From 14c8d6fae12f5ed26c30ae7afb55cbe0b7a97286 Mon Sep 17 00:00:00 2001
From: Vladislav Byrgazov
Date: Fri, 11 Oct 2024 13:24:18 +0500
Subject: [PATCH 1/5] Handled IPAM policy properly to fully support strict IPAM
Signed-off-by: Vladislav Byrgazov
---
main.go | 40 +++++++++++++++++++---------------------
1 file changed, 19 insertions(+), 21 deletions(-)
diff --git a/main.go b/main.go
index 33e79e1..dd75008 100644
--- a/main.go
+++ b/main.go
@@ -34,7 +34,6 @@ import (
"os"
"os/signal"
"path/filepath"
- "strings"
"sync/atomic"
"syscall"
"time"
@@ -67,7 +66,6 @@ import (
"github.com/networkservicemesh/sdk/pkg/networkservice/common/policyroute"
"github.com/networkservicemesh/sdk/pkg/networkservice/connectioncontext/dnscontext"
"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/groupipam"
- "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/strictipam"
registryclient "github.com/networkservicemesh/sdk/pkg/registry/chains/client"
registryauthorize "github.com/networkservicemesh/sdk/pkg/registry/common/authorize"
@@ -94,7 +92,7 @@ type Config struct {
ConnectTo url.URL `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to" split_words:"true"`
MaxTokenLifetime time.Duration `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
RegistryClientPolicies []string `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego" desc:"paths to files and directories that contain registry client policies" split_words:"true"`
- IPAMPolicy ipamPolicyFunc `default:"polite" desc:"defines NSE's IPAM Policy. Possible values: polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR." split_words:"true"`
+ IPAMPolicy string `default:"polite" desc:"defines NSE's IPAM Policy. Possible values: polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR." split_words:"true"`
ServiceNames []string `default:"icmp-responder" desc:"Name of provided services" split_words:"true"`
Payload string `default:"ETHERNET" desc:"Name of provided service payload" split_words:"true"`
Labels map[string]string `default:"" desc:"Endpoint labels"`
@@ -111,23 +109,6 @@ type Config struct {
PprofListenOn string `default:"localhost:6060" desc:"pprof URL to ListenAndServe" split_words:"true"`
}
-type ipamPolicyFunc func(...*net.IPNet) networkservice.NetworkServiceServer
-
-// Decode takes a string IPAM Policy and returns the IPAM Policy func
-func (f *ipamPolicyFunc) Decode(policy string) error {
- switch strings.ToLower(policy) {
- case "strict":
- *f = func(prefixes ...*net.IPNet) networkservice.NetworkServiceServer {
- return strictipam.NewServer(point2pointipam.NewServer, prefixes...)
- }
- return nil
- case "polite":
- *f = point2pointipam.NewServer
- return nil
- }
- return errors.Errorf("not a valid IPAM Policy: %s", policy)
-}
-
// Process prints and processes env to config
func (c *Config) Process() error {
if err := envconfig.Usage("nsm", c); err != nil {
@@ -239,13 +220,30 @@ func main() {
tokenServer := getSriovTokenServerChainElement(ctx)
+ ipnetList := []*net.IPNet{}
+ for _, group := range config.CidrPrefix {
+ ipnetList = append(ipnetList, group...)
+ }
+ var IPAMServer networkservice.NetworkServiceServer
+
+ switch config.IPAMPolicy {
+ case "strict":
+ IPAMServer = strictipam.NewServer(func(i ...*net.IPNet) networkservice.NetworkServiceServer {
+ return groupipam.NewServer(config.CidrPrefix)
+ }, ipnetList...)
+ case "polite":
+ IPAMServer = groupipam.NewServer(config.CidrPrefix)
+ default:
+ logrus.Fatalf("not a valid IPAM Policy: %s", config.IPAMPolicy)
+ }
+
responderEndpoint := endpoint.NewServer(ctx,
spiffejwt.TokenGeneratorFunc(source, config.MaxTokenLifetime),
endpoint.WithName(config.Name),
endpoint.WithAuthorizeServer(authorize.NewServer()),
endpoint.WithAdditionalFunctionality(
onidle.NewServer(ctx, cancel, config.IdleTimeout),
- groupipam.NewServer(config.CidrPrefix, groupipam.WithCustomIPAMServer(config.IPAMPolicy)),
+ IPAMServer,
policyroute.NewServer(newPolicyRoutesGetter(ctx, config.PBRConfigPath).Get),
mechanisms.NewServer(map[string]networkservice.NetworkServiceServer{
kernelmech.MECHANISM: kernel.NewServer(),
From f681e86a5097d2268693125bcf1daf51e8d9dcfd Mon Sep 17 00:00:00 2001
From: Vladislav Byrgazov
Date: Fri, 11 Oct 2024 13:33:11 +0500
Subject: [PATCH 2/5] Fix linter
Signed-off-by: Vladislav Byrgazov
---
.golangci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.golangci.yml b/.golangci.yml
index f5746a1..4724b4f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -37,7 +37,7 @@ linters-settings:
threshold: 150
funlen:
Lines: 175
- Statements: 90
+ Statements: 100
goconst:
min-len: 2
min-occurrences: 2
From e95da0d4176ff4a8452314ecbbbbbbcba76bcdec Mon Sep 17 00:00:00 2001
From: Vladislav Byrgazov
Date: Fri, 11 Oct 2024 13:49:56 +0500
Subject: [PATCH 3/5] Fix gogenerate
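Review bot: The new `switch config.IPAMPolicy` in main compares the raw string, so a value such as `Strict` now falls into the `default` branch and `logrus.Fatalf`, whereas the `Decode` method this patch removes lower-cased the value first; the validation has also moved from config processing into the middle of `main`, after the token server and other setup are already built. PATCH 4 in this series moves the selection back into a `Decode` that uses `strings.ToLower`, so the two patches should be read together. Independently of that, the local `IPAMServer` should follow Go naming for locals, `ipamServer`, and the inner constructor handed to `strictipam.NewServer` ignores its parameter, which is clearer as `func(_ ...*net.IPNet) networkservice.NetworkServiceServer {` with a comment that the grouped `config.CidrPrefix` is used instead of the flattened list. main's body starts and ends outside the hunk.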
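Review bot: Raising `funlen` `Statements` from 90 to 100 only accommodates the IPAM selection block that PATCH 1 of this series adds to `main`; PATCH 4 moves that block back into `Decode`, so the bump is presumably no longer needed and would let `main` keep growing unnoticed. Consider restoring `Statements: 90` once the series is squashed, or extracting the remaining oversized part of `main` into a helper instead of relaxing the limit.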
Signed-off-by: Vladislav Byrgazov
---
internal/pkg/imports/imports_linux.go | 2 --
1 file changed, 2 deletions(-)
diff --git a/internal/pkg/imports/imports_linux.go b/internal/pkg/imports/imports_linux.go
index 1c9204c..885a35f 100644
--- a/internal/pkg/imports/imports_linux.go
+++ b/internal/pkg/imports/imports_linux.go
@@ -25,7 +25,6 @@ import (
_ "github.com/networkservicemesh/sdk/pkg/networkservice/common/policyroute"
_ "github.com/networkservicemesh/sdk/pkg/networkservice/connectioncontext/dnscontext"
_ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/groupipam"
- _ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
_ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/strictipam"
_ "github.com/networkservicemesh/sdk/pkg/registry/chains/client"
_ "github.com/networkservicemesh/sdk/pkg/registry/common/authorize"
@@ -71,7 +70,6 @@ import (
_ "os"
_ "os/signal"
_ "path/filepath"
- _ "strings"
_ "sync/atomic"
_ "syscall"
_ "testing"
From 300690b0c1817395b70d77ee30fe1458cc0ecd78 Mon Sep 17 00:00:00 2001
From: Vladislav Byrgazov
Date: Thu, 17 Oct 2024 10:31:53 +0500
Subject: [PATCH 4/5] Fix review comments
Signed-off-by: Vladislav Byrgazov
---
main.go | 48 +++++++++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 19 deletions(-)
diff --git a/main.go b/main.go
index dd75008..9aaacda 100644
--- a/main.go
+++ b/main.go
@@ -34,6 +34,7 @@ import (
"os"
"os/signal"
"path/filepath"
+ "strings"
"sync/atomic"
"syscall"
"time"
@@ -92,7 +93,7 @@ type Config struct {
ConnectTo url.URL `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to" split_words:"true"`
MaxTokenLifetime time.Duration `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
RegistryClientPolicies []string `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego" desc:"paths to files and directories that contain registry client policies" split_words:"true"`
- IPAMPolicy string `default:"polite" desc:"defines NSE's IPAM Policy. Possible values: polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR." split_words:"true"`
+ IPAMPolicy ipamPolicyFunc `default:"polite" desc:"defines NSE's IPAM Policy. Possible values: polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR." split_words:"true"`
ServiceNames []string `default:"icmp-responder" desc:"Name of provided services" split_words:"true"`
Payload string `default:"ETHERNET" desc:"Name of provided service payload" split_words:"true"`
Labels map[string]string `default:"" desc:"Endpoint labels"`
@@ -109,6 +110,32 @@ type Config struct {
PprofListenOn string `default:"localhost:6060" desc:"pprof URL to ListenAndServe" split_words:"true"`
}
+type ipamPolicyFunc func([][]*net.IPNet) networkservice.NetworkServiceServer
+
+// Decode takes a string IPAM Policy and returns the IPAM Policy func
+func (f *ipamPolicyFunc) Decode(policy string) error {
+ switch strings.ToLower(policy) {
+ case "strict":
+ *f = func(cidrPrefix [][]*net.IPNet) networkservice.NetworkServiceServer {
+ var ipnetList []*net.IPNet
+ for _, group := range cidrPrefix {
+ ipnetList = append(ipnetList, group...)
+ }
+ return strictipam.NewServer(func(i ...*net.IPNet) networkservice.NetworkServiceServer {
+ return groupipam.NewServer(cidrPrefix)
+ }, ipnetList...)
+ }
+ return nil
+ case "polite":
+ *f = func(cidrPrefix [][]*net.IPNet) networkservice.NetworkServiceServer {
+ return groupipam.NewServer(cidrPrefix)
+ }
+ return nil
+ default:
+ return errors.Errorf("not a valid IPAM Policy: %s", policy)
+ }
+}
+
// Process prints and processes env to config
func (c *Config) Process() error {
if err := envconfig.Usage("nsm", c); err != nil {
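Review bot: In the `strict` branch the constructor closure handed to `strictipam.NewServer` ignores its `i ...*net.IPNet` parameter and builds `groupipam.NewServer(cidrPrefix)` from the captured groups; that looks intentional (strictipam gets the flattened prefixes for its check, groupipam still needs the groups), but nothing in the code says so. Name the ignored parameter `_` and put a comment above the call, e.g. `// strictipam checks client addresses against the flattened prefixes; groupipam below still allocates per prefix group`. The type `ipamPolicyFunc` also has no doc comment now that its argument changed from variadic prefixes to `[][]*net.IPNet`; something like `// ipamPolicyFunc builds the IPAM chain element from the configured CIDR prefix groups.` would help. How `strictipam.NewServer` behaves when `ipnetList` is empty (no CidrPrefix configured) cannot be judged from this hunk and is worth confirming.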
@@ -220,30 +247,13 @@ func main() {
tokenServer := getSriovTokenServerChainElement(ctx)
- ipnetList := []*net.IPNet{}
- for _, group := range config.CidrPrefix {
- ipnetList = append(ipnetList, group...)
- }
- var IPAMServer networkservice.NetworkServiceServer
-
- switch config.IPAMPolicy {
- case "strict":
- IPAMServer = strictipam.NewServer(func(i ...*net.IPNet) networkservice.NetworkServiceServer {
- return groupipam.NewServer(config.CidrPrefix)
- }, ipnetList...)
- case "polite":
- IPAMServer = groupipam.NewServer(config.CidrPrefix)
- default:
- logrus.Fatalf("not a valid IPAM Policy: %s", config.IPAMPolicy)
- }
-
responderEndpoint := endpoint.NewServer(ctx,
spiffejwt.TokenGeneratorFunc(source, config.MaxTokenLifetime),
endpoint.WithName(config.Name),
endpoint.WithAuthorizeServer(authorize.NewServer()),
endpoint.WithAdditionalFunctionality(
onidle.NewServer(ctx, cancel, config.IdleTimeout),
- IPAMServer,
+ config.IPAMPolicy(config.CidrPrefix),
policyroute.NewServer(newPolicyRoutesGetter(ctx, config.PBRConfigPath).Get),
mechanisms.NewServer(map[string]networkservice.NetworkServiceServer{
kernelmech.MECHANISM: kernel.NewServer(),
From 0f4b5b0681bb1ed840986412ff4f2c630fb0d5ca Mon Sep 17 00:00:00 2001
From: Vladislav Byrgazov
Date: Thu, 17 Oct 2024 14:28:02 +0500
Subject: [PATCH 5/5] Fix gogenerate linter error
Signed-off-by: Vladislav Byrgazov
---
internal/pkg/imports/imports_linux.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/internal/pkg/imports/imports_linux.go b/internal/pkg/imports/imports_linux.go
index 885a35f..2b6974d 100644
--- a/internal/pkg/imports/imports_linux.go
+++ b/internal/pkg/imports/imports_linux.go
@@ -70,6 +70,7 @@ import (
_ "os"
_ "os/signal"
_ "path/filepath"
+ _ "strings"
_ "sync/atomic"
_ "syscall"
_ "testing"