adapt gce controller to godep updates

2017-07-18 16:16:22 -07:00 · 2017-07-18 16:16:22 -07:00 · ee3054dd52
commit ee3054dd52
parent 4fb61c73d1
25 changed files with 256 additions and 188 deletions
--- a/controllers/gce/firewalls/fakes.go
+++ b/controllers/gce/firewalls/fakes.go
@ -18,86 +18,66 @@ package firewalls

 import (
 	"fmt"
-	"strconv"

 	compute "google.golang.org/api/compute/v1"
-	netset "k8s.io/kubernetes/pkg/util/net/sets"

 	"k8s.io/ingress/controllers/gce/utils"
 )

 type fakeFirewallsProvider struct {
-	fw    map[string]*compute.Firewall
-	namer *utils.Namer
+	fw         map[string]*compute.Firewall
+	networkUrl string
 }

 // NewFakeFirewallsProvider creates a fake for firewall rules.
-func NewFakeFirewallsProvider(namer *utils.Namer) *fakeFirewallsProvider {
+func NewFakeFirewallsProvider() *fakeFirewallsProvider {
 	return &fakeFirewallsProvider{
-		fw:    make(map[string]*compute.Firewall),
-		namer: namer,
+		fw: make(map[string]*compute.Firewall),
 	}
 }

-func (f *fakeFirewallsProvider) GetFirewall(prefixedName string) (*compute.Firewall, error) {
-	rule, exists := f.fw[prefixedName]
+func (ff *fakeFirewallsProvider) GetFirewall(name string) (*compute.Firewall, error) {
+	rule, exists := ff.fw[name]
 	if exists {
 		return rule, nil
 	}
 	return nil, utils.FakeGoogleAPINotFoundErr()
 }

-func (f *fakeFirewallsProvider) CreateFirewall(name, msgTag string, srcRange netset.IPNet, ports []int64, hosts []string) error {
-	prefixedName := f.namer.FrName(name)
-	strPorts := []string{}
-	for _, p := range ports {
-		strPorts = append(strPorts, strconv.FormatInt(p, 10))
-	}
-	if _, exists := f.fw[prefixedName]; exists {
-		return fmt.Errorf("firewall rule %v already exists", prefixedName)
-	}
-
-	f.fw[prefixedName] = &compute.Firewall{
-		// To accurately mimic the cloudprovider we need to add the k8s-fw
-		// prefix to the given rule name.
-		Name:         prefixedName,
-		SourceRanges: srcRange.StringSlice(),
-		Allowed:      []*compute.FirewallAllowed{{Ports: strPorts}},
-		TargetTags:   hosts, // WARNING: This is actually not correct, but good enough for testing this package
+func (ff *fakeFirewallsProvider) CreateFirewall(f *compute.Firewall) error {
+	if _, exists := ff.fw[f.Name]; exists {
+		return fmt.Errorf("firewall rule %v already exists", f.Name)
 	}
+	ff.fw[f.Name] = f
 	return nil
 }

-func (f *fakeFirewallsProvider) DeleteFirewall(name string) error {
+func (ff *fakeFirewallsProvider) DeleteFirewall(name string) error {
 	// We need the full name for the same reason as CreateFirewall.
-	prefixedName := f.namer.FrName(name)
-	_, exists := f.fw[prefixedName]
+	_, exists := ff.fw[name]
 	if !exists {
 		return utils.FakeGoogleAPINotFoundErr()
 	}

-	delete(f.fw, prefixedName)
+	delete(ff.fw, name)
 	return nil
 }

-func (f *fakeFirewallsProvider) UpdateFirewall(name, msgTag string, srcRange netset.IPNet, ports []int64, hosts []string) error {
-	strPorts := []string{}
-	for _, p := range ports {
-		strPorts = append(strPorts, strconv.FormatInt(p, 10))
-	}
-
+func (ff *fakeFirewallsProvider) UpdateFirewall(f *compute.Firewall) error {
 	// We need the full name for the same reason as CreateFirewall.
-	prefixedName := f.namer.FrName(name)
-	_, exists := f.fw[prefixedName]
+	_, exists := ff.fw[f.Name]
 	if !exists {
-		return fmt.Errorf("update failed for rule %v, srcRange %v ports %v, rule not found", prefixedName, srcRange, ports)
+		return fmt.Errorf("update failed for rule %v, srcRange %v ports %+v, rule not found", f.Name, f.SourceRanges, f.Allowed)
 	}

-	f.fw[prefixedName] = &compute.Firewall{
-		Name:         name,
-		SourceRanges: srcRange.StringSlice(),
-		Allowed:      []*compute.FirewallAllowed{{Ports: strPorts}},
-		TargetTags:   hosts, // WARNING: This is actually not correct, but good enough for testing this package
-	}
+	ff.fw[f.Name] = f
 	return nil
 }
+
+func (ff *fakeFirewallsProvider) NetworkURL() string {
+	return ff.networkUrl
+}
+
+func (ff *fakeFirewallsProvider) GetNodeTags(nodeNames []string) ([]string, error) {
+	return nodeNames, nil
+}
--- a/controllers/gce/firewalls/firewalls.go
+++ b/controllers/gce/firewalls/firewalls.go
@ -35,18 +35,18 @@ var l7SrcRanges = []string{"130.211.0.0/22", "35.191.0.0/16"}
 type FirewallRules struct {
 	cloud     Firewall
 	namer     *utils.Namer
-	srcRanges netset.IPNet
+	srcRanges []string
 }

 // NewFirewallPool creates a new firewall rule manager.
 // cloud: the cloud object implementing Firewall.
 // namer: cluster namer.
 func NewFirewallPool(cloud Firewall, namer *utils.Namer) SingleFirewallPool {
-	srcNetSet, err := netset.ParseIPNets(l7SrcRanges...)
+	_, err := netset.ParseIPNets(l7SrcRanges...)
 	if err != nil {
 		glog.Fatalf("Could not parse L7 src ranges %v for firewall rule: %v", l7SrcRanges, err)
 	}
-	return &FirewallRules{cloud: cloud, namer: namer, srcRanges: srcNetSet}
+	return &FirewallRules{cloud: cloud, namer: namer, srcRanges: l7SrcRanges}
 }

 // Sync sync firewall rules with the cloud.
@ -60,9 +60,15 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
 	// instead of the whole name.
 	name := fr.namer.FrName(suffix)
 	rule, _ := fr.cloud.GetFirewall(name)
+
+	firewall, err := fr.createFirewallObject(name, "GCE L7 firewall rule", nodePorts, nodeNames)
+	if err != nil {
+		return err
+	}
+
 	if rule == nil {
 		glog.Infof("Creating global l7 firewall rule %v", name)
-		return fr.cloud.CreateFirewall(suffix, "GCE L7 firewall rule", fr.srcRanges, nodePorts, nodeNames)
+		return fr.cloud.CreateFirewall(firewall)
 	}

 	requiredPorts := sets.NewString()
@ -85,17 +91,17 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
 		glog.V(4).Info("Firewall does not need update of ports or source ranges")
 		return nil
 	}
-
 	glog.V(3).Infof("Firewall %v already exists, updating nodeports %v", name, nodePorts)
-	return fr.cloud.UpdateFirewall(suffix, "GCE L7 firewall", fr.srcRanges, nodePorts, nodeNames)
+	return fr.cloud.UpdateFirewall(firewall)
 }

 // Shutdown shuts down this firewall rules manager.
 func (fr *FirewallRules) Shutdown() error {
-	glog.Infof("Deleting firewall with suffix %v", fr.namer.FrSuffix())
-	err := fr.cloud.DeleteFirewall(fr.namer.FrSuffix())
+	name := fr.namer.FrName(fr.namer.FrSuffix())
+	glog.Infof("Deleting firewall %v", name)
+	err := fr.cloud.DeleteFirewall(name)
 	if err != nil && utils.IsHTTPErrorCode(err, 404) {
-		glog.Infof("Firewall with suffix %v didn't exist at Shutdown", fr.namer.FrSuffix())
+		glog.Infof("Firewall with name %v didn't exist at Shutdown", name)
 		return nil
 	}
 	return err
@ -107,3 +113,31 @@ func (fr *FirewallRules) Shutdown() error {
 func (fr *FirewallRules) GetFirewall(name string) (*compute.Firewall, error) {
 	return fr.cloud.GetFirewall(name)
 }
+
+func (fr *FirewallRules) createFirewallObject(firewallName, description string, nodePorts []int64, nodeNames []string) (*compute.Firewall, error) {
+	ports := make([]string, len(nodePorts))
+	for ix := range nodePorts {
+		ports[ix] = strconv.Itoa(int(nodePorts[ix]))
+	}
+
+	// If the node tags to be used for this cluster have been predefined in the
+	// provider config, just use them. Otherwise, invoke computeHostTags method to get the tags.
+	targetTags, err := fr.cloud.GetNodeTags(nodeNames)
+	if err != nil {
+		return nil, err
+	}
+
+	return &compute.Firewall{
+		Name:         firewallName,
+		Description:  description,
+		SourceRanges: fr.srcRanges,
+		Network:      fr.cloud.NetworkURL(),
+		Allowed: []*compute.FirewallAllowed{
+			{
+				IPProtocol: "tcp",
+				Ports:      ports,
+			},
+		},
+		TargetTags: targetTags,
+	}, nil
+}
--- a/controllers/gce/firewalls/firewalls_test.go
+++ b/controllers/gce/firewalls/firewalls_test.go
@ -22,14 +22,11 @@ import (

 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/ingress/controllers/gce/utils"
-	netset "k8s.io/kubernetes/pkg/util/net/sets"
 )

-const allCIDR = "0.0.0.0/0"
-
 func TestSyncFirewallPool(t *testing.T) {
 	namer := utils.NewNamer("ABC", "XYZ")
-	fwp := NewFakeFirewallsProvider(namer)
+	fwp := NewFakeFirewallsProvider()
 	fp := NewFirewallPool(fwp, namer)
 	ruleName := namer.FrName(namer.FrSuffix())

@ -50,12 +47,16 @@ func TestSyncFirewallPool(t *testing.T) {
 	}
 	verifyFirewallRule(fwp, ruleName, nodePorts, nodes, l7SrcRanges, t)

-	srcRanges, _ := netset.ParseIPNets(allCIDR)
-	err = fwp.UpdateFirewall(namer.FrSuffix(), "", srcRanges, nodePorts, nodes)
+	firewall, err := fp.(*FirewallRules).createFirewallObject(namer.FrName(namer.FrSuffix()), "", nodePorts, nodes)
+	if err != nil {
+		t.Errorf("unexpected err when creating firewall object, err: %v", err)
+	}
+
+	err = fwp.UpdateFirewall(firewall)
 	if err != nil {
 		t.Errorf("failed to update firewall rule, err: %v", err)
 	}
-	verifyFirewallRule(fwp, ruleName, nodePorts, nodes, []string{allCIDR}, t)
+	verifyFirewallRule(fwp, ruleName, nodePorts, nodes, l7SrcRanges, t)

 	// Run Sync and expect l7 src ranges to be returned
 	err = fp.Sync(nodePorts, nodes)
--- a/controllers/gce/firewalls/interfaces.go
+++ b/controllers/gce/firewalls/interfaces.go
@ -18,7 +18,6 @@ package firewalls

 import (
 	compute "google.golang.org/api/compute/v1"
-	netset "k8s.io/kubernetes/pkg/util/net/sets"
 )

 // SingleFirewallPool syncs the firewall rule for L7 traffic.
@ -32,8 +31,10 @@ type SingleFirewallPool interface {
 // This interface is a little different from the rest because it dovetails into
 // the same firewall methods used by the TCPLoadBalancer.
 type Firewall interface {
-	CreateFirewall(name, msgTag string, srcRange netset.IPNet, ports []int64, hosts []string) error
+	CreateFirewall(f *compute.Firewall) error
 	GetFirewall(name string) (*compute.Firewall, error)
 	DeleteFirewall(name string) error
-	UpdateFirewall(name, msgTag string, srcRange netset.IPNet, ports []int64, hosts []string) error
+	UpdateFirewall(f *compute.Firewall) error
+	GetNodeTags(nodeNames []string) ([]string, error)
+	NetworkURL() string
 }