Merge pull request #991 from csnitker/master

IPv6 Support in Inbound CIDR Annotation

Author: k8s-ci-robot

internal/alb/sg/association.go

@@ -62,10 +62,11 @@ type associationController struct {
 }
 
 type associationConfig struct {
-	LbPorts        []int64
-	LbInboundCIDRs []string
-	LbExternalSGs  []string
-	AdditionalTags map[string]string
+	LbPorts          []int64
+	LbInboundCIDRs   []string
+	LbInboundV6CIDRs []string
+	LbExternalSGs    []string
+	AdditionalTags   map[string]string
 }
 
 func (c *associationController) Reconcile(ctx context.Context, ingress *extensions.Ingress, lbInstance *elbv2.LoadBalancer, tgGroup tg.TargetGroupGroup) error {
@@ -144,12 +145,31 @@ func (c *associationController) reconcileLbSG(ctx context.Context, ingressKey ty
 				Description: aws.String(fmt.Sprintf("Allow ingress on port %v from %v", port, cidr)),
 			})
 		}
+
+		ipv6Ranges := make([]*ec2.Ipv6Range, 0, len(cfg.LbInboundV6CIDRs))
+		for _, cidr := range cfg.LbInboundV6CIDRs {
+			ipv6Ranges = append(ipv6Ranges, &ec2.Ipv6Range{
+				CidrIpv6:    aws.String(cidr),
+				Description: aws.String(fmt.Sprintf("Allow ingress on port %v from %v", port, cidr)),
+			})
+		}
+
+		if len(ipv6Ranges) > 0 {
+			inboundPermissions = append(inboundPermissions, &ec2.IpPermission{
+				IpProtocol: aws.String("tcp"),
+				FromPort:   aws.Int64(port),
+				ToPort:     aws.Int64(port),
+				Ipv6Ranges: ipv6Ranges,
+			})
+		}
+
 		permission := &ec2.IpPermission{
 			IpProtocol: aws.String("tcp"),
 			FromPort:   aws.Int64(port),
 			ToPort:     aws.Int64(port),
 			IpRanges:   ipRanges,
 		}
+
 		inboundPermissions = append(inboundPermissions, permission)
 	}
 	if err := c.sgController.Reconcile(ctx, sgInstance, inboundPermissions, sgTags); err != nil {
@@ -255,10 +275,11 @@ func (c *associationController) buildAssociationConfig(ctx context.Context, ingr
 		return associationConfig{}, err
 	}
 	return associationConfig{
-		LbPorts:        lbPorts,
-		LbInboundCIDRs: ingressAnnos.LoadBalancer.InboundCidrs,
-		LbExternalSGs:  lbExternalSGs,
-		AdditionalTags: ingressAnnos.Tags.LoadBalancer,
+		LbPorts:          lbPorts,
+		LbInboundCIDRs:   ingressAnnos.LoadBalancer.InboundCidrs,
+		LbInboundV6CIDRs: ingressAnnos.LoadBalancer.InboundV6CIDRs,
+		LbExternalSGs:    lbExternalSGs,
+		AdditionalTags:   ingressAnnos.Tags.LoadBalancer,
 	}, nil
 }
 

internal/alb/sg/security_group.go

@@ -105,6 +105,12 @@ func ipPermissionEquals(source *ec2.IpPermission, target *ec2.IpPermission) bool
 	if len(diffIPRanges(target.IpRanges, source.IpRanges)) != 0 {
 		return false
 	}
+	if len(diffIPv6Ranges(source.Ipv6Ranges, target.Ipv6Ranges)) != 0 {
+		return false
+	}
+	if len(diffIPv6Ranges(target.Ipv6Ranges, source.Ipv6Ranges)) != 0 {
+		return false
+	}
 	if len(diffUserIDGroupPairs(source.UserIdGroupPairs, target.UserIdGroupPairs)) != 0 {
 		return false
 	}
@@ -115,12 +121,29 @@ func ipPermissionEquals(source *ec2.IpPermission, target *ec2.IpPermission) bool
 	return true
 }
 
+// diffIPv6Ranges calculates set_difference as source - target
+func diffIPv6Ranges(source []*ec2.Ipv6Range, target []*ec2.Ipv6Range) (diffs []*ec2.Ipv6Range) {
+	for _, sRange := range source {
+		containsInTarget := false
+		for _, tRange := range target {
+			if ipRangeEquals(sRange.CidrIpv6, tRange.CidrIpv6) {
+				containsInTarget = true
+				break
+			}
+		}
+		if !containsInTarget {
+			diffs = append(diffs, sRange)
+		}
+	}
+	return diffs
+}
+
 // diffIPRanges calculates set_difference as source - target
 func diffIPRanges(source []*ec2.IpRange, target []*ec2.IpRange) (diffs []*ec2.IpRange) {
 	for _, sRange := range source {
 		containsInTarget := false
 		for _, tRange := range target {
-			if ipRangeEquals(sRange, tRange) {
+			if ipRangeEquals(sRange.CidrIp, tRange.CidrIp) {
 				containsInTarget = true
 				break
 			}
@@ -133,8 +156,8 @@ func diffIPRanges(source []*ec2.IpRange, target []*ec2.IpRange) (diffs []*ec2.Ip
 }
 
 // ipRangeEquals test whether two IPRange instance are equals
-func ipRangeEquals(source *ec2.IpRange, target *ec2.IpRange) bool {
-	return aws.StringValue(source.CidrIp) == aws.StringValue(target.CidrIp)
+func ipRangeEquals(source *string, target *string) bool {
+	return aws.StringValue(source) == aws.StringValue(target)
 }
 
 // diffUserIDGroupPairs calculates set_difference as source - target

internal/alb/sg/security_group_test.go

@@ -390,6 +390,11 @@ func TestDiffIPPermissions(t *testing.T) {
 							CidrIp: aws.String("192.168.1.1/32"),
 						},
 					},
+					Ipv6Ranges: []*ec2.Ipv6Range{
+						{
+							CidrIpv6: aws.String("::/0"),
+						},
+					},
 					UserIdGroupPairs: []*ec2.UserIdGroupPair{
 						{
 							GroupId: aws.String("groupA"),
@@ -398,6 +403,69 @@ func TestDiffIPPermissions(t *testing.T) {
 				},
 			},
 			target: []*ec2.IpPermission{},
+			expectedDiffs: []*ec2.IpPermission{
+				{
+					IpProtocol: aws.String("tcp"),
+					FromPort:   aws.Int64(80),
+					ToPort:     aws.Int64(81),
+					IpRanges: []*ec2.IpRange{
+						{
+							CidrIp: aws.String("192.168.1.1/32"),
+						},
+					},
+					Ipv6Ranges: []*ec2.Ipv6Range{
+						{
+							CidrIpv6: aws.String("::/0"),
+						},
+					},
+					UserIdGroupPairs: []*ec2.UserIdGroupPair{
+						{
+							GroupId: aws.String("groupA"),
+						},
+					},
+				},
+			},
+		},
+		{
+			source: []*ec2.IpPermission{
+				{
+					IpProtocol: aws.String("tcp"),
+					FromPort:   aws.Int64(80),
+					ToPort:     aws.Int64(81),
+					IpRanges: []*ec2.IpRange{
+						{
+							CidrIp: aws.String("192.168.1.1/32"),
+						},
+					},
+					UserIdGroupPairs: []*ec2.UserIdGroupPair{
+						{
+							GroupId: aws.String("groupA"),
+						},
+					},
+				},
+			},
+			target: []*ec2.IpPermission{
+				{
+					IpProtocol: aws.String("tcp"),
+					FromPort:   aws.Int64(80),
+					ToPort:     aws.Int64(81),
+					IpRanges: []*ec2.IpRange{
+						{
+							CidrIp: aws.String("192.168.1.1/32"),
+						},
+					},
+					Ipv6Ranges: []*ec2.Ipv6Range{
+						{
+							CidrIpv6: aws.String("::/0"),
+						},
+					},
+					UserIdGroupPairs: []*ec2.UserIdGroupPair{
+						{
+							GroupId: aws.String("groupA"),
+						},
+					},
+				},
+			},
 			expectedDiffs: []*ec2.IpPermission{
 				{
 					IpProtocol: aws.String("tcp"),

internal/ingress/annotations/loadbalancer/main.go

@@ -42,6 +42,7 @@ type Config struct {
 	WebACLId      *string
 
 	InboundCidrs   []string
+	InboundV6CIDRs []string
 	Ports          []PortData
 	SecurityGroups []string
 	Subnets        []string
@@ -102,7 +103,7 @@ func (lb loadBalancer) Parse(ing parser.AnnotationInterface) (interface{}, error
 	securityGroups := parser.GetStringSliceAnnotation("security-groups", ing)
 	subnets := parser.GetStringSliceAnnotation("subnets", ing)
 
-	cidrs, err := parseCidrs(ing)
+	v4CIDRs, v6CIDRs, err := parseCidrs(ing)
 	if err != nil {
 		return nil, err
 	}
@@ -112,9 +113,10 @@ func (lb loadBalancer) Parse(ing parser.AnnotationInterface) (interface{}, error
 		Scheme:        scheme,
 		IPAddressType: ipAddressType,
 
-		Attributes:   attributes,
-		InboundCidrs: cidrs,
-		Ports:        ports,
+		Attributes:     attributes,
+		InboundCidrs:   v4CIDRs,
+		InboundV6CIDRs: v6CIDRs,
+		Ports:          ports,
 
 		Subnets:        subnets,
 		SecurityGroups: securityGroups,
@@ -203,7 +205,7 @@ func parsePorts(ing parser.AnnotationInterface) ([]PortData, error) {
 	return lps, nil
 }
 
-func parseCidrs(ing parser.AnnotationInterface) (out []string, err error) {
+func parseCidrs(ing parser.AnnotationInterface) (v4CIDRs, v6CIDRs []string, err error) {
 	cidrConfig := parser.GetStringSliceAnnotation("security-group-inbound-cidrs", ing)
 	if len(cidrConfig) != 0 {
 		glog.Warningf("`security-group-inbound-cidrs` annotation is deprecated, use `inbound-cidrs` instead")
@@ -212,20 +214,28 @@ func parseCidrs(ing parser.AnnotationInterface) (out []string, err error) {
 	}
 
 	for _, inboundCidr := range cidrConfig {
-		ip, _, err := net.ParseCIDR(inboundCidr)
+		_, _, err := net.ParseCIDR(inboundCidr)
 		if err != nil {
-			return out, err
+			return v4CIDRs, v6CIDRs, err
 		}
 
-		if ip.To4() == nil {
-			return out, fmt.Errorf("CIDR must use an IPv4 address: %v", inboundCidr)
+		if strings.Contains(inboundCidr, ":") {
+			v6CIDRs = append(v6CIDRs, inboundCidr)
+		} else {
+			v4CIDRs = append(v4CIDRs, inboundCidr)
 		}
-		out = append(out, inboundCidr)
 	}
-	if len(out) == 0 {
-		out = append(out, "0.0.0.0/0")
+
+	if len(v4CIDRs) == 0 && len(v6CIDRs) == 0 {
+		v4CIDRs = append(v4CIDRs, "0.0.0.0/0")
+
+		addrType, _ := parser.GetStringAnnotation("ip-address-type", ing)
+		if addrType != nil && *addrType == elbv2.IpAddressTypeDualstack {
+			v6CIDRs = append(v6CIDRs, "::/0")
+		}
 	}
-	return out, nil
+
+	return v4CIDRs, v6CIDRs, nil
 }
 
 func Dummy() *Config {