Decouple VyOS integration from network namespace in tenant-space#64
Conversation
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (9)
SummaryThis pull request decouples VyOS integration from network namespace and harvester network creation in the tenant-space module, enabling VLAN-based network configuration independent of VyOS availability. Key ChangesNetworking Independence: The module now treats VLAN configuration ( Resource Ownership Reorganization: The Expanded Configuration Options: A new Adaptive Routing Behavior: Routing mode now adapts based on VyOS availability:
Output Refinements: A new Code Quality: Namespace deduplication logic is corrected to ensure the project namespace is always included; network namespaces receive platform labeling ( Backward CompatibilityDeployments without WalkthroughThe PR decouples VyOS integration from network namespace and harvester network creation in the tenant-space module. The harvester_network resource is moved from vyos-tenant into tenant-space, and routing behavior is split: auto mode when VyOS is absent, manual deterministic mode when VyOS endpoint is configured. VLAN validation is relaxed to the full 802.1Q range. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
HiranAdikari
force-pushed
the
feature/63-decouple-vyos-from-network-namespace
branch
from
cafeb16 to
f03a463
Compare
Previously, setting vlan_id always invoked the vyos-tenant module, making it impossible to create a network namespace + harvester_network without VyOS config calls. Now vlan_id and vyos_endpoint are independent gates: - vlan_id only: creates network namespace + harvester_network (for environments using physical switch VLAN assignment, e.g. production) - vlan_id + vyos_endpoint: additionally configures VyOS vif, DHCP, and NAT (for environments with a VyOS gateway, e.g. lk-dev) Also adds vyos_endpoint and vyos_api_key variables to tenant-space, adds platform.wso2.com/role=network-namespace label to the network namespace (used by the namespace credential provisioner), and fixes a pre-existing missing newline in variables.tf. Closes wso2#63 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tenant-space: - Add create_network_namespace (bool, default false) to pre-provision the <project_name>-net namespace before a VLAN is assigned. The network namespace is created when create_network_namespace = true OR when vlan_id is set (backward compat: existing callers with vlan_id are unaffected). - Move harvester_network ownership into tenant-space so it is created whenever vlan_id is set, regardless of whether VyOS is configured. Previously it lived inside vyos-tenant, causing a duplicate resource collision when both modules ran together. - harvester_network.tenant now depends_on module.vyos_tenant so VyOS vif/DHCP is committed before the network becomes active (no-op when vyos_endpoint is null and count=0). - Fix namespaces local: distinct(concat([project_name], namespaces)) so project_name namespace is always included and duplicates removed. - Outputs subnet_cidr and gateway_ip now derive from locals directly (no longer routed through vyos-tenant module outputs). - Add network_namespace_id output. vyos-tenant: - Remove harvester_network resource (now owned by tenant-space). - Remove network_namespace and cluster_network_name variables (were only used by the removed harvester_network). - Remove harvester provider requirement from versions.tf. - Remove network_name, network_namespace, network_ref outputs. - Add subnet_cidr alias output alongside existing subnet. No breaking changes for callers that do not set vlan_id: the create_network_namespace flag defaults to false and no resources are added. Callers with vlan_id already set will see a plan diff for the harvester_network moving from the vyos-tenant child module address to the tenant-space address — a targeted import is required on first apply. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The vyos provider was listed unconditionally, forcing every caller to configure it even when vyos_endpoint is null and no VyOS resources are created. The provider is only needed by the child vyos-tenant module, which declares its own required_providers — Terraform picks it up transitively without it being declared in the parent. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tenant-space/variables.tf: vyos_endpoint and vyos_api_key were declared twice after the create_network_namespace commit merged them in alongside pre-existing copies from the decouple branch. - vyos-tenant/outputs.tf: subnet_cidr output was declared twice, once as the canonical output and once as an alias added earlier. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When vlan_id is set without vyos_endpoint, use route_mode=auto so the upstream router (DigiOps / physical switch) handles DHCP and routing. The manual route_mode with deterministic 10.0.0.0/8 subnetting is now gated on vyos_endpoint being set. - Add use_vyos local; gate tenant_subnet/tenant_gateway computation on it - harvester_network route_mode, route_cidr, route_gateway are conditional - Relax vlan_id validation from >= 1000 to valid 802.1Q range (1–4094) - Update subnet_cidr/gateway_ip output descriptions (VyOS-only) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
HiranAdikari
force-pushed
the
feature/63-decouple-vyos-from-network-namespace
branch
from
a653e61 to
ff993f3
Compare
2 participants
Summary
vlan_idalone now creates network namespace +harvester_network— no VyOS required (physical switch / manually configured VLAN environments)create_network_namespaceflag (default:false) pre-provisions the<project_name>-netnamespace before a VLAN is assignedvlan_id+vyos_endpointadditionally configures VyOS vif/DHCP/NATvyos-tenantintotenant-spaceso both modules no longer create the same resource simultaneouslyharvester_networkdepends_onmodule.vyos_tenant— VyOS vif committed before network is visible to VMsnamespaceslocal to usedistinct(concat([project_name], namespaces))so the project namespace is always includednetwork_namespace_idoutputsubnet_cidr/gateway_ipoutputs now derive from locals directly rather than routing through vyos-tenant moduleplatform.wso2.com/role=network-namespace(used by reconciler in Add namespace credential provisioner module #62 to skip it)route_modeis now"auto"whenvyos_endpointis not set — upstream router handles DHCP/routing for externally managed VLANs;"manual"with deterministic 10.0.0.0/8 subnetting only when VyOS is configured (closes Support auto route mode for manually configured VLAN networks in tenant-space #65)vlan_idvalidation from>= 1000to the full 802.1Q range (1–4094)Behaviour matrix
create_network_namespacevlan_idvyos_endpointharvester_network(route_mode=auto)harvester_network(route_mode=manual) + VyOS configBackward compatibility
Existing callers without
vlan_id: no change (new flag defaults to false).Existing callers with
vlan_idset:harvester_networkmoves from addressmodule.<name>.module.vyos_tenant[0].harvester_network.tenanttomodule.<name>.harvester_network.tenant[0]. A targeted import is needed onfirst apply against an environment that previously applied with VyOS:
New environments (no prior state) are unaffected.
Test plan
create_network_namespace = true, novlan_id→ only<name>-netnamespace createdvlan_idset, novyos_endpoint→ namespace +harvester_networkwithroute_mode=auto, no VyOS API callsvlan_id+vyos_endpoint→ full stack: namespace + network (route_mode=manual) + VyOS vif/DHCP/NATvlan_id→ zero plan diffvlan_idbelow 1000 accepted whenvyos_endpointnot setCloses #63
Closes #65
🤖 Generated with Claude Code