package cmd
import (
"fmt"
"github.com/linkerd/linkerd2/proxy-init/iptables"
"github.com/spf13/cobra"
)
// rootOptions holds the values bound to the proxy-init command-line flags in
// NewRootCmd; buildFirewallConfiguration validates them and turns them into an
// iptables.FirewallConfiguration.
type rootOptions struct {
	// Port that incoming traffic is redirected to. Defaults to -1, which
	// buildFirewallConfiguration rejects, so the flag is effectively required.
	incomingProxyPort int
	// Port that outgoing traffic is redirected to; same -1/required semantics.
	outgoingProxyPort int
	// UID the proxy runs as; traffic from this user is not redirected, to avoid
	// redirection loops. Defaults to -1 and is not range-checked in this file —
	// NOTE(review): confirm how iptables.ConfigureFirewall treats a negative UID.
	proxyUserId int
	// Inbound ports to redirect to the proxy; an empty list means ALL ports
	// (selects iptables.RedirectAllMode).
	portsToRedirect []int
	// Inbound ports never redirected; takes precedence over the other options.
	inboundPortsToIgnore []int
	// Outbound ports never redirected; takes precedence over the other options.
	outboundPortsToIgnore []int
	// When true, print the commands that would be executed instead of running them.
	simulateOnly bool
}
// newRootOptions returns the flag defaults for the root command: every numeric
// option starts at -1 (meaning "not set"), every port list starts as an empty,
// non-nil slice, and simulation is off.
func newRootOptions() *rootOptions {
	const unset = -1

	opts := rootOptions{
		incomingProxyPort: unset,
		outgoingProxyPort: unset,
		proxyUserId:       unset,
	}
	// Empty but non-nil, so the lists are distinguishable from an absent value.
	opts.portsToRedirect = []int{}
	opts.inboundPortsToIgnore = []int{}
	opts.outboundPortsToIgnore = []int{}
	// simulateOnly keeps its zero value (false).
	return &opts
}
// NewRootCmd builds the proxy-init command. All flags are bound to a fresh
// rootOptions; when the command runs, the options are validated by
// buildFirewallConfiguration and the resulting configuration is handed to
// iptables.ConfigureFirewall (with --simulate, the commands are printed
// rather than executed).
func NewRootCmd() *cobra.Command {
	opts := newRootOptions()

	// run is the command body; it reads the options populated by flag parsing.
	run := func(_ *cobra.Command, _ []string) error {
		cfg, err := buildFirewallConfiguration(opts)
		if err != nil {
			return err
		}
		return iptables.ConfigureFirewall(*cfg)
	}

	root := &cobra.Command{
		Use:   "proxy-init",
		Short: "proxy-init adds a Kubernetes pod to the Linkerd service mesh",
		Long:  "proxy-init adds a Kubernetes pod to the Linkerd service mesh.",
		RunE:  run,
	}

	flags := root.PersistentFlags()
	flags.IntVarP(&opts.incomingProxyPort, "incoming-proxy-port", "p", opts.incomingProxyPort, "Port to redirect incoming traffic")
	flags.IntVarP(&opts.outgoingProxyPort, "outgoing-proxy-port", "o", opts.outgoingProxyPort, "Port to redirect outgoing traffic")
	flags.IntVarP(&opts.proxyUserId, "proxy-uid", "u", opts.proxyUserId, "User ID that the proxy is running under. Any traffic coming from this user will be ignored to avoid infinite redirection loops.")
	flags.IntSliceVarP(&opts.portsToRedirect, "ports-to-redirect", "r", opts.portsToRedirect, "Port to redirect to proxy, if no port is specified then ALL ports are redirected")
	flags.IntSliceVar(&opts.inboundPortsToIgnore, "inbound-ports-to-ignore", opts.inboundPortsToIgnore, "Inbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
	flags.IntSliceVar(&opts.outboundPortsToIgnore, "outbound-ports-to-ignore", opts.outboundPortsToIgnore, "Outbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
	flags.BoolVar(&opts.simulateOnly, "simulate", opts.simulateOnly, "Don't execute any command, just print what would be executed")

	return root
}
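// maxPort is the largest valid TCP port number.
const maxPort = 65535

// validPort reports whether p lies in the inclusive TCP port range 0..65535,
// the same bound the proxy-port checks use.
func validPort(p int) bool {
	return p >= 0 && p <= maxPort
}

// buildFirewallConfiguration validates the parsed flags and turns them into an
// iptables.FirewallConfiguration.
//
// Both proxy ports must be valid port numbers (the -1 default is rejected, so
// --incoming-proxy-port and --outgoing-proxy-port are effectively required).
// Every port listed in --ports-to-redirect, --inbound-ports-to-ignore and
// --outbound-ports-to-ignore must also be a valid port number: these lists
// are handed to iptables.ConfigureFirewall, and rejecting a bad value here
// gives a clear flag-level error instead of a failure when rules are applied.
//
// Mode is iptables.RedirectListedMode when --ports-to-redirect is non-empty
// and iptables.RedirectAllMode otherwise. On error the returned configuration
// is nil and the error names the first offending flag.
func buildFirewallConfiguration(options *rootOptions) (*iptables.FirewallConfiguration, error) {
	if !validPort(options.incomingProxyPort) {
		return nil, fmt.Errorf("--incoming-proxy-port must be a valid TCP port number")
	}
	if !validPort(options.outgoingProxyPort) {
		return nil, fmt.Errorf("--outgoing-proxy-port must be a valid TCP port number")
	}

	// Apply the same range check to every port list, reporting the flag it
	// came from so the user can correct it.
	portLists := []struct {
		flag  string
		ports []int
	}{
		{"--ports-to-redirect", options.portsToRedirect},
		{"--inbound-ports-to-ignore", options.inboundPortsToIgnore},
		{"--outbound-ports-to-ignore", options.outboundPortsToIgnore},
	}
	for _, list := range portLists {
		for _, p := range list.ports {
			if !validPort(p) {
				return nil, fmt.Errorf("%s contains %d, which is not a valid TCP port number", list.flag, p)
			}
		}
	}

	firewallConfiguration := &iptables.FirewallConfiguration{
		ProxyInboundPort:       options.incomingProxyPort,
		ProxyOutgoingPort:      options.outgoingProxyPort,
		ProxyUid:               options.proxyUserId,
		PortsToRedirectInbound: options.portsToRedirect,
		InboundPortsToIgnore:   options.inboundPortsToIgnore,
		OutboundPortsToIgnore:  options.outboundPortsToIgnore,
		SimulateOnly:           options.simulateOnly,
	}

	// An explicit redirect list selects listed mode; otherwise all ports are redirected.
	firewallConfiguration.Mode = iptables.RedirectAllMode
	if len(options.portsToRedirect) > 0 {
		firewallConfiguration.Mode = iptables.RedirectListedMode
	}
	return firewallConfiguration, nil
}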