Support client IP filtering through loadBalancerSourceRanges in case istioingress #835

Merged
merged 6 commits into from
Jul 15, 2022
Changes from 3 commits
21 changes: 19 additions & 2 deletions api/v1beta1/kafkacluster_types.go
Expand Up @@ -280,8 +280,13 @@ type EnvoyConfig struct {
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
// Annotations defines the annotations placed on the envoy ingress controller deployment
Annotations map[string]string `json:"annotations,omitempty"`
LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
// If specified and supported by the platform, traffic through the
// cloud-provider load-balancer will be restricted to the specified client
// IPs. This field will be ignored if the
// cloud-provider does not support the feature."
// More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
// LoadBalancerIP can be used to specify an exact IP for the LoadBalancer service
LoadBalancerIP string `json:"loadBalancerIP,omitempty"`
// Envoy admin port
Expand Down Expand Up @@ -318,6 +323,13 @@ type IstioIngressConfig struct {
VirtualServiceAnnotations map[string]string `json:"virtualServiceAnnotations,omitempty"`
// Envs allows to add additional env vars to the istio meshgateway resource
Envs []corev1.EnvVar `json:"envs,omitempty"`
// If specified and supported by the platform, traffic through the
// cloud-provider load-balancer will be restricted to the specified client
// IPs. This field will be ignored if the
// cloud-provider does not support the feature."
// More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
// +optional
LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
}

func (iIConfig *IstioIngressConfig) GetAnnotations() map[string]string {
Expand All @@ -329,6 +341,11 @@ func (iIConfig *IstioIngressConfig) GetVirtualServiceAnnotations() map[string]st
return util.CloneMap(iIConfig.VirtualServiceAnnotations)
}

// GetLoadBalancerSourceRanges returns LoadBalancerSourceRanges to use for Istio Meshagetway generated LoadBalancer
func (iIConfig *IstioIngressConfig) GetLoadBalancerSourceRanges() []string {
return iIConfig.LoadBalancerSourceRanges
}

// MonitoringConfig defines the config for monitoring Kafka and Cruise Control
type MonitoringConfig struct {
JmxImage string `json:"jmxImage,omitempty"`
Expand Down
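Review bot: `GetLoadBalancerSourceRanges` hands back the spec's own slice, unlike the neighbouring getters that return `util.CloneMap(...)`, so a caller that appends to or sorts the result would mutate the CR spec in place; return a copy instead, e.g. `return append([]string(nil), iIConfig.LoadBalancerSourceRanges...)`. The doc comments on both new fields end with a stray closing quote (`feature."`) and the getter comment misspells "Meshgateway" as "Meshagetway". The descriptions in the two regenerated CRD files read "this will restrict traffic through the cloud-provider load-balancer will be restricted to", which is not what this comment says, so the manifests appear to predate the comment fix and need regenerating. Because an unsupported provider silently ignores the field, the restriction fails open; I would add to both field comments: `// NOTE: provider-dependent and fail-open — when ignored, the listener is reachable from any source; keep TLS/SASL on the listener itself rather than relying on this as the only access control.`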
5 changes: 5 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


32 changes: 32 additions & 0 deletions charts/kafka-operator/templates/crds.yaml
Expand Up @@ -16428,6 +16428,11 @@ spec:
for the LoadBalancer service
type: string
loadBalancerSourceRanges:
description: 'If specified and supported by the platform, this
will restrict traffic through the cloud-provider load-balancer
will be restricted to the specified client IPs. This field will
be ignored if the cloud-provider does not support the feature."
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
Expand Down Expand Up @@ -16985,6 +16990,15 @@ spec:
type: string
type: array
type: object
loadBalancerSourceRanges:
description: 'If specified and supported by the platform, this
will restrict traffic through the cloud-provider load-balancer
will be restricted to the specified client IPs. This field will
be ignored if the cloud-provider does not support the feature."
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
nodeSelector:
additionalProperties:
type: string
Expand Down Expand Up @@ -18400,6 +18414,13 @@ spec:
service
type: string
loadBalancerSourceRanges:
description: 'If specified and supported by
the platform, this will restrict traffic
through the cloud-provider load-balancer
will be restricted to the specified client
IPs. This field will be ignored if the cloud-provider
does not support the feature." More info:
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
Expand Down Expand Up @@ -18960,6 +18981,17 @@ spec:
type: string
type: array
type: object
loadBalancerSourceRanges:
description: 'If specified and supported by
the platform, this will restrict traffic
through the cloud-provider load-balancer
will be restricted to the specified client
IPs. This field will be ignored if the cloud-provider
does not support the feature." More info:
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
nodeSelector:
additionalProperties:
type: string
Expand Down
32 changes: 32 additions & 0 deletions config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml
Expand Up @@ -16427,6 +16427,11 @@ spec:
for the LoadBalancer service
type: string
loadBalancerSourceRanges:
description: 'If specified and supported by the platform, this
will restrict traffic through the cloud-provider load-balancer
will be restricted to the specified client IPs. This field will
be ignored if the cloud-provider does not support the feature."
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
Expand Down Expand Up @@ -16984,6 +16989,15 @@ spec:
type: string
type: array
type: object
loadBalancerSourceRanges:
description: 'If specified and supported by the platform, this
will restrict traffic through the cloud-provider load-balancer
will be restricted to the specified client IPs. This field will
be ignored if the cloud-provider does not support the feature."
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
nodeSelector:
additionalProperties:
type: string
Expand Down Expand Up @@ -18399,6 +18413,13 @@ spec:
service
type: string
loadBalancerSourceRanges:
description: 'If specified and supported by
the platform, this will restrict traffic
through the cloud-provider load-balancer
will be restricted to the specified client
IPs. This field will be ignored if the cloud-provider
does not support the feature." More info:
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
Expand Down Expand Up @@ -18959,6 +18980,17 @@ spec:
type: string
type: array
type: object
loadBalancerSourceRanges:
description: 'If specified and supported by
the platform, this will restrict traffic
through the cloud-provider load-balancer
will be restricted to the specified client
IPs. This field will be ignored if the cloud-provider
does not support the feature." More info:
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/'
items:
type: string
type: array
nodeSelector:
additionalProperties:
type: string
Expand Down
52 changes: 42 additions & 10 deletions config/samples/banzaicloud_v1beta1_kafkacluster.yaml
Expand Up @@ -22,28 +22,35 @@ spec:
labels:
- "failure-domain.beta.kubernetes.io/region"
- "failure-domain.beta.kubernetes.io/zone"

# oneBrokerPerNode if set to true every broker is started on a new node, if there is not enough node to do that
# it will stay in pending state. If set to false the operator also tries to schedule the brokers to a unique node
# but if the node number is insufficient the brokers will be scheduled to a node where a broker is already running.
oneBrokerPerNode: false

# Specify the Kafka Broker related settings
# clusterImage can specify the whole kafkacluster image in one place
#clusterImage: "ghcr.io/banzaicloud/kafka:2.13-3.1.0
# readOnlyConfig specifies the read-only type kafka config cluster wide, all these will be merged with broker specified
# readOnly configurations, so it can be overwritten per broker.

#clusterWideConfig specifies the cluster-wide kafka config cluster wide, all these can be overridden per-broker
#clusterWideConfig: |
# background.threads=10

# readOnlyConfig specifies the read-only type kafka config cluster wide, all these will be merged with broker specified
# readOnly configurations, so it can be overwritten per broker.
#readOnlyConfig: |
# auto.create.topics.enable=false
# brokerConfigGroups specifies multiple broker configs with unique name

#rollingUpgradeConfig specifies the rolling upgrade config for the cluster
#rollingUpgradeConfig:
#failureThreshold controls how many failures the cluster can tolerate during a rolling upgrade. Once the number of

# failureThreshold controls how many failures the cluster can tolerate during a rolling upgrade. Once the number of
# failures reaches this threshold a rolling upgrade flow stops. The number of failures is computed as the sum of
# distinct broker replicas with either offline replicas or out of sync replicas and the number of alerts triggered by
# alerts with 'rollingupgrade'
# failureThreshold: 1

# brokerConfigGroups specifies multiple broker configs with unique name
brokerConfigGroups:
# Specify desired group name (eg., 'default_group')
default_group:
Expand Down Expand Up @@ -204,20 +211,24 @@ spec:
# In case of external listeners using NodePort access method the broker instead of node public IP (see "brokerConfig.nodePortExternalIP")
# is advertised on the address having the following format: <kafka-cluster-name>-<broker-id>.<namespace><value-specified-in-hostnameOverride-field>
# hostnameOverride:

# ServiceAnnotations defines annotations which will
# be placed to the service or services created for the external listener
# serviceAnnotations:

# externalTrafficPolicy denotes if this Service desires to route external
# traffic to node-local or cluster-wide endpoints. "Local" preserves the
# client source IP and avoids a second hop for LoadBalancer and Nodeport
# type services, but risks potentially imbalanced traffic spreading.
# "Cluster" obscures the client source IP and may cause a second hop to
# another node, but should have good overall load-spreading.
# externalTrafficPolicy:

# Service Type string describes ingress methods for a service
# Only "NodePort" and "LoadBalancer" is supported.
# Default value is LoadBalancer
# serviceType:

# envoyConfig defines the envoy specific config used for ingress-az1 external listener
envoyConfig:
# replicas describes how many pods will be used for the created envoy proxy
Expand All @@ -241,14 +252,17 @@ spec:
# nodeSelector:
# tolerations can be specified, which set the pod's tolerations
# tolerations:
# annotations can be used to place annotation to the envoy created loadbalancer
# annotations defines the annotations placed on the envoy ingress controller deployment
annotations:
az1
# loadBalancerSourceRanges refers to the k8s resource used in loadbalancer type services
# If specified and supported by the platform, this will restrict traffic through the cloud-provider
# load-balancer will be restricted to the specified client IPs. This field will be ignored if the
# cloud-provider does not support the feature."
# More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
# loadBalancerSourceRanges:
ingress-az1-istio:
istioIngressConfig:
# annotations can be used to place annotation to the envoy created loadbalancer
# annotations can be used to place annotations on the istio ingress controller deployment
annotations:
istio-az1
# resourceRequirements works exactly like Container resources, the user can specify the limit and the requests
Expand All @@ -262,14 +276,27 @@ spec:
# cpu: "200m"
# replicas describes how many pods will be used for the created envoy proxy
# replicas: 1

# nodeSelector can be specified, which set the pod to fit on a node
# nodeSelector:

# tolerations can be specified, which set the pod's tolerations
# tolerations:

# allows to set the created gateway configuration
# gatewayConfig:

# annotations will be placed on the created virtual service
# virtualServiceAnnotations:

# annotations defines the annotations placed on the envoy ingress controller deployment
# annotations:

# If specified and supported by the platform, this will restrict traffic through the cloud-provider
# load-balancer will be restricted to the specified client IPs. This field will be ignored if the
# cloud-provider does not support the feature."
# More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
# loadBalancerSourceRanges:
# internalListeners specifies settings required to access kafka externally
internalListeners:
# type defines the used security type ssl, plaintext, sasl_plaintext, sasl_ssl
Expand Down Expand Up @@ -324,10 +351,15 @@ spec:
#nodeSelector:
# tolerations can be specified, which set the pod's tolerations
#tolerations:
# annotations can be used to place annotation to the envoy created loadbalancer
# annotations defines the annotations placed on the envoy ingress controller deployment
#annotations:
# loadBalancerSourceRanges refers to the k8s resource used in loadbalancer type services
#loadBalancerSourceRanges:

# If specified and supported by the platform, this will restrict traffic through the cloud-provider
# load-balancer will be restricted to the specified client IPs. This field will be ignored if the
# cloud-provider does not support the feature."
# More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
# loadBalancerSourceRanges:

# cruiseControlConfig describes the cruise control related configuration
cruiseControlConfig:
# image describes the CC docker image
Expand Down
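Review bot: The comment block added under `envoyConfig` ("this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs … feature.\"") is two sentences run together with a stray closing quote, and the same text is repeated verbatim in the istio and second envoy blocks; I would replace it everywhere with `# If specified and supported by the platform, traffic through the cloud-provider load-balancer is restricted to the listed client CIDRs. The field is silently ignored (no filtering at all) when the provider does not support it.` The istio block also gains `# annotations defines the annotations placed on the envoy ingress controller deployment` / `# annotations:`, which names the wrong component and duplicates the `annotations:` entry already documented a few lines earlier in that same block, so drop it. A sample value would help users spot the expected CIDR form, e.g. `# loadBalancerSourceRanges:` followed by `#   - 10.0.0.0/8`.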
3 changes: 2 additions & 1 deletion pkg/resources/istioingress/meshgateway.go
Expand Up @@ -75,7 +75,8 @@ func (r *Reconciler) meshgateway(log logr.Logger, externalListenerConfig v1beta1
Ports: generateExternalPorts(r.KafkaCluster,
util.GetBrokerIdsFromStatusAndSpec(r.KafkaCluster.Status.BrokersState, r.KafkaCluster.Spec.Brokers, log),
externalListenerConfig, log, ingressConfigName, defaultIngressConfigName),
Type: string(ingressConfig.GetServiceType()),
Type: string(ingressConfig.GetServiceType()),
LoadBalancerSourceRanges: ingressConfig.IstioIngressConfig.GetLoadBalancerSourceRanges(),
},
RunAsRoot: util.BoolPointer(true),
Type: istioOperatorApi.GatewayType_ingress,
Expand Down
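Review bot: The new field reaches into `ingressConfig.IstioIngressConfig` while the line above reads the service type from `ingressConfig` itself; if `IstioIngressConfig` is a pointer that can be unset for a listener that only carries envoy settings, this line dereferences nil, and a `GetLoadBalancerSourceRanges` on the `ingressConfig` type (mirroring `GetServiceType`) would keep any nil handling in one place — I can't see that type from here, so this is to confirm. As far as I recall the Kubernetes Service validation, `loadBalancerSourceRanges` is only accepted when the Service type is LoadBalancer, so if istio-operator forwards it to the generated Service, a listener with `serviceType: NodePort` plus source ranges would presumably be rejected at the API server rather than by operator validation; setting the field only when `ingressConfig.GetServiceType()` is LoadBalancer, or rejecting that combination in the CR webhook, would surface the misconfiguration earlier. `meshgateway` starts and ends outside the hunk.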