create clusterwidenetworkpolicy from AccessList.SourceRanges

Makefile

@@ -125,4 +125,7 @@ create-postgres:
 	kubectl --kubeconfig kubeconfig apply -f config/samples/database_v1_postgres.yaml
 
 delete-postgres:
-	kubectl --kubeconfig kubeconfig delete -f config/samples/database_v1_postgres.yaml
+	kubectl --kubeconfig kubeconfig delete -f config/samples/database_v1_postgres.yaml
+
+test-cwnp:
+	./hack/test-cwnp.sh

api/v1/postgres_types.go

@@ -17,10 +17,16 @@ limitations under the License.
 package v1
 
 import (
+	"fmt"
 	"time"
 
+	firewall "github.com/metal-stack/firewall-controller/api/v1"
+	"inet.af/netaddr"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -69,8 +75,8 @@ type PostgresSpec struct {
 
 // AccessList defines the type of restrictions to access the database
 type AccessList struct {
-	// SourceRanges defines a list of prefixes in CIDR Notation e.g. 1.2.3.0/24
-	// FIXME implement validation if source is a parsable CIDR
+	// +kubebuilder:validation:Required
+	// SourceRanges defines a list of prefixes in CIDR Notation e.g. 1.2.3.0/24 or fdaa::/104
 	SourceRanges []string `json:"sourceRanges,omitempty"`
 }
 
@@ -143,6 +149,35 @@ func (p *Postgres) IsBeingDeleted() bool {
 	return !p.ObjectMeta.DeletionTimestamp.IsZero()
 }
 
+func (p *Postgres) ToCWNP(port int) (*firewall.ClusterwideNetworkPolicy, error) {
+	portObj := intstr.FromInt(port)
+	tcp := corev1.ProtocolTCP
+	ports := []networkingv1.NetworkPolicyPort{
+		{Port: &portObj, Protocol: &tcp},
+	}
+
+	ipblocks := []networkingv1.IPBlock{}
+	for _, src := range p.Spec.AccessList.SourceRanges {
+		parsedSrc, err := netaddr.ParseIPPrefix(src)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse source range %s: %w", src, err)
+		}
+		ipblock := networkingv1.IPBlock{
+			CIDR: parsedSrc.String(),
+		}
+		ipblocks = append(ipblocks, ipblock)
+	}
+
+	policy := &firewall.ClusterwideNetworkPolicy{}
+	policy.Namespace = "firewall"
+	policy.Name = p.Spec.ProjectID + "--" + string(p.UID)
+	policy.Spec.Ingress = []firewall.IngressRule{
+		{Ports: ports, From: ipblocks},
+	}
+
+	return policy, nil
+}
+
 func (p *Postgres) ToKey() *types.NamespacedName {
 	return &types.NamespacedName{
 		Namespace: p.Namespace,

config/crd/bases/database.fits.cloud_postgres.yaml

@@ -48,8 +48,7 @@ spec:
               properties:
                 sourceRanges:
                   description: SourceRanges defines a list of prefixes in CIDR Notation
-                    e.g. 1.2.3.0/24 FIXME implement validation if source is a parsable
-                    CIDR
+                    e.g. 1.2.3.0/24 or fdaa::/104
                   items:
                     type: string
                   type: array

config/samples/_test_cwnp.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: database
+---
+apiVersion: database.fits.cloud/v1
+kind: Postgres
+metadata:
+  namespace: database
+  name: sample-name-a
+spec:
+  accessList:
+    sourceRanges:
+    - 1.2.3.4/24
+  backup:
+    s3BucketURL: ""
+  numberOfInstances: 2
+  partitionID: sample-partition
+  projectID: projectid-a
+  size:
+    storageSize: 1Gi
+  tenant: sample-tenant
+  version: "12"

config/samples/database_v1_postgres.yaml

@@ -9,6 +9,9 @@ metadata:
   namespace: database
   name: sample-name-a
 spec:
+  accessList:
+    sourceRanges:
+    - 1.2.3.4/24
   backup:
     s3BucketURL: ""
   numberOfInstances: 2
@@ -25,6 +28,9 @@ metadata:
   namespace: database
   name: sample-name-b
 spec:
+  accessList:
+    sourceRanges:
+    - 1.2.3.4/24
   backup:
     s3BucketURL: ""
   numberOfInstances: 2

controllers/postgres_controller.go

@@ -24,11 +24,15 @@ import (
 	"github.com/go-logr/logr"
 	zalando "github.com/zalando/postgres-operator/pkg/apis/acid.zalan.do/v1"
 	corev1 "k8s.io/api/core/v1"
+
+	firewall "github.com/metal-stack/firewall-controller/api/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	pg "github.com/fi-ts/postgres-controller/api/v1"
 	"github.com/fi-ts/postgres-controller/pkg/operatormanager"
@@ -81,6 +85,10 @@ func (r *PostgresReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			return ctrl.Result{}, err
 		}
 
+		if err := r.deleteCWNP(ctx, instance); err != nil {
+			return ctrl.Result{}, fmt.Errorf("unable to delete `ClusterwideNetworkPolicy` for instance %v: %w", k, err)
+		}
+
 		namespace := instance.Spec.ProjectID
 		isIdle, err := r.IsOperatorDeletable(ctx, namespace)
 		if err != nil {
@@ -143,6 +151,9 @@ func (r *PostgresReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	}
 
 	// Update status will be handled by the StatusReconciler, based on the Zalando Status
+	if err := r.createOrUpdateCWNP(ctx, instance, 12345); err != nil { // todo: what port?
+		return ctrl.Result{}, fmt.Errorf("unable to create or update `ClusterwideNetworkPolicy`: %W", err)
+	}
 
 	return ctrl.Result{}, nil
 }
@@ -236,6 +247,7 @@ func (r *PostgresReconciler) deleteZPostgresql(ctx context.Context, k *types.Nam
 }
 
 func patchRawZ(out *zalando.Postgresql, in *pg.Postgres) {
+	out.Spec.AllowedSourceRanges = in.Spec.AccessList.SourceRanges
 	out.Spec.NumberOfInstances = in.Spec.NumberOfInstances
 
 	// todo: Check if the validation should be performed here.
@@ -268,3 +280,43 @@ func patchRawZ(out *zalando.Postgresql, in *pg.Postgres) {
 
 	// todo: in.Spec.Backup, in.Spec.AccessList
 }
+
+// createCWNP will create a ingress firewall rule on the firewall in front of the k8s cluster
+// based on the spec.AccessList.SourceRanges given.
+// TODO for a kind cluster:
+// - the firewall namespace must be present
+// - the firewall.ClusterwideNetworkPolicy CRD must be deployed in a kind cluster with:
+//   k apply -f https://github.com/metal-stack/firewall-controller/config/crd/bases/metal-stack.io_clusterwidenetworkpolicies.yaml
+// TODO overall:
+// - deleteCWNP
+
+// todo: Change to `controllerutl.CreateOrPatch`
+// createOrUpdateCWNP will create an ingress firewall rule on the firewall in front of the k8s cluster
+// based on the spec.AccessList.SourceRanges given.
+func (r *PostgresReconciler) createOrUpdateCWNP(ctx context.Context, in *pg.Postgres, port int) error {
+	policy, err := in.ToCWNP(port)
+	if err != nil {
+		return fmt.Errorf("unable to convert instance %v to `ClusterwideNetworkPolicy`: %w", in.ToKey(), err)
+	}
+
+	// placeholder of the object with the specified namespaced name
+	key := &firewall.ClusterwideNetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: policy.Name, Namespace: policy.Namespace}}
+	if _, err := controllerutil.CreateOrUpdate(ctx, r.Service, key, func() error {
+		key.Spec.Ingress = policy.Spec.Ingress
+		return nil
+	}); err != nil {
+		return fmt.Errorf("unable to deploy `ClusterwideNetworkPolicy` for instance %s: %w", in.ToKey(), err)
+	}
+
+	return nil
+}
+
+func (r *PostgresReconciler) deleteCWNP(ctx context.Context, in *pg.Postgres) error {
+	policy := &firewall.ClusterwideNetworkPolicy{}
+	policy.Namespace = "firewall"
+	policy.Name = in.Spec.ProjectID + "--" + string(in.UID)
+	if err := r.Service.Delete(ctx, policy); err != nil {
+		return fmt.Errorf("unable to delete `ClusterwideNetworkPolicy` %v: %w", policy.Name, err)
+	}
+	return nil
+}

go.mod

@@ -4,13 +4,14 @@ go 1.15
 
 require (
 	github.com/go-logr/logr v0.3.0
-	github.com/go-logr/zapr v0.3.0 // indirect
+	github.com/metal-stack/firewall-controller v1.0.1
 	github.com/metal-stack/v v1.0.2
 	github.com/onsi/ginkgo v1.14.2
 	github.com/onsi/gomega v1.10.4
 	github.com/zalando/postgres-operator v1.5.0
+	inet.af/netaddr v0.0.0-20210115183222-bffc12a571f6
 	k8s.io/api v0.19.4
-	k8s.io/apiextensions-apiserver v0.18.6
+	k8s.io/apiextensions-apiserver v0.18.9
 	k8s.io/apimachinery v0.19.4
 	k8s.io/client-go v11.0.0+incompatible
 	sigs.k8s.io/controller-runtime v0.6.4