Add custom VPC support in GCP
Signed-off-by: Aswin Suryanarayanan <[email protected]>
aswinsuryan authored and tpantelis committed Jan 21, 2025
1 parent 73b9578 commit afc9872
Showing 5 changed files with 44 additions and 17 deletions.
10 changes: 6 additions & 4 deletions pkg/gcp/cloud_info.go
Expand Up @@ -26,10 +26,12 @@ import (
)

type CloudInfo struct {
InfraID string
Region string
ProjectID string
Client gcpclient.Interface
InfraID string
Region string
ProjectID string
VpcName string
PublicSubnetName string
Client gcpclient.Interface
}

// Open expected ports by creating related firewall rule.
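Review bot: The two new exported fields VpcName and PublicSubnetName on CloudInfo carry no doc comment, so neither their meaning nor their empty-value contract (they are defaulted by the constructors, not here) is visible from the type. I would add `// VpcName is the bare name of the GCP VPC network to use; empty means "<InfraID>-network".` and `// PublicSubnetName is the bare name of the subnet used for gateway machine network interfaces; empty means "<InfraID>-worker-subnet".`, matching the defaults applied in NewCloud and NewOcpGatewayDeployer. Saying "bare name" rather than self-link matters because firewall_rules.go interpolates VpcName into a projects/.../global/networks/ path.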
12 changes: 6 additions & 6 deletions pkg/gcp/firewall_rules.go
Expand Up @@ -33,24 +33,24 @@ const (
submarinerGatewayNodeTag = "submariner-io-gateway-node"
)

func newExternalFirewallRules(projectID, infraID string, ports []api.PortSpec) *compute.Firewall {
func newExternalFirewallRules(projectID, infraID, network string, ports []api.PortSpec) *compute.Firewall {
ingressName := generateRuleName(infraID, publicPortsRuleName)

// We want the external firewall rules to be applied only to Gateway nodes. So, we use the TargetTags
// field and include submarinerGatewayNodeTag for selection of Gateway nodes. All the Submariner Gateway
// instances will be tagged with submarinerGatewayNodeTag.
ingressRule := newFirewallRule(projectID, infraID, ingressName, ingressDirection, ports)
ingressRule := newFirewallRule(projectID, ingressName, ingressDirection, network, ports)
ingressRule.TargetTags = []string{
submarinerGatewayNodeTag,
}

return ingressRule
}

func newInternalFirewallRule(projectID, infraID string, ports []api.PortSpec) *compute.Firewall {
func newInternalFirewallRule(projectID, infraID, network string, ports []api.PortSpec) *compute.Firewall {
ingressName := generateRuleName(infraID, internalPortsRuleName)

rule := newFirewallRule(projectID, infraID, ingressName, ingressDirection, ports)
rule := newFirewallRule(projectID, ingressName, ingressDirection, network, ports)
rule.TargetTags = []string{
infraID + "-worker",
infraID + "-master",
Expand All @@ -63,7 +63,7 @@ func newInternalFirewallRule(projectID, infraID string, ports []api.PortSpec) *c
return rule
}

func newFirewallRule(projectID, infraID, name, direction string, ports []api.PortSpec) *compute.Firewall {
func newFirewallRule(projectID, name, direction, network string, ports []api.PortSpec) *compute.Firewall {
allowedPorts := []*compute.FirewallAllowed{}

for _, port := range ports {
Expand All @@ -79,7 +79,7 @@ func newFirewallRule(projectID, infraID, name, direction string, ports []api.Por

return &compute.Firewall{
Name: name,
Network: fmt.Sprintf("projects/%s/global/networks/%s-network", projectID, infraID),
Network: fmt.Sprintf("projects/%s/global/networks/%s", projectID, network),
Direction: direction,
Allowed: allowedPorts,
}
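Review bot: newFirewallRule now formats whatever string it receives as `network` straight into the `projects/%s/global/networks/%s` path, so a caller passing a self-link or an empty string yields a malformed resource path that the Compute API would presumably reject, and nothing in this file guards or documents the expected form. I would add above newFirewallRule: `// network is the bare VPC network name (not a self-link); it is expanded to projects/<projectID>/global/networks/<network>.` The path also always assumes the network lives in projectID; if a custom VPC is a Shared VPC hosted in another project that assumption breaks, though I cannot tell from this hunk whether that case is meant to be supported. The bodies of newInternalFirewallRule and newFirewallRule continue outside the hunks.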
17 changes: 14 additions & 3 deletions pkg/gcp/gcp.go
Expand Up @@ -31,16 +31,27 @@ type gcpCloud struct {
}

// NewCloud creates a new api.Cloud instance which can prepare GCP for Submariner to be deployed on it.
func NewCloud(info CloudInfo) api.Cloud {
return &gcpCloud{CloudInfo: info}
func NewCloud(info CloudInfo, //nolint: gocritic //Ignore 'hugeParam' - pass by value for CloudInfo is intentional.
) api.Cloud {
gcpCloud := &gcpCloud{CloudInfo: info}

if gcpCloud.VpcName == "" {
gcpCloud.VpcName = info.InfraID + "-network"
}

if gcpCloud.PublicSubnetName == "" {
gcpCloud.PublicSubnetName = info.InfraID + "-worker-subnet"
}

return gcpCloud
}

func (gc *gcpCloud) OpenPorts(ports []api.PortSpec, status reporter.Interface) error {
// Create the inbound firewall rule for submariner internal ports.
status.Start("Opening internal ports %q for intra-cluster communications on GCP", formatPorts(ports))
defer status.End()

internalIngress := newInternalFirewallRule(gc.ProjectID, gc.InfraID, ports)
internalIngress := newInternalFirewallRule(gc.ProjectID, gc.InfraID, gc.VpcName, ports)
if err := gc.openPorts(internalIngress); err != nil {
return status.Error(err, "unable to open ports")
}
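Review bot: The defaulting of VpcName and PublicSubnetName in NewCloud is duplicated verbatim in NewOcpGatewayDeployer (ocpgwdeployer.go, same commit), so the two constructors can silently drift; a single method on CloudInfo would keep one source of truth. The local `gcpCloud := &gcpCloud{CloudInfo: info}` also shadows the type name inside the function, which compiles but is easy to misread and is the kind of thing shadow-style linters flag. OpenPorts continues outside the hunk.
```go
// setDefaults fills VpcName and PublicSubnetName with the InfraID-derived
// names when the caller left them empty.
func (c *CloudInfo) setDefaults() {
	if c.VpcName == "" {
		c.VpcName = c.InfraID + "-network"
	}

	if c.PublicSubnetName == "" {
		c.PublicSubnetName = c.InfraID + "-worker-subnet"
	}
}

// NewCloud creates a new api.Cloud instance which can prepare GCP for Submariner to be deployed on it.
func NewCloud(info CloudInfo, //nolint: gocritic //Ignore 'hugeParam' - pass by value for CloudInfo is intentional.
) api.Cloud {
	info.setDefaults()

	return &gcpCloud{CloudInfo: info}
}
```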
4 changes: 2 additions & 2 deletions pkg/gcp/gw-machineset.go
Expand Up @@ -64,8 +64,8 @@ spec:
machineType: {{.InstanceType}}
metadata:
networkInterfaces:
- network: {{.InfraID}}-network
subnetwork: {{.InfraID}}-worker-subnet
- network: {{.VpcNetworkName}}
subnetwork: {{.PublicSubnetName}}
publicIP: true
projectID: {{.ProjectID}}
region: {{.Region}}
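Review bot: `{{.VpcNetworkName}}` and `{{.PublicSubnetName}}` are substituted verbatim into the MachineSet YAML, and unlike the previous InfraID-derived values they are now operator-supplied, so a value containing YAML-significant characters (`:`, `#`, a newline) would corrupt or restructure the manifest rather than fail cleanly; the template engine is presumably text/template given the `tpl.Execute` call in ocpgwdeployer.go, which performs no YAML escaping. GCP network and subnetwork names must already match `[a-z]([-a-z0-9]*[a-z0-9])?` and be at most 63 characters, so validating both fields against that pattern where the defaults are applied would reject bad input before it reaches the template or the Compute API. The template continues outside the hunk.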
18 changes: 16 additions & 2 deletions pkg/gcp/ocpgwdeployer.go
Expand Up @@ -44,9 +44,19 @@ type ocpGatewayDeployer struct {
}

// NewOcpGatewayDeployer returns a GatewayDeployer capable of deploying gateways using OCP.
func NewOcpGatewayDeployer(info CloudInfo, msDeployer ocp.MachineSetDeployer, instanceType, image string,

func NewOcpGatewayDeployer(info CloudInfo, //nolint: gocritic // Ignore 'hugeParam' - pass by value for CloudInfo is intentional.
msDeployer ocp.MachineSetDeployer, instanceType, image string,
k8sClient k8s.Interface,
) api.GatewayDeployer {
if info.VpcName == "" {
info.VpcName = info.InfraID + "-network"
}

if info.PublicSubnetName == "" {
info.PublicSubnetName = info.InfraID + "-worker-subnet"
}

return &ocpGatewayDeployer{
CloudInfo: info,
msDeployer: msDeployer,
Expand All @@ -60,7 +70,7 @@ func (d *ocpGatewayDeployer) Deploy(input api.GatewayDeployInput, status reporte
status.Start("Configuring the required firewall rules for inter-cluster traffic")
defer status.End()

externalIngress := newExternalFirewallRules(d.ProjectID, d.InfraID, input.PublicPorts)
externalIngress := newExternalFirewallRules(d.ProjectID, d.InfraID, d.VpcName, input.PublicPorts)
if err := d.openPorts(externalIngress); err != nil {
return status.Error(err, "error creating firewall rule %q", externalIngress.Name)
}
Expand Down Expand Up @@ -166,6 +176,8 @@ type machineSetConfig struct {
Region string
Image string
SubmarinerGWNodeTag string
VpcNetworkName string
PublicSubnetName string
}

func (d *ocpGatewayDeployer) loadGatewayYAML(zone, image string) ([]byte, error) {
Expand All @@ -184,6 +196,8 @@ func (d *ocpGatewayDeployer) loadGatewayYAML(zone, image string) ([]byte, error)
Region: d.Region,
Image: image,
SubmarinerGWNodeTag: submarinerGatewayNodeTag,
VpcNetworkName: d.VpcName,
PublicSubnetName: d.PublicSubnetName,
}

err = tpl.Execute(&buf, tplVars)
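Review bot: The blank line between `// NewOcpGatewayDeployer returns a GatewayDeployer ...` and the new `func NewOcpGatewayDeployer(` signature is new code (the hunk header's 9-to-19 line counts only add up if it is), and it detaches the doc comment from the function, since Go only associates a comment that immediately precedes the declaration; godoc and lint will then report the exported function as undocumented, so the blank line should be dropped. The `//nolint: gocritic // Ignore ...` directive is also spelled with different spacing from the one added in gcp.go (`//Ignore`); one form should be used in both. The body of NewOcpGatewayDeployer runs past the end of the first hunk.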
