-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add feature to create a Network Security Group in Azure #200
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: shreya <[email protected]>
Signed-off-by: shreya <[email protected]>
Signed-off-by: shreya <[email protected]>
Signed-off-by: shreya <[email protected]>
Feature nsg unit test to feature msg
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@escortnotice thanks for your work here :) I have given a first pass review below, but also wanted to point you to these resources:
- https://github.com/crossplane/crossplane/blob/master/design/one-pager-managed-resource-api-design.md
- https://crossplane.io/docs/v1.0/introduction/managed-resources.html
Also, I believe you will need an update to crossplane-runtime
version here 👍 The errors in CI should give you some indication about other existing issues. Let me know if you have any questions!
apis/network/v1alpha3/types.go
Outdated
|
||
Spec SecurityGroupSpec `json:"spec"` | ||
Status SecurityGroupStatus `json:"status,omitempty"` | ||
///Properties SecurityGroupPropertiesFormat `json:"properties,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
///Properties SecurityGroupPropertiesFormat `json:"properties,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have implemented this change
} | ||
|
||
// A SecurityGroupSpec defines the desired state of a SecurityGroup. | ||
type SecurityGroupSpec struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fields that are not imported from crossplane-runtime should be under forProvider
struct (ref: https://github.com/crossplane/provider-azure/blob/b55e3a0dabc627726d2f5275d80f662650932d45/apis/cache/v1beta1/redis_types.go#L139)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious to know what is the significance of adding forProvider as it seems to be a level addition to me , and this is also not present in Virtualnetwork Resource.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we have added forProvided in the SecurityGroupSpec Struct also.
apis/network/v1alpha3/types.go
Outdated
// SecurityRulePropertiesFormat security rule resource. | ||
type SecurityRulePropertiesFormat struct { | ||
// Description - A description for this rule. Restricted to 140 chars. | ||
Description string `json:"description,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All optional spec fields should be pointer types.
Description string `json:"description,omitempty"` | |
Description *string `json:"description,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have implemented this change
apis/network/v1alpha3/types.go
Outdated
SourcePortRange string `json:"sourcePortRange,omitempty"` | ||
// DestinationPortRange - The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | ||
DestinationPortRange string `json:"destinationPortRange,omitempty"` | ||
// SourceAddressPrefix - The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prefer that comments be wrapped at 80 chars :)
apis/network/v1alpha3/register.go
Outdated
func init() { | ||
SchemeBuilder.Register(&VirtualNetwork{}, &VirtualNetworkList{}) | ||
SchemeBuilder.Register(&Subnet{}, &SubnetList{}) | ||
SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{}) | ||
SchemeBuilder.Register(&SecurityRule{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Guessing there should also be a SecurityRuleList
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or is it intended that a SecurityRule
just be in the spec of a SecurityGroup
? If so, it should not be its own object, but it they are separate APIs on Azure then they should be separate Crossplane objects and the SecurityGroup
should reference SecurityRule
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Refactored SecurityRule as it is just a part of Security Group not a independent entity.
pkg/controller/azure.go
Outdated
@@ -17,6 +17,7 @@ limitations under the License. | |||
package controller | |||
|
|||
import ( | |||
SecurityGroup "github.com/crossplane/provider-azure/pkg/controller/network/securitygroup" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SecurityGroup "github.com/crossplane/provider-azure/pkg/controller/network/securitygroup" | |
"github.com/crossplane/provider-azure/pkg/controller/network/securitygroup" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have implemented this change
pkg/controller/azure.go
Outdated
@@ -56,6 +57,7 @@ func Setup(mgr ctrl.Manager, l logging.Logger) error { | |||
resourcegroup.Setup, | |||
account.Setup, | |||
container.Setup, | |||
SecurityGroup.Setup, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SecurityGroup.Setup, | |
securitygroup.Setup, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have implemented this change
//"github.com/crossplane/provider-azure/pkg/clients/network" | ||
|
||
//"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2019-12-01/network/networkapi" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
//"github.com/crossplane/provider-azure/pkg/clients/network" | |
//"github.com/Azure/azure-sdk-for-go/services/network/mgmt/2019-12-01/network/networkapi" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have implemented this change
|
||
type external struct { | ||
client networkapi.SecurityGroupsClientAPI | ||
//client azurenetwork.SecurityGroupsClient |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
//client azurenetwork.SecurityGroupsClient |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have implemented this change
@@ -0,0 +1,470 @@ | |||
package SecurityGroup | |||
|
|||
import ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these imports will fail linting https://github.com/crossplane/provider-azure/blob/b55e3a0dabc627726d2f5275d80f662650932d45/.golangci.yml#L38
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I am unable to understand this statement , could you please share more details what changes are expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We require imports to be structured in groups separated by a blank line in the following order:
- stdlib packages
- external packages (i.e. not from crossplane org)
- other crossplane org packages (i.e.
crossplane-runtime
) - provider-azure packages (i.e. from within this repo)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First running:
goimports -local github.com/crossplane/provider-azure -w pkg/controller/network/securitygroup/managed_test.go pkg/controller/network/securitygroup/managed_test.go
,
and then running:
goimports -local github.com/crossplane/crossplane-runtime -w pkg/controller/network/securitygroup/managed_test.go pkg/controller/network/securitygroup/managed_test.go
,
should put them into shape.
func init() { | ||
SchemeBuilder.Register(&VirtualNetwork{}, &VirtualNetworkList{}) | ||
SchemeBuilder.Register(&Subnet{}, &SubnetList{}) | ||
SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{}) | ||
//SchemeBuilder.Register(&SecurityRule{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be removed? Is it possible to create a SecurityRule
independent of a SecurityGroup
? If so, it should be a separate resource type.
Description of your changes
Create a Network Security Group, which can restrict inbound and outgoing traffic using 5tuple rules. Also restrict traffic based on Service tagging and Application Security Group.
Issue: #168
Fixes #
I have:
make reviewable test
to ensure this PR is ready for review.How has this code been tested
Currently we have tested the code manually on azure cloud, all the configuration files (.yaml) are in the examples folder which can be referred for use.