no-subnet-available"
+              message: "{{ .PodCIDR.CIDR }} is not available. Use --pod-cidr to specify an available CIDR block."
+          - pass:
+              when: "a-subnet-is-available"
+              message: Specified Pod CIDR is available.
+    - subnetAvailable:
+        checkName: Service CIDR Availability
+        collectorName: Service CIDR
+        exclude: '{{ eq .ServiceCIDR.CIDR "" }}'
+        outcomes:
+          - fail:
+              when: "no-subnet-available"
+              message: "{{ .ServiceCIDR.CIDR }} is not available. Use --service-cidr to specify an available CIDR block."
+          - pass:
+              when: "a-subnet-is-available"
+              message: Specified Service CIDR is available.
+    - subnetAvailable:
+        checkName: CIDR Availability
+        collectorName: CIDR
+        exclude: '{{ eq .GlobalCIDR.CIDR "" }}'
+        outcomes:
+          - fail:
+              when: "no-subnet-available"
+              message:  "{{ .GlobalCIDR.CIDR }} is not available. Use --cidr to specify a CIDR block of available private IP addresses (/16 or larger)."
+          - pass:
+              when: "a-subnet-is-available"
+              message: Specified CIDR is available.
diff --git a/pkg/preflights/template.go b/pkg/preflights/template.go
@@ -4,9 +4,17 @@ package preflights
 import (
 	"bytes"
 	"fmt"
+	"net"
 	"text/template"
 )
 
+type CIDRData struct {
+	// Should specify the IP Address and size of the network e.g. "10.0.0.0/8"
+	CIDR string
+	// The size of the CIDR network. Should match the CIDR size above.
+	Size int
+}
+
 type TemplateData struct {
 	IsAirgap                bool
 	ReplicatedAPIURL        string
@@ -17,6 +25,51 @@ type TemplateData struct {
 	K0sDataDir              string
 	OpenEBSDataDir          string
 	SystemArchitecture      string
+	ServiceCIDR             CIDRData
+	PodCIDR                 CIDRData
+	GlobalCIDR              CIDRData
+}
+
+// WithCIDRData sets the respective CIDR properties in the TemplateData struct based on the provided CIDR strings
+func (t TemplateData) WithCIDRData(podCIDR, serviceCIDR, globalCIDR string) (TemplateData, error) {
+	if globalCIDR != "" {
+		_, cidr, err := net.ParseCIDR(globalCIDR)
+		if err != nil {
+			return t, fmt.Errorf("invalid cidr: %w", err)
+		}
+		size, _ := cidr.Mask.Size()
+		t.GlobalCIDR = CIDRData{
+			CIDR: cidr.String(),
+			Size: size,
+		}
+		return t, nil
+	}
+
+	s := CIDRData{}
+	p := CIDRData{}
+	if serviceCIDR != "" {
+		_, cidr, err := net.ParseCIDR(serviceCIDR)
+		if err != nil {
+			return t, fmt.Errorf("invalid service cidr: %w", err)
+		}
+		size, _ := cidr.Mask.Size()
+		s.CIDR = cidr.String()
+		s.Size = size
+	}
+
+	if podCIDR != "" {
+		_, cidr, err := net.ParseCIDR(podCIDR)
+		if err != nil {
+			return t, fmt.Errorf("invalid pod cidr: %w", err)
+		}
+		size, _ := cidr.Mask.Size()
+		p.CIDR = cidr.String()
+		p.Size = size
+	}
+
+	t.ServiceCIDR = s
+	t.PodCIDR = p
+	return t, nil
 }
 
 func renderTemplate(spec string, data TemplateData) (string, error) {
diff --git a/pkg/preflights/template_test.go b/pkg/preflights/template_test.go
