reconcile allowedaddresses in nic by breuerfelix · Pull Request #83 · stackitcloud/machine-controller-manager-provider-stackit

breuerfelix · 2026-01-14T12:43:01Z

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:

We need this MR in order to put the pod network CIDR into the allowedAddresses in the stackit MCM. Otherwise pod to pod communication does not work when using native kubernetes networking.

Special notes for your reviewer:

Breaking changes:

ske-prow · 2026-01-14T12:43:04Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

hown3d · 2026-01-19T16:33:28Z

In openstack this is done in the Route controller.

Why do you want to do this here?

breuerfelix · 2026-01-20T08:12:48Z

In openstack this is done in the Route controller.

Why do you want to do this here?

https://github.com/gardener/machine-controller-manager-provider-openstack/blob/master/pkg/driver/executor/executor.go#L144

This is done in the Openstack MCM. It takes the podNetworkCIDR and puts it into the AllowedAddressPairs. Thats why I also wanna do it in the STACKIT MCM.

hown3d

overall good, some QOL changes.

hown3d · 2026-01-20T08:58:34Z

pkg/provider/apis/provider_spec.go


+	// AllowedAddresses are the IP address ranges (CIDRs) allowed to originate traffic from the server's network interface.
+	// Optional field. If specified, these ranges are configured as AllowedAddresses on the network interface of the server to bypass anti-spoofing rules.
+	AllowedAddresses []string `json:"allowedAddresses,omitempty"`


Should be part of NetworkingSpec

I would not put that in NetworkingSpec since other MCM providers are also passing almost all config in the top level.
The NetworkingSpec has only 2 configuration options which are mutually exclusive. And even Networking is optional because if it is not set, the VM is put into the "default" network. So the Networking field has its own logic separate from the allowedAddresses.

hown3d · 2026-01-20T08:59:01Z

pkg/provider/apis/validation/validation.go

 		}
 	}

+	// Validate AllowedAddresses


move into validateNetworking function

same as above

pkg/provider/core.go

hown3d · 2026-01-20T09:05:43Z

pkg/provider/core.go


+func (p *Provider) getServerByName(ctx context.Context, projectID, region, serverName string) (*Server, error) {
+	// Check if the server got already created
+	labelSelector := fmt.Sprintf("mcm.gardener.cloud/machine=%s", serverName)


Use constant StackitMachineLabel

nit:
It was confusing that the labels are here put in as raw string with '=' concatination while in the request they were put in as map[string]string.
This is somewhat inconsistent. Labels should be used the same way across API requests.

We have to refactor the labels anyways in another task so i would like to refactor them in another PR.

For the Labels... its the SDK ... but I changed our interface to consume a map and create the label string on the fly

pkg/provider/core_create_machine_networking_test.go

go.mod

hown3d · 2026-01-20T09:19:20Z

pkg/provider/core.go

nit: Might be worth to separate functions into other files (e.g. network.go for network related functions).
Having a single core.go that will grow is not really clear to overlook in the long run.

solve in another story

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

ske-prow · 2026-01-21T10:40:37Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hown3d

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [hown3d]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ske-prow · 2026-01-21T10:40:38Z

LGTM label has been added.

Details

Git tree hash: eebd653688f9351ee136c13890f4bd9dcab6df21

reconcile allowedaddresses in nic

8e55bdc

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

breuerfelix force-pushed the allowed-addresses branch from 43240d9 to 8e55bdc Compare January 14, 2026 13:28

ske-prow bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 14, 2026

wait fo server to become ready

67136bd

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

ske-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 16, 2026

delete machines without providerID

2105a7e

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

breuerfelix force-pushed the allowed-addresses branch from a49eca5 to 2105a7e Compare January 16, 2026 13:16

add tests to allowedAddresses

1d64de7

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

breuerfelix marked this pull request as ready for review January 19, 2026 11:17

ske-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 19, 2026

fix linter

186eef8

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

hown3d requested changes Jan 20, 2026

View reviewed changes

ske-prow bot assigned hown3d Jan 20, 2026

resolve comments

00165b0

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

breuerfelix force-pushed the allowed-addresses branch from ef86c0c to 00165b0 Compare January 20, 2026 10:48

breuerfelix requested a review from hown3d January 20, 2026 13:12

resolve comments

70ee4c3

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

hown3d approved these changes Jan 21, 2026

View reviewed changes

ske-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jan 21, 2026

ske-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 21, 2026

ske-prow bot merged commit 1d4a215 into main Jan 21, 2026
3 checks passed

breuerfelix deleted the allowed-addresses branch February 18, 2026 09:35

Comments

Conversation

breuerfelix commented Jan 14, 2026

Uh oh!

ske-prow bot commented Jan 14, 2026

Uh oh!

hown3d commented Jan 19, 2026

Uh oh!

breuerfelix commented Jan 20, 2026

Uh oh!

hown3d left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ske-prow bot commented Jan 21, 2026

Uh oh!

ske-prow bot commented Jan 21, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants