kubebuilder create api --group batch --version v1alpha1 --kind Mwan3Policy
```
-**NOTE:** For each new created CRD, we need to make correspond changes for webhook.
+**NOTE:** For each new created CRD, we need to make correspond changes(add switch cases and webhook resources) for [webhook](src/api/v1alpha1/bucket_permission_webhook.go).
To run local controller(For test/debug purpose)
```
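Review bot: The rewritten NOTE at L4 still under-counts the places a new CRD has to be wired in. This very diff also touches the controller Role rules, the webhook manifest's resource list, the PROJECT file, and the example permission annotation and Role in the NOTEs section, beyond the switch cases and the `+kubebuilder:webhook` marker it names; listing all of them (or pointing at the regenerate step that produces the manifests) keeps the next CRD from being half-registered. Wording: "For each new created CRD, we need to make correspond changes" reads better as "For each newly created CRD, make the corresponding changes".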
- One CRD one controller
- Controller watches itself CR and the Deployment(ready status only)
- Reconcile calls WrtProvider to add/update/delete rules for CNF
+- `GenerationChangedPredicate` should be added to each CRD controller, to prevent status/meta changes triggering reconcile
- CnfProvider interfaces defines the function CNF function calls. WrtProvider is one implementation of CnfProvider
- For the users, CNF rules are CRs. But for openwrt, the rules are openwrt rule entities. We can pass the CRs to OpenWRT API. Instead, we need to convert the CRs to OpenWRT entities.
- Finalizer should be added to CR only when AddUpdate call succeed. Likewise, finalizer should be removed from CR only when Delete call succeed.
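Review bot: The `GenerationChangedPredicate` advice at L10 needs a scope caveat: attach it to the CR watch only. The Deployment watch described at L8 exists precisely to observe ready-status changes, and status updates do not bump `metadata.generation`, so the same predicate on that watch would drop every event it is meant to deliver. Suggest "should be added to the CR watch of each controller (e.g. via `builder.WithPredicates`)", and it is worth stating that adding or removing the finalizer (L13) is a metadata-only change and is therefore filtered too, which is the desired effect. L26 under "What we don't have yet" still lists the predicate as pending, so one of the two lines should be updated.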
- A runable framework with Mwan3Policy CRD and controller implemented. It means we can run the controller and add/update/delete mwan3policy rules.
- We have extracted the common logics of controllers, and implemeted the second crd/controller with it
- The label based permission system implemented by webhook
+- Supported CRDs:
+ - Mwan3Policy
+ - Mwan3Rule
+ - FirewallForwarding
+ - FirewallZone
+ - FirewallRule
+ - FirewallDNAT
+ - FirewallSNAT
### What we don't have yet
- Add a watch for deployment, so that the controller can get the CNF ready status change. [predicate feature](https://godoc.org/sigs.k8s.io/controller-runtime/pkg/predicate#example-Funcs) should be used to filter no-status event.
-- Implemente the remain CRDs/controllers. As all the controller logics are almost the same, some workload will be the extracting of the similar logic and make them functions.
-- Add validation webhook to validate CR
+- Implemente the ipsec CRDs/controllers
+- Add validation webhook to validate CR ( as we have the validation in openwrt, so not validate the CR at frontend)
### NOTEs
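Review bot: The decision recorded at L30, skipping CR validation because OpenWRT validates, means a malformed CR is admitted and persisted and the author only learns about it from `status.message` after a reconcile attempt. The validation webhook already exists for the permission check, so the cheap middle ground is to tighten the generated schema with kubebuilder validation markers (enum, pattern or required on fields with a fixed vocabulary such as `proto`, `family`, `target`) so obviously wrong values are rejected at admission while semantic checks stay with OpenWRT; the line should say which of the two is intended. Also "Implemente" at L29 should be "Implement".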
annotations:
sdewan-bucket-type-permission: |-
{ "mwan3rules": ["app-intent", "k8s-service"],
- "mwan3policies": ["*"] }
+ "mwan3policies": ["*"],
+ "firewall*": ["app-intent"]
+ }
rules:
- apiGroups: ["batch.sdewan.akraino.org"]
- resources: ["mwan3policies", "mwan3rules"]
+ resources:
+ - mwan3policies
+ - mwan3rules
+ - firewallzones
+ - firewallforwardings
+ - firewallsnats
+ - firewalldnats
+ - firewallrules
verbs: ["create", "get", "watch", "list", "delete"]
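Review bot: The `"firewall*": ["app-intent"]` entry at L37 introduces a wildcard bucket-type key, but nothing in the webhook changes shown in this diff (the marker at the top of the file and the Kind switch) adds glob matching, so either the matching rule already exists and should be documented next to the example, or the example will silently grant nothing. Listing the plurals explicitly, as the Role at L42-L49 does, avoids the ambiguity either way. Note also that the example Role's verbs at L50 omit `update` and `patch` while the webhook validates `update`; if app users are meant to be create/delete only, a sentence saying so would help.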
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewalldnats.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallDNAT
+ listKind: FirewallDNATList
+ plural: firewalldnats
+ singular: firewalldnat
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallDNAT is the Schema for the firewalldnats API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallDNATSpec defines the desired state of FirewallDNAT
+ properties:
+ dest:
+ type: string
+ dest_ip:
+ type: string
+ dest_port:
+ type: string
+ family:
+ type: string
+ mark:
+ type: string
+ name:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ proto:
+ type: string
+ src:
+ type: string
+ src_dip:
+ type: string
+ src_dport:
+ type: string
+ src_ip:
+ type: string
+ src_mac:
+ type: string
+ src_port:
+ type: string
+ target:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallforwardings.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallForwarding
+ listKind: FirewallForwardingList
+ plural: firewallforwardings
+ singular: firewallforwarding
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallForwarding is the Schema for the firewallforwardings API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallForwardingSpec defines the desired state of FirewallForwarding
+ properties:
+ dest:
+ type: string
+ family:
+ type: string
+ name:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ src:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallrules.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallRule
+ listKind: FirewallRuleList
+ plural: firewallrules
+ singular: firewallrule
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallRule is the Schema for the firewallrules API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallRuleSpec defines the desired state of FirewallRule
+ properties:
+ dest:
+ type: string
+ dest_ip:
+ type: string
+ dest_port:
+ type: string
+ extra:
+ type: string
+ family:
+ type: string
+ icmp_type:
+ items:
+ type: string
+ type: array
+ mark:
+ type: string
+ name:
+ description: Foo is an example field of FirewallRule. Edit FirewallRule_types.go
+ to remove/update
+ type: string
+ proto:
+ type: string
+ set_mark:
+ type: string
+ set_xmark:
+ type: string
+ src:
+ type: string
+ src_ip:
+ type: string
+ src_mac:
+ type: string
+ src_port:
+ type: string
+ target:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallsnats.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallSNAT
+ listKind: FirewallSNATList
+ plural: firewallsnats
+ singular: firewallsnat
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallSNAT is the Schema for the firewallsnats API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallSNATSpec defines the desired state of FirewallSNAT
+ properties:
+ dest:
+ type: string
+ dest_ip:
+ type: string
+ dest_port:
+ type: string
+ family:
+ type: string
+ mark:
+ type: string
+ name:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ proto:
+ type: string
+ src:
+ type: string
+ src_dip:
+ type: string
+ src_dport:
+ type: string
+ src_ip:
+ type: string
+ src_mac:
+ type: string
+ src_port:
+ type: string
+ target:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallzones.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallZone
+ listKind: FirewallZoneList
+ plural: firewallzones
+ singular: firewallzone
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallZone is the Schema for the firewallzones API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallZoneSpec defines the desired state of FirewallZone
+ properties:
+ etra_dest:
+ type: string
+ extra_src:
+ type: string
+ family:
+ type: string
+ forward:
+ type: string
+ input:
+ type: string
+ masq:
+ type: string
+ masq_allow_invalid:
+ type: string
+ masq_dest:
+ items:
+ type: string
+ type: array
+ masq_src:
+ items:
+ type: string
+ type: array
+ mtu_fix:
+ type: string
+ name:
+ description: Foo is an example field of FirewallZone. Edit FirewallZone_types.go
+ to remove/update
+ type: string
+ network:
+ items:
+ type: string
+ type: array
+ output:
+ type: string
+ subnet:
+ items:
+ type: string
+ type: array
+ required:
+ - network
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
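Review bot: `etra_dest` at L458 is a typo for `extra_dest` and comes straight from the json tag in FirewallZoneSpec (L1002); since the schema and the tag are generated from the same source, fixing the tag and regenerating fixes both, and it should be done before the v1alpha1 API has users. Two more leftovers surface here: the `name` field description at L99-L100, L189-L190, L277-L278, L373-L374 and L483-L484 carries the scaffolding text ("INSERT ADDITIONAL SPEC FIELDS", "Foo is an example field ...") because those comments sit directly above `Name` in the types files, and every spec field is a bare `type: string` with no enum, pattern or format, so the API server accepts any value for `proto`, `family`, `target`, ports and IPs alike.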
- get
- list
- watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewalldnats
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewalldnats/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallforwardings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallforwardings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallrules
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallrules/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallsnats
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallsnats/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallzones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallzones/status
+ verbs:
+ - get
+ - patch
+ - update
- apiGroups:
- batch.sdewan.akraino.org
resources:
resources:
- mwan3policies
- mwan3rules
+ - firewallzones
+ - firewallforwardings
+ - firewallrules
+ - firewallsnats
+ - firewalldnats
- group: batch
kind: Mwan3Rule
version: v1alpha1
+- group: batch
+ kind: FirewallZone
+ version: v1alpha1
+- group: batch
+ kind: FirewallRule
+ version: v1alpha1
+- group: batch
+ kind: FirewallSNAT
+ version: v1alpha1
+- group: batch
+ kind: FirewallDNAT
+ version: v1alpha1
+- group: batch
+ kind: FirewallForwarding
+ version: v1alpha1
version: "2"
return nil
}
-// +kubebuilder:webhook:path=/validate-sdewan-bucket-permission,mutating=false,failurePolicy=fail,groups="batch.sdewan.akraino.org",resources=mwan3policies;mwan3rules,verbs=create;update;delete,versions=v1alpha1,name=validate-sdewan-bucket.akraino.org
+// +kubebuilder:webhook:path=/validate-sdewan-bucket-permission,mutating=false,failurePolicy=fail,groups="batch.sdewan.akraino.org",resources=mwan3policies;mwan3rules;firewallzones;firewallforwardings;firewallrules;firewallsnats;firewalldnats,verbs=create;update;delete,versions=v1alpha1,name=validate-sdewan-bucket.akraino.org
// bucketPermissionValidator validates Pods
type bucketPermissionValidator struct {
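Review bot: The resource list in the marker at L669 is the security boundary of the bucket-permission scheme: an admission webhook is only invoked for resources that match its rules, so a CRD left out of this list bypasses the permission check entirely rather than failing closed, and `failurePolicy=fail` does not help there. The README NOTE at L4 says this, but a comment on the marker itself ("every sdewan CRD must be listed here") would catch the omission where it is reviewed. The context comment at L670, "validates Pods", is stale; this validator handles the sdewan CRs.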
obj = &Mwan3Policy{}
case "Mwan3Rule":
obj = &Mwan3Rule{}
+ case "FirewallForwarding":
+ obj = &FirewallForwarding{}
+ case "FirewallZone":
+ obj = &FirewallZone{}
+ case "FirewallRule":
+ obj = &FirewallRule{}
+ case "FirewallDNAT":
+ obj = &FirewallDNAT{}
+ case "FirewallSNAT":
+ obj = &FirewallSNAT{}
default:
return admission.Errored(
http.StatusBadRequest,
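Review bot: The `default` branch returning `http.StatusBadRequest` keeps the switch fail-closed for an unknown Kind, which is right, but the Kind strings here now duplicate the plural list in the marker at L669 and the Role rules, giving three places to update per CRD. A map from Kind to constructor, or resolving the object through `runtime.Scheme.New` with the request's GVK, would leave one place to update and make a forgotten case a compile-time or registration-time error instead of a runtime 400.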
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+
+// FirewallDNATSpec defines the desired state of FirewallDNAT
+type FirewallDNATSpec struct {
+ // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ // Important: Run "make" to regenerate code after modifying this file
+ Name string `json:"name,omitempty"`
+ Src string `json:"src,omitempty"`
+ SrcIp string `json:"src_ip,omitempty"`
+ SrcDIp string `json:"src_dip,omitempty"`
+ SrcMac string `json:"src_mac,omitempty"`
+ SrcPort string `json:"src_port,omitempty"`
+ SrcDPort string `json:"src_dport,omitempty"`
+ Proto string `json:"proto,omitempty"`
+ Dest string `json:"dest,omitempty"`
+ DestIp string `json:"dest_ip,omitempty"`
+ DestPort string `json:"dest_port,omitempty"`
+ Mark string `json:"mark,omitempty"`
+ Target string `json:"target,omitempty"`
+ Family string `json:"family,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// FirewallDNAT is the Schema for the firewalldnats API
+type FirewallDNAT struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec FirewallDNATSpec `json:"spec,omitempty"`
+ Status SdewanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// FirewallDNATList contains a list of FirewallDNAT
+type FirewallDNATList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []FirewallDNAT `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&FirewallDNAT{}, &FirewallDNATList{})
+}
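Review bot: The scaffolding comments at L710 and L715-L716 should be removed; the pair directly above `Name` becomes the `name` field's description in the generated CRD (L99-L100). Replacing them with one line per field saying which OpenWRT redirect option it maps to would also give the CRD a usable description, since the conversion from CR to OpenWRT entity (README L12) is otherwise undocumented on the type.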
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+
+// FirewallForwardingSpec defines the desired state of FirewallForwarding
+type FirewallForwardingSpec struct {
+ // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ // Important: Run "make" to regenerate code after modifying this file
+ Name string `json:"name,omitempty"`
+ Src string `json:"src,omitempty"`
+ Dest string `json:"dest,omitempty"`
+ Family string `json:"family,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// FirewallForwarding is the Schema for the firewallforwardings API
+type FirewallForwarding struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec FirewallForwardingSpec `json:"spec,omitempty"`
+ Status SdewanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// FirewallForwardingList contains a list of FirewallForwarding
+type FirewallForwardingList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []FirewallForwarding `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&FirewallForwarding{}, &FirewallForwardingList{})
+}
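Review bot: `Src` and `Dest` at L787-L788 are both `omitempty`, so a FirewallForwarding with neither zone set passes the schema (L184-L194 carry no `required`), whereas FirewallZone marks `network` required by dropping `omitempty` (L990, reflected at L496-L497). A forwarding without a source or destination zone is meaningless, so the same treatment seems warranted here, and the scaffolding comments at L779 and L784-L785 should go as in the other new files.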
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+
+// FirewallRuleSpec defines the desired state of FirewallRule
+type FirewallRuleSpec struct {
+ // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ // Important: Run "make" to regenerate code after modifying this file
+
+ // Foo is an example field of FirewallRule. Edit FirewallRule_types.go to remove/update
+ Name string `json:"name,omitempty"`
+ Src string `json:"src,omitempty"`
+ SrcIp string `json:"src_ip,omitempty"`
+ SrcMac string `json:"src_mac,omitempty"`
+ SrcPort string `json:"src_port,omitempty"`
+ Proto string `json:"proto,omitempty"`
+ IcmpType []string `json:"icmp_type,omitempty"`
+ Dest string `json:"dest,omitempty"`
+ DestIp string `json:"dest_ip,omitempty"`
+ DestPort string `json:"dest_port,omitempty"`
+ Mark string `json:"mark,omitempty"`
+ Target string `json:"target,omitempty"`
+ SetMark string `json:"set_mark,omitempty"`
+ SetXmark string `json:"set_xmark,omitempty"`
+ Family string `json:"family,omitempty"`
+ Extra string `json:"extra,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// FirewallRule is the Schema for the firewallrules API
+type FirewallRule struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec FirewallRuleSpec `json:"spec,omitempty"`
+ Status SdewanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// FirewallRuleList contains a list of FirewallRule
+type FirewallRuleList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []FirewallRule `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&FirewallRule{}, &FirewallRuleList{})
+}
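Review bot: The comment at L846, "Foo is an example field of FirewallRule", sits directly above `Name` and is emitted verbatim as the `name` description in the CRD (L277-L278); drop it together with L843-L844. Separately, `Extra` (L862) and `SetXmark` (L860) are free-form strings that this side forwards to the CNF unchecked (README L9 and L30), and the example annotation at L37 exposes `firewallrules` to the `app-intent` bucket; whether those pass-through options should be settable by that bucket deserves a deliberate decision, documented on the field.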
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+
+// FirewallSNATSpec defines the desired state of FirewallSNAT
+type FirewallSNATSpec struct {
+ // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ // Important: Run "make" to regenerate code after modifying this file
+ Name string `json:"name,omitempty"`
+ Src string `json:"src,omitempty"`
+ SrcIp string `json:"src_ip,omitempty"`
+ SrcDIp string `json:"src_dip,omitempty"`
+ SrcMac string `json:"src_mac,omitempty"`
+ SrcPort string `json:"src_port,omitempty"`
+ SrcDPort string `json:"src_dport,omitempty"`
+ Proto string `json:"proto,omitempty"`
+ Dest string `json:"dest,omitempty"`
+ DestIp string `json:"dest_ip,omitempty"`
+ DestPort string `json:"dest_port,omitempty"`
+ Mark string `json:"mark,omitempty"`
+ Target string `json:"target,omitempty"`
+ Family string `json:"family,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// FirewallSNAT is the Schema for the firewallsnats API
+type FirewallSNAT struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec FirewallSNATSpec `json:"spec,omitempty"`
+ Status SdewanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// FirewallSNATList contains a list of FirewallSNAT
+type FirewallSNATList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []FirewallSNAT `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&FirewallSNAT{}, &FirewallSNATList{})
+}
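Review bot: FirewallSNATSpec (L915-L932) is field-for-field identical to FirewallDNATSpec (L714-L731), down to the json tags. A shared struct (a hypothetical `FirewallNatSpec`, say, embedded by or aliased to both) would stop the two from drifting apart and collapse the duplicated DeepCopy functions; if they are kept separate, a comment saying why is worth adding. The scaffolding comments at L911 and L916-L917 should go as in the other new files.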
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+
+// FirewallZoneSpec defines the desired state of FirewallZone
+type FirewallZoneSpec struct {
+ // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ // Important: Run "make" to regenerate code after modifying this file
+
+ // Foo is an example field of FirewallZone. Edit FirewallZone_types.go to remove/update
+ Name string `json:"name,omitempty"`
+ Network []string `json:"network"`
+ Masq string `json:"masq,omitempty"`
+ MasqSrc []string `json:"masq_src,omitempty"`
+ MasqDest []string `json:"masq_dest,omitempty"`
+ MasqAllowInvalid string `json:"masq_allow_invalid,omitempty"`
+ MtuFix string `json:"mtu_fix,omitempty"`
+ Input string `json:"input,omitempty"`
+ Forward string `json:"forward,omitempty"`
+ Output string `json:"output,omitempty"`
+ Family string `json:"family,omitempty"`
+ Subnet []string `json:"subnet,omitempty"`
+ ExtraSrc string `json:"extra_src,omitempty"`
+ ExtraDest string `json:"etra_dest,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// FirewallZone is the Schema for the firewallzones API
+type FirewallZone struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec FirewallZoneSpec `json:"spec,omitempty"`
+ Status SdewanStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// FirewallZoneList contains a list of FirewallZone
+type FirewallZoneList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []FirewallZone `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&FirewallZone{}, &FirewallZoneList{})
+}
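Review bot: `json:"etra_dest,omitempty"` at L1002 is a typo for `extra_dest` (compare `extra_src` on the line above) and is the source of the `etra_dest` property in the generated CRD (L458); if the tag names are what is handed to OpenWRT, the option is silently lost, and in any case the typo becomes part of the public API and is painful to rename once v1alpha1 objects exist. Also, L1006-L1007 lack the blank line between `// +kubebuilder:subresource:status` and the type's doc comment that the other four files have (L793-L795); it generates correctly, but the marker line becomes part of the type's godoc.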
return *out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallDNAT) DeepCopyInto(out *FirewallDNAT) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ out.Spec = in.Spec
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDNAT.
+func (in *FirewallDNAT) DeepCopy() *FirewallDNAT {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallDNAT)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallDNAT) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallDNATList) DeepCopyInto(out *FirewallDNATList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]FirewallDNAT, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDNATList.
+func (in *FirewallDNATList) DeepCopy() *FirewallDNATList {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallDNATList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallDNATList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallDNATSpec) DeepCopyInto(out *FirewallDNATSpec) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDNATSpec.
+func (in *FirewallDNATSpec) DeepCopy() *FirewallDNATSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallDNATSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallForwarding) DeepCopyInto(out *FirewallForwarding) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ out.Spec = in.Spec
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallForwarding.
+func (in *FirewallForwarding) DeepCopy() *FirewallForwarding {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallForwarding)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallForwarding) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallForwardingList) DeepCopyInto(out *FirewallForwardingList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]FirewallForwarding, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallForwardingList.
+func (in *FirewallForwardingList) DeepCopy() *FirewallForwardingList {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallForwardingList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallForwardingList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallForwardingSpec) DeepCopyInto(out *FirewallForwardingSpec) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallForwardingSpec.
+func (in *FirewallForwardingSpec) DeepCopy() *FirewallForwardingSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallForwardingSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallRule) DeepCopyInto(out *FirewallRule) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRule.
+func (in *FirewallRule) DeepCopy() *FirewallRule {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallRule) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallRuleList) DeepCopyInto(out *FirewallRuleList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]FirewallRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRuleList.
+func (in *FirewallRuleList) DeepCopy() *FirewallRuleList {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallRuleList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallRuleList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallRuleSpec) DeepCopyInto(out *FirewallRuleSpec) {
+ *out = *in
+ if in.IcmpType != nil {
+ in, out := &in.IcmpType, &out.IcmpType
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRuleSpec.
+func (in *FirewallRuleSpec) DeepCopy() *FirewallRuleSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallRuleSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallSNAT) DeepCopyInto(out *FirewallSNAT) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ out.Spec = in.Spec
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSNAT.
+func (in *FirewallSNAT) DeepCopy() *FirewallSNAT {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallSNAT)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallSNAT) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallSNATList) DeepCopyInto(out *FirewallSNATList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]FirewallSNAT, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSNATList.
+func (in *FirewallSNATList) DeepCopy() *FirewallSNATList {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallSNATList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallSNATList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallSNATSpec) DeepCopyInto(out *FirewallSNATSpec) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSNATSpec.
+func (in *FirewallSNATSpec) DeepCopy() *FirewallSNATSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallSNATSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallZone) DeepCopyInto(out *FirewallZone) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallZone.
+func (in *FirewallZone) DeepCopy() *FirewallZone {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallZone)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallZone) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallZoneList) DeepCopyInto(out *FirewallZoneList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]FirewallZone, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallZoneList.
+func (in *FirewallZoneList) DeepCopy() *FirewallZoneList {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallZoneList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FirewallZoneList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FirewallZoneSpec) DeepCopyInto(out *FirewallZoneSpec) {
+ *out = *in
+ if in.Network != nil {
+ in, out := &in.Network, &out.Network
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.MasqSrc != nil {
+ in, out := &in.MasqSrc, &out.MasqSrc
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.MasqDest != nil {
+ in, out := &in.MasqDest, &out.MasqDest
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.Subnet != nil {
+ in, out := &in.Subnet, &out.Subnet
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallZoneSpec.
+func (in *FirewallZoneSpec) DeepCopy() *FirewallZoneSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(FirewallZoneSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Mwan3Policy) DeepCopyInto(out *Mwan3Policy) {
*out = *in
"context"
appsv1 "k8s.io/api/apps/v1"
"k8s.io/apimachinery/pkg/runtime"
+ "sdewan.akraino.org/sdewan/openwrt"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
-
- "sdewan.akraino.org/sdewan/openwrt"
)
type ISdewanHandler interface {
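Review bot: the `sdewan.akraino.org/sdewan/openwrt` import is moved out of its own group into the middle of the third-party block, which is the opposite of how the other files in this patch are laid out (the new controller file keeps `batchv1alpha1` and `openwrt` in a separate trailing group after the `sigs.k8s.io` imports). Keep the local-module imports as their own group so goimports/gofmt leave the file stable and the three-block convention stays consistent across the repo.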
--- /dev/null
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewalldnats.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallDNAT
+ listKind: FirewallDNATList
+ plural: firewalldnats
+ singular: firewalldnat
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallDNAT is the Schema for the firewalldnats API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallDNATSpec defines the desired state of FirewallDNAT
+ properties:
+ dest:
+ type: string
+ dest_ip:
+ type: string
+ dest_port:
+ type: string
+ family:
+ type: string
+ mark:
+ type: string
+ name:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ proto:
+ type: string
+ src:
+ type: string
+ src_dip:
+ type: string
+ src_dport:
+ type: string
+ src_ip:
+ type: string
+ src_mac:
+ type: string
+ src_port:
+ type: string
+ target:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
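Review bot: the `spec.properties.name.description` still carries the kubebuilder scaffold text (`'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'`), which means the `// INSERT ...` comment in `firewalldnat_types.go` was left on the `Name` field; replace it with a real description and regenerate. More importantly, every spec field (`dest_ip`, `dest_port`, `proto`, `target`, `family`, `src_mac`, ...) is an unconstrained `type: string` with no `pattern`, `enum`, `maxLength` or `required` entries, and because this is an `apiextensions.k8s.io/v1beta1` CRD without `preserveUnknownFields: false` the apiserver will also persist misspelled or unknown spec keys instead of rejecting them. Since these values are handed straight to the OpenWrt firewall, add `+kubebuilder:validation:` markers (at least an enum for `proto`/`family`/`target` and a port/CIDR pattern for the address and port fields) so malformed input is rejected at admission rather than at the CNF.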
--- /dev/null
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallforwardings.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallForwarding
+ listKind: FirewallForwardingList
+ plural: firewallforwardings
+ singular: firewallforwarding
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallForwarding is the Schema for the firewallforwardings API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallForwardingSpec defines the desired state of FirewallForwarding
+ properties:
+ dest:
+ type: string
+ family:
+ type: string
+ name:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ src:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
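Review bot: the spec has no `required` list, so a `FirewallForwarding` with an empty `spec:` (neither `src` nor `dest`) passes schema validation and only fails later inside the controller or on the OpenWrt side; mark `src` and `dest` as required. The `name` description here is again the scaffold placeholder and should be replaced before these CRDs are published.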
--- /dev/null
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallrules.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallRule
+ listKind: FirewallRuleList
+ plural: firewallrules
+ singular: firewallrule
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallRule is the Schema for the firewallrules API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallRuleSpec defines the desired state of FirewallRule
+ properties:
+ dest:
+ type: string
+ dest_ip:
+ type: string
+ dest_port:
+ type: string
+ extra:
+ type: string
+ family:
+ type: string
+ icmp_type:
+ items:
+ type: string
+ type: array
+ mark:
+ type: string
+ name:
+ description: Foo is an example field of FirewallRule. Edit FirewallRule_types.go
+ to remove/update
+ type: string
+ proto:
+ type: string
+ set_mark:
+ type: string
+ set_xmark:
+ type: string
+ src:
+ type: string
+ src_ip:
+ type: string
+ src_mac:
+ type: string
+ src_port:
+ type: string
+ target:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
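Review bot: `spec.properties.name.description` reads `Foo is an example field of FirewallRule. Edit FirewallRule_types.go to remove/update`, i.e. the sample `Foo` comment was kept on the `Name` field; fix the Go comment and regenerate. `target` is a free-form string although the sample in this patch uses `REJECT`; an enum (`ACCEPT`, `REJECT`, `DROP`, plus whatever `MARK`-style targets the `set_mark`/`set_xmark` fields are meant for) would stop typos from producing a rule the CNF cannot apply, and `proto`/`family` deserve the same treatment.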
--- /dev/null
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallsnats.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallSNAT
+ listKind: FirewallSNATList
+ plural: firewallsnats
+ singular: firewallsnat
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallSNAT is the Schema for the firewallsnats API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallSNATSpec defines the desired state of FirewallSNAT
+ properties:
+ dest:
+ type: string
+ dest_ip:
+ type: string
+ dest_port:
+ type: string
+ family:
+ type: string
+ mark:
+ type: string
+ name:
+ description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+ Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ proto:
+ type: string
+ src:
+ type: string
+ src_dip:
+ type: string
+ src_dport:
+ type: string
+ src_ip:
+ type: string
+ src_mac:
+ type: string
+ src_port:
+ type: string
+ target:
+ type: string
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
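Review bot: the SNAT schema is byte-for-byte the DNAT schema (same placeholder `name` description, same unconstrained string fields, no `required`), which suggests both were scaffolded from one copy; if the two specs really are identical, a shared spec type would avoid keeping two validation sets in sync. At minimum `src_dip` (the rewritten source address for SNAT) should be required and validated as an address, since a SNAT rule without it has no meaning.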
--- /dev/null
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.2.5
+ creationTimestamp: null
+ name: firewallzones.batch.sdewan.akraino.org
+spec:
+ group: batch.sdewan.akraino.org
+ names:
+ kind: FirewallZone
+ listKind: FirewallZoneList
+ plural: firewallzones
+ singular: firewallzone
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: FirewallZone is the Schema for the firewallzones API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FirewallZoneSpec defines the desired state of FirewallZone
+ properties:
+ etra_dest:
+ type: string
+ extra_src:
+ type: string
+ family:
+ type: string
+ forward:
+ type: string
+ input:
+ type: string
+ masq:
+ type: string
+ masq_allow_invalid:
+ type: string
+ masq_dest:
+ items:
+ type: string
+ type: array
+ masq_src:
+ items:
+ type: string
+ type: array
+ mtu_fix:
+ type: string
+ name:
+ description: Foo is an example field of FirewallZone. Edit FirewallZone_types.go
+ to remove/update
+ type: string
+ network:
+ items:
+ type: string
+ type: array
+ output:
+ type: string
+ subnet:
+ items:
+ type: string
+ type: array
+ required:
+ - network
+ type: object
+ status:
+ description: status subsource used for Sdewan rule CRDs
+ properties:
+ appliedGeneration:
+ format: int64
+ type: integer
+ appliedTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ state:
+ type: string
+ required:
+ - state
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
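Review bot: `etra_dest` on the `FirewallZoneSpec` is a typo for `extra_dest` (the OpenWrt zone option paired with `extra_src`, which is spelled correctly two lines below). Because this schema is generated from the JSON tag on the Go field, the typo is in `firewallzone_types.go` too, so a user who writes `extra_dest` in a CR will have it silently ignored (v1beta1 CRDs do not prune unknown fields) while the controller reads an empty value. Fix the tag and regenerate the CRD and deepcopy code.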
resources:
- bases/batch.sdewan.akraino.org_mwan3policies.yaml
- bases/batch.sdewan.akraino.org_mwan3rules.yaml
+- bases/batch.sdewan.akraino.org_firewallzones.yaml
+- bases/batch.sdewan.akraino.org_firewallrules.yaml
+- bases/batch.sdewan.akraino.org_firewallsnats.yaml
+- bases/batch.sdewan.akraino.org_firewalldnats.yaml
+- bases/batch.sdewan.akraino.org_firewallforwardings.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patchesStrategicMerge:
# patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_mwan3policies.yaml
#- patches/webhook_in_mwan3rules.yaml
+#- patches/webhook_in_firewallzones.yaml
+#- patches/webhook_in_firewallrules.yaml
+#- patches/webhook_in_firewallsnats.yaml
+#- patches/webhook_in_firewalldnats.yaml
+#- patches/webhook_in_firewallforwardings.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_mwan3policies.yaml
#- patches/cainjection_in_mwan3rules.yaml
+#- patches/cainjection_in_firewallzones.yaml
+#- patches/cainjection_in_firewallrules.yaml
+#- patches/cainjection_in_firewallsnats.yaml
+#- patches/cainjection_in_firewalldnats.yaml
+#- patches/cainjection_in_firewallforwardings.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
--- /dev/null
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: firewalldnats.batch.sdewan.akraino.org
--- /dev/null
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: firewallforwardings.batch.sdewan.akraino.org
--- /dev/null
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: firewallrules.batch.sdewan.akraino.org
--- /dev/null
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: firewallsnats.batch.sdewan.akraino.org
--- /dev/null
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: firewallzones.batch.sdewan.akraino.org
--- /dev/null
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: firewalldnats.batch.sdewan.akraino.org
+spec:
+ conversion:
+ strategy: Webhook
+ webhookClientConfig:
+ # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+ # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
--- /dev/null
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: firewallforwardings.batch.sdewan.akraino.org
+spec:
+ conversion:
+ strategy: Webhook
+ webhookClientConfig:
+ # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+ # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
--- /dev/null
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: firewallrules.batch.sdewan.akraino.org
+spec:
+ conversion:
+ strategy: Webhook
+ webhookClientConfig:
+ # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+ # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
--- /dev/null
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: firewallsnats.batch.sdewan.akraino.org
+spec:
+ conversion:
+ strategy: Webhook
+ webhookClientConfig:
+ # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+ # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
--- /dev/null
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: firewallzones.batch.sdewan.akraino.org
+spec:
+ conversion:
+ strategy: Webhook
+ webhookClientConfig:
+ # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+ # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
resources:
- mwan3policies
- mwan3rules
+ - firewalldnats
+ - firewallforwardings
+ - firewallrules
+ - firewallsnats
+ - firewallzones
scope: '*'
sideEffects: Unknown
timeoutSeconds: 30
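Review bot: `sideEffects: Unknown` on the webhook configuration that now covers the five firewall resources is rejected outright by `admissionregistration.k8s.io/v1` (only `None` and `NoneOnDryRun` are accepted) and also means dry-run requests are refused; set `sideEffects: None` in the `+kubebuilder:webhook` marker unless the handler really writes state. The hunk does not show `failurePolicy`; since this webhook is what enforces the label-based permission system, please confirm it is `Fail`, otherwise any outage of `webhook-service` lets unpermitted firewall CRs through.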
- get
- list
- watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewalldnats
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewalldnats/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallforwardings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallforwardings/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallrules
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallrules/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallsnats
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallsnats/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallzones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch.sdewan.akraino.org
+ resources:
+ - firewallzones/status
+ verbs:
+ - get
+ - patch
+ - update
- apiGroups:
- batch.sdewan.akraino.org
resources:
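Review bot: the manager role now gets `create` and `delete` on `firewalldnats`, `firewallforwardings`, `firewallrules`, `firewallsnats` and `firewallzones`, but a reconciler only reads the CR, patches its finalizers and updates `<resource>/status`; it never creates or deletes the rule objects themselves. These verbs come from the `+kubebuilder:rbac` markers on the new controllers, so trimming those markers to `verbs=get;list;watch;update;patch` (status keeps `get;update;patch`) gives the controller's service account least privilege without changing behaviour.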
--- /dev/null
+---
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: FirewallDNAT
+metadata:
+ name: firewalldnat-sample
+ namespace: default
+ labels:
+ sdewanPurpose: cnf1
+spec:
+ src: firewallzone-sample
+ src_ip: 192.168.1.2
+ src_dip: 1.2.3.4
+ dest: firewallzone-sample2
+ proto: icmp
+
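Review bot: the DNAT sample sets `src_dip: 1.2.3.4` (the external address the packet was sent to) but no `dest_ip`, which for an OpenWrt redirect with `target: DNAT` is the internal host the traffic is rewritten to; as written the sample would be applied with no rewrite destination, so add a `dest_ip` (and `dest_port` if the intent is port forwarding) so the sample actually exercises the feature. Also the file ends with an extra empty `+` line that the other samples do not have.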
--- /dev/null
+---
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: FirewallForwarding
+metadata:
+ name: firewallforwarding-sample
+ namespace: default
+ labels:
+ sdewanPurpose: cnf1
+ sdewan-bucket-type: app-intent
+spec:
+ # Add fields here
+ src: firewallzone-sample2
+ dest: firewallzone-sample
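Review bot: this is the only sample in the patch that carries the `sdewan-bucket-type: app-intent` label; the DNAT, SNAT, rule and zone samples have just `sdewanPurpose: cnf1`. If the label-based permission webhook keys on `sdewan-bucket-type`, the other samples will be rejected (or land in a default bucket) and should be aligned; if it does not, this label is noise. Either way the scaffold `# Add fields here` comment can go.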
--- /dev/null
+---
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: FirewallRule
+metadata:
+ name: firewallrule-sample
+ namespace: default
+ labels:
+ sdewanPurpose: cnf1
+spec:
+ # Add fields here
+ src: firewallzone-sample
+ src_ip: "192.168.2.2"
+ src_port: "80"
+ proto: tcp
+ target: REJECT
--- /dev/null
+---
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: FirewallSNAT
+metadata:
+ name: firewallsnat-sample
+ namespace: default
+ labels:
+ sdewanPurpose: cnf1
+spec:
+ src: firewallzone-sample
+ src_ip: 192.168.1.2
+ src_dip: 1.2.3.5
+ dest: firewallzone-sample2
+ proto: icmp
--- /dev/null
+---
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: FirewallZone
+metadata:
+ name: firewallzone-sample
+ namespace: default
+ labels:
+ sdewanPurpose: cnf1
+spec:
+ # Add fields here
+ network:
+ - ovn-net1
+ - ovn-net2
+ input: ACCEPT
+ output: ACCEPT
\ No newline at end of file
--- /dev/null
+---
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: FirewallZone
+metadata:
+ name: firewallzone-sample2
+ namespace: default
+ labels:
+ sdewanPurpose: cnf1
+spec:
+ # Add fields here
+ network:
+ - "ovn-net1"
+ - "ovn-net2"
+ input: ACCEPT
+ output: ACCEPT
\ No newline at end of file
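Review bot: `firewallzone-sample2` lists exactly the same `network` entries as `firewallzone-sample` (`ovn-net1`, `ovn-net2`) with identical `input`/`output` policies, so applying both samples together puts the same interfaces into two zones, which OpenWrt's firewall does not support; since the DNAT/SNAT/forwarding samples use the two names as distinct `src` and `dest` zones, give the second zone its own networks. Both zone sample files are also missing a trailing newline (`\ No newline at end of file`), unlike the rest of the samples.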
+---
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: Mwan3Policy
metadata:
+---
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: Mwan3Rule
metadata:
resources:
- mwan3policies
- mwan3rules
+ - firewallzones
+ - firewallforwardings
+ - firewallrules
+ - firewallsnats
+ - firewalldnats
batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
"sdewan.akraino.org/sdewan/basehandler"
"sdewan.akraino.org/sdewan/cnfprovider"
+ "sdewan.akraino.org/sdewan/openwrt"
)
// Helper functions to check and remove string from a slice of strings.
_, err := cnf.DeleteObject(handler, instance)
if err != nil {
- log.Error(err, "Failed to delete "+handler.GetType())
- setStatus(instance, batchv1alpha1.SdewanStatus{State: batchv1alpha1.Deleting, Message: err.Error()})
- err = r.Status().Update(ctx, instance)
- if err != nil {
- log.Error(err, "Failed to update status for "+handler.GetType())
- return ctrl.Result{}, err
+ if err.(*openwrt.OpenwrtError).Code != 404 {
+ log.Error(err, "Failed to delete "+handler.GetType())
+ setStatus(instance, batchv1alpha1.SdewanStatus{State: batchv1alpha1.Deleting, Message: err.Error()})
+ err = r.Status().Update(ctx, instance)
+ if err != nil {
+ log.Error(err, "Failed to update status for "+handler.GetType())
+ return ctrl.Result{}, err
+ }
+ return ctrl.Result{RequeueAfter: during}, nil
}
- return ctrl.Result{RequeueAfter: during}, nil
}
finalizers := getFinalizers(instance)
if containsString(finalizers, finalizerName) {
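Review bot: `err.(*openwrt.OpenwrtError).Code != 404` is an unchecked type assertion, so any error from `cnf.DeleteObject` that is not an `*openwrt.OpenwrtError` (a transport failure, a timeout, a JSON decode error) panics the reconciler goroutine instead of being retried. Use the two-value form and treat an unknown error type as a real failure, e.g. `oerr, ok := err.(*openwrt.OpenwrtError)` followed by `if !ok || oerr.Code != 404 {`. Treating 404 as an already-deleted rule is the right idempotent behaviour on the delete path, but it now falls through silently; a log line at that point would make a missing rule on the CNF visible during incident review.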
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "reflect"
+
+ "github.com/go-logr/logr"
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+ batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
+ "sdewan.akraino.org/sdewan/openwrt"
+)
+
+var firewallDnatHandler = new(FirewallDnatHandler)
+
+type FirewallDnatHandler struct {
+}
+
+func (m *FirewallDnatHandler) GetType() string {
+ return "FirewallDnat"
+}
+
+func (m *FirewallDnatHandler) GetName(instance runtime.Object) string {
+ dnat := instance.(*batchv1alpha1.FirewallDNAT)
+ return dnat.Name
+}
+
+func (m *FirewallDnatHandler) GetFinalizer() string {
+ return "dnat.finalizers.sdewan.akraino.org"
+}
+
+func (m *FirewallDnatHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) {
+ instance := &batchv1alpha1.FirewallDNAT{}
+ err := r.Get(ctx, req.NamespacedName, instance)
+ return instance, err
+}
+
+//pupulate "dnat" to target field as default value
+//copy "name" field value from metadata to SPEC.name
+func (m *FirewallDnatHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) {
+ firewalldnat := instance.(*batchv1alpha1.FirewallDNAT)
+ firewalldnat.Spec.Name = firewalldnat.ObjectMeta.Name
+ firewalldnat.Spec.Target = "DNAT"
+ firewalldnatObject := openwrt.SdewanFirewallRedirect(firewalldnat.Spec)
+ return &firewalldnatObject, nil
+}
+
+func (m *FirewallDnatHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool {
+ dnat1 := instance1.(*openwrt.SdewanFirewallRedirect)
+ dnat2 := instance2.(*openwrt.SdewanFirewallRedirect)
+ return reflect.DeepEqual(*dnat1, *dnat2)
+}
+
+func (m *FirewallDnatHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ ret, err := firewall.GetRedirect(name)
+ return ret, err
+}
+
+func (m *FirewallDnatHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ dnat := instance.(*openwrt.SdewanFirewallRedirect)
+ return firewall.CreateRedirect(*dnat)
+}
+
+func (m *FirewallDnatHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ dnat := instance.(*openwrt.SdewanFirewallRedirect)
+ return firewall.UpdateRedirect(*dnat)
+}
+
+func (m *FirewallDnatHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ return firewall.DeleteRedirect(name)
+}
+
+func (m *FirewallDnatHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ service := openwrt.ServiceClient{OpenwrtClient: openwrtClient}
+ return service.ExecuteService("firewall", "restart")
+}
+
+// FirewallDNATReconciler reconciles a FirewallDNAT object
+type FirewallDNATReconciler struct {
+ client.Client
+ Log logr.Logger
+ Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewalldnats,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewalldnats/status,verbs=get;update;patch
+
+func (r *FirewallDNATReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ return ProcessReconcile(r, r.Log, req, firewallDnatHandler)
+}
+
+func (r *FirewallDNATReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ ps := builder.WithPredicates(predicate.GenerationChangedPredicate{})
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&batchv1alpha1.FirewallDNAT{}, ps).
+ Complete(r)
+}
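Review bot: `Convert` unconditionally overwrites `firewalldnat.Spec.Target = "DNAT"`, while the comment above it says it populates the target "as default value"; either guard it (`if firewalldnat.Spec.Target == "" {`) or reword the comment to say the field is forced, and have the validating webhook reject a user-supplied `target` so the CR and the CNF entry cannot disagree. Note the write also mutates the fetched CR's Spec in place, which `ProcessReconcile` never persists; the zone handler's approach of converting a local copy is cleaner. Typo: `pupulate` -> `populate`.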
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "reflect"
+
+ "github.com/go-logr/logr"
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+ batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
+ "sdewan.akraino.org/sdewan/openwrt"
+)
+
+var firewallForwardingHandler = new(FirewallForwardingHandler)
+
+type FirewallForwardingHandler struct {
+}
+
+func (m *FirewallForwardingHandler) GetType() string {
+ return "FirewallForwarding"
+}
+
+func (m *FirewallForwardingHandler) GetName(instance runtime.Object) string {
+ forwarding := instance.(*batchv1alpha1.FirewallForwarding)
+ return forwarding.Name
+}
+
+func (m *FirewallForwardingHandler) GetFinalizer() string {
+ return "forwarding.finalizers.sdewan.akraino.org"
+}
+
+func (m *FirewallForwardingHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) {
+ instance := &batchv1alpha1.FirewallForwarding{}
+ err := r.Get(ctx, req.NamespacedName, instance)
+ return instance, err
+}
+
+func (m *FirewallForwardingHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) {
+ firewallforwarding := instance.(*batchv1alpha1.FirewallForwarding)
+ firewallforwarding.Spec.Name = firewallforwarding.ObjectMeta.Name
+ firewallforwardingObject := openwrt.SdewanFirewallForwarding(firewallforwarding.Spec)
+ return &firewallforwardingObject, nil
+}
+
+func (m *FirewallForwardingHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool {
+ forwarding1 := instance1.(*openwrt.SdewanFirewallForwarding)
+ forwarding2 := instance2.(*openwrt.SdewanFirewallForwarding)
+ return reflect.DeepEqual(*forwarding1, *forwarding2)
+}
+
+func (m *FirewallForwardingHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ ret, err := firewall.GetForwarding(name)
+ return ret, err
+}
+
+func (m *FirewallForwardingHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ forwarding := instance.(*openwrt.SdewanFirewallForwarding)
+ return firewall.CreateForwarding(*forwarding)
+}
+
+func (m *FirewallForwardingHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ forwarding := instance.(*openwrt.SdewanFirewallForwarding)
+ return firewall.UpdateForwarding(*forwarding)
+}
+
+func (m *FirewallForwardingHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ return firewall.DeleteForwarding(name)
+}
+
+func (m *FirewallForwardingHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ service := openwrt.ServiceClient{OpenwrtClient: openwrtClient}
+ return service.ExecuteService("firewall", "restart")
+}
+
+// FirewallForwardingReconciler reconciles a FirewallForwarding object
+type FirewallForwardingReconciler struct {
+ client.Client
+ Log logr.Logger
+ Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallforwardings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallforwardings/status,verbs=get;update;patch
+
+func (r *FirewallForwardingReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ return ProcessReconcile(r, r.Log, req, firewallForwardingHandler)
+}
+
+func (r *FirewallForwardingReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ ps := builder.WithPredicates(predicate.GenerationChangedPredicate{})
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&batchv1alpha1.FirewallForwarding{}, ps).
+ Complete(r)
+}
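Review bot: `GetObject`, `CreateObject`, `UpdateObject`, `DeleteObject` and `Restart` each repeat the two lines `openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)` / `firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}`, and the same pair appears in every other new handler file in this patch; a small helper such as `newFirewallClient(clientInfo)` in the `controllers` package would remove about twenty copies and give one place to add connection or auth handling later. `Convert` here also assigns `Spec.Name` on the fetched CR rather than on a local copy (see the zone handler for the pattern).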
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "reflect"
+
+ "github.com/go-logr/logr"
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+ batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
+ "sdewan.akraino.org/sdewan/openwrt"
+)
+
+var firewallRuleHandler = new(FirewallRuleHandler)
+
+type FirewallRuleHandler struct {
+}
+
+func (m *FirewallRuleHandler) GetType() string {
+ return "FirewallRule"
+}
+
+func (m *FirewallRuleHandler) GetName(instance runtime.Object) string {
+ rule := instance.(*batchv1alpha1.FirewallRule)
+ return rule.Name
+}
+
+func (m *FirewallRuleHandler) GetFinalizer() string {
+ return "rule.finalizers.sdewan.akraino.org"
+}
+
+func (m *FirewallRuleHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) {
+ instance := &batchv1alpha1.FirewallRule{}
+ err := r.Get(ctx, req.NamespacedName, instance)
+ return instance, err
+}
+
+func (m *FirewallRuleHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) {
+ firewallrule := instance.(*batchv1alpha1.FirewallRule)
+ firewallrule.Spec.Name = firewallrule.ObjectMeta.Name
+ firewallruleObject := openwrt.SdewanFirewallRule(firewallrule.Spec)
+ return &firewallruleObject, nil
+}
+
+func (m *FirewallRuleHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool {
+ rule1 := instance1.(*openwrt.SdewanFirewallRule)
+ rule2 := instance2.(*openwrt.SdewanFirewallRule)
+ return reflect.DeepEqual(*rule1, *rule2)
+}
+
+func (m *FirewallRuleHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ ret, err := firewall.GetRule(name)
+ return ret, err
+}
+
+func (m *FirewallRuleHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ rule := instance.(*openwrt.SdewanFirewallRule)
+ return firewall.CreateRule(*rule)
+}
+
+func (m *FirewallRuleHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ rule := instance.(*openwrt.SdewanFirewallRule)
+ return firewall.UpdateRule(*rule)
+}
+
+func (m *FirewallRuleHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ return firewall.DeleteRule(name)
+}
+
+func (m *FirewallRuleHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ service := openwrt.ServiceClient{OpenwrtClient: openwrtClient}
+ return service.ExecuteService("firewall", "restart")
+}
+
+// FirewallRuleReconciler reconciles a FirewallRule object
+type FirewallRuleReconciler struct {
+ client.Client
+ Log logr.Logger
+ Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallrules,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallrules/status,verbs=get;update;patch
+
+func (r *FirewallRuleReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ return ProcessReconcile(r, r.Log, req, firewallRuleHandler)
+}
+
+func (r *FirewallRuleReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ ps := builder.WithPredicates(predicate.GenerationChangedPredicate{})
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&batchv1alpha1.FirewallRule{}, ps).
+ Complete(r)
+}
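Review bot: `Convert` is the only handler method in the new files without a doc comment; the dnat/snat handlers document that `metadata.name` is copied into `Spec.name`, and the same should be stated here since it is what makes the OpenWrt rule name follow the CR name. As with the other handlers, prefer copying `firewallrule.Spec` into a local variable before setting `Name`, so the API object's spec is not modified as a side effect of conversion.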
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "reflect"
+
+ "github.com/go-logr/logr"
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+ batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
+ "sdewan.akraino.org/sdewan/openwrt"
+)
+
+var firewallSnatHandler = new(FirewallSnatHandler)
+
+type FirewallSnatHandler struct {
+}
+
+func (m *FirewallSnatHandler) GetType() string {
+ return "FirewallSnat"
+}
+
+func (m *FirewallSnatHandler) GetName(instance runtime.Object) string {
+ snat := instance.(*batchv1alpha1.FirewallSNAT)
+ return snat.Name
+}
+
+func (m *FirewallSnatHandler) GetFinalizer() string {
+ return "snat.finalizers.sdewan.akraino.org"
+}
+
+func (m *FirewallSnatHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) {
+ instance := &batchv1alpha1.FirewallSNAT{}
+ err := r.Get(ctx, req.NamespacedName, instance)
+ return instance, err
+}
+
+//pupulate "snat" to target field as default value
+//copy "name" field value from metadata to SPEC.name
+func (m *FirewallSnatHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) {
+ firewallsnat := instance.(*batchv1alpha1.FirewallSNAT)
+ firewallsnat.Spec.Name = firewallsnat.ObjectMeta.Name
+ firewallsnat.Spec.Target = "SNAT"
+ firewallsnatObject := openwrt.SdewanFirewallRedirect(firewallsnat.Spec)
+ return &firewallsnatObject, nil
+}
+
+func (m *FirewallSnatHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool {
+ snat1 := instance1.(*openwrt.SdewanFirewallRedirect)
+ snat2 := instance2.(*openwrt.SdewanFirewallRedirect)
+ return reflect.DeepEqual(*snat1, *snat2)
+}
+
+func (m *FirewallSnatHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ ret, err := firewall.GetRedirect(name)
+ return ret, err
+}
+
+func (m *FirewallSnatHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ snat := instance.(*openwrt.SdewanFirewallRedirect)
+ return firewall.CreateRedirect(*snat)
+}
+
+func (m *FirewallSnatHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ snat := instance.(*openwrt.SdewanFirewallRedirect)
+ return firewall.UpdateRedirect(*snat)
+}
+
+func (m *FirewallSnatHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ return firewall.DeleteRedirect(name)
+}
+
+func (m *FirewallSnatHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ service := openwrt.ServiceClient{OpenwrtClient: openwrtClient}
+ return service.ExecuteService("firewall", "restart")
+}
+
+// FirewallSNATReconciler reconciles a FirewallSNAT object
+type FirewallSNATReconciler struct {
+ client.Client
+ Log logr.Logger
+ Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallsnats,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallsnats/status,verbs=get;update;patch
+
+func (r *FirewallSNATReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ return ProcessReconcile(r, r.Log, req, firewallSnatHandler)
+}
+
+func (r *FirewallSNATReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ ps := builder.WithPredicates(predicate.GenerationChangedPredicate{})
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&batchv1alpha1.FirewallSNAT{}, ps).
+ Complete(r)
+}
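Review bot: FirewallSNAT and FirewallDNAT both map to the same OpenWrt `redirect` collection and both look entries up by the CR's `metadata.name` (`firewall.GetRedirect(name)` here and in the dnat handler), so a FirewallSNAT and a FirewallDNAT with the same name targeting the same CNF collide: whichever reconciles second finds the other kind's entry, `IsEqual` fails on the differing `Target`, and `UpdateRedirect` overwrites it; deleting either CR then removes the shared entry. Either derive the OpenWrt name from the kind plus the CR name, or reject the collision in the validating webhook. Also the comment says `"snat"` while the code sets `"SNAT"`, and `pupulate` -> `populate`.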
--- /dev/null
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "reflect"
+
+ "github.com/go-logr/logr"
+ appsv1 "k8s.io/api/apps/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+ batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
+ "sdewan.akraino.org/sdewan/openwrt"
+)
+
+var firewallZoneHandler = new(FirewallZoneHandler)
+
+type FirewallZoneHandler struct {
+}
+
+func (m *FirewallZoneHandler) GetType() string {
+ return "FirewallZone"
+}
+
+func (m *FirewallZoneHandler) GetName(instance runtime.Object) string {
+ zone := instance.(*batchv1alpha1.FirewallZone)
+ return zone.Name
+}
+
+func (m *FirewallZoneHandler) GetFinalizer() string {
+ return "rule.finalizers.sdewan.akraino.org"
+}
+
+func (m *FirewallZoneHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) {
+ instance := &batchv1alpha1.FirewallZone{}
+ err := r.Get(ctx, req.NamespacedName, instance)
+ return instance, err
+}
+
+func (m *FirewallZoneHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) {
+ firewallzone := instance.(*batchv1alpha1.FirewallZone)
+ instance_to_convert := batchv1alpha1.FirewallZoneSpec(firewallzone.Spec)
+ networks := make([]string, len(instance_to_convert.Network))
+ for index, network := range instance_to_convert.Network {
+ if iface, err := net2iface(network, deployment); err != nil {
+ return nil, err
+ } else {
+ networks[index] = iface
+ }
+ }
+ instance_to_convert.Name = firewallzone.ObjectMeta.Name
+ instance_to_convert.Network = networks
+ firewallzoneObject := openwrt.SdewanFirewallZone(instance_to_convert)
+ return &firewallzoneObject, nil
+}
+
+func (m *FirewallZoneHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool {
+ zone1 := instance1.(*openwrt.SdewanFirewallZone)
+ zone2 := instance2.(*openwrt.SdewanFirewallZone)
+ return reflect.DeepEqual(*zone1, *zone2)
+}
+
+func (m *FirewallZoneHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ ret, err := firewall.GetZone(name)
+ return ret, err
+}
+
+func (m *FirewallZoneHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ zone := instance.(*openwrt.SdewanFirewallZone)
+ return firewall.CreateZone(*zone)
+}
+
+func (m *FirewallZoneHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ zone := instance.(*openwrt.SdewanFirewallZone)
+ return firewall.UpdateZone(*zone)
+}
+
+func (m *FirewallZoneHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient}
+ return firewall.DeleteZone(name)
+}
+
+func (m *FirewallZoneHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) {
+ openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+ service := openwrt.ServiceClient{OpenwrtClient: openwrtClient}
+ return service.ExecuteService("firewall", "restart")
+}
+
+// FirewallZoneReconciler reconciles a FirewallZone object
+type FirewallZoneReconciler struct {
+ client.Client
+ Log logr.Logger
+ Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallzones,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallzones/status,verbs=get;update;patch
+
+func (r *FirewallZoneReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ return ProcessReconcile(r, r.Log, req, firewallZoneHandler)
+}
+
+func (r *FirewallZoneReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ ps := builder.WithPredicates(predicate.GenerationChangedPredicate{})
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&batchv1alpha1.FirewallZone{}, ps).
+ Complete(r)
+}
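Review bot: `GetFinalizer` returns `"rule.finalizers.sdewan.akraino.org"`, which is the string FirewallRuleHandler already uses in this patch; it should be `"zone.finalizers.sdewan.akraino.org"` so each kind's finalizer is distinguishable in `kubectl get -o yaml` output and in any future cleanup tooling that keys on the finalizer name. Style: `instance_to_convert` is snake_case (golint will flag it) and the `if iface, err := net2iface(...); err != nil { return nil, err } else { ... }` in `Convert` should drop the `else` and assign after the early return.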
err = batchv1alpha1.AddToScheme(scheme.Scheme)
Expect(err).NotTo(HaveOccurred())
+ err = batchv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
+ err = batchv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
+ err = batchv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
+ err = batchv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
+ err = batchv1alpha1.AddToScheme(scheme.Scheme)
+ Expect(err).NotTo(HaveOccurred())
+
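Review bot: the five added `err = batchv1alpha1.AddToScheme(scheme.Scheme)` / `Expect(err).NotTo(HaveOccurred())` pairs are exact repeats of the existing call directly above them; `AddToScheme` registers every type in the v1alpha1 package in one call, so these should be deleted (kubebuilder emits one per `create api`, but they all target the same group/version).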
// +kubebuilder:scaffold:scheme
k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
setupLog.Error(err, "unable to create webhook", "webhook", "Mwan3Policy")
os.Exit(1)
}
+ if err = (&controllers.FirewallZoneReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("FirewallZone"),
+ Scheme: mgr.GetScheme(),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "FirewallZone")
+ os.Exit(1)
+ }
+ if err = (&controllers.FirewallRuleReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("FirewallRule"),
+ Scheme: mgr.GetScheme(),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "FirewallRule")
+ os.Exit(1)
+ }
+ if err = (&controllers.FirewallSNATReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("FirewallSNAT"),
+ Scheme: mgr.GetScheme(),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "FirewallSNAT")
+ os.Exit(1)
+ }
+ if err = (&controllers.FirewallDNATReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("FirewallDNAT"),
+ Scheme: mgr.GetScheme(),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "FirewallDNAT")
+ os.Exit(1)
+ }
+ if err = (&controllers.FirewallForwardingReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("FirewallForwarding"),
+ Scheme: mgr.GetScheme(),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "FirewallForwarding")
+ os.Exit(1)
+ }
// +kubebuilder:scaffold:builder
setupLog.Info("starting manager")
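Review bot: the logger names registered here (`WithName("FirewallSNAT")`, `WithName("FirewallDNAT")`) differ in case from the strings the handlers return from `GetType()` (`"FirewallSnat"`, `"FirewallDnat"`), which are what end up in the "Failed to delete ..." / "Failed to update status for ..." messages; the same controller therefore shows up under two spellings in the logs, which breaks simple grep-based correlation. Align them, ideally on the Kind names `FirewallSNAT` / `FirewallDNAT` used by the reconciler types.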
ExtraDest string `json:"etra_dest"`
}
+func (o *SdewanFirewallZone) GetName() string {
+ return o.Name
+}
+
type SdewanFirewallZones struct {
Zones []SdewanFirewallZone `json:"zones"`
}
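Review bot: the context line just above this addition carries the JSON tag `json:"etra_dest"`, which looks like a typo for `extra_dest`; please confirm the field name against the CNF REST API, because a mismatched tag silently drops the field on both marshal and unmarshal and `IsEqual`'s `reflect.DeepEqual` would then never see it. Also add a blank line between the closing `}` of the struct and the new `func`.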
Family string `json:"family"`
}
+func (o *SdewanFirewallForwarding) GetName() string {
+ return o.Name
+}
+
type SdewanFirewallForwardings struct {
Forwardings []SdewanFirewallForwarding `json:"forwardings"`
}
Extra string `json:"extra"`
}
+func (o *SdewanFirewallRule) GetName() string {
+ return o.Name
+}
+
type SdewanFirewallRules struct {
Rules []SdewanFirewallRule `json:"rules"`
}
Family string `json:"family"`
}
+func (o *SdewanFirewallRedirect) GetName() string {
+ return o.Name
+}
+
type SdewanFirewallRedirects struct {
Redirects []SdewanFirewallRedirect `json:"redirects"`
}
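Review bot: as in the three preceding `GetName` hunks, insert a blank line between the struct's closing `}` and the new method so the file keeps one blank line between top-level declarations. Since all four methods are the same one-liner returning `o.Name`, a short comment on one of them noting that they exist to satisfy `openwrt.IOpenWrtObject` would help the next reader.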