Ensure regional keppel and object-store are accesible from cluster nodes

sapcc · Apr 21, 2022 · 48fa697 · 48fa697
1 parent 87752a9
commit 48fa697
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 9 deletions.
diff --git a/pkg/client/openstack/kluster/client.go b/pkg/client/openstack/kluster/client.go
@@ -212,13 +212,9 @@ func (c *klusterClient) EnsureKubernikusRulesInSecurityGroup(kluster *v1.Kluster
 		return false, fmt.Errorf("More than one SecurityGroup with name %v found", sgName)
 	}
 
-	apiURL, err := url.Parse(kluster.Status.Apiserver)
+	apiIP, err := ipForUrl(kluster.Status.Apiserver)
 	if err != nil {
-		return false, fmt.Errorf("Failed to parse apiserver api: %w", err)
-	}
-	apiIPs, err := net.LookupHost(apiURL.Host)
-	if err != nil || len(apiIPs) == 0 {
-		return false, fmt.Errorf("Failed to resolve apiserver: %w", err)
+		return false, fmt.Errorf("Failed to lookup apiserver ip: %w", err)
 	}
 
 	wantedRules := []rules.SecGroupRule{
@@ -242,10 +238,40 @@ func (c *klusterClient) EnsureKubernikusRulesInSecurityGroup(kluster *v1.Kluster
 			Protocol:       string(rules.ProtocolTCP),
 			PortRangeMin:   443,
 			PortRangeMax:   443,
-			RemoteIPPrefix: apiIPs[0] + "/32",
+			RemoteIPPrefix: apiIP.String(),
 			Description:    fmt.Sprintf(`Kubernikus: allow access to apiserver of cluster "%s"`, kluster.Spec.Name),
 		},
 	}
+	if osURL, err := c.ComputeClient.ProviderClient.EndpointLocator(gophercloud.EndpointOpts{Type: "object-store", Availability: gophercloud.AvailabilityPublic}); err == nil {
+		if ip, err := ipForUrl(osURL); err == nil {
+			wantedRules = append(wantedRules, rules.SecGroupRule{
+				Direction:      string(rules.DirEgress),
+				EtherType:      string(rules.EtherType4),
+				Protocol:       string(rules.ProtocolTCP),
+				PortRangeMin:   443,
+				PortRangeMax:   443,
+				RemoteIPPrefix: ip.String(),
+				Description:    `Kubernikus: allow access to regional object-store/swift`,
+			})
+		} else {
+			fmt.Println("parse error object-store", osURL, err)
+		}
+	} else {
+		fmt.Println("no object-store", err, osURL)
+	}
+	if keppelURL, err := c.ComputeClient.ProviderClient.EndpointLocator(gophercloud.EndpointOpts{Type: "keppel", Availability: gophercloud.AvailabilityPublic}); err == nil {
+		if ip, err := ipForUrl(keppelURL); err == nil {
+			wantedRules = append(wantedRules, rules.SecGroupRule{
+				Direction:      string(rules.DirEgress),
+				EtherType:      string(rules.EtherType4),
+				Protocol:       string(rules.ProtocolTCP),
+				PortRangeMin:   443,
+				PortRangeMax:   443,
+				RemoteIPPrefix: ip.String(),
+				Description:    `Kubernikus: allow access to regional keppel`,
+			})
+		}
+	}
 OUTER:
 	for n, wanted := range wantedRules {
 		for _, rule := range groups[0].Rules {
@@ -405,3 +431,22 @@ func nodeMetadata(kluster, pool string) map[string]string {
 		"kubernikus:kluster":  kluster,
 	}
 }
+
+func ipForUrl(theurl string) (net.IP, error) {
+	u, err := url.Parse(theurl)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to parse url %s: %w", theurl, err)
+	}
+	//if host is an IP we are done
+	if ip := net.ParseIP(u.Hostname()); ip != nil {
+		return ip, nil
+	}
+	ips, err := net.LookupHost(u.Hostname())
+	if err != nil || len(ips) == 0 {
+		return nil, fmt.Errorf("Failed to resolve host: %w", err)
+	}
+	if ip := net.ParseIP(ips[0]); ip != nil {
+		return ip, nil
+	}
+	return nil, fmt.Errorf("Failed to parse resolved ip %s", ips[0])
+}
diff --git a/pkg/client/openstack/kluster/securitygroup.go b/pkg/client/openstack/kluster/securitygroup.go
@@ -32,10 +32,15 @@ func MatchRule(input rules.SecGroupRule, rule rules.SecGroupRule) bool {
 			if err != nil {
 				return false
 			}
-			inputnet := &net.IPNet{IP: make([]byte, 4), Mask: make([]byte, 4)}
+			var inputnet = &net.IPNet{IP: make([]byte, 4), Mask: make([]byte, 4)}
 			if input.RemoteIPPrefix != "" {
 				if _, inputnet, err = net.ParseCIDR(input.RemoteIPPrefix); err != nil {
-					return false
+					//true to parse as an ip
+					if ip := net.ParseIP(input.RemoteIPPrefix); ip != nil && ip.To4() != nil {
+						inputnet = &net.IPNet{IP: ip.To4(), Mask: net.IPv4Mask(255, 255, 255, 255)}
+					} else {
+						return false
+					}
 				}
 			}
 			if !CIDRIncluded(inputnet, rulenet) {

diff --git a/pkg/client/openstack/kluster/securitygroup_test.go b/pkg/client/openstack/kluster/securitygroup_test.go
@@ -31,6 +31,7 @@ func TestMatchRule(t *testing.T) {
 		{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.0.0/23"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.1.0/24"}, false},
 		{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/23"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/24"}, false},
 		{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/24"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/23"}, true},
+		{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.1"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.1/32"}, true},
 	}
 
 	for _, c := range cases {