Merge branch 'main' into kubernetes-1.31

Author: jfbus

.github/local_action/start_ccm_e2e/action.yml

@@ -96,11 +96,10 @@ runs:
         profile="{\"default\":{\"access_key\":\"${{ inputs.osc_access_key }}\",\"secret_key\":\"${{ inputs.osc_secret_key }}\"}}"
         kubectl create secret generic osc-secret-file --from-literal=config.json=$profile -n kube-system
         echo "updating CCM config"
-        helm upgrade --wait k8s-osc-ccm deploy/k8s-osc-ccm --set oscSecretName=osc-secret-file --set oscCredentialsFromFile=true --set oscSecretFormat=v1 --set image.repository=${{ inputs.registry }}/outscale/cloud-provider-osc --set image.tag=${{ inputs.version }}\
+        helm upgrade --wait k8s-osc-ccm deploy/k8s-osc-ccm --set oscSecretName=osc-secret-file --set oscCredentialsFromFile=true --set image.repository=${{ inputs.registry }}/outscale/cloud-provider-osc --set image.tag=${{ inputs.version }}\
           --set extraLoadBalancerTags.clikey=clivalue
-        echo "waiting for pods"
-        kubectl wait --for=condition=Ready po --all -A --timeout=900s
-        kubectl get po -A
+        sleep 5
+        kubectl get pod -n kube-system -l "app=osc-cloud-controller-manager"
       shell: bash
       env:
         KUBECONFIG: "${{ github.workspace }}/${{ steps.caposc.outputs.KUBECONFIG }}"

.github/workflows/build.yml

@@ -31,7 +31,7 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v9
       with:
-        version: v2.1
+        version: v2.7.1
         args: --timeout=300s
         only-new-issues: true
     - name: Test

.github/workflows/e2e_test.yml

@@ -30,7 +30,7 @@ jobs:
     - name: ⬇️ Install kubectl
       uses: azure/setup-kubectl@v4
       with:
-        version: v1.31.12
+        version: v1.34.2
     - name: ⬇️ Install Helm
       uses: azure/setup-helm@v4
     - name: ⬇️ Install Python
@@ -39,7 +39,7 @@ jobs:
       uses: actions/setup-go@v6
       with:
         go-version-file: 'go.mod'
-    - name: 🔐 Set ak/sk name based on runner region
+    - name: 🔐 Set AK/SK name based on runner region
       run: .github/scripts/runneraksk.sh
     - name: 🧹 Frieza
       uses: outscale/frieza-github-actions/frieza-clean@master

Dockerfile

@@ -14,7 +14,7 @@
 ##                               BUILD ARGS                                   ##
 ################################################################################
 # This build arg allows the specification of a custom Golang image.
-ARG GOLANG_IMAGE=golang:1.25.4
+ARG GOLANG_IMAGE=golang:1.25.5
 
 # The distroless image on which the CPI manager image is built.
 #

cloud-controller-manager/osc/cloud/cloud.go

@@ -3,8 +3,11 @@ package cloud
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	"github.com/outscale/cloud-provider-osc/cloud-controller-manager/osc/oapi"
+	"github.com/outscale/cloud-provider-osc/cloud-controller-manager/utils"
+	"github.com/outscale/osc-sdk-go/v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
@@ -14,7 +17,7 @@ type Cloud struct {
 	api       oapi.Clienter
 	Metadata  oapi.Metadata
 	Self      *VM
-	clusterID string
+	clusterID []string
 }
 
 func New(ctx context.Context, clusterID string) (*Cloud, error) {
@@ -30,21 +33,42 @@ func New(ctx context.Context, clusterID string) (*Cloud, error) {
 	if err := api.OAPI().CheckCredentials(ctx); err != nil {
 		return nil, fmt.Errorf("init cloud: %w", err)
 	}
-	c := &Cloud{api: api, Metadata: metadata, clusterID: clusterID}
+	c := &Cloud{api: api, Metadata: metadata}
 
 	id := c.Metadata.InstanceID
 	self, err := c.GetVMByID(ctx, id)
 	if err != nil {
 		return nil, fmt.Errorf("error finding self: %w", err)
 	}
 	c.Self = self
-	if c.clusterID == "" {
-		c.clusterID = self.ClusterID()
+	if clusterID != "" {
+		c.clusterID = []string{clusterID}
+	} else {
+		// primary cluster ID (CAPOSC v1)
+		c.clusterID = []string{self.ClusterID()}
+		if self.SubnetID != "" {
+			// alternate cluster ID (CAPOSC v0)
+			subs, err := api.OAPI().ReadSubnets(ctx, osc.ReadSubnetsRequest{
+				Filters: &osc.FiltersSubnet{SubnetIds: &[]string{self.SubnetID}},
+			})
+			if err != nil {
+				return nil, fmt.Errorf("error finding self subnets: %w", err)
+			}
+			if len(subs) == 1 {
+				clusterID := getClusterIDFromTags(subs[0].GetTags())
+				if clusterID != "" && !slices.Contains(c.clusterID, clusterID) {
+					c.clusterID = append(c.clusterID, clusterID)
+				}
+			}
+		}
+	}
+	if len(c.clusterID) > 0 {
+		klog.FromContext(ctx).V(3).Info(fmt.Sprintf("Allowed cluster IDs: %v", c.clusterID))
 	}
 	return c, nil
 }
 
-func NewWith(api oapi.Clienter, self *VM, clusterID string) *Cloud {
+func NewWith(api oapi.Clienter, self *VM, clusterID []string) *Cloud {
 	return &Cloud{
 		api: api,
 		Metadata: oapi.Metadata{
@@ -58,7 +82,7 @@ func NewWith(api oapi.Clienter, self *VM, clusterID string) *Cloud {
 }
 
 func (c *Cloud) Initialize(ctx context.Context, kube clientset.Interface) {
-	if c.clusterID != "" {
+	if len(c.clusterID) > 0 {
 		return
 	}
 	logger := klog.FromContext(ctx)
@@ -68,6 +92,30 @@ func (c *Cloud) Initialize(ctx context.Context, kube clientset.Interface) {
 		logger.V(3).Error(err, "Unable to infer cluster ID")
 		return
 	}
-	c.clusterID = string(ns.UID)
-	logger.V(3).Info("Inferred cluster ID: " + c.clusterID)
+	c.clusterID = []string{string(ns.UID)}
+	logger.V(3).Info("Inferred cluster ID: " + string(ns.UID))
+}
+
+func (c *Cloud) sameCluster(tags []osc.ResourceTag) bool {
+	return slices.Contains(c.clusterID, getClusterIDFromTags(tags))
+}
+
+func (c *Cloud) mainSGTagKey() string {
+	if len(c.clusterID) == 0 {
+		return ""
+	}
+	return mainSGTagKey(c.clusterID[0])
+}
+
+func (c *Cloud) clusterIDTagKey() string {
+	if len(c.clusterID) == 0 {
+		return ""
+	}
+	return clusterIDTagKey(c.clusterID[0])
+}
+
+func (c *Cloud) clusterIDTagKeys() []string {
+	return utils.Map(c.clusterID, func(c string) (string, bool) {
+		return clusterIDTagKey(c), true
+	})
 }

cloud-controller-manager/osc/cloud/loadbalancer.go

@@ -18,7 +18,7 @@ import (
 	"github.com/go-viper/mapstructure/v2"
 	"github.com/outscale/cloud-provider-osc/cloud-controller-manager/osc/oapi"
 	"github.com/outscale/osc-sdk-go/v2"
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	controllerapi "k8s.io/cloud-provider/api"
 	servicehelpers "k8s.io/cloud-provider/service/helpers"
@@ -153,8 +153,8 @@ type LoadBalancer struct {
 	SessionAffinity          string
 	AccessLog                AccessLog `annotation:",squash"`
 	AllowFrom                utilnet.IPNetSet
-	IngressAddress           IngressAddress         `annotation:"osc-load-balancer-ingress-address"`
-	IPMode                   *v1.LoadBalancerIPMode `annotation:"osc-load-balancer-ingress-ipmode"`
+	IngressAddress           IngressAddress             `annotation:"osc-load-balancer-ingress-address"`
+	IPMode                   *corev1.LoadBalancerIPMode `annotation:"osc-load-balancer-ingress-ipmode"`
 
 	lbSecurityGroup     *osc.SecurityGroup
 	targetSecurityGroup *osc.SecurityGroup
@@ -163,8 +163,8 @@ type LoadBalancer struct {
 var reName = regexp.MustCompile("^[a-zA-Z0-9-]+$")
 
 // NewLoadBalancer creates a new LoadBalancer instance from a Kubernetes Service.
-func NewLoadBalancer(svc *v1.Service, addTags map[string]string) (*LoadBalancer, error) {
-	if svc.Spec.SessionAffinity != v1.ServiceAffinityNone {
+func NewLoadBalancer(svc *corev1.Service, addTags map[string]string) (*LoadBalancer, error) {
+	if svc.Spec.SessionAffinity != corev1.ServiceAffinityNone {
 		return nil, fmt.Errorf("unsupported SessionAffinity %q", svc.Spec.SessionAffinity)
 	}
 	if len(svc.Spec.Ports) == 0 {
@@ -198,7 +198,7 @@ func NewLoadBalancer(svc *v1.Service, addTags map[string]string) (*LoadBalancer,
 	}
 
 	for _, port := range svc.Spec.Ports {
-		if port.Protocol != v1.ProtocolTCP {
+		if port.Protocol != corev1.ProtocolTCP {
 			return nil, errors.New("only TCP load balancers are supported")
 		}
 		if port.NodePort == 0 {
@@ -233,10 +233,15 @@ func NewLoadBalancer(svc *v1.Service, addTags map[string]string) (*LoadBalancer,
 		lb.HealthCheck.Port = lb.Listeners[0].BackendPort
 		lb.HealthCheck.Protocol = "tcp"
 	}
+	// set defaults
 	err = mergo.Merge(lb, DefaultLoadBalancerConfiguration)
 	if err != nil {
 		return nil, fmt.Errorf("unable to set defaults: %w", err)
 	}
+	if lb.IngressAddress.NeedIP() && lb.IPMode == nil {
+		lb.IPMode = ptr.To(corev1.LoadBalancerIPModeProxy)
+	}
+
 	return lb, nil
 }
 
@@ -366,10 +371,10 @@ func (c *Cloud) LoadBalancerExists(ctx context.Context, l *LoadBalancer) (bool,
 	case lb == nil:
 		return false, nil
 	}
-	if getLBUClusterID(lb.GetTags()) != c.clusterID {
+	if !c.sameCluster(lb.GetTags()) {
 		return false, fmt.Errorf("%w another cluster", ErrBelongsToSomeoneElse)
 	}
-	svcName := getLBUServiceName(lb.GetTags())
+	svcName := getServiceNameFromTags(lb.GetTags())
 	if svcName != "" && svcName != l.ServiceName {
 		return false, fmt.Errorf("%w another service", ErrBelongsToSomeoneElse)
 	}
@@ -421,13 +426,21 @@ func (c *Cloud) CreateLoadBalancer(ctx context.Context, l *LoadBalancer, backend
 	}
 	switch {
 	case l.PublicIPID != "":
-		createRequest.PublicIp = ptr.To(l.PublicIPID)
+		ip := l.PublicIPID
+		if strings.HasPrefix(ip, "ipalloc-") {
+			pip, err := c.api.OAPI().GetPublicIp(ctx, l.PublicIPID)
+			if err != nil {
+				return "", "", fmt.Errorf("get ip: %w", err)
+			}
+			ip = *pip.PublicIp
+		}
+		createRequest.PublicIp = &ip
 	case l.PublicIPPool != "":
 		ip, err := c.allocateFromPool(ctx, l.PublicIPPool)
 		if err != nil {
 			return "", "", fmt.Errorf("allocate ip: %w", err)
 		}
-		createRequest.PublicIp = ip.PublicIpId
+		createRequest.PublicIp = ip.PublicIp
 	}
 
 	// TODO: drop public cloud code ?
@@ -454,7 +467,7 @@ func (c *Cloud) CreateLoadBalancer(ctx context.Context, l *LoadBalancer, backend
 		tags = map[string]string{}
 	}
 	tags[ServiceNameTagKey] = l.ServiceName
-	tags[clusterIDTagKey(c.clusterID)] = ResourceLifecycleOwned
+	tags[c.clusterIDTagKey()] = ResourceLifecycleOwned
 
 	ltags := make([]osc.ResourceTag, 0, len(tags))
 	for k, v := range tags {
@@ -550,7 +563,7 @@ func (c *Cloud) ensureSubnet(ctx context.Context, l *LoadBalancer) error {
 	}
 	subnets, err := c.api.OAPI().ReadSubnets(ctx, osc.ReadSubnetsRequest{
 		Filters: &osc.FiltersSubnet{
-			TagKeys: &[]string{clusterIDTagKey(c.clusterID)},
+			TagKeys: ptr.To(c.clusterIDTagKeys()),
 		},
 	})
 	if err != nil {
@@ -574,8 +587,37 @@ func (c *Cloud) ensureSubnet(ctx context.Context, l *LoadBalancer) error {
 	case ensureByTag("OscK8sRole/service"):
 	case ensureByTag("OscK8sRole/loadbalancer"):
 	default:
-		return errors.New("no subnet found with the correct tag")
+		return c.discoverSubnet(ctx, l, subnets)
+	}
+	return nil
+}
+
+// discoverSubnet tries to find a public or private subnet for the LB.
+func (c *Cloud) discoverSubnet(ctx context.Context, l *LoadBalancer, subnets []osc.Subnet) error {
+	rtbls, err := c.api.OAPI().ReadRouteTables(ctx, osc.ReadRouteTablesRequest{
+		Filters: &osc.FiltersRouteTable{
+			NetIds: &[]string{subnets[0].GetNetId()},
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("discover subnet: %w", err)
 	}
+
+	// find a public or private subnet, depending on LB type
+	var discovered *osc.Subnet
+	for _, subnet := range subnets {
+		if oapi.IsSubnetPublic(subnet.GetSubnetId(), rtbls) == !l.Internal {
+			// take the first, in lexical order
+			if discovered == nil || getName(subnet.GetTags()) < getName(discovered.GetTags()) {
+				discovered = &subnet
+			}
+		}
+	}
+	if discovered == nil {
+		return errors.New("discover subnet: none found")
+	}
+	l.SubnetID = discovered.GetSubnetId()
+	l.NetID = discovered.GetNetId()
 	return nil
 }
 
@@ -584,24 +626,47 @@ func (c *Cloud) ensureSecurityGroup(ctx context.Context, l *LoadBalancer) error
 		return nil
 	}
 	sgName := "k8s-elb-" + l.Name
-	sgDescription := fmt.Sprintf("Security group for Kubernetes ELB %s (%v)", l.Name, l.ServiceName)
-	resp, err := c.api.OAPI().CreateSecurityGroup(ctx, osc.CreateSecurityGroupRequest{
+	sgDescription := fmt.Sprintf("Security group for Kubernetes LB %s (%s)", l.Name, l.ServiceName)
+	sg, err := c.api.OAPI().CreateSecurityGroup(ctx, osc.CreateSecurityGroupRequest{
 		SecurityGroupName: sgName,
 		Description:       sgDescription,
 		NetId:             &l.NetID,
 	})
-	if err != nil {
+	switch {
+	case oapi.ErrorCode(err) == "9008": // ErrorDuplicateGroup: the SecurityGroupName '{group_name}' already exists.
+		// the SG might have been created by a previous request, try to load it
+		sgs, err := c.api.OAPI().ReadSecurityGroups(ctx, osc.ReadSecurityGroupsRequest{
+			Filters: &osc.FiltersSecurityGroup{
+				SecurityGroupNames: &[]string{sgName},
+			},
+		})
+		switch {
+		case err != nil:
+			return fmt.Errorf("read security groups: %w", err)
+		case len(sgs) == 0: // this has a tiny chance of occurring, but we would not want the CCM to panic
+			return errors.New("duplicate SG but none found")
+		default:
+			sg = &sgs[0]
+		}
+	case err != nil:
 		return fmt.Errorf("create SG: %w", err)
 	}
-	l.SecurityGroups = []string{resp.GetSecurityGroupId()}
-	l.lbSecurityGroup = resp
-	err = c.api.OAPI().CreateTags(ctx, osc.CreateTagsRequest{
-		ResourceIds: l.SecurityGroups,
-		Tags:        []osc.ResourceTag{{Key: clusterIDTagKey(c.clusterID), Value: ResourceLifecycleOwned}},
-	})
-	if err != nil {
-		return fmt.Errorf("create SG: %w", err)
+	// check clusterID tag
+	switch {
+	case c.sameCluster(sg.GetTags()): // existing SG with valid tag => noop
+	case getClusterIDFromTags(sg.GetTags()) == "": // new SG or existing SG without tag => create
+		err = c.api.OAPI().CreateTags(ctx, osc.CreateTagsRequest{
+			ResourceIds: []string{sg.GetSecurityGroupId()},
+			Tags:        []osc.ResourceTag{{Key: c.clusterIDTagKey(), Value: ResourceLifecycleOwned}},
+		})
+		if err != nil {
+			return fmt.Errorf("create SG: %w", err)
+		}
+	default: // existing SG with invalid tag/belonging to another cluster
+		return errors.New("a segurity group of the same name already exists")
 	}
+	l.SecurityGroups = []string{sg.GetSecurityGroupId()}
+	l.lbSecurityGroup = sg
 	return nil
 }
 
@@ -1029,7 +1094,7 @@ func (c *Cloud) getSecurityGroups(ctx context.Context, l *LoadBalancer, vms []VM
 		}
 		roleTagCount := math.MaxInt
 		for _, sg := range sgs {
-			if hasTag(sg.GetTags(), mainSGTagKey(c.clusterID)) {
+			if hasTag(sg.GetTags(), c.mainSGTagKey()) {
 				klog.FromContext(ctx).V(4).Info("Found security group having main tag", "securityGroupId", sg.GetSecurityGroupId())
 				l.targetSecurityGroup = &sg
 			}
@@ -1236,7 +1301,7 @@ func (c *Cloud) RunGarbageCollector(ctx context.Context) error {
 	// This is the list of SG we will scan to find rules linking to the SG to be deleted.
 	sgs, err := c.api.OAPI().ReadSecurityGroups(ctx, osc.ReadSecurityGroupsRequest{
 		Filters: &osc.FiltersSecurityGroup{
-			TagKeys: &[]string{clusterIDTagKey(c.clusterID)},
+			TagKeys: ptr.To(c.clusterIDTagKeys()),
 		},
 	})
 	if err != nil {