Skip to content

Commit

Permalink
Split security group rules on its own CRD, controller and api
Browse files Browse the repository at this point in the history
  • Loading branch information
@nsricardor
nsricardor committed Oct 30, 2024
1 parent da5512a commit 54e2ccd
Show file tree
Hide file tree
Showing 22 changed files with 3,188 additions and 619 deletions.
59 changes: 59 additions & 0 deletions charts/region/crds/region.unikorn-cloud.org_openstacksecuritygrouprules.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: openstacksecuritygrouprules.region.unikorn-cloud.org
spec:
group: region.unikorn-cloud.org
names:
categories:
- unikorn
kind: OpenstackSecurityGroupRule
listKind: OpenstackSecurityGroupRuleList
plural: openstacksecuritygrouprules
singular: openstacksecuritygrouprule
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: OpenstackSecurityGroupRule has no controller, its a database
record of state.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
securityGroupRuleID:
description: SecurityGroupRuleID is the security group rule ID.
type: string
type: object
status:
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
45 changes: 0 additions & 45 deletions charts/region/crds/region.unikorn-cloud.org_openstacksecuritygroups.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,51 +45,6 @@ spec:
type: object
spec:
properties:
rules:
description: Rules are the security group rules.
items:
properties:
direction:
description: |-
The direction in which the security group rule is applied. The only values
allowed are "ingress" or "egress".
type: string
id:
description: ID is the security group rule ID.
type: string
port_range_max:
description: |-
The maximum port number in the range that is matched by the security group
rule. The PortRangeMin attribute constrains the PortRangeMax attribute. If
the protocol is ICMP, this value must be an ICMP type.
type: integer
port_range_min:
description: |-
The minimum port number in the range that is matched by the security group
rule. If the protocol is TCP or UDP, this value must be less than or equal
to the value of the PortRangeMax attribute. If the protocol is ICMP, this
value must be an ICMP type.
type: integer
protocol:
description: |-
The protocol that is matched by the security group rule. Valid values are
"tcp", "udp", "icmp" or an empty string.
type: string
remote_ip_prefix:
description: |-
The remote IP prefix to be associated with this security group rule.
This attribute matches the specified IP prefix as the source IP address of
the IP packet.
pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\/(?:3[0-2]|[1-2]?[0-9])$
type: string
required:
- direction
- id
- port_range_max
- port_range_min
- protocol
type: object
type: array
securityGroupID:
description: SecurityGroupID is the security group ID.
type: string
Expand Down
156 changes: 156 additions & 0 deletions charts/region/crds/region.unikorn-cloud.org_securitygrouprules.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: securitygrouprules.region.unikorn-cloud.org
spec:
group: region.unikorn-cloud.org
names:
categories:
- unikorn
kind: SecurityGroupRule
listKind: SecurityGroupRuleList
plural: securitygrouprules
singular: securitygrouprule
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Available")].reason
name: status
type: string
- jsonPath: .metadata.creationTimestamp
name: age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: SecurityGroupRule defines a security group rule beloning to a
security group.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
cidr:
description: CIDR is the CIDR block to allow traffic from.
pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\/(?:3[0-2]|[1-2]?[0-9])$
type: string
direction:
description: Direction is the direction of the rule.
enum:
- ingress
- egress
type: string
pause:
description: Pause, if true, will inhibit reconciliation.
type: boolean
port:
description: Port is the port or range of ports.
properties:
number:
description: Number is the port number.
type: integer
range:
description: Range is the port range.
properties:
end:
description: End is the end of the range.
maximum: 65535
type: integer
start:
description: Start is the start of the range.
minimum: 1
type: integer
required:
- end
- start
type: object
type: object
x-kubernetes-validations:
- message: at least one of number or range must be defined
rule: (has(self.number) || has(self.range))
protocol:
description: Protocol is the protocol of the rule.
enum:
- tcp
- udp
type: string
required:
- cidr
- direction
- port
- protocol
type: object
status:
properties:
conditions:
description: Current service state of a security group rule.
items:
description: |-
Condition is a generic condition type for use across all resource types.
It's generic so that the underlying controller-manager functionality can
be shared across all resources.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
enum:
- Provisioning
- Provisioned
- Cancelled
- Errored
- Deprovisioning
- Deprovisioned
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
enum:
- Available
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
44 changes: 1 addition & 43 deletions charts/region/crds/region.unikorn-cloud.org_securitygroups.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,48 +47,6 @@ spec:
type: object
spec:
properties:
ingress:
description: Ingress are the ingress rules.
items:
properties:
cidr:
description: Cidr is the CIDR block to allow traffic from.
pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\/(?:3[0-2]|[1-2]?[0-9])$
type: string
port:
description: Port is the port or range of ports.
properties:
number:
description: Number is the port number.
type: integer
range:
description: Range is the port range.
properties:
end:
description: End is the end of the range.
maximum: 65535
type: integer
start:
description: Start is the start of the range.
minimum: 1
type: integer
required:
- end
- start
type: object
type: object
protocol:
description: Protocol is the protocol of the rule.
enum:
- tcp
- udp
type: string
required:
- cidr
- port
- protocol
type: object
type: array
pause:
description: Pause, if true, will inhibit reconciliation.
type: boolean
Expand Down Expand Up @@ -121,7 +79,7 @@ spec:
status:
properties:
conditions:
description: Current service state of a cluster manager.
description: Current service state of a security group.
items:
description: |-
Condition is a generic condition type for use across all resource types.
Expand Down
26 changes: 26 additions & 0 deletions cmd/unikorn-security-group-rule-controller/main.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
/*
Copyright 2024 the Unikorn Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package main

import (
"github.com/unikorn-cloud/core/pkg/manager"
securitygrouprule "github.com/unikorn-cloud/region/pkg/managers/security-group-rule"
)

func main() {
manager.Run(&securitygrouprule.Factory{})
}
24 changes: 24 additions & 0 deletions pkg/apis/unikorn/v1alpha1/helpers.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,3 +94,27 @@ func (c *SecurityGroup) StatusConditionWrite(t unikornv1core.ConditionType, stat
func (c *SecurityGroup) ResourceLabels() (labels.Set, error) {
return nil, nil
}

// Paused implements the ReconcilePauser interface.
func (c *SecurityGroupRule) Paused() bool {
return c.Spec.Pause
}

// StatusConditionRead scans the status conditions for an existing condition whose type
// matches.
func (c *SecurityGroupRule) StatusConditionRead(t unikornv1core.ConditionType) (*unikornv1core.Condition, error) {
return unikornv1core.GetCondition(c.Status.Conditions, t)
}

// StatusConditionWrite either adds or updates a condition in the cluster manager status.
// If the condition, status and message match an existing condition the update is
// ignored.
func (c *SecurityGroupRule) StatusConditionWrite(t unikornv1core.ConditionType, status corev1.ConditionStatus, reason unikornv1core.ConditionReason, message string) {
unikornv1core.UpdateCondition(&c.Status.Conditions, t, status, reason, message)
}

// ResourceLabels generates a set of labels to uniquely identify the resource
// if it were to be placed in a single global namespace.
func (c *SecurityGroupRule) ResourceLabels() (labels.Set, error) {
return nil, nil
}
2 changes: 2 additions & 0 deletions pkg/apis/unikorn/v1alpha1/register.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ func init() {
SchemeBuilder.Register(&VLANAllocation{}, &VLANAllocationList{})
SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{})
SchemeBuilder.Register(&OpenstackSecurityGroup{}, &OpenstackSecurityGroupList{})
SchemeBuilder.Register(&SecurityGroupRule{}, &SecurityGroupRuleList{})
SchemeBuilder.Register(&OpenstackSecurityGroupRule{}, &OpenstackSecurityGroupRuleList{})
}

// Resource maps a resource type to a group resource.
Expand Down
Loading

0 comments on commit 54e2ccd

Please sign in to comment.