Add support for specifying egress IP range as CIDR

simu · simu · commit 68cd8983c9b3 · 2025-11-11T13:27:54.000+01:00
We introduce a new helper function `read_egress_range()` which returns
the parsed egress range from each entry of `egress_ip_ranges`.

This helper either parses field `egress_range` or parses field
`egress_cidr` and returns an object with the same fields as
`parse_ip_range()` based on the parsed CIDR and optional fields
`skip_first` and `skip_last`.
diff --git a/component/egress-gateway-policies.jsonnet b/component/egress-gateway-policies.jsonnet
@@ -20,12 +20,13 @@ local policies = com.generateResources(
 
 local egress_ip_policies = std.flattenArrays([
   local cfg = params.egress_gateway.egress_ip_ranges[interface_prefix];
+  local egress_range = egw.read_egress_range(interface_prefix, cfg);
   local ns_egress_ips = std.get(cfg, 'namespace_egress_ips', {});
   local dest_cidrs = com.renderArray(std.get(cfg, 'destination_cidrs', []));
   [
     egw.NamespaceEgressPolicy(
       interface_prefix,
-      cfg.egress_range,
+      '%(start)s - %(end)s' % egress_range,
       std.objectValues(std.get(cfg, 'shadow_ranges', {})),
       cfg.node_selector,
       ns_egress_ips[namespace],
diff --git a/component/egress-gateway-shadow-ranges.libsonnet b/component/egress-gateway-shadow-ranges.libsonnet
@@ -38,10 +38,7 @@ local egress_ip_shadow_ranges =
       std.join('.', std.split(range.start, '.')[0:3]);
 
   local check_length(hostname, egress_range, range) =
-    local public_range = ipcalc.parse_ip_range(
-      egress_range.prefix,
-      egress_range.config.egress_range
-    );
+    local public_range = egw.read_egress_range(egress_range.prefix, egress_range.config);
     local public_len = ipcalc.ipval(public_range.end) - ipcalc.ipval(public_range.start);
     local shadow_len = ipcalc.ipval(range.end) - ipcalc.ipval(range.start);
 
@@ -51,7 +48,7 @@ local egress_ip_shadow_ranges =
         range.end,
         hostname,
         egress_range.prefix,
-        egress_range.config.egress_range,
+        public_range,
       ]
     else
       range;
diff --git a/component/espejote-templates/egress-gateway-self-service.jsonnet b/component/espejote-templates/egress-gateway-self-service.jsonnet
@@ -42,10 +42,11 @@ local reconcileNamespace(namespace) =
       // ownerReference pointing to the namespace, and labeled as managed by
       // us) and update the namespace with an informational message.
       local range = res.range;
+      local egress_range = egw.read_egress_range(range.if_prefix, range);
       [
         egw.NamespaceEgressPolicy(
           range.if_prefix,
-          range.egress_range,
+          '%(start)s - %(end)s' % egress_range,
           std.objectValues(std.get(range, 'shadow_ranges', {})),
           range.node_selector,
           egress_ip,
diff --git a/component/espejote-templates/egress-gateway.libsonnet b/component/espejote-templates/egress-gateway.libsonnet
@@ -153,6 +153,42 @@ local espejoteLabel = {
   'cilium.syn.tools/managed-by': 'espejote_cilium_namespace-egress-ips',
 };
 
+// read_egress_range extracts the egress range from the passed config object,
+// either from field `egress_range` or from field `egress_cidr`.
+// When reading from field `egress_cidr` the function also respects fields
+// `skip_first` and `skip_last` when generating the resulting range object.
+local read_egress_range(prefix, config) =
+  local ekey = std.setDiff(
+    std.set([ 'egress_range', 'egress_cidr' ]),
+    std.set(std.objectFields(config))
+  );
+  if std.length(ekey) != 1 then
+    error
+      'egress_ip_ranges` entries are expected to have exactly one of ' +
+      '`egress_range` and `egress_cidr`. entry "%s" has %s.' % [
+        prefix,
+        if std.length(ekey) == 2 then 'neither'
+        else if std.length(ekey) == 0 then 'both'
+        else 'a weird configuration',
+      ]
+  else
+    if std.objectHas(config, 'egress_range') then
+      local erange = ipcalc.parse_ip_range(prefix, config.egress_range);
+      erange
+    else
+      local ecidr = ipcalc.parse_cidr(prefix, config.egress_cidr);
+      {
+        start: if std.get(config, 'skip_first', false) then
+          ecidr.host_min
+        else
+          ecidr.network_address,
+        end: if std.get(config, 'skip_last', false) then
+          ecidr.host_max
+        else
+          ecidr.broadcast_address,
+      };
+
+
 // find_egress_range expects a list of egress range objects which contain the
 // interface prefix in a field. This list is precomputed by the Commodore
 // component and provided to the Espejote template as
@@ -163,7 +199,7 @@ local espejoteLabel = {
 local find_egress_range(ranges, egress_ip) =
   local eip = ipcalc.ipval(egress_ip);
   local check_fn(rspec) =
-    local range = ipcalc.parse_ip_range(rspec.if_prefix, rspec.egress_range);
+    local range = read_egress_range(rspec.if_prefix, rspec);
     local start = ipcalc.ipval(range.start);
     local end = ipcalc.ipval(range.end);
     eip >= start && eip <= end;
@@ -172,14 +208,17 @@ local find_egress_range(ranges, egress_ip) =
     range: filtered[0],
     errmsg: '',
   } else {
+    local read_erange_str(r) =
+      local er = read_egress_range(r.if_prefix, r);
+      '%(start)s - %(end)s' % er,
     range: null,
     errmsg: if std.length(filtered) == 0 then
-      local eranges = std.join(', ', [ r.egress_range for r in ranges ]);
+      local eranges = std.join(', ', [ read_erange_str(r) for r in ranges ]);
       'No egress range found for %s, available ranges: %s'
       % [ egress_ip, eranges ]
     else
       local eranges = std.join(
-        ', ', [ '%s (%s)' % [ r.if_prefix, r.egress_range ] for r in filtered ]
+        ', ', [ '%s (%s)' % [ r.if_prefix, read_erange_str(r) ] for r in filtered ]
       );
       'Found multiple egress ranges which contain %s: %s. ' % [ egress_ip, eranges ] +
       "Please contact your cluster's administrator to resolve this range overlap",
@@ -191,4 +230,5 @@ local find_egress_range(ranges, egress_ip) =
   NamespaceEgressPolicy: NamespaceEgressPolicy,
   espejoteLabel: espejoteLabel,
   find_egress_range: find_egress_range,
+  read_egress_range: read_egress_range,
 }
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -381,7 +381,17 @@ default:: `{}`
 This parameter allows users to configure `CiliumEgressGatewayPolicy` (or `IsovalentEgressGatewayPolicy`) resources which assign a single egress IP to a namespace according to the design selected in https://kb.vshn.ch/oc4/explanations/decisions/cloudscale-cilium-egressip.html[Floating egress IPs with Cilium on cloudscale].
 
 Each entry in the parameter is intended to describe a group of dummy interfaces that can be used in `CiliumEgressGatewayPolicy` (or `IsovalentEgressGatewayPolicy`) resources.
-The component expects that each value is an object with fields `egress_range`, `node_selector`, `namespace_egress_ips`, `shadow_ranges`, `destination_cidrs`, and `bgp_policy_labels`.
+The component expects that each value is an object with fields `egress_cidr`, `egress_range`, `node_selector`, `namespace_egress_ips`, `shadow_ranges`, `destination_cidrs`, and `bgp_policy_labels`.
+Fields `egress_cidr` and `egress_range` are mutually exclusive.
+The component raises an error for entries which set neither or both.
+
+[TIP]
+====
+When specifying egress ranges with `egress_cidr`, the component also respects fields `skip_first` and `skip_last`.
+These fields default to `false`.
+When field `skip_first` is set to `true`, the component omits the given CIDR's network address from the egress range.
+When field `skip_last` is set to `true`, the component omits the given CIDR's broadcast address from the egress range.
+====
 
 NOTE: Field `shadow_ranges` is optional, see the section on <<_shadow_ranges,shadow ranges>> for more details.
 
diff --git a/tests/egress-gateway.yml b/tests/egress-gateway.yml
@@ -35,7 +35,7 @@ parameters:
       self_service_namespace_ips: true
       egress_ip_ranges:
         egress_a:
-          egress_range: '192.0.2.32 - 192.0.2.63'
+          egress_range: 192.0.2.32 - 192.0.2.63
           node_selector:
             node-role.kubernetes.io/infra: ''
           namespace_egress_ips:
@@ -49,7 +49,7 @@ parameters:
           destination_cidrs: []
         egress_b: null
         egress_c:
-          egress_range: '192.0.2.64 - 192.0.2.95'
+          egress_cidr: 192.0.2.64/27
           node_selector:
             node-role.kubernetes.io/infra: ''
           namespace_egress_ips:
@@ -73,7 +73,8 @@ parameters:
           namespace_egress_ips: {}
           shadow_ranges: null
         egress_f:
-          egress_range: '192.0.2.160 - 192.0.2.191'
+          egress_cidr: 192.0.2.160/27
+          skip_last: true
           node_selector:
             node-role.kubernetes.io/infra: ''
           namespace_egress_ips:
diff --git a/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml b/tests/golden/egress-gateway/cilium/cilium/20_namespace_egress_ip_policies.yaml
@@ -91,9 +91,9 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true,Prune=false
     cilium.syn.tools/description: Generated policy to assign BGP egress IP 192.0.2.160
-      in egress range "egress_f" (192.0.2.160 - 192.0.2.191) to namespace qux.
+      in egress range "egress_f" (192.0.2.160 - 192.0.2.190) to namespace qux.
     cilium.syn.tools/egress-ip: 192.0.2.160
-    cilium.syn.tools/egress-range: 192.0.2.160 - 192.0.2.191
+    cilium.syn.tools/egress-range: 192.0.2.160 - 192.0.2.190
     cilium.syn.tools/interface-prefix: egress_f
     cilium.syn.tools/source-namespace: qux
   labels:
diff --git a/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml b/tests/golden/egress-gateway/cilium/cilium/40_egress_ip_managed_resource.yaml
@@ -94,7 +94,7 @@ spec:
                   "destination_cidrs": [
                       "203.0.113.0/24"
                   ],
-                  "egress_range": "192.0.2.64 - 192.0.2.95",
+                  "egress_cidr": "192.0.2.64/27",
                   "if_prefix": "egress_c",
                   "namespace_egress_ips": {
                       "baz": "192.0.2.93"
@@ -136,14 +136,15 @@ spec:
                   "destination_cidrs": [
                       "203.0.113.0/25"
                   ],
-                  "egress_range": "192.0.2.160 - 192.0.2.191",
+                  "egress_cidr": "192.0.2.160/27",
                   "if_prefix": "egress_f",
                   "namespace_egress_ips": {
                       "qux": "192.0.2.160"
                   },
                   "node_selector": {
                       "node-role.kubernetes.io/infra": ""
-                  }
+                  },
+                  "skip_last": true
               }
           ]
       }
@@ -303,6 +304,42 @@ spec:
         'cilium.syn.tools/managed-by': 'espejote_cilium_namespace-egress-ips',
       };
 
+      // read_egress_range extracts the egress range from the passed config object,
+      // either from field `egress_range` or from field `egress_cidr`.
+      // When reading from field `egress_cidr` the function also respects fields
+      // `skip_first` and `skip_last` when generating the resulting range object.
+      local read_egress_range(prefix, config) =
+        local ekey = std.setDiff(
+          std.set([ 'egress_range', 'egress_cidr' ]),
+          std.set(std.objectFields(config))
+        );
+        if std.length(ekey) != 1 then
+          error
+            'egress_ip_ranges` entries are expected to have exactly one of ' +
+            '`egress_range` and `egress_cidr`. entry "%s" has %s.' % [
+              prefix,
+              if std.length(ekey) == 2 then 'neither'
+              else if std.length(ekey) == 0 then 'both'
+              else 'a weird configuration',
+            ]
+        else
+          if std.objectHas(config, 'egress_range') then
+            local erange = ipcalc.parse_ip_range(prefix, config.egress_range);
+            erange
+          else
+            local ecidr = ipcalc.parse_cidr(prefix, config.egress_cidr);
+            {
+              start: if std.get(config, 'skip_first', false) then
+                ecidr.host_min
+              else
+                ecidr.network_address,
+              end: if std.get(config, 'skip_last', false) then
+                ecidr.host_max
+              else
+                ecidr.broadcast_address,
+            };
+
+
       // find_egress_range expects a list of egress range objects which contain the
       // interface prefix in a field. This list is precomputed by the Commodore
       // component and provided to the Espejote template as
@@ -313,7 +350,7 @@ spec:
       local find_egress_range(ranges, egress_ip) =
         local eip = ipcalc.ipval(egress_ip);
         local check_fn(rspec) =
-          local range = ipcalc.parse_ip_range(rspec.if_prefix, rspec.egress_range);
+          local range = read_egress_range(rspec.if_prefix, rspec);
           local start = ipcalc.ipval(range.start);
           local end = ipcalc.ipval(range.end);
           eip >= start && eip <= end;
@@ -322,14 +359,17 @@ spec:
           range: filtered[0],
           errmsg: '',
         } else {
+          local read_erange_str(r) =
+            local er = read_egress_range(r.if_prefix, r);
+            '%(start)s - %(end)s' % er,
           range: null,
           errmsg: if std.length(filtered) == 0 then
-            local eranges = std.join(', ', [ r.egress_range for r in ranges ]);
+            local eranges = std.join(', ', [ read_erange_str(r) for r in ranges ]);
             'No egress range found for %s, available ranges: %s'
             % [ egress_ip, eranges ]
           else
             local eranges = std.join(
-              ', ', [ '%s (%s)' % [ r.if_prefix, r.egress_range ] for r in filtered ]
+              ', ', [ '%s (%s)' % [ r.if_prefix, read_erange_str(r) ] for r in filtered ]
             );
             'Found multiple egress ranges which contain %s: %s. ' % [ egress_ip, eranges ] +
             "Please contact your cluster's administrator to resolve this range overlap",
@@ -341,6 +381,7 @@ spec:
         NamespaceEgressPolicy: NamespaceEgressPolicy,
         espejoteLabel: espejoteLabel,
         find_egress_range: find_egress_range,
+        read_egress_range: read_egress_range,
       }
     ipcalc.libsonnet: |
       // NOTE(sg): This file is symlinked to `component/espejote-templates` in
@@ -581,10 +622,11 @@ spec:
           // ownerReference pointing to the namespace, and labeled as managed by
           // us) and update the namespace with an informational message.
           local range = res.range;
+          local egress_range = egw.read_egress_range(range.if_prefix, range);
           [
             egw.NamespaceEgressPolicy(
               range.if_prefix,
-              range.egress_range,
+              '%(start)s - %(end)s' % egress_range,
               std.objectValues(std.get(range, 'shadow_ranges', {})),
               range.node_selector,
               egress_ip,
