[occm][WIP] Add SG to node ensure the different node's pods can acces…
…s each other
jeffyjf committed Nov 28, 2023
1 parent 637a3d4 commit 6b498a6
Showing 1 changed file with 77 additions and 2 deletions.
79 changes: 77 additions & 2 deletions pkg/openstack/routes.go
Expand Up @@ -19,14 +19,18 @@ package openstack
import (
"context"
"net"
"strings"
"sync"

"github.com/gophercloud/gophercloud"
"github.com/gophercloud/gophercloud/openstack/identity/v3/groups"
"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/extraroutes"
"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/routers"
"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/rules"
"github.com/gophercloud/gophercloud/openstack/networking/v2/ports"
secgroups "github.com/gophercloud/utils/openstack/networking/v2/extensions/security/groups"

"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
cloudprovider "k8s.io/cloud-provider"
Expand Down Expand Up @@ -264,6 +268,70 @@ func updateAllowedAddressPairs(network *gophercloud.ServiceClient, port *ports.P
return unwinder, nil
}

func updateSecurityGroup(network *gophercloud.ServiceClient, port *ports.Port, newPairs []ports.AddressPair) (func(), error) {
segName := "occm-nodes-sg"
onFailure := newCaller()
var sgId string
var err error
sgId, err = secgroups.IDFromName(network, segName)
if err != nil {
if strings.Contains(err.Error(), "Unable to find") {
res := groups.Create(network, groups.CreateOpts{Name: segName})
if res.Err != nil {
return nil, res.Err
}
sgGroup, err := res.Extract()
if err != nil {
return nil, err
}
sgId = sgGroup.ID
ruleRes := rules.Create(network, rules.CreateOpts{Direction: rules.DirIngress, SecGroupID: sgId, RemoteGroupID: sgId})
if ruleRes.Err != nil {
return nil, ruleRes.Err
}
defer onFailure.call(func() {
groups.Delete(network, sgId)
})
klog.V(2).Infof("Node security group %s created", segName)
} else {
return nil, err
}
}
var newRules []string
for _, pair := range newPairs {
res := rules.Create(network, rules.CreateOpts{Direction: rules.DirIngress, SecGroupID: sgId, RemoteIPPrefix: pair.IPAddress})
if res.Err != nil {
return nil, res.Err
}
rule, err := res.Extract()
if err != nil {
return nil, err
}
klog.V(2).Infof("Node security group rule created: %v", rule)
newRules = append(newRules, rule.ID)
}
defer onFailure.call(func() {
for _, rule := range newRules {
rules.Delete(network, rule)
}
})

oldSgs := port.SecurityGroups
sgs := append(port.SecurityGroups, sgId)
res := ports.Update(network, port.ID, ports.UpdateOpts{SecurityGroups: &sgs})
if res.Err != nil {
return nil, res.Err
}
onFailure.disarm()
unwinder := func() {
ports.Update(network, port.ID, ports.UpdateOpts{SecurityGroups: &oldSgs})
for _, rule := range newRules {
rules.Delete(network, rule)
}
}
return unwinder, nil
}

// CreateRoute creates the described managed route
func (r *Routes) CreateRoute(ctx context.Context, clusterName string, nameHint string, route *cloudprovider.Route) error {
ip, _, _ := net.ParseCIDR(route.DestinationCIDR)
Expand Down Expand Up @@ -344,8 +412,9 @@ func (r *Routes) CreateRoute(ctx context.Context, clusterName string, nameHint s
}
}

var newPairs []ports.AddressPair
if !found {
newPairs := append(port.AllowedAddressPairs, ports.AddressPair{
newPairs = append(port.AllowedAddressPairs, ports.AddressPair{
IPAddress: route.DestinationCIDR,
})
unwind, err := updateAllowedAddressPairs(r.network, port, newPairs)
Expand All @@ -355,6 +424,12 @@ func (r *Routes) CreateRoute(ctx context.Context, clusterName string, nameHint s
defer onFailure.call(unwind)
}

unwind, err := updateSecurityGroup(r.network, port, newPairs)
if err != nil {
return err
}
defer onFailure.call(unwind)

klog.V(4).Infof("Route created: %v", route)
onFailure.disarm()
return nil
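Review bot: The per-prefix rule loop around `rules.Create(network, rules.CreateOpts{Direction: rules.DirIngress, SecGroupID: sgId, RemoteIPPrefix: pair.IPAddress})` runs over every element of newPairs, and the CreateRoute hunk builds newPairs as the port's full existing AllowedAddressPairs plus the new entry, so the second route added to a port tries to recreate the rules of the earlier prefixes — as far as I recall Neutron answers an exact duplicate rule with a 409, which would make CreateRoute fail for every route after the first on that port. `sgs := append(port.SecurityGroups, sgId)` has the same shape: it re-appends the group on each call without checking whether the port already carries it. Nothing in this commit removes a prefix rule when its route goes away (DeleteRoute is outside the hunk and the rule IDs only live in the unwinder), so a rule outlives its node and keeps that pod CIDR open to the node port for all protocols and ports — the rule sets no Protocol, PortRange or EtherType, so an IPv6 DestinationCIDR (nothing at `net.ParseCIDR(route.DestinationCIDR)` rules one out) would presumably also be rejected against the default IPv4 ethertype; confirm against the Neutron API. I would look up an existing rule for the prefix before creating one and skip the group attach when it is already present, as below, and persist or re-derive the rule so the delete path can undo it; updateSecurityGroup lies wholly within the hunk, CreateRoute starts and ends outside it.
```go
// … unchanged: group lookup / creation …
var newRules []string
for _, pair := range newPairs {
	// newPairs carries every existing pair of the port, so reuse a rule
	// that is already there instead of creating an identical one.
	existing, err := rules.List(network, rules.ListOpts{
		SecGroupID:     sgId,
		Direction:      string(rules.DirIngress),
		RemoteIPPrefix: pair.IPAddress,
	}).AllPages()
	if err != nil {
		return nil, err
	}
	present, err := rules.ExtractRules(existing)
	if err != nil {
		return nil, err
	}
	if len(present) > 0 {
		continue
	}
	// … unchanged: rules.Create, Extract, append to newRules …
}
// … unchanged: deferred rule cleanup …
oldSgs := port.SecurityGroups
attached := false
for _, id := range oldSgs {
	if id == sgId {
		attached = true
		break
	}
}
sgs := oldSgs
if !attached {
	sgs = append(append([]string{}, oldSgs...), sgId)
}
```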
