From a94db3ed7a9cc1393a7b1caf6eb32d68552bc0ef Mon Sep 17 00:00:00 2001
From: Utsav Anand
Date: Sun, 9 Feb 2020 17:18:38 +0530
Subject: [PATCH] Fix opening on TCP ports on GCE for inlets-pro
This PR will now allow for all TCP traffic through the inlets-pro exit node If a firewall-rule for inlets or inlets-pro named 'inlets' already exists, then it will update the firewall-rule with the required rules depending on the user using the `--remote-tcp` flag (inlets-pro) or not in `inletsctl create` command Fixes #44 Fixes #56
Signed-off-by: Utsav Anand
---
 .gitignore | 1 +
 cmd/create.go | 1 +
 go.mod | 1 -
 pkg/provision/gce.go | 82 +++++++++++++++++++++++++-------------------
 4 files changed, 49 insertions(+), 36 deletions(-)
diff --git a/.gitignore b/.gitignore
index b1441cb2..1cf89dfa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /inletsctl
 /bin/**
 .idea/
+.DS_Store
diff --git a/cmd/create.go b/cmd/create.go
index ddab9a32..5ac3c5e7 100644
--- a/cmd/create.go
+++ b/cmd/create.go
@@ -311,6 +311,7 @@ func createHost(provider, name, region, zone, projectID, userData, inletsPort st
 "zone": zone,
 "firewall-name": "inlets",
 "firewall-port": inletsPort,
+ "pro": fmt.Sprint(pro),
 },
 }, nil
 } else if provider == "ec2" {
diff --git a/go.mod b/go.mod
index 681dc150..dbbdf7ce 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,6 @@ require (
 github.com/spf13/cobra v0.0.5
 github.com/spf13/pflag v1.0.5
 go.opencensus.io v0.22.2 // indirect
- golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5 // indirect
 golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 // indirect
 golang.org/x/oauth2 v0.0.0-20191122200657-5d9234df094c
 golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9 // indirect
diff --git a/pkg/provision/gce.go b/pkg/provision/gce.go
index cd4e57f5..377883f9 100644
--- a/pkg/provision/gce.go
+++ b/pkg/provision/gce.go
@@ -93,17 +93,9 @@ func (p *GCEProvisioner) Provision(host BasicHost) (*ProvisionedHost, error) {
 },
 }
- exists, _ := p.gceFirewallExists(host.Additional["projectid"], host.Additional["firewall-name"], host.Additional["firewall-port"])
-
- if !exists {
- err := p.createInletsFirewallRule(host.Additional["projectid"], host.Additional["firewall-name"], host.Additional["firewall-port"])
- log.Println("inlets firewallRule does not exist")
- if err != nil {
- return nil, fmt.Errorf("could not create inlets firewall rule: %v", err)
- }
- log.Printf("Creating inlets firewallRule opening port: %s\n", host.Additional["firewall-port"])
- } else {
- log.Println("inlets firewallRule exists")
+ err := p.createInletsFirewallRule(host.Additional["projectid"], host.Additional["firewall-name"], host.Additional["firewall-port"], host.Additional["pro"])
+ if err != nil {
+ return nil, err
 }
 op, err := p.gceProvisioner.Instances.Insert(host.Additional["projectid"], host.Additional["zone"], instance).Do()
@@ -116,7 +108,6 @@ func (p *GCEProvisioner) Provision(host BasicHost) (*ProvisionedHost, error) {
 if op.Status == gceHostRunning {
 status = ActiveStatus
 }
-
 return &ProvisionedHost{
 ID: toGCEID(host.Name, host.Additional["zone"], host.Additional["projectid"]),
 Status: status,
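Review bot: The new call rewrites the shared `inlets` rule (to every TCP port when `host.Additional["pro"]` is `"true"`) before `Instances.Insert` runs, and nothing on the insert-error path below undoes that, so a failed provision now leaves an already-existing rule widened rather than merely leaving a fresh rule behind as the old code did. Consider invoking `createInletsFirewallRule` only after a successful insert, or restoring the previous rule when `Insert` returns an error. The `pro` value is also compared as a raw string downstream, so a caller that never sets `host.Additional["pro"]` silently gets the port-restricted rule; a comment here such as `// host.Additional["pro"] is "true"/"false" from createHost; anything else selects the port-restricted rule` would make that contract visible. Provision starts before and ends after this hunk.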
@@ -124,45 +115,66 @@ func (p *GCEProvisioner) Provision(host BasicHost) (*ProvisionedHost, error) {
 }
 // gceFirewallExists checks if the inlets firewall rule exists or not
-func (p *GCEProvisioner) gceFirewallExists(projectID string, firewallRuleName string, controlPort string) (bool, error) {
+func (p *GCEProvisioner) gceFirewallExists(projectID string, firewallRuleName string) (bool, error) {
 op, err := p.gceProvisioner.Firewalls.Get(projectID, firewallRuleName).Do()
 if err != nil {
 return false, fmt.Errorf("could not get inlets firewall rule: %v", err)
 }
 if op.Name == firewallRuleName {
- for _, firewallRule := range op.Allowed {
- for _, port := range firewallRule.Ports {
- if port == controlPort {
- return true, nil
- }
- }
- }
+ return true, nil
 }
 return false, nil
 }
 // createInletsFirewallRule creates a firewall rule opening up the control port for inlets
-func (p *GCEProvisioner) createInletsFirewallRule(projectID string, firewallRuleName string, controlPort string) error {
- firewallRule := &compute.Firewall{
- Name: firewallRuleName,
- Description: "Firewall rule created by inlets-operator",
- Network: fmt.Sprintf("projects/%s/global/networks/default", projectID),
- Allowed: []*compute.FirewallAllowed{
- {
- IPProtocol: "tcp",
- Ports: []string{controlPort},
+func (p *GCEProvisioner) createInletsFirewallRule(projectID string, firewallRuleName string, controlPort string, pro string) error {
+ var firewallRule *compute.Firewall
+ if pro == "true" {
+ firewallRule = &compute.Firewall{
+ Name: firewallRuleName,
+ Description: "Firewall rule created by inlets-operator",
+ Network: fmt.Sprintf("projects/%s/global/networks/default", projectID),
+ Allowed: []*compute.FirewallAllowed{
+ {
+ IPProtocol: "tcp",
+ },
- },
- SourceRanges: []string{"0.0.0.0/0"},
- Direction: "INGRESS",
- TargetTags: []string{"inlets"},
+ SourceRanges: []string{"0.0.0.0/0"},
+ Direction: "INGRESS",
+ TargetTags: []string{"inlets"},
+ }
+ } else {
+ firewallRule = &compute.Firewall{
+ Name: firewallRuleName,
+ Description: "Firewall rule created by inlets-operator",
+ Network: fmt.Sprintf("projects/%s/global/networks/default", projectID),
+ Allowed: []*compute.FirewallAllowed{
+ {
+ IPProtocol: "tcp",
+ Ports: []string{controlPort, "80", "443"},
+ },
+ },
+ SourceRanges: []string{"0.0.0.0/0"},
+ Direction: "INGRESS",
+ TargetTags: []string{"inlets"},
+ }
+ }
+
+ exists, _ := p.gceFirewallExists(projectID, firewallRuleName)
+ if exists {
+ log.Println("inlets firewallRule exists, updating firewall-rules")
+ _, err := p.gceProvisioner.Firewalls.Update(projectID, firewallRuleName, firewallRule).Do()
+ if err != nil {
+ return fmt.Errorf("could not update inlets firewall rule: %v", err)
+ }
+ return nil
 }
 _, err := p.gceProvisioner.Firewalls.Insert(projectID, firewallRule).Do()
+ log.Println("creating inlets firewallRule")
 if err != nil {
- return fmt.Errorf("could not create firewall rule: %v", err)
+ return fmt.Errorf("could not create inlets firewall rule: %v", err)
 }
-
 return nil
 }
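Review bot: In the `pro == "true"` branch the `Allowed` entry is `IPProtocol: "tcp"` with no `Ports`, so the rule admits every TCP port from `0.0.0.0/0` to every instance tagged `inlets` in the `default` network, and `Firewalls.Update` then replaces whatever rule named `inlets` already exists — including one an operator narrowed by hand — while a later non-pro `create` flips all existing exit nodes back to `controlPort`/80/443 in one step. Because the rule carries `Description: "Firewall rule created by inlets-operator"`, a cheap guard is to fetch the existing rule and refuse the update when its `Description` (or its `SourceRanges`/`TargetTags`) does not match what inlets writes, and to log the exact exposure being applied rather than the generic "updating firewall-rules"; hard-coding `0.0.0.0/0` is worth revisiting in favour of a caller-supplied allow-list. Separately, `exists, _ := p.gceFirewallExists(projectID, firewallRuleName)` discards an error that `gceFirewallExists` returns both when the rule is absent and when the `Get` itself fails (permissions, transport), so a real failure falls through to `Insert` and surfaces as a confusing already-exists error; have `gceFirewallExists` report not-found as `(false, nil)` and change this line to `exists, err := p.gceFirewallExists(projectID, firewallRuleName)` followed by `if err != nil { return fmt.Errorf("could not check inlets firewall rule: %v", err) }`.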