Ensure regional keppel and object-store are accesible from cluster nodes
databus23 committed Apr 21, 2022
1 parent 87752a9 commit 48fa697
Showing 3 changed files with 60 additions and 9 deletions.
59 changes: 52 additions & 7 deletions pkg/client/openstack/kluster/client.go
Expand Up @@ -212,13 +212,9 @@ func (c *klusterClient) EnsureKubernikusRulesInSecurityGroup(kluster *v1.Kluster
return false, fmt.Errorf("More than one SecurityGroup with name %v found", sgName)
}

apiURL, err := url.Parse(kluster.Status.Apiserver)
apiIP, err := ipForUrl(kluster.Status.Apiserver)
if err != nil {
return false, fmt.Errorf("Failed to parse apiserver api: %w", err)
}
apiIPs, err := net.LookupHost(apiURL.Host)
if err != nil || len(apiIPs) == 0 {
return false, fmt.Errorf("Failed to resolve apiserver: %w", err)
return false, fmt.Errorf("Failed to lookup apiserver ip: %w", err)
}

wantedRules := []rules.SecGroupRule{
Expand All @@ -242,10 +238,40 @@ func (c *klusterClient) EnsureKubernikusRulesInSecurityGroup(kluster *v1.Kluster
Protocol: string(rules.ProtocolTCP),
PortRangeMin: 443,
PortRangeMax: 443,
RemoteIPPrefix: apiIPs[0] + "/32",
RemoteIPPrefix: apiIP.String(),
Description: fmt.Sprintf(`Kubernikus: allow access to apiserver of cluster "%s"`, kluster.Spec.Name),
},
}
if osURL, err := c.ComputeClient.ProviderClient.EndpointLocator(gophercloud.EndpointOpts{Type: "object-store", Availability: gophercloud.AvailabilityPublic}); err == nil {
if ip, err := ipForUrl(osURL); err == nil {
wantedRules = append(wantedRules, rules.SecGroupRule{
Direction: string(rules.DirEgress),
EtherType: string(rules.EtherType4),
Protocol: string(rules.ProtocolTCP),
PortRangeMin: 443,
PortRangeMax: 443,
RemoteIPPrefix: ip.String(),
Description: `Kubernikus: allow access to regional object-store/swift`,
})
} else {
fmt.Println("parse error object-store", osURL, err)
}
} else {
fmt.Println("no object-store", err, osURL)
}
if keppelURL, err := c.ComputeClient.ProviderClient.EndpointLocator(gophercloud.EndpointOpts{Type: "keppel", Availability: gophercloud.AvailabilityPublic}); err == nil {
if ip, err := ipForUrl(keppelURL); err == nil {
wantedRules = append(wantedRules, rules.SecGroupRule{
Direction: string(rules.DirEgress),
EtherType: string(rules.EtherType4),
Protocol: string(rules.ProtocolTCP),
PortRangeMin: 443,
PortRangeMax: 443,
RemoteIPPrefix: ip.String(),
Description: `Kubernikus: allow access to regional keppel`,
})
}
}
OUTER:
for n, wanted := range wantedRules {
for _, rule := range groups[0].Rules {
Expand Down Expand Up @@ -405,3 +431,22 @@ func nodeMetadata(kluster, pool string) map[string]string {
"kubernikus:kluster": kluster,
}
}

func ipForUrl(theurl string) (net.IP, error) {
u, err := url.Parse(theurl)
if err != nil {
return nil, fmt.Errorf("Failed to parse url %s: %w", theurl, err)
}
//if host is an IP we are done
if ip := net.ParseIP(u.Hostname()); ip != nil {
return ip, nil
}
ips, err := net.LookupHost(u.Hostname())
if err != nil || len(ips) == 0 {
return nil, fmt.Errorf("Failed to resolve host: %w", err)
}
if ip := net.ParseIP(ips[0]); ip != nil {
return ip, nil
}
return nil, fmt.Errorf("Failed to parse resolved ip %s", ips[0])
}
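Review bot: ipForUrl (hunk 3, L79-L96) can hand back an IPv6 address — net.ParseIP on the hostname, or whatever net.LookupHost lists first — while every rule built from it in hunk 2 sets EtherType4, so Neutron would presumably reject the rule and MatchRule in securitygroup.go (which only accepts ip.To4()) would never match it, leaving the reconciler to retry each loop; the same v4-only assumption should be applied in the fast path, `if ip := net.ParseIP(u.Hostname()); ip != nil && ip.To4() != nil {`. Taking only ips[0] also means an endpoint with several A records gets a single /32 allowed, and when err is nil but ips is empty the `%w` at L90 formats a nil error. Separately, the object-store branch (L53, L56) prints diagnostics to stdout with fmt.Println while the keppel branch (L69) drops the error silently; both should go through the controller's logger, or at least agree. The LookupHost part could be rewritten as below; the caller EnsureKubernikusRulesInSecurityGroup starts before hunk 1 and ends after hunk 2.
```go
func ipForUrl(theurl string) (net.IP, error) {
	// … unchanged: url.Parse and the bare-IP fast path …
	ips, err := net.LookupHost(u.Hostname())
	if err != nil {
		return nil, fmt.Errorf("Failed to resolve host %s: %w", u.Hostname(), err)
	}
	// The security group rules built from this address are EtherType4,
	// so pick the first IPv4 record rather than whatever the resolver lists first.
	for _, s := range ips {
		if ip := net.ParseIP(s); ip != nil && ip.To4() != nil {
			return ip.To4(), nil
		}
	}
	return nil, fmt.Errorf("no IPv4 address found for host %s", u.Hostname())
}
```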
9 changes: 7 additions & 2 deletions pkg/client/openstack/kluster/securitygroup.go
Expand Up @@ -32,10 +32,15 @@ func MatchRule(input rules.SecGroupRule, rule rules.SecGroupRule) bool {
if err != nil {
return false
}
inputnet := &net.IPNet{IP: make([]byte, 4), Mask: make([]byte, 4)}
var inputnet = &net.IPNet{IP: make([]byte, 4), Mask: make([]byte, 4)}
if input.RemoteIPPrefix != "" {
if _, inputnet, err = net.ParseCIDR(input.RemoteIPPrefix); err != nil {
return false
//true to parse as an ip
if ip := net.ParseIP(input.RemoteIPPrefix); ip != nil && ip.To4() != nil {
inputnet = &net.IPNet{IP: ip.To4(), Mask: net.IPv4Mask(255, 255, 255, 255)}
} else {
return false
}
}
}
if !CIDRIncluded(inputnet, rulenet) {
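Review bot: The comment at L108, `//true to parse as an ip`, reads as a typo for "try" and does not say what the branch actually decides, which is that a bare IPv4 address is treated as a /32 and anything else (including a bare IPv6 literal, because of the ip.To4() check) makes the rule not match. Suggest `// RemoteIPPrefix was not a CIDR: accept a bare IPv4 address as a /32 host; anything else (incl. IPv6) does not match.` The enclosing MatchRule starts and ends outside this hunk.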
1 change: 1 addition & 0 deletions pkg/client/openstack/kluster/securitygroup_test.go
Expand Up @@ -31,6 +31,7 @@ func TestMatchRule(t *testing.T) {
{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.0.0/23"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.1.0/24"}, false},
{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/23"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/24"}, false},
{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/24"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.0/23"}, true},
{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.1"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.1/32"}, true},
}

for _, c := range cases {
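Review bot: The new case at L124 only covers the happy path of the bare-IP fallback in MatchRule (a bare IPv4 input against its /32 rule); the rejection branch that the same change adds is untested. Adding a case such as `{rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "not-an-ip"}, rules.SecGroupRule{Direction: "ingress", Protocol: "tcp", RemoteIPPrefix: "10.0.2.1/32"}, false},` and one with a bare IPv6 literal expecting false would pin both sides. TestMatchRule starts and ends outside this hunk.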