
Commit b072c8b

committed
Add support for new SGR protocols in PowerVS
The latest vpc-go-sdk introduces two new security group rule protocol types: 'any' and 'individual'. This commit adds full compatibility for these new protocols in the PowerVS implementation.
1 parent d3d97e2 commit b072c8b


4 files changed

+57
-22
lines changed


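--- a/api/powervs/v1beta2/types.go
+++ b/api/powervs/v1beta2/types.go
@@ -285,6 +285,9 @@ var (
 )
 
 const (
+// VPCSecurityGroupRuleProtocolAnyType is a string representation of the 'SecurityGroupRuleProtocolAny' type.
+VPCSecurityGroupRuleProtocolAnyType = "*vpcv1.SecurityGroupRuleProtocolAny"
+
 // VPCSecurityGroupRuleProtocolIcmptcpudpType is a string representation of the 'SecurityGroupRuleProtocolIcmptcpudp' type.
 VPCSecurityGroupRuleProtocolIcmptcpudpType = "*vpcv1.SecurityGroupRuleProtocolIcmptcpudp"
 
@@ -293,6 +296,9 @@ const (
 
 // VPCSecurityGroupRuleProtocolTcpudpType is a string representation of the 'SecurityGroupRuleSecurityGroupRuleProtocolTcpudp' type.
 VPCSecurityGroupRuleProtocolTcpudpType = "*vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolTcpudp"
+
+// VPCSecurityGroupRuleProtocolIndividualType is a string representation of the 'SecurityGroupRuleProtocolIndividual' type.
+VPCSecurityGroupRuleProtocolIndividualType = "*vpcv1.SecurityGroupRuleProtocolIndividual"
 )
 
 // VPCSecurityGroupRuleAction represents the actions for a Security Group Rule.
@@ -318,10 +324,12 @@ const (
 )
 
 // VPCSecurityGroupRuleProtocol represents the protocols for a Security Group Rule.
-// +kubebuilder:validation:Enum=icmp_tcp_udp;icmp;tcp;udp
+// +kubebuilder:validation:Pattern=`^(any|icmp_tcp_udp|icmp|tcp|udp|ah|esp|gre|ip_in_ip|l2tp|rsvp|sctp|vrrp|number_(?:0|2|3|5|[7-9]|1[0-6]|1[8-9]|[2-3][0-9]|4[0-5]|4[89]|5[2-9]|[6-9][0-9]|10[0-9]|11[0-1]|11[3-4]|11[6-9]|12[0-9]|13[0-1]|13[3-9]|1[4-9][0-9]|2[0-4][0-9]|25[0-5]))$`
 type VPCSecurityGroupRuleProtocol string
 
 const (
+// VPCSecurityGroupRuleProtocolAny defines the Rule is for any network protocols.
+VPCSecurityGroupRuleProtocolAny VPCSecurityGroupRuleProtocol = vpcv1.NetworkACLRuleProtocolAnyConst
 // VPCSecurityGroupRuleProtocolIcmpTCPUDP defines the Rule is for ICMP, TCP and UDP protocols.
 VPCSecurityGroupRuleProtocolIcmpTCPUDP VPCSecurityGroupRuleProtocol = vpcv1.NetworkACLRuleProtocolIcmpTCPUDPConst
 // VPCSecurityGroupRuleProtocolIcmp defiens the Rule is for ICMP network protocol.
@@ -447,6 +455,7 @@ type VPCSecurityGroupRuleRemote struct {
 // VPCSecurityGroupRulePrototype defines a VPC Security Group Rule's traffic specifics for a series of remotes (destinations or sources).
 // +kubebuilder:validation:XValidation:rule="self.protocol != 'icmp' ? (!has(self.icmpCode) && !has(self.icmpType)) : true",message="icmpCode and icmpType are only supported for VPCSecurityGroupRuleProtocolIcmp protocol"
 // +kubebuilder:validation:XValidation:rule="self.protocol == 'icmp' ? !has(self.portRange) : true",message="portRange is not valid for VPCSecurityGroupRuleProtocolIcmp protocol"
+// +kubebuilder:validation:XValidation:rule="(self.protocol != 'tcp' && self.protocol != 'udp') ? !has(self.portRange) : true",message="portRange is not valid for protocol"
 // +kubebuilder:validation:XValidation:rule="self.protocol == 'icmp_tcp_udp' ? !has(self.portRange) : true",message="portRange is not valid for VPCSecurityGroupRuleProtocolIcmpTCPUDP protocol"
 type VPCSecurityGroupRulePrototype struct {
 // icmpCode is the ICMP code for the Rule.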
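Review bot: The `number_` alternative in the new Pattern marker skips 1, 4, 6, 17, 46, 47, 50, 51, 112, 115 and 132, which appear to be exactly the protocol numbers that have a named form in the same pattern (icmp, ip_in_ip, tcp, udp, rsvp, gre, esp, ah, vrrp, l2tp, sctp), but nothing says so and the regex is hard to read, so a later maintainer is likely to "fix" the gaps; a comment above the marker would help: `// number_N is rejected for protocol numbers that have a named form in this pattern (1 icmp, 4 ip_in_ip, 6 tcp, 17 udp, 46 rsvp, 47 gre, 50 esp, 51 ah, 112 vrrp, 115 l2tp, 132 sctp); use the name instead.` Only `any` gets a Go constant while the other newly accepted names (ah, esp, gre, ...) and `number_N` have none, so Go callers must spell them as raw strings; either add constants or state that in the doc comment on `VPCSecurityGroupRuleProtocol`. The added XValidation rule `(self.protocol != 'tcp' && self.protocol != 'udp') ? !has(self.portRange) : true` makes the existing icmp and icmp_tcp_udp portRange rules redundant, and its message would read better as `portRange is only valid for tcp and udp protocols`. Since `any` covers every protocol, the doc comment on `VPCSecurityGroupRuleProtocolAny` could warn that paired with an open remote it permits all traffic in that direction.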

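--- a/cloud/scope/powervs/powervs_cluster.go
+++ b/cloud/scope/powervs/powervs_cluster.go
@@ -1462,6 +1462,9 @@ func (s *ClusterScope) createVPCSecurityGroupRule(ctx context.Context, securityG
 }
 
 switch reflect.TypeOf(ruleIntf).String() {
+case infrav1.VPCSecurityGroupRuleProtocolAnyType:
+rule := ruleIntf.(*vpcv1.SecurityGroupRuleProtocolAny)
+ruleID = rule.ID
 case infrav1.VPCSecurityGroupRuleProtocolIcmptcpudpType:
 rule := ruleIntf.(*vpcv1.SecurityGroupRuleProtocolIcmptcpudp)
 ruleID = rule.ID
@@ -1471,6 +1474,9 @@ func (s *ClusterScope) createVPCSecurityGroupRule(ctx context.Context, securityG
 case infrav1.VPCSecurityGroupRuleProtocolIcmpType:
 rule := ruleIntf.(*vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolIcmp)
 ruleID = rule.ID
+case infrav1.VPCSecurityGroupRuleProtocolIndividualType:
+rule := ruleIntf.(*vpcv1.SecurityGroupRuleProtocolIndividual)
+ruleID = rule.ID
 }
 log.Info("Created VPC security group rule", "ruleID", *ruleID)
 return ruleID, nil
@@ -1600,7 +1606,7 @@ func (s *ClusterScope) validateVPCSecurityGroupRuleRemote(originalSGRemote *vpcv
 }
 
 // validateSecurityGroupRule compares a specific security group's rule with the spec and existing security group's rule.
-func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vpcv1.SecurityGroupRuleIntf, direction infrav1.VPCSecurityGroupRuleDirection, rule *infrav1.VPCSecurityGroupRulePrototype, remote infrav1.VPCSecurityGroupRuleRemote) (ruleID *string, match bool, err error) {
+func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vpcv1.SecurityGroupRuleIntf, direction infrav1.VPCSecurityGroupRuleDirection, rule *infrav1.VPCSecurityGroupRulePrototype, remote infrav1.VPCSecurityGroupRuleRemote) (ruleID *string, match bool, err error) { //nolint: gocyclo
 updateError := func(e error) {
 err = fmt.Errorf("failed to validate VPC security group rule's remote: %w", e)
 }
@@ -1609,6 +1615,18 @@ func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vp
 
 for _, ogRuleIntf := range originalSecurityGroupRules {
 switch reflect.TypeOf(ogRuleIntf).String() {
+case infrav1.VPCSecurityGroupRuleProtocolAnyType:
+ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolAny)
+ruleID = ogRule.ID
+
+if *ogRule.Direction == string(direction) && *ogRule.Protocol == protocol {
+ogRemote := ogRule.Remote.(*vpcv1.SecurityGroupRuleRemote)
+match, err = s.validateVPCSecurityGroupRuleRemote(ogRemote, remote)
+if err != nil {
+updateError(err)
+return nil, false, err
+}
+}
 case infrav1.VPCSecurityGroupRuleProtocolIcmptcpudpType:
 ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolIcmptcpudp)
 ruleID = ogRule.ID
@@ -1649,6 +1667,18 @@ func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vp
 return nil, false, err
 }
 }
+case infrav1.VPCSecurityGroupRuleProtocolIndividualType:
+ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolIndividual)
+ruleID = ogRule.ID
+
+if *ogRule.Direction == string(direction) && *ogRule.Protocol == protocol {
+ogRemote := ogRule.Remote.(*vpcv1.SecurityGroupRuleRemote)
+match, err = s.validateVPCSecurityGroupRuleRemote(ogRemote, remote)
+if err != nil {
+updateError(err)
+return nil, false, err
+}
+}
 }
 if match {
 return ruleID, match, nil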
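Review bot: The new `any` and `individual` cases in validateSecurityGroupRule take `ogRule.Remote.(*vpcv1.SecurityGroupRuleRemote)` with a single-value type assertion and dereference `ogRule.Direction` and `ogRule.Protocol` without a nil check, so a rule whose remote the SDK decodes into a different concrete type, or a rule with a nil field, panics the reconciler instead of returning an error; the existing cases they mirror have the same shape, so this predates the commit, but the new cases are the place to stop copying it. Use the two-value assertion and guard the pointers, as below for the `any` case (the `individual` case is identical). The switch in createVPCSecurityGroupRule likewise still has no `default:`, so a rule type the SDK adds later leaves `ruleID` nil and the `*ruleID` in the log call panics; a `default: return nil, fmt.Errorf("unexpected security group rule type %T", ruleIntf)` would turn that into a reconcile error. validateSecurityGroupRule begins in the third hunk but its body continues past the last one.
```go
case infrav1.VPCSecurityGroupRuleProtocolAnyType:
	ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolAny)
	ruleID = ogRule.ID

	if ogRule.Direction != nil && ogRule.Protocol != nil && *ogRule.Direction == string(direction) && *ogRule.Protocol == protocol {
		ogRemote, ok := ogRule.Remote.(*vpcv1.SecurityGroupRuleRemote)
		if !ok {
			updateError(fmt.Errorf("unexpected remote type %T on security group rule", ogRule.Remote))
			return nil, false, err
		}
		// … unchanged: validateVPCSecurityGroupRuleRemote call and its error handling …
	}
```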

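--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_ibmpowervsclusters.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_ibmpowervsclusters.yaml
@@ -701,11 +701,7 @@ spec:
 protocol:
 description: protocol defines the traffic protocol
 used for the Security Group Rule.
-enum:
-- icmp_tcp_udp
-- icmp
-- tcp
-- udp
+pattern: ^(any|icmp_tcp_udp|icmp|tcp|udp|ah|esp|gre|ip_in_ip|l2tp|rsvp|sctp|vrrp|number_(?:0|2|3|5|[7-9]|1[0-6]|1[8-9]|[2-3][0-9]|4[0-5]|4[89]|5[2-9]|[6-9][0-9]|10[0-9]|11[0-1]|11[3-4]|11[6-9]|12[0-9]|13[0-1]|13[3-9]|1[4-9][0-9]|2[0-4][0-9]|25[0-5]))$
 type: string
 remotes:
 description: |-
@@ -780,6 +776,9 @@ spec:
 protocol
 rule: 'self.protocol == ''icmp'' ? !has(self.portRange)
 : true'
+- message: portRange is not valid for protocol
+rule: '(self.protocol != ''tcp'' && self.protocol !=
+''udp'') ? !has(self.portRange) : true'
 - message: portRange is not valid for VPCSecurityGroupRuleProtocolIcmpTCPUDP
 protocol
 rule: 'self.protocol == ''icmp_tcp_udp'' ? !has(self.portRange)
@@ -838,11 +837,7 @@ spec:
 protocol:
 description: protocol defines the traffic protocol
 used for the Security Group Rule.
-enum:
-- icmp_tcp_udp
-- icmp
-- tcp
-- udp
+pattern: ^(any|icmp_tcp_udp|icmp|tcp|udp|ah|esp|gre|ip_in_ip|l2tp|rsvp|sctp|vrrp|number_(?:0|2|3|5|[7-9]|1[0-6]|1[8-9]|[2-3][0-9]|4[0-5]|4[89]|5[2-9]|[6-9][0-9]|10[0-9]|11[0-1]|11[3-4]|11[6-9]|12[0-9]|13[0-1]|13[3-9]|1[4-9][0-9]|2[0-4][0-9]|25[0-5]))$
 type: string
 remotes:
 description: |-
@@ -917,6 +912,9 @@ spec:
 protocol
 rule: 'self.protocol == ''icmp'' ? !has(self.portRange)
 : true'
+- message: portRange is not valid for protocol
+rule: '(self.protocol != ''tcp'' && self.protocol !=
+''udp'') ? !has(self.portRange) : true'
 - message: portRange is not valid for VPCSecurityGroupRuleProtocolIcmpTCPUDP
 protocol
 rule: 'self.protocol == ''icmp_tcp_udp'' ? !has(self.portRange)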

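--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_ibmpowervsclustertemplates.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_ibmpowervsclustertemplates.yaml
@@ -739,11 +739,7 @@ spec:
 protocol:
 description: protocol defines the traffic
 protocol used for the Security Group Rule.
-enum:
-- icmp_tcp_udp
-- icmp
-- tcp
-- udp
+pattern: ^(any|icmp_tcp_udp|icmp|tcp|udp|ah|esp|gre|ip_in_ip|l2tp|rsvp|sctp|vrrp|number_(?:0|2|3|5|[7-9]|1[0-6]|1[8-9]|[2-3][0-9]|4[0-5]|4[89]|5[2-9]|[6-9][0-9]|10[0-9]|11[0-1]|11[3-4]|11[6-9]|12[0-9]|13[0-1]|13[3-9]|1[4-9][0-9]|2[0-4][0-9]|25[0-5]))$
 type: string
 remotes:
 description: |-
@@ -821,6 +817,9 @@ spec:
 protocol
 rule: 'self.protocol == ''icmp'' ? !has(self.portRange)
 : true'
+- message: portRange is not valid for protocol
+rule: '(self.protocol != ''tcp'' && self.protocol
+!= ''udp'') ? !has(self.portRange) : true'
 - message: portRange is not valid for VPCSecurityGroupRuleProtocolIcmpTCPUDP
 protocol
 rule: 'self.protocol == ''icmp_tcp_udp'' ? !has(self.portRange)
@@ -880,11 +879,7 @@ spec:
 protocol:
 description: protocol defines the traffic
 protocol used for the Security Group Rule.
-enum:
-- icmp_tcp_udp
-- icmp
-- tcp
-- udp
+pattern: ^(any|icmp_tcp_udp|icmp|tcp|udp|ah|esp|gre|ip_in_ip|l2tp|rsvp|sctp|vrrp|number_(?:0|2|3|5|[7-9]|1[0-6]|1[8-9]|[2-3][0-9]|4[0-5]|4[89]|5[2-9]|[6-9][0-9]|10[0-9]|11[0-1]|11[3-4]|11[6-9]|12[0-9]|13[0-1]|13[3-9]|1[4-9][0-9]|2[0-4][0-9]|25[0-5]))$
 type: string
 remotes:
 description: |-
@@ -962,6 +957,9 @@ spec:
 protocol
 rule: 'self.protocol == ''icmp'' ? !has(self.portRange)
 : true'
+- message: portRange is not valid for protocol
+rule: '(self.protocol != ''tcp'' && self.protocol
+!= ''udp'') ? !has(self.portRange) : true'
 - message: portRange is not valid for VPCSecurityGroupRuleProtocolIcmpTCPUDP
 protocol
 rule: 'self.protocol == ''icmp_tcp_udp'' ? !has(self.portRange)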
