feat(agent): use group CIDR from network status when VM has spec.networkGroup set

syscod3 · syscod3 · commit 14a92010c724 · 2026-03-24T23:47:10.000Z
diff --git a/internal/agent/firecracker_driver.go b/internal/agent/firecracker_driver.go
@@ -507,7 +507,7 @@ func (d *FirecrackerDriver) setupNetwork(ctx context.Context, vm *impdevv1alpha1
 	tapName := network.TAPName(vKey)
 	macAddr := network.MACAddr(vKey)
 
-	allocSubnet, err := resolveAllocationSubnet(ctx, d.Client, &impNet)
+	allocSubnet, err := resolveAllocationSubnet(ctx, d.Client, &impNet, vm.Spec.NetworkGroup)
 	if err != nil {
 		return nil, fmt.Errorf("resolve allocation subnet: %w", err)
 	}
diff --git a/internal/agent/ipam_resolver.go b/internal/agent/ipam_resolver.go
@@ -22,8 +22,18 @@ func ciliumPoolGVK(version string) schema.GroupVersionKind {
 }
 
 func resolveAllocationSubnet(
-	ctx context.Context, c ctrlclient.Client, impNet *impdevv1alpha1.ImpNetwork,
+	ctx context.Context, c ctrlclient.Client, impNet *impdevv1alpha1.ImpNetwork, networkGroup string,
 ) (string, error) {
+	// If VM is in a named group, return the group's allocated CIDR from network status.
+	if networkGroup != "" {
+		for _, gc := range impNet.Status.GroupCIDRs {
+			if gc.Name == networkGroup {
+				return gc.CIDR, nil
+			}
+		}
+		return "", fmt.Errorf("network group %q has no allocated CIDR yet (network controller may not have reconciled)", networkGroup)
+	}
+
 	if impNet.Spec.IPAM == nil || impNet.Spec.IPAM.Provider == "" || impNet.Spec.IPAM.Provider == "internal" {
 		return impNet.Spec.Subnet, nil
 	}
diff --git a/internal/agent/ipam_resolver_test.go b/internal/agent/ipam_resolver_test.go
@@ -27,7 +27,7 @@ func TestResolveAllocationSubnet_DefaultsToImpSubnet(t *testing.T) {
 		},
 	}
 
-	got, err := resolveAllocationSubnet(context.Background(), c, impNet)
+	got, err := resolveAllocationSubnet(context.Background(), c, impNet, "")
 	if err != nil {
 		t.Fatalf("resolveAllocationSubnet: %v", err)
 	}
@@ -63,7 +63,7 @@ func TestResolveAllocationSubnet_UsesCiliumPoolCIDR(t *testing.T) {
 		},
 	}
 
-	got, err := resolveAllocationSubnet(context.Background(), c, impNet)
+	got, err := resolveAllocationSubnet(context.Background(), c, impNet, "")
 	if err != nil {
 		t.Fatalf("resolveAllocationSubnet: %v", err)
 	}
@@ -87,7 +87,7 @@ func TestResolveAllocationSubnet_CiliumWithOverrideCidr(t *testing.T) {
 	}
 	// When Cidr override is set, should use it without fetching pool from API.
 	// Pass nil client to prove it doesn't touch the API.
-	subnet, err := resolveAllocationSubnet(context.Background(), nil, net)
+	subnet, err := resolveAllocationSubnet(context.Background(), nil, net, "")
 	if err != nil {
 		t.Fatalf("resolveAllocationSubnet: %v", err)
 	}
@@ -96,6 +96,56 @@ func TestResolveAllocationSubnet_CiliumWithOverrideCidr(t *testing.T) {
 	}
 }
 
+func TestResolveAllocationSubnet_UsesGroupCIDRFromStatus(t *testing.T) {
+	scheme := runtime.NewScheme()
+	if err := impdevv1alpha1.AddToScheme(scheme); err != nil {
+		t.Fatalf("scheme: %v", err)
+	}
+	c := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	impNet := &impdevv1alpha1.ImpNetwork{
+		ObjectMeta: metav1.ObjectMeta{Name: "net1", Namespace: "default"},
+		Spec: impdevv1alpha1.ImpNetworkSpec{
+			Subnet: "10.44.0.0/24",
+			Groups: []impdevv1alpha1.NetworkGroupSpec{
+				{Name: "workers", ExpectedSize: 14},
+			},
+		},
+	}
+	impNet.Status.GroupCIDRs = []impdevv1alpha1.GroupCIDR{
+		{Name: "workers", CIDR: "10.44.0.0/28"},
+	}
+
+	got, err := resolveAllocationSubnet(context.Background(), c, impNet, "workers")
+	if err != nil {
+		t.Fatalf("resolveAllocationSubnet: %v", err)
+	}
+	if got != "10.44.0.0/28" {
+		t.Fatalf("got %q, want %q", got, "10.44.0.0/28")
+	}
+}
+
+func TestResolveAllocationSubnet_GroupNotAllocatedYetReturnsError(t *testing.T) {
+	scheme := runtime.NewScheme()
+	if err := impdevv1alpha1.AddToScheme(scheme); err != nil {
+		t.Fatalf("scheme: %v", err)
+	}
+	c := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	impNet := &impdevv1alpha1.ImpNetwork{
+		ObjectMeta: metav1.ObjectMeta{Name: "net1", Namespace: "default"},
+		Spec: impdevv1alpha1.ImpNetworkSpec{
+			Subnet: "10.44.0.0/24",
+		},
+		// Status.GroupCIDRs is empty — controller hasn't reconciled yet.
+	}
+
+	_, err := resolveAllocationSubnet(context.Background(), c, impNet, "workers")
+	if err == nil {
+		t.Fatal("expected error for unallocated group CIDR")
+	}
+}
+
 func TestResolveAllocationSubnet_CiliumPoolMissingReturnsError(t *testing.T) {
 	scheme := runtime.NewScheme()
 	if err := impdevv1alpha1.AddToScheme(scheme); err != nil {
@@ -114,7 +164,7 @@ func TestResolveAllocationSubnet_CiliumPoolMissingReturnsError(t *testing.T) {
 		},
 	}
 
-	_, err := resolveAllocationSubnet(context.Background(), c, impNet)
+	_, err := resolveAllocationSubnet(context.Background(), c, impNet, "")
 	if err == nil {
 		t.Fatal("expected error for missing CiliumPodIPPool")
 	}

Original file line number	Diff line number	Diff line change
`@@ -507,7 +507,7 @@ func (d FirecrackerDriver) setupNetwork(ctx context.Context, vm impdevv1alpha1`
`507`	`507`	`tapName := network.TAPName(vKey)`
`508`	`508`	`macAddr := network.MACAddr(vKey)`
`509`	`509`
`510`		`- allocSubnet, err := resolveAllocationSubnet(ctx, d.Client, &impNet)`
	`510`	`+ allocSubnet, err := resolveAllocationSubnet(ctx, d.Client, &impNet, vm.Spec.NetworkGroup)`
`511`	`511`	`if err != nil {`
`512`	`512`	`return nil, fmt.Errorf("resolve allocation subnet: %w", err)`
`513`	`513`	`}`