Add CRD for IPSec Proposal 36/3536/6
authorRuoyu <ruoyu.ying@intel.com>
Tue, 2 Jun 2020 01:03:22 +0000 (09:03 +0800)
committerRuoyu Ying <ruoyu.ying@intel.com>
Thu, 4 Jun 2020 07:52:56 +0000 (07:52 +0000)
*Contains changes for IPSec Proposal

Issue-ID: ICN-289
Change-Id: I31e9effe6d132b9fa82f9ed9bd478255579cc476
Signed-off-by: Ruoyu <ruoyu.ying@intel.com>
15 files changed:
platform/crd-ctrlr/examples/sdewan-controller.yaml
platform/crd-ctrlr/src/PROJECT
platform/crd-ctrlr/src/api/v1alpha1/bucket_permission_webhook.go
platform/crd-ctrlr/src/api/v1alpha1/ipsecproposal_types.go [new file with mode: 0644]
platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go
platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsecproposals.yaml [new file with mode: 0644]
platform/crd-ctrlr/src/config/crd/kustomization.yaml
platform/crd-ctrlr/src/config/crd/patches/cainjection_in_ipsecproposals.yaml [new file with mode: 0644]
platform/crd-ctrlr/src/config/crd/patches/webhook_in_ipsecproposals.yaml [new file with mode: 0644]
platform/crd-ctrlr/src/config/rbac/role.yaml
platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml [new file with mode: 0644]
platform/crd-ctrlr/src/config/webhook/manifests.yaml
platform/crd-ctrlr/src/controllers/ipsecproposal_controller.go [new file with mode: 0644]
platform/crd-ctrlr/src/main.go
platform/crd-ctrlr/src/openwrt/ipsec.go

index eff53cc..78c0662 100644 (file)
@@ -483,6 +483,84 @@ status:
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.5
+  creationTimestamp: null
+  name: ipsecproposals.batch.sdewan.akraino.org
+spec:
+  group: batch.sdewan.akraino.org
+  names:
+    kind: IpsecProposal
+    listKind: IpsecProposalList
+    plural: ipsecproposals
+    singular: ipsecproposal
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: IpsecProposal is the Schema for the ipsecproposals API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IpsecProposalSpec defines the desired state of IpsecProposal
+          properties:
+            dh_group:
+              type: string
+            encryption_algorithm:
+              type: string
+            hash_algorithm:
+              type: string
+            name:
+              type: string
+          required:
+          - dh_group
+          - encryption_algorithm
+          - hash_algorithm
+          type: object
+        status:
+          description: status subsource used for Sdewan rule CRDs
+          properties:
+            appliedGeneration:
+              format: int64
+              type: integer
+            appliedTime:
+              format: date-time
+              type: string
+            message:
+              type: string
+            state:
+              type: string
+          required:
+          - state
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.2.5
@@ -817,6 +895,26 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - batch.sdewan.akraino.org
+  resources:
+  - ipsecproposals
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch.sdewan.akraino.org
+  resources:
+  - ipsecproposals/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - batch.sdewan.akraino.org
   resources:
@@ -1066,3 +1164,4 @@ webhooks:
     - firewallrules
     - firewallsnats
     - firewalldnats
+    - ipsecproposal
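Review bot: The entry added to the webhook's `resources` list is the singular `ipsecproposal`, while the CRD added earlier in this same file registers the resource as `plural: ipsecproposals` and every neighbouring entry (`firewallrules`, `firewallsnats`, `firewalldnats`) is plural. Admission webhook rules match on the plural resource name, so as written the bucket-permission validator, declared with `failurePolicy=fail`, would not be called for IpsecProposal create/update/delete and the permission check is skipped for this kind. The line should read `- ipsecproposals`. The same spelling appears in the `+kubebuilder:webhook` marker in bucket_permission_webhook.go (`...firewalldnats;ipsecproposal`) and in config/webhook/manifests.yaml; the marker is the source of the generated manifests, so fix it there and regenerate.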
index 2167712..34a442e 100644 (file)
@@ -22,4 +22,7 @@ resources:
 - group: batch
   kind: FirewallForwarding
   version: v1alpha1
+- group: batch
+  kind: IpsecProposal
+  version: v1alpha1
 version: "2"
index ac63ee4..722ef99 100644 (file)
@@ -45,7 +45,7 @@ func SetupBucketPermissionWebhookWithManager(mgr ctrl.Manager) error {
        return nil
 }
 
-// +kubebuilder:webhook:path=/validate-sdewan-bucket-permission,mutating=false,failurePolicy=fail,groups="batch.sdewan.akraino.org",resources=mwan3policies;mwan3rules;firewallzones;firewallforwardings;firewallrules;firewallsnats;firewalldnats,verbs=create;update;delete,versions=v1alpha1,name=validate-sdewan-bucket.akraino.org
+// +kubebuilder:webhook:path=/validate-sdewan-bucket-permission,mutating=false,failurePolicy=fail,groups="batch.sdewan.akraino.org",resources=mwan3policies;mwan3rules;firewallzones;firewallforwardings;firewallrules;firewallsnats;firewalldnats;ipsecproposal,verbs=create;update;delete,versions=v1alpha1,name=validate-sdewan-bucket.akraino.org
 
 // bucketPermissionValidator validates Pods
 type bucketPermissionValidator struct {
diff --git a/platform/crd-ctrlr/src/api/v1alpha1/ipsecproposal_types.go b/platform/crd-ctrlr/src/api/v1alpha1/ipsecproposal_types.go
new file mode 100644 (file)
index 0000000..cb39ea6
--- /dev/null
@@ -0,0 +1,56 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+       metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// IpsecProposalSpec defines the desired state of IpsecProposal
+type IpsecProposalSpec struct {
+       Name                string `json:"name,omitempty"`
+       EncryptionAlgorithm string `json:"encryption_algorithm"`
+       HashAlgorithm       string `json:"hash_algorithm"`
+       DhGroup             string `json:"dh_group"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// IpsecProposal is the Schema for the ipsecproposals API
+type IpsecProposal struct {
+       metav1.TypeMeta   `json:",inline"`
+       metav1.ObjectMeta `json:"metadata,omitempty"`
+
+       Spec   IpsecProposalSpec `json:"spec,omitempty"`
+       Status SdewanStatus      `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// IpsecProposalList contains a list of IpsecProposal
+type IpsecProposalList struct {
+       metav1.TypeMeta `json:",inline"`
+       metav1.ListMeta `json:"metadata,omitempty"`
+       Items           []IpsecProposal `json:"items"`
+}
+
+func init() {
+       SchemeBuilder.Register(&IpsecProposal{}, &IpsecProposalList{})
+}
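Review bot: `EncryptionAlgorithm`, `HashAlgorithm` and `DhGroup` in `IpsecProposalSpec` are plain strings with no validation markers, so the generated schema only checks that the keys are present. An empty string, a typo or a deprecated algorithm name all pass admission and reach the controller's `Convert`, which casts the spec straight to `openwrt.SdewanIpsecProposal`. Add a kubebuilder marker on each field listing the values the CNF is meant to accept, e.g. `// +kubebuilder:validation:Enum=<ALLOWED_VALUES>` (placeholder; the accepted set is not visible in this commit), or at least `// +kubebuilder:validation:MinLength=1`. A field comment on `Name` should also say that a user-supplied `spec.name` is overwritten with `metadata.name` in `Convert`.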
index 16a31d9..44dd03b 100644 (file)
@@ -447,6 +447,80 @@ func (in *FirewallZoneSpec) DeepCopy() *FirewallZoneSpec {
        return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IpsecProposal) DeepCopyInto(out *IpsecProposal) {
+       *out = *in
+       out.TypeMeta = in.TypeMeta
+       in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+       out.Spec = in.Spec
+       in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposal.
+func (in *IpsecProposal) DeepCopy() *IpsecProposal {
+       if in == nil {
+               return nil
+       }
+       out := new(IpsecProposal)
+       in.DeepCopyInto(out)
+       return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *IpsecProposal) DeepCopyObject() runtime.Object {
+       if c := in.DeepCopy(); c != nil {
+               return c
+       }
+       return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IpsecProposalList) DeepCopyInto(out *IpsecProposalList) {
+       *out = *in
+       out.TypeMeta = in.TypeMeta
+       in.ListMeta.DeepCopyInto(&out.ListMeta)
+       if in.Items != nil {
+               in, out := &in.Items, &out.Items
+               *out = make([]IpsecProposal, len(*in))
+               for i := range *in {
+                       (*in)[i].DeepCopyInto(&(*out)[i])
+               }
+       }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposalList.
+func (in *IpsecProposalList) DeepCopy() *IpsecProposalList {
+       if in == nil {
+               return nil
+       }
+       out := new(IpsecProposalList)
+       in.DeepCopyInto(out)
+       return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *IpsecProposalList) DeepCopyObject() runtime.Object {
+       if c := in.DeepCopy(); c != nil {
+               return c
+       }
+       return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IpsecProposalSpec) DeepCopyInto(out *IpsecProposalSpec) {
+       *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposalSpec.
+func (in *IpsecProposalSpec) DeepCopy() *IpsecProposalSpec {
+       if in == nil {
+               return nil
+       }
+       out := new(IpsecProposalSpec)
+       in.DeepCopyInto(out)
+       return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Mwan3Policy) DeepCopyInto(out *Mwan3Policy) {
        *out = *in
diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsecproposals.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsecproposals.yaml
new file mode 100644 (file)
index 0000000..f8b9b35
--- /dev/null
@@ -0,0 +1,79 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.5
+  creationTimestamp: null
+  name: ipsecproposals.batch.sdewan.akraino.org
+spec:
+  group: batch.sdewan.akraino.org
+  names:
+    kind: IpsecProposal
+    listKind: IpsecProposalList
+    plural: ipsecproposals
+    singular: ipsecproposal
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: IpsecProposal is the Schema for the ipsecproposals API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IpsecProposalSpec defines the desired state of IpsecProposal
+          properties:
+            dh_group:
+              type: string
+            encryption_algorithm:
+              type: string
+            hash_algorithm:
+              type: string
+            name:
+              type: string
+          required:
+          - dh_group
+          - encryption_algorithm
+          - hash_algorithm
+          type: object
+        status:
+          description: status subsource used for Sdewan rule CRDs
+          properties:
+            appliedGeneration:
+              format: int64
+              type: integer
+            appliedTime:
+              format: date-time
+              type: string
+            message:
+              type: string
+            state:
+              type: string
+          required:
+          - state
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
index 3d5d1f6..f3138ae 100644 (file)
@@ -9,6 +9,7 @@ resources:
 - bases/batch.sdewan.akraino.org_firewallsnats.yaml
 - bases/batch.sdewan.akraino.org_firewalldnats.yaml
 - bases/batch.sdewan.akraino.org_firewallforwardings.yaml
+- bases/batch.sdewan.akraino.org_ipsecproposals.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -21,6 +22,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_firewallsnats.yaml
 #- patches/webhook_in_firewalldnats.yaml
 #- patches/webhook_in_firewallforwardings.yaml
+#- patches/webhook_in_ipsecproposals.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
@@ -32,6 +34,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_firewallsnats.yaml
 #- patches/cainjection_in_firewalldnats.yaml
 #- patches/cainjection_in_firewallforwardings.yaml
+#- patches/cainjection_in_ipsecproposals.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
diff --git a/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_ipsecproposals.yaml b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_ipsecproposals.yaml
new file mode 100644 (file)
index 0000000..15ad96e
--- /dev/null
@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: ipsecproposals.batch.sdewan.akraino.org
diff --git a/platform/crd-ctrlr/src/config/crd/patches/webhook_in_ipsecproposals.yaml b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_ipsecproposals.yaml
new file mode 100644 (file)
index 0000000..833a759
--- /dev/null
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipsecproposals.batch.sdewan.akraino.org
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert
index ceb67f0..9c48bc5 100644 (file)
@@ -122,6 +122,26 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - batch.sdewan.akraino.org
+  resources:
+  - ipsecproposals
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch.sdewan.akraino.org
+  resources:
+  - ipsecproposals/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - batch.sdewan.akraino.org
   resources:
diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml
new file mode 100644 (file)
index 0000000..91fbf10
--- /dev/null
@@ -0,0 +1,11 @@
+apiVersion: batch.sdewan.akraino.org/v1alpha1
+kind: IpsecProposal
+metadata:
+  name: ipsecproposal
+  namespace: default
+  labels:
+    sdewanPurpose: cnf1
+spec:
+        dh_group: modp4096
+        encryption_algorithm: aes
+        hash_algorithm: sha1
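Review bot: The sample sets `hash_algorithm: sha1`, and sample manifests tend to be copied into real deployments unchanged. SHA-1 is being phased out of current IPsec algorithm guidance; if the CNF accepts it, ship the sample with a SHA-2 value such as `hash_algorithm: sha256`. `encryption_algorithm: aes` also leaves the key size implicit, so a value that names the key length would be clearer, assuming the backend supports one. The `spec` children are indented eight spaces where the rest of the file uses two; it parses, but is worth normalising.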
index bd55f32..99354b0 100644 (file)
@@ -31,3 +31,4 @@ webhooks:
     - firewallrules
     - firewallsnats
     - firewalldnats
+    - ipsecproposal
diff --git a/platform/crd-ctrlr/src/controllers/ipsecproposal_controller.go b/platform/crd-ctrlr/src/controllers/ipsecproposal_controller.go
new file mode 100644 (file)
index 0000000..fa205f8
--- /dev/null
@@ -0,0 +1,123 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+       "context"
+       "reflect"
+
+       "github.com/go-logr/logr"
+       appsv1 "k8s.io/api/apps/v1"
+       "k8s.io/apimachinery/pkg/runtime"
+       ctrl "sigs.k8s.io/controller-runtime"
+       "sigs.k8s.io/controller-runtime/pkg/builder"
+       "sigs.k8s.io/controller-runtime/pkg/client"
+       "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+       batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1"
+       "sdewan.akraino.org/sdewan/openwrt"
+)
+
+var ipsecProposalHandler = new(IpsecProposalHandler)
+
+type IpsecProposalHandler struct {
+}
+
+func (m *IpsecProposalHandler) GetType() string {
+       return "IpsecProposal"
+}
+
+func (m *IpsecProposalHandler) GetName(instance runtime.Object) string {
+       proposal := instance.(*batchv1alpha1.IpsecProposal)
+       return proposal.Name
+}
+
+func (m *IpsecProposalHandler) GetFinalizer() string {
+       return "proposal.finalizers.sdewan.akraino.org"
+}
+
+func (m *IpsecProposalHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) {
+       instance := &batchv1alpha1.IpsecProposal{}
+       err := r.Get(ctx, req.NamespacedName, instance)
+       return instance, err
+}
+
+func (m *IpsecProposalHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) {
+       proposal := instance.(*batchv1alpha1.IpsecProposal)
+       proposal.Spec.Name = proposal.ObjectMeta.Name
+       proposalObject := openwrt.SdewanIpsecProposal(proposal.Spec)
+       return &proposalObject, nil
+}
+
+func (m *IpsecProposalHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool {
+       proposal1 := instance1.(*openwrt.SdewanIpsecProposal)
+       proposal2 := instance2.(*openwrt.SdewanIpsecProposal)
+       return reflect.DeepEqual(*proposal1, *proposal2)
+}
+
+func (m *IpsecProposalHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) {
+       openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+       ipsec := openwrt.IpsecClient{OpenwrtClient: openwrtClient}
+       ret, err := ipsec.GetProposal(name)
+       return ret, err
+}
+
+func (m *IpsecProposalHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+       openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+       ipsec := openwrt.IpsecClient{OpenwrtClient: openwrtClient}
+       proposal := instance.(*openwrt.SdewanIpsecProposal)
+       return ipsec.CreateProposal(*proposal)
+}
+
+func (m *IpsecProposalHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) {
+       openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+       ipsec := openwrt.IpsecClient{OpenwrtClient: openwrtClient}
+       proposal := instance.(*openwrt.SdewanIpsecProposal)
+       return ipsec.UpdateProposal(*proposal)
+}
+
+func (m *IpsecProposalHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error {
+       openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+       ipsec := openwrt.IpsecClient{OpenwrtClient: openwrtClient}
+       return ipsec.DeleteProposal(name)
+}
+
+func (m *IpsecProposalHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) {
+       openwrtClient := openwrt.GetOpenwrtClient(*clientInfo)
+       service := openwrt.ServiceClient{OpenwrtClient: openwrtClient}
+       return service.ExecuteService("ipsec", "restart")
+}
+
+// IpsecProposalReconciler reconciles a IpsecProposal object
+type IpsecProposalReconciler struct {
+       client.Client
+       Log    logr.Logger
+       Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=ipsecproposals,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=ipsecproposals/status,verbs=get;update;patch
+
+func (r *IpsecProposalReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+       return ProcessReconcile(r, r.Log, req, ipsecProposalHandler)
+}
+
+func (r *IpsecProposalReconciler) SetupWithManager(mgr ctrl.Manager) error {
+       ps := builder.WithPredicates(predicate.GenerationChangedPredicate{})
+       return ctrl.NewControllerManagedBy(mgr).
+               For(&batchv1alpha1.IpsecProposal{}, ps).
+               Complete(r)
+}
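Review bot: `Convert`, `IsEqual`, `CreateObject` and `UpdateObject` use single-value type assertions (`instance.(*batchv1alpha1.IpsecProposal)`, `instance.(*openwrt.SdewanIpsecProposal)`), which panic if a caller ever hands the handler a different object type. Depending on how `ProcessReconcile` (not shown) deals with panics, that could take down the whole controller manager rather than fail one reconcile. Where the method already returns an error, use the two-value form: `proposal, ok := instance.(*batchv1alpha1.IpsecProposal)` followed by `if !ok { return nil, fmt.Errorf("unexpected object type %T", instance) }` (needs `fmt` imported). Separately, the exported `IpsecProposalHandler` and its methods have no doc comments; a line on `Convert` noting that it overwrites `Spec.Name` with the object's metadata name would help the next reader.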
index 6ff7658..04cfa65 100644 (file)
@@ -159,6 +159,14 @@ func main() {
                setupLog.Error(err, "unable to create controller", "controller", "FirewallForwarding")
                os.Exit(1)
        }
+       if err = (&controllers.IpsecProposalReconciler{
+               Client: mgr.GetClient(),
+               Log:    ctrl.Log.WithName("controllers").WithName("IpsecProposal"),
+               Scheme: mgr.GetScheme(),
+       }).SetupWithManager(mgr); err != nil {
+               setupLog.Error(err, "unable to create controller", "controller", "IpsecProposal")
+               os.Exit(1)
+       }
        // +kubebuilder:scaffold:builder
 
        setupLog.Info("starting manager")
index 9d6e7b1..788e909 100644 (file)
@@ -24,6 +24,10 @@ type SdewanIpsecProposals struct {
        Proposals []SdewanIpsecProposal `json:"proposals"`
 }
 
+func (o *SdewanIpsecProposal) GetName() string {
+       return o.Name
+}
+
 // Sites
 type SdewanIpsecConnection struct {
        Name           string   `json:"name"`