check if firewall is connected to VPN (#336)

metal-stack · Sep 23, 2022 · b1760b9 · b1760b9
1 parent 2d5507a
commit b1760b9
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 3 deletions.
diff --git a/cmd/metal-api/internal/headscale/client.go b/cmd/metal-api/internal/headscale/client.go
@@ -119,6 +119,30 @@ func (h *HeadscaleClient) CreatePreAuthKey(namespace string, expiration time.Tim
 	return resp.PreAuthKey.Key, nil
 }
 
+func (h *HeadscaleClient) DescribeMachine(machineid, projectID string) (connected bool, err error) {
+	req := &headscalev1.ListMachinesRequest{
+		Namespace: projectID,
+	}
+	resp, err := h.client.ListMachines(h.ctx, req)
+	if err != nil || resp == nil {
+		return false, fmt.Errorf("failed to list machines: %w", err)
+	}
+
+	for _, m := range resp.Machines {
+		if m.Name == machineid {
+			if m.LastSeen.AsTime().After(
+				time.Now().Add(-5 * time.Minute),
+			) {
+				connected = true
+			}
+
+			return
+		}
+	}
+
+	return false, nil
+}
+
 // Close client
 func (h *HeadscaleClient) Close() error {
 	h.cancelFunc()

diff --git a/cmd/metal-api/internal/service/firewall-service.go b/cmd/metal-api/internal/service/firewall-service.go
@@ -135,7 +135,16 @@ func (r *firewallResource) findFirewall(request *restful.Request, response *rest
 		return
 	}
 
-	resp, err := makeFirewallResponse(fw, r.ds)
+	var connected bool
+	if fw.Allocation != nil && r.headscaleClient != nil {
+		connected, err = r.headscaleClient.DescribeMachine(fw.ID, fw.Allocation.Project)
+		if err != nil {
+			r.sendError(request, response, defaultError(err))
+			return
+		}
+	}
+
+	resp, err := makeFirewallResponse(fw, connected, r.ds)
 	if err != nil {
 		r.sendError(request, response, defaultError(err))
 		return
@@ -254,12 +263,16 @@ func (r firewallResource) setVPNConfigInSpec(allocationSpec *machineAllocationSp
 	return nil
 }
 
-func makeFirewallResponse(fw *metal.Machine, ds *datastore.RethinkStore) (*v1.FirewallResponse, error) {
+func makeFirewallResponse(fw *metal.Machine, connectedToVPN bool, ds *datastore.RethinkStore) (*v1.FirewallResponse, error) {
 	ms, err := makeMachineResponse(fw, ds)
 	if err != nil {
 		return nil, err
 	}
 
+	if ms.VPN == nil {
+		ms.VPN = &v1.MachineVPN{}
+	}
+	ms.VPN.Connected = connectedToVPN
 	return &v1.FirewallResponse{MachineResponse: *ms}, nil
 }
 

diff --git a/cmd/metal-api/internal/service/v1/machine.go b/cmd/metal-api/internal/service/v1/machine.go
@@ -22,6 +22,7 @@ type MachineBase struct {
 	Liveliness               string                          `json:"liveliness" description:"the liveliness of this machine"`
 	RecentProvisioningEvents MachineRecentProvisioningEvents `json:"events" description:"recent events of this machine during provisioning"`
 	Tags                     []string                        `json:"tags" description:"tags for this machine"`
+	VPN                      *MachineVPN                     `json:"vpn" description:"vpn connection info for machine" optional:"true"`
 }
 
 type MachineAllocation struct {
@@ -245,6 +246,7 @@ type MachineAbortReinstallRequest struct {
 type MachineVPN struct {
 	ControlPlaneAddress string `json:"address" description:"address of VPN control plane"`
 	AuthKey             string `json:"auth_key" description:"auth key used to connect to VPN"`
+	Connected           bool   `json:"connected" description:"connected to the VPN"`
 }
 
 func NewMetalMachineHardware(r *MachineHardware) metal.MachineHardware {

diff --git a/spec/metal-api.json b/spec/metal-api.json
@@ -1204,6 +1204,10 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "vpn": {
+          "$ref": "#/definitions/v1.MachineVPN",
+          "description": "vpn connection info for machine"
         }
       },
       "required": [
@@ -1982,6 +1986,10 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "vpn": {
+          "$ref": "#/definitions/v1.MachineVPN",
+          "description": "vpn connection info for machine"
         }
       },
       "required": [
@@ -2454,6 +2462,10 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "vpn": {
+          "$ref": "#/definitions/v1.MachineVPN",
+          "description": "vpn connection info for machine"
         }
       },
       "required": [
@@ -2782,6 +2794,10 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "vpn": {
+          "$ref": "#/definitions/v1.MachineVPN",
+          "description": "vpn connection info for machine"
         }
       },
       "required": [
@@ -2883,11 +2899,16 @@
         "auth_key": {
           "description": "auth key used to connect to VPN",
           "type": "string"
+        },
+        "connected": {
+          "description": "connected to the VPN",
+          "type": "boolean"
         }
       },
       "required": [
         "address",
-        "auth_key"
+        "auth_key",
+        "connected"
       ]
     },
     "v1.Meta": {