Add support for multiple namespaces (#157)

Author: vklohiya

README.md

@@ -31,11 +31,12 @@ The F5 IPAM Controller acts as an interface to CIS to provide an IP address from
 
 **Deployment Options**
 
-| PARAMETER | TYPE | REQUIRED | DESCRIPTION |
-| ------ | ------ | ------ | ------ |
-| orchestration | String | Required | The orchestration parameter holds the orchestration environment i.e. Kubernetes. |
-| ipam-provider | String | Required |  ipam-provider parameter holds the IP provider that holds the ownership of providing IP addresses such as infoblox, f5-ip-provider. Default is *f5-ip-provider*. |
-| log-level | String | Optional |  Log level parameter specify various logging level such as DEBUG, INFO, WARNING, ERROR, CRITICAL. |
+| PARAMETER     | TYPE   | REQUIRED | DESCRIPTION                                                                                                                                                     |
+|---------------|--------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| orchestration | String | Required | The orchestration parameter holds the orchestration environment i.e. Kubernetes.                                                                                |
+| ipam-provider | String | Required | ipam-provider parameter holds the IP provider that holds the ownership of providing IP addresses such as infoblox, f5-ip-provider. Default is *f5-ip-provider*. |
+| log-level     | String | Optional | Log level parameter specify various logging level such as DEBUG, INFO, WARNING, ERROR, CRITICAL.                                                                |
+| namespace     | String | Optional | Kubernetes namespace(s) to watch. By default controller will watch only kube-system namespace. To specify multiple namespace, use multiple --namespace flags.   |
 
 **Deployment Options of Provider (f5-ip-provider)**
 
@@ -45,16 +46,16 @@ The F5 IPAM Controller acts as an interface to CIS to provide an IP address from
 
 **Deployment Options of Provider (infoblox)**
 
-| PARAMETER | TYPE | REQUIRED | DESCRIPTION |
-| ------ | ------ | ------ | ------ |
-| infoblox-labels | String | Required | infoblox labels holds the mappings for infoblox's CIDR |
-| infoblox-grid-host | String | Required |  URL (or IP Address) of Infoblox Grid Host |
-| infoblox-wapi-port | String | Optional | Port that the Infoblox Server listens on. Default is 443 |
-| infoblox-wapi-version | String | Required | Web API version of Infoblox
-| infoblox-username | String | Required | Username of Infoblox User |
-| infoblox-password | String | Required | Password of the given Infoblox User |
-| infoblox-netview | String | Required | Netview from which IP addresses needs to be allocated |
-| credentials-directory | String | Optional | Credentials can be mounted from k8s secrets |
+| PARAMETER             | TYPE   | REQUIRED | DESCRIPTION                                              |
+|-----------------------|--------|----------|----------------------------------------------------------|
+| infoblox-labels       | String | Required | infoblox labels holds the mappings for infoblox's CIDR   |
+| infoblox-grid-host    | String | Required | URL (or IP Address) of Infoblox Grid Host                |
+| infoblox-wapi-port    | String | Optional | Port that the Infoblox Server listens on. Default is 443 |
+| infoblox-wapi-version | String | Required | Web API version of Infoblox                              |
+| infoblox-username     | String | Required | Username of Infoblox User                                |
+| infoblox-password     | String | Required | Password of the given Infoblox User                      |
+| infoblox-netview      | String | Required | Netview from which IP addresses needs to be allocated    |
+| credentials-directory | String | Optional | Credentials can be mounted from k8s secrets              |
 
 
 Note: On how to configure these Configuration Options, please refer to IPAM Deployment YAML example in below.

cmd/f5-ipam-controller/main.go

@@ -34,9 +34,10 @@ var (
 	ibFlags        *flag.FlagSet
 
 	// Global
-	logLevel *string
-	orch     *string
-	provider *string
+	logLevel   *string
+	orch       *string
+	provider   *string
+	namespaces *[]string
 
 	// Default Provider
 	iprange *string
@@ -77,7 +78,9 @@ func init() {
 		"Required, orchestration that the controller is running in.")
 	provider = globalFlags.String("ipam-provider", DefaultProvider,
 		"Required, the IPAM system that the controller will interface with.")
-
+	namespaces = globalFlags.StringArray("namespace", []string{},
+		"Optional, Kubernetes namespace(s) to watch."+
+			"If left blank controller will watch only kube-system namespace")
 	iprange = basicProvFlags.String("ip-range", "",
 		"Optional, the Default Provider needs iprange to build pools of IP Addresses")
 
@@ -239,7 +242,7 @@ func main() {
 	}
 	log.Infof("[INIT] Starting: F5 IPAM Controller - Version: %s, BuildInfo: %s", version, buildInfo)
 
-	orcr := orchestration.NewOrchestrator()
+	orcr := orchestration.NewOrchestrator(*namespaces)
 	if orcr == nil {
 		log.Error("Unable to create IPAM Client")
 		os.Exit(1)

docs/RELEASE-NOTES.rst

@@ -1,14 +1,27 @@
 Release Notes for F5 IPAM Controller for Kubernetes & OpenShift
 =======================================================================
 
-Next Release
+0.1.11
 -------------
 
 Added Functionality
 ```````````````````
+**What’s new:**
+    * Support for namespace to watch the multiple namespaces for IPAM CRD
 
-Bug Fixes
-````````````
+0.1.10
+``````````````````````````
+
+Vulnerability Fixes
+```````````````````
+CVE-2023-38545, CVE-2023-38546, CVE-2022-48337, CVE-2022-48338, CVE-2022-48339, CVE-2023-2491, CVE-2023-24329,
+CVE-2023-40217, CVE-2023-4527, CVE-2023-4806, CVE-2023-4813, CVE-2023-4911, CVE-2023-44487, CVE-2023-28617,
+CVE-2022-40897
+
+
+Known Issues
+`````````````
+CVE-2024-2961
 
 0.1.9
 -------------

docs/config_examples/f5-ip-provider/pv-mount-with-multiple-namespaces.yaml

@@ -0,0 +1,50 @@
+# Sample configuration for f5-ipam-controller with default provider. For persistent IP addresses upon restarts,
+# volume mounts are used. securityContext is used to change mount permissions to controller user.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    name: f5-ipam-controller
+  name: f5-ipam-controller
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: f5-ipam-controller
+  template:
+    metadata:
+      labels:
+        app: f5-ipam-controller
+    spec:
+      containers:
+        - args:
+            - --orchestration
+            - kubernetes
+            - --ip-range
+            - '{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40","Production":"172.16.3.41-172.16.3.50",
+                "Default":"172.16.3.51-172.16.3.60" } '
+            - --log-level
+            - DEBUG
+            # Add multiple namespaces to the controller, By default controller will watch only kube-system namespace
+            - --namespace=dev
+            - --namespace=test
+          command:
+            - /app/bin/f5-ipam-controller
+          image: f5networks/f5-ipam-controller:latest
+          imagePullPolicy: IfNotPresent
+          name: f5-ipam-controller
+          terminationMessagePath: /dev/termination-log
+          volumeMounts:
+            - mountPath: /app/ipamdb
+              name: samplevol
+      securityContext:
+        fsGroup: 1200
+        runAsGroup: 1200
+        runAsUser: 1200
+      serviceAccount: ipam-ctlr
+      serviceAccountName: ipam-ctlr
+      volumes:
+        - name: samplevol
+          persistentVolumeClaim:
+            claimName: pvc-local

next-version.txt

@@ -1 +1 @@
-0.1.10
+0.1.11

pkg/orchestration/kubernetes.go

@@ -67,7 +67,7 @@ type ResourceMeta struct {
 	namespace string
 }
 
-func NewIPAMK8SClient() *K8sIPAMClient {
+func NewIPAMK8SClient(namespaces []string) *K8sIPAMClient {
 	log.Debugf("Creating IPAM Kubernetes Client")
 	config, err := rest.InClusterConfig()
 	if err != nil {
@@ -85,11 +85,13 @@ func NewIPAMK8SClient() *K8sIPAMClient {
 		UpdateFunc: func(oldObj, newObj interface{}) { k8sIPAMClient.enqueueUpdatedIPAM(oldObj, newObj) },
 		DeleteFunc: func(obj interface{}) { k8sIPAMClient.enqueueDeletedIPAM(obj) },
 	}
-
+	if len(namespaces) == 0 {
+		namespaces = append(namespaces, DefaultNamespace)
+	}
 	ipamParams := ipammachinery.Params{
 		Config:        config,
 		EventHandlers: eventHandlers,
-		Namespaces:    []string{DefaultNamespace},
+		Namespaces:    namespaces,
 	}
 
 	ipamCli := ipammachinery.NewIPAMClient(ipamParams)

pkg/orchestration/orchestration.go

@@ -30,6 +30,6 @@ type Orchestrator interface {
 	Stop()
 }
 
-func NewOrchestrator() Orchestrator {
-	return NewIPAMK8SClient()
+func NewOrchestrator(namespaces []string) Orchestrator {
+	return NewIPAMK8SClient(namespaces)
 }