Open ingress port from lb to workers

This commit is contained in:
Magnus Andersson 2024-10-30 23:56:25 +01:00
parent 9b343f32e7
commit f691ae99e6
Signed by: mandersson
GPG key ID: 1F7C896B34B28164
6 changed files with 93 additions and 18 deletions

View file

@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-dco" {
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
resource.openstack_networking_secgroup_v2.microk8s-dco.id
resource.openstack_networking_secgroup_v2.microk8s-dco.id,
resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.id
]
admin_state_up = "true"
provider = openstack.dco
@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-dco" {
provider = openstack.dco
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-dco.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.name
]
block_device {

View file

@ -78,7 +78,8 @@ resource "openstack_networking_port_v2" "kubewport-sto3" {
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
resource.openstack_networking_secgroup_v2.microk8s-sto3.id
resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
]
admin_state_up = "true"
provider = openstack.sto3
@ -112,7 +113,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto3" {
provider = openstack.sto3
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.name
]
block_device {

View file

@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-sto4" {
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
resource.openstack_networking_secgroup_v2.microk8s-sto4.id
resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
]
admin_state_up = "true"
provider = openstack.sto4
@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
provider = openstack.sto4
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.name
]
block_device {

View file

@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_v2" "k8s-external-control-sto4" {
}
# Rules dco
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule_v4_dco" {
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
@ -42,7 +42,7 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto3.id
}
# Rules dco
# Rules sto4
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto4" {
direction = "ingress"
ethertype = "IPv4"
@ -53,3 +53,62 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto4.id
}
# Security groups for external acccess k8s worker nodes in dco.
resource "openstack_networking_secgroup_v2" "k8s-external-worker-dco" {
name = "k8s-external-worker"
description = "External ingress traffic to k8s worker nodes."
provider=openstack.dco
}
# Security groups for external acccess k8s worker nodes in sto3.
resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto3" {
name = "k8s-external-worker"
description = "External ingress traffic to k8s worker nodes."
provider=openstack.sto3
}
# Security groups for external acccess k8s worker nodes in sto4.
resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto4" {
name = "k8s-external-worker"
description = "External ingress traffic to k8s worker nodes."
provider=openstack.sto4
}
# Rules dco
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.dco
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
}
# Rules sto3
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto3" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.sto3
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
}
# Rules sto4
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto4" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.sto4
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
}

View file

@ -16,3 +16,13 @@ resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule2_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.dco
remote_ip_prefix = "87.251.31.153/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}

View file

@ -18,13 +18,13 @@ spec:
# - kube-matrixtest.matrix.test.sunet.se
# secretName: tls-secret
rules:
- host: kube-matrixtest.matrix.test.sunet.se
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: health-node
port:
number: 8080
- host: "kube.matrix.test.sunet.se"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: health-node
port:
number: 8080