Add controlPlaneLoadBalancer ACLs

Author: Tomy2e

api/v1beta1/scalewaycluster_types.go

@@ -110,6 +110,14 @@ type LoadBalancerSpec struct {
 	// +kubebuilder:validation:Format=ipv4
 	// +optional
 	IP *string `json:"ip,omitempty"`
+
+	// AllowedRanges allows to set a list of allowed IP ranges that can access
+	// the cluster through the load balancer. When unset, all IP ranges are allowed.
+	// To allow the cluster to work properly, public IPs of nodes and Public
+	// Gateways will automatically be allowed. However, if this field is set,
+	// you MUST manually allow IPs of the nodes of your management cluster.
+	// +optional
+	AllowedRanges []string `json:"allowedRanges,omitempty"`
 }
 
 // ScalewayClusterStatus defines the observed state of ScalewayCluster

api/v1beta1/scalewaycluster_webhook.go

@@ -226,9 +226,20 @@ func (r *ScalewayCluster) enforceImmutability(old *ScalewayCluster) error {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "network"), r.Spec.Network, "field is immutable"))
 	}
 
-	// TODO: allow updating load balancer type when it's implemented.
-	if !reflect.DeepEqual(r.Spec.ControlPlaneLoadBalancer, old.Spec.ControlPlaneLoadBalancer) {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer"), r.Spec.ControlPlaneLoadBalancer, "field is immutable"))
+	if old.Spec.ControlPlaneLoadBalancer == nil {
+		old.Spec.ControlPlaneLoadBalancer = &LoadBalancerSpec{}
+	}
+
+	if r.Spec.ControlPlaneLoadBalancer == nil {
+		r.Spec.ControlPlaneLoadBalancer = &LoadBalancerSpec{}
+	}
+
+	if !reflect.DeepEqual(old.Spec.ControlPlaneLoadBalancer.Zone, r.Spec.ControlPlaneLoadBalancer.Zone) {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "zone"), r.Spec.ControlPlaneLoadBalancer.Zone, "field is immutable"))
+	}
+
+	if !reflect.DeepEqual(old.Spec.ControlPlaneLoadBalancer.IP, r.Spec.ControlPlaneLoadBalancer.IP) {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ip"), r.Spec.ControlPlaneLoadBalancer.IP, "field is immutable"))
 	}
 
 	if allErrs == nil {

api/v1beta1/zz_generated.deepcopy.go

@@ -52,6 +52,16 @@ spec:
               controlPlaneLoadBalancer:
                 description: ControlPlaneLoadBalancer contains loadbalancer options.
                 properties:
+                  allowedRanges:
+                    description: AllowedRanges allows to set a list of allowed IP
+                      ranges that can access the cluster through the load balancer.
+                      When unset, all IP ranges are allowed. To allow the cluster
+                      to work properly, public IPs of nodes and Public Gateways will
+                      automatically be allowed. However, if this field is set, you
+                      MUST manually allow IPs of the nodes of your management cluster.
+                    items:
+                      type: string
+                    type: array
                   ip:
                     description: IP to use when creating a loadbalancer.
                     format: ipv4

config/crd/bases/infrastructure.cluster.x-k8s.io_scalewayclusters.yaml

@@ -68,6 +68,17 @@ spec:
                         description: ControlPlaneLoadBalancer contains loadbalancer
                           options.
                         properties:
+                          allowedRanges:
+                            description: AllowedRanges allows to set a list of allowed
+                              IP ranges that can access the cluster through the load
+                              balancer. When unset, all IP ranges are allowed. To
+                              allow the cluster to work properly, public IPs of nodes
+                              and Public Gateways will automatically be allowed. However,
+                              if this field is set, you MUST manually allow IPs of
+                              the nodes of your management cluster.
+                            items:
+                              type: string
+                            type: array
                           ip:
                             description: IP to use when creating a loadbalancer.
                             format: ipv4

config/crd/bases/infrastructure.cluster.x-k8s.io_scalewayclustertemplates.yaml

@@ -50,6 +50,30 @@ func (c *Client) FindLoadBalancerBackendByNames(ctx context.Context, zone scw.Zo
 	return nil, ErrNoItemFound
 }
 
+func (c *Client) FindLoadBalancerFrontendByNames(ctx context.Context, zone scw.Zone, lbName, frontendName string) (*lb.Frontend, error) {
+	loadbalancer, err := c.FindLoadBalancerByName(ctx, zone, lbName)
+	if err != nil {
+		return nil, err
+	}
+
+	frontends, err := c.LoadBalancer.ListFrontends(&lb.ZonedAPIListFrontendsRequest{
+		Zone: zone,
+		LBID: loadbalancer.ID,
+		Name: scw.StringPtr(frontendName),
+	}, scw.WithAllPages(), scw.WithContext(ctx))
+	if err != nil {
+		return nil, err
+	}
+
+	for _, frontend := range frontends.Frontends {
+		if frontend.Name == frontendName {
+			return frontend, nil
+		}
+	}
+
+	return nil, ErrNoItemFound
+}
+
 func (c *Client) FindLoadBalancerIP(ctx context.Context, zone scw.Zone, ip string) (*lb.IP, error) {
 	ips, err := c.LoadBalancer.ListIPs(&lb.ZonedAPIListIPsRequest{
 		Zone:      zone,
@@ -68,3 +92,22 @@ func (c *Client) FindLoadBalancerIP(ctx context.Context, zone scw.Zone, ip strin
 
 	return nil, ErrNoItemFound
 }
+
+func (c *Client) FindLoadBalancerACLByName(ctx context.Context, zone scw.Zone, frontendID, name string) (*lb.ACL, error) {
+	acls, err := c.LoadBalancer.ListACLs(&lb.ZonedAPIListACLsRequest{
+		Name:       scw.StringPtr(name),
+		Zone:       zone,
+		FrontendID: frontendID,
+	}, scw.WithContext(ctx), scw.WithAllPages())
+	if err != nil {
+		return nil, fmt.Errorf("failed to list ACLs: %w", err)
+	}
+
+	for _, acl := range acls.ACLs {
+		if acl.Name == name {
+			return acl, nil
+		}
+	}
+
+	return nil, ErrNoItemFound
+}

pkg/service/scaleway/client/loadbalancer.go

@@ -66,3 +66,17 @@ func (c *Client) FindGatewayIPByTags(ctx context.Context, zone scw.Zone, tags []
 
 	return ips.IPs[0], nil
 }
+
+func (c *Client) FindGatewaysByPrivateNetworkID(ctx context.Context, zones []scw.Zone, privateNetworkID string) ([]*vpcgw.Gateway, error) {
+	resp, err := c.PublicGateway.ListGateways(&vpcgw.ListGatewaysRequest{
+		PrivateNetworkID: scw.StringPtr(privateNetworkID),
+		Zone:             scw.ZoneFrPar1,
+	}, scw.WithContext(ctx), scw.WithAllPages(), scw.WithZones(zones...))
+	if err != nil {
+		return nil, fmt.Errorf("failed to list public gateways by private network ID: %w", err)
+	}
+
+	gws := make([]*vpcgw.Gateway, 0, len(resp.Gateways))
+	gws = append(gws, resp.Gateways...)
+	return gws, nil
+}

pkg/service/scaleway/client/vpcgw.go

@@ -15,7 +15,7 @@ import (
 	"github.com/scaleway/scaleway-sdk-go/api/lb/v1"
 	"github.com/scaleway/scaleway-sdk-go/api/marketplace/v1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
-	"k8s.io/utils/strings/slices"
+	"golang.org/x/exp/slices"
 	"sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util"
 )
@@ -271,6 +271,66 @@ func (s *Service) ensureServerStarted(ctx context.Context, server *instance.Serv
 	return nil
 }
 
+func (s *Service) ensureLoadBalancerACL(ctx context.Context, publicIP *string) error {
+	frontend, err := s.ScalewayClient.FindLoadBalancerFrontendByNames(
+		ctx,
+		s.Cluster.LoadBalancerZone(),
+		s.Cluster.Name(),
+		loadbalancer.ControlPlaneFrontendName,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to find load balancer frontend: %w", err)
+	}
+
+	acl, err := s.ScalewayClient.FindLoadBalancerACLByName(ctx, s.LoadBalancerZone(), frontend.ID, s.Name())
+	if err != nil && !errors.Is(err, client.ErrNoItemFound) {
+		return fmt.Errorf("failed to find load balancer ACL: %w", err)
+	}
+
+	if publicIP == nil {
+		if acl != nil {
+			if err := s.ScalewayClient.LoadBalancer.DeleteACL(&lb.ZonedAPIDeleteACLRequest{
+				Zone:  s.LoadBalancerZone(),
+				ACLID: acl.ID,
+			}, scw.WithContext(ctx)); err != nil {
+				return fmt.Errorf("failed to delete load balancer ACL: %w", err)
+			}
+		}
+
+		return nil
+	}
+
+	match := scw.StringSlicePtr([]string{*publicIP})
+
+	if acl == nil {
+		_, err := s.ScalewayClient.LoadBalancer.CreateACL(&lb.ZonedAPICreateACLRequest{
+			Zone:       s.LoadBalancerZone(),
+			FrontendID: frontend.ID,
+			Name:       s.Name(),
+			Action:     &lb.ACLAction{Type: lb.ACLActionTypeAllow},
+			Match:      &lb.ACLMatch{IPSubnet: match},
+			Index:      3,
+		}, scw.WithContext(ctx))
+
+		return err
+	}
+
+	if acl.Match == nil || !slices.Equal(match, acl.Match.IPSubnet) {
+		_, err := s.ScalewayClient.LoadBalancer.UpdateACL(&lb.ZonedAPIUpdateACLRequest{
+			Zone:   s.LoadBalancerZone(),
+			ACLID:  acl.ID,
+			Name:   s.Name(),
+			Action: &lb.ACLAction{Type: lb.ACLActionTypeAllow},
+			Match:  &lb.ACLMatch{IPSubnet: match},
+			Index:  3,
+		}, scw.WithContext(ctx))
+
+		return err
+	}
+
+	return nil
+}
+
 func (s *Service) ensureControlPlaneLoadBalancer(ctx context.Context, server *instance.Server, pnic *instance.PrivateNIC, deletion bool) (*machineIPs, error) {
 	if !util.IsControlPlaneMachine(s.Machine.Machine) {
 		return nil, nil
@@ -336,6 +396,10 @@ func (s *Service) Reconcile(ctx context.Context) error {
 		return err
 	}
 
+	if err := s.ensureLoadBalancerACL(ctx, machineIPs.External); err != nil {
+		return err
+	}
+
 	if err := s.ensureCloudInit(ctx, server, machineIPs); err != nil {
 		return err
 	}
@@ -375,6 +439,11 @@ func (s *Service) Delete(ctx context.Context) error {
 		return err
 	}
 
+	// Set publicIP to nil to force deletion.
+	if err := s.ensureLoadBalancerACL(ctx, nil); err != nil && !errors.Is(err, client.ErrNoItemFound) {
+		return err
+	}
+
 	// Remove this control-plane from the loadbalancer.
 	if util.IsControlPlaneMachine(s.Machine.Machine) {
 		var pnic *instance.PrivateNIC