
Commit bc57b7f

authored
Merge pull request #1592 from jichenjc/bug/1588
✨ Add additional sec group rule for additionalPorts of LB
2 parents 6607d77 + fe3bf7b commit bc57b7f


2 files changed

+33
-0
lines changed

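--- a/pkg/cloud/services/networking/securitygroups.go
+++ b/pkg/cloud/services/networking/securitygroups.go
@@ -121,6 +121,11 @@ func (s *Service) generateDesiredSecGroups(openStackCluster *infrav1.OpenStackCl
 controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneHTTPS()...)
 workerRules = append(workerRules, GetSGWorkerNodePort()...)
 
+// If we set additional ports to LB, we need create secgroup rules those ports, this apply to controlPlaneRules only
+if openStackCluster.Spec.APIServerLoadBalancer.Enabled {
+controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneAdditionalPorts(openStackCluster.Spec.APIServerLoadBalancer.AdditionalPorts)...)
+}
+
 if openStackCluster.Spec.AllowAllInClusterTraffic {
 // Permit all ingress from the cluster security groups
 controlPlaneRules = append(controlPlaneRules, GetSGControlPlaneAllowAll(remoteGroupIDSelf, secWorkerGroupID)...)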
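Review bot: The added block appends the additional-port rules without comparing them with rules already in `controlPlaneRules`, such as those from `GetSGControlPlaneHTTPS()` two lines earlier. If a listed port matches a rule that is already present, the desired set would carry two rules for the same protocol and port, which the network API may reject as a duplicate; filtering such ports before the append would avoid that, though whether it can happen depends on code outside the hunk. The new comment is also hard to read; something like `// When the API server load balancer is enabled, also open its additional ports on the control plane security group; worker rules are unchanged.` says the same thing more clearly. generateDesiredSecGroups starts and ends outside this hunk.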

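--- a/pkg/cloud/services/networking/securitygroups_rules.go
+++ b/pkg/cloud/services/networking/securitygroups_rules.go
@@ -291,6 +291,34 @@ func GetSGWorkerAllowAll(remoteGroupIDSelf, secControlPlaneGroupID string) []inf
 }
 }
 
+// Permit ports that defined in openStackCluster.Spec.APIServerLoadBalancer.AdditionalPorts.
+func GetSGControlPlaneAdditionalPorts(ports []int) []infrav1.SecurityGroupRule {
+controlPlaneRules := []infrav1.SecurityGroupRule{}
+
+r := []infrav1.SecurityGroupRule{
+{
+Description: "Additional ports",
+Direction: "ingress",
+EtherType: "IPv4",
+Protocol: "tcp",
+},
+{
+Description: "Additional ports",
+Direction: "ingress",
+EtherType: "IPv4",
+Protocol: "udp",
+},
+}
+for _, p := range ports {
+r[0].PortRangeMin = p
+r[0].PortRangeMax = p
+r[1].PortRangeMin = p
+r[1].PortRangeMax = p
+controlPlaneRules = append(controlPlaneRules, r...)
+}
+return controlPlaneRules
+}
+
 func GetSGControlPlaneGeneral(remoteGroupIDSelf, secWorkerGroupID string) []infrav1.SecurityGroupRule {
 controlPlaneRules := []infrav1.SecurityGroupRule{}
 controlPlaneRules = append(controlPlaneRules, getSGControlPlaneCommon(remoteGroupIDSelf, secWorkerGroupID)...)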
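Review bot: Neither rule template in `GetSGControlPlaneAdditionalPorts` sets a remote group or remote prefix, so as written each listed port appears to be opened on the control plane group for ingress from any IPv4 source, over UDP as well as TCP. If these ports only need to be reached through the load balancer, consider limiting the source and dropping the UDP template unless a UDP listener is actually created; neither is visible in this hunk. The values in `ports` are also copied into `PortRangeMin`/`PortRangeMax` without a range check, so a guard such as `if p < 1 || p > 65535 { continue }` at the top of the loop would keep malformed entries out of the rule set. The doc comment should start with the function name and state what is opened, e.g. `// GetSGControlPlaneAdditionalPorts returns a TCP and a UDP ingress rule for each port in ports; no remote group or prefix is set.`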
