Merge pull request #4552 from vincepri/allow-esp-port

k8s-ci-robot · web-flow · commit a2e7360e1bad · 2023-10-16T17:02:24.000+02:00
🌱 Allow ESP protocol to be set in IngressRules
diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
@@ -590,14 +590,17 @@ var (
 
 	// SecurityGroupProtocolICMPv6 represents the ICMPv6 protocol in ingress rules.
 	SecurityGroupProtocolICMPv6 = SecurityGroupProtocol("58")
+
+	// SecurityGroupProtocolESP represents the ESP protocol in ingress rules.
+	SecurityGroupProtocolESP = SecurityGroupProtocol("50")
 )
 
 // IngressRule defines an AWS ingress rule for security groups.
 type IngressRule struct {
 	// Description provides extended information about the ingress rule.
 	Description string `json:"description"`
-	// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
-	// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58"
+	// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
+	// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58";"50"
 	Protocol SecurityGroupProtocol `json:"protocol"`
 	// FromPort is the start of port range.
 	FromPort int64 `json:"fromPort"`
@@ -706,7 +709,7 @@ func (i *IngressRule) Equals(o *IngressRule) bool {
 		SecurityGroupProtocolICMP,
 		SecurityGroupProtocolICMPv6:
 		return i.FromPort == o.FromPort && i.ToPort == o.ToPort
-	case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP:
+	case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP, SecurityGroupProtocolESP:
 		// FromPort / ToPort are not applicable
 	}
 
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -386,14 +386,15 @@ spec:
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
-                            "udp", "icmp", and "58" (ICMPv6).
+                            "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
                           enum:
                           - "-1"
                           - "4"
                           - tcp
                           - udp
                           - icmp
                           - "58"
+                          - "50"
                           type: string
                         sourceSecurityGroupIds:
                           description: The security group id to allow access from.
@@ -1525,14 +1526,16 @@ spec:
                               protocol:
                                 description: Protocol is the protocol for the ingress
                                   rule. Accepted values are "-1" (all), "4" (IP in
-                                  IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+                                  IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
+                                  (ESP).
                                 enum:
                                 - "-1"
                                 - "4"
                                 - tcp
                                 - udp
                                 - icmp
                                 - "58"
+                                - "50"
                                 type: string
                               sourceSecurityGroupIds:
                                 description: The security group id to allow access
@@ -1969,14 +1972,15 @@ spec:
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
-                            "udp", "icmp", and "58" (ICMPv6).
+                            "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
                           enum:
                           - "-1"
                           - "4"
                           - tcp
                           - udp
                           - icmp
                           - "58"
+                          - "50"
                           type: string
                         sourceSecurityGroupIds:
                           description: The security group id to allow access from.
@@ -3121,14 +3125,16 @@ spec:
                               protocol:
                                 description: Protocol is the protocol for the ingress
                                   rule. Accepted values are "-1" (all), "4" (IP in
-                                  IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+                                  IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
+                                  (ESP).
                                 enum:
                                 - "-1"
                                 - "4"
                                 - tcp
                                 - udp
                                 - icmp
                                 - "58"
+                                - "50"
                                 type: string
                               sourceSecurityGroupIds:
                                 description: The security group id to allow access
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -1057,14 +1057,15 @@ spec:
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
-                            "udp", "icmp", and "58" (ICMPv6).
+                            "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
                           enum:
                           - "-1"
                           - "4"
                           - tcp
                           - udp
                           - icmp
                           - "58"
+                          - "50"
                           type: string
                         sourceSecurityGroupIds:
                           description: The security group id to allow access from.
@@ -1217,14 +1218,15 @@ spec:
                         protocol:
                           description: Protocol is the protocol for the ingress rule.
                             Accepted values are "-1" (all), "4" (IP in IP),"tcp",
-                            "udp", "icmp", and "58" (ICMPv6).
+                            "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
                           enum:
                           - "-1"
                           - "4"
                           - tcp
                           - udp
                           - icmp
                           - "58"
+                          - "50"
                           type: string
                         sourceSecurityGroupIds:
                           description: The security group id to allow access from.
@@ -2087,14 +2089,16 @@ spec:
                               protocol:
                                 description: Protocol is the protocol for the ingress
                                   rule. Accepted values are "-1" (all), "4" (IP in
-                                  IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+                                  IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
+                                  (ESP).
                                 enum:
                                 - "-1"
                                 - "4"
                                 - tcp
                                 - udp
                                 - icmp
                                 - "58"
+                                - "50"
                                 type: string
                               sourceSecurityGroupIds:
                                 description: The security group id to allow access
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -653,14 +653,16 @@ spec:
                                 protocol:
                                   description: Protocol is the protocol for the ingress
                                     rule. Accepted values are "-1" (all), "4" (IP
-                                    in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+                                    in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
+                                    "50" (ESP).
                                   enum:
                                   - "-1"
                                   - "4"
                                   - tcp
                                   - udp
                                   - icmp
                                   - "58"
+                                  - "50"
                                   type: string
                                 sourceSecurityGroupIds:
                                   description: The security group id to allow access
@@ -820,14 +822,16 @@ spec:
                                 protocol:
                                   description: Protocol is the protocol for the ingress
                                     rule. Accepted values are "-1" (all), "4" (IP
-                                    in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+                                    in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
+                                    "50" (ESP).
                                   enum:
                                   - "-1"
                                   - "4"
                                   - tcp
                                   - udp
                                   - icmp
                                   - "58"
+                                  - "50"
                                   type: string
                                 sourceSecurityGroupIds:
                                   description: The security group id to allow access
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -703,7 +703,9 @@ func ingressRuleToSDKType(scope scope.SGScope, i *infrav1.IngressRule) (res *ec2
 			FromPort:   aws.Int64(i.FromPort),
 			ToPort:     aws.Int64(i.ToPort),
 		}
-	case infrav1.SecurityGroupProtocolAll, infrav1.SecurityGroupProtocolIPinIP:
+	case infrav1.SecurityGroupProtocolIPinIP,
+		infrav1.SecurityGroupProtocolESP,
+		infrav1.SecurityGroupProtocolAll:
 		res = &ec2.IpPermission{
 			IpProtocol: aws.String(string(i.Protocol)),
 		}
diff --git a/test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml b/test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml
@@ -28,6 +28,20 @@ spec:
   controlPlaneLoadBalancer:
     scheme: internal
   network:
+    cni:
+      cniIngressRules:
+      - description: Allow ESP traffic from all nodes in the cluster
+        protocol: "50"
+        fromPort: -1
+        toPort: -1
+      - description: bgp (calico)
+        protocol:    tcp
+        fromPort:    179
+        toPort:      179
+      - description: IP-in-IP (calico)
+        protocol:    "4"
+        fromPort:    -1
+        toPort:      65535
     subnets:
     - id: ${WL_PRIVATE_SUBNET_ID}
     vpc:

Original file line number	Diff line number	Diff line change
`@@ -703,7 +703,9 @@ func ingressRuleToSDKType(scope scope.SGScope, i infrav1.IngressRule) (res ec2`
`703`	`703`	`FromPort: aws.Int64(i.FromPort),`
`704`	`704`	`ToPort: aws.Int64(i.ToPort),`
`705`	`705`	`}`
`706`		`- case infrav1.SecurityGroupProtocolAll, infrav1.SecurityGroupProtocolIPinIP:`
	`706`	`+ case infrav1.SecurityGroupProtocolIPinIP,`
	`707`	`+ infrav1.SecurityGroupProtocolESP,`
	`708`	`+ infrav1.SecurityGroupProtocolAll:`
`707`	`709`	`res = &ec2.IpPermission{`
`708`	`710`	`IpProtocol: aws.String(string(i.Protocol)),`
`709`	`711`	`}`