Update sunet-l4lb-namespace

Make it able to delete addresses that are no longer in the netns config.
Also make it read one netns-base.json for hardware config which is
managed by puppet but also make it look for netns-sunet-cdn-agent.json
which is not created by puppet. This file will be generated by
sunet-cdn-agent and will include the configuration for dummy0.

global/overlay/etc/puppet/modules/cdn/files/l4lb/sunet-l4lb-namespace

@@ -13,6 +13,7 @@ pylint sunet-l4lb-namespace
 mypy --strict sunet-l4lb-namespace
 """
 
+import ipaddress
 import json
 import shlex
 import subprocess
@@ -21,6 +22,7 @@ import sys
 
 def run_command(cmd: str) -> subprocess.CompletedProcess[str]:
     """Execute subprocess command"""
+    print(f"{cmd}")
     args = shlex.split(cmd)
     try:
         proc = subprocess.run(args, capture_output=True, check=True, encoding="utf-8")
@@ -35,12 +37,15 @@ def run_command(cmd: str) -> subprocess.CompletedProcess[str]:
     return proc
 
 
-def configure_interfaces(
+def configure_interfaces(  # pylint: disable=too-many-locals,too-many-branches
     namespace: str, if_data: dict[str, dict[str, list[str]]]
 ) -> None:
     """Configure interfaces"""
-    proc = run_command("ip netns exec l4lb ip -j addr show")
+    proc = run_command(f"ip netns exec {namespace} ip -j addr show")
     namespace_ifs = json.loads(proc.stdout)
+
+    ipv4_key = "ipv4"
+    ipv6_key = "ipv6"
     for if_name, data in if_data.items():
         if_exists = next(
             (True for interface in namespace_ifs if interface["ifname"] == if_name),
@@ -54,10 +59,15 @@ def configure_interfaces(
             else:
                 run_command(f"ip link set {if_name} netns {namespace}")
 
+            run_command(f"ip netns exec {namespace} ip link set {if_name} up")
+
         proc = run_command(f"ip netns exec {namespace} ip -j addr show dev {if_name}")
         if_conf = json.loads(proc.stdout)
-        for ipv4_cidr in data["ipv4"]:
+
-            ip4, prefix = ipv4_cidr.split("/")
+        # Add missing addresses from config
+        if ipv4_key in data:
+            for configured_ipv4_cidr in data[ipv4_key]:
+                ip4, prefix = configured_ipv4_cidr.split("/")
                 v4_addr_exists = next(
                     (
                         True
@@ -68,9 +78,10 @@ def configure_interfaces(
                 )
                 if not v4_addr_exists:
                     run_command(
-                    f"ip netns exec {namespace} ip addr add {ipv4_cidr} dev {if_name}"
+                        f"ip netns exec {namespace} ip addr add {configured_ipv4_cidr} dev {if_name}"  # pylint: disable=line-too-long
                     )
-        for ipv6_cidr in data["ipv6"]:
+        if ipv6_key in data:
+            for ipv6_cidr in data[ipv6_key]:
                 ip6, prefix = ipv6_cidr.split("/")
                 v6_addr_exists = next(
                     (
@@ -85,7 +96,36 @@ def configure_interfaces(
                         f"ip netns exec {namespace} ip addr add {ipv6_cidr} dev {if_name}"
                     )
 
-        run_command(f"ip netns exec {namespace} ip link set {if_name} up")
+        # Remove no longer configured addresseses
+        for addr_info in if_conf[0]["addr_info"]:
+            # Ignore addresses like fe80
+            if addr_info["scope"] != "global":
+                continue
+
+            cidr = "/".join((addr_info["local"], str(addr_info["prefixlen"])))
+
+            # We need strict=False because otherwise ip_network() gets angry if
+            # there are host bits set in the address (which of course there is
+            # because we are parsing actual interface configs, not pure
+            # "networks")
+            cidr_net = ipaddress.ip_network(cidr, strict=False)
+
+            needs_removal = False
+            if cidr_net.version == 4:
+                if ipv4_key not in data or cidr not in data[ipv4_key]:
+                    needs_removal = True
+            elif cidr_net.version == 6:
+                if ipv6_key not in data or cidr not in data[ipv6_key]:
+                    needs_removal = True
+            else:
+                raise ValueError(
+                    f"Expected IPv4 or IPv6, got something else: {cidr_net.version}"
+                )
+
+            if needs_removal:
+                run_command(
+                    f"ip netns exec {namespace} ip addr del {cidr} dev {if_name}"
+                )
 
 
 def setup_namespaces(netns_data: dict[str, dict[str, dict[str, list[str]]]]) -> None:
@@ -129,9 +169,19 @@ def main() -> None:
     #    }
     #  }
     # }
-    with open("/opt/sunet-cdn/l4lb/conf/netns.json", encoding="utf-8") as f:
-        netns_data = json.load(f)
 
+    input_files = [
+        "/opt/sunet-cdn/l4lb/conf/netns-base.json",
+        "/opt/sunet-cdn/l4lb/conf/netns-sunet-cdn-agent.json",
+    ]
+
+    for input_file in input_files:
+        try:
+            with open(input_file, encoding="utf-8") as f:
+                netns_data = json.load(f)
+        except FileNotFoundError:
+            print(f"skipping nonexistant file '{input_file}'")
+            continue
         setup_namespaces(netns_data)
 
 

global/overlay/etc/puppet/modules/cdn/manifests/l4lb.pp

@@ -54,12 +54,12 @@ class cdn::l4lb(
     mode   => '0640',
   }
 
-  file { '/opt/sunet-cdn/l4lb/conf/netns.json':
+  file { '/opt/sunet-cdn/l4lb/conf/netns-base.json':
     ensure  => file,
     owner   => 'root',
     group   => 'root',
     mode    => '0644',
-    content => template('cdn/l4lb/netns.json.erb'),
+    content => template('cdn/l4lb/netns-base.json.erb'),
   }
 
   file { '/usr/local/bin/sunet-l4lb-namespace':

global/overlay/etc/puppet/modules/cdn/templates/l4lb/netns-base.json.erb

@@ -15,14 +15,6 @@
       "ipv6": [
         "2001:6b0:2006:75::1/127"
       ]
-    },
-    "dummy0": {
-      "ipv4": [
-        "188.240.152.1/32"
-      ],
-      "ipv6": [
-        "2001:6b0:2100::1/128"
-      ]
     }
   }
 }