Add LoadBalancerSourceRanges (#461)

* Add LoadBalancerSourceRanges

* Only apply fallback rule if no other rule is set

* Make the use  LBSourceRanges configurable

Author: eberlep

api/v1/postgres_types.go

@@ -322,7 +322,7 @@ func (p *Postgres) ToKey() *types.NamespacedName {
 	}
 }
 
-func (p *Postgres) ToSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelector bool, enableLegacyStandbySelector bool) *corev1.Service {
+func (p *Postgres) ToSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelector bool, enableLegacyStandbySelector bool, standbyClustersSourceRanges []string) *corev1.Service {
 	lb := &corev1.Service{}
 	lb.Spec.Type = "LoadBalancer"
 
@@ -334,7 +334,20 @@ func (p *Postgres) ToSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelecto
 	lb.Name = p.ToSvcLBName()
 	lb.SetLabels(SvcLoadBalancerLabel)
 
-	// svc.Spec.LoadBalancerSourceRanges // todo: Do we need to set this?
+	lbsr := []string{}
+	if p.HasSourceRanges() {
+		for _, src := range p.Spec.AccessList.SourceRanges {
+			lbsr = append(lbsr, src)
+		}
+	}
+	for _, scsr := range standbyClustersSourceRanges {
+		lbsr = append(lbsr, scsr)
+	}
+	if len(lbsr) == 0 {
+		// block by default
+		lbsr = append(lbsr, "255.255.255.255/32")
+	}
+	lb.Spec.LoadBalancerSourceRanges = lbsr
 
 	port := corev1.ServicePort{}
 	port.Name = "postgresql"

main.go

@@ -68,6 +68,7 @@ const (
 	etcdBackupSecretNameFlg        = "etcd-backup-secret-name" // nolint
 	etcdPSPNameFlg                 = "etcd-psp-name"
 	postgresletFullnameFlg         = "postgreslet-fullname"
+	enableLBSourceRangesFlg        = "enable-lb-source-ranges"
 )
 
 var (
@@ -116,6 +117,7 @@ func main() {
 		enableStandbyLeaderSelector bool
 		enableLegacyStandbySelector bool
 		deployEtcd                  bool
+		enableLBSourceRanges        bool
 
 		portRangeStart int
 		portRangeSize  int
@@ -240,6 +242,9 @@ func main() {
 	viper.SetDefault(postgresletFullnameFlg, partitionID) // fall back to partition id
 	postgresletFullname = viper.GetString(postgresletFullnameFlg)
 
+	viper.SetDefault(enableLBSourceRangesFlg, true)
+	enableLBSourceRanges = viper.GetBool(enableLBSourceRangesFlg)
+
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
 	ctrl.Log.Info("flag",
@@ -275,6 +280,7 @@ func main() {
 		etcdBackupSecretNameFlg, etcdBackupSecretName,
 		etcdPSPNameFlg, etcdPSPName,
 		postgresletFullnameFlg, postgresletFullname,
+		enableLBSourceRangesFlg, enableLBSourceRanges,
 	)
 
 	svcClusterConf := ctrl.GetConfigOrDie()
@@ -356,6 +362,8 @@ func main() {
 		PortRangeSize:               int32(portRangeSize),
 		EnableStandbyLeaderSelector: enableStandbyLeaderSelector,
 		EnableLegacyStandbySelector: enableLegacyStandbySelector,
+		StandbyClustersSourceRanges: standbyClusterSourceRanges,
+		EnableLBSourceRanges:        enableLBSourceRanges,
 	}
 	if err = (&controllers.PostgresReconciler{
 		CtrlClient:                  ctrlPlaneClusterMgr.GetClient(),

pkg/lbmanager/lbmanager.go

@@ -17,6 +17,8 @@ type Options struct {
 	PortRangeSize               int32
 	EnableStandbyLeaderSelector bool
 	EnableLegacyStandbySelector bool
+	StandbyClustersSourceRanges []string
+	EnableLBSourceRanges        bool
 }
 
 // LBManager Responsible for the creation and deletion of externally accessible Services to access the Postgresql clusters managed by the Postgreslet.
@@ -60,14 +62,28 @@ func (m *LBManager) CreateSvcLBIfNone(ctx context.Context, in *api.Postgres) err
 			lbIPToUse = ""
 		}
 
-		if err := m.Create(ctx, in.ToSvcLB(lbIPToUse, nextFreePort, m.options.EnableStandbyLeaderSelector, m.options.EnableLegacyStandbySelector)); err != nil {
+		svc := in.ToSvcLB(lbIPToUse, nextFreePort, m.options.EnableStandbyLeaderSelector, m.options.EnableLegacyStandbySelector, m.options.StandbyClustersSourceRanges)
+		if !m.options.EnableLBSourceRanges {
+			// leave empty / disable source ranges
+			svc.Spec.LoadBalancerSourceRanges = []string{}
+		}
+		if err := m.Create(ctx, svc); err != nil {
 			return fmt.Errorf("failed to create Service of type LoadBalancer: %w", err)
 		}
 		return nil
 	}
 
+	updated := in.ToSvcLB("", 0, m.options.EnableStandbyLeaderSelector, m.options.EnableLegacyStandbySelector, m.options.StandbyClustersSourceRanges)
 	// update the selector, and only the selector (we do NOT want the change the ip or port here!!!)
-	svc.Spec.Selector = in.ToSvcLB("", 0, m.options.EnableStandbyLeaderSelector, m.options.EnableLegacyStandbySelector).Spec.Selector
+	svc.Spec.Selector = updated.Spec.Selector
+	// also update the source ranges
+	if m.options.EnableLBSourceRanges {
+		// use the given source ranges
+		svc.Spec.LoadBalancerSourceRanges = updated.Spec.LoadBalancerSourceRanges
+	} else {
+		// leave empty / disable source ranges
+		svc.Spec.LoadBalancerSourceRanges = []string{}
+	}
 
 	if err := m.Update(ctx, svc); err != nil {
 		return fmt.Errorf("failed to update Service of type LoadBalancer: %w", err)