[NX-OS] Implement support for RoutingPolicy on Cisco NX-OS

Author: felix-kaestner

api/core/v1alpha1/groupversion_info.go

@@ -134,3 +134,9 @@ const (
 	// VRFNotFoundReason indicates that a referenced VRF was not found.
 	VRFNotFoundReason = "VRFNotFound"
 )
+
+// Reasons that are specific to [RoutingPolicy] objects.
+const (
+	// PrefixSetNotFoundReason indicates that a referenced PrefixSet was not found.
+	PrefixSetNotFoundReason = "PrefixSetNotFound"
+)

internal/controller/core/routingpolicy_controller.go

@@ -14,10 +14,15 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
 	"github.com/ironcore-dev/network-operator/internal/conditions"
@@ -169,8 +174,10 @@ func (r *RoutingPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 	return ctrl.Result{}, nil
 }
 
+var routingPolicyPrefixSetRefKey = ".spec.statements[].conditions.matchPrefixSet.prefixSetRef.name"
+
 // SetupWithManager sets up the controller with the Manager.
-func (r *RoutingPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *RoutingPolicyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
 	labelSelector := metav1.LabelSelector{}
 	if r.WatchFilterValue != "" {
 		labelSelector.MatchLabels = map[string]string{v1alpha1.WatchLabel: r.WatchFilterValue}
@@ -181,10 +188,37 @@ func (r *RoutingPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return fmt.Errorf("failed to create label selector predicate: %w", err)
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(ctx, &v1alpha1.RoutingPolicy{}, routingPolicyPrefixSetRefKey, func(obj client.Object) []string {
+		rp := obj.(*v1alpha1.RoutingPolicy)
+		var names []string
+		for _, stmt := range rp.Spec.Statements {
+			if stmt.Conditions != nil && stmt.Conditions.MatchPrefixSet != nil {
+				names = append(names, stmt.Conditions.MatchPrefixSet.PrefixSetRef.Name)
+			}
+		}
+		return names
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1alpha1.RoutingPolicy{}).
 		Named("routingpolicy").
 		WithEventFilter(filter).
+		// Watches enqueues RoutingPolicies for updates in referenced PrefixSet resources.
+		// Only triggers on create and delete events since PrefixSet names are immutable.
+		Watches(
+			&v1alpha1.PrefixSet{},
+			handler.EnqueueRequestsFromMapFunc(r.prefixSetToRoutingPolicy),
+			builder.WithPredicates(predicate.Funcs{
+				UpdateFunc: func(e event.UpdateEvent) bool {
+					return false
+				},
+				GenericFunc: func(e event.GenericEvent) bool {
+					return false
+				},
+			}),
+		).
 		Complete(r)
 }
 
@@ -211,6 +245,11 @@ func (r *RoutingPolicyReconciler) reconcile(ctx context.Context, s *routingPolic
 		}
 	}
 
+	statements, err := r.reconcileStatements(ctx, s)
+	if err != nil {
+		return err
+	}
+
 	if err := s.Provider.Connect(ctx, s.Connection); err != nil {
 		return fmt.Errorf("failed to connect to provider: %w", err)
 	}
@@ -221,8 +260,9 @@ func (r *RoutingPolicyReconciler) reconcile(ctx context.Context, s *routingPolic
 	}()
 
 	// Ensure the RoutingPolicy is realized on the provider.
-	err := s.Provider.EnsureRoutingPolicy(ctx, &provider.RoutingPolicyRequest{
-		RoutingPolicy:  s.RoutingPolicy,
+	err = s.Provider.EnsureRoutingPolicy(ctx, &provider.EnsureRoutingPolicyRequest{
+		Name:           s.RoutingPolicy.Spec.Name,
+		Statements:     statements,
 		ProviderConfig: s.ProviderConfig,
 	})
 
@@ -234,6 +274,66 @@ func (r *RoutingPolicyReconciler) reconcile(ctx context.Context, s *routingPolic
 	return err
 }
 
+func (r *RoutingPolicyReconciler) reconcileStatements(ctx context.Context, s *routingPolicyScope) ([]provider.PolicyStatement, error) {
+	statements := make([]provider.PolicyStatement, 0, len(s.RoutingPolicy.Spec.Statements))
+
+	for _, stmt := range s.RoutingPolicy.Spec.Statements {
+		var conditions []provider.PolicyCondition
+		switch {
+		case stmt.Conditions != nil && stmt.Conditions.MatchPrefixSet != nil:
+			prefixSet, err := r.reconcilePrefixSet(ctx, s, stmt.Conditions.MatchPrefixSet)
+			if err != nil {
+				return nil, err
+			}
+			conditions = append(conditions, provider.MatchPrefixSetCondition{
+				PrefixSet: prefixSet,
+			})
+		}
+
+		statements = append(statements, provider.PolicyStatement{
+			Sequence:   stmt.Sequence,
+			Conditions: conditions,
+			Actions:    stmt.Actions,
+		})
+	}
+
+	return statements, nil
+}
+
+// reconcilePrefixSet ensures that the referenced PrefixSet exists and belongs to the same device as the RoutingPolicy.
+func (r *RoutingPolicyReconciler) reconcilePrefixSet(ctx context.Context, s *routingPolicyScope, c *v1alpha1.PrefixSetMatchCondition) (*v1alpha1.PrefixSet, error) {
+	key := client.ObjectKey{
+		Name:      c.PrefixSetRef.Name,
+		Namespace: s.RoutingPolicy.Namespace,
+	}
+
+	prefixSet := new(v1alpha1.PrefixSet)
+	if err := r.Get(ctx, key, prefixSet); err != nil {
+		if apierrors.IsNotFound(err) {
+			conditions.Set(s.RoutingPolicy, metav1.Condition{
+				Type:    v1alpha1.ReadyCondition,
+				Status:  metav1.ConditionFalse,
+				Reason:  v1alpha1.PrefixSetNotFoundReason,
+				Message: fmt.Sprintf("referenced PrefixSet %q not found", key),
+			})
+			return nil, reconcile.TerminalError(fmt.Errorf("referenced PrefixSet %q not found", key))
+		}
+		return nil, fmt.Errorf("failed to get referenced PrefixSet %q: %w", key, err)
+	}
+
+	if prefixSet.Spec.DeviceRef.Name != s.Device.Name {
+		conditions.Set(s.RoutingPolicy, metav1.Condition{
+			Type:    v1alpha1.ReadyCondition,
+			Status:  metav1.ConditionFalse,
+			Reason:  v1alpha1.CrossDeviceReferenceReason,
+			Message: fmt.Sprintf("referenced PrefixSet %q does not belong to device %q", prefixSet.Name, s.Device.Name),
+		})
+		return nil, reconcile.TerminalError(fmt.Errorf("referenced PrefixSet %q does not belong to device %q", prefixSet.Name, s.Device.Name))
+	}
+
+	return prefixSet, nil
+}
+
 func (r *RoutingPolicyReconciler) finalize(ctx context.Context, s *routingPolicyScope) (reterr error) {
 	if err := s.Provider.Connect(ctx, s.Connection); err != nil {
 		return fmt.Errorf("failed to connect to provider: %w", err)
@@ -244,8 +344,42 @@ func (r *RoutingPolicyReconciler) finalize(ctx context.Context, s *routingPolicy
 		}
 	}()
 
-	return s.Provider.DeleteRoutingPolicy(ctx, &provider.RoutingPolicyRequest{
-		RoutingPolicy:  s.RoutingPolicy,
-		ProviderConfig: s.ProviderConfig,
+	return s.Provider.DeleteRoutingPolicy(ctx, &provider.DeleteRoutingPolicyRequest{
+		Name: s.RoutingPolicy.Spec.Name,
 	})
 }
+
+// prefixSetToRoutingPolicy is a [handler.MapFunc] to be used to enqueue requests for reconciliation
+// for RoutingPolicies when their referenced PrefixSet changes.
+func (r *RoutingPolicyReconciler) prefixSetToRoutingPolicy(ctx context.Context, obj client.Object) []ctrl.Request {
+	prefixSet, ok := obj.(*v1alpha1.PrefixSet)
+	if !ok {
+		panic(fmt.Sprintf("Expected a PrefixSet but got a %T", obj))
+	}
+
+	log := ctrl.LoggerFrom(ctx, "PrefixSet", klog.KObj(prefixSet))
+
+	routingPolicies := new(v1alpha1.RoutingPolicyList)
+	if err := r.List(ctx, routingPolicies, client.InNamespace(prefixSet.Namespace), client.MatchingFields{routingPolicyPrefixSetRefKey: prefixSet.Spec.Name}); err != nil {
+		log.Error(err, "Failed to list RoutingPolicies")
+		return nil
+	}
+
+	requests := []ctrl.Request{}
+	for _, rp := range routingPolicies.Items {
+		for _, stmt := range rp.Spec.Statements {
+			if stmt.Conditions != nil && stmt.Conditions.MatchPrefixSet != nil && stmt.Conditions.MatchPrefixSet.PrefixSetRef.Name == prefixSet.Spec.Name {
+				log.Info("Enqueuing RoutingPolicy for reconciliation", "RoutingPolicy", klog.KObj(&rp))
+				requests = append(requests, ctrl.Request{
+					NamespacedName: client.ObjectKey{
+						Name:      rp.Name,
+						Namespace: rp.Namespace,
+					},
+				})
+				break
+			}
+		}
+	}
+
+	return requests
+}

internal/provider/cisco/nxos/evi.go

@@ -31,24 +31,32 @@ func (b *BDEVI) XPath() string {
 	return "System/evpn-items/bdevi-items/BDEvi-list[encap=" + b.Encap + "]"
 }
 
+func Community(rt string) (string, error) {
+	s, err := community(rt)
+	if err != nil {
+		return "", err
+	}
+	return "regular:" + s, nil
+}
+
 func RouteDistinguisher(rd string) (string, error) {
-	s, err := extcommunity(rd)
+	s, err := community(rd)
 	if err != nil {
 		return "", err
 	}
 	return "rd:" + s, nil
 }
 
 func RouteTarget(rt string) (string, error) {
-	s, err := extcommunity(rt)
+	s, err := community(rt)
 	if err != nil {
 		return "", err
 	}
 	return "route-target:" + s, nil
 }
 
-// extcommunity converts a value to an extended community string.
-func extcommunity(s string) (string, error) {
+// community converts a value to an bgp community attribute.
+func community(s string) (string, error) {
 	if s == "" {
 		return "unknown:0:0", nil
 	}

internal/provider/cisco/nxos/provider.go

@@ -52,6 +52,7 @@ var (
 	_ provider.PIMProvider              = (*Provider)(nil)
 	_ provider.SNMPProvider             = (*Provider)(nil)
 	_ provider.PrefixSetProvider        = (*Provider)(nil)
+	_ provider.RoutingPolicyProvider    = (*Provider)(nil)
 	_ provider.SyslogProvider           = (*Provider)(nil)
 	_ provider.UserProvider             = (*Provider)(nil)
 	_ provider.VLANProvider             = (*Provider)(nil)
@@ -1613,6 +1614,55 @@ func (p *Provider) DeletePrefixSet(ctx context.Context, req *provider.PrefixSetR
 	return p.client.Delete(ctx, s)
 }
 
+func (p *Provider) EnsureRoutingPolicy(ctx context.Context, req *provider.EnsureRoutingPolicyRequest) error {
+	rm := new(RouteMap)
+	rm.Name = req.Name
+	for _, stmt := range req.Statements {
+		e := new(RouteMapEntry)
+		e.Order = stmt.Sequence
+
+		for _, cond := range stmt.Conditions {
+			switch v := cond.(type) {
+			case provider.MatchPrefixSetCondition:
+				e.SetPrefixSet(v.PrefixSet)
+			default:
+				return fmt.Errorf("routing policy: unsupported condition type %T", cond)
+			}
+		}
+
+		switch stmt.Actions.RouteDisposition {
+		case v1alpha1.AcceptRoute:
+			e.Action = ActionPermit
+		case v1alpha1.RejectRoute:
+			e.Action = ActionDeny
+		default:
+			return fmt.Errorf("routing policy: unsupported action %q", stmt.Actions.RouteDisposition)
+		}
+
+		if stmt.Actions.BgpActions != nil {
+			if stmt.Actions.BgpActions.SetCommunity != nil {
+				if err := e.SetCommunities(stmt.Actions.BgpActions.SetCommunity.Communities); err != nil {
+					return err
+				}
+			}
+			if stmt.Actions.BgpActions.SetExtCommunity != nil {
+				if err := e.SetExtCommunities(stmt.Actions.BgpActions.SetExtCommunity.Communities); err != nil {
+					return err
+				}
+			}
+		}
+
+		rm.EntItems.EntryList.Set(e)
+	}
+	return p.client.Update(ctx, rm)
+}
+
+func (p *Provider) DeleteRoutingPolicy(ctx context.Context, req *provider.DeleteRoutingPolicyRequest) error {
+	rm := new(RouteMap)
+	rm.Name = req.Name
+	return p.client.Delete(ctx, rm)
+}
+
 func (p *Provider) EnsureUser(ctx context.Context, req *provider.EnsureUserRequest) error {
 	u := new(User)
 	u.AllowExpired = "no"