fix: don't publish external IPs as affiliate addresses

Fixes #5937 This removes external IPs from a set of addresses published by the node (we source addresses from 'routed' now which excludes external). This is definitely "right" thing to do, as those addresses are not on the node itself and can't be routed to the node. On other hand it also removes them from `talosctl get members`, but we don't have to split this up right now. For the KubeSpan endpoints, we still use 'all' addresses, as external IPs are perfect as KubeSpan endpoints (Wireguard endpoints). Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2022-11-18 23:18:58 +04:00 · 2022-11-18 23:18:58 +04:00 · c54bea1283
commit c54bea1283
parent 54d9032ce2
2 changed files with 30 additions and 17 deletions
--- a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
+++ b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go
@ -149,7 +149,17 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 				continue
 			}

-			addresses, err := r.Get(ctx,
+			routedAddresses, err := r.Get(ctx,
+				resource.NewMetadata(network.NamespaceName, network.NodeAddressType, network.FilteredNodeAddressID(network.NodeAddressRoutedID, k8s.NodeAddressFilterNoK8s), resource.VersionUndefined))
+			if err != nil {
+				if !state.IsNotFoundError(err) {
+					return fmt.Errorf("error getting addresses: %w", err)
+				}
+
+				continue
+			}
+
+			currentAddresses, err := r.Get(ctx,
 				resource.NewMetadata(network.NamespaceName, network.NodeAddressType, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterNoK8s), resource.VersionUndefined))
 			if err != nil {
 				if !state.IsNotFoundError(err) {
@ -204,17 +214,10 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 					spec.MachineType = machineType.(*config.MachineType).MachineType()
 					spec.OperatingSystem = fmt.Sprintf("%s (%s)", version.Name, version.Tag)

-					nodeIPs := addresses.(*network.NodeAddress).TypedSpec().IPs()
-					spec.Addresses = make([]netip.Addr, 0, len(nodeIPs))
+					routedNodeIPs := routedAddresses.(*network.NodeAddress).TypedSpec().IPs()
+					currentNodeIPs := currentAddresses.(*network.NodeAddress).TypedSpec().IPs()

-					for _, ip := range nodeIPs {
-						if network.IsULA(ip, network.ULASideroLink) {
-							// ignore SideroLink addresses, as they are point-to-point addresses
-							continue
-						}
-
-						spec.Addresses = append(spec.Addresses, ip)
-					}
+					spec.Addresses = routedNodeIPs

 					spec.KubeSpan = cluster.KubeSpanAffiliateSpec{}

@ -228,7 +231,7 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 							spec.KubeSpan.AdditionalAddresses = nil
 						}

-						endpointIPs := slices.Filter(nodeIPs, func(ip netip.Addr) bool {
+						endpointIPs := slices.Filter(currentNodeIPs, func(ip netip.Addr) bool {
 							if ip == spec.KubeSpan.Address {
 								// skip kubespan local address
 								return false
--- a/internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go
+++ b/internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go
@ -52,8 +52,8 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 	nodename.TypedSpec().Nodename = "example1.com"
 	suite.Require().NoError(suite.state.Create(suite.ctx, nodename))

-	nonK8sAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterNoK8s))
-	nonK8sAddresses.TypedSpec().Addresses = []netip.Prefix{
+	nonK8sCurrentAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterNoK8s))
+	nonK8sCurrentAddresses.TypedSpec().Addresses = []netip.Prefix{
 		netip.MustParsePrefix("172.20.0.2/24"),
 		netip.MustParsePrefix("10.5.0.1/32"),
 		netip.MustParsePrefix("192.168.192.168/24"),
@ -61,7 +61,17 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 		netip.MustParsePrefix("2001:123:4567::1/128"),
 		netip.MustParsePrefix("fdae:41e4:649b:9303:60be:7e36:c270:3238/128"), // SideroLink, should be ignored
 	}
-	suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sAddresses))
+	suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sCurrentAddresses))
+
+	nonK8sRoutedAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressRoutedID, k8s.NodeAddressFilterNoK8s))
+	nonK8sRoutedAddresses.TypedSpec().Addresses = []netip.Prefix{ // routed node addresses don't contain SideroLink addresses
+		netip.MustParsePrefix("172.20.0.2/24"),
+		netip.MustParsePrefix("10.5.0.1/32"),
+		netip.MustParsePrefix("192.168.192.168/24"),
+		netip.MustParsePrefix("2001:123:4567::1/64"),
+		netip.MustParsePrefix("2001:123:4567::1/128"),
+	}
+	suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sRoutedAddresses))

 	machineType := config.NewMachineType()
 	machineType.SetMachineType(machine.TypeWorker)
@ -102,8 +112,8 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 	suite.Require().NoError(suite.state.Create(suite.ctx, ksConfig))

 	// add KS address to the list of node addresses, it should be ignored in the endpoints
-	nonK8sAddresses.TypedSpec().Addresses = append(nonK8sAddresses.TypedSpec().Addresses, ksIdentity.TypedSpec().Address)
-	suite.Require().NoError(suite.state.Update(suite.ctx, nonK8sAddresses))
+	nonK8sRoutedAddresses.TypedSpec().Addresses = append(nonK8sRoutedAddresses.TypedSpec().Addresses, ksIdentity.TypedSpec().Address)
+	suite.Require().NoError(suite.state.Update(suite.ctx, nonK8sRoutedAddresses))

 	onlyK8sAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterOnlyK8s))
 	onlyK8sAddresses.TypedSpec().Addresses = []netip.Prefix{netip.MustParsePrefix("10.244.1.0/24")}