gardener · kon-angelo · Oct 15, 2024 · Sep 12, 2024 · Sep 24, 2024 · Oct 10, 2024
@@ -148,7 +148,7 @@ func ValidateInfrastructureConfig(infra *apisaws.InfrastructureConfig, ipFamilie
 
 	if (infra.Networks.VPC.ID == nil && infra.Networks.VPC.CIDR == nil) || (infra.Networks.VPC.ID != nil && infra.Networks.VPC.CIDR != nil) {
 		allErrs = append(allErrs, field.Invalid(networksPath.Child("vpc"), infra.Networks.VPC, "must specify either a vpc id or a cidr"))
-	} else if infra.Networks.VPC.CIDR != nil && infra.Networks.VPC.ID == nil {
+	} else if infra.Networks.VPC.CIDR != nil && infra.Networks.VPC.ID == nil && !slices.Contains(ipFamilies, core.IPFamilyIPv6) {
 		cidrPath := networksPath.Child("vpc", "cidr")
 		vpcCIDR := cidrvalidation.NewCIDR(*infra.Networks.VPC.CIDR, cidrPath)
 		allErrs = append(allErrs, cidrvalidation.ValidateCIDRIsCanonical(cidrPath, *infra.Networks.VPC.CIDR)...)

@@ -1508,6 +1508,38 @@ func (c *Client) CreateSubnet(ctx context.Context, subnet *Subnet) (*Subnet, err
 	return fromSubnet(output.Subnet), nil
 }
 
+// CreateCIDRReservation creates a EC2 subnet cidr reservation resource.
+func (c *Client) CreateCIDRReservation(ctx context.Context, subnet *Subnet, cidr string, reservationType string) (string, error) {
+	input := &ec2.CreateSubnetCidrReservationInput{
+		SubnetId:        &subnet.SubnetId,
+		Cidr:            aws.String(cidr),
+		ReservationType: aws.String(reservationType),
+	}
+
+	output, err := c.EC2.CreateSubnetCidrReservationWithContext(ctx, input)
+	if err != nil {
+		return "", err
+	}
+	return *output.SubnetCidrReservation.Cidr, nil
+}
+
+// CreateCIDRReservation gets EC2 subnet cidr reservations.
+func (c *Client) GetIPv6CIDRReservations(ctx context.Context, subnet *Subnet) ([]string, error) {
+	input := &ec2.GetSubnetCidrReservationsInput{
+		SubnetId: &subnet.SubnetId,
+	}
+
+	output, err := c.EC2.GetSubnetCidrReservationsWithContext(ctx, input)
+	if err != nil {
+		return nil, err
+	}
+	var cidrs []string
+	for _, cidrReservation := range output.SubnetIpv6CidrReservations {
+		cidrs = append(cidrs, *cidrReservation.Cidr)
+	}
+	return cidrs, nil
+}
+
 // GetSubnets gets subnets for the given identifiers.
 // Non-existing identifiers are ignored silently.
 func (c *Client) GetSubnets(ctx context.Context, ids []string) ([]*Subnet, error) {

@@ -120,6 +120,10 @@ type Interface interface {
 	UpdateSubnetAttributes(ctx context.Context, desired, current *Subnet) (modified bool, err error)
 	DeleteSubnet(ctx context.Context, id string) error
 
+	// Subnet CIDR Reservation
+	CreateCIDRReservation(ctx context.Context, subnet *Subnet, cidr string, reservationType string) (string, error)
+	GetIPv6CIDRReservations(ctx context.Context, subnet *Subnet) ([]string, error)
+
 	// Route table associations
 	CreateRouteTableAssociation(ctx context.Context, routeTableId, subnetId string) (associationId *string, err error)
 	DeleteRouteTableAssociation(ctx context.Context, associationId string) error

@@ -207,7 +207,7 @@ func (f *FlowReconciler) migrateFromTerraform(ctx context.Context, infra *extens
 		return nil, err
 	}
 
-	if err := infraflow.PatchProviderStatusAndState(ctx, f.client, infra, infrastructureStatus, &runtime.RawExtension{Object: state}, nil); err != nil {
+	if err := infraflow.PatchProviderStatusAndState(ctx, f.client, infra, infrastructureStatus, &runtime.RawExtension{Object: state}, nil, nil, nil); err != nil {
 		return nil, fmt.Errorf("updating status state failed: %w", err)
 	}
 

@@ -77,6 +77,8 @@ const (
 	IdentifierVpcIPv6CidrBlock = "VPCIPv6CidrBlock"
 	// IdentifierEgressCIDRs is the key for the slice containing egress CIDRs strings.
 	IdentifierEgressCIDRs = "EgressCIDRs"
+	// IdentifierServiceCIDR is the key for the subnet cidr reservation for the service range.
+	IdentifierServiceCIDR = "ServiceCIDR"
 	// NameIAMRole is the key for the name of the IAM role
 	NameIAMRole = "IAMRoleName"
 	// NameIAMInstanceProfile is the key for the name of the IAM instance profile
@@ -170,7 +172,7 @@ func NewFlowContext(opts Opts) (*FlowContext, error) {
 }
 
 func (c *FlowContext) persistState(ctx context.Context) error {
-	return PatchProviderStatusAndState(ctx, c.runtimeClient, c.infra, nil, c.computeInfrastructureState(), c.getEgressCIDRs())
+	return PatchProviderStatusAndState(ctx, c.runtimeClient, c.infra, nil, c.computeInfrastructureState(), c.getEgressCIDRs(), c.state.Get(IdentifierVpcIPv6CidrBlock), c.state.Get(IdentifierServiceCIDR))
 }
 
 func PatchProviderStatusAndState(
@@ -180,13 +182,23 @@ func PatchProviderStatusAndState(
 	status *awsv1alpha1.InfrastructureStatus,
 	state *runtime.RawExtension,
 	egressCIDRs []string,
+	vpcIPv6CidrBlock *string,
+	serviceCIDR *string,
 ) error {
 	patch := client.MergeFrom(infra.DeepCopy())
 	if status != nil {
 		infra.Status.ProviderStatus = &runtime.RawExtension{Object: status}
 		if egressCIDRs != nil {
 			infra.Status.EgressCIDRs = egressCIDRs
 		}
+		if vpcIPv6CidrBlock != nil && serviceCIDR != nil {
+			infra.Status.Networking = &extensionsv1alpha1.InfrastructureStatusNetworking{
+				Nodes:    []string{*vpcIPv6CidrBlock},
+				Pods:     []string{*vpcIPv6CidrBlock},
+				Services: []string{*serviceCIDR},
+			}
+			infra.Status.EgressCIDRs = append(infra.Status.EgressCIDRs, *vpcIPv6CidrBlock)
+		}
 	}
 
 	if state != nil {

@@ -13,6 +13,7 @@ import (
 	"math/big"
 	"net"
 	"reflect"
+	"slices"
 	"strings"
 	"text/template"
 	"time"
@@ -47,7 +48,9 @@ func (c *FlowContext) Reconcile(ctx context.Context) error {
 	status := c.computeInfrastructureStatus()
 	state := c.computeInfrastructureState()
 	egressCIDRs := c.getEgressCIDRs()
-	return PatchProviderStatusAndState(ctx, c.runtimeClient, c.infra, status, state, egressCIDRs)
+	vpcIPv6CidrBlock := c.state.Get(IdentifierVpcIPv6CidrBlock)
+	serviceCidr := c.state.Get(IdentifierServiceCIDR)
+	return PatchProviderStatusAndState(ctx, c.runtimeClient, c.infra, status, state, egressCIDRs, vpcIPv6CidrBlock, serviceCidr)
 }
 
 func (c *FlowContext) buildReconcileGraph() *flow.Graph {
@@ -94,6 +97,10 @@ func (c *FlowContext) buildReconcileGraph() *flow.Graph {
 		c.ensureZones,
 		Timeout(defaultLongTimeout), Dependencies(ensureVpc, ensureNodesSecurityGroup, ensureVpcIPv6CidrBloc, ensureMainRouteTable))
 
+	_ = c.AddTask(g, "ensure subnet cidr reservation",
+		c.ensureSubnetCidrReservation,
+		Timeout(defaultLongTimeout), Dependencies(ensureZones))
+
 	_ = c.AddTask(g, "ensure egress CIDRs",
 		c.ensureEgressCIDRs,
 		Timeout(defaultLongTimeout), Dependencies(ensureZones))
@@ -835,6 +842,7 @@ func (c *FlowContext) addZoneReconcileTasks(g *flow.Graph, zone *aws.Zone, depen
 	_ = c.AddTask(g, "ensure VPC endpoints route table associations "+zone.Name,
 		c.ensureVPCEndpointsRoutingTableAssociations(zone.Name),
 		Timeout(defaultTimeout), Dependencies(dependencies...), Dependencies(ensureRoutingTable))
+
 }
 
 func (c *FlowContext) addZoneDeletionTasks(g *flow.Graph, zoneName string) flow.TaskIDer {
@@ -916,6 +924,65 @@ func (c *FlowContext) ensureSubnet(subnetKey string, desired, current *awsclient
 	}
 }
 
+func (c *FlowContext) ensureSubnetCidrReservation(ctx context.Context) error {
+	if !isIPv6(c.ipFamilies) {
+		return nil
+	}
+
+	subnets, err := c.collectExistingSubnets(ctx)
+	if err != nil {
+		return err
+	}
+
+	for _, subnet := range subnets {
+		_, key, err := c.getSubnetKey(subnet)
+		if err != nil {
+			return err
+		}
+
+		if key == IdentifierZoneSubnetWorkers {
+			cidr, err := cidrSubnet(subnet.Ipv6CidrBlocks[0], 108, 1)
+			if err != nil {
+				return err
+			}
+
+			currentCidrs, err := c.client.GetIPv6CIDRReservations(ctx, subnet)
+			if err != nil {
+				return err
+			}
+
+			if slices.Contains(currentCidrs, cidr) {
+				c.state.Set(IdentifierServiceCIDR, cidr)
+				return nil
+			}
+		}
+	}
+
+	// we didn't find a CIDR reservation on a subnet
+	// create a new one at the first nodes subnet we find
+	for _, subnet := range subnets {
+		_, key, err := c.getSubnetKey(subnet)
+		if err != nil {
+			return err
+		}
+
+		if key == IdentifierZoneSubnetWorkers {
+			cidr, err := cidrSubnet(subnet.Ipv6CidrBlocks[0], 108, 1)
+			if err != nil {
+				return err
+			}
+
+			cidr, err = c.client.CreateCIDRReservation(ctx, subnet, cidr, "explicit")
+			if err != nil {
+				return err
+			}
+			c.state.Set(IdentifierServiceCIDR, cidr)
+			return nil
+		}
+	}
+	return nil
+}
+
 func (c *FlowContext) ensureElasticIP(zone *aws.Zone) flow.TaskFn {
 	return func(ctx context.Context) error {
 		if zone.ElasticIPAllocationID != nil {

@@ -389,6 +389,14 @@ resource "aws_vpc_endpoint_route_table_association" "vpc_gwep_{{ $ep }}_z{{ $ind
 
 {{end}}
 
+{{- if .isIPv6 }}
+resource "aws_ec2_subnet_cidr_reservation" "service-range" {
+  cidr_block       = "${cidrsubnet(cidrsubnet({{ .vpc.ipv6CidrBlock }}, 8, 0),44,1)}"
+  reservation_type = "explicit"
+  subnet_id        = aws_subnet.nodes_z0.id
+}
+{{end}}
+
 //=====================================================================
 //= IAM instance profiles
 //=====================================================================

@@ -135,14 +135,50 @@ func (t *TerraformReconciler) reconcile(ctx context.Context, infra *extensionsv1
 		return err
 	}
 
-	return infraflow.PatchProviderStatusAndState(ctx, t.client, infra, status, &runtime.RawExtension{Raw: stateBytes}, egressCIDRs)
+	if slices.Contains(ipfamilies, v1beta1.IPFamilyIPv6) {
+		vpcIPv6CIDR, err := t.computeVPCIPv6CIDR(ctx, infra)
+		if err != nil {
+			return err
+		}
+		ipV6ServiceCIDR, err := t.computeIPv6ServiceCIDR(ctx, infra)
+		if err != nil {
+			return err
+		}
+		return infraflow.PatchProviderStatusAndState(ctx, t.client, infra, status, &runtime.RawExtension{Raw: stateBytes}, egressCIDRs, &vpcIPv6CIDR, &ipV6ServiceCIDR)
+	}
+	return infraflow.PatchProviderStatusAndState(ctx, t.client, infra, status, &runtime.RawExtension{Raw: stateBytes}, egressCIDRs, nil, nil)
 }
 
 // Delete deletes the infrastructure using Terraformer.
 func (t *TerraformReconciler) Delete(ctx context.Context, infra *extensionsv1alpha1.Infrastructure, c *extensions.Cluster) error {
 	return util.DetermineError(t.delete(ctx, infra, c), helper.KnownCodes)
 }
 
+func (t *TerraformReconciler) getVPCID(ctx context.Context, infra *extensionsv1alpha1.Infrastructure) (string, error) {
+	infrastructureConfig, err := helper.InfrastructureConfigFromInfrastructure(infra)
+	var vpcID string
+	if err != nil {
+		return "", err
+	}
+
+	tf, err := newTerraformer(t.log, t.restConfig, aws.TerraformerPurposeInfra, infra, t.disableProjectedTokenMount)
+	if err != nil {
+		return "", util.DetermineError(fmt.Errorf("could not create the Terraformer: %+v", err), helper.KnownCodes)
+	}
+
+	if infrastructureConfig != nil && infrastructureConfig.Networks.VPC.ID != nil {
+		vpcID = *infrastructureConfig.Networks.VPC.ID
+	} else {
+		stateVariables, err := tf.GetStateOutputVariables(ctx, aws.VPCIDKey)
+		if err == nil {
+			vpcID = stateVariables[aws.VPCIDKey]
+		} else if !apierrors.IsNotFound(err) && !terraformer.IsVariablesNotFoundError(err) {
+			return "", err
+		}
+	}
+	return vpcID, nil
+}
+
 func (t *TerraformReconciler) delete(ctx context.Context, infra *extensionsv1alpha1.Infrastructure, _ *extensions.Cluster) error {
 	infrastructureConfig, err := helper.InfrastructureConfigFromInfrastructure(infra)
 	if err != nil {
@@ -326,6 +362,49 @@ func (t *TerraformReconciler) computeEgressCIDRs(ctx context.Context, infra *ext
 	return egressIPs, nil
 }
 
+func (t *TerraformReconciler) computeVPCIPv6CIDR(ctx context.Context, infra *extensionsv1alpha1.Infrastructure) (string, error) {
+	awsClient, err := aws.NewClientFromSecretRef(ctx, t.client, infra.Spec.SecretRef, infra.Spec.Region)
+	if err != nil {
+		return "", fmt.Errorf("failed to create new AWS client: %w", err)
+	}
+	vpcID, err := t.getVPCID(ctx, infra)
+	if err != nil {
+		return "", err
+	}
+	return awsClient.GetIPv6Cidr(ctx, vpcID)
+}
+
+func (t *TerraformReconciler) computeIPv6ServiceCIDR(ctx context.Context, infra *extensionsv1alpha1.Infrastructure) (string, error) {
+
+	awsClient, err := aws.NewClientFromSecretRef(ctx, t.client, infra.Spec.SecretRef, infra.Spec.Region)
+	if err != nil {
+		return "", fmt.Errorf("failed to create new AWS client: %w", err)
+	}
+	vpcID, err := t.getVPCID(ctx, infra)
+	if err != nil {
+		return "", err
+	}
+	subnets, err := awsClient.FindSubnets(ctx, awsclient.WithFilters().WithVpcId(vpcID).WithTags(map[string]string{
+		fmt.Sprintf(infraflow.TagKeyClusterTemplate, infra.Namespace): infraflow.TagValueCluster,
+	}).Build())
+	if err != nil {
+		return "", err
+	}
+
+	var cidrs []string
+	for _, subnet := range subnets {
+		subnetCIDRS, err := awsClient.GetIPv6CIDRReservations(ctx, subnet)
+		if err != nil {
+			return "", err
+		}
+		cidrs = append(cidrs, subnetCIDRS...)
+	}
+	if len(cidrs) != 1 {
+		return "", fmt.Errorf("unexpected number of CIDR reservations")
+	}
+	return cidrs[0], nil
+}
+
 func generateTerraformInfraConfig(ctx context.Context, infrastructure *extensionsv1alpha1.Infrastructure, infrastructureConfig *api.InfrastructureConfig, awsClient awsclient.Interface, ipFamilies []v1beta1.IPFamily) (map[string]interface{}, error) {
 	var (
 		dhcpDomainName              = "ec2.internal"
@@ -374,7 +453,7 @@ func generateTerraformInfraConfig(ctx context.Context, infrastructure *extension
 			existingEgressOnlyInternetGatewayID := eogw.EgressOnlyInternetGatewayId
 			egressOnlyInternetGatewayID = strconv.Quote(existingEgressOnlyInternetGatewayID)
 		}
-		// if dual stack is enabled or ipFamily is IPv6, then we wait for until the target VPC has a ipv6 CIDR assigned.
+		// if dual stack is enabled or ipFamily is IPv6, then we wait until the target VPC has a ipv6 CIDR assigned.
 		if enableDualStack || isIPv6 {
 			existingIPv6CidrBlock, err := awsClient.WaitForIPv6Cidr(ctx, existingVpcID)
 			if err != nil {