limit fw-rule description to 100 chars

Rahul Sharma · Rahul Sharma · commit e0602b2f7d2a · 2025-02-10T20:37:00.000Z
diff --git a/cloud/linode/firewall/firewalls.go b/cloud/linode/firewall/firewalls.go
@@ -20,6 +20,7 @@ import (
 
 const (
 	maxFirewallRuleLabelLen = 32
+	maxFirewallRuleDescLen  = 100
 	maxIPsPerFirewall       = 255
 	maxRulesPerFirewall     = 25
 )
@@ -205,10 +206,16 @@ func processACL(fwcreateOpts *linodego.FirewallCreateOptions, aclType, label, sv
 		ipv4chunks := chunkIPs(ipv4s)
 		for i, chunk := range ipv4chunks {
 			v4chunk := chunk
+			desc := fmt.Sprintf("Rule %d, Created by linode-ccm: %s, for %s", i, label, svcName)
+			if len(desc) > maxFirewallRuleDescLen {
+				newDesc := desc[0:maxFirewallRuleDescLen-3] + "..."
+				klog.Infof("Firewall rule description '%s' is too long. Stripping it to '%s'", desc, newDesc)
+				desc = newDesc
+			}
 			fwcreateOpts.Rules.Inbound = append(fwcreateOpts.Rules.Inbound, linodego.FirewallRule{
 				Action:      aclType,
 				Label:       ruleLabel,
-				Description: fmt.Sprintf("Rule %d, Created by linode-ccm: %s, for %s", i, label, svcName),
+				Description: desc,
 				Protocol:    linodego.TCP, // Nodebalancers support only TCP.
 				Ports:       ports,
 				Addresses:   linodego.NetworkAddresses{IPv4: &v4chunk},
@@ -218,20 +225,32 @@ func processACL(fwcreateOpts *linodego.FirewallCreateOptions, aclType, label, sv
 		ipv6chunks := chunkIPs(ipv6s)
 		for i, chunk := range ipv6chunks {
 			v6chunk := chunk
+			desc := fmt.Sprintf("Rule %d, Created by linode-ccm: %s, for %s", i, label, svcName)
+			if len(desc) > maxFirewallRuleDescLen {
+				newDesc := desc[0:maxFirewallRuleDescLen-3] + "..."
+				klog.Infof("Firewall rule description '%s' is too long. Stripping it to '%s'", desc, newDesc)
+				desc = newDesc
+			}
 			fwcreateOpts.Rules.Inbound = append(fwcreateOpts.Rules.Inbound, linodego.FirewallRule{
 				Action:      aclType,
 				Label:       ruleLabel,
-				Description: fmt.Sprintf("Rule %d, Created by linode-ccm: %s, for %s", i, label, svcName),
+				Description: desc,
 				Protocol:    linodego.TCP, // Nodebalancers support only TCP.
 				Ports:       ports,
 				Addresses:   linodego.NetworkAddresses{IPv6: &v6chunk},
 			})
 		}
 	} else {
+		desc := fmt.Sprintf("Created by linode-ccm: %s, for %s", label, svcName)
+		if len(desc) > maxFirewallRuleDescLen {
+			newDesc := desc[0:maxFirewallRuleDescLen-3] + "..."
+			klog.Infof("Firewall rule description '%s' is too long. Stripping it to '%s'", desc, newDesc)
+			desc = newDesc
+		}
 		fwcreateOpts.Rules.Inbound = append(fwcreateOpts.Rules.Inbound, linodego.FirewallRule{
 			Action:      aclType,
 			Label:       ruleLabel,
-			Description: fmt.Sprintf("Created by linode-ccm: %s, for %s", label, svcName),
+			Description: desc,
 			Protocol:    linodego.TCP, // Nodebalancers support only TCP.
 			Ports:       ports,
 			Addresses:   ips,
@@ -453,7 +472,7 @@ func (l *LinodeClient) updateNodeBalancerFirewallWithACL(
 				return nil
 			}
 
-			fwCreateOpts, err := CreateFirewallOptsForSvc(service.Name, []string{""}, service)
+			fwCreateOpts, err := CreateFirewallOptsForSvc(firewalls[0].Label, []string{""}, service)
 			if err != nil {
 				return err
 			}
diff --git a/cloud/linode/loadbalancers_test.go b/cloud/linode/loadbalancers_test.go
@@ -258,6 +258,10 @@ func TestCCMLoadBalancers(t *testing.T) {
 			name: "Update Load Balancer - No Nodes",
 			f:    testUpdateLoadBalancerNoNodes,
 		},
+		{
+			name: "Create Load Balancer - Very long Service name",
+			f:    testVeryLongServiceName,
+		},
 	}
 
 	for _, tc := range testCases {
@@ -816,6 +820,59 @@ func testUpdateLoadBalancerAddPortAnnotation(t *testing.T, client *linodego.Clie
 	}
 }
 
+func testVeryLongServiceName(t *testing.T, client *linodego.Client, _ *fakeAPI) {
+	svc := &v1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: strings.Repeat(randString(), 6),
+			UID:  "foobar123",
+			Annotations: map[string]string{
+				annotations.AnnLinodeCloudFirewallACL: `{
+					"denyList": {
+						"ipv4": ["2.2.2.2/32"],
+						"ipv6": ["2001:db8::/128"]
+					}
+				}`,
+			},
+		},
+		Spec: v1.ServiceSpec{
+			Ports: []v1.ServicePort{
+				{
+					Name:     randString(),
+					Protocol: "TCP",
+					Port:     int32(80),
+					NodePort: int32(30000),
+				},
+			},
+		},
+	}
+
+	nodes := []*v1.Node{
+		{
+			Status: v1.NodeStatus{
+				Addresses: []v1.NodeAddress{
+					{
+						Type:    v1.NodeInternalIP,
+						Address: "127.0.0.1",
+					},
+				},
+			},
+		},
+	}
+
+	lb := newLoadbalancers(client, "us-west").(*loadbalancers)
+	fakeClientset := fake.NewSimpleClientset()
+	lb.kubeClient = fakeClientset
+
+	defer func() {
+		_ = lb.EnsureLoadBalancerDeleted(context.TODO(), "linodelb", svc)
+	}()
+
+	_, err := lb.EnsureLoadBalancer(context.TODO(), "linodelb", svc, nodes)
+	if err != nil {
+		t.Errorf("EnsureLoadBalancer returned an error: %s", err)
+	}
+}
+
 func testUpdateLoadBalancerAddTags(t *testing.T, client *linodego.Client, _ *fakeAPI) {
 	svc := &v1.Service{
 		ObjectMeta: metav1.ObjectMeta{
