Merge branch 'master' of https://github.com/metal-stack/metal-core in…

…to ipv6-support
metal-stack · Aug 14, 2024 · 3ff4cdd · 3ff4cdd
2 parents f1c7c3a + 7aca726
commit 3ff4cdd
Show file tree

Hide file tree

Showing 21 changed files with 207 additions and 185 deletions.
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -51,7 +51,7 @@ jobs:
         [ "${GITHUB_EVENT_NAME}" == 'push' ] && echo "tag=latest" >> $GITHUB_ENV || true
 
     - name: Build and push image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
       with:
         context: .
         push: true

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.22-alpine3.19 as builder
+FROM golang:1.22-alpine3.20 as builder
 WORKDIR /work
 COPY . .
 RUN apk add \
@@ -11,7 +11,7 @@ RUN apk add \
     dbus-libs
 RUN make
 
-FROM alpine:3.19
+FROM alpine:3.20
 
 RUN apk add \
     libpcap \

diff --git a/cmd/config.go b/cmd/config.go
@@ -31,5 +31,5 @@ type Config struct {
 	GrpcClientCertFile        string        `required:"false" desc:"the gRPC client certificate file" envconfig:"grpc_client_cert_file"`
 	GrpcClientKeyFile         string        `required:"false" desc:"the gRPC client key file" envconfig:"grpc_client_key_file"`
 	PXEVlanID                 uint16        `required:"false" default:"4000" desc:"the id of the pxe vlan" envconfig:"pxe_vlan_id"`
-	PodCIDRs                  []string      `required:"false" default:"10.240.0.0/12" desc:"the pod cidrs, one cidr for ipv4 and on for ipv6 separated by comma" envconfig:"pod_cidrs"`
+	AdditionalRouteMapCIDRs   []string      `required:"false" default:"10.240.0.0/12" desc:"additional route map entries, typically the pod/service CIDRs, one or more CIDR for ipv4 or ipv6, separated by comma" envconfig:"additional_route_map_cidrs"`
 }
diff --git a/cmd/grpc.go b/cmd/grpc.go
@@ -1,7 +1,6 @@
 package cmd
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -48,13 +47,9 @@ func NewGrpcClient(log *slog.Logger, address string, cert, key, caCert []byte) (
 	dialOpts := []grpc.DialOption{
 		grpc.WithKeepaliveParams(kacp),
 		grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
-		grpc.WithBlock(),
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-	defer cancel()
-
-	conn, err := grpc.DialContext(ctx, address, dialOpts...)
+	conn, err := grpc.NewClient(address, dialOpts...)
 	if err != nil {
 		return nil, err
 	}

diff --git a/cmd/internal/core/core.go b/cmd/internal/core/core.go
@@ -33,8 +33,8 @@ type Core struct {
 
 	metrics *metrics.Metrics
 
-	pxeVlanID uint16
-	podCidrs  []string
+	pxeVlanID               uint16
+	additionalRouteMapCIDRs []string
 }
 
 type Config struct {
@@ -60,8 +60,8 @@ type Config struct {
 
 	Metrics *metrics.Metrics
 
-	PXEVlanID uint16
-	PodCidrs  []string
+	PXEVlanID               uint16
+	AdditionalRouteMapCIDRs []string
 }
 
 func New(c Config) *Core {
@@ -84,6 +84,6 @@ func New(c Config) *Core {
 		eventServiceClient:        c.EventServiceClient,
 		metrics:                   c.Metrics,
 		pxeVlanID:                 c.PXEVlanID,
-		podCidrs:                  c.PodCidrs,
+		additionalRouteMapCIDRs:   c.AdditionalRouteMapCIDRs,
 	}
 }
diff --git a/cmd/internal/core/reconfigure-switch.go b/cmd/internal/core/reconfigure-switch.go
@@ -126,14 +126,14 @@ func (c *Core) buildSwitcherConfig(s *models.V1SwitchResponse) (*types.Conf, err
 	}
 
 	switcherConfig := &types.Conf{
-		Name:                 s.Name,
-		LogLevel:             mapLogLevel(c.logLevel),
-		ASN:                  asn,
-		Loopback:             c.loopbackIP,
-		MetalCoreCIDR:        c.cidr,
-		AdditionalBridgeVIDs: c.additionalBridgeVIDs,
-		PXEVlanID:            c.pxeVlanID,
-		PodCidrs:             c.podCidrs,
+		Name:                    s.Name,
+		LogLevel:                mapLogLevel(c.logLevel),
+		ASN:                     asn,
+		Loopback:                c.loopbackIP,
+		MetalCoreCIDR:           c.cidr,
+		AdditionalBridgeVIDs:    c.additionalBridgeVIDs,
+		PXEVlanID:               c.pxeVlanID,
+		AdditionalRouteMapCIDRs: c.additionalRouteMapCIDRs,
 	}
 
 	p := types.Ports{

diff --git a/cmd/internal/core/reconfigure-switch_test.go b/cmd/internal/core/reconfigure-switch_test.go
@@ -12,15 +12,15 @@ import (
 
 func TestBuildSwitcherConfig(t *testing.T) {
 	c := &Core{
-		cidr:                 "10.255.255.2/24",
-		partitionID:          "fra-equ01",
-		rackID:               "rack01",
-		asn:                  "420000001",
-		loopbackIP:           "10.0.0.1",
-		spineUplinks:         []string{"swp31", "swp32"},
-		additionalBridgeVIDs: []string{"201-256", "301-356"},
-		nos:                  &cumulus.Cumulus{},
-		podCidrs:             []string{"10.240.0.0/12"},
+		cidr:                    "10.255.255.2/24",
+		partitionID:             "fra-equ01",
+		rackID:                  "rack01",
+		asn:                     "420000001",
+		loopbackIP:              "10.0.0.1",
+		spineUplinks:            []string{"swp31", "swp32"},
+		additionalBridgeVIDs:    []string{"201-256", "301-356"},
+		nos:                     &cumulus.Cumulus{},
+		additionalRouteMapCIDRs: []string{"10.240.0.0/12"},
 	}
 
 	n1 := "swp1"
@@ -54,11 +54,11 @@ func TestBuildSwitcherConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, actual)
 	expected := &types.Conf{
-		LogLevel:      "warnings",
-		Loopback:      "10.0.0.1",
-		MetalCoreCIDR: "10.255.255.2/24",
-		ASN:           420000001,
-		PodCidrs:      []string{"10.240.0.0/12"},
+		LogLevel:                "warnings",
+		Loopback:                "10.0.0.1",
+		MetalCoreCIDR:           "10.255.255.2/24",
+		ASN:                     420000001,
+		AdditionalRouteMapCIDRs: []string{"10.240.0.0/12"},
 		Ports: types.Ports{
 			DownPorts:     map[string]bool{},
 			Underlay:      []string{"swp31", "swp32"},

diff --git a/cmd/internal/switcher/templates/test_data/dev/conf.yaml b/cmd/internal/switcher/templates/test_data/dev/conf.yaml
@@ -4,7 +4,7 @@ loglevel: warnings
 loopback: 10.0.0.10
 asn: 4200000010
 metalcorecidr: 10.255.255.2/24
-podcidrs:
+additionalroutemapcidrs:
   - "10.240.0.0/12"
   - "fd00:10::/64"
 ports:

diff --git a/cmd/internal/switcher/templates/test_data/dev/cumulus_frr.conf b/cmd/internal/switcher/templates/test_data/dev/cumulus_frr.conf
@@ -113,9 +113,9 @@ router bgp 4200000010 vrf vrf104001
  exit-address-family
 !
 # route-maps for vrf104001
+ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list vrf104001-in-prefixes permit 212.17.234.17/32 le 32
-ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
 ip prefix-list vrf104001-in6-prefixes permit fd00:10::/64 le 128
 route-map vrf104001-in permit 10

diff --git a/cmd/internal/switcher/templates/test_data/dev/customtpl/frr.conf b/cmd/internal/switcher/templates/test_data/dev/customtpl/frr.conf
@@ -100,9 +100,9 @@ router bgp 4200000010 vrf vrf104001
  exit-address-family
 !
 # route-maps for vrf104001
+ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list vrf104001-in-prefixes permit 212.17.234.17/32 le 32
-ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
 ip prefix-list vrf104001-in6-prefixes permit fd00:10::/64 le 128
 route-map vrf104001-in permit 10

diff --git a/cmd/internal/switcher/templates/test_data/dev/sonic_frr.conf b/cmd/internal/switcher/templates/test_data/dev/sonic_frr.conf
@@ -61,6 +61,8 @@ router bgp 4200000010
  address-family ipv6 unicast
   redistribute connected route-map DENY_MGMT
   neighbor FIREWALL allowas-in 2
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
   neighbor FIREWALL activate
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
@@ -109,6 +111,8 @@ router bgp 4200000010 vrf Vrf104001
  address-family ipv6 unicast
   redistribute connected
   neighbor MACHINE maximum-prefix 24000
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
   neighbor MACHINE activate
   neighbor MACHINE route-map Vrf104001-in6 in
  exit-address-family
@@ -119,9 +123,9 @@ router bgp 4200000010 vrf Vrf104001
  exit-address-family
 !
 # route-maps for Vrf104001
+ip prefix-list Vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list Vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list Vrf104001-in-prefixes permit 212.17.234.17/32 le 32
-ip prefix-list Vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list Vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
 ip prefix-list Vrf104001-in6-prefixes permit fd00:10::/64 le 128
 route-map Vrf104001-in permit 10

diff --git a/cmd/internal/switcher/templates/test_data/lab/conf.yaml b/cmd/internal/switcher/templates/test_data/lab/conf.yaml
@@ -4,7 +4,7 @@ loglevel: debugging
 loopback: 10.0.0.10
 asn: 4200000010
 metalcorecidr: 10.255.255.2/24
-podcidrs:
+additionalroutemapcidrs:
   - "10.240.0.0/12"
 ports:
   eth0:

diff --git a/cmd/internal/switcher/templates/test_data/lab/sonic_frr.conf b/cmd/internal/switcher/templates/test_data/lab/sonic_frr.conf
@@ -61,6 +61,8 @@ router bgp 4200000010
  address-family ipv6 unicast
   redistribute connected route-map DENY_MGMT
   neighbor FIREWALL allowas-in 2
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
   neighbor FIREWALL activate
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family

diff --git a/cmd/internal/switcher/templates/test_data/notenants/conf.yaml b/cmd/internal/switcher/templates/test_data/notenants/conf.yaml
@@ -4,7 +4,7 @@ loglevel: warnings
 loopback: 10.0.0.10
 asn: 4200000010
 metalcorecidr: 10.255.255.2/24
-podcidrs:
+additionalroutemapcidrs:
   - "10.240.0.0/12"
 ports:
   eth0:

diff --git a/cmd/internal/switcher/templates/test_data/notenants/sonic_frr.conf b/cmd/internal/switcher/templates/test_data/notenants/sonic_frr.conf
@@ -43,6 +43,8 @@ router bgp 4200000010
  address-family ipv6 unicast
   redistribute connected route-map DENY_MGMT
   neighbor FIREWALL allowas-in 2
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
   neighbor FIREWALL activate
  exit-address-family
  !

diff --git a/cmd/internal/switcher/templates/tpl/sonic_frr.tpl b/cmd/internal/switcher/templates/tpl/sonic_frr.tpl
@@ -68,6 +68,8 @@ router bgp {{ $ASN }}
  address-family ipv6 unicast
   redistribute connected route-map DENY_MGMT
   neighbor FIREWALL allowas-in 2
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
   neighbor FIREWALL activate
   {{- range $k, $f := .Ports.Firewalls }}
   neighbor {{ $f.Port }} route-map fw-{{ $k }}-in in
@@ -131,6 +133,8 @@ router bgp {{ $ASN }} vrf {{ $vrf }}
  address-family ipv6 unicast
   redistribute connected
   neighbor MACHINE maximum-prefix 24000
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
   neighbor MACHINE activate
   {{- if gt (len $t.IPPrefixLists) 0 }}
   neighbor MACHINE route-map {{ $vrf }}-in6 in

diff --git a/cmd/internal/switcher/types/conf.go b/cmd/internal/switcher/types/conf.go
@@ -5,6 +5,7 @@ import (
 	"net/netip"
 
 	"github.com/metal-stack/metal-core/cmd/internal/vlan"
+	"go4.org/netipx"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 )
@@ -37,7 +38,14 @@ func (c *Conf) FillRouteMapsAndIPPrefixLists() error {
 		f.Assemble("fw-"+port, f.Vnis, f.Cidrs)
 	}
 	for vrf, t := range c.Ports.Vrfs {
-		t.Cidrs = append(t.Cidrs, c.PodCidrs...)
+		t.Cidrs = append(t.Cidrs, c.AdditionalRouteMapCIDRs...)
+
+		var err error
+		t.Cidrs, err = compactCidrs(t.Cidrs)
+		if err != nil {
+			return err
+		}
+
 		ipv4, ipv6, err := addressFamilies(t.Cidrs)
 		if err != nil {
 			return fmt.Errorf("unable to parse addressfamilies from cidrs:%w", err)
@@ -48,6 +56,29 @@ func (c *Conf) FillRouteMapsAndIPPrefixLists() error {
 	}
 	return nil
 }
+func compactCidrs(cidrs []string) ([]string, error) {
+	var (
+		compacted    []string
+		ipsetBuilder netipx.IPSetBuilder
+	)
+
+	for _, cidr := range cidrs {
+		parsed, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			return nil, err
+		}
+		ipsetBuilder.AddPrefix(parsed)
+	}
+	set, err := ipsetBuilder.IPSet()
+	if err != nil {
+		return nil, fmt.Errorf("unable to create ipset:%w", err)
+	}
+	for _, pfx := range set.Prefixes() {
+		compacted = append(compacted, pfx.String())
+	}
+
+	return compacted, nil
+}
 
 func addressFamilies(cidrs []string) (ipv4, ipv6 bool, err error) {
 	for _, cidr := range cidrs {

diff --git a/cmd/internal/switcher/types/types.go b/cmd/internal/switcher/types/types.go
@@ -7,15 +7,15 @@ import (
 
 // Conf holds the switch configuration
 type Conf struct {
-	Name                 string
-	LogLevel             string
-	Loopback             string
-	ASN                  uint32
-	Ports                Ports
-	MetalCoreCIDR        string
-	AdditionalBridgeVIDs []string
-	PXEVlanID            uint16
-	PodCidrs             []string
+	Name                    string
+	LogLevel                string
+	Loopback                string
+	ASN                     uint32
+	Ports                   Ports
+	MetalCoreCIDR           string
+	AdditionalBridgeVIDs    []string
+	PXEVlanID               uint16
+	AdditionalRouteMapCIDRs []string
 }
 
 type Ports struct {

diff --git a/cmd/server.go b/cmd/server.go
@@ -102,7 +102,7 @@ func Run() {
 		EventServiceClient:        grpcClient.NewEventClient(),
 		Metrics:                   metrics,
 		PXEVlanID:                 cfg.PXEVlanID,
-		PodCidrs:                  cfg.PodCIDRs,
+		AdditionalRouteMapCIDRs:   cfg.AdditionalRouteMapCIDRs,
 	})
 
 	err = c.RegisterSwitch()