Merge pull request #125 from adobley/pool-downsize-in-use-ips

Webhook Validate updated pool does not remove in use IPs

Author: schrej

api/v1alpha1/inclusterippool_types.go

@@ -59,6 +59,11 @@ type InClusterIPPoolStatusIPAddresses struct {
 	// Used is the count of allocated IPs in the pool.
 	// Counts greater than int can contain will report as math.MaxInt.
 	Used int `json:"used"`
+
+	// Out of Range is the count of allocated IPs in the pool that is not
+	// contained within spec.Addresses.
+	// Counts greater than int can contain will report as math.MaxInt.
+	OutOfRange int `json:"outOfRange"`
 }
 
 // +kubebuilder:object:root=true

config/crd/bases/ipam.cluster.x-k8s.io_globalinclusterippools.yaml

@@ -103,6 +103,11 @@ spec:
                     description: Free is the count of unallocated IPs in the pool.
                       Counts greater than int can contain will report as math.MaxInt.
                     type: integer
+                  outOfRange:
+                    description: Out of Range is the count of allocated IPs in the
+                      pool that is not contained within spec.Addresses. Counts greater
+                      than int can contain will report as math.MaxInt.
+                    type: integer
                   total:
                     description: Total is the total number of IPs configured for the
                       pool. Counts greater than int can contain will report as math.MaxInt.
@@ -113,6 +118,7 @@ spec:
                     type: integer
                 required:
                 - free
+                - outOfRange
                 - total
                 - used
                 type: object

config/crd/bases/ipam.cluster.x-k8s.io_inclusterippools.yaml

@@ -105,6 +105,11 @@ spec:
                     description: Free is the count of unallocated IPs in the pool.
                       Counts greater than int can contain will report as math.MaxInt.
                     type: integer
+                  outOfRange:
+                    description: Out of Range is the count of allocated IPs in the
+                      pool that is not contained within spec.Addresses. Counts greater
+                      than int can contain will report as math.MaxInt.
+                    type: integer
                   total:
                     description: Total is the total number of IPs configured for the
                       pool. Counts greater than int can contain will report as math.MaxInt.
@@ -115,6 +120,7 @@ spec:
                     type: integer
                 required:
                 - free
+                - outOfRange
                 - total
                 - used
                 type: object

internal/controllers/inclusterippool.go

@@ -199,11 +199,16 @@ func genericReconcile(ctx context.Context, c client.Client, pool pooltypes.Gener
 	}
 
 	free := poolCount - inUseCount
+	outOfRangeIPSet, err := poolutil.AddressesOutOfRangeIPSet(addressesInUse, poolIPSet)
+	if err != nil {
+		return ctrl.Result{}, errors.Wrap(err, "failed to build out of range ip set")
+	}
 
 	pool.PoolStatus().Addresses = &v1alpha1.InClusterIPPoolStatusIPAddresses{
-		Total: poolCount,
-		Used:  inUseCount,
-		Free:  free,
+		Total:      poolCount,
+		Used:       inUseCount,
+		Free:       free,
+		OutOfRange: poolutil.IPSetCount(outOfRangeIPSet),
 	}
 
 	log.Info("Updating pool with usage info", "statusAddresses", pool.PoolStatus().Addresses)

internal/controllers/inclusterippool_test.go

@@ -99,6 +99,67 @@ var _ = Describe("IP Pool Reconciler", func() {
 			Entry("When there is 1 claim with gateway outside of range - GlobalInClusterIPPool",
 				"GlobalInClusterIPPool", []string{"10.0.0.10-10.0.0.20"}, "10.0.0.1", 11, 1, 10),
 		)
+
+		DescribeTable("it shows the out of range ips if any",
+			func(poolType string, addresses []string, gateway string, updatedAddresses []string, numClaims, expectedOutOfRange int) {
+				poolSpec := v1alpha1.InClusterIPPoolSpec{
+					Prefix:    24,
+					Gateway:   gateway,
+					Addresses: addresses,
+				}
+
+				switch poolType {
+				case "InClusterIPPool":
+					genericPool = &v1alpha1.InClusterIPPool{
+						ObjectMeta: metav1.ObjectMeta{GenerateName: testPool, Namespace: namespace},
+						Spec:       poolSpec,
+					}
+				case "GlobalInClusterIPPool":
+					genericPool = &v1alpha1.GlobalInClusterIPPool{
+						ObjectMeta: metav1.ObjectMeta{GenerateName: testPool, Namespace: namespace},
+						Spec:       poolSpec,
+					}
+				default:
+					Fail("Unknown pool type")
+				}
+
+				Expect(k8sClient.Create(context.Background(), genericPool)).To(Succeed())
+
+				for i := 0; i < numClaims; i++ {
+					claim := ipamv1.IPAddressClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      fmt.Sprintf("test%d", i),
+							Namespace: namespace,
+						},
+						Spec: ipamv1.IPAddressClaimSpec{
+							PoolRef: corev1.TypedLocalObjectReference{
+								APIGroup: pointer.String("ipam.cluster.x-k8s.io"),
+								Kind:     poolType,
+								Name:     genericPool.GetName(),
+							},
+						},
+					}
+					Expect(k8sClient.Create(context.Background(), &claim)).To(Succeed())
+					createdClaimNames = append(createdClaimNames, claim.Name)
+				}
+
+				Eventually(Object(genericPool)).
+					WithTimeout(5 * time.Second).WithPolling(100 * time.Millisecond).Should(
+					HaveField("Status.Addresses.Used", Equal(numClaims)))
+
+				genericPool.PoolSpec().Addresses = updatedAddresses
+				Expect(k8sClient.Update(context.Background(), genericPool)).To(Succeed())
+
+				Eventually(Object(genericPool)).
+					WithTimeout(5 * time.Second).WithPolling(100 * time.Millisecond).Should(
+					HaveField("Status.Addresses.OutOfRange", Equal(expectedOutOfRange)))
+			},
+
+			Entry("InClusterIPPool",
+				"InClusterIPPool", []string{"10.0.0.10-10.0.0.20"}, "10.0.0.1", []string{"10.0.0.13-10.0.0.20"}, 5, 3),
+			Entry("GlobalInClusterIPPool",
+				"GlobalInClusterIPPool", []string{"10.0.0.10-10.0.0.20"}, "10.0.0.1", []string{"10.0.0.13-10.0.0.20"}, 5, 3),
+		)
 	})
 
 	Context("when the pool has IPAddresses", func() {

internal/poolutil/pool.go

@@ -19,6 +19,22 @@ import (
 	"github.com/telekom/cluster-api-ipam-provider-in-cluster/internal/index"
 )
 
+// AddressesOutOfRangeIPSet returns an IPSet of the inUseAddresses IPs that are
+// not in the poolIPSet.
+func AddressesOutOfRangeIPSet(inUseAddresses []ipamv1.IPAddress, poolIPSet *netipx.IPSet) (*netipx.IPSet, error) {
+	outOfRangeBuilder := &netipx.IPSetBuilder{}
+	for _, address := range inUseAddresses {
+		ip, err := netip.ParseAddr(address.Spec.Address)
+		if err != nil {
+			// if an address we fetch for the pool is unparsable then it isn't in the pool ranges
+			continue
+		}
+		outOfRangeBuilder.Add(ip)
+	}
+	outOfRangeBuilder.RemoveSet(poolIPSet)
+	return outOfRangeBuilder.IPSet()
+}
+
 // ListAddressesInUse fetches all IPAddresses belonging to the specified pool.
 // Note: requires `index.ipAddressByCombinedPoolRef` to be set up.
 func ListAddressesInUse(ctx context.Context, c client.Reader, namespace string, poolRef corev1.TypedLocalObjectReference) ([]ipamv1.IPAddress, error) {

internal/webhooks/inclusterippool.go

@@ -110,7 +110,7 @@ func (webhook *InClusterIPPool) ValidateCreate(_ context.Context, obj runtime.Ob
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (webhook *InClusterIPPool) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) error {
+func (webhook *InClusterIPPool) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) error {
 	newPool, ok := newObj.(types.GenericInClusterPool)
 	if !ok {
 		return apierrors.NewBadRequest(fmt.Sprintf("expected a InClusterIPPool or an GlobalInClusterIPPool but got a %T", newObj))
@@ -119,7 +119,49 @@ func (webhook *InClusterIPPool) ValidateUpdate(_ context.Context, oldObj, newObj
 	if !ok {
 		return apierrors.NewBadRequest(fmt.Sprintf("expected a InClusterIPPool or an GlobalInClusterIPPool but got a %T", oldObj))
 	}
-	return webhook.validate(oldPool, newPool)
+
+	err := webhook.validate(oldPool, newPool)
+	if err != nil {
+		return err
+	}
+
+	oldPoolRef := corev1.TypedLocalObjectReference{
+		APIGroup: pointer.String(v1alpha1.GroupVersion.Group),
+		Kind:     oldPool.GetObjectKind().GroupVersionKind().Kind,
+		Name:     oldPool.GetName(),
+	}
+	inUseAddresses, err := poolutil.ListAddressesInUse(ctx, webhook.Client, oldPool.GetNamespace(), oldPoolRef)
+	if err != nil {
+		return apierrors.NewInternalError(err)
+	}
+
+	inUseBuilder := &netipx.IPSetBuilder{}
+	for _, address := range inUseAddresses {
+		ip, err := netip.ParseAddr(address.Spec.Address)
+		if err != nil {
+			// if an address we fetch for the pool is unparsable then it isn't in the pool ranges
+			continue
+		}
+		inUseBuilder.Add(ip)
+	}
+
+	newPoolIPSet, err := poolutil.AddressesToIPSet(newPool.PoolSpec().Addresses)
+	if err != nil {
+		// these addresses are already validated, this shouldn't happen
+		return apierrors.NewInternalError(err)
+	}
+
+	inUseBuilder.RemoveSet(newPoolIPSet)
+	outOfRangeIPSet, err := inUseBuilder.IPSet()
+	if err != nil {
+		return apierrors.NewInternalError(err)
+	}
+
+	if outOfRange := outOfRangeIPSet.Ranges(); len(outOfRange) > 0 {
+		return apierrors.NewBadRequest(fmt.Sprintf("pool addresses does not contain allocated addresses: %v", outOfRange))
+	}
+
+	return nil
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.

internal/webhooks/inclusterippool_test.go

@@ -61,6 +61,7 @@ func TestPoolDeletionWithExistingIPAddresses(t *testing.T) {
 					Kind:     namespacedPool.GetObjectKind().GroupVersionKind().Kind,
 					Name:     namespacedPool.GetName(),
 				},
+				Address: "10.0.0.10",
 			},
 		},
 		&ipamv1.IPAddress{
@@ -77,6 +78,7 @@ func TestPoolDeletionWithExistingIPAddresses(t *testing.T) {
 					Kind:     globalPool.GetObjectKind().GroupVersionKind().Kind,
 					Name:     globalPool.GetName(),
 				},
+				Address: "10.0.0.10",
 			},
 		},
 	}
@@ -98,6 +100,91 @@ func TestPoolDeletionWithExistingIPAddresses(t *testing.T) {
 
 	g.Expect(webhook.ValidateDelete(ctx, namespacedPool)).To(Succeed(), "should allow deletion when no claims exist")
 	g.Expect(webhook.ValidateDelete(ctx, globalPool)).To(Succeed(), "should allow deletion when no claims exist")
+
+}
+
+func TestUpdatingPoolInUseAddresses(t *testing.T) {
+	g := NewWithT(t)
+
+	scheme := runtime.NewScheme()
+	g.Expect(ipamv1.AddToScheme(scheme)).To(Succeed())
+
+	namespacedPool := &v1alpha1.InClusterIPPool{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-pool",
+		},
+		Spec: v1alpha1.InClusterIPPoolSpec{
+			Addresses: []string{"10.0.0.10-10.0.0.20"},
+			Prefix:    24,
+			Gateway:   "10.0.0.1",
+		},
+	}
+
+	globalPool := &v1alpha1.InClusterIPPool{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-pool",
+		},
+		Spec: v1alpha1.InClusterIPPoolSpec{
+			Addresses: []string{"10.0.0.10-10.0.0.20"},
+			Prefix:    24,
+			Gateway:   "10.0.0.1",
+		},
+	}
+
+	ips := []client.Object{
+		&ipamv1.IPAddress{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "IPAddress",
+				APIVersion: "ipam.cluster.x-k8s.io/v1alpha1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "my-ip",
+			},
+			Spec: ipamv1.IPAddressSpec{
+				PoolRef: corev1.TypedLocalObjectReference{
+					APIGroup: pointer.String(namespacedPool.GetObjectKind().GroupVersionKind().Group),
+					Kind:     namespacedPool.GetObjectKind().GroupVersionKind().Kind,
+					Name:     namespacedPool.GetName(),
+				},
+				Address: "10.0.0.10",
+			},
+		},
+		&ipamv1.IPAddress{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "IPAddress",
+				APIVersion: "ipam.cluster.x-k8s.io/v1alpha1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "my-ip-2",
+			},
+			Spec: ipamv1.IPAddressSpec{
+				PoolRef: corev1.TypedLocalObjectReference{
+					APIGroup: pointer.String(globalPool.GetObjectKind().GroupVersionKind().Group),
+					Kind:     globalPool.GetObjectKind().GroupVersionKind().Kind,
+					Name:     globalPool.GetName(),
+				},
+				Address: "10.0.0.10",
+			},
+		},
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(ips...).
+		WithIndex(&ipamv1.IPAddress{}, index.IPAddressPoolRefCombinedField, index.IPAddressByCombinedPoolRef).
+		Build()
+
+	webhook := InClusterIPPool{
+		Client: fakeClient,
+	}
+
+	oldNamespacedPool := namespacedPool.DeepCopyObject()
+	oldGlobalPool := globalPool.DeepCopyObject()
+	namespacedPool.Spec.Addresses = []string{"10.0.0.15-10.0.0.20"}
+	globalPool.Spec.Addresses = []string{"10.0.0.15-10.0.0.20"}
+
+	g.Expect(webhook.ValidateUpdate(ctx, oldNamespacedPool, namespacedPool)).NotTo(Succeed(), "should not allow removing in use IPs from addresses field in pool")
+	g.Expect(webhook.ValidateUpdate(ctx, oldGlobalPool, globalPool)).NotTo(Succeed(), "should not allow removing in use IPs from addresses field in pool")
 }
 
 func TestInClusterIPPoolDefaulting(t *testing.T) {