Added support for IPv6 CIDRs in security groups

Author: csnitker-godaddy

internal/alb/sg/association.go

@@ -62,10 +62,11 @@ type associationController struct {
 }
 
 type associationConfig struct {
-	LbPorts        []int64
-	LbInboundCIDRs []string
-	LbExternalSGs  []string
-	AdditionalTags map[string]string
+	LbPorts          []int64
+	LbInboundCIDRs   []string
+	LbInboundV6CIDRs []string
+	LbExternalSGs    []string
+	AdditionalTags   map[string]string
 }
 
 func (c *associationController) Reconcile(ctx context.Context, ingress *extensions.Ingress, lbInstance *elbv2.LoadBalancer, tgGroup tg.TargetGroupGroup) error {
@@ -144,11 +145,19 @@ func (c *associationController) reconcileLbSG(ctx context.Context, ingressKey ty
 				Description: aws.String(fmt.Sprintf("Allow ingress on port %v from %v", port, cidr)),
 			})
 		}
+		ipv6Ranges := make([]*ec2.Ipv6Range, 0, len(cfg.LbInboundV6CIDRs))
+		for _, cidr := range cfg.LbInboundV6CIDRs {
+			ipv6Ranges = append(ipv6Ranges, &ec2.Ipv6Range{
+				CidrIpv6:    aws.String(cidr),
+				Description: aws.String(fmt.Sprintf("Allow ingress on port %v from %v", port, cidr)),
+			})
+		}
 		permission := &ec2.IpPermission{
 			IpProtocol: aws.String("tcp"),
 			FromPort:   aws.Int64(port),
 			ToPort:     aws.Int64(port),
 			IpRanges:   ipRanges,
+			Ipv6Ranges: ipv6Ranges,
 		}
 		inboundPermissions = append(inboundPermissions, permission)
 	}
@@ -255,10 +264,11 @@ func (c *associationController) buildAssociationConfig(ctx context.Context, ingr
 		return associationConfig{}, err
 	}
 	return associationConfig{
-		LbPorts:        lbPorts,
-		LbInboundCIDRs: ingressAnnos.LoadBalancer.InboundCidrs,
-		LbExternalSGs:  lbExternalSGs,
-		AdditionalTags: ingressAnnos.Tags.LoadBalancer,
+		LbPorts:          lbPorts,
+		LbInboundCIDRs:   ingressAnnos.LoadBalancer.InboundCidrs,
+		LbInboundV6CIDRs: ingressAnnos.LoadBalancer.InboundV6CIDRs,
+		LbExternalSGs:    lbExternalSGs,
+		AdditionalTags:   ingressAnnos.Tags.LoadBalancer,
 	}, nil
 }
 

internal/ingress/annotations/loadbalancer/main.go

@@ -42,6 +42,7 @@ type Config struct {
 	WebACLId      *string
 
 	InboundCidrs   []string
+	InboundV6CIDRs []string
 	Ports          []PortData
 	SecurityGroups []string
 	Subnets        []string
@@ -102,7 +103,7 @@ func (lb loadBalancer) Parse(ing parser.AnnotationInterface) (interface{}, error
 	securityGroups := parser.GetStringSliceAnnotation("security-groups", ing)
 	subnets := parser.GetStringSliceAnnotation("subnets", ing)
 
-	cidrs, err := parseCidrs(ing)
+	v4CIDRs, v6CIDRs, err := parseCidrs(ing)
 	if err != nil {
 		return nil, err
 	}
@@ -112,9 +113,10 @@ func (lb loadBalancer) Parse(ing parser.AnnotationInterface) (interface{}, error
 		Scheme:        scheme,
 		IPAddressType: ipAddressType,
 
-		Attributes:   attributes,
-		InboundCidrs: cidrs,
-		Ports:        ports,
+		Attributes:     attributes,
+		InboundCidrs:   v4CIDRs,
+		InboundV6CIDRs: v6CIDRs,
+		Ports:          ports,
 
 		Subnets:        subnets,
 		SecurityGroups: securityGroups,
@@ -203,7 +205,7 @@ func parsePorts(ing parser.AnnotationInterface) ([]PortData, error) {
 	return lps, nil
 }
 
-func parseCidrs(ing parser.AnnotationInterface) (out []string, err error) {
+func parseCidrs(ing parser.AnnotationInterface) (v4CIDRs, v6CIDRs []string, err error) {
 	cidrConfig := parser.GetStringSliceAnnotation("security-group-inbound-cidrs", ing)
 	if len(cidrConfig) != 0 {
 		glog.Warningf("`security-group-inbound-cidrs` annotation is deprecated, use `inbound-cidrs` instead")
@@ -214,18 +216,26 @@ func parseCidrs(ing parser.AnnotationInterface) (out []string, err error) {
 	for _, inboundCidr := range cidrConfig {
 		ip, _, err := net.ParseCIDR(inboundCidr)
 		if err != nil {
-			return out, err
+			return v4CIDRs, v6CIDRs, err
 		}
 
 		if ip.To4() == nil {
-			return out, fmt.Errorf("CIDR must use an IPv4 address: %v", inboundCidr)
+			v6CIDRs = append(v6CIDRs, inboundCidr)
+		} else {
+			v4CIDRs = append(v4CIDRs, inboundCidr)
 		}
-		out = append(out, inboundCidr)
 	}
-	if len(out) == 0 {
-		out = append(out, "0.0.0.0/0")
+
+	if len(v4CIDRs) == 0 {
+		v4CIDRs = append(v4CIDRs, "0.0.0.0/0")
 	}
-	return out, nil
+
+	addrType, _ := parser.GetStringAnnotation("ip-address-type", ing)
+	if addrType != nil && *addrType == elbv2.IpAddressTypeDualstack && len(v6CIDRs) == 0 {
+		v6CIDRs = append(v6CIDRs, "::/0")
+	}
+
+	return v4CIDRs, v6CIDRs, nil
 }
 
 func Dummy() *Config {