From 90b8d463a626de37b73b381c851b72b0506d5b4e Mon Sep 17 00:00:00 2001 From: Abdirahman Osman Date: Wed, 17 Jan 2024 22:30:56 -0600 Subject: [PATCH 1/6] add policy module --- api/ingress/v1alpha1/httpsedge_types.go | 2 + api/ingress/v1alpha1/ngrok_common.go | 80 ++++++++++++++++ api/ingress/v1alpha1/ngrokmoduleset_types.go | 5 + api/ingress/v1alpha1/zz_generated.deepcopy.go | 92 +++++++++++++++++++ go.mod | 2 +- go.sum | 4 +- .../ingress.k8s.ngrok.com_httpsedges.yaml | 57 ++++++++++++ ...ingress.k8s.ngrok.com_ngrokmodulesets.yaml | 57 ++++++++++++ .../ingress/httpsedge_controller.go | 34 ++++++- internal/ngrokapi/edge_modules_https.go | 8 ++ internal/store/driver.go | 1 + 11 files changed, 336 insertions(+), 6 deletions(-) diff --git a/api/ingress/v1alpha1/httpsedge_types.go b/api/ingress/v1alpha1/httpsedge_types.go index e89b0374..93d583c1 100644 --- a/api/ingress/v1alpha1/httpsedge_types.go +++ b/api/ingress/v1alpha1/httpsedge_types.go @@ -73,6 +73,8 @@ type HTTPSEdgeRouteSpec struct { // WebhookVerification is webhook verification configuration to apply to this route WebhookVerification *EndpointWebhookVerification `json:"webhookVerification,omitempty"` + + Policies *EndpointPolicies `json:"policies,omitempty"` } // HTTPSEdgeSpec defines the desired state of HTTPSEdge diff --git a/api/ingress/v1alpha1/ngrok_common.go b/api/ingress/v1alpha1/ngrok_common.go index 738c5f70..f7af26a4 100644 --- a/api/ingress/v1alpha1/ngrok_common.go +++ b/api/ingress/v1alpha1/ngrok_common.go @@ -1,6 +1,8 @@ package v1alpha1 import ( + "encoding/json" + "github.com/ngrok/ngrok-api-go/v5" "k8s.io/apimachinery/pkg/api/resource" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
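Review bot: The new `Policies` field on HTTPSEdgeRouteSpec is the only field in the visible part of the struct without a doc comment, and that comment is what ends up as the CRD `description` (the generated httpsedges CRD later in this series shows `policies:` with no description at all). Add `// Policies is the traffic policy configuration to apply to this route` above it, matching the sibling `WebhookVerification` comment. HTTPSEdgeRouteSpec starts before this hunk.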
@@ -428,3 +430,81 @@ func (amazon *EndpointOAuthAmazon) ToNgrok(clientSecret *string) *ngrok.Endpoint } return mod } + +type EndpointPolicies struct { + // Determines if the policy will be applied to traffic + Enabled *bool `json:"enabled,omitempty"` + // Policies for inbound traffic + Inbound []EndpointPolicy `json:"inbound,omitempty"` + // Policies for outbound traffic + Outbound []EndpointPolicy `json:"outbound,omitempty"` +} + +type EndpointPolicy struct { + // Expressions + Expressions []string `json:"expressions,omitempty"` + // Actions + Actions []EndpointAction `json:"actions,omitempty"` + // Name + Name string `json:"name,omitempty"` +} + +type EndpointAction struct { + Type string `json:"type,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + // +kubebuilder:validation:Type=object + Config json.RawMessage `json:"config,omitempty"` +} + +func (policies *EndpointPolicies) ToNgrok() *ngrok.EndpointPolicies { + if policies == nil { + return nil + } + + var inbound []ngrok.EndpointPolicy + for _, policy := range policies.Inbound { + p := policy + inbound = append(inbound, *p.ToNgrok()) + } + var outbound []ngrok.EndpointPolicy + for _, policy := range policies.Outbound { + p := policy + outbound = append(outbound, *p.ToNgrok()) + } + + return &ngrok.EndpointPolicies{ + Enabled: policies.Enabled, + Inbound: inbound, + Outbound: outbound, + } +} + +func (policy *EndpointPolicy) ToNgrok() *ngrok.EndpointPolicy { + if policy == nil { + return nil + } + + var actions []ngrok.EndpointAction + for _, action := range policy.Actions { + a := action + actions = append(actions, *a.ToNgrok()) + } + + return &ngrok.EndpointPolicy{ + Expressions: policy.Expressions, + Actions: actions, + Name: policy.Name, + } +} + +func (action *EndpointAction) ToNgrok() *ngrok.EndpointAction { + if action == nil { + return nil + } + + return &ngrok.EndpointAction{ + Type: action.Type, + Config: action.Config, + } +} 
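Review bot: `EndpointAction.Type` has no validation marker, so an action with an empty type is accepted by the API server and forwarded verbatim by `EndpointAction.ToNgrok` (`Type: action.Type, Config: action.Config`), only failing later when the controller's Replace call reaches the ngrok API; add `// +kubebuilder:validation:Required` (or `MinLength=1`) above `Type` so the rejection happens at admission. The `// Expressions`, `// Actions` and `// Name` comments on `EndpointPolicy` just repeat the field names and become equally empty CRD descriptions; say what they are, e.g. `// Expressions are the match expressions that must all hold for the rule's actions to run` and `// Actions are applied, in order, when the rule matches`. `Enabled` is a pointer with `omitempty`, so an unset value is not sent at all — whether the ngrok API then treats the policy as enabled is not visible here and deserves a comment once confirmed.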
diff --git a/api/ingress/v1alpha1/ngrokmoduleset_types.go b/api/ingress/v1alpha1/ngrokmoduleset_types.go index 317cbddb..9d5ead02 100644 --- a/api/ingress/v1alpha1/ngrokmoduleset_types.go +++ b/api/ingress/v1alpha1/ngrokmoduleset_types.go @@ -39,6 +39,8 @@ type NgrokModuleSetModules struct { IPRestriction *EndpointIPPolicy `json:"ipRestriction,omitempty"` // OAuth configuration for this module set OAuth *EndpointOAuth `json:"oauth,omitempty"` + // Policies configuration for this module set + Policies *EndpointPolicies `json:"policies,omitempty"` // OIDC configuration for this module set OIDC *EndpointOIDC `json:"oidc,omitempty"` // SAML configuration for this module set @@ -83,6 +85,9 @@ func (ms *NgrokModuleSet) Merge(o *NgrokModuleSet) { if omod.OAuth != nil { msmod.OAuth = omod.OAuth } + if omod.Policies != nil { + msmod.Policies = omod.Policies + } if omod.OIDC != nil { msmod.OIDC = omod.OIDC } diff --git a/api/ingress/v1alpha1/zz_generated.deepcopy.go b/api/ingress/v1alpha1/zz_generated.deepcopy.go index 6f6f9396..53475863 100644 --- a/api/ingress/v1alpha1/zz_generated.deepcopy.go +++ b/api/ingress/v1alpha1/zz_generated.deepcopy.go @@ -30,6 +30,7 @@ SOFTWARE. package v1alpha1 import ( + "encoding/json" runtime "k8s.io/apimachinery/pkg/runtime" ) 
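Review bot: `Merge` assigns `msmod.Policies = omod.Policies` wholesale, so when several module sets are combined the later set's policy replaces the earlier set's inbound and outbound rules entirely rather than appending to them. That matches the visible OAuth and OIDC branches, but for a list of allow/deny rules users may well expect concatenation, and a silently dropped rule is a security-relevant surprise. Add `// A later module set's policy replaces, not extends, an earlier one's rules` above the new branch, or put the same sentence on the `Policies` field comment. The rest of Merge is outside this hunk.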
@@ -143,6 +144,26 @@ func (in *DomainStatus) DeepCopy() *DomainStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EndpointAction) DeepCopyInto(out *EndpointAction) { + *out = *in + if in.Config != nil { + in, out := &in.Config, &out.Config + *out = make(json.RawMessage, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointAction. +func (in *EndpointAction) DeepCopy() *EndpointAction { + if in == nil { + return nil + } + out := new(EndpointAction) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EndpointCircuitBreaker) DeepCopyInto(out *EndpointCircuitBreaker) { *out = *in 
@@ -457,6 +478,67 @@ func (in *EndpointOIDC) DeepCopy() *EndpointOIDC { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EndpointPolicies) DeepCopyInto(out *EndpointPolicies) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.Inbound != nil { + in, out := &in.Inbound, &out.Inbound + *out = make([]EndpointPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Outbound != nil { + in, out := &in.Outbound, &out.Outbound + *out = make([]EndpointPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointPolicies. +func (in *EndpointPolicies) DeepCopy() *EndpointPolicies { + if in == nil { + return nil + } + out := new(EndpointPolicies) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EndpointPolicy) DeepCopyInto(out *EndpointPolicy) { + *out = *in + if in.Expressions != nil { + in, out := &in.Expressions, &out.Expressions + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Actions != nil { + in, out := &in.Actions, &out.Actions + *out = make([]EndpointAction, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointPolicy. +func (in *EndpointPolicy) DeepCopy() *EndpointPolicy { + if in == nil { + return nil + } + out := new(EndpointPolicy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EndpointRequestHeaders) DeepCopyInto(out *EndpointRequestHeaders) { *out = *in 
@@ -697,6 +779,11 @@ func (in *HTTPSEdgeRouteSpec) DeepCopyInto(out *HTTPSEdgeRouteSpec) { *out = new(EndpointWebhookVerification) (*in).DeepCopyInto(*out) } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = new(EndpointPolicies) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPSEdgeRouteSpec. @@ -995,6 +1082,11 @@ func (in *NgrokModuleSetModules) DeepCopyInto(out *NgrokModuleSetModules) { *out = new(EndpointOAuth) (*in).DeepCopyInto(*out) } + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = new(EndpointPolicies) + (*in).DeepCopyInto(*out) + } if in.OIDC != nil { in, out := &in.OIDC, &out.OIDC *out = new(EndpointOIDC) diff --git a/go.mod b/go.mod index 3781232e..996e21a7 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/go-logr/logr v1.2.4 github.com/golang/mock v1.4.4 github.com/imdario/mergo v0.3.16 - github.com/ngrok/ngrok-api-go/v5 v5.0.0 + github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303 github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 github.com/spf13/cobra v1.7.0 diff --git a/go.sum b/go.sum index 792f0dd2..ce52a016 100644 --- a/go.sum +++ b/go.sum 
@@ -415,8 +415,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= -github.com/ngrok/ngrok-api-go/v5 v5.0.0 h1:eksowVztKNQU0JBaYS2hXGiC/xtGXj8LAx8lAuzYlsw= -github.com/ngrok/ngrok-api-go/v5 v5.0.0/go.mod h1:cxMRsWuE0EwK/JB/5prvHK0LEWB3KP16iwvIMqvDVP0= +github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303 h1:td6hx8jy4X+U/Ed/zl6gTrCVmyldZ7tMNJQHa2YvcXc= +github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303/go.mod h1:UVTaHI5B4gEsfHCOZTlRg8WkT6+KBijIkVtjpDqCyIU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= diff --git a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml index 06b8f21d..e86e3ce5 100644 --- a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml +++ b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml 
@@ -908,6 +908,63 @@ spec: type: string type: array type: object + policies: + properties: + enabled: + description: Determines if the policy will be applied to + traffic + type: boolean + inbound: + description: Policies for inbound traffic + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Policies for outbound traffic + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object saml: description: SAML is the SAML configuration to apply to this route diff --git a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml index 2e0c0327..beea08dd 100644 --- a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml +++ b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml 
@@ -793,6 +793,63 @@ spec: type: string type: array type: object + policies: + description: Policies configuration for this module set + properties: + enabled: + description: Determines if the policy will be applied to traffic + type: boolean + inbound: + description: Policies for inbound traffic + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Policies for outbound traffic + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object saml: description: SAML configuration for this module set properties: diff --git a/internal/controller/ingress/httpsedge_controller.go b/internal/controller/ingress/httpsedge_controller.go index d535b928..001655e1 100644 --- a/internal/controller/ingress/httpsedge_controller.go +++ b/internal/controller/ingress/httpsedge_controller.go @@ -37,7 +37,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/tools/record" - "k8s.io/utils/pointer" + "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/reconcile" 
@@ -342,7 +342,7 @@ func (r *HTTPSEdgeReconciler) setEdgeTLSTermination(ctx context.Context, edge *n _, err := client.Replace(ctx, &ngrok.EdgeTLSTerminationAtEdgeReplace{ ID: edge.ID, Module: ngrok.EndpointTLSTerminationAtEdge{ - MinVersion: pointer.String(tlsTermination.MinVersion), + MinVersion: ptr.To(tlsTermination.MinVersion), }, }) return err @@ -523,6 +523,7 @@ func (u *edgeRouteModuleUpdater) updateModulesForRoute(ctx context.Context, rout u.setEdgeRouteOIDC, u.setEdgeRouteSAML, u.setEdgeRouteWebhookVerification, + u.setEdgeRoutePolicies, } for _, f := range funcs { @@ -605,7 +606,7 @@ func (u *edgeRouteModuleUpdater) setEdgeRouteCompression(ctx context.Context, ro EdgeID: route.EdgeID, ID: route.ID, Module: ngrok.EndpointCompression{ - Enabled: pointer.Bool(routeSpec.Compression.Enabled), + Enabled: ptr.To(routeSpec.Compression.Enabled), }, }) return err @@ -1028,3 +1029,30 @@ func (r *HTTPSEdgeReconciler) takeOfflineWithoutAuth(ctx context.Context, route return nil } + +func (u *edgeRouteModuleUpdater) setEdgeRoutePolicies(ctx context.Context, route *ngrok.HTTPSEdgeRoute, routeSpec *ingressv1alpha1.HTTPSEdgeRouteSpec) error { + log := ctrl.LoggerFrom(ctx) + policies := routeSpec.Policies + client := u.clientset.Policies() + + module := policies.ToNgrok() + + // Early return if nothing to be done + if module == nil { + if route.Policies == nil { + u.logMatches(log, "Policies", routeModuleComparisonBothNil) + return nil + } + + log.Info("Deleting Policies module") + return client.Delete(ctx, edgeRouteItem(route)) + } + + log.Info("Updating Policies module") + _, err := client.Replace(ctx, &ngrok.EdgeRoutePoliciesReplace{ + EdgeID: route.EdgeID, + ID: route.ID, + Module: *module, + }) + return err +} diff --git a/internal/ngrokapi/edge_modules_https.go b/internal/ngrokapi/edge_modules_https.go index 5719a937..d0b3cd33 100644 --- a/internal/ngrokapi/edge_modules_https.go +++ b/internal/ngrokapi/edge_modules_https.go 
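Review bot: `setEdgeRoutePolicies` only short-circuits the both-nil case; for any non-nil spec it calls `client.Replace` on every reconcile without comparing `module` against `route.Policies`, which is one API write per reconcile loop and, if the other setters in `updateModulesForRoute` diff before writing (their bodies are outside this hunk), inconsistent with them. Consider an equality check before the Replace that logs via `u.logMatches` with whatever the "matches" comparison constant is, so unchanged policies are a no-op. Note also that a spec of `policies: {}` produces a non-nil module with no rules and a nil `Enabled`, which is sent as an empty policy rather than treated as "remove the module"; if that is intended, say so in the `// Early return if nothing to be done` comment.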
@@ -9,6 +9,7 @@ import ( "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_ip_restriction" "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_oauth" "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_oidc" + "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_policies" "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_request_headers" "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_response_headers" "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_saml" @@ -55,6 +56,7 @@ type HTTPSEdgeRouteModulesClientset interface { Compression() *https_edge_route_compression.Client IPRestriction() *https_edge_route_ip_restriction.Client OAuth() *https_edge_route_oauth.Client + Policies() *https_edge_route_policies.Client OIDC() *https_edge_route_oidc.Client RequestHeaders() *https_edge_route_request_headers.Client ResponseHeaders() *https_edge_route_response_headers.Client @@ -69,6 +71,7 @@ type defaultHTTPSEdgeRouteModulesClientset struct { compression *https_edge_route_compression.Client ipRestriction *https_edge_route_ip_restriction.Client oauth *https_edge_route_oauth.Client + policies *https_edge_route_policies.Client oidc *https_edge_route_oidc.Client requestHeaders *https_edge_route_request_headers.Client responseHeaders *https_edge_route_response_headers.Client @@ -84,6 +87,7 @@ func newHTTPSEdgeRouteModulesClient(config *ngrok.ClientConfig) *defaultHTTPSEdg compression: https_edge_route_compression.NewClient(config), ipRestriction: https_edge_route_ip_restriction.NewClient(config), oauth: https_edge_route_oauth.NewClient(config), + policies: https_edge_route_policies.NewClient(config), oidc: https_edge_route_oidc.NewClient(config), requestHeaders: https_edge_route_request_headers.NewClient(config), responseHeaders: https_edge_route_response_headers.NewClient(config), 
@@ -113,6 +117,10 @@ func (c *defaultHTTPSEdgeRouteModulesClientset) OAuth() *https_edge_route_oauth. return c.oauth } +func (c *defaultHTTPSEdgeRouteModulesClientset) Policies() *https_edge_route_policies.Client { + return c.policies +} + func (c *defaultHTTPSEdgeRouteModulesClientset) OIDC() *https_edge_route_oidc.Client { return c.oidc } diff --git a/internal/store/driver.go b/internal/store/driver.go index 4c75ca70..ebc2059e 100644 --- a/internal/store/driver.go +++ b/internal/store/driver.go @@ -629,6 +629,7 @@ func (d *Driver) calculateHTTPSEdges() map[string]ingressv1alpha1.HTTPSEdge { IPRestriction: modSet.Modules.IPRestriction, Headers: modSet.Modules.Headers, OAuth: modSet.Modules.OAuth, + Policies: modSet.Modules.Policies, OIDC: modSet.Modules.OIDC, SAML: modSet.Modules.SAML, WebhookVerification: modSet.Modules.WebhookVerification, From 63439622f1fba676de8547c0c819c7efe22fdebc Mon Sep 17 00:00:00 2001 From: Abdirahman Osman Date: Tue, 23 Jan 2024 11:21:31 -0600 Subject: [PATCH 2/6] add null ptr check --- api/ingress/v1alpha1/ngrok_common.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/api/ingress/v1alpha1/ngrok_common.go b/api/ingress/v1alpha1/ngrok_common.go index f7af26a4..1d3c40d6 100644 --- a/api/ingress/v1alpha1/ngrok_common.go +++ b/api/ingress/v1alpha1/ngrok_common.go @@ -470,7 +470,10 @@ func (policies *EndpointPolicies) ToNgrok() *ngrok.EndpointPolicies { var outbound []ngrok.EndpointPolicy for _, policy := range policies.Outbound { p := policy - outbound = append(outbound, *p.ToNgrok()) + mod := p.ToNgrok() + if mod != nil { + outbound = append(outbound, *mod) + } } return &ngrok.EndpointPolicies{ 
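Review bot: The nil check added here is dead code: `p` is an addressable local, so `p.ToNgrok()` runs with a non-nil receiver, and by its own first line `ToNgrok` returns nil only for a nil receiver; the same applies to the `actions` loop in the next hunk, while the `inbound` loop is left dereferencing `*p.ToNgrok()` directly, so the three loops now read as if they had different failure modes. Make them uniform — either drop the guards or apply the same one to `inbound` — and the `p := policy` copies can go too, since the range variable is itself addressable and nothing retains a pointer to it (`inbound = append(inbound, *policy.ToNgrok())`). If the guard is meant to defend against a future version of `ToNgrok` returning nil for an invalid rule, a comment saying so would stop the next reader from removing it.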
@@ -488,7 +491,10 @@ func (policy *EndpointPolicy) ToNgrok() *ngrok.EndpointPolicy { var actions []ngrok.EndpointAction for _, action := range policy.Actions { a := action - actions = append(actions, *a.ToNgrok()) + mod := a.ToNgrok() + if mod != nil { + actions = append(actions, *mod) + } } return &ngrok.EndpointPolicy{ From 9c5b654660bc504c97d21a777b5395a1838ab223 Mon Sep 17 00:00:00 2001 From: Abdirahman A Osman Date: Wed, 31 Jan 2024 20:08:50 -0800 Subject: [PATCH 3/6] rename policy module components --- api/ingress/v1alpha1/httpsedge_types.go | 2 +- api/ingress/v1alpha1/ngrok_common.go | 46 ++++++------ api/ingress/v1alpha1/ngrokmoduleset_types.go | 8 +-- api/ingress/v1alpha1/zz_generated.deepcopy.go | 72 +++++++++---------- go.mod | 2 +- go.sum | 4 +- .../ingress.k8s.ngrok.com_httpsedges.yaml | 9 ++- ...ingress.k8s.ngrok.com_ngrokmodulesets.yaml | 10 +-- .../ingress/httpsedge_controller.go | 20 +++--- internal/ngrokapi/edge_modules_https.go | 12 ++-- internal/store/driver.go | 2 +- 11 files changed, 93 insertions(+), 94 deletions(-) diff --git a/api/ingress/v1alpha1/httpsedge_types.go b/api/ingress/v1alpha1/httpsedge_types.go index 93d583c1..6edd84ee 100644 --- a/api/ingress/v1alpha1/httpsedge_types.go +++ b/api/ingress/v1alpha1/httpsedge_types.go @@ -74,7 +74,7 @@ type HTTPSEdgeRouteSpec struct { // WebhookVerification is webhook verification configuration to apply to this route WebhookVerification *EndpointWebhookVerification `json:"webhookVerification,omitempty"` - Policies *EndpointPolicies `json:"policies,omitempty"` + Policy *EndpointPolicy `json:"policy,omitempty"` } // HTTPSEdgeSpec defines the desired state of HTTPSEdge diff --git a/api/ingress/v1alpha1/ngrok_common.go b/api/ingress/v1alpha1/ngrok_common.go index 1d3c40d6..558b1349 100644 --- a/api/ingress/v1alpha1/ngrok_common.go +++ b/api/ingress/v1alpha1/ngrok_common.go 
@@ -431,16 +431,16 @@ func (amazon *EndpointOAuthAmazon) ToNgrok(clientSecret *string) *ngrok.Endpoint return mod } -type EndpointPolicies struct { - // Determines if the policy will be applied to traffic +type EndpointPolicy struct { + // Determines if the rule will be applied to traffic Enabled *bool `json:"enabled,omitempty"` - // Policies for inbound traffic - Inbound []EndpointPolicy `json:"inbound,omitempty"` - // Policies for outbound traffic - Outbound []EndpointPolicy `json:"outbound,omitempty"` + // Inbound traffic rule + Inbound []EndpointRule `json:"inbound,omitempty"` + // Outbound traffic rule + Outbound []EndpointRule `json:"outbound,omitempty"` } -type EndpointPolicy struct { +type EndpointRule struct { // Expressions Expressions []string `json:"expressions,omitempty"` // Actions 
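Review bot: The renamed comments are now misleading: `Inbound` and `Outbound` are slices of `EndpointRule`, so `// Inbound traffic rule` should read `// Inbound are the rules applied to inbound traffic, in order` (and likewise for outbound), and `// Determines if the rule will be applied to traffic` sits on the policy-level `Enabled` field, not on a rule, so `// Enabled determines whether this policy is applied to traffic` is the accurate wording. These comments are copied into the CRD descriptions in the generated YAML later in this series, so they are user-facing.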
@@ -457,39 +457,39 @@ type EndpointAction struct { Config json.RawMessage `json:"config,omitempty"` } -func (policies *EndpointPolicies) ToNgrok() *ngrok.EndpointPolicies { - if policies == nil { +func (policy *EndpointPolicy) ToNgrok() *ngrok.EndpointPolicy { + if policy == nil { return nil } - var inbound []ngrok.EndpointPolicy - for _, policy := range policies.Inbound { - p := policy + var inbound []ngrok.EndpointRule + for _, rule := range policy.Inbound { + p := rule inbound = append(inbound, *p.ToNgrok()) } - var outbound []ngrok.EndpointPolicy - for _, policy := range policies.Outbound { - p := policy + var outbound []ngrok.EndpointRule + for _, rule := range policy.Outbound { + p := rule mod := p.ToNgrok() if mod != nil { outbound = append(outbound, *mod) } } - return &ngrok.EndpointPolicies{ - Enabled: policies.Enabled, + return &ngrok.EndpointPolicy{ + Enabled: policy.Enabled, Inbound: inbound, Outbound: outbound, } } -func (policy *EndpointPolicy) ToNgrok() *ngrok.EndpointPolicy { - if policy == nil { +func (rule *EndpointRule) ToNgrok() *ngrok.EndpointRule { + if rule == nil { return nil } var actions []ngrok.EndpointAction - for _, action := range policy.Actions { + for _, action := range rule.Actions { a := action mod := a.ToNgrok() if mod != nil { @@ -497,10 +497,10 @@ func (policy *EndpointPolicy) ToNgrok() *ngrok.EndpointPolicy { } } - return &ngrok.EndpointPolicy{ - Expressions: policy.Expressions, + return &ngrok.EndpointRule{ + Expressions: rule.Expressions, Actions: actions, - Name: policy.Name, + Name: rule.Name, } } diff --git a/api/ingress/v1alpha1/ngrokmoduleset_types.go b/api/ingress/v1alpha1/ngrokmoduleset_types.go index 9d5ead02..b783596d 100644 --- a/api/ingress/v1alpha1/ngrokmoduleset_types.go +++ b/api/ingress/v1alpha1/ngrokmoduleset_types.go 
@@ -39,8 +39,8 @@ type NgrokModuleSetModules struct { IPRestriction *EndpointIPPolicy `json:"ipRestriction,omitempty"` // OAuth configuration for this module set OAuth *EndpointOAuth `json:"oauth,omitempty"` - // Policies configuration for this module set - Policies *EndpointPolicies `json:"policies,omitempty"` + // Policy configuration for this module set + Policy *EndpointPolicy `json:"policy,omitempty"` // OIDC configuration for this module set OIDC *EndpointOIDC `json:"oidc,omitempty"` // SAML configuration for this module set @@ -85,8 +85,8 @@ func (ms *NgrokModuleSet) Merge(o *NgrokModuleSet) { if omod.OAuth != nil { msmod.OAuth = omod.OAuth } - if omod.Policies != nil { - msmod.Policies = omod.Policies + if omod.Policy != nil { + msmod.Policy = omod.Policy } if omod.OIDC != nil { msmod.OIDC = omod.OIDC diff --git a/api/ingress/v1alpha1/zz_generated.deepcopy.go b/api/ingress/v1alpha1/zz_generated.deepcopy.go index 53475863..7bf0727f 100644 --- a/api/ingress/v1alpha1/zz_generated.deepcopy.go +++ b/api/ingress/v1alpha1/zz_generated.deepcopy.go @@ -479,7 +479,7 @@ func (in *EndpointOIDC) DeepCopy() *EndpointOIDC { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *EndpointPolicies) DeepCopyInto(out *EndpointPolicies) { +func (in *EndpointPolicy) DeepCopyInto(out *EndpointPolicy) { *out = *in if in.Enabled != nil { in, out := &in.Enabled, &out.Enabled 
@@ -488,41 +488,14 @@ func (in *EndpointPolicies) DeepCopyInto(out *EndpointPolicies) { } if in.Inbound != nil { in, out := &in.Inbound, &out.Inbound - *out = make([]EndpointPolicy, len(*in)) + *out = make([]EndpointRule, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } if in.Outbound != nil { in, out := &in.Outbound, &out.Outbound - *out = make([]EndpointPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointPolicies. -func (in *EndpointPolicies) DeepCopy() *EndpointPolicies { - if in == nil { - return nil - } - out := new(EndpointPolicies) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *EndpointPolicy) DeepCopyInto(out *EndpointPolicy) { - *out = *in - if in.Expressions != nil { - in, out := &in.Expressions, &out.Expressions - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Actions != nil { - in, out := &in.Actions, &out.Actions - *out = make([]EndpointAction, len(*in)) + *out = make([]EndpointRule, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } 
@@ -593,6 +566,33 @@ func (in *EndpointResponseHeaders) DeepCopy() *EndpointResponseHeaders { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EndpointRule) DeepCopyInto(out *EndpointRule) { + *out = *in + if in.Expressions != nil { + in, out := &in.Expressions, &out.Expressions + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Actions != nil { + in, out := &in.Actions, &out.Actions + *out = make([]EndpointAction, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointRule. +func (in *EndpointRule) DeepCopy() *EndpointRule { + if in == nil { + return nil + } + out := new(EndpointRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EndpointSAML) DeepCopyInto(out *EndpointSAML) { *out = *in @@ -779,9 +779,9 @@ func (in *HTTPSEdgeRouteSpec) DeepCopyInto(out *HTTPSEdgeRouteSpec) { *out = new(EndpointWebhookVerification) (*in).DeepCopyInto(*out) } - if in.Policies != nil { - in, out := &in.Policies, &out.Policies - *out = new(EndpointPolicies) + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(EndpointPolicy) (*in).DeepCopyInto(*out) } } @@ -1082,9 +1082,9 @@ func (in *NgrokModuleSetModules) DeepCopyInto(out *NgrokModuleSetModules) { *out = new(EndpointOAuth) (*in).DeepCopyInto(*out) } - if in.Policies != nil { - in, out := &in.Policies, &out.Policies - *out = new(EndpointPolicies) + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(EndpointPolicy) (*in).DeepCopyInto(*out) } if in.OIDC != nil { diff --git a/go.mod b/go.mod index 996e21a7..a4bffa5e 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ require ( github.com/go-logr/logr v1.2.4 github.com/golang/mock v1.4.4 github.com/imdario/mergo v0.3.16 - github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303 + github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240202164311-e46cf17c1b3b github.com/onsi/ginkgo/v2 v2.11.0 github.com/onsi/gomega v1.27.10 github.com/spf13/cobra v1.7.0 diff --git a/go.sum b/go.sum index ce52a016..16660a9c 100644 --- a/go.sum +++ b/go.sum @@ -415,8 +415,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= -github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303 h1:td6hx8jy4X+U/Ed/zl6gTrCVmyldZ7tMNJQHa2YvcXc= -github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240117170843-c468056fd303/go.mod h1:UVTaHI5B4gEsfHCOZTlRg8WkT6+KBijIkVtjpDqCyIU= +github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240202164311-e46cf17c1b3b h1:zVNitZT1l6S2thahznTlMO+Fknsynoi++7SJQJf7RIY= +github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240202164311-e46cf17c1b3b/go.mod h1:UVTaHI5B4gEsfHCOZTlRg8WkT6+KBijIkVtjpDqCyIU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= diff --git a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml index e86e3ce5..7de6c37c 100644 --- a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml 
+++ b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml @@ -908,14 +908,13 @@ spec: type: string type: array type: object - policies: + policy: properties: enabled: - description: Determines if the policy will be applied to - traffic + description: Determines if the rule will be applied to traffic type: boolean inbound: - description: Policies for inbound traffic + description: Inbound traffic rule items: properties: actions: @@ -940,7 +939,7 @@ spec: type: object type: array outbound: - description: Policies for outbound traffic + description: Outbound traffic rule items: properties: actions: diff --git a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml index beea08dd..800fa04f 100644 --- a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml +++ b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml @@ -793,14 +793,14 @@ spec: type: string type: array type: object - policies: - description: Policies configuration for this module set + policy: + description: Policy configuration for this module set properties: enabled: - description: Determines if the policy will be applied to traffic + description: Determines if the rule will be applied to traffic type: boolean inbound: - description: Policies for inbound traffic + description: Inbound traffic rule items: properties: actions: @@ -825,7 +825,7 @@ spec: type: object type: array outbound: - description: Policies for outbound traffic + description: Outbound traffic rule items: properties: actions: diff --git a/internal/controller/ingress/httpsedge_controller.go b/internal/controller/ingress/httpsedge_controller.go index 001655e1..f859137e 100644 --- a/internal/controller/ingress/httpsedge_controller.go +++ b/internal/controller/ingress/httpsedge_controller.go 
@@ -523,7 +523,7 @@ func (u *edgeRouteModuleUpdater) updateModulesForRoute(ctx context.Context, rout
 u.setEdgeRouteOIDC,
 u.setEdgeRouteSAML,
 u.setEdgeRouteWebhookVerification,
- u.setEdgeRoutePolicies,
+ u.setEdgeRoutePolicy,
 }
 for _, f := range funcs {
@@ -1030,26 +1030,26 @@ func (r *HTTPSEdgeReconciler) takeOfflineWithoutAuth(ctx context.Context, route
 return nil
 }
-func (u *edgeRouteModuleUpdater) setEdgeRoutePolicies(ctx context.Context, route *ngrok.HTTPSEdgeRoute, routeSpec *ingressv1alpha1.HTTPSEdgeRouteSpec) error {
+func (u *edgeRouteModuleUpdater) setEdgeRoutePolicy(ctx context.Context, route *ngrok.HTTPSEdgeRoute, routeSpec *ingressv1alpha1.HTTPSEdgeRouteSpec) error {
 log := ctrl.LoggerFrom(ctx)
- policies := routeSpec.Policies
- client := u.clientset.Policies()
+ policy := routeSpec.Policy
+ client := u.clientset.Policy()
- module := policies.ToNgrok()
+ module := policy.ToNgrok()
 // Early return if nothing to be done
 if module == nil {
- if route.Policies == nil {
- u.logMatches(log, "Policies", routeModuleComparisonBothNil)
+ if route.Policy == nil {
+ u.logMatches(log, "Policy", routeModuleComparisonBothNil)
 return nil
 }
- log.Info("Deleting Policies module")
+ log.Info("Deleting Policy module")
 return client.Delete(ctx, edgeRouteItem(route))
 }
- log.Info("Updating Policies module")
- _, err := client.Replace(ctx, &ngrok.EdgeRoutePoliciesReplace{
+ log.Info("Updating Policy module")
+ _, err := client.Replace(ctx, &ngrok.EdgeRoutePolicyReplace{
 EdgeID: route.EdgeID,
 ID: route.ID,
 Module: *module,
diff --git a/internal/ngrokapi/edge_modules_https.go b/internal/ngrokapi/edge_modules_https.go
index d0b3cd33..fa50eabc 100644
--- a/internal/ngrokapi/edge_modules_https.go
+++ b/internal/ngrokapi/edge_modules_https.go
@@ -9,7 +9,7 @@ import (
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_ip_restriction"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_oauth"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_oidc"
- "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_policies"
+ "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_policy"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_request_headers"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_response_headers"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/https_edge_route_saml"
@@ -56,7 +56,7 @@ type HTTPSEdgeRouteModulesClientset interface {
 Compression() *https_edge_route_compression.Client
 IPRestriction() *https_edge_route_ip_restriction.Client
 OAuth() *https_edge_route_oauth.Client
- Policies() *https_edge_route_policies.Client
+ Policy() *https_edge_route_policy.Client
 OIDC() *https_edge_route_oidc.Client
 RequestHeaders() *https_edge_route_request_headers.Client
 ResponseHeaders() *https_edge_route_response_headers.Client
@@ -71,7 +71,7 @@ type defaultHTTPSEdgeRouteModulesClientset struct {
 compression *https_edge_route_compression.Client
 ipRestriction *https_edge_route_ip_restriction.Client
 oauth *https_edge_route_oauth.Client
- policies *https_edge_route_policies.Client
+ policy *https_edge_route_policy.Client
 oidc *https_edge_route_oidc.Client
 requestHeaders *https_edge_route_request_headers.Client
 responseHeaders *https_edge_route_response_headers.Client
@@ -87,7 +87,7 @@ func newHTTPSEdgeRouteModulesClient(config *ngrok.ClientConfig) *defaultHTTPSEdg
 compression: https_edge_route_compression.NewClient(config),
 ipRestriction: https_edge_route_ip_restriction.NewClient(config),
 oauth: https_edge_route_oauth.NewClient(config),
- policies: https_edge_route_policies.NewClient(config),
+ policy: https_edge_route_policy.NewClient(config),
 oidc: https_edge_route_oidc.NewClient(config),
 requestHeaders: https_edge_route_request_headers.NewClient(config),
 responseHeaders: https_edge_route_response_headers.NewClient(config),
@@ -117,8 +117,8 @@ func (c *defaultHTTPSEdgeRouteModulesClientset) OAuth() *https_edge_route_oauth.
 return c.oauth
 }
-func (c *defaultHTTPSEdgeRouteModulesClientset) Policies() *https_edge_route_policies.Client {
- return c.policies
+func (c *defaultHTTPSEdgeRouteModulesClientset) Policy() *https_edge_route_policy.Client {
+ return c.policy
 }
 func (c *defaultHTTPSEdgeRouteModulesClientset) OIDC() *https_edge_route_oidc.Client {
diff --git a/internal/store/driver.go b/internal/store/driver.go
index ebc2059e..5a1fe9f7 100644
--- a/internal/store/driver.go
+++ b/internal/store/driver.go
@@ -629,7 +629,7 @@ func (d *Driver) calculateHTTPSEdges() map[string]ingressv1alpha1.HTTPSEdge {
 IPRestriction: modSet.Modules.IPRestriction,
 Headers: modSet.Modules.Headers,
 OAuth: modSet.Modules.OAuth,
- Policies: modSet.Modules.Policies,
+ Policy: modSet.Modules.Policy,
 OIDC: modSet.Modules.OIDC,
 SAML: modSet.Modules.SAML,
 WebhookVerification: modSet.Modules.WebhookVerification,
From 41f50da03fb7e76562424e2f4db9793179a0f45c Mon Sep 17 00:00:00 2001
From: Abdirahman Osman
Date: Mon, 5 Feb 2024 11:07:31 -0600
Subject: [PATCH 4/6] rename module for readability
---
 internal/controller/ingress/httpsedge_controller.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/internal/controller/ingress/httpsedge_controller.go b/internal/controller/ingress/httpsedge_controller.go
index f859137e..2f94e1e2 100644
--- a/internal/controller/ingress/httpsedge_controller.go
+++ b/internal/controller/ingress/httpsedge_controller.go
@@ -1035,10 +1035,10 @@ func (u *edgeRouteModuleUpdater) setEdgeRoutePolicy(ctx context.Context, route *
 policy := routeSpec.Policy
 client := u.clientset.Policy()
- module := policy.ToNgrok()
+ endpointPolicy := policy.ToNgrok()
 // Early return if nothing to be done
- if module == nil {
+ if endpointPolicy == nil {
 if route.Policy == nil {
 u.logMatches(log, "Policy", routeModuleComparisonBothNil)
 return nil
@@ -1052,7 +1052,7 @@ func (u *edgeRouteModuleUpdater) setEdgeRoutePolicy(ctx context.Context, route *
 _, err := client.Replace(ctx, &ngrok.EdgeRoutePolicyReplace{
 EdgeID: route.EdgeID,
 ID: route.ID,
- Module: *module,
+ Module: *endpointPolicy,
 })
 return err
 }
From c2c48b6910f91acaed3b409020fc48ecead60d40 Mon Sep 17 00:00:00 2001
From: Abdirahman Osman
Date: Mon, 5 Feb 2024 11:55:05 -0600
Subject: [PATCH 5/6] add policy to tcp and tls edges
---
 api/ingress/v1alpha1/tcpedge_types.go | 2 +
 api/ingress/v1alpha1/tlsedge_types.go | 2 +
 .../crds/ingress.k8s.ngrok.com_tcpedges.yaml | 56 +++++++++++++++++++
 .../crds/ingress.k8s.ngrok.com_tlsedges.yaml | 56 +++++++++++++++++++
 .../controller/ingress/tcpedge_controller.go | 30 ++++++++++
 .../controller/ingress/tlsedge_controller.go | 30 ++++++++++
 .../ngrokapi/edge_modules_tcp_clientset.go | 8 +++
 .../ngrokapi/edge_modules_tls_clientset.go | 8 +++
 8 files changed, 192 insertions(+)
diff --git a/api/ingress/v1alpha1/tcpedge_types.go b/api/ingress/v1alpha1/tcpedge_types.go
index 9b6385eb..d883539a 100644
--- a/api/ingress/v1alpha1/tcpedge_types.go
+++ b/api/ingress/v1alpha1/tcpedge_types.go
@@ -42,6 +42,8 @@ type TCPEdgeSpec struct {
 // IPRestriction is an IPRestriction to apply to this edge
 IPRestriction *EndpointIPPolicy `json:"ipRestriction,omitempty"`
+
+ Policy *EndpointPolicy `json:"policy,omitempty"`
 }
 // TCPEdgeStatus defines the observed state of TCPEdge
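Review bot: The new `Policy` field on TCPEdgeSpec has no doc comment, unlike its sibling `IPRestriction` two lines above, so the generated CRD exposes `policy` with no description (the tcpedges.yaml hunk in this same patch indeed carries none). Suggest `// Policy is the traffic policy to apply to this edge` directly above the field; the tlsedge_types.go hunk (`@@ -50,6 +50,8 @@`) has the same gap. The TCPEdgeSpec definition begins outside the hunk.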
diff --git a/api/ingress/v1alpha1/tlsedge_types.go b/api/ingress/v1alpha1/tlsedge_types.go
index 051a1777..c4adc38e 100644
--- a/api/ingress/v1alpha1/tlsedge_types.go
+++ b/api/ingress/v1alpha1/tlsedge_types.go
@@ -50,6 +50,8 @@ type TLSEdgeSpec struct {
 TLSTermination *EndpointTLSTermination `json:"tlsTermination,omitempty"`
 MutualTLS *EndpointMutualTLS `json:"mutualTls,omitempty"`
+
+ Policy *EndpointPolicy `json:"policy,omitempty"`
 }
 // TLSEdgeStatus defines the observed state of TLSEdge
diff --git a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml
index 3ae1b679..19160590 100644
--- a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml
+++ b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml
@@ -90,6 +90,62 @@ spec: description: Metadata is a string of arbitrary data associated with the object in the ngrok API/Dashboard type: string + policy: + properties: + enabled: + description: Determines if the rule will be applied to traffic + type: boolean + inbound: + description: Inbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Outbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object type: object status: description: TCPEdgeStatus defines the observed state of TCPEdge diff --git a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml index 7f804456..670936e4 100644 --- a/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml +++ b/helm/ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml 
@@ -104,6 +104,62 @@ spec: type: string type: array type: object + policy: + properties: + enabled: + description: Determines if the rule will be applied to traffic + type: boolean + inbound: + description: Inbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + outbound: + description: Outbound traffic rule + items: + properties: + actions: + description: Actions + items: + properties: + config: + type: object + x-kubernetes-preserve-unknown-fields: true + type: + type: string + type: object + type: array + expressions: + description: Expressions + items: + type: string + type: array + name: + description: Name + type: string + type: object + type: array + type: object tlsTermination: properties: minVersion: diff --git a/internal/controller/ingress/tcpedge_controller.go b/internal/controller/ingress/tcpedge_controller.go index c1905c37..1750dc3a 100644 --- a/internal/controller/ingress/tcpedge_controller.go +++ b/internal/controller/ingress/tcpedge_controller.go @@ -266,6 +266,10 @@ func (r *TCPEdgeReconciler) updateEdge(ctx context.Context, edge *ingressv1alpha return err } + if err := r.updatePolicyModule(ctx, edge, remoteEdge); err != nil { + return err + } + return nil } 
@@ -380,3 +384,29 @@ func (r *TCPEdgeReconciler) listTCPEdgesForIPPolicy(ctx context.Context, obj cli
 r.Log.Info("IPPolicy change triggered TCPEdge reconciliation", "count", len(recs), "policy", policy.Name, "namespace", policy.Namespace)
 return recs
 }
+
+func (r *TCPEdgeReconciler) updatePolicyModule(ctx context.Context, edge *ingressv1alpha1.TCPEdge, remoteEdge *ngrok.TCPEdge) error {
+ policy := edge.Spec.Policy
+ client := r.NgrokClientset.EdgeModules().TCP().Policy()
+
+ endpointPolicy := policy.ToNgrok()
+
+ // Early return if nothing to be done
+ if endpointPolicy == nil {
+ if remoteEdge.Policy == nil {
+ r.Log.Info("Module matches desired state, skipping update", "module", "Policy", "comparison", routeModuleComparisonBothNil)
+
+ return nil
+ }
+
+ r.Log.Info("Deleting Policy module")
+ return client.Delete(ctx, edge.Status.ID)
+ }
+
+ r.Log.Info("Updating Policy module")
+ _, err := client.Replace(ctx, &ngrok.EdgePolicyReplace{
+ ID: remoteEdge.ID,
+ Module: *endpointPolicy,
+ })
+ return err
+}
diff --git a/internal/controller/ingress/tlsedge_controller.go b/internal/controller/ingress/tlsedge_controller.go
index c30c2268..6b6b0af2 100644
--- a/internal/controller/ingress/tlsedge_controller.go
+++ b/internal/controller/ingress/tlsedge_controller.go
@@ -197,6 +197,10 @@ func (r *TLSEdgeReconciler) updateEdge(ctx context.Context, edge *ingressv1alpha return err } + + if err := r.updatePolicyModule(ctx, edge, resp); err != nil { + return err + } + return nil }
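Review bot: The delete branch addresses the edge by `edge.Status.ID` while the replace branch a few lines later uses `remoteEdge.ID`; should those two ever differ (a stale status after the remote edge was recreated, for instance), the controller would remove the Policy module from an edge other than the one whose `remoteEdge.Policy` it just inspected. Use the identifier of the edge actually fetched on both paths: `return client.Delete(ctx, remoteEdge.ID)`. The TLS counterpart in tlsedge_controller.go (`@@ -391,3 +395,29 @@`) has the same mismatch. The new method also has no doc comment; suggest `// updatePolicyModule brings the edge's remote Policy module in line with edge.Spec.Policy, deleting the module when the spec defines none.`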
@@ -391,3 +395,29 @@ func (r *TLSEdgeReconciler) listTLSEdgesForIPPolicy(ctx context.Context, obj cli
 r.Log.Info("IPPolicy change triggered TLSEdge reconciliation", "count", len(recs), "policy", policy.Name, "namespace", policy.Namespace)
 return recs
 }
+
+func (r *TLSEdgeReconciler) updatePolicyModule(ctx context.Context, edge *ingressv1alpha1.TLSEdge, remoteEdge *ngrok.TLSEdge) error {
+ policy := edge.Spec.Policy
+ client := r.NgrokClientset.EdgeModules().TLS().Policy()
+
+ endpointPolicy := policy.ToNgrok()
+
+ // Early return if nothing to be done
+ if endpointPolicy == nil {
+ if remoteEdge.Policy == nil {
+ r.Log.Info("Module matches desired state, skipping update", "module", "Policy", "comparison", routeModuleComparisonBothNil)
+
+ return nil
+ }
+
+ r.Log.Info("Deleting Policy module")
+ return client.Delete(ctx, edge.Status.ID)
+ }
+
+ r.Log.Info("Updating Policy module")
+ _, err := client.Replace(ctx, &ngrok.EdgePolicyReplace{
+ ID: remoteEdge.ID,
+ Module: *endpointPolicy,
+ })
+ return err
+}
diff --git a/internal/ngrokapi/edge_modules_tcp_clientset.go b/internal/ngrokapi/edge_modules_tcp_clientset.go
index 61d433bd..15338eec 100644
--- a/internal/ngrokapi/edge_modules_tcp_clientset.go
+++ b/internal/ngrokapi/edge_modules_tcp_clientset.go
@@ -4,22 +4,26 @@ import (
 "github.com/ngrok/ngrok-api-go/v5"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/tcp_edge_backend"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/tcp_edge_ip_restriction"
+ "github.com/ngrok/ngrok-api-go/v5/edge_modules/tcp_edge_policy"
 )
 type TCPEdgeModulesClientset interface {
 Backend() *tcp_edge_backend.Client
 IPRestriction() *tcp_edge_ip_restriction.Client
+ Policy() *tcp_edge_policy.Client
 }
 type defaultTCPEdgeModulesClientset struct {
 backend *tcp_edge_backend.Client
 ipRestriction *tcp_edge_ip_restriction.Client
+ policy *tcp_edge_policy.Client
 }
 func newTCPEdgeModulesClientset(config *ngrok.ClientConfig) *defaultTCPEdgeModulesClientset {
 return &defaultTCPEdgeModulesClientset{
 backend: tcp_edge_backend.NewClient(config),
 ipRestriction: tcp_edge_ip_restriction.NewClient(config),
+ policy: tcp_edge_policy.NewClient(config),
 }
 }
@@ -30,3 +34,7 @@ func (c *defaultTCPEdgeModulesClientset) Backend() *tcp_edge_backend.Client {
 func (c *defaultTCPEdgeModulesClientset) IPRestriction() *tcp_edge_ip_restriction.Client {
 return c.ipRestriction
 }
+
+func (c *defaultTCPEdgeModulesClientset) Policy() *tcp_edge_policy.Client {
+ return c.policy
+}
diff --git a/internal/ngrokapi/edge_modules_tls_clientset.go b/internal/ngrokapi/edge_modules_tls_clientset.go
index 4afc217b..fe332cb5 100644
--- a/internal/ngrokapi/edge_modules_tls_clientset.go
+++ b/internal/ngrokapi/edge_modules_tls_clientset.go
@@ -5,6 +5,7 @@ import (
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/tls_edge_backend"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/tls_edge_ip_restriction"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/tls_edge_mutual_tls"
+ "github.com/ngrok/ngrok-api-go/v5/edge_modules/tls_edge_policy"
 "github.com/ngrok/ngrok-api-go/v5/edge_modules/tls_edge_tls_termination"
 )
@@ -13,6 +14,7 @@ type TLSEdgeModulesClientset interface {
 IPRestriction() *tls_edge_ip_restriction.Client
 MutualTLS() *tls_edge_mutual_tls.Client
 TLSTermination() *tls_edge_tls_termination.Client
+ Policy() *tls_edge_policy.Client
 }
 type defaultTLSEdgeModulesClientset struct {
@@ -20,6 +22,7 @@ type defaultTLSEdgeModulesClientset struct {
 ipRestriction *tls_edge_ip_restriction.Client
 mutualTLS *tls_edge_mutual_tls.Client
 tlsTermination *tls_edge_tls_termination.Client
+ policy *tls_edge_policy.Client
 }
 func newTLSEdgeModulesClientset(config *ngrok.ClientConfig) *defaultTLSEdgeModulesClientset {
@@ -28,6 +31,7 @@ func newTLSEdgeModulesClientset(config *ngrok.ClientConfig) *defaultTLSEdgeModul
 ipRestriction: tls_edge_ip_restriction.NewClient(config),
 mutualTLS: tls_edge_mutual_tls.NewClient(config),
 tlsTermination: tls_edge_tls_termination.NewClient(config),
+ policy: tls_edge_policy.NewClient(config),
 }
 }
@@ -46,3 +50,7 @@ func (c *defaultTLSEdgeModulesClientset) MutualTLS() *tls_edge_mutual_tls.Client
 func (c *defaultTLSEdgeModulesClientset) TLSTermination() *tls_edge_tls_termination.Client {
 return c.tlsTermination
 }
+
+func (c *defaultTLSEdgeModulesClientset) Policy() *tls_edge_policy.Client {
+ return c.policy
+}
From 6fac1d6ee5a541c7b900b7a136ad80a7c3e44637 Mon Sep 17 00:00:00 2001
From: Abdirahman Osman
Date: Tue, 6 Feb 2024 11:07:14 -0600
Subject: [PATCH 6/6] use ngrok-api-go v5.3.0
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index a4bffa5e..b41566e6 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/go-logr/logr v1.2.4
 github.com/golang/mock v1.4.4
 github.com/imdario/mergo v0.3.16
- github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240202164311-e46cf17c1b3b
+ github.com/ngrok/ngrok-api-go/v5 v5.3.0
 github.com/onsi/ginkgo/v2 v2.11.0
 github.com/onsi/gomega v1.27.10
 github.com/spf13/cobra v1.7.0
diff --git a/go.sum b/go.sum
index 16660a9c..0b4e97bb 100644
--- a/go.sum
+++ b/go.sum
@@ -415,8 +415,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= -github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240202164311-e46cf17c1b3b h1:zVNitZT1l6S2thahznTlMO+Fknsynoi++7SJQJf7RIY= -github.com/ngrok/ngrok-api-go/v5 v5.2.1-0.20240202164311-e46cf17c1b3b/go.mod h1:UVTaHI5B4gEsfHCOZTlRg8WkT6+KBijIkVtjpDqCyIU= +github.com/ngrok/ngrok-api-go/v5 v5.3.0 h1:J9ZQ54aG9RuEvk8wZmQhQXafL4HF+ZBnlHo/QC/ES74= +github.com/ngrok/ngrok-api-go/v5 v5.3.0/go.mod h1:UVTaHI5B4gEsfHCOZTlRg8WkT6+KBijIkVtjpDqCyIU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=