This is an automated email from the ASF dual-hosted git repository. pearl11594 pushed a commit to branch support-acl in repository https://gitbox.apache.org/repos/asf/cloudstack-kubernetes-provider.git
commit d746130517ce87c3e918307b39d374199e6d6a9d
Author: Pearl Dsilva <[email protected]>
AuthorDate: Tue Jul 2 12:49:45 2024 -0400
Add support for NetworkACLs for LB on VPC networks
---
Makefile | 4 ++--
cloudstack_loadbalancer.go | 46 ++++++++++++++++++++++++++++++++++++++++++----
deployment.yaml | 2 +-
3 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index aebd9ff7..d7d034e0 100644
--- a/Makefile
+++ b/Makefile
@@ -49,7 +49,7 @@ test:
 docker:
 docker build . -t apache/cloudstack-kubernetes-provider:${GIT_COMMIT_SHORT}
- docker tag apache/cloudstack-kubernetes-provider:${GIT_COMMIT_SHORT} apache/cloudstack-kubernetes-provider:latest
+ docker tag apache/cloudstack-kubernetes-provider:${GIT_COMMIT_SHORT} pearl1594/cloudstack-kubernetes-provider:latest
 ifneq (${GIT_IS_TAG},NOT_A_TAG)
- docker tag apache/cloudstack-kubernetes-provider:${GIT_COMMIT_SHORT} apache/cloudstack-kubernetes-provider:${GIT_TAG}
+ docker tag apache/cloudstack-kubernetes-provider:${GIT_COMMIT_SHORT} pearl1594/cloudstack-kubernetes-provider:${GIT_TAG}
 endif
diff --git a/cloudstack_loadbalancer.go b/cloudstack_loadbalancer.go
index 09011127..f23f29f8 100644
--- a/cloudstack_loadbalancer.go
+++ b/cloudstack_loadbalancer.go
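Review bot: Both `docker tag` lines now publish the image under the personal `pearl1594/` namespace instead of `apache/`, and deployment.yaml in the same commit replaces the pinned `apache/cloudstack-kubernetes-provider:v1.1.0` with the mutable `pearl1594/cloudstack-kubernetes-provider:latest`. A release target and manifest checked into the repository should reference the project-owned namespace and an immutable tag (or an image digest) so that what gets deployed is reproducible and cannot be changed by whoever controls that account or by a later `latest` push. If these edits were only for local testing of the ACL change, the two Makefile lines and the deployment.yaml line belong outside the commit; otherwise the commit message should say why the image was relocated.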
@@ -181,10 +181,17 @@ func (cs *CSCloud) EnsureLoadBalancer(ctx context.Context, clusterName string, s
 return nil, err
 }
- if lbRule != nil && isFirewallSupported(network.Service) {
- klog.V(4).Infof("Creating firewall rules for load balancer rule: %v (%v:%v:%v)", lbRuleName, protocol, lbRule.Publicip, port.Port)
- if _, err := lb.updateFirewallRule(lbRule.Publicipid, int(port.Port), protocol, service.Spec.LoadBalancerSourceRanges); err != nil {
- return nil, err
+ if lbRule != nil {
+ if isFirewallSupported(network.Service) {
+ klog.V(4).Infof("Creating firewall rules for load balancer rule: %v (%v:%v:%v)", lbRuleName, protocol, lbRule.Publicip, port.Port)
+ if _, err := lb.updateFirewallRule(lbRule.Publicipid, int(port.Port), protocol, service.Spec.LoadBalancerSourceRanges); err != nil {
+ return nil, err
+ }
+ } else if isNetworkACLSupported(network.Service) {
+ klog.V(4).Infof("Creating ACL rules for load balancer rule: %v (%v:%v:%v)", lbRuleName, protocol, lbRule.Publicip, port.Port)
+ if _, err := lb.updateNetworkACL(int(port.Port), protocol, network.Id); err != nil {
+ return nil, err
+ }
 }
 }
 }
@@ -278,6 +285,15 @@ func isFirewallSupported(services []cloudstack.NetworkServiceInternal) bool {
 return false
 }
+func isNetworkACLSupported(services []cloudstack.NetworkServiceInternal) bool {
+ for _, svc := range services {
+ if svc.Name == "NetworkACL" {
+ return true
+ }
+ }
+ return false
+}
+
 // EnsureLoadBalancerDeleted deletes the specified load balancer if it exists, returning
 // nil if the load balancer specified either didn't exist or was successfully deleted.
 func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName string, service *corev1.Service) error {
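Review bot: The new `else if isNetworkACLSupported` branch drops `service.Spec.LoadBalancerSourceRanges`: the firewall branch just above passes the Service's source ranges to `updateFirewallRule`, but `lb.updateNetworkACL(int(port.Port), protocol, network.Id)` receives no CIDR list, so on a VPC network the source restriction a user configured on the Service is silently not enforced. The call should become `lb.updateNetworkACL(int(port.Port), protocol, network.Id, service.Spec.LoadBalancerSourceRanges)`, with `updateNetworkACL` (added in the later hunk of this file) taking a `cidrs []string` parameter and applying it to the rule. The new `isNetworkACLSupported` helper also has no doc comment; `// isNetworkACLSupported reports whether the network's service list includes the NetworkACL service.` would do. `EnsureLoadBalancer` begins before and ends after this hunk, so the surrounding loop over ports is not visible here.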
@@ -790,6 +806,28 @@ func (lb *loadBalancer) updateFirewallRule(publicIpId string, publicPort int, pr
 return true, err
 }
+func (lb *loadBalancer) updateNetworkACL(publicPort int, protocol LoadBalancerProtocol, networkId string) (bool, error) {
+ network, _, err := lb.Network.GetNetworkByID(networkId)
+ if err != nil {
+ return false, fmt.Errorf("error fetching Network with ID: %v, due to: %s", networkId, err)
+ }
+
+ // create ACL rule
+ acl := lb.NetworkACL.NewCreateNetworkACLParams(protocol.CSProtocol())
+ acl.SetAclid(network.Aclid)
+ acl.SetAction("Allow")
+ acl.SetStartport(publicPort)
+ acl.SetEndport(publicPort)
+ acl.SetNetworkid(networkId)
+ acl.SetTraffictype("Ingress")
+
+ _, err = lb.NetworkACL.CreateNetworkACL(acl)
+ if err != nil {
+ return false, fmt.Errorf("error creating Network ACL for port: %v, due to: %s", publicPort, err)
+ }
+ return true, err
+}
+
 // deleteFirewallRule deletes the firewall rule associated with the ip:port:protocol combo
 //
 // returns true when corresponding rules were deleted
diff --git a/deployment.yaml b/deployment.yaml
index 0cc59528..5197bdec 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -143,7 +143,7 @@ spec:
 spec:
 containers:
 - name: cloud-controller-manager
- image: apache/cloudstack-kubernetes-provider:v1.1.0
+ image: pearl1594/cloudstack-kubernetes-provider:latest
 imagePullPolicy: IfNotPresent
 args:
 - --leader-elect=true
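Review bot: `updateNetworkACL` calls `CreateNetworkACL` unconditionally, with no lookup of an existing rule for this ACL/port/protocol first, so every pass through `EnsureLoadBalancer` that reaches the ACL branch appears to add another identical `Allow` entry to the VPC ACL, and the diff adds no deletion counterpart next to `deleteFirewallRule`, so the entries would also outlive the Service. A list-before-create check (whatever `updateFirewallRule` does for the firewall path is not visible in this diff; confirm it and mirror it) and a matching removal on `EnsureLoadBalancerDeleted` are needed before this is safe to reconcile repeatedly. The rule is also built without a cidrlist, so if CloudStack's default applies it admits the port from any source; accepting the Service's source ranges and calling `acl.SetCidrlist(cidrs)` when they are non-empty would carry the restriction through. Minor: on success `err` is nil, so `return true, nil` is clearer than `return true, err`, and both `fmt.Errorf` calls should wrap with `%w` instead of `%s` so callers can inspect the underlying error.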
