syscode-labs
diff --git a/‎cmd/agent/main.go‎
Lines changed: 17 additions & 0 deletions b/‎cmd/agent/main.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎cmd/operator/main.go‎
Lines changed: 6 additions & 0 deletions b/‎cmd/operator/main.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 7 additions & 4 deletions b/‎go.mod‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎go.sum‎
Lines changed: 6 additions & 0 deletions b/‎go.sum‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎internal/agent/firecracker_driver.go‎
Lines changed: 10 additions & 5 deletions b/‎internal/agent/firecracker_driver.go‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎internal/agent/impnetwork_reconciler.go‎
Lines changed: 96 additions & 0 deletions b/‎internal/agent/impnetwork_reconciler.go‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎internal/agent/impnetwork_reconciler_test.go‎
Lines changed: 113 additions & 0 deletions b/‎internal/agent/impnetwork_reconciler_test.go‎
Lines changed: 113 additions & 0 deletions
@@ -71,6 +71,12 @@ func main() {
 		os.Exit(1)
 	}
 	defer func() { _ = shutdownTelemetry(context.Background()) }()
+	_, shutdownTraces, err := telemetry.SetupTracerProvider(context.Background())
+	if err != nil {
+		log.Error(err, "unable to set up traces")
+		os.Exit(1)
+	}
+	defer func() { _ = shutdownTraces(context.Background()) }()
 	mc := agent.NewVMMetricsCollector(mp.Meter("imp.agent"), agentReg)
 
 	// IMP_STUB_DRIVER=true: StubDriver (CI, test clusters, no KVM needed).
@@ -113,6 +119,17 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&agent.ImpNetworkReconciler{
+		Client:   mgr.GetClient(),
+		Scheme:   mgr.GetScheme(),
+		NodeName: nodeName,
+		NodeIP:   nodeIP,
+		Net:      prodNet,
+	}).SetupWithManager(mgr); err != nil {
+		log.Error(err, "unable to create controller", "controller", "ImpNetwork(agent)")
+		os.Exit(1)
+	}
+
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		log.Error(err, "Unable to set up health check")
 		os.Exit(1)
 
@@ -133,6 +133,12 @@ func main() {
 		os.Exit(1)
 	}
 	defer func() { _ = shutdownTelemetry(context.Background()) }()
+	_, shutdownTraces, err := telemetry.SetupTracerProvider(context.Background())
+	if err != nil {
+		setupLog.Error(err, "unable to set up traces")
+		os.Exit(1)
+	}
+	defer func() { _ = shutdownTraces(context.Background()) }()
 	controller.InitMetrics(mp.Meter("imp.controller"))
 
 	cfg := ctrl.GetConfigOrDie()
 
@@ -11,14 +11,18 @@ require (
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
 	github.com/prometheus/client_golang v1.23.2
-	github.com/prometheus/client_model v0.6.2
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netlink v1.1.1-0.20210330154013-f5de75959ad5
 	github.com/xanzy/go-gitlab v0.115.0
+	go.opentelemetry.io/otel v1.42.0
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.64.0
+	go.opentelemetry.io/otel/metric v1.42.0
+	go.opentelemetry.io/otel/sdk v1.42.0
 	go.opentelemetry.io/otel/sdk/metric v1.42.0
 	golang.org/x/oauth2 v0.35.0
 	google.golang.org/grpc v1.79.2
@@ -88,6 +92,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
@@ -98,9 +103,7 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.8.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/otel v1.42.0 // indirect
-	go.opentelemetry.io/otel/metric v1.42.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
 	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 
@@ -849,6 +849,12 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 h1:MdK
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0/go.mod h1:RolT8tWtfHcjajEH5wFIZ4Dgh5jpPdFXYV9pTAk/qjc=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 h1:H7O6RlGOMTizyl3R08Kn5pdM06bnH8oscSj7o11tmLA=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0/go.mod h1:mBFWu/WOVDkWWsR7Tx7h6EpQB8wsv7P0Yrh0Pb7othc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 h1:THuZiwpQZuHPul65w4WcwEnkX2QIuMT+UFoOrygtoJw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0/go.mod h1:J2pvYM5NGHofZ2/Ru6zw/TNWnEQp5crgyDeSrYpXkAw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 h1:zWWrB1U6nqhS/k6zYB74CjRpuiitRtLLi68VcgmOEto=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0/go.mod h1:2qXPNBX1OVRC0IwOnfo1ljoid+RD0QK3443EaqVlsOU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 h1:uLXP+3mghfMf7XmV4PkGfFhFKuNWoCvvx5wP/wOXo0o=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0/go.mod h1:v0Tj04armyT59mnURNUJf7RCKcKzq+lgJs6QSjHjaTc=
 go.opentelemetry.io/otel/exporters/prometheus v0.64.0 h1:g0LRDXMX/G1SEZtK8zl8Chm4K6GBwRkjPKE36LxiTYs=
 go.opentelemetry.io/otel/exporters/prometheus v0.64.0/go.mod h1:UrgcjnarfdlBDP3GjDIJWe6HTprwSazNjwsI+Ru6hro=
 go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
 
@@ -430,9 +430,14 @@ func (d *FirecrackerDriver) setupNetwork(ctx context.Context, vm *impdevv1alpha1
 	tapName := network.TAPName(vKey)
 	macAddr := network.MACAddr(vKey)
 
-	_, cidr, err := gonet.ParseCIDR(impNet.Spec.Subnet)
+	allocSubnet, err := resolveAllocationSubnet(ctx, d.Client, &impNet)
 	if err != nil {
-		return nil, fmt.Errorf("parse subnet %q: %w", impNet.Spec.Subnet, err)
+		return nil, fmt.Errorf("resolve allocation subnet: %w", err)
+	}
+
+	_, cidr, err := gonet.ParseCIDR(allocSubnet)
+	if err != nil {
+		return nil, fmt.Errorf("parse subnet %q: %w", allocSubnet, err)
 	}
 	prefixLen, _ := cidr.Mask.Size()
 
@@ -445,7 +450,7 @@ func (d *FirecrackerDriver) setupNetwork(ctx context.Context, vm *impdevv1alpha1
 	}
 
 	// Allocate VM IP.
-	ip, err := d.Alloc.Allocate(netKey, impNet.Spec.Subnet, gateway)
+	ip, err := d.Alloc.Allocate(netKey, allocSubnet, gateway)
 	if err != nil {
 		return nil, fmt.Errorf("allocate IP: %w", err)
 	}
@@ -464,7 +469,7 @@ func (d *FirecrackerDriver) setupNetwork(ctx context.Context, vm *impdevv1alpha1
 
 	// Install NAT if requested (best-effort — don't block VM start on NAT failure).
 	if impNet.Spec.NAT.Enabled {
-		if natErr := d.Net.EnsureNAT(ctx, impNet.Spec.Subnet, impNet.Spec.NAT.EgressInterface); natErr != nil {
+		if natErr := d.Net.EnsureNAT(ctx, allocSubnet, impNet.Spec.NAT.EgressInterface); natErr != nil {
 			logf.FromContext(ctx).Error(natErr, "EnsureNAT failed — VM will start without NAT")
 		}
 	}
@@ -477,7 +482,7 @@ func (d *FirecrackerDriver) setupNetwork(ctx context.Context, vm *impdevv1alpha1
 		PrefixLen:       prefixLen,
 		Gateway:         gateway,
 		DNS:             impNet.Spec.DNS,
-		Subnet:          impNet.Spec.Subnet,
+		Subnet:          allocSubnet,
 		NetworkKey:      netKey,
 		NATEnabled:      impNet.Spec.NAT.Enabled,
 		EgressInterface: impNet.Spec.NAT.EgressInterface,
 
@@ -0,0 +1,96 @@
+//go:build linux
+
+package agent
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+
+	impdevv1alpha1 "github.com/syscode-labs/imp/api/v1alpha1"
+	"github.com/syscode-labs/imp/internal/agent/network"
+)
+
+// ImpNetworkReconciler watches ImpNetwork objects on behalf of the node agent.
+// When VTEPTable changes, it syncs the local VXLAN FDB for running local VMs.
+type ImpNetworkReconciler struct {
+	client.Client
+	Scheme   *runtime.Scheme
+	NodeName string
+	NodeIP   string
+	Net      network.NetManager
+}
+
+// +kubebuilder:rbac:groups=imp.dev,resources=impnetworks,verbs=get;list;watch
+// +kubebuilder:rbac:groups=imp.dev,resources=impnetworks/status,verbs=get;update;patch
+
+func (r *ImpNetworkReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	var impNet impdevv1alpha1.ImpNetwork
+	if err := r.Get(ctx, req.NamespacedName, &impNet); err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	// Only sync FDB if this node has at least one running VM on this network.
+	var vmList impdevv1alpha1.ImpVMList
+	if err := r.List(ctx, &vmList, client.InNamespace(req.Namespace)); err != nil {
+		return ctrl.Result{}, err
+	}
+	hasLocalVM := false
+	for i := range vmList.Items {
+		vm := &vmList.Items[i]
+		if vm.Spec.NodeName == r.NodeName &&
+			vm.Spec.NetworkRef != nil &&
+			vm.Spec.NetworkRef.Name == impNet.Name &&
+			vm.Status.Phase == impdevv1alpha1.VMPhaseRunning {
+			hasLocalVM = true
+			break
+		}
+	}
+	if !hasLocalVM {
+		return ctrl.Result{}, nil
+	}
+
+	if err := syncNetworkFDB(ctx, &impNet, r.NodeIP, r.Net); err != nil {
+		logf.FromContext(ctx).WithValues("node", r.NodeName).Error(err, "syncNetworkFDB failed")
+		return ctrl.Result{}, err
+	}
+	return ctrl.Result{}, nil
+}
+
+func (r *ImpNetworkReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&impdevv1alpha1.ImpNetwork{}).
+		Named("agent-impnetwork").
+		Complete(r)
+}
+
+// syncNetworkFDB ensures VXLAN exists for the network and reconciles FDB with
+// remote (non-local) VTEP entries.
+func syncNetworkFDB(ctx context.Context, netObj *impdevv1alpha1.ImpNetwork, nodeIP string, mgr network.NetManager) error {
+	if mgr == nil || nodeIP == "" {
+		return nil
+	}
+
+	netKey := netObj.Namespace + "/" + netObj.Name
+	bridgeName := network.BridgeName(netKey)
+	vni, ifaceName := network.VXLANParams(string(netObj.UID))
+
+	if err := mgr.EnsureVXLAN(ctx, vni, ifaceName, nodeIP, bridgeName); err != nil {
+		return err
+	}
+
+	var remoteEntries []network.FDBEntry
+	for _, e := range netObj.Status.VTEPTable {
+		if e.NodeIP == nodeIP {
+			continue
+		}
+		remoteEntries = append(remoteEntries, network.FDBEntry{
+			MAC:   e.VMMAC,
+			DstIP: e.NodeIP,
+		})
+	}
+	return mgr.SyncFDB(ctx, ifaceName, remoteEntries)
+}
@@ -0,0 +1,113 @@
+//go:build linux
+
+package agent_test
+
+import (
+	"context"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	impdevv1alpha1 "github.com/syscode-labs/imp/api/v1alpha1"
+	"github.com/syscode-labs/imp/internal/agent"
+	"github.com/syscode-labs/imp/internal/agent/network"
+)
+
+func newImpNetworkScheme() *runtime.Scheme {
+	s := runtime.NewScheme()
+	_ = impdevv1alpha1.AddToScheme(s)
+	return s
+}
+
+func TestImpNetworkReconciler_noLocalVMs(t *testing.T) {
+	impNet := &impdevv1alpha1.ImpNetwork{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "net1",
+			Namespace: "default",
+			UID:       types.UID("uid-net1"),
+		},
+		Spec: impdevv1alpha1.ImpNetworkSpec{Subnet: "10.0.0.0/24"},
+	}
+	impNet.Status.VTEPTable = []impdevv1alpha1.VTEPEntry{
+		{NodeIP: "192.168.1.2", VMIP: "10.0.0.5", VMMAC: "02:aa:bb:cc:dd:ee"},
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(newImpNetworkScheme()).
+		WithObjects(impNet).
+		WithStatusSubresource(impNet).
+		Build()
+
+	stub := &network.StubNetManager{}
+	r := &agent.ImpNetworkReconciler{
+		Client:   fakeClient,
+		NodeName: "node-a",
+		NodeIP:   "192.168.1.1",
+		Net:      stub,
+	}
+
+	_, err := r.Reconcile(context.Background(), ctrl.Request{
+		NamespacedName: types.NamespacedName{Name: "net1", Namespace: "default"},
+	})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(stub.EnsureVXLANCalls) != 0 {
+		t.Errorf("expected no EnsureVXLAN calls (no local VMs), got %d", len(stub.EnsureVXLANCalls))
+	}
+}
+
+func TestImpNetworkReconciler_withLocalVM(t *testing.T) {
+	impNet := &impdevv1alpha1.ImpNetwork{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "net1",
+			Namespace: "default",
+			UID:       types.UID("uid-net1"),
+		},
+		Spec: impdevv1alpha1.ImpNetworkSpec{Subnet: "10.0.0.0/24"},
+	}
+	impNet.Status.VTEPTable = []impdevv1alpha1.VTEPEntry{
+		{NodeIP: "192.168.1.1", VMIP: "10.0.0.2", VMMAC: "02:aa:00:00:00:01"},
+		{NodeIP: "192.168.1.2", VMIP: "10.0.0.5", VMMAC: "02:bb:00:00:00:02"},
+	}
+
+	localVM := &impdevv1alpha1.ImpVM{
+		ObjectMeta: metav1.ObjectMeta{Name: "vm-local", Namespace: "default"},
+		Spec: impdevv1alpha1.ImpVMSpec{
+			NodeName:   "node-a",
+			NetworkRef: &impdevv1alpha1.NetworkRef{Name: "net1"},
+		},
+	}
+	localVM.Status.Phase = impdevv1alpha1.VMPhaseRunning
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(newImpNetworkScheme()).
+		WithObjects(impNet, localVM).
+		WithStatusSubresource(impNet, localVM).
+		Build()
+
+	stub := &network.StubNetManager{}
+	r := &agent.ImpNetworkReconciler{
+		Client:   fakeClient,
+		NodeName: "node-a",
+		NodeIP:   "192.168.1.1",
+		Net:      stub,
+	}
+
+	_, err := r.Reconcile(context.Background(), ctrl.Request{
+		NamespacedName: types.NamespacedName{Name: "net1", Namespace: "default"},
+	})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(stub.EnsureVXLANCalls) != 1 {
+		t.Fatalf("expected 1 EnsureVXLAN call, got %d", len(stub.EnsureVXLANCalls))
+	}
+	if len(stub.SyncFDBCalls) != 1 {
+		t.Fatalf("expected 1 SyncFDB call, got %d", len(stub.SyncFDBCalls))
+	}
+}