From f691ae99e6498ee6fc0b9af8279497dab86c0af5 Mon Sep 17 00:00:00 2001
From: Magnus Andersson
Date: Wed, 30 Oct 2024 23:56:25 +0100
Subject: [PATCH] Open ingress port from lb to workers
---
 IaC-test/k8snodes-dco.tf | 6 +-
 IaC-test/k8snodes-sto3.tf | 6 +-
 IaC-test/k8snodes-sto4.tf | 6 +-
 IaC-test/securitygroup-k8s-external.tf | 63 ++++++++++++++++++-
 IaC-test/securitygroups-lb.tf | 10 +++
 .../overlays/matrix-test/health-ingress.yml | 20 +++---
 6 files changed, 93 insertions(+), 18 deletions(-)
diff --git a/IaC-test/k8snodes-dco.tf b/IaC-test/k8snodes-dco.tf
index 08ff25b..d8c99ea 100644
--- a/IaC-test/k8snodes-dco.tf
+++ b/IaC-test/k8snodes-dco.tf
@@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-dco" {
 # A list of security group ID
 security_group_ids = [
 resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
- resource.openstack_networking_secgroup_v2.microk8s-dco.id
+ resource.openstack_networking_secgroup_v2.microk8s-dco.id,
+ resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.id
 ]
 admin_state_up = "true"
 provider = openstack.dco
@@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-dco" {
 provider = openstack.dco
 security_groups = [
 resource.openstack_networking_secgroup_v2.microk8s-dco.name,
- resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
+ resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+ resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.name
 ]
 block_device {
diff --git a/IaC-test/k8snodes-sto3.tf b/IaC-test/k8snodes-sto3.tf
index 271f8f3..9aaf420 100644
--- a/IaC-test/k8snodes-sto3.tf
+++ b/IaC-test/k8snodes-sto3.tf
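Review bot: The new `k8s-external-worker-dco` group is appended by hand to the port's `security_group_ids` here and, in the second hunk, to the instance's `security_groups`, and the same pair of edits is repeated for sto3 and sto4, so the two lists can silently drift apart the next time a group is added. Consider declaring the worker group set once per region in a `locals` block (the three `openstack_networking_secgroup_v2` resources) and deriving both lists from it with `[for sg in local.worker_sg_dco : sg.id]` and `[for sg in local.worker_sg_dco : sg.name]`. For an instance attached via a pre-created port, Neutron presumably enforces the port's groups and the instance-level list is redundant — worth confirming rather than maintaining both. Both enclosing resource blocks start and end outside the hunk.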
@@ -78,7 +78,8 @@ resource "openstack_networking_port_v2" "kubewport-sto3" {
 # A list of security group ID
 security_group_ids = [
 resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
- resource.openstack_networking_secgroup_v2.microk8s-sto3.id
+ resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
+ resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
 ]
 admin_state_up = "true"
 provider = openstack.sto3
@@ -112,7 +113,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto3" {
 provider = openstack.sto3
 security_groups = [
 resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
- resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name
+ resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
+ resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.name
 ]
 block_device {
diff --git a/IaC-test/k8snodes-sto4.tf b/IaC-test/k8snodes-sto4.tf
index 66fc50c..7d736c9 100644
--- a/IaC-test/k8snodes-sto4.tf
+++ b/IaC-test/k8snodes-sto4.tf
@@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-sto4" {
 # A list of security group ID
 security_group_ids = [
 resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
- resource.openstack_networking_secgroup_v2.microk8s-sto4.id
+ resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
+ resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
 ]
 admin_state_up = "true"
 provider = openstack.sto4
@@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
 provider = openstack.sto4
 security_groups = [
 resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
- resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name
+ resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
+ resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.name
 ]
 block_device {
diff --git a/IaC-test/securitygroup-k8s-external.tf b/IaC-test/securitygroup-k8s-external.tf
index b1bc3a2..8a444d2 100644
--- a/IaC-test/securitygroup-k8s-external.tf
+++ b/IaC-test/securitygroup-k8s-external.tf
@@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_v2" "k8s-external-control-sto4" {
 }
 # Rules dco
-resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule_v4_dco" {
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_dco" {
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
@@ -42,7 +42,7 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
 security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto3.id
 }
-# Rules dco
+# Rules sto4
 resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto4" {
 direction = "ingress"
 ethertype = "IPv4"
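Review bot: Renaming the resource address from `k8s_external_ingress_control_rule_v4_dco` to `k8s_external_ingress_control_rule1_v4_dco` without a `moved` block makes Terraform plan a destroy of the old rule and a create of the new one, so the existing dco control-plane ingress rule is absent for the duration of the apply, and if the create is attempted before the destroy Neutron will likely reject it as a duplicate rule. Add a `moved` block beside the rule (Terraform 1.1 or later) or run `terraform state mv` before applying, so the rename is a no-op in the cloud. The rule definition continues past the hunk.
```hcl
moved {
  from = openstack_networking_secgroup_rule_v2.k8s_external_ingress_control_rule_v4_dco
  to   = openstack_networking_secgroup_rule_v2.k8s_external_ingress_control_rule1_v4_dco
}
```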
@@ -53,3 +53,62 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
 remote_ip_prefix = "89.47.191.43/32"
 security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto4.id
 }
+
+ # Security groups for external acccess k8s worker nodes in dco.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-dco" {
+ name = "k8s-external-worker"
+ description = "External ingress traffic to k8s worker nodes."
+ provider=openstack.dco
+}
+
+# Security groups for external acccess k8s worker nodes in sto3.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto3" {
+ name = "k8s-external-worker"
+ description = "External ingress traffic to k8s worker nodes."
+ provider=openstack.sto3
+}
+# Security groups for external acccess k8s worker nodes in sto4.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto4" {
+ name = "k8s-external-worker"
+ description = "External ingress traffic to k8s worker nodes."
+ provider=openstack.sto4
+}
+
+# Rules dco
+
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_dco" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = "443"
+ port_range_max = "443"
+ provider = openstack.dco
+ remote_ip_prefix = "89.47.191.43/32"
+ security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
+}
+
+# Rules sto3
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = "443"
+ port_range_max = "443"
+ provider = openstack.sto3
+ remote_ip_prefix = "89.47.191.43/32"
+ security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
+}
+
+# Rules sto4
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = "443"
+ port_range_max = "443"
+ provider = openstack.sto4
+ remote_ip_prefix = "89.47.191.43/32"
+ security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
+}
+
diff --git a/IaC-test/securitygroups-lb.tf b/IaC-test/securitygroups-lb.tf
index a686ed4..c761b45 100644
--- a/IaC-test/securitygroups-lb.tf
+++ b/IaC-test/securitygroups-lb.tf
@@ -16,3 +16,13 @@ resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
 security_group_id = openstack_networking_secgroup_v2.lb-dco.id
 }
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule2_v4_dco" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = "16443"
+ port_range_max = "16443"
+ provider = openstack.dco
+ remote_ip_prefix = "87.251.31.153/32"
+ security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
diff --git a/k8s/health/overlays/matrix-test/health-ingress.yml b/k8s/health/overlays/matrix-test/health-ingress.yml
index f0f3c39..def49cc 100644
--- a/k8s/health/overlays/matrix-test/health-ingress.yml
+++ b/k8s/health/overlays/matrix-test/health-ingress.yml
@@ -18,13 +18,13 @@ spec:
 # - kube-matrixtest.matrix.test.sunet.se
 # secretName: tls-secret
 rules:
- - host: kube-matrixtest.matrix.test.sunet.se
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: health-node
- port:
- number: 8080
+ - host: "kube.matrix.test.sunet.se"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: health-node
+ port:
+ number: 8080
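Review bot: The remote address `89.47.191.43/32` is now a bare literal in six rules (the three new worker rules plus the control rules above them) with nothing in the file saying whose address it is; the commit title suggests it is the load balancer, but a reader cannot confirm that from the code. Define it once with a comment naming the host, e.g. `locals { lb_public_ipv4 = "89.47.191.43/32" } # public address of the k8s load balancer`, reference `local.lb_public_ipv4` in every rule, and give each `openstack_networking_secgroup_rule_v2` a `description = "HTTPS from the load balancer"` so the intent is also visible in the cloud's rule listing. The `k8s-external-worker` groups are created without a matching IPv6 rule, which is fine if the LB only talks IPv4 but deserves a one-line comment.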
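Review bot: Port 16443 is opened on the dco load balancer from `87.251.31.153/32` with no `description` and no comment saying what that host is or why it needs the port; 16443 is presumably the MicroK8s API server, so this exposes the cluster API through the LB to an external address and deserves a line of justification in the code, e.g. `description = "kube API (16443) from <owner/purpose>"`. This rule is also added only for dco while every other group in the commit is mirrored to sto3 and sto4 — if the asymmetry is intentional, a short comment will stop the next reader from "fixing" it. The `lb-dco` group and its first rule are defined above the hunk.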
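Review bot: The host is changed to `kube.matrix.test.sunet.se`, but the commented-out `tls:` entry two lines above still lists `kube-matrixtest.matrix.test.sunet.se`, so whoever un-comments it to re-enable TLS will get a certificate host that does not match the rule. Update the stale line in the same change, `#   - kube.matrix.test.sunet.se`, or delete the dead block. With `tls` disabled the health endpoint is presumably served over plain HTTP unless the ingress controller supplies a default certificate; if that is acceptable for a health check, say so in a comment next to the disabled block. The start of the `tls:` block and the ingress metadata are outside the hunk.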