From 19f66fc6230921704f92725df592fd152600dca7 Mon Sep 17 00:00:00 2001 From: fahad-rauf Date: Fri, 17 Jul 2020 17:09:25 +0200 Subject: [PATCH 1/6] add support for security group filter type --- configs/config.yaml | 1 + .../configWithIncorrectFilterType.yaml | 19 ++ configs/testConfigs/correctAwsGitConfig.yaml | 1 + .../correctAwsGitConfigWithSG.yaml | 19 ++ .../correctAwsKubernetesConfig.yaml | 1 + configs/testConfigs/noIpProviderConfig.yaml | 1 + configs/testConfigs/noProviderConfig.yaml | 1 + internal/pkg/config/config.go | 13 +- internal/pkg/config/config_test.go | 57 +++- internal/pkg/config/filterType.go | 53 ++++ internal/pkg/providers/aws/aws.go | 260 ++---------------- .../pkg/providers/aws/ec2IpPermissions.go | 96 +++++++ .../pkg/providers/aws/securityGroupFetcher.go | 95 +++++++ .../pkg/providers/aws/securityGroupUpdator.go | 98 +++++++ internal/pkg/providers/provider.go | 3 +- internal/pkg/tasks/tasks.go | 21 +- 16 files changed, 487 insertions(+), 252 deletions(-) create mode 100644 configs/testConfigs/configWithIncorrectFilterType.yaml create mode 100644 configs/testConfigs/correctAwsGitConfigWithSG.yaml create mode 100644 internal/pkg/config/filterType.go create mode 100644 internal/pkg/providers/aws/ec2IpPermissions.go create mode 100644 internal/pkg/providers/aws/securityGroupFetcher.go create mode 100644 internal/pkg/providers/aws/securityGroupUpdator.go diff --git a/configs/config.yaml b/configs/config.yaml index a2024e9..b5b838c 100644 --- a/configs/config.yaml +++ b/configs/config.yaml @@ -1,5 +1,6 @@ syncInterval: 10s filter: + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/configWithIncorrectFilterType.yaml b/configs/testConfigs/configWithIncorrectFilterType.yaml new file mode 100644 index 0000000..f722d57 --- /dev/null +++ b/configs/testConfigs/configWithIncorrectFilterType.yaml @@ -0,0 +1,19 @@ +syncInterval: 10s +filter: + filterType: InCorrectType + labelName: whitelister + labelValue: true +ipProviders: + - name: kubernetes + params: + FromPort: 0 + ToPort: 65535 + IpProtocol: tcp +provider: + name: aws + params: + KeepRuleDescriptionPrefix: "DO NOT REMOVE -" + RemoveRule: true + RoleArn: "arn:aws:iam::111111111111:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" + Region: us-west-2 + \ No newline at end of file diff --git a/configs/testConfigs/correctAwsGitConfig.yaml b/configs/testConfigs/correctAwsGitConfig.yaml index 9fdb138..1a7277f 100644 --- a/configs/testConfigs/correctAwsGitConfig.yaml +++ b/configs/testConfigs/correctAwsGitConfig.yaml @@ -1,5 +1,6 @@ syncInterval: 10s filter: + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsGitConfigWithSG.yaml b/configs/testConfigs/correctAwsGitConfigWithSG.yaml new file mode 100644 index 0000000..ed2d052 --- /dev/null +++ b/configs/testConfigs/correctAwsGitConfigWithSG.yaml @@ -0,0 +1,19 @@ +syncInterval: 10s +filter: + filterType: SecurityGroup + labelName: whitelister + labelValue: true +ipProviders: + - name: git + params: + AccessToken: "access-token" + URL: "http://github.com/stakater/whitelister-config.git" + Config: "config.yaml" +provider: + name: aws + params: + KeepRuleDescriptionPrefix: "DO NOT REMOVE -" + RemoveRule: true + RoleArn: "arn:aws:iam::111111111111:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" + Region: us-west-2 + \ No newline at end of file diff --git a/configs/testConfigs/correctAwsKubernetesConfig.yaml b/configs/testConfigs/correctAwsKubernetesConfig.yaml index 76b33ad..b341191 100644 --- a/configs/testConfigs/correctAwsKubernetesConfig.yaml +++ b/configs/testConfigs/correctAwsKubernetesConfig.yaml @@ -1,5 +1,6 @@ syncInterval: 10s filter: + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/noIpProviderConfig.yaml b/configs/testConfigs/noIpProviderConfig.yaml index e586c4d..6901b8a 100644 --- a/configs/testConfigs/noIpProviderConfig.yaml +++ b/configs/testConfigs/noIpProviderConfig.yaml @@ -1,4 +1,5 @@ syncInterval: 10s filter: + filterType: LoadBalancer labelName: whitelister labelValue: true \ No newline at end of file diff --git a/configs/testConfigs/noProviderConfig.yaml b/configs/testConfigs/noProviderConfig.yaml index 3b94169..8819cff 100644 --- a/configs/testConfigs/noProviderConfig.yaml +++ b/configs/testConfigs/noProviderConfig.yaml @@ -1,5 +1,6 @@ syncInterval: 10s filter: + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go index a24a21a..48dd7a4 100644 --- a/internal/pkg/config/config.go +++ b/internal/pkg/config/config.go @@ -10,10 +10,10 @@ import ( // Config which would be read from the config.yaml type Config struct { - SyncInterval string `yaml:"syncInterval"` - IpProviders []IpProvider `yaml:"ipProviders"` - Provider Provider `yaml:"provider"` - Filter Filter `yaml:"filter"` + SyncInterval string `yaml:"syncInterval"` + IpProviders []IpProvider `yaml:"ipProviders"` + Provider Provider `yaml:"provider"` + Filter Filter `yaml:"filter"` } // IpProvider that the controller will be using to gather whitelist IPs @@ -30,8 +30,9 @@ type Provider struct { // Filter that will be used to filter resources on the provider type Filter struct { - LabelName string `yaml:"labelName"` - LabelValue string `yaml:"labelValue"` + FilterType FilterType `yaml:"filterType"` + LabelName string `yaml:"labelName"` + LabelValue string `yaml:"labelValue"` } // ReadConfig function that reads the yaml file diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go index 032a1da..8ea3766 100644 --- a/internal/pkg/config/config_test.go +++ b/internal/pkg/config/config_test.go @@ -1,6 +1,7 @@ package config import ( + "errors" "reflect" "testing" ) @@ -14,10 +15,11 @@ func TestReadConfig(t *testing.T) { filePath string } tests := []struct { - name string - args args - want Config - wantErr bool + name string + args args + want Config + wantErr bool + errValue error }{ { name: "TestingWithCorrectValues", @@ -44,11 +46,49 @@ func TestReadConfig(t *testing.T) { }, }, Filter: Filter{ + FilterType: LoadBalancer, LabelName: "whitelister", LabelValue: "true", }, }, }, + { + name: "TestingWithCorrectValuesForSecurityGroupFilter", + args: args{filePath: configFilePath + "correctAwsGitConfigWithSG.yaml"}, + want: Config{ + SyncInterval: "10s", + IpProviders: []IpProvider{ + { + Name: "git", + Params: map[interface{}]interface{}{ + "AccessToken": "access-token", + "URL": "http://github.com/stakater/whitelister-config.git", + "Config": "config.yaml", + }, + }, + }, + Provider: Provider{ + Name: "aws", + Params: map[interface{}]interface{}{ + "RoleArn": "arn:aws:iam::111111111111:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", + "Region": "us-west-2", + "RemoveRule": true, + "KeepRuleDescriptionPrefix": "DO NOT REMOVE -", + }, + }, + Filter: Filter{ + FilterType: SecurityGroup, + LabelName: "whitelister", + LabelValue: "true", + }, + }, + }, + { + name: "TestingWithIncorrectFilterType", + args: args{filePath: configFilePath + "configWithIncorrectFilterType.yaml"}, + wantErr: true, + errValue: errors.New("incorrect FilterType :InCorrectType provided"), + }, { name: "TestingWithEmptyFile", args: args{filePath: configFilePath + "Empty.yaml"}, @@ -63,10 +103,17 @@ func TestReadConfig(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := ReadConfig(tt.args.filePath) - if (err != nil) != tt.wantErr { + if err == nil && tt.wantErr { t.Errorf("ReadConfig() error = %v, wantErr %v", err, tt.wantErr) return } + if err != nil && tt.wantErr && tt.errValue != nil { + if err.Error() != tt.errValue.Error() { + t.Errorf("ReadConfig() error %v, wantErr %v", err, tt.errValue) + return + } + return + } if !reflect.DeepEqual(got, tt.want) { t.Errorf("ReadConfig() = %v, want %v", got, tt.want) } diff --git a/internal/pkg/config/filterType.go b/internal/pkg/config/filterType.go new file mode 100644 index 0000000..819ff59 --- /dev/null +++ b/internal/pkg/config/filterType.go @@ -0,0 +1,53 @@ +package config + +import "fmt" + +type FilterType int + +const ( + LoadBalancer FilterType = iota + SecurityGroup +) + +func (filterType FilterType) String() string { + filterTypes := [...]string{ + "LoadBalancer", + "SecurityGroup", + } + + if filterType < LoadBalancer || filterType > SecurityGroup { + return "Unknown" + } + + return filterTypes[filterType] +} + +func toFilterType(s string) (u FilterType, err error) { + switch s { + case "LoadBalancer": + u = LoadBalancer + + case "SecurityGroup": + u = SecurityGroup + + default: + err = fmt.Errorf("incorrect FilterType :%s provided", s) + } + return +} + +func (filterType *FilterType) UnmarshalYAML(unmarshal func(interface{}) error) error { + var value string + + if err := unmarshal(&value); err != nil { + return err + } + + FilterType, err := toFilterType(value) + if err != nil { + return err + } + *filterType = FilterType + + return nil +} diff --git a/internal/pkg/providers/aws/aws.go b/internal/pkg/providers/aws/aws.go index 72806a0..4fabb5a 100644 --- a/internal/pkg/providers/aws/aws.go +++ b/internal/pkg/providers/aws/aws.go @@ -2,14 +2,10 @@ package aws import ( "errors" - "regexp" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/ec2" - "github.com/aws/aws-sdk-go/service/elb" "github.com/mitchellh/mapstructure" "github.com/sirupsen/logrus" @@ -24,33 +20,30 @@ type Aws struct { KeepRuleDescriptionPrefix string } -var vpcFilter = "vpc-id" -var groupFilter = "group-name" - // GetName Returns name of provider func (a *Aws) GetName() string { return "Amazon Web Services" } -// Init initializes the Aws Provider Configuration like Access Token and Reion +// Init initializes the Aws Provider Configuration like Access Token and Region func (a *Aws) Init(params map[interface{}]interface{}) error { err := mapstructure.Decode(params, &a) //Converts the params to Aws struct fields if err != nil { return err } if a.RoleArn == "" || a.Region == "" { - return errors.New("Missing Aws Assume Role ARN or Region") + return errors.New("missing Aws Assume Role ARN or Region") } return nil } // WhiteListIps - Get List of IP addresses to whitelist -func (a *Aws) WhiteListIps(resourceIds []string, ipPermissions []utils.IpPermission) error { +func (a *Aws) WhiteListIpsByLoadBalancer(resourceIds []string, ipPermissions []utils.IpPermission) error { - // Initial credentials loaded from SDK's default credential chain. Such as + // Initial credentials loaded default credential chain from SDK. Such as // the environment, shared credentials (~/.aws/credentials), or EC2 Instance // Role. These credentials will be used to to make the STS Assume Role API. - session, err := session.NewSession() + awsSession, err := session.NewSession() if err != nil { logrus.Errorf("%v", err) return err @@ -58,9 +51,9 @@ func (a *Aws) WhiteListIps(resourceIds []string, ipPermissions []utils.IpPermiss // Create the credentials from AssumeRoleProvider to assume the role // referenced by the "myRoleARN" ARN. - roleCredentials := stscreds.NewCredentials(session, a.RoleArn) + roleCredentials := stscreds.NewCredentials(awsSession, a.RoleArn) - securityGroups, err := a.getSecurityGroups(session, roleCredentials, resourceIds) + securityGroups, err := a.getSecurityGroupsByLoadBalancer(awsSession, roleCredentials, resourceIds) if err != nil { logrus.Errorf("%v", err) return err @@ -73,247 +66,48 @@ func (a *Aws) WhiteListIps(resourceIds []string, ipPermissions []utils.IpPermiss ec2IpPermissions := getEc2IpPermissions(ipPermissions) - ec2Client := ec2.New(session, &aws.Config{ + ec2Client := ec2.New(awsSession, &aws.Config{ Credentials: roleCredentials, Region: aws.String(a.Region), }) for _, securityGroup := range securityGroups { - a.updateSecurityGroup(ec2Client, securityGroup, ec2IpPermissions) + err := a.updateSecurityGroup(ec2Client, securityGroup, ec2IpPermissions) + if err != nil { + logrus.Errorf("%v", err) + } } return nil } -func (a *Aws) getSecurityGroups(session *session.Session, credentials *credentials.Credentials, - resourceIds []string) ([]*ec2.SecurityGroup, error) { - - // Create an ELB service client. - elbClient := elb.New(session, &aws.Config{ - Credentials: credentials, - Region: aws.String(a.Region), - }) +func (a *Aws) WhiteListIpsBySecurityGroup(filterLabel []string, ipPermissions []utils.IpPermission) error { - result, err := elbClient.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{ - LoadBalancerNames: aws.StringSlice(resourceIds), - }) + awsSession, err := session.NewSession() if err != nil { logrus.Errorf("%v", err) - return nil, err - } - - if len(result.LoadBalancerDescriptions) == 0 { - return nil, errors.New("No Load Balancer Found with AWS") - } - - securityGroupNames := []*string{} - for _, loadBalancerDescription := range result.LoadBalancerDescriptions { - securityGroupNames = append(securityGroupNames, loadBalancerDescription.SourceSecurityGroup.GroupName) + return err } + roleCredentials := stscreds.NewCredentials(awsSession, a.RoleArn) - ec2Client := ec2.New(session, &aws.Config{ - Credentials: credentials, - Region: aws.String(a.Region), - }) - - securityGroupResult, err := ec2Client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{ - Filters: []*ec2.Filter{ - { - Name: &vpcFilter, - Values: []*string{result.LoadBalancerDescriptions[0].VPCId}, - }, - { - Name: &groupFilter, - Values: securityGroupNames, - }, - }, - }) - + securityGroups, err := a.getSecurityGroupsByTagFilter(awsSession, roleCredentials, filterLabel) if err != nil { logrus.Errorf("%v", err) - return nil, err - } - - return securityGroupResult.SecurityGroups, nil -} - -func (a *Aws) updateSecurityGroup(client *ec2.EC2, securityGroup *ec2.SecurityGroup, - ipPermissions []*ec2.IpPermission) error { - - if a.RemoveRule { - a.removeSecurityRules(client, securityGroup, ipPermissions) - } - addSecurityRules(client, securityGroup, ipPermissions) - - return nil -} - -func (a *Aws) removeSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, - ipPermissions []*ec2.IpPermission) { - var removeIpPermission bool - ipPermissionsToRemove := []*ec2.IpPermission{} - - securityGroupFilteredIpPermissions := a.filterIpPermissions(securityGroup.IpPermissions) - - for _, securityGroupIpPermission := range securityGroupFilteredIpPermissions { - removeIpPermission = true - for _, ipPermission := range ipPermissions { - if utils.IsEc2IpPermissionEqual(ipPermission, securityGroupIpPermission) { - removeIpPermission = false - break - } - } - if removeIpPermission { - ipPermissionsToRemove = append(ipPermissionsToRemove, securityGroupIpPermission) - } - } - - if len(ipPermissionsToRemove) > 0 { - logrus.Infof("Removing security rules : %v for security group :%s", ipPermissionsToRemove, *securityGroup.GroupName) - err := removeSecurityGroupIngresses(client, securityGroup, ipPermissionsToRemove) - if err != nil { - logrus.Errorf("Error removing security rules for security group %s : %v", *securityGroup.GroupName, err) - } - } else { - logrus.Infof("No security rules to remove for security group : %s", *securityGroup.GroupName) - } -} - -func (a *Aws) filterIpPermissions(ipPermissions []*ec2.IpPermission) []*ec2.IpPermission { - - filteredIpPermissions := []*ec2.IpPermission{} - - for _, ipPermission := range ipPermissions { - ipPermission.IpRanges = a.filterIpRanges(ipPermission.IpRanges) - ipPermission.Ipv6Ranges = a.filterIpv6Ranges(ipPermission.Ipv6Ranges) - //Must be checked otherwise all security rules are removed for a certain port range and protocol - if len(ipPermission.IpRanges) != 0 || len(ipPermission.Ipv6Ranges) != 0 { - filteredIpPermissions = append(filteredIpPermissions, ipPermission) - } - } - - if len(filteredIpPermissions) == 0 { - return nil - } - - return filteredIpPermissions -} - -func (a *Aws) filterIpRanges(ipRanges []*ec2.IpRange) []*ec2.IpRange { - - reg, _ := regexp.Compile(a.KeepRuleDescriptionPrefix + ".*$") - filteredIpRanges := []*ec2.IpRange{} - - for _, ipRange := range ipRanges { - if ipRange.Description == nil || !reg.MatchString(*ipRange.Description) { - filteredIpRanges = append(filteredIpRanges, ipRange) - } - } - - if len(filteredIpRanges) == 0 { - return nil - } - - return filteredIpRanges -} - -func (a *Aws) filterIpv6Ranges(ipv6Ranges []*ec2.Ipv6Range) []*ec2.Ipv6Range { - - reg, _ := regexp.Compile(a.KeepRuleDescriptionPrefix + ".*$") - filteredIpv6Ranges := []*ec2.Ipv6Range{} - - for _, ipv6Range := range ipv6Ranges { - if ipv6Range.Description == nil || !reg.MatchString(*ipv6Range.Description) { - filteredIpv6Ranges = append(filteredIpv6Ranges, ipv6Range) - } - } - - if len(filteredIpv6Ranges) == 0 { - return nil + return err } - return filteredIpv6Ranges -} + ec2IpPermissions := getEc2IpPermissions(ipPermissions) -func addSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, - ipPermissions []*ec2.IpPermission) { - var ipPermissionExists bool - ipPermissionsToAdd := []*ec2.IpPermission{} + ec2Client := ec2.New(awsSession, &aws.Config{ + Credentials: roleCredentials, + Region: aws.String(a.Region), + }) - for _, ipPermission := range ipPermissions { - ipPermissionExists = false - for _, securityGroupIpPermission := range securityGroup.IpPermissions { - if utils.IsEc2IpPermissionEqual(ipPermission, securityGroupIpPermission) { - ipPermissionExists = true - break - } - } - if !ipPermissionExists { - ipPermissionsToAdd = append(ipPermissionsToAdd, ipPermission) - } - } - if len(ipPermissionsToAdd) > 0 { - logrus.Infof("Adding security rules : %v for security group :%s", ipPermissionsToAdd, *securityGroup.GroupName) - err := addSecurityGroupIngresses(client, securityGroup, ipPermissionsToAdd) + for _, securityGroup := range securityGroups { + err := a.updateSecurityGroup(ec2Client, securityGroup, ec2IpPermissions) if err != nil { - logrus.Errorf("Error adding security rules for security group %s : %v", *securityGroup.GroupName, err) + logrus.Errorf("%v", err) } - } else { - logrus.Infof("No security rules to add for security group : %s", *securityGroup.GroupName) } + return nil } - -func removeSecurityGroupIngresses(client *ec2.EC2, securityGroup *ec2.SecurityGroup, - ipPermissions []*ec2.IpPermission) error { - - _, err := client.RevokeSecurityGroupIngress(&ec2.RevokeSecurityGroupIngressInput{ - GroupId: securityGroup.GroupId, - IpPermissions: ipPermissions, - }) - - return err -} - -func addSecurityGroupIngresses(client *ec2.EC2, securityGroup *ec2.SecurityGroup, - ipPermissions []*ec2.IpPermission) error { - - _, err := client.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{ - GroupId: securityGroup.GroupId, - IpPermissions: ipPermissions, - }) - - return err -} - -func getEc2IpPermissions(ipPermissions []utils.IpPermission) []*ec2.IpPermission { - - ec2IpPermissions := []*ec2.IpPermission{} - for _, ipPermission := range ipPermissions { - ec2IpPermissions = append(ec2IpPermissions, - (&ec2.IpPermission{}). - SetIpProtocol(*ipPermission.IpProtocol). - SetFromPort(*ipPermission.FromPort). - SetToPort(*ipPermission.ToPort). - SetIpRanges(getEc2IpRanges(ipPermission.IpRanges)), - ) - } - - return ec2IpPermissions -} - -func getEc2IpRanges(ipRanges []*utils.IpRange) []*ec2.IpRange { - - if ipRanges == nil { - return nil - } - - ec2IpRanges := []*ec2.IpRange{} - - for _, ipRange := range ipRanges { - ec2IpRanges = append(ec2IpRanges, &ec2.IpRange{ - CidrIp: ipRange.IpCidr, - Description: ipRange.Description, - }) - } - return ec2IpRanges -} diff --git a/internal/pkg/providers/aws/ec2IpPermissions.go b/internal/pkg/providers/aws/ec2IpPermissions.go new file mode 100644 index 0000000..a32dbb2 --- /dev/null +++ b/internal/pkg/providers/aws/ec2IpPermissions.go @@ -0,0 +1,96 @@ +package aws + +import ( + "github.com/aws/aws-sdk-go/service/ec2" + "github.com/stakater/Whitelister/internal/pkg/utils" + "regexp" +) + +func getEc2IpPermissions(ipPermissions []utils.IpPermission) []*ec2.IpPermission { + + var ec2IpPermissions []*ec2.IpPermission + for _, ipPermission := range ipPermissions { + ec2IpPermissions = append(ec2IpPermissions, + (&ec2.IpPermission{}). + SetIpProtocol(*ipPermission.IpProtocol). + SetFromPort(*ipPermission.FromPort). + SetToPort(*ipPermission.ToPort). + SetIpRanges(getEc2IpRanges(ipPermission.IpRanges)), + ) + } + + return ec2IpPermissions +} + +func (a *Aws) filterIpPermissions(ipPermissions []*ec2.IpPermission) []*ec2.IpPermission { + + var filteredIpPermissions []*ec2.IpPermission + + for _, ipPermission := range ipPermissions { + ipPermission.IpRanges = a.filterIpRanges(ipPermission.IpRanges) + ipPermission.Ipv6Ranges = a.filterIpv6Ranges(ipPermission.Ipv6Ranges) + //Must be checked otherwise all security rules are removed for a certain port range and protocol + if len(ipPermission.IpRanges) != 0 || len(ipPermission.Ipv6Ranges) != 0 { + filteredIpPermissions = append(filteredIpPermissions, ipPermission) + } + } + + if len(filteredIpPermissions) == 0 { + return nil + } + + return filteredIpPermissions +} + +func (a *Aws) filterIpRanges(ipRanges []*ec2.IpRange) []*ec2.IpRange { + + reg, _ := regexp.Compile(a.KeepRuleDescriptionPrefix + ".*$") + var filteredIpRanges []*ec2.IpRange + + for _, ipRange := range ipRanges { + if ipRange.Description == nil || !reg.MatchString(*ipRange.Description) { + filteredIpRanges = append(filteredIpRanges, ipRange) + } + } + + if len(filteredIpRanges) == 0 { + return nil + } + + return filteredIpRanges +} + +func (a *Aws) filterIpv6Ranges(ipv6Ranges []*ec2.Ipv6Range) []*ec2.Ipv6Range { + + reg, _ := regexp.Compile(a.KeepRuleDescriptionPrefix + ".*$") + var filteredIpv6Ranges []*ec2.Ipv6Range + + for _, ipv6Range := range ipv6Ranges { + if ipv6Range.Description == nil || !reg.MatchString(*ipv6Range.Description) { + filteredIpv6Ranges = append(filteredIpv6Ranges, ipv6Range) + } + } + + if len(filteredIpv6Ranges) == 0 { + return nil + } + + return filteredIpv6Ranges +} + +func getEc2IpRanges(ipRanges []*utils.IpRange) []*ec2.IpRange { + + if ipRanges == nil { + return nil + } + + var ec2IpRanges []*ec2.IpRange + + for _, ipRange := range ipRanges { + ec2IpRanges = append(ec2IpRanges, &ec2.IpRange{ + CidrIp: ipRange.IpCidr, + Description: ipRange.Description, + }) + } + return ec2IpRanges +} diff --git a/internal/pkg/providers/aws/securityGroupFetcher.go b/internal/pkg/providers/aws/securityGroupFetcher.go new file mode 100644 index 0000000..fe8c4c1 --- /dev/null +++ b/internal/pkg/providers/aws/securityGroupFetcher.go @@ -0,0 +1,95 @@ +package aws + +import ( + "errors" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/ec2" + "github.com/aws/aws-sdk-go/service/elb" + "github.com/sirupsen/logrus" +) + +func (a *Aws) getSecurityGroupsByLoadBalancer(session *session.Session, credentials *credentials.Credentials, resourceIds []string) ([]*ec2.SecurityGroup, error) { + + // Create an ELB service client. + elbClient := elb.New(session, &aws.Config{ + Credentials: credentials, + Region: aws.String(a.Region), + }) + + result, err := elbClient.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{ + LoadBalancerNames: aws.StringSlice(resourceIds), + }) + if err != nil { + logrus.Errorf("%v", err) + return nil, err + } + + if len(result.LoadBalancerDescriptions) == 0 { + return nil, errors.New("no load balancer found with AWS") + } + + var securityGroupNames []*string + for _, loadBalancerDescription := range result.LoadBalancerDescriptions { + securityGroupNames = append(securityGroupNames, loadBalancerDescription.SourceSecurityGroup.GroupName) + } + + ec2Client := getEc2Client(session, credentials, a) + + var vpcFilter = "vpc-id" + var groupFilter = "group-name" + + securityGroupResult, err := ec2Client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{ + Filters: []*ec2.Filter{ + { + Name: &vpcFilter, + Values: []*string{result.LoadBalancerDescriptions[0].VPCId}, + }, + { + Name: &groupFilter, + Values: securityGroupNames, + }, + }, + }) + + if err != nil { + logrus.Errorf("%v", err) + return nil, err + } + + return securityGroupResult.SecurityGroups, nil +} + +func (a *Aws) getSecurityGroupsByTagFilter(session *session.Session, credentials *credentials.Credentials, filterLabel []string) ([]*ec2.SecurityGroup, error) { + + ec2Client := getEc2Client(session, credentials, a) + filters := a.getSearchFilterWithTag(filterLabel) + + securityGroupResult, err := ec2Client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{Filters: filters}) + + if err != nil { + logrus.Errorf("%v", err) + return nil, err + } + + return securityGroupResult.SecurityGroups, nil +} + +func getEc2Client(session *session.Session, credentials *credentials.Credentials, a *Aws) *ec2.EC2 { + return ec2.New(session, &aws.Config{ + Credentials: credentials, + Region: aws.String(a.Region), + }) +} + +func (a *Aws) getSearchFilterWithTag(filterLabel []string) []*ec2.Filter { + filters := make([]*ec2.Filter, 0) + keyName := "tag:" + filterLabel[0] + filter := ec2.Filter{ + Name: &keyName, + Values: []*string{&filterLabel[1]}} + filters = append(filters, &filter) + return filters +} diff --git a/internal/pkg/providers/aws/securityGroupUpdator.go b/internal/pkg/providers/aws/securityGroupUpdator.go new file mode 100644 index 0000000..6e0beea --- /dev/null +++ b/internal/pkg/providers/aws/securityGroupUpdator.go @@ -0,0 +1,98 @@ +package aws + +import ( + "github.com/aws/aws-sdk-go/service/ec2" + "github.com/sirupsen/logrus" + "github.com/stakater/Whitelister/internal/pkg/utils" +) + +func (a *Aws) updateSecurityGroup(client *ec2.EC2, securityGroup *ec2.SecurityGroup, + ipPermissions []*ec2.IpPermission) error { + + if a.RemoveRule { + a.removeSecurityRules(client, securityGroup, ipPermissions) + } + addSecurityRules(client, securityGroup, ipPermissions) + + return nil +} + +func addSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, ipPermissions []*ec2.IpPermission) { + var ipPermissionExists bool + var ipPermissionsToAdd []*ec2.IpPermission + + for _, ipPermission := range ipPermissions { + ipPermissionExists = false + for _, securityGroupIpPermission := range securityGroup.IpPermissions { + if utils.IsEc2IpPermissionEqual(ipPermission, securityGroupIpPermission) { + ipPermissionExists = true + break + } + } + if !ipPermissionExists { + ipPermissionsToAdd = append(ipPermissionsToAdd, ipPermission) + } + } + if len(ipPermissionsToAdd) > 0 { + logrus.Infof("Adding security rules : %v for security group :%s", ipPermissionsToAdd, *securityGroup.GroupName) + err := addSecurityGroupIngresses(client, securityGroup, ipPermissionsToAdd) + if err != nil { + logrus.Errorf("Error adding security rules for security group %s : %v", *securityGroup.GroupName, err) + } + } else { + logrus.Infof("No security rules to add for security group : %s", *securityGroup.GroupName) + } +} + +func (a *Aws) removeSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, + ipPermissions []*ec2.IpPermission) { + var removeIpPermission bool + var ipPermissionsToRemove []*ec2.IpPermission + + securityGroupFilteredIpPermissions := a.filterIpPermissions(securityGroup.IpPermissions) + + for _, securityGroupIpPermission := range securityGroupFilteredIpPermissions { + removeIpPermission = true + for _, ipPermission := range ipPermissions { + if utils.IsEc2IpPermissionEqual(ipPermission, securityGroupIpPermission) { + removeIpPermission = false + break + } + } + if removeIpPermission { + ipPermissionsToRemove = append(ipPermissionsToRemove, securityGroupIpPermission) + } + } + + if len(ipPermissionsToRemove) > 0 { + logrus.Infof("Removing security rules : %v for security group :%s", ipPermissionsToRemove, *securityGroup.GroupName) + err := removeSecurityGroupIngresses(client, securityGroup, ipPermissionsToRemove) + if err != nil { + logrus.Errorf("Error removing security rules for security group %s : %v", *securityGroup.GroupName, err) + } + } else { + logrus.Infof("No security rules to remove for security group : %s", *securityGroup.GroupName) + } +} + +func addSecurityGroupIngresses(client *ec2.EC2, securityGroup *ec2.SecurityGroup, + ipPermissions []*ec2.IpPermission) error { + + _, err := client.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{ + GroupId: securityGroup.GroupId, + IpPermissions: ipPermissions, + }) + + return err +} + +func removeSecurityGroupIngresses(client *ec2.EC2, securityGroup *ec2.SecurityGroup, + ipPermissions []*ec2.IpPermission) error { + + _, err := client.RevokeSecurityGroupIngress(&ec2.RevokeSecurityGroupIngressInput{ + GroupId: securityGroup.GroupId, + IpPermissions: ipPermissions, + }) + + return err +} diff --git a/internal/pkg/providers/provider.go b/internal/pkg/providers/provider.go index 94edc8c..17ca102 100644 --- a/internal/pkg/providers/provider.go +++ b/internal/pkg/providers/provider.go @@ -11,7 +11,8 @@ import ( // Provider interface so that providers like aws, google cloud can implement this type Provider interface { Init(map[interface{}]interface{}) error - WhiteListIps(resourceIds []string, ipPermissions []utils.IpPermission) error + WhiteListIpsByLoadBalancer(resourceIds []string, ipPermissions []utils.IpPermission) error + WhiteListIpsBySecurityGroup(filterLabel []string, ipPermissions []utils.IpPermission) error } // PopulateFromConfig populates the IpProvider from config diff --git a/internal/pkg/tasks/tasks.go b/internal/pkg/tasks/tasks.go index f6f417b..da3ffa7 100644 --- a/internal/pkg/tasks/tasks.go +++ b/internal/pkg/tasks/tasks.go @@ -43,15 +43,22 @@ func (t *Task) PerformTasks() { combinedIPPermissions = utils.CombineIpPermission(combinedIPPermissions, ipList) } - loadBalancerNames := t.getLoadBalancerNames(t.config.Filter) + if t.config.Filter.FilterType == config.LoadBalancer { + loadBalancerNames := t.getLoadBalancerNames(t.config.Filter) + logrus.Info("load balancer names: ", loadBalancerNames[0]) - if len(loadBalancerNames) > 0 { - t.provider.WhiteListIps(loadBalancerNames, combinedIPPermissions) + if len(loadBalancerNames) > 0 { + _ = t.provider.WhiteListIpsByLoadBalancer(loadBalancerNames, combinedIPPermissions) + } else { + logrus.Errorf("Cannot find any services with label name: " + t.config.Filter.LabelName + + " , label value: " + t.config.Filter.LabelValue) + } + } else if t.config.Filter.FilterType == config.SecurityGroup { + filterLabel := []string{t.config.Filter.LabelName, t.config.Filter.LabelValue} + _ = t.provider.WhiteListIpsBySecurityGroup(filterLabel, combinedIPPermissions) } else { - logrus.Errorf("Cannot find any services with label name: " + t.config.Filter.LabelName + - " , label value: " + t.config.Filter.LabelValue) + logrus.Errorf("Unrecognized filter " + t.config.Filter.LabelName) } - } // Get Load Balancer names @@ -64,7 +71,7 @@ func (t *Task) getLoadBalancerNames(filter config.Filter) []string { logrus.Fatal(err) } - loadBalancerNames := []string{} + var loadBalancerNames []string var loadBalancerDNSName string for _, service := range services.Items { From af71b13b31519d770bcd09f6ea549bcf58c0bf49 Mon Sep 17 00:00:00 2001 From: fahad-rauf Date: Sat, 18 Jul 2020 01:23:21 +0200 Subject: [PATCH 2/6] rename filter type enum to camel case --- configs/config.yaml | 2 +- configs/testConfigs/correctAwsGitConfig.yaml | 2 +- .../correctAwsGitConfigWithSG.yaml | 2 +- .../correctAwsKubernetesConfig.yaml | 2 +- configs/testConfigs/noIpProviderConfig.yaml | 2 +- configs/testConfigs/noProviderConfig.yaml | 2 +- internal/pkg/config/config_test.go | 4 ++-- internal/pkg/config/filterType.go | 21 +++++++++++-------- internal/pkg/tasks/tasks.go | 4 ++-- 9 files changed, 22 insertions(+), 19 deletions(-) diff --git a/configs/config.yaml b/configs/config.yaml index b5b838c..ad685eb 100644 --- a/configs/config.yaml +++ b/configs/config.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: LoadBalancer + filterType: loadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsGitConfig.yaml b/configs/testConfigs/correctAwsGitConfig.yaml index 1a7277f..5480b2f 100644 --- a/configs/testConfigs/correctAwsGitConfig.yaml +++ b/configs/testConfigs/correctAwsGitConfig.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: LoadBalancer + filterType: loadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsGitConfigWithSG.yaml b/configs/testConfigs/correctAwsGitConfigWithSG.yaml index ed2d052..87fd135 100644 --- a/configs/testConfigs/correctAwsGitConfigWithSG.yaml +++ b/configs/testConfigs/correctAwsGitConfigWithSG.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: SecurityGroup + filterType: securityGroup labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsKubernetesConfig.yaml b/configs/testConfigs/correctAwsKubernetesConfig.yaml index b341191..df473cc 100644 --- a/configs/testConfigs/correctAwsKubernetesConfig.yaml +++ b/configs/testConfigs/correctAwsKubernetesConfig.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: LoadBalancer + filterType: loadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/noIpProviderConfig.yaml b/configs/testConfigs/noIpProviderConfig.yaml index 6901b8a..b75a9d2 100644 --- a/configs/testConfigs/noIpProviderConfig.yaml +++ b/configs/testConfigs/noIpProviderConfig.yaml @@ -1,5 +1,5 @@ syncInterval: 10s filter: - filterType: LoadBalancer + filterType: loadBalancer labelName: whitelister labelValue: true \ No newline at end of file diff --git a/configs/testConfigs/noProviderConfig.yaml b/configs/testConfigs/noProviderConfig.yaml index 8819cff..845d644 100644 --- a/configs/testConfigs/noProviderConfig.yaml +++ b/configs/testConfigs/noProviderConfig.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: LoadBalancer + filterType: loadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go index 8ea3766..d07ea98 100644 --- a/internal/pkg/config/config_test.go +++ b/internal/pkg/config/config_test.go @@ -46,7 +46,7 @@ func TestReadConfig(t *testing.T) { }, }, Filter: Filter{ - FilterType: LoadBalancer, + FilterType: loadBalancer, LabelName: "whitelister", LabelValue: "true", }, @@ -77,7 +77,7 @@ func TestReadConfig(t *testing.T) { }, }, Filter: Filter{ - FilterType: SecurityGroup, + FilterType: securityGroup, LabelName: "whitelister", LabelValue: "true", }, diff --git a/internal/pkg/config/filterType.go b/internal/pkg/config/filterType.go index 819ff59..b1ec5c8 100644 --- a/internal/pkg/config/filterType.go +++ b/internal/pkg/config/filterType.go @@ -5,17 +5,20 @@ import "fmt" type FilterType int const ( - LoadBalancer FilterType = iota - SecurityGroup + loadBalancer FilterType = iota + securityGroup ) +var LoadBalancerStr = "loadBalancer" +var SecurityGroupStr = "securityGroup" + func (filterType FilterType) String() string { filterTypes := [...]string{ - "LoadBalancer", - "SecurityGroup", + "loadBalancer", + "securityGroup", } - if filterType < LoadBalancer || filterType > SecurityGroup { + if filterType < loadBalancer || filterType > securityGroup { return "Unknown" } @@ -24,11 +27,11 @@ func (filterType FilterType) String() string { func toFilterType(s string) (u FilterType, err error) { switch s { - case "LoadBalancer": - u = LoadBalancer + case "loadBalancer": + u = loadBalancer - case "SecurityGroup": - u = SecurityGroup + case "securityGroup": + u = securityGroup default: err = fmt.Errorf("incorrect FilterType :%s provided", s) diff --git a/internal/pkg/tasks/tasks.go b/internal/pkg/tasks/tasks.go index da3ffa7..0e0d28e 100644 --- a/internal/pkg/tasks/tasks.go +++ b/internal/pkg/tasks/tasks.go @@ -43,7 +43,7 @@ func (t *Task) PerformTasks() { combinedIPPermissions = utils.CombineIpPermission(combinedIPPermissions, ipList) } - if t.config.Filter.FilterType == config.LoadBalancer { + if t.config.Filter.FilterType.String() == config.LoadBalancerStr { loadBalancerNames := t.getLoadBalancerNames(t.config.Filter) logrus.Info("load balancer names: ", loadBalancerNames[0]) @@ -53,7 +53,7 @@ func (t *Task) PerformTasks() { logrus.Errorf("Cannot find any services with label name: " + t.config.Filter.LabelName + " , label value: " + t.config.Filter.LabelValue) } - } else if t.config.Filter.FilterType == config.SecurityGroup { + } else if t.config.Filter.FilterType.String() == config.SecurityGroupStr { filterLabel := []string{t.config.Filter.LabelName, t.config.Filter.LabelValue} _ = t.provider.WhiteListIpsBySecurityGroup(filterLabel, combinedIPPermissions) } else { From 81250df724a142e75ea499b7a66f41fd90565374 Mon Sep 17 00:00:00 2001 From: fahad-rauf Date: Fri, 24 Jul 2020 14:52:35 +0200 Subject: [PATCH 3/6] refactor --- configs/config.yaml | 2 +- configs/testConfigs/correctAwsGitConfig.yaml | 2 +- .../correctAwsGitConfigWithSG.yaml | 2 +- .../correctAwsKubernetesConfig.yaml | 2 +- configs/testConfigs/noIpProviderConfig.yaml | 2 +- configs/testConfigs/noProviderConfig.yaml | 2 +- internal/pkg/config/config_test.go | 13 ++++--- .../config/{filterType.go => filtertype.go} | 28 +++++++------- internal/pkg/providers/aws/aws.go | 37 ++----------------- ...IpPermissions.go => ec2_ip_permissions.go} | 0 ...upFetcher.go => security_group_fetcher.go} | 15 ++++++++ ...upUpdator.go => security_group_updator.go} | 0 internal/pkg/providers/provider.go | 3 +- internal/pkg/tasks/tasks.go | 8 ++-- 14 files changed, 51 insertions(+), 65 deletions(-) rename internal/pkg/config/{filterType.go => filtertype.go} (50%) rename internal/pkg/providers/aws/{ec2IpPermissions.go => ec2_ip_permissions.go} (100%) rename internal/pkg/providers/aws/{securityGroupFetcher.go => security_group_fetcher.go} (79%) rename internal/pkg/providers/aws/{securityGroupUpdator.go => security_group_updator.go} (100%) diff --git a/configs/config.yaml b/configs/config.yaml index ad685eb..b5b838c 100644 --- a/configs/config.yaml +++ b/configs/config.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: loadBalancer + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsGitConfig.yaml b/configs/testConfigs/correctAwsGitConfig.yaml index 5480b2f..1a7277f 100644 --- a/configs/testConfigs/correctAwsGitConfig.yaml +++ b/configs/testConfigs/correctAwsGitConfig.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: loadBalancer + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsGitConfigWithSG.yaml b/configs/testConfigs/correctAwsGitConfigWithSG.yaml index 87fd135..ed2d052 100644 --- a/configs/testConfigs/correctAwsGitConfigWithSG.yaml +++ b/configs/testConfigs/correctAwsGitConfigWithSG.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: securityGroup + filterType: SecurityGroup labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/correctAwsKubernetesConfig.yaml b/configs/testConfigs/correctAwsKubernetesConfig.yaml index df473cc..b341191 100644 --- a/configs/testConfigs/correctAwsKubernetesConfig.yaml +++ b/configs/testConfigs/correctAwsKubernetesConfig.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: loadBalancer + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/configs/testConfigs/noIpProviderConfig.yaml b/configs/testConfigs/noIpProviderConfig.yaml index b75a9d2..6901b8a 100644 --- a/configs/testConfigs/noIpProviderConfig.yaml +++ b/configs/testConfigs/noIpProviderConfig.yaml @@ -1,5 +1,5 @@ syncInterval: 10s filter: - filterType: loadBalancer + filterType: LoadBalancer labelName: whitelister labelValue: true \ No newline at end of file diff --git a/configs/testConfigs/noProviderConfig.yaml b/configs/testConfigs/noProviderConfig.yaml index 845d644..8819cff 100644 --- a/configs/testConfigs/noProviderConfig.yaml +++ b/configs/testConfigs/noProviderConfig.yaml @@ -1,6 +1,6 @@ syncInterval: 10s filter: - filterType: loadBalancer + filterType: LoadBalancer labelName: whitelister labelValue: true ipProviders: diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go index d07ea98..c96f0b0 100644 --- a/internal/pkg/config/config_test.go +++ b/internal/pkg/config/config_test.go @@ -46,11 +46,12 @@ func TestReadConfig(t *testing.T) { }, }, Filter: Filter{ - FilterType: loadBalancer, + FilterType: LoadBalancer, LabelName: "whitelister", LabelValue: "true", }, }, + wantErr: false, }, { name: "TestingWithCorrectValuesForSecurityGroupFilter", @@ -77,11 +78,12 @@ func TestReadConfig(t *testing.T) { }, }, Filter: Filter{ - FilterType: securityGroup, + FilterType: SecurityGroup, LabelName: "whitelister", LabelValue: "true", }, }, + wantErr: false, }, { name: "TestingWithIncorrectFilterType", @@ -90,9 +92,10 @@ func TestReadConfig(t *testing.T) { errValue: errors.New("incorrect FilterType :InCorrectType provided"), }, { - name: "TestingWithEmptyFile", - args: args{filePath: configFilePath + "Empty.yaml"}, - want: Config{}, + name: "TestingWithEmptyFile", + args: args{filePath: configFilePath + "Empty.yaml"}, + want: Config{}, + wantErr: false, }, { name: "TestingWithFileNotPresent", diff --git a/internal/pkg/config/filterType.go b/internal/pkg/config/filtertype.go similarity index 50% rename from internal/pkg/config/filterType.go rename to internal/pkg/config/filtertype.go index b1ec5c8..bcaf57f 100644 --- a/internal/pkg/config/filterType.go +++ b/internal/pkg/config/filtertype.go @@ -5,36 +5,36 @@ import "fmt" type FilterType int const ( - loadBalancer FilterType = iota - securityGroup + LoadBalancer FilterType = iota + SecurityGroup ) -var LoadBalancerStr = "loadBalancer" -var SecurityGroupStr = "securityGroup" +var loadBalancerStr = "LoadBalancer" +var securityGroupStr = "SecurityGroup" func (filterType FilterType) String() string { filterTypes := [...]string{ - "loadBalancer", - "securityGroup", + loadBalancerStr, + securityGroupStr, } - if filterType < loadBalancer || filterType > securityGroup { + if filterType < LoadBalancer || filterType > SecurityGroup { return "Unknown" } return filterTypes[filterType] } -func toFilterType(s string) (u FilterType, err error) { - switch s { - case "loadBalancer": - u = loadBalancer +func toFilterType(filterTypeStr string) (filterType FilterType, err error) { + switch filterTypeStr { + case loadBalancerStr: + filterType = LoadBalancer - case "securityGroup": - u = securityGroup + case securityGroupStr: + filterType = SecurityGroup default: - err = fmt.Errorf("incorrect FilterType :%s provided", s) + err = fmt.Errorf("incorrect FilterType :%s provided", filterTypeStr) } return } diff --git a/internal/pkg/providers/aws/aws.go b/internal/pkg/providers/aws/aws.go index 4fabb5a..94de0cd 100644 --- a/internal/pkg/providers/aws/aws.go +++ b/internal/pkg/providers/aws/aws.go @@ -8,6 +8,7 @@ import ( "github.com/aws/aws-sdk-go/service/ec2" "github.com/mitchellh/mapstructure" "github.com/sirupsen/logrus" + "github.com/stakater/Whitelister/internal/pkg/config" "github.com/stakater/Whitelister/internal/pkg/utils" ) @@ -38,7 +39,7 @@ func (a *Aws) Init(params map[interface{}]interface{}) error { } // WhiteListIps - Get List of IP addresses to whitelist -func (a *Aws) WhiteListIpsByLoadBalancer(resourceIds []string, ipPermissions []utils.IpPermission) error { +func (a *Aws) WhiteListIps(filterType config.FilterType, resourceIds []string, ipPermissions []utils.IpPermission) error { // Initial credentials loaded default credential chain from SDK. Such as // the environment, shared credentials (~/.aws/credentials), or EC2 Instance @@ -52,8 +53,8 @@ func (a *Aws) WhiteListIpsByLoadBalancer(resourceIds []string, ipPermissions []u // Create the credentials from AssumeRoleProvider to assume the role // referenced by the "myRoleARN" ARN. roleCredentials := stscreds.NewCredentials(awsSession, a.RoleArn) + securityGroups, err := a.fetchSecurityGroup(filterType, awsSession, roleCredentials, resourceIds) - securityGroups, err := a.getSecurityGroupsByLoadBalancer(awsSession, roleCredentials, resourceIds) if err != nil { logrus.Errorf("%v", err) return err @@ -79,35 +80,3 @@ func (a *Aws) WhiteListIpsByLoadBalancer(resourceIds []string, ipPermissions []u } return nil } - -func (a *Aws) WhiteListIpsBySecurityGroup(filterLabel []string, ipPermissions []utils.IpPermission) error { - - awsSession, err := session.NewSession() - if err != nil { - logrus.Errorf("%v", err) - return err - } - roleCredentials := stscreds.NewCredentials(awsSession, a.RoleArn) - - securityGroups, err := a.getSecurityGroupsByTagFilter(awsSession, roleCredentials, filterLabel) - if err != nil { - logrus.Errorf("%v", err) - return err - } - - ec2IpPermissions := getEc2IpPermissions(ipPermissions) - - ec2Client := ec2.New(awsSession, &aws.Config{ - Credentials: roleCredentials, - Region: aws.String(a.Region), - }) - - for _, securityGroup := range securityGroups { - err := a.updateSecurityGroup(ec2Client, securityGroup, ec2IpPermissions) - if err != nil { - logrus.Errorf("%v", err) - } - } - return nil - -} diff --git a/internal/pkg/providers/aws/ec2IpPermissions.go b/internal/pkg/providers/aws/ec2_ip_permissions.go similarity index 100% rename from internal/pkg/providers/aws/ec2IpPermissions.go rename to internal/pkg/providers/aws/ec2_ip_permissions.go diff --git a/internal/pkg/providers/aws/securityGroupFetcher.go b/internal/pkg/providers/aws/security_group_fetcher.go similarity index 79% rename from internal/pkg/providers/aws/securityGroupFetcher.go rename to internal/pkg/providers/aws/security_group_fetcher.go index fe8c4c1..b1df048 100644 --- a/internal/pkg/providers/aws/securityGroupFetcher.go +++ b/internal/pkg/providers/aws/security_group_fetcher.go @@ -2,6 +2,7 @@ package aws import ( "errors" + "github.com/stakater/Whitelister/internal/pkg/config" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" @@ -11,6 +12,16 @@ import ( "github.com/sirupsen/logrus" ) +func (a *Aws) fetchSecurityGroup(filterType config.FilterType, session *session.Session, credentials *credentials.Credentials, resourceIds []string) ([]*ec2.SecurityGroup, error) { + if filterType == config.LoadBalancer { + return a.getSecurityGroupsByLoadBalancer(session, credentials, resourceIds) + } else if filterType == config.SecurityGroup { + return a.getSecurityGroupsByTagFilter(session, credentials, resourceIds) + } else { + return nil, errors.New("unrecognized filter type " + filterType.String()) + } +} + func (a *Aws) getSecurityGroupsByLoadBalancer(session *session.Session, credentials *credentials.Credentials, resourceIds []string) ([]*ec2.SecurityGroup, error) { // Create an ELB service client. @@ -64,6 +75,10 @@ func (a *Aws) getSecurityGroupsByLoadBalancer(session *session.Session, credenti func (a *Aws) getSecurityGroupsByTagFilter(session *session.Session, credentials *credentials.Credentials, filterLabel []string) ([]*ec2.SecurityGroup, error) { + if len(filterLabel) != 2 { + return nil, errors.New("not enough tag filters provided") + } + ec2Client := getEc2Client(session, credentials, a) filters := a.getSearchFilterWithTag(filterLabel) diff --git a/internal/pkg/providers/aws/securityGroupUpdator.go b/internal/pkg/providers/aws/security_group_updator.go similarity index 100% rename from internal/pkg/providers/aws/securityGroupUpdator.go rename to internal/pkg/providers/aws/security_group_updator.go diff --git a/internal/pkg/providers/provider.go b/internal/pkg/providers/provider.go index 17ca102..8751814 100644 --- a/internal/pkg/providers/provider.go +++ b/internal/pkg/providers/provider.go @@ -11,8 +11,7 @@ import ( // Provider interface so that providers like aws, google cloud can implement this type Provider interface { Init(map[interface{}]interface{}) error - WhiteListIpsByLoadBalancer(resourceIds []string, ipPermissions []utils.IpPermission) error - WhiteListIpsBySecurityGroup(filterLabel []string, ipPermissions []utils.IpPermission) error + WhiteListIps(filterType config.FilterType, resourceIds []string, ipPermissions []utils.IpPermission) error } // PopulateFromConfig populates the IpProvider from config diff --git a/internal/pkg/tasks/tasks.go b/internal/pkg/tasks/tasks.go index 0e0d28e..5d00f7b 100644 --- a/internal/pkg/tasks/tasks.go +++ b/internal/pkg/tasks/tasks.go @@ -43,19 +43,19 @@ func (t *Task) PerformTasks() { combinedIPPermissions = utils.CombineIpPermission(combinedIPPermissions, ipList) } - if t.config.Filter.FilterType.String() == config.LoadBalancerStr { + if t.config.Filter.FilterType == config.LoadBalancer { loadBalancerNames := t.getLoadBalancerNames(t.config.Filter) logrus.Info("load balancer names: ", loadBalancerNames[0]) if len(loadBalancerNames) > 0 { - _ = t.provider.WhiteListIpsByLoadBalancer(loadBalancerNames, combinedIPPermissions) + _ = t.provider.WhiteListIps(t.config.Filter.FilterType, loadBalancerNames, combinedIPPermissions) } else { logrus.Errorf("Cannot find any services with label name: " + t.config.Filter.LabelName + " , label value: " + t.config.Filter.LabelValue) } - } else if t.config.Filter.FilterType.String() == config.SecurityGroupStr { + } else if t.config.Filter.FilterType == config.SecurityGroup { filterLabel := []string{t.config.Filter.LabelName, t.config.Filter.LabelValue} - _ = t.provider.WhiteListIpsBySecurityGroup(filterLabel, combinedIPPermissions) + _ = t.provider.WhiteListIps(t.config.Filter.FilterType, filterLabel, combinedIPPermissions) } else { logrus.Errorf("Unrecognized filter " + t.config.Filter.LabelName) } From b269b791a611168b1c52f7febb583e39f3f60d66 Mon Sep 17 00:00:00 2001 From: fahad-rauf Date: Fri, 24 Jul 2020 17:58:46 +0200 Subject: [PATCH 4/6] refactor --- internal/pkg/config/config_test.go | 2 +- internal/pkg/controller/controller.go | 2 +- internal/pkg/providers/aws/aws.go | 11 +++-- ...ip_permissions.go => ec2_ippermissions.go} | 0 ...up_fetcher.go => securitygroup_fetcher.go} | 34 +++++++------- ...up_updator.go => securitygroup_updater.go} | 3 +- internal/pkg/providers/provider.go | 9 ++-- internal/pkg/tasks/tasks.go | 45 +------------------ internal/pkg/utils/k8s_util.go | 33 ++++++++++++++ 9 files changed, 68 insertions(+), 71 deletions(-) rename internal/pkg/providers/aws/{ec2_ip_permissions.go => ec2_ippermissions.go} (100%) rename internal/pkg/providers/aws/{security_group_fetcher.go => securitygroup_fetcher.go} (66%) rename internal/pkg/providers/aws/{security_group_updator.go => securitygroup_updater.go} (98%) create mode 100644 internal/pkg/utils/k8s_util.go diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go index c96f0b0..8c1f352 100644 --- a/internal/pkg/config/config_test.go +++ b/internal/pkg/config/config_test.go @@ -106,7 +106,7 @@ func TestReadConfig(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := ReadConfig(tt.args.filePath) - if err == nil && tt.wantErr { + if (err == nil && tt.wantErr) || (!tt.wantErr && err != nil) { t.Errorf("ReadConfig() error = %v, wantErr %v", err, tt.wantErr) return } diff --git a/internal/pkg/controller/controller.go b/internal/pkg/controller/controller.go index 16b715c..6f43b6e 100644 --- a/internal/pkg/controller/controller.go +++ b/internal/pkg/controller/controller.go @@ -32,7 +32,7 @@ func NewController(clientset clientset.Interface, config config.Config) (*Contro if len(controller.ipProviders) == 0 { return nil, errors.New("No Ip Provider specified") } - controller.provider = providers.PopulateFromConfig(config.Provider) + controller.provider = providers.PopulateFromConfig(config.Provider, clientset) if controller.provider == nil { return nil, errors.New("No Provider specified") } diff --git a/internal/pkg/providers/aws/aws.go b/internal/pkg/providers/aws/aws.go index 94de0cd..6ccfd50 100644 --- a/internal/pkg/providers/aws/aws.go +++ b/internal/pkg/providers/aws/aws.go @@ -9,12 +9,14 @@ import ( "github.com/mitchellh/mapstructure" "github.com/sirupsen/logrus" "github.com/stakater/Whitelister/internal/pkg/config" + clientset "k8s.io/client-go/kubernetes" "github.com/stakater/Whitelister/internal/pkg/utils" ) // Aws provider class implementing the Provider interface type Aws struct { + ClientSet clientset.Interface RoleArn string Region string RemoveRule bool @@ -27,7 +29,8 @@ func (a *Aws) GetName() string { } // Init initializes the Aws Provider Configuration like Access Token and Region -func (a *Aws) Init(params map[interface{}]interface{}) error { +func (a *Aws) Init(params map[interface{}]interface{}, clientSet clientset.Interface) error { + a.ClientSet = clientSet err := mapstructure.Decode(params, &a) //Converts the params to Aws struct fields if err != nil { return err @@ -39,9 +42,9 @@ func (a *Aws) Init(params map[interface{}]interface{}) error { } // WhiteListIps - Get List of IP addresses to whitelist -func (a *Aws) WhiteListIps(filterType config.FilterType, resourceIds []string, ipPermissions []utils.IpPermission) error { +func (a *Aws) WhiteListIps(filter config.Filter, ipPermissions []utils.IpPermission) error { - // Initial credentials loaded default credential chain from SDK. Such as + // Initial credentials loaded from SDK's default credential chain. Such as // the environment, shared credentials (~/.aws/credentials), or EC2 Instance // Role. These credentials will be used to to make the STS Assume Role API. awsSession, err := session.NewSession() @@ -53,7 +56,7 @@ func (a *Aws) WhiteListIps(filterType config.FilterType, resourceIds []string, i // Create the credentials from AssumeRoleProvider to assume the role // referenced by the "myRoleARN" ARN. roleCredentials := stscreds.NewCredentials(awsSession, a.RoleArn) - securityGroups, err := a.fetchSecurityGroup(filterType, awsSession, roleCredentials, resourceIds) + securityGroups, err := a.fetchSecurityGroup(awsSession, roleCredentials, filter) if err != nil { logrus.Errorf("%v", err) diff --git a/internal/pkg/providers/aws/ec2_ip_permissions.go b/internal/pkg/providers/aws/ec2_ippermissions.go similarity index 100% rename from internal/pkg/providers/aws/ec2_ip_permissions.go rename to internal/pkg/providers/aws/ec2_ippermissions.go diff --git a/internal/pkg/providers/aws/security_group_fetcher.go b/internal/pkg/providers/aws/securitygroup_fetcher.go similarity index 66% rename from internal/pkg/providers/aws/security_group_fetcher.go rename to internal/pkg/providers/aws/securitygroup_fetcher.go index b1df048..f27a1fb 100644 --- a/internal/pkg/providers/aws/security_group_fetcher.go +++ b/internal/pkg/providers/aws/securitygroup_fetcher.go @@ -3,6 +3,7 @@ package aws import ( "errors" "github.com/stakater/Whitelister/internal/pkg/config" + "github.com/stakater/Whitelister/internal/pkg/utils" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" @@ -12,13 +13,20 @@ import ( "github.com/sirupsen/logrus" ) -func (a *Aws) fetchSecurityGroup(filterType config.FilterType, session *session.Session, credentials *credentials.Credentials, resourceIds []string) ([]*ec2.SecurityGroup, error) { - if filterType == config.LoadBalancer { - return a.getSecurityGroupsByLoadBalancer(session, credentials, resourceIds) - } else if filterType == config.SecurityGroup { - return a.getSecurityGroupsByTagFilter(session, credentials, resourceIds) +func (a *Aws) fetchSecurityGroup(session *session.Session, credentials *credentials.Credentials, filter config.Filter) ([]*ec2.SecurityGroup, error) { + if filter.FilterType == config.LoadBalancer { + loadBalancerNames := utils.GetLoadBalancerNames(filter, a.ClientSet) + logrus.Info("load balancer names: ", loadBalancerNames[0]) + + if len(loadBalancerNames) > 0 { + return a.getSecurityGroupsByLoadBalancer(session, credentials, loadBalancerNames) + } else { + return nil, errors.New("Cannot find any services with label name: " + filter.LabelName + " , label value: " + filter.LabelValue) + } + } else if filter.FilterType == config.SecurityGroup { + return a.getSecurityGroupsByTagFilter(session, credentials, filter.LabelName, filter.LabelValue) } else { - return nil, errors.New("unrecognized filter type " + filterType.String()) + return nil, errors.New("unrecognized filter type " + filter.FilterType.String()) } } @@ -73,14 +81,10 @@ func (a *Aws) getSecurityGroupsByLoadBalancer(session *session.Session, credenti return securityGroupResult.SecurityGroups, nil } -func (a *Aws) getSecurityGroupsByTagFilter(session *session.Session, credentials *credentials.Credentials, filterLabel []string) ([]*ec2.SecurityGroup, error) { - - if len(filterLabel) != 2 { - return nil, errors.New("not enough tag filters provided") - } +func (a *Aws) getSecurityGroupsByTagFilter(session *session.Session, credentials *credentials.Credentials, labelName string, labelValue string) ([]*ec2.SecurityGroup, error) { ec2Client := getEc2Client(session, credentials, a) - filters := a.getSearchFilterWithTag(filterLabel) + filters := a.getSearchFilterWithTag(labelName, labelValue) securityGroupResult, err := ec2Client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{Filters: filters}) @@ -99,12 +103,12 @@ func getEc2Client(session *session.Session, credentials *credentials.Credentials }) } -func (a *Aws) getSearchFilterWithTag(filterLabel []string) []*ec2.Filter { +func (a *Aws) getSearchFilterWithTag(labelName string, labelValue string) []*ec2.Filter { filters := make([]*ec2.Filter, 0) - keyName := "tag:" + filterLabel[0] + keyName := "tag:" + labelName filter := ec2.Filter{ Name: &keyName, - Values: []*string{&filterLabel[1]}} + Values: []*string{&labelValue}} filters = append(filters, &filter) return filters } diff --git a/internal/pkg/providers/aws/security_group_updator.go b/internal/pkg/providers/aws/securitygroup_updater.go similarity index 98% rename from internal/pkg/providers/aws/security_group_updator.go rename to internal/pkg/providers/aws/securitygroup_updater.go index 6e0beea..1cb09d8 100644 --- a/internal/pkg/providers/aws/security_group_updator.go +++ b/internal/pkg/providers/aws/securitygroup_updater.go @@ -44,8 +44,7 @@ func addSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, ipPermi } } -func (a *Aws) removeSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, - ipPermissions []*ec2.IpPermission) { +func (a *Aws) removeSecurityRules(client *ec2.EC2, securityGroup *ec2.SecurityGroup, ipPermissions []*ec2.IpPermission) { var removeIpPermission bool var ipPermissionsToRemove []*ec2.IpPermission diff --git a/internal/pkg/providers/provider.go b/internal/pkg/providers/provider.go index 8751814..ac1c8e7 100644 --- a/internal/pkg/providers/provider.go +++ b/internal/pkg/providers/provider.go @@ -2,6 +2,7 @@ package providers import ( "github.com/sirupsen/logrus" + clientset "k8s.io/client-go/kubernetes" "github.com/stakater/Whitelister/internal/pkg/config" "github.com/stakater/Whitelister/internal/pkg/providers/aws" @@ -10,15 +11,15 @@ import ( // Provider interface so that providers like aws, google cloud can implement this type Provider interface { - Init(map[interface{}]interface{}) error - WhiteListIps(filterType config.FilterType, resourceIds []string, ipPermissions []utils.IpPermission) error + Init(map[interface{}]interface{}, clientset.Interface) error + WhiteListIps(filter config.Filter, ipPermissions []utils.IpPermission) error } // PopulateFromConfig populates the IpProvider from config -func PopulateFromConfig(configProvider config.Provider) Provider { +func PopulateFromConfig(configProvider config.Provider, clientset clientset.Interface) Provider { providerToAdd := MapToProvider(configProvider.Name) if providerToAdd != nil { - err := providerToAdd.Init(configProvider.Params) + err := providerToAdd.Init(configProvider.Params, clientset) if err != nil { logrus.Errorf("%v", err) } diff --git a/internal/pkg/tasks/tasks.go b/internal/pkg/tasks/tasks.go index 5d00f7b..01daa40 100644 --- a/internal/pkg/tasks/tasks.go +++ b/internal/pkg/tasks/tasks.go @@ -1,10 +1,7 @@ package tasks import ( - "context" - "github.com/sirupsen/logrus" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientset "k8s.io/client-go/kubernetes" "github.com/stakater/Whitelister/internal/pkg/config" @@ -43,45 +40,5 @@ func (t *Task) PerformTasks() { combinedIPPermissions = utils.CombineIpPermission(combinedIPPermissions, ipList) } - if t.config.Filter.FilterType == config.LoadBalancer { - loadBalancerNames := t.getLoadBalancerNames(t.config.Filter) - logrus.Info("load balancer names: ", loadBalancerNames[0]) - - if len(loadBalancerNames) > 0 { - _ = t.provider.WhiteListIps(t.config.Filter.FilterType, loadBalancerNames, combinedIPPermissions) - } else { - logrus.Errorf("Cannot find any services with label name: " + t.config.Filter.LabelName + - " , label value: " + t.config.Filter.LabelValue) - } - } else if t.config.Filter.FilterType == config.SecurityGroup { - filterLabel := []string{t.config.Filter.LabelName, t.config.Filter.LabelValue} - _ = t.provider.WhiteListIps(t.config.Filter.FilterType, filterLabel, combinedIPPermissions) - } else { - logrus.Errorf("Unrecognized filter " + t.config.Filter.LabelName) - } -} - -// Get Load Balancer names -func (t *Task) getLoadBalancerNames(filter config.Filter) []string { - services, err := t.clientset.CoreV1().Services("").List(context.TODO(), meta_v1.ListOptions{ - LabelSelector: filter.LabelName + "=" + filter.LabelValue}, - ) - - if err != nil { - logrus.Fatal(err) - } - - var loadBalancerNames []string - var loadBalancerDNSName string - - for _, service := range services.Items { - if service.Spec.Type == "LoadBalancer" { - loadBalancerDNSName = - utils.GetLoadBalancerNameFromDNSName(service.Status.LoadBalancer.Ingress[0].Hostname) - loadBalancerNames = append(loadBalancerNames, loadBalancerDNSName) - } else { - logrus.Error("Cannot process service : " + service.Name) - } - } - return loadBalancerNames + _ = t.provider.WhiteListIps(t.config.Filter, combinedIPPermissions) } diff --git a/internal/pkg/utils/k8s_util.go b/internal/pkg/utils/k8s_util.go new file mode 100644 index 0000000..fb096fa --- /dev/null +++ b/internal/pkg/utils/k8s_util.go @@ -0,0 +1,33 @@ +package utils + +import ( + "context" + "github.com/sirupsen/logrus" + "github.com/stakater/Whitelister/internal/pkg/config" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + clientset "k8s.io/client-go/kubernetes" +) + +// Get Load Balancer names +func GetLoadBalancerNames(filter config.Filter, clientSet clientset.Interface) []string { + services, err := clientSet.CoreV1().Services("").List(context.TODO(), meta_v1.ListOptions{ + LabelSelector: filter.LabelName + "=" + filter.LabelValue}, + ) + + if err != nil { + logrus.Fatal(err) + } + + var loadBalancerNames []string + var loadBalancerDNSName string + + for _, service := range services.Items { + if service.Spec.Type == "LoadBalancer" { + loadBalancerDNSName = GetLoadBalancerNameFromDNSName(service.Status.LoadBalancer.Ingress[0].Hostname) + loadBalancerNames = append(loadBalancerNames, loadBalancerDNSName) + } else { + logrus.Error("Cannot process service : " + service.Name) + } + } + return loadBalancerNames +} From ef76d19a088e1ae1d81ed541c48693a04a389d25 Mon Sep 17 00:00:00 2001 From: fahad-rauf Date: Fri, 31 Jul 2020 08:45:19 +0200 Subject: [PATCH 5/6] adds config doc for filter type --- docs/config.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/config.md b/docs/config.md index 9e05b5d..2b6235c 100644 --- a/docs/config.md +++ b/docs/config.md @@ -5,6 +5,7 @@ Sample config map looks like this ```yaml syncInterval: 10s filter: + filterType: LoadBalancer labelName: app labelValue: internal-ingress ipProviders: @@ -30,7 +31,8 @@ provider: |Key |Status |Description| |----|-------|-----------| |syncInterval| required |The interval after which whitelister syncs the Ip Providers input with the security group. Sync interval is a positive sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".| -|filter.labelName| required | Label Name on which to filter ingresses that will provide the load balancers whose security groups need to be modified| +|filter.filterType| required |The filter type based on which this whitelister will work. Filter type can be "LoadBalancer" or "SecurityGroup"| +|filter.labelName| required |Label Name on which to filter ingresses that will provide the load balancers whose security groups need to be modified| |filter.labelValue| required |Label Value on which to filter ingresses that will provide the load balancers whose security groups need to be modified| |ipProviders| required, Min length = 1 |List of IP Providers.| |ipProviders[].name| required |Name of the IP Provider e.g "kubernetes"| From d4fa88ac004c4d86b6271a28dd9131ae2be20696 Mon Sep 17 00:00:00 2001 From: fahad-rauf Date: Fri, 31 Jul 2020 12:25:54 +0200 Subject: [PATCH 6/6] update config doc --- docs/config.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/config.md b/docs/config.md index 2b6235c..feb8ed8 100644 --- a/docs/config.md +++ b/docs/config.md @@ -32,8 +32,8 @@ provider: |----|-------|-----------| |syncInterval| required |The interval after which whitelister syncs the Ip Providers input with the security group. Sync interval is a positive sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".| |filter.filterType| required |The filter type based on which this whitelister will work. Filter type can be "LoadBalancer" or "SecurityGroup"| -|filter.labelName| required |Label Name on which to filter ingresses that will provide the load balancers whose security groups need to be modified| -|filter.labelValue| required |Label Value on which to filter ingresses that will provide the load balancers whose security groups need to be modified| +|filter.labelName| required |Label Name on which to filter resources based on filter.filterType| +|filter.labelValue| required |Label Value on which to filter resources based on filter.filterType| |ipProviders| required, Min length = 1 |List of IP Providers.| |ipProviders[].name| required |Name of the IP Provider e.g "kubernetes"| |ipProviders[].params| required |Map to be passed to the IP Provider| @@ -41,6 +41,10 @@ provider: |provider[].name| required |Name of Cloud Provider e.g "aws"| |provider[].params| required |Map to be passed to the Cloud Provider| +## Filter + +labelName and labelValue represent the key value pair of a tag in case of filterType "SecurityGroup". However, if filterType is "LoadBalancer" labelName and labelValue correspond to the label's key value pair on kubernetes service + ## Ip Providers Whitelister supports the following IP Providers