Merge pull request #87 from Chia-Network/trusted-cidrs

Chia-Network · May 31, 2024 · 1e13e42 · 1e13e42
2 parents a25a4cf + 3890915
commit 1e13e42
Show file tree

Hide file tree

Showing 10 changed files with 94 additions and 2 deletions.
diff --git a/api/v1/chianode_types.go b/api/v1/chianode_types.go
@@ -24,6 +24,11 @@ type ChiaNodeSpec struct {
 // ChiaNodeSpecChia defines the desired state of Chia component configuration
 type ChiaNodeSpecChia struct {
 	CommonSpecChia `json:",inline"`
+
+	// TrustedCIDRs is a list of CIDRs that this chia component should trust peers from
+	// See: https://docs.chia.net/faq/?_highlight=trust#what-are-trusted-peers-and-how-do-i-add-them
+	// +optional
+	TrustedCIDRs *[]string `json:"trustedCIDRs,omitempty"`
 }
 
 // ChiaNodeStatus defines the observed state of ChiaNode

diff --git a/api/v1/chianode_types_test.go b/api/v1/chianode_types_test.go
@@ -33,6 +33,9 @@ spec:
     dnsIntroducerAddress: dns-introducer.svc.cluster.local
     timezone: "UTC"
     logLevel: "INFO"
+    trustedCIDRs:
+      - "192.168.0.0/16"
+      - "10.0.0.0/8"
   chiaExporter:
     enabled: true
     serviceLabels:
@@ -48,6 +51,10 @@ spec:
 		introducerAddress           = "introducer.svc.cluster.local"
 		dnsIntroducerAddress        = "dns-introducer.svc.cluster.local"
 	)
+	expectCIDRs := []string{
+		"192.168.0.0/16",
+		"10.0.0.0/8",
+	}
 	expect := ChiaNode{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "k8s.chia.net/v1",
@@ -74,6 +81,7 @@ spec:
 					Timezone:             &timezone,
 					LogLevel:             &logLevel,
 				},
+				TrustedCIDRs: &expectCIDRs,
 			},
 			CommonSpec: CommonSpec{
 				ChiaExporterConfig: SpecChiaExporter{

diff --git a/api/v1/chiawallet_types.go b/api/v1/chiawallet_types.go
@@ -27,6 +27,11 @@ type ChiaWalletSpecChia struct {
 	// In Kubernetes this is likely to be <node service name>.<namespace>.svc.cluster.local:8555
 	// +optional
 	FullNodePeer string `json:"fullNodePeer,omitempty"`
+
+	// TrustedCIDRs is a list of CIDRs that this chia component should trust peers from
+	// See: https://docs.chia.net/faq/?_highlight=trust#what-are-trusted-peers-and-how-do-i-add-them
+	// +optional
+	TrustedCIDRs *[]string `json:"trustedCIDRs,omitempty"`
 }
 
 // ChiaWalletStatus defines the observed state of ChiaWallet

diff --git a/api/v1/chiawallet_types_test.go b/api/v1/chiawallet_types_test.go
@@ -37,6 +37,9 @@ spec:
     secretKey:
       name: "chiakey-secret"
       key: "key.txt"
+    trustedCIDRs:
+      - "192.168.0.0/16"
+      - "10.0.0.0/8"
   chiaExporter:
     enabled: true
     serviceLabels:
@@ -52,6 +55,10 @@ spec:
 		introducerAddress           = "introducer.svc.cluster.local"
 		dnsIntroducerAddress        = "dns-introducer.svc.cluster.local"
 	)
+	expectCIDRs := []string{
+		"192.168.0.0/16",
+		"10.0.0.0/8",
+	}
 	expect := ChiaWallet{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "k8s.chia.net/v1",
@@ -83,6 +90,7 @@ spec:
 					Name: "chiakey-secret",
 					Key:  "key.txt",
 				},
+				TrustedCIDRs: &expectCIDRs,
 			},
 			CommonSpec: CommonSpec{
 				ChiaExporterConfig: SpecChiaExporter{

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/k8s.chia.net_chianodes.yaml b/config/crd/bases/k8s.chia.net_chianodes.yaml
@@ -794,6 +794,13 @@ spec:
                     description: Timezone can be set to your local timezone for accurate
                       timestamps. Defaults to UTC
                     type: string
+                  trustedCIDRs:
+                    description: |-
+                      TrustedCIDRs is a list of CIDRs that this chia component should trust peers from
+                      See: https://docs.chia.net/faq/?_highlight=trust#what-are-trusted-peers-and-how-do-i-add-them
+                    items:
+                      type: string
+                    type: array
                 required:
                 - caSecretName
                 type: object

diff --git a/config/crd/bases/k8s.chia.net_chiawallets.yaml b/config/crd/bases/k8s.chia.net_chiawallets.yaml
@@ -814,6 +814,13 @@ spec:
                     description: Timezone can be set to your local timezone for accurate
                       timestamps. Defaults to UTC
                     type: string
+                  trustedCIDRs:
+                    description: |-
+                      TrustedCIDRs is a list of CIDRs that this chia component should trust peers from
+                      See: https://docs.chia.net/faq/?_highlight=trust#what-are-trusted-peers-and-how-do-i-add-them
+                    items:
+                      type: string
+                    type: array
                 required:
                 - caSecretName
                 - secretKey

diff --git a/internal/controller/chianode/helpers.go b/internal/controller/chianode/helpers.go
@@ -6,6 +6,9 @@ package chianode
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
@@ -101,6 +104,7 @@ func (r *ChiaNodeReconciler) getChiaVolumeMounts(ctx context.Context, node k8sch
 
 // getChiaNodeEnv retrieves the environment variables from the Chia config struct
 func (r *ChiaNodeReconciler) getChiaNodeEnv(ctx context.Context, node k8schianetv1.ChiaNode) []corev1.EnvVar {
+	logr := log.FromContext(ctx)
 	var env []corev1.EnvVar
 
 	// service env var
@@ -167,6 +171,20 @@ func (r *ChiaNodeReconciler) getChiaNodeEnv(ctx context.Context, node k8schianet
 		})
 	}
 
+	// trusted_cidrs env var
+	if node.Spec.ChiaConfig.TrustedCIDRs != nil {
+		// TODO should any special CIDR input checking happen here
+		cidrs, err := json.Marshal(*node.Spec.ChiaConfig.TrustedCIDRs)
+		if err != nil {
+			logr.Error(err, fmt.Sprintf("ChiaNodeReconciler ChiaNode=%s given CIDRs could not be marshalled to json. Peer connections that you would expect to be trusted might not be trusted.", node.Name))
+		} else {
+			env = append(env, corev1.EnvVar{
+				Name:  "trusted_cidrs",
+				Value: string(cidrs),
+			})
+		}
+	}
+
 	// TZ env var
 	if node.Spec.ChiaConfig.Timezone != nil {
 		env = append(env, corev1.EnvVar{

diff --git a/internal/controller/chiaseeder/helpers.go b/internal/controller/chiaseeder/helpers.go
@@ -7,10 +7,9 @@ package chiaseeder
 import (
 	"context"
 	"fmt"
-	"strconv"
-
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"strconv"
 
 	k8schianetv1 "github.com/chia-network/chia-operator/api/v1"
 	"github.com/chia-network/chia-operator/internal/controller/common/consts"

diff --git a/internal/controller/chiawallet/helpers.go b/internal/controller/chiawallet/helpers.go
@@ -6,7 +6,9 @@ package chiawallet
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
@@ -85,6 +87,7 @@ func (r *ChiaWalletReconciler) getChiaVolumes(ctx context.Context, wallet k8schi
 
 // getChiaEnv retrieves the environment variables from the Chia config struct
 func (r *ChiaWalletReconciler) getChiaEnv(ctx context.Context, wallet k8schianetv1.ChiaWallet) []corev1.EnvVar {
+	logr := log.FromContext(ctx)
 	var env []corev1.EnvVar
 
 	// service env var
@@ -145,6 +148,20 @@ func (r *ChiaWalletReconciler) getChiaEnv(ctx context.Context, wallet k8schianet
 		})
 	}
 
+	// trusted_cidrs env var
+	if wallet.Spec.ChiaConfig.TrustedCIDRs != nil {
+		// TODO should any special CIDR input checking happen here
+		cidrs, err := json.Marshal(*wallet.Spec.ChiaConfig.TrustedCIDRs)
+		if err != nil {
+			logr.Error(err, fmt.Sprintf("ChiaWalletReconciler ChiaWallet=%s given CIDRs could not be marshalled to json. Peer connections that you would expect to be trusted might not be trusted.", wallet.Name))
+		} else {
+			env = append(env, corev1.EnvVar{
+				Name:  "trusted_cidrs",
+				Value: string(cidrs),
+			})
+		}
+	}
+
 	// TZ env var
 	if wallet.Spec.ChiaConfig.Timezone != nil {
 		env = append(env, corev1.EnvVar{