Add new parameter to createLoadBalancerRule API #6460
SonarCloud Quality Gate failed. |
@JoaoJandre |
I would rather move on with this PR only, as it is re-adding a feature that was deprecated/removed without a proper alternative. This PR is small, concise, unit tested, and ready to be used in production. The alternative you pointed out is a huge PR that looks a bit too complicated. Therefore, I would rather move on with this small addition to restore the API workings. |
@JoaoJandre #5799 has milestone "4.18.0.0". Once it is merged, it will be much easier to add more haproxy settings like the one you added in this PR. |
@weizhouapache, PR #5799 has been in development for 2 years now (originally developed in PR #4141). It passed through 4.15, 4.16, and 4.17, and we do not have a guarantee that it will be merged in 4.18. Also, there are a lot of changes in #5799, which would require good documentation and a lot of tests. Therefore, I would rather go with these small changes instead of blocking the feature for something we do not have a guarantee of. |
This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch. |
@GutoVeronezi @JoaoJandre |
based on tests performed in our labs and code reviews. Lgtm. |
@weizhouapache This feature could be part of it, too. |
@soreana |
Hey @DaanHoogland could you review and run the tests? |
@blueorangutan package |
@DaanHoogland a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 3900 |
@blueorangutan test |
@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
...main/java/org/apache/cloudstack/api/command/user/loadbalancer/CreateLoadBalancerRuleCmd.java
clgtm needs testing
Trillian test result (tid-4618)
Found UI changes, kicking a new UI QA build |
@acs-robot a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress. |
UI build: ✔️ |
SonarCloud Quality Gate failed. |
* Add new parameter to createLoadBalancerRule API * address review Co-authored-by: João Paraquetti <[email protected]>
Description
ACL rules are currently not enforced when a Load Balancer is used. When created, ACL rules are implemented in the VR in the FORWARD chain. In order for the LB to work only through the configured IPs, it is necessary to configure the rule in the INPUT chain. However, since all traffic into the VR is being allowed, only forwarding is blocked to the unconfigured IPs.
To work around this situation, it is possible to configure LB rules via the createLoadBalancerRule API. However, the cidrlist parameter, used to configure the CIDRs that can access the load balancer, had been deprecated in favor of the firewall rule implementation, which is not intuitive and does not support VRs in VPCs. Therefore, the parameter was reimplemented to allow users to create rules in the Load Balancer backend that restrict the access according to the source IP.
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
New unit tests were created. Alongside that, the changes were manually tested in a local lab by using the createLoadBalancerRule API with the cidrlist parameter to restrict network traffic.
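The chain behaviour in the description above, modelled as an added example that is not part of the PR or of CloudStack's code: a connection to the load balancer is addressed to the VR itself, so it is evaluated in INPUT and never meets the ACL in FORWARD unless the LB rule carries its own cidrlist. The addresses, the ACL contents and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation/private ranges), not from the PR.
VR_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")      # LB listens on the VR itself
ACL_ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]  # ACL rules live in FORWARD


def chain_for(dst, local_addrs):
    """Netfilter routing decision: packets addressed to the router itself
    traverse INPUT; packets routed through it traverse FORWARD."""
    return "INPUT" if dst in local_addrs else "FORWARD"


def in_any(src, networks):
    """True if src falls inside at least one of the given networks."""
    return any(src in net for net in networks)


def connection_allowed(src, dst, lb_cidrlist=None):
    """Return (chain, accepted) for a new connection arriving at the VR.

    lb_cidrlist=None models an LB rule created without cidrlist; a
    comma-separated string models the source restriction that the
    parameter applies in the load balancer backend."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    chain = chain_for(dst, {VR_PUBLIC_IP})
    if chain == "FORWARD":
        # Only routed traffic is checked against the ACL rules.
        return chain, in_any(src, ACL_ALLOWED)
    # INPUT: per the description, all traffic into the VR is allowed,
    # so the ACL is never consulted; only the LB's cidrlist can filter.
    if lb_cidrlist is None:
        return chain, True
    nets = [ipaddress.ip_network(c.strip()) for c in lb_cidrlist.split(",")]
    return chain, in_any(src, nets)


if __name__ == "__main__":
    outsider = "192.0.2.55"  # not covered by the ACL
    print(connection_allowed(outsider, "10.1.1.20"))     # routed to a guest VM
    print(connection_allowed(outsider, "203.0.113.10"))  # LB without cidrlist
    print(connection_allowed(outsider, "203.0.113.10", "198.51.100.0/24"))
```
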