From: chengli3 Date: Thu, 28 May 2020 03:01:51 +0000 (+0000) Subject: Implement the firewall group CRDs and Controllers X-Git-Tag: v1.0~28^2 X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F23%2F3523%2F1;p=icn%2Fsdwan.git Implement the firewall group CRDs and Controllers This patch implements the firewall group CRDs/Controllers: - firewallzones - firewallrules - firewallforwardings - firewallsnat - firewalldnat After these firewall* CRDs, we will implement ipsec group CRDs Signed-off-by: chengli3 Change-Id: I4a792b97771e82776aaa455ad550546eb7a09f92 --- diff --git a/platform/crd-ctrlr/README.md b/platform/crd-ctrlr/README.md index 86616a5..5699c92 100644 --- a/platform/crd-ctrlr/README.md +++ b/platform/crd-ctrlr/README.md @@ -68,7 +68,7 @@ To create new CRD and controller kubebuilder create api --group batch --version v1alpha1 --kind Mwan3Policy ``` -**NOTE:** For each new created CRD, we need to make correspond changes for webhook. +**NOTE:** For each new created CRD, we need to make correspond changes(add switch cases and webhook resources) for [webhook](src/api/v1alpha1/bucket_permission_webhook.go). To run local controller(For test/debug purpose) ``` 
@@ -93,6 +93,7 @@ make gen-yaml IMG="integratedcloudnative/sdewan-controller:dev" - One CRD one controller - Controller watches itself CR and the Deployment(ready status only) - Reconcile calls WrtProvider to add/update/delete rules for CNF +- `GenerationChangedPredicate` should be added to each CRD controller, to prevent status/meta changes triggering reconcile - CnfProvider interfaces defines the function CNF function calls. WrtProvider is one implementation of CnfProvider - For the users, CNF rules are CRs. But for openwrt, the rules are openwrt rule entities. We can pass the CRs to OpenWRT API. Instead, we need to convert the CRs to OpenWRT entities. - Finalizer should be added to CR only when AddUpdate call succeed. Likewise, finalizer should be removed from CR only when Delete call succeed. @@ -105,12 +106,20 @@ make gen-yaml IMG="integratedcloudnative/sdewan-controller:dev" - A runable framework with Mwan3Policy CRD and controller implemented. It means we can run the controller and add/update/delete mwan3policy rules. - We have extracted the common logics of controllers, and implemeted the second crd/controller with it - The label based permission system implemented by webhook +- Supported CRDs: + - Mwan3Policy + - Mwan3Rule + - FirewallForwarding + - FirewallZone + - FirewallRule + - FirewallDNAT + - FirewallSNAT ### What we don't have yet - Add a watch for deployment, so that the controller can get the CNF ready status change. [predicate feature](https://godoc.org/sigs.k8s.io/controller-runtime/pkg/predicate#example-Funcs) should be used to filter no-status event. -- Implemente the remain CRDs/controllers. As all the controller logics are almost the same, some workload will be the extracting of the similar logic and make them functions. -- Add validation webhook to validate CR +- Implemente the ipsec CRDs/controllers +- Add validation webhook to validate CR ( as we have the validation in openwrt, so not validate the CR at frontend) ### NOTEs 
diff --git a/platform/crd-ctrlr/examples/clusterrole-allow-intent.yaml b/platform/crd-ctrlr/examples/clusterrole-allow-intent.yaml index 9d013e2..102f2dd 100644 --- a/platform/crd-ctrlr/examples/clusterrole-allow-intent.yaml +++ b/platform/crd-ctrlr/examples/clusterrole-allow-intent.yaml @@ -5,8 +5,17 @@ metadata: annotations: sdewan-bucket-type-permission: |- { "mwan3rules": ["app-intent", "k8s-service"], - "mwan3policies": ["*"] } + "mwan3policies": ["*"], + "firewall*": ["app-intent"] + } rules: - apiGroups: ["batch.sdewan.akraino.org"] - resources: ["mwan3policies", "mwan3rules"] + resources: + - mwan3policies + - mwan3rules + - firewallzones + - firewallforwardings + - firewallsnats + - firewalldnats + - firewallrules verbs: ["create", "get", "watch", "list", "delete"] diff --git a/platform/crd-ctrlr/examples/sdewan-controller.yaml b/platform/crd-ctrlr/examples/sdewan-controller.yaml index e8c3f3b..eff53cc 100644 --- a/platform/crd-ctrlr/examples/sdewan-controller.yaml +++ b/platform/crd-ctrlr/examples/sdewan-controller.yaml 
@@ -7,6 +7,482 @@ metadata: --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewalldnats.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallDNAT + listKind: FirewallDNATList + plural: firewalldnats + singular: firewalldnat + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallDNAT is the Schema for the firewalldnats API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallDNATSpec defines the desired state of FirewallDNAT + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + family: + type: string + mark: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + proto: + type: string + src: + type: string + src_dip: + type: string + src_dport: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallforwardings.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallForwarding + listKind: FirewallForwardingList + plural: firewallforwardings + singular: firewallforwarding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallForwarding is the Schema for the firewallforwardings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallForwardingSpec defines the desired state of FirewallForwarding + properties: + dest: + type: string + family: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + src: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallrules.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallRule + listKind: FirewallRuleList + plural: firewallrules + singular: firewallrule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallRule is the Schema for the firewallrules API + properties: + apiVersion: + description: 'APIVersion defines 
the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallRuleSpec defines the desired state of FirewallRule + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + extra: + type: string + family: + type: string + icmp_type: + items: + type: string + type: array + mark: + type: string + name: + description: Foo is an example field of FirewallRule. 
Edit FirewallRule_types.go + to remove/update + type: string + proto: + type: string + set_mark: + type: string + set_xmark: + type: string + src: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallsnats.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallSNAT + listKind: FirewallSNATList + plural: firewallsnats + singular: firewallsnat + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallSNAT is the Schema for the firewallsnats API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallSNATSpec defines the desired state of FirewallSNAT + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + family: + type: string + mark: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + proto: + type: string + src: + type: string + src_dip: + type: string + src_dport: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallzones.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallZone + listKind: FirewallZoneList + plural: firewallzones + singular: firewallzone + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallZone is the Schema for the firewallzones API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallZoneSpec defines the desired state of FirewallZone + properties: + etra_dest: + type: string + extra_src: + type: string + family: + type: string + forward: + type: string + input: + type: string + masq: + type: string + masq_allow_invalid: + type: string + masq_dest: + items: + type: string + type: array + masq_src: + items: + type: string + type: array + mtu_fix: + type: string + name: + description: Foo is an example field of FirewallZone. Edit FirewallZone_types.go + to remove/update + type: string + network: + items: + type: string + type: array + output: + type: string + subnet: + items: + type: string + type: array + required: + - network + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.5 
@@ -241,6 +717,106 @@ rules: - get - list - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewalldnats + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewalldnats/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallforwardings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallforwardings/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallrules + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallrules/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallsnats + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallsnats/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallzones + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallzones/status + verbs: + - get + - patch + - update - apiGroups: - batch.sdewan.akraino.org resources: @@ -485,3 +1061,8 @@ webhooks: resources: - mwan3policies - mwan3rules + - firewallzones + - firewallforwardings + - firewallrules + - firewallsnats + - firewalldnats diff --git a/platform/crd-ctrlr/src/PROJECT b/platform/crd-ctrlr/src/PROJECT index 63278f3..2167712 100644 --- a/platform/crd-ctrlr/src/PROJECT +++ b/platform/crd-ctrlr/src/PROJECT 
@@ -7,4 +7,19 @@ resources: - group: batch kind: Mwan3Rule version: v1alpha1 +- group: batch + kind: FirewallZone + version: v1alpha1 +- group: batch + kind: FirewallRule + version: v1alpha1 +- group: batch + kind: FirewallSNAT + version: v1alpha1 +- group: batch + kind: FirewallDNAT + version: v1alpha1 +- group: batch + kind: FirewallForwarding + version: v1alpha1 version: "2" diff --git a/platform/crd-ctrlr/src/api/v1alpha1/bucket_permission_webhook.go b/platform/crd-ctrlr/src/api/v1alpha1/bucket_permission_webhook.go index 66b197b..ac63ee4 100644 --- a/platform/crd-ctrlr/src/api/v1alpha1/bucket_permission_webhook.go +++ b/platform/crd-ctrlr/src/api/v1alpha1/bucket_permission_webhook.go @@ -45,7 +45,7 @@ func SetupBucketPermissionWebhookWithManager(mgr ctrl.Manager) error { return nil } -// +kubebuilder:webhook:path=/validate-sdewan-bucket-permission,mutating=false,failurePolicy=fail,groups="batch.sdewan.akraino.org",resources=mwan3policies;mwan3rules,verbs=create;update;delete,versions=v1alpha1,name=validate-sdewan-bucket.akraino.org +// +kubebuilder:webhook:path=/validate-sdewan-bucket-permission,mutating=false,failurePolicy=fail,groups="batch.sdewan.akraino.org",resources=mwan3policies;mwan3rules;firewallzones;firewallforwardings;firewallrules;firewallsnats;firewalldnats,verbs=create;update;delete,versions=v1alpha1,name=validate-sdewan-bucket.akraino.org // bucketPermissionValidator validates Pods type bucketPermissionValidator struct { @@ -87,6 +87,16 @@ func (v *bucketPermissionValidator) Handle(ctx context.Context, req admission.Re obj = &Mwan3Policy{} case "Mwan3Rule": obj = &Mwan3Rule{} + case "FirewallForwarding": + obj = &FirewallForwarding{} + case "FirewallZone": + obj = &FirewallZone{} + case "FirewallRule": + obj = &FirewallRule{} + case "FirewallDNAT": + obj = &FirewallDNAT{} + case "FirewallSNAT": + obj = &FirewallSNAT{} default: return admission.Errored( http.StatusBadRequest, 
diff --git a/platform/crd-ctrlr/src/api/v1alpha1/firewalldnat_types.go b/platform/crd-ctrlr/src/api/v1alpha1/firewalldnat_types.go new file mode 100644 index 0000000..099d892 --- /dev/null +++ b/platform/crd-ctrlr/src/api/v1alpha1/firewalldnat_types.go 
@@ -0,0 +1,68 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// FirewallDNATSpec defines the desired state of FirewallDNAT +type FirewallDNATSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + Name string `json:"name,omitempty"` + Src string `json:"src,omitempty"` + SrcIp string `json:"src_ip,omitempty"` + SrcDIp string `json:"src_dip,omitempty"` + SrcMac string `json:"src_mac,omitempty"` + SrcPort string `json:"src_port,omitempty"` + SrcDPort string `json:"src_dport,omitempty"` + Proto string `json:"proto,omitempty"` + Dest string `json:"dest,omitempty"` + DestIp string `json:"dest_ip,omitempty"` + DestPort string `json:"dest_port,omitempty"` + Mark string `json:"mark,omitempty"` + Target string `json:"target,omitempty"` + Family string `json:"family,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status + +// FirewallDNAT is the Schema for the firewalldnats API +type FirewallDNAT struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec FirewallDNATSpec `json:"spec,omitempty"` + Status SdewanStatus `json:"status,omitempty"` +} + +// 
+kubebuilder:object:root=true + +// FirewallDNATList contains a list of FirewallDNAT +type FirewallDNATList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []FirewallDNAT `json:"items"` +} + +func init() { + SchemeBuilder.Register(&FirewallDNAT{}, &FirewallDNATList{}) +} diff --git a/platform/crd-ctrlr/src/api/v1alpha1/firewallforwarding_types.go b/platform/crd-ctrlr/src/api/v1alpha1/firewallforwarding_types.go new file mode 100644 index 0000000..2f1e264 --- /dev/null +++ b/platform/crd-ctrlr/src/api/v1alpha1/firewallforwarding_types.go 
@@ -0,0 +1,58 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// FirewallForwardingSpec defines the desired state of FirewallForwarding +type FirewallForwardingSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + Name string `json:"name,omitempty"` + Src string `json:"src,omitempty"` + Dest string `json:"dest,omitempty"` + Family string `json:"family,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status + +// FirewallForwarding is the Schema for the firewallforwardings API +type FirewallForwarding struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec FirewallForwardingSpec `json:"spec,omitempty"` + Status SdewanStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// FirewallForwardingList contains a list of FirewallForwarding +type FirewallForwardingList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []FirewallForwarding `json:"items"` +} + +func init() { + SchemeBuilder.Register(&FirewallForwarding{}, &FirewallForwardingList{}) +} 
diff --git a/platform/crd-ctrlr/src/api/v1alpha1/firewallrule_types.go b/platform/crd-ctrlr/src/api/v1alpha1/firewallrule_types.go new file mode 100644 index 0000000..a2ddd53 --- /dev/null +++ b/platform/crd-ctrlr/src/api/v1alpha1/firewallrule_types.go 
@@ -0,0 +1,72 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// FirewallRuleSpec defines the desired state of FirewallRule +type FirewallRuleSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + + // Foo is an example field of FirewallRule. 
Edit FirewallRule_types.go to remove/update + Name string `json:"name,omitempty"` + Src string `json:"src,omitempty"` + SrcIp string `json:"src_ip,omitempty"` + SrcMac string `json:"src_mac,omitempty"` + SrcPort string `json:"src_port,omitempty"` + Proto string `json:"proto,omitempty"` + IcmpType []string `json:"icmp_type,omitempty"` + Dest string `json:"dest,omitempty"` + DestIp string `json:"dest_ip,omitempty"` + DestPort string `json:"dest_port,omitempty"` + Mark string `json:"mark,omitempty"` + Target string `json:"target,omitempty"` + SetMark string `json:"set_mark,omitempty"` + SetXmark string `json:"set_xmark,omitempty"` + Family string `json:"family,omitempty"` + Extra string `json:"extra,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status + +// FirewallRule is the Schema for the firewallrules API +type FirewallRule struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec FirewallRuleSpec `json:"spec,omitempty"` + Status SdewanStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// FirewallRuleList contains a list of FirewallRule +type FirewallRuleList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []FirewallRule `json:"items"` +} + +func init() { + SchemeBuilder.Register(&FirewallRule{}, &FirewallRuleList{}) +} diff --git a/platform/crd-ctrlr/src/api/v1alpha1/firewallsnat_types.go b/platform/crd-ctrlr/src/api/v1alpha1/firewallsnat_types.go new file mode 100644 index 0000000..4969fb8 --- /dev/null +++ b/platform/crd-ctrlr/src/api/v1alpha1/firewallsnat_types.go 
@@ -0,0 +1,68 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// FirewallSNATSpec defines the desired state of FirewallSNAT +type FirewallSNATSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + Name string `json:"name,omitempty"` + Src string `json:"src,omitempty"` + SrcIp string `json:"src_ip,omitempty"` + SrcDIp string `json:"src_dip,omitempty"` + SrcMac string `json:"src_mac,omitempty"` + SrcPort string `json:"src_port,omitempty"` + SrcDPort string `json:"src_dport,omitempty"` + Proto string `json:"proto,omitempty"` + Dest string `json:"dest,omitempty"` + DestIp string `json:"dest_ip,omitempty"` + DestPort string `json:"dest_port,omitempty"` + Mark string `json:"mark,omitempty"` + Target string `json:"target,omitempty"` + Family string `json:"family,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status + +// FirewallSNAT is the Schema for the firewallsnats API +type FirewallSNAT struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec FirewallSNATSpec `json:"spec,omitempty"` + Status SdewanStatus `json:"status,omitempty"` +} + +// 
+kubebuilder:object:root=true + +// FirewallSNATList contains a list of FirewallSNAT +type FirewallSNATList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []FirewallSNAT `json:"items"` +} + +func init() { + SchemeBuilder.Register(&FirewallSNAT{}, &FirewallSNATList{}) +} diff --git a/platform/crd-ctrlr/src/api/v1alpha1/firewallzone_types.go b/platform/crd-ctrlr/src/api/v1alpha1/firewallzone_types.go new file mode 100644 index 0000000..e08a17e --- /dev/null +++ b/platform/crd-ctrlr/src/api/v1alpha1/firewallzone_types.go 
@@ -0,0 +1,69 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// FirewallZoneSpec defines the desired state of FirewallZone +type FirewallZoneSpec struct { + // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + // Important: Run "make" to regenerate code after modifying this file + + // Foo is an example field of FirewallZone. 
Edit FirewallZone_types.go to remove/update + Name string `json:"name,omitempty"` + Network []string `json:"network"` + Masq string `json:"masq,omitempty"` + MasqSrc []string `json:"masq_src,omitempty"` + MasqDest []string `json:"masq_dest,omitempty"` + MasqAllowInvalid string `json:"masq_allow_invalid,omitempty"` + MtuFix string `json:"mtu_fix,omitempty"` + Input string `json:"input,omitempty"` + Forward string `json:"forward,omitempty"` + Output string `json:"output,omitempty"` + Family string `json:"family,omitempty"` + Subnet []string `json:"subnet,omitempty"` + ExtraSrc string `json:"extra_src,omitempty"` + ExtraDest string `json:"etra_dest,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// FirewallZone is the Schema for the firewallzones API +type FirewallZone struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec FirewallZoneSpec `json:"spec,omitempty"` + Status SdewanStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// FirewallZoneList contains a list of FirewallZone +type FirewallZoneList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []FirewallZone `json:"items"` +} + +func init() { + SchemeBuilder.Register(&FirewallZone{}, &FirewallZoneList{}) +} diff --git a/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go b/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go index 32a04a5..16a31d9 100644 --- a/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go +++ b/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go 
@@ -52,6 +52,401 @@ func (in BucketPermission) DeepCopy() BucketPermission { return *out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallDNAT) DeepCopyInto(out *FirewallDNAT) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDNAT. +func (in *FirewallDNAT) DeepCopy() *FirewallDNAT { + if in == nil { + return nil + } + out := new(FirewallDNAT) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallDNAT) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallDNATList) DeepCopyInto(out *FirewallDNATList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]FirewallDNAT, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDNATList. +func (in *FirewallDNATList) DeepCopy() *FirewallDNATList { + if in == nil { + return nil + } + out := new(FirewallDNATList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallDNATList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *FirewallDNATSpec) DeepCopyInto(out *FirewallDNATSpec) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDNATSpec. +func (in *FirewallDNATSpec) DeepCopy() *FirewallDNATSpec { + if in == nil { + return nil + } + out := new(FirewallDNATSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallForwarding) DeepCopyInto(out *FirewallForwarding) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallForwarding. +func (in *FirewallForwarding) DeepCopy() *FirewallForwarding { + if in == nil { + return nil + } + out := new(FirewallForwarding) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallForwarding) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallForwardingList) DeepCopyInto(out *FirewallForwardingList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]FirewallForwarding, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallForwardingList. 
+func (in *FirewallForwardingList) DeepCopy() *FirewallForwardingList { + if in == nil { + return nil + } + out := new(FirewallForwardingList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallForwardingList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallForwardingSpec) DeepCopyInto(out *FirewallForwardingSpec) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallForwardingSpec. +func (in *FirewallForwardingSpec) DeepCopy() *FirewallForwardingSpec { + if in == nil { + return nil + } + out := new(FirewallForwardingSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallRule) DeepCopyInto(out *FirewallRule) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRule. +func (in *FirewallRule) DeepCopy() *FirewallRule { + if in == nil { + return nil + } + out := new(FirewallRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallRule) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *FirewallRuleList) DeepCopyInto(out *FirewallRuleList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]FirewallRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRuleList. +func (in *FirewallRuleList) DeepCopy() *FirewallRuleList { + if in == nil { + return nil + } + out := new(FirewallRuleList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallRuleList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallRuleSpec) DeepCopyInto(out *FirewallRuleSpec) { + *out = *in + if in.IcmpType != nil { + in, out := &in.IcmpType, &out.IcmpType + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRuleSpec. +func (in *FirewallRuleSpec) DeepCopy() *FirewallRuleSpec { + if in == nil { + return nil + } + out := new(FirewallRuleSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallSNAT) DeepCopyInto(out *FirewallSNAT) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSNAT. 
+func (in *FirewallSNAT) DeepCopy() *FirewallSNAT { + if in == nil { + return nil + } + out := new(FirewallSNAT) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallSNAT) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallSNATList) DeepCopyInto(out *FirewallSNATList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]FirewallSNAT, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSNATList. +func (in *FirewallSNATList) DeepCopy() *FirewallSNATList { + if in == nil { + return nil + } + out := new(FirewallSNATList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallSNATList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallSNATSpec) DeepCopyInto(out *FirewallSNATSpec) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSNATSpec. +func (in *FirewallSNATSpec) DeepCopy() *FirewallSNATSpec { + if in == nil { + return nil + } + out := new(FirewallSNATSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *FirewallZone) DeepCopyInto(out *FirewallZone) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallZone. +func (in *FirewallZone) DeepCopy() *FirewallZone { + if in == nil { + return nil + } + out := new(FirewallZone) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallZone) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallZoneList) DeepCopyInto(out *FirewallZoneList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]FirewallZone, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallZoneList. +func (in *FirewallZoneList) DeepCopy() *FirewallZoneList { + if in == nil { + return nil + } + out := new(FirewallZoneList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *FirewallZoneList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *FirewallZoneSpec) DeepCopyInto(out *FirewallZoneSpec) { + *out = *in + if in.Network != nil { + in, out := &in.Network, &out.Network + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.MasqSrc != nil { + in, out := &in.MasqSrc, &out.MasqSrc + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.MasqDest != nil { + in, out := &in.MasqDest, &out.MasqDest + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Subnet != nil { + in, out := &in.Subnet, &out.Subnet + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallZoneSpec. +func (in *FirewallZoneSpec) DeepCopy() *FirewallZoneSpec { + if in == nil { + return nil + } + out := new(FirewallZoneSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Mwan3Policy) DeepCopyInto(out *Mwan3Policy) { *out = *in diff --git a/platform/crd-ctrlr/src/basehandler/isdewanhandler.go b/platform/crd-ctrlr/src/basehandler/isdewanhandler.go index fda9ccd..bb5b3e2 100644 --- a/platform/crd-ctrlr/src/basehandler/isdewanhandler.go +++ b/platform/crd-ctrlr/src/basehandler/isdewanhandler.go @@ -4,10 +4,9 @@ import ( "context" appsv1 "k8s.io/api/apps/v1" "k8s.io/apimachinery/pkg/runtime" + "sdewan.akraino.org/sdewan/openwrt" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - - "sdewan.akraino.org/sdewan/openwrt" ) type ISdewanHandler interface { diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewalldnats.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewalldnats.yaml new file mode 100644 index 0000000..4fd61ba --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewalldnats.yaml 
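Review bot: the isdewanhandler.go hunk only moves the local `sdewan.akraino.org/sdewan/openwrt` import out of its own group into the third-party group; that is an unrelated formatting change in a feature commit and loses the stdlib / third-party / local grouping the file had, so drop it here or land it separately. The zz_generated.deepcopy.go additions look consistent with the types: the plain `*out = *in` copies for FirewallDNATSpec, FirewallSNATSpec and FirewallForwardingSpec match specs made only of scalar strings, while FirewallRuleSpec copies `IcmpType` and FirewallZoneSpec copies `Network`, `MasqSrc`, `MasqDest` and `Subnet`.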
@@ -0,0 +1,97 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewalldnats.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallDNAT + listKind: FirewallDNATList + plural: firewalldnats + singular: firewalldnat + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallDNAT is the Schema for the firewalldnats API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallDNATSpec defines the desired state of FirewallDNAT + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + family: + type: string + mark: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + proto: + type: string + src: + type: string + src_dip: + type: string + src_dport: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallforwardings.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallforwardings.yaml new file mode 100644 index 0000000..4beabd1 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallforwardings.yaml 
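Review bot: the CRD is emitted as `apiextensions.k8s.io/v1beta1` (the controller-gen v0.2.5 default, deprecated since Kubernetes 1.16) with no `preserveUnknownFields: false`, so the apiserver stores any extra key a user puts under `spec` instead of pruning or rejecting it; a misspelled key is accepted, never lands in `FirewallDNATSpec`, and the rule is applied without it. Generate with `crd:crdVersions=v1`, where pruning is mandatory, or add `preserveUnknownFields: false` to the v1beta1 output so the schema actually gates what reaches the CNF. Separately, `spec.name` carries the scaffold text `INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file` as its description, which is what `kubectl explain firewalldnat.spec.name` will show; fix the comment in the Go type rather than this generated file.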
@@ -0,0 +1,77 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallforwardings.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallForwarding + listKind: FirewallForwardingList + plural: firewallforwardings + singular: firewallforwarding + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallForwarding is the Schema for the firewallforwardings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallForwardingSpec defines the desired state of FirewallForwarding + properties: + dest: + type: string + family: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + src: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallrules.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallrules.yaml new file mode 100644 index 0000000..f792280 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallrules.yaml 
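Review bot: nothing under `spec` is marked `required` here, unlike `network` in the firewallzones schema, yet a forwarding between zones is meaningless without both `src` and `dest`; mark both required (drop `omitempty` from their json tags in the Go type) so the apiserver rejects a CR that would otherwise reach the handler with empty zone names. The `spec.name` description is again the scaffold placeholder.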
@@ -0,0 +1,103 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallrules.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallRule + listKind: FirewallRuleList + plural: firewallrules + singular: firewallrule + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallRule is the Schema for the firewallrules API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallRuleSpec defines the desired state of FirewallRule + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + extra: + type: string + family: + type: string + icmp_type: + items: + type: string + type: array + mark: + type: string + name: + description: Foo is an example field of FirewallRule. 
Edit FirewallRule_types.go + to remove/update + type: string + proto: + type: string + set_mark: + type: string + set_xmark: + type: string + src: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallsnats.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallsnats.yaml new file mode 100644 index 0000000..bc21ad9 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallsnats.yaml 
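Review bot: `target` is an unconstrained, optional string, so a FirewallRule with `target: ACEPT`, or with no target at all, passes admission and the outcome is decided by the CNF rather than by the API; for a resource that opens or closes traffic, an Enum marker on the Go field listing the targets the firewall accepts (e.g. ACCEPT, REJECT, DROP) plus `required` would make the intent of every rule visible and checkable in the cluster. `icmp_type` is correctly the only array property, matching the `IcmpType` slice copy in zz_generated.deepcopy.go. The `spec.name` description is the `Foo is an example field of FirewallRule` placeholder from the Go comment.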
@@ -0,0 +1,97 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallsnats.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallSNAT + listKind: FirewallSNATList + plural: firewallsnats + singular: firewallsnat + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallSNAT is the Schema for the firewallsnats API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallSNATSpec defines the desired state of FirewallSNAT + properties: + dest: + type: string + dest_ip: + type: string + dest_port: + type: string + family: + type: string + mark: + type: string + name: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + type: string + proto: + type: string + src: + type: string + src_dip: + type: string + src_dport: + type: string + src_ip: + type: string + src_mac: + type: string + src_port: + type: string + target: + type: string + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallzones.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallzones.yaml new file mode 100644 index 0000000..5dc1154 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_firewallzones.yaml 
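Review bot: this schema is property-for-property identical to firewalldnats (the same fourteen fields, including a free-form `target`), so the only thing distinguishing a source NAT from a destination NAT in the API is the Kind, while `target` still lets a FirewallSNAT request `DNAT` or any other string. Either drop `target` from both specs and have the handler derive it from the Kind, or constrain it per Kind with an Enum, so that a SNAT CR cannot be turned into a port forward. If only some of `src_dip`/`src_dport` and `dest_ip`/`dest_port` are meaningful for each Kind, document which ones are honoured.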
@@ -0,0 +1,107 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: firewallzones.batch.sdewan.akraino.org +spec: + group: batch.sdewan.akraino.org + names: + kind: FirewallZone + listKind: FirewallZoneList + plural: firewallzones + singular: firewallzone + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: FirewallZone is the Schema for the firewallzones API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FirewallZoneSpec defines the desired state of FirewallZone + properties: + etra_dest: + type: string + extra_src: + type: string + family: + type: string + forward: + type: string + input: + type: string + masq: + type: string + masq_allow_invalid: + type: string + masq_dest: + items: + type: string + type: array + masq_src: + items: + type: string + type: array + mtu_fix: + type: string + name: + description: Foo is an example field of FirewallZone. 
Edit FirewallZone_types.go + to remove/update + type: string + network: + items: + type: string + type: array + output: + type: string + subnet: + items: + type: string + type: array + required: + - network + type: object + status: + description: status subsource used for Sdewan rule CRDs + properties: + appliedGeneration: + format: int64 + type: integer + appliedTime: + format: date-time + type: string + message: + type: string + state: + type: string + required: + - state + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/platform/crd-ctrlr/src/config/crd/kustomization.yaml b/platform/crd-ctrlr/src/config/crd/kustomization.yaml index 3535427..3d5d1f6 100644 --- a/platform/crd-ctrlr/src/config/crd/kustomization.yaml +++ b/platform/crd-ctrlr/src/config/crd/kustomization.yaml @@ -4,6 +4,11 @@ resources: - bases/batch.sdewan.akraino.org_mwan3policies.yaml - bases/batch.sdewan.akraino.org_mwan3rules.yaml +- bases/batch.sdewan.akraino.org_firewallzones.yaml +- bases/batch.sdewan.akraino.org_firewallrules.yaml +- bases/batch.sdewan.akraino.org_firewallsnats.yaml +- bases/batch.sdewan.akraino.org_firewalldnats.yaml +- bases/batch.sdewan.akraino.org_firewallforwardings.yaml # +kubebuilder:scaffold:crdkustomizeresource patchesStrategicMerge: 
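Review bot: the `etra_dest` property is the misspelled json tag from `FirewallZoneSpec` surfacing in the schema; fix the tag in FirewallZone_types.go and re-run the manifest generation rather than hand-editing this file, which the `controller-gen.kubebuilder.io/version` annotation marks as generated. Marking `network` required is right; `input`, `forward` and `output` remain free strings for the same reason as in the Go type, so the zone's default policies are not validated at admission. The kustomization resources hunk correctly lists all five new base CRDs.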
@@ -11,12 +16,22 @@ patchesStrategicMerge: # patches here are for enabling the conversion webhook for each CRD #- patches/webhook_in_mwan3policies.yaml #- patches/webhook_in_mwan3rules.yaml +#- patches/webhook_in_firewallzones.yaml +#- patches/webhook_in_firewallrules.yaml +#- patches/webhook_in_firewallsnats.yaml +#- patches/webhook_in_firewalldnats.yaml +#- patches/webhook_in_firewallforwardings.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD #- patches/cainjection_in_mwan3policies.yaml #- patches/cainjection_in_mwan3rules.yaml +#- patches/cainjection_in_firewallzones.yaml +#- patches/cainjection_in_firewallrules.yaml +#- patches/cainjection_in_firewallsnats.yaml +#- patches/cainjection_in_firewalldnats.yaml +#- patches/cainjection_in_firewallforwardings.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewalldnats.yaml b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewalldnats.yaml new file mode 100644 index 0000000..9e7458b --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewalldnats.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: firewalldnats.batch.sdewan.akraino.org diff --git a/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallforwardings.yaml b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallforwardings.yaml new file mode 100644 index 0000000..2717d7f --- /dev/null 
+++ b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallforwardings.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: firewallforwardings.batch.sdewan.akraino.org diff --git a/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallrules.yaml b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallrules.yaml new file mode 100644 index 0000000..8f157fb --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallrules.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: firewallrules.batch.sdewan.akraino.org diff --git a/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallsnats.yaml b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallsnats.yaml new file mode 100644 index 0000000..f51dd82 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallsnats.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: firewallsnats.batch.sdewan.akraino.org 
diff --git a/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallzones.yaml b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallzones.yaml new file mode 100644 index 0000000..cd5db2a --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/cainjection_in_firewallzones.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: firewallzones.batch.sdewan.akraino.org diff --git a/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewalldnats.yaml b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewalldnats.yaml new file mode 100644 index 0000000..1752b89 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewalldnats.yaml @@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: firewalldnats.batch.sdewan.akraino.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallforwardings.yaml b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallforwardings.yaml new file mode 100644 index 0000000..6258c81 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallforwardings.yaml 
@@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: firewallforwardings.batch.sdewan.akraino.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallrules.yaml b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallrules.yaml new file mode 100644 index 0000000..d9d9bc8 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallrules.yaml @@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: firewallrules.batch.sdewan.akraino.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallsnats.yaml b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallsnats.yaml new file mode 100644 index 0000000..9f649b6 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallsnats.yaml 
@@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: firewallsnats.batch.sdewan.akraino.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallzones.yaml b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallzones.yaml new file mode 100644 index 0000000..2f48797 --- /dev/null +++ b/platform/crd-ctrlr/src/config/crd/patches/webhook_in_firewallzones.yaml @@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: firewallzones.batch.sdewan.akraino.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/platform/crd-ctrlr/src/config/local/webhook_config.yaml b/platform/crd-ctrlr/src/config/local/webhook_config.yaml index 9221e05..17651a7 100644 --- a/platform/crd-ctrlr/src/config/local/webhook_config.yaml +++ b/platform/crd-ctrlr/src/config/local/webhook_config.yaml 
@@ -23,6 +23,11 @@ webhooks: resources: - mwan3policies - mwan3rules + - firewalldnats + - firewallforwardings + - firewallrules + - firewallsnats + - firewallzones scope: '*' sideEffects: Unknown timeoutSeconds: 30 diff --git a/platform/crd-ctrlr/src/config/rbac/role.yaml b/platform/crd-ctrlr/src/config/rbac/role.yaml index 4ff0191..ceb67f0 100644 --- a/platform/crd-ctrlr/src/config/rbac/role.yaml +++ b/platform/crd-ctrlr/src/config/rbac/role.yaml @@ -22,6 +22,106 @@ rules: - get - list - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewalldnats + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewalldnats/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallforwardings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallforwardings/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallrules + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallrules/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallsnats + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallsnats/status + verbs: + - get + - patch + - update +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallzones + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch.sdewan.akraino.org + resources: + - firewallzones/status + verbs: + - get + - patch + - update - apiGroups: - batch.sdewan.akraino.org resources: 
diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml new file mode 100644 index 0000000..1929bd2 --- /dev/null +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: batch.sdewan.akraino.org/v1alpha1 +kind: FirewallDNAT +metadata: + name: firewalldnat-sample + namespace: default + labels: + sdewanPurpose: cnf1 +spec: + src: firewallzone-sample + src_ip: 192.168.1.2 + src_dip: 1.2.3.4 + dest: firewallzone-sample2 + proto: icmp + diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml new file mode 100644 index 0000000..aa77e13 --- /dev/null +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: batch.sdewan.akraino.org/v1alpha1 +kind: FirewallForwarding +metadata: + name: firewallforwarding-sample + namespace: default + labels: + sdewanPurpose: cnf1 + sdewan-bucket-type: app-intent +spec: + # Add fields here + src: firewallzone-sample2 + dest: firewallzone-sample diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml new file mode 100644 index 0000000..c77b9d3 --- /dev/null +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: batch.sdewan.akraino.org/v1alpha1 +kind: FirewallRule +metadata: + name: firewallrule-sample + namespace: default + labels: + sdewanPurpose: cnf1 +spec: + # Add fields here + src: firewallzone-sample + src_ip: "192.168.2.2" + src_port: "80" + proto: tcp + target: REJECT 
diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml new file mode 100644 index 0000000..108a6cd --- /dev/null +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: batch.sdewan.akraino.org/v1alpha1 +kind: FirewallSNAT +metadata: + name: firewallsnat-sample + namespace: default + labels: + sdewanPurpose: cnf1 +spec: + src: firewallzone-sample + src_ip: 192.168.1.2 + src_dip: 1.2.3.5 + dest: firewallzone-sample2 + proto: icmp diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml new file mode 100644 index 0000000..f4a4d7c --- /dev/null +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: batch.sdewan.akraino.org/v1alpha1 +kind: FirewallZone +metadata: + name: firewallzone-sample + namespace: default + labels: + sdewanPurpose: cnf1 +spec: + # Add fields here + network: + - ovn-net1 + - ovn-net2 + input: ACCEPT + output: ACCEPT \ No newline at end of file diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml new file mode 100644 index 0000000..632c6fa --- /dev/null +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: batch.sdewan.akraino.org/v1alpha1 +kind: FirewallZone +metadata: + name: firewallzone-sample2 + namespace: default + labels: + sdewanPurpose: cnf1 +spec: + # Add fields here + network: + - "ovn-net1" + - "ovn-net2" + input: ACCEPT + output: ACCEPT \ No newline at end of file diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml index 4acddb9..8d631de 100644 
--- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml @@ -1,3 +1,4 @@ +--- apiVersion: batch.sdewan.akraino.org/v1alpha1 kind: Mwan3Policy metadata: diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml index 9316f03..ca5c555 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml @@ -1,3 +1,4 @@ +--- apiVersion: batch.sdewan.akraino.org/v1alpha1 kind: Mwan3Rule metadata: diff --git a/platform/crd-ctrlr/src/config/webhook/manifests.yaml b/platform/crd-ctrlr/src/config/webhook/manifests.yaml index 0acbf0d..bd55f32 100644 --- a/platform/crd-ctrlr/src/config/webhook/manifests.yaml +++ b/platform/crd-ctrlr/src/config/webhook/manifests.yaml @@ -26,3 +26,8 @@ webhooks: resources: - mwan3policies - mwan3rules + - firewallzones + - firewallforwardings + - firewallrules + - firewallsnats + - firewalldnats diff --git a/platform/crd-ctrlr/src/controllers/base_controller.go b/platform/crd-ctrlr/src/controllers/base_controller.go index b86e198..4b7f282 100644 --- a/platform/crd-ctrlr/src/controllers/base_controller.go +++ b/platform/crd-ctrlr/src/controllers/base_controller.go @@ -18,6 +18,7 @@ import ( batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1" "sdewan.akraino.org/sdewan/basehandler" "sdewan.akraino.org/sdewan/cnfprovider" + "sdewan.akraino.org/sdewan/openwrt" ) // Helper functions to check and remove string from a slice of strings. 
@@ -201,14 +202,16 @@ func ProcessReconcile(r client.Client, logger logr.Logger, req ctrl.Request, han _, err := cnf.DeleteObject(handler, instance) if err != nil { - log.Error(err, "Failed to delete "+handler.GetType()) - setStatus(instance, batchv1alpha1.SdewanStatus{State: batchv1alpha1.Deleting, Message: err.Error()}) - err = r.Status().Update(ctx, instance) - if err != nil { - log.Error(err, "Failed to update status for "+handler.GetType()) - return ctrl.Result{}, err + if err.(*openwrt.OpenwrtError).Code != 404 { + log.Error(err, "Failed to delete "+handler.GetType()) + setStatus(instance, batchv1alpha1.SdewanStatus{State: batchv1alpha1.Deleting, Message: err.Error()}) + err = r.Status().Update(ctx, instance) + if err != nil { + log.Error(err, "Failed to update status for "+handler.GetType()) + return ctrl.Result{}, err + } + return ctrl.Result{RequeueAfter: during}, nil } - return ctrl.Result{RequeueAfter: during}, nil } finalizers := getFinalizers(instance) if containsString(finalizers, finalizerName) { diff --git a/platform/crd-ctrlr/src/controllers/firewalldnat_controller.go b/platform/crd-ctrlr/src/controllers/firewalldnat_controller.go new file mode 100644 index 0000000..6303c70 --- /dev/null +++ b/platform/crd-ctrlr/src/controllers/firewalldnat_controller.go 
@@ -0,0 +1,126 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "context" + "reflect" + + "github.com/go-logr/logr" + appsv1 "k8s.io/api/apps/v1" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/predicate" + + batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1" + "sdewan.akraino.org/sdewan/openwrt" +) + +var firewallDnatHandler = new(FirewallDnatHandler) + +type FirewallDnatHandler struct { +} + +func (m *FirewallDnatHandler) GetType() string { + return "FirewallDnat" +} + +func (m *FirewallDnatHandler) GetName(instance runtime.Object) string { + dnat := instance.(*batchv1alpha1.FirewallDNAT) + return dnat.Name +} + +func (m *FirewallDnatHandler) GetFinalizer() string { + return "dnat.finalizers.sdewan.akraino.org" +} + +func (m *FirewallDnatHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) { + instance := &batchv1alpha1.FirewallDNAT{} + err := r.Get(ctx, req.NamespacedName, instance) + return instance, err +} + +//pupulate "dnat" to target field as default value +//copy "name" field value from metadata to SPEC.name +func (m *FirewallDnatHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) { + firewalldnat := instance.(*batchv1alpha1.FirewallDNAT) + firewalldnat.Spec.Name = 
firewalldnat.ObjectMeta.Name + firewalldnat.Spec.Target = "DNAT" + firewalldnatObject := openwrt.SdewanFirewallRedirect(firewalldnat.Spec) + return &firewalldnatObject, nil +} + +func (m *FirewallDnatHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool { + dnat1 := instance1.(*openwrt.SdewanFirewallRedirect) + dnat2 := instance2.(*openwrt.SdewanFirewallRedirect) + return reflect.DeepEqual(*dnat1, *dnat2) +} + +func (m *FirewallDnatHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + ret, err := firewall.GetRedirect(name) + return ret, err +} + +func (m *FirewallDnatHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + dnat := instance.(*openwrt.SdewanFirewallRedirect) + return firewall.CreateRedirect(*dnat) +} + +func (m *FirewallDnatHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + dnat := instance.(*openwrt.SdewanFirewallRedirect) + return firewall.UpdateRedirect(*dnat) +} + +func (m *FirewallDnatHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + return firewall.DeleteRedirect(name) +} + +func (m *FirewallDnatHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + service := openwrt.ServiceClient{OpenwrtClient: openwrtClient} + 
return service.ExecuteService("firewall", "restart") +} + +// FirewallDNATReconciler reconciles a FirewallDNAT object +type FirewallDNATReconciler struct { + client.Client + Log logr.Logger + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewalldnats,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewalldnats/status,verbs=get;update;patch + +func (r *FirewallDNATReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { + return ProcessReconcile(r, r.Log, req, firewallDnatHandler) +} + +func (r *FirewallDNATReconciler) SetupWithManager(mgr ctrl.Manager) error { + ps := builder.WithPredicates(predicate.GenerationChangedPredicate{}) + return ctrl.NewControllerManagedBy(mgr). + For(&batchv1alpha1.FirewallDNAT{}, ps). + Complete(r) +} diff --git a/platform/crd-ctrlr/src/controllers/firewallforwarding_controller.go b/platform/crd-ctrlr/src/controllers/firewallforwarding_controller.go new file mode 100644 index 0000000..3cdaa22 --- /dev/null +++ b/platform/crd-ctrlr/src/controllers/firewallforwarding_controller.go 
@@ -0,0 +1,123 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "context" + "reflect" + + "github.com/go-logr/logr" + appsv1 "k8s.io/api/apps/v1" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/predicate" + + batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1" + "sdewan.akraino.org/sdewan/openwrt" +) + +var firewallForwardingHandler = new(FirewallForwardingHandler) + +type FirewallForwardingHandler struct { +} + +func (m *FirewallForwardingHandler) GetType() string { + return "FirewallForwarding" +} + +func (m *FirewallForwardingHandler) GetName(instance runtime.Object) string { + forwarding := instance.(*batchv1alpha1.FirewallForwarding) + return forwarding.Name +} + +func (m *FirewallForwardingHandler) GetFinalizer() string { + return "forwarding.finalizers.sdewan.akraino.org" +} + +func (m *FirewallForwardingHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) { + instance := &batchv1alpha1.FirewallForwarding{} + err := r.Get(ctx, req.NamespacedName, instance) + return instance, err +} + +func (m *FirewallForwardingHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) { + firewallforwarding := instance.(*batchv1alpha1.FirewallForwarding) + firewallforwarding.Spec.Name = 
firewallforwarding.ObjectMeta.Name + firewallforwardingObject := openwrt.SdewanFirewallForwarding(firewallforwarding.Spec) + return &firewallforwardingObject, nil +} + +func (m *FirewallForwardingHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool { + forwarding1 := instance1.(*openwrt.SdewanFirewallForwarding) + forwarding2 := instance2.(*openwrt.SdewanFirewallForwarding) + return reflect.DeepEqual(*forwarding1, *forwarding2) +} + +func (m *FirewallForwardingHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + ret, err := firewall.GetForwarding(name) + return ret, err +} + +func (m *FirewallForwardingHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + forwarding := instance.(*openwrt.SdewanFirewallForwarding) + return firewall.CreateForwarding(*forwarding) +} + +func (m *FirewallForwardingHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + forwarding := instance.(*openwrt.SdewanFirewallForwarding) + return firewall.UpdateForwarding(*forwarding) +} + +func (m *FirewallForwardingHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + return firewall.DeleteForwarding(name) +} + +func (m *FirewallForwardingHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) { + openwrtClient := 
openwrt.GetOpenwrtClient(*clientInfo) + service := openwrt.ServiceClient{OpenwrtClient: openwrtClient} + return service.ExecuteService("firewall", "restart") +} + +// FirewallForwardingReconciler reconciles a FirewallForwarding object +type FirewallForwardingReconciler struct { + client.Client + Log logr.Logger + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallforwardings,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallforwardings/status,verbs=get;update;patch + +func (r *FirewallForwardingReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { + return ProcessReconcile(r, r.Log, req, firewallForwardingHandler) +} + +func (r *FirewallForwardingReconciler) SetupWithManager(mgr ctrl.Manager) error { + ps := builder.WithPredicates(predicate.GenerationChangedPredicate{}) + return ctrl.NewControllerManagedBy(mgr). + For(&batchv1alpha1.FirewallForwarding{}, ps). + Complete(r) +} diff --git a/platform/crd-ctrlr/src/controllers/firewallrule_controller.go b/platform/crd-ctrlr/src/controllers/firewallrule_controller.go new file mode 100644 index 0000000..b3a2999 --- /dev/null +++ b/platform/crd-ctrlr/src/controllers/firewallrule_controller.go 
@@ -0,0 +1,123 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "context" + "reflect" + + "github.com/go-logr/logr" + appsv1 "k8s.io/api/apps/v1" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/predicate" + + batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1" + "sdewan.akraino.org/sdewan/openwrt" +) + +var firewallRuleHandler = new(FirewallRuleHandler) + +type FirewallRuleHandler struct { +} + +func (m *FirewallRuleHandler) GetType() string { + return "FirewallRule" +} + +func (m *FirewallRuleHandler) GetName(instance runtime.Object) string { + rule := instance.(*batchv1alpha1.FirewallRule) + return rule.Name +} + +func (m *FirewallRuleHandler) GetFinalizer() string { + return "rule.finalizers.sdewan.akraino.org" +} + +func (m *FirewallRuleHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) { + instance := &batchv1alpha1.FirewallRule{} + err := r.Get(ctx, req.NamespacedName, instance) + return instance, err +} + +func (m *FirewallRuleHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) { + firewallrule := instance.(*batchv1alpha1.FirewallRule) + firewallrule.Spec.Name = firewallrule.ObjectMeta.Name + firewallruleObject := openwrt.SdewanFirewallRule(firewallrule.Spec) + return 
&firewallruleObject, nil +} + +func (m *FirewallRuleHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool { + rule1 := instance1.(*openwrt.SdewanFirewallRule) + rule2 := instance2.(*openwrt.SdewanFirewallRule) + return reflect.DeepEqual(*rule1, *rule2) +} + +func (m *FirewallRuleHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + ret, err := firewall.GetRule(name) + return ret, err +} + +func (m *FirewallRuleHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + rule := instance.(*openwrt.SdewanFirewallRule) + return firewall.CreateRule(*rule) +} + +func (m *FirewallRuleHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + rule := instance.(*openwrt.SdewanFirewallRule) + return firewall.UpdateRule(*rule) +} + +func (m *FirewallRuleHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + return firewall.DeleteRule(name) +} + +func (m *FirewallRuleHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + service := openwrt.ServiceClient{OpenwrtClient: openwrtClient} + return service.ExecuteService("firewall", "restart") +} + +// FirewallRuleReconciler reconciles a FirewallRule object +type FirewallRuleReconciler struct { + client.Client + Log 
logr.Logger + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallrules,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallrules/status,verbs=get;update;patch + +func (r *FirewallRuleReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { + return ProcessReconcile(r, r.Log, req, firewallRuleHandler) +} + +func (r *FirewallRuleReconciler) SetupWithManager(mgr ctrl.Manager) error { + ps := builder.WithPredicates(predicate.GenerationChangedPredicate{}) + return ctrl.NewControllerManagedBy(mgr). + For(&batchv1alpha1.FirewallRule{}, ps). + Complete(r) +} diff --git a/platform/crd-ctrlr/src/controllers/firewallsnat_controller.go b/platform/crd-ctrlr/src/controllers/firewallsnat_controller.go new file mode 100644 index 0000000..6538885 --- /dev/null +++ b/platform/crd-ctrlr/src/controllers/firewallsnat_controller.go 
@@ -0,0 +1,126 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "context" + "reflect" + + "github.com/go-logr/logr" + appsv1 "k8s.io/api/apps/v1" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/predicate" + + batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1" + "sdewan.akraino.org/sdewan/openwrt" +) + +var firewallSnatHandler = new(FirewallSnatHandler) + +type FirewallSnatHandler struct { +} + +func (m *FirewallSnatHandler) GetType() string { + return "FirewallSnat" +} + +func (m *FirewallSnatHandler) GetName(instance runtime.Object) string { + snat := instance.(*batchv1alpha1.FirewallSNAT) + return snat.Name +} + +func (m *FirewallSnatHandler) GetFinalizer() string { + return "snat.finalizers.sdewan.akraino.org" +} + +func (m *FirewallSnatHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) { + instance := &batchv1alpha1.FirewallSNAT{} + err := r.Get(ctx, req.NamespacedName, instance) + return instance, err +} + +//pupulate "snat" to target field as default value +//copy "name" field value from metadata to SPEC.name +func (m *FirewallSnatHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) { + firewallsnat := instance.(*batchv1alpha1.FirewallSNAT) + firewallsnat.Spec.Name = 
firewallsnat.ObjectMeta.Name + firewallsnat.Spec.Target = "SNAT" + firewallsnatObject := openwrt.SdewanFirewallRedirect(firewallsnat.Spec) + return &firewallsnatObject, nil +} + +func (m *FirewallSnatHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool { + snat1 := instance1.(*openwrt.SdewanFirewallRedirect) + snat2 := instance2.(*openwrt.SdewanFirewallRedirect) + return reflect.DeepEqual(*snat1, *snat2) +} + +func (m *FirewallSnatHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + ret, err := firewall.GetRedirect(name) + return ret, err +} + +func (m *FirewallSnatHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + snat := instance.(*openwrt.SdewanFirewallRedirect) + return firewall.CreateRedirect(*snat) +} + +func (m *FirewallSnatHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + snat := instance.(*openwrt.SdewanFirewallRedirect) + return firewall.UpdateRedirect(*snat) +} + +func (m *FirewallSnatHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + return firewall.DeleteRedirect(name) +} + +func (m *FirewallSnatHandler) Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + service := openwrt.ServiceClient{OpenwrtClient: openwrtClient} + 
return service.ExecuteService("firewall", "restart") +} + +// FirewallSNATReconciler reconciles a FirewallSNAT object +type FirewallSNATReconciler struct { + client.Client + Log logr.Logger + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallsnats,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallsnats/status,verbs=get;update;patch + +func (r *FirewallSNATReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { + return ProcessReconcile(r, r.Log, req, firewallSnatHandler) +} + +func (r *FirewallSNATReconciler) SetupWithManager(mgr ctrl.Manager) error { + ps := builder.WithPredicates(predicate.GenerationChangedPredicate{}) + return ctrl.NewControllerManagedBy(mgr). + For(&batchv1alpha1.FirewallSNAT{}, ps). + Complete(r) +} diff --git a/platform/crd-ctrlr/src/controllers/firewallzone_controller.go b/platform/crd-ctrlr/src/controllers/firewallzone_controller.go new file mode 100644 index 0000000..bae5ca7 --- /dev/null +++ b/platform/crd-ctrlr/src/controllers/firewallzone_controller.go 
@@ -0,0 +1,133 @@ +/* + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "context" + "reflect" + + "github.com/go-logr/logr" + appsv1 "k8s.io/api/apps/v1" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/predicate" + + batchv1alpha1 "sdewan.akraino.org/sdewan/api/v1alpha1" + "sdewan.akraino.org/sdewan/openwrt" +) + +var firewallZoneHandler = new(FirewallZoneHandler) + +type FirewallZoneHandler struct { +} + +func (m *FirewallZoneHandler) GetType() string { + return "FirewallZone" +} + +func (m *FirewallZoneHandler) GetName(instance runtime.Object) string { + zone := instance.(*batchv1alpha1.FirewallZone) + return zone.Name +} + +func (m *FirewallZoneHandler) GetFinalizer() string { + return "rule.finalizers.sdewan.akraino.org" +} + +func (m *FirewallZoneHandler) GetInstance(r client.Client, ctx context.Context, req ctrl.Request) (runtime.Object, error) { + instance := &batchv1alpha1.FirewallZone{} + err := r.Get(ctx, req.NamespacedName, instance) + return instance, err +} + +func (m *FirewallZoneHandler) Convert(instance runtime.Object, deployment appsv1.Deployment) (openwrt.IOpenWrtObject, error) { + firewallzone := instance.(*batchv1alpha1.FirewallZone) + instance_to_convert := batchv1alpha1.FirewallZoneSpec(firewallzone.Spec) + networks := make([]string, len(instance_to_convert.Network)) + for 
index, network := range instance_to_convert.Network { + if iface, err := net2iface(network, deployment); err != nil { + return nil, err + } else { + networks[index] = iface + } + } + instance_to_convert.Name = firewallzone.ObjectMeta.Name + instance_to_convert.Network = networks + firewallzoneObject := openwrt.SdewanFirewallZone(instance_to_convert) + return &firewallzoneObject, nil +} + +func (m *FirewallZoneHandler) IsEqual(instance1 openwrt.IOpenWrtObject, instance2 openwrt.IOpenWrtObject) bool { + zone1 := instance1.(*openwrt.SdewanFirewallZone) + zone2 := instance2.(*openwrt.SdewanFirewallZone) + return reflect.DeepEqual(*zone1, *zone2) +} + +func (m *FirewallZoneHandler) GetObject(clientInfo *openwrt.OpenwrtClientInfo, name string) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + ret, err := firewall.GetZone(name) + return ret, err +} + +func (m *FirewallZoneHandler) CreateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + zone := instance.(*openwrt.SdewanFirewallZone) + return firewall.CreateZone(*zone) +} + +func (m *FirewallZoneHandler) UpdateObject(clientInfo *openwrt.OpenwrtClientInfo, instance openwrt.IOpenWrtObject) (openwrt.IOpenWrtObject, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + zone := instance.(*openwrt.SdewanFirewallZone) + return firewall.UpdateZone(*zone) +} + +func (m *FirewallZoneHandler) DeleteObject(clientInfo *openwrt.OpenwrtClientInfo, name string) error { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + firewall := openwrt.FirewallClient{OpenwrtClient: openwrtClient} + return firewall.DeleteZone(name) +} + +func (m *FirewallZoneHandler) 
Restart(clientInfo *openwrt.OpenwrtClientInfo) (bool, error) { + openwrtClient := openwrt.GetOpenwrtClient(*clientInfo) + service := openwrt.ServiceClient{OpenwrtClient: openwrtClient} + return service.ExecuteService("firewall", "restart") +} + +// FirewallZoneReconciler reconciles a FirewallZone object +type FirewallZoneReconciler struct { + client.Client + Log logr.Logger + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallzones,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=batch.sdewan.akraino.org,resources=firewallzones/status,verbs=get;update;patch + +func (r *FirewallZoneReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { + return ProcessReconcile(r, r.Log, req, firewallZoneHandler) +} + +func (r *FirewallZoneReconciler) SetupWithManager(mgr ctrl.Manager) error { + ps := builder.WithPredicates(predicate.GenerationChangedPredicate{}) + return ctrl.NewControllerManagedBy(mgr). + For(&batchv1alpha1.FirewallZone{}, ps). + Complete(r) +} diff --git a/platform/crd-ctrlr/src/controllers/suite_test.go b/platform/crd-ctrlr/src/controllers/suite_test.go index b93ab6e..176be3c 100644 --- a/platform/crd-ctrlr/src/controllers/suite_test.go +++ b/platform/crd-ctrlr/src/controllers/suite_test.go @@ -68,6 +68,21 @@ var _ = BeforeSuite(func(done Done) { err = batchv1alpha1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) + err = batchv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = batchv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = batchv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = batchv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = batchv1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + // +kubebuilder:scaffold:scheme k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 
diff --git a/platform/crd-ctrlr/src/main.go b/platform/crd-ctrlr/src/main.go index 215328c..6ff7658 100644 --- a/platform/crd-ctrlr/src/main.go +++ b/platform/crd-ctrlr/src/main.go @@ -119,6 +119,46 @@ func main() { setupLog.Error(err, "unable to create webhook", "webhook", "Mwan3Policy") os.Exit(1) } + if err = (&controllers.FirewallZoneReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("FirewallZone"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "FirewallZone") + os.Exit(1) + } + if err = (&controllers.FirewallRuleReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("FirewallRule"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "FirewallRule") + os.Exit(1) + } + if err = (&controllers.FirewallSNATReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("FirewallSNAT"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "FirewallSNAT") + os.Exit(1) + } + if err = (&controllers.FirewallDNATReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("FirewallDNAT"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "FirewallDNAT") + os.Exit(1) + } + if err = (&controllers.FirewallForwardingReconciler{ + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controllers").WithName("FirewallForwarding"), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "FirewallForwarding") + os.Exit(1) + } // +kubebuilder:scaffold:builder setupLog.Info("starting manager") 
diff --git a/platform/crd-ctrlr/src/openwrt/firewall.go b/platform/crd-ctrlr/src/openwrt/firewall.go index 0cacfa4..deaa449 100644 --- a/platform/crd-ctrlr/src/openwrt/firewall.go +++ b/platform/crd-ctrlr/src/openwrt/firewall.go @@ -30,6 +30,10 @@ type SdewanFirewallZone struct { ExtraDest string `json:"etra_dest"` } +func (o *SdewanFirewallZone) GetName() string { + return o.Name +} + type SdewanFirewallZones struct { Zones []SdewanFirewallZone `json:"zones"` } @@ -42,6 +46,10 @@ type SdewanFirewallForwarding struct { Family string `json:"family"` } +func (o *SdewanFirewallForwarding) GetName() string { + return o.Name +} + type SdewanFirewallForwardings struct { Forwardings []SdewanFirewallForwarding `json:"forwardings"` } @@ -66,6 +74,10 @@ type SdewanFirewallRule struct { Extra string `json:"extra"` } +func (o *SdewanFirewallRule) GetName() string { + return o.Name +} + type SdewanFirewallRules struct { Rules []SdewanFirewallRule `json:"rules"` } @@ -88,6 +100,10 @@ type SdewanFirewallRedirect struct { Family string `json:"family"` } +func (o *SdewanFirewallRedirect) GetName() string { + return o.Name +} + type SdewanFirewallRedirects struct { Redirects []SdewanFirewallRedirect `json:"redirects"` }
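Review bot: in `FirewallSnatHandler.Convert` (firewallsnat_controller.go), `firewallsnat.Spec.Target = "SNAT"` writes into the Spec of the CR instance that was fetched from the API server, so any later `Update` of that same instance (for example when the finalizer is added after a successful AddUpdate) persists the rewritten Target into the user's stored object and bumps its generation, which the `GenerationChangedPredicate` then turns into one more reconcile. The zone handler avoids this by copying first (`instance_to_convert := batchv1alpha1.FirewallZoneSpec(firewallzone.Spec)`); do the same here and set Target on the copy. Pinning Target is the right call, since it prevents a FirewallSNAT CR from being turned into a DNAT redirect, but it should not leak into the stored spec. Relatedly, `GetRedirect(name)`, `UpdateRedirect`, and `DeleteRedirect(name)` are keyed only on `firewallsnat.ObjectMeta.Name`; if FirewallDNAT is mapped onto the same OpenWrt redirect section, an SNAT CR and a DNAT CR with the same name will read, overwrite, and delete each other's entry, and a per-kind prefix in the converted name would avoid that.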
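Review bot: `FirewallZoneHandler.GetFinalizer` (firewallzone_controller.go) returns `rule.finalizers.sdewan.akraino.org`, which reads as a copy-paste from the rule handler; either use a zone-specific string or, if one finalizer is intended for every CRD, hoist it into a shared constant so it is obvious which controller owns cleanup when someone inspects a stuck object. Two smaller points in the same file: the error from `net2iface(network, deployment)` is returned without saying which entry of `Network` failed to map, which makes the resulting reconcile error hard to act on, and `IsEqual` compares the whole `SdewanFirewallZone` with `reflect.DeepEqual`, so any field the CNF normalises on read (defaults, or the order of `Network`) will make every reconcile call `UpdateZone` and then a full `ExecuteService("firewall", "restart")`. Comparing only the fields the CR sets, and checking whether a firewall reload is sufficient instead of a restart, would keep a steady-state CR from repeatedly disturbing the CNF's rule set.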
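Review bot: the five added `err = batchv1alpha1.AddToScheme(scheme.Scheme)` blocks in suite_test.go are identical to the call already present on the line above them; all of the new CRDs live in the same `batchv1alpha1` group, so one registration covers them and the duplicates should be dropped rather than left to look like five distinct API groups.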
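Review bot: in main.go the five new reconcilers are registered immediately after the Mwan3Policy block that ends with `setupLog.Error(err, "unable to create webhook", "webhook", "Mwan3Policy")`, but no matching webhook setup for FirewallZone, FirewallRule, FirewallSNAT, FirewallDNAT or FirewallForwarding appears in this hunk. If the permission webhook is meant to gate who may create these kinds, please confirm it is registered for them elsewhere in this change; otherwise the controllers will push firewall rules to the CNF for objects that never passed the check. As a style point, the five blocks differ only in the type and name string, so a slice of `{name, reconciler}` pairs iterated once would shrink this and make the next CRD (ipsec) a one-line addition.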
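Review bot: the new `GetName()` methods in openwrt/firewall.go use pointer receivers, which matches the `instance.(*openwrt.SdewanFirewallZone)` style assertions in the handlers, so the `IOpenWrtObject` values passed around must always be pointers; `GetObject` returns `ret` from `firewall.GetZone(name)` / `firewall.GetRedirect(name)` directly, so it is worth confirming those return `*SdewanFirewallZone` / `*SdewanFirewallRedirect` and not values, or the type assertions in `IsEqual` will panic at runtime. While touching this struct, the context line `ExtraDest string `json:"etra_dest"`` looks like a typo for `extra_dest`; if the CNF API uses the latter, that field never round-trips and `IsEqual` will report a permanent difference for any zone CR that sets it.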