metis: implement Metis SQLite store initialization (#1009)

* metis: implement Metis SQLite store initialization

* address comments

* remove tests around the sidelock file

* go mod tidy && address new comments from Ivy

* actually ensure that all the goroutines start at the same time

* update comments in the test

* add docstring to the concurrency test

* argh, last edit

* add MaxOpenConns test

* make DefaultDBPath a well known metis location

* address qzhao's comments

* fix test

Author: arvindbr8

metis/go.mod

@@ -3,6 +3,8 @@ module k8s.io/metis
 go 1.24.13
 
 require (
+	github.com/go-logr/logr v1.4.3
+	github.com/mattn/go-sqlite3 v1.14.37
 	github.com/spf13/cobra v1.10.0
 	github.com/spf13/pflag v1.0.10
 	k8s.io/component-base v0.34.2
@@ -15,7 +17,6 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

metis/go.sum

@@ -34,6 +34,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/mattn/go-sqlite3 v1.14.37 h1:3DOZp4cXis1cUIpCfXLtmlGolNLp2VEqhiB/PARNBIg=
+github.com/mattn/go-sqlite3 v1.14.37/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

metis/ipam/consts.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipam
+
+const DefaultDBPath = "/var/lib/cni/metis/metis.sqlite"

metis/ipam/schema.sql

@@ -0,0 +1,105 @@
+-- cidr_blocks tracks the lifecycle and utilization of all IP alias ranges 
+-- provisioned to this node by GCE.
+CREATE TABLE IF NOT EXISTS cidr_blocks (
+    -- Unique identifier for the CIDR block.
+    -- Note: SQLite INTEGER uses variable length encoding with a max of 8 bytes.
+    -- This provides a theoretical max of 2^63, which is sufficient for 
+    -- 1 pod allocation per second for ~6 billion years.
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+
+    -- The actual IP range allocated from GCE. 
+    -- Example: '10.0.1.0/28'
+    cidr TEXT UNIQUE NOT NULL,
+
+    -- The logical network this block belongs to, matching the CNI networkName.
+    -- Example: 'gke-pod-network'
+    network TEXT NOT NULL,
+
+    -- The protocol family of the IP range.
+    -- Example: 'ipv4' or 'ipv6'
+    ip_family TEXT NOT NULL,
+
+    -- The total number of IP addresses contained within this block.
+    -- Note: SQLite does not support unsigned integers, so standard INTEGER is used.
+    -- Example: 16
+    total_ips INTEGER NOT NULL,
+
+    -- The current count of IPs within this block that are actively assigned to pods.
+    -- Example: 5
+    allocated_ips INTEGER DEFAULT 0,
+
+    -- The current operational state of the block. 
+    -- Expected values: 'Ready', 'Draining', 'Deleting'
+    state TEXT NOT NULL DEFAULT 'Ready',
+
+    -- Timestamp of when this block was successfully pulled from the CRD.
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+
+    -- Timestamp of the last mutation to this block's state or capacity.
+    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+
+-- ip_addresses tracks the assignment state, ownership, and cooldown periods 
+-- of every individual IP address managed by the daemon.
+CREATE TABLE IF NOT EXISTS ip_addresses (
+    -- Unique identifier for the individual IP record.
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+
+    -- The specific IP address string.
+    -- Example: '10.0.1.2'
+    address TEXT UNIQUE NOT NULL,
+
+    -- The parent CIDR block this IP belongs to. 
+    -- Enforces cascading deletes if the parent block is removed by the daemon.
+    cidr_block_id INTEGER NOT NULL,
+
+    -- The CNI_CONTAINER_ID of the pod currently holding this IP.
+    -- Example: 'f093u09jfioj...'
+    container_id TEXT,
+
+    -- The Kubernetes Pod Name holding this IP.
+    pod_name TEXT,
+
+    -- The Kubernetes Pod Namespace holding this IP.
+    pod_namespace TEXT,
+
+    -- The CNI_IFNAME inside the container holding this IP.
+    -- Example: 'eth0'
+    interface_name TEXT,
+
+    -- Represents whether the IP is currently held by an active pod.
+    is_allocated BOOLEAN DEFAULT FALSE,
+
+    -- Timestamp indicating when a released IP has finished its "cool-down" 
+    -- period and is safe to be reassigned without risking NEG routing collisions.
+    release_at TIMESTAMP, 
+
+    -- Timestamp of when the IP was assigned to its current container_id.
+    allocated_at TIMESTAMP,
+
+    -- Timestamp of the last mutation to this IP record.
+    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+
+    FOREIGN KEY (cidr_block_id) REFERENCES cidr_blocks(id) ON DELETE CASCADE
+);
+
+-- Index to optimize the daemon's search for the next available IP address.
+CREATE INDEX IF NOT EXISTS idx_available_ips 
+    ON ip_addresses(cidr_block_id, id) 
+    WHERE is_allocated = FALSE;
+
+-- Composite index to guarantee fast, idempotent lookups during CNI cmdAdd retries.
+CREATE INDEX IF NOT EXISTS idx_ip_idempotency
+    ON ip_addresses(container_id, interface_name);
+
+-- Automatically update the updated_at timestamp on cidr_blocks mutations.
+CREATE TRIGGER IF NOT EXISTS update_cidr_blocks_updated_at
+    AFTER UPDATE ON cidr_blocks FOR EACH ROW BEGIN
+    UPDATE cidr_blocks SET updated_at = CURRENT_TIMESTAMP WHERE id = OLD.id;
+    END;
+
+-- Automatically update the updated_at timestamp on ip_addresses mutations.
+CREATE TRIGGER IF NOT EXISTS update_ip_addresses_updated_at
+    AFTER UPDATE ON ip_addresses FOR EACH ROW BEGIN
+        UPDATE ip_addresses SET updated_at = CURRENT_TIMESTAMP WHERE id = OLD.id;
+    END;

metis/ipam/store.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipam
+
+import (
+	"database/sql"
+	_ "embed"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/go-logr/logr"
+	_ "github.com/mattn/go-sqlite3" // SQLite driver
+)
+
+//go:embed schema.sql
+var schemaSQL string
+
+const (
+	// dbSchemaVersion tracks the SQLite schema version to allow safe local
+	// migrations and prevent state corruption across daemon restarts.
+	dbSchemaVersion = 1
+	maxOpenConns    = 10
+	maxIdleConns    = 10
+)
+
+// Store manages database operations for IPAM.
+type Store struct {
+	db  *sql.DB
+	log logr.Logger
+}
+
+// NewStore creates a new Store instance and initializes the database.
+func NewStore(log logr.Logger, dbPath string) (*Store, error) {
+	if dbPath == "" {
+		return nil, fmt.Errorf("dbPath cannot be empty: an absolute path must be explicitly provided")
+	}
+
+	log.Info("Opening or creating database", "path", dbPath)
+
+	if err := os.MkdirAll(filepath.Dir(dbPath), 0755); err != nil {
+		return nil, fmt.Errorf("failed to create db directory: %w", err)
+	}
+
+	// SQLite is configured directly through the DSN string. This approach
+	// guarantees every new connection spawned by the sql.DB pool inherits these
+	// exact configurations natively.
+	dsn := dbPath +
+		// Enables Write-Ahead Logging (WAL) mode. This significantly improves
+		// concurrency by allowing multiple readers to access the database
+		// simultaneously without blocking a writer, which is critical for burst
+		// requests.
+		// See: https://www.sqlite.org/pragma.html#pragma_journal_mode
+		"?_journal_mode=WAL" +
+		// Enforces foreign key constraints. SQLite ignores these by default.
+		// This is required to ensure ON DELETE CASCADE functions correctly on the
+		// ip_addresses table when a draining CIDR block is officially removed.
+		// See: https://www.sqlite.org/pragma.html#pragma_foreign_keys
+		"&_foreign_keys=on" +
+		// Sets the busy timeout to 5000 milliseconds. If the database is locked
+		// by another transaction, this tells the SQLite driver to wait for up
+		// to 5 seconds before giving up and returning a locked error.
+		// See: https://www.sqlite.org/pragma.html#pragma_busy_timeout
+		"&_busy_timeout=5000" +
+		// Instructs the Go driver to send "BEGIN IMMEDIATE" instead of standard
+		// "BEGIN" when starting a transaction. This grabs a write lock instantly,
+		// preventing deadlocks when concurrent requests try to upgrade their
+		// read locks to write locks simultaneously. Note: This is a go-sqlite3
+		// driver feature, not a native SQLite PRAGMA.
+		// See: https://github.com/mattn/go-sqlite3#connection-string
+		"&_txlock=immediate" +
+		// Maps to PRAGMA synchronous = NORMAL. In WAL mode, this is the optimal
+		// setting for high-concurrency daemons. It prevents database corruption
+		// during power loss or hard crashes while offering much faster write
+		// performance than FULL mode, sacrificing only a few milliseconds of
+		// un-checkpointed durability.
+		// See: https://www.sqlite.org/pragma.html#pragma_synchronous
+		"&_synchronous=1"
+
+	db, err := sql.Open("sqlite3", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open database: %w", err)
+	}
+
+	db.SetMaxOpenConns(maxOpenConns)
+	db.SetMaxIdleConns(maxIdleConns)
+	// Sets the maximum amount of time a connection may be reused to infinity
+	// (0). This guarantees the single connection never expires.
+	db.SetConnMaxLifetime(0)
+
+	store := &Store{
+		db:  db,
+		log: log,
+	}
+
+	// Only a single process enters this execution block at a time.
+	if err := store.initSchema(); err != nil {
+		db.Close()
+		return nil, fmt.Errorf("failed to initialize schema: %w", err)
+	}
+
+	log.Info("Initialized or updated database schema", "path", dbPath)
+
+	return store, nil
+}
+
+// initSchema creates the necessary tables if they don't exist.
+func (s *Store) initSchema() error {
+	var currentVersion int
+	err := s.db.QueryRow("PRAGMA user_version").Scan(&currentVersion)
+	if err != nil {
+		return fmt.Errorf("failed to check schema version: %w", err)
+	}
+
+	if currentVersion == dbSchemaVersion {
+		s.log.V(4).Info("Database schema already initialized", "version", currentVersion)
+		return nil
+	}
+
+	s.log.Info("Initializing DB schema", "currentVersion", currentVersion, "expectedVersion", dbSchemaVersion)
+
+	// 1. Begin an atomic transaction
+	tx, err := s.db.Begin()
+	if err != nil {
+		return fmt.Errorf("failed to begin transaction: %w", err)
+	}
+	// Safe to defer; Rollback does nothing if Commit() is successful
+	defer tx.Rollback()
+
+	// 2. Execute the embedded schema.sql file
+	if _, err := tx.Exec(schemaSQL); err != nil {
+		return fmt.Errorf("failed to execute schema.sql: %w", err)
+	}
+
+	// 3. Set User Version
+	setVersion := fmt.Sprintf("PRAGMA user_version = %d;", dbSchemaVersion)
+	if _, err := tx.Exec(setVersion); err != nil {
+		return fmt.Errorf("failed to set user_version: %w", err)
+	}
+
+	// 4. Commit everything atomically
+	if err := tx.Commit(); err != nil {
+		return fmt.Errorf("failed to commit schema transaction: %w", err)
+	}
+
+	s.log.Info("Database schema initialized or updated successfully")
+	return nil
+}
+
+// Close safely closes the database connection and releases any file locks.
+// This should be called during the daemon's graceful shutdown sequence.
+func (s *Store) Close() error {
+	s.log.Info("Closing IPAM database connection")
+
+	if err := s.db.Close(); err != nil {
+		return fmt.Errorf("failed to close database connection: %w", err)
+	}
+
+	return nil
+}