From 9161e555a29c93af48175621cecdc5d3e0dad393 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aleix=20Ram=C3=ADrez?= Date: Tue, 4 Mar 2025 14:30:21 +0100 Subject: [PATCH 1/2] F #205: [OneKE] Adds ONEAPP_K8S_SERVICE_CIDR configuration parameter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aleix Ramírez --- appliances/OneKE/config.rb | 3 +++ appliances/OneKE/kubernetes.rb | 3 +++ 2 files changed, 6 insertions(+) diff --git a/appliances/OneKE/config.rb b/appliances/OneKE/config.rb index 1813b43d..33493dcf 100644 --- a/appliances/OneKE/config.rb +++ b/appliances/OneKE/config.rb @@ -42,6 +42,9 @@ ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED = env :ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED, 'YES' +# IPv4/IPv6 network CIDRs to use for cluster service IPs: https://docs.rke2.io/reference/server_config#networking +ONEAPP_K8S_SERVICE_CIDR = env :ONEAPP_K8S_SERVICE_CIDR, '10.43.0.0/16' + ONEAPP_VROUTER_ETH0_VIP0 = env :ONEAPP_VROUTER_ETH0_VIP0, nil ONEAPP_VROUTER_ETH1_VIP0 = env :ONEAPP_VROUTER_ETH1_VIP0, nil diff --git a/appliances/OneKE/kubernetes.rb b/appliances/OneKE/kubernetes.rb index b4399de9..a01a2b0b 100644 --- a/appliances/OneKE/kubernetes.rb +++ b/appliances/OneKE/kubernetes.rb @@ -206,6 +206,7 @@ def init_master 'disable-kube-proxy' => ONEAPP_K8S_CNI_PLUGIN == 'cilium', 'disable-cloud-controller' => ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED == false } + server_config['service-cidr'] = ONEAPP_K8S_SERVICE_CIDR unless ONEAPP_K8S_SERVICE_CIDR.to_s.empty? msg :info, 'Prepare initial rke2-server config' file '/etc/rancher/rke2/config.yaml', YAML.dump(server_config), overwrite: false 
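Review bot: `ONEAPP_K8S_SERVICE_CIDR` in appliances/OneKE/config.rb comes from the appliance context and is never checked to be a CIDR before the kubernetes.rb hunks of this patch write it to `/etc/rancher/rke2/config.yaml` and interpolate it into the `NO_PROXY=` line. `YAML.dump` quotes the value, but the `NO_PROXY` line is plain string interpolation, so whitespace or a newline in the value would presumably reach the proxy environment file unchanged (the `env` helper and the file writer are outside the patch). Consider parsing each comma-separated entry with `IPAddr.new` (needs `require 'ipaddr'`) and stopping with `msg :error` on `IPAddr::InvalidAddressError`. The same applies to `ONEAPP_K8S_CLUSTER_CIDR`, added in patch 2/2.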
@@ -263,6 +264,7 @@ def join_master(token, retries = RETRIES, seconds = SECONDS) 'disable-kube-proxy' => ONEAPP_K8S_CNI_PLUGIN == 'cilium', 'disable-cloud-controller' => ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED == false } + server_config['service-cidr'] = ONEAPP_K8S_SERVICE_CIDR unless ONEAPP_K8S_SERVICE_CIDR.to_s.empty? msg :info, 'Prepare rke2-server config' file '/etc/rancher/rke2/config.yaml', YAML.dump(server_config), overwrite: true @@ -396,6 +398,7 @@ def configure_rke2_proxy(current_role) no_proxy = ['127.0.0.1/32', 'localhost'] no_proxy << retrieve_endpoint_host(ONEAPP_K8S_CONTROL_PLANE_EP) if ONEAPP_K8S_CONTROL_PLANE_EP no_proxy << retrieve_endpoint_host(ONEAPP_RKE2_SUPERVISOR_EP) if ONEAPP_RKE2_SUPERVISOR_EP + no_proxy << ONEAPP_K8S_SERVICE_CIDR proxy_config << "NO_PROXY=#{no_proxy.uniq.join(',')}" else proxy_config << "NO_PROXY=#{ONEAPP_K8S_NO_PROXY}" From 5440c3f4bb23686778e39a40c8f48204f78bf218 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Thu, 13 Mar 2025 20:54:21 +0100 Subject: [PATCH 2/2] F #205: Add ONEAPPS_K8S_CLUSTER_CIDR + cleanups - Add ONEAPPS_K8S_CLUSTER_CIDR parameter - Fix loopback subnet - Cleanup ruby syntax --- appliances/OneKE/config.rb | 7 ++++--- appliances/OneKE/kubernetes.rb | 20 ++++++++++---------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/appliances/OneKE/config.rb b/appliances/OneKE/config.rb index 33493dcf..57a00b89 100644 --- a/appliances/OneKE/config.rb +++ b/appliances/OneKE/config.rb @@ -42,9 +42,6 @@ ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED = env :ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED, 'YES' -# IPv4/IPv6 network CIDRs to use for cluster service IPs: https://docs.rke2.io/reference/server_config#networking -ONEAPP_K8S_SERVICE_CIDR = env :ONEAPP_K8S_SERVICE_CIDR, '10.43.0.0/16' - ONEAPP_VROUTER_ETH0_VIP0 = env :ONEAPP_VROUTER_ETH0_VIP0, nil ONEAPP_VROUTER_ETH1_VIP0 = env :ONEAPP_VROUTER_ETH1_VIP0, nil 
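Review bot: In `configure_rke2_proxy` the added `no_proxy << ONEAPP_K8S_SERVICE_CIDR` is unconditional, while the `init_master` and `join_master` hunks of this same patch skip the value when `ONEAPP_K8S_SERVICE_CIDR.to_s.empty?`. If the variable can resolve to nil or an empty string (the `env` helper is not visible here), `no_proxy.uniq.join(',')` would emit an empty NO_PROXY entry. Use the same guard: `no_proxy << ONEAPP_K8S_SERVICE_CIDR unless ONEAPP_K8S_SERVICE_CIDR.to_s.empty?`. The `ONEAPP_K8S_CLUSTER_CIDR` append in patch 2/2 is written the same way, and the function body starts and ends outside the hunk.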
@@ -63,6 +60,10 @@ ONEAPP_K8S_CONTROL_PLANE_EP = env :ONEAPP_K8S_CONTROL_PLANE_EP, "#{ONEAPP_VROUTER_ETH0_VIP0}:#{ONEAPP_VNF_HAPROXY_LB1_PORT}" ONEAPP_K8S_EXTRA_SANS = env :ONEAPP_K8S_EXTRA_SANS, 'localhost,127.0.0.1' +# IPv4/IPv6 network CIDRs to use for cluster and service IPs: https://docs.rke2.io/reference/server_config#networking +ONEAPP_K8S_CLUSTER_CIDR = env :ONEAPP_K8S_CLUSTER_CIDR, '10.42.0.0/16' +ONEAPP_K8S_SERVICE_CIDR = env :ONEAPP_K8S_SERVICE_CIDR, '10.43.0.0/16' + # Proxy config for RKE2: https://docs.rke2.io/advanced#configuring-an-http-proxy ONEAPP_K8S_HTTP_PROXY = env :ONEAPP_K8S_HTTP_PROXY, nil ONEAPP_K8S_HTTPS_PROXY = env :ONEAPP_K8S_HTTPS_PROXY, nil diff --git a/appliances/OneKE/kubernetes.rb b/appliances/OneKE/kubernetes.rb index a01a2b0b..f23af077 100644 --- a/appliances/OneKE/kubernetes.rb +++ b/appliances/OneKE/kubernetes.rb @@ -13,15 +13,11 @@ def install_kubernetes(airgap_dir = ONE_AIRGAP_DIR) rke2_release_url = "https://github.com/rancher/rke2/releases/download/#{ONE_SERVICE_RKE2_VERSION}" - amap= { - "x86_64" => "amd64", - "aarch64" => "arm64" - } begin - arch = amap[`arch`.strip] + arch = {'x86_64' => 'amd64', 'aarch64' => 'arm64'}[`arch`.strip] rescue KeyError - msg :error, "Unknown architecture" - exit 1 + msg :error, 'Unknown architecture' + exit 1 end msg :info, "Install RKE2 runtime: #{ONE_SERVICE_RKE2_VERSION}" @@ -203,10 +199,11 @@ def init_master 'node-taint' => ['CriticalAddonsOnly=true:NoExecute'], 'disable' => ['rke2-ingress-nginx'], 'cni' => cni, + 'cluster-cidr' => ONEAPP_K8S_CLUSTER_CIDR, + 'service-cidr' => ONEAPP_K8S_SERVICE_CIDR, 'disable-kube-proxy' => ONEAPP_K8S_CNI_PLUGIN == 'cilium', 'disable-cloud-controller' => ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED == false } - server_config['service-cidr'] = ONEAPP_K8S_SERVICE_CIDR unless ONEAPP_K8S_SERVICE_CIDR.to_s.empty? msg :info, 'Prepare initial rke2-server config' file '/etc/rancher/rke2/config.yaml', YAML.dump(server_config), overwrite: false 
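Review bot: The `rescue KeyError` kept in the `install_kubernetes` hunk can never fire, because indexing a Hash with `[]` returns nil for a missing key instead of raising. On an unrecognised architecture `arch` is therefore nil and the `msg :error` / `exit 1` path is skipped. `arch` is presumably used to build the release download names further down, outside the hunk, so a nil there would fail later and less clearly. Calling `.fetch` on the hash literal instead of `[]` makes the existing rescue reachable, since `Hash#fetch` raises `KeyError`.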
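Review bot: The `init_master` hash now always carries `'cluster-cidr'` and `'service-cidr'`, and the `.to_s.empty?` guard that patch 1/2 had for `service-cidr` is removed (the `join_master` hunk does the same). If a context variable is set to an empty string and the `env` helper (not visible here) passes it through, `YAML.dump` writes `service-cidr: ''` to `/etc/rancher/rke2/config.yaml` rather than omitting the key so rke2 falls back to its default. Either keep a per-key guard or drop blank entries before dumping, e.g. `server_config.delete_if { |k, v| k.end_with?('-cidr') && v.to_s.empty? }`.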
@@ -261,10 +258,11 @@ def join_master(token, retries = RETRIES, seconds = SECONDS) 'node-taint' => ['CriticalAddonsOnly=true:NoExecute'], 'disable' => ['rke2-ingress-nginx'], 'cni' => cni, + 'cluster-cidr' => ONEAPP_K8S_CLUSTER_CIDR, + 'service-cidr' => ONEAPP_K8S_SERVICE_CIDR, 'disable-kube-proxy' => ONEAPP_K8S_CNI_PLUGIN == 'cilium', 'disable-cloud-controller' => ONEAPP_RKE2_CLOUD_CONTROLLER_ENABLED == false } - server_config['service-cidr'] = ONEAPP_K8S_SERVICE_CIDR unless ONEAPP_K8S_SERVICE_CIDR.to_s.empty? msg :info, 'Prepare rke2-server config' file '/etc/rancher/rke2/config.yaml', YAML.dump(server_config), overwrite: true @@ -394,10 +392,12 @@ def configure_rke2_proxy(current_role) proxy_config = [] proxy_config << "HTTP_PROXY=#{ONEAPP_K8S_HTTP_PROXY}" unless ONEAPP_K8S_HTTP_PROXY.nil? proxy_config << "HTTPS_PROXY=#{ONEAPP_K8S_HTTPS_PROXY}" unless ONEAPP_K8S_HTTPS_PROXY.nil? + if ONEAPP_K8S_NO_PROXY.to_s.empty? - no_proxy = ['127.0.0.1/32', 'localhost'] + no_proxy = ['127.0.0.0/8', 'localhost'] no_proxy << retrieve_endpoint_host(ONEAPP_K8S_CONTROL_PLANE_EP) if ONEAPP_K8S_CONTROL_PLANE_EP no_proxy << retrieve_endpoint_host(ONEAPP_RKE2_SUPERVISOR_EP) if ONEAPP_RKE2_SUPERVISOR_EP + no_proxy << ONEAPP_K8S_CLUSTER_CIDR no_proxy << ONEAPP_K8S_SERVICE_CIDR proxy_config << "NO_PROXY=#{no_proxy.uniq.join(',')}" else
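Review bot: The generated list in `configure_rke2_proxy` now keeps the cluster and service CIDRs away from the proxy, but the `else` branch does not add them. Its body lies outside this hunk; patch 1/2 shows it writing `ONEAPP_K8S_NO_PROXY` verbatim. An operator who sets a custom `ONEAPP_K8S_NO_PROXY` can therefore end up routing in-cluster traffic through the external proxy. That deserves a comment next to the parameter in config.rb, for example `# When set, replaces the generated list: include ONEAPP_K8S_CLUSTER_CIDR and ONEAPP_K8S_SERVICE_CIDR yourself`.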