[Enhancement] Add loadBalancerSourceRanges field to restrict the the …

…source ip range (#551) Signed-off-by: yandongxiao <yandongxiao@starrocks.com>
StarRocks · Jun 25, 2024 · 2938429 · 2938429
1 parent f58c451
commit 2938429
Show file tree

Hide file tree

Showing 11 changed files with 150 additions and 26 deletions.
diff --git a/config/crd/bases/starrocks.com_starrocksclusters.yaml b/config/crd/bases/starrocks.com_starrocksclusters.yaml
@@ -2710,6 +2710,15 @@ spec:
                           As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available.
                           This field may be removed in a future API version.
                         type: string
+                      loadBalancerSourceRanges:
+                        description: |-
+                          If specified and supported by the platform, this will restrict traffic through the cloud-provider
+                          load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+                          cloud-provider does not support the feature.
+                          More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+                        items:
+                          type: string
+                        type: array
                       ports:
                         description: |-
                           Ports are the ports that are exposed by this service.
@@ -7619,6 +7628,15 @@ spec:
                           As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available.
                           This field may be removed in a future API version.
                         type: string
+                      loadBalancerSourceRanges:
+                        description: |-
+                          If specified and supported by the platform, this will restrict traffic through the cloud-provider
+                          load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+                          cloud-provider does not support the feature.
+                          More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+                        items:
+                          type: string
+                        type: array
                       ports:
                         description: |-
                           Ports are the ports that are exposed by this service.
@@ -10388,6 +10406,15 @@ spec:
                           As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available.
                           This field may be removed in a future API version.
                         type: string
+                      loadBalancerSourceRanges:
+                        description: |-
+                          If specified and supported by the platform, this will restrict traffic through the cloud-provider
+                          load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+                          cloud-provider does not support the feature.
+                          More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+                        items:
+                          type: string
+                        type: array
                       ports:
                         description: |-
                           Ports are the ports that are exposed by this service.
@@ -13386,6 +13413,15 @@ spec:
                           As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available.
                           This field may be removed in a future API version.
                         type: string
+                      loadBalancerSourceRanges:
+                        description: |-
+                          If specified and supported by the platform, this will restrict traffic through the cloud-provider
+                          load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+                          cloud-provider does not support the feature.
+                          More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+                        items:
+                          type: string
+                        type: array
                       ports:
                         description: |-
                           Ports are the ports that are exposed by this service.

diff --git a/config/crd/bases/starrocks.com_starrockswarehouses.yaml b/config/crd/bases/starrocks.com_starrockswarehouses.yaml
@@ -3321,6 +3321,15 @@ spec:
                           As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available.
                           This field may be removed in a future API version.
                         type: string
+                      loadBalancerSourceRanges:
+                        description: |-
+                          If specified and supported by the platform, this will restrict traffic through the cloud-provider
+                          load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+                          cloud-provider does not support the feature.
+                          More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+                        items:
+                          type: string
+                        type: array
                       ports:
                         description: |-
                           Ports are the ports that are exposed by this service.

diff --git a/deploy/starrocks.com_starrocksclusters.yaml b/deploy/starrocks.com_starrocksclusters.yaml
@@ -1319,6 +1319,10 @@ spec:
                         type: object
                       loadBalancerIP:
                         type: string
+                      loadBalancerSourceRanges:
+                        items:
+                          type: string
+                        type: array
                       ports:
                         items:
                           properties:
@@ -3652,6 +3656,10 @@ spec:
                         type: object
                       loadBalancerIP:
                         type: string
+                      loadBalancerSourceRanges:
+                        items:
+                          type: string
+                        type: array
                       ports:
                         items:
                           properties:
@@ -4933,6 +4941,10 @@ spec:
                         type: object
                       loadBalancerIP:
                         type: string
+                      loadBalancerSourceRanges:
+                        items:
+                          type: string
+                        type: array
                       ports:
                         items:
                           properties:
@@ -6327,6 +6339,10 @@ spec:
                         type: object
                       loadBalancerIP:
                         type: string
+                      loadBalancerSourceRanges:
+                        items:
+                          type: string
+                        type: array
                       ports:
                         items:
                           properties:

diff --git a/deploy/starrocks.com_starrockswarehouses.yaml b/deploy/starrocks.com_starrockswarehouses.yaml
@@ -1641,6 +1641,10 @@ spec:
                         type: object
                       loadBalancerIP:
                         type: string
+                      loadBalancerSourceRanges:
+                        items:
+                          type: string
+                        type: array
                       ports:
                         items:
                           properties:

diff --git a/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml b/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml
@@ -38,6 +38,10 @@ spec:
       {{- if and (eq "LoadBalancer" .Values.starrocksFESpec.service.type) .Values.starrocksFESpec.service.loadbalancerIP }}
       loadBalancerIP: {{ .Values.starrocksFESpec.service.loadbalancerIP }}
       {{- end }}
+      {{- if and (eq "LoadBalancer" .Values.starrocksFESpec.service.type) .Values.starrocksFESpec.service.loadBalancerSourceRanges}}
+      loadBalancerSourceRanges:
+        {{- toYaml .Values.starrocksFESpec.service.loadBalancerSourceRanges | nindent 8 }}
+      {{- end }}
       {{- if .Values.starrocksFESpec.service.ports }}
       ports:
         {{- toYaml .Values.starrocksFESpec.service.ports | nindent 8 }}
@@ -262,6 +266,10 @@ spec:
       {{- if and (eq "LoadBalancer" .Values.starrocksBeSpec.service.type) .Values.starrocksBeSpec.service.loadbalancerIP }}
       loadBalancerIP: {{ .Values.starrocksBeSpec.service.loadbalancerIP }}
       {{- end }}
+      {{- if and (eq "LoadBalancer" .Values.starrocksBeSpec.service.type) .Values.starrocksBeSpec.service.loadBalancerSourceRanges}}
+      loadBalancerSourceRanges:
+        {{- toYaml .Values.starrocksBeSpec.service.loadBalancerSourceRanges | nindent 8 }}
+      {{- end }}
       {{- if .Values.starrocksBeSpec.service.ports }}
       ports:
         {{- toYaml .Values.starrocksBeSpec.service.ports | nindent 8 }}
@@ -628,6 +636,10 @@ spec:
       {{- if and (eq "LoadBalancer" .Values.starrocksCnSpec.service.type) .Values.starrocksCnSpec.service.loadbalancerIP }}
       loadBalancerIP: {{ .Values.starrocksCnSpec.service.loadbalancerIP }}
       {{- end }}
+      {{- if and (eq "LoadBalancer" .Values.starrocksCnSpec.service.type) .Values.starrocksCnSpec.service.loadBalancerSourceRanges}}
+      loadBalancerSourceRanges:
+        {{- toYaml .Values.starrocksCnSpec.service.loadBalancerSourceRanges | nindent 8 }}
+      {{- end }}
       {{- if .Values.starrocksCnSpec.service.ports }}
       ports:
         {{- toYaml .Values.starrocksCnSpec.service.ports | nindent 8 }}
@@ -745,6 +757,10 @@ spec:
       {{- if and (eq "LoadBalancer" .Values.starrocksFeProxySpec.service.type) .Values.starrocksFeProxySpec.service.loadbalancerIP }}
       loadBalancerIP: {{ .Values.starrocksFeProxySpec.service.loadbalancerIP }}
       {{- end }}
+      {{- if and (eq "LoadBalancer" .Values.starrocksFeProxySpec.service.type) .Values.starrocksFeProxySpec.service.loadBalancerSourceRanges}}
+      loadBalancerSourceRanges:
+        {{- toYaml .Values.starrocksFeProxySpec.service.loadBalancerSourceRanges | nindent 8 }}
+      {{- end }}
       {{- if .Values.starrocksFeProxySpec.service.ports }}
       ports:
         {{- toYaml .Values.starrocksFeProxySpec.service.ports | nindent 8 }}

diff --git a/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml b/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml
@@ -179,6 +179,9 @@ starrocksFESpec:
       # e.g. specify a dedicated node port for fe service by containerPort.
       # - nodePort: 30030 # The range of valid ports is 30000-32767
       #   containerPort: 8030 # The port exported on the container
+    # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+    loadBalancerSourceRanges: []
+      # - 10.0.0.0/8
   # imagePullSecrets allows you to use secrets to pull images for pods.
   imagePullSecrets: []
     # - name: "image-pull-secret"
@@ -427,6 +430,9 @@ starrocksCnSpec:
       # e.g. specify a dedicated node port for cn service by containerPort.
       # - nodePort: 30040 # The range of valid ports is 30000-32767
       #   containerPort: 8040 # The port on the container to expose
+    # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+    loadBalancerSourceRanges: []
+      # - 10.0.0.0/8
   # imagePullSecrets allows you to use secrets for pulling images for your pods.
   imagePullSecrets: []
     # - name: "image-pull-secret"
@@ -701,6 +707,9 @@ starrocksBeSpec:
       # e.g. specify a dedicated node port for be service by containerPort.
       # - nodePort: 30040 # The range of valid ports is 30000-32767
       #   containerPort: 8040 # The port on the container to expose
+    # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+    loadBalancerSourceRanges: []
+      # - 10.0.0.0/8
   # imagePullSecrets allows you to use secrets to pull images for pods.
   imagePullSecrets: []
     # - name: "image-pull-secret"
@@ -954,6 +963,9 @@ starrocksFeProxySpec:
       # e.g. specify a dedicated node port for fe proxy service by containerPort.
       # - nodePort: 30080 # The range of valid ports is 30000-32767
       #   containerPort: 8080 # The port on the container to expose
+    # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+    loadBalancerSourceRanges: []
+      # - 10.0.0.0/8
   # imagePullSecrets allows you to use secrets for pulling images for your pods.
   imagePullSecrets: []
   # - name: "image-pull-secret"

diff --git a/helm-charts/charts/kube-starrocks/values.yaml b/helm-charts/charts/kube-starrocks/values.yaml
@@ -287,6 +287,9 @@ starrocks:
         # e.g. specify a dedicated node port for fe service by containerPort.
         # - nodePort: 30030 # The range of valid ports is 30000-32767
         #   containerPort: 8030 # The port exported on the container
+      # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+      loadBalancerSourceRanges: []
+        # - 10.0.0.0/8
     # imagePullSecrets allows you to use secrets to pull images for pods.
     imagePullSecrets: []
       # - name: "image-pull-secret"
@@ -535,6 +538,9 @@ starrocks:
         # e.g. specify a dedicated node port for cn service by containerPort.
         # - nodePort: 30040 # The range of valid ports is 30000-32767
         #   containerPort: 8040 # The port on the container to expose
+      # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+      loadBalancerSourceRanges: []
+        # - 10.0.0.0/8
     # imagePullSecrets allows you to use secrets for pulling images for your pods.
     imagePullSecrets: []
       # - name: "image-pull-secret"
@@ -809,6 +815,9 @@ starrocks:
         # e.g. specify a dedicated node port for be service by containerPort.
         # - nodePort: 30040 # The range of valid ports is 30000-32767
         #   containerPort: 8040 # The port on the container to expose
+      # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+      loadBalancerSourceRanges: []
+        # - 10.0.0.0/8
     # imagePullSecrets allows you to use secrets to pull images for pods.
     imagePullSecrets: []
       # - name: "image-pull-secret"
@@ -1062,6 +1071,9 @@ starrocks:
         # e.g. specify a dedicated node port for fe proxy service by containerPort.
         # - nodePort: 30080 # The range of valid ports is 30000-32767
         #   containerPort: 8080 # The port on the container to expose
+      # specify the source IP ranges for the load balancer when the type=LoadBalancer.
+      loadBalancerSourceRanges: []
+        # - 10.0.0.0/8
     # imagePullSecrets allows you to use secrets for pulling images for your pods.
     imagePullSecrets: []
     # - name: "image-pull-secret"

diff --git a/pkg/apis/starrocks/v1/load_type.go b/pkg/apis/starrocks/v1/load_type.go
@@ -185,6 +185,13 @@ type StarRocksService struct {
 	// StarRocksServicePort.NodePort field.
 	// +optional
 	Ports []StarRocksServicePort `json:"ports,omitempty"`
+
+	// If specified and supported by the platform, this will restrict traffic through the cloud-provider
+	// load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+	// cloud-provider does not support the feature.
+	// More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+	// +optional
+	LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
 }
 
 // StarRocksServicePort defines the port that will be exposed by this service.

diff --git a/pkg/apis/starrocks/v1/zz_generated.deepcopy.go b/pkg/apis/starrocks/v1/zz_generated.deepcopy.go
diff --git a/pkg/common/resource_utils/service.go b/pkg/common/resource_utils/service.go
@@ -44,14 +44,15 @@ const (
 
 // HashService service hash components
 type hashService struct {
-	name        string
-	namespace   string
-	finalizers  []string
-	ports       []corev1.ServicePort
-	selector    map[string]string
-	serviceType corev1.ServiceType
-	labels      map[string]string
-	annotations map[string]string
+	name                     string
+	namespace                string
+	finalizers               []string
+	ports                    []corev1.ServicePort
+	selector                 map[string]string
+	serviceType              corev1.ServiceType
+	labels                   map[string]string
+	annotations              map[string]string
+	loadBalancerSourceRanges []string
 }
 
 // BuildExternalService build the external service. not have selector
@@ -70,18 +71,19 @@ func BuildExternalService(object object.StarRocksObject, spec srapi.SpecInterfac
 		},
 	}
 
-	setServiceType(spec.GetService(), &svc)
-	anno := getServiceAnnotations(spec.GetService())
+	starRocksService := spec.GetService()
+	setServiceType(starRocksService, &svc)
+	anno := getServiceAnnotations(starRocksService)
 	switch spec.(type) {
 	case *srapi.StarRocksFeSpec:
-		srPorts = getFeServicePorts(config, spec.GetService())
+		srPorts = getFeServicePorts(config, starRocksService)
 	case *srapi.StarRocksBeSpec:
-		srPorts = getBeServicePorts(config, spec.GetService())
+		srPorts = getBeServicePorts(config, starRocksService)
 	case *srapi.StarRocksCnSpec:
-		srPorts = getCnServicePorts(config, spec.GetService())
+		srPorts = getCnServicePorts(config, starRocksService)
 	case *srapi.StarRocksFeProxySpec:
 		srPorts = []srapi.StarRocksServicePort{
-			mergePort(spec.GetService(), srapi.StarRocksServicePort{
+			mergePort(starRocksService, srapi.StarRocksServicePort{
 				Name:          FE_PORXY_HTTP_PORT_NAME,
 				Port:          FE_PROXY_HTTP_PORT,
 				ContainerPort: FE_PROXY_HTTP_PORT,
@@ -114,6 +116,10 @@ func BuildExternalService(object object.StarRocksObject, spec srapi.SpecInterfac
 	svc.Annotations = anno
 	anno[srapi.ComponentResourceHash] = hash.HashObject(serviceHashObject(&svc))
 	svc.Annotations = anno
+
+	if starRocksService != nil && starRocksService.LoadBalancerSourceRanges != nil {
+		svc.Spec.LoadBalancerSourceRanges = starRocksService.LoadBalancerSourceRanges
+	}
 	return svc
 }
 
@@ -251,14 +257,15 @@ func ServiceDeepEqual(expectSvc, actualSvc *corev1.Service) bool {
 
 func serviceHashObject(svc *corev1.Service) hashService {
 	return hashService{
-		name:        svc.Name,
-		namespace:   svc.Namespace,
-		finalizers:  svc.Finalizers,
-		ports:       svc.Spec.Ports,
-		selector:    svc.Spec.Selector,
-		serviceType: svc.Spec.Type,
-		labels:      svc.Labels,
-		annotations: svc.Annotations,
+		name:                     svc.Name,
+		namespace:                svc.Namespace,
+		finalizers:               svc.Finalizers,
+		ports:                    svc.Spec.Ports,
+		loadBalancerSourceRanges: svc.Spec.LoadBalancerSourceRanges,
+		selector:                 svc.Spec.Selector,
+		serviceType:              svc.Spec.Type,
+		labels:                   svc.Labels,
+		annotations:              svc.Annotations,
 	}
 }