Add enable_asg_syncing property to vxlan-policy-agent

Signed-off-by: Geoff Franks <gfranks@vmware.com>
cloudfoundry · Feb 23, 2022 · 309e0de · 309e0de
1 parent 16e1d25
commit 309e0de
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 1 deletion.
diff --git a/jobs/vxlan-policy-agent/spec b/jobs/vxlan-policy-agent/spec
@@ -45,6 +45,10 @@ properties:
     description: "The VXLAN policy agent queries the policy server on this interval in seconds and updates local policy rules."
     default: 5
 
+  enable_asg_syncing:
+    description: "Enable dynamic updates to ASG rules for running containers"
+    default: true
+
   asg_poll_interval_seconds:
     description: "The VXLAN policy agent queries the policy server on this interval in seconds and updates local security groups rules."
     default: 60

diff --git a/jobs/vxlan-policy-agent/templates/vxlan-policy-agent.json.erb b/jobs/vxlan-policy-agent/templates/vxlan-policy-agent.json.erb
@@ -8,6 +8,7 @@
       'iptables_asg_logging' => link('cni_config').p('iptables_logging'),
       'iptables_accepted_udp_logs_per_sec' => p('iptables_accepted_udp_logs_per_sec'),
       'poll_interval' => p('policy_poll_interval_seconds'),
+      'enable_asg_syncing' => p('enable_asg_syncing'),
       'asg_poll_interval' => p('asg_poll_interval_seconds'),
       'iptables_denied_logs_per_sec' => link('cni_config').p('iptables_denied_logs_per_sec'),
       'deny_networks' => {

diff --git a/spec/vxlan-policy-agent/vxlan-policy-agent_spec.rb b/spec/vxlan-policy-agent/vxlan-policy-agent_spec.rb
@@ -16,6 +16,7 @@ module Bosh::Template::Test
           'iptables_accepted_udp_logs_per_sec' => 33,
           'policy_poll_interval_seconds' => 22,
           'asg_poll_interval_seconds' => 66,
+          'enable_asg_syncing' => false,
           'policy_server' => {
             'hostname' => 'policy-server-hostname',
             'internal_listent_port' => 234,
@@ -80,6 +81,7 @@ module Bosh::Template::Test
               'enable_overlay_ingress_rules' => true,
               'policy_server_url' => 'https://policy-server-hostname:4003',
               'poll_interval' => 22,
+              'enable_asg_syncing' => false,
               'asg_poll_interval' => 66,
               'vni' => 1,
               'force_policy_poll_cycle_host' => '127.0.0.1',

diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go b/src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go
@@ -236,11 +236,14 @@ func main() {
 	members := grouper.Members{
 		{"metrics_emitter", metricsEmitter},
 		{"policy_poller", policyPoller},
-		{"asg_poller", asgPoller},
 		{"debug-server", debugServer},
 		{"force-policy-poll-cycle-server", forcePolicyPollCycleServer},
 	}
 
+	if conf.EnableASGSyncing {
+		members = append(members, grouper.Member{"asg_poller", asgPoller})
+	}
+
 	monitor := ifrit.Invoke(sigmon.New(grouper.NewOrdered(os.Interrupt, members)))
 	logger.Info("starting")
 	err = <-monitor.Wait()

diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/config/config.go b/src/code.cloudfoundry.org/vxlan-policy-agent/config/config.go
@@ -12,6 +12,7 @@ import (
 
 type VxlanPolicyAgent struct {
 	PollInterval                  int                       `json:"poll_interval" validate:"nonzero"`
+	EnableASGSyncing              bool                      `json:"enable_asg_syncing" default:true`
 	ASGPollInterval               int                       `json:"asg_poll_interval" validate:"min=1" default:"60"`
 	Datastore                     string                    `json:"cni_datastore_path" validate:"nonzero"`
 	PolicyServerURL               string                    `json:"policy_server_url" validate:"min=1"`