From da881fb320ab7eb6f40ddc98fe5629aab433bc11 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Sat, 14 Jan 2023 17:33:41 -0800
Subject: [PATCH] Move NonMasqueradeCIDR to nodeup.Config

---
 nodeup/pkg/model/containerd.go | 4 ++--
 nodeup/pkg/model/context.go | 9 +++++++++
 nodeup/pkg/model/kubelet.go | 2 +-
 nodeup/pkg/model/prefix.go | 2 +-
 nodeup/pkg/model/sysctls.go | 2 +-
 pkg/apis/nodeup/config.go | 17 +++++++++++------
 6 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/nodeup/pkg/model/containerd.go b/nodeup/pkg/model/containerd.go
index 612a72eb80..fb47507a4b 100644
--- a/nodeup/pkg/model/containerd.go
+++ b/nodeup/pkg/model/containerd.go
@@ -407,12 +407,12 @@ iptables -w -t nat -A IP-MASQ -d {{.NonMasqueradeCIDR}} -m comment --comment "ip
 iptables -w -t nat -A IP-MASQ -m comment --comment "ip-masq: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
 `
 
-	if b.Cluster.Spec.Networking.NonMasqueradeCIDR == "" {
+	if b.NodeupConfig.Networking.NonMasqueradeCIDR == "" {
 		// We could fall back to the pod CIDR, that is likely more correct anyway
 		return fmt.Errorf("NonMasqueradeCIDR is not set")
 	}
 
-	script = strings.ReplaceAll(script, "{{.NonMasqueradeCIDR}}", b.Cluster.Spec.Networking.NonMasqueradeCIDR)
+	script = strings.ReplaceAll(script, "{{.NonMasqueradeCIDR}}", b.NodeupConfig.Networking.NonMasqueradeCIDR)
 
 	c.AddTask(&nodetasks.File{
 		Path: "/opt/kops/bin/cni-iptables-setup",
diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
index ac6135dfe2..ab072874f4 100644
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/kops/pkg/systemd"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+	"k8s.io/kops/upup/pkg/fi/utils"
 	"k8s.io/kops/util/pkg/architectures"
 	"k8s.io/kops/util/pkg/distributions"
 	"k8s.io/kops/util/pkg/vfs"
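Review bot: The substituted value is only checked for being non-empty before it is spliced by ReplaceAll into the shell script that becomes /opt/kops/bin/cni-iptables-setup, so a malformed NonMasqueradeCIDR arriving via the nodeup config would be interpolated verbatim into the iptables command and only fail (or misbehave) when the script runs on the node. Since the field now comes from NodeupConfig rather than the cluster spec, it is worth parsing it before the substitution, e.g. `cidr := b.NodeupConfig.Networking.NonMasqueradeCIDR` followed by `if _, _, err := net.ParseCIDR(cidr); err != nil { return fmt.Errorf("invalid NonMasqueradeCIDR %q: %w", cidr, err) }` (this needs `net` imported if it is not already). Whether cluster-spec validation already guarantees a well-formed value upstream is not visible in this hunk. The enclosing Build function starts and ends outside the hunk.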
@@ -114,6 +115,14 @@ func (c *NodeupModelContext) APIInternalName() string {
 	return "api.internal." + c.NodeupConfig.ClusterName
 }
 
+func (c *NodeupModelContext) IsIPv6Only() bool {
+	return utils.IsIPv6CIDR(c.NodeupConfig.Networking.NonMasqueradeCIDR)
+}
+
+func (c *NodeupModelContext) IsKopsControllerIPAM() bool {
+	return c.IsIPv6Only()
+}
+
 // SSLHostPaths returns the TLS paths for the distribution
 func (c *NodeupModelContext) SSLHostPaths() []string {
 	paths := []string{"/etc/ssl", "/etc/pki/tls", "/etc/pki/ca-trust"}
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index a0b79814e2..03b1727627 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@@ -325,7 +325,7 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 		flags += " --tls-private-key-file=" + b.PathSrvKubernetes() + "/kubelet-server.key"
 	}
 
-	if b.Cluster.Spec.IsIPv6Only() {
+	if b.IsIPv6Only() {
 		flags += " --node-ip=::"
 	}
 
diff --git a/nodeup/pkg/model/prefix.go b/nodeup/pkg/model/prefix.go
index deb452c179..1abb19a78d 100644
--- a/nodeup/pkg/model/prefix.go
+++ b/nodeup/pkg/model/prefix.go
@@ -28,7 +28,7 @@ type PrefixBuilder struct {
 var _ fi.NodeupModelBuilder = &PrefixBuilder{}
 
 func (b *PrefixBuilder) Build(c *fi.NodeupModelBuilderContext) error {
-	if !b.Cluster.Spec.IsKopsControllerIPAM() {
+	if !b.IsKopsControllerIPAM() {
 		return nil
 	}
 	c.AddTask(&nodetasks.Prefix{
diff --git a/nodeup/pkg/model/sysctls.go b/nodeup/pkg/model/sysctls.go
index 223c20f632..657baef8be 100644
--- a/nodeup/pkg/model/sysctls.go
+++ b/nodeup/pkg/model/sysctls.go
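Review bot: IsIPv6Only and IsKopsControllerIPAM are exported methods added without doc comments, and IsKopsControllerIPAM just returns IsIPv6Only, which a reader cannot tell is deliberate rather than a placeholder. Suggest `// IsIPv6Only reports whether the NonMasqueradeCIDR carried in nodeup.Config is an IPv6 range.` and `// IsKopsControllerIPAM reports whether kops-controller performs IPAM for this node; currently this is exactly the IPv6-only case.` These presumably mirror the Cluster.Spec methods they replace in kubelet.go, prefix.go and sysctls.go; if the cluster-spec IsKopsControllerIPAM has conditions beyond IPv6-only, the replacement silently changes which nodes get the Prefix task, so that equivalence is worth confirming in the commit. An empty NonMasqueradeCIDR presumably makes IsIPv6Only return false here, whereas containerd.go treats the same condition as a hard error, so a one-line comment on that asymmetry would help.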
@@ -147,7 +147,7 @@ func (b *SysctlBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 		}
 	}
 
-	if b.Cluster.Spec.IsIPv6Only() {
+	if b.IsIPv6Only() {
 		if b.Distribution == distributions.DistributionDebian11 {
 			// Accepting Router Advertisements must be enabled for each existing network interface to take effect.
 			// net.ipv6.conf.all.accept_ra takes effect only for newly created network interfaces.
diff --git a/pkg/apis/nodeup/config.go b/pkg/apis/nodeup/config.go
index 44caf85240..8a7260103e 100644
--- a/pkg/apis/nodeup/config.go
+++ b/pkg/apis/nodeup/config.go
@@ -61,6 +61,8 @@ type Config struct {
 	KubeletConfig kops.KubeletConfigSpec
 	// KubeProxy defines the kube-proxy configuration.
 	KubeProxy *kops.KubeProxyConfig
+	// Networking configures networking.
+	Networking kops.NetworkingSpec
 	// NTPUnmanaged is true when NTP is not managed by kOps.
 	NTPUnmanaged bool `json:",omitempty"`
 	// SysctlParameters will configure kernel parameters using sysctl(8). When
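Review bot: The doc comment `// Networking configures networking.` on the new Config.Networking field does not say which parts of kops.NetworkingSpec are actually carried; NewConfig in the following hunk of this file populates only NonMasqueradeCIDR and leaves every other field zero-valued, so a builder reading any other NodeupConfig.Networking field would silently get an empty value. Suggest `// Networking holds the subset of the cluster's NetworkingSpec that nodeup needs. Only NonMasqueradeCIDR is populated; all other fields are zero-valued.` Embedding the full NetworkingSpec type for a single field also widens what the nodeup config format can carry, so a dedicated small struct would make the contract more explicit, though that is a larger design choice than this commit. The Config struct and NewConfig both extend beyond their hunks.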
@@ -178,12 +180,15 @@ func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Confi
 		KubernetesVersion: cluster.Spec.KubernetesVersion,
 		CAs: map[string]string{},
 		KeypairIDs: map[string]string{},
-		SysctlParameters: instanceGroup.Spec.SysctlParameters,
-		VolumeMounts: instanceGroup.Spec.VolumeMounts,
-		FileAssets: append(filterFileAssets(instanceGroup.Spec.FileAssets, role), filterFileAssets(cluster.Spec.FileAssets, role)...),
-		Hooks: [][]kops.HookSpec{igHooks, clusterHooks},
-		ContainerRuntime: cluster.Spec.ContainerRuntime,
-		Docker: cluster.Spec.Docker,
+		Networking: kops.NetworkingSpec{
+			NonMasqueradeCIDR: cluster.Spec.Networking.NonMasqueradeCIDR,
+		},
+		SysctlParameters: instanceGroup.Spec.SysctlParameters,
+		VolumeMounts: instanceGroup.Spec.VolumeMounts,
+		FileAssets: append(filterFileAssets(instanceGroup.Spec.FileAssets, role), filterFileAssets(cluster.Spec.FileAssets, role)...),
+		Hooks: [][]kops.HookSpec{igHooks, clusterHooks},
+		ContainerRuntime: cluster.Spec.ContainerRuntime,
+		Docker: cluster.Spec.Docker,
 	}
 
 	bootConfig := BootConfig{