change notes on firewall targets

Nick Sardo 2017-04-07 14:41:48 -07:00
parent daffef14b2
commit 5679831ace
3 changed files with 6 additions and 4 deletions


@ -63,6 +63,7 @@ func (f *fakeFirewallsProvider) CreateFirewall(name, msgTag string, srcRange net
Name: prefixedName, Name: prefixedName,
SourceRanges: srcRange.StringSlice(), SourceRanges: srcRange.StringSlice(),
Allowed: []*compute.FirewallAllowed{{Ports: strPorts}}, Allowed: []*compute.FirewallAllowed{{Ports: strPorts}},
TargetTags: hosts, // WARNING: This is actually not correct, but good enough for testing this package
} }
return nil return nil
} }
@ -96,6 +97,7 @@ func (f *fakeFirewallsProvider) UpdateFirewall(name, msgTag string, srcRange net
Name: name, Name: name,
SourceRanges: srcRange.StringSlice(), SourceRanges: srcRange.StringSlice(),
Allowed: []*compute.FirewallAllowed{{Ports: strPorts}}, Allowed: []*compute.FirewallAllowed{{Ports: strPorts}},
TargetTags: hosts, // WARNING: This is actually not correct, but good enough for testing this package
} }
return nil return nil
} }
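Review bot: The WARNING comment on the added `TargetTags: hosts` line in CreateFirewall says the value is "not correct" without saying what the real provider stores there, and the same wording is repeated in the UpdateFirewall hunk. Judging from the test note elsewhere in this commit, the real value appears to be a tag derived from the host names rather than the names themselves. A comment such as `// WARNING: the real provider sets a tag derived from the host names (see computeHostTag in the gce cloudprovider), not the names themselves; good enough for testing this package` would tell a reader which assertions on TargetTags mean nothing against this fake. Both function bodies start outside the hunks.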


@ -79,6 +79,8 @@ func (fr *FirewallRules) Sync(nodePorts []int64, nodeNames []string) error {
requiredCIDRs := sets.NewString(l7SrcRanges...) requiredCIDRs := sets.NewString(l7SrcRanges...)
existingCIDRs := sets.NewString(rule.SourceRanges...) existingCIDRs := sets.NewString(rule.SourceRanges...)
// Do not update if ports and source cidrs are not outdated.
// NOTE: We are not checking if nodeNames matches the firwall targetTags
if requiredPorts.Equal(existingPorts) && requiredCIDRs.Equal(existingCIDRs) { if requiredPorts.Equal(existingPorts) && requiredCIDRs.Equal(existingCIDRs) {
return nil return nil
} }
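Review bot: The early return in Sync skips the update whenever ports and source CIDRs match, so a change in nodeNames alone never reaches the firewall rule; the added NOTE records that but gives no reason why it is safe. If the target tag can differ between node sets, a rule left untouched would either not cover new nodes or keep applying to instances meant to be dropped from it. The comment should state the assumption it relies on, for example `// NOTE: nodeNames is not compared with the rule's TargetTags; this assumes the computed host tag is identical for every node set (see computeHostTag in the gce cloudprovider)`. "firwall" is misspelled, and "are not outdated" in the line above would read more clearly as "are already up to date". The body of Sync starts and ends outside the hunk.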


@ -47,7 +47,8 @@ func TestSyncFirewallPool(t *testing.T) {
} }
verifyFirewallRule(fwp, ruleName, nodePorts, nodes, l7SrcRanges, t) verifyFirewallRule(fwp, ruleName, nodePorts, nodes, l7SrcRanges, t)
// Add node and expect firwall to change nodes list // Add node and expect firwall to remain the same
// NOTE: See computeHostTag(..) in gce cloudprovider
nodes = []string{"node-a", "node-b", "node-c", "node-d"} nodes = []string{"node-a", "node-b", "node-c", "node-d"}
err = fp.Sync(nodePorts, nodes) err = fp.Sync(nodePorts, nodes)
if err != nil { if err != nil {
@ -89,7 +90,4 @@ func verifyFirewallRule(fwp *fakeFirewallsProvider, ruleName string, expectedPor
if !sets.NewString(f.SourceRanges...).Equal(sets.NewString(expectedCIDRs...)) { if !sets.NewString(f.SourceRanges...).Equal(sets.NewString(expectedCIDRs...)) {
t.Errorf("source CIDRs doesn't equal expected CIDRs. Actual: %v, Expected: %v", f.SourceRanges, expectedCIDRs) t.Errorf("source CIDRs doesn't equal expected CIDRs. Actual: %v, Expected: %v", f.SourceRanges, expectedCIDRs)
} }
// Verify firwall rule has correct nodes
// TODO: Check host tags are updated
} }
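Review bot: The rewritten comment in TestSyncFirewallPool says the firewall is expected to remain the same after a node is added, but nothing visible asserts that for the rule's targets. The commit removes the `// TODO: Check host tags are updated` placeholder from verifyFirewallRule without adding a check, so the `nodes` argument appears to go unverified there. Since the fake now records `TargetTags`, either assert the expected value in verifyFirewallRule or keep a marker such as `// TODO: assert TargetTags once the fake computes the real host tag`, so the gap in firewall-target coverage stays visible. Both functions are only partly visible in these hunks.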