This is an automated email from the ASF dual-hosted git repository.

weizhou pushed a commit to branch main
in repository 
https://gitbox.apache.org/repos/asf/cloudstack-kubernetes-provider.git


The following commit(s) were added to refs/heads/main by this push:
     new 98bd3c58 NSX: (temp fix) Skip adding firewall rules for CKS Clusters 
on VPC tiers (#56)
98bd3c58 is described below

commit 98bd3c586943fd11614d979cdafcbb19a72af82e
Author: Pearl Dsilva <[email protected]>
AuthorDate: Fri Jan 19 12:25:47 2024 -0500

    NSX: (temp fix) Skip adding firewall rules for CKS Clusters on VPC tiers 
(#56)
    
    Currently CKP does not set up NetworkACLs for CKS clusters on VPC tiers, and 
fails to add Firewall rules, as Firewall isn't supported on VPCs. This is a 
partial fix that skips setting up Firewall rules if the network doesn't support 
the service.
---
 cloudstack_loadbalancer.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/cloudstack_loadbalancer.go b/cloudstack_loadbalancer.go
index b796dfa9..1859da7d 100644
--- a/cloudstack_loadbalancer.go
+++ b/cloudstack_loadbalancer.go
@@ -163,7 +163,15 @@ func (cs *CSCloud) EnsureLoadBalancer(ctx context.Context, 
clusterName string, s
                        }
                }
 
-               if lbRule != nil {
+               network, count, err := lb.Network.GetNetworkByID(lb.networkID, 
cloudstack.WithProject(lb.projectID))
+               if err != nil {
+                       if count == 0 {
+                               return nil, err
+                       }
+                       return nil, err
+               }
+
+               if lbRule != nil && isFirewallSupported(network.Service) {
                        klog.V(4).Infof("Creating firewall rules for load 
balancer rule: %v (%v:%v:%v)", lbRuleName, protocol, lbRule.Publicip, port.Port)
                        if _, err := lb.updateFirewallRule(lbRule.Publicipid, 
int(port.Port), protocol, service.Spec.LoadBalancerSourceRanges); err != nil {
                                return nil, err
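Review bot: When `isFirewallSupported(network.Service)` is false, the `updateFirewallRule` call is skipped silently, so any `service.Spec.LoadBalancerSourceRanges` the user set is not enforced on that network and nothing in the logs says so. The commit message notes that network ACLs are not set up on VPC tiers either, so a warning on the skipped path would show operators that the source-range restriction is not applied, e.g. `klog.Warningf("Network %v does not support Firewall; source ranges for load balancer rule %v are not enforced", lb.networkID, lbRuleName)`. The error branch can also be reduced to `if err != nil { return nil, err }`, because both arms of the `count == 0` check return the same values. The lookup appears to sit inside the per-port loop although `lb.networkID` does not change in the visible lines, so it could probably be hoisted. EnsureLoadBalancer starts and ends outside the hunk, so confirm that against the full loop.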
@@ -244,6 +252,15 @@ func (cs *CSCloud) UpdateLoadBalancer(ctx context.Context, 
clusterName string, s
        return nil
 }
 
+func isFirewallSupported(services []cloudstack.NetworkServiceInternal) bool {
+       for _, svc := range services {
+               if svc.Name == "Firewall" {
+                       return true
+               }
+       }
+       return false
+}
+
 // EnsureLoadBalancerDeleted deletes the specified load balancer if it exists, 
returning
 // nil if the load balancer specified either didn't exist or was successfully 
deleted.
 func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName 
string, service *corev1.Service) error {
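Review bot: `isFirewallSupported` has no doc comment, and nothing tells a reader what callers give up when it returns false. I would add `// isFirewallSupported reports whether the network's service list contains the "Firewall" service; when it does not, callers skip firewall rule creation.` above the function. The comparison against the literal `"Firewall"` is exact-case, which is presumably how the API returns the name, but it is worth confirming and moving into a named constant so the check cannot drift from other uses.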
