Merge pull request #5005 from alexander-demicev/natgatwaysipsingress

k8s-ci-robot · web-flow · commit 7ab0780c89fe · 2024-06-20T07:27:33.000-07:00
✨ Add natgatewayips as source for ingress rules
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awscluster_webhook.go b/api/v1beta2/awscluster_webhook.go
@@ -264,9 +264,7 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 	}
 
 	for _, rule := range r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules {
-		if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
-		}
+		allErrs = append(allErrs, r.validateIngressRule(rule)...)
 	}
 
 	if r.Spec.NetworkSpec.VPC.ElasticIPPool != nil {
@@ -323,9 +321,7 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		}
 
 		for _, rule := range cp.IngressRules {
-			if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
-				allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
-			}
+			allErrs = append(allErrs, r.validateIngressRule(rule)...)
 		}
 	}
 
@@ -367,11 +363,19 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {
 		}
 	}
 
-	for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {
+	return allErrs
+}
+
+func (r *AWSCluster) validateIngressRule(rule IngressRule) field.ErrorList {
+	var allErrs field.ErrorList
+	if rule.NatGatewaysIPsSource {
+		if rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil || rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
+		}
+	} else {
 		if (rule.CidrBlocks != nil || rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil || rule.SourceSecurityGroupRoles != nil) {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))
 		}
 	}
-
 	return allErrs
 }
diff --git a/api/v1beta2/awscluster_webhook_test.go b/api/v1beta2/awscluster_webhook_test.go
@@ -408,6 +408,59 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "rejects ingress rules with cidr block, source security group id, role and nat gateway IP source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:                 SecurityGroupProtocolTCP,
+								IPv6CidrBlocks:           []string{"test"},
+								SourceSecurityGroupIDs:   []string{"test"},
+								SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
+								NatGatewaysIPsSource:     true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects ingress rules with source security role and nat gateway IP source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:                 SecurityGroupProtocolTCP,
+								SourceSecurityGroupRoles: []SecurityGroupRole{SecurityGroupBastion},
+								NatGatewaysIPsSource:     true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "rejects ingress rules with cidr block and nat gateway IP source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:             SecurityGroupProtocolTCP,
+								IPv6CidrBlocks:       []string{"test"},
+								NatGatewaysIPsSource: true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "accepts ingress rules with cidr block",
 			cluster: &AWSCluster{
@@ -424,6 +477,22 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "accepts ingress rules with nat gateway IPs source",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					ControlPlaneLoadBalancer: &AWSLoadBalancerSpec{
+						IngressRules: []IngressRule{
+							{
+								Protocol:             SecurityGroupProtocolTCP,
+								NatGatewaysIPsSource: true,
+							},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "accepts ingress rules with source security group role",
 			cluster: &AWSCluster{
diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
@@ -930,6 +930,10 @@ type IngressRule struct {
 	// The field will be combined with source security group IDs if specified.
 	// +optional
 	SourceSecurityGroupRoles []SecurityGroupRole `json:"sourceSecurityGroupRoles,omitempty"`
+
+	// NatGatewaysIPsSource use the NAT gateways IPs as the source for the ingress rule.
+	// +optional
+	NatGatewaysIPsSource bool `json:"natGatewaysIPsSource,omitempty"`
 }
 
 // String returns a string representation of the ingress rule.
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -393,6 +393,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        natGatewaysIPsSource:
+                          description: NatGatewaysIPsSource use the NAT gateways IPs
+                            as the source for the ingress rule.
+                          type: boolean
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
@@ -1920,6 +1924,10 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              natGatewaysIPsSource:
+                                description: NatGatewaysIPsSource use the NAT gateways
+                                  IPs as the source for the ingress rule.
+                                type: boolean
                               protocol:
                                 description: Protocol is the protocol for the ingress
                                   rule. Accepted values are "-1" (all), "4" (IP in
@@ -2376,6 +2384,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        natGatewaysIPsSource:
+                          description: NatGatewaysIPsSource use the NAT gateways IPs
+                            as the source for the ingress rule.
+                          type: boolean
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
@@ -3916,6 +3928,10 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              natGatewaysIPsSource:
+                                description: NatGatewaysIPsSource use the NAT gateways
+                                  IPs as the source for the ingress rule.
+                                type: boolean
                               protocol:
                                 description: Protocol is the protocol for the ingress
                                   rule. Accepted values are "-1" (all), "4" (IP in
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -1164,6 +1164,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        natGatewaysIPsSource:
+                          description: NatGatewaysIPsSource use the NAT gateways IPs
+                            as the source for the ingress rule.
+                          type: boolean
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
@@ -1329,6 +1333,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        natGatewaysIPsSource:
+                          description: NatGatewaysIPsSource use the NAT gateways IPs
+                            as the source for the ingress rule.
+                          type: boolean
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
@@ -1943,6 +1951,10 @@ spec:
                           items:
                             type: string
                           type: array
+                        natGatewaysIPsSource:
+                          description: NatGatewaysIPsSource use the NAT gateways IPs
+                            as the source for the ingress rule.
+                          type: boolean
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
@@ -2866,6 +2878,10 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              natGatewaysIPsSource:
+                                description: NatGatewaysIPsSource use the NAT gateways
+                                  IPs as the source for the ingress rule.
+                                type: boolean
                               protocol:
                                 description: Protocol is the protocol for the ingress
                                   rule. Accepted values are "-1" (all), "4" (IP in
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -756,6 +756,10 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                natGatewaysIPsSource:
+                                  description: NatGatewaysIPsSource use the NAT gateways
+                                    IPs as the source for the ingress rule.
+                                  type: boolean
                                 protocol:
                                   description: Protocol is the protocol for the ingress
                                     rule. Accepted values are "-1" (all), "4" (IP
@@ -925,6 +929,10 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                natGatewaysIPsSource:
+                                  description: NatGatewaysIPsSource use the NAT gateways
+                                    IPs as the source for the ingress rule.
+                                  type: boolean
                                 protocol:
                                   description: Protocol is the protocol for the ingress
                                     rule. Accepted values are "-1" (all), "4" (IP
@@ -1544,6 +1552,10 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                natGatewaysIPsSource:
+                                  description: NatGatewaysIPsSource use the NAT gateways
+                                    IPs as the source for the ingress rule.
+                                  type: boolean
                                 protocol:
                                   description: Protocol is the protocol for the ingress
                                     rule. Accepted values are "-1" (all), "4" (IP
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -592,7 +592,12 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 			rules = append(rules, s.defaultSSHIngressRule(s.scope.SecurityGroups()[infrav1.SecurityGroupBastion].ID))
 		}
 
-		rules = append(rules, s.processIngressRulesSGs(s.scope.AdditionalControlPlaneIngressRules())...)
+		additionalIngressRules, err := s.processIngressRulesSGs(s.scope.AdditionalControlPlaneIngressRules())
+		if err != nil {
+			return nil, err
+		}
+
+		rules = append(rules, additionalIngressRules...)
 
 		return append(cniRules, rules...), nil
 
@@ -639,7 +644,10 @@ func (s *Service) getSecurityGroupIngressRules(role infrav1.SecurityGroupRole) (
 		return infrav1.IngressRules{}, nil
 	case infrav1.SecurityGroupAPIServerLB:
 		kubeletRules := s.getIngressRulesToAllowKubeletToAccessTheControlPlaneLB()
-		customIngressRules := s.processIngressRulesSGs(s.getControlPlaneLBIngressRules())
+		customIngressRules, err := s.processIngressRulesSGs(s.getControlPlaneLBIngressRules())
+		if err != nil {
+			return nil, err
+		}
 		rulesToApply := customIngressRules.Difference(kubeletRules)
 		return append(kubeletRules, rulesToApply...), nil
 	case infrav1.SecurityGroupLB:
@@ -964,10 +972,25 @@ func (s *Service) getIngressRuleToAllowVPCCidrInTheAPIServer() infrav1.IngressRu
 	}
 }
 
-func (s *Service) processIngressRulesSGs(ingressRules []infrav1.IngressRule) infrav1.IngressRules {
+func (s *Service) processIngressRulesSGs(ingressRules []infrav1.IngressRule) (infrav1.IngressRules, error) {
 	output := []infrav1.IngressRule{}
 
 	for _, rule := range ingressRules {
+		if rule.NatGatewaysIPsSource { // if the rule has NatGatewaysIPsSource set to true, use the NAT Gateway IPs as the source
+			natGatewaysCidrs := []string{}
+			natGatewaysIPs := s.scope.GetNatGatewaysIPs()
+			for _, ip := range natGatewaysIPs {
+				natGatewaysCidrs = append(natGatewaysCidrs, fmt.Sprintf("%s/32", ip))
+			}
+			if len(natGatewaysIPs) > 0 {
+				rule.CidrBlocks = natGatewaysCidrs
+				output = append(output, rule)
+				continue
+			}
+
+			return nil, errors.New("NAT Gateway IPs are not available yet")
+		}
+
 		if len(rule.CidrBlocks) != 0 || len(rule.IPv6CidrBlocks) != 0 { // don't set source security group if cidr blocks are set
 			output = append(output, rule)
 			continue
@@ -988,5 +1011,5 @@ func (s *Service) processIngressRulesSGs(ingressRules []infrav1.IngressRule) inf
 		output = append(output, rule)
 	}
 
-	return output
+	return output, nil
 }
diff --git a/pkg/cloud/services/securitygroup/securitygroups_test.go b/pkg/cloud/services/securitygroup/securitygroups_test.go

Original file line number	Diff line number	Diff line change
`@@ -264,9 +264,7 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {`
`264`	`264`	`}`
`265`	`265`
`266`	`266`	`for _, rule := range r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules {`
`267`		`- if (rule.CidrBlocks != nil \|\| rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil \|\| rule.SourceSecurityGroupRoles != nil) {`
`268`		`- allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))`
`269`		`- }`
	`267`	`+ allErrs = append(allErrs, r.validateIngressRule(rule)...)`
`270`	`268`	`}`
`271`	`269`
`272`	`270`	`if r.Spec.NetworkSpec.VPC.ElasticIPPool != nil {`
`@@ -323,9 +321,7 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {`
`323`	`321`	`}`
`324`	`322`
`325`	`323`	`for _, rule := range cp.IngressRules {`
`326`		`- if (rule.CidrBlocks != nil \|\| rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil \|\| rule.SourceSecurityGroupRoles != nil) {`
`327`		`- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))`
`328`		`- }`
	`324`	`+ allErrs = append(allErrs, r.validateIngressRule(rule)...)`
`329`	`325`	`}`
`330`	`326`	`}`
`331`	`327`
`@@ -367,11 +363,19 @@ func (r *AWSCluster) validateControlPlaneLBs() field.ErrorList {`
`367`	`363`	`}`
`368`	`364`	`}`
`369`	`365`
`370`		`- for _, rule := range r.Spec.ControlPlaneLoadBalancer.IngressRules {`
	`366`	`+ return allErrs`
	`367`	`+}`
	`368`	`+`
	`369`	`+func (r *AWSCluster) validateIngressRule(rule IngressRule) field.ErrorList {`
	`370`	`+ var allErrs field.ErrorList`
	`371`	`+ if rule.NatGatewaysIPsSource {`
	`372`	`+ if rule.CidrBlocks != nil \|\| rule.IPv6CidrBlocks != nil \|\| rule.SourceSecurityGroupIDs != nil \|\| rule.SourceSecurityGroupRoles != nil {`
	`373`	`+ allErrs = append(allErrs, field.Invalid(field.NewPath("additionalControlPlaneIngressRules"), r.Spec.NetworkSpec.AdditionalControlPlaneIngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))`
	`374`	`+ }`
	`375`	`+ } else {`
`371`	`376`	`if (rule.CidrBlocks != nil \|\| rule.IPv6CidrBlocks != nil) && (rule.SourceSecurityGroupIDs != nil \|\| rule.SourceSecurityGroupRoles != nil) {`
`372`	`377`	`allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "controlPlaneLoadBalancer", "ingressRules"), r.Spec.ControlPlaneLoadBalancer.IngressRules, "CIDR blocks and security group IDs or security group roles cannot be used together"))`
`373`	`378`	`}`
`374`	`379`	`}`
`375`		`-`
`376`	`380`	`return allErrs`
`377`	`381`	`}`