From fffa63b827c227462174ba61bb68ffd8017dd1a3 Mon Sep 17 00:00:00 2001
From: Magnus Andersson
Date: Tue, 4 Jun 2024 13:53:57 +0200
Subject: [PATCH] Expose ingress externaly and remove external kube api endpoint
---
 IaC-prod/nodes.tf | 6 ++++--
 IaC-prod/securitygroups.tf | 33 +++++++++++++++------------------
 IaC-test/nodes.tf | 6 ++++--
 IaC-test/securitygroups.tf | 33 +++++++++++++++------------------
 4 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/IaC-prod/nodes.tf b/IaC-prod/nodes.tf
index 8073891..36890d7 100644
--- a/IaC-prod/nodes.tf
+++ b/IaC-prod/nodes.tf
@@ -12,7 +12,8 @@ resource "openstack_networking_port_v2" "kubecport" {
 security_group_ids = [
 data.openstack_networking_secgroup_v2.sshfromjumphosts.id,
 data.openstack_networking_secgroup_v2.allegress.id,
- resource.openstack_networking_secgroup_v2.microk8s.id
+ resource.openstack_networking_secgroup_v2.microk8s.id,
+ resource.openstack_networking_secgroup_v2.https.id
 ]
 admin_state_up = "true"
 }
@@ -34,7 +35,8 @@ resource "openstack_compute_instance_v2" "controller-nodes" {
 security_groups = [
 data.openstack_networking_secgroup_v2.sshfromjumphosts.name,
 data.openstack_networking_secgroup_v2.allegress.name,
- resource.openstack_networking_secgroup_v2.microk8s.name
+ resource.openstack_networking_secgroup_v2.microk8s.name,
+ resource.openstack_networking_secgroup_v2.https.name
 ]
 block_device {
 uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot[count.index].id
diff --git a/IaC-prod/securitygroups.tf b/IaC-prod/securitygroups.tf
index c9c3c56..0cc6649 100644
--- a/IaC-prod/securitygroups.tf
+++ b/IaC-prod/securitygroups.tf
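Review bot: Attaching `https` to `kubecport` puts the `0.0.0.0/0` TCP/443 rule on every controller-node port (one per `count.index`), so the control-plane hosts themselves become internet-reachable on 443; that is only acceptable if the ingress controller is the sole listener on that port on these nodes, which this hunk cannot show. Consider terminating public traffic on a load balancer or a dedicated worker port rather than the controller port, and record the reason for the current layout next to the list entry, e.g. `# https: public 443 for the ingress controller, which runs on the controllers (confirm hostPort binding)`. The `kubecport` resource starts before this hunk.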
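Review bot: The instance-level `security_groups` list now has to mirror the port's `security_group_ids` entry for entry, and this commit shows the cost: the same two-line change is made by hand in both places. A `locals` block that lists the controller security groups once and is referenced from both (`security_group_ids = local.controller_sg_ids` on the port, `security_groups = local.controller_sg_names` on the instance) removes the drift risk. If the instance is attached through a `network { port = ... }` block, the OpenStack provider applies the groups on the port and the instance-level list may be redundant; that block is outside the hunk, so worth confirming before dropping it.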
@@ -13,25 +13,24 @@ resource "openstack_networking_secgroup_v2" "microk8s" {
 }
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
- #We never know where Richard is, so allow from all of the known internet
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
 port_range_min = 16443
 port_range_max = 16443
- remote_ip_prefix = "0.0.0.0/0"
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
 security_group_id = openstack_networking_secgroup_v2.microk8s.id
 }
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
- #We never know where Richard is, so allow from all of the known internet
 direction = "ingress"
 ethertype = "IPv6"
 protocol = "tcp"
 port_range_min = 16443
 port_range_max = 16443
- remote_ip_prefix = "::/0"
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
 security_group_id = openstack_networking_secgroup_v2.microk8s.id
 }
+
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
 direction = "ingress"
 ethertype = "IPv4"
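Review bot: Scoping 16443 to `remote_group_id = microk8s` also cuts off the jump hosts, because `sshfromjumphosts` (attached in nodes.tf) grants only SSH, so any `kubectl` use from a jump host now needs an SSH tunnel or an explicit rule such as `remote_group_id = data.openstack_networking_secgroup_v2.sshfromjumphosts.id`; confirm that the tunnel workflow is the intended one. With the `#We never know where Richard is` comments removed, `microk8s_rule1` and `microk8s_rule2` carry no rationale at all; the rule resource supports a `description` attribute that is also visible in the OpenStack API, e.g. `description = "kube-apiserver 16443, cluster members only"`. The `microk8s_rule3` block continues past the end of the hunk.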
@@ -177,21 +176,19 @@ resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
 remote_group_id = openstack_networking_secgroup_v2.microk8s.id
 security_group_id = openstack_networking_secgroup_v2.microk8s.id
 }
-resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+
+resource "openstack_networking_secgroup_v2" "https" {
+ name = "https"
+ description = "Allow https to ingress controller"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "https_rule1" {
+ # External traffic
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
- port_range_min = 16443
- port_range_max = 16443
- remote_group_id = openstack_networking_secgroup_v2.microk8s.id
- security_group_id = openstack_networking_secgroup_v2.microk8s.id
-}
-resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
- direction = "ingress"
- ethertype = "IPv6"
- protocol = "tcp"
- port_range_min = 16443
- port_range_max = 16443
- remote_group_id = openstack_networking_secgroup_v2.microk8s.id
- security_group_id = openstack_networking_secgroup_v2.microk8s.id
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.https.id
 }
diff --git a/IaC-test/nodes.tf b/IaC-test/nodes.tf
index 8073891..36890d7 100644
--- a/IaC-test/nodes.tf
+++ b/IaC-test/nodes.tf
@@ -12,7 +12,8 @@ resource "openstack_networking_port_v2" "kubecport" {
 security_group_ids = [
 data.openstack_networking_secgroup_v2.sshfromjumphosts.id,
 data.openstack_networking_secgroup_v2.allegress.id,
- resource.openstack_networking_secgroup_v2.microk8s.id
+ resource.openstack_networking_secgroup_v2.microk8s.id,
+ resource.openstack_networking_secgroup_v2.https.id
 ]
 admin_state_up = "true"
 }
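Review bot: The new `https` group carries only an IPv4 rule, while the 16443 rules it replaces covered both families (`::/0` in the old rule2 and a group-scoped IPv6 rule in the deleted `microk8s_rule20`), so if the controller ports hold a routable IPv6 address the ingress is simply unreachable over v6 and the asymmetry looks accidental rather than chosen. Port 80 is not opened either; if the ingress controller is expected to serve HTTP→HTTPS redirects or ACME HTTP-01 challenges, those will fail from outside without any error in this configuration, so confirm the intent and state it in a comment. The bare `# External traffic` comment would be better as the rule's own `description = "public HTTPS to ingress controller"`, which is also visible from the OpenStack API. If IPv6 is wanted, the rule is a mirror of `https_rule1`:
```hcl
# … unchanged: https group and https_rule1 …
resource "openstack_networking_secgroup_rule_v2" "https_rule2" {
  # External traffic, IPv6 counterpart of https_rule1
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_ip_prefix  = "::/0"
  security_group_id = openstack_networking_secgroup_v2.https.id
}
```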
@@ -34,7 +35,8 @@ resource "openstack_compute_instance_v2" "controller-nodes" {
 security_groups = [
 data.openstack_networking_secgroup_v2.sshfromjumphosts.name,
 data.openstack_networking_secgroup_v2.allegress.name,
- resource.openstack_networking_secgroup_v2.microk8s.name
+ resource.openstack_networking_secgroup_v2.microk8s.name,
+ resource.openstack_networking_secgroup_v2.https.name
 ]
 block_device {
 uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot[count.index].id
diff --git a/IaC-test/securitygroups.tf b/IaC-test/securitygroups.tf
index c9c3c56..0cc6649 100644
--- a/IaC-test/securitygroups.tf
+++ b/IaC-test/securitygroups.tf
@@ -13,25 +13,24 @@ resource "openstack_networking_secgroup_v2" "microk8s" {
 }
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
- #We never know where Richard is, so allow from all of the known internet
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
 port_range_min = 16443
 port_range_max = 16443
- remote_ip_prefix = "0.0.0.0/0"
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
 security_group_id = openstack_networking_secgroup_v2.microk8s.id
 }
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
- #We never know where Richard is, so allow from all of the known internet
 direction = "ingress"
 ethertype = "IPv6"
 protocol = "tcp"
 port_range_min = 16443
 port_range_max = 16443
- remote_ip_prefix = "::/0"
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
 security_group_id = openstack_networking_secgroup_v2.microk8s.id
 }
+
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
 direction = "ingress"
 ethertype = "IPv4"
@@ -177,21 +176,19 @@ resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
 remote_group_id = openstack_networking_secgroup_v2.microk8s.id
 security_group_id = openstack_networking_secgroup_v2.microk8s.id
 }
-resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+
+resource "openstack_networking_secgroup_v2" "https" {
+ name = "https"
+ description = "Allow https to ingress controller"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "https_rule1" {
+ # External traffic
 direction = "ingress"
 ethertype = "IPv4"
 protocol = "tcp"
- port_range_min = 16443
- port_range_max = 16443
- remote_group_id = openstack_networking_secgroup_v2.microk8s.id
- security_group_id = openstack_networking_secgroup_v2.microk8s.id
-}
-resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
- direction = "ingress"
- ethertype = "IPv6"
- protocol = "tcp"
- port_range_min = 16443
- port_range_max = 16443
- remote_group_id = openstack_networking_secgroup_v2.microk8s.id
- security_group_id = openstack_networking_secgroup_v2.microk8s.id
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.https.id
 }
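Review bot: `IaC-test/securitygroups.tf` is a byte-for-byte copy of the prod file — the `index c9c3c56..0cc6649` blob hashes are identical in both file headers, as are `8073891..36890d7` for the two `nodes.tf` — so every security-group change has to be applied twice and the environments diverge the first time someone forgets one side. Moving the node and security-group definitions into a module called from `IaC-prod` and `IaC-test` with environment-specific variables would make the next change a single edit. A test environment that opens 443 to `0.0.0.0/0` exactly like prod also deserves a second look; a narrower `remote_ip_prefix` is usually preferable there, which a module variable would make easy to express.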