Support auto route mode for non-VyOS VLAN networks in tenant-space

HiranAdikari · claude · HiranAdikari · commit a653e61a947a · 2026-04-21T10:08:47.000+05:30
When vlan_id is set without vyos_endpoint, use route_mode=auto so the
upstream router (DigiOps / physical switch) handles DHCP and routing.
The manual route_mode with deterministic 10.0.0.0/8 subnetting is now
gated on vyos_endpoint being set.

- Add use_vyos local; gate tenant_subnet/tenant_gateway computation on it
- harvester_network route_mode, route_cidr, route_gateway are conditional
- Relax vlan_id validation from &gt;= 1000 to valid 802.1Q range (1–4094)
- Update subnet_cidr/gateway_ip output descriptions (VyOS-only)

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/modules/management/tenant-space/main.tf b/modules/management/tenant-space/main.tf
@@ -9,8 +9,12 @@ locals {
   create_net_ns     = var.create_network_namespace || var.vlan_id != null
   network_namespace = local.create_net_ns ? "${var.project_name}-net" : null
 
-  tenant_subnet  = var.vlan_id != null ? cidrsubnet("10.0.0.0/8", 15, var.vlan_id - 1000) : null
-  tenant_gateway = var.vlan_id != null ? cidrhost(local.tenant_subnet, 1) : null
+  # VyOS path: compute a deterministic /23 subnet from 10.0.0.0/8 using the VLAN
+  # index. Only relevant when vyos_endpoint is set; auto-routed environments
+  # (physical switch / DigiOps-issued VLANs) do not need explicit subnets.
+  use_vyos       = var.vlan_id != null && var.vyos_endpoint != null
+  tenant_subnet  = local.use_vyos ? cidrsubnet("10.0.0.0/8", 15, var.vlan_id - 1000) : null
+  tenant_gateway = local.use_vyos ? cidrhost(local.tenant_subnet, 1) : null
 }
 
 resource "rancher2_project" "this" {
@@ -101,9 +105,13 @@ resource "harvester_network" "tenant" {
   namespace            = rancher2_namespace.network[0].name
   vlan_id              = var.vlan_id
   cluster_network_name = var.cluster_network_name
-  route_mode           = "manual"
-  route_cidr           = local.tenant_subnet
-  route_gateway        = local.tenant_gateway
+
+  # VyOS path: manual routing with a deterministic /23 from 10.0.0.0/8.
+  # DigiOps / physical-switch path: auto routing — the upstream router
+  # advertises the gateway; no explicit CIDR or gateway needed here.
+  route_mode    = local.use_vyos ? "manual" : "auto"
+  route_cidr    = local.tenant_subnet
+  route_gateway = local.tenant_gateway
 
   # When VyOS is configured, wait for the vif/DHCP to be provisioned before
   # the network is visible to tenant VMs. count=0 module depends_on is a no-op.
diff --git a/modules/management/tenant-space/outputs.tf b/modules/management/tenant-space/outputs.tf
@@ -29,11 +29,11 @@ output "network_name" {
 }
 
 output "subnet_cidr" {
-  value       = var.vlan_id != null ? local.tenant_subnet : null
-  description = "Tenant /23 subnet CIDR (e.g. 10.0.0.0/23). Null when vlan_id is not set."
+  value       = local.tenant_subnet
+  description = "Tenant /23 subnet CIDR (e.g. 10.0.0.0/23). Non-null only when vlan_id and vyos_endpoint are both set."
 }
 
 output "gateway_ip" {
-  value       = var.vlan_id != null ? local.tenant_gateway : null
-  description = "VyOS gateway IP for this tenant. Null when vlan_id is not set."
+  value       = local.tenant_gateway
+  description = "VyOS gateway IP for this tenant (first host in subnet_cidr). Non-null only when vlan_id and vyos_endpoint are both set."
 }
diff --git a/modules/management/tenant-space/variables.tf b/modules/management/tenant-space/variables.tf
@@ -105,11 +105,11 @@ variable "create_network_namespace" {
 
 variable "vlan_id" {
   type        = number
-  description = "VLAN ID for this tenant's network (>= 1000). When set, creates the network namespace (if not already), a harvester_network, and optionally VyOS config when vyos_endpoint is also provided. When null, no network or VyOS resources are created."
+  description = "VLAN ID for this tenant's network (>= 1000). When set, always creates the network namespace and a harvester_network. Routing mode depends on vyos_endpoint: if set, route_mode=manual with a deterministic /23 from 10.0.0.0/8 plus full VyOS vif/DHCP/NAT config; if null, route_mode=auto (upstream router / DigiOps-issued VLAN handles routing). When vlan_id is null, no network resources are created."
   default     = null
   validation {
-    condition     = var.vlan_id == null || var.vlan_id >= 1000
-    error_message = "vlan_id must be >= 1000."
+    condition     = var.vlan_id == null || (var.vlan_id >= 1 && var.vlan_id <= 4094)
+    error_message = "vlan_id must be a valid 802.1Q VLAN ID (1–4094)."
   }
 }
 
diff --git a/modules/management/tenant-space/versions.tf b/modules/management/tenant-space/versions.tf
@@ -9,5 +9,5 @@ terraform {
       source  = "harvester/harvester"
       version = "~> 1.7"
     }
-}
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -29,11 +29,11 @@ output "network_name" {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`output "subnet_cidr" {`
`32`		`- value = var.vlan_id != null ? local.tenant_subnet : null`
`33`		`- description = "Tenant /23 subnet CIDR (e.g. 10.0.0.0/23). Null when vlan_id is not set."`
	`32`	`+ value = local.tenant_subnet`
	`33`	`+ description = "Tenant /23 subnet CIDR (e.g. 10.0.0.0/23). Non-null only when vlan_id and vyos_endpoint are both set."`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`output "gateway_ip" {`
`37`		`- value = var.vlan_id != null ? local.tenant_gateway : null`
`38`		`- description = "VyOS gateway IP for this tenant. Null when vlan_id is not set."`
	`37`	`+ value = local.tenant_gateway`
	`38`	`+ description = "VyOS gateway IP for this tenant (first host in subnet_cidr). Non-null only when vlan_id and vyos_endpoint are both set."`
`39`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,11 +105,11 @@ variable "create_network_namespace" {`
`105`	`105`
`106`	`106`	`variable "vlan_id" {`
`107`	`107`	`type = number`
`108`		`- description = "VLAN ID for this tenant's network (>= 1000). When set, creates the network namespace (if not already), a harvester_network, and optionally VyOS config when vyos_endpoint is also provided. When null, no network or VyOS resources are created."`
	`108`	`+ description = "VLAN ID for this tenant's network (>= 1000). When set, always creates the network namespace and a harvester_network. Routing mode depends on vyos_endpoint: if set, route_mode=manual with a deterministic /23 from 10.0.0.0/8 plus full VyOS vif/DHCP/NAT config; if null, route_mode=auto (upstream router / DigiOps-issued VLAN handles routing). When vlan_id is null, no network resources are created."`
`109`	`109`	`default = null`
`110`	`110`	`validation {`
`111`		`- condition = var.vlan_id == null \|\| var.vlan_id >= 1000`
`112`		`- error_message = "vlan_id must be >= 1000."`
	`111`	`+ condition = var.vlan_id == null \|\| (var.vlan_id >= 1 && var.vlan_id <= 4094)`
	`112`	`+ error_message = "vlan_id must be a valid 802.1Q VLAN ID (1–4094)."`
`113`	`113`	`}`
`114`	`114`	`}`
`115`	`115`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,5 @@ terraform {`
`9`	`9`	`source = "harvester/harvester"`
`10`	`10`	`version = "~> 1.7"`
`11`	`11`	`}`
`12`		`-}`
	`12`	`+ }`
`13`	`13`	`}`