Browse Source

Don't create security groups for a bastion host on openstack, if doesn't exist (#4291)

pull/4523/head
Karen Almog 5 years ago
committed by Kubernetes Prow Robot
parent
commit
20ebb49568
1 changed files with 20 additions and 15 deletions
  1. 35
      contrib/terraform/openstack/modules/compute/main.tf

35
contrib/terraform/openstack/modules/compute/main.tf

@ -20,11 +20,12 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
resource "openstack_networking_secgroup_v2" "bastion" {
name = "${var.cluster_name}-bastion"
count = "${var.number_of_bastions ? 1 : 0}"
description = "${var.cluster_name} - Bastion Server"
}
resource "openstack_networking_secgroup_rule_v2" "bastion" {
count = "${length(var.bastion_allowed_remote_ips)}"
count = "${var.number_of_bastions ? length(var.bastion_allowed_remote_ips) : 0}"
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
@ -101,18 +102,20 @@ resource "openstack_compute_instance_v2" "k8s_master" {
name = "${var.network_name}"
}
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.bastion.name}",
"${openstack_networking_secgroup_v2.k8s.name}",
"default",
]
# The join() hack is described here: https://github.com/hashicorp/terraform/issues/11566
# As a workaround for creating "dynamic" lists (when, for example, no bastion host is created)
security_groups = ["${compact(list(
openstack_networking_secgroup_v2.k8s_master.name,
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
openstack_networking_secgroup_v2.k8s.name,
"default",
))}"]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
depends_on = "${var.network_id}"
}
provisioner "local-exec" {
command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
}
@ -130,10 +133,11 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
name = "${var.network_name}"
}
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
"${openstack_networking_secgroup_v2.bastion.name}",
"${openstack_networking_secgroup_v2.k8s.name}",
]
security_groups = ["${compact(list(
openstack_networking_secgroup_v2.k8s_master.name,
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
openstack_networking_secgroup_v2.k8s.name,
))}"]
metadata = {
ssh_user = "${var.ssh_user}"
@ -226,11 +230,12 @@ resource "openstack_compute_instance_v2" "k8s_node" {
name = "${var.network_name}"
}
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
"${openstack_networking_secgroup_v2.bastion.name}",
"${openstack_networking_secgroup_v2.worker.name}",
security_groups = ["${compact(list(
openstack_networking_secgroup_v2.k8s_master.name,
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
openstack_networking_secgroup_v2.k8s.name,
"default",
]
))}"]
metadata = {
ssh_user = "${var.ssh_user}"

Loading…
Cancel
Save