From e693aa1d694603fc09984c5d0acaa435bc07c7a8 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 22 Jan 2024 14:59:34 +0100 Subject: [PATCH 01/22] Introduce firewall egress and ingress rules for firewall allocation. --- cmd/metal-api/internal/metal/machine.go | 94 ++++++++++++++ .../internal/service/firewall-service.go | 2 +- .../internal/service/machine-service.go | 121 ++++++++++++++---- cmd/metal-api/internal/service/v1/firewall.go | 24 +++- spec/metal-api.json | 98 +++++++++++++- 5 files changed, 306 insertions(+), 33 deletions(-) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index 339e9cf85..35dba0c72 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -2,6 +2,7 @@ package metal import ( "fmt" + "net" "os" "strings" "time" 
@@ -147,6 +148,99 @@ type MachineAllocation struct { MachineSetup *MachineSetup `rethinkdb:"setup" json:"setup"` Role Role `rethinkdb:"role" json:"role"` VPN *MachineVPN `rethinkdb:"vpn" json:"vpn"` + Egress []EgressRule `rethinkdb:"egress" json:"egress"` + Ingress []IngressRule `rethinkdb:"ingress" json:"ingress"` +} + +type EgressRule struct { + Protocol Protocol `rethinkdb:"protocol" json:"protocol"` + Ports []int `rethinkdb:"ports" json:"ports"` + FromCIDRs []string `rethinkdb:"from_cidrs" json:"from_cidrs"` + Comment string `rethinkdb:"comment" json:"comment"` +} + +type IngressRule struct { + Protocol Protocol `rethinkdb:"protocol" json:"protocol"` + Ports []int `rethinkdb:"ports" json:"ports"` + ToCIDRs []string `rethinkdb:"to_cidrs" json:"from_cidrs"` + Comment string `rethinkdb:"comment" json:"comment"` +} + +type Protocol string + +const ( + ProtocolTCP Protocol = "TCP" + ProtocolUDP Protocol = "UDP" +) + +func ProtocolFromString(s string) (Protocol, error) { + switch strings.ToLower(s) { + case "tcp": + return ProtocolTCP, nil + case "udp": + return ProtocolTCP, nil + default: + return Protocol(""), fmt.Errorf("no such protocol: %s", s) + } +} + +func (r EgressRule) Validate() error { + switch r.Protocol { + case ProtocolTCP, ProtocolUDP: + // ok + default: + return fmt.Errorf("invalid procotol: %s", r.Protocol) + } + + if err := validatePorts(r.Ports); err != nil { + return err + } + + if err := validateCIDRs(r.FromCIDRs); err != nil { + return err + } + + return nil +} + +func (r IngressRule) Validate() error { + switch r.Protocol { + case ProtocolTCP, ProtocolUDP: + // ok + default: + return fmt.Errorf("invalid procotol: %s", r.Protocol) + } + + if err := validatePorts(r.Ports); err != nil { + return err + } + + if err := validateCIDRs(r.ToCIDRs); err != nil { + return err + } + + return nil +} + +func validatePorts(ports []int) error { + for _, port := range ports { + if port < 0 || port > 65535 { + return fmt.Errorf("port is out of range") + } + } + 
+ return nil +} + +func validateCIDRs(cidrs []string) error { + for _, cidr := range cidrs { + _, _, err := net.ParseCIDR(cidr) + if err != nil { + return fmt.Errorf("invalid cidr: %w", err) + } + } + + return nil } // A MachineSetup stores the data used for machine reinstallations. diff --git a/cmd/metal-api/internal/service/firewall-service.go b/cmd/metal-api/internal/service/firewall-service.go index 3f5552c97..8d8309145 100644 --- a/cmd/metal-api/internal/service/firewall-service.go +++ b/cmd/metal-api/internal/service/firewall-service.go @@ -206,7 +206,7 @@ func (r *firewallResource) allocateFirewall(request *restful.Request, response * return } - spec, err := createMachineAllocationSpec(r.ds, requestPayload.MachineAllocateRequest, metal.RoleFirewall, user) + spec, err := createMachineAllocationSpec(r.ds, requestPayload.MachineAllocateRequest, &requestPayload.FirewallAllocateRequest, user) if err != nil { r.sendError(request, response, httperrors.BadRequest(err)) return diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index 041d52ee7..2415d790f 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go @@ -76,6 +76,8 @@ type machineAllocationSpec struct { Role metal.Role VPN *metal.MachineVPN PlacementTags []string + EgressRules []metal.EgressRule + IngressRules []metal.IngressRule } // allocationNetwork is intermediate struct to create machine networks from regular networks during machine allocation @@ -976,7 +978,7 @@ func (r *machineResource) allocateMachine(request *restful.Request, response *re return } - spec, err := createMachineAllocationSpec(r.ds, requestPayload, metal.RoleMachine, user) + spec, err := createMachineAllocationSpec(r.ds, requestPayload, nil, user) if err != nil { r.sendError(request, response, httperrors.BadRequest(err)) return 
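Review bot: `ProtocolFromString` returns `ProtocolTCP` in its `case "udp":` branch, so a rule requested as UDP is stored as a TCP rule and then passes `Validate` unnoticed; the branch should read `return ProtocolUDP, nil`. A table test over `tcp`, `udp`, mixed case and an unknown value would pin this. Both `Validate` methods also accept an empty `Ports` or CIDR list, allow port 0, and never look at `Comment`; what an empty list means for the resulting rule set is not visible in this hunk, so it should either be rejected or stated in a doc comment on the rule types. The error text in both methods misspells the word as `procotol`.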
@@ -997,39 +999,92 @@ func (r *machineResource) allocateMachine(request *restful.Request, response *re r.send(request, response, http.StatusOK, resp) } -func createMachineAllocationSpec(ds *datastore.RethinkStore, requestPayload v1.MachineAllocateRequest, role metal.Role, user *security.User) (*machineAllocationSpec, error) { +func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.MachineAllocateRequest, firewallRequest *v1.FirewallAllocateRequest, user *security.User) (*machineAllocationSpec, error) { var uuid string - if requestPayload.UUID != nil { - uuid = *requestPayload.UUID + if machineRequest.UUID != nil { + uuid = *machineRequest.UUID } var name string - if requestPayload.Name != nil { - name = *requestPayload.Name + if machineRequest.Name != nil { + name = *machineRequest.Name } var description string - if requestPayload.Description != nil { - description = *requestPayload.Description + if machineRequest.Description != nil { + description = *machineRequest.Description } hostname := "metal" - if requestPayload.Hostname != nil { - hostname = *requestPayload.Hostname + if machineRequest.Hostname != nil { + hostname = *machineRequest.Hostname } var userdata string - if requestPayload.UserData != nil { - userdata = *requestPayload.UserData + if machineRequest.UserData != nil { + userdata = *machineRequest.UserData } - if requestPayload.Networks == nil { + if machineRequest.Networks == nil { return nil, errors.New("network ids cannot be nil") } - if len(requestPayload.Networks) <= 0 { + if len(machineRequest.Networks) <= 0 { return nil, errors.New("network ids cannot be empty") } - image, err := ds.FindImage(requestPayload.ImageID) + image, err := ds.FindImage(machineRequest.ImageID) if err != nil { return nil, err } + var ( + egress []metal.EgressRule + ingress []metal.IngressRule + role = metal.RoleMachine + ) + + if firewallRequest != nil { + role = metal.RoleFirewall + + for _, ruleSpec := range firewallRequest.Egress { + ruleSpec := 
ruleSpec + + protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) + if err != nil { + return nil, err + } + + rule := metal.EgressRule{ + Protocol: protocol, + Ports: ruleSpec.Ports, + FromCIDRs: ruleSpec.FromCIDRs, + Comment: ruleSpec.Comment, + } + + if err := rule.Validate(); err != nil { + return nil, err + } + + egress = append(egress, rule) + } + + for _, ruleSpec := range firewallRequest.Ingress { + ruleSpec := ruleSpec + + protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) + if err != nil { + return nil, err + } + + rule := metal.IngressRule{ + Protocol: protocol, + Ports: ruleSpec.Ports, + Comment: ruleSpec.Comment, + } + + if err := rule.Validate(); err != nil { + return nil, err + } + + ingress = append(ingress, rule) + } + } + imageFeatureType := metal.ImageFeatureMachine if role == metal.RoleFirewall { imageFeatureType = metal.ImageFeatureFirewall @@ -1039,8 +1094,8 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, requestPayload v1.M return nil, fmt.Errorf("given image is not usable for a %s, features: %s", imageFeatureType, image.ImageFeatureString()) } - partitionID := requestPayload.PartitionID - sizeID := requestPayload.SizeID + partitionID := machineRequest.PartitionID + sizeID := machineRequest.SizeID if uuid == "" && partitionID == "" { return nil, errors.New("when no machine id is given, a partition id must be specified") 
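Review bot: A request that omits `protocol` is rejected in both rule loops of `createMachineAllocationSpec`, because `metal.ProtocolFromString(ruleSpec.Protocol)` has no case for the empty string, while the field added in `v1/firewall.go` by this same patch is tagged `optional:"true"` with the description "defaults to tcp". Either apply the default before parsing, e.g. `if ruleSpec.Protocol == "" { ruleSpec.Protocol = "tcp" }`, or remove the default from the API description so clients are not misled. The two loops are identical apart from the rule type, and nothing bounds the number of rules or ports accepted per request, so a shared helper with an upper limit would fit here. The function continues past the end of this hunk.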
@@ -1072,19 +1127,21 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, requestPayload v1.M Name: name, Description: description, Hostname: hostname, - ProjectID: requestPayload.ProjectID, + ProjectID: machineRequest.ProjectID, PartitionID: partitionID, Machine: m, Size: size, Image: image, - SSHPubKeys: requestPayload.SSHPubKeys, + SSHPubKeys: machineRequest.SSHPubKeys, UserData: userdata, - Tags: requestPayload.Tags, - Networks: requestPayload.Networks, - IPs: requestPayload.IPs, + Tags: machineRequest.Tags, + Networks: machineRequest.Networks, + IPs: machineRequest.IPs, Role: role, - FilesystemLayoutID: requestPayload.FilesystemLayoutID, - PlacementTags: requestPayload.PlacementTags, + FilesystemLayoutID: machineRequest.FilesystemLayoutID, + PlacementTags: machineRequest.PlacementTags, + EgressRules: egress, + IngressRules: ingress, }, nil } @@ -1170,6 +1227,8 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam MachineNetworks: []*metal.MachineNetwork{}, Role: allocationSpec.Role, VPN: allocationSpec.VPN, + Egress: allocationSpec.EgressRules, + Ingress: allocationSpec.IngressRules, } rollbackOnError := func(err error) error { if err != nil { @@ -1211,6 +1270,20 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam return nil, rollbackOnError(fmt.Errorf("unable to make networks:%w", err)) } + for _, n := range networks { + n := n + + if n.networkType != metal.PrivatePrimaryUnshared { + continue + } + + for _, rule := range allocationSpec.IngressRules { + rule := rule + + rule.ToCIDRs = n.network.Prefixes.String() + } + } + // refetch the machine to catch possible updates after dealing with the network... machine, err := ds.FindMachineByID(machineCandidate.ID) if err != nil { diff --git a/cmd/metal-api/internal/service/v1/firewall.go b/cmd/metal-api/internal/service/v1/firewall.go index 69ffd716b..a32d1c60c 100644 --- a/cmd/metal-api/internal/service/v1/firewall.go 
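Review bot: The new loop over `allocationSpec.IngressRules` in the `@@ -1211,6 +1270,20 @@` hunk assigns `rule.ToCIDRs` on the per-iteration copy `rule`, so the slice elements are never changed and each ingress rule keeps the empty CIDR list it was built with in `createMachineAllocationSpec`. Index into the slice instead, `for i := range allocationSpec.IngressRules { allocationSpec.IngressRules[i].ToCIDRs = ... }`, and decide what should happen when more than one network is `PrivatePrimaryUnshared`, since each match would overwrite the previous value. PATCH 03/22 carries the same loop forward with `rule.FromCIDRs`, and PATCH 04/22 deletes it. `allocateMachine` starts and ends outside this hunk.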
+++ b/cmd/metal-api/internal/service/v1/firewall.go @@ -2,10 +2,26 @@ package v1 type FirewallCreateRequest struct { MachineAllocateRequest - // HA if set to true firewall is created in ha configuration - // - // Deprecated: will be removed in the next release - HA *bool `json:"ha" description:"if set to true, this firewall is set up in a High Available manner" optional:"true"` + FirewallAllocateRequest +} + +type FirewallAllocateRequest struct { + Egress []FirewallEgressRule `json:"egress,omitempty" description:"list of egress rules to be deployed during firewall allocation" optional:"true"` + Ingress []FirewallIngressRule `json:"ingress,omitempty" description:"list of ingress rules to be deployed during firewall allocation" optional:"true"` +} + +type FirewallEgressRule struct { + Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` + Ports []int `json:"ports" description:"the ports affected by this rule"` + FromCIDRs []string `json:"from_cidrs" description:"the cidrs affected by this rule"` + Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` +} + +type FirewallIngressRule struct { + Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` + Ports []int `json:"ports" description:"the ports affected by this rule"` + // no ToCIDRs, destination is always the node network + Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` } type FirewallResponse struct { diff --git a/spec/metal-api.json b/spec/metal-api.json index 58c04be6a..1d236c8bc 100644 --- a/spec/metal-api.json +++ b/spec/metal-api.json 
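Review bot: The new request types carry no doc comments, and their `description` tags leave the rule semantics open: "the cidrs affected by this rule" does not say whether the list is matched as source or destination, and nothing states the accepted port range or what an empty `ports` or CIDR list means. For firewall rules that ambiguity decides whether a rule ends up narrow or wide open, so the tags should say it explicitly, for example `description:"the ports this rule applies to, each between 0 and 65535"` to match `validatePorts`. `FirewallEgressRule` also names its field `FromCIDRs` / `from_cidrs`, which reads as a source list on an egress rule; PATCH 03/22 renames it.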
@@ -1015,20 +1015,41 @@ "id" ] }, + "v1.FirewallAllocateRequest": { + "properties": { + "egress": { + "description": "list of egress rules to be deployed during firewall allocation", + "items": { + "$ref": "#/definitions/v1.FirewallEgressRule" + }, + "type": "array" + }, + "ingress": { + "description": "list of ingress rules to be deployed during firewall allocation", + "items": { + "$ref": "#/definitions/v1.FirewallIngressRule" + }, + "type": "array" + } + } + }, "v1.FirewallCreateRequest": { "properties": { "description": { "description": "a description for this entity", "type": "string" }, + "egress": { + "description": "list of egress rules to be deployed during firewall allocation", + "items": { + "$ref": "#/definitions/v1.FirewallEgressRule" + }, + "type": "array" + }, "filesystemlayoutid": { "description": "the filesystemlayout id to assing to this machine", "type": "string" }, - "ha": { - "description": "if set to true, this firewall is set up in a High Available manner", - "type": "boolean" - }, "hostname": { "description": "the hostname for the allocated machine (defaults to metal)", "type": "string" @@ -1037,6 +1058,13 @@ "description": "the image id to assign this machine to", "type": "string" }, + "ingress": { + "description": "list of ingress rules to be deployed during firewall allocation", + "items": { + "$ref": "#/definitions/v1.FirewallIngressRule" + }, + "type": "array" + }, "ips": { "description": "the ips to attach to this machine additionally", "items": { 
@@ -1105,6 +1133,41 @@ "ssh_pub_keys" ] }, + "v1.FirewallEgressRule": { + "properties": { + "comment": { + "description": "an optional comment describing what this rule is used for", + "type": "string" + }, + "from_cidrs": { + "description": "the cidrs affected by this rule", + "items": { + "type": "string" + }, + "type": "array" + }, + "ports": { + "description": "the ports affected by this rule", + "items": { + "format": "int32", + "type": "integer" + }, + "type": "array" + }, + "protocol": { + "description": "the protocol for the rule, defaults to tcp", + "enum": [ + "tcp", + "udp" + ], + "type": "string" + } + }, + "required": [ + "from_cidrs", + "ports" + ] + }, "v1.FirewallFindRequest": { "properties": { "allocation_hostname": { @@ -1287,6 +1350,33 @@ } } }, + "v1.FirewallIngressRule": { + "properties": { + "comment": { + "description": "an optional comment describing what this rule is used for", + "type": "string" + }, + "ports": { + "description": "the ports affected by this rule", + "items": { + "format": "int32", + "type": "integer" + }, + "type": "array" + }, + "protocol": { + "description": "the protocol for the rule, defaults to tcp", + "enum": [ + "tcp", + "udp" + ], + "type": "string" + } + }, + "required": [ + "ports" + ] + }, "v1.FirewallResponse": { "properties": { "allocation": { From e96760e87bd0a226a6042d61a9e4a6f5f5fa583c Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 22 Jan 2024 15:45:15 +0100 Subject: [PATCH 02/22] Fix tests. --- .../internal/datastore/machine_integration_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cmd/metal-api/internal/datastore/machine_integration_test.go b/cmd/metal-api/internal/datastore/machine_integration_test.go index 0fe9d6cfb..fbf12686d 100644 --- a/cmd/metal-api/internal/datastore/machine_integration_test.go +++ b/cmd/metal-api/internal/datastore/machine_integration_test.go 
@@ -92,6 +92,12 @@ func (_ *machineTestable) defaultBody(m *metal.Machine) *metal.Machine { if m.Allocation.SSHPubKeys == nil { m.Allocation.SSHPubKeys = []string{} } + if m.Allocation.Egress == nil { + m.Allocation.Egress = []metal.EgressRule{} + } + if m.Allocation.Ingress == nil { + m.Allocation.Ingress = []metal.IngressRule{} + } for i := range m.Allocation.MachineNetworks { n := m.Allocation.MachineNetworks[i] if n.Prefixes == nil { From c54e748789eb23ba1a1ad7a8003bb8a7d893cfeb Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 22 Jan 2024 15:51:02 +0100 Subject: [PATCH 03/22] Review comments. --- cmd/metal-api/internal/metal/machine.go | 22 +++++++++---------- .../internal/service/machine-service.go | 10 ++++----- cmd/metal-api/internal/service/v1/firewall.go | 8 +++---- spec/metal-api.json | 18 +++++++-------- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index 35dba0c72..b826dadc0 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -2,7 +2,7 @@ package metal import ( "fmt" - "net" + "net/netip" "os" "strings" "time" 
@@ -153,19 +153,19 @@ type MachineAllocation struct { } type EgressRule struct { + Protocol Protocol `rethinkdb:"protocol" json:"protocol"` + Ports []int `rethinkdb:"ports" json:"ports"` + ToCIDRs []string `rethinkdb:"to_cidrs" json:"to_cidrs"` + Comment string `rethinkdb:"comment" json:"comment"` +} + +type IngressRule struct { Protocol Protocol `rethinkdb:"protocol" json:"protocol"` Ports []int `rethinkdb:"ports" json:"ports"` FromCIDRs []string `rethinkdb:"from_cidrs" json:"from_cidrs"` Comment string `rethinkdb:"comment" json:"comment"` } -type IngressRule struct { - Protocol Protocol `rethinkdb:"protocol" json:"protocol"` - Ports []int `rethinkdb:"ports" json:"ports"` - ToCIDRs []string `rethinkdb:"to_cidrs" json:"from_cidrs"` - Comment string `rethinkdb:"comment" json:"comment"` -} - type Protocol string const ( @@ -196,7 +196,7 @@ func (r EgressRule) Validate() error { return err } - if err := validateCIDRs(r.FromCIDRs); err != nil { + if err := validateCIDRs(r.ToCIDRs); err != nil { return err } @@ -215,7 +215,7 @@ func (r IngressRule) Validate() error { return err } - if err := validateCIDRs(r.ToCIDRs); err != nil { + if err := validateCIDRs(r.FromCIDRs); err != nil { return err } @@ -234,7 +234,7 @@ func validatePorts(ports []int) error { func validateCIDRs(cidrs []string) error { for _, cidr := range cidrs { - _, _, err := net.ParseCIDR(cidr) + _, err := netip.ParsePrefix(cidr) if err != nil { return fmt.Errorf("invalid cidr: %w", err) } diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index 2415d790f..f0a21aa37 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go 
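Review bot: `validateCIDRs` in the `@@ -234,7 +234,7 @@` hunk still discards the parsed value, and `netip.ParsePrefix` accepts a prefix with host bits set, such as the constructed example `10.1.2.3/8`, so the caller's non-canonical string is what ends up in the stored rule. Reject or normalise it: keep the result with `p, err := netip.ParsePrefix(cidr)` and add `if p.Masked() != p { return fmt.Errorf("cidr %q is not a network address", cidr) }`. The check does not look at address family either, so one rule can mix IPv4 and IPv6 prefixes; whether the rule consumer handles that is not visible in this series.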
@@ -1050,10 +1050,10 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M } rule := metal.EgressRule{ - Protocol: protocol, - Ports: ruleSpec.Ports, - FromCIDRs: ruleSpec.FromCIDRs, - Comment: ruleSpec.Comment, + Protocol: protocol, + Ports: ruleSpec.Ports, + ToCIDRs: ruleSpec.ToCIDRs, + Comment: ruleSpec.Comment, } if err := rule.Validate(); err != nil { @@ -1280,7 +1280,7 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam for _, rule := range allocationSpec.IngressRules { rule := rule - rule.ToCIDRs = n.network.Prefixes.String() + rule.FromCIDRs = n.network.Prefixes.String() } } diff --git a/cmd/metal-api/internal/service/v1/firewall.go b/cmd/metal-api/internal/service/v1/firewall.go index a32d1c60c..dcb7d6be7 100644 --- a/cmd/metal-api/internal/service/v1/firewall.go +++ b/cmd/metal-api/internal/service/v1/firewall.go @@ -11,10 +11,10 @@ type FirewallAllocateRequest struct { } type FirewallEgressRule struct { - Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` - Ports []int `json:"ports" description:"the ports affected by this rule"` - FromCIDRs []string `json:"from_cidrs" description:"the cidrs affected by this rule"` - Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` + Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` + Ports []int `json:"ports" description:"the ports affected by this rule"` + ToCIDRs []string `json:"to_cidrs" description:"the cidrs affected by this rule"` + Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` } type FirewallIngressRule struct { diff --git a/spec/metal-api.json b/spec/metal-api.json index 1d236c8bc..5369c3a9a 100644 --- a/spec/metal-api.json 
+++ b/spec/metal-api.json @@ -1139,13 +1139,6 @@ "description": "an optional comment describing what this rule is used for", "type": "string" }, - "from_cidrs": { - "description": "the cidrs affected by this rule", - "items": { - "type": "string" - }, - "type": "array" - }, "ports": { "description": "the ports affected by this rule", "items": { @@ -1161,11 +1154,18 @@ "udp" ], "type": "string" + }, + "to_cidrs": { + "description": "the cidrs affected by this rule", + "items": { + "type": "string" + }, + "type": "array" } }, "required": [ - "from_cidrs", - "ports" + "ports", + "to_cidrs" ] }, "v1.FirewallFindRequest": { From 0cf1a12f3fa8d8e5570419ba6a43d84b357b3b05 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Mon, 22 Jan 2024 15:59:49 +0100 Subject: [PATCH 04/22] Review comments. --- .../internal/service/machine-service.go | 21 ++++--------------- cmd/metal-api/internal/service/v1/firewall.go | 8 +++---- spec/metal-api.json | 8 +++++++ 3 files changed, 16 insertions(+), 21 deletions(-) diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index f0a21aa37..548c711f7 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go @@ -1072,9 +1072,10 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M } rule := metal.IngressRule{ - Protocol: protocol, - Ports: ruleSpec.Ports, - Comment: ruleSpec.Comment, + Protocol: protocol, + Ports: ruleSpec.Ports, + FromCIDRs: ruleSpec.FromCIDRs, + Comment: ruleSpec.Comment, } if err := rule.Validate(); err != nil { 
@@ -1270,20 +1271,6 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam return nil, rollbackOnError(fmt.Errorf("unable to make networks:%w", err)) } - for _, n := range networks { - n := n - - if n.networkType != metal.PrivatePrimaryUnshared { - continue - } - - for _, rule := range allocationSpec.IngressRules { - rule := rule - - rule.FromCIDRs = n.network.Prefixes.String() - } - } - // refetch the machine to catch possible updates after dealing with the network... machine, err := ds.FindMachineByID(machineCandidate.ID) if err != nil { diff --git a/cmd/metal-api/internal/service/v1/firewall.go b/cmd/metal-api/internal/service/v1/firewall.go index dcb7d6be7..0a372f19f 100644 --- a/cmd/metal-api/internal/service/v1/firewall.go +++ b/cmd/metal-api/internal/service/v1/firewall.go @@ -18,10 +18,10 @@ type FirewallEgressRule struct { } type FirewallIngressRule struct { - Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` - Ports []int `json:"ports" description:"the ports affected by this rule"` - // no ToCIDRs, destination is always the node network - Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` + Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` + Ports []int `json:"ports" description:"the ports affected by this rule"` + FromCIDRs []string `json:"from_cidrs" description:"the cidrs affected by this rule"` + Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` } type FirewallResponse struct { diff --git a/spec/metal-api.json b/spec/metal-api.json index 5369c3a9a..11157fbc4 100644 --- a/spec/metal-api.json +++ b/spec/metal-api.json 
@@ -1356,6 +1356,13 @@ "description": "an optional comment describing what this rule is used for", "type": "string" }, + "from_cidrs": { + "description": "the cidrs affected by this rule", + "items": { + "type": "string" + }, + "type": "array" + }, "ports": { "description": "the ports affected by this rule", "items": { @@ -1374,6 +1381,7 @@ } }, "required": [ + "from_cidrs", "ports" ] }, From 48e169ce8555df8631972c6f76978fc34c903df8 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Mon, 5 Feb 2024 14:04:57 +0100 Subject: [PATCH 05/22] Merge master --- go.mod | 58 ++++++++++-------- go.sum | 159 ++++++++++++++++++++++++------------------------- proto/Makefile | 2 +- 3 files changed, 111 insertions(+), 108 deletions(-) diff --git a/go.mod b/go.mod index 702d65647..816b730fb 100644 --- a/go.mod +++ b/go.mod @@ -11,14 +11,14 @@ require ( github.com/emicklei/go-restful/v3 v3.11.0 github.com/go-openapi/spec v0.20.14 github.com/google/go-cmp v0.6.0 - github.com/google/uuid v1.5.0 + github.com/google/uuid v1.6.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 github.com/juanfont/headscale v0.22.3 github.com/looplab/fsm v0.3.0 github.com/metal-stack/go-ipam v1.8.5 github.com/metal-stack/masterdata-api v0.10.1 - github.com/metal-stack/metal-lib v0.14.2 + github.com/metal-stack/metal-lib v0.14.4 github.com/metal-stack/security v0.7.1 github.com/metal-stack/v v1.0.3 github.com/nsqio/go-nsq v1.1.0 
@@ -31,11 +31,22 @@ require ( go.uber.org/zap v1.26.0 golang.org/x/crypto v0.18.0 golang.org/x/sync v0.6.0 - google.golang.org/grpc v1.60.1 + google.golang.org/grpc v1.61.0 google.golang.org/protobuf v1.32.0 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.2 ) +require ( + github.com/felixge/httpsnoop v1.0.3 // indirect + github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/moby/sys/user v0.1.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect + go.opentelemetry.io/otel v1.19.0 // indirect + go.opentelemetry.io/otel/metric v1.19.0 // indirect + go.opentelemetry.io/otel/trace v1.19.0 // indirect +) + replace ( // netipx and x/exp must be replaced for tailscale < 1.48 go4.org/netipx => go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 @@ -47,19 +58,19 @@ replace ( require ( connectrpc.com/connect v1.14.0 // indirect dario.cat/mergo v1.0.0 // indirect - filippo.io/edwards25519 v1.0.0 // indirect + filippo.io/edwards25519 v1.1.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.1 // indirect github.com/Microsoft/hcsshim v0.11.4 // indirect github.com/akutz/memconn v0.1.0 // indirect github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect - github.com/andybalholm/brotli v1.0.6 // indirect + github.com/andybalholm/brotli v1.1.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/avast/retry-go v3.0.0+incompatible // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/containerd/containerd v1.7.11 // indirect + github.com/containerd/containerd v1.7.13 // indirect github.com/containerd/log v0.1.0 // indirect github.com/coreos/go-oidc/v3 v3.9.0 // indirect github.com/cpuguy83/dockercfg v0.3.1 // indirect 
@@ -67,8 +78,7 @@ require ( github.com/deckarep/golang-set/v2 v2.6.0 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect github.com/distribution/reference v0.5.0 // indirect - github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v24.0.7+incompatible // indirect + github.com/docker/docker v25.0.2+incompatible // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect @@ -80,9 +90,9 @@ require ( github.com/go-openapi/errors v0.21.0 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect - github.com/go-openapi/runtime v0.26.2 // indirect + github.com/go-openapi/runtime v0.27.1 // indirect github.com/go-openapi/strfmt v0.22.0 // indirect - github.com/go-openapi/swag v0.22.7 // indirect + github.com/go-openapi/swag v0.22.9 // indirect github.com/goccy/go-json v0.10.2 // indirect github.com/gofrs/uuid/v5 v5.0.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect @@ -94,7 +104,7 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2 // indirect github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/hdevalence/ed25519consensus v0.1.0 // indirect + github.com/hdevalence/ed25519consensus v0.2.0 // indirect github.com/icza/dyno v0.0.0-20230330125955-09f820a8d9c0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect 
@@ -106,10 +116,9 @@ require ( github.com/jmoiron/sqlx v1.3.5 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect - github.com/jsimonetti/rtnetlink v1.4.0 // indirect + github.com/jsimonetti/rtnetlink v1.4.1 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.4 // indirect - github.com/leodido/go-urn v1.2.4 // indirect + github.com/klauspost/compress v1.17.5 // indirect github.com/lestrrat-go/blackmagic v1.0.2 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/httprc v1.0.4 // indirect @@ -117,7 +126,7 @@ require ( github.com/lestrrat-go/jwx/v2 v2.0.19 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/lib/pq v1.10.9 // indirect - github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect + github.com/lufia/plan9stats v0.0.0-20231016141302-07b5767bb0ed // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect @@ -125,7 +134,7 @@ require ( github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mdlayher/netlink v1.7.2 // indirect github.com/mdlayher/socket v0.5.0 // indirect - github.com/meilisearch/meilisearch-go v0.26.0 // indirect + github.com/meilisearch/meilisearch-go v0.26.1 // indirect github.com/mitchellh/go-ps v1.0.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moby/patternmatcher v0.6.0 // indirect 
@@ -136,15 +145,14 @@ require ( github.com/morikuni/aec v1.0.0 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc5 // indirect - github.com/opencontainers/runc v1.1.9 // indirect + github.com/opencontainers/image-spec v1.1.0-rc6 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/patrickmn/go-cache v2.1.0+incompatible // indirect - github.com/pelletier/go-toml/v2 v2.1.0 // indirect + github.com/pelletier/go-toml/v2 v2.1.1 // indirect github.com/philip-bui/grpc-zerolog v1.0.1 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect + github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect github.com/prometheus/client_model v0.5.0 // indirect github.com/prometheus/common v0.45.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect @@ -165,8 +173,8 @@ require ( github.com/stretchr/objx v0.5.1 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect - github.com/tklauser/go-sysconf v0.3.12 // indirect - github.com/tklauser/numcpus v0.6.1 // indirect + github.com/tklauser/go-sysconf v0.3.13 // indirect + github.com/tklauser/numcpus v0.7.0 // indirect github.com/valyala/bytebufferpool v1.0.0 // indirect github.com/valyala/fasthttp v1.51.0 // indirect github.com/x448/float16 v0.8.4 // indirect 
@@ -177,14 +185,14 @@ require (
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20231121144256-b99613f794b6 // indirect
- golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc
+ golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
 golang.org/x/mod v0.14.0 // indirect
 golang.org/x/net v0.20.0 // indirect
 golang.org/x/oauth2 v0.16.0 // indirect
 golang.org/x/sys v0.16.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.5.0 // indirect; indirecct
- golang.org/x/tools v0.16.1 // indirect
+ golang.org/x/tools v0.17.0 // indirect
 golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 google.golang.org/appengine v1.6.8 // indirect
 google.golang.org/genproto v0.0.0-20240108191215-35c7eff3a6b1 // indirect
@@ -201,6 +209,6 @@ require (
 modernc.org/mathutil v1.5.0 // indirect
 modernc.org/memory v1.5.0 // indirect
 modernc.org/sqlite v1.20.3 // indirect
- nhooyr.io/websocket v1.8.7 // indirect
+ nhooyr.io/websocket v1.8.10 // indirect
 tailscale.com v1.54.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 3168e17f0..eee4264b1 100644
--- a/go.sum
+++ b/go.sum
@@ -25,8 +25,8 @@ connectrpc.com/connect v1.14.0 h1:PDS+J7uoz5Oui2VEOMcfz6Qft7opQM9hPiKvtGC01pA= connectrpc.com/connect v1.14.0/go.mod h1:uoAq5bmhhn43TwhaKdGKN/bZcGtzPW1v+ngDTn5u+8s= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= -filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc= filippo.io/mkcert v1.4.4/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= 
@@ -79,8 +79,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= -github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI= -github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M= +github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= 
@@ -150,8 +150,8 @@ github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1: github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ= -github.com/containerd/containerd v1.7.11 h1:lfGKw3eU35sjV0aG2eYZTiwFEY1pCzxdzicHP3SZILw= -github.com/containerd/containerd v1.7.11/go.mod h1:5UluHxHTX2rdvYuZ5OJTC5m/KJNs0Zs9wVoJm9zf5ZE= +github.com/containerd/containerd v1.7.13 h1:wPYKIeGMN8vaggSKuV1X0wZulpMz4CrgEsZdaCyB6Is= +github.com/containerd/containerd v1.7.13/go.mod h1:zT3up6yTRfEUa6+GsITYIJNgSVL9NQ4x4h1RPzk0Wu4= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= 
@@ -227,11 +227,9 @@ github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyG github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= -github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= -github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v25.0.2+incompatible h1:/OaKeauroa10K4Nqavw4zlhcDq/WBcPMc5DbjOGgozY= +github.com/docker/docker v25.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 
@@ -264,6 +262,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= @@ -277,10 +277,6 @@ github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrt github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= -github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= -github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14= -github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/glebarez/sqlite v1.7.0 h1:A7Xj/KN2Lvie4Z4rrgQHY8MsbebX3NyWsL3n2i82MVI= 
@@ -296,11 +292,16 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE= github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78= -github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc= -github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo= +github.com/go-openapi/analysis v0.21.5 h1:3tHfEBh6Ia8eKc4M7khOGjPOAlWKJ10d877Cr9teujI= +github.com/go-openapi/analysis v0.21.5/go.mod h1:25YcZosX9Lwz2wBsrFrrsL8bmjjXdlyP6zsr2AMy29M= github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY= github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= 
@@ -313,10 +314,10 @@ github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL9 github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= -github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= -github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= -github.com/go-openapi/runtime v0.26.2 h1:elWyB9MacRzvIVgAZCBJmqTi7hBzU0hlKD4IvfX0Zl0= -github.com/go-openapi/runtime v0.26.2/go.mod h1:O034jyRZ557uJKzngbMDJXkcKJVzXJiymdSfgejrcRw= +github.com/go-openapi/loads v0.21.3 h1:8sSH2FIm/SnbDUGv572md4YqVMFne/a9Eubvcd3anew= +github.com/go-openapi/loads v0.21.3/go.mod h1:Y3aMR24iHbKHppOj91nQ/SHc0cuPbAr4ndY4a02xydc= +github.com/go-openapi/runtime v0.27.1 h1:ae53yaOoh+fx/X5Eaq8cRmavHgDma65XPZuvBqvJYto= +github.com/go-openapi/runtime v0.27.1/go.mod h1:fijeJEiEclyS8BRurYE1DE5TLb9/KZl6eAdbzjsrlLU= github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= github.com/go-openapi/spec v0.20.14 h1:7CBlRnw+mtjFGlPDRZmAMnq35cRzI91xj03HVyUi/Do= 
@@ -326,28 +327,15 @@ github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv271 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= -github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= -github.com/go-openapi/validate v0.22.3 h1:KxG9mu5HBRYbecRb37KRCihvGGtND2aXziBAv0NNfyI= -github.com/go-openapi/validate v0.22.3/go.mod h1:kVxh31KbfsxU8ZyoHaDbLBWU5CnMdqBUEtadQ2G4d5M= -github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= -github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q= -github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= -github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no= -github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= -github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1Vv0sFl1UcHBOY= -github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= +github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= +github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= +github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8= +github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A= github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0= -github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo= -github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8= -github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= -github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo= -github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= 
@@ -433,8 +421,8 @@ github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= -github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= @@ -445,8 +433,6 @@ github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= 
@@ -467,8 +453,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hdevalence/ed25519consensus v0.1.0 h1:jtBwzzcHuTmFrQN6xQZn6CQEO/V9f7HsjsjeEZ6auqU= -github.com/hdevalence/ed25519consensus v0.1.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo= +github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU= +github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/icza/dyno v0.0.0-20230330125955-09f820a8d9c0 h1:nHoRIX8iXob3Y2kdt9KsjyIb7iApSvb3vgsd93xb5Ow= 
@@ -506,11 +492,10 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk= github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8= -github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I= -github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E= +github.com/jsimonetti/rtnetlink v1.4.1 h1:JfD4jthWBqZMEffc5RjgmlzpYttAVw1sdnmiNaPO3hE= +github.com/jsimonetti/rtnetlink v1.4.1/go.mod h1:xJjT7t59UIZ62GLZbv6PLLo8VFrostJMPBAheR6OM8w= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= 
@@ -526,13 +511,12 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.6/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= -github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4= -github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/compress v1.17.5 h1:d4vBd+7CHydUqpFBgUEKkSdtSugf9YFmSkvUYPquI5E= +github.com/klauspost/compress v1.17.5/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -548,9 +532,6 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= -github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q= -github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4= github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k= github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= @@ -569,8 +550,9 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/looplab/fsm v0.3.0 h1:kIgNS3Yyud1tyxhG8kDqh853B7QqwnlWdgL3TD2s3Sw= github.com/looplab/fsm v0.3.0/go.mod h1:PmD3fFvQEIsjMEfvZdrCDZ6y8VwKTwWNjlpEr6IKPO4= -github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= +github.com/lufia/plan9stats v0.0.0-20231016141302-07b5767bb0ed h1:036IscGBfJsFIgJQzlui7nK1Ncm0tp2ktmPj8xO4N/0= +github.com/lufia/plan9stats v0.0.0-20231016141302-07b5767bb0ed/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= 
@@ -585,7 +567,6 @@ github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 
@@ -603,14 +584,14 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/ github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI= github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI= -github.com/meilisearch/meilisearch-go v0.26.0 h1:6IdFC9S53gEp7FMkt99swIFyEZE+4TwJAgen3eQdw40= -github.com/meilisearch/meilisearch-go v0.26.0/go.mod h1:SxuSqDcPBIykjWz1PX+KzsYzArNLSCadQodWs8extS0= +github.com/meilisearch/meilisearch-go v0.26.1 h1:3bmo2uLijX7kvBmiZ9LupVfC95TFcRJDgrRTzbOoE4A= +github.com/meilisearch/meilisearch-go v0.26.1/go.mod h1:SxuSqDcPBIykjWz1PX+KzsYzArNLSCadQodWs8extS0= github.com/metal-stack/go-ipam v1.8.5 h1:XE1XfaU6Ck1Ucc7svTO25dlT7kEcE1oxOM3lBrWIQmE= github.com/metal-stack/go-ipam v1.8.5/go.mod h1:JgsddJabu8A7lWD+4MJKqbQhmSA/zhBbO+Bp8pLhRZM= github.com/metal-stack/masterdata-api v0.10.1 h1:r7KuFJvMBfjMcMn5Cppy2n39uK+7D284PXGPDhRYzec= github.com/metal-stack/masterdata-api v0.10.1/go.mod h1:cet+ezlcRoEpN8jEjRo/8xn8v946gnsdX0lDaF8/ZJY= -github.com/metal-stack/metal-lib v0.14.2 h1:ntIZiV8fVoWsgPLXOy9xrObZr1NdU5caYUP0zzefUME= -github.com/metal-stack/metal-lib v0.14.2/go.mod h1:2wKxFXSCpA1Dr+Rq0ddpQCPKPGMWJp4cpIaVTM4lDi0= +github.com/metal-stack/metal-lib v0.14.4 h1:vm2868vcua6khoyWL7d0to8Hq5RayrjMse0FZTyWEec= +github.com/metal-stack/metal-lib v0.14.4/go.mod h1:Z3PAh8dkyWC4B19fXsu6EYwXXee0Lk9JZbjoHPLbDbc= github.com/metal-stack/security v0.7.1 h1:bwiPhT/gArl9IRJlhpDZzAs5Us6rmIt9bcuQXcLKO5k= github.com/metal-stack/security v0.7.1/go.mod h1:v+JrV2tIvoKESY0puONL3rAocfLkol1pqm2osm9PLcw= github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs= 
@@ -629,6 +610,8 @@ github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= +github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= +github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= @@ -654,8 +637,8 @@ github.com/nsqio/go-diskqueue v1.1.0 h1:r0dJ0DMXT3+2mOq+79cvCjnhoBxyGC2S9O+OjQrp github.com/nsqio/go-diskqueue v1.1.0/go.mod h1:INuJIxl4ayUsyoNtHL5+9MFPDfSZ0zY93hNY6vhBRsI= github.com/nsqio/go-nsq v1.1.0 h1:PQg+xxiUjA7V+TLdXw7nVrJ5Jbl3sN86EhGCQj4+FYE= github.com/nsqio/go-nsq v1.1.0/go.mod h1:vKq36oyeVXgsS5Q8YEO7WghqidAVXQlcFxzQbQTuDEY= -github.com/nsqio/nsq v1.2.1 h1:ZVjANYLnX1vPLmuSNCOdiw4nNPnzWgAC4t8wFhznMqU= -github.com/nsqio/nsq v1.2.1/go.mod h1:vXbwehoIygyVoX44oLFaN7MA0xrmudeuborDpMPiLTY= +github.com/nsqio/nsq v1.3.0 h1:v7NtyO844ieTIOCQEqQ7IUSSi1ImhgrTTto1rgIYGEU= +github.com/nsqio/nsq v1.3.0/go.mod h1:RxNr6UC0kSkNF44LnJrlN3U3CQnQGTXk+QKfSZLzqvc= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= 
@@ -679,15 +662,13 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= -github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= +github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= -github.com/opencontainers/runc v1.1.9 h1:XR0VIHTGce5eWPkaPesqTBrhW2yAcaraWfsEalNwQLM= -github.com/opencontainers/runc v1.1.9/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= 
@@ -701,8 +682,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= -github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= -github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= +github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI= +github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA= github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ= 
@@ -714,8 +695,9 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= +github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b h1:0LFwY6Q3gMACTjAbMZBjXAqTOzOwFaj2Ld6cjeQ7Rig= +github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 
@@ -844,16 +826,14 @@ github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ github.com/testcontainers/testcontainers-go v0.10.0/go.mod h1:zFYk0JndthnMHEwtVRHCpLwIP/Ik1G7mvIAQ2MdZ+Ig= github.com/testcontainers/testcontainers-go v0.27.0 h1:IeIrJN4twonTDuMuBNQdKZ+K97yd7VrmNGu+lDpYcDk= github.com/testcontainers/testcontainers-go v0.27.0/go.mod h1:+HgYZcd17GshBUZv9b+jKFJ198heWPQq3KQIp2+N+7U= -github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= -github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk= +github.com/tklauser/go-sysconf v0.3.13 h1:GBUpcahXSpR2xN01jhkNAbTLRk2Yzgggk8IM08lq3r4= +github.com/tklauser/go-sysconf v0.3.13/go.mod h1:zwleP4Q4OehZHGn4CYZDipCgg9usW5IJePewFCGVEa0= github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= +github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr4= +github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo= -github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= -github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs= -github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= github.com/undefinedlabs/go-mpatch v1.0.7 h1:943FMskd9oqfbZV0qRVKOUsXQhTLXL0bQTVbQSpzmBs= github.com/undefinedlabs/go-mpatch v1.0.7/go.mod h1:TyJZDQ/5AgyN7FSLiBJ8RO9u2c6wbtRvK827b6AVqY4= github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod 
h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= 
@@ -899,12 +879,28 @@ go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q= +go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= +go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= +go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= +go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= +go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= +go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= +go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.3.2/go.mod 
h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= @@ -1060,7 +1056,6 @@ golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1167,8 +1162,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= +golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= +golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1238,8 +1233,8 @@ google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= -google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= +google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= +google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -1335,8 +1330,8 @@ modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds= modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU= modernc.org/sqlite v1.20.3 h1:SqGJMMxjj1PHusLxdYxeQSodg7Jxn9WWkaAQjKrntZs= modernc.org/sqlite v1.20.3/go.mod h1:zKcGyrICaxNTMEHSr1HQ2GUraP0j+845GYw37+EyT6A= -nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g= -nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= +nhooyr.io/websocket v1.8.10 h1:mv4p+MnGrLDcPlBoWsvPP7XCzTYMXP9F9eIGoKbgx7Q= +nhooyr.io/websocket v1.8.10/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 
diff --git a/proto/Makefile b/proto/Makefile index 4132591f3..5afd3f93c 100644 --- a/proto/Makefile +++ b/proto/Makefile @@ -1,5 +1,5 @@ MAKEFLAGS += --no-print-directory -BUF_VERSION := 1.28.1 +BUF_VERSION := 1.29.0 _buf: docker run --rm \ From a9747982d9e8185ed1e563360fa6dbbd7bb23655 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Mon, 5 Feb 2024 15:29:14 +0100 Subject: [PATCH 06/22] Fill response --- .github/workflows/docker.yaml | 8 ++-- cmd/metal-api/internal/service/v1/machine.go | 39 ++++++++++++++++++++ spec/metal-api.json | 25 +++++++++++++ 3 files changed, 68 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index f63e608ab..b770f28f1 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -22,7 +22,7 @@ jobs: steps: - name: Log in to the container registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ secrets.DOCKER_REGISTRY_USER }} @@ -32,7 +32,7 @@ jobs: uses: actions/checkout@v3 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version-file: 'go.mod' cache: false @@ -63,10 +63,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version-file: 'go.mod' diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index b135b0bb3..51b983bd0 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go 
@@ -43,6 +43,12 @@ type MachineAllocation struct { Role string `json:"role" enum:"machine|firewall" description:"the role of the machine"` VPN *MachineVPN `json:"vpn" description:"vpn connection info for machine" optional:"true"` AllocationUUID string `json:"allocationuuid" description:"a unique identifier for this machine allocation, can be used to distinguish between machine allocations over time."` + FirewallRules *FirewallRules `json:"firewall_rules" description:"a set of firewall rules to apply"` +} + +type FirewallRules struct { + EgressRules []*FirewallEgressRule `json:"egress_rules"` + IngressRule []*FirewallIngressRule `json:"ingress_rules"` } type BootInfo struct { @@ -512,6 +518,38 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * networks = append(networks, network) } + var firewallRules *FirewallRules + if m.Allocation.Role == metal.RoleFirewall { + var ( + egressRules []*FirewallEgressRule + ingressRules []*FirewallIngressRule + ) + + for _, r := range m.Allocation.Egress { + r := r + egressRules = append(egressRules, &FirewallEgressRule{ + Protocol: string(r.Protocol), + Ports: r.Ports, + ToCIDRs: r.ToCIDRs, + Comment: r.Comment, + }) + } + for _, r := range m.Allocation.Ingress { + r := r + egressRules = append(egressRules, &FirewallEgressRule{ + Protocol: string(r.Protocol), + Ports: r.Ports, + ToCIDRs: r.FromCIDRs, + Comment: r.Comment, + }) + } + + firewallRules = &FirewallRules{ + EgressRules: egressRules, + IngressRule: ingressRules, + } + } + allocation = &MachineAllocation{ Creator: m.Allocation.Creator, Created: m.Allocation.Created, @@ -528,6 +566,7 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * Role: string(m.Allocation.Role), VPN: NewMachineVPN(m.Allocation.VPN), AllocationUUID: m.Allocation.UUID, + FirewallRules: firewallRules, } allocation.Reinstall = m.Allocation.Reinstall diff --git a/spec/metal-api.json b/spec/metal-api.json index d6daf4729..a77d8ce8a 100644 
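Review bot: The second loop added to `NewMachineResponse` (hunk `@@ -512,6 +518,38 @@`) ranges over `m.Allocation.Ingress` but appends a `FirewallEgressRule` to `egressRules`. As a result `ingressRules` is never filled, and every ingress rule is returned as an egress rule with its source CIDRs placed under `ToCIDRs`. A consumer that programs a firewall from this response (presumably the purpose of the field) would see an empty ingress list and additional egress allowances. The append should read `ingressRules = append(ingressRules, &FirewallIngressRule{` with `FromCIDRs: r.FromCIDRs,`, assuming `FirewallIngressRule` has that field, as the ingress loop in `machine-service.go` later in the series suggests. The same loop is carried unchanged through the `NewMachineResponse` hunks of patches 08/22 and 09/22, and the function body starts and ends outside this hunk.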
--- a/spec/metal-api.json +++ b/spec/metal-api.json @@ -1474,6 +1474,26 @@ "tags" ] }, + "v1.FirewallRules": { + "properties": { + "egress_rules": { + "items": { + "$ref": "#/definitions/v1.FirewallEgressRule" + }, + "type": "array" + }, + "ingress_rules": { + "items": { + "$ref": "#/definitions/v1.FirewallIngressRule" + }, + "type": "array" + } + }, + "required": [ + "egress_rules", + "ingress_rules" + ] + }, "v1.FirmwaresResponse": { "properties": { "revisions": { @@ -2121,6 +2141,10 @@ "$ref": "#/definitions/v1.FilesystemLayoutResponse", "description": "filesystemlayout to create on this machine" }, + "firewall_rules": { + "$ref": "#/definitions/v1.FirewallRules", + "description": "a set of firewall rules to apply" + }, "hostname": { "description": "the hostname which will be used when creating the machine", "type": "string" @@ -2181,6 +2205,7 @@ "allocationuuid", "created", "creator", + "firewall_rules", "hostname", "name", "networks", From 1d75046f3d72a713436594c81c1426e3cb6384df Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Mon, 5 Feb 2024 16:40:36 +0100 Subject: [PATCH 07/22] Better naming --- cmd/metal-api/internal/service/v1/machine.go | 8 ++++---- spec/metal-api.json | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index 51b983bd0..3cc80322e 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go @@ -47,8 +47,8 @@ type MachineAllocation struct { } type FirewallRules struct { - EgressRules []*FirewallEgressRule `json:"egress_rules"` - IngressRule []*FirewallIngressRule `json:"ingress_rules"` + Egress []*FirewallEgressRule `json:"egress"` + Ingress []*FirewallIngressRule `json:"ingress"` } type BootInfo struct { 
@@ -545,8 +545,8 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * } firewallRules = &FirewallRules{ - EgressRules: egressRules, - IngressRule: ingressRules, + Egress: egressRules, + Ingress: ingressRules, } } diff --git a/spec/metal-api.json b/spec/metal-api.json index a77d8ce8a..448e8bc4a 100644 --- a/spec/metal-api.json +++ b/spec/metal-api.json @@ -1476,13 +1476,13 @@ }, "v1.FirewallRules": { "properties": { - "egress_rules": { + "egress": { "items": { "$ref": "#/definitions/v1.FirewallEgressRule" }, "type": "array" }, - "ingress_rules": { + "ingress": { "items": { "$ref": "#/definitions/v1.FirewallIngressRule" }, @@ -1490,8 +1490,8 @@ } }, "required": [ - "egress_rules", - "ingress_rules" + "egress", + "ingress" ] }, "v1.FirmwaresResponse": { From 641a2a6d33b914a3c8fffe14de7730da6a75ea35 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Tue, 6 Feb 2024 08:43:03 +0100 Subject: [PATCH 08/22] API refinement --- .../internal/service/machine-service.go | 6 +-- cmd/metal-api/internal/service/v1/firewall.go | 3 +- cmd/metal-api/internal/service/v1/machine.go | 12 +++--- spec/metal-api.json | 42 +++++-------------- 4 files changed, 20 insertions(+), 43 deletions(-) diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index 069036320..0ba9a34e3 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go @@ -1039,10 +1039,10 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M role = metal.RoleMachine ) - if firewallRequest != nil { + if firewallRequest != nil && firewallRequest.FirewallRules != nil { role = metal.RoleFirewall - for _, ruleSpec := range firewallRequest.Egress { + for _, ruleSpec := range firewallRequest.FirewallRules.Egress { ruleSpec := ruleSpec protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) 
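Review bot: With the condition widened to `firewallRequest != nil && firewallRequest.FirewallRules != nil`, the `role = metal.RoleFirewall` assignment in `createMachineAllocationSpec` is skipped for a firewall request that carries no rules, so `role` keeps its `metal.RoleMachine` default. The role assignment should stay under `if firewallRequest != nil {`, with the nil check on `FirewallRules` guarding only the two rule loops; patch 11/22 later in this series restructures it that way. The function starts before the hunk and the egress loop continues past it.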
@@ -1064,7 +1064,7 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M egress = append(egress, rule) } - for _, ruleSpec := range firewallRequest.Ingress { + for _, ruleSpec := range firewallRequest.FirewallRules.Ingress { ruleSpec := ruleSpec protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) diff --git a/cmd/metal-api/internal/service/v1/firewall.go b/cmd/metal-api/internal/service/v1/firewall.go index 0a372f19f..33d361eb3 100644 --- a/cmd/metal-api/internal/service/v1/firewall.go +++ b/cmd/metal-api/internal/service/v1/firewall.go @@ -6,8 +6,7 @@ type FirewallCreateRequest struct { } type FirewallAllocateRequest struct { - Egress []FirewallEgressRule `json:"egress,omitempty" description:"list of egress rules to be deployed during firewall allocation" optional:"true"` - Ingress []FirewallIngressRule `json:"ingress,omitempty" description:"list of ingress rules to be deployed during firewall allocation" optional:"true"` + FirewallRules *FirewallRules `json:"firewall_rules" description:"optional egress and ingress firewall rules to deploy during firewall allocation" optional:"true"` } type FirewallEgressRule struct { diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index 3cc80322e..6ff30ee04 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go @@ -47,8 +47,8 @@ type MachineAllocation struct { } type FirewallRules struct { - Egress []*FirewallEgressRule `json:"egress"` - Ingress []*FirewallIngressRule `json:"ingress"` + Egress []FirewallEgressRule `json:"egress,omitempty" description:"list of egress rules to be deployed during firewall allocation" optional:"true"` + Ingress []FirewallIngressRule `json:"ingress,omitempty" description:"list of ingress rules to be deployed during firewall allocation" optional:"true"` } type BootInfo struct { 
@@ -521,13 +521,13 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * var firewallRules *FirewallRules if m.Allocation.Role == metal.RoleFirewall { var ( - egressRules []*FirewallEgressRule - ingressRules []*FirewallIngressRule + egressRules []FirewallEgressRule + ingressRules []FirewallIngressRule ) for _, r := range m.Allocation.Egress { r := r - egressRules = append(egressRules, &FirewallEgressRule{ + egressRules = append(egressRules, FirewallEgressRule{ Protocol: string(r.Protocol), Ports: r.Ports, ToCIDRs: r.ToCIDRs, @@ -536,7 +536,7 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * } for _, r := range m.Allocation.Ingress { r := r - egressRules = append(egressRules, &FirewallEgressRule{ + egressRules = append(egressRules, FirewallEgressRule{ Protocol: string(r.Protocol), Ports: r.Ports, ToCIDRs: r.FromCIDRs, diff --git a/spec/metal-api.json b/spec/metal-api.json index 448e8bc4a..91d6aafcd 100644 --- a/spec/metal-api.json +++ b/spec/metal-api.json @@ -1017,19 +1017,9 @@ }, "v1.FirewallAllocateRequest": { "properties": { - "egress": { - "description": "list of egress rules to be deployed during firewall allocation", - "items": { - "$ref": "#/definitions/v1.FirewallEgressRule" - }, - "type": "array" - }, - "ingress": { - "description": "list of ingress rules to be deployed during firewall allocation", - "items": { - "$ref": "#/definitions/v1.FirewallIngressRule" - }, - "type": "array" + "firewall_rules": { + "$ref": "#/definitions/v1.FirewallRules", + "description": "optional egress and ingress firewall rules to deploy during firewall allocation" } } }, 
@@ -1039,17 +1029,14 @@ "description": "a description for this entity", "type": "string" }, - "egress": { - "description": "list of egress rules to be deployed during firewall allocation", - "items": { - "$ref": "#/definitions/v1.FirewallEgressRule" - }, - "type": "array" - }, "filesystemlayoutid": { "description": "the filesystemlayout id to assing to this machine", "type": "string" }, + "firewall_rules": { + "$ref": "#/definitions/v1.FirewallRules", + "description": "optional egress and ingress firewall rules to deploy during firewall allocation" + }, "hostname": { "description": "the hostname for the allocated machine (defaults to metal)", "type": "string" @@ -1058,13 +1045,6 @@ "description": "the image id to assign this machine to", "type": "string" }, - "ingress": { - "description": "list of ingress rules to be deployed during firewall allocation", - "items": { - "$ref": "#/definitions/v1.FirewallIngressRule" - }, - "type": "array" - }, "ips": { "description": "the ips to attach to this machine additionally", "items": { @@ -1477,22 +1457,20 @@ "v1.FirewallRules": { "properties": { "egress": { + "description": "list of egress rules to be deployed during firewall allocation", "items": { "$ref": "#/definitions/v1.FirewallEgressRule" }, "type": "array" }, "ingress": { + "description": "list of ingress rules to be deployed during firewall allocation", "items": { "$ref": "#/definitions/v1.FirewallIngressRule" }, "type": "array" } - }, - "required": [ - "egress", - "ingress" - ] + } }, "v1.FirmwaresResponse": { "properties": { From 11533decef658ef17818f2c2f1d5b47c2e442eae Mon Sep 17 00:00:00 2001 
From: Stefan Majer Date: Tue, 6 Feb 2024 10:47:07 +0100 Subject: [PATCH 09/22] Consistent api --- .../internal/datastore/machine_integration_test.go | 14 ++++++++++---- cmd/metal-api/internal/metal/machine.go | 8 ++++++-- cmd/metal-api/internal/service/machine-service.go | 12 ++++++++++-- cmd/metal-api/internal/service/v1/machine.go | 6 +++--- 4 files changed, 29 insertions(+), 11 deletions(-) diff --git a/cmd/metal-api/internal/datastore/machine_integration_test.go b/cmd/metal-api/internal/datastore/machine_integration_test.go index fbf12686d..a28556d6b 100644 --- a/cmd/metal-api/internal/datastore/machine_integration_test.go +++ b/cmd/metal-api/internal/datastore/machine_integration_test.go @@ -92,11 +92,17 @@ func (_ *machineTestable) defaultBody(m *metal.Machine) *metal.Machine { if m.Allocation.SSHPubKeys == nil { m.Allocation.SSHPubKeys = []string{} } - if m.Allocation.Egress == nil { - m.Allocation.Egress = []metal.EgressRule{} + if m.Allocation.FirewallRules == nil { + m.Allocation.FirewallRules = &metal.FirewallRules{ + Egress: []metal.EgressRule{}, + Ingress: []metal.IngressRule{}, + } + } + if m.Allocation.FirewallRules.Egress == nil { + m.Allocation.FirewallRules.Egress = []metal.EgressRule{} } - if m.Allocation.Ingress == nil { - m.Allocation.Ingress = []metal.IngressRule{} + if m.Allocation.FirewallRules.Ingress == nil { + m.Allocation.FirewallRules.Ingress = []metal.IngressRule{} } for i := range m.Allocation.MachineNetworks { n := m.Allocation.MachineNetworks[i] diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index bf420706c..755280af3 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go 
@@ -149,8 +149,12 @@ type MachineAllocation struct { Role Role `rethinkdb:"role" json:"role"` VPN *MachineVPN `rethinkdb:"vpn" json:"vpn"` UUID string `rethinkdb:"uuid" json:"uuid"` - Egress []EgressRule `rethinkdb:"egress" json:"egress"` - Ingress []IngressRule `rethinkdb:"ingress" json:"ingress"` + FirewallRules *FirewallRules `rethinkdb:"firewall_rules" json:"firewall_rules"` +} + +type FirewallRules struct { + Egress []EgressRule `rethinkdb:"egress" json:"egress"` + Ingress []IngressRule `rethinkdb:"ingress" json:"ingress"` } type EgressRule struct { diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index 0ba9a34e3..1277aef05 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go @@ -1213,6 +1213,15 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam if err != nil { return nil, err } + + var firewallRules *metal.FirewallRules + if len(allocationSpec.EgressRules) > 0 || len(allocationSpec.IngressRules) > 0 { + firewallRules = &metal.FirewallRules{ + Egress: allocationSpec.EgressRules, + Ingress: allocationSpec.IngressRules, + } + } + // as some fields in the allocation spec are optional, they will now be clearly defined by the machine candidate allocationSpec.UUID = machineCandidate.ID @@ -1229,8 +1238,7 @@ func allocateMachine(logger *zap.SugaredLogger, ds *datastore.RethinkStore, ipam MachineNetworks: []*metal.MachineNetwork{}, Role: allocationSpec.Role, VPN: allocationSpec.VPN, - Egress: allocationSpec.EgressRules, - Ingress: allocationSpec.IngressRules, + FirewallRules: firewallRules, UUID: uuid.New().String(), } rollbackOnError := func(err error) error { diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index 6ff30ee04..06266edec 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go 
@@ -519,13 +519,13 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * } var firewallRules *FirewallRules - if m.Allocation.Role == metal.RoleFirewall { + if m.Allocation.Role == metal.RoleFirewall && m.Allocation.FirewallRules != nil { var ( egressRules []FirewallEgressRule ingressRules []FirewallIngressRule ) - for _, r := range m.Allocation.Egress { + for _, r := range m.Allocation.FirewallRules.Egress { r := r egressRules = append(egressRules, FirewallEgressRule{ Protocol: string(r.Protocol), @@ -534,7 +534,7 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * Comment: r.Comment, }) } - for _, r := range m.Allocation.Ingress { + for _, r := range m.Allocation.FirewallRules.Ingress { r := r egressRules = append(egressRules, FirewallEgressRule{ Protocol: string(r.Protocol), From e3d6526be956468238ca586d396ff8113a883e5b Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Tue, 6 Feb 2024 11:00:19 +0100 Subject: [PATCH 10/22] Simplify integration tests --- .../internal/datastore/machine_integration_test.go | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/cmd/metal-api/internal/datastore/machine_integration_test.go b/cmd/metal-api/internal/datastore/machine_integration_test.go index a28556d6b..0fe9d6cfb 100644 --- a/cmd/metal-api/internal/datastore/machine_integration_test.go +++ b/cmd/metal-api/internal/datastore/machine_integration_test.go 
@@ -92,18 +92,6 @@ func (_ *machineTestable) defaultBody(m *metal.Machine) *metal.Machine { if m.Allocation.SSHPubKeys == nil { m.Allocation.SSHPubKeys = []string{} } - if m.Allocation.FirewallRules == nil { - m.Allocation.FirewallRules = &metal.FirewallRules{ - Egress: []metal.EgressRule{}, - Ingress: []metal.IngressRule{}, - } - } - if m.Allocation.FirewallRules.Egress == nil { - m.Allocation.FirewallRules.Egress = []metal.EgressRule{} - } - if m.Allocation.FirewallRules.Ingress == nil { - m.Allocation.FirewallRules.Ingress = []metal.IngressRule{} - } for i := range m.Allocation.MachineNetworks { n := m.Allocation.MachineNetworks[i] if n.Prefixes == nil { From dd3538008563a1f80a843c15f863044ac56cc7eb Mon Sep 17 00:00:00 2001 From: Gerrit91 Date: Tue, 6 Feb 2024 16:05:26 +0100 Subject: [PATCH 11/22] Fix. --- .../internal/service/machine-service.go | 68 ++++++++++--------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index 1277aef05..3cc39141f 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go 
@@ -1039,51 +1039,53 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M role = metal.RoleMachine ) - if firewallRequest != nil && firewallRequest.FirewallRules != nil { + if firewallRequest != nil { role = metal.RoleFirewall - for _, ruleSpec := range firewallRequest.FirewallRules.Egress { - ruleSpec := ruleSpec + if firewallRequest.FirewallRules != nil { + for _, ruleSpec := range firewallRequest.FirewallRules.Egress { + ruleSpec := ruleSpec - protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) - if err != nil { - return nil, err - } + protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) + if err != nil { + return nil, err + } - rule := metal.EgressRule{ - Protocol: protocol, - Ports: ruleSpec.Ports, - ToCIDRs: ruleSpec.ToCIDRs, - Comment: ruleSpec.Comment, - } + rule := metal.EgressRule{ + Protocol: protocol, + Ports: ruleSpec.Ports, + ToCIDRs: ruleSpec.ToCIDRs, + Comment: ruleSpec.Comment, + } + + if err := rule.Validate(); err != nil { + return nil, err + } - if err := rule.Validate(); err != nil { - return nil, err + egress = append(egress, rule) } - egress = append(egress, rule) - } + for _, ruleSpec := range firewallRequest.FirewallRules.Ingress { + ruleSpec := ruleSpec - for _, ruleSpec := range firewallRequest.FirewallRules.Ingress { - ruleSpec := ruleSpec + protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) + if err != nil { + return nil, err + } - protocol, err := metal.ProtocolFromString(ruleSpec.Protocol) - if err != nil { - return nil, err - } + rule := metal.IngressRule{ + Protocol: protocol, + Ports: ruleSpec.Ports, + FromCIDRs: ruleSpec.FromCIDRs, + Comment: ruleSpec.Comment, + } - rule := metal.IngressRule{ - Protocol: protocol, - Ports: ruleSpec.Ports, - FromCIDRs: ruleSpec.FromCIDRs, - Comment: ruleSpec.Comment, - } + if err := rule.Validate(); err != nil { + return nil, err + } - if err := rule.Validate(); err != nil { - return nil, err + ingress = append(ingress, rule) } - - ingress = 
append(ingress, rule) } } From 46bbc65562079e770e4af81f44a3193fe15a4855 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Thu, 8 Feb 2024 08:19:07 +0100 Subject: [PATCH 12/22] Ensure rule comment is not dangerous --- .../datastore/integer_integration_test.go | 4 +++- cmd/metal-api/internal/metal/machine.go | 19 ++++++++++++++++++- .../internal/service/integration_test.go | 4 +++- .../machine-service_allocation_test.go | 4 +++- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/cmd/metal-api/internal/datastore/integer_integration_test.go b/cmd/metal-api/internal/datastore/integer_integration_test.go index 24e8bdbc9..a830d6980 100644 --- a/cmd/metal-api/internal/datastore/integer_integration_test.go +++ b/cmd/metal-api/internal/datastore/integer_integration_test.go @@ -96,7 +96,9 @@ func TestRethinkStore_AcquireUniqueIntegerPoolExhaustionIntegration(t *testing.T go func() { defer wg.Done() got, err := pool.AcquireRandomUniqueInteger() - require.NoError(t, err) + if err != nil { + t.Fail() + } assert.GreaterOrEqual(t, got, uint(rs.VRFPoolRangeMin)) assert.LessOrEqual(t, got, uint(rs.VRFPoolRangeMax)) t.Logf("acquired a vrf %d at: %s", got, time.Now()) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index 755280af3..ae4f78759 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -197,6 +197,9 @@ func (r EgressRule) Validate() error { return fmt.Errorf("invalid procotol: %s", r.Protocol) } + if err := validateComment(r.Comment); err != nil { + return err + } if err := validatePorts(r.Ports); err != nil { return err } @@ -213,7 +216,10 @@ func (r IngressRule) Validate() error { case ProtocolTCP, ProtocolUDP: // ok default: - return fmt.Errorf("invalid procotol: %s", r.Protocol) + return fmt.Errorf("invalid protocol: %s", r.Protocol) + } + if err := validateComment(r.Comment); err != nil { + return err } if err := validatePorts(r.Ports); err != nil { 
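Review bot: Replacing `require.NoError(t, err)` with `if err != nil { t.Fail() }` inside the goroutine keeps `FailNow` off a non-test goroutine, but it discards `err` and lets the following `assert` calls run on a `got` that was never acquired. `if err != nil { t.Errorf("acquiring unique integer: %v", err); return }` reports the cause and stops the goroutine early. The same `t.Fail()` pattern is added in `integration_test.go` and `machine-service_allocation_test.go` in this commit, where `t.Error(err)` would preserve the error text.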
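Review bot: `EgressRule.Validate` still returns `invalid procotol` while this commit corrects the same message in `IngressRule.Validate`, so the two validators now report one condition with two different strings. Change the egress line to `return fmt.Errorf("invalid protocol: %s", r.Protocol)` so that logs and tests can match a single message.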
@@ -227,6 +233,17 @@ func (r IngressRule) Validate() error { return nil } +const allowedCharacters = "abcdefghijklmnopqrstuvwxyz_- " + +func validateComment(comment string) error { + for _, c := range comment { + if !strings.Contains(allowedCharacters, strings.ToLower(string(c))) { + return fmt.Errorf("illegal character in comment found:%q", c) + } + } + return nil +} + func validatePorts(ports []int) error { for _, port := range ports { if port < 0 || port > 65535 { diff --git a/cmd/metal-api/internal/service/integration_test.go b/cmd/metal-api/internal/service/integration_test.go index 59fe11020..b7478d047 100644 --- a/cmd/metal-api/internal/service/integration_test.go +++ b/cmd/metal-api/internal/service/integration_test.go @@ -99,7 +99,9 @@ func createTestEnvironment(t *testing.T) testEnv { ResponseInterval: 2 * time.Millisecond, CheckInterval: 1 * time.Hour, }) - require.NoError(t, err) + if err != nil { + t.Fail() + } }() hma := security.NewHMACAuth(testUserDirectory.admin.Name, []byte{1, 2, 3}, security.WithUser(testUserDirectory.admin)) diff --git a/cmd/metal-api/internal/service/machine-service_allocation_test.go b/cmd/metal-api/internal/service/machine-service_allocation_test.go index 38d788600..85d711c87 100644 --- a/cmd/metal-api/internal/service/machine-service_allocation_test.go +++ b/cmd/metal-api/internal/service/machine-service_allocation_test.go @@ -327,7 +327,9 @@ func setupTestEnvironment(machineCount int, t *testing.T) (*datastore.RethinkSto ResponseInterval: 2 * time.Millisecond, CheckInterval: 1 * time.Hour, }) - require.NoError(t, err) + if err != nil { + t.Fail() + } }() usergetter := security.NewCreds(security.WithHMAC(hma)) From d2fde048762842556507b3f39911673792e09890 Mon Sep 17 00:00:00 2001 
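Review bot: `validateComment` lower-cases each rune with `strings.ToLower` before the allow-list lookup, and Unicode case mapping folds some non-ASCII runes onto ASCII letters (U+212A KELVIN SIGN lower-cases to `k`), so such runes pass a check that reads as ASCII-only. Comparing the rune itself closes that gap: `if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c == '_' || c == '-' || c == ' ') {`. The function also places no upper bound on the comment length; if the comment is later rendered into a firewall ruleset (not visible in this hunk), this is the place to enforce that consumer's limit. Digits are rejected too, so a comment that mentions a port number fails validation; a doc comment on `allowedCharacters` stating the rationale would make clear whether that is intended.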
From: Stefan Majer Date: Thu, 8 Feb 2024 13:25:33 +0100 Subject: [PATCH 13/22] Update deps --- cmd/metal-api/main.go | 2 +- go.mod | 48 +++++++++++++++++-------------------- go.sum | 56 ++++++++++++++++++++----------------------- 3 files changed, 49 insertions(+), 57 deletions(-) diff --git a/cmd/metal-api/main.go b/cmd/metal-api/main.go index f3780c22b..11bb5264a 100644 --- a/cmd/metal-api/main.go +++ b/cmd/metal-api/main.go @@ -541,7 +541,7 @@ func initMasterData() { var err error for { ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second) - mdc, err = mdm.NewClient(ctx, hostname, port, certpath, certkeypath, ca, hmacKey, logger.Desugar()) + mdc, err = mdm.NewClient(ctx, hostname, port, certpath, certkeypath, ca, hmacKey, false, logger.Desugar()) if err == nil { cancel() break diff --git a/go.mod b/go.mod index 816b730fb..77065fdc2 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/metal-stack/metal-api -go 1.21 +go 1.22 require ( github.com/Masterminds/semver/v3 v3.2.1 @@ -8,7 +8,7 @@ require ( github.com/aws/aws-sdk-go v1.44.326 github.com/dustin/go-humanize v1.0.1 github.com/emicklei/go-restful-openapi/v2 v2.9.1 - github.com/emicklei/go-restful/v3 v3.11.0 + github.com/emicklei/go-restful/v3 v3.11.2 github.com/go-openapi/spec v0.20.14 github.com/google/go-cmp v0.6.0 github.com/google/uuid v1.6.0 @@ -17,9 +17,9 @@ require ( github.com/juanfont/headscale v0.22.3 github.com/looplab/fsm v0.3.0 github.com/metal-stack/go-ipam v1.8.5 - github.com/metal-stack/masterdata-api v0.10.1 + github.com/metal-stack/masterdata-api v0.10.2 github.com/metal-stack/metal-lib v0.14.4 - github.com/metal-stack/security v0.7.1 + github.com/metal-stack/security v0.7.2 github.com/metal-stack/v v1.0.3 github.com/nsqio/go-nsq v1.1.0 github.com/prometheus/client_golang v1.18.0 
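Review bot: The new positional `false` in the `mdm.NewClient` call is unreadable at the call site: it sits between the HMAC key and the logger in a call that also takes the certificate, key and CA paths, and nothing here says what it switches. Add a comment or a named constant carrying the parameter's name from the masterdata-api signature (not visible in this diff), so that a later flip to `true` stands out in review, especially if it controls transport security. initMasterData starts and continues outside this hunk.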
@@ -29,24 +29,13 @@ require ( github.com/testcontainers/testcontainers-go v0.27.0 github.com/undefinedlabs/go-mpatch v1.0.7 go.uber.org/zap v1.26.0 - golang.org/x/crypto v0.18.0 + golang.org/x/crypto v0.19.0 golang.org/x/sync v0.6.0 google.golang.org/grpc v1.61.0 google.golang.org/protobuf v1.32.0 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.2 ) -require ( - github.com/felixge/httpsnoop v1.0.3 // indirect - github.com/go-logr/logr v1.3.0 // indirect - github.com/go-logr/stdr v1.2.2 // indirect - github.com/moby/sys/user v0.1.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect - go.opentelemetry.io/otel v1.19.0 // indirect - go.opentelemetry.io/otel/metric v1.19.0 // indirect - go.opentelemetry.io/otel/trace v1.19.0 // indirect -) - replace ( // netipx and x/exp must be replaced for tailscale < 1.48 go4.org/netipx => go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35 @@ -78,14 +67,17 @@ require ( github.com/deckarep/golang-set/v2 v2.6.0 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect github.com/distribution/reference v0.5.0 // indirect - github.com/docker/docker v25.0.2+incompatible // indirect + github.com/docker/docker v25.0.3+incompatible // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect + github.com/felixge/httpsnoop v1.0.3 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/fxamacker/cbor/v2 v2.5.0 // indirect github.com/glebarez/go-sqlite v1.20.3 // indirect github.com/glebarez/sqlite v1.7.0 // indirect github.com/go-jose/go-jose/v3 v3.0.1 // indirect + github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/go-openapi/errors v0.21.0 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect 
@@ -131,7 +123,6 @@ require ( github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/mdlayher/netlink v1.7.2 // indirect github.com/mdlayher/socket v0.5.0 // indirect github.com/meilisearch/meilisearch-go v0.26.1 // indirect @@ -139,6 +130,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/sequential v0.5.0 // indirect + github.com/moby/sys/user v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect @@ -154,11 +146,11 @@ require ( github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.45.0 // indirect + github.com/prometheus/common v0.46.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect - github.com/puzpuzpuz/xsync/v2 v2.4.1 // indirect + github.com/puzpuzpuz/xsync/v2 v2.5.1 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect - github.com/rs/zerolog v1.30.0 // indirect + github.com/rs/zerolog v1.32.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/samber/lo v1.38.1 // indirect 
@@ -180,16 +172,20 @@ require ( github.com/x448/float16 v0.8.4 // indirect github.com/yusufpapurcu/wmi v1.2.3 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect + go.opentelemetry.io/otel v1.19.0 // indirect + go.opentelemetry.io/otel/metric v1.19.0 // indirect + go.opentelemetry.io/otel/trace v1.19.0 // indirect go.uber.org/multierr v1.11.0 // indirect go4.org/intern v0.0.0-20230205224052-192e9f60865c // indirect go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect - go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect + go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect go4.org/unsafe/assume-no-moving-gc v0.0.0-20231121144256-b99613f794b6 // indirect - golang.org/x/exp v0.0.0-20240119083558-1b970713d09a - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.20.0 // indirect + golang.org/x/exp v0.0.0-20240205201215-2c58cdc269a3 + golang.org/x/mod v0.15.0 // indirect + golang.org/x/net v0.21.0 // indirect golang.org/x/oauth2 v0.16.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect; indirecct golang.org/x/tools v0.17.0 // indirect diff --git a/go.sum b/go.sum index eee4264b1..1c7dce6c6 100644 --- a/go.sum +++ b/go.sum 
@@ -228,8 +228,8 @@ github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TT github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v25.0.2+incompatible h1:/OaKeauroa10K4Nqavw4zlhcDq/WBcPMc5DbjOGgozY= -github.com/docker/docker v25.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v25.0.3+incompatible h1:D5fy/lYmY7bvZa0XTZ5/UJPljor41F+vdyJG5luQLfQ= +github.com/docker/docker v25.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 
@@ -254,8 +254,8 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT github.com/emicklei/go-restful-openapi/v2 v2.9.1 h1:Of8B1rXdG81il5TTiSY+9Qrh7pYOr8aLdynHIpvo7fM= github.com/emicklei/go-restful-openapi/v2 v2.9.1/go.mod h1:VKNgZyYviM1hnyrjD9RDzP2RuE94xTXxV+u6MGN4v4k= github.com/emicklei/go-restful/v3 v3.7.3/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= -github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= +github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -563,12 +563,11 @@ github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= 
@@ -578,8 +577,6 @@ github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOj github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g= github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI= 
@@ -588,12 +585,12 @@ github.com/meilisearch/meilisearch-go v0.26.1 h1:3bmo2uLijX7kvBmiZ9LupVfC95TFcRJ github.com/meilisearch/meilisearch-go v0.26.1/go.mod h1:SxuSqDcPBIykjWz1PX+KzsYzArNLSCadQodWs8extS0= github.com/metal-stack/go-ipam v1.8.5 h1:XE1XfaU6Ck1Ucc7svTO25dlT7kEcE1oxOM3lBrWIQmE= github.com/metal-stack/go-ipam v1.8.5/go.mod h1:JgsddJabu8A7lWD+4MJKqbQhmSA/zhBbO+Bp8pLhRZM= -github.com/metal-stack/masterdata-api v0.10.1 h1:r7KuFJvMBfjMcMn5Cppy2n39uK+7D284PXGPDhRYzec= -github.com/metal-stack/masterdata-api v0.10.1/go.mod h1:cet+ezlcRoEpN8jEjRo/8xn8v946gnsdX0lDaF8/ZJY= +github.com/metal-stack/masterdata-api v0.10.2 h1:0H/JhIMRPwKZICFD1BWigWkrCsNeq+IQkUzkWA1b4io= +github.com/metal-stack/masterdata-api v0.10.2/go.mod h1:DscUdLAKrLIjduaIPdUh9YZEIqiyN0Bb8Vg2d+Q3NjY= github.com/metal-stack/metal-lib v0.14.4 h1:vm2868vcua6khoyWL7d0to8Hq5RayrjMse0FZTyWEec= github.com/metal-stack/metal-lib v0.14.4/go.mod h1:Z3PAh8dkyWC4B19fXsu6EYwXXee0Lk9JZbjoHPLbDbc= -github.com/metal-stack/security v0.7.1 h1:bwiPhT/gArl9IRJlhpDZzAs5Us6rmIt9bcuQXcLKO5k= -github.com/metal-stack/security v0.7.1/go.mod h1:v+JrV2tIvoKESY0puONL3rAocfLkol1pqm2osm9PLcw= +github.com/metal-stack/security v0.7.2 h1:kUdWej+a0+YPBGt4fT56Mu8cWX/tOjeKL/FWNlUuoe8= +github.com/metal-stack/security v0.7.2/go.mod h1:dTidiZIEzZajwqizrOCTJbmjQSYVbe1tG52IoMlnKZo= github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs= github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg= github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= 
@@ -717,8 +714,8 @@ github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7q github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= -github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= +github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -730,8 +727,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/puzpuzpuz/xsync/v2 v2.4.1 h1:aGdE1C/HaR/QC6YAFdtZXi60Df8/qBIrs8PKrzkItcM= -github.com/puzpuzpuz/xsync/v2 v2.4.1/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU= +github.com/puzpuzpuz/xsync/v2 v2.5.1 h1:mVGYAvzDSu52+zaGyNjC+24Xw2bQi3kTr4QJ6N9pIIU= +github.com/puzpuzpuz/xsync/v2 v2.5.1/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= 
@@ -741,8 +738,8 @@ github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTE github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= -github.com/rs/zerolog v1.30.0 h1:SymVODrcRsaRaSInD9yQtKbtWqwsfoPcRff/oRXLj4c= -github.com/rs/zerolog v1.30.0/go.mod h1:/tk+P47gFdPXq4QYjvCmT5/Gsug2nagsFWBWhAiSi1w= +github.com/rs/zerolog v1.32.0 h1:keLypqrlIjaFsbmJOBdB/qvyF8KEtCWHwobLp5l/mQ0= +github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= 
@@ -939,8 +936,8 @@ golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw= golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -960,8 +957,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8= +golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1002,8 +999,8 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1081,8 +1078,6 @@ golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1096,15 +1091,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 2c2afd16a720671e07a740cc8723ae698f6161c3 Mon Sep 17 00:00:00 2001 
From: Stefan Majer Date: Thu, 8 Feb 2024 13:39:00 +0100 Subject: [PATCH 14/22] Add validation test --- cmd/metal-api/internal/metal/machine_test.go | 64 ++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/cmd/metal-api/internal/metal/machine_test.go b/cmd/metal-api/internal/metal/machine_test.go index d689bc6b9..b1df1bb6d 100644 --- a/cmd/metal-api/internal/metal/machine_test.go +++ b/cmd/metal-api/internal/metal/machine_test.go @@ -195,3 +195,67 @@ func TestMachineNetwork_NetworkType(t *testing.T) { } // TODO: Write tests for machine allocation + +func TestEgressRule_Validate(t *testing.T) { + tests := []struct { + name string + Protocol Protocol + Ports []int + ToCIDRs []string + Comment string + wantErr bool + }{ + { + name: "valid egress rule", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", + }, + { + name: "wrong protocol", + Protocol: Protocol("sctp"), + Ports: []int{1, 2, 3}, + ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", + wantErr: true, + }, + { + name: "wrong port", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3, -1}, + ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", + wantErr: true, + }, + { + name: "wrong cidr", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/33"}, + Comment: "allow apt update", + wantErr: true, + }, + { + name: "wrong cidr", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update\n", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := EgressRule{ + Protocol: tt.Protocol, + Ports: tt.Ports, + ToCIDRs: tt.ToCIDRs, + Comment: tt.Comment, + } + if err := r.Validate(); (err != nil) != tt.wantErr { + t.Errorf("EgressRule.Validate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} 
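Review bot: The last table entry in TestEgressRule_Validate is named `wrong cidr` a second time, but it is the only case exercising the comment check (its CIDRs are valid and the comment ends in `\n`); rename it to `name: "wrong comment",` so a failure points at the right validator. The table also has no counterpart for IngressRule.Validate and no comment cases for upper-case letters, digits or non-ASCII input, which are the inputs where the allow-list in validateComment is most likely to surprise. Adding those rows would pin the intended behaviour.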
From 5459307c8a42df9e2f23ec1ed533dcdd0238d29b Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Mon, 12 Feb 2024 13:18:43 +0100 Subject: [PATCH 15/22] Fix --- cmd/metal-api/internal/service/v1/machine.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index 06266edec..b301d4430 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go @@ -536,11 +536,11 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * } for _, r := range m.Allocation.FirewallRules.Ingress { r := r - egressRules = append(egressRules, FirewallEgressRule{ - Protocol: string(r.Protocol), - Ports: r.Ports, - ToCIDRs: r.FromCIDRs, - Comment: r.Comment, + ingressRules = append(ingressRules, FirewallIngressRule{ + Protocol: string(r.Protocol), + Ports: r.Ports, + FromCIDRs: r.FromCIDRs, + Comment: r.Comment, }) } From 53e84626dd118daaf82a0667189a742b19a70f25 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Mon, 12 Feb 2024 14:00:07 +0100 Subject: [PATCH 16/22] Fix protocol --- cmd/metal-api/internal/metal/machine.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index ae4f78759..f4d09cb18 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -183,7 +183,7 @@ func ProtocolFromString(s string) (Protocol, error) { case "tcp": return ProtocolTCP, nil case "udp": - return ProtocolTCP, nil + return ProtocolUDP, nil default: return Protocol(""), fmt.Errorf("no such protocol: %s", s) } From 8c2bdce0980a4d73f5bb569d6a997c619b4c2e62 Mon Sep 17 00:00:00 2001 
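Review bot: Nothing in the ProtocolFromString fix pins the corrected mapping, and the original defect (`"udp"` returning ProtocolTCP) turned UDP rules into TCP rules while still passing Validate. A small table test over ProtocolFromString covering `tcp`, `udp`, mixed case and an unknown value would catch a regression. The error for unknown input formats the caller's string with `%s`; `%q` would make empty or control-character input visible: `fmt.Errorf("no such protocol: %q", s)`.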
From: Stefan Majer Date: Tue, 13 Feb 2024 07:56:59 +0100 Subject: [PATCH 17/22] Use range over int --- cmd/metal-api/internal/datastore/machine_test.go | 4 ++-- .../internal/grpc/boot-service-wait_integration_test.go | 8 ++++---- cmd/metal-api/internal/metal/network_test.go | 4 ++-- .../internal/service/machine-service_allocation_test.go | 9 ++++----- .../internal/service/machine-service_integration_test.go | 6 +++--- 5 files changed, 15 insertions(+), 16 deletions(-) diff --git a/cmd/metal-api/internal/datastore/machine_test.go b/cmd/metal-api/internal/datastore/machine_test.go index 09bdd31be..b745d10e1 100644 --- a/cmd/metal-api/internal/datastore/machine_test.go +++ b/cmd/metal-api/internal/datastore/machine_test.go @@ -696,7 +696,7 @@ func BenchmarkElectMachine(b *testing.B) { } for _, t := range tests { b.Run(t.name, func(b *testing.B) { - for i := 0; i < b.N; i++ { + for range b.N { spreadAcrossRacks(t.args.allMachines, t.args.projectMachines, t.args.tags) } }) @@ -707,7 +707,7 @@ func getTestMachines(numPerRack int, rackids []string, tags []string) metal.Mach machines := make(metal.Machines, 0) for _, id := range rackids { - for i := 0; i < numPerRack; i++ { + for range numPerRack { m := metal.Machine{ RackID: id, Tags: tags, diff --git a/cmd/metal-api/internal/grpc/boot-service-wait_integration_test.go b/cmd/metal-api/internal/grpc/boot-service-wait_integration_test.go index 5fd1c39c5..3a306e11f 100644 --- a/cmd/metal-api/internal/grpc/boot-service-wait_integration_test.go +++ b/cmd/metal-api/internal/grpc/boot-service-wait_integration_test.go @@ -129,7 +129,7 @@ func (t *test) run() { } ds, mock := datastore.InitMockDB(t.T) - for i := 0; i < t.numberMachineInstances; i++ { + for i := range t.numberMachineInstances { machineID := strconv.Itoa(i) mock.On(r.DB("mockdb").Table("machine").Get(machineID)).Return(metal.Machine{Base: metal.Base{ID: machineID}}, nil) mock.On(insertMock(true, machineID)).Return(returnMock(true, machineID), nil) 
@@ -214,7 +214,7 @@ func (t *test) stopMachineInstances() { } func (t *test) startApiInstances(ds *datastore.RethinkStore) { - for i := 0; i < t.numberApiInstances; i++ { + for i := range t.numberApiInstances { ctx, cancel := context.WithCancel(context.Background()) allocate := make(chan string) @@ -252,7 +252,7 @@ func (t *test) startMachineInstances() { grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock(), } - for i := 0; i < t.numberMachineInstances; i++ { + for i := range t.numberMachineInstances { machineID := strconv.Itoa(i) port := 50005 + t.randNumber(t.numberApiInstances) ctx, cancel := context.WithCancel(context.Background()) @@ -317,7 +317,7 @@ func (t *test) waitForAllocation(machineID string, c v1.BootServiceClient, ctx c func (t *test) allocateMachines() { var alreadyAllocated []string - for i := 0; i < t.numberAllocations; i++ { + for range t.numberAllocations { machineID := t.selectMachine(alreadyAllocated) alreadyAllocated = append(alreadyAllocated, machineID) t.mtx.Lock() diff --git a/cmd/metal-api/internal/metal/network_test.go b/cmd/metal-api/internal/metal/network_test.go index 49c825442..fa9c96950 100644 --- a/cmd/metal-api/internal/metal/network_test.go +++ b/cmd/metal-api/internal/metal/network_test.go @@ -10,7 +10,7 @@ func TestNics_ByIdentifier(t *testing.T) { // Create Nics countOfNics := 3 nicArray := make([]Nic, countOfNics) - for i := 0; i < countOfNics; i++ { + for i := range countOfNics { nicArray[i] = Nic{ MacAddress: MacAddress("11:11:1" + fmt.Sprintf("%d", i)), Name: "swp" + fmt.Sprintf("%d", i), @@ -19,7 +19,7 @@ func TestNics_ByIdentifier(t *testing.T) { } // all have all as Neighbors - for i := 0; i < countOfNics; i++ { + for i := range countOfNics { nicArray[i].Neighbors = append(nicArray[0:i], nicArray[i+1:countOfNics]...) } diff --git a/cmd/metal-api/internal/service/machine-service_allocation_test.go b/cmd/metal-api/internal/service/machine-service_allocation_test.go index 85d711c87..94d9dff0d 100644 
--- a/cmd/metal-api/internal/service/machine-service_allocation_test.go +++ b/cmd/metal-api/internal/service/machine-service_allocation_test.go @@ -67,8 +67,7 @@ func TestMachineAllocationIntegration(t *testing.T) { // Register e, _ := errgroup.WithContext(context.Background()) - for i := 0; i < machineCount; i++ { - i := i + for i := range machineCount { e.Go(func() error { var ma *grpcv1.BootServiceRegisterResponse mr := createMachineRegisterRequest(i) @@ -113,7 +112,7 @@ func TestMachineAllocationIntegration(t *testing.T) { ips := make(map[string]string) start := time.Now() - for i := 0; i < machineCount; i++ { + for range machineCount { g.Go(func() error { var ma v1.MachineResponse err := retry.Do( @@ -341,7 +340,7 @@ func setupTestEnvironment(machineCount int, t *testing.T) (*datastore.RethinkSto } func createTestdata(machineCount int, rs *datastore.RethinkStore, ipamer goipam.Ipamer, t *testing.T) { - for i := 0; i < machineCount; i++ { + for i := range machineCount { id := fmt.Sprintf("WaitingMachine%d", i) m := &metal.Machine{ Base: metal.Base{ID: id}, @@ -377,7 +376,7 @@ func createTestdata(machineCount int, rs *datastore.RethinkStore, ipamer goipam. sw1nics := metal.Nics{} sw2nics := metal.Nics{} - for j := 0; j < machineCount; j++ { + for j := range machineCount { sw1nic := metal.Nic{ Name: fmt.Sprintf("swp-%d", j), MacAddress: metal.MacAddress(fmt.Sprintf("%s:%d", swp1MacPrefix, j)), diff --git a/cmd/metal-api/internal/service/machine-service_integration_test.go b/cmd/metal-api/internal/service/machine-service_integration_test.go index 0c08511c8..03f4ad3c7 100644 --- a/cmd/metal-api/internal/service/machine-service_integration_test.go +++ b/cmd/metal-api/internal/service/machine-service_integration_test.go @@ -227,7 +227,7 @@ func BenchmarkMachineList(b *testing.B) { refCount := 100 machineCount := 1000 - for i := 0; i < refCount; i++ { + for i := range refCount { base := metal.Base{ID: strconv.Itoa(i)} img := &metal.Image{ Base: base, 
@@ -248,7 +248,7 @@ func BenchmarkMachineList(b *testing.B) { require.NoError(b, err) } - for i := 0; i < machineCount; i++ { + for i := range machineCount { base := metal.Base{ID: uuid.NewString()} refID := strconv.Itoa(i % refCount) @@ -276,7 +276,7 @@ func BenchmarkMachineList(b *testing.B) { b.ResetTimer() - for i := 0; i < b.N; i++ { + for range b.N { var machines []v1.MachineResponse code := webRequestGet(b, machineService, &testUserDirectory.admin, nil, "/v1/machine", &machines) From 84a6e412a0432be712e0b11f388eb567b91aea65 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Tue, 13 Feb 2024 08:08:19 +0100 Subject: [PATCH 18/22] update masterdata --- cmd/metal-api/main.go | 3 +- go.mod | 35 +++++++++++---------- go.sum | 73 ++++++++++++++++++++++--------------------- 3 files changed, 57 insertions(+), 54 deletions(-) diff --git a/cmd/metal-api/main.go b/cmd/metal-api/main.go index 11bb5264a..478395fc2 100644 --- a/cmd/metal-api/main.go +++ b/cmd/metal-api/main.go @@ -5,6 +5,7 @@ import ( "encoding/json" "errors" "fmt" + "log/slog" "net/http" httppprof "net/http/pprof" "os" @@ -541,7 +542,7 @@ func initMasterData() { var err error for { ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second) - mdc, err = mdm.NewClient(ctx, hostname, port, certpath, certkeypath, ca, hmacKey, false, logger.Desugar()) + mdc, err = mdm.NewClient(ctx, hostname, port, certpath, certkeypath, ca, hmacKey, false, slog.Default()) if err == nil { cancel() break diff --git a/go.mod b/go.mod index 77065fdc2..b6c79bb0c 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/juanfont/headscale v0.22.3 github.com/looplab/fsm v0.3.0 github.com/metal-stack/go-ipam v1.8.5 - github.com/metal-stack/masterdata-api v0.10.2 + github.com/metal-stack/masterdata-api v0.10.3 github.com/metal-stack/metal-lib v0.14.4 github.com/metal-stack/security v0.7.2 github.com/metal-stack/v v1.0.3 
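Review bot: In `initMasterData` the masterdata client now receives `slog.Default()` rather than a logger derived from the application's configured `logger`. Unless `slog.SetDefault` is called earlier in `main` (not visible in this hunk), the client's connection and retry messages will use the default handler's format and level and may bypass the service's structured log pipeline. Consider constructing one `*slog.Logger` at startup from the same sink and level as `logger` and passing that instead, with a short comment such as `// masterdata client logs via slog; keep handler in sync with the zap logger`. The body of `initMasterData` continues outside the hunk.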
@@ -70,13 +70,13 @@ require ( github.com/docker/docker v25.0.3+incompatible // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect - github.com/felixge/httpsnoop v1.0.3 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/fxamacker/cbor/v2 v2.5.0 // indirect github.com/glebarez/go-sqlite v1.20.3 // indirect github.com/glebarez/sqlite v1.7.0 // indirect github.com/go-jose/go-jose/v3 v3.0.1 // indirect - github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/go-openapi/errors v0.21.0 // indirect @@ -93,7 +93,8 @@ require ( github.com/golang/protobuf v1.5.3 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/gorilla/mux v1.8.1 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2 // indirect + github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.1 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hdevalence/ed25519consensus v0.2.0 // indirect @@ -110,7 +111,7 @@ require ( github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect github.com/jsimonetti/rtnetlink v1.4.1 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.5 // indirect + github.com/klauspost/compress v1.17.6 // indirect github.com/lestrrat-go/blackmagic v1.0.2 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/httprc v1.0.4 // indirect 
@@ -155,7 +156,7 @@ require ( github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/samber/lo v1.38.1 // indirect github.com/segmentio/asm v1.2.0 // indirect - github.com/shirou/gopsutil/v3 v3.23.11 // indirect + github.com/shirou/gopsutil/v3 v3.24.1 // indirect github.com/shoenig/go-m1cpu v0.1.6 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sourcegraph/conc v0.3.0 // indirect @@ -168,14 +169,14 @@ require ( github.com/tklauser/go-sysconf v0.3.13 // indirect github.com/tklauser/numcpus v0.7.0 // indirect github.com/valyala/bytebufferpool v1.0.0 // indirect - github.com/valyala/fasthttp v1.51.0 // indirect + github.com/valyala/fasthttp v1.52.0 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/yusufpapurcu/wmi v1.2.3 // indirect + github.com/yusufpapurcu/wmi v1.2.4 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect - go.opentelemetry.io/otel v1.19.0 // indirect - go.opentelemetry.io/otel/metric v1.19.0 // indirect - go.opentelemetry.io/otel/trace v1.19.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect + go.opentelemetry.io/otel v1.22.0 // indirect + go.opentelemetry.io/otel/metric v1.22.0 // indirect + go.opentelemetry.io/otel/trace v1.22.0 // indirect go.uber.org/multierr v1.11.0 // indirect go4.org/intern v0.0.0-20230205224052-192e9f60865c // indirect go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect 
@@ -184,16 +185,16 @@ require ( golang.org/x/exp v0.0.0-20240205201215-2c58cdc269a3 golang.org/x/mod v0.15.0 // indirect golang.org/x/net v0.21.0 // indirect - golang.org/x/oauth2 v0.16.0 // indirect + golang.org/x/oauth2 v0.17.0 // indirect golang.org/x/sys v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect; indirecct - golang.org/x/tools v0.17.0 // indirect + golang.org/x/tools v0.18.0 // indirect golang.zx2c4.com/wireguard/windows v0.5.3 // indirect google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto v0.0.0-20240108191215-35c7eff3a6b1 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240108191215-35c7eff3a6b1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240108191215-35c7eff3a6b1 // indirect + google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect gopkg.in/cenkalti/backoff.v2 v2.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 1c7dce6c6..f7e8cf672 100644 --- a/go.sum +++ b/go.sum 
@@ -262,8 +262,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= -github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= @@ -293,8 +293,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= 
@@ -357,8 +357,6 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= -github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -438,11 +436,13 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:Fecb github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.1 h1:HcUWd006luQPljE73d5sk+/VgYPGUReEVz2y1/qylwY= +github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.1/go.mod h1:w9Y7gY31krpLmrVU5ZPG9H7l9fZuRu5/3R3S3FMtVQ4= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2 h1:dygLcbEBA+t/P7ck6a8AkXv6juQ4cK0RHBoh32jxhHM= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2/go.mod h1:Ap9RLCIJVtgQg1/BBgVEfypOAySvvlcpcVQkSzJCH4Y= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -515,8 +515,8 @@ github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYs github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.6/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= -github.com/klauspost/compress v1.17.5 h1:d4vBd+7CHydUqpFBgUEKkSdtSugf9YFmSkvUYPquI5E= -github.com/klauspost/compress v1.17.5/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI= +github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -585,8 +585,8 @@ github.com/meilisearch/meilisearch-go v0.26.1 h1:3bmo2uLijX7kvBmiZ9LupVfC95TFcRJ github.com/meilisearch/meilisearch-go v0.26.1/go.mod h1:SxuSqDcPBIykjWz1PX+KzsYzArNLSCadQodWs8extS0= github.com/metal-stack/go-ipam v1.8.5 h1:XE1XfaU6Ck1Ucc7svTO25dlT7kEcE1oxOM3lBrWIQmE= github.com/metal-stack/go-ipam v1.8.5/go.mod h1:JgsddJabu8A7lWD+4MJKqbQhmSA/zhBbO+Bp8pLhRZM= -github.com/metal-stack/masterdata-api v0.10.2 h1:0H/JhIMRPwKZICFD1BWigWkrCsNeq+IQkUzkWA1b4io= -github.com/metal-stack/masterdata-api v0.10.2/go.mod h1:DscUdLAKrLIjduaIPdUh9YZEIqiyN0Bb8Vg2d+Q3NjY= +github.com/metal-stack/masterdata-api v0.10.3 h1:Y/P3CU1b13a7oLmVYK6ZAHV2dMUYk+a3QWJQnXj+vRw= +github.com/metal-stack/masterdata-api v0.10.3/go.mod h1:ubIFC++2Csgx884Lol38AfY3MlAMlOXsTFHFIenI234= github.com/metal-stack/metal-lib v0.14.4 h1:vm2868vcua6khoyWL7d0to8Hq5RayrjMse0FZTyWEec= github.com/metal-stack/metal-lib v0.14.4/go.mod h1:Z3PAh8dkyWC4B19fXsu6EYwXXee0Lk9JZbjoHPLbDbc= github.com/metal-stack/security v0.7.2 h1:kUdWej+a0+YPBGt4fT56Mu8cWX/tOjeKL/FWNlUuoe8= 
@@ -753,8 +753,8 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= -github.com/shirou/gopsutil/v3 v3.23.11 h1:i3jP9NjCPUz7FiZKxlMnODZkdSIp2gnzfrvsu9CuWEQ= -github.com/shirou/gopsutil/v3 v3.23.11/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM= +github.com/shirou/gopsutil/v3 v3.24.1 h1:R3t6ondCEvmARp3wxODhXMTLC/klMa87h2PHUw5m7QI= +github.com/shirou/gopsutil/v3 v3.24.1/go.mod h1:UU7a2MSBQa+kW1uuDq8DeEBS8kmrnQwsv2b5O513rwU= github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU= 
@@ -840,8 +840,8 @@ github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/fasthttp v1.37.1-0.20220607072126-8a320890c08d/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I= -github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= -github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= +github.com/valyala/fasthttp v1.52.0 h1:wqBQpxH71XW0e2g+Og4dzQM8pk34aFYlA1Ga8db7gU0= +github.com/valyala/fasthttp v1.52.0/go.mod h1:hf5C4QnVMkNXMspnsUlfM3WitlgYflyhHYoKol/szxQ= github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= 
@@ -862,8 +862,9 @@ github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7Jul github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw= github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= +github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= 
@@ -876,20 +877,20 @@ go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q= -go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= -go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= +go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= +go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= -go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= +go.opentelemetry.io/otel/metric v1.22.0/go.mod 
h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= -go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= -go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= +go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0= +go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= @@ -1006,8 +1007,8 @@ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= +golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= +golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1092,7 +1093,7 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -1158,8 +1159,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ= +golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1208,12 +1209,12 @@ google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20240108191215-35c7eff3a6b1 h1:/IWabOtPziuXTEtI1KYCpM6Ss7vaAkeMxk+uXV/xvZs= -google.golang.org/genproto v0.0.0-20240108191215-35c7eff3a6b1/go.mod h1:+Rvu7ElI+aLzyDQhpHMFMMltsD6m7nqpuWDd2CwJw3k= -google.golang.org/genproto/googleapis/api v0.0.0-20240108191215-35c7eff3a6b1 h1:OPXtXn7fNMaXwO3JvOmF1QyTc00jsSFFz1vXXBOdCDo= -google.golang.org/genproto/googleapis/api v0.0.0-20240108191215-35c7eff3a6b1/go.mod h1:B5xPO//w8qmBDjGReYLpR6UJPnkldGkCSMoH/2vxJeg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240108191215-35c7eff3a6b1 h1:gphdwh0npgs8elJ4T6J+DQJHPVF7RsuJHCfwztUb4J4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240108191215-35c7eff3a6b1/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA= +google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac h1:ZL/Teoy/ZGnzyrqK/Optxxp2pmVh+fmJ97slxSRyzUg= +google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:+Rvu7ElI+aLzyDQhpHMFMMltsD6m7nqpuWDd2CwJw3k= +google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe h1:0poefMBYvYbs7g5UkjS6HcxBPaTRAmznle9jnxYoAI8= +google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe h1:bQnxqljG/wqi4NTXu2+DJ3n7APcEA882QZ1JvhQAq9o= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= google.golang.org/grpc 
v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= From f477814dae2a9c94d16c4d99985ff88a129a3acf Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Tue, 13 Feb 2024 15:54:11 +0100 Subject: [PATCH 19/22] Ingress Rule with toCidrs as well --- cmd/metal-api/internal/metal/machine.go | 5 ++++- cmd/metal-api/internal/service/machine-service.go | 1 + cmd/metal-api/internal/service/v1/firewall.go | 1 + cmd/metal-api/internal/service/v1/machine.go | 1 + spec/metal-api.json | 10 +++++++++- 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index f4d09cb18..d2bc8ffe9 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -167,6 +167,7 @@ type EgressRule struct { type IngressRule struct { Protocol Protocol `rethinkdb:"protocol" json:"protocol"` Ports []int `rethinkdb:"ports" json:"ports"` + ToCIDRs []string `rethinkdb:"to_cidrs" json:"to_cidrs"` FromCIDRs []string `rethinkdb:"from_cidrs" json:"from_cidrs"` Comment string `rethinkdb:"comment" json:"comment"` } @@ -225,7 +226,9 @@ func (r IngressRule) Validate() error { if err := validatePorts(r.Ports); err != nil { return err } - + if err := validateCIDRs(r.ToCIDRs); err != nil { + return err + } if err := validateCIDRs(r.FromCIDRs); err != nil { return err } diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index 3cc39141f..ecac314d4 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go 
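Review bot: `IngressRule.Validate` now checks `ToCIDRs` and `FromCIDRs`, but nothing in the struct or the function documents what an empty list means for either field. For a firewall rule that distinction is security-relevant: a reader cannot tell whether an omitted `from_cidrs` is rejected, ignored, or treated as "any source" by whatever renders the rule, which this hunk does not show. I would add field comments on `IngressRule`, for example `// FromCIDRs are the source networks the rule matches; <state here what empty means>` and the equivalent for `ToCIDRs`. If empty is not meant to be accepted, add an explicit length check here rather than relying on `validateCIDRs`.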
@@ -1076,6 +1076,7 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M rule := metal.IngressRule{ Protocol: protocol, Ports: ruleSpec.Ports, + ToCIDRs: ruleSpec.ToCIDRs, FromCIDRs: ruleSpec.FromCIDRs, Comment: ruleSpec.Comment, } diff --git a/cmd/metal-api/internal/service/v1/firewall.go b/cmd/metal-api/internal/service/v1/firewall.go index 33d361eb3..aeddce0bc 100644 --- a/cmd/metal-api/internal/service/v1/firewall.go +++ b/cmd/metal-api/internal/service/v1/firewall.go @@ -19,6 +19,7 @@ type FirewallEgressRule struct { type FirewallIngressRule struct { Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` Ports []int `json:"ports" description:"the ports affected by this rule"` + ToCIDRs []string `json:"to_cidrs" description:"the cidrs affected by this rule"` FromCIDRs []string `json:"from_cidrs" description:"the cidrs affected by this rule"` Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` } diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index b301d4430..e25f39c5d 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go @@ -539,6 +539,7 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * ingressRules = append(ingressRules, FirewallIngressRule{ Protocol: string(r.Protocol), Ports: r.Ports, + ToCIDRs: r.ToCIDRs, FromCIDRs: r.FromCIDRs, Comment: r.Comment, }) diff --git a/spec/metal-api.json b/spec/metal-api.json index 91d6aafcd..5a97ee387 100644 --- a/spec/metal-api.json +++ b/spec/metal-api.json 
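Review bot: In `FirewallIngressRule` the new `ToCIDRs` field carries the same description as `FromCIDRs` ("the cidrs affected by this rule"), so the generated API spec gives clients no way to tell source from destination. Change the tags to something like `description:"the destination cidrs this rule applies to"` and `description:"the source cidrs this rule applies to"`. The field also has no `optional:"true"` tag, which is why `to_cidrs` appears under `required` in the `spec/metal-api.json` hunk. If the destination list is meant to be optional, mark it the way `Comment` is marked so the spec and the validation agree.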
@@ -1358,11 +1358,19 @@ "udp" ], "type": "string" + }, + "to_cidrs": { + "description": "the cidrs affected by this rule", + "items": { + "type": "string" + }, + "type": "array" } }, "required": [ "from_cidrs", - "ports" + "ports", + "to_cidrs" ] }, "v1.FirewallResponse": { From ede53780030beedf3b6efe6c190fc6ceb2b3355c Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Wed, 14 Feb 2024 07:45:52 +0100 Subject: [PATCH 20/22] More validation --- cmd/metal-api/internal/metal/machine.go | 19 ++++++- cmd/metal-api/internal/metal/machine_test.go | 60 +++++++++++++++++++- go.mod | 12 ++-- go.sum | 20 +++---- 4 files changed, 92 insertions(+), 19 deletions(-) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index d2bc8ffe9..412706f9b 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -4,6 +4,7 @@ import ( "fmt" "net/netip" "os" + "slices" "strings" "time" @@ -232,6 +233,10 @@ func (r IngressRule) Validate() error { if err := validateCIDRs(r.FromCIDRs); err != nil { return err } + // AddressFamily of toCidrs and fromCidrs must be identical + if err := validateCIDRs(slices.Concat(r.FromCIDRs, r.ToCIDRs)); err != nil { + return err + } return nil } @@ -258,13 +263,23 @@ func validatePorts(ports []int) error { } func validateCIDRs(cidrs []string) error { + af := "" for _, cidr := range cidrs { - _, err := netip.ParsePrefix(cidr) + p, err := netip.ParsePrefix(cidr) if err != nil { return fmt.Errorf("invalid cidr: %w", err) } + var newaf string + if p.Addr().Is4() { + newaf = "ipv4" + } else { + newaf = "ipv6" + } + if af != "" && af != newaf { + return fmt.Errorf("mixed address family in one rule is not supported:%v", cidrs) + } + af = newaf } - return nil } diff --git a/cmd/metal-api/internal/metal/machine_test.go b/cmd/metal-api/internal/metal/machine_test.go index b1df1bb6d..bbd7c8062 100644 --- a/cmd/metal-api/internal/metal/machine_test.go 
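Review bot: `validateCIDRs` accepts any string `netip.ParsePrefix` can parse, which includes prefixes with host bits set such as `10.1.2.3/8`. `ParsePrefix` does not zero or reject those bits. For firewall rules it is safer to require the canonical network form, so a typo cannot silently widen or shift the matched range: after the parse, add `if p.Masked() != p { return fmt.Errorf("cidr %q is not in canonical form", cidr) }`. The mixed-family error prints the whole caller-supplied slice with `%v`, including entries after the current one that have not been parsed yet. Use `%q` so control characters in those strings cannot reach logs unescaped, and add the missing space after the colon.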
+++ b/cmd/metal-api/internal/metal/machine_test.go @@ -237,13 +237,21 @@ func TestEgressRule_Validate(t *testing.T) { wantErr: true, }, { - name: "wrong cidr", + name: "wrong comment", Protocol: ProtocolTCP, Ports: []int{1, 2, 3}, ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, Comment: "allow apt update\n", wantErr: true, }, + { + name: "mixed address family in cidrs", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32", "2001:db8::/32"}, + Comment: "mixed address family", + wantErr: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -259,3 +267,53 @@ func TestEgressRule_Validate(t *testing.T) { }) } } +func TestIngressRule_Validate(t *testing.T) { + tests := []struct { + name string + Protocol Protocol + Ports []int + ToCIDRs []string + FromCIDRs []string + Comment string + wantErr bool + }{ + { + name: "valid ingress rule", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + FromCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", + }, + { + name: "valid ingress rule", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + FromCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + ToCIDRs: []string{"100.2.3.0/24", "200.3.4.5/32"}, + Comment: "allow apt update", + }, + { + name: "invalid ingress rule, mixed address families in to and from", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + FromCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + ToCIDRs: []string{"100.2.3.0/24", "2001:db8::/32"}, + Comment: "allow apt update", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + r := IngressRule{ + Protocol: tt.Protocol, + Ports: tt.Ports, + ToCIDRs: tt.ToCIDRs, + FromCIDRs: tt.FromCIDRs, + Comment: tt.Comment, + } + if err := r.Validate(); (err != nil) != tt.wantErr { + t.Errorf("IngressRule.Validate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/go.mod b/go.mod index b6c79bb0c..184b5b579 100644 --- a/go.mod 
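Review bot: `TestIngressRule_Validate` has two cases both named "valid ingress rule", so a failure report will not say which input broke. Rename the second to something like `"valid ingress rule with to cidrs"`. The table also covers only the address-family check on the negative side. Malformed prefixes in `FromCIDRs` or `ToCIDRs` and out-of-range ports are not exercised for ingress, although `Validate` calls both helpers. Add cases such as `FromCIDRs: []string{"1.2.3.0/33"}, wantErr: true` and `Ports: []int{70000}, wantErr: true`. If ingress comments are meant to be rejected the way the egress "wrong comment" case is, add a matching ingress case too.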
+++ b/go.mod @@ -31,7 +31,7 @@ require ( go.uber.org/zap v1.26.0 golang.org/x/crypto v0.19.0 golang.org/x/sync v0.6.0 - google.golang.org/grpc v1.61.0 + google.golang.org/grpc v1.61.1 google.golang.org/protobuf v1.32.0 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.2 ) @@ -154,7 +154,7 @@ require ( github.com/rs/zerolog v1.32.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect - github.com/samber/lo v1.38.1 // indirect + github.com/samber/lo v1.39.0 // indirect github.com/segmentio/asm v1.2.0 // indirect github.com/shirou/gopsutil/v3 v3.24.1 // indirect github.com/shoenig/go-m1cpu v0.1.6 // indirect @@ -182,7 +182,7 @@ require ( go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect go4.org/unsafe/assume-no-moving-gc v0.0.0-20231121144256-b99613f794b6 // indirect - golang.org/x/exp v0.0.0-20240205201215-2c58cdc269a3 + golang.org/x/exp v0.0.0-20240213143201-ec583247a57a golang.org/x/mod v0.15.0 // indirect golang.org/x/net v0.21.0 // indirect golang.org/x/oauth2 v0.17.0 // indirect @@ -192,9 +192,9 @@ require ( golang.org/x/tools v0.18.0 // indirect golang.zx2c4.com/wireguard/windows v0.5.3 // indirect google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect + google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240213162025-012b6fc9bca9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 // indirect gopkg.in/cenkalti/backoff.v2 v2.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index f7e8cf672..880b6210f 100644 
--- a/go.sum +++ b/go.sum @@ -747,8 +747,8 @@ github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6ke github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= -github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM= -github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA= +github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA= +github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= 
@@ -1209,12 +1209,12 @@ google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac h1:ZL/Teoy/ZGnzyrqK/Optxxp2pmVh+fmJ97slxSRyzUg= -google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:+Rvu7ElI+aLzyDQhpHMFMMltsD6m7nqpuWDd2CwJw3k= -google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe h1:0poefMBYvYbs7g5UkjS6HcxBPaTRAmznle9jnxYoAI8= -google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:4jWUdICTdgc3Ibxmr8nAJiiLHwQBY0UI0XZcEMaFKaA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe h1:bQnxqljG/wqi4NTXu2+DJ3n7APcEA882QZ1JvhQAq9o= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s= +google.golang.org/genproto/googleapis/api v0.0.0-20240213162025-012b6fc9bca9 h1:4++qSzdWBUy9/2x8L5KZgwZw+mjJZ2yDSCGMVM0YzRs= +google.golang.org/genproto/googleapis/api v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:PVreiBMirk8ypES6aw9d4p6iiBNSIfZEBqr3UGoAi2E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 h1:hZB7eLIaYlW9qXRfCq/qDaPdbeY3757uARz5Vvfv+cY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:YUWgXUFRPfoYK1IHMuxH5K6nPEXSCzIMljnQ59lLRCk= google.golang.org/grpc 
v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= @@ -1230,8 +1230,8 @@ google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= -google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= +google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY= +google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 01c4d0277e0fd974bcbe2c0637d3fb5f9596eb28 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Wed, 14 Feb 2024 13:55:06 +0100 Subject: [PATCH 21/22] Renaming in the api --- cmd/metal-api/internal/metal/machine.go | 21 +++-- cmd/metal-api/internal/metal/machine_test.go | 76 +++++++++---------- .../internal/service/machine-service.go | 12 +-- .../internal/service/machine-service_test.go | 9 +-- cmd/metal-api/internal/service/v1/firewall.go | 12 +-- cmd/metal-api/internal/service/v1/machine.go | 12 +-- spec/metal-api.json | 12 +-- 7 files changed, 76 insertions(+), 78 deletions(-) 
diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index 412706f9b..cd7865cdd 100644 --- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -161,16 +161,16 @@ type FirewallRules struct { type EgressRule struct { Protocol Protocol `rethinkdb:"protocol" json:"protocol"` Ports []int `rethinkdb:"ports" json:"ports"` - ToCIDRs []string `rethinkdb:"to_cidrs" json:"to_cidrs"` + To []string `rethinkdb:"to" json:"to"` Comment string `rethinkdb:"comment" json:"comment"` } type IngressRule struct { - Protocol Protocol `rethinkdb:"protocol" json:"protocol"` - Ports []int `rethinkdb:"ports" json:"ports"` - ToCIDRs []string `rethinkdb:"to_cidrs" json:"to_cidrs"` - FromCIDRs []string `rethinkdb:"from_cidrs" json:"from_cidrs"` - Comment string `rethinkdb:"comment" json:"comment"` + Protocol Protocol `rethinkdb:"protocol" json:"protocol"` + Ports []int `rethinkdb:"ports" json:"ports"` + To []string `rethinkdb:"to" json:"to"` + From []string `rethinkdb:"from" json:"from"` + Comment string `rethinkdb:"comment" json:"comment"` } type Protocol string @@ -206,7 +206,7 @@ func (r EgressRule) Validate() error { return err } - if err := validateCIDRs(r.ToCIDRs); err != nil { + if err := validateCIDRs(r.To); err != nil { return err } @@ -227,14 +227,13 @@ func (r IngressRule) Validate() error { if err := validatePorts(r.Ports); err != nil { return err } - if err := validateCIDRs(r.ToCIDRs); err != nil { + if err := validateCIDRs(r.To); err != nil { return err } - if err := validateCIDRs(r.FromCIDRs); err != nil { + if err := validateCIDRs(r.From); err != nil { return err } - // AddressFamily of toCidrs and fromCidrs must be identical - if err := validateCIDRs(slices.Concat(r.FromCIDRs, r.ToCIDRs)); err != nil { + if err := validateCIDRs(slices.Concat(r.From, r.To)); err != nil { return err } 
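Review bot: The third check in IngressRule.Validate, `validateCIDRs(slices.Concat(r.From, r.To))`, loses its explanation with this change. The removed comment was the only statement that From and To must share one address family, and without it the call reads as a duplicate of the two checks before it. I would keep the comment under the new names: `// address family of From and To must be identical`. The function starts and ends outside this hunk.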
diff --git a/cmd/metal-api/internal/metal/machine_test.go b/cmd/metal-api/internal/metal/machine_test.go index bbd7c8062..811c07401 100644 --- a/cmd/metal-api/internal/metal/machine_test.go +++ b/cmd/metal-api/internal/metal/machine_test.go @@ -201,7 +201,7 @@ func TestEgressRule_Validate(t *testing.T) { name string Protocol Protocol Ports []int - ToCIDRs []string + To []string Comment string wantErr bool }{ @@ -209,14 +209,14 @@ func TestEgressRule_Validate(t *testing.T) { name: "valid egress rule", Protocol: ProtocolTCP, Ports: []int{1, 2, 3}, - ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, Comment: "allow apt update", }, { name: "wrong protocol", Protocol: Protocol("sctp"), Ports: []int{1, 2, 3}, - ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, Comment: "allow apt update", wantErr: true, }, @@ -224,7 +224,7 @@ func TestEgressRule_Validate(t *testing.T) { name: "wrong port", Protocol: ProtocolTCP, Ports: []int{1, 2, 3, -1}, - ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, Comment: "allow apt update", wantErr: true, }, @@ -232,7 +232,7 @@ func TestEgressRule_Validate(t *testing.T) { name: "wrong cidr", Protocol: ProtocolTCP, Ports: []int{1, 2, 3}, - ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/33"}, + To: []string{"1.2.3.0/24", "2.3.4.5/33"}, Comment: "allow apt update", wantErr: true, }, @@ -240,7 +240,7 @@ func TestEgressRule_Validate(t *testing.T) { name: "wrong comment", Protocol: ProtocolTCP, Ports: []int{1, 2, 3}, - ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, Comment: "allow apt update\n", wantErr: true, }, 
@@ -248,7 +248,7 @@ func TestEgressRule_Validate(t *testing.T) { name: "mixed address family in cidrs", Protocol: ProtocolTCP, Ports: []int{1, 2, 3}, - ToCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32", "2001:db8::/32"}, + To: []string{"1.2.3.0/24", "2.3.4.5/32", "2001:db8::/32"}, Comment: "mixed address family", wantErr: true, }, @@ -258,7 +258,7 @@ func TestEgressRule_Validate(t *testing.T) { r := EgressRule{ Protocol: tt.Protocol, Ports: tt.Ports, - ToCIDRs: tt.ToCIDRs, + To: tt.To, Comment: tt.Comment, } if err := r.Validate(); (err != nil) != tt.wantErr { @@ -269,47 +269,47 @@ func TestEgressRule_Validate(t *testing.T) { } func TestIngressRule_Validate(t *testing.T) { tests := []struct { - name string - Protocol Protocol - Ports []int - ToCIDRs []string - FromCIDRs []string - Comment string - wantErr bool + name string + Protocol Protocol + Ports []int + To []string + From []string + Comment string + wantErr bool }{ { - name: "valid ingress rule", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - FromCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, - Comment: "allow apt update", + name: "valid ingress rule", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + From: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", }, { - name: "valid ingress rule", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - FromCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, - ToCIDRs: []string{"100.2.3.0/24", "200.3.4.5/32"}, - Comment: "allow apt update", + name: "valid ingress rule", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + 
From: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"100.2.3.0/24", "200.3.4.5/32"}, + Comment: "allow apt update", }, { - name: "invalid ingress rule, mixed address families in to and from", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - FromCIDRs: []string{"1.2.3.0/24", "2.3.4.5/32"}, - ToCIDRs: []string{"100.2.3.0/24", "2001:db8::/32"}, - Comment: "allow apt update", - wantErr: true, + name: "invalid ingress rule, mixed address families in to and from", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + From: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"100.2.3.0/24", "2001:db8::/32"}, + Comment: "allow apt update", + wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { r := IngressRule{ - Protocol: tt.Protocol, - Ports: tt.Ports, - ToCIDRs: tt.ToCIDRs, - FromCIDRs: tt.FromCIDRs, - Comment: tt.Comment, + Protocol: tt.Protocol, + Ports: tt.Ports, + To: tt.To, + From: tt.From, + Comment: tt.Comment, } if err := r.Validate(); (err != nil) != tt.wantErr { t.Errorf("IngressRule.Validate() error = %v, wantErr %v", err, tt.wantErr) diff --git a/cmd/metal-api/internal/service/machine-service.go b/cmd/metal-api/internal/service/machine-service.go index ecac314d4..7e7ab5e86 100644 --- a/cmd/metal-api/internal/service/machine-service.go +++ b/cmd/metal-api/internal/service/machine-service.go @@ -1054,7 +1054,7 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M rule := metal.EgressRule{ Protocol: protocol, Ports: ruleSpec.Ports, - ToCIDRs: ruleSpec.ToCIDRs, + To: ruleSpec.To, Comment: ruleSpec.Comment, } @@ -1074,11 +1074,11 @@ func createMachineAllocationSpec(ds *datastore.RethinkStore, machineRequest v1.M } rule := metal.IngressRule{ - Protocol: protocol, - Ports: ruleSpec.Ports, - ToCIDRs: ruleSpec.ToCIDRs, - FromCIDRs: ruleSpec.FromCIDRs, - Comment: ruleSpec.Comment, + Protocol: protocol, + Ports: ruleSpec.Ports, + To: ruleSpec.To, + 
From: ruleSpec.From, + Comment: ruleSpec.Comment, } if err := rule.Validate(); err != nil { diff --git a/cmd/metal-api/internal/service/machine-service_test.go b/cmd/metal-api/internal/service/machine-service_test.go index 77e4757c7..1f3b944e3 100644 --- a/cmd/metal-api/internal/service/machine-service_test.go +++ b/cmd/metal-api/internal/service/machine-service_test.go @@ -9,11 +9,6 @@ import ( "testing" "github.com/emicklei/go-restful/v3" - "github.com/stretchr/testify/require" - "go.uber.org/zap/zaptest" - "golang.org/x/crypto/ssh" - r "gopkg.in/rethinkdb/rethinkdb-go.v6" - goipam "github.com/metal-stack/go-ipam" "github.com/metal-stack/metal-api/cmd/metal-api/internal/datastore" "github.com/metal-stack/metal-api/cmd/metal-api/internal/ipam" @@ -22,6 +17,10 @@ import ( "github.com/metal-stack/metal-api/cmd/metal-api/internal/testdata" "github.com/metal-stack/metal-lib/bus" "github.com/metal-stack/security" + "github.com/stretchr/testify/require" + "go.uber.org/zap/zaptest" + "golang.org/x/crypto/ssh" + r "gopkg.in/rethinkdb/rethinkdb-go.v6" ) const ( diff --git a/cmd/metal-api/internal/service/v1/firewall.go b/cmd/metal-api/internal/service/v1/firewall.go index aeddce0bc..f0289007b 100644 --- a/cmd/metal-api/internal/service/v1/firewall.go +++ b/cmd/metal-api/internal/service/v1/firewall.go 
@@ -12,16 +12,16 @@ type FirewallAllocateRequest struct { type FirewallEgressRule struct { Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` Ports []int `json:"ports" description:"the ports affected by this rule"` - ToCIDRs []string `json:"to_cidrs" description:"the cidrs affected by this rule"` + To []string `json:"to" description:"the cidrs affected by this rule"` Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` } type FirewallIngressRule struct { - Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` - Ports []int `json:"ports" description:"the ports affected by this rule"` - ToCIDRs []string `json:"to_cidrs" description:"the cidrs affected by this rule"` - FromCIDRs []string `json:"from_cidrs" description:"the cidrs affected by this rule"` - Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` + Protocol string `json:"protocol,omitempty" description:"the protocol for the rule, defaults to tcp" enum:"tcp|udp" optional:"true"` + Ports []int `json:"ports" description:"the ports affected by this rule"` + To []string `json:"to" description:"the cidrs affected by this rule"` + From []string `json:"from" description:"the cidrs affected by this rule"` + Comment string `json:"comment,omitempty" description:"an optional comment describing what this rule is used for" optional:"true"` } type FirewallResponse struct { diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go index e25f39c5d..54cfd9c8b 100644 --- a/cmd/metal-api/internal/service/v1/machine.go +++ b/cmd/metal-api/internal/service/v1/machine.go 
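Review bot: After the rename, both CIDR fields of FirewallIngressRule carry the same description, `the cidrs affected by this rule`, and the names `to`/`from` no longer say that the values are CIDRs. A reader of the generated spec cannot tell which list restricts the source and which the destination, and swapping the two in an ingress rule changes who is let in. The tags should spell it out, e.g. `description:"the destination cidrs this rule allows traffic to"` on `To` and `description:"the source cidrs this rule allows traffic from"` on `From` (assuming From is the source side, as the names suggest). The same applies to `To` on FirewallEgressRule.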
@@ -530,18 +530,18 @@ func NewMachineResponse(m *metal.Machine, s *metal.Size, p *metal.Partition, i * egressRules = append(egressRules, FirewallEgressRule{ Protocol: string(r.Protocol), Ports: r.Ports, - ToCIDRs: r.ToCIDRs, + To: r.To, Comment: r.Comment, }) } for _, r := range m.Allocation.FirewallRules.Ingress { r := r ingressRules = append(ingressRules, FirewallIngressRule{ - Protocol: string(r.Protocol), - Ports: r.Ports, - ToCIDRs: r.ToCIDRs, - FromCIDRs: r.FromCIDRs, - Comment: r.Comment, + Protocol: string(r.Protocol), + Ports: r.Ports, + To: r.To, + From: r.From, + Comment: r.Comment, }) } diff --git a/spec/metal-api.json b/spec/metal-api.json index 5a97ee387..d57a0032b 100644 --- a/spec/metal-api.json +++ b/spec/metal-api.json @@ -1135,7 +1135,7 @@ ], "type": "string" }, - "to_cidrs": { + "to": { "description": "the cidrs affected by this rule", "items": { "type": "string" @@ -1145,7 +1145,7 @@ }, "required": [ "ports", - "to_cidrs" + "to" ] }, "v1.FirewallFindRequest": { @@ -1336,7 +1336,7 @@ "description": "an optional comment describing what this rule is used for", "type": "string" }, - "from_cidrs": { + "from": { "description": "the cidrs affected by this rule", "items": { "type": "string" @@ -1359,7 +1359,7 @@ ], "type": "string" }, - "to_cidrs": { + "to": { "description": "the cidrs affected by this rule", "items": { "type": "string" @@ -1368,9 +1368,9 @@ } }, "required": [ - "from_cidrs", + "from", "ports", - "to_cidrs" + "to" ] }, "v1.FirewallResponse": { From 90b3adc3080d02f93b09965c2615c269a89c11c6 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Wed, 14 Feb 2024 16:35:04 +0100 Subject: [PATCH 22/22] Better tests --- cmd/metal-api/internal/metal/machine.go | 10 +- cmd/metal-api/internal/metal/machine_test.go | 127 +++++++++++-------- 2 files changed, 85 insertions(+), 52 deletions(-) diff --git a/cmd/metal-api/internal/metal/machine.go b/cmd/metal-api/internal/metal/machine.go index cd7865cdd..f7fdb5d6c 100644 
--- a/cmd/metal-api/internal/metal/machine.go +++ b/cmd/metal-api/internal/metal/machine.go @@ -240,14 +240,20 @@ func (r IngressRule) Validate() error { return nil } -const allowedCharacters = "abcdefghijklmnopqrstuvwxyz_- " +const ( + allowedCharacters = "abcdefghijklmnopqrstuvwxyz_- " + maxCommentLength = 100 +) func validateComment(comment string) error { for _, c := range comment { if !strings.Contains(allowedCharacters, strings.ToLower(string(c))) { - return fmt.Errorf("illegal character in comment found:%q", c) + return fmt.Errorf("illegal character in comment found, only: %q allowed", allowedCharacters) } } + if len(comment) > maxCommentLength { + return fmt.Errorf("comments can not exceed %d characters", maxCommentLength) + } return nil } diff --git a/cmd/metal-api/internal/metal/machine_test.go b/cmd/metal-api/internal/metal/machine_test.go index 811c07401..6e4b969bc 100644 --- a/cmd/metal-api/internal/metal/machine_test.go +++ b/cmd/metal-api/internal/metal/machine_test.go @@ -198,12 +198,13 @@ func TestMachineNetwork_NetworkType(t *testing.T) { func TestEgressRule_Validate(t *testing.T) { tests := []struct { - name string - Protocol Protocol - Ports []int - To []string - Comment string - wantErr bool + name string + Protocol Protocol + Ports []int + To []string + Comment string + wantErr bool + wantErrmsg string }{ { name: "valid egress rule", 
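Review bot: The allow-list check in validateComment lowercases each rune before the lookup, so a non-ASCII rune whose lowercase form is an ASCII letter (U+212A KELVIN SIGN lowercases to `k`) is accepted although it is not in `allowedCharacters`. Rejecting non-ASCII first closes that gap, at the cost of a `unicode` import: `if c > unicode.MaxASCII || !strings.ContainsRune(allowedCharacters, unicode.ToLower(c)) {`. The new length check also runs only after the whole string has been walked, and `len(comment)` counts bytes rather than characters. Moving `if len(comment) > maxCommentLength` above the loop bounds the work on oversized input, and with ASCII-only input the byte count matches the character count the message reports. Where the comment ends up is not visible in this hunk, but if it is rendered into firewall configuration the stricter check keeps that output to the documented character set.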
@@ -213,44 +214,58 @@ func TestEgressRule_Validate(t *testing.T) { Comment: "allow apt update", }, { - name: "wrong protocol", - Protocol: Protocol("sctp"), - Ports: []int{1, 2, 3}, - To: []string{"1.2.3.0/24", "2.3.4.5/32"}, - Comment: "allow apt update", - wantErr: true, + name: "wrong protocol", + Protocol: Protocol("sctp"), + Ports: []int{1, 2, 3}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", + wantErr: true, + wantErrmsg: "invalid procotol: sctp", }, { - name: "wrong port", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3, -1}, - To: []string{"1.2.3.0/24", "2.3.4.5/32"}, - Comment: "allow apt update", - wantErr: true, + name: "wrong port", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3, -1}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update", + wantErr: true, + wantErrmsg: "port is out of range", }, { - name: "wrong cidr", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - To: []string{"1.2.3.0/24", "2.3.4.5/33"}, - Comment: "allow apt update", - wantErr: true, + name: "wrong cidr", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + To: []string{"1.2.3.0/24", "2.3.4.5/33"}, + Comment: "allow apt update", + wantErr: true, + wantErrmsg: "invalid cidr: netip.ParsePrefix(\"2.3.4.5/33\"): prefix length out of range", }, { - name: "wrong comment", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - To: []string{"1.2.3.0/24", "2.3.4.5/32"}, - Comment: "allow apt update\n", - wantErr: true, + name: "wrong comment", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "allow apt update\n", + wantErr: true, + wantErrmsg: "illegal character in comment found, only: \"abcdefghijklmnopqrstuvwxyz_- \" allowed", }, { - name: "mixed address family in cidrs", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - To: []string{"1.2.3.0/24", "2.3.4.5/32", "2001:db8::/32"}, - Comment: "mixed address family", - wantErr: true, + name: "too long comment", + Protocol: ProtocolTCP, + 
Ports: []int{1, 2, 3}, + To: []string{"1.2.3.0/24", "2.3.4.5/32"}, + Comment: "much too long comment aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + wantErr: true, + wantErrmsg: "comments can not exceed 100 characters", + }, + { + name: "mixed address family in cidrs", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + To: []string{"1.2.3.0/24", "2.3.4.5/32", "2001:db8::/32"}, + Comment: "mixed address family", + wantErr: true, + wantErrmsg: "mixed address family in one rule is not supported:[1.2.3.0/24 2.3.4.5/32 2001:db8::/32]", }, } for _, tt := range tests { @@ -264,18 +279,24 @@ func TestEgressRule_Validate(t *testing.T) { if err := r.Validate(); (err != nil) != tt.wantErr { t.Errorf("EgressRule.Validate() error = %v, wantErr %v", err, tt.wantErr) } + if err := r.Validate(); err != nil { + if tt.wantErrmsg != err.Error() { + t.Errorf("IngressRule.Validate() error = %v, wantErrmsg %v", err.Error(), tt.wantErrmsg) + } + } }) } } func TestIngressRule_Validate(t *testing.T) { tests := []struct { - name string - Protocol Protocol - Ports []int - To []string - From []string - Comment string - wantErr bool + name string + Protocol Protocol + Ports []int + To []string + From []string + Comment string + wantErr bool + wantErrmsg string }{ { name: "valid ingress rule", @@ -293,13 +314,14 @@ func TestIngressRule_Validate(t *testing.T) { Comment: "allow apt update", }, { - name: "invalid ingress rule, mixed address families in to and from", - Protocol: ProtocolTCP, - Ports: []int{1, 2, 3}, - From: []string{"1.2.3.0/24", "2.3.4.5/32"}, - To: []string{"100.2.3.0/24", "2001:db8::/32"}, - Comment: "allow apt update", - wantErr: true, + name: "invalid ingress rule, mixed address families in to and from", + Protocol: ProtocolTCP, + Ports: []int{1, 2, 3}, + 
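Review bot: The failure message added to TestEgressRule_Validate names the wrong type: the new `wantErrmsg` branch reports `IngressRule.Validate()`, which will point a reader at the wrong test when it fails. It should read `t.Errorf("EgressRule.Validate() error = %v, wantErrmsg %v", err.Error(), tt.wantErrmsg)`. The added block also calls `r.Validate()` a second time. Capturing `err` once and running both assertions on it would keep them tied to the same result, and the same pattern is repeated in TestIngressRule_Validate.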
From: []string{"1.2.3.0/24", "2.3.4.5/32"}, + To: []string{"100.2.3.0/24", "2001:db8::/32"}, + Comment: "allow apt update", + wantErr: true, + wantErrmsg: "mixed address family in one rule is not supported:[100.2.3.0/24 2001:db8::/32]", }, } for _, tt := range tests { @@ -314,6 +336,11 @@ func TestIngressRule_Validate(t *testing.T) { if err := r.Validate(); (err != nil) != tt.wantErr { t.Errorf("IngressRule.Validate() error = %v, wantErr %v", err, tt.wantErr) } + if err := r.Validate(); err != nil { + if tt.wantErrmsg != err.Error() { + t.Errorf("IngressRule.Validate() error = %v, wantErrmsg %v", err.Error(), tt.wantErrmsg) + } + } }) } }