C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #3629 from holmsten/terraform-ops-worker-allowed-ports

Browse source 
[contrib/terraform/openstack] Allow user defined port ranges for worker security group
This commit is contained in:
Aivars Sterns 2018-11-03 17:52:00 +02:00 committed by GitHub
commit 3c5f20190f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 23 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
contrib/terraform/openstack/README.md
View file

@ -242,6 +242,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
|`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. | |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. | |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default | |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
#### Terraform state files #### Terraform state files

1
contrib/terraform/openstack/kubespray.tf
View file

@ -54,6 +54,7 @@ module "compute" {
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}" bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
supplementary_master_groups = "${var.supplementary_master_groups}" supplementary_master_groups = "${var.supplementary_master_groups}"
supplementary_node_groups = "${var.supplementary_node_groups}" supplementary_node_groups = "${var.supplementary_node_groups}"
worker_allowed_ports = "${var.worker_allowed_ports}"
network_id = "${module.network.router_id}" network_id = "${module.network.router_id}"
} }

9
contrib/terraform/openstack/modules/compute/main.tf
View file

@ -52,12 +52,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
} }
resource "openstack_networking_secgroup_rule_v2" "worker" { resource "openstack_networking_secgroup_rule_v2" "worker" {
count = "${length(var.worker_allowed_ports)}"
direction = "ingress" direction = "ingress"
ethertype = "IPv4" ethertype = "IPv4"
protocol = "tcp" protocol = "${lookup(var.worker_allowed_ports[count.index], "protocol", "tcp")}"
port_range_min = "30000" port_range_min = "${lookup(var.worker_allowed_ports[count.index], "port_range_min")}"
port_range_max = "32767" port_range_max = "${lookup(var.worker_allowed_ports[count.index], "port_range_max")}"
remote_ip_prefix = "0.0.0.0/0" remote_ip_prefix = "${lookup(var.worker_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")}"
security_group_id = "${openstack_networking_secgroup_v2.worker.id}" security_group_id = "${openstack_networking_secgroup_v2.worker.id}"
} }

4
contrib/terraform/openstack/modules/compute/variables.tf
View file

@ -73,3 +73,7 @@ variable "supplementary_master_groups" {
variable "supplementary_node_groups" { variable "supplementary_node_groups" {
default = "" default = ""
} }
variable "worker_allowed_ports" {
type = "list"
}

12
contrib/terraform/openstack/variables.tf
View file

@ -144,3 +144,15 @@ variable "bastion_allowed_remote_ips" {
type = "list" type = "list"
default = ["0.0.0.0/0"] default = ["0.0.0.0/0"]
} }
variable "worker_allowed_ports" {
type = "list"
default = [
{
"protocol" = "tcp"
"port_range_min" = 30000
"port_range_max" = 32767
"remote_ip_prefix" = "0.0.0.0/0"
}
]
}