Merge pull request #103 from jtherin/pick-0.21-acl

fix(loadbalancers): make sure to split huge ACLs

Author: jtherin

go.mod

@@ -3,7 +3,7 @@ module github.com/scaleway/scaleway-cloud-controller-manager
 go 1.15
 
 require (
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210817142252-2836d8ffcc09
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.9
 	github.com/spf13/pflag v1.0.5
 	k8s.io/api v0.21.0
 	k8s.io/apimachinery v0.21.0

go.sum

@@ -94,6 +94,7 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dnaeon/go-vcr v1.0.1 h1:r8L/HqC0Hje5AXMu1ooW8oyQyOFv4GxqpL0nRP7SLLY=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
+github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
@@ -286,6 +287,7 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
@@ -339,8 +341,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210817142252-2836d8ffcc09 h1:yhJDl3IfiMEtenYzmBE8txehmXD9jztfUTtpdLb/WYU=
-github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210817142252-2836d8ffcc09/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.9 h1:0roa6gXKgyta64uqh52AQG3wzZXH21unn+ltzQSXML0=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.9/go.mod h1:fCa7OJZ/9DRTnOKmxvT6pn+LPWUptQAmHF/SBJUGEcg=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=

scaleway/baremetal.go

@@ -19,7 +19,7 @@ package scaleway
 import (
 	"context"
 
-	scwbaremetal "github.com/scaleway/scaleway-sdk-go/api/baremetal/v1alpha1"
+	scwbaremetal "github.com/scaleway/scaleway-sdk-go/api/baremetal/v1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"

scaleway/baremetal_test.go

@@ -22,7 +22,7 @@ import (
 	"strings"
 	"testing"
 
-	scwbaremetal "github.com/scaleway/scaleway-sdk-go/api/baremetal/v1alpha1"
+	scwbaremetal "github.com/scaleway/scaleway-sdk-go/api/baremetal/v1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

scaleway/loadbalancers.go

@@ -19,6 +19,7 @@ package scaleway
 import (
 	"context"
 	"fmt"
+	"math"
 	"os"
 	"strconv"
 	"strings"
@@ -153,6 +154,8 @@ const (
 	serviceAnnotationLoadBalancerCertificateIDs = "service.beta.kubernetes.io/scw-loadbalancer-certificate-ids"
 )
 
+const MaxEntriesPerACL = 60
+
 type loadbalancers struct {
 	api           LoadBalancerAPI
 	client        *client // for patcher
@@ -180,6 +183,7 @@ type LoadBalancerAPI interface {
 	CreateACL(req *scwlb.ZonedAPICreateACLRequest, opts ...scw.RequestOption) (*scwlb.ACL, error)
 	DeleteACL(req *scwlb.ZonedAPIDeleteACLRequest, opts ...scw.RequestOption) error
 	UpdateACL(req *scwlb.ZonedAPIUpdateACLRequest, opts ...scw.RequestOption) (*scwlb.ACL, error)
+	SetACLs(req *scwlb.ZonedAPISetACLsRequest, opts ...scw.RequestOption) (*scwlb.SetACLsResponse, error)
 }
 
 func newLoadbalancers(client *client, defaultLBType string) *loadbalancers {
@@ -771,48 +775,50 @@ func (l *loadbalancers) updateLoadBalancer(ctx context.Context, loadbalancer *sc
 			aclIPs := extractNodesInternalIps(nodes)
 			aclIPs = append(aclIPs, extractNodesExternalIps(nodes)...)
 			aclIPs = append(aclIPs, service.Spec.LoadBalancerSourceRanges...)
-			aclIPsPtr := make([]*string, len(aclIPs))
+			aclIPsPtr := []*string{}
+			newAcls := []*scwlb.ACLSpec{}
+
+			// Loop through all addresses and make sure to split ACLs every MaxEntriesPerACL.
 			for i := range aclIPs {
-				aclIPsPtr[i] = &aclIPs[i]
+				if i != 0 && i%MaxEntriesPerACL == 0 {
+					aclIndex := int32((i / MaxEntriesPerACL) - 1)
+					newAcls = append(newAcls, &scwlb.ACLSpec{
+						Name: fmt.Sprintf("%v-%d", aclName, aclIndex),
+						Action: &scwlb.ACLAction{
+							Type: scwlb.ACLActionTypeAllow,
+						},
+						Index: aclIndex,
+						Match: &scwlb.ACLMatch{
+							IPSubnet: aclIPsPtr,
+						},
+					})
+
+					aclIPsPtr = []*string{}
+				}
+				aclIPsPtr = append(aclIPsPtr, &aclIPs[i])
 			}
 
-			if len(acls.ACLs) != 1 {
-				_, err := l.api.CreateACL(&scwlb.ZonedAPICreateACLRequest{
-					Zone:       loadbalancer.Zone,
-					FrontendID: frontendID,
-					Name:       aclName,
-					Action: &scwlb.ACLAction{
-						Type: scwlb.ACLActionTypeDeny,
-					},
-					Index: 0,
-					Match: &scwlb.ACLMatch{
-						IPSubnet: aclIPsPtr,
-						Invert:   true,
-					},
-				})
-				if err != nil {
-					return err
-				}
-			} else if len(acls.ACLs) == 1 {
-				_, err := l.api.UpdateACL(&scwlb.ZonedAPIUpdateACLRequest{
-					Zone:   loadbalancer.Zone,
-					ACLID:  acls.ACLs[0].ID,
-					Action: &scwlb.ACLAction{
-						Type: scwlb.ACLActionTypeDeny,
-					},
-					Index: 0,
-					Match: &scwlb.ACLMatch{
-						Invert:   true,
-						IPSubnet: aclIPsPtr,
-					},
-					Name: aclName,
-				})
-				if err != nil {
-					return err
-				}
+			// Add last ACL with remaining addresses.
+			newAcls = append(newAcls, &scwlb.ACLSpec{
+				Name: aclName + "-end",
+				Action: &scwlb.ACLAction{
+					Type: scwlb.ACLActionTypeDeny,
+				},
+				Index: math.MaxInt32,
+				Match: &scwlb.ACLMatch{
+					IPSubnet: aclIPsPtr,
+					Invert:   true,
+				},
+			})
 
+			_, err := l.api.SetACLs(&scwlb.ZonedAPISetACLsRequest{
+				Zone:       loadbalancer.Zone,
+				FrontendID: frontendID,
+				ACLs:       newAcls,
+			})
+			if err != nil {
+				return err
 			}
-
 		}
 	}