[contrib/terraform/openstack] Add k8s_allowed_remote_ips variable (#4506)
* Add k8s_allowed_remote_ips variable Useful for defining CIDRs allowed to initiate an SSH connection when you don't want to use a bastion. * Add TF_VAR_k8s_allowed_remote_ips variable to tf-apply-ovh
This commit is contained in:
parent
c5fb734098
commit
7f1d9ff543
6 changed files with 36 additions and 18 deletions
|
@ -837,3 +837,4 @@ tf-apply-ovh:
|
||||||
TF_VAR_flavor_k8s_master: "defa64c3-bd46-43b4-858a-d93bbae0a229" #s1-8
|
TF_VAR_flavor_k8s_master: "defa64c3-bd46-43b4-858a-d93bbae0a229" #s1-8
|
||||||
TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229" #s1-8
|
TF_VAR_flavor_k8s_node: "defa64c3-bd46-43b4-858a-d93bbae0a229" #s1-8
|
||||||
TF_VAR_image: "Ubuntu 18.04"
|
TF_VAR_image: "Ubuntu 18.04"
|
||||||
|
TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'
|
||||||
|
|
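Review bot: `TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]'` makes the tf-apply-ovh job open tcp/22 to the whole Internet on every master and node, because the variable feeds the new ingress rule on the `k8s` security group in modules/compute/main.tf, whereas the variable's own default in variables.tf is empty. If the runner's egress address is stable, pin it instead, e.g. `TF_VAR_k8s_allowed_remote_ips: '["<runner-egress-ip>/32"]'`; if it is not, at least mark the line so nobody copies it into a real inventory, `# CI-only: world-open SSH on a throwaway cluster; restrict to the runner CIDR when known`. Whether the job tears the cluster down afterwards is not visible here and determines how long that exposure lasts. The tf-apply-ovh job definition starts outside the hunk.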
|
@ -243,6 +243,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
|
||||||
|`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
|
|`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
|
||||||
|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
|
|`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
|
||||||
|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
|
|`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
|
||||||
|
|`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
|
||||||
|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
|
|`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
|
||||||
|
|
||||||
#### Terraform state files
|
#### Terraform state files
|
||||||
|
|
|
@ -52,6 +52,7 @@ module "compute" {
|
||||||
k8s_node_fips = "${module.ips.k8s_node_fips}"
|
k8s_node_fips = "${module.ips.k8s_node_fips}"
|
||||||
bastion_fips = "${module.ips.bastion_fips}"
|
bastion_fips = "${module.ips.bastion_fips}"
|
||||||
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
|
bastion_allowed_remote_ips = "${var.bastion_allowed_remote_ips}"
|
||||||
|
k8s_allowed_remote_ips = "${var.k8s_allowed_remote_ips}"
|
||||||
supplementary_master_groups = "${var.supplementary_master_groups}"
|
supplementary_master_groups = "${var.supplementary_master_groups}"
|
||||||
supplementary_node_groups = "${var.supplementary_node_groups}"
|
supplementary_node_groups = "${var.supplementary_node_groups}"
|
||||||
worker_allowed_ports = "${var.worker_allowed_ports}"
|
worker_allowed_ports = "${var.worker_allowed_ports}"
|
||||||
|
|
|
@ -47,6 +47,17 @@ resource "openstack_networking_secgroup_rule_v2" "k8s" {
|
||||||
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
|
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
|
||||||
|
count = "${length(var.k8s_allowed_remote_ips)}"
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = "tcp"
|
||||||
|
port_range_min = "22"
|
||||||
|
port_range_max = "22"
|
||||||
|
remote_ip_prefix = "${var.k8s_allowed_remote_ips[count.index]}"
|
||||||
|
security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
|
||||||
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_v2" "worker" {
|
resource "openstack_networking_secgroup_v2" "worker" {
|
||||||
name = "${var.cluster_name}-k8s-worker"
|
name = "${var.cluster_name}-k8s-worker"
|
||||||
description = "${var.cluster_name} - Kubernetes worker nodes"
|
description = "${var.cluster_name} - Kubernetes worker nodes"
|
||||||
|
@ -102,20 +113,17 @@ resource "openstack_compute_instance_v2" "k8s_master" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# The join() hack is described here: https://github.com/hashicorp/terraform/issues/11566
|
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
||||||
# As a workaround for creating "dynamic" lists (when, for example, no bastion host is created)
|
"${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
|
|
||||||
security_groups = ["${compact(list(
|
|
||||||
openstack_networking_secgroup_v2.k8s_master.name,
|
|
||||||
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
|
|
||||||
openstack_networking_secgroup_v2.k8s.name,
|
|
||||||
"default",
|
"default",
|
||||||
))}"]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user}"
|
ssh_user = "${var.ssh_user}"
|
||||||
kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
|
kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
|
||||||
depends_on = "${var.network_id}"
|
depends_on = "${var.network_id}"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
|
command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
|
||||||
}
|
}
|
||||||
|
@ -133,11 +141,10 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
security_groups = ["${compact(list(
|
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
||||||
openstack_networking_secgroup_v2.k8s_master.name,
|
"${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
|
"default",
|
||||||
openstack_networking_secgroup_v2.k8s.name,
|
]
|
||||||
))}"]
|
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user}"
|
ssh_user = "${var.ssh_user}"
|
||||||
|
@ -230,12 +237,10 @@ resource "openstack_compute_instance_v2" "k8s_node" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
security_groups = ["${compact(list(
|
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
||||||
openstack_networking_secgroup_v2.k8s_master.name,
|
"${openstack_networking_secgroup_v2.worker.name}",
|
||||||
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
|
|
||||||
openstack_networking_secgroup_v2.k8s.name,
|
|
||||||
"default",
|
"default",
|
||||||
))}"]
|
]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user}"
|
ssh_user = "${var.ssh_user}"
|
||||||
|
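Review bot: In the `k8s_node` hunk (`@ -230,12 +237,10`), the new security_groups list replaces `openstack_networking_secgroup_v2.worker.name` with `openstack_networking_secgroup_v2.k8s_master.name` as printed, so worker instances lose the `worker` group declared right after the new rule (presumably the group that `worker_allowed_ports` populates, e.g. the NodePort range) and instead inherit the master group's ingress rules; the line should read `openstack_networking_secgroup_v2.worker.name,`. The new `k8s_allowed_remote_ips` rule hard-codes `ethertype = "IPv4"` while `remote_ip_prefix` takes any element of the list, so an IPv6 CIDR in the variable would produce a rule Neutron rejects — either filter by address family or state in a comment above the resource that only IPv4 CIDRs are accepted and that the rule opens tcp/22 on the `k8s` group, which every master and node carries. The join() workaround also attaches the bastion security group's id to every master and node whenever a bastion exists; if that group carries its own tcp/22 rule from `bastion_allowed_remote_ips` (documented as defaulting to `0.0.0.0/0`), hosts with floating IPs become SSH-reachable from those CIDRs regardless of `k8s_allowed_remote_ips`, which is worth confirming and documenting next to the `# As a workaround` comment. The enclosing `openstack_compute_instance_v2` resources extend beyond the hunks shown.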
|
|
@ -66,6 +66,10 @@ variable "bastion_allowed_remote_ips" {
|
||||||
type = "list"
|
type = "list"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "k8s_allowed_remote_ips" {
|
||||||
|
type = "list"
|
||||||
|
}
|
||||||
|
|
||||||
variable "supplementary_master_groups" {
|
variable "supplementary_master_groups" {
|
||||||
default = ""
|
default = ""
|
||||||
}
|
}
|
||||||
|
|
|
@ -145,6 +145,12 @@ variable "bastion_allowed_remote_ips" {
|
||||||
default = ["0.0.0.0/0"]
|
default = ["0.0.0.0/0"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "k8s_allowed_remote_ips" {
|
||||||
|
description = "An array of CIDRs allowed to SSH to hosts"
|
||||||
|
type = "list"
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
variable "worker_allowed_ports" {
|
variable "worker_allowed_ports" {
|
||||||
type = "list"
|
type = "list"
|
||||||
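Review bot: The description on the new `k8s_allowed_remote_ips` variable, `"An array of CIDRs allowed to SSH to hosts"`, does not say which hosts or that it bypasses the bastion, whereas the rule it feeds in modules/compute/main.tf opens tcp/22 on the `k8s` security group attached to every master and node. Suggest `description = "IPv4 CIDRs allowed to open SSH (tcp/22) directly to every master and node via the k8s security group; leave empty to reach nodes only through the bastion"`. A reminder that the empty default is the safe choice is warranted, since the CI job in this same commit sets it to `["0.0.0.0/0"]`. With this interpolation-style (pre-0.12) syntax there is no `validation` block, so the address-family restriction can only be documented here.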
|
|
||||||
|
|