assert service policies for frontend and ctrl <-> metrics (#131)

Michael Quigley 2022-12-05 17:29:35 -05:00
parent 6e42fa0225
commit 95adcfe10a
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
2 changed files with 127 additions and 0 deletions


@ -13,6 +13,7 @@ import (
"github.com/openziti/edge/rest_management_api_client/identity"
"github.com/openziti/edge/rest_management_api_client/service"
"github.com/openziti/edge/rest_management_api_client/service_edge_router_policy"
"github.com/openziti/edge/rest_management_api_client/service_policy"
"github.com/openziti/edge/rest_model"
rest_model_edge "github.com/openziti/edge/rest_model"
"github.com/openziti/sdk-golang/ziti"
@ -79,6 +80,18 @@ func Bootstrap(skipCtrl, skipFrontend bool, inCfg *Config) error {
return err
}
if !skipCtrl {
if err := assertCtrlMetricsBind(ctrlZId, metricsSvcZId, edge); err != nil {
return err
}
}
if !skipFrontend {
if err := assertFrontendMetricsDial(frontendZId, metricsSvcZId, edge); err != nil {
return err
}
}
return nil
}
@ -255,3 +268,51 @@ func assertMetricsSerp(metricsSvcZId string, cfg *Config, edge *rest_management_
logrus.Infof("asserted '%v' serp", cfg.Metrics.ServiceName)
return nil
}
func assertCtrlMetricsBind(ctrlZId, metricsSvcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
filter := fmt.Sprintf("allOf(serviceRoles) = \"@%v\" and allOf(identityRoles) = \"@%v\" and type = 2 and tags.zrok != null", metricsSvcZId, ctrlZId)
limit := int64(0)
offset := int64(0)
listReq := &service_policy.ListServicePoliciesParams{
Filter: &filter,
Limit: &limit,
Offset: &offset,
}
listReq.SetTimeout(30 * time.Second)
listResp, err := edge.ServicePolicy.ListServicePolicies(listReq, nil)
if err != nil {
return errors.Wrapf(err, "error listing 'ctrl-metrics-bind' service policy")
}
if len(listResp.Payload.Data) != 1 {
logrus.Info("creating 'ctrl-metrics-bind' service policy")
if err := createNamedBindServicePolicy("ctrl-metrics-bind", metricsSvcZId, ctrlZId, edge, zrokTags()); err != nil {
return errors.Wrap(err, "error creating 'ctrl-metrics-bind' service policy")
}
}
logrus.Infof("asserted 'ctrl-metrics-bind' service policy")
return nil
}
func assertFrontendMetricsDial(frontendZId, metricsSvcZId string, edge *rest_management_api_client.ZitiEdgeManagement) error {
filter := fmt.Sprintf("allOf(serviceRoles) = \"@%v\" and allOf(identityRoles) = \"@%v\" and type = 1 and tags.zrok != null", metricsSvcZId, frontendZId)
limit := int64(0)
offset := int64(0)
listReq := &service_policy.ListServicePoliciesParams{
Filter: &filter,
Limit: &limit,
Offset: &offset,
}
listReq.SetTimeout(30 * time.Second)
listResp, err := edge.ServicePolicy.ListServicePolicies(listReq, nil)
if err != nil {
return errors.Wrapf(err, "error listing 'frontend-metrics-dial' service policy")
}
if len(listResp.Payload.Data) != 1 {
logrus.Info("creating 'frontend-metrics-dial' service policy")
if err := createNamedDialServicePolicy("frontend-metrics-dial", metricsSvcZId, frontendZId, edge, zrokTags()); err != nil {
return errors.Wrap(err, "error creating 'frontend-metrics-dial' service policy")
}
}
logrus.Infof("asserted 'frontend-metrics-dial' service policy")
return nil
}
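Review bot: The `len(listResp.Payload.Data) != 1` test in assertCtrlMetricsBind (and the identical one in assertFrontendMetricsDial) creates a new policy whenever the count is anything other than one, so if two matching policies ever exist — for example after an interrupted earlier bootstrap — every subsequent run adds another instead of reporting the problem. Splitting the check keeps the idempotent create and makes duplicates visible: `if n := len(listResp.Payload.Data); n > 1 { return errors.Errorf("expected at most 1 'ctrl-metrics-bind' service policy, found %d", n) }` followed by `if len(listResp.Payload.Data) == 0 { /* create as now */ }`. Since these policies decide which identity may host the metrics service and which may reach it, failing loudly on an unexpected policy set is the safer default for a bootstrap step. Separately, `errors.Wrapf` at the two list-error sites takes no format arguments and can be `errors.Wrap`, and the two functions differ only in policy name, `type` filter value and creator, so a single helper taking those three would remove the duplicated list-and-create body.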


@ -120,6 +120,39 @@ func createServicePolicyBind(envZId, svcToken, svcZId string, edge *rest_managem
return nil
}
func createNamedBindServicePolicy(name, svcZId, idZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
allTags := &rest_model_edge.Tags{SubTags: make(rest_model_edge.SubTags)}
for _, t := range tags {
for k, v := range t.SubTags {
allTags.SubTags[k] = v
}
}
identityRoles := []string{"@" + idZId}
var postureCheckRoles []string
semantic := rest_model.SemanticAllOf
serviceRoles := []string{"@" + svcZId}
dialBind := rest_model.DialBindBind
sp := &rest_model.ServicePolicyCreate{
IdentityRoles: identityRoles,
Name: &name,
PostureCheckRoles: postureCheckRoles,
Semantic: &semantic,
ServiceRoles: serviceRoles,
Type: &dialBind,
Tags: allTags,
}
req := &service_policy.CreateServicePolicyParams{
Policy: sp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
_, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
if err != nil {
return err
}
return nil
}
func deleteServicePolicyBind(envZId, svcToken string, edge *rest_management_api_client.ZitiEdgeManagement) error {
// type=2 == "Bind"
return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceToken=\"%v\" and type=2", svcToken), edge)
@ -165,6 +198,39 @@ func createServicePolicyDial(envZId, svcToken, svcZId string, edge *rest_managem
return nil
}
func createNamedDialServicePolicy(name, svcZId, idZId string, edge *rest_management_api_client.ZitiEdgeManagement, tags ...*rest_model.Tags) error {
allTags := &rest_model_edge.Tags{SubTags: make(rest_model_edge.SubTags)}
for _, t := range tags {
for k, v := range t.SubTags {
allTags.SubTags[k] = v
}
}
identityRoles := []string{"@" + idZId}
var postureCheckRoles []string
semantic := rest_model.SemanticAllOf
serviceRoles := []string{"@" + svcZId}
dialBind := rest_model.DialBindDial
sp := &rest_model.ServicePolicyCreate{
IdentityRoles: identityRoles,
Name: &name,
PostureCheckRoles: postureCheckRoles,
Semantic: &semantic,
ServiceRoles: serviceRoles,
Type: &dialBind,
Tags: allTags,
}
req := &service_policy.CreateServicePolicyParams{
Policy: sp,
Context: context.Background(),
}
req.SetTimeout(30 * time.Second)
_, err := edge.ServicePolicy.CreateServicePolicy(req, nil)
if err != nil {
return err
}
return nil
}
func deleteServicePolicyDial(envZId, svcToken string, edge *rest_management_api_client.ZitiEdgeManagement) error {
// type=1 == "Dial"
return deleteServicePolicy(envZId, fmt.Sprintf("tags.zrokServiceToken=\"%v\" and type=1", svcToken), edge)
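Review bot: The tag-merge loop at the top of createNamedDialServicePolicy (and the same loop in createNamedBindServicePolicy) dereferences each `t` in `tags` without a nil check, so a nil `*rest_model.Tags` in the variadic list panics on `t.SubTags`; whether zrokTags() can return nil is not visible here, but a guard `if t == nil { continue }` as the first line of the loop is cheap. Later entries also silently overwrite earlier keys in `allTags.SubTags`, which is fine if intended but deserves a comment such as `// later tag sets win on duplicate keys`. Apart from `rest_model.DialBindBind` versus `rest_model.DialBindDial` the two functions are line-for-line identical, so a shared helper that takes the dial/bind value (the type of `rest_model.DialBindDial`) as a parameter, with the two existing names kept as one-line wrappers, would keep the access-direction choice in a single place. The enclosing deleteServicePolicyDial continues past the end of the hunk.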