Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional ingress rules for control plane #4359

Merged
merged 1 commit into from
Sep 21, 2023

Conversation

alexander-demicev
Copy link
Contributor

@alexander-demicev alexander-demicev commented Jun 26, 2023

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR fixes mistake from #4228, initially, the intention was to allow adding custom ingress rules for the control plane itself and not for the load balancer.

cc @richardcase @fiunchinho

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

  • squashed commits
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

Release note:

Additional ingress rules for control plane

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 26, 2023
@k8s-ci-robot k8s-ci-robot requested review from dthorsen and pydctw June 26, 2023 12:47
@richardcase
Copy link
Member

/test ?

@k8s-ci-robot
Copy link
Contributor

@richardcase: The following commands are available to trigger required jobs:

  • /test pull-cluster-api-provider-aws-build
  • /test pull-cluster-api-provider-aws-test
  • /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-provider-aws-apidiff-main
  • /test pull-cluster-api-provider-aws-e2e
  • /test pull-cluster-api-provider-aws-e2e-blocking
  • /test pull-cluster-api-provider-aws-e2e-clusterclass
  • /test pull-cluster-api-provider-aws-e2e-conformance
  • /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
  • /test pull-cluster-api-provider-aws-e2e-eks
  • /test pull-cluster-api-provider-aws-e2e-eks-gc
  • /test pull-cluster-api-provider-aws-e2e-eks-testing

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-provider-aws-apidiff-main
  • pull-cluster-api-provider-aws-build
  • pull-cluster-api-provider-aws-test
  • pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks


// AdditionalControlPlaneIngressRules is an optional set of ingress rules to add to the control plane
// +optional
AdditionalControlPlaneIngressRules []IngressRule `json:"additionalControlPlaneIngressRules,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how is this different from AWSLoadBalancerSpec.IngressRules?
You mention in the PR desc it was a mistake but it seems we are keeping it?

@@ -175,6 +175,19 @@ spec:
>
>An incorrectly configured Classic ELB can easily lead to a non-functional cluster. We strongly recommend you let Cluster API create the Classic ELB.

### Control Plane ingress rules

It's possible to specify custom ingress rules for the control plane itself. To do so, add this to the AWSCluster specification:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you clarify/define what is "the control plane itself" in this context?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are couple of places where we can customize ingress rules. One of them is the control plane load balancer, which is responsible for external traffic, these 2 PRs are introducing the possibility to set custom rules for it #4228, #4304. Current PR makes it possible to customize ingress rules on the control plane machine directly, in our case we want worker machines to talk with the control plane through a specific port, it's a requirement for the RKE2.

Copy link
Member

@enxebre enxebre Jul 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

makes sense thanks! so this would be control plane machines/ec2 instances. Just to make sure I'm clear this could also be satisfied by setting your AdditionalSecurityGroups in those machines, correct? (Not saying that's the way to go and I have no objections to this change, just making sure we put all context together)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AdditionalSecurityGroups is not the best option here because we want to leverage CAPA ability to manage the underlying infrastructure. AdditionalSecurityGroups requires SGs to be pre-created.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, we need a field in AWS machine template for defining security groups but I don't know how this can be combined with already existing AdditionalSecurityGroups cc @richardcase

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed AdditionalSecurityGroups []string in AWSCluster is not flexible enough, while other code locations have AdditionalSecurityGroups []AWSResourceReference which I believe would allow searching for CAPA-managed security groups. I'll take this into account for networking code improvements.

@enxebre
Copy link
Member

enxebre commented Jun 30, 2023

Dropped some questions Alex, it'd be good to provide some context on the PR desc to elaborate the use case which is driven this change and how it differs from #4228

@alexander-demicev
Copy link
Contributor Author

/test pull-cluster-api-provider-aws-e2e-eks

}
ingressRules := s.scope.AdditionalControlPlaneIngressRules()
for i := range ingressRules {
if ingressRules[i].SourceSecurityGroupIDs == nil && ingressRules[i].SourceSecurityGroupRoles == nil { // if the rule doesn't have a source security group, use the control plane security group
Copy link
Member

@enxebre enxebre Jul 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is called AdditionalControlPlaneIngressRules because it defaults to the controlPlane SG as the source, but as an API consumer I could set SourceSecurityGroupIDs to anything I want and so bypassing the intended API scope?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, there is no override, just adding new rules. The reason is that most likely we always want control plane to have rules for the API server and etcd.

@richardcase
Copy link
Member

/milestone v2.3.0

@k8s-ci-robot k8s-ci-robot added this to the v2.3.0 milestone Jul 10, 2023
@richardcase
Copy link
Member

/test ?

@k8s-ci-robot
Copy link
Contributor

@richardcase: The following commands are available to trigger required jobs:

  • /test pull-cluster-api-provider-aws-build
  • /test pull-cluster-api-provider-aws-test
  • /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-provider-aws-apidiff-main
  • /test pull-cluster-api-provider-aws-e2e
  • /test pull-cluster-api-provider-aws-e2e-blocking
  • /test pull-cluster-api-provider-aws-e2e-clusterclass
  • /test pull-cluster-api-provider-aws-e2e-conformance
  • /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
  • /test pull-cluster-api-provider-aws-e2e-eks
  • /test pull-cluster-api-provider-aws-e2e-eks-gc
  • /test pull-cluster-api-provider-aws-e2e-eks-testing

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-provider-aws-apidiff-main
  • pull-cluster-api-provider-aws-build
  • pull-cluster-api-provider-aws-test
  • pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e-eks
/test pull-cluster-api-provider-aws-e2e

@fiunchinho
Copy link
Contributor

lgtm

@alexander-demicev
Copy link
Contributor Author

@richardcase all tests are passing

api/v1beta2/awscluster_webhook.go Outdated Show resolved Hide resolved
docs/book/src/topics/bring-your-own-aws-infrastructure.md Outdated Show resolved Hide resolved
pkg/cloud/services/securitygroup/securitygroups.go Outdated Show resolved Hide resolved
@@ -175,6 +175,19 @@ spec:
>
>An incorrectly configured Classic ELB can easily lead to a non-functional cluster. We strongly recommend you let Cluster API create the Classic ELB.

### Control Plane ingress rules

It's possible to specify custom ingress rules for the control plane itself. To do so, add this to the AWSCluster specification:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed AdditionalSecurityGroups []string in AWSCluster is not flexible enough, while other code locations have AdditionalSecurityGroups []AWSResourceReference which I believe would allow searching for CAPA-managed security groups. I'll take this into account for networking code improvements.

@richardcase
Copy link
Member

@alexander-demicev - apart from the comments from @AndiDog is there anything outstanding on this?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 5, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 5, 2023
@alexander-demicev
Copy link
Contributor Author

@AndiDog I addressed all comments, thanks for the review

Copy link
Contributor

@AndiDog AndiDog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly LGTM apart from some minor things

api/v1beta2/awscluster_webhook_test.go Show resolved Hide resolved
Copy link

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been testing this today and found a couple of bugs while using it, have marked these with comments, pretty easy to fix I believe

Comment on lines 530 to 531
for _, sourceSGRole := range ingressRules[i].SourceSecurityGroupRoles {
ingressRules[i].SourceSecurityGroupIDs = append(ingressRules[i].SourceSecurityGroupIDs, s.scope.SecurityGroups()[sourceSGRole].ID)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should use a set style for this, else over time, the list of SourceSecurityGroupIDs grows and becomes invalid as far as AWS is concerned.

Suggested change
for _, sourceSGRole := range ingressRules[i].SourceSecurityGroupRoles {
ingressRules[i].SourceSecurityGroupIDs = append(ingressRules[i].SourceSecurityGroupIDs, s.scope.SecurityGroups()[sourceSGRole].ID)
securityGroupIDs := sets.New[string](ingressRules[i].SourceSecurityGroupIDs...)
for _, sourceSGRole := range ingressRules[i].SourceSecurityGroupRoles {
securityGroupIDs.Insert(s.scope.SecurityGroups()[sourceSGRole].ID)
}
ingressRules[i].SourceSecurityGroupIDs = sets.List[string](securityGroupIDs)

@alexander-demicev
Copy link
Contributor Author

@JoelSpeed @AndiDog all should be fixed, thanks for reviews

@JoelSpeed
Copy link

Bugs I picked up look to be fixed now, thanks @alexander-demicev

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 15, 2023
@richardcase
Copy link
Member

/test ?

@k8s-ci-robot
Copy link
Contributor

@richardcase: The following commands are available to trigger required jobs:

  • /test pull-cluster-api-provider-aws-build
  • /test pull-cluster-api-provider-aws-test
  • /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-provider-aws-apidiff-main
  • /test pull-cluster-api-provider-aws-e2e
  • /test pull-cluster-api-provider-aws-e2e-blocking
  • /test pull-cluster-api-provider-aws-e2e-clusterclass
  • /test pull-cluster-api-provider-aws-e2e-conformance
  • /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
  • /test pull-cluster-api-provider-aws-e2e-eks
  • /test pull-cluster-api-provider-aws-e2e-eks-gc
  • /test pull-cluster-api-provider-aws-e2e-eks-testing

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-provider-aws-apidiff-main
  • pull-cluster-api-provider-aws-build
  • pull-cluster-api-provider-aws-test
  • pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@richardcase
Copy link
Member

/test pull-cluster-api-provider-aws-e2e
/test pull-cluster-api-provider-aws-e2e-eks

@richardcase
Copy link
Member

@alexander-demicev - could you squash your commits?

@richardcase
Copy link
Member

e2e test passed.

Fix setting additional ingress rules for CP

Update documentation with CP ingress rules
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 19, 2023
Copy link

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems there's possibly an unresolved comment in the documentation added within the PR, is that resolved now? Otherwise LGTM

@@ -760,7 +779,7 @@ func TestAdditionalControlPlaneSecurityGroup(t *testing.T) {
t.Fatalf("Expected to port %d, got %d", tc.expectedAdditionalIngresRule.ToPort, r.ToPort)
}

if !reflect.DeepEqual(r.SourceSecurityGroupIDs, tc.expectedAdditionalIngresRule.SourceSecurityGroupIDs) {
if !sets.New[string](tc.expectedAdditionalIngresRule.SourceSecurityGroupIDs...).Equal(sets.New[string](tc.expectedAdditionalIngresRule.SourceSecurityGroupIDs...)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

small nit:
why set comparison and not cmp.Equal (if you do not intend to use reflect library)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually no reason :) I just felt like I could use a method provided by "sets" package since we make security groups a set in the controller logic.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok 🙂 just wanted to check if this has added benefit

@Ankitasw
Copy link
Member

/lgtm

cc @richardcase for final approval

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 21, 2023
@richardcase
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 21, 2023
@k8s-ci-robot k8s-ci-robot merged commit b90c18c into kubernetes-sigs:main Sep 21, 2023
3 checks passed
@richardcase
Copy link
Member

/cherrypick release-2.2

@k8s-infra-cherrypick-robot

@richardcase: #4359 failed to apply on top of branch "release-2.2":

Applying: Add additional ingress rules for CP to API
Using index info to reconstruct a base tree...
M	api/v1beta1/awscluster_conversion.go
M	api/v1beta1/conversion.go
M	api/v1beta1/zz_generated.conversion.go
M	api/v1beta2/awscluster_webhook.go
M	api/v1beta2/awscluster_webhook_test.go
M	api/v1beta2/network_types.go
M	api/v1beta2/zz_generated.deepcopy.go
M	config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
M	config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
M	config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
Falling back to patching base and 3-way merge...
Auto-merging config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
Auto-merging config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
Auto-merging config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
Auto-merging api/v1beta2/zz_generated.deepcopy.go
Auto-merging api/v1beta2/network_types.go
Auto-merging api/v1beta2/awscluster_webhook_test.go
CONFLICT (content): Merge conflict in api/v1beta2/awscluster_webhook_test.go
Auto-merging api/v1beta2/awscluster_webhook.go
CONFLICT (content): Merge conflict in api/v1beta2/awscluster_webhook.go
Auto-merging api/v1beta1/zz_generated.conversion.go
Auto-merging api/v1beta1/conversion.go
CONFLICT (content): Merge conflict in api/v1beta1/conversion.go
Auto-merging api/v1beta1/awscluster_conversion.go
CONFLICT (content): Merge conflict in api/v1beta1/awscluster_conversion.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add additional ingress rules for CP to API
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-2.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants