NodeConfig defaults + code-quality pass + fuzz tests + README

NodeConfig.Spec.Defaults adds per-node IPv6/IPv4 family defaults that pod annotations can override; built-in baseline (v6=true, v4=false) still applies when the field is omitted. bird.Render now validates every operator-supplied value (peer addresses, CIDRs, anycast IPs, source addresses) before templating — fuzz found a peer address containing `}` produced unbalanced braces in bird.conf. Failing input preserved as a regression seed. Fuzz targets added for ParseAnnotations, ParseCNIArgs, HostIfaceName, canonical, IPAM allocate sequences, embed.Embed, and bird.Render. Hardened canonical/ipToU32 against nil and non-IPv4 inputs. README rewritten for outside readers — quickstart, NodeConfig + annotation reference with worked examples, anycast use cases, comparison vs Calico and Cilium, requirements, limitations. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-04-25 09:25:45 -05:00
parent 677aec2a42
commit 71e584cf96
17 changed files with 1583 additions and 100 deletions
@@ -20,6 +20,9 @@ spec:
        openAPIV3Schema:
          type: object
          required: [spec]
+          description: |
+            NodeConfig is the per-node operator-supplied configuration for the
+            flock CNI agent. Its name MUST equal the Kubernetes node name.
          properties:
            spec:
              type: object
@@ -35,6 +38,25 @@ spec:
                  items:
                    type: string
                    description: IPv4 CIDR owned and aggregate-advertised by this node.
+                defaults:
+                  type: object
+                  description: |
+                    Per-node baseline for which address families a pod receives
+                    when its own annotations don't specify. Pod annotations
+                    flock.fritzlab.net/ipv6 and flock.fritzlab.net/ipv4 always
+                    override these defaults. Built-in fallback (when this block
+                    or any field is omitted) is IPv6=true, IPv4=false.
+                  properties:
+                    ipv6:
+                      type: boolean
+                      description: |
+                        Default IPv6 inclusion for pods on this node. Omit to
+                        inherit the built-in baseline (true).
+                    ipv4:
+                      type: boolean
+                      description: |
+                        Default IPv4 inclusion for pods on this node. Omit to
+                        inherit the built-in baseline (false).
                bgp:
                  type: object
                  required: [asn, peers]
@@ -70,6 +92,12 @@ spec:
        - name: CIDR4
          type: string
          jsonPath: .spec.cidr4
+        - name: DefV6
+          type: boolean
+          jsonPath: .spec.defaults.ipv6
+        - name: DefV4
+          type: boolean
+          jsonPath: .spec.defaults.ipv4
 ---
 apiVersion: v1
 kind: ServiceAccount