Merge branch 'main' into concept-doc/network-policy

.github/dependabot.yml

@@ -4,15 +4,29 @@ updates:
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
+      interval: "weekly"
+    reviewers:
+      - "ironcore-dev/core"
+    # Ignore K8 packages as these are done manually
+    ignore:
+      - dependency-name: "k8s.io/api"
+      - dependency-name: "k8s.io/apiextensions-apiserver"
+      - dependency-name: "k8s.io/apimachinery"
+      - dependency-name: "k8s.io/apiserver"
+      - dependency-name: "k8s.io/client-go"
+      - dependency-name: "k8s.io/component-base"
+      - dependency-name: "k8s.io/kube-aggregator"
+      - dependency-name: "k8s.io/kubectl"
+      - dependency-name: "sigs.k8s.io/controller-runtime"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
+      interval: "weekly"
+    reviewers:
+      - "ironcore-dev/core"
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
+      interval: "weekly"
+    reviewers:
+      - "ironcore-dev/core"

.github/workflows/dependabot-auto-merge.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
     - name: Dependabot metadata
       id: metadata
-      uses: dependabot/fetch-metadata@v1
+      uses: dependabot/fetch-metadata@v2
       with:
         github-token: "${{ secrets.GITHUB_TOKEN }}"
     - name: Approve the PR

.github/workflows/lint.yml

@@ -15,6 +15,6 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.56.0
+          version: v1.57.2

.github/workflows/publish-docker.yml

@@ -73,7 +73,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push
         timeout-minutes: 40
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/release-drafter.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
     types: [ opened, reopened, synchronize ]
 
 jobs:

.github/workflows/size-label.yml

@@ -1,7 +1,7 @@
 name: Size Label
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - edited
@@ -15,6 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: size-label
-        uses: pascalgn/[email protected].0
+        uses: pascalgn/[email protected].2
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

Makefile

@@ -112,7 +112,7 @@ ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
 test-only: envtest ## Only run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
 
-.PHONY: openapi-extractor
+.PHONY: extract-openapi
 extract-openapi: envtest openapi-extractor
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" $(OPENAPI_EXTRACTOR) \
 		--apiserver-package="github.com/ironcore-dev/ironcore-net/cmd/apiserver" \
@@ -349,11 +349,11 @@ GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 KUSTOMIZE_VERSION ?= v5.1.1
 CODE_GENERATOR_VERSION ?= v0.29.0
 VGOPATH_VERSION ?= v0.1.3
-CONTROLLER_TOOLS_VERSION ?= v0.13.0
+CONTROLLER_TOOLS_VERSION ?= v0.14.0
 GEN_CRD_API_REFERENCE_DOCS_VERSION ?= v0.3.0
 ADDLICENSE_VERSION ?= v1.1.1
-GOIMPORTS_VERSION ?= v0.13.0
-GOLANGCI_LINT_VERSION ?= v1.56.0
+GOIMPORTS_VERSION ?= v0.20.0
+GOLANGCI_LINT_VERSION ?= v1.57.2
 OPENAPI_EXTRACTOR_VERSION ?= v0.1.4
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"

api/core/v1alpha1/common_types.go

@@ -3,6 +3,11 @@
 
 package v1alpha1
 
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
 const (
 	ReconcileRequestAnnotation = "reconcile.apinet.ironcore.dev/requestedAt"
 
@@ -28,3 +33,20 @@ func APINetletCommonName(name string) string {
 func MetalnetletCommonName(name string) string {
 	return MetalnetletUserNamePrefix + name
 }
+
+// ObjectSelector specifies how to select objects of a certain kind.
+type ObjectSelector struct {
+	// Kind is the kind of object to select.
+	Kind string `json:"kind"`
+	// LabelSelector is the label selector to select objects of the specified Kind by.
+	metav1.LabelSelector `json:",inline"`
+}
+
+// LocalUIDReference is a reference to another entity including its UID
+// +structType=atomic
+type LocalUIDReference struct {
+	// Name is the name of the referenced entity.
+	Name string `json:"name"`
+	// UID is the UID of the referenced entity.
+	UID types.UID `json:"uid"`
+}

api/core/v1alpha1/network_types.go

@@ -10,9 +10,45 @@ import (
 type NetworkSpec struct {
 	// ID is the ID of the network.
 	ID string `json:"id,omitempty"`
+	// Peerings are the network peerings with this network
+	Peerings []NetworkPeering `json:"peerings,omitempty"`
+}
+
+// NetworkPeering defines a network peering with another network.
+type NetworkPeering struct {
+	// Name is the semantical name of the network peering.
+	Name string `json:"name"`
+	// ID is the ID of the network to peer with.
+	ID string `json:"id"`
 }
 
 type NetworkStatus struct {
+	// Peerings contains the states of the network peerings for the network.
+	Peerings []NetworkPeeringStatus `json:"peerings,omitempty"`
+}
+
+// NetworkState is the state of a network.
+// +enum
+type NetworkState string
+
+// NetworkPeeringState is the state a NetworkPeering can be in
+type NetworkPeeringState string
+
+const (
+	// NetworkPeeringStatePending signals that the network peering is not applied.
+	NetworkPeeringStatePending NetworkPeeringState = "Pending"
+	// NetworkPeeringStateReady signals that the network peering is ready.
+	NetworkPeeringStateReady NetworkPeeringState = "Ready"
+	// NetworkPeeringStateError signals that the network peering is in error state.
+	NetworkPeeringStateError NetworkPeeringState = "Error"
+)
+
+// NetworkPeeringStatus is the status of a network peering.
+type NetworkPeeringStatus struct {
+	// ID is the ID of network
+	ID int32 `json:"id"`
+	// State represents the network peering state
+	State NetworkPeeringState `json:"state,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

api/core/v1alpha1/networkpolicy_types.go

@@ -0,0 +1,118 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"github.com/ironcore-dev/ironcore-net/apimachinery/api/net"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type NetworkPolicySpec struct {
+	// NetworkRef is the network to regulate using this policy.
+	NetworkRef corev1.LocalObjectReference `json:"networkRef"`
+	// NetworkInterfaceSelector selects the network interfaces that are subject to this policy.
+	NetworkInterfaceSelector metav1.LabelSelector `json:"networkInterfaceSelector"`
+	// Priority is an optional field that specifies the order in which the policy is applied.
+	// Policies with higher "order" are applied after those with lower
+	// order.  If the order is omitted, it may be considered to be "infinite" - i.e. the
+	// policy will be applied last.  Policies with identical order will be applied in
+	// alphanumerical order based on the Policy "Name".
+	Priority *int32 `json:"priority,omitempty"`
+	// Ingress specifies rules for ingress traffic.
+	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty"`
+	// Egress specifies rules for egress traffic.
+	Egress []NetworkPolicyEgressRule `json:"egress,omitempty"`
+	// PolicyTypes specifies the types of policies this network policy contains.
+	PolicyTypes []PolicyType `json:"policyTypes,omitempty"`
+}
+
+// NetworkPolicyPort describes a port to allow traffic on
+type NetworkPolicyPort struct {
+	// Protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this
+	// field defaults to TCP.
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+
+	// The port on the given protocol. If this field is not provided, this matches
+	// all port names and numbers.
+	// If present, only traffic on the specified protocol AND port will be matched.
+	Port int32 `json:"port,omitempty"`
+
+	// EndPort indicates that the range of ports from Port to EndPort, inclusive,
+	// should be allowed by the policy. This field cannot be defined if the port field
+	// is not defined. The endPort must be equal or greater than port.
+	EndPort *int32 `json:"endPort,omitempty" protobuf:"bytes,3,opt,name=endPort"`
+}
+
+// IPBlock specifies an ip block with optional exceptions.
+type IPBlock struct {
+	// CIDR is a string representing the ip block.
+	CIDR net.IPPrefix `json:"cidr"`
+	// Except is a slice of CIDRs that should not be included within the specified CIDR.
+	// Values will be rejected if they are outside CIDR.
+	Except []net.IPPrefix `json:"except,omitempty"`
+}
+
+// NetworkPolicyPeer describes a peer to allow traffic to / from.
+type NetworkPolicyPeer struct {
+	// ObjectSelector selects peers with the given kind matching the label selector.
+	// Exclusive with other peer specifiers.
+	ObjectSelector *ObjectSelector `json:"objectSelector,omitempty"`
+	// IPBlock specifies the ip block from or to which network traffic may come.
+	IPBlock *IPBlock `json:"ipBlock,omitempty"`
+}
+
+// NetworkPolicyIngressRule describes a rule to regulate ingress traffic with.
+type NetworkPolicyIngressRule struct {
+	// From specifies the list of sources which should be able to send traffic to the
+	// selected network interfaces. Fields are combined using a logical OR. Empty matches all sources.
+	// As soon as a single item is present, only these peers are allowed.
+	From []NetworkPolicyPeer `json:"from,omitempty"`
+	// Ports specifies the list of ports which should be made accessible for
+	// this rule. Each item in this list is combined using a logical OR. Empty matches all ports.
+	// As soon as a single item is present, only these ports are allowed.
+	Ports []NetworkPolicyPort `json:"ports,omitempty"`
+}
+
+// NetworkPolicyEgressRule describes a rule to regulate egress traffic with.
+type NetworkPolicyEgressRule struct {
+	// Ports specifies the list of destination ports that can be called with
+	// this rule. Each item in this list is combined using a logical OR. Empty matches all ports.
+	// As soon as a single item is present, only these ports are allowed.
+	Ports []NetworkPolicyPort `json:"ports,omitempty"`
+	// To specifies the list of destinations which the selected network interfaces should be
+	// able to send traffic to. Fields are combined using a logical OR. Empty matches all destinations.
+	// As soon as a single item is present, only these peers are allowed.
+	To []NetworkPolicyPeer `json:"to,omitempty"`
+}
+
+// PolicyType is a type of policy.
+type PolicyType string
+
+const (
+	// PolicyTypeIngress is a policy that describes ingress traffic.
+	PolicyTypeIngress PolicyType = "Ingress"
+	// PolicyTypeEgress is a policy that describes egress traffic.
+	PolicyTypeEgress PolicyType = "Egress"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +genclient
+
+// NetworkPolicy is the Schema for the networkpolicies API.
+type NetworkPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec NetworkPolicySpec `json:"spec,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkPolicyList contains a list of NetworkPolicy.
+type NetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NetworkPolicy `json:"items"`
+}

api/core/v1alpha1/networkpolicyrule_types.go

@@ -0,0 +1,64 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"github.com/ironcore-dev/ironcore-net/apimachinery/api/net"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +genclient
+
+// NetworkPolicyRule is the schema for the networkpolicyrules API.
+type NetworkPolicyRule struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// NetworkRef is the network the load balancer is assigned to.
+	NetworkRef LocalUIDReference `json:"networkRef"`
+	// Targets are the targets of the network policy.
+	Targets []TargetNetworkInterface `json:"targets,omitempty"`
+	// Priority is an optional field that specifies the order in which the policy is applied.
+	Priority *int32 `json:"priority,omitempty"`
+	// IngressRules are the ingress rules.
+	IngressRules []Rule `json:"ingressRule,omitempty"`
+	// EgressRules are the egress rules.
+	EgressRules []Rule `json:"egressRule,omitempty"`
+}
+
+// TargetNetworkInterface is the target of the network policy.
+type TargetNetworkInterface struct {
+	// IP is the IP address of the target network interface.
+	IP net.IP `json:"ip"`
+	// TargetRef is the target providing the destination.
+	TargetRef *LocalUIDReference `json:"targetRef,omitempty"`
+}
+
+type Rule struct {
+	// CIDRBlock specifies the CIDR block from which network traffic may come or go.
+	CIDRBlock []IPBlock `json:"ipBlock,omitempty"`
+	// ObjectIPs are the object IPs the rule applies to.
+	ObjectIPs []ObjectIP `json:"ips,omitempty"`
+	// NetworkPolicyPorts are the protocol type and ports.
+	NetworkPolicyPorts []NetworkPolicyPort `json:"networkPolicyPorts,omitempty"`
+}
+
+type ObjectIP struct {
+	// IPFamily is the IPFamily of the prefix.
+	// If unset but Prefix is set, this can be inferred.
+	IPFamily corev1.IPFamily `json:"ipFamily,omitempty"`
+	// Prefix is the prefix of the IP.
+	Prefix net.IPPrefix `json:"prefix,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkPolicyRulesList contains a list of NetworkPolicyRule.
+type NetworkPolicyRuleList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NetworkPolicyRule `json:"items"`
+}

api/core/v1alpha1/register.go

@@ -55,6 +55,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&NetworkIDList{},
 		&NetworkInterface{},
 		&NetworkInterfaceList{},
+		&NetworkPolicy{},
+		&NetworkPolicyList{},
+		&NetworkPolicyRule{},
+		&NetworkPolicyRuleList{},
 		&Node{},
 		&NodeList{},
 	)