From 9528f421bd309314751c77ba768f814f2db555b5 Mon Sep 17 00:00:00 2001
From: Vince Prignano
Date: Fri, 6 Oct 2023 11:04:01 -0700
Subject: [PATCH] :seedling: Allow ESP protocol to be set in IngressRules

Signed-off-by: Vince Prignano
---
 api/v1beta2/network_types.go | 9 ++++++---
 ...e.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml | 14 ++++++++++----
 ...nfrastructure.cluster.x-k8s.io_awsclusters.yaml | 10 +++++++---
 ...cture.cluster.x-k8s.io_awsclustertemplates.yaml | 8 ++++++--
 pkg/cloud/services/securitygroup/securitygroups.go | 4 +++-
 .../cluster-template-internal-elb.yaml | 14 ++++++++++++++
 6 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
index 3f68e770cc..b964a4614d 100644
--- a/api/v1beta2/network_types.go
+++ b/api/v1beta2/network_types.go
@@ -590,14 +590,17 @@ var (
 	// SecurityGroupProtocolICMPv6 represents the ICMPv6 protocol in ingress rules.
 	SecurityGroupProtocolICMPv6 = SecurityGroupProtocol("58")
+
+	// SecurityGroupProtocolESP represents the ESP protocol in ingress rules.
+	SecurityGroupProtocolESP = SecurityGroupProtocol("50")
 )
 
 // IngressRule defines an AWS ingress rule for security groups.
 type IngressRule struct {
 	// Description provides extended information about the ingress rule.
 	Description string `json:"description"`
-	// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
-	// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58"
+	// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
+	// +kubebuilder:validation:Enum="-1";"4";tcp;udp;icmp;"58";"50"
 	Protocol SecurityGroupProtocol `json:"protocol"`
 	// FromPort is the start of port range.
 	FromPort int64 `json:"fromPort"`
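Review bot: The updated Protocol doc comment now reads `"icmp", and "58" (ICMPv6), "50" (ESP)`, leaving the conjunction in the wrong place after the new value was appended, and this sentence is what controller-gen copies into every CRD description in this patch; suggest `// Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP), "tcp", "udp", "icmp", "58" (ICMPv6), and "50" (ESP).` so the regenerated descriptions read cleanly. It would also help operators writing rules to state here that FromPort/ToPort are not applied for "-1", "4" and "50" — the Equals branch in this file and the SDK conversion in securitygroups.go both drop the ports for those protocols, but the FromPort/ToPort field docs still present them as a port range. The enum marker matches the new constant, so validation and the constant set stay in sync.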
@@ -706,7 +709,7 @@ func (i *IngressRule) Equals(o *IngressRule) bool {
 	SecurityGroupProtocolICMP, SecurityGroupProtocolICMPv6:
 		return i.FromPort == o.FromPort && i.ToPort == o.ToPort
-	case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP:
+	case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP, SecurityGroupProtocolESP:
 		// FromPort / ToPort are not applicable
 	}
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
index 84b7e14331..d5cca03753 100644
--- a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
+++ b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -386,7 +386,7 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp",
- "udp", "icmp", and "58" (ICMPv6).
+ "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
 enum:
 - "-1"
 - "4"
@@ -394,6 +394,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access from.
@@ -1525,7 +1526,8 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in
- IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+ IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
+ (ESP).
 enum:
 - "-1"
 - "4"
@@ -1533,6 +1535,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access
@@ -1969,7 +1972,7 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp",
- "udp", "icmp", and "58" (ICMPv6).
+ "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
 enum:
 - "-1"
 - "4"
@@ -1977,6 +1980,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access from.
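Review bot: The set of "port-less" protocols is now spelled out in two switch statements with different orderings: here `SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP, SecurityGroupProtocolESP` on one line, while the matching case in `ingressRuleToSDKType` (securitygroups.go hunk in this patch) lists `IPinIP, ESP, All` one per line. Keeping the same order and layout in both makes it easy to audit that every protocol for which Equals ignores the ports is also the one for which the SDK conversion omits them, which is the property that prevents reconcile drift; suggest `case SecurityGroupProtocolAll, SecurityGroupProtocolIPinIP, SecurityGroupProtocolESP:` kept as the canonical order and the other switch aligned to it. The enclosing Equals method starts and ends outside this hunk, so I cannot see whether a default branch handles protocol values outside the enum.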
@@ -3121,7 +3125,8 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in
- IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+ IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
+ (ESP).
 enum:
 - "-1"
 - "4"
@@ -3129,6 +3134,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
index 3d956ce83b..187b3f102c 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -1029,7 +1029,7 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp",
- "udp", "icmp", and "58" (ICMPv6).
+ "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
 enum:
 - "-1"
 - "4"
@@ -1037,6 +1037,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access from.
@@ -1189,7 +1190,7 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in IP),"tcp",
- "udp", "icmp", and "58" (ICMPv6).
+ "udp", "icmp", and "58" (ICMPv6), "50" (ESP).
 enum:
 - "-1"
 - "4"
@@ -1197,6 +1198,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access from.
@@ -2059,7 +2061,8 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP in
- IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+ IP),"tcp", "udp", "icmp", and "58" (ICMPv6), "50"
+ (ESP).
 enum:
 - "-1"
 - "4"
@@ -2067,6 +2070,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
index bb37126f0f..5f369a80c6 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -624,7 +624,8 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP
- in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+ in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
+ "50" (ESP).
 enum:
 - "-1"
 - "4"
@@ -632,6 +633,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access
@@ -791,7 +793,8 @@ spec:
 protocol:
 description: Protocol is the protocol for the ingress rule. Accepted values are "-1" (all), "4" (IP
- in IP),"tcp", "udp", "icmp", and "58" (ICMPv6).
+ in IP),"tcp", "udp", "icmp", and "58" (ICMPv6),
+ "50" (ESP).
 enum:
 - "-1"
 - "4"
@@ -799,6 +802,7 @@ spec:
 - udp
 - icmp
 - "58"
+ - "50"
 type: string
 sourceSecurityGroupIds:
 description: The security group id to allow access
diff --git a/pkg/cloud/services/securitygroup/securitygroups.go b/pkg/cloud/services/securitygroup/securitygroups.go
index df5812f42b..e8e0c9d95b 100644
--- a/pkg/cloud/services/securitygroup/securitygroups.go
+++ b/pkg/cloud/services/securitygroup/securitygroups.go
@@ -680,7 +680,9 @@ func ingressRuleToSDKType(scope scope.SGScope, i *infrav1.IngressRule) (res *ec2
 			FromPort: aws.Int64(i.FromPort),
 			ToPort: aws.Int64(i.ToPort),
 		}
-	case infrav1.SecurityGroupProtocolAll, infrav1.SecurityGroupProtocolIPinIP:
+	case infrav1.SecurityGroupProtocolIPinIP,
+		infrav1.SecurityGroupProtocolESP,
+		infrav1.SecurityGroupProtocolAll:
 		res = &ec2.IpPermission{
 			IpProtocol: aws.String(string(i.Protocol)),
 		}
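Review bot: Only the spec-to-SDK direction learns about ESP in this hunk; the reconcile loop also has to recognise an existing `IpPermission` with `IpProtocol "50"` when it reads the live security group back, or an ESP rule will be seen as missing and re-applied on every reconcile. I cannot see that reverse path in this diff — if the package's SDK-to-IngressRule helper copies IpProtocol and the (absent) ports generically, the new Equals branch already covers it, but please confirm with a test that round-trips an ESP rule. A short comment on the case would also help the next reader: `// AWS ignores FromPort/ToPort for these protocols, so they are deliberately not set.` The enclosing ingressRuleToSDKType starts and ends outside the hunk.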
diff --git a/test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml b/test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml
index 9d5245abd3..62166bbf1a 100644
--- a/test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml
+++ b/test/e2e/data/infrastructure-aws/withoutclusterclass/e2e_test_templates/cluster-template-internal-elb.yaml
@@ -28,6 +28,20 @@ spec:
 controlPlaneLoadBalancer:
 scheme: internal
 network:
+ cni:
+ cniIngressRules:
+ - description: Allow ESP traffic from all nodes in the cluster
+ protocol: "50"
+ fromPort: -1
+ toPort: -1
+ - description: bgp (calico)
+ protocol: tcp
+ fromPort: 179
+ toPort: 179
+ - description: IP-in-IP (calico)
+ protocol: "4"
+ fromPort: -1
+ toPort: 65535
 subnets:
 - id: ${WL_PRIVATE_SUBNET_ID}
 vpc:
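Review bot: The new cniIngressRules use two different port sentinels for protocols that have no ports: the ESP rule sets `fromPort: -1` / `toPort: -1`, while the IP-in-IP rule sets `fromPort: -1` / `toPort: 65535`. Both are dropped by the SDK conversion and ignored by `IngressRule.Equals` in this same patch, so the behaviour is identical, but e2e templates get copied into user manifests and should model one convention; suggest `toPort: -1` on the IP-in-IP rule as well. It is also worth stating in the ESP description that ports are not applicable, e.g. `description: ESP (ports not applicable)`, so nobody later "tightens" the rule by editing values that have no effect.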