PCP-1705: Upstream changes LB ingress rules support #827

wants to merge 2 commits into
base: spectro-v1beta1-1.5.2_v1
4 changes: 4 additions & 0 deletions api/v1alpha3/awscluster_conversion.go
Expand Up @@ -136,3 +136,7 @@ func Convert_v1beta1_AWSClusterSpec_To_v1alpha3_AWSClusterSpec(in *infrav1.AWSCl
func Convert_v1beta1_AWSClusterStatus_To_v1alpha3_AWSClusterStatus(in *infrav1.AWSClusterStatus, out *AWSClusterStatus, s apiconversion.Scope) error {
return autoConvert_v1beta1_AWSClusterStatus_To_v1alpha3_AWSClusterStatus(in, out, s)
}

func Convert_v1beta1_IngressRule_To_v1alpha3_IngressRule(in *infrav1.IngressRule, out *IngressRule, s apiconversion.Scope) error {
return autoConvert_v1beta1_IngressRule_To_v1alpha3_IngressRule(in, out, s)
}
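Review bot: Only the IngressRule conversion wrapper is added for v1alpha3; the matching restore that the v1alpha4 section of this PR gets (`dst.IngressRules = restored.IngressRules` in restoreControlPlaneLoadBalancer and the security-group loop in ConvertTo) has no visible counterpart here, so a v1beta1 → v1alpha3 → v1beta1 round trip would presumably drop Spec.ControlPlaneLoadBalancer.IngressRules and the new SourceSecurityGroupRoles on status rules unless v1alpha3's ConvertTo already restores them outside this diff. The conversion fuzz tests, if present, should be run with the new fields populated to confirm. The wrapper also deserves a one-line comment, e.g. `// Convert_v1beta1_IngressRule_To_v1alpha3_IngressRule is lossy: SourceSecurityGroupRoles has no v1alpha3 equivalent and is expected to be recovered from the hub annotation on ConvertTo.`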
31 changes: 24 additions & 7 deletions api/v1alpha3/zz_generated.conversion.go


4 changes: 4 additions & 0 deletions api/v1alpha4/awscluster_conversion.go
Expand Up @@ -44,6 +44,9 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
}
restoreControlPlaneLoadBalancer(restored.Spec.ControlPlaneLoadBalancer, dst.Spec.ControlPlaneLoadBalancer)
}
for role, sg := range restored.Status.Network.SecurityGroups {
dst.Status.Network.SecurityGroups[role] = sg
}

dst.Spec.S3Bucket = restored.Spec.S3Bucket

Expand All @@ -55,6 +58,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
func restoreControlPlaneLoadBalancer(restored, dst *infrav1.AWSLoadBalancerSpec) {
dst.Name = restored.Name
dst.HealthCheckProtocol = restored.HealthCheckProtocol
dst.IngressRules = restored.IngressRules
}

// ConvertFrom converts the v1beta1 AWSCluster receiver to a v1alpha4 AWSCluster.
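Review bot: The loop added at L57–L59 assigns into `dst.Status.Network.SecurityGroups` without checking that the map is non-nil; `dst` comes from the generated auto-conversion of a v1alpha4 object, and if that object's status carries no security groups the map is presumably nil and the assignment panics inside the conversion webhook, failing every API request for that object. Whether the auto-conversion allocates an empty map is not visible here, so guard it before the loop: `if dst.Status.Network.SecurityGroups == nil { dst.Status.Network.SecurityGroups = make(map[infrav1.SecurityGroupRole]infrav1.SecurityGroup, len(restored.Status.Network.SecurityGroups)) }` (adjust the key/value types to the actual v1beta1 map type). Note also that the restored entry replaces the converted one wholesale, so any status change made through the v1alpha4 API is discarded in favour of the annotation copy; that is probably acceptable for status but should be a deliberate choice. ConvertTo begins and ends outside this hunk.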
4 changes: 4 additions & 0 deletions api/v1alpha4/conversion.go
Expand Up @@ -25,3 +25,7 @@ import (
func Convert_v1beta1_AWSClusterSpec_To_v1alpha4_AWSClusterSpec(in *v1beta1.AWSClusterSpec, out *AWSClusterSpec, s conversion.Scope) error {
return autoConvert_v1beta1_AWSClusterSpec_To_v1alpha4_AWSClusterSpec(in, out, s)
}

func Convert_v1beta1_IngressRule_To_v1alpha4_IngressRule(in *v1beta1.IngressRule, out *IngressRule, s conversion.Scope) error {
return autoConvert_v1beta1_IngressRule_To_v1alpha4_IngressRule(in, out, s)
}
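Review bot: Convert_v1beta1_IngressRule_To_v1alpha4_IngressRule is hand-written because the generated conversion cannot map SourceSecurityGroupRoles (added to v1beta1 only, per the network_types change in this PR), yet nothing records that the field is dropped on the way down, so the next reader will assume the wrapper is a pure pass-through. Add above the function: `// Convert_v1beta1_IngressRule_To_v1alpha4_IngressRule is lossy: SourceSecurityGroupRoles has no v1alpha4 equivalent and is restored from the hub annotation in ConvertTo.` The unused `s` scope argument matches the existing spec converter above it and is fine.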
59 changes: 50 additions & 9 deletions api/v1alpha4/zz_generated.conversion.go


5 changes: 5 additions & 0 deletions api/v1beta1/awscluster_types.go
Expand Up @@ -200,6 +200,11 @@ type AWSLoadBalancerSpec struct {
// This is optional - if not provided new security groups will be created for the load balancer
// +optional
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`

// IngressRules sets the additional ingress rules for the control plane load balancer. If no source security group ids are specified, the
// default control plane security group will be used.
// +optional
IngressRules []IngressRule `json:"ingressRules,omitempty"`
}

// AWSClusterStatus defines the observed state of AWSCluster.
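Review bot: The comment on the new IngressRules field (L93–L94) describes only the source-security-group-ID fallback, while the rule type now also accepts CidrBlocks and SourceSecurityGroupRoles, and the admission webhook in this PR rejects combining CIDRs with either of the other two. Since these rules presumably open the control-plane load balancer's security group to the listed sources, the doc should state what a rule with neither CIDRs nor groups means and that a broad CIDR such as 0.0.0.0/0 widens who can reach the API server. Suggested text: `// IngressRules sets additional ingress rules for the control plane load balancer's security group. Each rule may specify CidrBlocks or source security groups (IDs and/or roles) but not both; a rule with neither defaults to the control plane security group as its source.`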
17 changes: 17 additions & 0 deletions api/v1beta1/awscluster_webhook.go
Expand Up @@ -56,6 +56,7 @@ func (r *AWSCluster) ValidateCreate() error {
allErrs = append(allErrs, r.validateSSHKeyName()...)
allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
allErrs = append(allErrs, r.ingressRules()...)

return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
}
Expand Down Expand Up @@ -178,3 +179,19 @@ func (r *AWSCluster) Default() {
func (r *AWSCluster) validateSSHKeyName() field.ErrorList {
return validateSSHKeyName(r.Spec.SSHKeyName)
}

func (r *AWSCluster) ingressRules() field.ErrorList {
var allErrs field.ErrorList

if r.Spec.ControlPlaneLoadBalancer == nil {
return allErrs
}

for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
if rule.CidrBlocks != nil && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}

return allErrs
}
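Review bot: The new `ingressRules` validator only rejects CIDR-and-security-group combinations; it never parses the CIDRs, so a rule with `CidrBlocks: []string{"test"}` is admitted (the companion test in this PR relies on exactly that), and the error is reported against a bare `ingressRules` path carrying the whole slice rather than `spec.controlPlaneLoadBalancer.ingressRules[i]`. Because these rules end up on the control-plane load balancer's security group, malformed CIDRs should be rejected at admission with `net.ParseCIDR` (requires importing `net`), and `len(...) > 0` should replace the `!= nil` checks so an explicit empty slice does not count as set. A port-range check would also fit here but must allow the -1 AWS uses for ICMP types and all-protocol rules, so it is left out of the sketch below. Only ValidateCreate is shown wiring the check (L107); ValidateUpdate lies outside the hunk and should call it too, otherwise the rejected combination can still be introduced on update.
```go
func (r *AWSCluster) ingressRules() field.ErrorList {
	var allErrs field.ErrorList
	// … unchanged: early return when ControlPlaneLoadBalancer is nil …
	path := field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules")
	for i, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
		rulePath := path.Index(i)
		if len(rule.CidrBlocks) > 0 && (len(rule.SourceSecurityGroupIDs) > 0 || len(rule.SourceSecurityGroupRoles) > 0) {
			allErrs = append(allErrs, field.Invalid(rulePath, rule, "CIDR blocks and security group IDs or security group roles cannot be used together"))
		}
		// reject syntactically invalid CIDRs before they reach the AWS API
		for j, cidr := range rule.CidrBlocks {
			if _, _, err := net.ParseCIDR(cidr); err != nil {
				allErrs = append(allErrs, field.Invalid(rulePath.Child("cidrBlocks").Index(j), cidr, err.Error()))
			}
		}
	}
	return allErrs
}
```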
66 changes: 66 additions & 0 deletions api/v1beta1/awscluster_webhook_test.go
Expand Up @@ -222,6 +222,72 @@ func TestAWSCluster_ValidateCreate(t *testing.T) {
},
wantErr: false,
},
{
name: "rejects additional ingress rules with cidr block and source security group id",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
},
},
},
},
},
wantErr: true,
},
{
name: "accepts additional ingress rules with cidr block",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
},
},
},
},
},
wantErr: false,
},
{
name: "accepts additional ingress rules with source security group role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
{
name: "accepts additional ingress rules with source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
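Review bot: The fixtures use the literal "test" for both CidrBlocks and SourceSecurityGroupIDs, so the "accepts additional ingress rules with cidr block" case passes only because the webhook never parses CIDRs; it locks in the absence of syntax validation and will break the moment that check is added. Use realistic values such as `CidrBlocks: []string{"10.0.0.0/16"}` and `SourceSecurityGroupIDs: []string{"sg-0123456789abcdef0"}` so the cases document intent. All four new cases run through TestAWSCluster_ValidateCreate; there is no update-path case, so whether the conflicting combination is also rejected on ValidateUpdate is untested here. TestAWSCluster_ValidateCreate begins and ends outside the hunk.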
18 changes: 14 additions & 4 deletions api/v1beta1/network_types.go
Expand Up @@ -427,10 +427,15 @@ var (

// IngressRule defines an AWS ingress rule for security groups.
type IngressRule struct {
Description string `json:"description"`
Protocol SecurityGroupProtocol `json:"protocol"`
FromPort int64 `json:"fromPort"`
ToPort int64 `json:"toPort"`
// Description provides extended information about the ingress rule.
Description string `json:"description"`
// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58"
Protocol SecurityGroupProtocol `json:"protocol"`
// FromPort is the start of port range.
FromPort int64 `json:"fromPort"`
// ToPort is the end of port range.
ToPort int64 `json:"toPort"`

// List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
// +optional
Expand All @@ -439,6 +444,11 @@ type IngressRule struct {
// The security group id to allow access from. Cannot be specified with CidrBlocks.
// +optional
SourceSecurityGroupIDs []string `json:"sourceSecurityGroupIds,omitempty"`

// The security group role to allow access from. Cannot be specified with CidrBlocks.
// The field will be combined with source security group IDs if specified.
// +optional
SourceSecurityGroupRoles []SecurityGroupRole `json:"sourceSecurityGroupRoles,omitempty"`
}

// String returns a string representation of the ingress rule.
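Review bot: The untouched field comments at L227 and L230 are now stale: CidrBlocks says it cannot be combined with `SourceSecurityGroupID` (singular, and the webhook in this PR also rejects combining it with SourceSecurityGroupRoles), and SourceSecurityGroupIDs is described as a single id. Suggest `// List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupIDs or SourceSecurityGroupRoles.` and `// The security group ids to allow access from. Cannot be specified with CidrBlocks.` SourceSecurityGroupRoles carries no `+kubebuilder:validation:Enum` marker, so any string reaches the controller; if SecurityGroupRole has a fixed set of constants (SecurityGroupBastion is one, per the tests) an enum marker would reject typos at admission the way Protocol now does. Finally, `String()` starts at L240 and continues outside the hunk — if it, or an Equals helper, is what the reconciler uses to diff desired against actual rules, it needs to account for the new field, otherwise role-based changes may go unnoticed.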
12 changes: 12 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go

