mesh: set src for encapsulated tunl routes

kvaps · kvaps · commit a9fedecbfbd4 · 2026-02-14T02:34:08.000+01:00
Signed-off-by: Andrei Kvapil &lt;kvapss@gmail.com&gt;
diff --git a/manifests/kilo-azure-route-sync-deployment.yaml b/manifests/kilo-azure-route-sync-deployment.yaml
@@ -0,0 +1,129 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kilo-azure-route-sync
+  namespace: cozy-cluster-autoscaler-azure
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kilo-azure-route-sync
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kilo-azure-route-sync
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kilo-azure-route-sync
+subjects:
+- kind: ServiceAccount
+  name: kilo-azure-route-sync
+  namespace: cozy-cluster-autoscaler-azure
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kilo-azure-route-sync
+  namespace: cozy-cluster-autoscaler-azure
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kilo-azure-route-sync
+  template:
+    metadata:
+      labels:
+        app: kilo-azure-route-sync
+    spec:
+      serviceAccountName: kilo-azure-route-sync
+      containers:
+      - name: sync
+        image: mcr.microsoft.com/azure-cli:2.67.0
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: AZURE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: cluster-autoscaler-azure-azure-cluster-autoscaler
+              key: ClientID
+        - name: AZURE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: cluster-autoscaler-azure-azure-cluster-autoscaler
+              key: ClientSecret
+        - name: AZURE_TENANT_ID
+          valueFrom:
+            secretKeyRef:
+              name: cluster-autoscaler-azure-azure-cluster-autoscaler
+              key: TenantID
+        - name: AZURE_SUBSCRIPTION_ID
+          valueFrom:
+            secretKeyRef:
+              name: cluster-autoscaler-azure-azure-cluster-autoscaler
+              key: SubscriptionID
+        - name: AZURE_RESOURCE_GROUP
+          valueFrom:
+            secretKeyRef:
+              name: cluster-autoscaler-azure-azure-cluster-autoscaler
+              key: ResourceGroup
+        - name: AZURE_ROUTE_TABLE
+          value: kilo-routes-workers-serverscom
+        - name: AZURE_VNET_NAME
+          value: cozystack-vnet
+        - name: AZURE_SUBNET_NAME
+          value: workers-serverscom
+        - name: AZURE_ROUTES
+          value: to-serverscom=192.168.102.0/23
+        command: ["/bin/sh","-ceu"]
+        args:
+        - |
+          az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --tenant "$AZURE_TENANT_ID" >/dev/null
+          az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+
+          az aks install-cli --install-location /usr/local/bin/kubectl >/dev/null
+
+          sync_route() {
+            route_name="$1"
+            route_prefix="$2"
+            leader_ip="$3"
+            az network route-table route create -g "$AZURE_RESOURCE_GROUP" --route-table-name "$AZURE_ROUTE_TABLE" \
+              -n "$route_name" --address-prefix "$route_prefix" \
+              --next-hop-type VirtualAppliance --next-hop-ip-address "$leader_ip" >/dev/null || true
+            az network route-table route update -g "$AZURE_RESOURCE_GROUP" --route-table-name "$AZURE_ROUTE_TABLE" \
+              -n "$route_name" --address-prefix "$route_prefix" \
+              --next-hop-type VirtualAppliance --next-hop-ip-address "$leader_ip" >/dev/null
+          }
+
+          sync_all_routes() {
+            leader_ip="$1"
+            IFS=','
+            for entry in $AZURE_ROUTES; do
+              route_name="${entry%%=*}"
+              route_prefix="${entry#*=}"
+              [ -n "$route_name" ] && [ -n "$route_prefix" ] || continue
+              sync_route "$route_name" "$route_prefix" "$leader_ip"
+            done
+            unset IFS
+          }
+
+          kubectl get node -w -l topology.kubernetes.io/zone=azure --no-headers \
+            -o 'custom-columns=NAME:.metadata.name,LEADER:.metadata.annotations.kilo\.squat\.ai/leader,IP:.status.addresses[?(@.type=="InternalIP")].address' \
+            | while read -r n leader ip; do
+                echo "$(date -Iseconds) event node=${n} leader=${leader} ip=${ip}"
+                [ "$leader" = "true" ] || continue
+                az network vnet subnet update \
+                  -g "$AZURE_RESOURCE_GROUP" \
+                  --vnet-name "$AZURE_VNET_NAME" \
+                  -n "$AZURE_SUBNET_NAME" \
+                  --route-table "$AZURE_ROUTE_TABLE" >/dev/null
+
+                sync_all_routes "$ip"
+
+                echo "$(date -Iseconds) synced routes to leader ${n} (${ip})"
+              done
diff --git a/pkg/mesh/routes.go b/pkg/mesh/routes.go
@@ -76,6 +76,7 @@ func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface
 								Flags:     int(netlink.FLAG_ONLINK),
 								Gw:        segment.privateIPs[i],
 								LinkIndex: tunlIface,
+								Src:       t.privateIP.IP,
 								Protocol:  unix.RTPROT_STATIC,
 								Table:     kiloTableIndex,
 							})
@@ -169,6 +170,7 @@ func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface
 							Flags:     int(netlink.FLAG_ONLINK),
 							Gw:        segment.privateIPs[i],
 							LinkIndex: tunlIface,
+							Src:       t.privateIP.IP,
 							Protocol:  unix.RTPROT_STATIC,
 							Table:     kiloTableIndex,
 						})
@@ -316,8 +318,11 @@ func (t *Topology) PeerRoutes(name string, kiloIface int, additionalAllowedIPs [
 }
 
 func encapsulateRoute(route *netlink.Route, encapsulate encapsulation.Strategy, subnet *net.IPNet, tunlIface int) *netlink.Route {
-	if encapsulate == encapsulation.Always || (encapsulate == encapsulation.CrossSubnet && !subnet.Contains(route.Gw)) {
+	if encapsulate == encapsulation.Always || (encapsulate == encapsulation.CrossSubnet && subnet != nil && !subnet.Contains(route.Gw)) {
 		route.LinkIndex = tunlIface
+		if subnet != nil && route.Src == nil {
+			route.Src = subnet.IP
+		}
 	}
 	return route
 }
diff --git a/pkg/mesh/routes_test.go b/pkg/mesh/routes_test.go
@@ -747,13 +747,15 @@ func TestRoutes(t *testing.T) {
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["c"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["b"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       oneAddressCIDR(nodes["c"].InternalIP.IP),
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["c"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["b"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 					Table:     kiloTableIndex,
 				},
@@ -886,41 +888,47 @@ func TestRoutes(t *testing.T) {
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       nodes["a"].Subnet,
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       oneAddressCIDR(nodes["a"].InternalIP.IP),
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       oneAddressCIDR(mustTopoForGranularityAndHost(LogicalGranularity, nodes["c"].Name).segments[1].wireGuardIP),
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       nodes["b"].Subnet,
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       nodes["b"].InternalIP,
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 					Table:     kiloTableIndex,
 				},
@@ -929,34 +937,39 @@ func TestRoutes(t *testing.T) {
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       nodes["d"].Subnet,
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       &peers["a"].AllowedIPs[0],
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       &peers["a"].AllowedIPs[1],
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 				{
 					Dst:       &peers["b"].AllowedIPs[0],
 					Flags:     int(netlink.FLAG_ONLINK),
 					Gw:        nodes["b"].InternalIP.IP,
 					LinkIndex: tunlIface,
+					Src:       nodes["c"].InternalIP.IP,
 					Protocol:  unix.RTPROT_STATIC,
 				},
 			},
