Wicket work
- Add the allowlist types to a bunch of OpenAPI documents, mostly
  through gratuitous use of Progenitor's `replace` feature
- Add fields to the RSS config structs passed around between wicket /
  wicketd
- Add the allowlist as an entry to the rack update pane in wicket's UI
bnaecker committed May 3, 2024
1 parent eb16907 commit 44a8d47
Showing 10 changed files with 282 additions and 7 deletions.
60 changes: 60 additions & 0 deletions clients/bootstrap-agent-client/src/lib.rs
Expand Up @@ -22,6 +22,11 @@ progenitor::generate_api!(
Ipv4Network = ipnetwork::Ipv4Network,
Ipv6Network = ipnetwork::Ipv6Network,
IpNetwork = ipnetwork::IpNetwork,
IpNet = omicron_common::api::external::IpNet,
Ipv4Net = omicron_common::api::external::Ipv4Net,
Ipv6Net = omicron_common::api::external::Ipv6Net,
IpAllowList = omicron_common::api::external::IpAllowList,
AllowedSourceIps = omicron_common::api::external::AllowedSourceIps,
}
);

Expand Down Expand Up @@ -66,3 +71,58 @@ impl From<sled_hardware_types::Baseboard> for types::Baseboard {
}
}
}

/*
impl TryFrom<&types::Ipv4Net> for external::Ipv4Net {
type Error = String;
fn try_from(
net: &types::Ipv4Net,
) -> Result<Self, Self::Error> {
net.parse().map(external::Ipv4Net).map_err(|e| e.to_string())
}
}
impl TryFrom<&types::Ipv6Net> for external::Ipv6Net {
type Error = String;
fn try_from(
net: &types::Ipv6Net,
) -> Result<Self, Self::Error> {
net.parse().map(external::Ipv6Net).map_err(|e| e.to_string())
}
}
impl TryFrom<&types::IpNet> for external::IpNet {
type Error = String;
fn try_from(
net: &types::IpNet,
) -> Result<Self, Self::Error> {
match net {
types::IpNet::V4(v4) => external::Ipv4Net::try_from(v4).map(external::IpNet::V4),
types::IpNet::V6(v6) => external::Ipv6Net::try_from(v6).map(external::IpNet::V6),
}
}
}
impl TryFrom<&types::AllowedSourceIps> for external::AllowedSourceIps
{
type Error = String;
fn try_from(
ips: &types::AllowedSourceIps,
) -> Result<Self, Self::Error> {
match ips {
types::AllowedSourceIps::Any => Ok(external::AllowedSourceIps::Any),
types::AllowedSourceIps::List(list) => {
let vec = list
.iter()
.map(TryFrom::try_from)
.collect::<Result<Vec<_>, _>>()?;
external::AllowedSourceIps::try_from(vec).map_err(|e| e.to_string())
}
}
}
}
*/
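Review bot: The commented-out `TryFrom` block from L38 to L84 should be deleted rather than committed; once `Ipv4Net`, `Ipv6Net`, `IpNet` and `AllowedSourceIps` are bound to the `omicron_common` types through `replace` at L25–L29, the generated `types::*` names these impls convert from are, as far as I can tell, the external types themselves, so the block cannot be uncommented as written, and the `external` path it refers to is not visibly imported. If it is being kept as a reference for follow-up work, a one-line `// TODO: …` explaining what is pending would be cheaper to maintain than 46 lines of dead code. Separately, the `IpAllowList` entry at L28 has no matching schema in the openapi/bootstrap-agent.json section of this commit (only `AllowedSourceIps`, `IpNet`, `Ipv4Net` and `Ipv6Net` are added), so that replace line looks unused unless the schema already exists elsewhere in the document.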
5 changes: 3 additions & 2 deletions clients/wicketd-client/src/lib.rs
Expand Up @@ -44,12 +44,13 @@ progenitor::generate_api!(
RackOperationStatus = { derives = [ PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize ] },
RackNetworkConfigV1 = { derives = [ PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize ] },
UplinkConfig = { derives = [ PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize ] },
CurrentRssUserConfigInsensitive = { derives = [ PartialEq, Eq, Serialize, Deserialize ] },
CurrentRssUserConfigInsensitive = { derives = [ PartialEq, Serialize, Deserialize ] },
CurrentRssUserConfigSensitive = { derives = [ PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize ] },
CurrentRssUserConfig = { derives = [ PartialEq, Eq, Serialize, Deserialize ] },
CurrentRssUserConfig = { derives = [ PartialEq, Serialize, Deserialize ] },
GetLocationResponse = { derives = [ PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize ] },
},
replace = {
AllowedSourceIps = omicron_common::api::internal::shared::AllowedSourceIps,
BgpConfig = omicron_common::api::internal::shared::BgpConfig,
BgpPeerConfig = omicron_common::api::internal::shared::BgpPeerConfig,
ClearUpdateStateResponse = wicket_common::rack_update::ClearUpdateStateResponse,
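Review bot: `Eq` is dropped from the derives of `CurrentRssUserConfigInsensitive` at L92 and `CurrentRssUserConfig` at L95 with nothing explaining why; the likely reason is that the newly replaced `AllowedSourceIps` at L99 does not implement `Eq`, but that is an inference from this hunk alone. A short comment on L92 such as `// No Eq: AllowedSourceIps (replaced below) does not implement it` would stop the next person from re-adding the derive and hitting the same compile error.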
87 changes: 86 additions & 1 deletion openapi/bootstrap-agent.json
Expand Up @@ -161,6 +161,48 @@
},
"components": {
"schemas": {
"AllowedSourceIps": {
"description": "Description of source IPs allowed to reach rack services.",
"oneOf": [
{
"description": "Allow traffic from any external IP address.",
"type": "object",
"properties": {
"allow": {
"type": "string",
"enum": [
"any"
]
}
},
"required": [
"allow"
]
},
{
"description": "Restrict access to a specific set of source IP addresses or subnets.\n\nAll others are prevented from reaching rack services.",
"type": "object",
"properties": {
"allow": {
"type": "string",
"enum": [
"list"
]
},
"ips": {
"type": "array",
"items": {
"$ref": "#/components/schemas/IpNet"
}
}
},
"required": [
"allow",
"ips"
]
}
]
},
"Baseboard": {
"description": "Describes properties that should uniquely identify a Gimlet.",
"oneOf": [
Expand Down Expand Up @@ -305,7 +347,7 @@
"format": "ipv4"
},
"asn": {
"description": "The autonomous sysetm number of the router the peer belongs to.",
"description": "The autonomous system number of the router the peer belongs to.",
"type": "integer",
"format": "uint32",
"minimum": 0
Expand Down Expand Up @@ -449,6 +491,26 @@
"request_id"
]
},
"IpNet": {
"oneOf": [
{
"title": "v4",
"allOf": [
{
"$ref": "#/components/schemas/Ipv4Net"
}
]
},
{
"title": "v6",
"allOf": [
{
"$ref": "#/components/schemas/Ipv6Net"
}
]
}
]
},
"IpNetwork": {
"oneOf": [
{
Expand Down Expand Up @@ -489,6 +551,13 @@
}
]
},
"Ipv4Net": {
"example": "192.168.1.0/24",
"title": "An IPv4 subnet",
"description": "An IPv4 subnet, including prefix and subnet mask",
"type": "string",
"pattern": "^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|1[0-9]|2[0-9]|3[0-2])$"
},
"Ipv4Network": {
"type": "string",
"pattern": "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/(3[0-2]|[0-2]?[0-9])$"
Expand All @@ -511,6 +580,13 @@
"last"
]
},
"Ipv6Net": {
"example": "fd12:3456::/64",
"title": "An IPv6 subnet",
"description": "An IPv6 subnet, including prefix and subnet mask",
"type": "string",
"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
},
"Ipv6Network": {
"type": "string",
"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\")[/](12[0-8]|1[0-1][0-9]|[0-9]?[0-9])$"
Expand Down Expand Up @@ -646,6 +722,14 @@
"description": "Configuration for the \"rack setup service\".\n\nThe Rack Setup Service should be responsible for one-time setup actions, such as CockroachDB placement and initialization. Without operator intervention, however, these actions need a way to be automated in our deployment.",
"type": "object",
"properties": {
"allowed_source_ips": {
"description": "IPs or subnets allowed to make requests to user-facing services",
"allOf": [
{
"$ref": "#/components/schemas/AllowedSourceIps"
}
]
},
"bootstrap_discovery": {
"description": "Describes how bootstrap addresses should be collected during RSS.",
"allOf": [
Expand Down Expand Up @@ -721,6 +805,7 @@
}
},
"required": [
"allowed_source_ips",
"bootstrap_discovery",
"dns_servers",
"external_certificates",
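Review bot: The `Ipv6Net` pattern at L214 only matches prefixes that begin with `fd` plus two hex digits, i.e. the fd00::/8 ULA range, so an `AllowedSourceIps::List` entry naming a public IPv6 source range cannot be expressed through this schema even though the description at L129 presents the list as a restriction on external source addresses. The `Ipv4Net` pattern at L200 has no such limitation, so the two address families behave differently: a globally routable v6 source is rejected by schema validation, or, where a client does not enforce the pattern, is sent as a value the contract declares invalid. This document appears to be generated from the `omicron_common::api::external::Ipv6Net` schema named in the client `replace` block, so the fix belongs in that type's `JsonSchema` definition rather than in this file; the same pattern appears at L380 of openapi/wicketd.json. If the allowlist is intentionally limited to ULA v6 sources, the `AllowedSourceIps` description at L129 should say so.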
2 changes: 1 addition & 1 deletion openapi/sled-agent.json
Expand Up @@ -1452,7 +1452,7 @@
"format": "ipv4"
},
"asn": {
"description": "The autonomous sysetm number of the router the peer belongs to.",
"description": "The autonomous system number of the router the peer belongs to.",
"type": "integer",
"format": "uint32",
"minimum": 0
90 changes: 89 additions & 1 deletion openapi/wicketd.json
Expand Up @@ -699,6 +699,48 @@
"message"
]
},
"AllowedSourceIps": {
"description": "Description of source IPs allowed to reach rack services.",
"oneOf": [
{
"description": "Allow traffic from any external IP address.",
"type": "object",
"properties": {
"allow": {
"type": "string",
"enum": [
"any"
]
}
},
"required": [
"allow"
]
},
{
"description": "Restrict access to a specific set of source IP addresses or subnets.\n\nAll others are prevented from reaching rack services.",
"type": "object",
"properties": {
"allow": {
"type": "string",
"enum": [
"list"
]
},
"ips": {
"type": "array",
"items": {
"$ref": "#/components/schemas/IpNet"
}
}
},
"required": [
"allow",
"ips"
]
}
]
},
"ArtifactHashId": {
"description": "A hash-based identifier for an artifact.\n\nSome places, e.g. the installinator, request artifacts by hash rather than by name and version. This type indicates that.",
"type": "object",
Expand Down Expand Up @@ -844,7 +886,7 @@
"format": "ipv4"
},
"asn": {
"description": "The autonomous sysetm number of the router the peer belongs to.",
"description": "The autonomous system number of the router the peer belongs to.",
"type": "integer",
"format": "uint32",
"minimum": 0
Expand Down Expand Up @@ -1092,6 +1134,14 @@
"CurrentRssUserConfigInsensitive": {
"type": "object",
"properties": {
"allowed_source_ips": {
"nullable": true,
"allOf": [
{
"$ref": "#/components/schemas/AllowedSourceIps"
}
]
},
"bootstrap_sleds": {
"type": "array",
"items": {
Expand Down Expand Up @@ -1446,6 +1496,26 @@
"installable"
]
},
"IpNet": {
"oneOf": [
{
"title": "v4",
"allOf": [
{
"$ref": "#/components/schemas/Ipv4Net"
}
]
},
{
"title": "v6",
"allOf": [
{
"$ref": "#/components/schemas/Ipv6Net"
}
]
}
]
},
"IpNetwork": {
"oneOf": [
{
Expand Down Expand Up @@ -1486,6 +1556,13 @@
}
]
},
"Ipv4Net": {
"example": "192.168.1.0/24",
"title": "An IPv4 subnet",
"description": "An IPv4 subnet, including prefix and subnet mask",
"type": "string",
"pattern": "^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|1[0-9]|2[0-9]|3[0-2])$"
},
"Ipv4Network": {
"type": "string",
"pattern": "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/(3[0-2]|[0-2]?[0-9])$"
Expand All @@ -1508,6 +1585,13 @@
"last"
]
},
"Ipv6Net": {
"example": "fd12:3456::/64",
"title": "An IPv6 subnet",
"description": "An IPv6 subnet, including prefix and subnet mask",
"type": "string",
"pattern": "^([fF][dD])[0-9a-fA-F]{2}:(([0-9a-fA-F]{1,4}:){6}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,6}:)([0-9a-fA-F]{1,4})?\\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
},
"Ipv6Network": {
"type": "string",
"pattern": "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\")[/](12[0-8]|1[0-1][0-9]|[0-9]?[0-9])$"
Expand Down Expand Up @@ -2132,6 +2216,9 @@
"PutRssUserConfigInsensitive": {
"type": "object",
"properties": {
"allowed_source_ips": {
"$ref": "#/components/schemas/AllowedSourceIps"
},
"bootstrap_sleds": {
"description": "List of slot numbers only.\n\n`wicketd` will map this back to sleds with the correct `SpIdentifier` based on the `bootstrap_sleds` it provides in `CurrentRssUserConfigInsensitive`.",
"type": "array",
Expand Down Expand Up @@ -2176,6 +2263,7 @@
}
},
"required": [
"allowed_source_ips",
"bootstrap_sleds",
"dns_servers",
"external_dns_ips",
4 changes: 3 additions & 1 deletion wicket-common/src/rack_setup.rs
Expand Up @@ -2,9 +2,10 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

// Copyright 2023 Oxide Computer Company
// Copyright 2024 Oxide Computer Company

use omicron_common::address;
use omicron_common::api::internal::shared::AllowedSourceIps;
use omicron_common::api::internal::shared::BgpConfig;
use omicron_common::api::internal::shared::PortConfigV1;
use schemars::JsonSchema;
Expand Down Expand Up @@ -40,4 +41,5 @@ pub struct PutRssUserConfigInsensitive {
pub external_dns_ips: Vec<IpAddr>,
pub external_dns_zone_name: String,
pub rack_network_config: UserSpecifiedRackNetworkConfig,
pub allowed_source_ips: AllowedSourceIps,
}
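Review bot: The new `allowed_source_ips` field at L422 has no doc comment, and since this struct presumably derives `JsonSchema` (imported at L417) that is why the `PutRssUserConfigInsensitive` entry in openapi/wicketd.json at L389–L391 carries no description for it, whereas the bootstrap-agent RSS config documents the same field. Adding `/// IPs or subnets allowed to make requests to user-facing services.` above L422 would propagate that text into the generated API document. The `PutRssUserConfigInsensitive` struct begins before this hunk.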
