openstack: Implement network detection

Move the network detection logic from the legacy controller [1] in-tree.

[1] https://github.com/openshift/cluster-api-provider-openstack/blob/19b666d6f/openshift/pkg/infraclustercontroller/openstackcluster.go#L262-L305

Signed-off-by: Stephen Finucane <[email protected]>

Author: stephenfin

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/golangci/golangci-lint v1.64.8
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
+	github.com/gophercloud/gophercloud/v2 v2.7.0
 	github.com/klauspost/compress v1.18.0
 	github.com/metal3-io/cluster-api-provider-metal3/api v1.10.1
 	github.com/onsi/ginkgo/v2 v2.23.4
@@ -134,6 +135,7 @@ require (
 	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
+	github.com/gofrs/uuid/v5 v5.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/mock v1.7.0-rc.1 // indirect
 	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
@@ -147,7 +149,7 @@ require (
 	github.com/google/cel-go v0.23.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
-	github.com/gophercloud/gophercloud/v2 v2.7.0 // indirect
+	github.com/gophercloud/utils/v2 v2.0.0-20241209100706-e3a3b7c07d26 // indirect
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.5.0 // indirect
@@ -273,6 +275,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/mock v0.5.2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.39.0 // indirect

go.sum

@@ -225,6 +225,8 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
+github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
+github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
@@ -273,6 +275,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gophercloud/gophercloud/v2 v2.7.0 h1:o0m4kgVcPgHlcXiWAjoVxGd8QCmvM5VU+YM71pFbn0E=
 github.com/gophercloud/gophercloud/v2 v2.7.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
+github.com/gophercloud/utils/v2 v2.0.0-20241209100706-e3a3b7c07d26 h1:N65GYmx5LrMeYdeXcxMESDU+2pDyAOXlFNlHl7siUwM=
+github.com/gophercloud/utils/v2 v2.0.0-20241209100706-e3a3b7c07d26/go.mod h1:7SHUbtoiSYINNKgAVxse+PMhIio05IK7shHy8DVRaN0=
 github.com/gordonklaus/ineffassign v0.1.0 h1:y2Gd/9I7MdY1oEIt+n+rowjBNDcLQq3RsH5hwJd0f9s=
 github.com/gordonklaus/ineffassign v0.1.0/go.mod h1:Qcp2HIAYhR7mNUVSIxZww3Guk4it82ghYcEXIAk+QT0=
 github.com/gostaticanalysis/analysisutil v0.7.1 h1:ZMCjoue3DtDWQ5WyU16YbjbQEQ3VuzwxALrpYd+HeKk=
@@ -620,6 +624,8 @@ go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=

pkg/controllers/infracluster/openstack.go

@@ -13,28 +13,45 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package infracluster
 
 import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
+	"slices"
+	"strings"
 
 	"github.com/go-logr/logr"
 	configv1 "github.com/openshift/api/config/v1"
+	mapiv1beta1 "github.com/openshift/api/machine/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/layer3/routers"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/ports"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/subnets"
 	openstackv1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1beta1"
+	openstackclients "sigs.k8s.io/cluster-api-provider-openstack/pkg/clients"
+	openstackscope "sigs.k8s.io/cluster-api-provider-openstack/pkg/scope"
 )
 
 var (
 	errUnsupportedOpenStackLoadBalancerType = errors.New("unsupported load balancer type for OpenStack")
 	errOpenStackNoAPIServerInternalIPs      = errors.New("no APIServerInternalIPs available")
+	errOpenStackNoDefaultRouter             = errors.New("unable to determine default router from control plane machines")
+	errOpenStackNoDefaultSubnet             = errors.New("unable to determine default subnet from control plane machines")
+	errOpenStackNoControlPlaneMachines      = errors.New("no control plane machines found")
+)
+
+var (
+	scopeCacheMaxSize int //nolint:gochecknoglobals
 )
 
 // ensureOpenStackCluster ensures the OpenStackCluster object exists.
@@ -113,7 +130,6 @@ func (r *InfraClusterController) ensureOpenStackCluster(ctx context.Context, log
 			},
 			// NOTE(stephenfin): We deliberately don't add subnet here: CAPO will use all subnets in network,
 			// which should also cover dual stack deployments. Everything else is populated below.
-			// FIXME(stephenfin): Populate these.
 			Network:         nil,
 			Router:          nil,
 			ExternalNetwork: nil,
@@ -122,6 +138,40 @@ func (r *InfraClusterController) ensureOpenStackCluster(ctx context.Context, log
 		},
 	}
 
+	// FIXME(stephenfin): Where can I source caCertificates from? The legacy infracluster controller
+	// had the same issue.
+	caCertificates := []byte{} // PEM encoded CA certificates
+	scopeFactory := openstackscope.NewFactory(scopeCacheMaxSize)
+
+	scope, err := scopeFactory.NewClientScopeFromObject(ctx, r.Client, caCertificates, log, target)
+	if err != nil {
+		return nil, fmt.Errorf("creating OpenStack client: %w", err)
+	}
+
+	networkClient, err := scope.NewNetworkClient()
+	if err != nil {
+		return nil, fmt.Errorf("creating OpenStack compute service: %w", err)
+	}
+
+	defaultSubnet, err := getDefaultSubnetFromMachines(ctx, log, r.Client, networkClient, platformStatus)
+	if err != nil {
+		return nil, err
+	}
+	// NOTE(stephenfin): As noted previously, we deliberately *do not* add subnet here: CAPO will
+	// use all subnets in network, which should also cover dual-stack deployments
+	target.Spec.Network = &openstackv1.NetworkParam{ID: ptr.To(defaultSubnet.NetworkID)}
+
+	router, err := getDefaultRouterFromSubnet(ctx, networkClient, defaultSubnet)
+	if err != nil {
+		return nil, err
+	}
+
+	target.Spec.Router = &openstackv1.RouterParam{ID: ptr.To(router.ID)}
+	// NOTE(stephenfin): The only reason we set ExternalNetworkID in the cluster spec is to avoid
+	// an error reconciling the external network if it isn't set. If CAPO ever no longer requires
+	// this we can just not set it and remove much of the code above. We don't actually use it.
+	target.Spec.ExternalNetwork = &openstackv1.NetworkParam{ID: ptr.To(router.GatewayInfo.NetworkID)}
+
 	if err := r.Create(ctx, target); err != nil {
 		return nil, fmt.Errorf("failed to create InfraCluster: %w", err)
 	}
@@ -130,3 +180,140 @@ func (r *InfraClusterController) ensureOpenStackCluster(ctx context.Context, log
 
 	return target, nil
 }
+
+// getDefaultRouterFromSubnet attempts to infer the default router used for
+// the network by looking for ports with the given subnet and gateway IP
+// associated with them.
+func getDefaultRouterFromSubnet(_ context.Context, networkClient openstackclients.NetworkClient, subnet *subnets.Subnet) (*routers.Router, error) {
+	// Find the port which owns the subnet's gateway IP
+	ports, err := networkClient.ListPort(ports.ListOpts{
+		NetworkID: subnet.NetworkID,
+		FixedIPs: []ports.FixedIPOpts{
+			{
+				IPAddress: subnet.GatewayIP,
+				// XXX: We should search on both subnet and IP
+				// address here, but can't because of
+				// https://github.com/gophercloud/gophercloud/issues/2807
+				// SubnetID:  subnet.ID,
+			},
+		},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("listing ports: %w", err)
+	}
+
+	if len(ports) == 0 {
+		return nil, fmt.Errorf("%w: no ports found for subnet %s", errOpenStackNoDefaultRouter, subnet.ID)
+	}
+
+	if len(ports) > 1 {
+		return nil, fmt.Errorf("%w: multiple ports found for subnet %s", errOpenStackNoDefaultRouter, subnet.ID)
+	}
+
+	routerID := ports[0].DeviceID
+
+	router, err := networkClient.GetRouter(routerID)
+	if err != nil {
+		return nil, fmt.Errorf("getting router %s: %w", routerID, err)
+	}
+
+	if router.GatewayInfo.NetworkID == "" {
+		return nil, fmt.Errorf("%w: router %s does not have an external gateway", errOpenStackNoDefaultRouter, routerID)
+	}
+
+	return router, nil
+}
+
+// getDefaultSubnetFromMachines attempts to infer the default cluster subnet by
+// directly examining the control plane machines. Specifically it looks for a
+// subnet attached to a control plane machine whose CIDR contains the API
+// loadbalancer internal VIP.
+//
+// This heuristic is only valid when the API loadbalancer type is
+// LoadBalancerTypeOpenShiftManagedDefault.
+//
+//nolint:gocognit,funlen
+func getDefaultSubnetFromMachines(ctx context.Context, log logr.Logger, kubeclient client.Client, networkClient openstackclients.NetworkClient, platformStatus *configv1.OpenStackPlatformStatus) (*subnets.Subnet, error) {
+	mapiMachines := mapiv1beta1.MachineList{}
+	if err := kubeclient.List(
+		ctx,
+		&mapiMachines,
+		client.InNamespace("openshift-machine-api"),
+		client.MatchingLabels{"machine.openshift.io/cluster-api-machine-role": "master"},
+	); err != nil {
+		return nil, fmt.Errorf("listing control plane machines: %w", err)
+	}
+
+	if len(mapiMachines.Items) == 0 {
+		return nil, errOpenStackNoControlPlaneMachines
+	}
+
+	apiServerInternalIPs := make([]net.IP, len(platformStatus.APIServerInternalIPs))
+	for i, ipStr := range platformStatus.APIServerInternalIPs {
+		apiServerInternalIPs[i] = net.ParseIP(ipStr)
+	}
+
+	for _, mapiMachine := range mapiMachines.Items {
+		log := log.WithValues("machine", mapiMachine.Name)
+
+		providerID := mapiMachine.Spec.ProviderID
+		if providerID == nil {
+			log.V(3).Info("Skipping machine: providerID is not set")
+			continue
+		}
+
+		if !strings.HasPrefix(*providerID, "openstack:///") {
+			log.V(2).Info("Skipping machine: providerID has unexpected format", "providerID", *providerID)
+			continue
+		}
+
+		instanceID := (*providerID)[len("openstack:///"):]
+
+		portOpts := ports.ListOpts{
+			DeviceID: instanceID,
+		}
+
+		ports, err := networkClient.ListPort(portOpts)
+		if err != nil {
+			return nil, fmt.Errorf("listing ports for instance %s: %w", instanceID, err)
+		}
+
+		if len(ports) == 0 {
+			return nil, fmt.Errorf("%w: no ports found for instance %s", errOpenStackNoDefaultSubnet, instanceID)
+		}
+
+		for _, port := range ports {
+			log := log.WithValues("port", port.ID)
+
+			for _, fixedIP := range port.FixedIPs {
+				if fixedIP.SubnetID == "" {
+					continue
+				}
+
+				subnet, err := networkClient.GetSubnet(fixedIP.SubnetID)
+				if err != nil {
+					return nil, fmt.Errorf("getting subnet %s: %w", fixedIP.SubnetID, err)
+				}
+
+				_, cidr, err := net.ParseCIDR(subnet.CIDR)
+				if err != nil {
+					return nil, fmt.Errorf("parsing subnet CIDR %s: %w", subnet.CIDR, err)
+				}
+
+				if slices.ContainsFunc(
+					apiServerInternalIPs, func(ip net.IP) bool { return cidr.Contains(ip) },
+				) {
+					return subnet, nil
+				}
+
+				log.V(6).Info("subnet does not match any APIServerInternalIPs", "subnet", subnet.CIDR)
+			}
+
+			log.V(6).Info("port does not match any APIServerInternalIPs")
+		}
+
+		log.V(6).Info("machine does not match any APIServerInternalIPs")
+	}
+
+	return nil, fmt.Errorf("%w: no matching subnets found", errOpenStackNoDefaultSubnet)
+}