kubernetes-sigs · jichenjc · Nov 30, 2022
diff --git a/pkg/cloud/services/networking/securitygroups.go b/pkg/cloud/services/networking/securitygroups.go
@@ -126,7 +126,7 @@ func (s *Service) generateDesiredSecGroups(openStackCluster *infrav1.OpenStackCl
 		controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneAllowAll(remoteGroupIDSelf, secWorkerGroupID)...)
 		workerRules = append(workerRules, GetSGWorkerAllowAll(remoteGroupIDSelf, secControlPlaneGroupID)...)
 	} else {
-		controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneGeneral(remoteGroupIDSelf, secWorkerGroupID)...)
+		controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneGeneral(s, remoteGroupIDSelf, secWorkerGroupID)...)
 		workerRules = append(workerRules, GetSGWorkerGeneral(remoteGroupIDSelf, secControlPlaneGroupID)...)
 	}
 

diff --git a/pkg/cloud/services/networking/securitygroups_rules.go b/pkg/cloud/services/networking/securitygroups_rules.go
@@ -17,6 +17,10 @@ limitations under the License.
 package networking
 
 import (
+	"encoding/json"
+        "encoding/base64"
+	"os"
+
 	infrav1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1alpha6"
 )
 
@@ -291,10 +295,29 @@ func GetSGWorkerAllowAll(remoteGroupIDSelf, secControlPlaneGroupID string) []inf
 	}
 }
 
-func GetSGControlPlaneGeneral(remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
+func getSGControlPlaneFromConfigmap(s *Service, remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
+	// Read from configmap
+	str, err := os.ReadFile("/etc/capo/calico/control-plane")
+	if err != nil {
+		s.scope.Logger.Info("file not found")
+		return []infrav1.SecurityGroupRule{}
+	}
+	data, err := base64.StdEncoding.DecodeString(string(str))
+        if err != nil {
+		s.scope.Logger.Info("failed to decode")
+                return []infrav1.SecurityGroupRule{}
+        }
+
+    	var sgrule []infrav1.SecurityGroupRule
+	err = json.Unmarshal([]byte(data), &sgrule)
+	return sgrule
+}
+
+func GetSGControlPlaneGeneral(s *Service, remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
 	controlPlaneRules := []infrav1.SecurityGroupRule{}
 	controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCommon(remoteGroupIDSelf, secWorkerGroupID)...)
-	controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCalico(remoteGroupIDSelf, secWorkerGroupID)...)
+	// controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCalico(remoteGroupIDSelf, secWorkerGroupID)...)
+	controlPlaneRules = append(controlPlaneRules, getSGControlPlaneFromConfigmap(s, remoteGroupIDSelf, secWorkerGroupID)...)
 	return controlPlaneRules
 }
 

diff --git a/templates/scgrules/calico.yaml b/templates/scgrules/calico.yaml
@@ -0,0 +1,78 @@
+##calico control-plane 
+##{
+##        Description:   "BGP (calico)",
+##        Direction:     "ingress",
+##        EtherType:     "IPv4",
+##        PortRangeMin:  179,
+##        PortRangeMax:  179,
+##        Protocol:      "tcp",
+##        RemoteGroupID: "remoteGroupIDSelf",
+##},
+##{
+##        Description:   "BGP (calico)",
+##        Direction:     "ingress",
+##        EtherType:     "IPv4",
+##        PortRangeMin:  179,
+##        PortRangeMax:  179,
+##        Protocol:      "tcp",
+##        RemoteGroupID: "secWorkerGroupID",
+##},
+##{
+##        Description:   "IP-in-IP (calico)",
+##        Direction:     "ingress",
+##        EtherType:     "IPv4",
+##        Protocol:      "ipip",
+##        RemoteGroupID: "remoteGroupIDSelf",
+##},
+##{
+##        Description:   "IP-in-IP (calico)",
+##        Direction:     "ingress",
+##        EtherType:     "IPv4",
+##        Protocol:      "ipip",
+##        RemoteGroupID: "secWorkerGroupID",
+##}
+
+
+##calico worker
+#{
+#        Description:   "BGP (calico)",
+#        Direction:     "ingress",
+#        EtherType:     "IPv4",
+#        PortRangeMin:  179,
+#        PortRangeMax:  179,
+#        Protocol:      "tcp",
+#        RemoteGroupID: "remoteGroupIDSelf",
+#},
+#{
+#        Description:   "BGP (calico)",
+#        Direction:     "ingress",
+#        EtherType:     "IPv4",
+#        PortRangeMin:  179,
+#        PortRangeMax:  179,
+#        Protocol:      "tcp",
+#        RemoteGroupID: "secControlPlaneGroupID",
+#},
+#{
+#        Description:   "IP-in-IP (calico)",
+#        Direction:     "ingress",
+#        EtherType:     "IPv4",
+#        Protocol:      "ipip",
+#        RemoteGroupID: "remoteGroupIDSelf",
+#},
+#{
+#        Description:   "IP-in-IP (calico)",
+#        Direction:     "ingress",
+#        EtherType:     "IPv4",
+#        Protocol:      "ipip",
+#        RemoteGroupID: "secControlPlaneGroupID",
+#}
+
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: calico-sgrules
+data:
+  control-plane: ewogICAgICAgIERlc2NyaXB0aW9uOiAgICJCR1AgKGNhbGljbykiLAogICAgICAgIERpcmVjdGlvbjogICAgICJpbmdyZXNzIiwKICAgICAgICBFdGhlclR5cGU6ICAgICAiSVB2NCIsCiAgICAgICAgUG9ydFJhbmdlTWluOiAgMTc5LAogICAgICAgIFBvcnRSYW5nZU1heDogIDE3OSwKICAgICAgICBQcm90b2NvbDogICAgICAidGNwIiwKICAgICAgICBSZW1vdGVHcm91cElEOiAicmVtb3RlR3JvdXBJRFNlbGYiLAp9LAp7CiAgICAgICAgRGVzY3JpcHRpb246ICAgIkJHUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQb3J0UmFuZ2VNaW46ICAxNzksCiAgICAgICAgUG9ydFJhbmdlTWF4OiAgMTc5LAogICAgICAgIFByb3RvY29sOiAgICAgICJ0Y3AiLAogICAgICAgIFJlbW90ZUdyb3VwSUQ6ICJzZWNXb3JrZXJHcm91cElEIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInJlbW90ZUdyb3VwSURTZWxmIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInNlY1dvcmtlckdyb3VwSUQiLAp9Cg==
+  worker: ewogICAgICAgIERlc2NyaXB0aW9uOiAgICJCR1AgKGNhbGljbykiLAogICAgICAgIERpcmVjdGlvbjogICAgICJpbmdyZXNzIiwKICAgICAgICBFdGhlclR5cGU6ICAgICAiSVB2NCIsCiAgICAgICAgUG9ydFJhbmdlTWluOiAgMTc5LAogICAgICAgIFBvcnRSYW5nZU1heDogIDE3OSwKICAgICAgICBQcm90b2NvbDogICAgICAidGNwIiwKICAgICAgICBSZW1vdGVHcm91cElEOiAicmVtb3RlR3JvdXBJRFNlbGYiLAp9LAp7CiAgICAgICAgRGVzY3JpcHRpb246ICAgIkJHUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQb3J0UmFuZ2VNaW46ICAxNzksCiAgICAgICAgUG9ydFJhbmdlTWF4OiAgMTc5LAogICAgICAgIFByb3RvY29sOiAgICAgICJ0Y3AiLAogICAgICAgIFJlbW90ZUdyb3VwSUQ6ICJzZWNDb250cm9sUGxhbmVHcm91cElEIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInJlbW90ZUdyb3VwSURTZWxmIiwKfSwKewogICAgICAgIERlc2NyaXB0aW9uOiAgICJJUC1pbi1JUCAoY2FsaWNvKSIsCiAgICAgICAgRGlyZWN0aW9uOiAgICAgImluZ3Jlc3MiLAogICAgICAgIEV0aGVyVHlwZTogICAgICJJUHY0IiwKICAgICAgICBQcm90b2NvbDogICAgICAiaXBpcCIsCiAgICAgICAgUmVtb3RlR3JvdXBJRDogInNlY0NvbnRyb2xQbGFuZUdyb3VwSUQiLAp9Cg==
+