Add support for comma-delimited destinations in ASGs
A short explanation of the proposed change:
Allow operators to configure Cloud Controller to support ASGs with comma-delimited destinations. For example, the following ASG definition would be valid:
[
  {
    "protocol": "tcp",
    "destination": "1.2.3.4,10.0.0.0/24,25.0.0.0-26.0.0.0",
    "ports": "65432",
    "description": "Valid comma delimited list of destinations"
  }
]
An explanation of the use cases your change solves
Currently, if a developer wants to open connections from their cf app to two non-consecutive IP addresses (e.g. 8.8.8.8 and 10.10.10.10), they'd have to create two separate ASGs. This creates duplication and performance implications on some large environments with many ASGs that are also running networking fabrics other than silk.
One way to reduce said duplication is to enable comma-delimited destinations, so that the firewall rules are consolidated.
Links
- https://github.com/cloudfoundry/capi-release/pull/386
- https://github.com/cloudfoundry/cloud_controller_ng/pull/3644
- https://github.com/cloudfoundry/silk-release/pull/107
Checklist
- [X] I have reviewed the contributing guide
- [X] I have viewed, signed, and submitted the Contributor License Agreement
- [X] I have made this pull request to the main branch
- [X] I have run all the unit tests using bundle exec rake
- [ ] I have run CF Acceptance Tests
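An added example, not code from this PR or from Cloud Controller: a strict validator for the comma-delimited destination format described above, showing how each item can be classified as a single IP, a CIDR block or a range, and how malformed lists are rejected. The module name `DestinationList` and its acceptance rules (IPv4 only, no whitespace, no empty items, range start not above range end) are assumptions made for illustration.

```ruby
require 'ipaddr'

# Added illustration, not Cloud Controller's validator. Assumed rules:
# IPv4 only, no whitespace, no empty items, range start <= range end.
module DestinationList
  module_function

  # Strict dotted-quad IPv4; returns an IPAddr, or nil when malformed.
  def ipv4(str)
    return nil unless str.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)

    IPAddr.new(str)
  rescue IPAddr::Error
    nil
  end

  # Returns :ip, :cidr or :range for one list item, or nil when invalid.
  def classify(item)
    if item.include?('-')
      first, last, extra = item.split('-', -1)
      a = ipv4(first.to_s)
      b = ipv4(last.to_s)
      return :range if extra.nil? && a && b && a.to_i <= b.to_i
    elsif item.include?('/')
      addr, prefix, extra = item.split('/', -1)
      ok = extra.nil? && ipv4(addr.to_s) && prefix.to_s.match?(/\A\d{1,2}\z/)
      return :cidr if ok && prefix.to_i <= 32
    elsif ipv4(item)
      return :ip
    end
    nil
  end

  # Split with limit -1 so "a,,b" and a trailing comma yield empty items
  # that fail validation instead of being silently dropped.
  def validate(destination)
    items = destination.split(',', -1)
    errors = items.each_with_index
                  .reject { |item, _| classify(item) }
                  .map { |item, i| "item #{i}: invalid destination #{item.inspect}" }
    { valid: !items.empty? && errors.empty?,
      kinds: items.map { |item| classify(item) },
      errors: errors }
  end
end

# Constructed sample input: the destination string from the ASG above.
p DestinationList.validate('1.2.3.4,10.0.0.0/24,25.0.0.0-26.0.0.0')
```

Rejecting the whole list when any item fails keeps a single typo from producing a rule set that differs from what the operator reviewed.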
We probably want to clarify in the docs that destinations can be a comma delimited list in our docs: https://v3-apidocs.cloudfoundry.org/version/3.159.0/index.html#the-security-group-object (if enabled)
Hi @sethboyles Thank you for looking over the PR. I have addressed your comments thus far. Please let me know if there is anything else I can answer or fix. 🙇
I'm curious if you consider having destinations as an [ ] array as an alternative to a comma-separated string.
@a-b it's worth noting that CCNG already accepts ports in ASG definitions as a comma-separated list: https://v3-apidocs.cloudfoundry.org/version/3.159.0/index.html#the-security-group-object, so to do so with IP addresses is at least consistent with that
@jrussett unfortunately this has gotten conflicts now so I can't merge directly. Sorry that this got delayed so long that this happened. I can attempt to resolve it myself when I have time, but I think the commits should also be squashed/combined into one. Would you like to resolve this or should I give it a shot?
Oops the conflicts were only on the 'rebase' option, seems like I can squash & merge no problem