

🌱 Allow ESP protocol to be set in IngressRules
Signed-off-by: Vince Prignano <vincepri@redhat.com>
vincepri committed Oct 13, 2023
1 parent f88f0fa commit 9528f42
Showing 6 changed files with 46 additions and 13 deletions.
9 changes: 6 additions & 3 deletions api/v1beta2/network_types.go
Expand Up @@ -590,14 +590,17 @@ var (

// SecurityGroupProtocolICMPv6 represents the ICMPv6 protocol in ingress rules.
SecurityGroupProtocolICMPv6 = SecurityGroupProtocol("58")

// SecurityGroupProtocolESP represents the ESP protocol in ingress rules.
SecurityGroupProtocolESP = SecurityGroupProtocol("50")
)

// IngressRule defines an AWS ingress rule for security groups.
type IngressRule struct {
// Description provides extended information about the ingress rule.
Description string `json:"description"`
// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58"
// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58";"50"
Protocol SecurityGroupProtocol `json:"protocol"`
// FromPort is the start of port range.
FromPort int64 `json:"fromPort"`
Expand Down Expand Up @@ -706,7 +709,7 @@ func (i *IngressRule) Equals(o *IngressRule) bool {
SecurityGroupProtocolICMP,
SecurityGroupProtocolICMPv6:
return i.FromPort == o.FromPort && i.ToPort == o.ToPort
case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP:
case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP, SecurityGroupProtocolESP:
// FromPort / ToPort are not applicable
}

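Review bot: The updated Protocol doc comment still says nothing about ports, even though the Equals branch in the second hunk now treats FromPort/ToPort as "not applicable" for "50" exactly as for "-1" and "4", and the sentence reads oddly with "and" before the second-to-last item. Suggest `// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP), "tcp", "udp", "icmp", "58" (ICMPv6), and "50" (ESP).` and, on the FromPort/ToPort fields, `// FromPort and ToPort are ignored for "-1", "4" and "50"; they only apply to tcp, udp, icmp and "58".` so a user does not assume a port range narrows an ESP, IP-in-IP or all-protocol rule. The generated CRD descriptions in this commit are copied from this comment, so the fix propagates on regeneration. Equals starts before the second hunk and ends after it.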
Expand Up @@ -386,14 +386,15 @@ spec:
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Expand Down Expand Up @@ -1525,14 +1526,16 @@ spec:
protocol:
description: Protocol is the protocol for the ingress
rule. Accepted values are "-1" (all), "4" (IP in
IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
(ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access
Expand Down Expand Up @@ -1969,14 +1972,15 @@ spec:
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Expand Down Expand Up @@ -3121,14 +3125,16 @@ spec:
protocol:
description: Protocol is the protocol for the ingress
rule. Accepted values are "-1" (all), "4" (IP in
IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
(ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access
Expand Up @@ -1029,14 +1029,15 @@ spec:
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Expand Down Expand Up @@ -1189,14 +1190,15 @@ spec:
protocol:
description: Protocol is the protocol for the ingress rule.
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
"udp", "icmp", and "58" (ICMPv6).
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access from.
Expand Down Expand Up @@ -2059,14 +2061,16 @@ spec:
protocol:
description: Protocol is the protocol for the ingress
rule. Accepted values are "-1" (all), "4" (IP in
IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
(ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access
Expand Up @@ -624,14 +624,16 @@ spec:
protocol:
description: Protocol is the protocol for the ingress
rule. Accepted values are "-1" (all), "4" (IP
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
"50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access
Expand Down Expand Up @@ -791,14 +793,16 @@ spec:
protocol:
description: Protocol is the protocol for the ingress
rule. Accepted values are "-1" (all), "4" (IP
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
"50" (ESP).
enum:
- "-1"
- "4"
- tcp
- udp
- icmp
- "58"
- "50"
type: string
sourceSecurityGroupIds:
description: The security group id to allow access
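--- a/pkg/cloud/services/securitygroup/securitygroups.go
+++ b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -680,7 +680,9 @@ func ingressRuleToSDKType(scope scope.SGScope, i *infrav1.IngressRule) (res *ec2
 FromPort: aws.Int64(i.FromPort),
 ToPort: aws.Int64(i.ToPort),
 }
-case infrav1.SecurityGroupProtocolAll, infrav1.SecurityGroupProtocolIPinIP:
+case infrav1.SecurityGroupProtocolIPinIP,
+infrav1.SecurityGroupProtocolESP,
+infrav1.SecurityGroupProtocolAll:
 res = &ec2.IpPermission{
 IpProtocol: aws.String(string(i.Protocol)),
 }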
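Review bot: The new ESP case has no explanation of why FromPort/ToPort are dropped, unlike the matching switch in network_types.go which at least carries `// FromPort / ToPort are not applicable`; suggest adding `// ESP (50), IP-in-IP (4) and "-1" have no port range; AWS ignores FromPort/ToPort for them, so any user-supplied values are intentionally discarded.` above `res = &ec2.IpPermission{`. This matters because a user who sets fromPort/toPort on such a rule expecting it to narrow the permission instead gets one that matches every packet of that protocol (every protocol, for "-1"). Presumably the reverse conversion from an SDK IpPermission back to an IngressRule also treats "50" as port-less, otherwise the reconciler would keep seeing a difference and re-authorizing the rule; that path is not in this hunk and is worth confirming. ingressRuleToSDKType starts before the hunk and ends after it.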
Expand Up @@ -28,6 +28,20 @@ spec:
controlPlaneLoadBalancer:
scheme: internal
network:
cni:
cniIngressRules:
- description: Allow ESP traffic from all nodes in the cluster
protocol: "50"
fromPort: -1
toPort: -1
- description: bgp (calico)
protocol: tcp
fromPort: 179
toPort: 179
- description: IP-in-IP (calico)
protocol: "4"
fromPort: -1
toPort: 65535
subnets:
- id: ${WL_PRIVATE_SUBNET_ID}
vpc:
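Review bot: The two port-less rules in the new cniIngressRules block disagree on placeholder ports — the ESP entry uses `fromPort: -1` / `toPort: -1` while the IP-in-IP entry uses `fromPort: -1` / `toPort: 65535` — although the Equals and ingressRuleToSDKType changes in this same commit ignore ports for both "50" and "4". Use `toPort: -1` on the IP-in-IP rule as well, or a reader will assume the range restricts something. The ESP entry also specifies no sourceSecurityGroupIds, so its description "from all nodes in the cluster" presumably relies on the controller scoping cniIngressRules to the node security group; that is not visible here and should be confirmed, since an unscoped protocol-50 rule would admit IPsec traffic from anywhere the group is reachable. A comment such as `# cniIngressRules are sourced from the node security group by the controller; ports are ignored for protocols "4" and "50"` would make the intent explicit in the template.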
