From 2814f51df0873406062028498718e86f05181170 Mon Sep 17 00:00:00 2001 From: Jayesh Srivastava Date: Tue, 26 Sep 2023 12:46:34 +0530 Subject: [PATCH] Support CIDR Blocks for NodePortRules (#853) --- api/v1alpha3/types.go | 3 ++ api/v1alpha3/zz_generated.conversion.go | 2 + api/v1alpha3/zz_generated.deepcopy.go | 5 ++ api/v1alpha4/types.go | 3 ++ api/v1alpha4/zz_generated.conversion.go | 2 + api/v1alpha4/zz_generated.deepcopy.go | 5 ++ api/v1beta1/network_types.go | 3 ++ api/v1beta1/zz_generated.deepcopy.go | 5 ++ ...ster.x-k8s.io_awsmanagedcontrolplanes.yaml | 18 +++++++ ...tructure.cluster.x-k8s.io_awsclusters.yaml | 18 +++++++ ....cluster.x-k8s.io_awsclustertemplates.yaml | 12 +++++ pkg/cloud/scope/cluster.go | 5 ++ pkg/cloud/scope/managedcontrolplane.go | 4 ++ pkg/cloud/scope/sg.go | 3 ++ .../services/securitygroup/securitygroups.go | 6 ++- spectro/generated/core-global.yaml | 48 +++++++++++++++++++ 16 files changed, 141 insertions(+), 1 deletion(-) diff --git a/api/v1alpha3/types.go b/api/v1alpha3/types.go index 3e16adb1ee..76115cdfa9 100644 --- a/api/v1alpha3/types.go +++ b/api/v1alpha3/types.go @@ -209,6 +209,9 @@ type NetworkSpec struct { // This is optional - if not provided new security groups will be created for the cluster // +optional SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"` + + // NodePortCIDRBlocks is a set of allowedCIDRBlocks to use for cluster instances + NodePortCIDRBlocks []string `json:"nodePortCIDRBlocks,omitempty"` } // VPCSpec configures an AWS VPC. diff --git a/api/v1alpha3/zz_generated.conversion.go b/api/v1alpha3/zz_generated.conversion.go index 3d1bfc7fad..beb0a92982 100644 --- a/api/v1alpha3/zz_generated.conversion.go +++ b/api/v1alpha3/zz_generated.conversion.go 
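Review bot: The new `NodePortCIDRBlocks` field in the v1alpha3 NetworkSpec hunk carries no `// +optional` marker and no format validation, while the `SecurityGroupOverrides` field directly above it is marked `+optional`; the v1alpha4 and v1beta1 hunks later in this patch add the same field with the same gaps. Because these strings end up as source ranges on a security-group ingress rule, a malformed entry is only rejected by the EC2 API at reconcile time, and the generated CRD schema in this patch constrains them to nothing more than `type: string`. Add `// +optional` and a `// +kubebuilder:validation:Pattern=` marker (or a `net.ParseCIDR` check in the validating webhook) at least on the v1beta1 type, which appears to be the hub version given the conversion functions in this patch. The doc comment should also say what the field controls rather than "allowedCIDRBlocks to use for cluster instances": `// NodePortCIDRBlocks lists the source CIDR blocks permitted to reach the NodePort range (30000-32767) on the node security group; when set it replaces the default 0.0.0.0/0 source.`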
@@ -1908,6 +1908,7 @@ func autoConvert_v1alpha3_NetworkSpec_To_v1beta1_NetworkSpec(in *NetworkSpec, ou out.Subnets = *(*v1beta1.Subnets)(unsafe.Pointer(&in.Subnets)) out.CNI = (*v1beta1.CNISpec)(unsafe.Pointer(in.CNI)) out.SecurityGroupOverrides = *(*map[v1beta1.SecurityGroupRole]string)(unsafe.Pointer(&in.SecurityGroupOverrides)) + out.NodePortCIDRBlocks = *(*[]string)(unsafe.Pointer(&in.NodePortCIDRBlocks)) return nil } @@ -1923,6 +1924,7 @@ func autoConvert_v1beta1_NetworkSpec_To_v1alpha3_NetworkSpec(in *v1beta1.Network out.Subnets = *(*Subnets)(unsafe.Pointer(&in.Subnets)) out.CNI = (*CNISpec)(unsafe.Pointer(in.CNI)) out.SecurityGroupOverrides = *(*map[SecurityGroupRole]string)(unsafe.Pointer(&in.SecurityGroupOverrides)) + out.NodePortCIDRBlocks = *(*[]string)(unsafe.Pointer(&in.NodePortCIDRBlocks)) return nil } diff --git a/api/v1alpha3/zz_generated.deepcopy.go b/api/v1alpha3/zz_generated.deepcopy.go index dac8db2339..c6bf5666db 100644 --- a/api/v1alpha3/zz_generated.deepcopy.go +++ b/api/v1alpha3/zz_generated.deepcopy.go @@ -1218,6 +1218,11 @@ func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { (*out)[key] = val } } + if in.NodePortCIDRBlocks != nil { + in, out := &in.NodePortCIDRBlocks, &out.NodePortCIDRBlocks + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec. diff --git a/api/v1alpha4/types.go b/api/v1alpha4/types.go index 7227dd530d..125f136dbd 100644 --- a/api/v1alpha4/types.go +++ b/api/v1alpha4/types.go @@ -223,6 +223,9 @@ type NetworkSpec struct { // This is optional - if not provided new security groups will be created for the cluster // +optional SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"` + + // NodePortCIDRBlocks is a set of allowedCIDRBlocks to use for cluster instances + NodePortCIDRBlocks []string `json:"nodePortCIDRBlocks,omitempty"` } // VPCSpec configures an AWS VPC. 
diff --git a/api/v1alpha4/zz_generated.conversion.go b/api/v1alpha4/zz_generated.conversion.go index 2781cb58de..a518fbe838 100644 --- a/api/v1alpha4/zz_generated.conversion.go +++ b/api/v1alpha4/zz_generated.conversion.go @@ -2005,6 +2005,7 @@ func autoConvert_v1alpha4_NetworkSpec_To_v1beta1_NetworkSpec(in *NetworkSpec, ou out.Subnets = *(*v1beta1.Subnets)(unsafe.Pointer(&in.Subnets)) out.CNI = (*v1beta1.CNISpec)(unsafe.Pointer(in.CNI)) out.SecurityGroupOverrides = *(*map[v1beta1.SecurityGroupRole]string)(unsafe.Pointer(&in.SecurityGroupOverrides)) + out.NodePortCIDRBlocks = *(*[]string)(unsafe.Pointer(&in.NodePortCIDRBlocks)) return nil } @@ -2020,6 +2021,7 @@ func autoConvert_v1beta1_NetworkSpec_To_v1alpha4_NetworkSpec(in *v1beta1.Network out.Subnets = *(*Subnets)(unsafe.Pointer(&in.Subnets)) out.CNI = (*CNISpec)(unsafe.Pointer(in.CNI)) out.SecurityGroupOverrides = *(*map[SecurityGroupRole]string)(unsafe.Pointer(&in.SecurityGroupOverrides)) + out.NodePortCIDRBlocks = *(*[]string)(unsafe.Pointer(&in.NodePortCIDRBlocks)) return nil } diff --git a/api/v1alpha4/zz_generated.deepcopy.go b/api/v1alpha4/zz_generated.deepcopy.go index 3613241f22..ea1cc206d5 100644 --- a/api/v1alpha4/zz_generated.deepcopy.go +++ b/api/v1alpha4/zz_generated.deepcopy.go @@ -1337,6 +1337,11 @@ func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { (*out)[key] = val } } + if in.NodePortCIDRBlocks != nil { + in, out := &in.NodePortCIDRBlocks, &out.NodePortCIDRBlocks + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec. diff --git a/api/v1beta1/network_types.go b/api/v1beta1/network_types.go index 4a86c5012a..df53a664d7 100644 --- a/api/v1beta1/network_types.go +++ b/api/v1beta1/network_types.go 
@@ -166,6 +166,9 @@ type NetworkSpec struct { // This is optional - if not provided new security groups will be created for the cluster // +optional SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"` + + // NodePortCIDRBlocks is a set of allowedCIDRBlocks to use for cluster instances + NodePortCIDRBlocks []string `json:"nodePortCIDRBlocks,omitempty"` } // VPCSpec configures an AWS VPC. diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 6821ee88e2..2d93c76efc 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1363,6 +1363,11 @@ func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { (*out)[key] = val } } + if in.NodePortCIDRBlocks != nil { + in, out := &in.NodePortCIDRBlocks, &out.NodePortCIDRBlocks + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec. diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml index d2e5a240dc..7f34e34b8f 100644 --- a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml +++ b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml @@ -370,6 +370,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -1386,6 +1392,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string 
@@ -2626,6 +2638,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml index 7f409e22cf..702a8e239c 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml @@ -233,6 +233,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -988,6 +994,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -1840,6 +1852,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml index bf4d04a4ee..1cf73fbf1b 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml 
@@ -225,6 +225,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -658,6 +664,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string diff --git a/pkg/cloud/scope/cluster.go b/pkg/cloud/scope/cluster.go index 3721308e07..40dc09024d 100644 --- a/pkg/cloud/scope/cluster.go +++ b/pkg/cloud/scope/cluster.go @@ -402,3 +402,8 @@ func (s *ClusterScope) ImageLookupOrg() string { func (s *ClusterScope) ImageLookupBaseOS() string { return s.AWSCluster.Spec.ImageLookupBaseOS } + +// NetworkSpec returns cluster network spec. +func (s *ClusterScope) NetworkSpec() *infrav1.NetworkSpec { + return &s.AWSCluster.Spec.NetworkSpec +} diff --git a/pkg/cloud/scope/managedcontrolplane.go b/pkg/cloud/scope/managedcontrolplane.go index f02b1df1e5..00047f66d8 100644 --- a/pkg/cloud/scope/managedcontrolplane.go +++ b/pkg/cloud/scope/managedcontrolplane.go @@ -429,3 +429,7 @@ func (s *ManagedControlPlaneScope) ServiceCidrs() *clusterv1.NetworkRanges { return nil } + +func (s *ManagedControlPlaneScope) NetworkSpec() *infrav1.NetworkSpec { + return &s.ControlPlane.Spec.NetworkSpec +} diff --git a/pkg/cloud/scope/sg.go b/pkg/cloud/scope/sg.go index d89bfbd6b0..f388e842da 100644 --- a/pkg/cloud/scope/sg.go +++ b/pkg/cloud/scope/sg.go @@ -51,4 +51,7 @@ type SGScope interface { // GetNatGatewaysIPs gets the Nat Gateways Public IPs. GetNatGatewaysIPs() []string + + // NetworkSpec returns cluster network spec. + NetworkSpec() *infrav1.NetworkSpec } 
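Review bot: The exported `NetworkSpec` method added to `ManagedControlPlaneScope` has no doc comment, unlike its `ClusterScope` twin and the `SGScope` interface method added in the same commit, so the project's linters will flag it; add `// NetworkSpec returns the control plane network spec.` above the `func` line. Both scope methods return a pointer into the live object's Spec, so any implementer of `SGScope.NetworkSpec()` hands callers a mutable view of the spec that the scope presumably patches back later; the new caller in securitygroups.go only reads it, but a sentence on the interface method in sg.go such as `// The returned spec must be treated as read-only.` would make that contract explicit.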
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
index be19420cfa..7372241e1a 100644
--- a/pkg/cloud/services/securitygroup/securitygroups.go
+++ b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -471,6 +471,10 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 }
 }
 cidrBlocks := []string{services.AnyIPv4CidrBlock}
+ // If nodePortCIDRBlocks are available use them instead of 0.0.0.0/0
+ if len(s.scope.NetworkSpec().NodePortCIDRBlocks) != 0 {
+ cidrBlocks = s.scope.NetworkSpec().NodePortCIDRBlocks
+ }
 switch role {
 case infrav1.SecurityGroupBastion:
 return infrav1.IngressRules{
@@ -551,7 +555,7 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 case infrav1.SecurityGroupNode:
 rules := infrav1.IngressRules{
 {
- Description: "Node Port Services",
+ Description: "Node Port CIDR Blocks",
 Protocol: infrav1.SecurityGroupProtocolTCP,
 FromPort: 30000,
 ToPort: 32767,
diff --git a/spectro/generated/core-global.yaml b/spectro/generated/core-global.yaml
index 85ed00521a..ec22856eec 100644
--- a/spectro/generated/core-global.yaml
+++ b/spectro/generated/core-global.yaml
@@ -1053,6 +1053,12 @@ spec:
 type: object
 type: array
 type: object
+ nodePortCIDRBlocks:
+ description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
+ to use for cluster instances
+ items:
+ type: string
+ type: array
 securityGroupOverrides:
 additionalProperties:
 type: string
@@ -1808,6 +1814,12 @@ spec:
 type: object
 type: array
 type: object
+ nodePortCIDRBlocks:
+ description: NodePortCIDRBlocks is a set of allowedCIDRBlocks
+ to use for cluster instances
+ items:
+ type: string
+ type: array
 securityGroupOverrides:
 additionalProperties:
 type: string
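Review bot: The NodePortCIDRBlocks override is assigned to the shared `cidrBlocks` variable before `switch role`, so it narrows every rule in this function that reads `cidrBlocks`, not only the NodePort rule the field's name promises; the bastion branch that starts right below the added lines is the visible example, and any other branch in the unchanged remainder of getSecurityGroupIngressRules that uses the variable is affected the same way. That is a silent policy change: a user who sets the field to the subnets that should reach NodePort services may find other ingress rules on the same cluster reduced to that list as well, with nothing in the field's documentation saying so. Keep `cidrBlocks` untouched, introduce a `nodePortCidrBlocks` that only the Node rule consumes, and use it on that rule's `CidrBlocks:` field, which sits just after the `ToPort: 32767,` line outside the second hunk. The description rename in that hunk (`Node Port Services` to `Node Port CIDR Blocks`) is also worth reconsidering: if rule equality on reconcile includes Description, existing clusters will see the rule as changed on upgrade, and the old text described the service rather than the source. The body of getSecurityGroupIngressRules continues outside both hunks.
```go
	cidrBlocks := []string{services.AnyIPv4CidrBlock}
	// Only the NodePort rule is narrowed; bastion and every other rule keep the default source.
	nodePortCidrBlocks := cidrBlocks
	if blocks := s.scope.NetworkSpec().NodePortCIDRBlocks; len(blocks) != 0 {
		nodePortCidrBlocks = blocks
	}
	// … unchanged: switch role, bastion and control-plane branches …
	// in the SecurityGroupNode rule, on the line after ToPort: 32767 (outside this hunk):
	CidrBlocks: nodePortCidrBlocks,
```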
@@ -2660,6 +2672,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -3866,6 +3884,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -4299,6 +4323,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -9398,6 +9428,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -10414,6 +10450,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string @@ -11654,6 +11696,12 @@ spec: type: object type: array type: object + nodePortCIDRBlocks: + description: NodePortCIDRBlocks is a set of allowedCIDRBlocks + to use for cluster instances + items: + type: string + type: array securityGroupOverrides: additionalProperties: type: string