spinnaker: [GCE] Firewall rules are duplicated when using Shared VPC
Issue Summary:
When using the shared VPC model within GCP, firewall rules are seemingly "duplicated" for every host project you have connected. This causes a significant increase in the number of firewall rules Spinnaker is storing.
Cloud Provider(s):
- Google/GCE
Environment:
Spinnaker 1.13 with Host/Service Projects
Feature Area (if this issue is UI/UX related, please tag @spinnaker/ui-ux-team):
Clouddriver/Redis
Description:
Firewall rules are duplicated across host projects when using Shared VPC inside of GCP with Spinnaker. This results in an 8x increase in firewall rules in Spinnaker (there are 16,000 securityGroups but only 1,900 actually in existence). The core of the problem seems to be how our firewall rules are created and hosted inside of GCP. We have a few different host projects that store all firewall rules, and then service projects to which they apply. This case is already handled in Spinnaker here, where our shared rules fall into the firewallProject/firewallName convention for their ID. The problem with this is that the rule looks like it exists for every single service project, instead of just the ones it applies to.
I would expect that Spinnaker would only show the firewall rule once, instead of once per service project. I think in this case, if firewallProject != currentProject, we should drop the rule out of Spinnaker and only show the rule in the firewallProject.
To try and get a quick fix in, I tried filtering the firewall lists that get called around this file to only return a unique list, but since most of the securityGroup functions are called once per Spinnaker project, the list is always unique already. Because of this we likely need to change how the data is actually cached in Redis, rather than changing the view.
Steps to Reproduce:
- Set up a host/service project configuration inside of GCP with a few service projects
- Add firewall rules to the host project and confirm you can see them in the service projects
- Add all projects into Spinnaker accounts
- Verify there are duplicate securityGroups in the /securityGroups endpoint.
Additional Details:
N/A
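To make the counting in the report concrete, the following is an added example, not Spinnaker's (clouddriver's) own code. It models the per-account caching the issue describes with a constructed Shared VPC layout: one host project owning the shared rules, three service projects that can see them, and one service project with a rule of its own. Project names, rule names, and the simplification that a Spinnaker account name equals its GCP project ID are all assumptions made for the illustration. Besides showing how the naive cache multiplies shared rules by the number of accounts that see them, it checks the caveat of the proposed firewallProject != currentProject filter: if the owning host project is not itself onboarded as a Spinnaker account, the shared rule disappears from Spinnaker entirely rather than being shown once.

```python
"""Model of Shared VPC firewall-rule duplication in a per-account cache.

Added example; it is not code from Spinnaker/clouddriver. All project and
rule names below are constructed for the illustration.
"""

# Constructed layout: one host project that owns the shared rules, and three
# service projects attached to its Shared VPC. Assumption: Spinnaker account
# name == GCP project ID, so "currentProject" is just the account string.
HOST = "host-prod"
SERVICE_PROJECTS = ["svc-a", "svc-b", "svc-c"]

# (firewallProject, firewallName) as the API reports them. Shared rules are
# reported under the host project's name no matter who lists them.
SHARED_RULES = [(HOST, "allow-internal"), (HOST, "allow-ssh-bastion")]
# A service project may also own rules on networks local to it (constructed).
LOCAL_RULES = {"svc-b": [("svc-b", "allow-health-checks")]}


def rules_visible_from(project):
    """Rules a project sees when listing firewall rules for networks it can use.

    Assumption: the host project sees only the shared rules it owns; each
    service project sees the shared rules plus its own local rules.
    """
    if project == HOST:
        return list(SHARED_RULES)
    return list(SHARED_RULES) + LOCAL_RULES.get(project, [])


def cache_naive(accounts):
    """Per-account caching as the issue describes: every account stores every
    rule it can see, keyed by the firewallProject/firewallName convention.
    A shared rule therefore lands in the cache once per account that sees it."""
    cache = []
    for acct in accounts:
        for fw_project, fw_name in rules_visible_from(acct):
            cache.append({"account": acct, "id": f"{fw_project}/{fw_name}"})
    return cache


def cache_filtered(accounts):
    """Proposed fix from the issue: drop a rule from an account unless the
    rule's firewallProject is that account's own project."""
    return [e for e in cache_naive(accounts)
            if e["id"].split("/", 1)[0] == e["account"]]


def distinct_ids(entries):
    """The set of real rules represented by a cache, ignoring duplicates."""
    return {e["id"] for e in entries}


def dropped_by_filter(accounts):
    """Caveat check: rules the filter hides from Spinnaker altogether because
    no configured account owns them (the host project is not an account)."""
    return distinct_ids(cache_naive(accounts)) - distinct_ids(cache_filtered(accounts))


if __name__ == "__main__":
    all_accounts = [HOST] + SERVICE_PROJECTS
    naive = cache_naive(all_accounts)
    print(f"naive cache entries: {len(naive)}, real rules: {len(distinct_ids(naive))}")
    print(f"filtered cache entries: {len(cache_filtered(all_accounts))}")
    print(f"dropped with host onboarded: {dropped_by_filter(all_accounts)}")
    print(f"dropped without host onboarded: {dropped_by_filter(SERVICE_PROJECTS)}")
```

With all four accounts configured, the naive cache holds nine entries for three real rules, and the filter brings it back to exactly three, one per owning project. With only the service projects configured, the filter leaves just the local svc-b rule and both shared host rules vanish, so the filter is only safe when every host project that owns shared rules is also a Spinnaker account.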
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 15 (7 by maintainers)
Have an initial WIP to fix the issue here, but the refactor breaks implicit contracts with the UI in the security group API, which will need to be worked out.
FYI @plumpy @maggieneterval