Merge branch 'main' into network-interfaces

Author: AshleyDumaine

api/v1alpha2/linodecluster_types.go

@@ -190,6 +190,16 @@ type NetworkSpec struct {
 	// example: 10.10.10.0/30
 	// +optional
 	NodeBalancerBackendIPv4Range string `json:"nodeBalancerBackendIPv4Range,omitempty"`
+
+	// EnableVPCBackends toggles VPC-scoped NodeBalancer and VPC backend IP usage.
+	// If set to false (default), the NodeBalancer will not be created in a VPC and
+	// backends will use Linode private IPs. If true, the NodeBalancer will be
+	// created in the configured VPC (when VPCRef or VPCID is set) and backends
+	// will use VPC IPs.
+	// +kubebuilder:default=false
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	// +optional
+	EnableVPCBackends bool `json:"enableVPCBackends,omitempty"`
 }
 
 type LinodeNBPortConfig struct {

api/v1alpha2/linodemachine_types.go

@@ -70,7 +70,7 @@ type LinodeMachineSpec struct {
 	PrivateIP *bool `json:"privateIP,omitempty"`
 	// Tags is a list of tags to apply to the Linode instance.
 	Tags []string `json:"tags,omitempty"`
-	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	// FirewallID is the id of the cloud firewall to apply to the Linode Instance
 	FirewallID int `json:"firewallID,omitempty"`
 	// OSDisk is configuration for the root disk that includes the OS,
 	// if not specified this defaults to whatever space is not taken up by the DataDisks

api/v1alpha2/linodemachinetemplate_types.go

@@ -33,6 +33,10 @@ type LinodeMachineTemplateStatus struct {
 	// +optional
 	Tags []string `json:"tags,omitempty"`
 
+	// Firewall ID that is currently applied to the LinodeMachineTemplate.
+	// +optional
+	FirewallID int `json:"firewallID,omitempty"`
+
 	// Conditions represent the latest available observations of a LinodeMachineTemplate's current state.
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`

clients/clients.go

@@ -56,6 +56,8 @@ type LinodeInstanceClient interface {
 	GetRegion(ctx context.Context, regionID string) (*linodego.Region, error)
 	GetImage(ctx context.Context, imageID string) (*linodego.Image, error)
 	GetType(ctx context.Context, typeID string) (*linodego.LinodeType, error)
+	ListInstanceFirewalls(ctx context.Context, linodeID int, opts *linodego.ListOptions) ([]linodego.Firewall, error)
+	UpdateInstanceFirewalls(ctx context.Context, linodeID int, opts linodego.InstanceFirewallUpdateOptions) ([]linodego.Firewall, error)
 }
 
 // LinodeVPCClient defines the methods that interact with Linode's VPC service.

cloud/services/loadbalancers.go

@@ -22,6 +22,21 @@ const (
 	DefaultKonnectivityLBPort = 8132
 )
 
+// DetermineAPIServerLBPort returns the configured API server load balancer port,
+// or the provider default when not explicitly set.
+func DetermineAPIServerLBPort(clusterScope *scope.ClusterScope) int {
+	if clusterScope.LinodeCluster.Spec.Network.ApiserverLoadBalancerPort != 0 {
+		return clusterScope.LinodeCluster.Spec.Network.ApiserverLoadBalancerPort
+	}
+	return DefaultApiserverLBPort
+}
+
+// ShouldUseVPC decides whether VPC IPs/backends should be preferred and a VPC-scoped
+// NodeBalancer should be created. It requires both the feature flag and a VPC reference/ID.
+func ShouldUseVPC(clusterScope *scope.ClusterScope) bool {
+	return clusterScope.LinodeCluster.Spec.Network.EnableVPCBackends && (clusterScope.LinodeCluster.Spec.VPCRef != nil || clusterScope.LinodeCluster.Spec.VPCID != nil)
+}
+
 // FindSubnet selects a subnet from the provided subnets based on the subnet name
 // It handles both direct VPC subnets and VPCRef subnets
 // If subnet name is provided, it looks for a matching subnet; otherwise, it uses the first subnet
@@ -125,19 +140,18 @@ func EnsureNodeBalancer(ctx context.Context, clusterScope *scope.ClusterScope, l
 		Tags:   []string{string(clusterScope.LinodeCluster.UID)},
 	}
 
-	// if NodeBalancerBackendIPv4Range is set, create the NodeBalancer in the specified VPC
-	if clusterScope.LinodeCluster.Spec.Network.NodeBalancerBackendIPv4Range != "" && (clusterScope.LinodeCluster.Spec.VPCRef != nil || clusterScope.LinodeCluster.Spec.VPCID != nil) {
-		logger.Info("Creating NodeBalancer in VPC", "NodeBalancerBackendIPv4Range", clusterScope.LinodeCluster.Spec.Network.NodeBalancerBackendIPv4Range)
+	// if enableVPCBackends is true and vpcRef or vpcID is set, create the NodeBalancer in the specified VPC
+	if ShouldUseVPC(clusterScope) {
+		logger.Info("Creating NodeBalancer in VPC")
 		subnetID, err := getSubnetID(ctx, clusterScope, logger)
 		if err != nil {
 			logger.Error(err, "Failed to fetch Linode Subnet ID")
 			return nil, err
 		}
-		createConfig.VPCs = []linodego.NodeBalancerVPCOptions{
-			{
-				IPv4Range: clusterScope.LinodeCluster.Spec.Network.NodeBalancerBackendIPv4Range,
-				SubnetID:  subnetID,
-			},
+
+		createConfig.VPCs = []linodego.NodeBalancerVPCOptions{{SubnetID: subnetID}}
+		if clusterScope.LinodeCluster.Spec.Network.NodeBalancerBackendIPv4Range != "" {
+			createConfig.VPCs[0].IPv4Range = clusterScope.LinodeCluster.Spec.Network.NodeBalancerBackendIPv4Range
 		}
 	}
 
@@ -264,10 +278,7 @@ func EnsureNodeBalancerConfigs(
 	nbConfigs := []*linodego.NodeBalancerConfig{}
 	var apiserverLinodeNBConfig *linodego.NodeBalancerConfig
 	var err error
-	apiLBPort := DefaultApiserverLBPort
-	if clusterScope.LinodeCluster.Spec.Network.ApiserverLoadBalancerPort != 0 {
-		apiLBPort = clusterScope.LinodeCluster.Spec.Network.ApiserverLoadBalancerPort
-	}
+	apiLBPort := DetermineAPIServerLBPort(clusterScope)
 
 	if clusterScope.LinodeCluster.Spec.Network.ApiserverNodeBalancerConfigID != nil {
 		apiserverLinodeNBConfig, err = clusterScope.LinodeClient.GetNodeBalancerConfig(
@@ -325,10 +336,7 @@ func EnsureNodeBalancerConfigs(
 }
 
 func processAndCreateNodeBalancerNodes(ctx context.Context, ipAddress string, clusterScope *scope.ClusterScope, nodeBalancerNodes []linodego.NodeBalancerNode, subnetID int) error {
-	apiserverLBPort := DefaultApiserverLBPort
-	if clusterScope.LinodeCluster.Spec.Network.ApiserverLoadBalancerPort != 0 {
-		apiserverLBPort = clusterScope.LinodeCluster.Spec.Network.ApiserverLoadBalancerPort
-	}
+	apiserverLBPort := DetermineAPIServerLBPort(clusterScope)
 
 	// Set the port number and NB config ID for standard ports
 	portsToBeAdded := make([]map[string]int, 0)
@@ -382,12 +390,8 @@ func AddNodesToNB(ctx context.Context, logger logr.Logger, clusterScope *scope.C
 		return errors.New("nil NodeBalancer Config ID")
 	}
 
-	// if NodeBalancerBackendIPv4Range is set, we want to prioritize finding the VPC IP address
-	// otherwise, we will use the private IP address
 	subnetID := 0
-	useVPCIps := clusterScope.LinodeCluster.Spec.Network.NodeBalancerBackendIPv4Range != "" && clusterScope.LinodeCluster.Spec.VPCRef != nil
-	if useVPCIps {
-		// Get subnetID
+	if ShouldUseVPC(clusterScope) {
 		subnetID, err := getSubnetID(ctx, clusterScope, logger)
 		if err != nil {
 			logger.Error(err, "Failed to fetch Linode Subnet ID")

cloud/services/loadbalancers_test.go

@@ -276,6 +276,7 @@ func TestEnsureNodeBalancer(t *testing.T) {
 							Namespace: "default",
 						},
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:            true,
 							NodeBalancerBackendIPv4Range: "10.0.0.0/24",
 						},
 					},
@@ -339,6 +340,7 @@ func TestEnsureNodeBalancer(t *testing.T) {
 						Region: "us-east",
 						VPCID:  ptr.To(456),
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:            true,
 							NodeBalancerBackendIPv4Range: "10.0.0.0/24",
 						},
 					},
@@ -393,6 +395,7 @@ func TestEnsureNodeBalancer(t *testing.T) {
 						Region: "us-east",
 						VPCID:  ptr.To(789),
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:            true,
 							NodeBalancerBackendIPv4Range: "10.0.0.0/24",
 						},
 					},
@@ -420,6 +423,7 @@ func TestEnsureNodeBalancer(t *testing.T) {
 							Namespace: "default",
 						},
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:            true,
 							NodeBalancerBackendIPv4Range: "10.0.0.0/24",
 						},
 					},
@@ -1713,6 +1717,7 @@ func TestAddNodeToNBFullWorkflow(t *testing.T) {
 							Namespace: "default",
 						},
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							NodeBalancerID:                ptr.To(1234),
 							ApiserverNodeBalancerConfigID: ptr.To(5678),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",
@@ -1786,6 +1791,7 @@ func TestAddNodeToNBFullWorkflow(t *testing.T) {
 							Namespace: "default",
 						},
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							NodeBalancerID:                ptr.To(1234),
 							ApiserverNodeBalancerConfigID: ptr.To(5678),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",
@@ -1844,6 +1850,7 @@ func TestAddNodeToNBFullWorkflow(t *testing.T) {
 							Namespace: "default",
 						},
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							NodeBalancerID:                ptr.To(1234),
 							ApiserverNodeBalancerConfigID: ptr.To(5678),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",
@@ -2564,6 +2571,7 @@ func TestAddNodeToNBWithVPC(t *testing.T) {
 					},
 					Spec: infrav1alpha2.LinodeClusterSpec{
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							ApiserverNodeBalancerConfigID: ptr.To(222),
 							NodeBalancerID:                ptr.To(111),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",
@@ -2635,6 +2643,7 @@ func TestAddNodeToNBWithVPC(t *testing.T) {
 					},
 					Spec: infrav1alpha2.LinodeClusterSpec{
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							ApiserverNodeBalancerConfigID: ptr.To(222),
 							NodeBalancerID:                ptr.To(111),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",
@@ -2710,6 +2719,7 @@ func TestAddNodeToNBWithVPC(t *testing.T) {
 					},
 					Spec: infrav1alpha2.LinodeClusterSpec{
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							ApiserverNodeBalancerConfigID: ptr.To(222),
 							NodeBalancerID:                ptr.To(111),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",
@@ -2819,6 +2829,7 @@ func TestAddNodeToNBWithVPC(t *testing.T) {
 					},
 					Spec: infrav1alpha2.LinodeClusterSpec{
 						Network: infrav1alpha2.NetworkSpec{
+							EnableVPCBackends:             true,
 							ApiserverNodeBalancerConfigID: ptr.To(222),
 							NodeBalancerID:                ptr.To(111),
 							NodeBalancerBackendIPv4Range:  "10.0.0.0/24",

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeclusters.yaml

@@ -155,6 +155,18 @@ spec:
                       Ignored if the LoadBalancerType is set to anything other than dns
                       If not set, CAPL will create a unique identifier for you
                     type: string
+                  enableVPCBackends:
+                    default: false
+                    description: |-
+                      EnableVPCBackends toggles VPC-scoped NodeBalancer and VPC backend IP usage.
+                      If set to false (default), the NodeBalancer will not be created in a VPC and
+                      backends will use Linode private IPs. If true, the NodeBalancer will be
+                      created in the configured VPC (when VPCRef or VPCID is set) and backends
+                      will use VPC IPs.
+                    type: boolean
+                    x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
                   loadBalancerType:
                     default: NodeBalancer
                     description: LoadBalancerType is the type of load balancer to

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeclustertemplates.yaml

@@ -151,6 +151,18 @@ spec:
                               Ignored if the LoadBalancerType is set to anything other than dns
                               If not set, CAPL will create a unique identifier for you
                             type: string
+                          enableVPCBackends:
+                            default: false
+                            description: |-
+                              EnableVPCBackends toggles VPC-scoped NodeBalancer and VPC backend IP usage.
+                              If set to false (default), the NodeBalancer will not be created in a VPC and
+                              backends will use Linode private IPs. If true, the NodeBalancer will be
+                              created in the configured VPC (when VPCRef or VPCID is set) and backends
+                              will use VPC IPs.
+                            type: boolean
+                            x-kubernetes-validations:
+                            - message: Value is immutable
+                              rule: self == oldSelf
                           loadBalancerType:
                             default: NodeBalancer
                             description: LoadBalancerType is the type of load balancer

config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachines.yaml

@@ -164,10 +164,9 @@ spec:
                 - message: Value is immutable
                   rule: self == oldSelf
               firewallID:
+                description: FirewallID is the id of the cloud firewall to apply to
+                  the Linode Instance
                 type: integer
-                x-kubernetes-validations:
-                - message: Value is immutable
-                  rule: self == oldSelf
               firewallRef:
                 description: FirewallRef is a reference to a firewall object. This
                   makes the linode use the specified firewall.

config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachinetemplates.yaml

@@ -154,10 +154,9 @@ spec:
                         - message: Value is immutable
                           rule: self == oldSelf
                       firewallID:
+                        description: FirewallID is the id of the cloud firewall to
+                          apply to the Linode Instance
                         type: integer
-                        x-kubernetes-validations:
-                        - message: Value is immutable
-                          rule: self == oldSelf
                       firewallRef:
                         description: FirewallRef is a reference to a firewall object.
                           This makes the linode use the specified firewall.
@@ -697,6 +696,9 @@ spec:
                   - type
                   type: object
                 type: array
+              firewallID:
+                description: Firewall ID that is currently applied to the LinodeMachineTemplate.
+                type: integer
               tags:
                 description: tags that are currently applied to the LinodeMachineTemplate.
                 items: