Sync changes that been corrected in prod but not in test.

2025-04-11 07:24:53 +02:00 · 2025-04-11 07:24:53 +02:00 · f039d710c2
commit f039d710c2
parent 4de56d13f5
4 changed files with 132 additions and 4 deletions
--- a/kubernetes.tf
+++ b/kubernetes.tf
@ -203,7 +203,7 @@ resource "openstack_compute_instance_v2" "controller-nodes" {
  name            = "${var.controller_name}-${count.index}.${var.dns_suffix}"
  flavor_name     = "${var.controller_instance_type}"
  key_pair        = "mifr-yubi"
-  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world", "naemon"]
  

  block_device {
@ -226,7 +226,7 @@ resource "openstack_compute_instance_v2" "worker-nodes" {
  name            = "${var.worker_name}-${count.index}.${var.dns_suffix}"
  flavor_name     = "${var.worker_instance_type}"
  key_pair        = "mifr-yubi"
-  security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+  security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world", "naemon"]

  block_device {
    uuid                  = "5d24aca9-11be-4de1-9770-4a097d68f361"
--- a/main.tf
+++ b/main.tf
@ -13,6 +13,94 @@ required_version = ">= 0.14.0"
 provider "openstack" {
  cloud = "sto4-rut"
 }
+
+resource "openstack_networking_secgroup_v2" "naemon" {
+  name        = "naemon"
+  description = "Rule to allow naemon traffic"
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule1" {
+  direction             = "ingress"
+  ethertype             = "IPv4"
+  protocol              = "tcp"
+  port_range_min        = 4317
+  port_range_max        = 4318
+  remote_group_id	= openstack_networking_secgroup_v2.naemon.id
+  security_group_id     = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule2" {
+  direction             = "ingress"
+  ethertype             = "IPv6"
+  protocol              = "tcp"
+  port_range_min        = 4317
+  port_range_max        = 4318
+  remote_group_id	= openstack_networking_secgroup_v2.naemon.id
+  security_group_id     = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule3" {
+  direction             = "ingress"
+  ethertype             = "IPv4"
+  protocol              = "icmp"
+  remote_group_id	= openstack_networking_secgroup_v2.naemon.id
+  security_group_id     = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" {
+  direction             = "ingress"
+  ethertype             = "IPv6"
+  protocol              = "ipv6-icmp"
+  remote_group_id	= openstack_networking_secgroup_v2.naemon.id
+  security_group_id     = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule5" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  remote_ip_prefix  = "109.105.111.111/32"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule6" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  remote_ip_prefix  = "2001:948:4:6::111/128"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule7" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 5666
+  port_range_max    = 5666
+  remote_ip_prefix  = "89.46.21.190/32"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule8" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 5666
+  port_range_max    = 5666
+  remote_ip_prefix  = "2001:6b0:6c::37f/128"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule9" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  remote_ip_prefix  = "109.105.111.111/32"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule10" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "ipv6-icmp"
+  remote_ip_prefix  = "2001:948:4:6::111/128"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+
 resource "openstack_networking_secgroup_v2" "https" {
  name        = "https"
  description = "Traffic to allow between microk8s hosts"
@ -53,6 +141,46 @@ resource "openstack_networking_secgroup_rule_v2" "https_rule4" {
  remote_ip_prefix  = "::/0"
  security_group_id = openstack_networking_secgroup_v2.https.id
 }
+resource "openstack_networking_secgroup_v2" "jumphosts" {
+  name        = "Allow SSH from SUNET jumphosts"
+  description = "Traffic to allow ssh access from jumphosts"
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule1" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "130.242.125.68/32"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule2" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "130.242.121.73/32"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule3" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "2001:6b0:8:4::68/128"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule4" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "2001:6b0:7:6::73/128"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
 resource "openstack_compute_instance_v2" "monitor-node" {
  name            = "monitor-1.${var.dns_suffix}"
  flavor_name     = "${var.monitor_instance_type}"
--- a/pgcluster.tf
+++ b/pgcluster.tf
@ -3,7 +3,7 @@ resource "openstack_compute_instance_v2" "pg-nodes" {
  name            = "${var.pgcluster_name}-${count.index}.${var.dns_suffix}"
  flavor_name     = "${var.pgcluster_instance_type}"
  key_pair        = "mifr-yubi"
-  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
  

  block_device {
--- a/vars.tf
+++ b/vars.tf
@ -1,5 +1,5 @@
 variable "worker_instance_count" {
-  default = "10"
+  default = "8"
 }
 variable "controller_instance_count" {
  default = "3"