
Commit bcc360d

committed
Added loadBalancerSourceRanges field to external-access-spec
1 parent 91508e5 commit bcc360d

3 files changed

+22
-6
lines changed


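--- a/pkg/apis/deployment/v1alpha/external_access_spec.go
+++ b/pkg/apis/deployment/v1alpha/external_access_spec.go
@@ -24,6 +24,7 @@ package v1alpha
 
 import (
 "fmt"
+"net"
 "net/url"
 
 "github.com/arangodb/kube-arangodb/pkg/util"
@@ -37,6 +38,11 @@ type ExternalAccessSpec struct {
 NodePort *int `json:"nodePort,omitempty"`
 // Optional IP used to configure a load-balancer on, in case of Auto or LoadBalancer type.
 LoadBalancerIP *string `json:"loadBalancerIP,omitempty"`
+// If specified and supported by the platform, this will restrict traffic through the cloud-provider
+// load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+// cloud-provider does not support the feature.
+// More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
+LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
 // Advertised Endpoint is passed to the coordinators/single servers for advertising a specific endpoint
 AdvertisedEndpoint *string `json:"advertisedEndpoint,omitempty"`
 }
@@ -77,6 +83,11 @@ func (s ExternalAccessSpec) Validate() error {
 return maskAny(fmt.Errorf("Failed to parse advertised endpoint '%s': %s", ep, err))
 }
 }
+for _, x := range s.LoadBalancerSourceRanges {
+if _, _, err := net.ParseCIDR(x); err != nil {
+return maskAny(fmt.Errorf("Failed to parse loadbalancer source range '%s': %s", x, err))
+}
+}
 return nil
 }
 
@@ -95,6 +106,9 @@ func (s *ExternalAccessSpec) SetDefaultsFrom(source ExternalAccessSpec) {
 if s.LoadBalancerIP == nil {
 s.LoadBalancerIP = util.NewStringOrNil(source.LoadBalancerIP)
 }
+if s.LoadBalancerSourceRanges == nil && len(source.LoadBalancerSourceRanges) > 0 {
+s.LoadBalancerSourceRanges = append([]string{}, source.LoadBalancerSourceRanges...)
+}
 if s.AdvertisedEndpoint == nil {
 s.AdvertisedEndpoint = source.AdvertisedEndpoint
 }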
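Review bot: The new loop in Validate (`for _, x := range s.LoadBalancerSourceRanges`) accepts anything net.ParseCIDR parses, including a range with host bits set such as `10.1.2.3/24`, where an operator who meant a single host silently gets the whole /24 once the provider applies it; after binding `_, ipnet, err := net.ParseCIDR(x)` consider adding `} else if ipnet.String() != x {` and returning an error for the non-canonical form, unless the intent is to accept exactly what the API server accepts. The field's own doc comment (hunk at `type ExternalAccessSpec`) is garbled — "this will restrict traffic through the cloud-provider load-balancer will be restricted to" — and could read `// If specified and supported by the platform, traffic through the cloud-provider load-balancer is restricted to the specified client IP ranges.`. Since that comment already says the field is ignored where the provider lacks support, it is worth stating there that a passing Validate is not evidence the restriction is in effect and that the provisioned load-balancer should be checked. Validate's body begins outside the hunk.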

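--- a/pkg/deployment/resources/services.go
+++ b/pkg/deployment/resources/services.go
@@ -202,7 +202,8 @@ func (r *Resources) ensureExternalAccessServices(svcs k8sutil.ServiceInterface,
 // Let's create or update the database external access service
 nodePort := spec.GetNodePort()
 loadBalancerIP := spec.GetLoadBalancerIP()
-_, newlyCreated, err := k8sutil.CreateExternalAccessService(svcs, eaServiceName, svcRole, apiObject, eaServiceType, port, nodePort, loadBalancerIP, apiObject.AsOwner())
+loadBalancerSourceRanges := spec.LoadBalancerSourceRanges
+_, newlyCreated, err := k8sutil.CreateExternalAccessService(svcs, eaServiceName, svcRole, apiObject, eaServiceType, port, nodePort, loadBalancerIP, loadBalancerSourceRanges, apiObject.AsOwner())
 if err != nil {
 log.Debug().Err(err).Msgf("Failed to create %s external access service", title)
 return maskAny(err)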
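Review bot: The new `loadBalancerSourceRanges` value is only threaded into k8sutil.CreateExternalAccessService, whose doc comment in pkg/util/k8sutil/services.go says an already-existing service is left alone; if that is the whole story, tightening LoadBalancerSourceRanges on a running deployment would never reach the live Service and the load-balancer would stay open to its previous ranges. The comment on line 202 says "create or update", but the update path is not inside this hunk, so please confirm that the existing-service branch also compares and patches spec.LoadBalancerSourceRanges, and consider a short comment here noting which branch owns that reconciliation. ensureExternalAccessServices starts and ends outside the hunk.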

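--- a/pkg/util/k8sutil/services.go
+++ b/pkg/util/k8sutil/services.go
@@ -120,7 +120,7 @@ func CreateHeadlessService(svcs ServiceInterface, deployment metav1.Object, owne
 }
 publishNotReadyAddresses := true
 serviceType := v1.ServiceTypeClusterIP
-newlyCreated, err := createService(svcs, svcName, deploymentName, deployment.GetNamespace(), ClusterIPNone, "", serviceType, ports, "", publishNotReadyAddresses, owner)
+newlyCreated, err := createService(svcs, svcName, deploymentName, deployment.GetNamespace(), ClusterIPNone, "", serviceType, ports, "", nil, publishNotReadyAddresses, owner)
 if err != nil {
 return "", false, maskAny(err)
 }
@@ -149,7 +149,7 @@ func CreateDatabaseClientService(svcs ServiceInterface, deployment metav1.Object
 }
 serviceType := v1.ServiceTypeClusterIP
 publishNotReadyAddresses := false
-newlyCreated, err := createService(svcs, svcName, deploymentName, deployment.GetNamespace(), "", role, serviceType, ports, "", publishNotReadyAddresses, owner)
+newlyCreated, err := createService(svcs, svcName, deploymentName, deployment.GetNamespace(), "", role, serviceType, ports, "", nil, publishNotReadyAddresses, owner)
 if err != nil {
 return "", false, maskAny(err)
 }
@@ -160,7 +160,7 @@ func CreateDatabaseClientService(svcs ServiceInterface, deployment metav1.Object
 // If the service already exists, nil is returned.
 // If another error occurs, that error is returned.
 // The returned bool is true if the service is created, or false when the service already existed.
-func CreateExternalAccessService(svcs ServiceInterface, svcName, role string, deployment metav1.Object, serviceType v1.ServiceType, port, nodePort int, loadBalancerIP string, owner metav1.OwnerReference) (string, bool, error) {
+func CreateExternalAccessService(svcs ServiceInterface, svcName, role string, deployment metav1.Object, serviceType v1.ServiceType, port, nodePort int, loadBalancerIP string, loadBalancerSourceRanges []string, owner metav1.OwnerReference) (string, bool, error) {
 deploymentName := deployment.GetName()
 ports := []v1.ServicePort{
 v1.ServicePort{
@@ -171,7 +171,7 @@ func CreateExternalAccessService(svcs ServiceInterface, svcName, role string, de
 },
 }
 publishNotReadyAddresses := false
-newlyCreated, err := createService(svcs, svcName, deploymentName, deployment.GetNamespace(), "", role, serviceType, ports, loadBalancerIP, publishNotReadyAddresses, owner)
+newlyCreated, err := createService(svcs, svcName, deploymentName, deployment.GetNamespace(), "", role, serviceType, ports, loadBalancerIP, loadBalancerSourceRanges, publishNotReadyAddresses, owner)
 if err != nil {
 return "", false, maskAny(err)
 }
@@ -183,7 +183,7 @@ func CreateExternalAccessService(svcs ServiceInterface, svcName, role string, de
 // If another error occurs, that error is returned.
 // The returned bool is true if the service is created, or false when the service already existed.
 func createService(svcs ServiceInterface, svcName, deploymentName, ns, clusterIP, role string, serviceType v1.ServiceType,
-ports []v1.ServicePort, loadBalancerIP string, publishNotReadyAddresses bool, owner metav1.OwnerReference) (bool, error) {
+ports []v1.ServicePort, loadBalancerIP string, loadBalancerSourceRanges []string, publishNotReadyAddresses bool, owner metav1.OwnerReference) (bool, error) {
 labels := LabelsForDeployment(deploymentName, role)
 svc := &v1.Service{
 ObjectMeta: metav1.ObjectMeta{
@@ -203,6 +203,7 @@ func createService(svcs ServiceInterface, svcName, deploymentName, ns, clusterIP
 ClusterIP: clusterIP,
 PublishNotReadyAddresses: publishNotReadyAddresses,
 LoadBalancerIP: loadBalancerIP,
+LoadBalancerSourceRanges: loadBalancerSourceRanges,
 },
 }
 addOwnerRefToObject(svc.GetObjectMeta(), &owner)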
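Review bot: The doc comment above CreateExternalAccessService (hunk at lines 160-166) does not describe the new loadBalancerSourceRanges parameter, and neither does createService's; suggest adding `// loadBalancerSourceRanges, when non-empty, is assigned as-is to Service.Spec.LoadBalancerSourceRanges; it is not validated in this function and is only honoured by cloud providers that support it.` above both, so callers know validation is their responsibility. As a point of style, createService now takes twelve positional arguments with adjacent `string`, `[]string` and `bool` parameters that the three call sites in this file fill with `""`, `nil` and a bool literal, which makes a mis-ordered argument easy to miss in review; a small options struct for the optional load-balancer settings would make those call sites self-describing. Both functions continue outside the hunks.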
