[octavia-ingress-controller] support for whitelist-source-range annotation (kubernetes#1704)

* support for whitelist-source-range annotation

* fix whitelist annotation's key

* Documentation more clear, and remove useless code

* add condition to avoid useless updates of allowed_cidrs

Author: Hedi Nasr

docs/octavia-ingress-controller/using-octavia-ingress-controller.md

@@ -14,6 +14,7 @@
     - [Create a backend service](#create-a-backend-service)
     - [Create an Ingress resource](#create-an-ingress-resource)
   - [Enable TLS encryption](#enable-tls-encryption)
+  - [Allow CIDRs](#allow-cidrs)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -449,3 +450,34 @@ Ingress and enable the more secure HTTPS protocol.
 > NOTE: octavia-ingress-controller currently doesn't support to integrate with
 > `cert-manager` to create the non-existing secret dynamically. Could be improved
 > in the future.
+
+## Allow CIDRs
+
+By using the annotation `octavia.ingress.kubernetes.io/whitelist-source-range`,
+you can restrict access to certain IP addresses.
+The value should be a comma-separated list of CIDRs.
+
+Example:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test-octavia-ingress
+  annotations:
+    kubernetes.io/ingress.class: "openstack"
+    octavia.ingress.kubernetes.io/internal: "false"
+    octavia.ingress.kubernetes.io/whitelist-source-range: 192.168.1.0/23
+spec:
+  rules:
+    - host: foo.bar.com
+      http:
+        paths:
+        - path: /ping
+          pathType: Exact
+          backend:
+            service:
+              name: webserver
+              port:
+                number: 8080
+```

pkg/ingress/controller/controller.go

@@ -95,6 +95,10 @@ const (
 	// Default to true.
 	IngressAnnotationInternal = "octavia.ingress.kubernetes.io/internal"
 
+	// IngressAnnotationSourceRangesKey is the key of the annotation on an ingress to set allowed IP ranges on their LoadBalancers.
+	// It should be a comma-separated list of CIDRs.
+	IngressAnnotationSourceRangesKey = "octavia.ingress.kubernetes.io/whitelist-source-range"
+
 	// IngressControllerTag is added to the related resources.
 	IngressControllerTag = "octavia.ingress.kubernetes.io"
 
@@ -312,6 +316,10 @@ func NewController(conf config.Config) *Controller {
 				// Two different versions of the same Ingress will always have different RVs.
 				return
 			}
+			newAnnotations := newIng.ObjectMeta.Annotations
+			oldAnnotations := oldIng.ObjectMeta.Annotations
+			delete(newAnnotations, "kubectl.kubernetes.io/last-applied-configuration")
+			delete(oldAnnotations, "kubectl.kubernetes.io/last-applied-configuration")
 
 			key := fmt.Sprintf("%s/%s", newIng.Namespace, newIng.Name)
 			validOld := IsValid(oldIng)
@@ -322,7 +330,7 @@ func NewController(conf config.Config) *Controller {
 			} else if validOld && !validCur {
 				recorder.Event(newIng, apiv1.EventTypeNormal, "Deleting", fmt.Sprintf("Ingress %s", key))
 				controller.queue.AddRateLimited(Event{Obj: newIng, Type: DeleteEvent})
-			} else if validCur && !reflect.DeepEqual(newIng.Spec, oldIng.Spec) {
+			} else if validCur && (!reflect.DeepEqual(newIng.Spec, oldIng.Spec) || !reflect.DeepEqual(newAnnotations, oldAnnotations)) {
 				recorder.Event(newIng, apiv1.EventTypeNormal, "Updating", fmt.Sprintf("Ingress %s", key))
 				controller.queue.AddRateLimited(Event{Obj: newIng, Type: UpdateEvent})
 			} else {
@@ -703,7 +711,9 @@ func (c *Controller) ensureIngress(ing *nwv1.Ingress) error {
 	}
 
 	// Create listener
-	listener, err := c.osClient.EnsureListener(resName, lb.ID, secretRefs)
+	sourceRanges := getStringFromIngressAnnotation(ing, IngressAnnotationSourceRangesKey, "0.0.0.0/0")
+	listenerAllowedCIDRs := strings.Split(sourceRanges, ",")
+	listener, err := c.osClient.EnsureListener(resName, lb.ID, secretRefs, listenerAllowedCIDRs)
 	if err != nil {
 		return err
 	}

pkg/ingress/controller/openstack/octavia.go

@@ -19,6 +19,7 @@ package openstack
 import (
 	"errors"
 	"fmt"
+	"reflect"
 	"strings"
 	"time"
 
@@ -335,7 +336,7 @@ func (os *OpenStack) UpdateLoadBalancerDescription(lbID string, newDescription s
 }
 
 // EnsureListener creates a loadbalancer listener in octavia if it does not exist, wait for the loadbalancer to be ACTIVE.
-func (os *OpenStack) EnsureListener(name string, lbID string, secretRefs []string) (*listeners.Listener, error) {
+func (os *OpenStack) EnsureListener(name string, lbID string, secretRefs []string, listenerAllowedCIDRs []string) (*listeners.Listener, error) {
 	listener, err := openstackutil.GetListenerByName(os.Octavia, name, lbID)
 	if err != nil {
 		if err != openstackutil.ErrNotFound {
@@ -356,12 +357,26 @@ func (os *OpenStack) EnsureListener(name string, lbID string, secretRefs []strin
 			opts.ProtocolPort = 443
 			opts.Protocol = "TERMINATED_HTTPS"
 		}
+		if len(listenerAllowedCIDRs) > 0 {
+			opts.AllowedCIDRs = listenerAllowedCIDRs
+		}
 		listener, err = listeners.Create(os.Octavia, opts).Extract()
 		if err != nil {
 			return nil, fmt.Errorf("error creating listener: %v", err)
 		}
 
 		log.WithFields(log.Fields{"lbID": lbID, "listenerName": name}).Info("listener created")
+	} else {
+		if len(listenerAllowedCIDRs) > 0 && !reflect.DeepEqual(listener.AllowedCIDRs, listenerAllowedCIDRs) {
+			_, err := listeners.Update(os.Octavia, listener.ID, listeners.UpdateOpts{
+				AllowedCIDRs: &listenerAllowedCIDRs,
+			}).Extract()
+			if err != nil {
+				return nil, fmt.Errorf("failed to update listener allowed CIDRs: %v", err)
+			}
+
+			log.WithFields(log.Fields{"listenerID": listener.ID}).Debug("listener allowed CIDRs updated")
+		}
 	}
 
 	_, err = os.waitLoadbalancerActiveProvisioningStatus(lbID)