feat: allow setting AllowedIps through WireguardPeer (#191)

* set default for allowIps

* generate manifest

* update test

config/crd/bases/vpn.wireguard-operator.io_wireguardpeers.yaml

@@ -45,6 +45,9 @@ spec:
                   Important: Run "make" to regenerate code after modifying this file
                   The address of the peer.
                 type: string
+              allowedIPs:
+                description: The AllowedIPs of the peer.
+                type: string
               disabled:
                 description: Set to true to temporarily disable the peer.
                 type: boolean

pkg/api/v1alpha1/wireguardpeer_types.go

@@ -37,6 +37,8 @@ type WireguardPeerSpec struct {
 	// Important: Run "make" to regenerate code after modifying this file
 	// The address of the peer.
 	Address string `json:"address,omitempty"`
+	// The AllowedIPs of the peer.
+	AllowedIPs string `json:"allowedIPs,omitempty"`
 	// Set to true to temporarily disable the peer.
 	Disabled bool `json:"disabled,omitempty"`
 	// The DNS configuration for the peer.

pkg/controllers/wireguard_controller.go

@@ -193,6 +193,12 @@ func (r *WireguardReconciler) updateWireguardPeers(ctx context.Context, req ctrl
 			dnsConfiguration = dns + ", " + dnsSearchDomain
 		}
 
+		allowIps := peer.Spec.AllowedIPs
+
+		if allowIps == "" {
+			allowIps = "0.0.0.0/0"
+		}
+
 		newConfig := fmt.Sprintf(`
 echo "
 [Interface]
@@ -208,8 +214,8 @@ DNS = %s`, peer.Spec.PrivateKey.SecretKeyRef.Name, peer.Spec.PrivateKey.SecretKe
 
 [Peer]
 PublicKey = %s
-AllowedIPs = 0.0.0.0/0
-Endpoint = %s:%s"`, serverPublicKey, serverAddress, wireguard.Status.Port)
+AllowedIPs = %s
+Endpoint = %s:%s"`, serverPublicKey, allowIps, serverAddress, wireguard.Status.Port)
 		if peer.Status.Config != newConfig || peer.Status.Status != v1alpha1.Ready {
 			peer.Status.Config = newConfig
 			peer.Status.Status = v1alpha1.Ready

pkg/controllers/wireguard_controller_test.go

@@ -3,12 +3,13 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	appsv1 "k8s.io/api/apps/v1"
@@ -371,8 +372,8 @@ DNS = %s, %s.svc.cluster.local
 
 [Peer]
 PublicKey = %s
-AllowedIPs = 0.0.0.0/0
-Endpoint = %s:%s"`, peerKey.Name, peer.Spec.Address, dnsServiceIp, peer.Namespace, wgPublicKey, expectedAddress, expectedNodePort),
+AllowedIPs = %s
+Endpoint = %s:%s"`, peerKey.Name, peer.Spec.AllowedIPs, peer.Spec.Address, dnsServiceIp, peer.Namespace, wgPublicKey, expectedAddress, expectedNodePort),
 				Status:  "ready",
 				Message: "Peer configured",
 			}))
@@ -500,8 +501,8 @@ DNS = %s, %s.svc.cluster.local
 
 [Peer]
 PublicKey = %s
-AllowedIPs = 0.0.0.0/0
-Endpoint = %s:%s"`, peerKey.Name, peer.Spec.Address, dnsServiceIp, peer.Namespace, wgPublicKey, expectedExternalHostName, wg.Status.Port),
+AllowedIPs = %s
+Endpoint = %s:%s"`, peerKey.Name, peer.Spec.AllowedIPs, peer.Spec.Address, dnsServiceIp, peer.Namespace, wgPublicKey, expectedExternalHostName, wg.Status.Port),
 				Status:  "ready",
 				Message: "Peer configured",
 			}))
@@ -515,7 +516,7 @@ Endpoint = %s:%s"`, peerKey.Name, peer.Spec.Address, dnsServiceIp, peer.Namespac
 		for _, useWgUserspace := range []bool{true, false} {
 			testTextPrefix := "uses"
 			if !useWgUserspace {
-				testTextPrefix="does not use"
+				testTextPrefix = "does not use"
 			}
 
 			It(fmt.Sprintf("%s userspace implementation of wireguard if spec.useWgUserspaceImplementation is set to %t", testTextPrefix, useWgUserspace), func() {