Allow customization of ingress rules in control plane LB security group #4304

Merged
2 changes: 1 addition & 1 deletion api/v1beta1/awscluster_conversion.go
Expand Up @@ -74,7 +74,7 @@ func restoreControlPlaneLoadBalancer(restored, dst *infrav2.AWSLoadBalancerSpec)
dst.LoadBalancerType = restored.LoadBalancerType
dst.DisableHostsRewrite = restored.DisableHostsRewrite
dst.PreserveClientIP = restored.PreserveClientIP
dst.AdditionalIngressRules = restored.AdditionalIngressRules
dst.IngressRules = restored.IngressRules
}

// ConvertFrom converts the v1beta1 AWSCluster receiver to a v1beta1 AWSCluster.
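Review bot: the trailing context comment on ConvertFrom reads "converts the v1beta1 AWSCluster receiver to a v1beta1 AWSCluster", naming the same version on both sides; since this file is being touched anyway, correct the receiver's version so the comment matches what the function does. The rename itself is consistent with the restore logic: IngressRules is copied back from the restored v1beta2 spec, so the new field name survives a v1beta1 round-trip.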
2 changes: 1 addition & 1 deletion api/v1beta1/zz_generated.conversion.go


5 changes: 2 additions & 3 deletions api/v1beta2/awscluster_types.go
Expand Up @@ -208,10 +208,9 @@ type AWSLoadBalancerSpec struct {
// +optional
AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`

// AdditionalIngressRules sets the additional ingress rules for the control plane load balancer. If no source security group ids are specified, the
// default control plane security group will be used.
// IngressRules sets the ingress rules for the control plane load balancer.
// +optional
AdditionalIngressRules []IngressRule `json:"additionalIngressRules,omitempty"`
IngressRules []IngressRule `json:"ingressRules,omitempty"`

// LoadBalancerType sets the type for a load balancer. The default type is classic.
// +kubebuilder:default=classic
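Review bot: the new doc comment drops the sentence about what happens when no source security group IDs are given, and the field is renamed from "additional" rules to the rules, so a reader can no longer tell whether setting ingressRules replaces the controller's default ingress rules on the load balancer security group or is merged with them; state that explicitly here, and what an unset list means, since this is the comment operators will read before widening the source of the API server port. Changing the JSON tag from additionalIngressRules to ingressRules also changes the wire format of a v1beta2 object: a spec stored under the old key has those rules silently dropped on decode rather than rejected, so either note that the old field never shipped in a release or add a migration note.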
4 changes: 2 additions & 2 deletions api/v1beta2/awscluster_webhook.go
Expand Up @@ -199,9 +199,9 @@ func (r *AWSCluster) validateAdditionalIngressRules() field.ErrorList {
return allErrs
}

for _, rule := range r.Spec.ControlPlaneLoadBalancer.AdditionalIngressRules {
for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalIngressRules"), r.Spec.ControlPlaneLoadBalancer.AdditionalIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
allErrs = append(allErrs, field.Invalid(field.NewPath("additionalIngressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
}
}

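Review bot: the error path still reports field.NewPath("additionalIngressRules") although the field is now ingressRules (and the method is still named validateAdditionalIngressRules), so a rejected object points users at a path that no longer exists; use field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules") and rename the method. Separately, the loop only checks that CIDR and security-group sources are not mixed and never parses rule.CidrBlocks or rule.IPv6CidrBlocks, so a malformed entry such as "10.0.0.0/33" is accepted at admission and only fails later at the EC2 API, after the cluster object exists. A net.ParseCIDR check on each entry inside this loop would reject it up front.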
20 changes: 10 additions & 10 deletions api/v1beta2/awscluster_webhook_test.go
Expand Up @@ -252,11 +252,11 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: true,
},
{
name: "rejects additional ingress rules with cidr block and source security group id",
name: "rejects ingress rules with cidr block and source security group id",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
Expand All @@ -269,11 +269,11 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: true,
},
{
name: "rejects additional ingress rules with cidr block and source security group id and role",
name: "rejects ingress rules with cidr block and source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
IPv6CidrBlocks: []string{"test"},
Expand All @@ -287,11 +287,11 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: true,
},
{
name: "accepts additional ingress rules with cidr block",
name: "accepts ingress rules with cidr block",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
CidrBlocks: []string{"test"},
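Review bot: the accepting case "accepts ingress rules with cidr block" uses CidrBlocks: []string{"test"}, which is not a CIDR; if the webhook gains CIDR parsing this test starts failing for the wrong reason, so use a syntactically valid value such as "10.0.0.0/8" in the cases expected to pass and keep "test" only where rejection is expected. There is also no case covering a rule with neither CIDR blocks nor a security-group source, so the webhook's behaviour for that shape is untested.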
Expand All @@ -303,11 +303,11 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: false,
},
{
name: "accepts additional ingress rules with source security group role",
name: "accepts ingress rules with source security group role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
Expand All @@ -319,11 +319,11 @@ func TestAWSClusterValidateCreate(t *testing.T) {
wantErr: false,
},
{
name: "accepts additional ingress rules with source security group id and role",
name: "accepts ingress rules with source security group id and role",
cluster: &AWSCluster{
Spec: AWSClusterSpec{
ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
AdditionalIngressRules: []IngressRule{
IngressRules: []IngressRule{
{
Protocol: SecurityGroupProtocolTCP,
SourceSecurityGroupIDs: []string{"test"},
4 changes: 2 additions & 2 deletions api/v1beta2/zz_generated.deepcopy.go


76 changes: 37 additions & 39 deletions config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
Expand Up @@ -966,11 +966,43 @@ spec:
description: ControlPlaneLoadBalancer is optional configuration for
customizing control plane behavior.
properties:
additionalIngressRules:
description: AdditionalIngressRules sets the additional ingress
rules for the control plane load balancer. If no source security
group ids are specified, the default control plane security
group will be used.
additionalSecurityGroups:
description: AdditionalSecurityGroups sets the security groups
used by the load balancer. Expected to be security group IDs
This is optional - if not provided new security groups will
be created for the load balancer
items:
type: string
type: array
crossZoneLoadBalancing:
description: "CrossZoneLoadBalancing enables the classic ELB cross
availability zone balancing. \n With cross-zone load balancing,
each load balancer node for your Classic Load Balancer distributes
requests evenly across the registered instances in all enabled
Availability Zones. If cross-zone load balancing is disabled,
each load balancer node distributes requests evenly across the
registered instances in its Availability Zone only. \n Defaults
to false."
type: boolean
disableHostsRewrite:
description: DisableHostsRewrite disabled the hair pinning issue
solution that adds the NLB's address as 127.0.0.1 to the hosts
file of each instance. This is by default, false.
type: boolean
healthCheckProtocol:
description: HealthCheckProtocol sets the protocol type for ELB
health check target default value is ELBProtocolSSL
enum:
- TCP
- SSL
- HTTP
- HTTPS
- TLS
- UDP
type: string
ingressRules:
description: IngressRules sets the ingress rules for the control
plane load balancer.
items:
description: IngressRule defines an AWS ingress rule for security
groups.
Expand Down Expand Up @@ -1040,40 +1072,6 @@ spec:
- toPort
type: object
type: array
additionalSecurityGroups:
description: AdditionalSecurityGroups sets the security groups
used by the load balancer. Expected to be security group IDs
This is optional - if not provided new security groups will
be created for the load balancer
items:
type: string
type: array
crossZoneLoadBalancing:
description: "CrossZoneLoadBalancing enables the classic ELB cross
availability zone balancing. \n With cross-zone load balancing,
each load balancer node for your Classic Load Balancer distributes
requests evenly across the registered instances in all enabled
Availability Zones. If cross-zone load balancing is disabled,
each load balancer node distributes requests evenly across the
registered instances in its Availability Zone only. \n Defaults
to false."
type: boolean
disableHostsRewrite:
description: DisableHostsRewrite disabled the hair pinning issue
solution that adds the NLB's address as 127.0.0.1 to the hosts
file of each instance. This is by default, false.
type: boolean
healthCheckProtocol:
description: HealthCheckProtocol sets the protocol type for ELB
health check target default value is ELBProtocolSSL
enum:
- TCP
- SSL
- HTTP
- HTTPS
- TLS
- UDP
type: string
loadBalancerType:
default: classic
description: LoadBalancerType sets the type for a load balancer.
Expand Up @@ -559,11 +559,45 @@ spec:
description: ControlPlaneLoadBalancer is optional configuration
for customizing control plane behavior.
properties:
additionalIngressRules:
description: AdditionalIngressRules sets the additional
ingress rules for the control plane load balancer. If
no source security group ids are specified, the default
control plane security group will be used.
additionalSecurityGroups:
description: AdditionalSecurityGroups sets the security
groups used by the load balancer. Expected to be security
group IDs This is optional - if not provided new security
groups will be created for the load balancer
items:
type: string
type: array
crossZoneLoadBalancing:
description: "CrossZoneLoadBalancing enables the classic
ELB cross availability zone balancing. \n With cross-zone
load balancing, each load balancer node for your Classic
Load Balancer distributes requests evenly across the
registered instances in all enabled Availability Zones.
If cross-zone load balancing is disabled, each load
balancer node distributes requests evenly across the
registered instances in its Availability Zone only.
\n Defaults to false."
type: boolean
disableHostsRewrite:
description: DisableHostsRewrite disabled the hair pinning
issue solution that adds the NLB's address as 127.0.0.1
to the hosts file of each instance. This is by default,
false.
type: boolean
healthCheckProtocol:
description: HealthCheckProtocol sets the protocol type
for ELB health check target default value is ELBProtocolSSL
enum:
- TCP
- SSL
- HTTP
- HTTPS
- TLS
- UDP
type: string
ingressRules:
description: IngressRules sets the ingress rules for the
control plane load balancer.
items:
description: IngressRule defines an AWS ingress rule
for security groups.
Expand Down Expand Up @@ -634,42 +668,6 @@ spec:
- toPort
type: object
type: array
additionalSecurityGroups:
description: AdditionalSecurityGroups sets the security
groups used by the load balancer. Expected to be security
group IDs This is optional - if not provided new security
groups will be created for the load balancer
items:
type: string
type: array
crossZoneLoadBalancing:
description: "CrossZoneLoadBalancing enables the classic
ELB cross availability zone balancing. \n With cross-zone
load balancing, each load balancer node for your Classic
Load Balancer distributes requests evenly across the
registered instances in all enabled Availability Zones.
If cross-zone load balancing is disabled, each load
balancer node distributes requests evenly across the
registered instances in its Availability Zone only.
\n Defaults to false."
type: boolean
disableHostsRewrite:
description: DisableHostsRewrite disabled the hair pinning
issue solution that adds the NLB's address as 127.0.0.1
to the hosts file of each instance. This is by default,
false.
type: boolean
healthCheckProtocol:
description: HealthCheckProtocol sets the protocol type
for ELB health check target default value is ELBProtocolSSL
enum:
- TCP
- SSL
- HTTP
- HTTPS
- TLS
- UDP
type: string
loadBalancerType:
default: classic
description: LoadBalancerType sets the type for a load
11 changes: 6 additions & 5 deletions docs/book/src/topics/bring-your-own-aws-infrastructure.md
Expand Up @@ -163,11 +163,12 @@ It's also possible to specify custom ingress rules for the control plane load ba

```yaml
spec:
additionalIngressRules:
- description: "example ingress rule"
protocol: "-1" # all
fromPort: 7777
toPort: 7777
controlPlaneLoadBalancer:
ingressRules:
- description: "example ingress rule"
protocol: "-1" # all
fromPort: 7777
toPort: 7777
```

> **WARNING:** Using an existing Classic ELB is an advanced feature. **If you use an existing Classic ELB, you must correctly configure it, and attach subnets to it.**
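Review bot: the example rule combines protocol "-1" (all protocols) with fromPort/toPort 7777, but for an all-protocols rule AWS ignores the port range and the resulting security group rule admits every port, so the example opens far more than it appears to; use a concrete protocol such as tcp, or drop the ports. It also sets no cidrBlocks or source security group, and the surrounding text does not say which source the rule then applies to or whether ingressRules replaces the default control plane rules; both belong in this section before it tells users custom rules are possible.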