Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add feature to create a Network Security Group in Azure #200

Open
wants to merge 11 commits into
base: master
Choose a base branch
from

Conversation

escortnotice
Copy link

@escortnotice escortnotice commented Nov 23, 2020

Description of your changes

Create a Network Security Group, which can restrict inbound and outgoing traffic using 5tuple rules. Also restrict traffic based on Service tagging and Application Security Group.

Issue: #168

Fixes #

I have:

  • Read and followed Crossplane's [contribution process].
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

Currently we have tested the code manually on azure cloud, all the configuration files (.yaml) are in the examples folder which can be referred for use.

@escortnotice escortnotice changed the title Feature nsg Add feature to create a Network Security Group in Azure #168 Nov 23, 2020
@escortnotice escortnotice changed the title Add feature to create a Network Security Group in Azure #168 Add feature to create a Network Security Group in Azure Nov 23, 2020
@muvaf muvaf requested review from hasheddan and kasey November 23, 2020 14:58
Copy link
Member

@hasheddan hasheddan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@escortnotice thanks for your work here :) I have given a first pass review below, but also wanted to point you to these resources:

Also, I believe you will need an update to crossplane-runtime version here 👍 The errors in CI should give you some indication about other existing issues. Let me know if you have any questions!


Spec SecurityGroupSpec `json:"spec"`
Status SecurityGroupStatus `json:"status,omitempty"`
///Properties SecurityGroupPropertiesFormat `json:"properties,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
///Properties SecurityGroupPropertiesFormat `json:"properties,omitempty"`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have implemented this change

}

// A SecurityGroupSpec defines the desired state of a SecurityGroup.
type SecurityGroupSpec struct {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fields that are not imported from crossplane-runtime should be under forProvider struct (ref: https://github.com/crossplane/provider-azure/blob/b55e3a0dabc627726d2f5275d80f662650932d45/apis/cache/v1beta1/redis_types.go#L139)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious to know what is the significance of adding forProvider as it seems to be a level addition to me , and this is also not present in Virtualnetwork Resource.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we have added forProvided in the SecurityGroupSpec Struct also.

// SecurityRulePropertiesFormat security rule resource.
type SecurityRulePropertiesFormat struct {
// Description - A description for this rule. Restricted to 140 chars.
Description string `json:"description,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All optional spec fields should be pointer types.

Suggested change
Description string `json:"description,omitempty"`
Description *string `json:"description,omitempty"`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have implemented this change

SourcePortRange string `json:"sourcePortRange,omitempty"`
// DestinationPortRange - The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.
DestinationPortRange string `json:"destinationPortRange,omitempty"`
// SourceAddressPrefix - The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer that comments be wrapped at 80 chars :)

func init() {
SchemeBuilder.Register(&VirtualNetwork{}, &VirtualNetworkList{})
SchemeBuilder.Register(&Subnet{}, &SubnetList{})
SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{})
SchemeBuilder.Register(&SecurityRule{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Guessing there should also be a SecurityRuleList?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or is it intended that a SecurityRule just be in the spec of a SecurityGroup? If so, it should not be its own object, but it they are separate APIs on Azure then they should be separate Crossplane objects and the SecurityGroup should reference SecurityRule.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refactored SecurityRule as it is just a part of Security Group not a independent entity.

@@ -17,6 +17,7 @@ limitations under the License.
package controller

import (
SecurityGroup "github.com/crossplane/provider-azure/pkg/controller/network/securitygroup"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
SecurityGroup "github.com/crossplane/provider-azure/pkg/controller/network/securitygroup"
"github.com/crossplane/provider-azure/pkg/controller/network/securitygroup"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have implemented this change

@@ -56,6 +57,7 @@ func Setup(mgr ctrl.Manager, l logging.Logger) error {
resourcegroup.Setup,
account.Setup,
container.Setup,
SecurityGroup.Setup,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
SecurityGroup.Setup,
securitygroup.Setup,

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have implemented this change

Comment on lines 24 to 26
//"github.com/crossplane/provider-azure/pkg/clients/network"

//"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2019-12-01/network/networkapi"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
//"github.com/crossplane/provider-azure/pkg/clients/network"
//"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2019-12-01/network/networkapi"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have implemented this change


type external struct {
client networkapi.SecurityGroupsClientAPI
//client azurenetwork.SecurityGroupsClient
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
//client azurenetwork.SecurityGroupsClient

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have implemented this change

@@ -0,0 +1,470 @@
package SecurityGroup

import (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I am unable to understand this statement , could you please share more details what changes are expected.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We require imports to be structured in groups separated by a blank line in the following order:

  1. stdlib packages
  2. external packages (i.e. not from crossplane org)
  3. other crossplane org packages (i.e. crossplane-runtime)
  4. provider-azure packages (i.e. from within this repo)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First running:
goimports -local github.com/crossplane/provider-azure -w pkg/controller/network/securitygroup/managed_test.go pkg/controller/network/securitygroup/managed_test.go,
and then running:
goimports -local github.com/crossplane/crossplane-runtime -w pkg/controller/network/securitygroup/managed_test.go pkg/controller/network/securitygroup/managed_test.go,
should put them into shape.

func init() {
SchemeBuilder.Register(&VirtualNetwork{}, &VirtualNetworkList{})
SchemeBuilder.Register(&Subnet{}, &SubnetList{})
SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{})
//SchemeBuilder.Register(&SecurityRule{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be removed? Is it possible to create a SecurityRule independent of a SecurityGroup? If so, it should be a separate resource type.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants