Add AS-path set actions to RoutingPolicy CRD

Extend the RoutingPolicy API with a new SetASPath action under
BgpActions, supporting prepend, prepend last-as repeat-n, replace, and
explicit AS-path operations. The API uses vendor-agnostic types
with intstr.IntOrString for AS numbers (plain and dotted notation
per RFC 5396) and CEL validation rules for mutual exclusivity.

While this API is not fully supported in openconfig, which only seems to
model the set-as-path-prepend options currently, it seems to be
supported on multiple vendors, including Cisco NX-OS[^1] and Nokia SR
Linux[^2]. As such it qualifies for being added to the core CRDs as it
can be supported across different vendors.

[^1]: https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/106x/configuration/unicast-routing-configuration/cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide/m_configuring_route_policy_manager.html
[^2]: https://documentation.nokia.com/srlinux/25-7/books/data-model-reference/srl_nokia-routing-policy_0.html

Author: felix-kaestner

PROJECT

@@ -214,6 +214,9 @@ resources:
   kind: RoutingPolicy
   path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 - api:
     crdVersion: v1
     namespaced: true

api/core/v1alpha1/routingpolicy_types.go

@@ -8,6 +8,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // RoutingPolicySpec defines the desired state of RoutingPolicy
@@ -96,7 +97,7 @@ const (
 )
 
 // BgpActions defines BGP-specific actions for a policy statement.
-// +kubebuilder:validation:XValidation:rule="has(self.setCommunity) || has(self.setExtCommunity)",message="at least one BGP action must be specified"
+// +kubebuilder:validation:XValidation:rule="has(self.setCommunity) || has(self.setExtCommunity) || has(self.setASPath)",message="at least one BGP action must be specified"
 type BgpActions struct {
 	// SetCommunity configures BGP standard community attributes.
 	// +optional
@@ -105,6 +106,62 @@ type BgpActions struct {
 	// SetExtCommunity configures BGP extended community attributes.
 	// +optional
 	SetExtCommunity *SetExtCommunityAction `json:"setExtCommunity,omitempty"`
+
+	// SetASPath configures modifications to the BGP AS path attribute.
+	// +optional
+	SetASPath *SetASPathAction `json:"setASPath,omitempty"`
+}
+
+// SetASPathAction defines actions to modify the BGP AS path attribute.
+// +kubebuilder:validation:XValidation:rule="has(self.prepend) || has(self.replace) || has(self.asNumber)",message="at least one AS path action must be specified"
+type SetASPathAction struct {
+	// Prepend configures prepending to the AS path.
+	// +optional
+	Prepend *SetASPathPrepend `json:"prepend,omitempty"`
+
+	// Replace configures replacement of AS numbers in the AS path.
+	// +optional
+	Replace *SetASPathReplace `json:"replace,omitempty"`
+
+	// ASNumber sets the AS path to the specified AS number.
+	// Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+	// +optional
+	ASNumber *intstr.IntOrString `json:"asNumber,omitempty"`
+}
+
+// SetASPathPrepend configures prepending to the BGP AS path.
+// Either asNumber or useLastAS must be specified, but not both.
+// +kubebuilder:validation:XValidation:rule="has(self.asNumber) != has(self.useLastAS)",message="exactly one of asNumber or useLastAS must be specified"
+type SetASPathPrepend struct {
+	// ASNumber is the autonomous system number to prepend to the AS path.
+	// Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+	// +optional
+	ASNumber *intstr.IntOrString `json:"asNumber,omitempty"`
+
+	// UseLastAS prepends the last AS number in the existing AS path the specified number of times.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=10
+	UseLastAS *int32 `json:"useLastAS,omitempty"`
+}
+
+// SetASPathReplace configures replacement of AS numbers in the BGP AS path.
+// Either privateAS or asNumber must be specified, but not both.
+// +kubebuilder:validation:XValidation:rule="has(self.privateAS) != has(self.asNumber)",message="exactly one of privateAS or asNumber must be specified"
+type SetASPathReplace struct {
+	// PrivateAS, when set to true, targets all private AS numbers in the path for replacement.
+	// +optional
+	PrivateAS bool `json:"privateAS,omitempty"`
+
+	// ASNumber targets a specific AS number in the path for replacement.
+	// Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+	// +optional
+	ASNumber *intstr.IntOrString `json:"asNumber,omitempty"`
+
+	// Replacement is the AS number to substitute in place of matched AS numbers.
+	// Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+	// +required
+	Replacement intstr.IntOrString `json:"replacement"`
 }
 
 // SetCommunityAction defines the action to set BGP standard communities.

api/core/v1alpha1/zz_generated.deepcopy.go

@@ -142,6 +142,82 @@ spec:
                             BgpActions specifies BGP-specific actions to apply when the route is accepted.
                             Only applicable when RouteDisposition is AcceptRoute.
                           properties:
+                            setASPath:
+                              description: |-
+                                SetASPath configures modifications to the BGP AS path attribute.
+                                Not all providers may support this action.
+                              properties:
+                                asNumber:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  description: |-
+                                    ASNumber sets the AS path to the specified AS number.
+                                    Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                  x-kubernetes-int-or-string: true
+                                prepend:
+                                  description: Prepend configures prepending to the
+                                    AS path.
+                                  properties:
+                                    asNumber:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: |-
+                                        ASNumber is the autonomous system number to prepend to the AS path.
+                                        Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                        Mutually exclusive with useLastAS.
+                                      x-kubernetes-int-or-string: true
+                                    useLastAS:
+                                      description: |-
+                                        UseLastAS prepends the last AS number in the existing AS path the specified number of times.
+                                        Mutually exclusive with asNumber.
+                                      format: int32
+                                      maximum: 10
+                                      minimum: 1
+                                      type: integer
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: exactly one of asNumber or useLastAS
+                                      must be specified
+                                    rule: has(self.asNumber) != has(self.useLastAS)
+                                replace:
+                                  description: Replace configures replacement of AS
+                                    numbers in the AS path.
+                                  properties:
+                                    asNumber:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: |-
+                                        ASNumber targets a specific AS number in the path for replacement.
+                                        Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                        Mutually exclusive with privateAS.
+                                      x-kubernetes-int-or-string: true
+                                    privateAS:
+                                      description: |-
+                                        PrivateAS, when set to true, targets all private AS numbers in the path for replacement.
+                                        Mutually exclusive with asNumber.
+                                      type: boolean
+                                    replacement:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: |-
+                                        Replacement is the AS number to substitute in place of matched AS numbers.
+                                        Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                      x-kubernetes-int-or-string: true
+                                  required:
+                                  - replacement
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: exactly one of privateAS or asNumber
+                                      must be specified
+                                    rule: has(self.privateAS) != has(self.asNumber)
+                              type: object
+                              x-kubernetes-validations:
+                              - message: at least one AS path action must be specified
+                                rule: has(self.prepend) || has(self.replace) || has(self.asNumber)
                             setCommunity:
                               description: SetCommunity configures BGP standard community
                                 attributes.
@@ -178,6 +254,7 @@ spec:
                           x-kubernetes-validations:
                           - message: at least one BGP action must be specified
                             rule: has(self.setCommunity) || has(self.setExtCommunity)
+                              || has(self.setASPath)
                         routeDisposition:
                           description: RouteDisposition specifies whether to accept
                             or reject the route.

charts/network-operator/templates/crd/routingpolicies.networking.metal.ironcore.dev.yaml

@@ -627,6 +627,11 @@ func main() {
 			os.Exit(1)
 		}
 
+		if err := webhookv1alpha1.SetupRoutingPolicyWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "Failed to create webhook", "webhook", "RoutingPolicy")
+			os.Exit(1)
+		}
+
 		if err := webhooknxv1alpha1.SetupNetworkVirtualizationEdgeConfigWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "NetworkVirtualizationEdgeConfig")
 			os.Exit(1)

cmd/main.go

@@ -139,6 +139,78 @@ spec:
                             BgpActions specifies BGP-specific actions to apply when the route is accepted.
                             Only applicable when RouteDisposition is AcceptRoute.
                           properties:
+                            setASPath:
+                              description: SetASPath configures modifications to the
+                                BGP AS path attribute.
+                              properties:
+                                asNumber:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  description: |-
+                                    ASNumber sets the AS path to the specified AS number.
+                                    Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                  x-kubernetes-int-or-string: true
+                                prepend:
+                                  description: Prepend configures prepending to the
+                                    AS path.
+                                  properties:
+                                    asNumber:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: |-
+                                        ASNumber is the autonomous system number to prepend to the AS path.
+                                        Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                      x-kubernetes-int-or-string: true
+                                    useLastAS:
+                                      description: UseLastAS prepends the last AS
+                                        number in the existing AS path the specified
+                                        number of times.
+                                      format: int32
+                                      maximum: 10
+                                      minimum: 1
+                                      type: integer
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: exactly one of asNumber or useLastAS
+                                      must be specified
+                                    rule: has(self.asNumber) != has(self.useLastAS)
+                                replace:
+                                  description: Replace configures replacement of AS
+                                    numbers in the AS path.
+                                  properties:
+                                    asNumber:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: |-
+                                        ASNumber targets a specific AS number in the path for replacement.
+                                        Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                      x-kubernetes-int-or-string: true
+                                    privateAS:
+                                      description: PrivateAS, when set to true, targets
+                                        all private AS numbers in the path for replacement.
+                                      type: boolean
+                                    replacement:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: |-
+                                        Replacement is the AS number to substitute in place of matched AS numbers.
+                                        Supports both plain format (1-4294967295) and dotted notation (1-65535.0-65535) as per RFC 5396.
+                                      x-kubernetes-int-or-string: true
+                                  required:
+                                  - replacement
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: exactly one of privateAS or asNumber
+                                      must be specified
+                                    rule: has(self.privateAS) != has(self.asNumber)
+                              type: object
+                              x-kubernetes-validations:
+                              - message: at least one AS path action must be specified
+                                rule: has(self.prepend) || has(self.replace) || has(self.asNumber)
                             setCommunity:
                               description: SetCommunity configures BGP standard community
                                 attributes.
@@ -175,6 +247,7 @@ spec:
                           x-kubernetes-validations:
                           - message: at least one BGP action must be specified
                             rule: has(self.setCommunity) || has(self.setExtCommunity)
+                              || has(self.setASPath)
                         routeDisposition:
                           description: RouteDisposition specifies whether to accept
                             or reject the route.