
Conversation

@Fredi-raspall Fredi-raspall commented Jan 15, 2026

@Fredi-raspall Fredi-raspall requested a review from a team as a code owner January 15, 2026 14:52
@Fredi-raspall Fredi-raspall requested review from qmonnet and sergeymatov and removed request for a team and sergeymatov January 15, 2026 14:52
@Fredi-raspall Fredi-raspall added the ci:-upgrade Disable VLAB upgrade tests label Jan 15, 2026
qmonnet and others added 10 commits January 16, 2026 16:42
By policy, we no longer support overlap between peerings for exposed
prefixes. This means that if VPC A exposes a given prefix to VPC B, then
VPC C cannot expose an overlapping prefix (except for "default"
destination prefixes, which will be handled differently).

This means we can remove the code for overlap support from the
flow-filter stage, along with related tests. The nat crate also contains
some tests relying on the flow-filter stage behaviour for overlap, so we
prune them as well.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Following our change of policy regarding overlap in prefixes, we can
remove the code that we added for the sole purpose of supporting
overlapping IPs in crates nat and pkt-meta.

We already removed some related code in a previous commit: here we
remove the creation of a 3rd flow table entry for each connection, with
an empty destination VPC discriminant, which would be used for looking up
the discriminant from the flow table, if relevant. We also remove the
related check and destination VPC lookup attachment to packet metadata
from the flow table lookup stage. The flow table lookup stage is now
agnostic to the destination VPC for the packet.

This reverts code from the following commits (all from Pull Request
#1038):

- 5abd3d9 ("feat(nat): Write destination VPC discriminant to flow table values")
- 8c1282e ("feat(nat): Add 3rd stateful NAT session entry for destination VPC lookup")
- d5a2c14 ("feat(pkt-meta): Move "unroutable" drop from dst VPC to flow lookup")

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Extends the conversion from CRD to internal type to allow the
support of default exposes. A default expose cannot contain
any ip/nots or nat configuration.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Since we keep at most one config, there's no need to clear
intermediate collections. Also, reorganize the code so that
adding validations is clearer.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
- Forbid prefixes 0/0 or ::/0 in ip/nat/nots/as-not's in exposes
- Do not allow default exposes to have ip/nat/nots/not-as

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Reorganize code so that we validate the `Peering` objects collected
in Vpcs instead of the undirected `VpcPeering` objects learnt from
the CRD.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Adds a method to return the set of prefixes that should be
advertised for an expose.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Adapt the logic to determine prefixes to be advertised for a
given peering expose.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
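The first commits above state the policy (exposed prefixes may not overlap between peerings; the "default" destination prefixes 0/0 and ::/0 are handled separately) and later commits list the per-expose rules (no 0/0 or ::/0 in an expose's ip/nat/nots lists; a default expose carries no ip/nots/nat at all). The Rust below is an added example written for this page to show those checks in working form; it is not code from the PR or from the project's nat, pkt-meta or CRD-conversion crates. The names `Prefix`, `Expose`, `expose`, `validate_expose`, `validate_no_overlap` and `validate_exposes`, the `peering` field, and the choice to check overlap only between the `ips` of exposes belonging to different peerings (excluding default exposes) are assumptions, not the project's actual types or semantics.

```rust
use std::net::IpAddr;

/// Hypothetical prefix type: an address plus a length, for both families.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Prefix {
    addr: IpAddr,
    len: u8,
}

impl Prefix {
    /// Parse "a.b.c.d/len" or "x::y/len", rejecting lengths beyond the family width.
    pub fn parse(s: &str) -> Result<Prefix, String> {
        let (a, l) = s.split_once('/').ok_or_else(|| format!("missing '/' in {s}"))?;
        let addr: IpAddr = a.parse().map_err(|e| format!("bad address {a}: {e}"))?;
        let len: u8 = l.parse().map_err(|e| format!("bad length {l}: {e}"))?;
        let width = if addr.is_ipv4() { 32 } else { 128 };
        if len > width {
            return Err(format!("prefix length {len} too long for {a}"));
        }
        Ok(Prefix { addr, len })
    }

    /// Address bits left-aligned in a u128 so one mask routine serves both families.
    fn bits(&self) -> u128 {
        match self.addr {
            IpAddr::V4(v4) => (u32::from(v4) as u128) << 96,
            IpAddr::V6(v6) => u128::from(v6),
        }
    }

    /// Top `len` bits set; len == 0 gives an empty mask (avoids a shift by 128).
    fn mask(len: u8) -> u128 {
        if len == 0 { 0 } else { u128::MAX << (128 - u32::from(len)) }
    }

    /// 0.0.0.0/0 or ::/0: the "default" prefixes the policy treats separately.
    pub fn is_default(&self) -> bool {
        self.len == 0
    }

    /// Overlap: same address family and one prefix contains the other.
    pub fn overlaps(&self, other: &Prefix) -> bool {
        if self.addr.is_ipv4() != other.addr.is_ipv4() {
            return false;
        }
        let m = Self::mask(self.len.min(other.len));
        (self.bits() & m) == (other.bits() & m)
    }
}

/// Hypothetical model of one expose: what a VPC exposes within one peering.
#[derive(Debug, Clone)]
pub struct Expose {
    pub peering: String,  // assumed: name of the peering this expose belongs to
    pub is_default: bool, // a "default" expose must carry no ips/nots/nat
    pub ips: Vec<Prefix>,
    pub nots: Vec<Prefix>,
}

/// Builder for examples and tests; panics on an unparsable prefix.
pub fn expose(peering: &str, is_default: bool, ips: &[&str], nots: &[&str]) -> Expose {
    let parse = |v: &[&str]| {
        v.iter().map(|s| Prefix::parse(s).expect("valid prefix")).collect::<Vec<Prefix>>()
    };
    Expose { peering: peering.to_string(), is_default, ips: parse(ips), nots: parse(nots) }
}

/// Per-expose rules: a default expose carries no prefixes, and a regular
/// expose may not list 0/0 or ::/0 in its ips or nots.
pub fn validate_expose(e: &Expose) -> Result<(), String> {
    if e.is_default {
        if !e.ips.is_empty() || !e.nots.is_empty() {
            return Err(format!("default expose in {} must not carry ips/nots", e.peering));
        }
        return Ok(());
    }
    for p in e.ips.iter().chain(e.nots.iter()) {
        if p.is_default() {
            return Err(format!("expose in {} lists a default prefix {p:?}", e.peering));
        }
    }
    Ok(())
}

/// Cross-peering rule (assumed scope): prefixes exposed in different peerings
/// must not overlap. Default exposes are skipped; they are handled elsewhere.
pub fn validate_no_overlap(exposes: &[Expose]) -> Result<(), String> {
    let exposed: Vec<(&str, Prefix)> = exposes
        .iter()
        .filter(|e| !e.is_default)
        .flat_map(|e| e.ips.iter().map(move |p| (e.peering.as_str(), *p)))
        .collect();
    for (i, (pa, a)) in exposed.iter().enumerate() {
        for (pb, b) in &exposed[i + 1..] {
            if pa != pb && a.overlaps(b) {
                return Err(format!("{a:?} in {pa} overlaps {b:?} in {pb}"));
            }
        }
    }
    Ok(())
}

/// Run the per-expose rules first, then the cross-peering overlap rule.
pub fn validate_exposes(exposes: &[Expose]) -> Result<(), String> {
    for e in exposes {
        validate_expose(e)?;
    }
    validate_no_overlap(exposes)
}

fn main() {
    // Constructed sample, not taken from any real configuration.
    let cfg = vec![
        expose("vpc-a/vpc-b", false, &["10.0.0.0/16"], &[]),
        expose("vpc-a/vpc-c", false, &["10.0.1.0/24"], &[]), // overlaps the first expose
    ];
    match validate_exposes(&cfg) {
        Ok(()) => println!("config accepted"),
        Err(e) => println!("config rejected: {e}"),
    }
}
```

Left-aligning IPv4 bits in a `u128` lets a single mask routine serve both families, and treating length 0 as an empty mask sidesteps the `<< 128` overflow that a naive mask would hit on `::/0`. Rejecting default prefixes inside regular exposes and keeping default exposes out of the overlap check mirrors the split the commits describe, where default destinations get their own handling rather than the flow-filter overlap logic that was removed.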
qmonnet added a commit that referenced this pull request Jan 16, 2026
Because the follow-up commits should be based on the changes from #1198, but we just need this tiny change to get the rest to compile.
@Fredi-raspall Fredi-raspall force-pushed the pr/fredi/expose_refined branch from cfe7896 to e08e39b Compare January 16, 2026 22:20
qmonnet added a commit that referenced this pull request Jan 17, 2026
Because the follow-up commits should be based on the changes from #1198, but we just need this tiny change to get the rest to compile.