SREP-3725: support VPC CIDR-based security group rules#360
Conversation
Add useVpcCidr option to SecurityGroup spec that uses the VPC CIDR block for security group rules instead of cluster-specific security group IDs. This enables multi-cluster VPC environments where multiple clusters need to access shared VPC endpoints. Also fixes copy-paste bugs in egress rule generation where IngressRules[i] was referenced instead of EgressRules[i].
openshift-ci-robot
added
the
jira/valid-reference
|
@dustman9000: This pull request references SREP-3725 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dustman9000 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@dustman9000: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #360 +/- ##
==========================================
+ Coverage 39.60% 40.69% +1.08%
==========================================
Files 32 32
Lines 2040 2106 +66
==========================================
+ Hits 808 857 +49
- Misses 1134 1145 +11
- Partials 98 104 +6
🚀 New features to boost your workflow:
|
| create := true | ||
| for _, rule := range rulesResp.SecurityGroupRules { | ||
| if avoAndAwsSecurityGroupRuleCandidate(true, resource.Spec.SecurityGroup.IngressRules[i], rule) { | ||
| if avoAndAwsSecurityGroupRuleCandidate(true, resource.Spec.SecurityGroup.EgressRules[i], rule) { |
There was a problem hiding this comment.
Are we sure this was a typo? Looks to have been made over 3 years ago now, I would expect us to have seen issues? d964e88
There was a problem hiding this comment.
Yeah, it is a bug, but it's been harmless in practice because every VpcEndpoint CR we deploy configures identical ingress and egress rules (same ports, same protocol, same CidrIp). So IngressRules[i] and EgressRules[i] always had the same values at matching indices, and the wrong reference produced the correct result by coincidence.
Where it would actually break is if someone configured different rules for ingress vs egress (different ports, different protocols, or CidrIp on one but not the other). In that case the egress rule candidate matching would compare against the wrong port/protocol/CIDR. Since we've never done that, it's never surfaced.
Happy to split the bug fix into a separate commit if that's cleaner.
|
/lgtm |
4 participants
Jira: https://issues.redhat.com/browse/SREP-3725
Summary
useVpcCidroption toSecurityGroupspec that uses the VPC CIDR block for security group rules instead of cluster-specific security group IDsIngressRules[i]was referenced instead ofEgressRules[i]Details
When
spec.securityGroup.useVpcCidris set totrue, rules without an explicitcidrIpwill resolve the VPC CIDR block and create IpRanges-based rules instead of discovering cluster node security group IDs. The default (false) preserves existing behavior.Reference: HCMSEC-2832
Test plan
GetVpcCidrBlockAWS client methoduseVpcCidr: trueand verify SG rules use VPC CIDR