New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resources: Add SecurityGroup resource #97
Conversation
resources/aws/securitygroup.go
Outdated
// Insecure apiserver | ||
80, | ||
// apiserver | ||
443, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We were using 6443 in #70, and that's what I see elsewhere too. Which is it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using 6443 was a temporary solution for #70 which IMO should be disregarded, but I wasn't aware that kubernetesd is using that too. Will add it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done (it means, I included both 443 and 6443, just in case)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have these ports in the TPR, no? Does it make sense to use those?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not all of them, but probably everything except SSH. I can use what is available in TPR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
resources/aws/securitygroup.go
Outdated
Description string | ||
GroupName string | ||
VpcID string | ||
name string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't we call this id
, since it contains the groupID
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then I need to create another interface, but OK, can do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not the most important thing
resources/aws/securitygroup.go
Outdated
func (s *SecurityGroup) openPort(port int) error { | ||
if _, err := s.Clients.EC2.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{ | ||
CidrIp: aws.String("0.0.0.0/0"), | ||
GroupId: aws.String(s.Name()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be name()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, name
is a private field, Name
is a public method.
resources/aws/securitygroup.go
Outdated
if _, err := s.Clients.EC2.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{ | ||
CidrIp: aws.String("0.0.0.0/0"), | ||
GroupId: aws.String(s.Name()), | ||
IpProtocol: aws.String("tcp"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer if this was capitalized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But it isn't and you can't do anything about that https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😢
|
||
func (s *SecurityGroup) openPort(port int) error { | ||
if _, err := s.Clients.EC2.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{ | ||
CidrIp: aws.String("0.0.0.0/0"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what you're doing here is allowing inbound connections on those ports from any IP. Do we want to be so permissive?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. What alse do you suggest? Maybe we could make it configurable, but IMO it's too early for that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JosephSalisbury WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if we leave it like this then we should definitely add an issue to remember to change it in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I can create it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My gut feeling is that this is too open, but I'm not certain what would improve the situation. Issue is fine with me.
resources/aws/securitygroup.go
Outdated
} | ||
|
||
func (s *SecurityGroup) Delete() error { | ||
return microerror.MaskAny(notImplementedMethodError) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we implement this instead? :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, can do
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
0578682
to
16fa4c3
Compare
resources/aws/securitygroup.go
Outdated
) | ||
|
||
var ( | ||
portsToOpen []int = []int{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get a linter warning here saying you can omit the []int
on the LHS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
cbcef1a
to
e67002c
Compare
resources/aws/securitygroup.go
Outdated
Description string | ||
GroupName string | ||
VpcID string | ||
Cluster clustertpr.Cluster |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not so sure this type needs to have access to the whole cluster part of the TPR. I think a list of port would make more sense.
But I understand that this could be a compromise to get us running. In that case though, we should address this later and have an issue to track it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where do you want to create that list of ports, in which function and module, and based on what input?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Where you create the struct (in our case,
service.go
) - Based on the TPR
I'm just advocating for separating concerns.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But yeah, it's not the most pressing concern, so you're also free to disregard :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You convinced me, done
Security groups are needed both for VPCs and ELBs. Both of them will use this resource. Ref giantswarm#27 Ref giantswarm#69
e67002c
to
31be24c
Compare
Please also create the issue wrt IP addresses. |
Security groups are needed both for VPCs and ELBs. Both of them will use this resource.
Ref #27
Ref #69