From 527fb541ea1b2d5748280b5f801848876417b002 Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Tue, 9 May 2023 15:31:02 +0200 Subject: [PATCH 01/11] apps sc & wc: private subnet as node-ips --- bin/update-ips.bash | 176 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 166 insertions(+), 10 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index 6890bc6c2..3028dedfd 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash 
@@ -51,6 +51,84 @@ diffIPs() { return ${DIFF_RETURN} } +getConfigIPS() { + local source_file="$1" + local config_file="$2" + + local configIPS=() + while IFS= read -r line; do + if [[ $line != */32 ]]; then + configIPS+=("${line//[- ]/}") + fi + done < <(yq4 e "$source_file" "$config_file") + + echo "${configIPS[@]}" +} + +updateConfigFile() { + local source_file="$1" + local config_file="$2" + local ip="$3" + + if [[ $ip =~ "/" ]]; then + yq4 -i "${source_file}"' |= . + ["'"${ip}"'"]' "${config_file}" + else + yq4 -i "${source_file}"' |= . + ["'"${ip}"'/32"]' "${config_file}" + fi +} + +performIPCheck() { + local kubectlIP="$1" + local configIP="$2" + local output + + output=$(performTheIPCheck "$kubectlIP" "$configIP") + + if [[ $output == "True" ]]; then + if [[ " ${inside_subnet[*]} " != *" $kubectlIP "* ]]; then + inside_subnet+=("$kubectlIP") + + # Create a new array without the matching string. + filtered_array=() + for kubectl_ip in "${IPS[@]}"; do + if [[ "$kubectl_ip" != "$kubectlIP" ]]; then + filtered_array+=("$kubectl_ip") + fi + done + + # Create and set a clean kubeIP list without copies. + IPS=("${filtered_array[@]}") + fi + + if [[ " ${working_subnet[*]} " != *" $configIP "* ]]; then + working_subnet+=("$configIP") + fi + elif [[ $output == "False" ]]; then + : + else + echo "$output". This string is disregarded. + fi +} + +performTheIPCheck() { + local kubectlIP="$1" + local configIP="$2" + + local output + output=$(python3 -c " +import ipaddress +try: + result = ipaddress.ip_address('${kubectlIP}') in ipaddress.ip_network('${configIP}') + print('True' if result else 'False') +except ipaddress.AddressValueError: + print('Invalid IP address') +except Exception as e: + print('Error:', e) +") + + echo "$output" +} + # Fetches the IPs from a specified address # Usage: getDNSIPs getDNSIPs() { 
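Review bot: performTheIPCheck splices `${kubectlIP}` and `${configIP}` into the Python program text, so a config-file entry or resolver answer that contains a quote is parsed as Python instead of being rejected by `ip_network()`; pass the values as arguments instead: `import ipaddress, sys` / `result = ipaddress.ip_address(sys.argv[1]) in ipaddress.ip_network(sys.argv[2])`, invoked as `python3 -c "..." "$kubectlIP" "$configIP"`. The same interpolation survives in the one-liner introduced at the `@@ -80` hunk of PATCH 02 and in its later copies (PATCH 06 `@@ -81`, PATCH 07 `@@ -171`), and updateConfigFile's yq expression (`["'"${ip}"'"]`) follows the same splicing pattern the pre-existing code already used. In the else branch of performIPCheck, `echo "$output". This string is disregarded.` emits the unquoted tail as extra words on stdout; drop it or send the message to stderr with `printf '%s\n' "$output" >&2`.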
@@ -74,12 +152,50 @@ diffDNSIPs() { # Updates the list from the file and yaml path specified with IPs fetched from the domain # Usage: updateDNSIPs updateDNSIPs() { - read -r -a IPS <<< "$(getDNSIPs "${1}")" + endpoint="${1}" + inputSource="${2}" + inputConfig="$3" - yq4 -i "${2}"' = []' "${3}" - for ip in "${IPS[@]}"; do - yq4 -i "${2}"' |= . + ["'"${ip}"'/32"]' "${3}" - done + read -r -a IPS <<<"$(getDNSIPs "${endpoint}")" + + IPS_copy=("${IPS[@]}") + + multiIPRanges=() + + read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" + + inside_subnet=() + working_subnet=() + + # Clear config-values + yq4 -i "$inputSource"' = []' "$inputConfig" + + # IF config-value is not empty, go ahread with the following: + # 1. Check if any got kubectlIPs fits inside of the IPs existing in the config-files. + # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. + # 3. Merge the working subnet-adresses and kube-addresses into a finalized list. + if [ "${multiIPRanges[*]}" != '[]' ]; then + for upstreamDNSIP in "${IPS_copy[@]}"; do + + for configIP in "${multiIPRanges[@]}"; do + performIPCheck "$upstreamDNSIP" "$configIP" + + done + + done + + working_subnet+=("${IPS[@]}") + + for ip in "${working_subnet[@]}"; do + updateConfigFile "$inputSource" "$inputConfig" "$ip" + done + else + yq4 -i "${inputSource}"' = []' "${inputConfig}" + for ip in "${IPS[@]}"; do + updateConfigFile "$inputSource" "$inputConfig" "$ip/32" + done + + fi } # Usage: updateIPs 
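Review bot: `endpoint`, `inputSource`, `inputConfig`, `IPS_copy`, `multiIPRanges`, `inside_subnet` and `working_subnet` are assigned without `local`, so updateDNSIPs leaks them into the caller's scope and a later call can observe stale values; declare them `local` (only `IPS` needs to stay shared, since performIPCheck rewrites it). The same applies to `cloud`, `label`, `inputSource`, `inputConfig` and the helper arrays in updateKubectlIPs (`@@ -125` hunk) and survives the rename to `configKey`/`configFile` in PATCH 06. Note also that the list in the config file is emptied (`yq4 -i "$inputSource"' = []'`) before any containment check runs, so a `python3` or `yq4` failure part-way through leaves the file with a truncated list; assembling the final list first and writing it in one step closes that window.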
@@ -125,13 +241,53 @@ diffKubectlIPs() { # Updates the list from the file and yaml path specified with IPs fetched from the nodes updateKubectlIPs() { + cloud="${1}" + label="${2}" + inputSource="${3}" + inputConfig="${4}" + local IPS - read -r -a IPS <<< "$(getKubectlIPs "${1}" "${2}")" + read -r -a IPS <<<"$(getKubectlIPs "$cloud" "$label")" - yq4 -i "${3}"' = []' "${4}" - for ip in "${IPS[@]}"; do - yq4 -i "${3}"' |= . + ["'"${ip}"'/32"]' "${4}" - done + # Create copy of the kube-addresses array for for-loop purposes only + IPS_copy=("${IPS[@]}") + + multiIPRanges=() + + read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" + + inside_subnet=() + working_subnet=() + + # Clear config-values + yq4 -i "$inputSource"' = []' "$inputConfig" + + # IF config-value is not empty, go ahread with the following: + # 1. Check if any got kubectlIPs fits inside of the IPs existing in the config-files. + # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. + # 3. Merge the working subnet-adresses and kube-addresses into a finalized list. + if [ "${multiIPRanges[*]}" != '[]' ]; then + for upstreamDNSIP in "${IPS_copy[@]}"; do + + for configIP in "${multiIPRanges[@]}"; do + performIPCheck "$upstreamDNSIP" "$configIP" + done + + done + + # Add the working subnet-adresses and working kubeIPs together. + working_subnet+=("${IPS[@]}") + + for ip in "${working_subnet[@]}"; do + updateConfigFile "$inputSource" "$inputConfig" "$ip" + done + else + yq4 -i "${inputSource}"' = []' "${inputConfig}" + for ip in "${IPS[@]}"; do + updateConfigFile "$inputSource" "$inputConfig" "$ip/32" + done + + fi } # Usage: checkIfDiffAndUpdateDNSIPs From 050323470114ae14c0d534b1e062e45cff1257aa Mon Sep 17 00:00:00 2001 
From: robinelastisys Date: Tue, 30 May 2023 14:51:54 +0200 Subject: [PATCH 02/11] comment fixes --- bin/update-ips.bash | 58 ++++++++++----------------------------------- 1 file changed, 12 insertions(+), 46 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index 3028dedfd..39103915a 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -56,11 +56,12 @@ getConfigIPS() { local config_file="$2" local configIPS=() - while IFS= read -r line; do - if [[ $line != */32 ]]; then - configIPS+=("${line//[- ]/}") + + for ip in $(yq4 e "$source_file | .[]" "$config_file"); do + if [[ $ip != */32 ]]; then + configIPS+=("${ip}") fi - done < <(yq4 e "$source_file" "$config_file") + done echo "${configIPS[@]}" } @@ -80,14 +81,9 @@ updateConfigFile() { performIPCheck() { local kubectlIP="$1" local configIP="$2" - local output - - output=$(performTheIPCheck "$kubectlIP" "$configIP") - - if [[ $output == "True" ]]; then - if [[ " ${inside_subnet[*]} " != *" $kubectlIP "* ]]; then - inside_subnet+=("$kubectlIP") + if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${kubectlIP}') in ipaddress.ip_network('${configIP}') else exit(1)" + then # Create a new array without the matching string. filtered_array=() for kubectl_ip in "${IPS[@]}"; do 
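Review bot: The new one-liner in performIPCheck (`@@ -80` hunk) maps every failure to exit status 1, so an unparseable entry (an uncaught `ValueError` also exits with status 1, printing a traceback) is indistinguishable from "address not in network", and the malformed range is dropped from the rewritten list with only that traceback on stderr. The removed performTheIPCheck still separated those cases; keep the distinction, e.g. catch `ValueError` and `sys.exit(2)`, and have the caller treat status 2 as a hard error (`log_error` and exit) rather than as a non-match. The `for ip in $(yq4 e ...)` loop in getConfigIPS relies on word splitting of an unquoted substitution; `mapfile -t configIPS < <(yq4 e "$source_file | .[]" "$config_file")` reads the entries without that.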
@@ -98,37 +94,13 @@ performIPCheck() { # Create and set a clean kubeIP list without copies. IPS=("${filtered_array[@]}") - fi if [[ " ${working_subnet[*]} " != *" $configIP "* ]]; then working_subnet+=("$configIP") fi - elif [[ $output == "False" ]]; then - : - else - echo "$output". This string is disregarded. fi } -performTheIPCheck() { - local kubectlIP="$1" - local configIP="$2" - - local output - output=$(python3 -c " -import ipaddress -try: - result = ipaddress.ip_address('${kubectlIP}') in ipaddress.ip_network('${configIP}') - print('True' if result else 'False') -except ipaddress.AddressValueError: - print('Invalid IP address') -except Exception as e: - print('Error:', e) -") - - echo "$output" -} - # Fetches the IPs from a specified address # Usage: getDNSIPs getDNSIPs() { @@ -158,13 +130,10 @@ updateDNSIPs() { read -r -a IPS <<<"$(getDNSIPs "${endpoint}")" - IPS_copy=("${IPS[@]}") - multiIPRanges=() read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" - inside_subnet=() working_subnet=() # Clear config-values @@ -174,8 +143,8 @@ updateDNSIPs() { # 1. Check if any got kubectlIPs fits inside of the IPs existing in the config-files. # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. # 3. Merge the working subnet-adresses and kube-addresses into a finalized list. - if [ "${multiIPRanges[*]}" != '[]' ]; then - for upstreamDNSIP in "${IPS_copy[@]}"; do + if [ "${#multiIPRanges[@]}" -gt 0 ]; then + for upstreamDNSIP in "${IPS[@]}"; do for configIP in "${multiIPRanges[@]}"; do performIPCheck "$upstreamDNSIP" "$configIP" @@ -184,6 +153,7 @@ updateDNSIPs() { done + # Add the working subnet-adresses and working kubeIPs together. working_subnet+=("${IPS[@]}") for ip in "${working_subnet[@]}"; do 
@@ -249,14 +219,10 @@ updateKubectlIPs() { local IPS read -r -a IPS <<<"$(getKubectlIPs "$cloud" "$label")" - # Create copy of the kube-addresses array for for-loop purposes only - IPS_copy=("${IPS[@]}") - multiIPRanges=() read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" - inside_subnet=() working_subnet=() # Clear config-values @@ -266,8 +232,8 @@ updateKubectlIPs() { # 1. Check if any got kubectlIPs fits inside of the IPs existing in the config-files. # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. # 3. Merge the working subnet-adresses and kube-addresses into a finalized list. - if [ "${multiIPRanges[*]}" != '[]' ]; then - for upstreamDNSIP in "${IPS_copy[@]}"; do + if [ "${#multiIPRanges[@]}" -gt 0 ]; then + for upstreamDNSIP in "${IPS[@]}"; do for configIP in "${multiIPRanges[@]}"; do performIPCheck "$upstreamDNSIP" "$configIP" From 8338136ba7548a6eef36c1584beae901d7fe44ce Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Wed, 31 May 2023 14:59:46 +0200 Subject: [PATCH 03/11] main refactor --- bin/update-ips.bash | 58 ++++++++++----------------------------------- 1 file changed, 13 insertions(+), 45 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index 39103915a..d60603784 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash 
@@ -130,42 +130,7 @@ updateDNSIPs() { read -r -a IPS <<<"$(getDNSIPs "${endpoint}")" - multiIPRanges=() - - read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" - - working_subnet=() - - # Clear config-values - yq4 -i "$inputSource"' = []' "$inputConfig" - - # IF config-value is not empty, go ahread with the following: - # 1. Check if any got kubectlIPs fits inside of the IPs existing in the config-files. - # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. - # 3. Merge the working subnet-adresses and kube-addresses into a finalized list. - if [ "${#multiIPRanges[@]}" -gt 0 ]; then - for upstreamDNSIP in "${IPS[@]}"; do - - for configIP in "${multiIPRanges[@]}"; do - performIPCheck "$upstreamDNSIP" "$configIP" - - done - - done - - # Add the working subnet-adresses and working kubeIPs together. - working_subnet+=("${IPS[@]}") - - for ip in "${working_subnet[@]}"; do - updateConfigFile "$inputSource" "$inputConfig" "$ip" - done - else - yq4 -i "${inputSource}"' = []' "${inputConfig}" - for ip in "${IPS[@]}"; do - updateConfigFile "$inputSource" "$inputConfig" "$ip/32" - done - - fi + processIPRanges "$inputSource" "$inputConfig" } # Usage: updateIPs 
@@ -219,29 +184,33 @@ updateKubectlIPs() { local IPS read -r -a IPS <<<"$(getKubectlIPs "$cloud" "$label")" - multiIPRanges=() + processIPRanges "$inputSource" "$inputConfig" +} + +processIPRanges(){ + local inputSource="$1" + local inputConfig="$2" + local multiIPRanges=() read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" - working_subnet=() + local working_subnet=() # Clear config-values yq4 -i "$inputSource"' = []' "$inputConfig" - # IF config-value is not empty, go ahread with the following: - # 1. Check if any got kubectlIPs fits inside of the IPs existing in the config-files. + # IF config-value is not empty, go ahead with the following: + # 1. Check if any got kubectlIPs fit inside of the IPs existing in the config-files. # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. - # 3. Merge the working subnet-adresses and kube-addresses into a finalized list. + # 3. Merge the working subnet-addresses and kube-addresses into a finalized list. if [ "${#multiIPRanges[@]}" -gt 0 ]; then for upstreamDNSIP in "${IPS[@]}"; do - for configIP in "${multiIPRanges[@]}"; do performIPCheck "$upstreamDNSIP" "$configIP" done - done - # Add the working subnet-adresses and working kubeIPs together. + # Add the working subnet-addresses and working kubeIPs together. working_subnet+=("${IPS[@]}") for ip in "${working_subnet[@]}"; do @@ -252,7 +221,6 @@ updateKubectlIPs() { for ip in "${IPS[@]}"; do updateConfigFile "$inputSource" "$inputConfig" "$ip/32" done - fi } From 8c8c1be5e18a3095e9a54827188b3ce64c681c82 Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Wed, 31 May 2023 15:52:03 +0200 Subject: [PATCH 04/11] comments added --- bin/update-ips.bash | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index d60603784..e99d808c4 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash 
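Review bot: processIPRanges iterates `IPS` and lets performIPCheck rewrite it without ever receiving it, relying on bash dynamic scoping to reach the caller's `local IPS` (updateKubectlIPs) or the global set by updateDNSIPs (`@@ -130` hunk); ShellCheck cannot follow that, and a caller that forgets to set `IPS` silently produces an empty list. Pass the addresses explicitly: `shift 2; local IPS=("$@")` in processIPRanges and `processIPRanges "$inputSource" "$inputConfig" "${IPS[@]}"` at both call sites, so performIPCheck's assignment lands on that local. Making `multiIPRanges` and `working_subnet` `local` here is the right direction.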
@@ -51,13 +51,14 @@ diffIPs() { return ${DIFF_RETURN} } +# Get IPs in given field and config file getConfigIPS() { - local source_file="$1" + local source_field="$1" local config_file="$2" local configIPS=() - for ip in $(yq4 e "$source_file | .[]" "$config_file"); do + for ip in $(yq4 e "$source_field | .[]" "$config_file"); do if [[ $ip != */32 ]]; then configIPS+=("${ip}") fi @@ -66,25 +67,28 @@ getConfigIPS() { echo "${configIPS[@]}" } +# Insert processes IPs updateConfigFile() { - local source_file="$1" + local source_field="$1" local config_file="$2" local ip="$3" if [[ $ip =~ "/" ]]; then - yq4 -i "${source_file}"' |= . + ["'"${ip}"'"]' "${config_file}" + yq4 -i "${source_field}"' |= . + ["'"${ip}"'"]' "${config_file}" else - yq4 -i "${source_file}"' |= . + ["'"${ip}"'/32"]' "${config_file}" + yq4 -i "${source_field}"' |= . + ["'"${ip}"'/32"]' "${config_file}" fi } +# Check if IPs fits into subnets performIPCheck() { local kubectlIP="$1" local configIP="$2" + # Try to see if ip belongs to subnet - if not, exit(1) if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${kubectlIP}') in ipaddress.ip_network('${configIP}') else exit(1)" then - # Create a new array without the matching string. + # Filter out the matching string for IPS. filtered_array=() for kubectl_ip in "${IPS[@]}"; do if [[ "$kubectl_ip" != "$kubectlIP" ]]; then @@ -92,9 +96,10 @@ performIPCheck() { fi done - # Create and set a clean kubeIP list without copies. + IPS=("${filtered_array[@]}") + # Add working configIP to the list of working subnets if [[ " ${working_subnet[*]} " != *" $configIP "* ]]; then working_subnet+=("$configIP") fi @@ -187,6 +192,7 @@ updateKubectlIPs() { processIPRanges "$inputSource" "$inputConfig" } +# Process ip ranges with subnet masks in consideration. processIPRanges(){ local inputSource="$1" local inputConfig="$2" 
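Review bot: The comment added above performIPCheck in the `@@ -66` hunk (`# Check if IPs fits into subnets`) describes the test but not the side effects, which are what a reader needs: on a match the function rewrites the caller's `IPS` array and appends to `working_subnet`. Suggest `# If kubectlIP lies inside configIP, drop it from the caller's IPS array and record configIP in working_subnet.` Likewise `# Insert processes IPs` above updateConfigFile reads as a typo; `# Append ip to the list at source_field in config_file, adding /32 when no prefix length is given.` states what the two yq4 branches do.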
@@ -196,10 +202,10 @@ processIPRanges(){ local working_subnet=() - # Clear config-values + # Clear config values yq4 -i "$inputSource"' = []' "$inputConfig" - # IF config-value is not empty, go ahead with the following: + # IF config value is not empty, go ahead with the following: # 1. Check if any got kubectlIPs fit inside of the IPs existing in the config-files. # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. # 3. Merge the working subnet-addresses and kube-addresses into a finalized list. @@ -210,7 +216,7 @@ processIPRanges(){ done done - # Add the working subnet-addresses and working kubeIPs together. + # Add the working subnet-addresses and working IPs together. working_subnet+=("${IPS[@]}") for ip in "${working_subnet[@]}"; do From 702c1d844dec1b19164c0118f469a3b234fbf8e6 Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Wed, 31 May 2023 15:58:44 +0200 Subject: [PATCH 05/11] WIP-CHANGELOG.md added --- WIP-CHANGELOG.md | 1 + bin/update-ips.bash | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/WIP-CHANGELOG.md b/WIP-CHANGELOG.md index 9123364ab..5c2eed1f8 100644 --- a/WIP-CHANGELOG.md +++ b/WIP-CHANGELOG.md @@ -29,6 +29,7 @@ ### Updated - Upgraded falco-exporter chart version to `v0.9.6` and app version to `v0.8.3` +- Added "IPs in Subnet mask" logic in checkIfDiffAndUpdateDNSIPs, checkIfDiffAndUpdateKubectlIPs and checkIfDiffAndUpdateIPs of update-ips.bash ### Removed diff --git a/bin/update-ips.bash b/bin/update-ips.bash index e99d808c4..c3583989a 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash 
@@ -206,7 +206,7 @@ processIPRanges(){ yq4 -i "$inputSource"' = []' "$inputConfig" # IF config value is not empty, go ahead with the following: - # 1. Check if any got kubectlIPs fit inside of the IPs existing in the config-files. + # 1. Check if any got IPS fit inside of the IPs existing in the config-files. # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. # 3. Merge the working subnet-addresses and kube-addresses into a finalized list. if [ "${#multiIPRanges[@]}" -gt 0 ]; then From 492ce5d2d7896a9d801631d92cff66ff219f798f Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Fri, 9 Jun 2023 10:58:46 +0200 Subject: [PATCH 06/11] additional fixes --- bin/update-ips.bash | 52 ++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index c3583989a..b10d439db 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -51,7 +51,7 @@ diffIPs() { return ${DIFF_RETURN} } -# Get IPs in given field and config file +# Get all non /32 IPs in given field and config file getConfigIPS() { local source_field="$1" local config_file="$2" 
@@ -81,27 +81,25 @@ updateConfigFile() { } # Check if IPs fits into subnets -performIPCheck() { - local kubectlIP="$1" - local configIP="$2" +performIPCheckAndRemoveFromIPSList() { + local IPToCheck="$1" + local networkToCompareTo="$2" # Try to see if ip belongs to subnet - if not, exit(1) - if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${kubectlIP}') in ipaddress.ip_network('${configIP}') else exit(1)" - then + if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${IPToCheck}') in ipaddress.ip_network('${networkToCompareTo}') else exit(1)"; then # Filter out the matching string for IPS. filtered_array=() - for kubectl_ip in "${IPS[@]}"; do - if [[ "$kubectl_ip" != "$kubectlIP" ]]; then - filtered_array+=("$kubectl_ip") + for ip in "${IPS[@]}"; do + if [[ "$ip" != "$IPToCheck" ]]; then + filtered_array+=("$ip") fi done - IPS=("${filtered_array[@]}") - # Add working configIP to the list of working subnets - if [[ " ${working_subnet[*]} " != *" $configIP "* ]]; then - working_subnet+=("$configIP") + # Add working networkToCompareTo to the list of working subnets + if [[ " ${working_subnet[*]} " != *" $networkToCompareTo "* ]]; then + working_subnet+=("$networkToCompareTo") fi fi } @@ -130,12 +128,12 @@ diffDNSIPs() { # Usage: updateDNSIPs updateDNSIPs() { endpoint="${1}" - inputSource="${2}" - inputConfig="$3" + configKey="${2}" + configFile="$3" read -r -a IPS <<<"$(getDNSIPs "${endpoint}")" - processIPRanges "$inputSource" "$inputConfig" + processIPRanges "$configKey" "$configFile" } # Usage: updateIPs 
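Review bot: `filtered_array` in performIPCheckAndRemoveFromIPSList is still assigned without `local`, so the temporary copy of the address list leaks into the caller's scope after the rename; `local filtered_array=()` fixes it. The new name says what happens to `IPS` but not that the function also appends to `working_subnet`; a line such as `# Side effect: also records networkToCompareTo in working_subnet` keeps that visible at the definition.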
@@ -183,27 +181,27 @@ diffKubectlIPs() { updateKubectlIPs() { cloud="${1}" label="${2}" - inputSource="${3}" - inputConfig="${4}" + configKey="${3}" + configFile="${4}" local IPS read -r -a IPS <<<"$(getKubectlIPs "$cloud" "$label")" - processIPRanges "$inputSource" "$inputConfig" + processIPRanges "$configKey" "$configFile" } # Process ip ranges with subnet masks in consideration. processIPRanges(){ - local inputSource="$1" - local inputConfig="$2" + local configKey="$1" + local configFile="$2" local multiIPRanges=() - read -r -a multiIPRanges <<<"$(getConfigIPS "$inputSource" "$inputConfig")" + read -r -a multiIPRanges <<<"$(getConfigIPS "$configKey" "$configFile")" local working_subnet=() # Clear config values - yq4 -i "$inputSource"' = []' "$inputConfig" + yq4 -i "$configKey"' = []' "$configFile" # IF config value is not empty, go ahead with the following: # 1. Check if any got IPS fit inside of the IPs existing in the config-files. @@ -212,7 +210,7 @@ processIPRanges(){ if [ "${#multiIPRanges[@]}" -gt 0 ]; then for upstreamDNSIP in "${IPS[@]}"; do for configIP in "${multiIPRanges[@]}"; do - performIPCheck "$upstreamDNSIP" "$configIP" + performIPCheckAndRemoveFromIPSList "$upstreamDNSIP" "$configIP" done done @@ -220,12 +218,12 @@ processIPRanges(){ working_subnet+=("${IPS[@]}") for ip in "${working_subnet[@]}"; do - updateConfigFile "$inputSource" "$inputConfig" "$ip" + updateConfigFile "$configKey" "$configFile" "$ip" done else - yq4 -i "${inputSource}"' = []' "${inputConfig}" + yq4 -i "${configKey}"' = []' "${configFile}" for ip in "${IPS[@]}"; do - updateConfigFile "$inputSource" "$inputConfig" "$ip/32" + updateConfigFile "$configKey" "$configFile" "$ip/32" done fi } From 0203be96b36127207aa2f0b5da39cc9ba8e1a260 Mon Sep 17 00:00:00 2001 
From: robinelastisys Date: Tue, 8 Aug 2023 14:45:32 +0200 Subject: [PATCH 07/11] filter function moved and redirected --- bin/update-ips.bash | 351 ++++++++++++++++++++++++++++---------------- 1 file changed, 222 insertions(+), 129 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index b10d439db..43f51a24a 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -33,7 +33,7 @@ diffIPs() { IPS=("$@") tmp_file=$(mktemp --suffix=.yaml) - yq4 -n '. = []' > "${tmp_file}" + yq4 -n '. = []' >"${tmp_file}" for ip in "${IPS[@]}"; do yq4 -i '. |= . + ["'"${ip}"'/32"]' "${tmp_file}" done 
@@ -45,63 +45,11 @@ diffIPs() { fi diff -U3 --color=always \ --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "${yaml_path}"' // [] | sort_by(.)' "${file}") \ - --label expected <(yq4 -P '. | sort_by(.)' "${tmp_file}") > "${out_file}" + --label expected <(yq4 -P '. | sort_by(.)' "${tmp_file}") >"${out_file}" DIFF_RETURN=$? rm "${tmp_file}" - return ${DIFF_RETURN} -} - -# Get all non /32 IPs in given field and config file -getConfigIPS() { - local source_field="$1" - local config_file="$2" - - local configIPS=() - - for ip in $(yq4 e "$source_field | .[]" "$config_file"); do - if [[ $ip != */32 ]]; then - configIPS+=("${ip}") - fi - done - - echo "${configIPS[@]}" -} - -# Insert processes IPs -updateConfigFile() { - local source_field="$1" - local config_file="$2" - local ip="$3" - - if [[ $ip =~ "/" ]]; then - yq4 -i "${source_field}"' |= . + ["'"${ip}"'"]' "${config_file}" - else - yq4 -i "${source_field}"' |= . + ["'"${ip}"'/32"]' "${config_file}" - fi -} - -# Check if IPs fits into subnets -performIPCheckAndRemoveFromIPSList() { - local IPToCheck="$1" - local networkToCompareTo="$2" - - # Try to see if ip belongs to subnet - if not, exit(1) - if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${IPToCheck}') in ipaddress.ip_network('${networkToCompareTo}') else exit(1)"; then - # Filter out the matching string for IPS. - filtered_array=() - for ip in "${IPS[@]}"; do - if [[ "$ip" != "$IPToCheck" ]]; then - filtered_array+=("$ip") - fi - done - - IPS=("${filtered_array[@]}") - # Add working networkToCompareTo to the list of working subnets - if [[ " ${working_subnet[*]} " != *" $networkToCompareTo "* ]]; then - working_subnet+=("$networkToCompareTo") - fi - fi + return ${DIFF_RETURN} } # Fetches the IPs from a specified address 
@@ -118,22 +66,41 @@ getDNSIPs() { # Usage: diffDNSIPs diffDNSIPs() { - local IPS - read -r -a IPS <<< "$(getDNSIPs "${1}")" - diffIPs "${2}" "${3}" "${IPS[@]}" + diffIPs "${2}" "${3}" "${@:4}" return $? } # Updates the list from the file and yaml path specified with IPs fetched from the domain # Usage: updateDNSIPs updateDNSIPs() { - endpoint="${1}" - configKey="${2}" - configFile="$3" + local yaml_path="${2}" + local file="${3}" + + yq4 -i "${yaml_path}"' = []' "${file}" - read -r -a IPS <<<"$(getDNSIPs "${endpoint}")" + IFS=' ' read -ra ip_array <<<"${@:4}" - processIPRanges "$configKey" "$configFile" + for ip in "${ip_array[@]}"; do + yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" + done +} + +# Usage: updateIPs +updateIPs() { + local yaml_path="${1}" + local file="${2}" + shift 2 + local IPS=("$@") + + yq4 -i "${yaml_path}"' = []' "${file}" + + + + IFS=' ' read -ra ip_array <<<"${@:2}" + + for ip in "${ip_array[@]}"; do + yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" + done } # Usage: updateIPs @@ -162,7 +129,7 @@ getKubectlIPs() { mapfile -t IPS_internal < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}') mapfile -t IPS_calico < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].metadata.annotations.projectcalico\.org/IPv4IPIPTunnelAddr}') mapfile -t IPS_wireguard < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].metadata.annotations.projectcalico\.org/IPv4WireguardInterfaceAddr}') - read -r -a IPS <<< "${IPS_internal[*]} ${IPS_calico[*]} ${IPS_wireguard[*]}" + read -r -a IPS <<<"${IPS_internal[*]} ${IPS_calico[*]} ${IPS_wireguard[*]}" if [ ${#IPS[@]} -eq 0 ]; then log_error "No ips for ${1} nodes with labels ${2} was found" exit 1 
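Review bot: updateIPs reads its addresses with `IFS=' ' read -ra ip_array <<<"${@:2}"` after `shift 2`, so the first positional argument is skipped; because checkIfDiffAndUpdateIPs (`@@ -258` hunk) passes the whole processed list as one word, `${@:2}` is empty, the key was already reset by `yq4 -i "${yaml_path}"' = []'`, and the file is left with an empty list. Use the array the function just built: `IFS=' ' read -ra ip_array <<<"${IPS[*]}"` (the same idiom in updateDNSIPs and updateKubectlIPs is fine because they do not shift). Separately, diffDNSIPs now forwards `"${@:4}"`, a single space-joined word, to diffIPs, and diffIPs (`@@ -33` hunk, body outside this hunk) still appends `/32` to every element, so the expected side becomes one entry of the form `<ip>/32 <cidr>/32` and the diff can never match; split the word in diffIPs and add `/32` only when `[[ $ip != */* ]]`. diffKubectlIPs (`@@ -171` hunk) and checkIfDiffAndUpdateIPs share that second problem.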
@@ -171,27 +138,96 @@ getKubectlIPs() { } diffKubectlIPs() { - local IPS - read -r -a IPS <<< "$(getKubectlIPs "${1}" "${2}")" - diffIPs "${3}" "${4}" "${IPS[@]}" + #local IPS + #read -r -a IPS <<< "$(getKubectlIPs "${1}" "${2}")" + diffIPs "${3}" "${4}" "${@:5}" return $? } # Updates the list from the file and yaml path specified with IPs fetched from the nodes updateKubectlIPs() { - cloud="${1}" - label="${2}" - configKey="${3}" - configFile="${4}" + yq4 -i "${3}"' = []' "${4}" + IFS=' ' read -ra ip_array <<<"${@:5}" + + for ip in "${ip_array[@]}"; do + yq4 -i "${3}"' |= . + ["'"${ip}"'"]' "${4}" + done +} +# Usage: checkIfDiffAndUpdateDNSIPs +checkIfDiffAndUpdateDNSIPs() { local IPS - read -r -a IPS <<<"$(getKubectlIPs "$cloud" "$label")" + read -r -a IPS <<<"$(getDNSIPs "${1}")" + + processedIPRANGE=$(processIPRanges "$2" "$3") - processIPRanges "$configKey" "$configFile" + if ! diffDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE"; then + if ! $DRY_RUN; then + updateDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE" + else + log_warning "Diff found for ${2} in ${3//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" + fi + has_diff=$((has_diff + 1)) + fi } -# Process ip ranges with subnet masks in consideration. -processIPRanges(){ +checkIfDiffAndUpdateKubectlIPs() { + local IPS + read -r -a IPS <<<"$(getKubectlIPs "${1}" "${2}")" + + processedIPRANGE=$(processIPRanges "$3" "$4") + + if ! diffKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE"; then + if ! 
$DRY_RUN; then + updateKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE" + else + log_warning "Diff found for ${3} in ${4//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" + fi + has_diff=$((has_diff + 1)) + fi +} + +# Get all non /32 IPs in given field and config file +getConfigIPS() { + local source_field="$1" + local config_file="$2" + + local configIPS=() + + for ip in $(yq4 e "$source_field | .[]" "$config_file"); do + if [[ $ip != */32 ]]; then + configIPS+=("${ip}") + fi + done + + echo "${configIPS[@]}" +} + +# Check if IPs fits into subnets +performIPCheckAndRemoveFromIPSList() { + local IPToCheck="$1" + local networkToCompareTo="$2" + + # Try to see if ip belongs to subnet - if not, exit(1) + if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${IPToCheck}') in ipaddress.ip_network('${networkToCompareTo}') else exit(1)"; then + # Filter out the matching string for IPS. + filtered_array=() + for ip in "${IPS[@]}"; do + if [[ "$ip" != "$IPToCheck" ]]; then + filtered_array+=("$ip") + fi + done + + IPS=("${filtered_array[@]}") + + # Add working networkToCompareTo to the list of working subnets + if [[ " ${working_subnet[*]} " != *" $networkToCompareTo "* ]]; then + working_subnet+=("$networkToCompareTo") + fi + fi +} + +processIPRanges() { local configKey="$1" local configFile="$2" 
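Review bot: checkIfDiffAndUpdateDNSIPs and checkIfDiffAndUpdateKubectlIPs now call processIPRanges before the diff and regardless of `$DRY_RUN`, and as far as this series shows processIPRanges still runs `yq4 -i "$configKey"' = []' "$configFile"` (the "Clear config values" step from PATCH 06, above the `@@ -217` hunk), so a dry run empties the list in the real config file and the diff that follows compares that emptied list against the expected one. Drop the clearing step from processIPRanges and let it only compute and echo the list; updateDNSIPs, updateKubectlIPs and updateIPs already reset the key before writing. `processedIPRANGE` should be `local`, and the two commented-out lines left in diffKubectlIPs (`#local IPS`, `#read -r -a IPS ...`) are dead code that should be removed rather than kept.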
@@ -217,37 +253,26 @@ processIPRanges(){ # Add the working subnet-addresses and working IPs together. working_subnet+=("${IPS[@]}") + ready_IPS=() + for ip in "${working_subnet[@]}"; do - updateConfigFile "$configKey" "$configFile" "$ip" + + if [[ $ip =~ "/" ]]; then + ready_IPS+=("$ip") + else + ready_IPS+=("$ip"/32) + fi done + + echo "${ready_IPS[@]}" else - yq4 -i "${configKey}"' = []' "${configFile}" - for ip in "${IPS[@]}"; do - updateConfigFile "$configKey" "$configFile" "$ip/32" - done - fi -} -# Usage: checkIfDiffAndUpdateDNSIPs -checkIfDiffAndUpdateDNSIPs() { - if ! diffDNSIPs "${1}" "${2}" "${3}"; then - if ! $DRY_RUN; then - updateDNSIPs "${1}" "${2}" "${3}" - else - log_warning "Diff found for ${2} in ${3//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$(( has_diff + 1 )) - fi -} + ready_IPS=() -checkIfDiffAndUpdateKubectlIPs() { - if ! diffKubectlIPs "${1}" "${2}" "${3}" "${4}"; then - if ! $DRY_RUN; then - updateKubectlIPs "${1}" "${2}" "${3}" "${4}" - else - log_warning "Diff found for ${3} in ${4//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$(( has_diff + 1 )) + for ip in "${IPS[@]}"; do + ready_IPS+=("$ip/32") + done + echo "${ready_IPS[@]}" fi } @@ -258,13 +283,15 @@ checkIfDiffAndUpdateIPs() { shift 2 local IPS=("$@") - if ! diffIPs "${yaml_path}" "${file}" "${IPS[@]}"; then + processedIPRANGE=$(processIPRanges "${yaml_path}" "${file}") + + if ! diffIPs "${yaml_path}" "${file}" "$processedIPRANGE"; then if ! $DRY_RUN; then - updateIPs "${yaml_path}" "${file}" "${IPS[@]}" + updateIPs "${yaml_path}" "${file}" "$processedIPRANGE" else log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi - has_diff=$(( has_diff + 1 )) + has_diff=$((has_diff + 1)) fi } 
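Review bot: `ready_IPS` in processIPRanges is assigned without `local` in both branches, and the two branches duplicate the /32 normalisation while disagreeing on it: the `if` branch adds `/32` only when the address has no `/`, the `else` branch appends it unconditionally, so an address list that already carries prefixes (checkIfDiffAndUpdateIPs accepts arbitrary `"$@"`) is mangled whenever no ranges are configured. Guard only the containment loops with the `if`, then run `working_subnet+=("${IPS[@]}")` and a single `local ready_IPS=()` loop with the `[[ $ip =~ "/" ]]` check unconditionally, echoing once at the end.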
@@ -283,33 +310,99 @@ checkIfDiffAndUpdatePorts() { fi portDiff() { - diff -U3 --color=always \ - --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "$yaml_path"' // [] | sort_by(.)' "$file") \ - --label expected <(echo "$ports" | yq4 -P '. | sort_by(.)') > "$out" + diff -U3 --color=always \ + --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "$yaml_path"' // [] | sort_by(.)' "$file") \ + --label expected <(echo "$ports" | yq4 -P '. | sort_by(.)') >"$out" } - if ! portDiff ; then + if ! portDiff; then if ! $DRY_RUN; then yq4 -i "$yaml_path = $ports" "$file" else log_warning "Diff found for $yaml_path in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi - has_diff=$(( has_diff + 1 )) + has_diff=$((has_diff + 1)) fi } # yq_dig yq_dig() { - for conf in "${config["override_$1"]}" "${config["override_common"]}" "${config["default_$1"]}" "${config["default_common"]}"; do - ret=$(yq4 "$2" "$conf") + for conf in "${config["override_$1"]}" "${config["override_common"]}" "${config["default_$1"]}" "${config["default_common"]}"; do + ret=$(yq4 "$2" "$conf") + + if [[ "$ret" != "null" ]]; then + echo "$ret" + return + fi + done + + echo "$3" +} + +# yq_dig_secrets +yq_dig_secrets() { + ret=$(sops -d "${secrets["secrets_file"]}" | yq4 "$1") + + if [[ "$ret" != "null" ]]; then + echo "$ret" + return + fi + + echo "$2" +} - if [[ "$ret" != "null" ]]; then - echo "$ret" - return - fi - done +get_swift_url() { + local auth_url + local os_token + local swift_url + local swift_region + + auth_url="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""')" - echo "$3" + if [ -n "$(yq_dig_secrets '.objectStorage.swift.username' "")" ]; then + response=$(curl -i -s -H "Content-Type: application/json" -d ' + { + "auth": { + "identity": { + "methods": ["password"], + "password": { + "user": { + "name": "'"$(yq_dig_secrets '.objectStorage.swift.username' '""')"'", + "domain": { "name": "'"$(yq_dig "sc" '.objectStorage.swift.domainName' '""')"'" }, + "password": 
"'"$(yq_dig_secrets '.objectStorage.swift.password' '""')"'" + } + } + }, + "scope": { + "project": { + "name": "'"$(yq_dig "sc" '.objectStorage.swift.projectName' '""')"'", + "domain": { "name": "'"$(yq_dig "sc" '.objectStorage.swift.projectDomainName' '""')"'" } + } + } + } + }' "${auth_url}/auth/tokens") + elif [ -n "$(yq_dig_secrets '.objectStorage.swift.applicationCredentialID' "")" ]; then + response=$(curl -i -s -H "Content-Type: application/json" -d ' + { + "auth": { + "identity": { + "methods": ["application_credential"], + "application_credential": { + "id": "'"$(yq_dig_secrets '.objectStorage.swift.applicationCredentialID' '""')"'", + "secret": "'"$(yq_dig_secrets '.objectStorage.swift.applicationCredentialSecret' '""')"'" + } + } + } + }' "${auth_url}/auth/tokens") + fi + + swift_region=$(yq_dig "sc" '.objectStorage.swift.region' '""') + os_token=$(echo "$response" | grep -oP "x-subject-token:\s+\K\S+") + swift_url=$(echo "$response" | tail -n +15 | jq -r '.[].catalog[] | select( .type == "object-store" and .name == "swift") | .endpoints[] | select(.interface == "public" and .region == "'"$swift_region"'") | .url') + + curl -i -s -X DELETE -H "X-Auth-Token: $os_token" -H "X-Subject-Token: $os_token" "${auth_url}/auth/tokens" >/dev/null + + echo "$swift_url" } # yq_dig_secrets @@ -379,9 +472,9 @@ get_swift_url() { } if [ "${CHECK_CLUSTER}" == "both" ]; then - DIG_CLUSTER="sc" + DIG_CLUSTER="sc" else - DIG_CLUSTER="wc" + DIG_CLUSTER="wc" fi S3_ENDPOINT="$(yq_dig "${DIG_CLUSTER}" '.objectStorage.s3.regionEndpoint' '""' | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" if [[ "${S3_ENDPOINT}" == "" ]]; then 
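Review bot: In get_swift_url the Keystone password and the application-credential secret are interpolated into the JSON given as curl's `-d` argument, so for the lifetime of the request they are readable by any local user through the process list (and appear in `set -x` traces if tracing is on); assign the JSON to a `local body` and let curl read it from stdin: `response=$(printf '%s' "$body" | curl -i -s -H "Content-Type: application/json" -d @- "${auth_url}/auth/tokens")`. `tail -n +15` assumes exactly 14 response-header lines, which breaks as soon as the server adds or drops a header; split at the first blank line (`sed '1,/^\r*$/d'`) or capture headers separately with `curl -D`. Neither curl call is checked (no `--fail`, no exit-status test) and `response` is never declared `local`, so a failed authentication yields an empty `os_token` and an empty `swift_url` that the caller then treats as an endpoint. The region is spliced into the jq program text; `jq -r --arg region "$swift_region" '… .region == $region …'` avoids that. `yq_dig_secrets` runs `sops -d` on the whole secrets file on every call, and this function calls it up to six times; decrypting once into a local variable would cut the exposure window and the KMS/audit noise.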
@@ -440,12 +533,12 @@ fi
 if [[ "${CHECK_CLUSTER}" =~ ^(sc|both)$ ]]; then
 check_harbor="$(yq_dig 'sc' '.harbor.persistence.type' 'false')"
 check_thanos="$(yq_dig 'sc' '.thanos.objectStorage.type' 'false')"
- sourceType=$(yq4 '.objectStorage.sync.buckets.[].sourceType' "${config["override_sc"]}")
+ sourceType=$(yq4 '.objectStorage.sync.buckets.[].sourceType' "${config["override_sc"]}")
 sourceSwift=false
 for type in $sourceType; do
- if [ "$type" == "swift" ]; then
- sourceSwift=true
- fi
+ if [ "$type" == "swift" ]; then
+ sourceSwift=true
+ fi
 done
 if [ "$check_harbor" == "swift" ] || [ "$check_thanos" == "swift" ] || [ "${sourceSwift}" == "true" ]; then
 os_auth_endpoint="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""' | sed 's/https\?:\/\///' | sed 's/[:\/].*//')"
@@ -494,11 +587,11 @@ if [ "$(yq_dig 'sc' '.objectStorage.sync.enabled' 'false')" == "true" ]; then
 destinationSwift=false
 destinationS3=false
 for type in $destination; do
- if [ "$type" == "swift" ]; then
- destinationSwift=true
- elif [ "$type" == "s3" ]; then
- destinationS3=true
- fi
+ if [ "$type" == "swift" ]; then
+ destinationSwift=true
+ elif [ "$type" == "s3" ]; then
+ destinationS3=true
+ fi
 done
 if [ "$check_harbor" == "swift" ] || [ "$check_thanos" == "swift" ]; then
 destinationSwift=true
@@ -593,7 +686,7 @@ if [ "$(yq_dig 'sc' '.objectStorage.sync.enabled' 'false')" == "true" ]; then checkIfDiffAndUpdateDNSIPs "${SECONDARY_ENDPOINT}" ".networkPolicies.rcloneSync.secondaryUrl.ips" "${config["override_sc"]}" checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.secondaryUrl.ports" "${config["override_sc"]}" "$SECONDARY_PORT" - elif [ -z "${SECONDARY_ENDPOINT}" ] && [ $DRY_RUN == "true" ]; then + elif [ -z "${SECONDARY_ENDPOINT}" ] && [ $DRY_RUN == "true" ]; then results_diff=$(diff -U0 --color=always <(yq4 -P 'sort_keys(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true if [ "${results_diff}" != "" ]; then printf "${results_diff}"'%s\n' From c6f2509c8fd3b9b5502cf8e5a2b01ff73a17533e Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Tue, 8 Aug 2023 16:28:39 +0200 Subject: [PATCH 08/11] indenting test --- bin/update-ips.bash | 770 ++++++++++++++++++++++---------------------- 1 file changed, 382 insertions(+), 388 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index 43f51a24a..b6fc5babf 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -16,7 +16,7 @@ source "${here}/common.bash" CHECK_CLUSTER="${1}" # sc, wc or both DRY_RUN=true if [[ "${2}" == "update" ]]; then - DRY_RUN=false + DRY_RUN=false fi has_diff=0 
@@ -24,83 +24,81 @@ has_diff=0 # If DRY_RUN is set, it will output to stdout, otherwise it will just return the diff return code silently. # Usage: diffIPs diffIPs() { - local yaml_path - local file - local IPS - yaml_path="${1}" - file="${2}" - shift 2 - IPS=("$@") - tmp_file=$(mktemp --suffix=.yaml) - - yq4 -n '. = []' >"${tmp_file}" - for ip in "${IPS[@]}"; do - yq4 -i '. |= . + ["'"${ip}"'/32"]' "${tmp_file}" - done - - if $DRY_RUN; then - out_file=/dev/stdout - else - out_file=/dev/null - fi - diff -U3 --color=always \ - --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "${yaml_path}"' // [] | sort_by(.)' "${file}") \ - --label expected <(yq4 -P '. | sort_by(.)' "${tmp_file}") >"${out_file}" - DIFF_RETURN=$? - rm "${tmp_file}" - - return ${DIFF_RETURN} + local yaml_path + local file + local IPS + yaml_path="${1}" + file="${2}" + shift 2 + IPS=("$@") + tmp_file=$(mktemp --suffix=.yaml) + + yq4 -n '. = []' >"${tmp_file}" + for ip in "${IPS[@]}"; do + yq4 -i '. |= . + ["'"${ip}"'/32"]' "${tmp_file}" + done + + if $DRY_RUN; then + out_file=/dev/stdout + else + out_file=/dev/null + fi + diff -U3 --color=always \ + --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "${yaml_path}"' // [] | sort_by(.)' "${file}") \ + --label expected <(yq4 -P '. | sort_by(.)' "${tmp_file}") >"${out_file}" + DIFF_RETURN=$? + rm "${tmp_file}" + + return ${DIFF_RETURN} } # Fetches the IPs from a specified address # Usage: getDNSIPs getDNSIPs() { - local IPS - mapfile -t IPS < <(dig +short "${1}" | grep '^[.0-9]*$') - if [ ${#IPS[@]} -eq 0 ]; then - log_error "No ips for ${1} was found" - exit 1 - fi - echo "${IPS[@]}" + local IPS + mapfile -t IPS < <(dig +short "${1}" | grep '^[.0-9]*$') + if [ ${#IPS[@]} -eq 0 ]; then + log_error "No ips for ${1} was found" + exit 1 + fi + echo "${IPS[@]}" } # Usage: diffDNSIPs diffDNSIPs() { - diffIPs "${2}" "${3}" "${@:4}" - return $? + diffIPs "${2}" "${3}" "${@:4}" + return $? 
} # Updates the list from the file and yaml path specified with IPs fetched from the domain # Usage: updateDNSIPs updateDNSIPs() { - local yaml_path="${2}" - local file="${3}" + local yaml_path="${2}" + local file="${3}" - yq4 -i "${yaml_path}"' = []' "${file}" + yq4 -i "${yaml_path}"' = []' "${file}" - IFS=' ' read -ra ip_array <<<"${@:4}" + IFS=' ' read -ra ip_array <<<"${@:4}" - for ip in "${ip_array[@]}"; do - yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" - done + for ip in "${ip_array[@]}"; do + yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" + done } # Usage: updateIPs updateIPs() { - local yaml_path="${1}" - local file="${2}" - shift 2 - local IPS=("$@") + local yaml_path="${1}" + local file="${2}" + shift 2 + local IPS=("$@") - yq4 -i "${yaml_path}"' = []' "${file}" + yq4 -i "${yaml_path}"' = []' "${file}" + IFS=' ' read -ra ip_array <<<"${@:2}" - - IFS=' ' read -ra ip_array <<<"${@:2}" - - for ip in "${ip_array[@]}"; do - yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" - done + for ip in "${ip_array[@]}"; do + yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" + done } # Usage: updateIPs 
@@ -119,248 +117,249 @@ updateIPs() { # Fetches the Internal IP and calico tunnel ip of kubernetes nodes using the label selector. # If label selector isn't specified, all nodes will be returned. getKubectlIPs() { - local IPS_internal - local IPS_calico - local IPS - local label_argument="" - if [[ "${2}" != "" ]]; then - label_argument="-l ${2}" - fi - mapfile -t IPS_internal < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}') - mapfile -t IPS_calico < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].metadata.annotations.projectcalico\.org/IPv4IPIPTunnelAddr}') - mapfile -t IPS_wireguard < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].metadata.annotations.projectcalico\.org/IPv4WireguardInterfaceAddr}') - read -r -a IPS <<<"${IPS_internal[*]} ${IPS_calico[*]} ${IPS_wireguard[*]}" - if [ ${#IPS[@]} -eq 0 ]; then - log_error "No ips for ${1} nodes with labels ${2} was found" - exit 1 - fi - echo "${IPS[@]}" + local IPS_internal + local IPS_calico + local IPS + local label_argument="" + if [[ "${2}" != "" ]]; then + label_argument="-l ${2}" + fi + mapfile -t IPS_internal < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}') + mapfile -t IPS_calico < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].metadata.annotations.projectcalico\.org/IPv4IPIPTunnelAddr}') + mapfile -t IPS_wireguard < <("${here}/ops.bash" kubectl "${1}" get node "${label_argument}" -ojsonpath='{.items[*].metadata.annotations.projectcalico\.org/IPv4WireguardInterfaceAddr}') + read -r -a IPS <<<"${IPS_internal[*]} ${IPS_calico[*]} ${IPS_wireguard[*]}" + if [ ${#IPS[@]} -eq 0 ]; then + log_error "No ips for ${1} nodes with labels ${2} was found" + exit 1 + fi + echo "${IPS[@]}" } diffKubectlIPs() { - #local 
IPS - #read -r -a IPS <<< "$(getKubectlIPs "${1}" "${2}")" - diffIPs "${3}" "${4}" "${@:5}" - return $? + #local IPS + #read -r -a IPS <<< "$(getKubectlIPs "${1}" "${2}")" + diffIPs "${3}" "${4}" "${@:5}" + return $? } # Updates the list from the file and yaml path specified with IPs fetched from the nodes updateKubectlIPs() { - yq4 -i "${3}"' = []' "${4}" - IFS=' ' read -ra ip_array <<<"${@:5}" + yq4 -i "${3}"' = []' "${4}" + IFS=' ' read -ra ip_array <<<"${@:5}" - for ip in "${ip_array[@]}"; do - yq4 -i "${3}"' |= . + ["'"${ip}"'"]' "${4}" - done + for ip in "${ip_array[@]}"; do + yq4 -i "${3}"' |= . + ["'"${ip}"'"]' "${4}" + done } # Usage: checkIfDiffAndUpdateDNSIPs checkIfDiffAndUpdateDNSIPs() { - local IPS - read -r -a IPS <<<"$(getDNSIPs "${1}")" + local IPS + read -r -a IPS <<<"$(getDNSIPs "${1}")" - processedIPRANGE=$(processIPRanges "$2" "$3") + processedIPRANGE=$(processIPRanges "$2" "$3") - if ! diffDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE"; then - if ! $DRY_RUN; then - updateDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE" - else - log_warning "Diff found for ${2} in ${3//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$((has_diff + 1)) + if ! diffDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE"; then + if ! $DRY_RUN; then + updateDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE" + else + log_warning "Diff found for ${2} in ${3//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi + has_diff=$((has_diff + 1)) + fi } checkIfDiffAndUpdateKubectlIPs() { - local IPS - read -r -a IPS <<<"$(getKubectlIPs "${1}" "${2}")" + local IPS + read -r -a IPS <<<"$(getKubectlIPs "${1}" "${2}")" - processedIPRANGE=$(processIPRanges "$3" "$4") + processedIPRANGE=$(processIPRanges "$3" "$4") - if ! diffKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE"; then - if ! 
$DRY_RUN; then - updateKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE" - else - log_warning "Diff found for ${3} in ${4//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$((has_diff + 1)) + if ! diffKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE"; then + if ! $DRY_RUN; then + updateKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE" + else + log_warning "Diff found for ${3} in ${4//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi + has_diff=$((has_diff + 1)) + fi } # Get all non /32 IPs in given field and config file getConfigIPS() { - local source_field="$1" - local config_file="$2" + local source_field="$1" + local config_file="$2" - local configIPS=() + local configIPS=() - for ip in $(yq4 e "$source_field | .[]" "$config_file"); do - if [[ $ip != */32 ]]; then - configIPS+=("${ip}") - fi - done + for ip in $(yq4 e "$source_field | .[]" "$config_file"); do + if [[ $ip != */32 ]]; then + configIPS+=("${ip}") + fi + done - echo "${configIPS[@]}" + echo "${configIPS[@]}" } # Check if IPs fits into subnets performIPCheckAndRemoveFromIPSList() { - local IPToCheck="$1" - local networkToCompareTo="$2" - - # Try to see if ip belongs to subnet - if not, exit(1) - if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${IPToCheck}') in ipaddress.ip_network('${networkToCompareTo}') else exit(1)"; then - # Filter out the matching string for IPS. 
- filtered_array=() - for ip in "${IPS[@]}"; do - if [[ "$ip" != "$IPToCheck" ]]; then - filtered_array+=("$ip") - fi - done - - IPS=("${filtered_array[@]}") - - # Add working networkToCompareTo to the list of working subnets - if [[ " ${working_subnet[*]} " != *" $networkToCompareTo "* ]]; then - working_subnet+=("$networkToCompareTo") - fi - fi -} + local IPToCheck="$1" + local networkToCompareTo="$2" -processIPRanges() { - local configKey="$1" - local configFile="$2" + # Try to see if ip belongs to subnet - if not, exit(1) + if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${IPToCheck}') in ipaddress.ip_network('${networkToCompareTo}') else exit(1)"; then + # Filter out the matching string for IPS. + filtered_array=() + for ip in "${IPS[@]}"; do + if [[ "$ip" != "$IPToCheck" ]]; then + filtered_array+=("$ip") + fi + done - local multiIPRanges=() - read -r -a multiIPRanges <<<"$(getConfigIPS "$configKey" "$configFile")" + IPS=("${filtered_array[@]}") - local working_subnet=() + # Add working networkToCompareTo to the list of working subnets + if [[ " ${working_subnet[*]} " != *" $networkToCompareTo "* ]]; then + working_subnet+=("$networkToCompareTo") + fi + fi +} - # Clear config values - yq4 -i "$configKey"' = []' "$configFile" +processIPRanges() { + local configKey="$1" + local configFile="$2" + + local multiIPRanges=() + read -r -a multiIPRanges <<<"$(getConfigIPS "$configKey" "$configFile")" + + local working_subnet=() + + # Clear config values + yq4 -i "$configKey"' = []' "$configFile" + + # IF config value is not empty, go ahead with the following: + # 1. Check if any got IPS fit inside of the IPs existing in the config-files. + # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. + # 3. Merge the working subnet-addresses and kube-addresses into a finalized list. 
+ if [ "${#multiIPRanges[@]}" -gt 0 ]; then + for upstreamDNSIP in "${IPS[@]}"; do + for configIP in "${multiIPRanges[@]}"; do + performIPCheckAndRemoveFromIPSList "$upstreamDNSIP" "$configIP" + done + done - # IF config value is not empty, go ahead with the following: - # 1. Check if any got IPS fit inside of the IPs existing in the config-files. - # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. - # 3. Merge the working subnet-addresses and kube-addresses into a finalized list. - if [ "${#multiIPRanges[@]}" -gt 0 ]; then - for upstreamDNSIP in "${IPS[@]}"; do - for configIP in "${multiIPRanges[@]}"; do - performIPCheckAndRemoveFromIPSList "$upstreamDNSIP" "$configIP" - done - done + # Add the working subnet-addresses and working IPs together. + working_subnet+=("${IPS[@]}") - # Add the working subnet-addresses and working IPs together. - working_subnet+=("${IPS[@]}") + ready_IPS=() - ready_IPS=() + for ip in "${working_subnet[@]}"; do - for ip in "${working_subnet[@]}"; do + if [[ $ip =~ "/" ]]; then + ready_IPS+=("$ip") + else + ready_IPS+=("$ip"/32) + fi + done - if [[ $ip =~ "/" ]]; then - ready_IPS+=("$ip") - else - ready_IPS+=("$ip"/32) - fi - done + echo "${ready_IPS[@]}" + else - echo "${ready_IPS[@]}" - else + ready_IPS=() - ready_IPS=() + for ip in "${IPS[@]}"; do + ready_IPS+=("$ip/32") + done - for ip in "${IPS[@]}"; do - ready_IPS+=("$ip/32") - done - echo "${ready_IPS[@]}" - fi + echo "${ready_IPS[@]}" + fi } # checkIfDiffAndUpdateIPs checkIfDiffAndUpdateIPs() { - local yaml_path="${1}" - local file="${2}" - shift 2 - local IPS=("$@") + local yaml_path="${1}" + local file="${2}" + shift 2 + local IPS=("$@") - processedIPRANGE=$(processIPRanges "${yaml_path}" "${file}") + processedIPRANGE=$(processIPRanges "${yaml_path}" "${file}") - if ! diffIPs "${yaml_path}" "${file}" "$processedIPRANGE"; then - if ! 
$DRY_RUN; then - updateIPs "${yaml_path}" "${file}" "$processedIPRANGE" - else - log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$((has_diff + 1)) + if ! diffIPs "${yaml_path}" "${file}" "$processedIPRANGE"; then + if ! $DRY_RUN; then + updateIPs "${yaml_path}" "${file}" "$processedIPRANGE" + else + log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi + has_diff=$((has_diff + 1)) + fi } # checkIfDiffAndUpdatePorts checkIfDiffAndUpdatePorts() { - yaml_path="${1}" - file="${2}" - shift 2 + yaml_path="${1}" + file="${2}" + shift 2 - ports="$(echo "[$(for port in "$@"; do echo "$port,"; done)]" | yq4 -oj)" + ports="$(echo "[$(for port in "$@"; do echo "$port,"; done)]" | yq4 -oj)" - if $DRY_RUN; then - out=/dev/stdout - else - out=/dev/null - fi + if $DRY_RUN; then + out=/dev/stdout + else + out=/dev/null + fi - portDiff() { - diff -U3 --color=always \ - --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "$yaml_path"' // [] | sort_by(.)' "$file") \ - --label expected <(echo "$ports" | yq4 -P '. | sort_by(.)') >"$out" - } - - if ! portDiff; then - if ! $DRY_RUN; then - yq4 -i "$yaml_path = $ports" "$file" - else - log_warning "Diff found for $yaml_path in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$((has_diff + 1)) + portDiff() { + diff -U3 --color=always \ + --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "$yaml_path"' // [] | sort_by(.)' "$file") \ + --label expected <(echo "$ports" | yq4 -P '. | sort_by(.)') >"$out" + } + + if ! portDiff; then + if ! 
$DRY_RUN; then + yq4 -i "$yaml_path = $ports" "$file" + else + log_warning "Diff found for $yaml_path in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi + has_diff=$((has_diff + 1)) + fi } # yq_dig yq_dig() { - for conf in "${config["override_$1"]}" "${config["override_common"]}" "${config["default_$1"]}" "${config["default_common"]}"; do - ret=$(yq4 "$2" "$conf") + for conf in "${config["override_$1"]}" "${config["override_common"]}" "${config["default_$1"]}" "${config["default_common"]}"; do + ret=$(yq4 "$2" "$conf") - if [[ "$ret" != "null" ]]; then - echo "$ret" - return - fi - done + if [[ "$ret" != "null" ]]; then + echo "$ret" + return + fi + done - echo "$3" + echo "$3" } # yq_dig_secrets yq_dig_secrets() { - ret=$(sops -d "${secrets["secrets_file"]}" | yq4 "$1") + ret=$(sops -d "${secrets["secrets_file"]}" | yq4 "$1") - if [[ "$ret" != "null" ]]; then - echo "$ret" - return - fi + if [[ "$ret" != "null" ]]; then + echo "$ret" + return + fi - echo "$2" + echo "$2" } get_swift_url() { - local auth_url - local os_token - local swift_url - local swift_region + local auth_url + local os_token + local swift_url + local swift_region - auth_url="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""')" + auth_url="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""')" - if [ -n "$(yq_dig_secrets '.objectStorage.swift.username' "")" ]; then - response=$(curl -i -s -H "Content-Type: application/json" -d ' + if [ -n "$(yq_dig_secrets '.objectStorage.swift.username' "")" ]; then + response=$(curl -i -s -H "Content-Type: application/json" -d ' { "auth": { "identity": { 
@@ -381,8 +380,8 @@ get_swift_url() { } } }' "${auth_url}/auth/tokens") - elif [ -n "$(yq_dig_secrets '.objectStorage.swift.applicationCredentialID' "")" ]; then - response=$(curl -i -s -H "Content-Type: application/json" -d ' + elif [ -n "$(yq_dig_secrets '.objectStorage.swift.applicationCredentialID' "")" ]; then + response=$(curl -i -s -H "Content-Type: application/json" -d ' { "auth": { "identity": { @@ -394,15 +393,15 @@ get_swift_url() { } } }' "${auth_url}/auth/tokens") - fi + fi - swift_region=$(yq_dig "sc" '.objectStorage.swift.region' '""') - os_token=$(echo "$response" | grep -oP "x-subject-token:\s+\K\S+") - swift_url=$(echo "$response" | tail -n +15 | jq -r '.[].catalog[] | select( .type == "object-store" and .name == "swift") | .endpoints[] | select(.interface == "public" and .region == "'"$swift_region"'") | .url') + swift_region=$(yq_dig "sc" '.objectStorage.swift.region' '""') + os_token=$(echo "$response" | grep -oP "x-subject-token:\s+\K\S+") + swift_url=$(echo "$response" | tail -n +15 | jq -r '.[].catalog[] | select( .type == "object-store" and .name == "swift") | .endpoints[] | select(.interface == "public" and .region == "'"$swift_region"'") | .url') - curl -i -s -X DELETE -H "X-Auth-Token: $os_token" -H "X-Subject-Token: $os_token" "${auth_url}/auth/tokens" >/dev/null + curl -i -s -X DELETE -H "X-Auth-Token: $os_token" -H "X-Subject-Token: $os_token" "${auth_url}/auth/tokens" >/dev/null - echo "$swift_url" + echo "$swift_url" } # yq_dig_secrets 
@@ -472,30 +471,30 @@ get_swift_url() { } if [ "${CHECK_CLUSTER}" == "both" ]; then - DIG_CLUSTER="sc" + DIG_CLUSTER="sc" else - DIG_CLUSTER="wc" + DIG_CLUSTER="wc" fi S3_ENDPOINT="$(yq_dig "${DIG_CLUSTER}" '.objectStorage.s3.regionEndpoint' '""' | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" if [[ "${S3_ENDPOINT}" == "" ]]; then - log_error "No S3 endpoint found, check your common-config.yaml (or ${DIG_CLUSTER}-config.yaml)" - exit 1 + log_error "No S3 endpoint found, check your common-config.yaml (or ${DIG_CLUSTER}-config.yaml)" + exit 1 fi S3_PORT="$(yq_dig 'sc' '.objectStorage.s3.regionEndpoint' '""' | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" if [ -z "$S3_PORT" ]; then - S3_PORT="443" + S3_PORT="443" fi OPS_DOMAIN="$(yq_dig "${DIG_CLUSTER}" '.global.opsDomain' '""')" if [[ "${OPS_DOMAIN}" == "" ]]; then - log_error "No ops domain found, check your common-config.yaml (or ${DIG_CLUSTER}-config.yaml)" - exit 1 + log_error "No ops domain found, check your common-config.yaml (or ${DIG_CLUSTER}-config.yaml)" + exit 1 fi BASE_DOMAIN="$(yq_dig "${DIG_CLUSTER}" '.global.baseDomain' '""')" if [[ "${BASE_DOMAIN}" == "" ]]; then - log_error "No base domain found, check your common-config.yaml (or ${DIG_CLUSTER}-config.yaml)" - exit 1 + log_error "No base domain found, check your common-config.yaml (or ${DIG_CLUSTER}-config.yaml)" + exit 1 fi ## Add object storage ips to common config 
@@ -511,191 +510,186 @@ checkIfDiffAndUpdateDNSIPs "non-existing-subdomain.${BASE_DOMAIN}" ".networkPoli ## Add sc apiserver ips if [[ "${CHECK_CLUSTER}" =~ ^(sc|both)$ ]]; then - checkIfDiffAndUpdateKubectlIPs "sc" "node-role.kubernetes.io/control-plane=" ".networkPolicies.global.scApiserver.ips" "${config["override_sc"]}" + checkIfDiffAndUpdateKubectlIPs "sc" "node-role.kubernetes.io/control-plane=" ".networkPolicies.global.scApiserver.ips" "${config["override_sc"]}" fi ## Add wc apiserver ips if [[ "${CHECK_CLUSTER}" =~ ^(wc|both)$ ]]; then - checkIfDiffAndUpdateKubectlIPs "wc" "node-role.kubernetes.io/control-plane=" ".networkPolicies.global.wcApiserver.ips" "${config["override_wc"]}" + checkIfDiffAndUpdateKubectlIPs "wc" "node-role.kubernetes.io/control-plane=" ".networkPolicies.global.wcApiserver.ips" "${config["override_wc"]}" fi ## Add sc nodes ips to sc config if [[ "${CHECK_CLUSTER}" =~ ^(sc|both)$ ]]; then - checkIfDiffAndUpdateKubectlIPs "sc" "" ".networkPolicies.global.scNodes.ips" "${config["override_sc"]}" + checkIfDiffAndUpdateKubectlIPs "sc" "" ".networkPolicies.global.scNodes.ips" "${config["override_sc"]}" fi ## Add wc nodes ips to wc config if [[ "${CHECK_CLUSTER}" =~ ^(wc|both)$ ]]; then - checkIfDiffAndUpdateKubectlIPs "wc" "" ".networkPolicies.global.wcNodes.ips" "${config["override_wc"]}" + checkIfDiffAndUpdateKubectlIPs "wc" "" ".networkPolicies.global.wcNodes.ips" "${config["override_wc"]}" fi ## Add Swift to sc config if [[ "${CHECK_CLUSTER}" =~ ^(sc|both)$ ]]; then - check_harbor="$(yq_dig 'sc' '.harbor.persistence.type' 'false')" - check_thanos="$(yq_dig 'sc' '.thanos.objectStorage.type' 'false')" - sourceType=$(yq4 '.objectStorage.sync.buckets.[].sourceType' "${config["override_sc"]}") - sourceSwift=false - for type in $sourceType; do - if [ "$type" == "swift" ]; then - sourceSwift=true - fi - done - if [ "$check_harbor" == "swift" ] || [ "$check_thanos" == "swift" ] || [ "${sourceSwift}" == "true" ]; then - os_auth_endpoint="$(yq_dig 
'sc' '.objectStorage.swift.authUrl' '""' | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" + check_harbor="$(yq_dig 'sc' '.harbor.persistence.type' 'false')" + check_thanos="$(yq_dig 'sc' '.thanos.objectStorage.type' 'false')" + sourceType=$(yq4 '.objectStorage.sync.buckets.[].sourceType' "${config["override_sc"]}") + sourceSwift=false + for type in $sourceType; do + if [ "$type" == "swift" ]; then + sourceSwift=true + fi + done + if [ "$check_harbor" == "swift" ] || [ "$check_thanos" == "swift" ] || [ "${sourceSwift}" == "true" ]; then + os_auth_endpoint="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""' | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" - if [ -z "$os_auth_endpoint" ]; then - log_error "No openstack auth endpoint found, check your sc-config.yaml" - exit 1 - fi + if [ -z "$os_auth_endpoint" ]; then + log_error "No openstack auth endpoint found, check your sc-config.yaml" + exit 1 + fi - os_auth_port="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""' | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" + os_auth_port="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""' | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" - if [ -z "$os_auth_port" ]; then - os_auth_port="5000" - fi + if [ -z "$os_auth_port" ]; then + os_auth_port="5000" + fi - object_storage_swift_ips=() - object_storage_swift_ports=() + object_storage_swift_ips=() + object_storage_swift_ports=() - # shellcheck disable=SC2207 - object_storage_swift_ips+=($(getDNSIPs "$os_auth_endpoint")) - object_storage_swift_ports+=("$os_auth_port") + # shellcheck disable=SC2207 + object_storage_swift_ips+=($(getDNSIPs "$os_auth_endpoint")) + object_storage_swift_ports+=("$os_auth_port") - swift_url=$(get_swift_url) - swift_endpoint="$(echo "$swift_url" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" - swift_port="$(echo "$swift_url" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" + swift_url=$(get_swift_url) + swift_endpoint="$(echo 
"$swift_url" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" + swift_port="$(echo "$swift_url" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" - if [ -z "$swift_port" ]; then - swift_port="443" - fi + if [ -z "$swift_port" ]; then + swift_port="443" + fi - # shellcheck disable=SC2207 - object_storage_swift_ips+=($(getDNSIPs "$swift_endpoint")) - object_storage_swift_ports+=("$swift_port") + # shellcheck disable=SC2207 + object_storage_swift_ips+=($(getDNSIPs "$swift_endpoint")) + object_storage_swift_ports+=("$swift_port") - checkIfDiffAndUpdateIPs ".networkPolicies.global.objectStorageSwift.ips" "${config["override_sc"]}" "${object_storage_swift_ips[@]}" - checkIfDiffAndUpdatePorts ".networkPolicies.global.objectStorageSwift.ports" "${config["override_sc"]}" "${object_storage_swift_ports[@]}" - fi + checkIfDiffAndUpdateIPs ".networkPolicies.global.objectStorageSwift.ips" "${config["override_sc"]}" "${object_storage_swift_ips[@]}" + checkIfDiffAndUpdatePorts ".networkPolicies.global.objectStorageSwift.ports" "${config["override_sc"]}" "${object_storage_swift_ports[@]}" + fi fi ## Add destination object storage ips for rclone sync to sc config if [ "$(yq_dig 'sc' '.objectStorage.sync.enabled' 'false')" == "true" ]; then - if [ "$(yq_dig 'sc' '.networkPolicies.rcloneSync.enabled' 'false')" == "true" ]; then - check_harbor="$(yq_dig 'sc' '.harbor.persistence.type' 'false')" - check_thanos="$(yq_dig 'sc' '.thanos.objectStorage.type' 'false')" - destination=$(yq4 '.objectStorage.sync.buckets.[].destinationType' "${config["override_sc"]}") - destinationSwift=false - destinationS3=false - for type in $destination; do - if [ "$type" == "swift" ]; then - destinationSwift=true - elif [ "$type" == "s3" ]; then - destinationS3=true - fi - done - if [ "$check_harbor" == "swift" ] || [ "$check_thanos" == "swift" ]; then - destinationSwift=true - fi + if [ "$(yq_dig 'sc' '.networkPolicies.rcloneSync.enabled' 'false')" == "true" ]; then + destination=$(yq4 
'.objectStorage.sync.buckets.[].destinationType' "${config["override_sc"]}") + destinationSwift=false + destinationS3=false + for type in $destination; do + if [ "$type" == "swift" ]; then + destinationSwift=true + elif [ "$type" == "s3" ]; then + destinationS3=true + fi + done + ifNull="" + S3_ENDPOINT_DST="$(yq_dig 'sc' '.objectStorage.sync.s3.regionEndpoint' "" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" + S3_PORT_DST="$(yq_dig 'sc' '.objectStorage.sync.s3.regionEndpoint' "" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" - ifNull="" - S3_ENDPOINT_DST="$(yq_dig 'sc' '.objectStorage.sync.s3.regionEndpoint' "" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" - S3_PORT_DST="$(yq_dig 'sc' '.objectStorage.sync.s3.regionEndpoint' "" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" - - SWIFT_ENDPOINT_DST="$(yq_dig 'sc' '.objectStorage.sync.swift.authUrl' "" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" - SWIFT_PORT_DST="$(yq_dig 'sc' '.objectStorage.sync.swift.authUrl' "" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" - - if { [ "$destinationS3" == "true" ] && [ "$destinationSwift" != "true" ]; } || { [ "$destinationS3" != "true" ] && [ "$destinationSwift" != "true" ] && [ "$(yq_dig 'sc' '.objectStorage.sync.destinationType' 's3')" == "s3" ]; }; then - if [ -z "${S3_ENDPOINT_DST}" ]; then - log_error "No destination S3 endpoint for rclone sync found, check your sc-config.yaml" - exit 1 - fi - if [ -z "${S3_PORT_DST}" ]; then - S3_PORT_DST="443" - fi - checkIfDiffAndUpdateDNSIPs "${S3_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageS3.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageS3.ports" "${config["override_sc"]}" "$S3_PORT_DST" - if [ -z "${SWIFT_ENDPOINT_DST}" ] && [ -z "${SWIFT_PORT_DST}" ] && [ $DRY_RUN == "true" ]; then - results_diff=$(diff -U0 --color=always <(yq4 -P 
'sort_keys(.networkPolicies.rcloneSync.destinationObjectStorageSwift)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.destinationObjectStorageSwift)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true - if [ "${results_diff}" != "" ]; then - printf "${results_diff}"'%s\n' - log_warning "Diff found for .networkPolicies.rcloneSync.destinationObjectStorageSwift in ${config[override_sc]//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - elif [ -z "${SWIFT_ENDPOINT_DST}" ] && [ -z "${SWIFT_PORT_DST}" ] && [ $DRY_RUN != "true" ]; then - yq4 -i 'del(.networkPolicies.rcloneSync.destinationObjectStorageSwift)' "${config["override_sc"]}" - else - checkIfDiffAndUpdateDNSIPs "${SWIFT_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ports" "${config["override_sc"]}" "$SWIFT_PORT_DST" - fi - ifNull=true - fi - if { [ "$destinationSwift" == "true" ] && [ "$destinationS3" != "true" ]; } || { [ "$destinationS3" != "true" ] && [ "$destinationSwift" != "true" ] && [ "$(yq_dig 'sc' '.objectStorage.sync.desinationType' 'swift')" == "swift" ]; }; then - if [ -z "${SWIFT_ENDPOINT_DST}" ]; then - log_error "No destination Swift endpoint for rclone sync found, check your sc-config.yaml" - exit 1 - fi - if [ -z "${SWIFT_PORT_DST}" ]; then - SWIFT_PORT_DST="443" - fi - - if [ -z "${S3_ENDPOINT_DST}" ] && [ -z "${S3_PORT_DST}" ] && [ $DRY_RUN == "true" ]; then - results_diff=$(diff -U0 --color=always <(yq4 -P 'sort_keys(.networkPolicies.rcloneSync.destinationObjectStorageS3)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.destinationObjectStorageS3)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true - if [ "${results_diff}" != "" ]; then - printf 
"${results_diff}"'%s\n' - log_warning "Diff found for .networkPolicies.rcloneSync.destinationObjectStorageS3 in ${config[override_sc]//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - elif [ -z "${S3_ENDPOINT_DST}" ] && [ -z "${S3_PORT_DST}" ] && [ $DRY_RUN != "true" ]; then - yq4 -i 'del(.networkPolicies.rcloneSync.destinationObjectStorageS3)' "${config["override_sc"]}" - else - checkIfDiffAndUpdateDNSIPs "${S3_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageS3.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageS3.ports" "${config["override_sc"]}" "$S3_PORT_DST" - fi - - checkIfDiffAndUpdateDNSIPs "${SWIFT_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ports" "${config["override_sc"]}" "$SWIFT_PORT_DST" - ifNull=true + SWIFT_ENDPOINT_DST="$(yq_dig 'sc' '.objectStorage.sync.swift.authUrl' "" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" + SWIFT_PORT_DST="$(yq_dig 'sc' '.objectStorage.sync.swift.authUrl' "" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" + + if { [ "$destinationS3" == "true" ] && [ "$destinationSwift" != "true" ]; } || { [ "$destinationS3" != "true" ] && [ "$destinationSwift" != "true" ] && [ "$(yq_dig 'sc' '.objectStorage.sync.type' 's3')" == "s3" ]; }; then + if [ -z "${S3_ENDPOINT_DST}" ]; then + log_error "No destination S3 endpoint for rclone sync found, check your sc-config.yaml" + exit 1 + fi + if [ -z "${S3_PORT_DST}" ]; then + S3_PORT_DST="443" + fi + checkIfDiffAndUpdateDNSIPs "${S3_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageS3.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageS3.ports" "${config["override_sc"]}" "$S3_PORT_DST" + if [ -z "${SWIFT_ENDPOINT_DST}" ] && [ -z 
"${SWIFT_PORT_DST}" ] && [ $DRY_RUN == "true" ]; then + results_diff=$(diff -U0 --color=always <(yq4 -P 'sort_keys(.networkPolicies.rcloneSync.destinationObjectStorageSwift)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.destinationObjectStorageSwift)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true + if [ "${results_diff}" != "" ]; then + printf "${results_diff}"'%s\n' + log_warning "Diff found for .networkPolicies.rcloneSync.destinationObjectStorageSwift in ${config[override_sc]//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi - if { [ "$destinationSwift" == "true" ] && [ "$destinationS3" == "true" ]; } || [ -z "$ifNull" ] && { [ "$(yq_dig 'sc' '.objectStorage.sync.destinationType' 'swift')" == "swift" ] || [ "$(yq_dig 'sc' '.objectStorage.sync.destinationType' 's3')" == "s3" ]; }; then - if [ -z "${S3_ENDPOINT_DST}" ]; then - log_error "No destination S3 endpoint for rclone sync found, check your sc-config.yaml" - exit 1 - fi - if [ -z "${SWIFT_ENDPOINT_DST}" ]; then - log_error "No destination Swift endpoint for rclone sync found, check your sc-config.yaml" - exit 1 - fi - if [ -z "${S3_PORT_DST}" ]; then - S3_PORT_DST="443" - fi - if [ -z "${SWIFT_PORT_DST}" ]; then - SWIFT_PORT_DST="443" - fi - - checkIfDiffAndUpdateDNSIPs "${S3_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageS3.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageS3.ports" "${config["override_sc"]}" "$S3_PORT_DST" - - checkIfDiffAndUpdateDNSIPs "${SWIFT_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ports" "${config["override_sc"]}" "$SWIFT_PORT_DST" + elif [ -z "${SWIFT_ENDPOINT_DST}" ] && [ -z "${SWIFT_PORT_DST}" ] && [ $DRY_RUN != "true" ]; then + yq4 -i 
'del(.networkPolicies.rcloneSync.destinationObjectStorageSwift)' "${config["override_sc"]}" + else + checkIfDiffAndUpdateDNSIPs "${SWIFT_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ports" "${config["override_sc"]}" "$SWIFT_PORT_DST" + fi + ifNull=true + fi + if { [ "$destinationSwift" == "true" ] && [ "$destinationS3" != "true" ]; } || { [ "$destinationS3" != "true" ] && [ "$destinationSwift" != "true" ] && [ "$(yq_dig 'sc' '.objectStorage.sync.type' 'swift')" == "swift" ]; }; then + if [ -z "${SWIFT_ENDPOINT_DST}" ]; then + log_error "No destination Swift endpoint for rclone sync found, check your sc-config.yaml" + exit 1 + fi + if [ -z "${SWIFT_PORT_DST}" ]; then + SWIFT_PORT_DST="443" + fi + + if [ -z "${S3_ENDPOINT_DST}" ] && [ -z "${S3_PORT_DST}" ] && [ $DRY_RUN == "true" ]; then + results_diff=$(diff -U0 --color=always <(yq4 -P 'sort_keys(.networkPolicies.rcloneSync.destinationObjectStorageS3)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.destinationObjectStorageS3)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true + if [ "${results_diff}" != "" ]; then + printf "${results_diff}"'%s\n' + log_warning "Diff found for .networkPolicies.rcloneSync.destinationObjectStorageS3 in ${config[override_sc]//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi + elif [ -z "${S3_ENDPOINT_DST}" ] && [ -z "${S3_PORT_DST}" ] && [ $DRY_RUN != "true" ]; then + yq4 -i 'del(.networkPolicies.rcloneSync.destinationObjectStorageS3)' "${config["override_sc"]}" + else + checkIfDiffAndUpdateDNSIPs "${S3_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageS3.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageS3.ports" "${config["override_sc"]}" 
"$S3_PORT_DST" + fi - SECONDARY_ENDPOINT="$(yq_dig 'sc' '.objectStorage.sync.secondaryUrl' "" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" - if [ -n "${SECONDARY_ENDPOINT}" ]; then - SECONDARY_PORT="$(yq_dig 'sc' '.objectStorage.sync.secondaryUrl' "" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" - if [ -z "${SECONDARY_PORT}" ]; then - SECONDARY_PORT="443" - fi - checkIfDiffAndUpdateDNSIPs "${SECONDARY_ENDPOINT}" ".networkPolicies.rcloneSync.secondaryUrl.ips" "${config["override_sc"]}" - checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.secondaryUrl.ports" "${config["override_sc"]}" "$SECONDARY_PORT" - - elif [ -z "${SECONDARY_ENDPOINT}" ] && [ $DRY_RUN == "true" ]; then - results_diff=$(diff -U0 --color=always <(yq4 -P 'sort_keys(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true - if [ "${results_diff}" != "" ]; then - printf "${results_diff}"'%s\n' - log_warning "Diff found for .networkPolicies.rcloneSync.secondaryUrl in ${config[override_sc]//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - elif [ -z "${SECONDARY_ENDPOINT}" ] && [ $DRY_RUN != "true" ]; then - yq4 -i 'del(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}" - fi + checkIfDiffAndUpdateDNSIPs "${SWIFT_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ports" "${config["override_sc"]}" "$SWIFT_PORT_DST" + ifNull=true + + fi + if { [ "$destinationSwift" == "true" ] && [ "$destinationS3" == "true" ]; } || [ -z "$ifNull" ] && { [ "$(yq_dig 'sc' '.objectStorage.sync.type' 'swift')" == "swift" ] || [ "$(yq_dig 'sc' '.objectStorage.sync.type' 's3')" == "s3" ]; }; then + if [ -z "${S3_ENDPOINT_DST}" ]; 
then + log_error "No destination S3 endpoint for rclone sync found, check your sc-config.yaml" + exit 1 + fi + if [ -z "${SWIFT_ENDPOINT_DST}" ]; then + log_error "No destination Swift endpoint for rclone sync found, check your sc-config.yaml" + exit 1 + fi + if [ -z "${S3_PORT_DST}" ]; then + S3_PORT_DST="443" + fi + if [ -z "${SWIFT_PORT_DST}" ]; then + SWIFT_PORT_DST="443" + fi + + checkIfDiffAndUpdateDNSIPs "${S3_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageS3.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageS3.ports" "${config["override_sc"]}" "$S3_PORT_DST" + + checkIfDiffAndUpdateDNSIPs "${SWIFT_ENDPOINT_DST}" ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.destinationObjectStorageSwift.ports" "${config["override_sc"]}" "$SWIFT_PORT_DST" + fi + + SECONDARY_ENDPOINT="$(yq_dig 'sc' '.objectStorage.sync.secondaryUrl' "" | sed 's/https\?:\/\///' | sed 's/[:\/].*//')" + if [ -n "${SECONDARY_ENDPOINT}" ]; then + SECONDARY_PORT="$(yq_dig 'sc' '.objectStorage.sync.secondaryUrl' "" | sed 's/https\?:\/\///' | sed 's/[A-Za-z.0-9-]*:\?//' | sed 's/\/.*//')" + if [ -z "${SECONDARY_PORT}" ]; then + SECONDARY_PORT="443" + fi + checkIfDiffAndUpdateDNSIPs "${SECONDARY_ENDPOINT}" ".networkPolicies.rcloneSync.secondaryUrl.ips" "${config["override_sc"]}" + checkIfDiffAndUpdatePorts ".networkPolicies.rcloneSync.secondaryUrl.ports" "${config["override_sc"]}" "$SECONDARY_PORT" + + elif [ -z "${SECONDARY_ENDPOINT}" ] && [ $DRY_RUN == "true" ]; then + results_diff=$(diff -U0 --color=always <(yq4 -P 'sort_keys(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}") <(yq4 -P 'del(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}") --label "${config["override_sc"]//${CK8S_CONFIG_PATH}\//}" --label expected) || true + if [ "${results_diff}" != "" ]; then + printf 
"${results_diff}"'%s\n' + log_warning "Diff found for .networkPolicies.rcloneSync.secondaryUrl in ${config[override_sc]//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" + fi + elif [ -z "${SECONDARY_ENDPOINT}" ] && [ $DRY_RUN != "true" ]; then + yq4 -i 'del(.networkPolicies.rcloneSync.secondaryUrl)' "${config["override_sc"]}" fi + fi fi exit ${has_diff} From db2875bed590e93bdc481d5ef67cf431dcefe64c Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Wed, 9 Aug 2023 13:32:44 +0200 Subject: [PATCH 09/11] variable naming --- bin/update-ips.bash | 62 ++++++++++++++++++++++++++++----------------- 1 file changed, 39 insertions(+), 23 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index b6fc5babf..c46992329 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -66,7 +66,10 @@ getDNSIPs() { # Usage: diffDNSIPs diffDNSIPs() { - diffIPs "${2}" "${3}" "${@:4}" + local yaml_path="${2}" + local file="${3}" + + diffIPs "${yaml_path}" "${file}" "${@:4}" return $? } 
@@ -136,50 +139,63 @@ getKubectlIPs() { } diffKubectlIPs() { - #local IPS - #read -r -a IPS <<< "$(getKubectlIPs "${1}" "${2}")" - diffIPs "${3}" "${4}" "${@:5}" + local yaml_path="${3}" + local file="${4}" + + diffIPs "${yaml_path}" "${file}" "${@:5}" return $? } # Updates the list from the file and yaml path specified with IPs fetched from the nodes updateKubectlIPs() { - yq4 -i "${3}"' = []' "${4}" + local yaml_path="${3}" + local file="${4}" + + yq4 -i "${yaml_path}"' = []' "${file}" IFS=' ' read -ra ip_array <<<"${@:5}" for ip in "${ip_array[@]}"; do - yq4 -i "${3}"' |= . + ["'"${ip}"'"]' "${4}" + yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" done } # Usage: checkIfDiffAndUpdateDNSIPs checkIfDiffAndUpdateDNSIPs() { + local dns_record="${1}" + local yaml_path="${2}" + local file="${3}" + local IPS - read -r -a IPS <<<"$(getDNSIPs "${1}")" + read -r -a IPS <<<"$(getDNSIPs "${dns_record}")" - processedIPRANGE=$(processIPRanges "$2" "$3") + processedIPRANGE=$(processIPRanges "$yaml_path" "$file") - if ! diffDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE"; then + if ! diffDNSIPs "${dns_record}" "${yaml_path}" "${file}" "$processedIPRANGE"; then if ! $DRY_RUN; then - updateDNSIPs "${1}" "${2}" "${3}" "$processedIPRANGE" + updateDNSIPs "${dns_record}" "${yaml_path}" "${file}" "$processedIPRANGE" else - log_warning "Diff found for ${2} in ${3//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" + log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi has_diff=$((has_diff + 1)) fi } checkIfDiffAndUpdateKubectlIPs() { + local cluster="${1}" + local label="${2}" + local yaml_path="${3}" + local file="${4}" + local IPS - read -r -a IPS <<<"$(getKubectlIPs "${1}" "${2}")" + read -r -a IPS <<<"$(getKubectlIPs "${cluster}" "${label}")" - processedIPRANGE=$(processIPRanges "$3" "$4") + processedIPRANGE=$(processIPRanges "$yaml_path" "$file") - if ! 
diffKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE"; then + if ! diffKubectlIPs "${cluster}" "${label}" "${yaml_path}" "${file}" "$processedIPRANGE"; then if ! $DRY_RUN; then - updateKubectlIPs "${1}" "${2}" "${3}" "${4}" "$processedIPRANGE" + updateKubectlIPs "${cluster}" "${label}" "${yaml_path}" "${file}" "$processedIPRANGE" else - log_warning "Diff found for ${3} in ${4//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" + log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi has_diff=$((has_diff + 1)) fi @@ -251,27 +267,27 @@ processIPRanges() { # Add the working subnet-addresses and working IPs together. working_subnet+=("${IPS[@]}") - ready_IPS=() + filtered_working_subnet=() for ip in "${working_subnet[@]}"; do if [[ $ip =~ "/" ]]; then - ready_IPS+=("$ip") + filtered_working_subnet+=("$ip") else - ready_IPS+=("$ip"/32) + filtered_working_subnet+=("$ip"/32) fi done - echo "${ready_IPS[@]}" + echo "${filtered_working_subnet[@]}" else - ready_IPS=() + processed_IPS=() for ip in "${IPS[@]}"; do - ready_IPS+=("$ip/32") + processed_IPS+=("$ip/32") done - echo "${ready_IPS[@]}" + echo "${processed_IPS[@]}" fi } From 8ba358970cd40047043adc7194f0a138c2d38fcd Mon Sep 17 00:00:00 2001 From: robinelastisys Date: Wed, 9 Aug 2023 16:19:16 +0200 Subject: [PATCH 10/11] change update to apply --- bin/ck8s | 4 +-- bin/update-ips.bash | 88 ++------------------------------------------- 2 files changed, 5 insertions(+), 87 deletions(-) diff --git a/bin/ck8s b/bin/ck8s index b6c8c8a15..6b4c22e4e 100755 --- a/bin/ck8s +++ b/bin/ck8s 
@@ -36,7 +36,7 @@ usage() { echo " validate validates config files" 1>&2 echo " providers lists supported cloud providers" 1>&2 echo " flavors lists supported configuration flavors" 1>&2 - echo " update-ips Automatically fetches and updates the IPs for network policies" 1>&2 + echo " update-ips Automatically fetches and applies the IPs for network policies" 1>&2 exit 1 } @@ -152,7 +152,7 @@ case "${1}" in flavors) echo "${ck8s_flavors[@]}" ;; update-ips) [[ "${2}" =~ ^(wc|sc|both)$ ]] || usage - [[ "${3}" =~ ^(update|dry-run)$ ]] || usage + [[ "${3}" =~ ^(apply|dry-run)$ ]] || usage "${here}/update-ips.bash" "${2}" "${3}" ;; *) usage ;; diff --git a/bin/update-ips.bash b/bin/update-ips.bash index c46992329..b528a6371 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -15,7 +15,7 @@ source "${here}/common.bash" CHECK_CLUSTER="${1}" # sc, wc or both DRY_RUN=true -if [[ "${2}" == "update" ]]; then +if [[ "${2}" == "apply" ]]; then DRY_RUN=false fi has_diff=0 @@ -24,11 +24,9 @@ has_diff=0 # If DRY_RUN is set, it will output to stdout, otherwise it will just return the diff return code silently. # Usage: diffIPs diffIPs() { - local yaml_path - local file + local yaml_path="${1}" + local file="${2}" local IPS - yaml_path="${1}" - file="${2}" shift 2 IPS=("$@") tmp_file=$(mktemp --suffix=.yaml) @@ -94,7 +92,6 @@ updateIPs() { local file="${2}" shift 2 local IPS=("$@") - yq4 -i "${yaml_path}"' = []' "${file}" IFS=' ' read -ra ip_array <<<"${@:2}" @@ -104,19 +101,6 @@ updateIPs() { done } -# Usage: updateIPs -updateIPs() { - local yaml_path="${1}" - local file="${2}" - shift 2 - local IPS=("$@") - - yq4 -i "${yaml_path}"' = []' "${file}" - for ip in "${IPS[@]}"; do - yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'/32"]' "${file}" - done -} - # Fetches the Internal IP and calico tunnel ip of kubernetes nodes using the label selector. # If label selector isn't specified, all nodes will be returned. getKubectlIPs() { 
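Review bot: The `update-ips)` arm in bin/ck8s now accepts only `apply|dry-run`, so any caller still passing `update` gets the usage text instead of a run, and the header comment of bin/update-ips.bash (`# action: If the script should update the config or not (update or dry-run)`, visible as context in the last patch of this series) still documents the old keyword. If the rename is meant as a clean break, that comment should read `(apply or dry-run)`; if a transition period is wanted, keep the old spelling in both places, `[[ "${3}" =~ ^(apply|update|dry-run)$ ]] || usage` here and `if [[ "${2}" == "apply" || "${2}" == "update" ]]; then` in update-ips.bash, since update-ips.bash on its own would otherwise treat `update` as a dry run.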
@@ -420,72 +404,6 @@ get_swift_url() { echo "$swift_url" } -# yq_dig_secrets -yq_dig_secrets() { - ret=$(sops -d "${secrets["secrets_file"]}" | yq4 "$1") - - if [[ "$ret" != "null" ]]; then - echo "$ret" - return - fi - - echo "$2" -} - -get_swift_url() { - local auth_url - local os_token - local swift_url - local swift_region - - auth_url="$(yq_dig 'sc' '.objectStorage.swift.authUrl' '""')" - - if [ -n "$(yq_dig_secrets '.objectStorage.swift.username' "")" ]; then - response=$(curl -i -s -H "Content-Type: application/json" -d ' - { - "auth": { - "identity": { - "methods": ["password"], - "password": { - "user": { - "name": "'"$(yq_dig_secrets '.objectStorage.swift.username' '""')"'", - "domain": { "name": "'"$(yq_dig "sc" '.objectStorage.swift.domainName' '""')"'" }, - "password": "'"$(yq_dig_secrets '.objectStorage.swift.password' '""')"'" - } - } - }, - "scope": { - "project": { - "name": "'"$(yq_dig "sc" '.objectStorage.swift.projectName' '""')"'", - "domain": { "name": "'"$(yq_dig "sc" '.objectStorage.swift.projectDomainName' '""')"'" } - } - } - } - }' "${auth_url}/auth/tokens") - elif [ -n "$(yq_dig_secrets '.objectStorage.swift.applicationCredentialID' "")" ]; then - response=$(curl -i -s -H "Content-Type: application/json" -d ' - { - "auth": { - "identity": { - "methods": ["application_credential"], - "application_credential": { - "id": "'"$(yq_dig_secrets '.objectStorage.swift.applicationCredentialID' '""')"'", - "secret": "'"$(yq_dig_secrets '.objectStorage.swift.applicationCredentialSecret' '""')"'" - } - } - } - }' "${auth_url}/auth/tokens") - fi - - swift_region=$(yq_dig "sc" '.objectStorage.swift.region' '""') - os_token=$(echo "$response" | grep -oP "x-subject-token:\s+\K\S+") - swift_url=$(echo "$response" | tail -n +15 | jq -r '.[].catalog[] | select( .type == "object-store" and .name == "swift") | .endpoints[] | select(.interface == "public" and .region == "'"$swift_region"'") | .url') - - curl -i -s -X DELETE -H "X-Auth-Token: $os_token" -H 
"X-Subject-Token: $os_token" "${auth_url}/auth/tokens" > /dev/null - - echo "$swift_url" -} - if [ "${CHECK_CLUSTER}" == "both" ]; then DIG_CLUSTER="sc" else From 659a956febe83f9eeb509f74e54d27e14ce8e754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Arnqvist?= Date: Mon, 21 Aug 2023 16:05:05 +0200 Subject: [PATCH 11/11] bin: Common path for update-ips --- bin/update-ips.bash | 268 ++++++++++++-------------------------------- 1 file changed, 70 insertions(+), 198 deletions(-) diff --git a/bin/update-ips.bash b/bin/update-ips.bash index b528a6371..fe48b314a 100755 --- a/bin/update-ips.bash +++ b/bin/update-ips.bash @@ -7,7 +7,7 @@ # cluster: What cluster config to check for (sc, wc or both) # action: If the script should update the config or not (update or dry-run) -set -eu -o pipefail +set -euo pipefail here="$(dirname "$(readlink -f "$0")")" # shellcheck source=bin/common.bash 
@@ -20,34 +20,37 @@ if [[ "${2}" == "apply" ]]; then fi has_diff=0 -# Compares a list IPs with the list of IPs in the yaml path and file specified and returns the diff return code. -# If DRY_RUN is set, it will output to stdout, otherwise it will just return the diff return code silently. -# Usage: diffIPs -diffIPs() { - local yaml_path="${1}" - local file="${2}" - local IPS - shift 2 - IPS=("$@") - tmp_file=$(mktemp --suffix=.yaml) - yq4 -n '. = []' >"${tmp_file}" - for ip in "${IPS[@]}"; do - yq4 -i '. |= . + ["'"${ip}"'/32"]' "${tmp_file}" - done +# Usage: diff_cidrs ... +# Compares the given list of cidrs with the cidrs configured in the config (with implicit diff return code). +# If DRY_RUN is set it will output to stdout, else to null +diff_cidrs() { + local config_key="${1}" + local config_file="${2}" + local cidrs=("${@:3}") if $DRY_RUN; then out_file=/dev/stdout else out_file=/dev/null fi + + # use diff return implicitly diff -U3 --color=always \ - --label "${file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "${yaml_path}"' // [] | sort_by(.)' "${file}") \ - --label expected <(yq4 -P '. | sort_by(.)' "${tmp_file}") >"${out_file}" - DIFF_RETURN=$? - rm "${tmp_file}" + --label "${config_file//${CK8S_CONFIG_PATH}\//}" <(yq4 -P "${config_key}"' // [] | sort' "${config_file}") \ + --label expected <(yq4 -P 'split(" ") | sort' <<< "${cidrs[*]}") > "${out_file}" +} - return ${DIFF_RETURN} +# Usage: update_cidrs +update_cidrs() { + local config_key="${1}" + local config_file="${2}" + local cidrs=("${@:3}") + + local ips + ips="$(yq4 -oj 'split(" ") | sort' <<< "${cidrs[*]}")" + + yq4 -i "${config_key} = ${ips}" "${config_file}" } # Fetches the IPs from a specified address 
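Review bot: diff_cidrs and update_cidrs declare `local cidrs=("${@:3}")`, one cidr per argument, but their only caller in this patch (checkIfDiffAndUpdateIPs, last hunk) passes the whole newline-separated output of process_ips_to_cidrs as a single argument, so `split(" ")` appears to work only because yq reads the here-string as a multi-line plain scalar and folds the newlines into spaces. The functions would no longer depend on that detail if the caller did `readarray -t cidrs <<< "$(process_ips_to_cidrs "${config_key}" "${config_file}" "${ips[@]}")"` and passed `"${cidrs[@]}"`; the `"${cidrs[*]}"` joins here then produce the space-separated form explicitly. `out_file` in diff_cidrs is also assigned without `local` and leaks into the caller's scope, and the `# use diff return implicitly` comment would be clearer as `# the exit status of diff is the function's exit status; callers test it`.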
@@ -62,45 +65,6 @@ getDNSIPs() { echo "${IPS[@]}" } -# Usage: diffDNSIPs -diffDNSIPs() { - local yaml_path="${2}" - local file="${3}" - - diffIPs "${yaml_path}" "${file}" "${@:4}" - return $? -} - -# Updates the list from the file and yaml path specified with IPs fetched from the domain -# Usage: updateDNSIPs -updateDNSIPs() { - local yaml_path="${2}" - local file="${3}" - - yq4 -i "${yaml_path}"' = []' "${file}" - - IFS=' ' read -ra ip_array <<<"${@:4}" - - for ip in "${ip_array[@]}"; do - yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" - done -} - -# Usage: updateIPs -updateIPs() { - local yaml_path="${1}" - local file="${2}" - shift 2 - local IPS=("$@") - yq4 -i "${yaml_path}"' = []' "${file}" - - IFS=' ' read -ra ip_array <<<"${@:2}" - - for ip in "${ip_array[@]}"; do - yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" - done -} - # Fetches the Internal IP and calico tunnel ip of kubernetes nodes using the label selector. # If label selector isn't specified, all nodes will be returned. getKubectlIPs() { 
@@ -122,173 +86,81 @@ getKubectlIPs() { echo "${IPS[@]}" } -diffKubectlIPs() { - local yaml_path="${3}" - local file="${4}" - - diffIPs "${yaml_path}" "${file}" "${@:5}" - return $? -} - -# Updates the list from the file and yaml path specified with IPs fetched from the nodes -updateKubectlIPs() { - local yaml_path="${3}" - local file="${4}" - - yq4 -i "${yaml_path}"' = []' "${file}" - IFS=' ' read -ra ip_array <<<"${@:5}" - - for ip in "${ip_array[@]}"; do - yq4 -i "${yaml_path}"' |= . + ["'"${ip}"'"]' "${file}" - done -} - -# Usage: checkIfDiffAndUpdateDNSIPs +# Usage: checkIfDiffAndUpdateDNSIPs checkIfDiffAndUpdateDNSIPs() { local dns_record="${1}" - local yaml_path="${2}" - local file="${3}" - - local IPS - read -r -a IPS <<<"$(getDNSIPs "${dns_record}")" + local config_key="${2}" + local config_file="${3}" - processedIPRANGE=$(processIPRanges "$yaml_path" "$file") + local -a ips + readarray -t ips <<<"$(getDNSIPs "${dns_record}" | tr ' ' '\n')" - if ! diffDNSIPs "${dns_record}" "${yaml_path}" "${file}" "$processedIPRANGE"; then - if ! $DRY_RUN; then - updateDNSIPs "${dns_record}" "${yaml_path}" "${file}" "$processedIPRANGE" - else - log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$((has_diff + 1)) - fi + checkIfDiffAndUpdateIPs "${config_key}" "${config_file}" "${ips[@]}" } checkIfDiffAndUpdateKubectlIPs() { local cluster="${1}" local label="${2}" - local yaml_path="${3}" - local file="${4}" - - local IPS - read -r -a IPS <<<"$(getKubectlIPs "${cluster}" "${label}")" - - processedIPRANGE=$(processIPRanges "$yaml_path" "$file") - - if ! diffKubectlIPs "${cluster}" "${label}" "${yaml_path}" "${file}" "$processedIPRANGE"; then - if ! 
$DRY_RUN; then - updateKubectlIPs "${cluster}" "${label}" "${yaml_path}" "${file}" "$processedIPRANGE" - else - log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" - fi - has_diff=$((has_diff + 1)) - fi -} - -# Get all non /32 IPs in given field and config file -getConfigIPS() { - local source_field="$1" - local config_file="$2" + local config_key="${3}" + local config_file="${4}" - local configIPS=() + local -a ips + readarray -t ips <<< "$(getKubectlIPs "${cluster}" "${label}" | tr ' ' '\n')" - for ip in $(yq4 e "$source_field | .[]" "$config_file"); do - if [[ $ip != */32 ]]; then - configIPS+=("${ip}") - fi - done - - echo "${configIPS[@]}" + checkIfDiffAndUpdateIPs "${config_key}" "${config_file}" "${ips[@]}" } -# Check if IPs fits into subnets -performIPCheckAndRemoveFromIPSList() { - local IPToCheck="$1" - local networkToCompareTo="$2" - - # Try to see if ip belongs to subnet - if not, exit(1) - if python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${IPToCheck}') in ipaddress.ip_network('${networkToCompareTo}') else exit(1)"; then - # Filter out the matching string for IPS. 
- filtered_array=() - for ip in "${IPS[@]}"; do - if [[ "$ip" != "$IPToCheck" ]]; then - filtered_array+=("$ip") - fi - done - - IPS=("${filtered_array[@]}") +# Usage: check_ip_in_cidr +check_ip_in_cidr() { + local ip="${1}" + local cidr="${2}" - # Add working networkToCompareTo to the list of working subnets - if [[ " ${working_subnet[*]} " != *" $networkToCompareTo "* ]]; then - working_subnet+=("$networkToCompareTo") - fi - fi + python3 -c "import ipaddress; exit(0) if ipaddress.ip_address('${ip}') in ipaddress.ip_network('${cidr}') else exit(1)" } -processIPRanges() { - local configKey="$1" - local configFile="$2" - - local multiIPRanges=() - read -r -a multiIPRanges <<<"$(getConfigIPS "$configKey" "$configFile")" - - local working_subnet=() - - # Clear config values - yq4 -i "$configKey"' = []' "$configFile" - - # IF config value is not empty, go ahead with the following: - # 1. Check if any got IPS fit inside of the IPs existing in the config-files. - # 2. IF True = Put the working subnet-address and kube-address in assigned arrays for comparison and remove copies. - # 3. Merge the working subnet-addresses and kube-addresses into a finalized list. - if [ "${#multiIPRanges[@]}" -gt 0 ]; then - for upstreamDNSIP in "${IPS[@]}"; do - for configIP in "${multiIPRanges[@]}"; do - performIPCheckAndRemoveFromIPSList "$upstreamDNSIP" "$configIP" - done - done - - # Add the working subnet-addresses and working IPs together. - working_subnet+=("${IPS[@]}") - - filtered_working_subnet=() - - for ip in "${working_subnet[@]}"; do - - if [[ $ip =~ "/" ]]; then - filtered_working_subnet+=("$ip") - else - filtered_working_subnet+=("$ip"/32) +# Usage: process_ips_to_cidrs ... +# return cidrs that are filtered so: +# 1. old cidr entries are returned with existing suffix if it contains new ips +# 2. new cidr entries are returned with a /32 suffix +# 3. 
returned cidrs are sorted and unique +process_ips_to_cidrs() { + local config_key="${1}" + local config_file="${2}" + + local -a new_cidrs + local -a old_cidrs + + readarray -t old_cidrs <<< "$(yq4 "${config_key} | .[]" "${config_file}")" + + for ip in "${@:3}"; do + for cidr in "${old_cidrs[@]}"; do + if [[ "${cidr}" != "" ]] && ! [[ "${cidr}" =~ .*/32 ]] && check_ip_in_cidr "${ip}" "${cidr}"; then + new_cidrs+=("${cidr}") + continue 2 fi done - echo "${filtered_working_subnet[@]}" - else - - processed_IPS=() - - for ip in "${IPS[@]}"; do - processed_IPS+=("$ip/32") - done + new_cidrs+=("${ip}/32") + done - echo "${processed_IPS[@]}" - fi + yq4 'split(" ") | sort | unique | .[]' <<< "${new_cidrs[@]}" } -# checkIfDiffAndUpdateIPs +# checkIfDiffAndUpdateIPs ... checkIfDiffAndUpdateIPs() { - local yaml_path="${1}" - local file="${2}" + local config_key="${1}" + local config_file="${2}" shift 2 - local IPS=("$@") + local -a ips=("$@") - processedIPRANGE=$(processIPRanges "${yaml_path}" "${file}") + local cidrs + cidrs="$(process_ips_to_cidrs "${config_key}" "${config_file}" "${ips[@]}")" - if ! diffIPs "${yaml_path}" "${file}" "$processedIPRANGE"; then + if ! diff_cidrs "${config_key}" "${config_file}" "${cidrs}"; then if ! $DRY_RUN; then - updateIPs "${yaml_path}" "${file}" "$processedIPRANGE" + update_cidrs "${config_key}" "${config_file}" "${cidrs}" else - log_warning "Diff found for ${yaml_path} in ${file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" + log_warning "Diff found for ${config_key} in ${config_file//${CK8S_CONFIG_PATH}\//} (diff shows actions needed to be up to date)" fi has_diff=$((has_diff + 1)) fi
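Review bot: process_ips_to_cidrs turns an empty ip into the entry `/32`: `readarray -t ips <<<"$(… | tr ' ' '\n')"` in checkIfDiffAndUpdateDNSIPs and checkIfDiffAndUpdateKubectlIPs yields one empty element whenever getDNSIPs or getKubectlIPs prints nothing (a label matching no nodes, a failed lookup; both helpers start outside this hunk), the inner loop cannot match an empty ip, and `new_cidrs+=("${ip}/32")` then emits a malformed cidr that `apply` writes into the network policy config. Guard the outer loop with `[[ -n "${ip}" ]] || continue`, or fail loudly when no ips were resolved if the helpers do not already do so. Separately, check_ip_in_cidr still splices the ip and cidr into Python source; passing them as arguments keeps unexpected characters in a DNS answer or config value out of the program text: `python3 -c 'import ipaddress, sys; sys.exit(0 if ipaddress.ip_address(sys.argv[1]) in ipaddress.ip_network(sys.argv[2]) else 1)' "${ip}" "${cidr}"`.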