Skip to content

Commit

Permalink
Add support for custom Control Plane ingress rules
Browse files Browse the repository at this point in the history
  • Loading branch information
alexander-demicev committed May 24, 2023
1 parent 2570d97 commit 88d7502
Show file tree
Hide file tree
Showing 14 changed files with 625 additions and 24 deletions.
5 changes: 5 additions & 0 deletions api/v1beta1/awscluster_conversion.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
}
dst.Spec.Partition = restored.Spec.Partition

for role, sg := range restored.Status.Network.SecurityGroups {
dst.Status.Network.SecurityGroups[role] = sg
}

return nil
}

Expand All @@ -69,6 +73,7 @@ func restoreControlPlaneLoadBalancer(restored, dst *infrav2.AWSLoadBalancerSpec)
dst.LoadBalancerType = restored.LoadBalancerType
dst.DisableHostsRewrite = restored.DisableHostsRewrite
dst.PreserveClientIP = restored.PreserveClientIP
dst.AdditionalIngressRules = restored.AdditionalIngressRules
}

// ConvertFrom converts the v1beta1 AWSCluster receiver to a v1beta1 AWSCluster.
Expand Down
4 changes: 4 additions & 0 deletions api/v1beta1/conversion.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,3 +78,7 @@ func Convert_v1beta2_LoadBalancer_To_v1beta1_ClassicELB(in *v1beta2.LoadBalancer
out.SubnetIDs = in.SubnetIDs
return nil
}

func Convert_v1beta2_IngressRule_To_v1beta1_IngressRule(in *v1beta2.IngressRule, out *IngressRule, s conversion.Scope) error {
return autoConvert_v1beta2_IngressRule_To_v1beta1_IngressRule(in, out, s)
}
69 changes: 55 additions & 14 deletions api/v1beta1/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions api/v1beta2/awscluster_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,11 @@ type AWSLoadBalancerSpec struct {
// +optional
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`

// AdditionalIngressRules sets the additional ingress rules for the control plane load balancer. If no source security group ids are specified, the
// default control plane security group will be used.
// +optional
AdditionalIngressRules []IngressRule `json:"additionalIngressRules,omitempty"`

// LoadBalancerType sets the type for a load balancer. The default type is classic.
// +kubebuilder:default=classic
// +kubebuilder:validation:Enum:=classic;elb;alb;nlb
Expand Down
17 changes: 17 additions & 0 deletions api/v1beta2/awscluster_webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ func (r *AWSCluster) ValidateCreate() error {
allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
allErrs = append(allErrs, r.Spec.S3Bucket.Validate()...)
allErrs = append(allErrs, r.validateNetwork()...)
allErrs = append(allErrs, r.validateAdditionalIngressRules()...)

return aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
}
Expand Down Expand Up @@ -190,3 +191,19 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
}
return allErrs
}

func (r *AWSCluster) validateAdditionalIngressRules() field.ErrorList {
var allErrs field.ErrorList

if r.Spec.ControlPlaneLoadBalancer == nil {
return allErrs
}

for _, rule := range r.Spec.ControlPlaneLoadBalancer.AdditionalIngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalIngressRules"), r.Spec.ControlPlaneLoadBalancer.AdditionalIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}

return allErrs
}
84 changes: 84 additions & 0 deletions api/v1beta2/awscluster_webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,90 @@ func TestAWSClusterValidateCreate(t *testing.T) {
},
wantErr: true,
},
{
name: "rejects additional ingress rules with cidr block and source security group id",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
},
},
},
},
},
wantErr: true,
},
{
name: "rejects additional ingress rules with cidr block and source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
IPv6CidrBlocks: []string{"test"},
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: true,
},
{
name: "accepts additional ingress rules with cidr block",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
},
},
},
},
},
wantErr: false,
},
{
name: "accepts additional ingress rules with source security group role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
{
name: "accepts additional ingress rules with source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
},
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand Down
19 changes: 15 additions & 4 deletions api/v1beta2/network_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -462,6 +462,7 @@ type RouteTable struct {
}

// SecurityGroupRole defines the unique role of a security group.
// +kubebuilder:validation:Enum=bastion;node;controlplane;apiserver-lb;lb;node-eks-additional
type SecurityGroupRole string

var (
Expand Down Expand Up @@ -530,10 +531,15 @@ var (

// IngressRule defines an AWS ingress rule for security groups.
type IngressRule struct {
Description string `json:"description"`
Protocol SecurityGroupProtocol `json:"protocol"`
FromPort int64 `json:"fromPort"`
ToPort int64 `json:"toPort"`
// Description provides extended information about the ingress rule.
Description string `json:"description"`
// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58"
Protocol SecurityGroupProtocol `json:"protocol"`
// FromPort is the start of port range.
FromPort int64 `json:"fromPort"`
// ToPort is the end of port range.
ToPort int64 `json:"toPort"`

// List of CIDR blocks to allow access from. Cannot be specified with SourceSecurityGroupID.
// +optional
Expand All @@ -546,6 +552,11 @@ type IngressRule struct {
// The security group id to allow access from. Cannot be specified with CidrBlocks.
// +optional
SourceSecurityGroupIDs []string `json:"sourceSecurityGroupIds,omitempty"`

// The security group role to allow access from. Cannot be specified with CidrBlocks.
// The field will be combined with source security group IDs if specified.
// +optional
SourceSecurityGroupRoles []SecurityGroupRole `json:"sourceSecurityGroupRoles,omitempty"`
}

// String returns a string representation of the ingress rule.
Expand Down
12 changes: 12 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 88d7502

Please sign in to comment.