From 587dfab7cf9e2a0f34a845936ca7957613174a79 Mon Sep 17 00:00:00 2001
From: Stefan Majer
Date: Mon, 20 Nov 2023 13:57:50 +0100
Subject: [PATCH 1/2] First draft of API for isolated clusters

---
 example/controller-registration.yaml | 2 +-
 pkg/apis/metal/types_cloudprofile.go | 31 +++++++
 pkg/apis/metal/types_controlplane.go | 27 ++++++
 pkg/apis/metal/v1alpha1/types_cloudprofile.go | 30 +++++++
 pkg/apis/metal/v1alpha1/types_controlplane.go | 25 ++++++
 .../metal/v1alpha1/zz_generated.conversion.go | 85 +++++++++++++++++++
 .../metal/v1alpha1/zz_generated.deepcopy.go | 58 +++++++++++++
 pkg/apis/metal/zz_generated.deepcopy.go | 58 +++++++++++++
 8 files changed, 315 insertions(+), 1 deletion(-)

diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
index b88bb4f14..c539f1a2a 100644
--- a/example/controller-registration.yaml
+++ b/example/controller-registration.yaml
@@ -8,7 +8,7 @@ providerConfig:
 chart: 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
 values:
 image:
- tag: v0.21.1
+ tag: v0.20.20
 ---
 apiVersion: core.gardener.cloud/v1beta1
 kind: ControllerRegistration
diff --git a/pkg/apis/metal/types_cloudprofile.go b/pkg/apis/metal/types_cloudprofile.go
index 5f671a14e..1a5231c86 100644
--- a/pkg/apis/metal/types_cloudprofile.go
+++ b/pkg/apis/metal/types_cloudprofile.go
@@ -1,6 +1,7 @@
 package metal
 
 import (
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -66,4 +67,34 @@ const (
 type Partition struct {
 // FirewallTypes is a list of available firewall machine types in this partition. When empty, allows all values.
 FirewallTypes []string
+
+ // NetworkIsolation if given allows the creation of shoot clusters which have network restrictions activated.
+ // +optional
+ NetworkIsolation *NetworkIsolation
+}
+
+type NetworkIsolation struct {
+ // AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.
+ AllowedNetworks []string
+ // DNSServers
+ DNSServers []NetworkServer
+ // NTPServers
+ NTPServers []NetworkServer
+ // The registry which serves the images required to create a shoot.
+ Registry NetworkServer
+}
+
+type NetworkServer struct {
+ // Name describes this server
+ Name string
+ // Hostname is typically the dns name of this server
+ Hostname string
+ // IP is the ipv4 or ipv6 address of this server
+ IP string
+ // IPFamily defines the family of the ip
+ IPFamily corev1.IPFamily
+ // Port at which port the service is reachable
+ Port int32
+ // Proto the network protocol to reach the service
+ Proto corev1.Protocol
 }
diff --git a/pkg/apis/metal/types_controlplane.go b/pkg/apis/metal/types_controlplane.go
index fb0c49b93..e3ebd9aae 100644
--- a/pkg/apis/metal/types_controlplane.go
+++ b/pkg/apis/metal/types_controlplane.go
@@ -19,6 +19,10 @@ type ControlPlaneConfig struct {
 // CustomDefaultStorageClass
 CustomDefaultStorageClass *CustomDefaultStorageClass
+
+ // NetworkAccessType defines how the cluster can reach external networks.
+ // +optional
+ NetworkAccessType *NetworkAccessType
 }
 
 // CustomDefaultStorageClass defines the custom storageclass which should be set as default
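Review bot: The `NetworkIsolation` and `NetworkServer` fields added to `Partition` are the data a restricted or forbidden cluster's firewall rules are built from (the `NetworkAccessForbidden` comment in this patch says the list "is enforced by the firewall"), yet `AllowedNetworks`, `IP`, `Port` and `Proto` carry no format contract, `DNSServers`/`NTPServers` have empty doc comments, and no validation for the new type is added in this patch. A malformed cloud-profile entry (a non-CIDR string, an `IP` whose family disagrees with `IPFamily`, a zero `Port`) would therefore only be caught by whatever the firewall does with it, which I cannot see from here. Suggest pinning the format in the comments, e.g. `// AllowedNetworks is a list of CIDRs (IPv4 or IPv6) that restricted or forbidden clusters may reach in addition to the DNS, NTP and registry servers below.` and `// IP is the IPv4 or IPv6 address of this server; it must be consistent with IPFamily.`, and adding a `ValidateNetworkIsolation` to the validation package that rejects entries not satisfying that. Since `IPFamily` is derivable from `IP`, consider dropping it or at least validating the two agree so the firewall cannot be handed contradictory input.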
@@ -52,6 +56,7 @@ type ControlPlaneFeatures struct {
 // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries)
 // by using DNS egress policies.
 // Requires firewall-controller >= 1.2.0.
+ // Deprecated: Will be replaced by NetworkAccessRestricted.
 // +optional
 RestrictEgress *bool `json:"restrictEgress,omitempty"`
 }
@@ -66,3 +71,25 @@ type CloudControllerManagerConfig struct {
 // +optional
 DefaultExternalNetwork *string
 }
+
+type (
+ // NetworkAccessType defines how a cluster is capable of accessing external networks
+ NetworkAccessType string
+)
+
+const (
+ // NetworkAccessBaseline allows the cluster to access external networks in a baseline manner
+ NetworkAccessBaseline = NetworkAccessType("baseline")
+ // NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.
+ // Therefor registries, dns and ntp destinations must be specified in the cloud-profile accordingly-
+ // If this is not the case, restricting the access must not be possible.
+ // Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.
+ // customers can define own rules to access external networks as in the baseline.
+ // Service type loadbalancers are also not restricted.
+ NetworkAccessRestricted = NetworkAccessType("restricted")
+ // NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.
+ // which are outside of a given list of allowed networks. This is enforced by the firewall.
+ // Service type loadbalancers are also not possible to open a service ip which is not in the list of allowed networks.
+ // This is also enforced by the firewall.
+ NetworkAccessForbidden = NetworkAccessType("baseline")
+)
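Review bot: `NetworkAccessForbidden` is defined as `NetworkAccessType("baseline")`, the same string as `NetworkAccessBaseline`, so a shoot asking for the most restrictive mode is indistinguishable from one with unrestricted egress and any comparison or switch on the value silently lands in the least restrictive branch; the line should read `NetworkAccessForbidden = NetworkAccessType("forbidden")`. Because the type is a plain string, a `ControlPlaneConfig.NetworkAccessType` holding any other value would also be accepted as-is, so the validation package should reject everything outside the three constants and, as the `NetworkAccessRestricted` comment itself demands, reject `restricted`/`forbidden` for a partition whose `NetworkIsolation` is nil. The deprecation marker on `RestrictEgress` names a constant rather than the replacement field; `// Deprecated: use ControlPlaneConfig.NetworkAccessType instead.` is what tooling and readers need. `ControlPlaneFeatures` and `CloudControllerManagerConfig` both start before their hunks.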
diff --git a/pkg/apis/metal/v1alpha1/types_cloudprofile.go b/pkg/apis/metal/v1alpha1/types_cloudprofile.go
index a1741334a..4e1338afd 100644
--- a/pkg/apis/metal/v1alpha1/types_cloudprofile.go
+++ b/pkg/apis/metal/v1alpha1/types_cloudprofile.go
@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -72,4 +73,33 @@ const (
 type Partition struct {
 // FirewallTypes is a list of available firewall machine types in this partition. When empty, allows all values.
 FirewallTypes []string `json:"firewallTypes"`
+
+ // NetworkIsolation if given allows the creation of shoot clusters which have network restrictions activated.
+ NetworkIsolation *NetworkIsolation `json:"networkIsolation,omitempty"`
+}
+
+type NetworkIsolation struct {
+ // AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.
+ AllowedNetworks []string `json:"allowedNetworks,omitempty"`
+ // DNSServers
+ DNSServers []NetworkServer `json:"dnsServers,omitempty"`
+ // NTPServers
+ NTPServers []NetworkServer `json:"ntpServers,omitempty"`
+ // The registry which serves the images required to create a shoot.
+ Registry NetworkServer `json:"registry,omitempty"`
+}
+
+type NetworkServer struct {
+ // Name describes this server
+ Name string `json:"name,omitempty"`
+ // Hostname is typically the dns name of this server
+ Hostname string `json:"hostname,omitempty"`
+ // IP is the ipv4 or ipv6 address of this server
+ IP string `json:"ip,omitempty"`
+ // IPFamily defines the family of the ip
+ IPFamily corev1.IPFamily `json:"ipfamily,omitempty"`
+ // Port at which port the service is reachable
+ Port int32 `json:"port,omitempty"`
+ // Proto the network protocol to reach the service
+ Proto corev1.Protocol `json:"proto,omitempty"`
 }
diff --git a/pkg/apis/metal/v1alpha1/types_controlplane.go b/pkg/apis/metal/v1alpha1/types_controlplane.go
index ca17e09db..7962b7ba3 100644
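Review bot: `Registry NetworkServer `json:"registry,omitempty"`` is a struct-valued field, and encoding/json never considers a struct "empty", so the `omitempty` is a no-op and the field is always serialised; either make it `*NetworkServer` (the shape the `+optional` convention in this file expects) or drop the option so readers are not misled into thinking it can be omitted. The tag `json:"ipfamily,omitempty"` breaks the camelCase used by every other tag in the hunk (`firewallTypes`, `dnsServers`, `allowedNetworks`) and should be `json:"ipFamily,omitempty"`; v1alpha1 tags are the wire format, so this is only cheap to fix before the field ships. The `NetworkIsolation` field is also missing the `// +optional` marker that its internal counterpart and the sibling `NetworkAccessType` field in this patch carry.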
--- a/pkg/apis/metal/v1alpha1/types_controlplane.go
+++ b/pkg/apis/metal/v1alpha1/types_controlplane.go
@@ -19,6 +19,10 @@ type ControlPlaneConfig struct {
 // CustomDefaultStorageClass
 CustomDefaultStorageClass *CustomDefaultStorageClass `json:"customDefaultStorageClass,omitempty"`
+
+ // NetworkAccessType defines how the cluster can reach external networks.
+ // +optional
+ NetworkAccessType *NetworkAccessType `json:"networkAccessType,omitempty"`
 }
 
 // CustomDefaultStorageClass defines the custom storageclass which should be set as default
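Review bot: The doc comment on the new `NetworkAccessType` field does not say what a nil value means, nor how it combines with the `RestrictEgress` feature flag that this patch deprecates but keeps user-settable, so a shoot can carry `restrictEgress: true` next to `networkAccessType: baseline` with no stated winner. Suggest making the contract explicit in the comment, e.g. `// NetworkAccessType defines how the cluster can reach external networks. Unset is treated as baseline; when set it supersedes the deprecated RestrictEgress flag.` (adjust if the intended default differs) and enforcing the chosen precedence in validation rather than leaving it to the controller. `ControlPlaneConfig` begins before this hunk.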
@@ -67,3 +71,24 @@ type CloudControllerManagerConfig struct {
 // +optional
 DefaultExternalNetwork *string `json:"defaultExternalNetwork" optional:"true"`
 }
+type (
+ // NetworkAccessType defines how a cluster is capable of accessing external networks
+ NetworkAccessType string
+)
+
+const (
+ // NetworkAccessBaseline allows the cluster to access external networks in a baseline manner
+ NetworkAccessBaseline = NetworkAccessType("baseline")
+ // NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.
+ // Therefor registries, dns and ntp destinations must be specified in the cloud-profile accordingly-
+ // If this is not the case, restricting the access must not be possible.
+ // Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.
+ // customers can define own rules to access external networks as in the baseline.
+ // Service type loadbalancers are also not restricted.
+ NetworkAccessRestricted = NetworkAccessType("restricted")
+ // NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.
+ // which are outside of a given list of allowed networks. This is enforced by the firewall.
+ // Service type loadbalancers are also not possible to open a service ip which is not in the list of allowed networks.
+ // This is also enforced by the firewall.
+ NetworkAccessForbidden = NetworkAccessType("baseline")
+)
diff --git a/pkg/apis/metal/v1alpha1/zz_generated.conversion.go b/pkg/apis/metal/v1alpha1/zz_generated.conversion.go
index 47193daff..d3a8b3ad9 100644
--- a/pkg/apis/metal/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/metal/v1alpha1/zz_generated.conversion.go
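Review bot: `NetworkAccessForbidden` in this v1alpha1 block is also `NetworkAccessType("baseline")` rather than `NetworkAccessType("forbidden")`, and this is the value that matters most: it is what users write into the shoot spec and what the generated conversion in this same patch copies into the internal type verbatim via an `unsafe.Pointer` cast, so a cluster declared forbidden is handed to the controller as baseline with no error anywhere. Change it to `NetworkAccessForbidden = NetworkAccessType("forbidden")` and add a validation check that the serialised string is one of the three known values, since a string-typed field otherwise accepts anything. A blank line between the closing `}` of `CloudControllerManagerConfig` and `type (` would match the layout of the internal package's copy.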
@@ -13,6 +13,7 @@ import ( unsafe "unsafe" metal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" + v1 "k8s.io/api/core/v1" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -154,6 +155,26 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*NetworkIsolation)(nil), (*metal.NetworkIsolation)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_NetworkIsolation_To_metal_NetworkIsolation(a.(*NetworkIsolation), b.(*metal.NetworkIsolation), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*metal.NetworkIsolation)(nil), (*NetworkIsolation)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_metal_NetworkIsolation_To_v1alpha1_NetworkIsolation(a.(*metal.NetworkIsolation), b.(*NetworkIsolation), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*NetworkServer)(nil), (*metal.NetworkServer)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_NetworkServer_To_metal_NetworkServer(a.(*NetworkServer), b.(*metal.NetworkServer), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*metal.NetworkServer)(nil), (*NetworkServer)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_metal_NetworkServer_To_v1alpha1_NetworkServer(a.(*metal.NetworkServer), b.(*NetworkServer), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*NftablesExporter)(nil), (*metal.NftablesExporter)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_NftablesExporter_To_metal_NftablesExporter(a.(*NftablesExporter), b.(*metal.NftablesExporter), scope) }); err != nil { 
@@ -245,6 +266,7 @@ func autoConvert_v1alpha1_ControlPlaneConfig_To_metal_ControlPlaneConfig(in *Con return err } out.CustomDefaultStorageClass = (*metal.CustomDefaultStorageClass)(unsafe.Pointer(in.CustomDefaultStorageClass)) + out.NetworkAccessType = (*metal.NetworkAccessType)(unsafe.Pointer(in.NetworkAccessType)) return nil } @@ -259,6 +281,7 @@ func autoConvert_metal_ControlPlaneConfig_To_v1alpha1_ControlPlaneConfig(in *met return err } out.CustomDefaultStorageClass = (*CustomDefaultStorageClass)(unsafe.Pointer(in.CustomDefaultStorageClass)) + out.NetworkAccessType = (*NetworkAccessType)(unsafe.Pointer(in.NetworkAccessType)) return nil } 
@@ -521,6 +544,66 @@ func Convert_metal_MetalControlPlane_To_v1alpha1_MetalControlPlane(in *metal.Met return autoConvert_metal_MetalControlPlane_To_v1alpha1_MetalControlPlane(in, out, s) } +func autoConvert_v1alpha1_NetworkIsolation_To_metal_NetworkIsolation(in *NetworkIsolation, out *metal.NetworkIsolation, s conversion.Scope) error { + out.AllowedNetworks = *(*[]string)(unsafe.Pointer(&in.AllowedNetworks)) + out.DNSServers = *(*[]metal.NetworkServer)(unsafe.Pointer(&in.DNSServers)) + out.NTPServers = *(*[]metal.NetworkServer)(unsafe.Pointer(&in.NTPServers)) + if err := Convert_v1alpha1_NetworkServer_To_metal_NetworkServer(&in.Registry, &out.Registry, s); err != nil { + return err + } + return nil +} + +// Convert_v1alpha1_NetworkIsolation_To_metal_NetworkIsolation is an autogenerated conversion function. +func Convert_v1alpha1_NetworkIsolation_To_metal_NetworkIsolation(in *NetworkIsolation, out *metal.NetworkIsolation, s conversion.Scope) error { + return autoConvert_v1alpha1_NetworkIsolation_To_metal_NetworkIsolation(in, out, s) +} + +func autoConvert_metal_NetworkIsolation_To_v1alpha1_NetworkIsolation(in *metal.NetworkIsolation, out *NetworkIsolation, s conversion.Scope) error { + out.AllowedNetworks = *(*[]string)(unsafe.Pointer(&in.AllowedNetworks)) + out.DNSServers = *(*[]NetworkServer)(unsafe.Pointer(&in.DNSServers)) + out.NTPServers = *(*[]NetworkServer)(unsafe.Pointer(&in.NTPServers)) + if err := Convert_metal_NetworkServer_To_v1alpha1_NetworkServer(&in.Registry, &out.Registry, s); err != nil { + return err + } + return nil +} + +// Convert_metal_NetworkIsolation_To_v1alpha1_NetworkIsolation is an autogenerated conversion function. 
+func Convert_metal_NetworkIsolation_To_v1alpha1_NetworkIsolation(in *metal.NetworkIsolation, out *NetworkIsolation, s conversion.Scope) error { + return autoConvert_metal_NetworkIsolation_To_v1alpha1_NetworkIsolation(in, out, s) +} + +func autoConvert_v1alpha1_NetworkServer_To_metal_NetworkServer(in *NetworkServer, out *metal.NetworkServer, s conversion.Scope) error { + out.Name = in.Name + out.Hostname = in.Hostname + out.IP = in.IP + out.IPFamily = v1.IPFamily(in.IPFamily) + out.Port = in.Port + out.Proto = v1.Protocol(in.Proto) + return nil +} + +// Convert_v1alpha1_NetworkServer_To_metal_NetworkServer is an autogenerated conversion function. +func Convert_v1alpha1_NetworkServer_To_metal_NetworkServer(in *NetworkServer, out *metal.NetworkServer, s conversion.Scope) error { + return autoConvert_v1alpha1_NetworkServer_To_metal_NetworkServer(in, out, s) +} + +func autoConvert_metal_NetworkServer_To_v1alpha1_NetworkServer(in *metal.NetworkServer, out *NetworkServer, s conversion.Scope) error { + out.Name = in.Name + out.Hostname = in.Hostname + out.IP = in.IP + out.IPFamily = v1.IPFamily(in.IPFamily) + out.Port = in.Port + out.Proto = v1.Protocol(in.Proto) + return nil +} + +// Convert_metal_NetworkServer_To_v1alpha1_NetworkServer is an autogenerated conversion function. +func Convert_metal_NetworkServer_To_v1alpha1_NetworkServer(in *metal.NetworkServer, out *NetworkServer, s conversion.Scope) error { + return autoConvert_metal_NetworkServer_To_v1alpha1_NetworkServer(in, out, s) +} + func autoConvert_v1alpha1_NftablesExporter_To_metal_NftablesExporter(in *NftablesExporter, out *metal.NftablesExporter, s conversion.Scope) error { out.Version = in.Version out.URL = in.URL 
@@ -545,6 +628,7 @@ func Convert_metal_NftablesExporter_To_v1alpha1_NftablesExporter(in *metal.Nftab func autoConvert_v1alpha1_Partition_To_metal_Partition(in *Partition, out *metal.Partition, s conversion.Scope) error { out.FirewallTypes = *(*[]string)(unsafe.Pointer(&in.FirewallTypes)) + out.NetworkIsolation = (*metal.NetworkIsolation)(unsafe.Pointer(in.NetworkIsolation)) return nil } @@ -555,6 +639,7 @@ func Convert_v1alpha1_Partition_To_metal_Partition(in *Partition, out *metal.Par func autoConvert_metal_Partition_To_v1alpha1_Partition(in *metal.Partition, out *Partition, s conversion.Scope) error { out.FirewallTypes = *(*[]string)(unsafe.Pointer(&in.FirewallTypes)) + out.NetworkIsolation = (*NetworkIsolation)(unsafe.Pointer(in.NetworkIsolation)) return nil } diff --git a/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go index 98d9a1194..e9679d473 100644 --- a/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go @@ -88,6 +88,11 @@ func (in *ControlPlaneConfig) DeepCopyInto(out *ControlPlaneConfig) { *out = new(CustomDefaultStorageClass) **out = **in } + if in.NetworkAccessType != nil { + in, out := &in.NetworkAccessType, &out.NetworkAccessType + *out = new(NetworkAccessType) + **out = **in + } return } 
@@ -361,6 +366,54 @@ func (in *MetalControlPlane) DeepCopy() *MetalControlPlane { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkIsolation) DeepCopyInto(out *NetworkIsolation) { + *out = *in + if in.AllowedNetworks != nil { + in, out := &in.AllowedNetworks, &out.AllowedNetworks + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DNSServers != nil { + in, out := &in.DNSServers, &out.DNSServers + *out = make([]NetworkServer, len(*in)) + copy(*out, *in) + } + if in.NTPServers != nil { + in, out := &in.NTPServers, &out.NTPServers + *out = make([]NetworkServer, len(*in)) + copy(*out, *in) + } + out.Registry = in.Registry + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkIsolation. +func (in *NetworkIsolation) DeepCopy() *NetworkIsolation { + if in == nil { + return nil + } + out := new(NetworkIsolation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkServer) DeepCopyInto(out *NetworkServer) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkServer. +func (in *NetworkServer) DeepCopy() *NetworkServer { + if in == nil { + return nil + } + out := new(NetworkServer) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NftablesExporter) DeepCopyInto(out *NftablesExporter) { *out = *in @@ -385,6 +438,11 @@ func (in *Partition) DeepCopyInto(out *Partition) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.NetworkIsolation != nil { + in, out := &in.NetworkIsolation, &out.NetworkIsolation + *out = new(NetworkIsolation) + (*in).DeepCopyInto(*out) + } return } 
diff --git a/pkg/apis/metal/zz_generated.deepcopy.go b/pkg/apis/metal/zz_generated.deepcopy.go index e6ce0ce2e..4513f046c 100644 --- a/pkg/apis/metal/zz_generated.deepcopy.go +++ b/pkg/apis/metal/zz_generated.deepcopy.go @@ -88,6 +88,11 @@ func (in *ControlPlaneConfig) DeepCopyInto(out *ControlPlaneConfig) { *out = new(CustomDefaultStorageClass) **out = **in } + if in.NetworkAccessType != nil { + in, out := &in.NetworkAccessType, &out.NetworkAccessType + *out = new(NetworkAccessType) + **out = **in + } return } 
@@ -361,6 +366,54 @@ func (in *MetalControlPlane) DeepCopy() *MetalControlPlane { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkIsolation) DeepCopyInto(out *NetworkIsolation) { + *out = *in + if in.AllowedNetworks != nil { + in, out := &in.AllowedNetworks, &out.AllowedNetworks + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DNSServers != nil { + in, out := &in.DNSServers, &out.DNSServers + *out = make([]NetworkServer, len(*in)) + copy(*out, *in) + } + if in.NTPServers != nil { + in, out := &in.NTPServers, &out.NTPServers + *out = make([]NetworkServer, len(*in)) + copy(*out, *in) + } + out.Registry = in.Registry + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkIsolation. +func (in *NetworkIsolation) DeepCopy() *NetworkIsolation { + if in == nil { + return nil + } + out := new(NetworkIsolation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkServer) DeepCopyInto(out *NetworkServer) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkServer. +func (in *NetworkServer) DeepCopy() *NetworkServer { + if in == nil { + return nil + } + out := new(NetworkServer) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NftablesExporter) DeepCopyInto(out *NftablesExporter) { *out = *in @@ -385,6 +438,11 @@ func (in *Partition) DeepCopyInto(out *Partition) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.NetworkIsolation != nil { + in, out := &in.NetworkIsolation, &out.NetworkIsolation + *out = new(NetworkIsolation) + (*in).DeepCopyInto(*out) + } return } 
From eb7bf00b7c747d75d0990434c6f6afc01892d499 Mon Sep 17 00:00:00 2001
From: Stefan Majer
Date: Wed, 29 Nov 2023 14:08:59 +0100
Subject: [PATCH 2/2] More doc

---
 pkg/apis/metal/types_cloudprofile.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/apis/metal/types_cloudprofile.go b/pkg/apis/metal/types_cloudprofile.go
index 1a5231c86..1aaaa7089 100644
--- a/pkg/apis/metal/types_cloudprofile.go
+++ b/pkg/apis/metal/types_cloudprofile.go
@@ -69,6 +69,7 @@ type Partition struct {
 FirewallTypes []string
 
 // NetworkIsolation if given allows the creation of shoot clusters which have network restrictions activated.
+ // Will be taken into account if NetworkAccessRestricted or NetworkAccessForbidden is defined
 // +optional
 NetworkIsolation *NetworkIsolation
 }
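Review bot: The added sentence says the field is honoured when `NetworkAccessRestricted` or `NetworkAccessForbidden` "is defined" but not where those values are set, and it stays silent on the case the first patch's `NetworkAccessRestricted` comment calls out — a shoot requesting one of those modes in a partition whose `NetworkIsolation` is nil, which must be refused rather than silently degraded. Suggest `// Will be taken into account if ControlPlaneConfig.NetworkAccessType is NetworkAccessRestricted or NetworkAccessForbidden; if it is nil, shoots in this partition must not be allowed to select those access types.` so the contract is visible on the field the cloud-profile author edits.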