Rebased & address feedback

- rebased / bump FLP
- read external ips config
- read from config.Network rather than operator.Network, as it's
  considered the best source of truth

bundle/manifests/netobserv-operator.clusterserviceversion.yaml

@@ -909,6 +909,7 @@ spec:
           - config.openshift.io
           resources:
           - clusterversions
+          - networks
           verbs:
           - get
           - list
@@ -1024,14 +1025,6 @@ spec:
           - list
           - update
           - watch
-        - apiGroups:
-          - operator.openshift.io
-          resources:
-          - networks
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -1764,6 +1764,28 @@ spec:
                           description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                           type: object
                       type: object
+                    subnetLabels:
+                      description: '`subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.'
+                      properties:
+                        customLabels:
+                          description: '`customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.'
+                          items:
+                            description: SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+                            properties:
+                              cidrs:
+                                description: List of CIDRs, such as `["1.2.3.4/32"]`.
+                                items:
+                                  type: string
+                                type: array
+                              name:
+                                description: Label name, used to flag matching flows.
+                                type: string
+                            type: object
+                          type: array
+                        openShiftAutoDetect:
+                          description: '`openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the OpenShift install configuration and the Cluster Network Operator configuration.'
+                          type: boolean
+                      type: object
                   type: object
               type: object
             status:
@@ -4959,6 +4981,28 @@ spec:
                           description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                           type: object
                       type: object
+                    subnetLabels:
+                      description: '`SubnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift.'
+                      properties:
+                        customLabels:
+                          description: '`customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services. If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.'
+                          items:
+                            description: SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+                            properties:
+                              cidrs:
+                                description: List of CIDRs, such as `["1.2.3.4/32"]`.
+                                items:
+                                  type: string
+                                type: array
+                              name:
+                                description: Label name, used to flag matching flows.
+                                type: string
+                            type: object
+                          type: array
+                        openShiftAutoDetect:
+                          description: '`openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the OpenShift install configuration and the Cluster Network Operator configuration.'
+                          type: boolean
+                      type: object
                   type: object
               type: object
             status:

config/rbac/role.yaml

@@ -61,6 +61,7 @@ rules:
   - config.openshift.io
   resources:
   - clusterversions
+  - networks
   verbs:
   - get
   - list
@@ -176,14 +177,6 @@ rules:
   - list
   - update
   - watch
-- apiGroups:
-  - operator.openshift.io
-  resources:
-  - networks
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

controllers/flp/flp_controller.go

@@ -14,7 +14,6 @@ import (
 	"github.com/netobserv/network-observability-operator/pkg/manager/status"
 	"github.com/netobserv/network-observability-operator/pkg/watchers"
 	configv1 "github.com/openshift/api/config/v1"
-	operatorv1 "github.com/openshift/api/operator/v1"
 	"gopkg.in/yaml.v2"
 	appsv1 "k8s.io/api/apps/v1"
 	ascv2 "k8s.io/api/autoscaling/v2"
@@ -271,7 +270,7 @@ func (r *Reconciler) getOpenShiftSubnets(ctx context.Context) ([]flowslatest.Sub
 
 	// Pods and Services subnets are found in CNO config
 	if r.mgr.HasCNO() {
-		network := &operatorv1.Network{}
+		network := &configv1.Network{}
 		err := r.Get(ctx, types.NamespacedName{Name: "cluster"}, network)
 		if err != nil {
 			return nil, fmt.Errorf("can't get Network information: %w", err)
@@ -286,11 +285,16 @@ func (r *Reconciler) getOpenShiftSubnets(ctx context.Context) ([]flowslatest.Sub
 				CIDRs: podCIDRs,
 			})
 		}
-		svcCIDRs := network.Spec.ServiceNetwork
-		if len(svcCIDRs) > 0 {
+		if len(network.Spec.ServiceNetwork) > 0 {
 			subnets = append(subnets, flowslatest.SubnetLabel{
 				Name:  "Services",
-				CIDRs: svcCIDRs,
+				CIDRs: network.Spec.ServiceNetwork,
+			})
+		}
+		if network.Spec.ExternalIP != nil && len(network.Spec.ExternalIP.AutoAssignCIDRs) > 0 {
+			subnets = append(subnets, flowslatest.SubnetLabel{
+				Name:  "ExternalIP",
+				CIDRs: network.Spec.ExternalIP.AutoAssignCIDRs,
 			})
 		}
 	}

controllers/flp/flp_pipeline_builder.go

@@ -63,25 +63,27 @@ func (b *PipelineBuilder) AddProcessorStages() error {
 	allLabels := append(b.detectedSubnets, b.desired.Processor.SubnetLabels.CustomLabels...)
 	flpLabels := subnetLabelsToFLP(allLabels)
 
-	// enrich stage (transform) configuration
-	enrichedStage := lastStage.TransformNetwork("enrich", api.TransformNetwork{
-		Rules: api.NetworkTransformRules{{
+	rules := api.NetworkTransformRules{
+		{
 			Type: api.NetworkAddKubernetes,
 			Kubernetes: &api.K8sRule{
 				Input:   "SrcAddr",
 				Output:  "SrcK8S",
 				AddZone: addZone,
 			},
-		}, {
+		},
+		{
 			Type: api.NetworkAddKubernetes,
 			Kubernetes: &api.K8sRule{
 				Input:   "DstAddr",
 				Output:  "DstK8S",
 				AddZone: addZone,
 			},
-		}, {
+		},
+		{
 			Type: api.NetworkReinterpretDirection,
-		}, {
+		},
+		{
 			Type: api.NetworkAddKubernetesInfra,
 			KubernetesInfra: &api.K8sInfraRule{
 				Inputs: []string{
@@ -101,14 +103,38 @@ func (b *PipelineBuilder) AddProcessorStages() error {
 					},
 				},
 			},
-		}},
+		},
+	}
+
+	if len(flpLabels) > 0 {
+		rules = append(rules, []api.NetworkTransformRule{
+			{
+				Type: api.NetworkAddSubnetLabel,
+				AddSubnetLabel: &api.NetworkAddSubnetLabelRule{
+					Input:  "SrcAddr",
+					Output: "SrcSubnetLabel",
+				},
+			},
+			{
+				Type: api.NetworkAddSubnetLabel,
+				AddSubnetLabel: &api.NetworkAddSubnetLabelRule{
+					Input:  "DstAddr",
+					Output: "DstSubnetLabel",
+				},
+			},
+		}...)
+	}
+
+	// enrich stage (transform) configuration
+	enrichedStage := lastStage.TransformNetwork("enrich", api.TransformNetwork{
+		Rules: rules,
 		DirectionInfo: api.NetworkTransformDirectionInfo{
 			ReporterIPField:    "AgentIP",
 			SrcHostField:       "SrcK8S_HostIP",
 			DstHostField:       "DstK8S_HostIP",
 			FlowDirectionField: "FlowDirection",
 		},
-		IPCategories: flpLabels,
+		SubnetLabels: flpLabels,
 	})
 
 	// loki stage (write) configuration
@@ -475,10 +501,10 @@ func getKafkaSASL(sasl *flowslatest.SASLConfig, volumePrefix string, volumes *vo
 	}
 }
 
-func subnetLabelsToFLP(labels []flowslatest.SubnetLabel) []api.NetworkTransformIPCategory {
-	var cats []api.NetworkTransformIPCategory
+func subnetLabelsToFLP(labels []flowslatest.SubnetLabel) []api.NetworkTransformSubnetLabel {
+	var cats []api.NetworkTransformSubnetLabel
 	for _, subnetLabel := range labels {
-		cats = append(cats, api.NetworkTransformIPCategory{
+		cats = append(cats, api.NetworkTransformSubnetLabel{
 			Name:  subnetLabel.Name,
 			CIDRs: subnetLabel.CIDRs,
 		})

controllers/flp/flp_test.go

@@ -755,8 +755,8 @@ func TestLabels(t *testing.T) {
 
 	cfg := getConfig()
 	info := reconcilers.Common{Namespace: "ns"}
-	builder, _ := newMonolithBuilder(info.NewInstance(image, status.Instance{}), &cfg, &metricslatest.FlowMetricList{})
-	tBuilder, _ := newTransfoBuilder(info.NewInstance(image, status.Instance{}), &cfg, &metricslatest.FlowMetricList{})
+	builder, _ := newMonolithBuilder(info.NewInstance(image, status.Instance{}), &cfg, &metricslatest.FlowMetricList{}, nil)
+	tBuilder, _ := newTransfoBuilder(info.NewInstance(image, status.Instance{}), &cfg, &metricslatest.FlowMetricList{}, nil)
 
 	// Deployment
 	depl := tBuilder.deployment(annotate("digest"))

go.mod

@@ -6,7 +6,7 @@ toolchain go1.21.7
 
 require (
 	github.com/go-logr/logr v1.4.1
-	github.com/netobserv/flowlogs-pipeline v0.1.12-0.20240322124726-d2b2352bfe0f
+	github.com/netobserv/flowlogs-pipeline v0.1.12-0.20240325101510-5feb3c603334
 	github.com/onsi/ginkgo/v2 v2.16.0
 	github.com/onsi/gomega v1.31.1
 	github.com/openshift/api v0.0.0-20220112145620-704957ce4980
@@ -15,10 +15,10 @@ require (
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.29.2
+	k8s.io/api v0.29.3
 	k8s.io/apiextensions-apiserver v0.29.2
-	k8s.io/apimachinery v0.29.2
-	k8s.io/client-go v0.29.2
+	k8s.io/apimachinery v0.29.3
+	k8s.io/client-go v0.29.3
 	k8s.io/kube-aggregator v0.29.2
 	k8s.io/utils v0.0.0-20231127182322-b307cd553661
 	sigs.k8s.io/controller-runtime v0.17.2
@@ -40,7 +40,7 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect

go.sum

@@ -81,8 +81,8 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -155,8 +155,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/netobserv/flowlogs-pipeline v0.1.12-0.20240322124726-d2b2352bfe0f h1:JwOGw6FxAjknAaK9LciiDBEXmz5e6/KbU742bshpyW8=
-github.com/netobserv/flowlogs-pipeline v0.1.12-0.20240322124726-d2b2352bfe0f/go.mod h1:4RRivFK1Yvbrw76TB65PGAkDlleQE3O/h+0yNqofuFk=
+github.com/netobserv/flowlogs-pipeline v0.1.12-0.20240325101510-5feb3c603334 h1:46pTt4NT7s5buSwTe9YS+Vn+62kqFU1+vZ5I1QqcypQ=
+github.com/netobserv/flowlogs-pipeline v0.1.12-0.20240325101510-5feb3c603334/go.mod h1:aiCIZopeZfHuI1/jt/Gg2Cns2y4DOanIVJrOFRergYU=
 github.com/netobserv/prometheus-common v0.48.0-netobserv h1:yNde6dteyK69t7l3k8CcR2uM6q+S10xgCap7mofvvV8=
 github.com/netobserv/prometheus-common v0.48.0-netobserv/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
@@ -395,15 +395,15 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg=
-k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
-k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
+k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
+k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
 k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg=
 k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8=
 k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc=
-k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
-k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
-k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
+k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
+k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
+k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
+k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
 k8s.io/code-generator v0.23.0/go.mod h1:vQvOhDXhuzqiVfM/YHp+dmg10WDZCchJVObc9MvowsE=
 k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
 k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=

pkg/manager/manager.go

@@ -21,7 +21,6 @@ import (
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings;clusterroles;rolebindings;roles,verbs=get;list;create;delete;update;watch
 //+kubebuilder:rbac:groups=console.openshift.io,resources=consoleplugins,verbs=get;create;delete;update;patch;list;watch
 //+kubebuilder:rbac:groups=operator.openshift.io,resources=consoles,verbs=get;list;update;watch
-//+kubebuilder:rbac:groups=operator.openshift.io,resources=networks,verbs=get;list;watch
 //+kubebuilder:rbac:groups=flows.netobserv.io,resources=flowcollectors,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=flows.netobserv.io,resources=flowcollectors/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=flows.netobserv.io,resources=flowcollectors/finalizers,verbs=update
@@ -30,7 +29,7 @@ import (
 //+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=list;create;update;watch
 //+kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=list;get;watch
 //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;create;delete;update;patch;list;watch
-//+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch
+//+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions;networks,verbs=get;list;watch
 //+kubebuilder:rbac:groups=loki.grafana.com,resources=network,resourceNames=logs,verbs=get;create
 //+kubebuilder:rbac:urls="/metrics",verbs=get