From 949ccb69bed1e542c6bbe1b076d21730097e95e1 Mon Sep 17 00:00:00 2001
From: Lucas TESSON
Date: Sat, 25 Jan 2025 12:55:35 +0100
Subject: [PATCH] fix: ingress exposure missing information for it to work

---
 examples/exposed-monopod/main.go | 8 ++
 sdk/kubernetes/exposed-monopod.go | 106 +++++++++++++-----
 .../software-development-kit/index.md | 4 +-
 webdocs/tutorials/a-complete-example/index.md | 17 ++-
 4 files changed, 101 insertions(+), 34 deletions(-)

diff --git a/examples/exposed-monopod/main.go b/examples/exposed-monopod/main.go
index 865d774..d3bed68 100644
--- a/examples/exposed-monopod/main.go
+++ b/examples/exposed-monopod/main.go
@@ -25,6 +25,14 @@ func main() {
 Files: pulumi.StringMap{
 "/app/flag.txt": variated,
 },
+ // The following fits for a Traefik-based use case
+ IngressAnnotations: pulumi.ToStringMap(map[string]string{
+ "traefik.ingress.kubernetes.io/router.entrypoints": "web, websecure",
+ }),
+ IngressNamespace: pulumi.String("networking"),
+ IngressLabels: pulumi.ToStringMap(map[string]string{
+ "app": "traefik",
+ }),
 }, opts...)
 if err != nil {
 return err
diff --git a/sdk/kubernetes/exposed-monopod.go b/sdk/kubernetes/exposed-monopod.go
index 0e4c396..ab3120c 100644
--- a/sdk/kubernetes/exposed-monopod.go
+++ b/sdk/kubernetes/exposed-monopod.go
@@ -51,7 +51,11 @@ type (
 // WARNING: provisionning a file in a directory makes adjacent
 // files unavailable.
 // For more info, refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#populate-a-volume-with-data-stored-in-a-configmap
- Files pulumi.StringMapInput
+ Files pulumi.StringMapInput
+
+ // FromCIDR can be configured to specify an IP range that will
+ // be able to access the pod.
+ // TODO @NicoFgrx support it when ExposeIngress too
 FromCIDR pulumi.StringPtrInput
 fromCIDR pulumi.StringOutput
 
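Review bot: The added annotation value `"web, websecure"` routes the challenge on both Traefik entrypoints, and if `web` is the plaintext HTTP entrypoint (Traefik's conventional setup, not visible here) the flag-serving pod becomes reachable without TLS as well as with it. If that is the intended CTF behaviour, say so in the comment; otherwise use `"websecure"` alone or pair `web` with a redirect middleware. Suggest replacing the comment with `// Traefik-specific: expose on both the plain (web) and TLS (websecure) entrypoints; drop "web" for TLS-only.` The enclosing `main` starts before and ends after this hunk.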
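Review bot: The new `FromCIDR` comment promises that the range "will be able to access the pod", but the TODO right under it means that for `ExposeIngress` the value is not enforced at all (the ingress NetworkPolicy in this same patch selects by namespace and pod labels only), so a reader of the field alone would over-trust it. Make the limitation explicit in the doc comment rather than in a TODO: `// FromCIDR restricts the source range allowed to reach the pod. It is only enforced for ExposeNodePort; with ExposeIngress the NetworkPolicy admits the ingress-controller pods instead and this field is currently ignored.` The `type (` block starts before and ends after this hunk.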
@@ -61,6 +65,14 @@ type (
 // put on the ingress, if the `ExposeType` is set to
 // `ExposeIngress`.
 IngressAnnotations pulumi.StringMapInput
+
+ // IngressNamespace must be configured to the namespace in
+ // which the ingress (e.g. nginx, traefik) is deployed.
+ IngressNamespace pulumi.StringInput
+
+ // IngressLabels must be configured to the labels of the ingress
+ // pods (e.g. app=traefik, ...).
+ IngressLabels pulumi.StringMapInput
 }
 
 ExposeType int
@@ -264,6 +276,41 @@ func (emp *ExposedMonopod) provision(ctx *pulumi.Context, args *ExposedMonopodAr
 
 // Specific exposures
 switch args.ExposeType {
+ case ExposeNodePort:
+ emp.ntp, err = netwv1.NewNetworkPolicy(ctx, "emp-ntp", &netwv1.NetworkPolicyArgs{
+ Metadata: metav1.ObjectMetaArgs{
+ Labels: labels,
+ Name: pulumi.Sprintf("emp-ntp-%s", args.Identity),
+ },
+ Spec: netwv1.NetworkPolicySpecArgs{
+ PodSelector: metav1.LabelSelectorArgs{
+ MatchLabels: labels,
+ },
+ PolicyTypes: pulumi.ToStringArray([]string{
+ "Ingress",
+ }),
+ Ingress: netwv1.NetworkPolicyIngressRuleArray{
+ netwv1.NetworkPolicyIngressRuleArgs{
+ From: netwv1.NetworkPolicyPeerArray{
+ netwv1.NetworkPolicyPeerArgs{
+ IpBlock: &netwv1.IPBlockArgs{
+ Cidr: args.fromCIDR,
+ },
+ },
+ },
+ Ports: netwv1.NetworkPolicyPortArray{
+ netwv1.NetworkPolicyPortArgs{
+ Port: args.Port,
+ },
+ },
+ },
+ },
+ },
+ }, opts...)
+ if err != nil {
+ return err
+ }
+
 case ExposeIngress:
 emp.ing, err = netwv1.NewIngress(ctx, "emp-ing", &netwv1.IngressArgs{
 Metadata: metav1.ObjectMetaArgs{
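Review bot: The new doc comments say `IngressNamespace` and `IngressLabels` "must be configured" but never say what happens when they are not, and the consequence is security-relevant: in the `ExposeIngress` NetworkPolicy later in this patch they feed a namespace/pod selector, and an empty pod selector matches every pod in that namespace, so an omitted `IngressLabels` silently widens who may reach the challenge from "the ingress controller" to "anything running in the ingress namespace". Suggest stating that explicitly, e.g. `// IngressLabels selects the ingress-controller pods allowed to reach the challenge when ExposeType is ExposeIngress. Leaving it empty selects every pod in IngressNamespace, so always set it to the controller's labels (e.g. app=traefik).` It is also worth noting on `IngressNamespace` that it is matched via the `kubernetes.io/metadata.name` namespace label, so the cluster must populate that label (a Kubernetes 1.22+ default). The `type (` block starts before this hunk.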
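Review bot: The `ExposeNodePort` policy filters on `IpBlock` at `Cidr: args.fromCIDR`, but a NetworkPolicy sees the source address as it arrives at the pod, and for NodePort traffic that is commonly the node's own address after kube-proxy SNAT (the default `externalTrafficPolicy: Cluster`), so a client-facing CIDR may block legitimate players outright or, depending on what `fromCIDR` defaults to, restrict nothing; the Service definition and the `fromCIDR` default are outside this hunk, so this is inferred. A comment above the policy would save the next maintainer the debugging: `// ipBlock matches the source IP as seen at the pod; NodePort traffic is SNAT'd to the node address unless the Service uses externalTrafficPolicy: Local and the CNI preserves client IPs — verify before relying on FromCIDR for access control.` `provision` starts before and ends after this hunk.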
@@ -309,40 +356,45 @@ func (emp *ExposedMonopod) provision(ctx *pulumi.Context, args *ExposedMonopodAr if err != nil { return err } - } - emp.ntp, err = netwv1.NewNetworkPolicy(ctx, "emp-ntp", &netwv1.NetworkPolicyArgs{ - Metadata: metav1.ObjectMetaArgs{ - Labels: labels, - Name: pulumi.Sprintf("emp-ntp-%s", args.Identity), - }, - Spec: netwv1.NetworkPolicySpecArgs{ - PodSelector: metav1.LabelSelectorArgs{ - MatchLabels: labels, + emp.ntp, err = netwv1.NewNetworkPolicy(ctx, "emp-ntp", &netwv1.NetworkPolicyArgs{ + Metadata: metav1.ObjectMetaArgs{ + Labels: labels, + Name: pulumi.Sprintf("emp-ntp-%s", args.Identity), }, - PolicyTypes: pulumi.ToStringArray([]string{ - "Ingress", - }), - Ingress: netwv1.NetworkPolicyIngressRuleArray{ - netwv1.NetworkPolicyIngressRuleArgs{ - From: netwv1.NetworkPolicyPeerArray{ - netwv1.NetworkPolicyPeerArgs{ - IpBlock: &netwv1.IPBlockArgs{ - Cidr: args.fromCIDR, + Spec: netwv1.NetworkPolicySpecArgs{ + PodSelector: metav1.LabelSelectorArgs{ + MatchLabels: labels, + }, + PolicyTypes: pulumi.ToStringArray([]string{ + "Ingress", + }), + Ingress: netwv1.NetworkPolicyIngressRuleArray{ + netwv1.NetworkPolicyIngressRuleArgs{ + From: netwv1.NetworkPolicyPeerArray{ + netwv1.NetworkPolicyPeerArgs{ + NamespaceSelector: metav1.LabelSelectorArgs{ + MatchLabels: pulumi.StringMap{ + "kubernetes.io/metadata.name": args.IngressNamespace, + }, + }, + PodSelector: metav1.LabelSelectorArgs{ + MatchLabels: args.IngressLabels, + }, }, }, - }, - Ports: netwv1.NetworkPolicyPortArray{ - netwv1.NetworkPolicyPortArgs{ - Port: args.Port, + Ports: netwv1.NetworkPolicyPortArray{ + netwv1.NetworkPolicyPortArgs{ + Port: args.Port, + }, }, }, }, }, - }, - }, opts...) - if err != nil { - return err + }, opts...) + if err != nil { + return + } } return nil diff --git a/webdocs/challmaker-guides/software-development-kit/index.md b/webdocs/challmaker-guides/software-development-kit/index.md index fa74720..865c379 100644 
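Review bot: In the `ExposeIngress` NetworkPolicy, a nil `IngressLabels` makes `MatchLabels: args.IngressLabels` an empty pod selector, which matches every pod in `IngressNamespace`, so the rule quietly degrades from "only the ingress-controller pods" to "the whole ingress namespace", and a nil `IngressNamespace` likely leaves the `kubernetes.io/metadata.name` entry empty or invalid; since the field docs say both are mandatory, fail fast at the top of this case: `if args.IngressNamespace == nil || args.IngressLabels == nil { return fmt.Errorf("ExposeIngress requires IngressNamespace and IngressLabels") }` (or validate in the constructor, which is outside this hunk). Separately, the NetworkPolicy used to be created unconditionally after the `switch` and is now created only inside the `ExposeNodePort` and `ExposeIngress` cases, so any other `ExposeType` value (if one exists; the enum is not visible here) would now get no policy at all — a `default:` branch that returns an error would preserve the previous fail-closed behaviour. Finally the bare `return` at the end of this case differs from the `return err` used by every sibling error path in the hunk and relies on a named `err` result whose signature is outside the hunk; prefer `return err` for consistency. `provision` starts before this hunk and its closing brace is outside it.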
--- a/webdocs/challmaker-guides/software-development-kit/index.md
+++ b/webdocs/challmaker-guides/software-development-kit/index.md
@@ -62,7 +62,7 @@ func main() {
 cm, err := kubernetes.NewExposedMonopod(req.Ctx, &kubernetes.ExposedMonopodArgs{
 Image: pulumi.String("myprofile/my-challenge:latest"),
 Port: pulumi.Int(8080),
- ExposeType: kubernetes.ExposeIngress,
+ ExposeType: kubernetes.ExposeNodePort,
 Hostname: pulumi.String("brefctf.ctfer.io"),
 Identity: pulumi.String(req.Config.Identity),
 }, opts...)
@@ -70,7 +70,7 @@ func main() {
 return err
 }
 
- resp.ConnectionInfo = pulumi.Sprintf("curl -v https://%s", cm.URL)
+ resp.ConnectionInfo = pulumi.Sprintf("curl -v http://%s", cm.URL)
 return nil
 })
 }
diff --git a/webdocs/tutorials/a-complete-example/index.md b/webdocs/tutorials/a-complete-example/index.md
index 25d85af..7c4468e 100644
--- a/webdocs/tutorials/a-complete-example/index.md
+++ b/webdocs/tutorials/a-complete-example/index.md
@@ -92,11 +92,18 @@ import (
 func main() {
 sdk.Run(func(req *sdk.Request, resp *sdk.Response, opts ...pulumi.ResourceOption) error {
 cm, err := kubernetes.NewExposedMonopod(req.Ctx, &kubernetes.ExposedMonopodArgs{
- Image: pulumi.String("account/challenge:latest"), // challenge Docker image
- Port: pulumi.Int(8080), // pod listens on port 8080
- ExposeType: kubernetes.ExposeIngress, // expose the challenge through an ingress (HTTP)
- Hostname: pulumi.String("brefctf.ctfer.io"), // CTF hostname
- Identity: pulumi.String(req.Config.Identity), // identity will be prepended to hostname
+ Image: pulumi.String("account/challenge:latest"), // challenge Docker image
+ Port: pulumi.Int(8080), // pod listens on port 8080
+ ExposeType: kubernetes.ExposeIngress, // expose the challenge through an ingress (HTTP)
+ Hostname: pulumi.String("brefctf.ctfer.io"), // CTF hostname
+ Identity: pulumi.String(req.Config.Identity), // identity will be prepended to hostname
+ IngressAnnotations: pulumi.ToStringMap(map[string]string{ // annotations for the ingress to target the service
+ "traefik.ingress.kubernetes.io/router.entrypoints": "web, websecure",
+ }),
+ IngressNamespace: pulumi.String("networking"), // the namespace in which the ingress is deployed
+ IngressLabels: pulumi.ToStringMap(map[string]string{ // the labels of the ingress pods
+ "app": "traefik",
+ }),
 }, opts...)
 if err != nil {
 return err