Add IPv6CIDR range check to configValidator.

gardener · Dec 6, 2023 · fde766d · fde766d
1 parent 196f04c
commit fde766d
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 22 deletions.
diff --git a/pkg/aws/client/client.go b/pkg/aws/client/client.go
@@ -670,6 +670,20 @@ func (c *Client) DeleteVpcDhcpOptions(ctx context.Context, id string) error {
 	return ignoreNotFound(err)
 }
 
+// RetryableIPv6CIDRError is a custom error type.
+type RetryableIPv6CIDRError struct{}
+
+// Error prints the error message of the RetryableIPv6CIDRError error.
+func (e *RetryableIPv6CIDRError) Error() string {
+	return "no ipv6 CIDR assigned"
+}
+
+// RetryableIPv6CIDRError returns true if the error indicates that getting the IPv6 CIDR can be retried.
+func IsRetryableIPv6CIDRError(err error) bool {
+	_, ok := err.(*RetryableIPv6CIDRError)
+	return ok
+}
+
 // CreateVpc creates a VPC resource.
 func (c *Client) CreateVpc(ctx context.Context, desired *VPC) (*VPC, error) {
 	input := &ec2.CreateVpcInput{
@@ -687,38 +701,49 @@ func (c *Client) CreateVpc(ctx context.Context, desired *VPC) (*VPC, error) {
 
 // WaitForIPv6Cidr waits for the ipv6 cidr block association
 func (c *Client) WaitForIPv6Cidr(ctx context.Context, vpcID string) (string, error) {
-	// Custom waiting loop
-	waitInput := &ec2.DescribeVpcsInput{
-		VpcIds: []*string{aws.String(vpcID)},
-	}
-	var ipv6CidrBlock string
+
 	maxRetries := 30
 	waitInterval := 10 * time.Second
 	for i := 0; i < maxRetries; i++ {
 		select {
 		case <-ctx.Done():
 			return "", ctx.Err()
 		case <-time.After(waitInterval):
-			resp, err := c.EC2.DescribeVpcs(waitInput)
-			if err != nil {
-				return "", fmt.Errorf("error describing VPC: %v", err)
+			ipv6CidrBlock, err := c.GetIPv6Cidr(ctx, vpcID)
+			if err == nil {
+				return ipv6CidrBlock, nil
 			}
-			if len(resp.Vpcs) > 0 {
-				for _, assoc := range resp.Vpcs[0].Ipv6CidrBlockAssociationSet {
-					if assoc != nil && aws.StringValue(assoc.Ipv6CidrBlockState.State) == "associated" {
-						ipv6CidrBlock = *assoc.Ipv6CidrBlock
-						vpc, err := c.GetVpc(ctx, vpcID)
-						if err != nil {
-							return "", err
-						}
-						vpc.IPv6CidrBlock = ipv6CidrBlock
-						return ipv6CidrBlock, nil
-					}
+			if !IsRetryableIPv6CIDRError(err) {
+				return "", err
+			}
+		}
+	}
+	return "", fmt.Errorf("no IPv6 CIDR Block was assigned to VPC")
+}
+
+func (c *Client) GetIPv6Cidr(ctx context.Context, vpcID string) (string, error) {
+	var ipv6CidrBlock string
+	describeVPCInput := &ec2.DescribeVpcsInput{
+		VpcIds: []*string{aws.String(vpcID)},
+	}
+	resp, err := c.EC2.DescribeVpcs(describeVPCInput)
+	if err != nil {
+		return "", fmt.Errorf("error describing VPC: %v", err)
+	}
+	if len(resp.Vpcs) > 0 {
+		for _, assoc := range resp.Vpcs[0].Ipv6CidrBlockAssociationSet {
+			if assoc != nil && aws.StringValue(assoc.Ipv6CidrBlockState.State) == "associated" {
+				ipv6CidrBlock = *assoc.Ipv6CidrBlock
+				vpc, err := c.GetVpc(ctx, vpcID)
+				if err != nil {
+					return "", err
 				}
+				vpc.IPv6CidrBlock = ipv6CidrBlock
+				return ipv6CidrBlock, nil
 			}
 		}
 	}
-	return "", fmt.Errorf("No IPv6 CIDR Block was assigned to VPC")
+	return "", &RetryableIPv6CIDRError{}
 }
 
 // UpdateVpcAttribute sets/updates a VPC attribute if needed.

diff --git a/pkg/aws/client/mock/mocks.go b/pkg/aws/client/mock/mocks.go
diff --git a/pkg/aws/client/types.go b/pkg/aws/client/types.go
@@ -64,6 +64,7 @@ type Interface interface {
 	FindVpcDhcpOptionsByTags(ctx context.Context, tags Tags) ([]*DhcpOptions, error)
 	DeleteVpcDhcpOptions(ctx context.Context, id string) error
 	CreateVpc(ctx context.Context, vpc *VPC) (*VPC, error)
+	GetIPv6Cidr(ctx context.Context, vpcID string) (string, error)
 	WaitForIPv6Cidr(ctx context.Context, vpcID string) (string, error)
 	AddVpcDhcpOptionAssociation(vpcId string, dhcpOptionsId *string) error
 	UpdateVpcAttribute(ctx context.Context, vpcId, attributeName string, value bool) error

diff --git a/pkg/controller/infrastructure/configvalidator.go b/pkg/controller/infrastructure/configvalidator.go
@@ -75,7 +75,7 @@ func (c *configValidator) Validate(ctx context.Context, infra *extensionsv1alpha
 	// Validate infrastructure config
 	if config.Networks.VPC.ID != nil {
 		logger.Info("Validating infrastructure networks.vpc.id")
-		allErrs = append(allErrs, c.validateVPC(ctx, awsClient, *config.Networks.VPC.ID, infra.Spec.Region, field.NewPath("networks", "vpc", "id"))...)
+		allErrs = append(allErrs, c.validateVPC(ctx, awsClient, *config.Networks.VPC.ID, infra.Spec.Region, field.NewPath("networks", "vpc", "id"), config.DualStack != nil && config.DualStack.Enabled)...)
 	}
 
 	var (
@@ -97,7 +97,7 @@ func (c *configValidator) Validate(ctx context.Context, infra *extensionsv1alpha
 	return allErrs
 }
 
-func (c *configValidator) validateVPC(ctx context.Context, awsClient awsclient.Interface, vpcID, region string, fldPath *field.Path) field.ErrorList {
+func (c *configValidator) validateVPC(ctx context.Context, awsClient awsclient.Interface, vpcID, region string, fldPath *field.Path, dualStack bool) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	// Verify that the VPC exists and the enableDnsSupport and enableDnsHostnames VPC attributes are both true
@@ -116,6 +116,14 @@ func (c *configValidator) validateVPC(ctx context.Context, awsClient awsclient.I
 		}
 	}
 
+	if dualStack {
+		_, err := awsClient.GetIPv6Cidr(ctx, vpcID)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath, vpcID, fmt.Sprintf("VPC %s has no ipv6 CIDR", vpcID)))
+			return allErrs
+		}
+	}
+
 	// Verify that there is an internet gateway attached to the VPC
 	internetGatewayID, err := awsClient.GetVPCInternetGateway(ctx, vpcID)
 	if err != nil {