agent: add flock.fritzlab.net/addresses annotation (eth0 static IPs)

Like anycast, addresses IPs are advertised via BGP (/128+/32) and get
host routes via the AnycastReconciler. The sole difference: they are
assigned to pod eth0 instead of lo, so workloads that inspect their
primary interface (e.g. Plex remote-access detection) see the public IP
directly.

- annotations.go: annAddresses const, Addresses []net.IP in ParsedAnnotations
- state.go: Addresses []string persisted in allocations.json
- anycast.go: resolveAnycastTargets processes Anycast+Addresses together
- netns_linux.go: configurePodSide assigns Addresses to eth0
- netns_stub.go: mirror Addresses field for non-Linux builds
- handlers.go: thread Addresses through ADD path

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

pkg/agent/annotations.go

@@ -22,6 +22,7 @@ const (
 	annCIDR4     = "cidr4"
 	annIPAlgo    = "ip-algo"
 	annAnycast   = "anycast"
+	annAddresses = "addresses"
 )
 
 // FamilyDefaults is the per-call baseline for whether a pod receives an IPv6
@@ -91,6 +92,13 @@ type ParsedAnnotations struct {
 	// Anycast is the set of anycast IPs to bind on the pod's loopback.
 	// nil/empty means "no anycast".
 	Anycast []net.IP
+	// Addresses is the set of additional IPs to bind directly on the pod's
+	// eth0. BGP advertisement (/128+/32) is identical to Anycast; the only
+	// difference is that these IPs land on the primary interface instead of
+	// lo. Use this when the workload needs the IP directly visible on eth0
+	// (e.g. Plex, which inspects its own interfaces for remote-access setup).
+	// nil/empty means "no extra addresses".
+	Addresses []net.IP
 }
 
 // ParseAnnotations applies the supplied per-node defaults and validates the
@@ -150,6 +158,14 @@ func ParseAnnotations(in map[string]string, defaults FamilyDefaults) (*ParsedAnn
 		out.Anycast = ips
 	}
 
+	if v, ok := in[annotationPrefix+annAddresses]; ok {
+		ips, err := parseIPList(v)
+		if err != nil {
+			return nil, fmt.Errorf("annotation %s: %w", annAddresses, err)
+		}
+		out.Addresses = ips
+	}
+
 	return out, nil
 }
 

pkg/agent/anycast.go

@@ -64,7 +64,7 @@ func resolveAnycastTargets(
 	}
 	out := map[string]anycastTarget{}
 	for _, a := range allocations {
-		if a.State != StateCommitted || len(a.Anycast) == 0 {
+		if a.State != StateCommitted || (len(a.Anycast) == 0 && len(a.Addresses) == 0) {
 			continue
 		}
 		if !isReady(a.Namespace, a.PodName) {
@@ -73,7 +73,9 @@ func resolveAnycastTargets(
 		host := HostIfaceName(a.ContainerID)
 		via6 := net.ParseIP(a.IP6)
 		via4 := net.ParseIP(a.IP4)
-		for _, ipStr := range a.Anycast {
+		// Anycast (lo-bound) and Addresses (eth0-bound) are advertised
+		// identically: /128 or /32 host route on the host, BGP via BIRD.
+		for _, ipStr := range append(a.Anycast, a.Addresses...) {
 			ip := net.ParseIP(ipStr)
 			if ip == nil {
 				continue

pkg/agent/handlers.go

@@ -167,6 +167,7 @@ func (h *PodHandler) Add(ctx context.Context, req flockcni.Request) (*current.Re
 		IP6:         ipString(res.IP6),
 		IP4:         ipString(res.IP4),
 		Anycast:     anycastStrings(parsed.Anycast),
+		Addresses:   anycastStrings(parsed.Addresses),
 		State:       StatePending,
 		AllocatedAt: time.Now().UTC(),
 	}
@@ -183,6 +184,7 @@ func (h *PodHandler) Add(ctx context.Context, req flockcni.Request) (*current.Re
 		IP6:         res.IP6,
 		IP4:         res.IP4,
 		Anycast:     parsed.Anycast,
+		Addresses:   parsed.Addresses,
 	}
 	if err := h.SetupFunc(setup); err != nil {
 		// Roll forward: leave pending entry in place so startup GC can clean

pkg/agent/netns_linux.go

@@ -25,6 +25,11 @@ type SetupRequest struct {
 	// Host /128 and /32 routes are NOT installed here — that happens once
 	// the pod becomes Ready, see AnycastReconciler.
 	Anycast []net.IP
+	// Addresses are additional IPs to bind directly on pod eth0 (NOT lo).
+	// BGP advertisement is handled identically to Anycast by the
+	// AnycastReconciler. Use when the workload needs the IP on its primary
+	// interface (e.g. Plex remote-access detection).
+	Addresses []net.IP
 }
 
 // LinkLocalGW is the deterministic IPv6 LL gateway placed on every host
@@ -269,6 +274,23 @@ func configurePodSide(req SetupRequest) error {
 			}
 		}
 
+		// Addresses: assign directly to pod eth0. Host routing and BGP
+		// advertisement are handled identically to Anycast by the
+		// AnycastReconciler (host route via pod-eth0-ip, /128+/32 in BIRD).
+		for _, ip := range req.Addresses {
+			var mask net.IPMask
+			if ip.To4() != nil {
+				mask = net.CIDRMask(32, 32)
+				ip = ip.To4()
+			} else {
+				mask = net.CIDRMask(128, 128)
+			}
+			a := &netlink.Addr{IPNet: &net.IPNet{IP: ip, Mask: mask}, Scope: int(netlink.SCOPE_UNIVERSE)}
+			if err := netlink.AddrAdd(eth0, a); err != nil && !errors.Is(err, os.ErrExist) {
+				return fmt.Errorf("pod eth0 address %s: %w", ip, err)
+			}
+		}
+
 		return nil
 	})
 }

pkg/agent/netns_stub.go

@@ -16,6 +16,7 @@ type SetupRequest struct {
 	IP6         net.IP
 	IP4         net.IP
 	Anycast     []net.IP
+	Addresses   []net.IP
 }
 
 // Setup is unimplemented on non-Linux platforms; the agent only runs in

pkg/agent/state.go

@@ -33,6 +33,7 @@ type Allocation struct {
 	IP6         string          `json:"ip6,omitempty"`
 	IP4         string          `json:"ip4,omitempty"`
 	Anycast     []string        `json:"anycast,omitempty"`
+	Addresses   []string        `json:"addresses,omitempty"`
 	State       AllocationState `json:"state"`
 	AllocatedAt time.Time       `json:"allocated_at"`
 }