Fix opening of TCP ports on GCE for inlets-pro and update existing firewall-rules if one already exists #58
pkg/provision/gce.go
Outdated
Allowed: []*compute.FirewallAllowed{ | ||
{ | ||
IPProtocol: "tcp", | ||
Ports: []string{controlPort}, |
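Review bot: `Ports: []string{controlPort}` is the only entry under this `tcp` allow block, so the rule admits a single TCP port. If the exit node has to accept traffic on any other port, list that port here as well, or add a comment naming the other firewall rule that is expected to cover it, so the dependency is explicit and does not break silently when that other rule is changed or removed.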
I think this is incorrect, it also needs to open port 80
That's why I had an issue with it and @angelbarrera92 too
But we are already opening the port with the http-server tag on the exit node (every GCE project by default has the http-server flag, provided that the user has not deleted it, it works fine)
Do you want me to create one explicitly?
@alexellis If we're not opening the port 80 then this wouldn't have worked
I've added port `80` and `443` to the inlets firewall rule now. I would've added this in the beginning but have been reluctant to do so because the firewall rules in GCE have a priority number (defaults to 1000), I didn't want to create a conflict with some locked down systems where they block ingress with a much lower priority number (means firewall-rule has higher priority) and then have inconsistent behaviour. So left this decision to the user assuming most users never delete the default firewall-rules, as we're assuming that the user might not have deleted the `default` network. If a user deletes the `default` network then that would cause problems too.
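The priority concern raised in the comment above, as an added example that is not part of the original thread or the inletsctl code base: a small evaluator showing how a deny rule with a lower priority number shadows an allow rule at the default 1000. The `Rule` type, `Decide` function and rule names are hypothetical, and the model ignores source ranges and target tags.

```go
package main

import "fmt"

// Rule is a simplified, hypothetical model of a GCE ingress rule (not compute.Firewall).
type Rule struct {
	Name     string
	Priority int   // lower number = higher priority; GCE default is 1000
	Allow    bool  // false = deny rule
	Ports    []int // TCP ports matched; empty = all TCP ports
}

func (r Rule) matches(port int) bool {
	for _, p := range r.Ports {
		if p == port {
			return true
		}
	}
	return len(r.Ports) == 0
}

// Decide returns the verdict and deciding rule: lowest number wins, deny wins a tie.
func Decide(rules []Rule, port int) (bool, string) {
	var win *Rule
	for i := range rules {
		r := &rules[i]
		if !r.matches(port) {
			continue
		}
		if win == nil || r.Priority < win.Priority ||
			(r.Priority == win.Priority && win.Allow && !r.Allow) {
			win = r
		}
	}
	if win == nil {
		return false, "implied-deny-ingress" // GCE's built-in ingress deny
	}
	return win.Allow, win.Name
}

func main() {
	// Constructed rules: the inlets rule at default priority plus a stricter deny.
	rules := []Rule{
		{Name: "inlets", Priority: 1000, Allow: true, Ports: []int{8080, 80}},
		{Name: "lockdown-deny-all", Priority: 900, Allow: false},
	}
	ok, by := Decide(rules, 80)
	fmt.Println(ok, by)
}
```

Running the same check against the live rule set before creating or updating the `inlets` rule would surface a shadowing deny up front, where otherwise it shows up later as an unreachable exit node.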
`443` is not required because it's not proxied by default for inlets OSS, only 8080 (control) and (80) is what should be done.
I think you're missing a port for inlets OSS.
This PR will now allow for all TCP traffic through the inlets-pro exit node

If a firewall-rule for inlets or inlets-pro named 'inlets' already exists, then it will update the firewall-rule with the required rules depending on the user using the `--remote-tcp` flag (inlets-pro) or not in `inletsctl create` command

Fixes inlets#44
Fixes inlets#56

Signed-off-by: Utsav Anand <[email protected]>
55d04cb to a94db3e
Approved
Fix opening of TCP ports on GCE for inlets-pro and update existing firewall-rules if one already exists
Fixes #44
Fixes #56
Signed-off-by: Utsav Anand [email protected]
Description
This PR will now allow for all TCP traffic through the inlets-pro exit node
If a firewall-rule for inlets or inlets-pro named 'inlets' already exists, then it will update the firewall-rule with the required rules depending on the user using the `--remote-tcp` flag (inlets-pro) or not in `inletsctl create` command
How Has This Been Tested?
Here is an unedited screenshot depicting the update of the `inlets` firewall-rule and the curl to the exit nodes provisioned with inlets-OSS and inlets-pro running
![Screenshot 2020-02-09 at 5 14 25 PM](https://user-images.githubusercontent.com/25264581/74101589-649ad100-4b61-11ea-8b3f-bb53999f6c92.png)
![Screenshot 2020-02-09 at 5 09 23 PM](https://user-images.githubusercontent.com/25264581/74101596-6c5a7580-4b61-11ea-82fa-6599dcb3f858.png)
![Screenshot 2020-02-09 at 5 13 45 PM](https://user-images.githubusercontent.com/25264581/74101600-77150a80-4b61-11ea-9e5e-f06653e68309.png)
How are existing users impacted? What migration steps/scripts do we need?
Users will be able to switch between using inlets and inlets-pro through inletsctl without manually updating the firewall rules.
Checklist:
I have:
git commit -s