Releasing xDS-adaptor v0.9.9.1 (#34)

* Releasing xDS-adaptor v0.9.9-1

Signed-off-by: “Subash <subash.dangol@citrix.com>

Author: subashd

adsclient/ads_client.go

@@ -552,12 +552,12 @@ func (client *AdsClient) assignConfigAdaptor() error {
 	defer client.nsConfigAdaptorMux.Unlock()
 	if client.nsConfigAdaptor == nil {
 		client.nsConfigAdaptor, err = newConfigAdaptor(client.nsInfo)
-		client.certWatcher.nsConfig = client.nsConfigAdaptor
-		client.nsConfigAdaptor.watch = client.certWatcher
 		if err != nil {
 			xDSLogger.Error("assignConfigAdaptor: Could not create nsConfigAdaptor", "error", err.Error())
 			return err
 		}
+		client.certWatcher.nsConfig = client.nsConfigAdaptor
+		client.nsConfigAdaptor.watch = client.certWatcher
 		client.nsConfigAdaptor.startConfigAdaptor(client)
 	}
 	return nil

adsclient/ads_handler.go

@@ -47,7 +47,10 @@ const (
 	localHostIP         = "127.0.0.1"
 	nsLoopbackIP        = "192.0.0.2"
 	logStreamPort       = 5557 // Logstream is used for Transactional data which is used in tracing (e.g. zipkin)
+	logStreamPort5558   = 5558
 	ulfdRestPort        = 5563 // Rest port is used for time-series data which is used in Prometheus
+	licensingPort       = 27000
+	licensingPort7279   = 7279
 	defaultWeight       = 1
 	defaultMirrorWeight = 100
 	citrixEgressGateway = "citrix-egressgateway"

adsclient/nsconf_adaptor.go

@@ -147,6 +147,7 @@ func newConfigAdaptor(nsinfo *NSDetails) (*configAdaptor, error) {
 	jsonLogFormat := getBoolEnv("JSONLOG")
 	configAdaptor.client, err = netscaler.NewNitroClientFromParams(netscaler.NitroParams{Url: nsinfo.NetscalerURL, Username: nsinfo.NetscalerUsername, Password: nsinfo.NetscalerPassword, SslVerify: nsinfo.SslVerify, RootCAPath: nsinfo.RootCAPath, ServerName: nsinfo.ServerName, LogLevel: logLevel, JSONLogFormat: jsonLogFormat})
 	if err != nil {
+		xDSLogger.Error("newConfigAdaptor: Nitroclient creation failed", "error", err)
 		return nil, err
 	}
 	for {
@@ -162,6 +163,7 @@ func newConfigAdaptor(nsinfo *NSDetails) (*configAdaptor, error) {
 		if isCPX(nsinfo.NetscalerURL) {
 			err = configAdaptor.sidecarBootstrapConfig()
 			if err != nil {
+				xDSLogger.Error("newConfigAdaptor: BootstrapConfig failed", "error", err)
 				return nil, err
 			}
 		}
@@ -232,14 +234,19 @@ func (confAdaptor *configAdaptor) sidecarBootstrapConfig() error {
 		listenPolicy = listenPolicy + " && CLIENT.TCP.DSTPORT.NE(" + confAdaptor.caServerPort + ")"
 	}
 	if len(confAdaptor.analyticsServerIP) > 0 {
-		listenPolicy = listenPolicy + " && CLIENT.IP.DST.NE(" + confAdaptor.analyticsServerIP + ")"
+		// Refer https://docs.citrix.com/en-us/citrix-application-delivery-management-service/system-requirements.html#ports
+		listenPolicy = listenPolicy + " && CLIENT.IP.DST.NE(" + confAdaptor.analyticsServerIP + ")" + " && CLIENT.TCP.DSTPORT.NE(" + fmt.Sprint(logStreamPort) + ")" + " && CLIENT.TCP.DSTPORT.NE(" + fmt.Sprint(logStreamPort5558) + ")" + " && CLIENT.TCP.DSTPORT.NE(" + fmt.Sprint(ulfdRestPort) + ")"
 		configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Nsacl.Type(), ResourceName: "allowadmserver", Resource: ns.Nsacl{Aclname: "allowadmserver", Aclaction: "ALLOW", Srcip: true, Srcipval: confAdaptor.analyticsServerIP, Priority: 65537}})
+		// Identify secure Nitro port to allow Nitro traffic from ADM
+		snp, _ := nsconfigengine.GetParticularNSField(confAdaptor.client, "nsparam", "mgmthttpsport")
+		secureNitroPort := fmt.Sprintf("%v", snp)
+		configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Nsacl.Type(), ResourceName: "allownitro", Resource: ns.Nsacl{Aclname: "allownitro", Aclaction: "ALLOW", Protocol: "TCP", Destport: true, Destportval: secureNitroPort, Priority: 65540}})
+		configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Nsacl.Type(), ResourceName: "allowicmp", Resource: ns.Nsacl{Aclname: "allowicmp", Aclaction: "ALLOW", Protocol: "ICMP", Priority: 65546}})
 	}
 	if len(confAdaptor.licenseServerIP) > 0 && confAdaptor.licenseServerIP != confAdaptor.analyticsServerIP {
-		listenPolicy = listenPolicy + " && CLIENT.IP.DST.NE(" + confAdaptor.licenseServerIP + ")"
+		listenPolicy = listenPolicy + " && CLIENT.IP.DST.NE(" + confAdaptor.licenseServerIP + ")" + " && CLIENT.TCP.DSTPORT.NE(" + fmt.Sprint(licensingPort) + ")" + " && CLIENT.TCP.DSTPORT.NE(" + fmt.Sprint(licensingPort7279) + ")"
 		configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Nsacl.Type(), ResourceName: "allowlicenseserver", Resource: ns.Nsacl{Aclname: "allowlicenseserver", Aclaction: "ALLOW", Srcip: true, Srcipval: confAdaptor.licenseServerIP, Priority: 65538}})
 	}
-	// Create drop_all_vserver config
 	configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Lbvserver.Type(), ResourceName: "drop_all_vserver", Resource: lb.Lbvserver{Name: "drop_all_vserver", Servicetype: "ANY", Ipv46: "*", Port: 65535, Listenpolicy: listenPolicy}})
 	configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Nsacl.Type(), ResourceName: "denyall", Resource: ns.Nsacl{Aclname: "denyall", Aclaction: "DENY", Priority: 100000}})
 	configs = append(configs, nsconfigengine.NsConfigEntity{ResourceType: netscaler.Nsacls.Type(), ResourceName: "", Resource: ns.Nsacls{}, Operation: "apply"})

adsclient/nsconf_adaptor_test.go

@@ -105,7 +105,9 @@ func Test_bootstrapConfig(t *testing.T) {
 		configs2 := []env.VerifyNitroConfig{
 			{"nsacl", "allowadmserver", map[string]interface{}{"aclname": "allowadmserver", "aclaction": "ALLOW", "srcipval": "1.1.1.1", "priority": 65537}},
 			{"nsacl", "allowlicenseserver", map[string]interface{}{"aclname": "allowlicenseserver", "aclaction": "ALLOW", "srcipval": "1.1.1.2", "priority": 65538}},
-			{"lbvserver", "drop_all_vserver", map[string]interface{}{"name": "drop_all_vserver", "servicetype": "ANY", "ipv46": "*", "port": 65535, "listenpolicy": "CLIENT.TCP.DSTPORT.NE(15010) && CLIENT.IP.DST.NE(1.1.1.1) && CLIENT.IP.DST.NE(1.1.1.2)"}},
+			{"nsacl", "allownitro", map[string]interface{}{"aclname": "allownitro", "aclaction": "ALLOW", "protocol": "TCP", "destportval": "9443", "priority": 65540, "kernelstate": "APPLIED"}},
+			{"nsacl", "allowicmp", map[string]interface{}{"aclname": "allowicmp", "aclaction": "ALLOW", "protocol": "ICMP", "priority": 65546, "kernelstate": "APPLIED"}},
+			{"lbvserver", "drop_all_vserver", map[string]interface{}{"name": "drop_all_vserver", "servicetype": "ANY", "ipv46": "*", "port": 65535, "listenpolicy": "CLIENT.TCP.DSTPORT.NE(15010) && CLIENT.IP.DST.NE(1.1.1.1) && CLIENT.TCP.DSTPORT.NE(5557) && CLIENT.TCP.DSTPORT.NE(5558) && CLIENT.TCP.DSTPORT.NE(5563) && CLIENT.IP.DST.NE(1.1.1.2) && CLIENT.TCP.DSTPORT.NE(27000) && CLIENT.TCP.DSTPORT.NE(7279)"}},
 		}
 		configs3 := []env.VerifyNitroConfig{}
 		configs3 = append(configs, configs2...)
@@ -123,7 +125,7 @@ func Test_bootstrapConfig(t *testing.T) {
 		}
 		configs2 = []env.VerifyNitroConfig{
 			{"nsacl", "allowlicenseserver", map[string]interface{}{"aclname": "allowlicenseserver", "aclaction": "ALLOW", "srcipval": "1.1.1.2", "priority": 65538}},
-			{"lbvserver", "drop_all_vserver", map[string]interface{}{"name": "drop_all_vserver", "servicetype": "ANY", "ipv46": "*", "port": 65535, "listenpolicy": "CLIENT.TCP.DSTPORT.NE(15010) && CLIENT.TCP.DSTPORT.NE(15012) && CLIENT.IP.DST.NE(1.1.1.2)"}},
+			{"lbvserver", "drop_all_vserver", map[string]interface{}{"name": "drop_all_vserver", "servicetype": "ANY", "ipv46": "*", "port": 65535, "listenpolicy": "CLIENT.TCP.DSTPORT.NE(15010) && CLIENT.TCP.DSTPORT.NE(15012) && CLIENT.IP.DST.NE(1.1.1.2) && CLIENT.TCP.DSTPORT.NE(27000) && CLIENT.TCP.DSTPORT.NE(7279)"}},
 		}
 		configs3 = append(configs, configs2...)
 		err = env.VerifyConfigBlockPresence(configAd.client, configs3)
@@ -140,7 +142,7 @@ func Test_bootstrapConfig(t *testing.T) {
 		}
 		configs2 = []env.VerifyNitroConfig{
 			{"nsacl", "allowadmserver", map[string]interface{}{"aclname": "allowadmserver", "aclaction": "ALLOW", "srcipval": "1.1.1.1", "priority": 65537}},
-			{"lbvserver", "drop_all_vserver", map[string]interface{}{"name": "drop_all_vserver", "servicetype": "ANY", "ipv46": "*", "port": 65535, "listenpolicy": "CLIENT.TCP.DSTPORT.NE(15010) && CLIENT.IP.DST.NE(1.1.1.1)"}},
+			{"lbvserver", "drop_all_vserver", map[string]interface{}{"name": "drop_all_vserver", "servicetype": "ANY", "ipv46": "*", "port": 65535, "listenpolicy": "CLIENT.TCP.DSTPORT.NE(15010) && CLIENT.IP.DST.NE(1.1.1.1) && CLIENT.TCP.DSTPORT.NE(5557) && CLIENT.TCP.DSTPORT.NE(5558) && CLIENT.TCP.DSTPORT.NE(5563)"}},
 		}
 		configs3 = append(configs, configs2...)
 		err = env.VerifyConfigBlockPresence(configAd.client, configs3)

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/kr/pretty v0.2.1
 	github.com/openshift/api v3.9.1-0.20191008181517-e4fd21196097+incompatible
 	github.com/sirupsen/logrus v1.7.0
+	github.com/spf13/cobra v1.0.0 // indirect
 	github.com/spiffe/go-spiffe v1.0.0
 	github.com/stretchr/testify v1.7.0
 	github.com/txn2/txeh v1.3.0

go.sum

@@ -174,6 +174,7 @@ github.com/citrix/adc-nitro-go v0.0.0-20210616092114-c917a2b77ef3 h1:qc1KwolVG6G
 github.com/citrix/adc-nitro-go v0.0.0-20210616092114-c917a2b77ef3/go.mod h1:1SPLFfIOtWnKiNWEuLhRqGrEi6VxGkXt4gpWa+mhaCg=
 github.com/citrix/adc-nitro-go v0.0.0-20210701174421-a3bd5f0e580a h1:eVmWPQ/A+dk+dAVLszXUZEY5Dpuxd4pwK6peOdU6/gQ=
 github.com/citrix/adc-nitro-go v0.0.0-20210701174421-a3bd5f0e580a/go.mod h1:1SPLFfIOtWnKiNWEuLhRqGrEi6VxGkXt4gpWa+mhaCg=
+github.com/citrix/adc-nitro-go v0.0.0-20210906082353-a57db5c1f504 h1:t+zgkZvOJW9P9IwGw4SowOTGNoYxeryuN4iqC0TbL8I=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -577,6 +578,7 @@ github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=

nsconfigengine/config.go

@@ -281,3 +281,15 @@ func GetLogString(data interface{}) string {
 	m1 = regexp.MustCompile("BEGIN EC PRIVATE KEY(.*)END EC PRIVATE KEY")
 	return m1.ReplaceAllString(s, " XXX ")
 }
+
+// GetParticularNSField function will return the value for the provided fieldName from the provided resourceType.
+// If fieldName doesn't exist in resourceType, then returned value will be nil.
+func GetParticularNSField(client *netscaler.NitroClient, resourceType, fieldName string) (interface{}, error) {
+	res, err := client.FindResource(resourceType, "")
+	//[]map[string]interface{}, error = FindResourceArrayWithParams(findParams FindParams)
+	if err != nil {
+		nsconfLogger.Error("GetParticularNSField: Could not get fieldName value for resource", "resource", resourceType, "fieldName", fieldName, "error", err)
+		return nil, err
+	}
+	return res[fieldName], nil
+}