epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2025-12-14 13:54:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

[Openstack] Add security groups not managed by terraform (#6865)

Browse Source 
* add custom sec groups

* make sure groups are applied only when created

* fix spacing
This commit is contained in:
Hugo Blom
2020-11-05 14:30:54 +01:00
committed by GitHub
parent 544aa00c17
commit df7ed24389
4 changed files with 53 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
contrib/terraform/openstack/kubespray.tf
View File

@@ -80,6 +80,8 @@ module "compute" {
wait_for_floatingip = var.wait_for_floatingip wait_for_floatingip = var.wait_for_floatingip
use_access_ip = var.use_access_ip use_access_ip = var.use_access_ip
use_server_groups = var.use_server_groups use_server_groups = var.use_server_groups
extra_sec_groups = var.extra_sec_groups
extra_sec_groups_name = var.extra_sec_groups_name
network_id = module.network.router_id network_id = module.network.router_id
} }

57
contrib/terraform/openstack/modules/compute/main.tf
View File

@@ -17,6 +17,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
delete_default_rules = true delete_default_rules = true
} }
resource "openstack_networking_secgroup_v2" "k8s_master_extra" {
count = "%{if var.extra_sec_groups}1%{else}0%{endif}"
name = "${var.cluster_name}-k8s-master-${var.extra_sec_groups_name}"
description = "${var.cluster_name} - Kubernetes Master nodes - rules not managed by terraform"
delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "k8s_master" { resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
count = length(var.master_allowed_remote_ips) count = length(var.master_allowed_remote_ips)
direction = "ingress" direction = "ingress"
@@ -95,6 +102,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
delete_default_rules = true delete_default_rules = true
} }
resource "openstack_networking_secgroup_v2" "worker_extra" {
count = "%{if var.extra_sec_groups}1%{else}0%{endif}"
name = "${var.cluster_name}-k8s-worker-${var.extra_sec_groups_name}"
description = "${var.cluster_name} - Kubernetes worker nodes - rules not managed by terraform"
delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "worker" { resource "openstack_networking_secgroup_rule_v2" "worker" {
count = length(var.worker_allowed_ports) count = length(var.worker_allowed_ports)
direction = "ingress" direction = "ingress"
@@ -124,6 +138,21 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
policies = ["anti-affinity"] policies = ["anti-affinity"]
} }
locals {
# master groups
master_sec_groups = compact([
openstack_networking_secgroup_v2.k8s_master.name,
openstack_networking_secgroup_v2.k8s.name,
var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
])
# worker groups
worker_sec_groups = compact([
openstack_networking_secgroup_v2.k8s.name,
openstack_networking_secgroup_v2.worker.name,
var.extra_sec_groups ? openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
])
}
resource "openstack_compute_instance_v2" "bastion" { resource "openstack_compute_instance_v2" "bastion" {
name = "${var.cluster_name}-bastion-${count.index + 1}" name = "${var.cluster_name}-bastion-${count.index + 1}"
count = var.number_of_bastions count = var.number_of_bastions
@@ -189,9 +218,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s_master.name, security_groups = local.master_sec_groups
openstack_networking_secgroup_v2.k8s.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -238,9 +265,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s_master.name, security_groups = local.master_sec_groups
openstack_networking_secgroup_v2.k8s.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -327,9 +352,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s_master.name, security_groups = local.master_sec_groups
openstack_networking_secgroup_v2.k8s.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -371,9 +394,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s_master.name, security_groups = local.master_sec_groups
openstack_networking_secgroup_v2.k8s.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -414,9 +435,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s.name, security_groups = local.worker_sec_groups
openstack_networking_secgroup_v2.worker.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -461,9 +480,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s.name, security_groups = local.worker_sec_groups
openstack_networking_secgroup_v2.worker.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -504,9 +521,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
name = var.network_name name = var.network_name
} }
security_groups = [openstack_networking_secgroup_v2.k8s.name, security_groups = local.worker_sec_groups
openstack_networking_secgroup_v2.worker.name,
]
dynamic "scheduler_hints" { dynamic "scheduler_hints" {
for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : [] for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []

8
contrib/terraform/openstack/modules/compute/variables.tf
View File

@@ -127,3 +127,11 @@ variable "use_access_ip" {}
variable "use_server_groups" { variable "use_server_groups" {
type = bool type = bool
} }
variable "extra_sec_groups" {
type = bool
}
variable "extra_sec_groups_name" {
type = string
}

7
contrib/terraform/openstack/variables.tf
View File

@@ -246,3 +246,10 @@ variable "k8s_nodes" {
default = {} default = {}
} }
variable "extra_sec_groups" {
default = false
}
variable "extra_sec_groups_name" {
default = "custom"
}