From: chengli3
Date: Fri, 12 Jun 2020 08:33:30 +0000 (+0000)
Subject: Prevent updating CNF and CR sdewanpuporse label
X-Git-Tag: v1.0~23
X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F68%2F3568%2F4;p=icn%2Fsdwan.git
Prevent updating CNF and CR sdewanpuporse label
In sdewan, we use label 'sdewanpurpose' to identify a cnf and to match with CRs. Updating cnf sdewanpurpose label value means that deleting old cnf and creating a new cnf. But K8s can only receive an "UPDATE" event, reconcile can only get the current info of the CNF, no previous label value. So it can't remove the old rules. This patch is to prevent updating CNF and CR sdewanpurpose label for simplify.
Signed-off-by: chengli3
Change-Id: I75b7d400981f3103b02c9d73f68d8b62db7da899
---
diff --git a/platform/crd-ctrlr/examples/sdewan-controller.yaml b/platform/crd-ctrlr/examples/sdewan-controller.yaml
index af0694b..98cc9a5 100644
--- a/platform/crd-ctrlr/examples/sdewan-controller.yaml
+++ b/platform/crd-ctrlr/examples/sdewan-controller.yaml
@@ -1319,3 +1319,31 @@ webhooks:
 - firewalldnats
 - ipsecproposals
 - ipsechosts
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: sdewan-webhook-service
+ namespace: sdewan-system
+ path: /validate-label
+ failurePolicy: Fail
+ name: validate-label.akraino.org
+ rules:
+ - apiGroups:
+ - apps
+ - batch.sdewan.akraino.org
+ apiVersions:
+ - v1
+ - v1alpha1
+ operations:
+ - UPDATE
+ resources:
+ - deployments
+ - mwan3policies
+ - mwan3rules
+ - firewallzones
+ - firewallforwardings
+ - firewallrules
+ - firewallsnats
+ - firewalldnats
+ - ipsecproposals
+ - ipsechosts
diff --git a/platform/crd-ctrlr/src/api/v1alpha1/label_validate_webhook.go b/platform/crd-ctrlr/src/api/v1alpha1/label_validate_webhook.go
new file mode 100644
index 0000000..5fe404e
--- /dev/null
+++ b/platform/crd-ctrlr/src/api/v1alpha1/label_validate_webhook.go
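Review bot: The new validate-label entry matches every `deployments` object in the `apps` group, cluster-wide, with `failurePolicy: Fail` and no `objectSelector` or `namespaceSelector`, so an outage, timeout or certificate problem of `sdewan-webhook-service` blocks all Deployment updates in the cluster, not only SDEWAN CNFs. Scoping the rule to objects that actually carry the label keeps the immutability check for them while limiting the blast radius: `objectSelector: {matchExpressions: [{key: sdewanPurpose, operator: Exists}]}` (on UPDATE the selector is evaluated against both old and new object, so removing the label is still intercepted). `caBundle: Cg==` is a placeholder that has to be replaced with the serving CA at deploy time (for example by cert-manager CA injection); if nothing patches it, the API server cannot verify the webhook and, under this failure policy, the same updates are denied. A short comment above the entry saying which mechanism fills the bundle in would spare the next operator that debugging session.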
@@ -0,0 +1,115 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "net/http"
+ "reflect"
+
+ appsv1 "k8s.io/api/apps/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// log is for logging in this package.
+var label_check_log = logf.Log.WithName("label-validator")
+
+func SetupLabelValidateWebhookWithManager(mgr ctrl.Manager) error {
+ mgr.GetWebhookServer().Register(
+ "/validate-label",
+ &webhook.Admission{Handler: &labelValidator{Client: mgr.GetClient()}})
+ return nil
+}
+
+// +kubebuilder:webhook:path=/validate-label,mutating=false,failurePolicy=fail,groups=apps;batch.sdewan.akraino.org,resources=deployments;mwan3policies;mwan3rules;firewallzones;firewallforwardings;firewallrules;firewallsnats;firewalldnats;ipsecproposals;ipsechosts,verbs=update,versions=v1;v1alpha1,name=validate-label.akraino.org
+
+type labelValidator struct {
+ Client client.Client
+ decoder *admission.Decoder
+}
+
+func (v *labelValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+ var obj runtime.Object
+ switch req.Kind.Kind {
+ case "Deployment":
+ obj = &appsv1.Deployment{}
+ case "Mwan3Policy":
+ obj = &Mwan3Policy{}
+ case "Mwan3Rule":
+ obj = &Mwan3Rule{}
+ case "FirewallForwarding":
+ obj = &FirewallForwarding{}
+ case "FirewallZone":
+ obj = &FirewallZone{}
+ case "FirewallRule":
+ obj = &FirewallRule{}
+ case "FirewallDNAT":
+ obj = &FirewallDNAT{}
+ case "FirewallSNAT":
+ obj = &FirewallSNAT{}
+ case "IpsecProposal":
+ obj = &IpsecProposal{}
+ case "IpsecHost":
+ obj = &IpsecHost{}
+ default:
+ return admission.Errored(
+ http.StatusBadRequest,
+ errors.New(fmt.Sprintf("Kind is not supported: %v", req.Kind)))
+ }
+
+ if req.Operation != "UPDATE" {
+ return admission.Allowed("")
+ } else {
+ oldobj := obj.DeepCopyObject()
+ err1 := v.decoder.DecodeRaw(req.OldObject, oldobj)
+ old_value := get_label(oldobj, "sdewanPurpose")
+ err2 := v.decoder.Decode(req, obj)
+ new_value := get_label(obj, "sdewanPurpose")
+ if err1 != nil || err2 != nil {
+ return admission.Errored(http.StatusBadRequest, errors.New("object Decode error"))
+ }
+ if old_value != new_value {
+ return admission.Denied(fmt.Sprintf("Label 'sdewanPurpose' is immutable"))
+ }
+ return admission.Allowed("")
+ }
+}
+
+func get_label(oldobj runtime.Object, name string) string {
+ metadata := reflect.ValueOf(oldobj).Elem().Field(1).Interface().(metav1.ObjectMeta)
+ if value, ok := metadata.Labels[name]; ok {
+ return value
+ } else {
+ return ""
+ }
+}
+
+// labelValidator implements admission.DecoderInjector.
+// A decoder will be automatically injected.
+
+// InjectDecoder injects the decoder.
+func (v *labelValidator) InjectDecoder(d *admission.Decoder) error {
+ v.decoder = d
+ return nil
+}
diff --git a/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go b/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go
index 3e01a17..29e7f04 100644
--- a/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go
+++ b/platform/crd-ctrlr/src/api/v1alpha1/zz_generated.deepcopy.go
@@ -467,25 +467,6 @@ func (in *FirewallZoneSpec) DeepCopy() *FirewallZoneSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IpsecProposal) DeepCopyInto(out *IpsecProposal) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposal. -func (in *IpsecProposal) DeepCopy() *IpsecProposal { - if in == nil { - return nil - } - out := new(IpsecProposal) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IpsecHost) DeepCopyInto(out *IpsecHost) { *out = *in 
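Review bot: `get_label` reaches the labels through `reflect.ValueOf(oldobj).Elem().Field(1).Interface().(metav1.ObjectMeta)`, which relies on ObjectMeta being the second struct field of every registered type and uses an unchecked type assertion; a type with a different layout, or a future addition to the kind switch, panics inside the admission handler, and with `failurePolicy: Fail` that surfaces as a denied update for every watched resource (including all Deployments). `meta.Accessor` from `k8s.io/apimachinery/pkg/api/meta` returns the same metadata as an interface and reports an error instead of panicking, which also lets `reflect` and `metav1` be dropped from the imports. In `Handle`, `get_label` is called on `oldobj` and `obj` before `err1`/`err2` are inspected, so the decode-error check is better moved ahead of the label reads, and `fmt.Sprintf("Label 'sdewanPurpose' is immutable")` with no arguments is what `go vet` flags — a plain string literal does. The file would also benefit from a comment on `labelValidator` recording why the label is immutable, e.g. `// sdewanPurpose ties CRs to a CNF; the reconciler only sees the current object on UPDATE and could not clean up rules keyed by the old value, so the label may not change after creation.`, since that rationale currently lives only in the commit message.

```go
// … unchanged: kind switch …
	if req.Operation != "UPDATE" {
		return admission.Allowed("")
	}
	oldobj := obj.DeepCopyObject()
	if err := v.decoder.DecodeRaw(req.OldObject, oldobj); err != nil {
		return admission.Errored(http.StatusBadRequest, fmt.Errorf("decoding old object: %w", err))
	}
	if err := v.decoder.Decode(req, obj); err != nil {
		return admission.Errored(http.StatusBadRequest, fmt.Errorf("decoding new object: %w", err))
	}
	old_value, err := get_label(oldobj, "sdewanPurpose")
	if err != nil {
		return admission.Errored(http.StatusInternalServerError, err)
	}
	new_value, err := get_label(obj, "sdewanPurpose")
	if err != nil {
		return admission.Errored(http.StatusInternalServerError, err)
	}
	if old_value != new_value {
		return admission.Denied("Label 'sdewanPurpose' is immutable")
	}
	return admission.Allowed("")
}

// get_label returns the value of label name on obj, or "" when the label is
// absent (a missing label and an empty value are deliberately treated alike,
// which is what the immutability comparison in Handle relies on). It fails
// only when obj does not carry Kubernetes object metadata at all.
func get_label(obj runtime.Object, name string) (string, error) {
	accessor, err := meta.Accessor(obj)
	if err != nil {
		return "", fmt.Errorf("reading object metadata: %w", err)
	}
	return accessor.GetLabels()[name], nil
}
```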
@@ -505,14 +486,6 @@ func (in *IpsecHost) DeepCopy() *IpsecHost { return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IpsecProposal) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. func (in *IpsecHost) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { 
@@ -522,62 +495,117 @@ func (in *IpsecHost) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IpsecProposalList) DeepCopyInto(out *IpsecProposalList) { +func (in *IpsecHostList) DeepCopyInto(out *IpsecHostList) { *out = *in out.TypeMeta = in.TypeMeta in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]IpsecProposal, len(*in)) + *out = make([]IpsecHost, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -func (in *IpsecHostList) DeepCopyInto(out *IpsecHostList) { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecHostList. +func (in *IpsecHostList) DeepCopy() *IpsecHostList { + if in == nil { + return nil + } + out := new(IpsecHostList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *IpsecHostList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IpsecHostSpec) DeepCopyInto(out *IpsecHostSpec) { *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]IpsecHost, len(*in)) + if in.CryptoProposal != nil { + in, out := &in.CryptoProposal, &out.CryptoProposal + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Connections != nil { + in, out := &in.Connections, &out.Connections + *out = make([]Connection, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposalList. 
-func (in *IpsecProposalList) DeepCopy() *IpsecProposalList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecHostSpec. +func (in *IpsecHostSpec) DeepCopy() *IpsecHostSpec { if in == nil { return nil } - out := new(IpsecProposalList) + out := new(IpsecHostSpec) in.DeepCopyInto(out) return out } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecHostList. -func (in *IpsecHostList) DeepCopy() *IpsecHostList { +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IpsecProposal) DeepCopyInto(out *IpsecProposal) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposal. +func (in *IpsecProposal) DeepCopy() *IpsecProposal { if in == nil { return nil } - out := new(IpsecHostList) + out := new(IpsecProposal) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IpsecProposalList) DeepCopyObject() runtime.Object { +func (in *IpsecProposal) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IpsecProposalList) DeepCopyInto(out *IpsecProposalList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]IpsecProposal, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecProposalList. 
+func (in *IpsecProposalList) DeepCopy() *IpsecProposalList { + if in == nil { + return nil + } + out := new(IpsecProposalList) + in.DeepCopyInto(out) + return out +} + // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IpsecHostList) DeepCopyObject() runtime.Object { +func (in *IpsecProposalList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } @@ -599,32 +627,6 @@ func (in *IpsecProposalSpec) DeepCopy() *IpsecProposalSpec { return out } -func (in *IpsecHostSpec) DeepCopyInto(out *IpsecHostSpec) { - *out = *in - if in.CryptoProposal != nil { - in, out := &in.CryptoProposal, &out.CryptoProposal - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Connections != nil { - in, out := &in.Connections, &out.Connections - *out = make([]Connection, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IpsecHostSpec. -func (in *IpsecHostSpec) DeepCopy() *IpsecHostSpec { - if in == nil { - return nil - } - out := new(IpsecHostSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Mwan3Policy) DeepCopyInto(out *Mwan3Policy) { *out = *in diff --git a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsechosts.yaml b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsechosts.yaml index da2c63d..19211a4 100644 --- a/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsechosts.yaml +++ b/platform/crd-ctrlr/src/config/crd/bases/batch.sdewan.akraino.org_ipsechosts.yaml @@ -40,6 +40,8 @@ spec: connections: items: properties: + conn_type: + type: string crypto_proposal: items: type: string 
@@ -66,12 +68,10 @@ spec: type: string remote_updown: type: string - type: - type: string required: + - conn_type - mode - name - - type type: object type: array crypto_proposal: @@ -96,6 +96,8 @@ spec: type: string shared_ca: type: string + type: + type: string required: - authentication_method - connections diff --git a/platform/crd-ctrlr/src/config/local/webhook_config.yaml b/platform/crd-ctrlr/src/config/local/webhook_config.yaml index cefecce..d5025a5 100644 --- a/platform/crd-ctrlr/src/config/local/webhook_config.yaml +++ b/platform/crd-ctrlr/src/config/local/webhook_config.yaml @@ -9,7 +9,7 @@ webhooks: caBundle: 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 url: https://localhost:9443/validate-sdewan-bucket-permission failurePolicy: Fail - name: sdewan.kb.io + name: bucket-permission.kb.io namespaceSelector: {} rules: - apiGroups: @@ -33,3 +33,34 @@ webhooks: scope: '*' sideEffects: Unknown timeoutSeconds: 30 +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: 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 + url: https://localhost:9443/validate-label + failurePolicy: Fail + name: validate-label.kb.io + namespaceSelector: {} + rules: + - apiGroups: + - batch.sdewan.akraino.org + - apps + apiVersions: + - v1alpha1 + - v1 + operations: + - UPDATE + resources: + - deployments + - mwan3policies + - mwan3rules + - firewalldnats + - firewallforwardings + - firewallrules + - firewallsnats + - firewallzones + - ipsechosts + - ipsecproposals + scope: '*' + sideEffects: Unknown + timeoutSeconds: 30 diff --git a/platform/crd-ctrlr/src/config/rbac/role.yaml b/platform/crd-ctrlr/src/config/rbac/role.yaml index 3cb2ecf..8248c87 100644 --- a/platform/crd-ctrlr/src/config/rbac/role.yaml +++ b/platform/crd-ctrlr/src/config/rbac/role.yaml @@ -125,7 +125,7 @@ rules: - apiGroups: - batch.sdewan.akraino.org resources: - - ipsecproposals + - ipsechosts verbs: - create - delete 
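Review bot: The ipsechosts CRD hunks rename the required per-connection field `type` to `conn_type` and add a new host-level `type`, which is an API-breaking schema change unrelated to the label-immutability work the commit message describes; it should be mentioned in the message or landed separately so it can be reviewed together with the Go `IpsecHostSpec`/`Connection` types and their json tags, which this diff does not touch (the deepcopy changes only reorder generated code). Existing IpsecHost objects that still set `connections[].type` will fail validation on their next update because `conn_type` is now required, and the `batch_v1alpha1_ipsechost.yaml` sample only gains document markers in this commit, so it may no longer match the schema — worth confirming. At minimum the new `conn_type` and `type` properties deserve a `description:` in the schema stating what each selects, since the two names are otherwise easy to confuse.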
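Review bot: The new `validate-label.kb.io` entry in webhook_config.yaml declares `sideEffects: Unknown`, which makes the API server reject dry-run updates of every listed resource instead of consulting the webhook, and is not an accepted value at all under `admissionregistration.k8s.io/v1`; the handler only compares two label values and has no side effects, so `sideEffects: None` is the accurate declaration (the existing bucket-permission entry visible in the hunk context carries the same `Unknown`). `admissionReviewVersions: [v1beta1]` is consistent with the handler comparing `req.Operation` to the string `"UPDATE"`, but note that this local config points `url` at `https://localhost:9443`, so it only exercises the out-of-cluster manager and does not validate the service-based wiring in the examples.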
@@ -137,7 +137,7 @@ rules: - apiGroups: - batch.sdewan.akraino.org resources: - - ipsecproposals/status + - ipsechosts/status verbs: - get - patch @@ -145,7 +145,7 @@ rules: - apiGroups: - batch.sdewan.akraino.org resources: - - ipsechosts + - ipsecproposals verbs: - create - delete @@ -157,7 +157,7 @@ rules: - apiGroups: - batch.sdewan.akraino.org resources: - - ipsechosts/status + - ipsecproposals/status verbs: - get - patch diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml index 1929bd2..cd056d3 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewalldnat.yaml @@ -12,4 +12,4 @@ spec: src_dip: 1.2.3.4 dest: firewallzone-sample2 proto: icmp - +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml index aa77e13..df680a4 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallforwarding.yaml @@ -8,6 +8,6 @@ metadata: sdewanPurpose: cnf1 sdewan-bucket-type: app-intent spec: - # Add fields here src: firewallzone-sample2 dest: firewallzone-sample +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml index c77b9d3..358ea6a 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallrule.yaml @@ -7,9 +7,9 @@ metadata: labels: sdewanPurpose: cnf1 spec: - # Add fields here src: firewallzone-sample src_ip: "192.168.2.2" src_port: "80" proto: tcp target: REJECT +... 
diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml index 108a6cd..e27eaae 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallsnat.yaml @@ -12,3 +12,4 @@ spec: src_dip: 1.2.3.5 dest: firewallzone-sample2 proto: icmp +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml index f4a4d7c..5b9f039 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone.yaml @@ -7,9 +7,9 @@ metadata: labels: sdewanPurpose: cnf1 spec: - # Add fields here - network: - - ovn-net1 - - ovn-net2 - input: ACCEPT - output: ACCEPT \ No newline at end of file + network: + - ovn-net1 + - ovn-net2 + input: ACCEPT + output: ACCEPT +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml index 632c6fa..6386932 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_firewallzone2.yaml @@ -7,9 +7,9 @@ metadata: labels: sdewanPurpose: cnf1 spec: - # Add fields here network: - "ovn-net1" - "ovn-net2" input: ACCEPT - output: ACCEPT \ No newline at end of file + output: ACCEPT +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsechost.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsechost.yaml index bfde59b..8d20e1b 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsechost.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsechost.yaml @@ -1,3 +1,4 @@ +--- apiVersion: batch.sdewan.akraino.org/v1alpha1 kind: IpsecHost metadata: 
@@ -25,4 +26,4 @@ spec: remote_subnet: 192.168.1.1/24,10.10.10.35/32 crypto_proposal: - ipsecproposal - +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml index 91fbf10..16705b0 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_ipsecproposal.yaml @@ -1,3 +1,4 @@ +--- apiVersion: batch.sdewan.akraino.org/v1alpha1 kind: IpsecProposal metadata: @@ -6,6 +7,7 @@ metadata: labels: sdewanPurpose: cnf1 spec: - dh_group: modp4096 - encryption_algorithm: aes - hash_algorithm: sha1 + dh_group: modp4096 + encryption_algorithm: aes + hash_algorithm: sha1 +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml index 8d631de..18f3fa3 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3policy.yaml @@ -15,3 +15,4 @@ spec: - network: ovn-net2 weight: 3 metric: 3 +... diff --git a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml index ca5c555..ed9e608 100644 --- a/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml +++ b/platform/crd-ctrlr/src/config/samples/batch_v1alpha1_mwan3rule.yaml @@ -8,7 +8,6 @@ metadata: sdewanPurpose: cnf1 # sdewan-bucket-type: app-intent spec: - # Add fields here dest_ip: "10.10.10.1" dest_port: "1000" family: ipv4 @@ -18,4 +17,4 @@ spec: src_port: "22" sticky: "1" timeout: "200" - +... diff --git a/platform/crd-ctrlr/src/config/webhook/manifests.yaml b/platform/crd-ctrlr/src/config/webhook/manifests.yaml index 9374f80..a22fda8 100644 --- a/platform/crd-ctrlr/src/config/webhook/manifests.yaml +++ b/platform/crd-ctrlr/src/config/webhook/manifests.yaml 
@@ -33,3 +33,31 @@ webhooks: - firewalldnats - ipsecproposals - ipsechosts +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-label + failurePolicy: Fail + name: validate-label.akraino.org + rules: + - apiGroups: + - apps + - batch.sdewan.akraino.org + apiVersions: + - v1 + - v1alpha1 + operations: + - UPDATE + resources: + - deployments + - mwan3policies + - mwan3rules + - firewallzones + - firewallforwardings + - firewallrules + - firewallsnats + - firewalldnats + - ipsecproposals + - ipsechosts diff --git a/platform/crd-ctrlr/src/go.sum b/platform/crd-ctrlr/src/go.sum index 7a41928..3fc7d51 100644 --- a/platform/crd-ctrlr/src/go.sum +++ b/platform/crd-ctrlr/src/go.sum @@ -1,6 +1,5 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= cloud.google.com/go v0.39.0 h1:UgQP9na6OTfp4dsAiz/eFpFA1C6tPdH5wiRdi19tuMw= cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts= 
@@ -174,7 +173,6 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6 h1:ZgQEtGgCBiWRM39fZuwSd1LwSqqSW0hOdXCYYDX0R3I= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -191,7 +189,6 @@ github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -264,7 +261,6 @@ github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns= github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
@@ -478,16 +474,13 @@ go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qL go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= -go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= -go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.15.0 h1:ZZCA22JRF2gQE5FoNmhmrf7jeJJ2uhqDUNRYKm8dvmM= go.uber.org/zap v1.15.0/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc= 
@@ -535,7 +528,6 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI= golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e h1:3G+cUijn7XD+S4eJFddp53Pv7+slrESplyjG25HgL+k= @@ -573,7 +565,6 @@ golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7 h1:HmbHVPwrPEKPGLAcHSrMe6+hqSUlvZU0rab6x5EXfGU= golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -608,7 +599,6 @@ golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200502202811-ed308ab3e770/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= diff --git a/platform/crd-ctrlr/src/main.go b/platform/crd-ctrlr/src/main.go index 9eb9759..0a5cc24 100644 --- a/platform/crd-ctrlr/src/main.go +++ b/platform/crd-ctrlr/src/main.go @@ -135,10 +135,6 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "Mwan3Rule") os.Exit(1) } - if err = batchv1alpha1.SetupBucketPermissionWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "Mwan3Policy") - os.Exit(1) - } if err = (&controllers.FirewallZoneReconciler{ Client: mgr.GetClient(), Log: ctrl.Log.WithName("controllers").WithName("FirewallZone"), 
@@ -197,6 +193,14 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "IpsecHost")
 os.Exit(1)
 }
+ if err = batchv1alpha1.SetupBucketPermissionWebhookWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create webhook", "webhook", "BucketPermission")
+ os.Exit(1)
+ }
+ if err = batchv1alpha1.SetupLabelValidateWebhookWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create webhook", "webhook", "CNFLabelWebhook")
+ os.Exit(1)
+ }
 // +kubebuilder:scaffold:builder
 setupLog.Info("starting manager")