feat(kubernetes): add support for control-plane IP filtering (#245)

Author: kangasta

CHANGELOG.md

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Add `kubernetes nodegroup show` for displaying node-group details. This also adds _Nodes_ table and _Anti-affinity_ field that were not available in previous `kubernetes show` output.
+- Add `kubernetes modify` command for modifying IP addresses that are allowed to access cluster's Kubernetes API.
+- Add `--kubernetes-api-allow-ip` argument to `kubernetes create` command.
+- Add `Kubernetes API allowed IPs` field to `kubernetes show` output.
 
 ### Changed
 - In human readable output of `kubernetes show` command, show node-groups as table. Node-group datails are available with `kubernetes nodegroup show` command.

go.mod

@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/UpCloudLtd/progress v1.0.1
-	github.com/UpCloudLtd/upcloud-go-api/v6 v6.5.0
+	github.com/UpCloudLtd/upcloud-go-api/v6 v6.6.0
 	github.com/adrg/xdg v0.3.2
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/gemalto/flume v0.12.0

go.sum

@@ -40,8 +40,8 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/UpCloudLtd/progress v1.0.1 h1:e0ptyD2oOGa3udRcLzgRemIN9enGx4Bc9GQ0sZ/1/EY=
 github.com/UpCloudLtd/progress v1.0.1/go.mod h1:hKsRsvlCffcYt/s0krpWvOFozOjpfUYjSkL6CzZztoI=
-github.com/UpCloudLtd/upcloud-go-api/v6 v6.5.0 h1:bOZY2kNRZo7J+9vgG37Z7S36Wb1SSoTNmg+RPaL6eJs=
-github.com/UpCloudLtd/upcloud-go-api/v6 v6.5.0/go.mod h1:I8rWmBBl+OhiY3AGzKbrobiE5TsLCLNYkCQxE4eJcTg=
+github.com/UpCloudLtd/upcloud-go-api/v6 v6.6.0 h1:Fc9a083OBzl8i4pDV2KXCAfxo4gCjJFHgRuPvRnroBY=
+github.com/UpCloudLtd/upcloud-go-api/v6 v6.6.0/go.mod h1:I8rWmBBl+OhiY3AGzKbrobiE5TsLCLNYkCQxE4eJcTg=
 github.com/adrg/xdg v0.3.2 h1:GUSGQ5pHdev83AYhDSS1A/CX+0JIsxbiWtow2DSA+RU=
 github.com/adrg/xdg v0.3.2/go.mod h1:7I2hH/IT30IsupOpKZ5ue7/qNi3CoKzD6tL3HwpaRMQ=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=

internal/commands/all/all.go

@@ -152,6 +152,7 @@ func BuildCommands(rootCmd *cobra.Command, conf *config.Config) {
 	// Kubernetes
 	kubernetesCommand := commands.BuildCommand(kubernetes.BaseKubernetesCommand(), rootCmd, conf)
 	commands.BuildCommand(kubernetes.CreateCommand(), kubernetesCommand.Cobra(), conf)
+	commands.BuildCommand(kubernetes.ModifyCommand(), kubernetesCommand.Cobra(), conf)
 	commands.BuildCommand(kubernetes.ConfigCommand(), kubernetesCommand.Cobra(), conf)
 	commands.BuildCommand(kubernetes.DeleteCommand(), kubernetesCommand.Cobra(), conf)
 	commands.BuildCommand(kubernetes.ListCommand(), kubernetesCommand.Cobra(), conf)

internal/commands/kubernetes/create.go

@@ -125,6 +125,12 @@ func (c *createCommand) InitCommand() {
 			"taint=\"env=dev:NoSchedule\","+
 			"taint=\"env=dev2:NoSchedule\"`",
 	)
+	fs.StringArrayVar(
+		&c.params.ControlPlaneIPFilter,
+		"kubernetes-api-allow-ip",
+		[]string{},
+		"Allow cluster's Kubernetes API to be accessed from an IP address or a network CIDR, multiple can be declared.",
+	)
 	config.AddToggleFlag(fs, &c.params.privateNodeGroups, "private-node-groups", false, "Do not assign public IPs to worker nodes. If set, the attached network should have a NAT gateway configured to provide internet access to the worker nodes.")
 	fs.StringVar(&c.params.Zone, "zone", "", namedargs.ZoneDescription("cluster"))
 	config.AddToggleFlag(fs, &c.params.wait, "wait", false, "Wait for cluster to be in running state before returning.")

internal/commands/kubernetes/create_test.go

@@ -32,9 +32,10 @@ func TestCreateKubernetes(t *testing.T) {
 		}
 	}
 	nodeGroupRequest := request.CreateKubernetesClusterRequest{
-		Name:        "my-cluster",
-		Network:     "aa39e313-d908-418a-a959-459699bdc83a",
-		NetworkCIDR: "172.16.1.0/24",
+		ControlPlaneIPFilter: []string{},
+		Name:                 "my-cluster",
+		Network:              "aa39e313-d908-418a-a959-459699bdc83a",
+		NetworkCIDR:          "172.16.1.0/24",
 		NodeGroups: []request.KubernetesNodeGroup{
 			{
 				Count: 2,

internal/commands/kubernetes/modify.go

@@ -0,0 +1,62 @@
+package kubernetes
+
+import (
+	"fmt"
+
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/completion"
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/output"
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/resolver"
+
+	"github.com/UpCloudLtd/upcloud-go-api/v6/upcloud/request"
+	"github.com/spf13/pflag"
+)
+
+// ModifyCommand creates the "kubernetes modify" command
+func ModifyCommand() commands.Command {
+	return &modifyCommand{
+		BaseCommand: commands.New(
+			"modify",
+			"Modifiy an existing cluster",
+			"upctl cluster modify 00bb4617-c592-4b32-b869-35a60b323b18 --plan 1xCPU-1GB",
+		),
+	}
+}
+
+type modifyCommand struct {
+	*commands.BaseCommand
+	resolver.CachingKubernetes
+	completion.Kubernetes
+	params request.ModifyKubernetesClusterRequest
+}
+
+// InitCommand implements Command.InitCommand
+func (c *modifyCommand) InitCommand() {
+	fs := &pflag.FlagSet{}
+	fs.StringArrayVar(
+		&c.params.Cluster.ControlPlaneIPFilter,
+		"kubernetes-api-allow-ip",
+		[]string{},
+		"Allow cluster's Kubernetes API to be accessed from an IP address or a network CIDR, multiple can be declared.",
+	)
+
+	c.AddFlags(fs)
+}
+
+// Execute implements commands.MultipleArgumentCommand
+func (c *modifyCommand) Execute(exec commands.Executor, arg string) (output.Output, error) {
+	msg := fmt.Sprintf("Modifying Kubernetes cluster %v", arg)
+	exec.PushProgressStarted(msg)
+
+	req := c.params
+	req.ClusterUUID = arg
+
+	res, err := exec.All().ModifyKubernetesCluster(exec.Context(), &req)
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	exec.PushProgressSuccess(msg)
+
+	return output.OnlyMarshaled{Value: res}, nil
+}

internal/commands/kubernetes/modify_test.go

@@ -0,0 +1,75 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/config"
+	smock "github.com/UpCloudLtd/upcloud-cli/v2/internal/mock"
+	"github.com/UpCloudLtd/upcloud-cli/v2/internal/mockexecute"
+
+	"github.com/UpCloudLtd/upcloud-go-api/v6/upcloud"
+	"github.com/UpCloudLtd/upcloud-go-api/v6/upcloud/request"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestModifyKubernetesCluster(t *testing.T) {
+	clusterUUID := "28c80353-98fd-4221-85e0-82d7603756ba"
+
+	for _, test := range []struct {
+		name     string
+		args     []string
+		expected request.ModifyKubernetesClusterRequest
+		errorMsg string
+	}{
+		{
+			name:     "no args",
+			args:     []string{clusterUUID},
+			expected: request.ModifyKubernetesClusterRequest{ClusterUUID: clusterUUID, Cluster: request.ModifyKubernetesCluster{ControlPlaneIPFilter: []string{}}},
+		},
+		{
+			name: "one IP",
+			args: []string{
+				clusterUUID,
+				"--kubernetes-api-allow-ip", "10.144.1.100",
+			},
+			expected: request.ModifyKubernetesClusterRequest{
+				ClusterUUID: clusterUUID,
+				Cluster:     request.ModifyKubernetesCluster{ControlPlaneIPFilter: []string{"10.144.1.100"}},
+			},
+		},
+		{
+			name: "IP and CIDR",
+			args: []string{
+				clusterUUID,
+				"--kubernetes-api-allow-ip", "10.144.1.100",
+				"--kubernetes-api-allow-ip", "10.144.2.0/24",
+			},
+			expected: request.ModifyKubernetesClusterRequest{
+				ClusterUUID: clusterUUID,
+				Cluster:     request.ModifyKubernetesCluster{ControlPlaneIPFilter: []string{"10.144.1.100", "10.144.2.0/24"}},
+			},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			conf := config.New()
+			testCmd := ModifyCommand()
+			mService := new(smock.Service)
+
+			mService.On("ModifyKubernetesCluster", &test.expected).Return(&upcloud.KubernetesCluster{}, nil)
+
+			c := commands.BuildCommand(testCmd, nil, conf)
+
+			c.Cobra().SetArgs(test.args)
+			_, err := mockexecute.MockExecute(c, mService, conf)
+
+			if test.errorMsg != "" {
+				assert.EqualError(t, err, test.errorMsg)
+			} else {
+				require.NoError(t, err)
+				mService.AssertNumberOfCalls(t, "ModifyKubernetesCluster", 1)
+			}
+		})
+	}
+}

internal/commands/kubernetes/show.go

@@ -1,12 +1,16 @@
 package kubernetes
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/UpCloudLtd/upcloud-cli/v2/internal/commands"
 	"github.com/UpCloudLtd/upcloud-cli/v2/internal/completion"
 	"github.com/UpCloudLtd/upcloud-cli/v2/internal/format"
 	"github.com/UpCloudLtd/upcloud-cli/v2/internal/output"
 	"github.com/UpCloudLtd/upcloud-cli/v2/internal/resolver"
 	"github.com/UpCloudLtd/upcloud-cli/v2/internal/ui"
+	"github.com/jedib0t/go-pretty/v6/text"
 
 	"github.com/UpCloudLtd/upcloud-go-api/v6/upcloud/request"
 )
@@ -80,6 +84,7 @@ func (s *showCommand) Execute(exec commands.Executor, uuid string) (output.Outpu
 								{Title: "Network UUID:", Value: cluster.Network, Colour: ui.DefaultUUUIDColours},
 								{Title: "Network name:", Value: networkName, Format: format.PossiblyUnknownString},
 								{Title: "Network CIDR:", Value: cluster.NetworkCIDR, Colour: ui.DefaultAddressColours},
+								{Title: "Kubernetes API allowed IPs:", Value: cluster.ControlPlaneIPFilter, Format: formatIPFilter},
 								{Title: "Private node groups:", Value: cluster.PrivateNodeGroups, Format: format.Boolean},
 								{Title: "Zone:", Value: cluster.Zone},
 								{Title: "Operational state:", Value: cluster.State, Format: format.KubernetesClusterState},
@@ -100,3 +105,30 @@ func (s *showCommand) Execute(exec commands.Executor, uuid string) (output.Outpu
 		},
 	}, nil
 }
+
+func formatIPFilter(val interface{}) (text.Colors, string, error) {
+	addresses, ok := val.([]string)
+	if !ok {
+		return nil, "", fmt.Errorf("cannot parse IP addresses from %T, expected []string", val)
+	}
+
+	allowAll := false
+	var strs []string
+	for _, ipa := range addresses {
+		if ipa == "0.0.0.0/0" {
+			allowAll = true
+		}
+
+		strs = append(strs, ui.DefaultAddressColours.Sprint(ipa))
+	}
+
+	if addresses == nil || allowAll {
+		return nil, "all", nil
+	}
+
+	if addresses == nil || allowAll {
+		return nil, text.FgHiBlack.Sprint("none"), nil
+	}
+
+	return nil, strings.Join(strs, ",\n"), nil
+}

internal/commands/kubernetes/show_test.go

@@ -18,9 +18,10 @@ import (
 func TestShowCommand(t *testing.T) {
 	text.DisableColors()
 	cluster1 := upcloud.KubernetesCluster{
-		Name:        "upcloud-go-sdk-unit-test",
-		Network:     "03a98be3-7daa-443f-bb25-4bc6854b396c",
-		NetworkCIDR: "172.16.1.0/24",
+		ControlPlaneIPFilter: []string{"10.144.1.100", "10.144.2.0/24"},
+		Name:                 "upcloud-go-sdk-unit-test",
+		Network:              "03a98be3-7daa-443f-bb25-4bc6854b396c",
+		NetworkCIDR:          "172.16.1.0/24",
 		NodeGroups: []upcloud.KubernetesNodeGroup{
 			{
 				Count: 4,
@@ -103,14 +104,16 @@ func TestShowCommand(t *testing.T) {
 
 	expected := `  
   Overview:
-    UUID:                0ddab8f4-97c0-4222-91ba-85a4fff7499b 
-    Name:                upcloud-go-sdk-unit-test             
-    Network UUID:        03a98be3-7daa-443f-bb25-4bc6854b396c 
-    Network name:        Test network                         
-    Network CIDR:        172.16.1.0/24                        
-    Private node groups: no                                   
-    Zone:                de-fra1                              
-    Operational state:   running                              
+    UUID:                       0ddab8f4-97c0-4222-91ba-85a4fff7499b 
+    Name:                       upcloud-go-sdk-unit-test             
+    Network UUID:               03a98be3-7daa-443f-bb25-4bc6854b396c 
+    Network name:               Test network                         
+    Network CIDR:               172.16.1.0/24                        
+    Kubernetes API allowed IPs: 10.144.1.100,                        
+                                10.144.2.0/24                        
+    Private node groups:        no                                   
+    Zone:                       de-fra1                              
+    Operational state:          running                              
 
   Node groups: