diff --git a/.golangci.yml b/.golangci.yml
index 4b047d1..f5746a1 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -37,7 +37,7 @@ linters-settings:
 threshold: 150
 funlen:
 Lines: 175
- Statements: 85
+ Statements: 90
 goconst:
 min-len: 2
 min-occurrences: 2
diff --git a/README.md b/README.md
index 5c3560d..3ddf59a 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,7 @@ docker build .
 * `NSM_CONNECT_TO` - url to connect to (default: "unix:///var/lib/networkservicemesh/nsm.io.sock")
 * `NSM_MAX_TOKEN_LIFETIME` - maximum lifetime of tokens (default: "10m")
 * `NSM_REGISTRY_CLIENT_POLICIES` - paths to files and directories that contain registry client policies (default: "etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego")
+* `NSM_IPAM_POLICY` - polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR (default: "polite")
 * `NSM_SERVICE_NAMES` - Name of provided services (default: "icmp-responder")
 * `NSM_PAYLOAD` - Name of provided service payload (default: "ETHERNET")
 * `NSM_LABELS` - Endpoint labels
diff --git a/go.mod b/go.mod
index 447d478..9ef246b 100644
--- a/go.mod
+++ b/go.mod
@@ -8,8 +8,8 @@ require (
 github.com/edwarnicke/grpcfd v1.1.4
 github.com/kelseyhightower/envconfig v1.4.0
 github.com/networkservicemesh/api v1.13.4-0.20240815101554-fdbfcd84fd0e
- github.com/networkservicemesh/sdk v0.5.1-0.20240819093036-ae25bb43f39a
- github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199
+ github.com/networkservicemesh/sdk v0.5.1-0.20240820090035-6fad31a9f0aa
+ github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101
 github.com/pkg/errors v0.9.1
 github.com/sirupsen/logrus v1.9.0
 github.com/spiffe/go-spiffe/v2 v2.1.7
diff --git a/go.sum b/go.sum
index 10407c4..f8d9890 100644
--- a/go.sum
+++ b/go.sum
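Review bot: Raising funlen's `Statements` threshold from 85 to 90 reads as accommodating growth in an existing function rather than a limit chosen on its own merits; the only Go function this commit touches is main() in main.go, so it is presumably the one that tripped the linter. Extracting the endpoint's additional-functionality chain into a small helper in main.go would keep the previous limit and leave main() readable. The rest of the linters-settings block is outside this hunk.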
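Review bot: The sdk-sriov requirement moves backwards in time, from `github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199` to `github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101`, while sdk moves forward to `v0.5.1-0.20240820090035-6fad31a9f0aa`; that is a seven-month rollback of a dependency, not an update. If it is intentional (for example the newer sdk-sriov does not build against this sdk revision), the commit message should say so, because otherwise it silently drops whatever fixes sdk-sriov received in between and a later `go get -u` will quietly undo it. The go.sum lines for both modules change in step with this.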
@@ -105,10 +105,10 @@ github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/networkservicemesh/api v1.13.4-0.20240815101554-fdbfcd84fd0e h1:Fs34ZZN+bujq5OQEQUpxm0gYQ3g7uSCkcKcoUt70Be0=
 github.com/networkservicemesh/api v1.13.4-0.20240815101554-fdbfcd84fd0e/go.mod h1:B8FmS3XZ7NZY7ZEtdcNg2NHYppDHlr4kl4eecdZN9eI=
-github.com/networkservicemesh/sdk v0.5.1-0.20240819093036-ae25bb43f39a h1:yGa3JaE4yLKzKTefxu/5sT7ESFmIxj2Ai0VnxvQ69co=
-github.com/networkservicemesh/sdk v0.5.1-0.20240819093036-ae25bb43f39a/go.mod h1:nz2VJ3l/UDvsEusdIZf7OMxC7zLrRCV1PuziPjxJeVE=
-github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199 h1:wUo1fWJAZ5RkW0FaZ1DekwOKKCe6zhjJrBcQdGGfUBw=
-github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199/go.mod h1:pMxDdhmCcfwQFrtcljU5CmSFyrCMsbAlH6dZjb5BjGU=
+github.com/networkservicemesh/sdk v0.5.1-0.20240820090035-6fad31a9f0aa h1:+/bYBzySJJLgnCSjR8SLHsA+r6PYmAusUbka/W/bw5w=
+github.com/networkservicemesh/sdk v0.5.1-0.20240820090035-6fad31a9f0aa/go.mod h1:nz2VJ3l/UDvsEusdIZf7OMxC7zLrRCV1PuziPjxJeVE=
+github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101 h1:W5+jo/V7S24ll+GYyE6H+3pegDGyH1UYIAwRdbFRlq0=
+github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101/go.mod h1:Pc/BcobqUlQ6XhiirKc4d5biBLL8+BF2TAAFsjZWRXA=
 github.com/open-policy-agent/opa v0.44.0 h1:sEZthsrWBqIN+ShTMJ0Hcz6a3GkYsY4FaB2S/ou2hZk=
 github.com/open-policy-agent/opa v0.44.0/go.mod h1:YpJaFIk5pq89n/k72c1lVvfvR5uopdJft2tMg1CW/yU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/internal/pkg/imports/imports_linux.go b/internal/pkg/imports/imports_linux.go
index 2151d0b..1c9204c 100644
--- a/internal/pkg/imports/imports_linux.go
+++ b/internal/pkg/imports/imports_linux.go
@@ -25,6 +25,8 @@ import (
 _ "github.com/networkservicemesh/sdk/pkg/networkservice/common/policyroute"
 _ "github.com/networkservicemesh/sdk/pkg/networkservice/connectioncontext/dnscontext"
 _ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/groupipam"
+ _ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+ _ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/strictipam"
 _ "github.com/networkservicemesh/sdk/pkg/registry/chains/client"
 _ "github.com/networkservicemesh/sdk/pkg/registry/common/authorize"
 _ "github.com/networkservicemesh/sdk/pkg/registry/common/begin"
@@ -64,10 +66,12 @@ import (
 _ "google.golang.org/grpc/credentials"
 _ "google.golang.org/grpc/health/grpc_health_v1"
 _ "gopkg.in/yaml.v2"
+ _ "net"
 _ "net/url"
 _ "os"
 _ "os/signal"
 _ "path/filepath"
+ _ "strings"
 _ "sync/atomic"
 _ "syscall"
 _ "testing"
diff --git a/main.go b/main.go
index f535553..33e79e1 100644
--- a/main.go
+++ b/main.go
@@ -29,10 +29,12 @@ import (
 "context"
 "crypto/tls"
 "fmt"
+ "net"
 "net/url"
 "os"
 "os/signal"
 "path/filepath"
+ "strings"
 "sync/atomic"
 "syscall"
 "time"
@@ -65,6 +67,8 @@ import (
 "github.com/networkservicemesh/sdk/pkg/networkservice/common/policyroute"
 "github.com/networkservicemesh/sdk/pkg/networkservice/connectioncontext/dnscontext"
 "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/groupipam"
+ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/strictipam"
 registryclient "github.com/networkservicemesh/sdk/pkg/registry/chains/client"
 registryauthorize "github.com/networkservicemesh/sdk/pkg/registry/common/authorize"
 "github.com/networkservicemesh/sdk/pkg/registry/common/clientinfo"
@@ -90,6 +94,7 @@ type Config struct {
 ConnectTo url.URL `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to" split_words:"true"`
 MaxTokenLifetime time.Duration `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
 RegistryClientPolicies []string `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego" desc:"paths to files and directories that contain registry client policies" split_words:"true"`
+ IPAMPolicy ipamPolicyFunc `default:"polite" desc:"defines NSE's IPAM Policy. Possible values: polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR." split_words:"true"`
 ServiceNames []string `default:"icmp-responder" desc:"Name of provided services" split_words:"true"`
 Payload string `default:"ETHERNET" desc:"Name of provided service payload" split_words:"true"`
 Labels map[string]string `default:"" desc:"Endpoint labels"`
@@ -106,6 +111,23 @@ type Config struct {
 PprofListenOn string `default:"localhost:6060" desc:"pprof URL to ListenAndServe" split_words:"true"`
 }
 
+type ipamPolicyFunc func(...*net.IPNet) networkservice.NetworkServiceServer
+
+// Decode takes a string IPAM Policy and returns the IPAM Policy func
+func (f *ipamPolicyFunc) Decode(policy string) error {
+ switch strings.ToLower(policy) {
+ case "strict":
+ *f = func(prefixes ...*net.IPNet) networkservice.NetworkServiceServer {
+ return strictipam.NewServer(point2pointipam.NewServer, prefixes...)
+ }
+ return nil
+ case "polite":
+ *f = point2pointipam.NewServer
+ return nil
+ }
+ return errors.Errorf("not a valid IPAM Policy: %s", policy)
+}
+
 // Process prints and processes env to config
 func (c *Config) Process() error {
 if err := envconfig.Usage("nsm", c); err != nil {
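Review bot: IPAMPolicy is a func-typed field, so any dump of the Config struct at startup (Process is documented just below as printing the config, though its body is outside this hunk) will render it as a function pointer rather than as "polite" or "strict", and a `String()` method cannot recover the name from a func value. Because the default, "polite", accepts whatever addresses the client sends, operators need to be able to confirm from logs which policy is active; keeping the raw policy name alongside the func (for example by making ipamPolicyFunc a small struct holding both the name and the constructor) would make that visible. The field's desc could also state that the value is matched case-insensitively, which the Decode implementation below does.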
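Review bot: Decode's doc comment says it "returns the IPAM Policy func", but the func is assigned through the receiver and only an error is returned; `// Decode parses an IPAM policy name ("polite" or "strict", case-insensitive) into f and returns an error for any other value.` states the actual contract. The fallthrough error should quote the input and name the accepted values, `return errors.Errorf("not a valid IPAM Policy %q (expected polite or strict)", policy)`, since a typo or a stray space in NSM_IPAM_POLICY is the likely cause and `%s` hides surrounding whitespace. If leading/trailing whitespace is meant to be tolerated, `strings.TrimSpace` before `strings.ToLower` would do it; otherwise the quoted error at least makes the rejection self-explanatory.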
@@ -223,7 +245,7 @@ func main() {
 endpoint.WithAuthorizeServer(authorize.NewServer()),
 endpoint.WithAdditionalFunctionality(
 onidle.NewServer(ctx, cancel, config.IdleTimeout),
- groupipam.NewServer(config.CidrPrefix),
+ groupipam.NewServer(config.CidrPrefix, groupipam.WithCustomIPAMServer(config.IPAMPolicy)),
 policyroute.NewServer(newPolicyRoutesGetter(ctx, config.PBRConfigPath).Get),
 mechanisms.NewServer(map[string]networkservice.NetworkServiceServer{
 kernelmech.MECHANISM: kernel.NewServer(),