This new controller reconciles on NatMapping resources. In particular, it guarantees the appropriate set of NAT rules is in place and updated by consuming the IPTables module.
1 parent
d85b247
commit 5df9dcd
Showing
10 changed files
with
575 additions
and
33 deletions.
@@ -1,3 +1,4 @@ | ||
// Package tunneloperator contains the tunnel controller which configures the vpn tunnels, natting rules and | ||
// routes in order to comunicate with the remote peering clusters. | ||
// routes in order to comunicate with the remote peering clusters and also the natmapping controller | ||
// that configures nat rules for ExternalCIDR. | ||
package tunneloperator |
@@ -0,0 +1,82 @@ | ||
package tunneloperator | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"sync" | ||
|
||
"github.com/containernetworking/plugins/pkg/ns" | ||
"k8s.io/klog/v2" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
|
||
netv1alpha1 "github.com/liqotech/liqo/apis/net/v1alpha1" | ||
"github.com/liqotech/liqo/pkg/liqonet/iptables" | ||
) | ||
|
||
// NatMappingController reconciles a NatMapping object. | ||
type NatMappingController struct { | ||
client.Client | ||
iptables.IPTHandler | ||
readyClustersMutex *sync.Mutex | ||
readyClusters map[string]struct{} | ||
gatewayNetns ns.NetNS | ||
} | ||
|
||
//+kubebuilder:rbac:groups=net.liqo.io,resources=natmappings,verbs=get;list;watch;create;update;patch;delete | ||
|
||
// Reconcile function handles requests made on NatMapping resource | ||
// by guaranteeing the proper set of DNAT rules are updated. | ||
func (npc *NatMappingController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { | ||
var nm netv1alpha1.NatMapping | ||
|
||
if err := npc.Get(ctx, req.NamespacedName, &nm); err != nil { | ||
return result, client.IgnoreNotFound(err) | ||
} | ||
// There's no need of a pre-delete logic since IPTables rules for cluster are removed by the | ||
// tunnel-operator after the un-peer. | ||
|
||
// The following logic has to be executed in the custom network namespace, | ||
// and not on the root namespace. Therefore it must be defined in a closure | ||
// and then used as parameter of method Do of netNs | ||
if err := npc.gatewayNetns.Do(func(netNamespace ns.NetNS) error { | ||
// Is the remote cluster tunnel ready? If not, do nothing | ||
npc.readyClustersMutex.Lock() | ||
defer npc.readyClustersMutex.Unlock() | ||
if _, ready := npc.readyClusters[nm.Spec.ClusterID]; !ready { | ||
return fmt.Errorf("tunnel for cluster {%s} is not ready", nm.Spec.ClusterID) | ||
} | ||
if err := npc.IPTHandler.EnsurePreroutingRulesPerNatMapping(&nm); err != nil { | ||
klog.Errorf("unable to ensure prerouting rules for cluster {%s}: %s", | ||
nm.Spec.ClusterID, err.Error()) | ||
return err | ||
} | ||
return nil | ||
}); err != nil { | ||
return result, err | ||
} | ||
return result, nil | ||
} | ||
|
||
// SetupWithManager sets up the controller with the Manager. | ||
func (npc *NatMappingController) SetupWithManager(mgr ctrl.Manager) error { | ||
return ctrl.NewControllerManagedBy(mgr). | ||
For(&netv1alpha1.NatMapping{}). | ||
Complete(npc) | ||
} | ||
|
||
// NewNatMappingController returns a NAT mapping controller istance. | ||
func NewNatMappingController(cl client.Client, readyClustersMutex *sync.Mutex, | ||
readyClusters map[string]struct{}, gatewayNetns ns.NetNS) (*NatMappingController, error) { | ||
iptablesHandler, err := iptables.NewIPTHandler() | ||
if err != nil { | ||
return nil, err | ||
} | ||
return &NatMappingController{ | ||
Client: cl, | ||
IPTHandler: iptablesHandler, | ||
readyClustersMutex: readyClustersMutex, | ||
readyClusters: readyClusters, | ||
gatewayNetns: gatewayNetns, | ||
}, nil | ||
} |
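Review bot: Reconcile returns early on NotFound (`return result, client.IgnoreNotFound(err)`) and otherwise only ever calls EnsurePreroutingRulesPerNatMapping, so the DNAT rules this controller installs for a NatMapping are never removed here when the resource is deleted; the comment above the netns closure delegates cleanup to the un-peer path, which presumably only runs when the whole cluster is un-peered, so rules for a mapping deleted while the peering stays up would keep translating traffic until then, unless EnsurePreroutingRulesPerNatMapping itself prunes entries no longer in the spec. If that lifetime is intended, the comment should state it explicitly, e.g. `// Rules for a deleted NatMapping stay in place until the cluster is un-peered; per-mapping removal is not handled here.`; otherwise a finalizer-driven removal path is needed. The not-ready branch returns an error, which controller-runtime logs at error level and retries with backoff on every reconcile until the tunnel comes up; returning `return ctrl.Result{RequeueAfter: requeueInterval}, nil` (with a package constant for the interval) expresses the transient condition without the error noise, and the `klog.Errorf` before `return err` is a log-and-return of the same error that the manager will log again. The identifier `result` is not declared in this file, so it presumably is a package-level variable defined elsewhere in tunneloperator.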