
Commit 9528f42

committed
🌱 Allow ESP protocol to be set in IngressRules
Signed-off-by: Vince Prignano <[email protected]>
1 parent f88f0fa commit 9528f42


6 files changed

+46
-13
lines changed


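--- a/api/v1beta2/network_types.go
+++ b/api/v1beta2/network_types.go
@@ -590,14 +590,17 @@ var (
 
 	// SecurityGroupProtocolICMPv6 represents the ICMPv6 protocol in ingress rules.
 	SecurityGroupProtocolICMPv6 = SecurityGroupProtocol("58")
+
+	// SecurityGroupProtocolESP represents the ESP protocol in ingress rules.
+	SecurityGroupProtocolESP = SecurityGroupProtocol("50")
 )
 
 // IngressRule defines an AWS ingress rule for security groups.
 type IngressRule struct {
 	// Description provides extended information about the ingress rule.
 	Description string `json:"description"`
-	// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
-	// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58"
+	// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
+	// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58";"50"
 	Protocol SecurityGroupProtocol `json:"protocol"`
 	// FromPort is the start of port range.
 	FromPort int64 `json:"fromPort"`
@@ -706,7 +709,7 @@ func (i *IngressRule) Equals(o *IngressRule) bool {
 		SecurityGroupProtocolICMP,
 		SecurityGroupProtocolICMPv6:
 		return i.FromPort == o.FromPort && i.ToPort == o.ToPort
-	case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP:
+	case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP, SecurityGroupProtocolESP:
 		// FromPort / ToPort are not applicable
 	}
 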
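Review bot: The rewritten doc comment on Protocol now reads `and "58" (ICMPv6), "50" (ESP)`, which puts the conjunction before the wrong item; suggest `"58" (ICMPv6), and "50" (ESP)` — since this comment is what controller-gen copies into the five CRD `description` fields touched in this commit, fixing it here and regenerating corrects all of them at once. The new constant's comment would be more useful if it stated why `Equals` (second hunk) lumps ESP with "-1" and "4": `// SecurityGroupProtocolESP represents the ESP protocol (IP protocol 50) in ingress rules; port ranges do not apply to it.`. Because the enum now admits "50" while FromPort/ToPort are ignored for it, a rule that sets a real port range with protocol "50" will be accepted and silently compared as equal to one without — if a validating webhook checks port ranges per protocol (not visible in this commit), it should treat "50" like "4" and "-1". Both the `var (` block and `Equals` begin outside the hunks shown.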

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

Lines changed: 10 additions & 4 deletions
@@ -386,14 +386,15 @@ spec:
386386
protocol:
387387
description: Protocol is the protocol for the ingress rule.
388388
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
389-
"udp", "icmp", and "58" (ICMPv6).
389+
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
390390
enum:
391391
- "-1"
392392
- "4"
393393
- tcp
394394
- udp
395395
- icmp
396396
- "58"
397+
- "50"
397398
type: string
398399
sourceSecurityGroupIds:
399400
description: The security group id to allow access from.
@@ -1525,14 +1526,16 @@ spec:
15251526
protocol:
15261527
description: Protocol is the protocol for the ingress
15271528
rule. Accepted values are "-1" (all), "4" (IP in
1528-
IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
1529+
IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
1530+
(ESP).
15291531
enum:
15301532
- "-1"
15311533
- "4"
15321534
- tcp
15331535
- udp
15341536
- icmp
15351537
- "58"
1538+
- "50"
15361539
type: string
15371540
sourceSecurityGroupIds:
15381541
description: The security group id to allow access
@@ -1969,14 +1972,15 @@ spec:
19691972
protocol:
19701973
description: Protocol is the protocol for the ingress rule.
19711974
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
1972-
"udp", "icmp", and "58" (ICMPv6).
1975+
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
19731976
enum:
19741977
- "-1"
19751978
- "4"
19761979
- tcp
19771980
- udp
19781981
- icmp
19791982
- "58"
1983+
- "50"
19801984
type: string
19811985
sourceSecurityGroupIds:
19821986
description: The security group id to allow access from.
@@ -3121,14 +3125,16 @@ spec:
31213125
protocol:
31223126
description: Protocol is the protocol for the ingress
31233127
rule. Accepted values are "-1" (all), "4" (IP in
3124-
IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
3128+
IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
3129+
(ESP).
31253130
enum:
31263131
- "-1"
31273132
- "4"
31283133
- tcp
31293134
- udp
31303135
- icmp
31313136
- "58"
3137+
- "50"
31323138
type: string
31333139
sourceSecurityGroupIds:
31343140
description: The security group id to allow access

config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml

Lines changed: 7 additions & 3 deletions
@@ -1029,14 +1029,15 @@ spec:
10291029
protocol:
10301030
description: Protocol is the protocol for the ingress rule.
10311031
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
1032-
"udp", "icmp", and "58" (ICMPv6).
1032+
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
10331033
enum:
10341034
- "-1"
10351035
- "4"
10361036
- tcp
10371037
- udp
10381038
- icmp
10391039
- "58"
1040+
- "50"
10401041
type: string
10411042
sourceSecurityGroupIds:
10421043
description: The security group id to allow access from.
@@ -1189,14 +1190,15 @@ spec:
11891190
protocol:
11901191
description: Protocol is the protocol for the ingress rule.
11911192
Accepted values are "-1" (all), "4" (IP in IP),"tcp",
1192-
"udp", "icmp", and "58" (ICMPv6).
1193+
"udp", "icmp", and "58" (ICMPv6), "50" (ESP).
11931194
enum:
11941195
- "-1"
11951196
- "4"
11961197
- tcp
11971198
- udp
11981199
- icmp
11991200
- "58"
1201+
- "50"
12001202
type: string
12011203
sourceSecurityGroupIds:
12021204
description: The security group id to allow access from.
@@ -2059,14 +2061,16 @@ spec:
20592061
protocol:
20602062
description: Protocol is the protocol for the ingress
20612063
rule. Accepted values are "-1" (all), "4" (IP in
2062-
IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
2064+
IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
2065+
(ESP).
20632066
enum:
20642067
- "-1"
20652068
- "4"
20662069
- tcp
20672070
- udp
20682071
- icmp
20692072
- "58"
2073+
- "50"
20702074
type: string
20712075
sourceSecurityGroupIds:
20722076
description: The security group id to allow access

config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml

Lines changed: 6 additions & 2 deletions
@@ -624,14 +624,16 @@ spec:
624624
protocol:
625625
description: Protocol is the protocol for the ingress
626626
rule. Accepted values are "-1" (all), "4" (IP
627-
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
627+
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
628+
"50" (ESP).
628629
enum:
629630
- "-1"
630631
- "4"
631632
- tcp
632633
- udp
633634
- icmp
634635
- "58"
636+
- "50"
635637
type: string
636638
sourceSecurityGroupIds:
637639
description: The security group id to allow access
@@ -791,14 +793,16 @@ spec:
791793
protocol:
792794
description: Protocol is the protocol for the ingress
793795
rule. Accepted values are "-1" (all), "4" (IP
794-
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
796+
in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
797+
"50" (ESP).
795798
enum:
796799
- "-1"
797800
- "4"
798801
- tcp
799802
- udp
800803
- icmp
801804
- "58"
805+
- "50"
802806
type: string
803807
sourceSecurityGroupIds:
804808
description: The security group id to allow access

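--- a/pkg/cloud/services/securitygroup/securitygroups.go
+++ b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -680,7 +680,9 @@ func ingressRuleToSDKType(scope scope.SGScope, i *infrav1.IngressRule) (res *ec2
 			FromPort: aws.Int64(i.FromPort),
 			ToPort: aws.Int64(i.ToPort),
 		}
-	case infrav1.SecurityGroupProtocolAll, infrav1.SecurityGroupProtocolIPinIP:
+	case infrav1.SecurityGroupProtocolIPinIP,
+		infrav1.SecurityGroupProtocolESP,
+		infrav1.SecurityGroupProtocolAll:
 		res = &ec2.IpPermission{
 			IpProtocol: aws.String(string(i.Protocol)),
 		}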

test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml

Lines changed: 14 additions & 0 deletions
@@ -28,6 +28,20 @@ spec:
2828
controlPlaneLoadBalancer:
2929
scheme: internal
3030
network:
31+
cni:
32+
cniIngressRules:
33+
- description: Allow ESP traffic from all nodes in the cluster
34+
protocol: "50"
35+
fromPort: -1
36+
toPort: -1
37+
- description: bgp (calico)
38+
protocol: tcp
39+
fromPort: 179
40+
toPort: 179
41+
- description: IP-in-IP (calico)
42+
protocol: "4"
43+
fromPort: -1
44+
toPort: 65535
3145
subnets:
3246
- id: ${WL_PRIVATE_SUBNET_ID}
3347
vpc:
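Review bot: The three new cniIngressRules are inconsistent in how they express "ports not applicable": the ESP rule uses `fromPort: -1` / `toPort: -1`, while the IP-in-IP rule uses `fromPort: -1` / `toPort: 65535`. Both are ignored for protocols "50" and "4" by the code in this commit, so the fixture works either way, but the asymmetry suggests the 65535 value means something; using `toPort: -1` for the IP-in-IP rule too (matching the ESP rule) would make the intent of the template clearer. The `network:` block continues past the end of this hunk.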
