Skip to content

Commit

Permalink
create new FirewallRule CRD
Browse files Browse the repository at this point in the history
  • Loading branch information
AshleyDumaine committed Dec 9, 2024
1 parent 7f99e91 commit ce5f735
Show file tree
Hide file tree
Showing 26 changed files with 978 additions and 155 deletions.
8 changes: 8 additions & 0 deletions PROJECT
Original file line number Diff line number Diff line change
Expand Up @@ -121,4 +121,12 @@ resources:
kind: AddressSet
path: github.com/linode/cluster-api-provider-linode/api/v1alpha2
version: v1alpha2
- api:
crdVersion: v1
namespaced: true
domain: cluster.x-k8s.io
group: infrastructure
kind: FirewallRule
path: github.com/linode/cluster-api-provider-linode/api/v1alpha2
version: v1alpha2
version: "3"
1 change: 1 addition & 0 deletions Tiltfile
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ if os.getenv("INSTALL_RKE2_PROVIDER", "false") == "true":
capl_resources = [
"capl-system:namespace",
"addresssets.infrastructure.cluster.x-k8s.io:customresourcedefinition",
"firewallrules.infrastructure.cluster.x-k8s.io:customresourcedefinition",
"linodeclusters.infrastructure.cluster.x-k8s.io:customresourcedefinition",
"linodemachines.infrastructure.cluster.x-k8s.io:customresourcedefinition",
"linodeclustertemplates.infrastructure.cluster.x-k8s.io:customresourcedefinition",
Expand Down
83 changes: 83 additions & 0 deletions api/v1alpha2/firewallrule_types.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
/*
Copyright 2023 Akamai Technologies, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha2

import (
"github.com/linode/linodego"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.

// FirewallRuleSpec defines the desired state of FirewallRule
type FirewallRuleSpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
// Important: Run "make" to regenerate code after modifying this file
Action string `json:"action"`
Label string `json:"label"`
Description string `json:"description,omitempty"`
Ports string `json:"ports,omitempty"`
// +kubebuilder:validation:Enum=TCP;UDP;ICMP;IPENCAP
Protocol linodego.NetworkProtocol `json:"protocol"`
Addresses *NetworkAddresses `json:"addresses,omitempty"`
// AddressSetRefs is a list of references to AddressSets as an alternative to
// using Addresses but can be used in conjunction with it
AddressSetRefs []*corev1.ObjectReference `json:"addressSetRefs,omitempty"`
}

// NetworkAddresses holds a list of IPv4 and IPv6 addresses
// We don't use linodego here since kubebuilder can't generate DeepCopyInto
// for linodego.NetworkAddresses
type NetworkAddresses struct {
IPv4 *[]string `json:"ipv4,omitempty"`
IPv6 *[]string `json:"ipv6,omitempty"`
}

// FirewallRuleStatus defines the observed state of FirewallRule
type FirewallRuleStatus struct {
// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
// Important: Run "make" to regenerate code after modifying this file
}

//+kubebuilder:object:root=true
//+kubebuilder:resource:path=firewallrules,scope=Namespaced,categories=cluster-api,shortName=fwr
//+kubebuilder:subresource:status
// +kubebuilder:metadata:labels="clusterctl.cluster.x-k8s.io/move-hierarchy=true"

// FirewallRule is the Schema for the firewallrules API
type FirewallRule struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec FirewallRuleSpec `json:"spec,omitempty"`
Status FirewallRuleStatus `json:"status,omitempty"`
}

//+kubebuilder:object:root=true

// FirewallRuleList contains a list of FirewallRule
type FirewallRuleList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []FirewallRule `json:"items"`
}

func init() {
SchemeBuilder.Register(&FirewallRule{}, &FirewallRuleList{})
}
36 changes: 12 additions & 24 deletions api/v1alpha2/linodefirewall_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ limitations under the License.
package v1alpha2

import (
"github.com/linode/linodego"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
Expand All @@ -39,7 +38,12 @@ type LinodeFirewallSpec struct {
Enabled bool `json:"enabled,omitempty"`

// +optional
InboundRules []FirewallRule `json:"inboundRules,omitempty"`
InboundRules []FirewallRuleSpec `json:"inboundRules,omitempty"`

// InboundRuleRefs is a list of references to FirewallRules as an alternative to
// using InboundRules but can be used in conjunction with it
// +optional
InboundRuleRefs []*corev1.ObjectReference `json:"inboundRuleRefs,omitempty"`

// InboundPolicy determines if traffic by default should be ACCEPTed or DROPped. Defaults to ACCEPT if not defined.
// +kubebuilder:validation:Enum=ACCEPT;DROP
Expand All @@ -48,7 +52,12 @@ type LinodeFirewallSpec struct {
InboundPolicy string `json:"inboundPolicy,omitempty"`

// +optional
OutboundRules []FirewallRule `json:"outboundRules,omitempty"`
OutboundRules []FirewallRuleSpec `json:"outboundRules,omitempty"`

// OutboundRuleRefs is a list of references to FirewallRules as an alternative to
// using OutboundRules but can be used in conjunction with it
// +optional
OutboundRuleRefs []*corev1.ObjectReference `json:"outboundRuleRefs,omitempty"`

// OutboundPolicy determines if traffic by default should be ACCEPTed or DROPped. Defaults to ACCEPT if not defined.
// +kubebuilder:validation:Enum=ACCEPT;DROP
Expand All @@ -62,27 +71,6 @@ type LinodeFirewallSpec struct {
CredentialsRef *corev1.SecretReference `json:"credentialsRef,omitempty"`
}

type FirewallRule struct {
Action string `json:"action"`
Label string `json:"label"`
Description string `json:"description,omitempty"`
Ports string `json:"ports,omitempty"`
// +kubebuilder:validation:Enum=TCP;UDP;ICMP;IPENCAP
Protocol linodego.NetworkProtocol `json:"protocol"`
Addresses *NetworkAddresses `json:"addresses,omitempty"`
// AddressSetRefs is a list of references to AddressSets as an alternative to
// using Addresses but can be used in conjunction with it
AddressSetRefs []*corev1.ObjectReference `json:"addressSetRefs,omitempty"`
}

// NetworkAddresses holds a list of IPv4 and IPv6 addresses
// We don't use linodego here since kubebuilder can't generate DeepCopyInto
// for linodego.NetworkAddresses
type NetworkAddresses struct {
IPv4 *[]string `json:"ipv4,omitempty"`
IPv6 *[]string `json:"ipv6,omitempty"`
}

// LinodeFirewallStatus defines the observed state of LinodeFirewall
type LinodeFirewallStatus struct {
// Ready is true when the provider resource is ready.
Expand Down
106 changes: 101 additions & 5 deletions api/v1alpha2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit ce5f735

Please sign in to comment.