feat(agent): attach VXLAN interface to bridge on EnsureVXLAN

syscod3 · syscod3 · commit 431159a84f33 · 2026-03-07T17:58:58.000Z
diff --git a/internal/agent/network/net.go b/internal/agent/network/net.go
@@ -45,10 +45,10 @@ type NetManager interface {
 	// If egressIface is empty, the default-route interface is used.
 	RemoveNAT(ctx context.Context, subnet, egressIface string) error
 
-	// EnsureVXLAN creates or reconciles the VXLAN interface for the given network.
-	// vni is the VXLAN Network Identifier. ifaceName is the interface name to use.
-	// nodeIP is the local node's IP for VTEP termination.
-	EnsureVXLAN(ctx context.Context, vni uint32, ifaceName, nodeIP string) error
+	// EnsureVXLAN creates or reconciles the VXLAN interface for the given network,
+	// attaches it to bridgeName, and brings it up. bridgeName must already exist
+	// (call EnsureNetwork first). Idempotent.
+	EnsureVXLAN(ctx context.Context, vni uint32, ifaceName, nodeIP, bridgeName string) error
 
 	// SyncFDB reconciles the local FDB (forwarding database) on the VXLAN interface
 	// to match the provided entries. Entries not in the list are removed.
@@ -58,13 +58,14 @@ type NetManager interface {
 // StubNetManager is a no-op NetManager for tests.
 // It records calls so tests can verify interactions.
 type StubNetManager struct {
-	EnsureNetworkCalls []string // bridgeName
-	SetupVMCalls       []string // tapName
-	TeardownVMCalls    []string // tapName
-	EnsureNATCalls     []string // subnet
-	RemoveNATCalls     []string // subnet
-	EnsureVXLANCalls   []string // ifaceName
-	SyncFDBCalls       []string // ifaceName
+	EnsureNetworkCalls     []string // bridgeName
+	SetupVMCalls           []string // tapName
+	TeardownVMCalls        []string // tapName
+	EnsureNATCalls         []string // subnet
+	RemoveNATCalls         []string // subnet
+	EnsureVXLANCalls       []string // ifaceName
+	EnsureVXLANBridgeCalls []string // bridgeName
+	SyncFDBCalls           []string // ifaceName
 
 	EnsureNetworkErr error
 	SetupVMErr       error
@@ -100,8 +101,9 @@ func (s *StubNetManager) RemoveNAT(_ context.Context, subnet, _ string) error {
 	return s.RemoveNATErr
 }
 
-func (s *StubNetManager) EnsureVXLAN(_ context.Context, _ uint32, ifaceName, _ string) error {
+func (s *StubNetManager) EnsureVXLAN(_ context.Context, _ uint32, ifaceName, _, bridgeName string) error {
 	s.EnsureVXLANCalls = append(s.EnsureVXLANCalls, ifaceName)
+	s.EnsureVXLANBridgeCalls = append(s.EnsureVXLANBridgeCalls, bridgeName)
 	return s.EnsureVXLANErr
 }
 
diff --git a/internal/agent/network/vxlan.go b/internal/agent/network/vxlan.go
@@ -11,32 +11,34 @@ import (
 	"github.com/vishvananda/netlink"
 )
 
-// EnsureVXLAN creates or reconciles the VXLAN interface for the given network.
-// vni is the VXLAN Network Identifier, ifaceName is the interface name to use,
-// and nodeIP is the local node's IP for VTEP termination.
-// Idempotent: no-ops if the interface already exists with matching configuration.
-func (m *LinuxNetManager) EnsureVXLAN(_ context.Context, vni uint32, ifaceName, nodeIP string) error {
+// EnsureVXLAN creates or reconciles the VXLAN interface for the given network,
+// attaches it to bridgeName, and brings it up. bridgeName must already exist
+// (call EnsureNetwork first). Idempotent.
+func (m *LinuxNetManager) EnsureVXLAN(_ context.Context, vni uint32, ifaceName, nodeIP, bridgeName string) error {
 	localIP := net.ParseIP(nodeIP)
 	if localIP == nil {
 		return fmt.Errorf("invalid nodeIP %q", nodeIP)
 	}
 
 	link, err := netlink.LinkByName(ifaceName)
 	if err == nil {
-		// Interface already exists — ensure it is up.
-		return netlink.LinkSetUp(link)
+		// Interface already exists — ensure it is up and attached to bridge.
+		if err := netlink.LinkSetUp(link); err != nil {
+			return err
+		}
+		return m.attachToBridge(link, bridgeName)
 	}
 
 	vx := &netlink.Vxlan{
 		LinkAttrs: netlink.LinkAttrs{
 			Name: ifaceName,
 		},
-		VxlanId:      int(vni),
-		SrcAddr:      localIP.To4(),
-		Port:         8472,
-		Learning:     false,
-		L2miss:       false,
-		L3miss:       false,
+		VxlanId:  int(vni),
+		SrcAddr:  localIP.To4(),
+		Port:     8472,
+		Learning: false,
+		L2miss:   false,
+		L3miss:   false,
 	}
 	if err := netlink.LinkAdd(vx); err != nil {
 		return fmt.Errorf("create vxlan %s (vni %d): %w", ifaceName, vni, err)
@@ -46,7 +48,27 @@ func (m *LinuxNetManager) EnsureVXLAN(_ context.Context, vni uint32, ifaceName,
 	if err != nil {
 		return fmt.Errorf("fetch vxlan %s after create: %w", ifaceName, err)
 	}
-	return netlink.LinkSetUp(link)
+	if err := netlink.LinkSetUp(link); err != nil {
+		return err
+	}
+	return m.attachToBridge(link, bridgeName)
+}
+
+// attachToBridge attaches link to the bridge named bridgeName.
+// No-op if link is already a member of that bridge or bridgeName is empty.
+func (m *LinuxNetManager) attachToBridge(link netlink.Link, bridgeName string) error {
+	if bridgeName == "" {
+		return nil
+	}
+	bridge, err := netlink.LinkByName(bridgeName)
+	if err != nil {
+		return fmt.Errorf("get bridge %s: %w", bridgeName, err)
+	}
+	// Already a member?
+	if link.Attrs().MasterIndex == bridge.Attrs().Index {
+		return nil
+	}
+	return netlink.LinkSetMaster(link, bridge)
 }
 
 // SyncFDB reconciles the local FDB (forwarding database) on the VXLAN interface
diff --git a/internal/agent/network/vxlan_test.go b/internal/agent/network/vxlan_test.go
@@ -1,6 +1,7 @@
 package network_test
 
 import (
+	"context"
 	"testing"
 
 	"github.com/syscode-labs/imp/internal/agent/network"
@@ -63,3 +64,17 @@ func TestVXLANParams_distinct(t *testing.T) {
 		t.Errorf("different UIDs produced same ifaceName %q", iface1)
 	}
 }
+
+func TestStubNetManager_EnsureVXLAN_recordsBridgeName(t *testing.T) {
+	stub := &network.StubNetManager{}
+	_ = stub.EnsureVXLAN(context.Background(), 42, "impvx-abc", "10.0.0.1", "impbr-xyz")
+	if len(stub.EnsureVXLANCalls) != 1 {
+		t.Fatalf("expected 1 EnsureVXLAN call, got %d", len(stub.EnsureVXLANCalls))
+	}
+	if stub.EnsureVXLANCalls[0] != "impvx-abc" {
+		t.Errorf("expected ifaceName impvx-abc, got %q", stub.EnsureVXLANCalls[0])
+	}
+	if stub.EnsureVXLANBridgeCalls[0] != "impbr-xyz" {
+		t.Errorf("expected bridgeName impbr-xyz, got %q", stub.EnsureVXLANBridgeCalls[0])
+	}
+}
diff --git a/internal/agent/reconciler.go b/internal/agent/reconciler.go
@@ -332,9 +332,11 @@ func (r *ImpVMReconciler) syncFDB(ctx context.Context, vm *impdevv1alpha1.ImpVM)
 		return client.IgnoreNotFound(err)
 	}
 
+	netKey := impNet.Namespace + "/" + impNet.Name
+	bridgeName := network.BridgeName(netKey)
 	vni, ifaceName := network.VXLANParams(string(impNet.UID))
 
-	if err := r.Net.EnsureVXLAN(ctx, vni, ifaceName, r.NodeIP); err != nil {
+	if err := r.Net.EnsureVXLAN(ctx, vni, ifaceName, r.NodeIP, bridgeName); err != nil {
 		return err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -332,9 +332,11 @@ func (r ImpVMReconciler) syncFDB(ctx context.Context, vm impdevv1alpha1.ImpVM)`
`332`	`332`	`return client.IgnoreNotFound(err)`
`333`	`333`	`}`
`334`	`334`
	`335`	`+ netKey := impNet.Namespace + "/" + impNet.Name`
	`336`	`+ bridgeName := network.BridgeName(netKey)`
`335`	`337`	`vni, ifaceName := network.VXLANParams(string(impNet.UID))`
`336`	`338`
`337`		`- if err := r.Net.EnsureVXLAN(ctx, vni, ifaceName, r.NodeIP); err != nil {`
	`339`	`+ if err := r.Net.EnsureVXLAN(ctx, vni, ifaceName, r.NodeIP, bridgeName); err != nil {`
`338`	`340`	`return err`
`339`	`341`	`}`
`340`	`342`