allow create/update when ipam ips values are equal

Author: therealak12

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: ghcr.io/snapp-incubator/kubernetes-webhooks
-  newTag: v0.1.3
+  newName: registry.teh-1.snappcloud.io/library/kubernetes-webhooks
+  newTag: v0.1.4

internal/webhook/v1/service_webhook.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"strings"
 
 	ciliumv2alpha1 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1"
@@ -100,54 +101,35 @@ func (v *ServiceCustomValidator) ValidateDelete(ctx context.Context, obj runtime
 // the address-pool label is absent.
 func (v *ServiceCustomValidator) validateIPSources(ctx context.Context, service *corev1.Service) (admission.Warnings, error) {
 	annotations := service.GetAnnotations()
-	ipamOriginalRaw := annotations[lbIpamIpsAnnotation]
-	ipamAliasRaw := annotations[lbIpamIpsAnnotationAlias]
-	loadBalancerIP := strings.TrimSpace(service.Spec.LoadBalancerIP)
-
-	// Count how many sources are set.
-	setCount := 0
-	if ipamOriginalRaw != "" {
-		setCount++
-	}
-	if ipamAliasRaw != "" {
-		setCount++
+	if annotations == nil {
+		annotations = map[string]string{}
 	}
-	if loadBalancerIP != "" {
-		setCount++
+	sources := []ipSourceRequest{
+		{name: lbIpamIpsAnnotation, ips: parseRequestedIPs(annotations[lbIpamIpsAnnotation])},
+		{name: lbIpamIpsAnnotationAlias, ips: parseRequestedIPs(annotations[lbIpamIpsAnnotationAlias])},
+		{name: "spec.loadBalancerIP", ips: parseRequestedIPs(service.Spec.LoadBalancerIP)},
 	}
 
-	if setCount > 1 {
-		return nil, fmt.Errorf(
-			"at most one of %s, %s, and spec.loadBalancerIP may be set",
-			lbIpamIpsAnnotation, lbIpamIpsAnnotationAlias,
-		)
+	var configuredSources []ipSourceRequest
+	for _, source := range sources {
+		if len(source.ips) > 0 {
+			configuredSources = append(configuredSources, source)
+		}
 	}
-	if setCount == 0 {
+
+	if len(configuredSources) == 0 {
 		return nil, nil
 	}
+	if err := validateMatchingIPSources(configuredSources); err != nil {
+		return nil, err
+	}
 
 	cidrs, ranges, poolName, err := v.fetchPoolBlocks(ctx, service)
 	if err != nil {
 		return nil, err
 	}
 
-	// Collect the IPs to validate.
-	var ipsToCheck []string
-	if loadBalancerIP != "" {
-		ipsToCheck = []string{loadBalancerIP}
-	} else {
-		raw := ipamOriginalRaw
-		if raw == "" {
-			raw = ipamAliasRaw
-		}
-		for _, s := range strings.Split(raw, ",") {
-			if t := strings.TrimSpace(s); t != "" {
-				ipsToCheck = append(ipsToCheck, t)
-			}
-		}
-	}
-
-	for _, ip := range ipsToCheck {
+	for _, ip := range configuredSources[0].ips {
 		if !isIPInPool(ip, cidrs, ranges) {
 			return nil, fmt.Errorf(
 				"IP %s is not within any block of CiliumLoadBalancerIPPool %q",
@@ -159,6 +141,50 @@ func (v *ServiceCustomValidator) validateIPSources(ctx context.Context, service
 	return nil, nil
 }
 
+func validateMatchingIPSources(sources []ipSourceRequest) error {
+	if len(sources) < 2 {
+		return nil
+	}
+
+	baseline := sources[0]
+	for _, source := range sources[1:] {
+		if !equalRequestedIPs(baseline.ips, source.ips) {
+			return fmt.Errorf(
+				"when multiple IP sources are set, %s and %s must specify the same IP value(s)",
+				baseline.name,
+				source.name,
+			)
+		}
+	}
+
+	return nil
+}
+
+func parseRequestedIPs(raw string) []string {
+	var ips []string
+	for _, part := range strings.Split(raw, ",") {
+		if ip := strings.TrimSpace(part); ip != "" {
+			ips = append(ips, ip)
+		}
+	}
+
+	return ips
+}
+
+func equalRequestedIPs(left, right []string) bool {
+	if len(left) != len(right) {
+		return false
+	}
+
+	// Create new slices for sorting to keep order of original slices
+	leftSorted := append([]string(nil), left...)
+	rightSorted := append([]string(nil), right...)
+	slices.Sort(leftSorted)
+	slices.Sort(rightSorted)
+
+	return slices.Equal(leftSorted, rightSorted)
+}
+
 // fetchPoolBlocks retrieves the CiliumLoadBalancerIPPool named by the service's
 // `network.snappcloud.io/address-pool` label and parses its blocks.
 // When the label is absent the pool name defaults to "default".
@@ -247,3 +273,8 @@ func isIPInPool(ipStr string, cidrs []*net.IPNet, ranges []ipRange) bool {
 type ipRange struct {
 	start, end netip.Addr
 }
+
+type ipSourceRequest struct {
+	name string
+	ips  []string
+}

internal/webhook/v1/service_webhook_test.go

@@ -320,7 +320,18 @@ var _ = Describe("Service Webhook", func() {
 			Expect(err).To(HaveOccurred())
 			Expect(err.Error()).To(ContainSubstring("192.168.1.1"))
 		})
-		It("Should reject creation when both ipam annotations are set", func() {
+		It("Should allow creation when both ipam annotations are set to the same value", func() {
+			pool := &ciliumv2alpha1.CiliumLoadBalancerIPPool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-pool",
+				},
+				Spec: ciliumv2alpha1.CiliumLoadBalancerIPPoolSpec{
+					Blocks: []ciliumv2alpha1.CiliumLoadBalancerIPPoolIPBlock{
+						{Cidr: "10.0.0.0/24"},
+					},
+				},
+			}
+
 			obj := &corev1.Service{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-svc",
@@ -329,7 +340,32 @@ var _ = Describe("Service Webhook", func() {
 						"network.snappcloud.io/address-pool": "my-pool",
 					},
 					Annotations: map[string]string{
-						"io.cilium/lb-ipam-ips": "10.0.0.5,192.168.1.1",
+						"io.cilium/lb-ipam-ips": "10.0.0.5,10.0.0.10",
+						"lbipam.cilium.io/ips":  "10.0.0.10,10.0.0.5",
+					},
+				},
+			}
+
+			scheme := runtime.NewScheme()
+			Expect(ciliumv2alpha1.AddToScheme(scheme)).To(Succeed())
+
+			validator := ServiceCustomValidator{
+				client: fake.NewClientBuilder().WithScheme(scheme).WithObjects(pool).Build(),
+			}
+			_, err := validator.ValidateCreate(ctx, obj)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("Should reject creation when the two ipam annotations are set to different values", func() {
+			obj := &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-svc",
+					Namespace: "default",
+					Labels: map[string]string{
+						"network.snappcloud.io/address-pool": "my",
+					},
+					Annotations: map[string]string{
+						"io.cilium/lb-ipam-ips": "10.0.0.4,192.168.1.1",
 						"lbipam.cilium.io/ips":  "10.0.0.4,192.168.1.2",
 					},
 				},
@@ -339,10 +375,22 @@ var _ = Describe("Service Webhook", func() {
 			}
 			_, err := validator.ValidateCreate(ctx, obj)
 			Expect(err).To(HaveOccurred())
-			Expect(err.Error()).To(ContainSubstring("at most one"))
+			Expect(err.Error()).To(ContainSubstring(lbIpamIpsAnnotation))
+			Expect(err.Error()).To(ContainSubstring(lbIpamIpsAnnotationAlias))
 		})
 
-		It("Should reject creation when lbIpamIps annotation and loadBalancerIP are both set", func() {
+		It("Should allow creation when lbIpamIps annotation and loadBalancerIP are set to the same value", func() {
+			pool := &ciliumv2alpha1.CiliumLoadBalancerIPPool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-pool",
+				},
+				Spec: ciliumv2alpha1.CiliumLoadBalancerIPPoolSpec{
+					Blocks: []ciliumv2alpha1.CiliumLoadBalancerIPPoolIPBlock{
+						{Cidr: "10.0.0.0/24"},
+					},
+				},
+			}
+
 			obj := &corev1.Service{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-svc",
@@ -351,22 +399,61 @@ var _ = Describe("Service Webhook", func() {
 						"network.snappcloud.io/address-pool": "my-pool",
 					},
 					Annotations: map[string]string{
-						"io.cilium/lb-ipam-ips": "10.0.0.5",
+						"io.cilium/lb-ipam-ips": "10.0.0.5,10.0.0.3",
 					},
 				},
 				Spec: corev1.ServiceSpec{
-					LoadBalancerIP: "10.0.0.5",
+					LoadBalancerIP: "10.0.0.3,10.0.0.5",
+				},
+			}
+
+			scheme := runtime.NewScheme()
+			Expect(ciliumv2alpha1.AddToScheme(scheme)).To(Succeed())
+
+			validator := ServiceCustomValidator{
+				client: fake.NewClientBuilder().WithScheme(scheme).WithObjects(pool).Build(),
+			}
+			_, err := validator.ValidateCreate(ctx, obj)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("Should reject creation when lbIpamIps annotation and loadBalancerIP are set to different values", func() {
+			obj := &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-svc",
+					Namespace: "default",
+					Labels: map[string]string{
+						"network.snappcloud.io/address-pool": "my",
+					},
+					Annotations: map[string]string{
+						"io.cilium/lb-ipam-ips": "10.0.0.5,192.168.1.2",
+					},
+				},
+				Spec: corev1.ServiceSpec{
+					LoadBalancerIP: "10.0.0.6,192.168.1.2",
 				},
 			}
 			validator := ServiceCustomValidator{
 				client: fake.NewClientBuilder().Build(),
 			}
 			_, err := validator.ValidateCreate(ctx, obj)
 			Expect(err).To(HaveOccurred())
-			Expect(err.Error()).To(ContainSubstring("at most one"))
+			Expect(err.Error()).To(ContainSubstring(lbIpamIpsAnnotation))
+			Expect(err.Error()).To(ContainSubstring("spec.loadBalancerIP"))
 		})
 
-		It("Should reject creation when lbIpamIps alias annotation and loadBalancerIP are both set", func() {
+		It("Should allow update when lbIpamIps alias annotation and loadBalancerIP are set to the same value", func() {
+			pool := &ciliumv2alpha1.CiliumLoadBalancerIPPool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "my-pool",
+				},
+				Spec: ciliumv2alpha1.CiliumLoadBalancerIPPoolSpec{
+					Blocks: []ciliumv2alpha1.CiliumLoadBalancerIPPoolIPBlock{
+						{Cidr: "10.0.0.0/24"},
+					},
+				},
+			}
+
 			obj := &corev1.Service{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-svc",
@@ -382,12 +469,40 @@ var _ = Describe("Service Webhook", func() {
 					LoadBalancerIP: "10.0.0.5",
 				},
 			}
+
+			scheme := runtime.NewScheme()
+			Expect(ciliumv2alpha1.AddToScheme(scheme)).To(Succeed())
+
+			validator := ServiceCustomValidator{
+				client: fake.NewClientBuilder().WithScheme(scheme).WithObjects(pool).Build(),
+			}
+			_, err := validator.ValidateUpdate(ctx, nil, obj)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("Should reject creation when lbIpamIps alias annotation and loadBalancerIP are set to different values", func() {
+			obj := &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-svc",
+					Namespace: "default",
+					Labels: map[string]string{
+						"network.snappcloud.io/address-pool": "my",
+					},
+					Annotations: map[string]string{
+						"lbipam.cilium.io/ips": "10.0.0.5",
+					},
+				},
+				Spec: corev1.ServiceSpec{
+					LoadBalancerIP: "10.0.0.6",
+				},
+			}
 			validator := ServiceCustomValidator{
 				client: fake.NewClientBuilder().Build(),
 			}
 			_, err := validator.ValidateCreate(ctx, obj)
 			Expect(err).To(HaveOccurred())
-			Expect(err.Error()).To(ContainSubstring("at most one"))
+			Expect(err.Error()).To(ContainSubstring(lbIpamIpsAnnotationAlias))
+			Expect(err.Error()).To(ContainSubstring("spec.loadBalancerIP"))
 		})
 	})