Preflight check that node IP isn't in pod / service CIDRs (#1879)

* Preflight check that node IP isn't in pod / service CIDRs

Author: sgalsaleh

cmd/installer/cli/install_runpreflights.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/configutils"
+	"github.com/replicatedhq/embedded-cluster/pkg/netutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/preflights"
 	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
 	"github.com/sirupsen/logrus"
@@ -87,13 +88,19 @@ func runInstallPreflights(ctx context.Context, flags InstallCmdFlags, metricsRep
 		proxyRegistryURL = fmt.Sprintf("https://%s", runtimeconfig.ProxyRegistryAddress)
 	}
 
+	nodeIP, err := netutils.FirstValidAddress(flags.networkInterface)
+	if err != nil {
+		return fmt.Errorf("unable to find first valid address: %w", err)
+	}
+
 	if err := preflights.PrepareAndRun(ctx, preflights.PrepareAndRunOptions{
 		ReplicatedAPIURL:     replicatedAPIURL,
 		ProxyRegistryURL:     proxyRegistryURL,
 		Proxy:                flags.proxy,
 		PodCIDR:              flags.cidrCfg.PodCIDR,
 		ServiceCIDR:          flags.cidrCfg.ServiceCIDR,
 		GlobalCIDR:           flags.cidrCfg.GlobalCIDR,
+		NodeIP:               nodeIP,
 		PrivateCAs:           flags.privateCAs,
 		IsAirgap:             flags.isAirgap,
 		SkipHostPreflights:   flags.skipHostPreflights,

cmd/installer/cli/join_runpreflights.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/replicatedhq/embedded-cluster/pkg/configutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/kotsadm"
+	"github.com/replicatedhq/embedded-cluster/pkg/netutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/preflights"
 	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
 	"github.com/sirupsen/logrus"
@@ -90,12 +91,18 @@ func runJoinRunPreflights(ctx context.Context, name string, flags JoinCmdFlags,
 }
 
 func runJoinPreflights(ctx context.Context, jcmd *kotsadm.JoinCommandResponse, flags JoinCmdFlags, cidrCfg *CIDRConfig, metricsReported preflights.MetricsReporter) error {
+	nodeIP, err := netutils.FirstValidAddress(flags.networkInterface)
+	if err != nil {
+		return fmt.Errorf("unable to find first valid address: %w", err)
+	}
+
 	if err := preflights.PrepareAndRun(ctx, preflights.PrepareAndRunOptions{
 		ReplicatedAPIURL:       jcmd.InstallationSpec.MetricsBaseURL, // MetricsBaseURL is the replicated.app endpoint url
 		ProxyRegistryURL:       fmt.Sprintf("https://%s", runtimeconfig.ProxyRegistryAddress),
 		Proxy:                  jcmd.InstallationSpec.Proxy,
 		PodCIDR:                cidrCfg.PodCIDR,
 		ServiceCIDR:            cidrCfg.ServiceCIDR,
+		NodeIP:                 nodeIP,
 		IsAirgap:               flags.isAirgap,
 		SkipHostPreflights:     flags.skipHostPreflights,
 		IgnoreHostPreflights:   flags.ignoreHostPreflights,

pkg/preflights/host-preflight.yaml

@@ -861,6 +861,42 @@ spec:
           - pass:
               when: "a-subnet-is-available"
               message: Specified CIDR is available.
+    - subnetContainsIP:
+        checkName: Node IP in Pod CIDR Check
+        cidr: '{{ .PodCIDR.CIDR }}'
+        ip: '{{ .NodeIP }}'
+        exclude: '{{ eq .PodCIDR.CIDR "" }}'
+        outcomes:
+          - fail:
+              when: "true"
+              message: The node IP {{ .NodeIP }} must not be within the Pod CIDR range {{ .PodCIDR.CIDR }}. Choose a different Pod CIDR or network interface.
+          - pass:
+              when: "false" 
+              message: The node IP {{ .NodeIP }} is not within the Pod CIDR range {{ .PodCIDR.CIDR }}.
+    - subnetContainsIP:
+        checkName: Node IP in Service CIDR Check
+        cidr: '{{ .ServiceCIDR.CIDR }}'
+        ip: '{{ .NodeIP }}'
+        exclude: '{{ eq .ServiceCIDR.CIDR "" }}'
+        outcomes:
+          - fail:
+              when: "true"
+              message: The node IP {{ .NodeIP }} must not be within the Service CIDR range {{ .ServiceCIDR.CIDR }}. Choose a different Service CIDR or network interface.
+          - pass:
+              when: "false"
+              message: The node IP {{ .NodeIP }} is not within the Service CIDR range {{ .ServiceCIDR.CIDR }}.
+    - subnetContainsIP:
+        checkName: Node IP in Global CIDR Check
+        cidr: '{{ .GlobalCIDR.CIDR }}'
+        ip: '{{ .NodeIP }}'
+        exclude: '{{ eq .GlobalCIDR.CIDR "" }}'
+        outcomes:
+          - fail:
+              when: "true"
+              message: The node IP {{ .NodeIP }} must not be within the Global CIDR range {{ .GlobalCIDR.CIDR }}. Choose a different CIDR or network interface.
+          - pass:
+              when: "false"
+              message: The node IP {{ .NodeIP }} is not within the Global CIDR range {{ .GlobalCIDR.CIDR }}.
     - sysctl:
         checkName: "ARP Filter default value for newly created interfaces"
         outcomes:

pkg/preflights/run.go

@@ -28,6 +28,7 @@ type PrepareAndRunOptions struct {
 	PodCIDR                string
 	ServiceCIDR            string
 	GlobalCIDR             *string
+	NodeIP                 string
 	PrivateCAs             []string
 	IsAirgap               bool
 	SkipHostPreflights     bool
@@ -66,6 +67,7 @@ func PrepareAndRun(ctx context.Context, opts PrepareAndRunOptions) error {
 		FromCIDR:                opts.PodCIDR,
 		ToCIDR:                  opts.ServiceCIDR,
 		TCPConnectionsRequired:  opts.TCPConnectionsRequired,
+		NodeIP:                  opts.NodeIP,
 	}.WithCIDRData(opts.PodCIDR, opts.ServiceCIDR, opts.GlobalCIDR)
 
 	if err != nil {

pkg/preflights/types/template.go

@@ -33,6 +33,7 @@ type TemplateData struct {
 	FromCIDR                string
 	ToCIDR                  string
 	TCPConnectionsRequired  []string
+	NodeIP                  string
 }
 
 // WithCIDRData sets the respective CIDR properties in the TemplateData struct based on the provided CIDR strings