Allow creation or more that one IPv6 shoot in one VPC (gardener#1403)

axel7born · hebelsan · web-flow · commit 7a6aaa166725 · 2025-08-07T16:47:13.000+03:00
* If subnet creation fails due to a conflicting IPv6

range, try the next /64 range.

* Address review comments.

* Add ensureSubnetIPv6
* Add comment

* Update pkg/controller/infrastructure/infraflow/reconcile.go

Co-authored-by: Alexander Hebel &lt;alexander.hebel@sap.com&gt;

---------

Co-authored-by: Alexander Hebel &lt;alexander.hebel@sap.com&gt;
diff --git a/pkg/controller/infrastructure/infraflow/reconcile.go b/pkg/controller/infrastructure/infraflow/reconcile.go
@@ -866,6 +866,11 @@ func (c *FlowContext) addSubnetReconcileTasks(g *flow.Graph, desired, current *a
 		return nil, err
 	}
 	suffix := fmt.Sprintf("%s-%s", zoneName, subnetKey)
+	if ptr.Deref(desired.AssignIpv6AddressOnCreation, true) {
+		return c.AddTask(g, "ensure IPv6 subnet "+suffix,
+			c.ensureSubnetIPv6(subnetKey, desired, current),
+			Timeout(defaultTimeout)), nil
+	}
 	return c.AddTask(g, "ensure subnet "+suffix,
 		c.ensureSubnet(subnetKey, desired, current),
 		Timeout(defaultTimeout)), nil
@@ -976,6 +981,55 @@ func (c *FlowContext) ensureSubnet(subnetKey string, desired, current *awsclient
 	}
 }
 
+func (c *FlowContext) ensureSubnetIPv6(subnetKey string, desired, current *awsclient.Subnet) flow.TaskFn {
+	zoneChild := c.getSubnetZoneChildByItem(desired)
+	if current == nil {
+		return func(ctx context.Context) error {
+			log := LogFromContext(ctx)
+			log.Info("creating...")
+			var lastErr error
+			for attempts := 0; attempts < 256; attempts++ {
+				created, err := c.client.CreateSubnet(ctx, desired, defaultTimeout)
+				if err == nil {
+					zoneChild.Set(subnetKey, created.SubnetId)
+					return nil
+				}
+				// Check for InvalidSubnet.Conflict error
+				apiErrCode := awsclient.GetAWSAPIErrorCode(err)
+				if apiErrCode == "InvalidSubnet.Conflict" {
+					log.Info("CIDR conflict, trying next CIDR block")
+					newCIDRs, nextErr := calcNextIPv6CidrBlock(desired.Ipv6CidrBlocks[0])
+					if nextErr != nil {
+						return nextErr
+					}
+					desired.Ipv6CidrBlocks = []string{newCIDRs}
+					lastErr = err
+					continue
+				}
+				// Any other error, return immediately
+				return err
+			}
+			// If we exhausted all attempts, return the last error
+			if lastErr != nil {
+				return lastErr
+			}
+			return fmt.Errorf("failed to create subnet after multiple attempts")
+		}
+	}
+	return func(ctx context.Context) error {
+		zoneChild.Set(subnetKey, current.SubnetId)
+		modified, err := c.updater.UpdateSubnet(ctx, desired, current)
+		if err != nil {
+			return err
+		}
+		if modified {
+			log := LogFromContext(ctx)
+			log.Info("updated")
+		}
+		return nil
+	}
+}
+
 func (c *FlowContext) ensureSubnetCidrReservation(ctx context.Context) error {
 	if !isIPv6(c.getIpFamilies()) {
 		return nil
@@ -1964,3 +2018,30 @@ func cidrSubnet(baseCIDR string, newPrefixLength int, index int) (string, error)
 	subnetIP := net.IP(big.NewInt(0).Add(big.NewInt(0).SetBytes(baseIP), offset).Bytes())
 	return fmt.Sprintf("%s/%d", subnetIP.String(), newPrefixLength), nil
 }
+
+// calcNextIPv6CidrBlock returns the next IPv6 /64 subnet CIDR block within the same /56 VPC range.
+// It increments the 8th byte of the IP address (index 7) to generate the next subnet.
+// This is used to avoid subnet conflicts when creating IPv6 subnets.
+// Returns an error if the maximum index (255) is reached or the input CIDR is invalid.
+func calcNextIPv6CidrBlock(currentSubnetCIDR string) (string, error) {
+	ip, _, err := net.ParseCIDR(currentSubnetCIDR)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse CIDR: %v", err)
+	}
+
+	currentIndex := int(ip[7])
+
+	if currentIndex >= 255 {
+		return "", fmt.Errorf("already at maximum index (255) within /56 range")
+	}
+
+	nextIndex := currentIndex + 1
+
+	nextIP := make(net.IP, 16)
+	copy(nextIP, ip)
+	nextIP[7] = byte(nextIndex)
+
+	nextCIDR := fmt.Sprintf("%s/64", nextIP.String())
+
+	return nextCIDR, nil
+}
