feat: node ipam controller

[sergelogvinov]

Pull Request

What? (description)

This is alpha version of implementation. Closes #154

Tested on:

• [x] gcp (each node has IPv6/96 subnet)
• [x] nocloud
• [x] openstack (with ipv6 subnet on the instance, cannot work with OVH)

Why? (reasoning)

Talos machine config. We need to disable node-ipam-controller

cluster:
  controllerManager:
    extraArgs:
        controllers: "*,tokencleaner,-node-ipam-controller"
  network:
    podSubnets: ["10.32.0.0/12","fd00:10:32::/64"]
    serviceSubnets: ["10.200.0.0/22","fd40:10:200::/108"]

Talos CCM helm values:

enabledControllers:
  - cloud-node
  - node-ipam-controller

extraArgs:
  - --allocate-node-cidrs
  - --cidr-allocator-type=CloudAllocator
  - --node-cidr-mask-size-ipv4=24
  - --node-cidr-mask-size-ipv6=80

Cilium helm values

ipam:
  mode: "kubernetes"
k8s:
  requireIPv4PodCIDR: true
  requireIPv6PodCIDR: true

enableIPv6Masquerade: false
enableIPv4Masquerade: true

Two bare metal servers with ipv6/64 separated subnets. (2a01:x:x:3064::/64, 2a01:x:x:30ac::/64) All nodes run as VMs inside bare metal servers.

• kubectl get nodes -owide

  NAME               STATUS   ROLES           AGE   VERSION   INTERNAL-IP    EXTERNAL-IP                 OS-IMAGE         KERNEL-VERSION   CONTAINER-RUNTIME
  controlplane-01a   Ready    control-plane   23h   v1.30.2   172.16.0.142   2a01:x:x:3064:1::2d02   Talos (v1.7.4)   6.6.32-talos     containerd://1.7.16
  web-01a            Ready    web             23h   v1.30.2   172.16.0.129   2a01:x:x:3064:2::2c0c   Talos (v1.7.4)   6.6.32-talos     containerd://1.7.16
  web-01b            Ready    web             23h   v1.30.2   172.16.0.130   2a01:x:x:3064:2::2c0d   Talos (v1.7.4)   6.6.32-talos     containerd://1.7.16
  web-02a            Ready    web             23h   v1.30.2   172.16.0.145   2a01:x:x:30ac:3::2ff4   Talos (v1.7.4)   6.6.32-talos     containerd://1.7.16
  web-02b            Ready    web             23h   v1.30.2   172.16.0.146   2a01:x:x:30ac:3::2ff5   Talos (v1.7.4)   6.6.32-talos     containerd://1.7.16

PodCIDRs have ipv4 and ipv6 networks, IPv6 is global subnet

• kubectl get nodes -o jsonpath='{.items[*].spec.podCIDRs}'; echo

  ["10.32.0.0/24","2a01:x:x:3064::/80"] ["10.32.3.0/24","2a01:x:x:3064:1::/80"] ["10.32.5.0/24","2a01:x:x:3064:3::/80"] ["10.32.1.0/24","2a01:x:x:30ac::/80"] ["10.32.2.0/24","2a01:x:x:30ac:1::/80"]

Inside the pod

# ip addr show dev eth0
17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1400 qdisc noqueue state UP qlen 1000
    link/ether 3e:3e:38:e9:03:58 brd ff:ff:ff:ff:ff:ff
    inet 10.32.3.79/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a01:x:x:3064:1::f464/128 scope global flags 02 
       valid_lft forever preferred_lft forever
    inet6 fe80::3c3e:38ff:fee9:358/64 scope link 
       valid_lft forever preferred_lft forever

Acceptance

Please use the following checklist:

• [x] you linked an issue (if applicable)
• [ ] you included tests (if applicable)
• [x] you ran conformance (make conformance)
• [x] you linted your code (make lint)
• [x] you linted your code (make unit)

See make help for a description of the available targets.

[frezbo]

I would like Andrey also to take a look

[sergelogvinov]

Hi @smira, can you take a look, thanks.

[sergelogvinov]

this looks great to me, certainly big, and probably we'd need some kind of integration test sooner or later

Yep, indeed. But most of this code from kubernetes repo. The status of implementations is alpha. I will add the test only to my part of the changes.

[sergelogvinov]

/m