feat(controller): reconcile group CIDRs into ImpNetwork status

syscod3 · syscod3 · commit 8a071c766c8b · 2026-03-24T23:47:10.000Z
diff --git a/internal/controller/events.go b/internal/controller/events.go
@@ -18,6 +18,7 @@ const (
 	EventReasonIPAllocated          = "IPAllocated"
 	EventReasonNATRulesApplied      = "NATRulesApplied"
 	EventReasonCiliumConfigMissing  = "CiliumConfigMissing"
+	EventReasonGroupCIDRError       = "GroupCIDRError"
 )
 
 // ImpVM condition type constants.
diff --git a/internal/controller/impnetwork_controller.go b/internal/controller/impnetwork_controller.go
@@ -3,6 +3,7 @@ package controller
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"strings"
 	"time"
 
@@ -183,6 +184,11 @@ func (r *ImpNetworkReconciler) sync(ctx context.Context, net *impdevv1alpha1.Imp
 		return ctrl.Result{}, err
 	}
 
+	// Allocate and record group subnets.
+	if err := r.reconcileGroupCIDRs(ctx, net); err != nil {
+		return ctrl.Result{}, err
+	}
+
 	// Enroll Running VMs as Cilium external workloads (no-op if Cilium absent).
 	if err := r.reconcileCiliumEnrollment(ctx, net); err != nil {
 		return ctrl.Result{}, err
@@ -284,6 +290,27 @@ func (r *ImpNetworkReconciler) ciliumPresent() bool {
 	return err == nil
 }
 
+// reconcileGroupCIDRs derives subnet CIDRs for each network group in spec.groups
+// and stores the result in status.groupCIDRs. Idempotent: skips the status patch
+// when the computed CIDRs match what is already recorded.
+func (r *ImpNetworkReconciler) reconcileGroupCIDRs(ctx context.Context, net *impdevv1alpha1.ImpNetwork) error {
+	desired, err := carveGroupCIDRs(net.Spec.Subnet, net.Spec.Groups)
+	if err != nil {
+		logf.FromContext(ctx).Error(err, "group CIDR carving failed", "network", net.Name)
+		r.Recorder.Eventf(net, corev1.EventTypeWarning, EventReasonGroupCIDRError,
+			"Group CIDR carving failed: %v", err)
+		return nil // don't block reconcile for this — operator continues without group CIDRs
+	}
+
+	if reflect.DeepEqual(net.Status.GroupCIDRs, desired) {
+		return nil
+	}
+
+	base := net.DeepCopy()
+	net.Status.GroupCIDRs = desired
+	return r.Status().Patch(ctx, net, client.MergeFrom(base))
+}
+
 // reconcileCiliumEnrollment creates CiliumExternalWorkload objects for Running VMs
 // attached to this network, and GCs CEWs for VMs that are no longer Running.
 // It is a no-op when Cilium is not the active CNI or its CRDs are not present.
diff --git a/internal/controller/impnetwork_controller_test.go b/internal/controller/impnetwork_controller_test.go
@@ -412,3 +412,85 @@ var _ = Describe("ImpNetwork Controller: CiliumConfigMissing", func() {
 		}, 200*time.Millisecond, 50*time.Millisecond).ShouldNot(ContainSubstring(EventReasonCiliumConfigMissing))
 	})
 })
+
+var _ = Describe("ImpNetwork Controller: group CIDR allocation", func() {
+	ctx := context.Background()
+
+	It("populates status.groupCIDRs from spec.groups on reconcile", func() {
+		net := &impdevv1alpha1.ImpNetwork{
+			ObjectMeta: metav1.ObjectMeta{Name: "group-net-1", Namespace: "default"},
+			Spec: impdevv1alpha1.ImpNetworkSpec{
+				Subnet: "10.55.0.0/24",
+				Groups: []impdevv1alpha1.NetworkGroupSpec{
+					{Name: "workers", ExpectedSize: 14},
+					{Name: "controllers", ExpectedSize: 4},
+				},
+			},
+		}
+		Expect(k8sClient.Create(ctx, net)).To(Succeed())
+		DeferCleanup(func() { k8sClient.Delete(ctx, net) }) //nolint:errcheck
+
+		r, _ := newNetworkReconciler(unknownStore())
+		// First reconcile: adds finalizer.
+		_, err := r.Reconcile(ctx, reconcile.Request{
+			NamespacedName: types.NamespacedName{Name: "group-net-1", Namespace: "default"},
+		})
+		Expect(err).NotTo(HaveOccurred())
+		// Second reconcile: runs sync, populates groupCIDRs.
+		_, err = r.Reconcile(ctx, reconcile.Request{
+			NamespacedName: types.NamespacedName{Name: "group-net-1", Namespace: "default"},
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		updated := &impdevv1alpha1.ImpNetwork{}
+		Expect(k8sClient.Get(ctx, types.NamespacedName{Name: "group-net-1", Namespace: "default"}, updated)).To(Succeed())
+		Expect(updated.Status.GroupCIDRs).To(HaveLen(2))
+
+		byName := make(map[string]string)
+		for _, gc := range updated.Status.GroupCIDRs {
+			byName[gc.Name] = gc.CIDR
+		}
+		// "controllers" sorted first: /29 at 10.55.0.0
+		Expect(byName["controllers"]).To(Equal("10.55.0.0/29"))
+		// "workers": /28 aligned after /29 block → 10.55.0.16
+		Expect(byName["workers"]).To(Equal("10.55.0.16/28"))
+	})
+
+	It("clears status.groupCIDRs when spec.groups is removed", func() {
+		net := &impdevv1alpha1.ImpNetwork{
+			ObjectMeta: metav1.ObjectMeta{Name: "group-net-2", Namespace: "default"},
+			Spec: impdevv1alpha1.ImpNetworkSpec{
+				Subnet: "10.56.0.0/24",
+				Groups: []impdevv1alpha1.NetworkGroupSpec{
+					{Name: "a", ExpectedSize: 4},
+				},
+			},
+		}
+		Expect(k8sClient.Create(ctx, net)).To(Succeed())
+		DeferCleanup(func() { k8sClient.Delete(ctx, net) }) //nolint:errcheck
+
+		r, _ := newNetworkReconciler(unknownStore())
+		for i := 0; i < 2; i++ {
+			_, err := r.Reconcile(ctx, reconcile.Request{
+				NamespacedName: types.NamespacedName{Name: "group-net-2", Namespace: "default"},
+			})
+			Expect(err).NotTo(HaveOccurred())
+		}
+
+		// Remove groups from spec.
+		updated := &impdevv1alpha1.ImpNetwork{}
+		Expect(k8sClient.Get(ctx, types.NamespacedName{Name: "group-net-2", Namespace: "default"}, updated)).To(Succeed())
+		updated.Spec.Groups = nil
+		Expect(k8sClient.Update(ctx, updated)).To(Succeed())
+
+		// Reconcile again.
+		_, err := r.Reconcile(ctx, reconcile.Request{
+			NamespacedName: types.NamespacedName{Name: "group-net-2", Namespace: "default"},
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		final := &impdevv1alpha1.ImpNetwork{}
+		Expect(k8sClient.Get(ctx, types.NamespacedName{Name: "group-net-2", Namespace: "default"}, final)).To(Succeed())
+		Expect(final.Status.GroupCIDRs).To(BeEmpty())
+	})
+})

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ const (`
`18`	`18`	`EventReasonIPAllocated = "IPAllocated"`
`19`	`19`	`EventReasonNATRulesApplied = "NATRulesApplied"`
`20`	`20`	`EventReasonCiliumConfigMissing = "CiliumConfigMissing"`
	`21`	`+ EventReasonGroupCIDRError = "GroupCIDRError"`
`21`	`22`	`)`
`22`	`23`
`23`	`24`	`// ImpVM condition type constants.`