From 49196c2ec4cfc5659c0370b76f0443d01aa33689 Mon Sep 17 00:00:00 2001
From: Hugo Blom
Date: Wed, 28 Sep 2022 07:03:35 +0200
Subject: [PATCH] [Openstack] Add bastion_allowed_ports to allow custom security group rules on bastion node (#9336)
* make it possible to configure bastion remote ips
* Update README.md
---
 contrib/terraform/openstack/README.md | 1 +
 contrib/terraform/openstack/kubespray.tf | 1 +
 contrib/terraform/openstack/modules/compute/main.tf | 11 +++++++++++
 .../terraform/openstack/modules/compute/variables.tf | 4 ++++
 contrib/terraform/openstack/variables.tf | 6 ++++++
 5 files changed, 23 insertions(+)
diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index 5566b1c65..1379e5247 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -270,6 +270,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube_ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
 |`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
+|`bastion_allowed_ports` | List of ports to open on bastion node, `[]` by default |
 |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
 |`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default |
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 92c4394da..f19885ca8 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -84,6 +84,7 @@ module "compute" {
 supplementary_node_groups = var.supplementary_node_groups
 master_allowed_ports = var.master_allowed_ports
 worker_allowed_ports = var.worker_allowed_ports
+ bastion_allowed_ports = var.bastion_allowed_ports
 use_access_ip = var.use_access_ip
 master_server_group_policy = var.master_server_group_policy
 node_server_group_policy = var.node_server_group_policy
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 82cbbb4dd..430ed1857 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -82,6 +82,17 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
 security_group_id = openstack_networking_secgroup_v2.bastion[0].id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports" {
+ count = length(var.bastion_allowed_ports)
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = lookup(var.bastion_allowed_ports[count.index], "protocol", "tcp")
+ port_range_min = lookup(var.bastion_allowed_ports[count.index], "port_range_min")
+ port_range_max = lookup(var.bastion_allowed_ports[count.index], "port_range_max")
+ remote_ip_prefix = lookup(var.bastion_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")
+ security_group_id = openstack_networking_secgroup_v2.bastion[0].id
+}
+
 resource "openstack_networking_secgroup_v2" "k8s" {
 name = "${var.cluster_name}-k8s"
 description = "${var.cluster_name} - Kubernetes"
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index ca8034bb5..7f8ee5003 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
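Review bot: The new `k8s_bastion_ports` rule's `count` is driven only by `length(var.bastion_allowed_ports)`, while its `security_group_id` indexes `openstack_networking_secgroup_v2.bastion[0]`; if that security group is created conditionally (its count is outside the hunk), a non-empty port list with no bastion deployed fails at plan time with an index error instead of being ignored. Guard the count the same way the existing `bastion` rule above does, e.g. `count = length(openstack_networking_secgroup_v2.bastion) > 0 ? length(var.bastion_allowed_ports) : 0`. An entry that omits `remote_ip_prefix` also silently falls back to `0.0.0.0/0`, opening that port on the bastion to every IPv4 source; a comment on the resource such as `# remote_ip_prefix defaults to 0.0.0.0/0 when omitted; set it explicitly to restrict the source range` would make that visible to operators. The `bastion` rule whose closing lines form the hunk's leading context starts outside the hunk.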
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -136,6 +136,10 @@ variable "worker_allowed_ports" {
 type = list
 }
 
+variable "bastion_allowed_ports" {
+ type = list
+}
+
 variable "use_access_ip" {}
 
 variable "master_server_group_policy" {
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index 12c7f03a5..821e442b8 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -257,6 +257,12 @@ variable "worker_allowed_ports" {
 ]
 }
 
+variable "bastion_allowed_ports" {
+ type = list(any)
+
+ default = []
+}
+
 variable "use_access_ip" {
 default = 1
 }
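Review bot: The new top-level `bastion_allowed_ports` variable carries no `description`, so the entry format that modules/compute/main.tf consumes (maps with `port_range_min` and `port_range_max`, plus optional `protocol` and `remote_ip_prefix`) and the permissive fallback for the latter are stated nowhere in code. Add `description = "List of port rules to open on the bastion, each a map with port_range_min/port_range_max and optional protocol (default tcp) and remote_ip_prefix (default 0.0.0.0/0)"`. The module-side declaration in modules/compute/variables.tf uses the legacy untyped `type = list` while this one uses `type = list(any)`; the two should agree, and `list(any)` is the form to keep. The `use_access_ip` variable in the trailing context is unchanged.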