Remove firewall configuration and make it static with a debug flag

cli/internal/cloudcmd/create.go

@@ -17,6 +17,7 @@ import (
 	"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
 	"github.com/edgelesssys/constellation/internal/config"
+	"github.com/edgelesssys/constellation/internal/constants"
 	"github.com/edgelesssys/constellation/internal/state"
 )
 
@@ -43,6 +44,14 @@ func NewCreator(out io.Writer) *Creator {
 // Create creates the handed amount of instances and all the needed resources.
 func (c *Creator) Create(ctx context.Context, provider cloudprovider.Provider, config *config.Config, name, insType string, controlPlaneCount, workerCount int,
 ) (state.ConstellationState, error) {
+	// Use debug ingress firewall rules when debug mode / image is enabled
+	var ingressRules cloudtypes.Firewall
+	if config.IsDebugCluster() {
+		ingressRules = constants.IngressRulesDebug
+	} else {
+		ingressRules = constants.IngressRulesNoDebug
+	}
+
 	switch provider {
 	case cloudprovider.GCP:
 		cl, err := c.newGCPClient(
@@ -56,7 +65,7 @@ func (c *Creator) Create(ctx context.Context, provider cloudprovider.Provider, c
 			return state.ConstellationState{}, err
 		}
 		defer cl.Close()
-		return c.createGCP(ctx, cl, config, insType, controlPlaneCount, workerCount)
+		return c.createGCP(ctx, cl, config, insType, controlPlaneCount, workerCount, ingressRules)
 	case cloudprovider.Azure:
 		cl, err := c.newAzureClient(
 			config.Provider.Azure.SubscriptionID,
@@ -68,22 +77,23 @@ func (c *Creator) Create(ctx context.Context, provider cloudprovider.Provider, c
 		if err != nil {
 			return state.ConstellationState{}, err
 		}
-		return c.createAzure(ctx, cl, config, insType, controlPlaneCount, workerCount)
+		return c.createAzure(ctx, cl, config, insType, controlPlaneCount, workerCount, ingressRules)
 	default:
 		return state.ConstellationState{}, fmt.Errorf("unsupported cloud provider: %s", provider)
 	}
 }
 
-func (c *Creator) createGCP(ctx context.Context, cl gcpclient, config *config.Config, insType string, controlPlaneCount, workerCount int,
+func (c *Creator) createGCP(ctx context.Context, cl gcpclient, config *config.Config, insType string, controlPlaneCount, workerCount int, ingressRules cloudtypes.Firewall,
 ) (stat state.ConstellationState, retErr error) {
 	defer rollbackOnError(context.Background(), c.out, &retErr, &rollbackerGCP{client: cl})
 
 	if err := cl.CreateVPCs(ctx); err != nil {
 		return state.ConstellationState{}, err
 	}
+
 	if err := cl.CreateFirewall(ctx, gcpcl.FirewallInput{
-		Ingress: cloudtypes.Firewall(config.IngressFirewall),
+		Ingress: ingressRules,
-		Egress:  cloudtypes.Firewall(config.EgressFirewall),
+		Egress:  constants.EgressRules,
 	}); err != nil {
 		return state.ConstellationState{}, err
 	}
@@ -147,7 +157,7 @@ func (c *Creator) createGCP(ctx context.Context, cl gcpclient, config *config.Co
 	return cl.GetState(), nil
 }
 
-func (c *Creator) createAzure(ctx context.Context, cl azureclient, config *config.Config, insType string, controlPlaneCount, workerCount int,
+func (c *Creator) createAzure(ctx context.Context, cl azureclient, config *config.Config, insType string, controlPlaneCount, workerCount int, ingressRules cloudtypes.Firewall,
 ) (stat state.ConstellationState, retErr error) {
 	defer rollbackOnError(context.Background(), c.out, &retErr, &rollbackerAzure{client: cl})
 
@@ -162,8 +172,8 @@ func (c *Creator) createAzure(ctx context.Context, cl azureclient, config *confi
 	}
 
 	if err := cl.CreateSecurityGroup(ctx, azurecl.NetworkSecurityGroupInput{
-		Ingress: cloudtypes.Firewall(config.IngressFirewall),
+		Ingress: ingressRules,
-		Egress:  cloudtypes.Firewall(config.EgressFirewall),
+		Egress:  constants.EgressRules,
 	}); err != nil {
 		return state.ConstellationState{}, err
 	}

internal/cloud/cloudtypes/firewall.go

@@ -12,16 +12,24 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
-	"github.com/edgelesssys/constellation/internal/config"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 	computepb "google.golang.org/genproto/googleapis/cloud/compute/v1"
 	"google.golang.org/protobuf/proto"
 )
 
-type FirewallRule = config.FirewallRule
+// FirewallRule holds a single firewall rule.
+type FirewallRule struct {
+	Name        string
+	Description string
+	Protocol    string
+	IPRange     string
+	FromPort    int
+	ToPort      int
+}
 
-type Firewall config.Firewall
+// Firewall contains all firewall rules to be applied for either ingress or egress.
+type Firewall []FirewallRule
 
 func (f Firewall) GCP() ([]*computepb.Firewall, error) {
 	var fw []*computepb.Firewall

internal/config/config.go

@@ -18,7 +18,6 @@ import (
 
 	"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/internal/config/instancetypes"
-	"github.com/edgelesssys/constellation/internal/constants"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/versions"
 	"github.com/go-playground/locales/en"
@@ -46,22 +45,8 @@ type Config struct {
 	//   Size (in GB) of a node's disk to store the non-volatile state.
 	StateDiskSizeGB int `yaml:"stateDiskSizeGB" validate:"min=0"`
 	// description: |
-	//   Ingress firewall rules for node network.
+	//   DO NOT USE FOR PRODUCTION CLUSTERS: Enable debug cluster mode and use debug images. For usage, see: https://github.com/edgelesssys/constellation/blob/main/debugd/README.md
-	IngressFirewall Firewall `yaml:"ingressFirewall,omitempty" validate:"dive"`
+	DebugCluster *bool `yaml:"debugCluster" validate:"required"`
-	// description: |
-	//   Egress firewall rules for node network.
-	// examples:
-	//   - value: 'Firewall{
-	//     {
-	//       Name: "rule#1",
-	//       Description: "the first rule",
-	//       Protocol: "tcp",
-	//       IPRange: "0.0.0.0/0",
-	//       FromPort: 443,
-	//       ToPort: 443,
-	//     },
-	//   }'
-	EgressFirewall Firewall `yaml:"egressFirewall,omitempty" validate:"dive"`
 	// description: |
 	//   Supported cloud providers and their specific configurations.
 	Provider ProviderConfig `yaml:"provider" validate:"dive"`
@@ -100,29 +85,6 @@ type UserKey struct {
 	PublicKey string `yaml:"publicKey" validate:"required"`
 }
 
-type FirewallRule struct {
-	// description: |
-	//   Name of rule.
-	Name string `yaml:"name" validate:"required"`
-	// description: |
-	//   Description for rule.
-	Description string `yaml:"description"`
-	// description: |
-	//   Protocol, such as 'udp' or 'tcp'.
-	Protocol string `yaml:"protocol" validate:"required"`
-	// description: |
-	//   CIDR range for which this rule is applied.
-	IPRange string `yaml:"iprange" validate:"required"`
-	// description: |
-	//   Start port of a range.
-	FromPort int `yaml:"fromport" validate:"min=0,max=65535"`
-	// description: |
-	//   End port of a range, or 0 if a single port is given by fromport.
-	ToPort int `yaml:"toport" validate:"omitempty,gtefield=FromPort,max=65535"`
-}
-
-type Firewall []FirewallRule
-
 // ProviderConfig are cloud-provider specific configuration values used by the CLI.
 // Fields should remain pointer-types so custom specific configs can nil them
 // if not required.
@@ -234,37 +196,7 @@ func Default() *Config {
 		AutoscalingNodeGroupMin: 1,
 		AutoscalingNodeGroupMax: 10,
 		StateDiskSizeGB:         30,
-		IngressFirewall: Firewall{
+		DebugCluster:            func() *bool { b := false; return &b }(),
-			{
-				Name:        "bootstrapper",
-				Description: "bootstrapper default port",
-				Protocol:    "tcp",
-				IPRange:     "0.0.0.0/0",
-				FromPort:    constants.BootstrapperPort,
-			},
-			{
-				Name:        "ssh",
-				Description: "SSH",
-				Protocol:    "tcp",
-				IPRange:     "0.0.0.0/0",
-				FromPort:    constants.SSHPort,
-			},
-			{
-				Name:        "nodeport",
-				Description: "NodePort",
-				Protocol:    "tcp",
-				IPRange:     "0.0.0.0/0",
-				FromPort:    constants.NodePortFrom,
-				ToPort:      constants.NodePortTo,
-			},
-			{
-				Name:        "kubernetes",
-				Description: "Kubernetes",
-				Protocol:    "tcp",
-				IPRange:     "0.0.0.0/0",
-				FromPort:    constants.KubernetesPort,
-			},
-		},
 		Provider: ProviderConfig{
 			Azure: &AzureConfig{
 				SubscriptionID:       "",
@@ -538,3 +470,11 @@ func validInstanceTypeForProvider(insType string, acceptNonCVM bool, provider cl
 		return false
 	}
 }
+
+// IsDebugCluster checks whether the cluster is configured as a debug cluster.
+func (c *Config) IsDebugCluster() bool {
+	if c.DebugCluster != nil && *c.DebugCluster {
+		return true
+	}
+	return false
+}

internal/config/config_doc.go

@@ -14,7 +14,6 @@ var (
 	ConfigDoc         encoder.Doc
 	UpgradeConfigDoc  encoder.Doc
 	UserKeyDoc        encoder.Doc
-	FirewallRuleDoc   encoder.Doc
 	ProviderConfigDoc encoder.Doc
 	AzureConfigDoc    encoder.Doc
 	GCPConfigDoc      encoder.Doc
@@ -25,7 +24,7 @@ func init() {
 	ConfigDoc.Type = "Config"
 	ConfigDoc.Comments[encoder.LineComment] = "Config defines configuration used by CLI."
 	ConfigDoc.Description = "Config defines configuration used by CLI."
-	ConfigDoc.Fields = make([]encoder.Doc, 10)
+	ConfigDoc.Fields = make([]encoder.Doc, 9)
 	ConfigDoc.Fields[0].Name = "version"
 	ConfigDoc.Fields[0].Type = "string"
 	ConfigDoc.Fields[0].Note = ""
@@ -46,42 +45,35 @@ func init() {
 	ConfigDoc.Fields[3].Note = ""
 	ConfigDoc.Fields[3].Description = "Size (in GB) of a node's disk to store the non-volatile state."
 	ConfigDoc.Fields[3].Comments[encoder.LineComment] = "Size (in GB) of a node's disk to store the non-volatile state."
-	ConfigDoc.Fields[4].Name = "ingressFirewall"
+	ConfigDoc.Fields[4].Name = "debugCluster"
-	ConfigDoc.Fields[4].Type = "Firewall"
+	ConfigDoc.Fields[4].Type = "bool"
 	ConfigDoc.Fields[4].Note = ""
-	ConfigDoc.Fields[4].Description = "Ingress firewall rules for node network."
+	ConfigDoc.Fields[4].Description = "DO NOT USE FOR PRODUCTION CLUSTERS: Enable debug cluster mode and use debug images. For usage, see: https://github.com/edgelesssys/constellation/blob/main/debugd/README.md"
-	ConfigDoc.Fields[4].Comments[encoder.LineComment] = "Ingress firewall rules for node network."
+	ConfigDoc.Fields[4].Comments[encoder.LineComment] = "DO NOT USE FOR PRODUCTION CLUSTERS: Enable debug cluster mode and use debug images. For usage, see: https://github.com/edgelesssys/constellation/blob/main/debugd/README.md"
-	ConfigDoc.Fields[5].Name = "egressFirewall"
+	ConfigDoc.Fields[5].Name = "provider"
-	ConfigDoc.Fields[5].Type = "Firewall"
+	ConfigDoc.Fields[5].Type = "ProviderConfig"
 	ConfigDoc.Fields[5].Note = ""
-	ConfigDoc.Fields[5].Description = "Egress firewall rules for node network."
+	ConfigDoc.Fields[5].Description = "Supported cloud providers and their specific configurations."
-	ConfigDoc.Fields[5].Comments[encoder.LineComment] = "Egress firewall rules for node network."
+	ConfigDoc.Fields[5].Comments[encoder.LineComment] = "Supported cloud providers and their specific configurations."
-
+	ConfigDoc.Fields[6].Name = "sshUsers"
-	ConfigDoc.Fields[5].AddExample("", Firewall{{Name: "rule#1", Description: "the first rule", Protocol: "tcp", IPRange: "0.0.0.0/0", FromPort: 443, ToPort: 443}})
+	ConfigDoc.Fields[6].Type = "[]UserKey"
-	ConfigDoc.Fields[6].Name = "provider"
-	ConfigDoc.Fields[6].Type = "ProviderConfig"
 	ConfigDoc.Fields[6].Note = ""
-	ConfigDoc.Fields[6].Description = "Supported cloud providers and their specific configurations."
+	ConfigDoc.Fields[6].Description = "Create SSH users on Constellation nodes."
-	ConfigDoc.Fields[6].Comments[encoder.LineComment] = "Supported cloud providers and their specific configurations."
+	ConfigDoc.Fields[6].Comments[encoder.LineComment] = "Create SSH users on Constellation nodes."
-	ConfigDoc.Fields[7].Name = "sshUsers"
+
-	ConfigDoc.Fields[7].Type = "[]UserKey"
+	ConfigDoc.Fields[6].AddExample("", []UserKey{{Username: "Alice", PublicKey: "ssh-rsa AAAAB3NzaC...5QXHKW1rufgtJeSeJ8= alice@domain.com"}})
+	ConfigDoc.Fields[7].Name = "kubernetesVersion"
+	ConfigDoc.Fields[7].Type = "string"
 	ConfigDoc.Fields[7].Note = ""
-	ConfigDoc.Fields[7].Description = "Create SSH users on Constellation nodes."
+	ConfigDoc.Fields[7].Description = "Kubernetes version installed in the cluster."
-	ConfigDoc.Fields[7].Comments[encoder.LineComment] = "Create SSH users on Constellation nodes."
+	ConfigDoc.Fields[7].Comments[encoder.LineComment] = "Kubernetes version installed in the cluster."
-
+	ConfigDoc.Fields[8].Name = "upgrade"
-	ConfigDoc.Fields[7].AddExample("", []UserKey{{Username: "Alice", PublicKey: "ssh-rsa AAAAB3NzaC...5QXHKW1rufgtJeSeJ8= alice@domain.com"}})
+	ConfigDoc.Fields[8].Type = "UpgradeConfig"
-	ConfigDoc.Fields[8].Name = "kubernetesVersion"
-	ConfigDoc.Fields[8].Type = "string"
 	ConfigDoc.Fields[8].Note = ""
-	ConfigDoc.Fields[8].Description = "Kubernetes version installed in the cluster."
+	ConfigDoc.Fields[8].Description = "Configuration to apply during constellation upgrade."
-	ConfigDoc.Fields[8].Comments[encoder.LineComment] = "Kubernetes version installed in the cluster."
+	ConfigDoc.Fields[8].Comments[encoder.LineComment] = "Configuration to apply during constellation upgrade."
-	ConfigDoc.Fields[9].Name = "upgrade"
-	ConfigDoc.Fields[9].Type = "UpgradeConfig"
-	ConfigDoc.Fields[9].Note = ""
-	ConfigDoc.Fields[9].Description = "Configuration to apply during constellation upgrade."
-	ConfigDoc.Fields[9].Comments[encoder.LineComment] = "Configuration to apply during constellation upgrade."
 
-	ConfigDoc.Fields[9].AddExample("", UpgradeConfig{Image: "", Measurements: Measurements{}})
+	ConfigDoc.Fields[8].AddExample("", UpgradeConfig{Image: "", Measurements: Measurements{}})
 
 	UpgradeConfigDoc.Type = "UpgradeConfig"
 	UpgradeConfigDoc.Comments[encoder.LineComment] = "UpgradeConfig defines configuration used during constellation upgrade."
@@ -129,41 +121,6 @@ func init() {
 	UserKeyDoc.Fields[1].Description = "Public key of new SSH user."
 	UserKeyDoc.Fields[1].Comments[encoder.LineComment] = "Public key of new SSH user."
 
-	FirewallRuleDoc.Type = "FirewallRule"
-	FirewallRuleDoc.Comments[encoder.LineComment] = ""
-	FirewallRuleDoc.Description = ""
-	FirewallRuleDoc.Fields = make([]encoder.Doc, 6)
-	FirewallRuleDoc.Fields[0].Name = "name"
-	FirewallRuleDoc.Fields[0].Type = "string"
-	FirewallRuleDoc.Fields[0].Note = ""
-	FirewallRuleDoc.Fields[0].Description = "Name of rule."
-	FirewallRuleDoc.Fields[0].Comments[encoder.LineComment] = "Name of rule."
-	FirewallRuleDoc.Fields[1].Name = "description"
-	FirewallRuleDoc.Fields[1].Type = "string"
-	FirewallRuleDoc.Fields[1].Note = ""
-	FirewallRuleDoc.Fields[1].Description = "Description for rule."
-	FirewallRuleDoc.Fields[1].Comments[encoder.LineComment] = "Description for rule."
-	FirewallRuleDoc.Fields[2].Name = "protocol"
-	FirewallRuleDoc.Fields[2].Type = "string"
-	FirewallRuleDoc.Fields[2].Note = ""
-	FirewallRuleDoc.Fields[2].Description = "Protocol, such as 'udp' or 'tcp'."
-	FirewallRuleDoc.Fields[2].Comments[encoder.LineComment] = "Protocol, such as 'udp' or 'tcp'."
-	FirewallRuleDoc.Fields[3].Name = "iprange"
-	FirewallRuleDoc.Fields[3].Type = "string"
-	FirewallRuleDoc.Fields[3].Note = ""
-	FirewallRuleDoc.Fields[3].Description = "CIDR range for which this rule is applied."
-	FirewallRuleDoc.Fields[3].Comments[encoder.LineComment] = "CIDR range for which this rule is applied."
-	FirewallRuleDoc.Fields[4].Name = "fromport"
-	FirewallRuleDoc.Fields[4].Type = "int"
-	FirewallRuleDoc.Fields[4].Note = ""
-	FirewallRuleDoc.Fields[4].Description = "Start port of a range."
-	FirewallRuleDoc.Fields[4].Comments[encoder.LineComment] = "Start port of a range."
-	FirewallRuleDoc.Fields[5].Name = "toport"
-	FirewallRuleDoc.Fields[5].Type = "int"
-	FirewallRuleDoc.Fields[5].Note = ""
-	FirewallRuleDoc.Fields[5].Description = "End port of a range, or 0 if a single port is given by fromport."
-	FirewallRuleDoc.Fields[5].Comments[encoder.LineComment] = "End port of a range, or 0 if a single port is given by fromport."
-
 	ProviderConfigDoc.Type = "ProviderConfig"
 	ProviderConfigDoc.Comments[encoder.LineComment] = "ProviderConfig are cloud-provider specific configuration values used by the CLI."
 	ProviderConfigDoc.Description = "ProviderConfig are cloud-provider specific configuration values used by the CLI.\nFields should remain pointer-types so custom specific configs can nil them\nif not required.\n"
@@ -366,10 +323,6 @@ func (_ UserKey) Doc() *encoder.Doc {
 	return &UserKeyDoc
 }
 
-func (_ FirewallRule) Doc() *encoder.Doc {
-	return &FirewallRuleDoc
-}
-
 func (_ ProviderConfig) Doc() *encoder.Doc {
 	return &ProviderConfigDoc
 }
@@ -395,7 +348,6 @@ func GetConfigurationDoc() *encoder.FileDoc {
 			&ConfigDoc,
 			&UpgradeConfigDoc,
 			&UserKeyDoc,
-			&FirewallRuleDoc,
 			&ProviderConfigDoc,
 			&AzureConfigDoc,
 			&GCPConfigDoc,

internal/config/config_test.go

@@ -288,7 +288,6 @@ func TestConfigGeneratedDocsFresh(t *testing.T) {
 	assert.Len(ConfigDoc.Fields, reflect.ValueOf(Config{}).NumField(), updateMsg)
 	assert.Len(UpgradeConfigDoc.Fields, reflect.ValueOf(UpgradeConfig{}).NumField(), updateMsg)
 	assert.Len(UserKeyDoc.Fields, reflect.ValueOf(UserKey{}).NumField(), updateMsg)
-	assert.Len(FirewallRuleDoc.Fields, reflect.ValueOf(FirewallRule{}).NumField(), updateMsg)
 	assert.Len(ProviderConfigDoc.Fields, reflect.ValueOf(ProviderConfig{}).NumField(), updateMsg)
 	assert.Len(AzureConfigDoc.Fields, reflect.ValueOf(AzureConfig{}).NumField(), updateMsg)
 	assert.Len(GCPConfigDoc.Fields, reflect.ValueOf(GCPConfig{}).NumField(), updateMsg)
@@ -474,3 +473,36 @@ func TestValidInstanceTypeForProvider(t *testing.T) {
 		})
 	}
 }
+
+func TestIsDebugCluster(t *testing.T) {
+	testCases := map[string]struct {
+		config         *Config
+		prepareConfig  func(*Config)
+		expectedResult bool
+	}{
+		"empty config": {
+			config:         &Config{},
+			expectedResult: false,
+		},
+		"default config": {
+			config:         Default(),
+			expectedResult: false,
+		},
+		"enabled": {
+			config: Default(),
+			prepareConfig: func(conf *Config) {
+				*conf.DebugCluster = true
+			},
+			expectedResult: true,
+		},
+	}
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			if tc.prepareConfig != nil {
+				tc.prepareConfig(tc.config)
+			}
+			assert.Equal(tc.expectedResult, tc.config.IsDebugCluster())
+		})
+	}
+}

internal/constants/firewall.go

@@ -0,0 +1,60 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package constants
+
+import (
+	"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
+)
+
+var (
+	// IngressRulesNoDebug is the default set of ingress rules for a Constellation cluster without debug mode.
+	IngressRulesNoDebug = cloudtypes.Firewall{
+		{
+			Name:        "bootstrapper",
+			Description: "bootstrapper default port",
+			Protocol:    "tcp",
+			IPRange:     "0.0.0.0/0",
+			FromPort:    BootstrapperPort,
+		},
+		{
+			Name:        "ssh",
+			Description: "SSH",
+			Protocol:    "tcp",
+			IPRange:     "0.0.0.0/0",
+			FromPort:    SSHPort,
+		},
+		{
+			Name:        "nodeport",
+			Description: "NodePort",
+			Protocol:    "tcp",
+			IPRange:     "0.0.0.0/0",
+			FromPort:    NodePortFrom,
+			ToPort:      NodePortTo,
+		},
+		{
+			Name:        "kubernetes",
+			Description: "Kubernetes",
+			Protocol:    "tcp",
+			IPRange:     "0.0.0.0/0",
+			FromPort:    KubernetesPort,
+		},
+	}
+
+	// IngressRulesDebug is the default set of ingress rules for a Constellation cluster with debug mode.
+	IngressRulesDebug = append(IngressRulesNoDebug, cloudtypes.Firewall{
+		{
+			Name:        "debugd",
+			Description: "debugd",
+			Protocol:    "tcp",
+			IPRange:     "0.0.0.0/0",
+			FromPort:    DebugdPort,
+		},
+	}...)
+
+	// EgressRules is the default set of egress rules for a Constellation cluster.
+	EgressRules = cloudtypes.Firewall{}
+)