PodCIDR, ServiceCIDR, ExternalCIDR, ReservedCIDRs as Networks

liqotech · Dec 18, 2023 · ca27c28 · ca27c28
1 parent 3b367cc
commit ca27c28
Show file tree

Hide file tree

Showing 30 changed files with 941 additions and 197 deletions.
diff --git a/cmd/ipam/main.go b/cmd/ipam/main.go
@@ -30,14 +30,14 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	netv1alpha1 "github.com/liqotech/liqo/apis/net/v1alpha1"
 	"github.com/liqotech/liqo/pkg/consts"
 	liqoipam "github.com/liqotech/liqo/pkg/ipam"
 	"github.com/liqotech/liqo/pkg/leaderelection"
-	liqonetutils "github.com/liqotech/liqo/pkg/liqonet/utils"
 	flagsutils "github.com/liqotech/liqo/pkg/utils/flags"
 	"github.com/liqotech/liqo/pkg/utils/restcfg"
 )
@@ -55,6 +55,8 @@ var (
 
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=net.liqo.io,resources=ipamstorages,verbs=get;list;watch;create;update;patch
 // +kubebuilder:rbac:groups=net.liqo.io,resources=natmappings,verbs=get;list;watch;create;update;patch;delete
 
@@ -130,12 +132,14 @@ func run(_ *cobra.Command, _ []string) error {
 	leaderelectionOpts := &leaderelection.Opts{
 		PodName:           os.Getenv("POD_NAME"),
 		Namespace:         os.Getenv("POD_NAMESPACE"),
+		DeploymentName:    ptr.To(os.Getenv("DEPLOYMENT_NAME")),
 		LeaderElectorName: leaderElectorName,
 		LeaseDuration:     options.LeaseDuration,
 		RenewDeadline:     options.LeaseRenewDeadline,
 		RetryPeriod:       options.LeaseRetryPeriod,
 		InitCallback:      startIPAMServer,
 		StopCallback:      stopIPAMServer,
+		LabelLeader:       options.LabelLeader,
 	}
 
 	localClient := kubernetes.NewForConfigOrDie(cfg)
@@ -158,28 +162,33 @@ func initializeIPAM(ipam *liqoipam.IPAM, opts *liqoipam.Options, dynClient dynam
 		return fmt.Errorf("IPAM pointer is nil. Initialize it before calling this function")
 	}
 
-	if err := ipam.Init(liqoipam.Pools, dynClient, consts.IpamPort); err != nil {
+	if err := ipam.Init(liqoipam.Pools, dynClient); err != nil {
 		return err
 	}
 
+	// Configure PodCIDR
 	if err := ipam.SetPodCIDR(opts.PodCIDR.String()); err != nil {
 		return err
 	}
+
+	// Configure ServiceCIDR
 	if err := ipam.SetServiceCIDR(opts.ServiceCIDR.String()); err != nil {
 		return err
 	}
 
+	// Configure additional network pools.
 	for _, pool := range opts.AdditionalPools.StringList.StringList {
 		if err := ipam.AddNetworkPool(pool); err != nil {
 			return err
 		}
 	}
 
+	// Configure reserved subnets.
 	if err := ipam.SetReservedSubnets(opts.ReservedPools.StringList.StringList); err != nil {
 		return err
 	}
 
-	if _, err := ipam.GetExternalCIDR(liqonetutils.GetMask(options.PodCIDR.String())); err != nil {
+	if err := ipam.Serve(consts.IpamPort); err != nil {
 		return err
 	}
 

diff --git a/cmd/liqo-controller-manager/main.go b/cmd/liqo-controller-manager/main.go
@@ -675,21 +675,13 @@ func main() {
 	}
 
 	if !*disableInternalNetwork {
-		networkReconciler := &networkctrl.NetworkReconciler{
-			Client:     mgr.GetClient(),
-			Scheme:     mgr.GetScheme(),
-			IpamClient: ipamClient,
-		}
+		networkReconciler := networkctrl.NewNetworkReconciler(mgr.GetClient(), mgr.GetScheme(), ipamClient)
 		if err = networkReconciler.SetupWithManager(mgr, *networkWorkers); err != nil {
 			klog.Errorf("Unable to start the networkReconciler", err)
 			os.Exit(1)
 		}
 
-		ipReconciler := &ipctrl.IPReconciler{
-			Client:     mgr.GetClient(),
-			Scheme:     mgr.GetScheme(),
-			IpamClient: ipamClient,
-		}
+		ipReconciler := ipctrl.NewIPReconciler(mgr.GetClient(), mgr.GetScheme(), ipamClient)
 		if err = ipReconciler.SetupWithManager(ctx, mgr, *ipWorkers); err != nil {
 			klog.Errorf("Unable to start the ipReconciler", err)
 			os.Exit(1)

diff --git a/cmd/liqoctl/main.go b/cmd/liqoctl/main.go
@@ -25,6 +25,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1"
+	ipamv1alpha1 "github.com/liqotech/liqo/apis/ipam/v1alpha1"
 	netv1alpha1 "github.com/liqotech/liqo/apis/net/v1alpha1"
 	networkingv1alpha1 "github.com/liqotech/liqo/apis/networking/v1alpha1"
 	offloadingv1alpha1 "github.com/liqotech/liqo/apis/offloading/v1alpha1"
@@ -40,6 +41,7 @@ func init() {
 	utilruntime.Must(sharingv1alpha1.AddToScheme(scheme.Scheme))
 	utilruntime.Must(virtualkubeletv1alpha1.AddToScheme(scheme.Scheme))
 	utilruntime.Must(networkingv1alpha1.AddToScheme(scheme.Scheme))
+	utilruntime.Must(ipamv1alpha1.AddToScheme(scheme.Scheme))
 }
 
 func main() {

diff --git a/cmd/liqonet/network-manager.go b/cmd/liqonet/network-manager.go
@@ -30,7 +30,7 @@ import (
 
 	"github.com/liqotech/liqo/internal/liqonet/network-manager/netcfgcreator"
 	"github.com/liqotech/liqo/internal/liqonet/network-manager/tunnelendpointcreator"
-	liqoconst "github.com/liqotech/liqo/pkg/consts"
+	"github.com/liqotech/liqo/pkg/consts"
 	liqoipam "github.com/liqotech/liqo/pkg/ipam"
 	liqonetutils "github.com/liqotech/liqo/pkg/liqonet/utils"
 	"github.com/liqotech/liqo/pkg/utils/args"
@@ -132,7 +132,7 @@ func runNetworkManager(commonFlags *liqonetCommonFlags, managerFlags *networkMan
 func initializeIPAM(dynClient dynamic.Interface, managerFlags *networkManagerFlags) (*liqoipam.IPAM, error) {
 	ipam := liqoipam.NewIPAM()
 
-	if err := ipam.Init(liqoipam.Pools, dynClient, liqoconst.IpamPort); err != nil {
+	if err := ipam.Init(liqoipam.Pools, dynClient); err != nil {
 		return nil, err
 	}
 
@@ -153,5 +153,9 @@ func initializeIPAM(dynClient dynamic.Interface, managerFlags *networkManagerFla
 		return nil, err
 	}
 
+	if err := ipam.Serve(consts.IpamPort); err != nil {
+		return nil, err
+	}
+
 	return ipam, nil
 }
diff --git a/deployments/liqo/README.md b/deployments/liqo/README.md
@@ -102,6 +102,7 @@
 | ipam.additionalPools | list | `[]` | Set of additional network pools to perform the automatic address mapping in Liqo. Network pools are used to map a cluster network into another one in order to prevent conflicts. Default set of network pools is: [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12] |
 | ipam.external.enabled | bool | `false` | Use an external IPAM to allocate the IP addresses for the pods. Enabling it will disable the internal IPAM. |
 | ipam.external.url | string | `""` | The URL of the external IPAM. |
+| ipam.externalCIDR | string | `""` | The subnet used for the external CIDR. If empty, the default value (10.70.0.0/16) is used. |
 | ipam.internal.enabled | bool | `true` | Use the default Liqo IPAM. |
 | ipam.internal.image.name | string | `"ghcr.io/liqotech/ipam"` | Image repository for the IPAM pod. |
 | ipam.internal.image.version | string | `""` | Custom version for the IPAM image. If not specified, the global tag is used. |
@@ -110,7 +111,7 @@
 | ipam.internal.pod.labels | object | `{}` | Labels for the IPAM pod. |
 | ipam.internal.pod.resources | object | `{"limits":{},"requests":{}}` | Resource requests and limits (https://kubernetes.io/docs/user-guide/compute-resources/) for the proxy pod. |
 | ipam.internal.replicas | int | `1` | The number of IPAM instances to run, which can be increased for active/passive high availability. |
-| ipam.legacy | bool | `true` |  |
+| ipam.legacy | bool | `false` |  |
 | ipam.podCIDR | string | `""` | The subnet used by the pods in your cluster, in CIDR notation (e.g., 10.0.0.0/16). |
 | ipam.reservedSubnets | list | `[]` | List of IP subnets that do not have to be used by Liqo. Liqo can perform automatic IP address remapping when a remote cluster is peering with you, e.g., in case IP address spaces (e.g., PodCIDR) overlaps. In order to prevent IP conflicting between locally used private subnets in your infrastructure and private subnets belonging to remote clusters you need tell liqo the subnets used in your cluster. E.g if your cluster nodes belong to the 192.168.2.0/24 subnet, then you should add that subnet to the reservedSubnets. PodCIDR and serviceCIDR used in the local cluster are automatically added to the reserved list. |
 | ipam.serviceCIDR | string | `""` | The subnet used by the services in you cluster, in CIDR notation (e.g., 172.16.0.0/16). |

diff --git a/deployments/liqo/files/liqo-controller-manager-ClusterRole.yaml b/deployments/liqo/files/liqo-controller-manager-ClusterRole.yaml
@@ -359,14 +359,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - net.liqo.io
-  resources:
-  - ipamstorages
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - net.liqo.io
   resources:

diff --git a/deployments/liqo/files/liqo-ipam-ClusterRole.yaml b/deployments/liqo/files/liqo-ipam-ClusterRole.yaml
@@ -1,4 +1,12 @@
 rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -20,6 +28,16 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - net.liqo.io
   resources:

diff --git a/deployments/liqo/templates/liqo-ipam-deployment.yaml b/deployments/liqo/templates/liqo-ipam-deployment.yaml
@@ -1,8 +1,8 @@
----
-{{- $ipamConfig := (merge (dict "name" "ipam" "module" "ipam" "version" .Values.ipam.internal.image.version) .) -}}
-
 {{- if and (.Values.networking.internal) (not .Values.ipam.external.enabled) (not .Values.ipam.legacy ) }}
 
+{{- $ipamConfig := (merge (dict "name" "ipam" "module" "ipam" "version" .Values.ipam.internal.image.version) .) -}}
+{{- $ha := (gt .Values.ipam.internal.replicas 1.0) -}}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -39,9 +39,21 @@ spec:
           ports:
             - name: ipam-api
               containerPort: 6000
+          {{- if not $ha }}
+          livenessProbe:
+            grpc:
+              port: 6000
+            initialDelaySeconds: 1
+          readinessProbe:
+            grpc:
+              port: 6000
+          {{- end }}
           args:
             - --pod-cidr={{ .Values.ipam.podCIDR }}
             - --service-cidr={{ .Values.ipam.serviceCIDR }}
+            {{- if $ha }}
+            - --lease-enabled=true
+            {{- end }}
             {{- if .Values.ipam.reservedSubnets }}
             {{- $d := dict "commandName" "--reserved-pools" "list" .Values.ipam.reservedSubnets }}
             {{- include "liqo.concatenateList" $d | nindent 12 }}
@@ -65,6 +77,8 @@ spec:
             valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
+          - name: DEPLOYMENT_NAME
+            value: {{ include "liqo.prefixedName" $ipamConfig }}
           resources: {{- toYaml .Values.ipam.internal.pod.resources | nindent 12 }}
       {{- if ((.Values.common).nodeSelector) }}
       nodeSelector:

diff --git a/deployments/liqo/templates/liqo-ipam-networks.yaml b/deployments/liqo/templates/liqo-ipam-networks.yaml
@@ -0,0 +1,52 @@
+{{- $ipamConfig := (merge (dict "name" "ipam" "module" "ipam") .) -}}
+---
+apiVersion: ipam.liqo.io/v1alpha1
+kind: Network
+metadata:
+  name: pod-cidr
+  labels:
+    {{- include "liqo.labels" $ipamConfig | nindent 4 }}
+    ipam.liqo.io/network-type: pod-cidr
+    ipam.liqo.io/network-not-remapped: "true"
+spec:
+  cidr: {{ .Values.ipam.podCIDR }}
+---
+apiVersion: ipam.liqo.io/v1alpha1
+kind: Network
+metadata:
+  name: service-cidr
+  labels:
+    {{- include "liqo.labels" $ipamConfig | nindent 4 }}
+    ipam.liqo.io/network-type: service-cidr
+    ipam.liqo.io/network-not-remapped: "true"
+spec:
+  cidr: {{ .Values.ipam.serviceCIDR }}
+---
+apiVersion: ipam.liqo.io/v1alpha1
+kind: Network
+metadata:
+  name: external-cidr
+  labels:
+    {{- include "liqo.labels" $ipamConfig | nindent 4 }}
+    ipam.liqo.io/network-type: external-cidr
+spec:
+  {{- if .Values.ipam.externalCIDR }}
+  cidr: {{ .Values.ipam.externalCIDR }}
+  {{- else }}
+  cidr: 10.70.0.0/16
+  {{- end }}
+---
+{{- range $i, $value := .Values.ipam.reservedSubnets }}
+apiVersion: ipam.liqo.io/v1alpha1
+kind: Network
+metadata:
+  name: reserved-{{ add $i 1 }}
+  labels:
+    {{- include "liqo.labels" $ipamConfig | nindent 4 }}
+    ipam.liqo.io/network-type: reserved
+    ipam.liqo.io/network-not-remapped: "true"
+spec:
+  cidr: {{ $value }}
+---
+{{- end }}
+
diff --git a/deployments/liqo/templates/liqo-ipam-service.yaml b/deployments/liqo/templates/liqo-ipam-service.yaml
@@ -1,8 +1,8 @@
----
-{{- $ipamConfig := (merge (dict "name" "ipam" "module" "ipam") .) -}}
-
 {{- if and (.Values.networking.internal) (not .Values.ipam.external.enabled) (not .Values.ipam.legacy ) }}
 
+{{- $ipamConfig := (merge (dict "name" "ipam" "module" "ipam") .) -}}
+{{- $ha := (gt .Values.ipam.internal.replicas 1.0) -}}
+
 apiVersion: v1
 kind: Service
 metadata:
@@ -18,5 +18,8 @@ spec:
       protocol: TCP
   selector:
     {{- include "liqo.selectorLabels" $ipamConfig | nindent 4 }}
+    {{- if $ha }}
+    leaderelection.liqo.io/leader: "true"
+    {{- end }}
 
 {{- end }}
diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml
@@ -173,7 +173,7 @@ controllerManager:
     enableNodeFailureController: false
 
 ipam:
-  legacy: true
+  legacy: false
   external:
     # -- Use an external IPAM to allocate the IP addresses for the pods. Enabling it will disable the internal IPAM.
     enabled: false
@@ -204,6 +204,8 @@ ipam:
   podCIDR: ""
   # -- The subnet used by the services in you cluster, in CIDR notation (e.g., 172.16.0.0/16).
   serviceCIDR: ""
+  # -- The subnet used for the external CIDR. If empty, the default value (10.70.0.0/16) is used.
+  externalCIDR: ""
   # -- List of IP subnets that do not have to be used by Liqo.
   # Liqo can perform automatic IP address remapping when a remote cluster is peering with you, e.g., in case IP address spaces (e.g., PodCIDR) overlaps.
   # In order to prevent IP conflicting between locally used private subnets in your infrastructure and private subnets belonging to remote clusters

diff --git a/pkg/consts/ipam.go b/pkg/consts/ipam.go
@@ -14,7 +14,26 @@
 
 package consts
 
+// NetworkType indicates the type of Network.
+type NetworkType string
+
 const (
 	// IpamPort is the port used by the IPAM gRPC server.
 	IpamPort = 6000
+
+	// NetworkNotRemappedLabelKey is the label key used to mark a Network that does not need CIDR remapping.
+	NetworkNotRemappedLabelKey = "ipam.liqo.io/network-not-remapped"
+	// NetworkNotRemappedLabelValue is the label value used to mark a Network that does not need CIDR remapping.
+	NetworkNotRemappedLabelValue = "true"
+
+	// NetworkTypeLabelKey is the label key used to indicate the type of a Network.
+	NetworkTypeLabelKey = "ipam.liqo.io/network-type"
+	// NetworkTypePodCIDR is the constant representing a network of type podCIDR.
+	NetworkTypePodCIDR NetworkType = "pod-cidr"
+	// NetworkTypeServiceCIDR is the constant representing a network of type serviceCIDR.
+	NetworkTypeServiceCIDR NetworkType = "service-cidr"
+	// NetworkTypeExternalCIDR is the constant representing a network of type externalCIDR.
+	NetworkTypeExternalCIDR NetworkType = "external-cidr"
+	// NetworkTypeReserved is the constant representing a network of type reserved subnet.
+	NetworkTypeReserved NetworkType = "reserved"
 )
diff --git a/pkg/ipam/fake/ipam.go b/pkg/ipam/fake/ipam.go
@@ -115,3 +115,9 @@ func (mock *IPAMClient) MapNetworkCIDR(_ context.Context, req *ipam.MapCIDRReque
 func (mock *IPAMClient) UnmapNetworkCIDR(_ context.Context, _ *ipam.UnmapCIDRRequest, _ ...grpc.CallOption) (*ipam.UnmapCIDRResponse, error) {
 	return &ipam.UnmapCIDRResponse{}, nil
 }
+
+// GetOrSetExternalCIDR mocks the corresponding IPAMClient function.
+func (mock *IPAMClient) GetOrSetExternalCIDR(_ context.Context, req *ipam.GetOrSetExtCIDRRequest,
+	_ ...grpc.CallOption) (*ipam.GetOrSetExtCIDRResponse, error) {
+	return &ipam.GetOrSetExtCIDRResponse{RemappedExtCIDR: req.DesiredExtCIDR}, nil
+}