From fa2286e5b703fb4dc0e38b305f30b80da1ecc388 Mon Sep 17 00:00:00 2001
From: Jonathan Juares Beber <jonathanbeber@gmail.com>
Date: Mon, 25 Jan 2021 11:40:24 +0100
Subject: [PATCH] Deprecate kubernetes-enable-east-west feature (#1692)

With #1676 our approach to East-West traffic relies on Kubernetes
objects, Ingresses and RouteGroups, explicitly defining internal
hostnames instead of Skipper adding it automatically. This way, each
application can decide whether it accepts just internal traffic.

This commit deprecates the previous feature handling East-West traffic,
marking it as deprecated on the CLI help, raising a warning message when
used and updating the documentation. On the documentation, it marks the
old feature as deprecated with an `Attention` note, as well as, updates
any reference and tutorials to East-West traffic, suggesting the usage
of the East-West Range feature.

Signed-off-by: Jonathan Juares Beber <jonathanbeber@gmail.com>
---
 config/config.go                      |  8 +++-
 dataclients/kubernetes/kube.go        |  5 ++-
 docs/kubernetes/east-west-usage.md    | 61 +++++++++++++++++++++++----
 docs/kubernetes/ingress-controller.md | 49 +++++++++++++++------
 docs/tutorials/operations.md          |  4 ++
 skipper.go                            |  4 +-
 6 files changed, 105 insertions(+), 26 deletions(-)

diff --git a/config/config.go b/config/config.go
index 373a75eff0..030cf372d8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -365,8 +365,8 @@ const (
 	whitelistedHealthCheckCIDRUsage        = "sets the iprange/CIDRS to be whitelisted during healthcheck"
 	kubernetesPathModeUsage                = "controls the default interpretation of Kubernetes ingress paths: <kubernetes-ingress|path-regexp|path-prefix>"
 	kubernetesNamespaceUsage               = "watch only this namespace for ingresses"
-	kubernetesEnableEastWestUsage          = "enables east-west communication, which automatically adds routes for Ingress objects with hostname <name>.<namespace>.skipper.cluster.local"
-	kubernetesEastWestDomainUsage          = "set the east-west domain, defaults to .skipper.cluster.local"
+	kubernetesEnableEastWestUsage          = "*Deprecated*: use -kubernetes-east-west-range feature. Enables east-west communication, which automatically adds routes for Ingress objects with hostname <name>.<namespace>.skipper.cluster.local"
+	kubernetesEastWestDomainUsage          = "set the east-west domain. *Deprecated*: use -kubernetes-east-west-range feature. Defaults to .skipper.cluster.local"
 	kubernetesEastWestRangeDomainsUsage    = "set the the cluster internal domains for east west traffic. Identified routes to such domains will include the -kubernetes-east-west-range-predicates"
 	kubernetesEastWestRangePredicatesUsage = "set the predicates that will be appended to routes identified as to -kubernetes-east-west-range-domains"
 
@@ -699,6 +699,10 @@ func (c *Config) Parse() error {
 		return err
 	}
 
+	if c.KubernetesEnableEastWest {
+		log.Warn(`"kubernetes-enable-east-west" parameter is deprecated. Check the "kubernetes-east-west-range" feature`)
+	}
+
 	kubernetesEastWestRangePredicates, err := eskip.ParsePredicates(c.KubernetesEastWestRangePredicatesString)
 	if err != nil {
 		return fmt.Errorf("invalid east-west-range-predicates: %w", err)
diff --git a/dataclients/kubernetes/kube.go b/dataclients/kubernetes/kube.go
index 1bec4394a6..078b94d5d4 100644
--- a/dataclients/kubernetes/kube.go
+++ b/dataclients/kubernetes/kube.go
@@ -92,7 +92,7 @@ type Options struct {
 	// in the cluster-scope.
 	KubernetesNamespace string
 
-	// KubernetesEnableEastWest if set adds automatically routes
+	// *DEPRECATED* KubernetesEnableEastWest if set adds automatically routes
 	// with "%s.%s.skipper.cluster.local" domain pattern
 	KubernetesEnableEastWest bool
 
@@ -149,7 +149,8 @@ type Options struct {
 	// specify it with an annotation.
 	PathMode PathMode
 
-	// KubernetesEastWestDomain sets the DNS domain to be used for east west traffic, defaults to "skipper.cluster.local"
+	// *DEPRECATED *KubernetesEastWestDomain sets the DNS domain to be
+	// used for east west traffic, defaults to "skipper.cluster.local"
 	KubernetesEastWestDomain string
 
 	// KubernetesEastWestRangeDomains set the the cluster internal domains for
diff --git a/docs/kubernetes/east-west-usage.md b/docs/kubernetes/east-west-usage.md
index ec187ffd54..1fd009cc10 100644
--- a/docs/kubernetes/east-west-usage.md
+++ b/docs/kubernetes/east-west-usage.md
@@ -4,9 +4,8 @@ If you run Skipper with an [East-West
 setup](ingress-controller.md#run-as-api-gateway-with-east-west-setup),
 you can use the configured ingress also to do service-to-service
 calls, bypassing your ingress loadbalancer and stay inside the
-cluster. It depends on the configuration, but the default is that you
-can connect via HTTP to  `<name>.<namespace>.skipper.cluster.local`
-to your application based on the ingress configuration.
+cluster. You can connect via HTTP to your application based on its
+ingress configuration.
 
 Example:
 
@@ -18,7 +17,7 @@ metadata:
   namespace: default
 spec:
   rules:
-  - host: demo.example.org
+  - host: demo.skipper.cluster.local
     http:
       paths:
       - backend:
@@ -26,7 +25,7 @@ spec:
           servicePort: 80
 ```
 
-Or as a [RouteGroup](../routegroups/):
+Or as a [RouteGroup](./routegroups.md):
 
 ```yaml
 apiVersion: zalando.org/v1
@@ -36,7 +35,7 @@ metadata:
   namespace: default
 spec:
   hosts:
-  - demo.example.org
+  - demo.skipper.cluster.local
   backends:
   - name: backend
     type: service
@@ -47,11 +46,57 @@ spec:
 ```
 
 Your clients inside the cluster should call this example with
-`demo.default.skipper.cluster.local` in their host header. Example
+`demo.skipper.cluster.local` in their host header. Example
 from inside a container:
 
 ```
-curl http://demo.default.skipper.cluster.local/
+curl http://demo.skipper.cluster.local/
+```
+
+You can also use the same ingress or RouteGroup object to accept
+internal and external traffic:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: demo
+  namespace: default
+spec:
+  rules:
+  - host: demo.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: example
+          servicePort: 80
+  - host: demo.skipper.cluster.local
+    http:
+      paths:
+      - backend:
+          serviceName: example
+          servicePort: 80
+```
+
+Or, again, as a [RouteGroup](./routegroups.md):
+
+```yaml
+apiVersion: zalando.org/v1
+kind: RouteGroup
+metadata:
+  name: demo
+  namespace: default
+spec:
+  hosts:
+  - demo.skipper.cluster.local
+  - demo.example.com
+  backends:
+  - name: backend
+    type: service
+    serviceName: example
+    servicePort: 80
+  defaultBackends:
+  - backendName: backend
 ```
 
 Metrics will change, because skipper stores metrics per HTTP Host
diff --git a/docs/kubernetes/ingress-controller.md b/docs/kubernetes/ingress-controller.md
index 4a3866370f..b884fc8775 100644
--- a/docs/kubernetes/ingress-controller.md
+++ b/docs/kubernetes/ingress-controller.md
@@ -468,16 +468,31 @@ Check the repository if you need more configuration possibilities.
 ## Run as API Gateway with East-West setup
 
 East-West means cluster internal service-to-service communication.
-For this you need to resolve DNS to skipper for an additional domain
-`.skipper.cluster.local` we introduce and add HTTP routes to route to
-the specified backend from your normal ingress object.
+For this you need to resolve DNS to skipper for one or more additional
+domains of your choice. When Ingress or RouteGroup objects specify such
+domains Skipper will add the configured predicates.
 
 ### Skipper
 
 To enable the East-West in skipper, you need to run skipper with
-`-enable-kubernetes-east-west` enabled. Skipper will duplicate all
-routes with a `Host()` predicate and change it to match the host
-header scheme: `<name>.<namespace>.skipper.cluster.local`.
+`-kubernetes-east-west-range-domains` and
+`-kubernetes-east-west-range-predicates` configuration flags. Check the
+[East West Range](../tutorials/operations.md#east-west-range) feature.
+Skipper will analyze all routes from Kubernetes objects and, the
+identified East-West routes will have the predicates specified appended.
+
+For example, for running skipper with the `skipper.cluster.local`
+domain, and setting East-West routes to accept just internal traffic,
+use the following config:
+
+```
+skipper \
+  -kubernetes-east-west-range-domains="skipper.cluster.local" \
+  -kubernetes-east-west-range-predicates='ClientIP("10.2.0.0/16")'
+```
+
+It assumes 10.2.0.0/16 is your PODs' CIDR, you have to change it
+accordingly to your environment.
 
 You need also to have a kubernetes service type ClusterIP and write
 down the IP (p.e. `10.3.11.28`), which you will need in CoreDNS setup.
@@ -511,9 +526,8 @@ Corefile example:
 
 ### Usage
 
-If the setup was done correctly, the following ingress example will
-create an internal route with
-`Host(/^demo[.]default[.]skipper[.]cluster[.]local)` predicate:
+If the setup is correct, skipper will protect the following ingress
+example with the `ClientIP` predicate:
 
 ```
 apiVersion: extensions/v1beta1
@@ -523,7 +537,7 @@ metadata:
   namespace: default
 spec:
   rules:
-  - host: demo.example.org
+  - host: demo.skipper.cluster.local
     http:
       paths:
       - backend:
@@ -532,13 +546,24 @@ spec:
 ```
 
 Your clients inside the cluster should call this example with
-`demo.default.skipper.cluster.local` in their host header. Example
+`demo.skipper.cluster.local` in their host header. Example
 from inside a container:
 
 ```
-curl demo.default.skipper.cluster.local
+curl demo.skipper.cluster.local
 ```
 
+Skipper won't accept traffic from any IP outside of the configured
+network CIDR.
+
+!!! note
+    Depending on your environment, you might want to allow traffic not
+    just from the PODs' CIDR, but, also, from your nodes' CIDR. When doing
+    so, pay attention to do not allow traffic from your LoadBalancer
+    and, by consequence, external traffic. You can use different
+    combinations of predicates like `ClientIP` and `SourceFromLast` to
+    achieve the desired protection.
+
 ## Running with Cluster Ratelimits
 
 Cluster ratelimits require a communication exchange method to build a
diff --git a/docs/tutorials/operations.md b/docs/tutorials/operations.md
index 42b23e369f..4eb5ad16ac 100644
--- a/docs/tutorials/operations.md
+++ b/docs/tutorials/operations.md
@@ -105,6 +105,10 @@ because storing the data in memory is good enough for this use case.
 
 #### East West
 
+!!! attention
+    This feature is deprecated. Consider using [EastWest
+    Range](#east-west-range).
+
 Skipper supports cluster internal service-to-service communication as
 part of running as an [API Gateway with an East-West
 setup](../../kubernetes/ingress-controller/#run-as-api-gateway-with-east-west-setup).
diff --git a/skipper.go b/skipper.go
index e864924563..1ae07e24db 100644
--- a/skipper.go
+++ b/skipper.go
@@ -189,10 +189,10 @@ type Options struct {
 	// in the cluster-scope.
 	KubernetesNamespace string
 
-	// KubernetesEnableEastWest enables cluster internal service to service communication, aka east-west traffic
+	// *DEPRECATED* KubernetesEnableEastWest enables cluster internal service to service communication, aka east-west traffic
 	KubernetesEnableEastWest bool
 
-	// KubernetesEastWestDomain sets the cluster internal domain used to create additional routes in skipper, defaults to skipper.cluster.local
+	// *DEPRECATED* KubernetesEastWestDomain sets the cluster internal domain used to create additional routes in skipper, defaults to skipper.cluster.local
 	KubernetesEastWestDomain string
 
 	// KubernetesEastWestRangeDomains set the the cluster internal domains for