add host_stack_cidrs support in datapathv2

cmd/terway-cli/policy.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"net/netip"
 	"os"
 	"os/exec"
 	"strings"
@@ -40,6 +41,8 @@ type CNIConfig struct {
 	HubbleListenAddress string `json:"cilium_hubble_listen_address,omitempty"`
 	HubbleMetricServer  string `json:"cilium_hubble_metrics_server,omitempty"`
 	CiliumExtraArgs     string `json:"cilium_args,omitempty"` // legacy way. should move to config map
+
+	HostStackCIDRs []string `json:"host_stack_cidrs,omitempty"`
 }
 
 var policyCmd = &cobra.Command{
@@ -306,6 +309,19 @@ func policyConfig(container *gabs.Container) ([]string, error) {
 			}...)
 		}
 
+		for _, cidr := range h.HostStackCIDRs {
+			_, err = netip.ParsePrefix(cidr)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if len(h.HostStackCIDRs) > 0 {
+			ciliumArgs = append(ciliumArgs, "--terway-host-stack-cidr="+strings.Join(h.HostStackCIDRs, ","))
+		} else {
+			ciliumArgs = append(ciliumArgs, "--terway-host-stack-cidr=169.254.20.10/32")
+		}
+
 		// parse extra args
 		ciliumArgs = append(ciliumArgs, extractArgs(h.CiliumExtraArgs)...)
 	}

cmd/terway-cli/policy_test.go

@@ -194,6 +194,79 @@ func Test_policyConfig(t *testing.T) {
 				assert.Contains(t, strings, "--enable-hubble=true")
 			},
 		},
+		{
+			name: "host stack cidr not set",
+			args: args{container: func() *gabs.Container {
+				cniJSON, _ := gabs.ParseJSON([]byte(`{
+  "cniVersion": "0.4.0",
+  "name": "terway-chainer",
+  "plugins": [
+    {
+      "bandwidth_mode": "edt",
+      "capabilities": {
+        "bandwidth": true
+      },
+      "cilium_args": "disable-per-package-lb=true",
+      "eniip_virtual_type": "datapathv2",
+      "network_policy_provider": "ebpf",
+      "type": "terway"
+    },
+    {
+      "data-path": "datapathv2",
+      "enable-debug": false,
+      "log-file": "/var/run/cilium/cilium-cni.log",
+      "type": "cilium-cni"
+    }
+  ]
+}`))
+				return cniJSON
+			}()},
+			readFunc: func(name string) ([]byte, error) {
+				return []byte("#define DIRECT_ROUTING_DEV_IFINDEX 0\n#define DISABLE_PER_PACKET_LB 1\n"), nil
+			},
+			checkFunc: func(t *testing.T, strings []string, err error) {
+				assert.NoError(t, err)
+				assert.Contains(t, strings, "--disable-per-package-lb=true")
+				assert.Contains(t, strings, "--terway-host-stack-cidr=169.254.20.10/32")
+			},
+		},
+		{
+			name: "multi host stack cidr",
+			args: args{container: func() *gabs.Container {
+				cniJSON, _ := gabs.ParseJSON([]byte(`{
+  "cniVersion": "0.4.0",
+  "name": "terway-chainer",
+  "plugins": [
+    {
+      "bandwidth_mode": "edt",
+      "capabilities": {
+        "bandwidth": true
+      },
+      "cilium_args": "disable-per-package-lb=true",
+      "eniip_virtual_type": "datapathv2",
+      "network_policy_provider": "ebpf",
+      "host_stack_cidrs": ["169.254.20.10/32", "169.254.20.11/32"],
+      "type": "terway"
+    },
+    {
+      "data-path": "datapathv2",
+      "enable-debug": false,
+      "log-file": "/var/run/cilium/cilium-cni.log",
+      "type": "cilium-cni"
+    }
+  ]
+}`))
+				return cniJSON
+			}()},
+			readFunc: func(name string) ([]byte, error) {
+				return []byte("#define DIRECT_ROUTING_DEV_IFINDEX 0\n#define DISABLE_PER_PACKET_LB 1\n"), nil
+			},
+			checkFunc: func(t *testing.T, strings []string, err error) {
+				assert.NoError(t, err)
+				assert.Contains(t, strings, "--disable-per-package-lb=true")
+				assert.Contains(t, strings, "--terway-host-stack-cidr=169.254.20.10/32,169.254.20.11/32")
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

deploy/images/terway-controlplane/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1-labs
-ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-ce3481dc@sha256:b94ada7d627f9bba4a0d8638d05f630a9f6a9a04c47a6a9953c2abfa674ccaeb
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-381dd606@sha256:726a12276a3cbbe11be5a497716aa6e4a9a9638de55195d5f71a89a613366040
 
 FROM --platform=$TARGETPLATFORM ${TERWAY_POLICY_IMAGE} AS policy-dist
 

deploy/images/terway/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1-labs
-ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-ce3481dc@sha256:b94ada7d627f9bba4a0d8638d05f630a9f6a9a04c47a6a9953c2abfa674ccaeb
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-381dd606@sha256:726a12276a3cbbe11be5a497716aa6e4a9a9638de55195d5f71a89a613366040
 ARG UBUNTU_IMAGE=registry.cn-hangzhou.aliyuncs.com/acs/ubuntu:22.04-update
 ARG CILIUM_IPROUTE2_IMAGE=quay.io/cilium/cilium-iproute2:3570d58349efb2d6b0342369a836998c93afd291@sha256:1abcd7a5d2117190ab2690a163ee9cd135bc9e4cf8a4df662a8f993044c79342
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:9f1bfe736009afb1fbb562718bbc42ea07d37d8e@sha256:a666a7a01a2dc610c3ab6e32f25ca5e294201f3cbbc01f233320c527955deee3