feat(kaas): ip cidr filtering #46
base: main
Co-authored-by: Tristan Smagghe <[email protected]>
Pull Request Overview
This PR adds IP CIDR filtering functionality to allow users to whitelist specific CIDR blocks or IPs for accessing the Kubernetes API server in the Infomaniak KaaS (Kubernetes as a Service) resource.
- Adds `acl_rules` field to the apiserver configuration for specifying allowed CIDR blocks/IPs
- Implements API methods for patching and retrieving IP filters
- Updates both resource and data source schemas to support the new filtering capability
Reviewed Changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| internal/services/kaas/kaas_resource.go | Adds acl_rules field to ApiserverModel and implements IP filtering in Create/Update/Read operations |
| internal/services/kaas/kaas_data_source.go | Adds acl_rules field to data source schema and implements IP filter retrieval |
| internal/apis/kaas/spec.go | Defines API interface methods for IP filter operations |
| internal/apis/kaas/mock/client.go | Implements mock client methods for IP filter operations |
| internal/apis/kaas/implementation/endpoints.go | Adds IP filter endpoint constant |
| internal/apis/kaas/implementation/client.go | Implements actual API client methods for IP filter operations |
| examples/kaas-ip-filter/variables.tf | Defines variables for IP filter example configuration |
| examples/kaas-ip-filter/main.tf | Shows usage example of IP filtering in Terraform configuration |
| docs/resources/kaas.md | Documents the new acl_rules configuration option |
| if !data.Apiserver.AllowRequestsFromCIDR.IsNull() { | ||
| allowedCidrs := make([]string, 0, len(data.Apiserver.AllowRequestsFromCIDR.Elements())) | ||
| resp.Diagnostics.Append(data.Apiserver.AllowRequestsFromCIDR.ElementsAs(ctx, &allowedCidrs, true)...) | ||
| ok, err := r.client.Kaas.PatchIPFilters(allowedCidrs, input.Project.PublicCloudId, input.Project.ProjectId, kaasId) | ||
| if !ok || err != nil { | ||
| var errMsg string | ||
| if err != nil { | ||
| errMsg = err.Error() | ||
| } else { | ||
| errMsg = "PatchIPFilters returned false but no error was provided" | ||
| } | ||
| resp.Diagnostics.AddError( | ||
| "Error when applying network filtering", | ||
| errMsg, | ||
| ) | ||
| } | ||
| } |
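Review bot: The diagnostics returned by `ElementsAs` are appended but never checked, so `PatchIPFilters` is still called after a failed conversion with whatever `allowedCidrs` holds at that point. Check `resp.Diagnostics.HasError()` and return before the API call, so a partial or empty allowlist is never sent. The block is also skipped entirely when `AllowRequestsFromCIDR` is null, which means removing the attribute from the configuration sends no patch; confirm that leaving the existing filters in place is the intended behaviour, and document it.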
Copilot
AI
Oct 6, 2025
The IP filter patching logic is duplicated in both Create and Update methods. Consider extracting this into a separate method to reduce code duplication.
| state.fillApiserverState(ctx, apiserverParams) | ||
| } | ||
|
|
||
| filteredIps, err := r.client.Kaas.GetIPFilters(int(state.PublicCloudId.ValueInt64()), int(state.PublicCloudProjectId.ValueInt64()), kaasObject.Id) |
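Review bot: `GetIPFilters` is called after `state.fillApiserverState(ctx, apiserverParams)` has already modified `state`, so a failure here must add a diagnostic and return before the state is saved; otherwise the stored allowlist can differ from what the API server actually enforces. The `int(...ValueInt64())` conversions on `PublicCloudId` and `PublicCloudProjectId` are unchecked narrowing casts; keep the ids as `int64` through the client call or validate the range first.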
Copilot
AI
Oct 6, 2025
The error handling for GetIPFilters doesn't return early on error, which means the function continues executing and may set incomplete state. Consider adding a return statement after the error diagnostic.
| SetPathParam("public_cloud_project_id", fmt.Sprint(projectId)). | ||
| SetPathParam("kaas_id", fmt.Sprint(kaasId)). | ||
| SetBody(body). | ||
| SetDebug(true). |
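Review bot: `SetDebug(true)` is hardcoded at the end of a request chain that also calls `SetBody(body)`, so the request contents would be written to the debug output on every apply. Remove the call, or drive it from the provider's logging configuration so it is off by default.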
Copilot
AI
Oct 6, 2025
Debug mode should not be hardcoded to true in production code. This should be configurable or removed for production builds.
| SetPathParam("public_cloud_id", fmt.Sprint(publicCloudId)). | ||
| SetPathParam("public_cloud_project_id", fmt.Sprint(projectId)). | ||
| SetPathParam("kaas_id", fmt.Sprint(kaasId)). | ||
| SetDebug(true). |
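Review bot: The read request built from `public_cloud_id`, `public_cloud_project_id` and `kaas_id` carries the same hardcoded `SetDebug(true)` as the patch request. Remove both in the same change; if request tracing is needed, enable it once on the shared client from configuration rather than per request.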
Copilot
AI
Oct 6, 2025
Debug mode should not be hardcoded to true in production code. This should be configurable or removed for production builds.



This PR allows users to add a CIDR whitelist to access the Kubernetes apiserver.