Open ingress port from lb to workers

2024-10-30 23:56:25 +01:00 · 2024-10-30 23:56:25 +01:00 · f691ae99e6
parent 9b343f32e7
commit f691ae99e6
6 changed files with 93 additions and 18 deletions
--- a/IaC-test/k8snodes-dco.tf
+++ b/IaC-test/k8snodes-dco.tf
@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-dco" {
  # A list of security group ID
  security_group_ids  = [ 
                          resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-dco.id
+                          resource.openstack_networking_secgroup_v2.microk8s-dco.id,
                          resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.id
                        ]
  admin_state_up      = "true"
  provider            = openstack.dco
@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-dco" {
  provider        = openstack.dco
  security_groups = [
                      resource.openstack_networking_secgroup_v2.microk8s-dco.name,
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
                      resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.name
                    ]
  block_device {
--- a/IaC-test/k8snodes-sto3.tf
+++ b/IaC-test/k8snodes-sto3.tf
@ -78,7 +78,8 @@ resource "openstack_networking_port_v2" "kubewport-sto3" {
  # A list of security group ID
  security_group_ids  = [ 
                          resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-sto3.id
+                          resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
                          resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
                        ]
  admin_state_up      = "true"
  provider            = openstack.sto3
@ -112,7 +113,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto3" {
  provider        = openstack.sto3
  security_groups = [
                      resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
                      resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.name
                    ]
  block_device {
--- a/IaC-test/k8snodes-sto4.tf
+++ b/IaC-test/k8snodes-sto4.tf
@ -77,7 +77,8 @@ resource "openstack_networking_port_v2" "kubewport-sto4" {
  # A list of security group ID
  security_group_ids  = [ 
                          resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-sto4.id
+                          resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
                          resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
                        ]
  admin_state_up      = "true"
  provider            = openstack.sto4
@ -111,7 +112,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
  provider        = openstack.sto4
  security_groups = [
                      resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
                      resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.name
                    ]
  block_device {
--- a/IaC-test/securitygroup-k8s-external.tf
+++ b/IaC-test/securitygroup-k8s-external.tf
@ -19,7 +19,7 @@ resource "openstack_networking_secgroup_v2" "k8s-external-control-sto4" {
 }
 # Rules dco
-resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule_v4_dco" {
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_dco" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
@ -42,7 +42,7 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
  security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto3.id
 }
-# Rules dco
+# Rules sto4
 resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto4" {
  direction         = "ingress"
  ethertype         = "IPv4"
@ -53,3 +53,62 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_r
  remote_ip_prefix  = "89.47.191.43/32"
  security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto4.id
 }
 # Security groups for external acccess k8s worker nodes in dco.
 resource "openstack_networking_secgroup_v2" "k8s-external-worker-dco" {
  name        = "k8s-external-worker"
  description = "External ingress traffic to k8s worker nodes."
  provider=openstack.dco
 }
 # Security groups for external acccess k8s worker nodes in sto3.
 resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto3" {
  name        = "k8s-external-worker"
  description = "External ingress traffic to k8s worker nodes."
  provider=openstack.sto3
 }
 # Security groups for external acccess k8s worker nodes in sto4.
 resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto4" {
  name        = "k8s-external-worker"
  description = "External ingress traffic to k8s worker nodes."
  provider=openstack.sto4
 }
 # Rules dco
 resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_dco" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = "443"
  port_range_max    = "443"
  provider          = openstack.dco
  remote_ip_prefix  = "89.47.191.43/32"
  security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
 }
 # Rules sto3
 resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto3" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = "443"
  port_range_max    = "443"
  provider          = openstack.sto3
  remote_ip_prefix  = "89.47.191.43/32"
  security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
 }
 # Rules sto4
 resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto4" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = "443"
  port_range_max    = "443"
  provider          = openstack.sto4
  remote_ip_prefix  = "89.47.191.43/32"
  security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
 }
--- a/IaC-test/securitygroups-lb.tf
+++ b/IaC-test/securitygroups-lb.tf
@ -16,3 +16,13 @@ resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
  security_group_id = openstack_networking_secgroup_v2.lb-dco.id
 }
 resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule2_v4_dco" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = "16443"
  port_range_max    = "16443"
  provider          = openstack.dco
  remote_ip_prefix  = "87.251.31.153/32"
  security_group_id = openstack_networking_secgroup_v2.lb-dco.id
 }
--- a/k8s/health/overlays/matrix-test/health-ingress.yml
+++ b/k8s/health/overlays/matrix-test/health-ingress.yml
@ -18,7 +18,7 @@ spec:
 #        - kube-matrixtest.matrix.test.sunet.se
 #      secretName: tls-secret
  rules:
-  - host: kube-matrixtest.matrix.test.sunet.se
+    - host: "kube.matrix.test.sunet.se"
      http:
        paths:
          - path: /