
add support in model build target group
oliviassss committed Sep 15, 2021
1 parent d030084 commit f14f6a5
Showing 5 changed files with 135 additions and 17 deletions.
2 changes: 1 addition & 1 deletion pkg/config/controller_config.go
Expand Up @@ -26,7 +26,7 @@ const (
defaultMaxConcurrentReconciles = 3
defaultMaxExponentialBackoffDelay = time.Second * 1000
defaultSSLPolicy = "ELBSecurityPolicy-2016-08"
defaultDisableRestrictedSGRules = true
defaultDisableRestrictedSGRules = false
defaultEnableBackendSG = true
)

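Review bot: Flipping `defaultDisableRestrictedSGRules` to false turns restricted backend SG rules on for every deployment that does not set the flag, and the constant carries no comment saying what it gates or why the flip is safe now. As far as the other hunks of this commit show, the restricted path previously dereferenced `FromPort`/`ToPort` unguarded while TargetGroupBinding networking carried a nil port, so the old default looks like a workaround for that rather than a policy choice; I'd record it: `// restricted SG rules (per-port ranges rather than all TCP ports) are on by default now that TGB networking carries explicit ports and nil ports are tolerated in computeRestrictedIngressPermissionsPerSG`. This is a behavior change on upgrade for users relying on the old default and should be called out in the release notes.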
36 changes: 23 additions & 13 deletions pkg/ingress/model_build_target_group.go
Expand Up @@ -54,7 +54,7 @@ func (t *defaultModelBuildTask) buildTargetGroupBinding(ctx context.Context, tg

func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context, tg *elbv2model.TargetGroup, svc *corev1.Service, port intstr.IntOrString, nodeSelector *metav1.LabelSelector) elbv2model.TargetGroupBindingResourceSpec {
targetType := elbv2api.TargetType(tg.Spec.TargetType)
tgbNetworking := t.buildTargetGroupBindingNetworking(ctx)
tgbNetworking := t.buildTargetGroupBindingNetworking(ctx, tg.Spec.Port, *tg.Spec.HealthCheckConfig.Port)
return elbv2model.TargetGroupBindingResourceSpec{
Template: elbv2model.TargetGroupBindingTemplate{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -75,7 +75,7 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingSpec(ctx context.Context,
}
}

func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context) *elbv2model.TargetGroupBindingNetworking {
func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Context, targetGroupPort int64, healthCheckPort intstr.IntOrString) *elbv2model.TargetGroupBindingNetworking {
if !t.manageBackendSecurityGroupRules {
return nil
}
Expand All @@ -96,18 +96,28 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingNetworking(ctx context.Co
})
}
protocolTCP := elbv2api.NetworkingProtocolTCP
var networkingPorts []elbv2api.NetworkingPort
var networkingRules []elbv2model.NetworkingIngressRule
port := intstr.FromInt(int(targetGroupPort))
networkingPorts = append(networkingPorts, elbv2api.NetworkingPort{
Protocol: &protocolTCP,
Port: &port,
})

if healthCheckPort.String() != healthCheckPortTrafficPort {
networkingPorts = append(networkingPorts, elbv2api.NetworkingPort{
Protocol: &protocolTCP,
Port: &healthCheckPort,
})
}
for _, port := range networkingPorts {
networkingRules = append(networkingRules, elbv2model.NetworkingIngressRule{
From: networkingPeers,
Ports: []elbv2api.NetworkingPort{port},
})
}
return &elbv2model.TargetGroupBindingNetworking{
Ingress: []elbv2model.NetworkingIngressRule{
{
From: networkingPeers,
Ports: []elbv2api.NetworkingPort{
{
Protocol: &protocolTCP,
Port: nil,
},
},
},
},
Ingress: networkingRules,
}
}

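Review bot: `*tg.Spec.HealthCheckConfig.Port` at the call site in buildTargetGroupBindingSpec is dereferenced unguarded; if the model builder can produce a TargetGroup whose HealthCheckConfig or its Port is nil (not visible from this hunk), the reconciler panics here instead of just omitting the extra rule. If that can happen, resolve it before the call with a nil check on `tg.Spec.HealthCheckConfig` and `.Port`, defaulting to `intstr.FromString(healthCheckPortTrafficPort)`. In buildTargetGroupBindingNetworking the loop `for _, port := range networkingPorts` shadows the `port` declared a few lines above by `intstr.FromInt`; renaming the loop variable (`np`) avoids the shadow and a future misread. When the health-check port is a named port, the second NetworkingPort carries the string form, which the TargetGroupBinding side must be able to resolve before it can become an SG rule; I cannot confirm that from this hunk.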
74 changes: 74 additions & 0 deletions pkg/ingress/model_builder_test.go
Expand Up @@ -516,6 +516,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port":32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -555,6 +556,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port":32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -594,6 +596,22 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 8443,
"protocol":"TCP"
}
]
},
{
"from":[
{
"securityGroup":{
"groupID": "sg-auto"
}
}
],
"ports":[
{
"port": 9090,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -962,6 +980,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1001,6 +1020,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1040,6 +1060,22 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 8443,
"protocol":"TCP"
}
]
},
{
"from":[
{
"securityGroup":{
"groupID": "sg-auto"
}
}
],
"ports":[
{
"port": 9090,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1421,6 +1457,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1460,6 +1497,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1499,6 +1537,22 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 8443,
"protocol":"TCP"
}
]
},
{
"from":[
{
"securityGroup":{
"groupID": "sg-auto"
}
}
],
"ports":[
{
"port": 9090,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1787,6 +1841,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -1826,6 +1881,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -2246,6 +2302,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -2285,6 +2342,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 32768,
"protocol":"TCP"
}
]
Expand Down Expand Up @@ -2324,6 +2382,22 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
],
"ports":[
{
"port": 8443,
"protocol":"TCP"
}
]
},
{
"from":[
{
"securityGroup":{
"groupID": "sg-auto"
}
}
],
"ports":[
{
"port": 9090,
"protocol":"TCP"
}
]
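Review bot: The visible expected outputs cover a numeric health-check port (8443 plus a second 9090 rule) and the traffic-port collapse (a single 32768 rule), but none pins the case where the health-check port is a named port, which buildTargetGroupBindingNetworking now emits as a string-typed NetworkingPort; the hunks are collapsed here, so such a case may exist out of view. If it does not, a case asserting the exact `"ports"` entry produced for a named health-check port would pin that contract, since it is the one input whose SG rule cannot be derived from the model alone.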
11 changes: 8 additions & 3 deletions pkg/targetgroupbinding/networking_manager.go
Expand Up @@ -26,6 +26,8 @@ import (
const (
tgbNetworkingIPPermissionLabelKey = "elbv2.k8s.aws/targetGroupBinding"
tgbNetworkingIPPermissionLabelValue = "shared"
defaultTgbMinPort = int64(0)
defaultTgbMaxPort = int64(65535)
)

// NetworkingManager manages the networking for targetGroupBindings.
Expand Down Expand Up @@ -255,15 +257,18 @@ func (m *defaultNetworkingManager) computeRestrictedIngressPermissionsPerSG(_ co
restrictedPermByProtocolPerSG := make(map[string][]networking.IPPermissionInfo)
for sgID, permsByProtocol := range permsByProtocolPerSG {
for _, protocol := range sets.StringKeySet(permsByProtocol).List() {
minPort, maxPort := int64(65535), int64(0)
minPort, maxPort := defaultTgbMaxPort, defaultTgbMinPort
for _, permission := range permsByProtocol[protocol] {
if *permission.Permission.FromPort < minPort {
if awssdk.Int64Value(permission.Permission.FromPort) > 0 && awssdk.Int64Value(permission.Permission.FromPort) < minPort {
minPort = *permission.Permission.FromPort
}
if *permission.Permission.ToPort > maxPort {
if awssdk.Int64Value(permission.Permission.ToPort) > maxPort {
maxPort = *permission.Permission.ToPort
}
}
if minPort > maxPort {
minPort, maxPort = defaultTgbMinPort, defaultTgbMaxPort
}
restrictedPermByProtocolPerSG[sgID] = append(restrictedPermByProtocolPerSG[sgID], networking.IPPermissionInfo{
Permission: ec2sdk.IpPermission{
IpProtocol: awssdk.String(protocol),
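Review bot: In computeRestrictedIngressPermissionsPerSG the nil-port handling only widens to 0-65535 when every permission for a protocol lacks ports; a nil-port permission mixed with an explicit one (say nil and 8443) is skipped by the `> 0` test and the result is 8443-8443, which silently drops the "all ports" rule the first TargetGroupBinding asked for. `awssdk.Int64Value` also returns 0 for both nil and an explicit port 0, so an explicit 0-65535 range merged with 8443 would come out as 8443-65535. Checking the pointers for nil and letting an unset port dominate the range fixes both; the `minPort > maxPort` fallback then only has to cover an empty permission list. Keep in mind (pre-existing, not introduced here) that the result is a single contiguous range per protocol, so rules for 8443 and 9090 on the same SG also open 8444-9089, which the new per-port TGB rules now make a realistic input.
```go
for _, protocol := range sets.StringKeySet(permsByProtocol).List() {
    minPort, maxPort := defaultTgbMaxPort, defaultTgbMinPort
    for _, permission := range permsByProtocol[protocol] {
        fromPort, toPort := permission.Permission.FromPort, permission.Permission.ToPort
        if fromPort == nil || toPort == nil {
            // an unset port means "all ports" for this protocol and dominates any explicit range
            minPort, maxPort = defaultTgbMinPort, defaultTgbMaxPort
            break
        }
        if *fromPort < minPort {
            minPort = *fromPort
        }
        if *toPort > maxPort {
            maxPort = *toPort
        }
    }
    if minPort > maxPort { // no permissions at all for this protocol
        minPort, maxPort = defaultTgbMinPort, defaultTgbMaxPort
    }
    // … unchanged: append restricted IpPermission for sgID/protocol …
```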
29 changes: 29 additions & 0 deletions pkg/targetgroupbinding/networking_manager_test.go
Expand Up @@ -1093,6 +1093,35 @@ func Test_defaultNetworkingManager_computeRestrictedIngressPermissionsPerSG(t *t
},
},
},
{
name: "port is nil",
fields: fields{
ingressPermissionsPerSGByTGB: map[types.NamespacedName]map[string][]networking.IPPermissionInfo{
types.NamespacedName{Namespace: "ns-1", Name: "tgb-1"}: {
"sg-a": {
{
Permission: ec2sdk.IpPermission{
IpProtocol: awssdk.String("tcp"),
FromPort: nil,
ToPort: nil,
},
},
},
},
},
},
want: map[string][]networking.IPPermissionInfo{
"sg-a": {
{
Permission: ec2sdk.IpPermission{
IpProtocol: awssdk.String("tcp"),
FromPort: awssdk.Int64(0),
ToPort: awssdk.Int64(65535),
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
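Review bot: The new "port is nil" case pins only the all-nil input, so it does not exercise the merge in computeRestrictedIngressPermissionsPerSG that the networking_manager.go hunk changes most: a nil-port permission alongside an explicit port from a second TargetGroupBinding on the same SG. As written that input yields the explicit port alone, so a case with `FromPort: nil, ToPort: nil` under tgb-1 and `FromPort: awssdk.Int64(8443), ToPort: awssdk.Int64(8443)` under tgb-2 for "sg-a" would document whether narrowing to 8443-8443 or widening to 0-65535 is the intended outcome. A case with an explicit `FromPort: awssdk.Int64(0)` is also worth adding, since the `> 0` check treats it the same as nil.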
