Add service firewall rule background task

oxidecomputer · May 3, 2024 · fdb9d96 · fdb9d96
1 parent 44a8d47
commit fdb9d96
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 1 deletion.
diff --git a/nexus-config/src/nexus_config.rs b/nexus-config/src/nexus_config.rs
@@ -375,6 +375,8 @@ pub struct BackgroundTaskConfig {
     pub switch_port_settings_manager: SwitchPortSettingsManagerConfig,
     /// configuration for region replacement task
     pub region_replacement: RegionReplacementConfig,
+    /// configuration for service VPC firewall propagation task
+    pub service_firewall_propagation: ServiceFirewallPropagationConfig,
 }
 
 #[serde_as]
@@ -519,6 +521,14 @@ pub struct RegionReplacementConfig {
     pub period_secs: Duration,
 }
 
+#[serde_as]
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
+pub struct ServiceFirewallPropagationConfig {
+    /// period (in seconds) for periodic activations of this background task
+    #[serde_as(as = "DurationSeconds<u64>")]
+    pub period_secs: Duration,
+}
+
 /// Configuration for a nexus server
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 pub struct PackageConfig {
@@ -755,6 +765,7 @@ mod test {
             sync_service_zone_nat.period_secs = 30
             switch_port_settings_manager.period_secs = 30
             region_replacement.period_secs = 30
+            service_firewall_propagation.period_secs = 300
             [default_region_allocation_strategy]
             type = "random"
             seed = 0
@@ -883,6 +894,10 @@ mod test {
                         region_replacement: RegionReplacementConfig {
                             period_secs: Duration::from_secs(30),
                         },
+                        service_firewall_propagation:
+                            ServiceFirewallPropagationConfig {
+                                period_secs: Duration::from_secs(300),
+                            }
                     },
                     default_region_allocation_strategy:
                         crate::nexus_config::RegionAllocationStrategy::Random {
@@ -949,6 +964,7 @@ mod test {
             sync_service_zone_nat.period_secs = 30
             switch_port_settings_manager.period_secs = 30
             region_replacement.period_secs = 30
+            service_firewall_propagation.period_secs = 300
             [default_region_allocation_strategy]
             type = "random"
             "##,

diff --git a/nexus/examples/config.toml b/nexus/examples/config.toml
@@ -113,6 +113,7 @@ blueprints.period_secs_execute = 60
 sync_service_zone_nat.period_secs = 30
 switch_port_settings_manager.period_secs = 30
 region_replacement.period_secs = 30
+service_firewall_propagation.period_secs = 300
 
 [default_region_allocation_strategy]
 # allocate region on 3 random distinct zpools, on 3 random distinct sleds.

diff --git a/nexus/src/app/background/init.rs b/nexus/src/app/background/init.rs
@@ -18,6 +18,7 @@ use super::nat_cleanup;
 use super::phantom_disks;
 use super::physical_disk_adoption;
 use super::region_replacement;
+use super::service_firewall_rules;
 use super::sync_service_zone_nat::ServiceZoneNatTracker;
 use super::sync_switch_configuration::SwitchPortSettingsManager;
 use crate::app::oximeter::PRODUCER_LEASE_DURATION;
@@ -90,6 +91,10 @@ pub struct BackgroundTasks {
     /// task handle for the task that detects if regions need replacement and
     /// begins the process
     pub task_region_replacement: common::TaskHandle,
+
+    /// task handle for propagation of VPC firewall rules for Omicron services
+    /// with external network connectivity,
+    pub task_service_firewall_propagation: common::TaskHandle,
 }
 
 impl BackgroundTasks {
@@ -325,7 +330,7 @@ impl BackgroundTasks {
         // process
         let task_region_replacement = {
             let detector = region_replacement::RegionReplacementDetector::new(
-                datastore,
+                datastore.clone(),
                 saga_request.clone(),
             );
 
@@ -341,6 +346,21 @@ impl BackgroundTasks {
             task
         };
 
+        // Background task: service firewall rule propagation
+        let task_service_firewall_propagation = driver.register(
+            String::from("service_firewall_rule_propagation"),
+            String::from(
+                "propagates VPC firewall rules for Omicron \
+                services with external network connectivity",
+            ),
+            config.service_firewall_propagation.period_secs,
+            Box::new(service_firewall_rules::ServiceRulePropagator::new(
+                datastore.clone(),
+            )),
+            opctx.child(BTreeMap::new()),
+            vec![],
+        );
+
         BackgroundTasks {
             driver,
             task_internal_dns_config,
@@ -360,6 +380,7 @@ impl BackgroundTasks {
             task_service_zone_nat_tracker,
             task_switch_port_settings_manager,
             task_region_replacement,
+            task_service_firewall_propagation,
         }
     }
 

diff --git a/nexus/src/app/background/mod.rs b/nexus/src/app/background/mod.rs
@@ -20,6 +20,7 @@ mod networking;
 mod phantom_disks;
 mod physical_disk_adoption;
 mod region_replacement;
+mod service_firewall_rules;
 mod status;
 mod sync_service_zone_nat;
 mod sync_switch_configuration;

diff --git a/nexus/tests/config.test.toml b/nexus/tests/config.test.toml
@@ -109,6 +109,7 @@ blueprints.period_secs_execute = 600
 sync_service_zone_nat.period_secs = 30
 switch_port_settings_manager.period_secs = 30
 region_replacement.period_secs = 30
+service_firewall_propagation.period_secs = 300
 
 [default_region_allocation_strategy]
 # we only have one sled in the test environment, so we need to use the

diff --git a/smf/nexus/multi-sled/config-partial.toml b/smf/nexus/multi-sled/config-partial.toml
@@ -55,6 +55,7 @@ blueprints.period_secs_execute = 60
 sync_service_zone_nat.period_secs = 30
 switch_port_settings_manager.period_secs = 30
 region_replacement.period_secs = 30
+service_firewall_propagation.period_secs = 300
 
 [default_region_allocation_strategy]
 # by default, allocate across 3 distinct sleds

diff --git a/smf/nexus/single-sled/config-partial.toml b/smf/nexus/single-sled/config-partial.toml
@@ -55,6 +55,7 @@ blueprints.period_secs_execute = 60
 sync_service_zone_nat.period_secs = 30
 switch_port_settings_manager.period_secs = 30
 region_replacement.period_secs = 30
+service_firewall_propagation.period_secs = 300
 
 [default_region_allocation_strategy]
 # by default, allocate without requirement for distinct sleds.