From 293842925b6422cfee91615c3c6dd2b80527525c Mon Sep 17 00:00:00 2001 From: yandongxiao Date: Tue, 25 Jun 2024 09:40:18 +0800 Subject: [PATCH] [Enhancement] Add loadBalancerSourceRanges field to restrict the the source ip range (#551) Signed-off-by: yandongxiao --- .../starrocks.com_starrocksclusters.yaml | 36 +++++++++++++ .../starrocks.com_starrockswarehouses.yaml | 9 ++++ deploy/starrocks.com_starrocksclusters.yaml | 16 ++++++ deploy/starrocks.com_starrockswarehouses.yaml | 4 ++ .../starrocks/templates/starrockscluster.yaml | 16 ++++++ .../charts/starrocks/values.yaml | 12 +++++ helm-charts/charts/kube-starrocks/values.yaml | 12 +++++ pkg/apis/starrocks/v1/load_type.go | 7 +++ .../starrocks/v1/zz_generated.deepcopy.go | 5 ++ pkg/common/resource_utils/service.go | 51 +++++++++++-------- pkg/common/resource_utils/service_test.go | 8 +-- 11 files changed, 150 insertions(+), 26 deletions(-) diff --git a/config/crd/bases/starrocks.com_starrocksclusters.yaml b/config/crd/bases/starrocks.com_starrocksclusters.yaml index b09fc658..64386eee 100644 --- a/config/crd/bases/starrocks.com_starrocksclusters.yaml +++ b/config/crd/bases/starrocks.com_starrocksclusters.yaml @@ -2710,6 +2710,15 @@ spec: As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version. type: string + loadBalancerSourceRanges: + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature. + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + items: + type: string + type: array ports: description: |- Ports are the ports that are exposed by this service. 
@@ -7619,6 +7628,15 @@ spec: As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version. type: string + loadBalancerSourceRanges: + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature. + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + items: + type: string + type: array ports: description: |- Ports are the ports that are exposed by this service. @@ -10388,6 +10406,15 @@ spec: As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version. type: string + loadBalancerSourceRanges: + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature. + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + items: + type: string + type: array ports: description: |- Ports are the ports that are exposed by this service. 
@@ -13386,6 +13413,15 @@ spec: As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version. type: string + loadBalancerSourceRanges: + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature. + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + items: + type: string + type: array ports: description: |- Ports are the ports that are exposed by this service. diff --git a/config/crd/bases/starrocks.com_starrockswarehouses.yaml b/config/crd/bases/starrocks.com_starrockswarehouses.yaml index 46f575e9..7b07c0a4 100644 --- a/config/crd/bases/starrocks.com_starrockswarehouses.yaml +++ b/config/crd/bases/starrocks.com_starrockswarehouses.yaml @@ -3321,6 +3321,15 @@ spec: As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version. type: string + loadBalancerSourceRanges: + description: |- + If specified and supported by the platform, this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client IPs. This field will be ignored if the + cloud-provider does not support the feature. + More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + items: + type: string + type: array ports: description: |- Ports are the ports that are exposed by this service. diff --git a/deploy/starrocks.com_starrocksclusters.yaml b/deploy/starrocks.com_starrocksclusters.yaml index 4ad5796f..94937d2b 100644 --- a/deploy/starrocks.com_starrocksclusters.yaml +++ b/deploy/starrocks.com_starrocksclusters.yaml 
@@ -1319,6 +1319,10 @@ spec: type: object loadBalancerIP: type: string + loadBalancerSourceRanges: + items: + type: string + type: array ports: items: properties: @@ -3652,6 +3656,10 @@ spec: type: object loadBalancerIP: type: string + loadBalancerSourceRanges: + items: + type: string + type: array ports: items: properties: @@ -4933,6 +4941,10 @@ spec: type: object loadBalancerIP: type: string + loadBalancerSourceRanges: + items: + type: string + type: array ports: items: properties: @@ -6327,6 +6339,10 @@ spec: type: object loadBalancerIP: type: string + loadBalancerSourceRanges: + items: + type: string + type: array ports: items: properties: diff --git a/deploy/starrocks.com_starrockswarehouses.yaml b/deploy/starrocks.com_starrockswarehouses.yaml index 99d4e5f5..91982008 100644 --- a/deploy/starrocks.com_starrockswarehouses.yaml +++ b/deploy/starrocks.com_starrockswarehouses.yaml @@ -1641,6 +1641,10 @@ spec: type: object loadBalancerIP: type: string + loadBalancerSourceRanges: + items: + type: string + type: array ports: items: properties: diff --git a/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml b/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml index 42b2ca75..c95e17cb 100644 --- a/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml +++ b/helm-charts/charts/kube-starrocks/charts/starrocks/templates/starrockscluster.yaml 
@@ -38,6 +38,10 @@ spec: {{- if and (eq "LoadBalancer" .Values.starrocksFESpec.service.type) .Values.starrocksFESpec.service.loadbalancerIP }} loadBalancerIP: {{ .Values.starrocksFESpec.service.loadbalancerIP }} {{- end }} + {{- if and (eq "LoadBalancer" .Values.starrocksFESpec.service.type) .Values.starrocksFESpec.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{- toYaml .Values.starrocksFESpec.service.loadBalancerSourceRanges | nindent 8 }} + {{- end }} {{- if .Values.starrocksFESpec.service.ports }} ports: {{- toYaml .Values.starrocksFESpec.service.ports | nindent 8 }} @@ -262,6 +266,10 @@ spec: {{- if and (eq "LoadBalancer" .Values.starrocksBeSpec.service.type) .Values.starrocksBeSpec.service.loadbalancerIP }} loadBalancerIP: {{ .Values.starrocksBeSpec.service.loadbalancerIP }} {{- end }} + {{- if and (eq "LoadBalancer" .Values.starrocksBeSpec.service.type) .Values.starrocksBeSpec.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{- toYaml .Values.starrocksBeSpec.service.loadBalancerSourceRanges | nindent 8 }} + {{- end }} {{- if .Values.starrocksBeSpec.service.ports }} ports: {{- toYaml .Values.starrocksBeSpec.service.ports | nindent 8 }} @@ -628,6 +636,10 @@ spec: {{- if and (eq "LoadBalancer" .Values.starrocksCnSpec.service.type) .Values.starrocksCnSpec.service.loadbalancerIP }} loadBalancerIP: {{ .Values.starrocksCnSpec.service.loadbalancerIP }} {{- end }} + {{- if and (eq "LoadBalancer" .Values.starrocksCnSpec.service.type) .Values.starrocksCnSpec.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{- toYaml .Values.starrocksCnSpec.service.loadBalancerSourceRanges | nindent 8 }} + {{- end }} {{- if .Values.starrocksCnSpec.service.ports }} ports: {{- toYaml .Values.starrocksCnSpec.service.ports | nindent 8 }} 
@@ -745,6 +757,10 @@ spec: {{- if and (eq "LoadBalancer" .Values.starrocksFeProxySpec.service.type) .Values.starrocksFeProxySpec.service.loadbalancerIP }} loadBalancerIP: {{ .Values.starrocksFeProxySpec.service.loadbalancerIP }} {{- end }} + {{- if and (eq "LoadBalancer" .Values.starrocksFeProxySpec.service.type) .Values.starrocksFeProxySpec.service.loadBalancerSourceRanges}} + loadBalancerSourceRanges: + {{- toYaml .Values.starrocksFeProxySpec.service.loadBalancerSourceRanges | nindent 8 }} + {{- end }} {{- if .Values.starrocksFeProxySpec.service.ports }} ports: {{- toYaml .Values.starrocksFeProxySpec.service.ports | nindent 8 }} diff --git a/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml b/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml index aa017e68..01672963 100644 --- a/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml +++ b/helm-charts/charts/kube-starrocks/charts/starrocks/values.yaml @@ -179,6 +179,9 @@ starrocksFESpec: # e.g. specify a dedicated node port for fe service by containerPort. # - nodePort: 30030 # The range of valid ports is 30000-32767 # containerPort: 8030 # The port exported on the container + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets to pull images for pods. imagePullSecrets: [] # - name: "image-pull-secret" @@ -427,6 +430,9 @@ starrocksCnSpec: # e.g. specify a dedicated node port for cn service by containerPort. # - nodePort: 30040 # The range of valid ports is 30000-32767 # containerPort: 8040 # The port on the container to expose + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets for pulling images for your pods. imagePullSecrets: [] # - name: "image-pull-secret" 
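Review bot: The new `loadBalancerSourceRanges` comment in values.yaml should state that entries are CIDR blocks and what the empty default means, because as far as I know the API server validates each entry as a CIDR (a bare `10.0.0.1` is rejected when the Service is created) and `[]` leaves the load balancer reachable from any source. I would extend it to: `# CIDR blocks (e.g. 10.0.0.0/8, 203.0.113.7/32) allowed to reach the load balancer; empty means unrestricted. Honoured only when type=LoadBalancer and the cloud provider supports it; it does not filter traffic that arrives via the Service's NodePort or from inside the cluster, so pair it with a NetworkPolicy where that matters.` The same three-line comment is repeated for the CN, BE and FeProxy blocks and again in the kube-starrocks values.yaml, so all copies should be updated together.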
@@ -701,6 +707,9 @@ starrocksBeSpec: # e.g. specify a dedicated node port for be service by containerPort. # - nodePort: 30040 # The range of valid ports is 30000-32767 # containerPort: 8040 # The port on the container to expose + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets to pull images for pods. imagePullSecrets: [] # - name: "image-pull-secret" @@ -954,6 +963,9 @@ starrocksFeProxySpec: # e.g. specify a dedicated node port for fe proxy service by containerPort. # - nodePort: 30080 # The range of valid ports is 30000-32767 # containerPort: 8080 # The port on the container to expose + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets for pulling images for your pods. imagePullSecrets: [] # - name: "image-pull-secret" diff --git a/helm-charts/charts/kube-starrocks/values.yaml b/helm-charts/charts/kube-starrocks/values.yaml index 8c470688..83271afe 100644 --- a/helm-charts/charts/kube-starrocks/values.yaml +++ b/helm-charts/charts/kube-starrocks/values.yaml @@ -287,6 +287,9 @@ starrocks: # e.g. specify a dedicated node port for fe service by containerPort. # - nodePort: 30030 # The range of valid ports is 30000-32767 # containerPort: 8030 # The port exported on the container + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets to pull images for pods. imagePullSecrets: [] # - name: "image-pull-secret" 
@@ -535,6 +538,9 @@ starrocks: # e.g. specify a dedicated node port for cn service by containerPort. # - nodePort: 30040 # The range of valid ports is 30000-32767 # containerPort: 8040 # The port on the container to expose + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets for pulling images for your pods. imagePullSecrets: [] # - name: "image-pull-secret" @@ -809,6 +815,9 @@ starrocks: # e.g. specify a dedicated node port for be service by containerPort. # - nodePort: 30040 # The range of valid ports is 30000-32767 # containerPort: 8040 # The port on the container to expose + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets to pull images for pods. imagePullSecrets: [] # - name: "image-pull-secret" @@ -1062,6 +1071,9 @@ starrocks: # e.g. specify a dedicated node port for fe proxy service by containerPort. # - nodePort: 30080 # The range of valid ports is 30000-32767 # containerPort: 8080 # The port on the container to expose + # specify the source IP ranges for the load balancer when the type=LoadBalancer. + loadBalancerSourceRanges: [] + # - 10.0.0.0/8 # imagePullSecrets allows you to use secrets for pulling images for your pods. imagePullSecrets: [] # - name: "image-pull-secret" diff --git a/pkg/apis/starrocks/v1/load_type.go b/pkg/apis/starrocks/v1/load_type.go index 7608fc05..1328e582 100644 --- a/pkg/apis/starrocks/v1/load_type.go +++ b/pkg/apis/starrocks/v1/load_type.go 
@@ -185,6 +185,13 @@ type StarRocksService struct { // StarRocksServicePort.NodePort field. // +optional Ports []StarRocksServicePort `json:"ports,omitempty"` + + // If specified and supported by the platform, this will restrict traffic through the cloud-provider + // load-balancer will be restricted to the specified client IPs. This field will be ignored if the + // cloud-provider does not support the feature. + // More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ + // +optional + LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"` } // StarRocksServicePort defines the port that will be exposed by this service. diff --git a/pkg/apis/starrocks/v1/zz_generated.deepcopy.go b/pkg/apis/starrocks/v1/zz_generated.deepcopy.go index 8c9c094d..97e55f56 100644 --- a/pkg/apis/starrocks/v1/zz_generated.deepcopy.go +++ b/pkg/apis/starrocks/v1/zz_generated.deepcopy.go @@ -683,6 +683,11 @@ func (in *StarRocksService) DeepCopyInto(out *StarRocksService) { *out = make([]StarRocksServicePort, len(*in)) copy(*out, *in) } + if in.LoadBalancerSourceRanges != nil { + in, out := &in.LoadBalancerSourceRanges, &out.LoadBalancerSourceRanges + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StarRocksService. diff --git a/pkg/common/resource_utils/service.go b/pkg/common/resource_utils/service.go index b6c298ba..e1cfa47a 100644 --- a/pkg/common/resource_utils/service.go +++ b/pkg/common/resource_utils/service.go 
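Review bot: The doc comment on `LoadBalancerSourceRanges` is copied from the Kubernetes type and carries its garbled sentence ("this will restrict traffic ... will be restricted to"); it should read `// LoadBalancerSourceRanges restricts traffic through the cloud-provider load balancer to the listed client CIDRs.` followed by `// Only meaningful when the service type is LoadBalancer; ignored if the cloud provider does not support it.` The field also carries no validation marker, so the CRD accepts any string and a typo such as a bare IP or a trailing space surfaces only as a Service create/update rejection during reconcile rather than at `kubectl apply`; a `+kubebuilder:validation:items:Pattern` marker (or an XValidation rule, depending on the controller-gen version the project uses) would move that check to admission time. Note that, as far as I recall, the API server also refuses `loadBalancerSourceRanges` on a Service whose type is not LoadBalancer, which the operator-side code needs to account for. The `StarRocksService` struct starts before this hunk.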
@@ -44,14 +44,15 @@ const (
 
 // HashService service hash components
 type hashService struct {
-	name        string
-	namespace   string
-	finalizers  []string
-	ports       []corev1.ServicePort
-	selector    map[string]string
-	serviceType corev1.ServiceType
-	labels      map[string]string
-	annotations map[string]string
+	name                     string
+	namespace                string
+	finalizers               []string
+	ports                    []corev1.ServicePort
+	selector                 map[string]string
+	serviceType              corev1.ServiceType
+	labels                   map[string]string
+	annotations              map[string]string
+	loadBalancerSourceRanges []string
 }
 
 // BuildExternalService build the external service. not have selector
@@ -70,18 +71,19 @@ func BuildExternalService(object object.StarRocksObject, spec srapi.SpecInterfac
 		},
 	}
 
-	setServiceType(spec.GetService(), &svc)
-	anno := getServiceAnnotations(spec.GetService())
+	starRocksService := spec.GetService()
+	setServiceType(starRocksService, &svc)
+	anno := getServiceAnnotations(starRocksService)
 	switch spec.(type) {
 	case *srapi.StarRocksFeSpec:
-		srPorts = getFeServicePorts(config, spec.GetService())
+		srPorts = getFeServicePorts(config, starRocksService)
 	case *srapi.StarRocksBeSpec:
-		srPorts = getBeServicePorts(config, spec.GetService())
+		srPorts = getBeServicePorts(config, starRocksService)
 	case *srapi.StarRocksCnSpec:
-		srPorts = getCnServicePorts(config, spec.GetService())
+		srPorts = getCnServicePorts(config, starRocksService)
 	case *srapi.StarRocksFeProxySpec:
 		srPorts = []srapi.StarRocksServicePort{
-			mergePort(spec.GetService(), srapi.StarRocksServicePort{
+			mergePort(starRocksService, srapi.StarRocksServicePort{
 				Name:          FE_PORXY_HTTP_PORT_NAME,
 				Port:          FE_PROXY_HTTP_PORT,
 				ContainerPort: FE_PROXY_HTTP_PORT,
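Review bot: Adding `loadBalancerSourceRanges` to `hashService` changes the hashed shape for every Service, not only those that set the new field; the updated expected constants in service_test.go for fixtures that, as far as visible here, set no source ranges confirm this. If `ServiceDeepEqual` (outside the hunk) treats a hash mismatch as "needs update", the first reconcile after upgrading the operator rewrites every external Service once, which is probably harmless for an annotation-only change but deserves a line in the release notes and a comment on the struct, e.g. `// Adding a field here changes the hash of every existing Service and triggers a one-time update on upgrade.`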
@@ -114,6 +116,10 @@ func BuildExternalService(object object.StarRocksObject, spec srapi.SpecInterfac
 	svc.Annotations = anno
 	anno[srapi.ComponentResourceHash] = hash.HashObject(serviceHashObject(&svc))
 	svc.Annotations = anno
+
+	if starRocksService != nil && starRocksService.LoadBalancerSourceRanges != nil {
+		svc.Spec.LoadBalancerSourceRanges = starRocksService.LoadBalancerSourceRanges
+	}
 	return svc
 }
 
@@ -251,14 +257,15 @@ func ServiceDeepEqual(expectSvc, actualSvc *corev1.Service) bool {
 
 func serviceHashObject(svc *corev1.Service) hashService {
 	return hashService{
-		name:        svc.Name,
-		namespace:   svc.Namespace,
-		finalizers:  svc.Finalizers,
-		ports:       svc.Spec.Ports,
-		selector:    svc.Spec.Selector,
-		serviceType: svc.Spec.Type,
-		labels:      svc.Labels,
-		annotations: svc.Annotations,
+		name:                     svc.Name,
+		namespace:                svc.Namespace,
+		finalizers:               svc.Finalizers,
+		ports:                    svc.Spec.Ports,
+		loadBalancerSourceRanges: svc.Spec.LoadBalancerSourceRanges,
+		selector:                 svc.Spec.Selector,
+		serviceType:              svc.Spec.Type,
+		labels:                   svc.Labels,
+		annotations:              svc.Annotations,
 	}
 }
 
diff --git a/pkg/common/resource_utils/service_test.go b/pkg/common/resource_utils/service_test.go
index cbb6768c..dfa9231f 100644
--- a/pkg/common/resource_utils/service_test.go
+++ b/pkg/common/resource_utils/service_test.go
@@ -103,7 +103,7 @@ func TestBuildExternalService_ForStarRocksWarehouse(t *testing.T) {
 				Name:      "test-warehouse-cn-service",
 				Namespace: "default",
 				Annotations: map[string]string{
-					srapi.ComponentResourceHash: "1671283410",
+					srapi.ComponentResourceHash: "2811429284",
 				},
 				OwnerReferences: func() []metav1.OwnerReference {
 					ref := metav1.NewControllerRef(warehouse, warehouse.GroupVersionKind())
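Review bot: In the `@@ -114,6 +116,10 @@` hunk `svc.Spec.LoadBalancerSourceRanges` is assigned after `anno[srapi.ComponentResourceHash] = hash.HashObject(serviceHashObject(&svc))` has already run, so the `loadBalancerSourceRanges` field that the `serviceHashObject` hunk adds is always hashed as nil and editing the allow-list in the CR leaves the hash unchanged. If `ServiceDeepEqual` (outside the hunk) uses that hash to decide whether the live Service must be updated, tightening or loosening the source ranges would never be pushed to the cluster, which silently defeats the restriction. The assignment should move above the hash line; the `!= nil` guard adds nothing on a freshly built Service, and since the API server (as far as I know) rejects `loadBalancerSourceRanges` on a Service whose type is not LoadBalancer, the operator should either gate on the type, as the Helm template does, or validate and report the mismatch rather than fail every reconcile: `if starRocksService != nil && svc.Spec.Type == corev1.ServiceTypeLoadBalancer {` / `svc.Spec.LoadBalancerSourceRanges = starRocksService.LoadBalancerSourceRanges` / `}` placed before the hash is computed. `BuildExternalService` begins before this hunk.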
@@ -218,7 +218,7 @@ func TestBuildExternalService_ForStarRocksCluster(t *testing.T) {
 				Name:      "test-fe-service",
 				Namespace: "default",
 				Annotations: map[string]string{
-					srapi.ComponentResourceHash: "237701170",
+					srapi.ComponentResourceHash: "1826250052",
 				},
 				OwnerReferences: func() []metav1.OwnerReference {
 					ref := metav1.NewControllerRef(src, src.GroupVersionKind())
@@ -254,7 +254,7 @@ func TestBuildExternalService_ForStarRocksCluster(t *testing.T) {
 				Name:      "test-be-service",
 				Namespace: "default",
 				Annotations: map[string]string{
-					srapi.ComponentResourceHash: "1565507602",
+					srapi.ComponentResourceHash: "2188319972",
 				},
 				OwnerReferences: func() []metav1.OwnerReference {
 					ref := metav1.NewControllerRef(src, src.GroupVersionKind())
@@ -287,7 +287,7 @@ func TestBuildExternalService_ForStarRocksCluster(t *testing.T) {
 				Name:      "test-cn-service",
 				Namespace: "default",
 				Annotations: map[string]string{
-					srapi.ComponentResourceHash: "2848177640",
+					srapi.ComponentResourceHash: "4058356074",
 				},
 				OwnerReferences: func() []metav1.OwnerReference {
 					ref := metav1.NewControllerRef(src, src.GroupVersionKind())
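Review bot: The only test changes are the refreshed hash constants; nothing asserts that a `LoadBalancerSourceRanges` value set on the spec's service reaches `svc.Spec.LoadBalancerSourceRanges`, nor that two specs differing only in their source ranges produce different `ComponentResourceHash` annotations, and the latter is exactly the property the reordering in service.go puts at risk. A case in `TestBuildExternalService_ForStarRocksCluster` with `Type: corev1.ServiceTypeLoadBalancer` and `LoadBalancerSourceRanges: []string{"10.0.0.0/8"}` that compares both the spec field and the hash against the unrestricted fixture would cover the security-relevant path. The enclosing test functions begin before these hunks.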