fix: don't publish external IPs as affiliate addresses

Fixes #5937

This removes external IPs from the set of addresses published by the node
(we now source addresses from 'routed', which excludes external IPs). This is
definitely the "right" thing to do, as those addresses are not on the node
itself and can't be routed to the node.

On the other hand, it also removes them from `talosctl get members`, but we
don't have to split this up right now.

For the KubeSpan endpoints, we still use 'all' addresses, as external
IPs are perfect as KubeSpan endpoints (Wireguard endpoints).

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Andrey Smirnov 2022-11-18 23:18:58 +04:00
parent 54d9032ce2
commit c54bea1283
No known key found for this signature in database
GPG Key ID: 7B26396447AB6DFD
2 changed files with 30 additions and 17 deletions


@ -149,7 +149,17 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
continue
}
addresses, err := r.Get(ctx,
routedAddresses, err := r.Get(ctx,
resource.NewMetadata(network.NamespaceName, network.NodeAddressType, network.FilteredNodeAddressID(network.NodeAddressRoutedID, k8s.NodeAddressFilterNoK8s), resource.VersionUndefined))
if err != nil {
if !state.IsNotFoundError(err) {
return fmt.Errorf("error getting addresses: %w", err)
}
continue
}
currentAddresses, err := r.Get(ctx,
resource.NewMetadata(network.NamespaceName, network.NodeAddressType, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterNoK8s), resource.VersionUndefined))
if err != nil {
if !state.IsNotFoundError(err) {
@ -204,17 +214,10 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
spec.MachineType = machineType.(*config.MachineType).MachineType()
spec.OperatingSystem = fmt.Sprintf("%s (%s)", version.Name, version.Tag)
nodeIPs := addresses.(*network.NodeAddress).TypedSpec().IPs()
spec.Addresses = make([]netip.Addr, 0, len(nodeIPs))
routedNodeIPs := routedAddresses.(*network.NodeAddress).TypedSpec().IPs()
currentNodeIPs := currentAddresses.(*network.NodeAddress).TypedSpec().IPs()
for _, ip := range nodeIPs {
if network.IsULA(ip, network.ULASideroLink) {
// ignore SideroLink addresses, as they are point-to-point addresses
continue
}
spec.Addresses = append(spec.Addresses, ip)
}
spec.Addresses = routedNodeIPs
spec.KubeSpan = cluster.KubeSpanAffiliateSpec{}
@ -228,7 +231,7 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
spec.KubeSpan.AdditionalAddresses = nil
}
endpointIPs := slices.Filter(nodeIPs, func(ip netip.Addr) bool {
endpointIPs := slices.Filter(currentNodeIPs, func(ip netip.Addr) bool {
if ip == spec.KubeSpan.Address {
// skip kubespan local address
return false
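Review bot: `spec.Addresses = routedNodeIPs` in the second hunk drops the explicit `network.IsULA(ip, network.ULASideroLink)` filter, so keeping SideroLink point-to-point addresses out of the published affiliate now depends entirely on whatever builds the 'routed' address set, and nothing at the assignment says so. A comment there would record the invariant, for example `// routed addresses are expected to exclude SideroLink and external IPs, so no filtering is done here`. If a local guarantee is still wanted, it fits in one line with the helper already used for the endpoints: `spec.Addresses = slices.Filter(routedNodeIPs, func(ip netip.Addr) bool { return !network.IsULA(ip, network.ULASideroLink) })`. Separately, the new lookup in the first hunk returns `error getting addresses`, and the current-address lookup after it (cut off by the hunk) presumably uses the same text, so `error getting routed addresses: %w` on the new branch would tell the two failures apart. Run's body starts and ends outside these hunks.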


@ -52,8 +52,8 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
nodename.TypedSpec().Nodename = "example1.com"
suite.Require().NoError(suite.state.Create(suite.ctx, nodename))
nonK8sAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterNoK8s))
nonK8sAddresses.TypedSpec().Addresses = []netip.Prefix{
nonK8sCurrentAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterNoK8s))
nonK8sCurrentAddresses.TypedSpec().Addresses = []netip.Prefix{
netip.MustParsePrefix("172.20.0.2/24"),
netip.MustParsePrefix("10.5.0.1/32"),
netip.MustParsePrefix("192.168.192.168/24"),
@ -61,7 +61,17 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
netip.MustParsePrefix("2001:123:4567::1/128"),
netip.MustParsePrefix("fdae:41e4:649b:9303:60be:7e36:c270:3238/128"), // SideroLink, should be ignored
}
suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sAddresses))
suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sCurrentAddresses))
nonK8sRoutedAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressRoutedID, k8s.NodeAddressFilterNoK8s))
nonK8sRoutedAddresses.TypedSpec().Addresses = []netip.Prefix{ // routed node addresses don't contain SideroLink addresses
netip.MustParsePrefix("172.20.0.2/24"),
netip.MustParsePrefix("10.5.0.1/32"),
netip.MustParsePrefix("192.168.192.168/24"),
netip.MustParsePrefix("2001:123:4567::1/64"),
netip.MustParsePrefix("2001:123:4567::1/128"),
}
suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sRoutedAddresses))
machineType := config.NewMachineType()
machineType.SetMachineType(machine.TypeWorker)
@ -102,8 +112,8 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
suite.Require().NoError(suite.state.Create(suite.ctx, ksConfig))
// add KS address to the list of node addresses, it should be ignored in the endpoints
nonK8sAddresses.TypedSpec().Addresses = append(nonK8sAddresses.TypedSpec().Addresses, ksIdentity.TypedSpec().Address)
suite.Require().NoError(suite.state.Update(suite.ctx, nonK8sAddresses))
nonK8sRoutedAddresses.TypedSpec().Addresses = append(nonK8sRoutedAddresses.TypedSpec().Addresses, ksIdentity.TypedSpec().Address)
suite.Require().NoError(suite.state.Update(suite.ctx, nonK8sRoutedAddresses))
onlyK8sAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterOnlyK8s))
onlyK8sAddresses.TypedSpec().Addresses = []netip.Prefix{netip.MustParsePrefix("10.244.1.0/24")}
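Review bot: The KubeSpan address is now appended to `nonK8sRoutedAddresses` in the last hunk, but the controller builds KubeSpan endpoints from the current address set, so the case named in the comment above it ("it should be ignored in the endpoints") is no longer exercised: the address never reaches the endpoint filter. Adding it to the current fixture as well would keep that check meaningful: `nonK8sCurrentAddresses.TypedSpec().Addresses = append(nonK8sCurrentAddresses.TypedSpec().Addresses, ksIdentity.TypedSpec().Address)` followed by `suite.Require().NoError(suite.state.Update(suite.ctx, nonK8sCurrentAddresses))`. Similarly, the routed fixture simply omits the SideroLink address, so the test would not notice if such an address ever appeared in the routed set and was published. TestGeneration's assertions are outside the hunks, so what they check is not visible here.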