Implementing MEP-6: Clusters with private networks only / DMZ (#159)

metal-stack · Mar 3, 2021 · e2112b4 · e2112b4
1 parent c953576
commit e2112b4
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/pkg/apis/metal/types_controlplane.go b/pkg/apis/metal/types_controlplane.go
@@ -35,7 +35,8 @@ type CloudControllerManagerConfig struct {
 	// FeatureGates contains information about enabled feature gates.
 	FeatureGates map[string]bool
 	// DefaultExternalNetwork explicitly defines the network from which the CCM allocates IPs for services of type load balancer
-	// If not defined, it will use the first network with the default external network tag from the infrastructure firewall networks
+	// If not defined, it will use the last network with the default external network tag from the infrastructure firewall networks
+	// Networks not derived from a private super network have precedence.
 	// +optional
 	DefaultExternalNetwork *string
 }
diff --git a/pkg/apis/metal/v1alpha1/types_controlplane.go b/pkg/apis/metal/v1alpha1/types_controlplane.go
@@ -36,7 +36,8 @@ type CloudControllerManagerConfig struct {
 	// +optional
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 	// DefaultExternalNetwork explicitly defines the network from which the CCM allocates IPs for services of type load balancer
-	// If not defined, it will use the first network with the default external network tag from the infrastructure firewall networks
+	// If not defined, it will use the last network with the default external network tag from the infrastructure firewall networks
+	// Networks not derived from a private super network have precedence.
 	// +optional
 	DefaultExternalNetwork *string `json:"defaultExternalNetwork" optional:"true"`
 }
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -888,26 +888,45 @@ func getCCMChartValues(
 			return nil, errors.Wrap(err, fmt.Sprintf("could not retrieve user-given default external network: %s", defaultExternalNetwork))
 		}
 
-		if resp.Network.Projectid != "" && resp.Network.Projectid != infrastructureConfig.ProjectID {
-			return nil, fmt.Errorf("cannot define default external network of another project")
+		if resp.Network.Shared && resp.Network.Partitionid != infrastructureConfig.PartitionID {
+			return nil, fmt.Errorf("shared external network must be in same partition as shoot")
+		}
+
+		if resp.Network.Projectid != "" && resp.Network.Projectid != infrastructureConfig.ProjectID && !resp.Network.Shared {
+			return nil, fmt.Errorf("cannot define default external unshared network of another project")
 		}
 
 		if (resp.Network.Underlay != nil && *resp.Network.Underlay) || (resp.Network.Privatesuper != nil && *resp.Network.Privatesuper) {
 			return nil, fmt.Errorf("cannot declare underlay or private super networks as default external network")
 		}
 	} else {
+		var dmzNetwork string
 		for _, networkID := range infrastructureConfig.Firewall.Networks {
 			nw, ok := nws[networkID]
 			if !ok {
 				return nil, fmt.Errorf("network defined in firewall networks does not exist in metal-api")
 			}
 			for k := range nw.Labels {
 				if k == tag.NetworkDefaultExternal {
-					defaultExternalNetwork = networkID
+					if nw.Parentnetworkid != "" {
+						pn, ok := nws[nw.Parentnetworkid]
+						if !ok {
+							return nil, fmt.Errorf("network defined in firewall networks specified a parent network that does not exist in metal-api")
+						}
+						if *pn.Privatesuper {
+							dmzNetwork = networkID
+						}
+					} else {
+						defaultExternalNetwork = networkID
+					}
 					break
 				}
 			}
 		}
+		// fallback to a dmz network with the NetworkDefaultExternal tag
+		if defaultExternalNetwork == "" && dmzNetwork != "" {
+			defaultExternalNetwork = dmzNetwork
+		}
 		if defaultExternalNetwork == "" {
 			return nil, fmt.Errorf("unable to find a default external network for metal-ccm deployment")
 		}