chore(*) add transparent-proxy firewalld support (kumahq#1702)

* chore(*) firewalld translation from iptables * chore(*) kumactl install with firewalld Signed-off-by: Nikolay Nikolaev <nicknickolaev@gmail.com>
rizalgowandy · Mar 29, 2021 · 47009e1 · 47009e1
1 parent f17a84c
commit 47009e1
Show file tree

Hide file tree

Showing 34 changed files with 498 additions and 34 deletions.
diff --git a/app/kumactl/cmd/completion/testdata/bash.golden b/app/kumactl/cmd/completion/testdata/bash.golden
@@ -2394,8 +2394,6 @@ _kumactl_install_transparent-proxy()
     local_nonpersistent_flags+=("--kuma-dp-user=")
     flags+=("--modify-iptables")
     local_nonpersistent_flags+=("--modify-iptables")
-    flags+=("--modify-resolv-conf")
-    local_nonpersistent_flags+=("--modify-resolv-conf")
     flags+=("--redirect-inbound")
     local_nonpersistent_flags+=("--redirect-inbound")
     flags+=("--redirect-inbound-port=")
@@ -2404,6 +2402,10 @@ _kumactl_install_transparent-proxy()
     flags+=("--redirect-outbound-port=")
     two_word_flags+=("--redirect-outbound-port")
     local_nonpersistent_flags+=("--redirect-outbound-port=")
+    flags+=("--skip-resolv-conf")
+    local_nonpersistent_flags+=("--skip-resolv-conf")
+    flags+=("--store-firewalld")
+    local_nonpersistent_flags+=("--store-firewalld")
     flags+=("--config-file=")
     two_word_flags+=("--config-file")
     flags+=("--log-level=")

diff --git a/app/kumactl/cmd/completion/testdata/zsh.golden b/app/kumactl/cmd/completion/testdata/zsh.golden
@@ -974,10 +974,11 @@ function _kumactl_install_transparent-proxy {
     '--kuma-dp-uid[the UID of the user that will run kuma-dp]:' \
     '--kuma-dp-user[the user that will run kuma-dp]:' \
     '--modify-iptables[modify the host iptables to redirect the traffic to Envoy]' \
-    '--modify-resolv-conf[modify the host `/etc/resolv.conf` to allow `.mesh` resolution through kuma-cp]' \
     '--redirect-inbound[redirect the inbound traffic to the Envoy. Should be disabled for Gateway data plane proxies.]' \
     '--redirect-inbound-port[inbound port redirected to Envoy, as specified in dataplane'\''s `networking.transparentProxying.redirectPortInbound`]:' \
     '--redirect-outbound-port[outbound port redirected to Envoy, as specified in dataplane'\''s `networking.transparentProxying.redirectPortOutbound`]:' \
+    '--skip-resolv-conf[skip modifying the host `/etc/resolv.conf`]' \
+    '--store-firewalld[store the iptables changes with firewalld]' \
     '--config-file[path to the configuration file to use]:' \
     '--log-level[log level: one of off|info|debug]:' \
     '(-m --mesh)'{-m,--mesh}'[mesh to use]:'

diff --git a/app/kumactl/cmd/install/install_transparent_proxy.go b/app/kumactl/cmd/install/install_transparent_proxy.go
@@ -1,13 +1,17 @@
 package install
 
 import (
+	"bufio"
 	"fmt"
 	"io/ioutil"
 	"net"
 	os_user "os/user"
+	"regexp"
 	"runtime"
 	"strings"
 
+	"github.com/kumahq/kuma/pkg/transparentproxy/firewalld"
+
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 
@@ -25,7 +29,8 @@ type transparenProxyArgs struct {
 	ExcludeOutboundPorts string
 	UID                  string
 	User                 string
-	ModifyResolvConf     bool
+	SkipResolvConf       bool
+	StoreFirewalld       bool
 	KumaCpIP             net.IP
 }
 
@@ -40,7 +45,8 @@ func newInstallTransparentProxy() *cobra.Command {
 		ExcludeOutboundPorts: "",
 		UID:                  "",
 		User:                 "",
-		ModifyResolvConf:     true,
+		SkipResolvConf:       false,
+		StoreFirewalld:       false,
 		KumaCpIP:             net.IPv4(0, 0, 0, 0),
 	}
 	cmd := &cobra.Command{
@@ -107,7 +113,7 @@ runuser -u kuma-dp -- \
 				return errors.Errorf("--kuma-dp-user or --kuma-dp-uid should be supplied")
 			}
 
-			if args.ModifyResolvConf && args.KumaCpIP.String() == net.IPv4(0, 0, 0, 0).String() {
+			if !args.SkipResolvConf && args.KumaCpIP.String() == net.IPv4(0, 0, 0, 0).String() {
 				return errors.Errorf("please supply a valid `--kuma-cp-ip`")
 			}
 
@@ -117,7 +123,7 @@ runuser -u kuma-dp -- \
 				}
 			}
 
-			if args.ModifyResolvConf {
+			if !args.SkipResolvConf {
 				if err := modifyResolvConf(cmd, &args); err != nil {
 					return err
 				}
@@ -137,7 +143,8 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringVar(&args.ExcludeOutboundPorts, "exclude-outbound-ports", args.ExcludeOutboundPorts, "a comma separated list of outbound ports to exclude from redirect to Envoy")
 	cmd.Flags().StringVar(&args.User, "kuma-dp-user", args.UID, "the user that will run kuma-dp")
 	cmd.Flags().StringVar(&args.UID, "kuma-dp-uid", args.UID, "the UID of the user that will run kuma-dp")
-	cmd.Flags().BoolVar(&args.ModifyResolvConf, "modify-resolv-conf", args.ModifyResolvConf, "modify the host `/etc/resolv.conf` to allow `.mesh` resolution through kuma-cp")
+	cmd.Flags().BoolVar(&args.SkipResolvConf, "skip-resolv-conf", args.SkipResolvConf, "skip modifying the host `/etc/resolv.conf`")
+	cmd.Flags().BoolVar(&args.StoreFirewalld, "store-firewalld", args.StoreFirewalld, "store the iptables changes with firewalld")
 	cmd.Flags().IPVar(&args.KumaCpIP, "kuma-cp-ip", args.KumaCpIP, "the IP address of the Kuma CP which exposes the DNS service on port 53.")
 
 	return cmd
@@ -184,7 +191,55 @@ func modifyIpTables(cmd *cobra.Command, args *transparenProxyArgs) error {
 	if args.DryRun {
 		_, _ = cmd.OutOrStdout().Write([]byte(output))
 	} else {
-		_, _ = cmd.OutOrStdout().Write([]byte("iptables set to diverge the traffic to Envoy."))
+		_, _ = cmd.OutOrStdout().Write([]byte("iptables set to diverge the traffic to Envoy.\n"))
+	}
+
+	if args.StoreFirewalld {
+		err = storeFirewalld(cmd, args, output)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func storeFirewalld(cmd *cobra.Command, args *transparenProxyArgs, output string) error {
+	translator := firewalld.NewFirewalldIptablesTranslator(args.DryRun)
+	parser := regexp.MustCompile(`\* (?P<table>\w*)`)
+	rules := map[string][]string{}
+
+	scanner := bufio.NewScanner(strings.NewReader(output))
+	table := ""
+
+	scanner.Split(bufio.ScanLines)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.Contains(line, "COMMIT") {
+			table = ""
+			continue
+		}
+
+		matches := parser.FindStringSubmatch(line)
+		if len(matches) > 1 {
+			table = matches[parser.SubexpIndex("table")]
+			continue
+		}
+
+		if table != "" {
+			rules[table] = append(rules[table], line)
+		}
+	}
+
+	translated, err := translator.StoreRules(rules)
+	if err != nil {
+		return err
+	}
+
+	if args.DryRun {
+		_, _ = cmd.OutOrStdout().Write([]byte("\n\n" + translated + "\n\n"))
+	} else {
+		_, _ = cmd.OutOrStdout().Write([]byte("iptables saved with firewalld."))
 	}
 
 	return nil

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go
@@ -409,7 +409,7 @@ func (i *KumaInjector) NewInitContainer(pod *kube_core.Pod) (kube_core.Container
 			excludeInboundPorts,
 			"--exclude-outbound-ports",
 			excludeOutboundPorts,
-			"--modify-resolv-conf=false",
+			"--skip-resolv-conf",
 		},
 		SecurityContext: &kube_core.SecurityContext{
 			RunAsUser:  new(int64), // way to get pointer to int64(0)

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.01.golden.yaml
@@ -122,7 +122,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.02.golden.yaml
@@ -130,7 +130,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.03.golden.yaml
@@ -184,7 +184,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.04.golden.yaml
@@ -122,7 +122,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.05.golden.yaml
@@ -115,7 +115,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.06.golden.yaml
@@ -123,7 +123,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.07.golden.yaml
@@ -122,7 +122,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.08.golden.yaml
@@ -125,7 +125,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.09.golden.yaml
@@ -124,7 +124,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.11.golden.yaml
@@ -123,7 +123,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.12.golden.yaml
@@ -122,7 +122,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.13.golden.yaml
@@ -122,7 +122,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.14.golden.yaml
@@ -134,7 +134,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.15.golden.yaml
@@ -134,7 +134,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.16.golden.yaml
@@ -134,7 +134,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.17.golden.yaml
@@ -131,7 +131,7 @@ spec:
     - 1234,1235
     - --exclude-outbound-ports
     - "1236"
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.18.golden.yaml
@@ -131,7 +131,7 @@ spec:
     - 1234,5678
     - --exclude-outbound-ports
     - 4321,7654
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.19.golden.yaml
@@ -131,7 +131,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.21.golden.yaml
@@ -134,7 +134,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.22.golden.yaml
@@ -134,7 +134,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.23.golden.yaml
@@ -139,7 +139,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.24.golden.yaml
@@ -135,7 +135,7 @@ spec:
     - ""
     - --exclude-outbound-ports
     - ""
-    - --modify-resolv-conf=false
+    - --skip-resolv-conf
     command:
     - /usr/bin/kumactl
     - install

diff --git a/pkg/test/matchers/golden.go b/pkg/test/matchers/golden.go
@@ -18,6 +18,10 @@ func MatchGoldenJSON(goldenFilePath string) types.GomegaMatcher {
 	return MatchGolden(gomega.MatchJSON, goldenFilePath)
 }
 
+func MatchGoldenXML(goldenFilePath string) types.GomegaMatcher {
+	return MatchGolden(gomega.MatchXML, goldenFilePath)
+}
+
 func MatchGoldenEqual(goldenFilePath string) types.GomegaMatcher {
 	return MatchGolden(func(expected interface{}) types.GomegaMatcher {
 		if expectedBytes, ok := expected.([]byte); ok {