Open ingress port from lb to workers

IaC-test/k8snodes-dco.tf

@@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-dco" {
   # A list of security group ID
   security_group_ids  = [ 
                           resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-dco.id
+                          resource.openstack_networking_secgroup_v2.microk8s-dco.id,
+                          resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.id
                         ]
   admin_state_up      = "true"
   provider            = openstack.dco
@@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-dco" {
   provider        = openstack.dco
   security_groups = [
                       resource.openstack_networking_secgroup_v2.microk8s-dco.name,
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+                      resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.name
                     ]
 
   block_device {

IaC-test/k8snodes-sto3.tf

@@ -78,7 +78,8 @@ resource "openstack_networking_port_v2" "kubewport-sto3" {
   # A list of security group ID
   security_group_ids  = [ 
                           resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-sto3.id
+                          resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
+                          resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
                         ]
   admin_state_up      = "true"
   provider            = openstack.sto3
@@ -112,7 +113,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto3" {
   provider        = openstack.sto3
   security_groups = [
                       resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
+                      resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.name
                     ]
 
   block_device {

IaC-test/k8snodes-sto4.tf

@@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-sto4" {
   # A list of security group ID
   security_group_ids  = [ 
                           resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-sto4.id
+                          resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
+                          resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
                         ]
   admin_state_up      = "true"
   provider            = openstack.sto4
@@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
   provider        = openstack.sto4
   security_groups = [
                       resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
+                      resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.name
                     ]
 
   block_device {

IaC-test/securitygroup-k8s-external.tf

@@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_v2" "k8s-external-control-sto4" {
 }
 
 # Rules dco
-resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule_v4_dco" {
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_dco" {
   direction         = "ingress"
   ethertype         = "IPv4"
   protocol          = "tcp"
@@ -42,7 +42,7 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
   security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto3.id
 }
 
-# Rules dco
+# Rules sto4
 resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto4" {
   direction         = "ingress"
   ethertype         = "IPv4"
@@ -53,3 +53,62 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
   remote_ip_prefix  = "89.47.191.43/32"
   security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto4.id
 }
+
+
+# Security groups for external acccess k8s worker nodes in dco.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-dco" {
+  name        = "k8s-external-worker"
+  description = "External ingress traffic to k8s worker nodes."
+  provider=openstack.dco
+}
+
+# Security groups for external acccess k8s worker nodes in sto3.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto3" {
+  name        = "k8s-external-worker"
+  description = "External ingress traffic to k8s worker nodes."
+  provider=openstack.sto3
+}
+# Security groups for external acccess k8s worker nodes in sto4.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto4" {
+  name        = "k8s-external-worker"
+  description = "External ingress traffic to k8s worker nodes."
+  provider=openstack.sto4
+}
+
+# Rules dco
+
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_dco" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = "443"
+  port_range_max    = "443"
+  provider          = openstack.dco
+  remote_ip_prefix  = "89.47.191.43/32"
+  security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
+}
+
+# Rules sto3
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto3" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = "443"
+  port_range_max    = "443"
+  provider          = openstack.sto3
+  remote_ip_prefix  = "89.47.191.43/32"
+  security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
+}
+
+# Rules sto4
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto4" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = "443"
+  port_range_max    = "443"
+  provider          = openstack.sto4
+  remote_ip_prefix  = "89.47.191.43/32"
+  security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
+}
+

IaC-test/securitygroups-lb.tf

@@ -16,3 +16,13 @@ resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
   security_group_id = openstack_networking_secgroup_v2.lb-dco.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule2_v4_dco" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = "16443"
+  port_range_max    = "16443"
+  provider          = openstack.dco
+  remote_ip_prefix  = "87.251.31.153/32"
+  security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}

k8s/health/overlays/matrix-test/health-ingress.yml

@@ -18,13 +18,13 @@ spec:
 #        - kube-matrixtest.matrix.test.sunet.se
 #      secretName: tls-secret
   rules:
-  - host: kube-matrixtest.matrix.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: health-node
-            port:
-              number: 8080
+    - host: "kube.matrix.test.sunet.se"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: health-node
+                port:
+                  number: 8080