From be5a39bce4174f487aa6b7b644b6ebe056b6bddf Mon Sep 17 00:00:00 2001 From: Anand Kumar Date: Thu, 27 Jul 2023 21:41:31 -0700 Subject: [PATCH] Add a flag to enable/disable support for vpc peering Signed-off-by: Anand Kumar --- pkg/cloudprovider/plugins/aws/aws_ec2.go | 8 +++- .../plugins/aws/aws_security_impl.go | 6 ++- .../plugins/aws/aws_security_test.go | 6 ++- pkg/cloudprovider/plugins/aws/aws_test.go | 40 +++++++++++++------ .../plugins/azure/azure_compute.go | 7 +++- .../plugins/azure/azure_security_impl.go | 38 +++++++++--------- .../plugins/azure/azure_security_test.go | 7 ++++ .../plugins/internal/cloud_common.go | 1 + 8 files changed, 76 insertions(+), 37 deletions(-) diff --git a/pkg/cloudprovider/plugins/aws/aws_ec2.go b/pkg/cloudprovider/plugins/aws/aws_ec2.go index 71eb5519..ab156e01 100644 --- a/pkg/cloudprovider/plugins/aws/aws_ec2.go +++ b/pkg/cloudprovider/plugins/aws/aws_ec2.go @@ -237,9 +237,13 @@ func (ec2Cfg *ec2ServiceConfig) DoResourceInventory() error { awsPluginLogger().V(1).Info("Vpcs from cloud", "account", ec2Cfg.accountNamespacedName, "vpcs", len(vpcs)) vpcNameToId := ec2Cfg.buildMapVpcNameToId(vpcs) - vpcPeers, _ := ec2Cfg.buildMapVpcPeers() - allInstances := make(map[types.NamespacedName][]*ec2.Instance) + var vpcPeers map[string][]string + if internal.VpcPeeringEnabled { + vpcPeers, _ = ec2Cfg.buildMapVpcPeers() + } + + allInstances := make(map[types.NamespacedName][]*ec2.Instance) // Call cloud APIs for the configured CloudEntitySelectors CRs. if len(ec2Cfg.selectors) == 0 { awsPluginLogger().V(1).Info("Fetching vm resources from cloud skipped", diff --git a/pkg/cloudprovider/plugins/aws/aws_security_impl.go b/pkg/cloudprovider/plugins/aws/aws_security_impl.go index 543e60a4..64cd43ec 100644 --- a/pkg/cloudprovider/plugins/aws/aws_security_impl.go +++ b/pkg/cloudprovider/plugins/aws/aws_security_impl.go @@ -68,8 +68,10 @@ func (c *awsCloud) UpdateSecurityGroupRules(appliedToGroupIdentifier *cloudresou // make sure all required security groups pre-exist ec2Service := accCfg.GetServiceConfig().(*ec2ServiceConfig) vpcIDs := []string{vpcID} - vpcPeerIDs := ec2Service.getVpcPeers(vpcID) - vpcIDs = append(vpcIDs, vpcPeerIDs...) + if internal.VpcPeeringEnabled { + vpcPeerIDs := ec2Service.getVpcPeers(vpcID) + vpcIDs = append(vpcIDs, vpcPeerIDs...) + } cloudSGNameToCloudSGObj, err := ec2Service.getCloudSecurityGroupsWithNameFromCloud(vpcIDs, cloudSgNames) if err != nil { return err diff --git a/pkg/cloudprovider/plugins/aws/aws_security_test.go b/pkg/cloudprovider/plugins/aws/aws_security_test.go index 052399d6..07bf7fdd 100644 --- a/pkg/cloudprovider/plugins/aws/aws_security_test.go +++ b/pkg/cloudprovider/plugins/aws/aws_security_test.go @@ -34,6 +34,7 @@ import ( crdv1alpha1 "antrea.io/nephe/apis/crd/v1alpha1" runtimev1alpha1 "antrea.io/nephe/apis/runtime/v1alpha1" "antrea.io/nephe/pkg/cloudprovider/cloudresource" + "antrea.io/nephe/pkg/cloudprovider/plugins/internal" "antrea.io/nephe/pkg/cloudprovider/utils" "antrea.io/nephe/pkg/config" ) @@ -120,8 +121,9 @@ var _ = Describe("AWS Cloud Security", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).AnyTimes() mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(&ec2.DescribeVpcsOutput{}, nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, nil).AnyTimes() - + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, nil).AnyTimes() + } fakeClient := fake.NewClientBuilder().Build() _ = fakeClient.Create(context.Background(), secret) cloudInterface = newAWSCloud(mockawsCloudHelper) diff --git a/pkg/cloudprovider/plugins/aws/aws_test.go b/pkg/cloudprovider/plugins/aws/aws_test.go index 666bbb8a..b68a53d9 100644 --- a/pkg/cloudprovider/plugins/aws/aws_test.go +++ b/pkg/cloudprovider/plugins/aws/aws_test.go @@ -35,6 +35,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client/fake" "antrea.io/nephe/apis/crd/v1alpha1" + "antrea.io/nephe/pkg/cloudprovider/plugins/internal" ) var ( @@ -145,8 +146,10 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).Times(0) mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(createVpcObject(vpcIDs), nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, - nil).AnyTimes() + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, + nil).AnyTimes() + } _ = fakeClient.Create(context.Background(), secret) c := newAWSCloud(mockawsCloudHelper) @@ -180,8 +183,10 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).Times(0) mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(createVpcObject(vpcIDs), nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, - nil).AnyTimes() + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, + nil).AnyTimes() + } _ = fakeClient.Create(context.Background(), secret) c := newAWSCloud(mockawsCloudHelper) @@ -216,8 +221,10 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).Times(0) mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(createVpcObject(vpcIDs), nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, - nil).AnyTimes() + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, + nil).AnyTimes() + } _ = fakeClient.Create(context.Background(), secret) c := newAWSCloud(mockawsCloudHelper) @@ -237,7 +244,9 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).Times(0) mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).Times(0) mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(&ec2.DescribeVpcsOutput{}, nil).Times(0) - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, nil).Times(0) + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, nil).Times(0) + } }) It("Should discover instances when selector is in different namespace from account", func() { instanceIds := []string{"i-01", "i-02"} @@ -274,8 +283,10 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).AnyTimes() mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(&ec2.DescribeVpcsOutput{}, nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, - nil).AnyTimes() + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, + nil).AnyTimes() + } _ = fakeClient.Create(context.Background(), secret) c := newAWSCloud(mockawsCloudHelper) @@ -300,8 +311,10 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).AnyTimes() mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(&ec2.DescribeVpcsOutput{}, nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, - nil).AnyTimes() + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, + nil).AnyTimes() + } _ = fakeClient.Create(context.Background(), secret) c := newAWSCloud(mockawsCloudHelper) err := c.AddProviderAccount(fakeClient, account) @@ -408,7 +421,10 @@ var _ = Describe("AWS cloud", func() { mockawsEC2.EXPECT().pagedDescribeInstancesWrapper(gomock.Any()).Return(getEc2InstanceObject(instanceIds), nil).AnyTimes() mockawsEC2.EXPECT().pagedDescribeNetworkInterfaces(gomock.Any()).Return([]*ec2.NetworkInterface{}, nil).AnyTimes() mockawsEC2.EXPECT().describeVpcsWrapper(gomock.Any()).Return(&ec2.DescribeVpcsOutput{}, nil).AnyTimes() - mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()).Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, nil).AnyTimes() + if internal.VpcPeeringEnabled { + mockawsEC2.EXPECT().describeVpcPeeringConnectionsWrapper(gomock.Any()). + Return(&ec2.DescribeVpcPeeringConnectionsOutput{}, nil).AnyTimes() + } }) AfterEach(func() { diff --git a/pkg/cloudprovider/plugins/azure/azure_compute.go b/pkg/cloudprovider/plugins/azure/azure_compute.go index 342ce684..120e779f 100644 --- a/pkg/cloudprovider/plugins/azure/azure_compute.go +++ b/pkg/cloudprovider/plugins/azure/azure_compute.go @@ -240,7 +240,12 @@ func (computeCfg *computeServiceConfig) DoResourceInventory() error { } azurePluginLogger().V(1).Info("Vpcs from cloud", "account", computeCfg.accountNamespacedName, "vpcs", len(vnets)) - vnetPeers := computeCfg.buildMapVpcPeers(vnets) + + var vnetPeers map[string][][]string + if internal.VpcPeeringEnabled { + vnetPeers = computeCfg.buildMapVpcPeers(vnets) + } + allVirtualMachines := make(map[types.NamespacedName][]*virtualMachineTable) // Make cloud API calls for fetching vm inventory for each configured CES. diff --git a/pkg/cloudprovider/plugins/azure/azure_security_impl.go b/pkg/cloudprovider/plugins/azure/azure_security_impl.go index 9809baab..b2fd0c89 100644 --- a/pkg/cloudprovider/plugins/azure/azure_security_impl.go +++ b/pkg/cloudprovider/plugins/azure/azure_security_impl.go @@ -102,7 +102,6 @@ func (c *azureCloud) UpdateSecurityGroupRules(appliedToGroupIdentifier *cloudres return err } - vnetPeerPairs := computeService.getVnetPeers(vnetID) vnetCachedIDs := computeService.getManagedVnetIds() vnetVMs := computeService.getAllCachedVirtualMachines() // ruleIP := vnetVMs[len(vnetVMs)-1].NetworkInterfaces[0].PrivateIps[0] @@ -113,26 +112,29 @@ func (c *azureCloud) UpdateSecurityGroupRules(appliedToGroupIdentifier *cloudres // convert to azure security rules and build effective rules to be applied to AT sg azure NSG var rules []*armnetwork.SecurityRule flag := 0 - for _, vnetPeerPair := range vnetPeerPairs { - vnetPeerID, _, _ := vnetPeerPair[0], vnetPeerPair[1], vnetPeerPair[2] - - if _, ok := vnetCachedIDs[vnetPeerID]; ok { - var ruleIP *string - for _, vnetVM := range vnetVMs { - azurePluginLogger().Info("Accessing VM network interfaces", "VM", vnetVM.Name) - if *vnetVM.VnetID == vnetID { - ruleIP = vnetVM.NetworkInterfaces[0].PrivateIps[0] + if internal.VpcPeeringEnabled { + vnetPeerPairs := computeService.getVnetPeers(vnetID) + for _, vnetPeerPair := range vnetPeerPairs { + vnetPeerID, _, _ := vnetPeerPair[0], vnetPeerPair[1], vnetPeerPair[2] + + if _, ok := vnetCachedIDs[vnetPeerID]; ok { + var ruleIP *string + for _, vnetVM := range vnetVMs { + azurePluginLogger().Info("Accessing VM network interfaces", "VM", vnetVM.Name) + if *vnetVM.VnetID == vnetID { + ruleIP = vnetVM.NetworkInterfaces[0].PrivateIps[0] + } + flag = 1 + break + } + rules, err = computeService.buildEffectivePeerNSGSecurityRulesToApply(&appliedToGroupIdentifier.CloudResourceID, addRules, + rmRules, appliedToGroupPerVnetNsgName, rgName, ruleIP) + if err != nil { + azurePluginLogger().Error(err, "fail to build effective rules to be applied") + return err } - flag = 1 break } - rules, err = computeService.buildEffectivePeerNSGSecurityRulesToApply(&appliedToGroupIdentifier.CloudResourceID, addRules, - rmRules, appliedToGroupPerVnetNsgName, rgName, ruleIP) - if err != nil { - azurePluginLogger().Error(err, "fail to build effective rules to be applied") - return err - } - break } } if flag == 0 { diff --git a/pkg/cloudprovider/plugins/azure/azure_security_test.go b/pkg/cloudprovider/plugins/azure/azure_security_test.go index 63f554bf..33048d2d 100644 --- a/pkg/cloudprovider/plugins/azure/azure_security_test.go +++ b/pkg/cloudprovider/plugins/azure/azure_security_test.go @@ -36,6 +36,7 @@ import ( crdv1alpha1 "antrea.io/nephe/apis/crd/v1alpha1" "antrea.io/nephe/apis/runtime/v1alpha1" "antrea.io/nephe/pkg/cloudprovider/cloudresource" + "antrea.io/nephe/pkg/cloudprovider/plugins/internal" "antrea.io/nephe/pkg/cloudprovider/utils" "antrea.io/nephe/pkg/config" ) @@ -783,6 +784,9 @@ var _ = Describe("Azure Cloud Security", func() { }) It("Should update Security rules for Peerings", func() { + if !internal.VpcPeeringEnabled { + Skip("Peering feature is disabled") + } webAddressGroupIdentifier03 := &cloudresource.CloudResource{ Type: cloudresource.CloudResourceTypeVM, CloudResourceID: cloudresource.CloudResourceID{ @@ -829,6 +833,9 @@ var _ = Describe("Azure Cloud Security", func() { // Creating cloud security rules without a description field is not allowed. It("Should fail to update Security rules for Peerings -- invalid namespacedname", func() { + if !internal.VpcPeeringEnabled { + Skip("Peering feature is disabled") + } webAddressGroupIdentifier03 := &cloudresource.CloudResource{ Type: cloudresource.CloudResourceTypeVM, CloudResourceID: cloudresource.CloudResourceID{ diff --git a/pkg/cloudprovider/plugins/internal/cloud_common.go b/pkg/cloudprovider/plugins/internal/cloud_common.go index f9cae697..ea516eb8 100644 --- a/pkg/cloudprovider/plugins/internal/cloud_common.go +++ b/pkg/cloudprovider/plugins/internal/cloud_common.go @@ -37,6 +37,7 @@ var ( MaxCloudResourceResponse int64 = 100 InventoryInitWaitDuration = time.Second * 30 AccountCredentialsDefault = "default" + VpcPeeringEnabled = false ) type InstanceID string