refactor(encapsulation): rename LocalIP to CNICompatibilityIP

Rename the encapsulation interface method and all related struct
fields and annotation keys from Cilium-specific names to generic
CNI compatibility names, as requested in review.

Changes:
- LocalIP() -> CNICompatibilityIP() returning *net.IPNet
- CiliumInternalIP -> CNICompatibilityIP in Node struct
- ciliumInternalIPs -> cniCompatibilityIPs in segment struct
- kilo.squat.ai/cilium-internal-ip -> kilo.squat.ai/cni-compatibility-ip
- Add comments for ignored errors and IPv4 filter in cilium.go

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Author: kvaps

pkg/encapsulation/cilium.go

@@ -58,28 +58,33 @@ func (c *cilium) CleanUp() error {
 // Gw returns the correct gateway IP associated with the given node.
 // It returns the Cilium internal IP so that the IPIP outer packets are routed
 // through Cilium's VxLAN overlay rather than the host network.
-func (c *cilium) Gw(_, _, ciliumIP net.IP, subnet *net.IPNet) net.IP {
-	if ciliumIP != nil {
-		return ciliumIP
+func (c *cilium) Gw(_, _, cniIP net.IP, subnet *net.IPNet) net.IP {
+	if cniIP != nil {
+		return cniIP
 	}
 	return subnet.IP
 }
 
-// LocalIP returns the IP address of the cilium_host interface.
+// CNICompatibilityIP returns the IP address of the cilium_host interface.
 // This IP is advertised to other nodes so they can route IPIP outer
 // packets through Cilium's overlay.
-func (c *cilium) LocalIP() net.IP {
+func (c *cilium) CNICompatibilityIP() *net.IPNet {
 	iface, err := net.InterfaceByName(ciliumHostIface)
 	if err != nil {
+		// cilium_host does not exist; Cilium may not be running.
 		return nil
 	}
 	addrs, err := iface.Addrs()
 	if err != nil {
+		// Unable to list addresses; safe to skip since the
+		// CNI compatibility IP is only used for optimization.
 		return nil
 	}
 	for _, a := range addrs {
+		// IPIP tunnels use IPv4 encapsulation, so only IPv4
+		// addresses are usable as the outer header source/destination.
 		if ipNet, ok := a.(*net.IPNet); ok && ipNet.IP.To4() != nil {
-			return ipNet.IP
+			return ipNet
 		}
 	}
 	return nil

pkg/encapsulation/encapsulation.go

@@ -49,9 +49,9 @@ type Encapsulator interface {
 	Gw(net.IP, net.IP, net.IP, *net.IPNet) net.IP
 	Index() int
 	Init(int) error
-	// LocalIP returns the local overlay IP that should be advertised
-	// to other nodes. For Cilium, this is the IP of the cilium_host interface.
-	LocalIP() net.IP
+	// CNICompatibilityIP returns the local overlay IP that should be
+	// advertised to other nodes for CNI-compatible routing.
+	CNICompatibilityIP() *net.IPNet
 	Rules([]*net.IPNet) iptables.RuleSet
 	Set(*net.IPNet) error
 	Strategy() Strategy

pkg/encapsulation/flannel.go

@@ -54,8 +54,8 @@ func (f *flannel) Gw(_, _, _ net.IP, subnet *net.IPNet) net.IP {
 	return subnet.IP
 }
 
-// LocalIP is a no-op for Flannel.
-func (f *flannel) LocalIP() net.IP {
+// CNICompatibilityIP is a no-op for Flannel.
+func (f *flannel) CNICompatibilityIP() *net.IPNet {
 	return nil
 }
 

pkg/encapsulation/ipip.go

@@ -45,8 +45,8 @@ func (i *ipip) Gw(_, internal, _ net.IP, _ *net.IPNet) net.IP {
 	return internal
 }
 
-// LocalIP is a no-op for IPIP.
-func (i *ipip) LocalIP() net.IP {
+// CNICompatibilityIP is a no-op for IPIP.
+func (i *ipip) CNICompatibilityIP() *net.IPNet {
 	return nil
 }
 

pkg/encapsulation/noop.go

@@ -33,8 +33,8 @@ func (n Noop) Gw(_, _, _ net.IP, _ *net.IPNet) net.IP {
 	return nil
 }
 
-// LocalIP will also do nothing.
-func (n Noop) LocalIP() net.IP {
+// CNICompatibilityIP will also do nothing.
+func (n Noop) CNICompatibilityIP() *net.IPNet {
 	return nil
 }
 

pkg/k8s/backend.go

@@ -63,7 +63,7 @@ const (
 	discoveredEndpointsKey        = "kilo.squat.ai/discovered-endpoints"
 	allowedLocationIPsKey         = "kilo.squat.ai/allowed-location-ips"
 	granularityKey                = "kilo.squat.ai/granularity"
-	ciliumInternalIPAnnotationKey = "kilo.squat.ai/cilium-internal-ip"
+	cniCompatibilityIPAnnotationKey = "kilo.squat.ai/cni-compatibility-ip"
 	// RegionLabelKey is the key for the well-known Kubernetes topology region label.
 	RegionLabelKey  = "topology.kubernetes.io/region"
 	jsonPatchSlash  = "~1"
@@ -242,10 +242,10 @@ func (nb *nodeBackend) Set(ctx context.Context, name string, node *mesh.Node) er
 		n.ObjectMeta.Annotations[discoveredEndpointsKey] = string(discoveredEndpoints)
 	}
 	n.ObjectMeta.Annotations[granularityKey] = string(node.Granularity)
-	if node.CiliumInternalIP != nil {
-		n.ObjectMeta.Annotations[ciliumInternalIPAnnotationKey] = node.CiliumInternalIP.String()
+	if node.CNICompatibilityIP != nil {
+		n.ObjectMeta.Annotations[cniCompatibilityIPAnnotationKey] = node.CNICompatibilityIP.String()
 	} else {
-		n.ObjectMeta.Annotations[ciliumInternalIPAnnotationKey] = ""
+		n.ObjectMeta.Annotations[cniCompatibilityIPAnnotationKey] = ""
 	}
 	oldData, err := json.Marshal(old)
 	if err != nil {
@@ -348,10 +348,10 @@ func translateNode(node *v1.Node, topologyLabel string) *mesh.Node {
 	// TODO log some error or warning.
 	key, _ := wgtypes.ParseKey(node.ObjectMeta.Annotations[keyAnnotationKey])
 
-	// Parse the Cilium internal IP if present.
-	var ciliumInternalIP net.IP
-	if cipStr, ok := node.ObjectMeta.Annotations[ciliumInternalIPAnnotationKey]; ok && cipStr != "" {
-		ciliumInternalIP = net.ParseIP(cipStr)
+	// Parse the CNI compatibility IP if present.
+	var cniCompatibilityIP *net.IPNet
+	if cipStr, ok := node.ObjectMeta.Annotations[cniCompatibilityIPAnnotationKey]; ok && cipStr != "" {
+		cniCompatibilityIP = normalizeIP(cipStr)
 	}
 
 	return &mesh.Node{
@@ -364,7 +364,7 @@ func translateNode(node *v1.Node, topologyLabel string) *mesh.Node {
 		Endpoint:            endpoint,
 		NoInternalIP:        noInternalIP,
 		InternalIP:          internalIP,
-		CiliumInternalIP:    ciliumInternalIP,
+		CNICompatibilityIP:  cniCompatibilityIP,
 		Key:                 key,
 		LastSeen:            lastSeen,
 		Leader:              leader,

pkg/mesh/backend.go

@@ -61,7 +61,7 @@ type Node struct {
 	Key              wgtypes.Key
 	NoInternalIP     bool
 	InternalIP       *net.IPNet
-	CiliumInternalIP net.IP
+	CNICompatibilityIP *net.IPNet
 	// LastSeen is a Unix time for the last time
 	// the node confirmed it was live.
 	LastSeen int64

pkg/mesh/mesh.go

@@ -412,7 +412,7 @@ func (m *Mesh) handleLocal(ctx context.Context, n *Node) {
 		Key:                 m.pub,
 		NoInternalIP:        n.NoInternalIP,
 		InternalIP:          n.InternalIP,
-		CiliumInternalIP:    m.enc.LocalIP(),
+		CNICompatibilityIP:  m.enc.CNICompatibilityIP(),
 		LastSeen:            time.Now().Unix(),
 		Leader:              n.Leader,
 		Location:            n.Location,
@@ -700,7 +700,7 @@ func nodesAreEqual(a, b *Node) bool {
 	return a.Key.String() == b.Key.String() &&
 		ipNetsEqual(a.WireGuardIP, b.WireGuardIP) &&
 		ipNetsEqual(a.InternalIP, b.InternalIP) &&
-		a.CiliumInternalIP.Equal(b.CiliumInternalIP) &&
+		ipNetsEqual(a.CNICompatibilityIP, b.CNICompatibilityIP) &&
 		a.Leader == b.Leader &&
 		a.Location == b.Location &&
 		a.Name == b.Name &&

pkg/mesh/routes.go

@@ -40,7 +40,7 @@ func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface
 		var gw net.IP
 		for _, segment := range t.segments {
 			if segment.location == t.location {
-				gw = enc.Gw(t.updateEndpoint(segment.endpoint, segment.key, &segment.persistentKeepalive).IP(), segment.privateIPs[segment.leader], segment.ciliumInternalIPs[segment.leader], segment.cidrs[segment.leader])
+				gw = enc.Gw(t.updateEndpoint(segment.endpoint, segment.key, &segment.persistentKeepalive).IP(), segment.privateIPs[segment.leader], ipFromIPNet(segment.cniCompatibilityIPs[segment.leader]), segment.cidrs[segment.leader])
 				break
 			}
 		}
@@ -61,7 +61,7 @@ func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface
 						if segment.privateIPs[i].Equal(t.privateIP.IP) {
 							continue
 						}
-						nodeGw := enc.Gw(nil, segment.privateIPs[i], segment.ciliumInternalIPs[i], segment.cidrs[i])
+						nodeGw := enc.Gw(nil, segment.privateIPs[i], ipFromIPNet(segment.cniCompatibilityIPs[i]), segment.cidrs[i])
 						routes = append(routes, encapsulateRoute(&netlink.Route{
 							Dst:       segment.cidrs[i],
 							Flags:     int(netlink.FLAG_ONLINK),
@@ -156,7 +156,7 @@ func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface
 					if segment.privateIPs[i].Equal(t.privateIP.IP) {
 						continue
 					}
-					nodeGw := enc.Gw(nil, segment.privateIPs[i], segment.ciliumInternalIPs[i], segment.cidrs[i])
+					nodeGw := enc.Gw(nil, segment.privateIPs[i], ipFromIPNet(segment.cniCompatibilityIPs[i]), segment.cidrs[i])
 					routes = append(routes, encapsulateRoute(&netlink.Route{
 						Dst:       segment.cidrs[i],
 						Flags:     int(netlink.FLAG_ONLINK),
@@ -202,7 +202,7 @@ func (t *Topology) Routes(kiloIfaceName string, kiloIface, privIface, tunlIface
 					if segment.privateIPs[i].Equal(t.privateIP.IP) {
 						continue
 					}
-					nodeGw := enc.Gw(nil, segment.privateIPs[i], segment.ciliumInternalIPs[i], segment.cidrs[i])
+					nodeGw := enc.Gw(nil, segment.privateIPs[i], ipFromIPNet(segment.cniCompatibilityIPs[i]), segment.cidrs[i])
 					if nodeGw != nil && !nodeGw.Equal(segment.privateIPs[i]) {
 						routes = append(routes, &netlink.Route{
 							Dst:       oneAddressCIDR(segment.privateIPs[i]),

pkg/mesh/topology.go

@@ -86,8 +86,8 @@ type segment struct {
 	leader int
 	// privateIPs is a slice of private IPs of all peers in the segment.
 	privateIPs []net.IP
-	// ciliumInternalIPs is a slice of Cilium internal IPs of all peers in the segment.
-	ciliumInternalIPs []net.IP
+	// cniCompatibilityIPs is a slice of CNI compatibility IPs of all peers in the segment.
+	cniCompatibilityIPs []*net.IPNet
 	// wireGuardIP is the allocated IP address of the WireGuard
 	// interface on the leader of the segment.
 	wireGuardIP net.IP
@@ -157,7 +157,7 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra
 		var cidrs []*net.IPNet
 		var hostnames []string
 		var privateIPs []net.IP
-		var ciliumInternalIPs []net.IP
+		var cniCompatibilityIPs []*net.IPNet
 		for _, node := range topoMap[location] {
 			// Allowed IPs should include:
 			// - the node's allocated subnet
@@ -177,7 +177,7 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra
 				allowedIPs = append(allowedIPs, *oneAddressCIDR(node.InternalIP.IP))
 				privateIPs = append(privateIPs, node.InternalIP.IP)
 			}
-			ciliumInternalIPs = append(ciliumInternalIPs, node.CiliumInternalIP)
+			cniCompatibilityIPs = append(cniCompatibilityIPs, node.CNICompatibilityIP)
 			cidrs = append(cidrs, node.Subnet)
 			hostnames = append(hostnames, node.Name)
 		}
@@ -195,7 +195,7 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra
 			hostnames:           hostnames,
 			leader:              leader,
 			privateIPs:          privateIPs,
-			ciliumInternalIPs:   ciliumInternalIPs,
+			cniCompatibilityIPs: cniCompatibilityIPs,
 			allowedLocationIPs:  allowedLocationIPs,
 		})
 		level.Debug(t.logger).Log("msg", "generated segment", "location", location, "allowedIPs", allowedIPs, "endpoint", topoMap[location][leader].Endpoint, "cidrs", cidrs, "hostnames", hostnames, "leader", leader, "privateIPs", privateIPs, "allowedLocationIPs", allowedLocationIPs)
@@ -419,6 +419,14 @@ func oneAddressCIDR(ip net.IP) *net.IPNet {
 	return &net.IPNet{IP: ip, Mask: net.CIDRMask(len(ip)*8, len(ip)*8)}
 }
 
+// ipFromIPNet extracts the IP from a *net.IPNet, returning nil if the IPNet is nil.
+func ipFromIPNet(n *net.IPNet) net.IP {
+	if n == nil {
+		return nil
+	}
+	return n.IP
+}
+
 // findLeader selects a leader for the nodes in a segment;
 // it will select the first node that says it should lead
 // or the first node in the segment if none have volunteered,