refactor to use default source ranges

zac-nixon · zac-nixon · commit 5c1f93008222 · 2025-04-18T12:14:55.000-07:00
diff --git a/apis/gateway/v1beta1/loadbalancerconfig_types.go b/apis/gateway/v1beta1/loadbalancerconfig_types.go
@@ -73,7 +73,7 @@ type SubnetConfiguration struct {
 
 	// SourceNatIPv6Prefix [Network LoadBalancer] The IPv6 prefix to use for source NAT. Specify an IPv6 prefix (/80 netmask) from the subnet CIDR block or auto_assigned to use an IPv6 prefix selected at random from the subnet CIDR block.
 	// +optional
-	SourceNatIPv6Prefix *string `json:"sourceNAT,omitempty"`
+	SourceNatIPv6Prefix *string `json:"sourceNatIPv6Prefix,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=HTTP1Only;HTTP2Only;HTTP2Optional;HTTP2Preferred;None
diff --git a/config/crd/gateway/gateway-crds.yaml b/config/crd/gateway/gateway-crds.yaml
@@ -205,7 +205,7 @@ spec:
                       description: privateIPv4Allocation [Network LoadBalancer] the
                         private ipv4 address to assign to this subnet.
                       type: string
-                    sourceNAT:
+                    sourceNatIPv6Prefix:
                       description: SourceNatIPv6Prefix [Network LoadBalancer] The
                         IPv6 prefix to use for source NAT. Specify an IPv6 prefix
                         (/80 netmask) from the subnet CIDR block or auto_assigned
diff --git a/config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml b/config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml
@@ -206,7 +206,7 @@ spec:
                       description: privateIPv4Allocation [Network LoadBalancer] the
                         private ipv4 address to assign to this subnet.
                       type: string
-                    sourceNAT:
+                    sourceNatIPv6Prefix:
                       description: SourceNatIPv6Prefix [Network LoadBalancer] The
                         IPv6 prefix to use for source NAT. Specify an IPv6 prefix
                         (/80 netmask) from the subnet CIDR block or auto_assigned
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -194,43 +194,19 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gatewayclasses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gatewayclasses/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gatewayclasses/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
   - gateways
   verbs:
   - get
   - list
-  - patch
   - watch
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
   - gateways/finalizers
   verbs:
-  - patch
   - update
 - apiGroups:
   - gateway.networking.k8s.io
diff --git a/pkg/gateway/model/model_build_security_group.go b/pkg/gateway/model/model_build_security_group.go
@@ -177,19 +177,25 @@ func (builder *securityGroupBuilderImpl) buildManagedSecurityGroupName(gw *gwv1.
 func (builder *securityGroupBuilderImpl) buildManagedSecurityGroupIngressPermissions(lbConf *elbv2gw.LoadBalancerConfiguration, routes map[int][]routeutils.RouteDescriptor, ipAddressType elbv2model.IPAddressType) []ec2model.IPPermission {
 	var permissions []ec2model.IPPermission
 
-	var sourceRanges []string
+	// Default to 0.0.0.0/0 and ::/0
+	// If user specified actual ranges, then these values will be overridden.
+	// TODO - Document this
+	sourceRanges := []string{
+		"0.0.0.0/0",
+		"::/0",
+	}
 	var prefixes []string
 	var enableICMP bool
 
-	if lbConf.Spec.SourceRanges != nil {
+	if lbConf != nil && lbConf.Spec.SourceRanges != nil {
 		sourceRanges = *lbConf.Spec.SourceRanges
 	}
 
-	if lbConf.Spec.SecurityGroupPrefixes != nil {
+	if lbConf != nil && lbConf.Spec.SecurityGroupPrefixes != nil {
 		prefixes = *lbConf.Spec.SecurityGroupPrefixes
 	}
 
-	if lbConf.Spec.EnableICMP {
+	if lbConf != nil && lbConf.Spec.EnableICMP {
 		enableICMP = true
 	}
 
diff --git a/pkg/gateway/model/model_build_security_group_test.go b/pkg/gateway/model/model_build_security_group_test.go
@@ -325,6 +325,31 @@ func Test_BuildSecurityGroups_BuildManagedSecurityGroupIngressPermissions(t *tes
 			lbConf:   &elbv2gw.LoadBalancerConfiguration{},
 			expected: make([]ec2model.IPPermission, 0),
 		},
+		{
+			name: "ipv4 - tcp - with default source ranges",
+			lbConf: &elbv2gw.LoadBalancerConfiguration{
+				Spec: elbv2gw.LoadBalancerConfigurationSpec{},
+			},
+			routes: map[int][]routeutils.RouteDescriptor{
+				80: {
+					&routeutils.MockRoute{
+						Kind: routeutils.TCPRouteKind,
+					},
+				},
+			},
+			expected: []ec2model.IPPermission{
+				{
+					IPProtocol: "tcp",
+					FromPort:   awssdk.Int32(80),
+					ToPort:     awssdk.Int32(80),
+					IPRanges: []ec2model.IPRange{
+						{
+							CIDRIP: "0.0.0.0/0",
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "ipv4 - tcp - with source range",
 			lbConf: &elbv2gw.LoadBalancerConfiguration{
@@ -651,6 +676,45 @@ func Test_BuildSecurityGroups_BuildManagedSecurityGroupIngressPermissions(t *tes
 				},
 			},
 		},
+		{
+			name:          "ipv6 - with default source ranges",
+			ipAddressType: elbv2model.IPAddressTypeDualStack,
+			lbConf: &elbv2gw.LoadBalancerConfiguration{
+				Spec: elbv2gw.LoadBalancerConfigurationSpec{},
+			},
+			routes: map[int][]routeutils.RouteDescriptor{
+				80: {
+					&routeutils.MockRoute{
+						Kind: routeutils.TCPRouteKind,
+					},
+					&routeutils.MockRoute{
+						Kind: routeutils.HTTPRouteKind,
+					},
+				},
+			},
+			expected: []ec2model.IPPermission{
+				{
+					IPProtocol: "tcp",
+					FromPort:   awssdk.Int32(80),
+					ToPort:     awssdk.Int32(80),
+					IPRanges: []ec2model.IPRange{
+						{
+							CIDRIP: "0.0.0.0/0",
+						},
+					},
+				},
+				{
+					IPProtocol: "tcp",
+					FromPort:   awssdk.Int32(80),
+					ToPort:     awssdk.Int32(80),
+					IPv6Range: []ec2model.IPv6Range{
+						{
+							CIDRIPv6: "::/0",
+						},
+					},
+				},
+			},
+		},
 		{
 			name:          "ipv6 - with source range",
 			ipAddressType: elbv2model.IPAddressTypeDualStack,
diff --git a/pkg/gateway/routeutils/mock_route.go b/pkg/gateway/routeutils/mock_route.go
@@ -9,6 +9,11 @@ type MockRoute struct {
 	Kind string
 }
 
+func (m *MockRoute) GetBackendRefs() []gwv1.BackendRef {
+	//TODO implement me
+	panic("implement me")
+}
+
 func (m *MockRoute) GetRouteNamespacedName() types.NamespacedName {
 	//TODO implement me
 	panic("implement me")

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ type SubnetConfiguration struct {`
`73`	`73`
`74`	`74`	`// SourceNatIPv6Prefix [Network LoadBalancer] The IPv6 prefix to use for source NAT. Specify an IPv6 prefix (/80 netmask) from the subnet CIDR block or auto_assigned to use an IPv6 prefix selected at random from the subnet CIDR block.`
`75`	`75`	`// +optional`
`76`		- SourceNatIPv6Prefix *string `json:"sourceNAT,omitempty"`
	`76`	+ SourceNatIPv6Prefix *string `json:"sourceNatIPv6Prefix,omitempty"`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`// +kubebuilder:validation:Enum=HTTP1Only;HTTP2Only;HTTP2Optional;HTTP2Preferred;None`