feat: calculate default no_proxy values based on cluster

Author: mhrabovcin

charts/capi-runtime-extensions/templates/role.yaml

@@ -30,3 +30,11 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cluster.x-k8s.io
+  resources:
+  - clusters
+  verbs:
+  - get
+  - list
+  - watch

cmd/capi-runtime-extensions/main.go

@@ -78,7 +78,7 @@ func main() {
 		servicelbgc.New(client),
 		calico.New(client, calicoCNIConfig),
 		httpproxy.NewVariable(),
-		httpproxy.NewPatch(),
+		httpproxy.NewPatch(client),
 	)
 
 	// Initialize and parse command line flags.

docs/content/http-proxy.md

@@ -35,11 +35,17 @@ spec:
       values:
         http: http://example.com
         https: http://example.com
-        no:
+        additionalNo:
           - http://no-proxy-1.example.com
           - http://no-proxy-2.example.com
 ```
 
+The `additionalNo` list will be added to default pre-calculated values that apply on k8s networking.
+
+```
+localhost,127.0.0.1,<POD CIDRS>,<SERVICE CIDRS>,kubernetes,.svc,.svc.cluster,.svc.cluster.local
+```
+
 Applying this configuration will result in new bootstrap files on the `KubeadmControlPlaneTemplate`
 and `KubeadmConfigTemplate`.
 

pkg/handlers/httpproxy/inject.go

@@ -1,20 +1,27 @@
 // Copyright 2023 D2iQ, Inc. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=watch;list;get
+
 package httpproxy
 
 import (
 	"context"
+	"errors"
+	"fmt"
+	"strings"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/types"
+	capiv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
 	"sigs.k8s.io/cluster-api/exp/runtime/topologymutation"
 	ctrl "sigs.k8s.io/controller-runtime"
+	ctrclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/capi/clustertopology/patches"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/capi/clustertopology/patches/selectors"
@@ -29,14 +36,15 @@ const (
 
 type httpProxyPatchHandler struct {
 	decoder runtime.Decoder
+	client  ctrclient.Reader
 }
 
 var (
 	_ handlers.NamedHandler                   = &httpProxyPatchHandler{}
 	_ handlers.GeneratePatchesMutationHandler = &httpProxyPatchHandler{}
 )
 
-func NewPatch() *httpProxyPatchHandler {
+func NewPatch(cl ctrclient.Reader) *httpProxyPatchHandler {
 	scheme := runtime.NewScheme()
 	_ = bootstrapv1.AddToScheme(scheme)
 	_ = controlplanev1.AddToScheme(scheme)
@@ -45,6 +53,7 @@ func NewPatch() *httpProxyPatchHandler {
 			controlplanev1.GroupVersion,
 			bootstrapv1.GroupVersion,
 		),
+		client: cl,
 	}
 }
 
@@ -57,6 +66,12 @@ func (h *httpProxyPatchHandler) GeneratePatches(
 	req *runtimehooksv1.GeneratePatchesRequest,
 	resp *runtimehooksv1.GeneratePatchesResponse,
 ) {
+	log := ctrl.LoggerFrom(ctx)
+	noProxy, err := h.detectNoProxy(ctx, req)
+	if err != nil {
+		log.Error(err, "failed to resolve no proxy value")
+	}
+
 	topologymutation.WalkTemplates(
 		ctx,
 		h.decoder,
@@ -68,7 +83,7 @@ func (h *httpProxyPatchHandler) GeneratePatches(
 			vars map[string]apiextensionsv1.JSON,
 			holderRef runtimehooksv1.HolderReference,
 		) error {
-			log := ctrl.LoggerFrom(ctx).WithValues(
+			log = log.WithValues(
 				"holderRef", holderRef,
 			)
 
@@ -95,7 +110,7 @@ func (h *httpProxyPatchHandler) GeneratePatches(
 					}).Info("adding files to kubeadm config spec")
 					obj.Spec.Template.Spec.KubeadmConfigSpec.Files = append(
 						obj.Spec.Template.Spec.KubeadmConfigSpec.Files,
-						generateSystemdFiles(httpProxyVariable)...,
+						generateSystemdFiles(httpProxyVariable, noProxy)...,
 					)
 					return nil
 				}); err != nil {
@@ -111,7 +126,7 @@ func (h *httpProxyPatchHandler) GeneratePatches(
 					}).Info("adding files to worker node kubeadm config template")
 					obj.Spec.Template.Spec.Files = append(
 						obj.Spec.Template.Spec.Files,
-						generateSystemdFiles(httpProxyVariable)...,
+						generateSystemdFiles(httpProxyVariable, noProxy)...,
 					)
 					return nil
 				}); err != nil {
@@ -122,3 +137,77 @@ func (h *httpProxyPatchHandler) GeneratePatches(
 		},
 	)
 }
+
+func (h *httpProxyPatchHandler) detectNoProxy(
+	ctx context.Context,
+	req *runtimehooksv1.GeneratePatchesRequest,
+) ([]string, error) {
+	clusterKey := types.NamespacedName{}
+
+	for _, item := range req.Items {
+		if item.HolderReference.Kind == "Cluster" && item.HolderReference.APIVersion == capiv1.GroupVersion.String() {
+			clusterKey.Name = item.HolderReference.Name
+			clusterKey.Namespace = item.HolderReference.Namespace
+		}
+	}
+
+	if clusterKey.Name == "" {
+		return nil, errors.New("failed to detect cluster name from GeneratePatch request")
+	}
+
+	cluster := &capiv1.Cluster{}
+	if err := h.client.Get(ctx, clusterKey, cluster); err != nil {
+		return nil, err
+	}
+
+	return generateNoProxy(cluster), nil
+}
+
+// generateNoProxy creates default NO_PROXY values that should be applied on cluster
+// in any environment and are preventing the use of proxy for cluster internal
+// networking.
+func generateNoProxy(cluster *capiv1.Cluster) []string {
+	noProxy := []string{
+		"localhost",
+		"127.0.0.1",
+	}
+
+	if cluster.Spec.ClusterNetwork != nil &&
+		cluster.Spec.ClusterNetwork.Pods != nil {
+		noProxy = append(noProxy, cluster.Spec.ClusterNetwork.Pods.CIDRBlocks...)
+	}
+
+	if cluster.Spec.ClusterNetwork != nil &&
+		cluster.Spec.ClusterNetwork.Services != nil {
+		noProxy = append(noProxy, cluster.Spec.ClusterNetwork.Services.CIDRBlocks...)
+	}
+
+	serviceDomain := "cluster.local"
+	if cluster.Spec.ClusterNetwork != nil &&
+		cluster.Spec.ClusterNetwork.ServiceDomain != "" {
+		serviceDomain = cluster.Spec.ClusterNetwork.ServiceDomain
+	}
+
+	noProxy = append(noProxy, []string{
+		"kubernetes",
+		"kubernetes.default",
+		".svc",
+	}...)
+
+	noProxy = append(noProxy, mapServiceDomain(serviceDomain, ".svc")...)
+
+	return noProxy
+}
+
+// mapServiceDomain generates NO_PROXY values for service domain to allow use
+// of short service name in cluster.
+// Example: my.custom => [.svc, .svc.my, .svc.my.custom]
+func mapServiceDomain(serviceDomain, svcName string) []string {
+	mapped := []string{svcName}
+	progress := svcName
+	for _, part := range strings.Split(serviceDomain, ".") {
+		progress = fmt.Sprintf("%s.%s", progress, part)
+		mapped = append(mapped, progress)
+	}
+	return mapped
+}

pkg/handlers/httpproxy/inject_test.go

@@ -1,7 +1,7 @@
 // Copyright 2023 D2iQ, Inc. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package httpproxy_test
+package httpproxy
 
 import (
 	"bytes"
@@ -16,16 +16,17 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	capiv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
-
-	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/httpproxy"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
 func TestGeneratePatches(t *testing.T) {
 	g := NewWithT(t)
-	h := httpproxy.NewPatch()
+	fakeClient := fake.NewClientBuilder().Build()
+	h := NewPatch(fakeClient)
 	req := &runtimehooksv1.GeneratePatchesRequest{}
 	resp := &runtimehooksv1.GeneratePatchesResponse{}
 	h.GeneratePatches(context.Background(), req, resp)
@@ -34,13 +35,14 @@ func TestGeneratePatches(t *testing.T) {
 
 func TestGeneratePatches_KubeadmControlPlaneTemplate(t *testing.T) {
 	g := NewWithT(t)
-	h := httpproxy.NewPatch()
+	fakeClient := fake.NewClientBuilder().Build()
+	h := NewPatch(fakeClient)
 	req := &runtimehooksv1.GeneratePatchesRequest{
 		Variables: []runtimehooksv1.Variable{
-			newVariable(httpproxy.VariableName, httpproxy.HTTPProxyVariables{
-				HTTP:  "http://example.com",
-				HTTPS: "https://example.com",
-				NO:    []string{"https://no-proxy.example.com"},
+			newVariable(VariableName, HTTPProxyVariables{
+				HTTP:         "http://example.com",
+				HTTPS:        "https://example.com",
+				AdditionalNO: []string{"https://no-proxy.example.com"},
 			}),
 		},
 		Items: []runtimehooksv1.GeneratePatchesRequestItem{
@@ -84,13 +86,14 @@ func TestGeneratePatches_KubeadmControlPlaneTemplate(t *testing.T) {
 
 func TestGeneratePatches_KubeadmConfigTemplate(t *testing.T) {
 	g := NewWithT(t)
-	h := httpproxy.NewPatch()
+	fakeClient := fake.NewClientBuilder().Build()
+	h := NewPatch(fakeClient)
 	req := &runtimehooksv1.GeneratePatchesRequest{
 		Variables: []runtimehooksv1.Variable{
-			newVariable(httpproxy.VariableName, httpproxy.HTTPProxyVariables{
-				HTTP:  "http://example.com",
-				HTTPS: "https://example.com",
-				NO:    []string{"https://no-proxy.example.com"},
+			newVariable(VariableName, HTTPProxyVariables{
+				HTTP:         "http://example.com",
+				HTTPS:        "https://example.com",
+				AdditionalNO: []string{"https://no-proxy.example.com"},
 			}),
 			newVariable("builtin", map[string]any{
 				"machineDeployment": map[string]any{
@@ -137,6 +140,98 @@ func TestGeneratePatches_KubeadmConfigTemplate(t *testing.T) {
 	})))
 }
 
+func TestGenerateNoProxy(t *testing.T) {
+	t.Parallel()
+	g := NewWithT(t)
+
+	testCases := []struct {
+		name            string
+		cluster         *capiv1.Cluster
+		expectedNoProxy []string
+	}{
+		{
+			name:    "no networking config",
+			cluster: &capiv1.Cluster{},
+			expectedNoProxy: []string{
+				"localhost", "127.0.0.1", "kubernetes", "kubernetes.default",
+				".svc", ".svc", ".svc.cluster", ".svc.cluster.local",
+			},
+		},
+		{
+			name: "custom pod network",
+			cluster: &capiv1.Cluster{
+				Spec: capiv1.ClusterSpec{
+					ClusterNetwork: &capiv1.ClusterNetwork{
+						Pods: &capiv1.NetworkRanges{
+							CIDRBlocks: []string{"10.0.0.0/24", "10.0.1.0/24"},
+						},
+					},
+				},
+			},
+			expectedNoProxy: []string{
+				"localhost", "127.0.0.1", "10.0.0.0/24", "10.0.1.0/24", "kubernetes", "kubernetes.default",
+				".svc", ".svc", ".svc.cluster", ".svc.cluster.local",
+			},
+		},
+		{
+			name: "custom service network",
+			cluster: &capiv1.Cluster{
+				Spec: capiv1.ClusterSpec{
+					ClusterNetwork: &capiv1.ClusterNetwork{
+						Services: &capiv1.NetworkRanges{
+							CIDRBlocks: []string{"172.16.0.0/24", "172.16.1.0/24"},
+						},
+					},
+				},
+			},
+			expectedNoProxy: []string{
+				"localhost", "127.0.0.1", "172.16.0.0/24", "172.16.1.0/24", "kubernetes", "kubernetes.default",
+				".svc", ".svc", ".svc.cluster", ".svc.cluster.local",
+			},
+		},
+		{
+			name: "custom servicedomain",
+			cluster: &capiv1.Cluster{
+				Spec: capiv1.ClusterSpec{
+					ClusterNetwork: &capiv1.ClusterNetwork{
+						ServiceDomain: "foo.bar",
+					},
+				},
+			},
+			expectedNoProxy: []string{
+				"localhost", "127.0.0.1", "kubernetes", "kubernetes.default",
+				".svc", ".svc", ".svc.foo", ".svc.foo.bar",
+			},
+		},
+		{
+			name: "all options",
+			cluster: &capiv1.Cluster{
+				Spec: capiv1.ClusterSpec{
+					ClusterNetwork: &capiv1.ClusterNetwork{
+						Pods: &capiv1.NetworkRanges{
+							CIDRBlocks: []string{"10.10.0.0/16"},
+						},
+						Services: &capiv1.NetworkRanges{
+							CIDRBlocks: []string{"172.16.0.0/16"},
+						},
+						ServiceDomain: "foo.bar",
+					},
+				},
+			},
+			expectedNoProxy: []string{
+				"localhost", "127.0.0.1", "10.10.0.0/16", "172.16.0.0/16", "kubernetes", "kubernetes.default",
+				".svc", ".svc", ".svc.foo", ".svc.foo.bar",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(tt *testing.T) {
+			g.Expect(generateNoProxy(tc.cluster)).To(Equal(tc.expectedNoProxy))
+		})
+	}
+}
+
 func toJSON(v any) []byte {
 	data, err := json.Marshal(v)
 	if err != nil {