From e8c6685b30a15dcafb65355cdca1f901aa064ba1 Mon Sep 17 00:00:00 2001
From: jichenjc
Date: Wed, 30 Nov 2022 03:01:58 +0000
Subject: [PATCH] add configmap for calico sec group rules

---
 .../services/networking/securitygroups.go | 2 +-
 .../networking/securitygroups_rules.go | 27 ++++++-
 templates/scgrules/calico.yaml | 78 +++++++++++++++++++
 3 files changed, 104 insertions(+), 3 deletions(-)
 create mode 100644 templates/scgrules/calico.yaml

diff --git a/pkg/cloud/services/networking/securitygroups.go b/pkg/cloud/services/networking/securitygroups.go
index e41a66f5cf..32875696e1 100644
--- a/pkg/cloud/services/networking/securitygroups.go
+++ b/pkg/cloud/services/networking/securitygroups.go
@@ -126,7 +126,7 @@ func (s *Service) generateDesiredSecGroups(openStackCluster *infrav1.OpenStackCl
 controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneAllowAll(remoteGroupIDSelf, secWorkerGroupID)...)
 workerRules = append(workerRules, GetSGWorkerAllowAll(remoteGroupIDSelf, secControlPlaneGroupID)...)
 } else {
- controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneGeneral(remoteGroupIDSelf, secWorkerGroupID)...)
+ controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneGeneral(s, remoteGroupIDSelf, secWorkerGroupID)...)
 workerRules = append(workerRules, GetSGWorkerGeneral(remoteGroupIDSelf, secControlPlaneGroupID)...)
 }

diff --git a/pkg/cloud/services/networking/securitygroups_rules.go b/pkg/cloud/services/networking/securitygroups_rules.go
index 47b3718a38..a3b55a0d5e 100644
--- a/pkg/cloud/services/networking/securitygroups_rules.go
+++ b/pkg/cloud/services/networking/securitygroups_rules.go
@@ -17,6 +17,10 @@ limitations under the License.
 package networking

 import (
+ "encoding/json"
+ "encoding/base64"
+ "os"
+
 infrav1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1alpha6"
 )

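Review bot: The else branch now sources the control-plane calico rules from the mounted ConfigMap, while `workerRules = append(workerRules, GetSGWorkerGeneral(remoteGroupIDSelf, secControlPlaneGroupID)...)` on the next line still uses the compiled-in worker rules, even though templates/scgrules/calico.yaml ships a `worker` key as well. Either both halves should be loaded the same way, or the commit message should state that only the control-plane side is configurable for now; as written, a user who edits the worker rules in the ConfigMap sees no effect. generateDesiredSecGroups starts and ends outside the hunk.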
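Review bot: The added imports are not in gofmt order — `"encoding/json"` is listed before `"encoding/base64"`, and the extra `+` blank line splits the standard library into two groups — so gofmt/goimports will rewrite the block and a lint gate will reject it as is. The group should read `"encoding/base64"`, `"encoding/json"`, `"os"`, then one blank line and the infrav1 import.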
@@ -291,10 +295,29 @@ func GetSGWorkerAllowAll(remoteGroupIDSelf, secControlPlaneGroupID string) []inf
 }
 }

-func GetSGControlPlaneGeneral(remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
+func getSGControlPlaneFromConfigmap(s *Service, remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
+ // Read from configmap
+ str, err := os.ReadFile("/etc/capo/calico/control-plane")
+ if err != nil {
+ s.scope.Logger.Info("file not found")
+ return []infrav1.SecurityGroupRule{}
+ }
+ data, err := base64.StdEncoding.DecodeString(string(str))
+ if err != nil {
+ s.scope.Logger.Info("failed to decode")
+ return []infrav1.SecurityGroupRule{}
+ }
+
+ var sgrule []infrav1.SecurityGroupRule
+ err = json.Unmarshal([]byte(data), &sgrule)
+ return sgrule
+}
+
+func GetSGControlPlaneGeneral(s *Service, remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
 controlPlaneRules := []infrav1.SecurityGroupRule{}
 controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCommon(remoteGroupIDSelf, secWorkerGroupID)...)
- controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCalico(remoteGroupIDSelf, secWorkerGroupID)...)
+ // controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCalico(remoteGroupIDSelf, secWorkerGroupID)...)
+ controlPlaneRules = append(controlPlaneRules, getSGControlPlaneFromConfigmap(s, remoteGroupIDSelf, secWorkerGroupID)...)
 return controlPlaneRules
 }

diff --git a/templates/scgrules/calico.yaml b/templates/scgrules/calico.yaml
new file mode 100644
index 0000000000..50dd96c5a2
--- /dev/null
+++ b/templates/scgrules/calico.yaml
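Review bot: `err = json.Unmarshal([]byte(data), &sgrule)` in getSGControlPlaneFromConfigmap never inspects err, so a malformed payload silently yields an empty rule set and the control plane is created without any calico rules; this is the path every call currently takes, because the payload in templates/scgrules/calico.yaml decodes to the Go-literal text shown in that file's `##` comments (unquoted keys, comma-separated objects with no enclosing array), which encoding/json rejects. The remoteGroupIDSelf and secWorkerGroupID parameters are also never used: the template's RemoteGroupID values are the literal strings "remoteGroupIDSelf" and "secWorkerGroupID", which would be handed to Neutron as group IDs unless the loader resolves them, so even a parseable payload produces unusable rules. Since whoever can write that ConfigMap now decides what ingress the control-plane security group allows, the two earlier failures should be logged with the error and path at Error level (assuming scope.Logger is the logr logger its Info call suggests) instead of as bare Info strings, and the commented-out getSGControlPlaneCalico line should be deleted rather than kept. The rewrite below keeps the signature, checks every error the same way, hoists the hard-coded path into a constant, drops the redundant `[]byte(data)` conversion and maps the placeholders onto the real group IDs after decoding.
```go
// controlPlaneRulesPath is the file the calico-sgrules ConfigMap is mounted at.
const controlPlaneRulesPath = "/etc/capo/calico/control-plane"

func getSGControlPlaneFromConfigmap(s *Service, remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
	raw, err := os.ReadFile(controlPlaneRulesPath)
	if err != nil {
		s.scope.Logger.Error(err, "reading control-plane security group rules", "path", controlPlaneRulesPath)
		return nil
	}
	data, err := base64.StdEncoding.DecodeString(string(raw))
	if err != nil {
		s.scope.Logger.Error(err, "decoding control-plane security group rules", "path", controlPlaneRulesPath)
		return nil
	}

	var rules []infrav1.SecurityGroupRule
	if err := json.Unmarshal(data, &rules); err != nil {
		s.scope.Logger.Error(err, "parsing control-plane security group rules", "path", controlPlaneRulesPath)
		return nil
	}

	// The template names groups symbolically; map them onto this cluster's real group IDs.
	for i := range rules {
		switch rules[i].RemoteGroupID {
		case "remoteGroupIDSelf":
			rules[i].RemoteGroupID = remoteGroupIDSelf
		case "secWorkerGroupID":
			rules[i].RemoteGroupID = secWorkerGroupID
		}
	}
	return rules
}

func GetSGControlPlaneGeneral(s *Service, remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
	// … unchanged: common rules …
	controlPlaneRules = append(controlPlaneRules, getSGControlPlaneFromConfigmap(s, remoteGroupIDSelf, secWorkerGroupID)...)
	return controlPlaneRules
}
```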
@@ -0,0 +1,78 @@ +##calico control-plane +##{ +## Description: "BGP (calico)", +## Direction: "ingress", +## EtherType: "IPv4", +## PortRangeMin: 179, +## PortRangeMax: 179, +## Protocol: "tcp", +## RemoteGroupID: "remoteGroupIDSelf", +##}, +##{ +## Description: "BGP (calico)", +## Direction: "ingress", +## EtherType: "IPv4", +## PortRangeMin: 179, +## PortRangeMax: 179, +## Protocol: "tcp", +## RemoteGroupID: "secWorkerGroupID", +##}, +##{ +## Description: "IP-in-IP (calico)", +## Direction: "ingress", +## EtherType: "IPv4", +## Protocol: "ipip", +## RemoteGroupID: "remoteGroupIDSelf", +##}, +##{ +## Description: "IP-in-IP (calico)", +## Direction: "ingress", +## EtherType: "IPv4", +## Protocol: "ipip", +## RemoteGroupID: "secWorkerGroupID", +##} + + +##calico worker +#{ +# Description: "BGP (calico)", +# Direction: "ingress", +# EtherType: "IPv4", +# PortRangeMin: 179, +# PortRangeMax: 179, +# Protocol: "tcp", +# RemoteGroupID: "remoteGroupIDSelf", +#}, +#{ +# Description: "BGP (calico)", +# Direction: "ingress", +# EtherType: "IPv4", +# PortRangeMin: 179, +# PortRangeMax: 179, +# Protocol: "tcp", +# RemoteGroupID: "secControlPlaneGroupID", +#}, +#{ +# Description: "IP-in-IP (calico)", +# Direction: "ingress", +# EtherType: "IPv4", +# Protocol: "ipip", +# RemoteGroupID: "remoteGroupIDSelf", +#}, +#{ +# Description: "IP-in-IP (calico)", +# Direction: "ingress", +# EtherType: "IPv4", +# Protocol: "ipip", +# RemoteGroupID: "secControlPlaneGroupID", +#} + + +apiVersion: v1 +kind: ConfigMap +metadata: + name: calico-sgrules +data: + control-plane: 
ewogICAgICAgIERlc2NyaXB0aW9uOiAgICJCR1AgKGNhbGljbykiLAogICAgICAgIERpcmVjdGlvbjogICAgICJpbmdyZXNzIiwKICAgICAgICBFdGhlclR5cGU6ICAgICAiSVB2NCIsCiAgICAgICAgUG9ydFJhbmdlTWluOiAgMTc5LAogICAgICAgIFBvcnRSYW5nZU1heDogIDE3OSwKICAgICAgICBQcm90b2NvbDogICAgICAidGNwIiwKICAgICAgICBSZW1vdGVHcm91cElEOiAicmVtb3RlR3JvdXBJRFNlbGYiLAp9LAp7CiAgICAgICAgRGVzY3JpcHRpb246ICAgIkJHUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQb3J0UmFuZ2VNaW46ICAxNzksCiAgICAgICAgUG9ydFJhbmdlTWF4OiAgMTc5LAogICAgICAgIFByb3RvY29sOiAgICAgICJ0Y3AiLAogICAgICAgIFJlbW90ZUdyb3VwSUQ6ICJzZWNXb3JrZXJHcm91cElEIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInJlbW90ZUdyb3VwSURTZWxmIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInNlY1dvcmtlckdyb3VwSUQiLAp9Cg== + worker: 
ewogICAgICAgIERlc2NyaXB0aW9uOiAgICJCR1AgKGNhbGljbykiLAogICAgICAgIERpcmVjdGlvbjogICAgICJpbmdyZXNzIiwKICAgICAgICBFdGhlclR5cGU6ICAgICAiSVB2NCIsCiAgICAgICAgUG9ydFJhbmdlTWluOiAgMTc5LAogICAgICAgIFBvcnRSYW5nZU1heDogIDE3OSwKICAgICAgICBQcm90b2NvbDogICAgICAidGNwIiwKICAgICAgICBSZW1vdGVHcm91cElEOiAicmVtb3RlR3JvdXBJRFNlbGYiLAp9LAp7CiAgICAgICAgRGVzY3JpcHRpb246ICAgIkJHUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQb3J0UmFuZ2VNaW46ICAxNzksCiAgICAgICAgUG9ydFJhbmdlTWF4OiAgMTc5LAogICAgICAgIFByb3RvY29sOiAgICAgICJ0Y3AiLAogICAgICAgIFJlbW90ZUdyb3VwSUQ6ICJzZWNDb250cm9sUGxhbmVHcm91cElEIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInJlbW90ZUdyb3VwSURTZWxmIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInNlY0NvbnRyb2xQbGFuZUdyb3VwSUQiLAp9Cg== +
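Review bot: The `data` values are base64-encoded even though a ConfigMap carries plain text; a literal block (`control-plane: |` followed by the rules as JSON) would make them reviewable in place and would remove the extra decode step in securitygroups_rules.go. The object also has no `namespace`, and the diffstat lists no Deployment or kustomization change, so as far as this patch shows nothing mounts it at `/etc/capo/calico` and the loader will keep taking its file-not-found branch. Because editing this ConfigMap now changes what ingress the control-plane security group allows, the header comment should state which namespace it belongs in and that write access to it is equivalent to write access to the control-plane security group.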