From 200b63031944185473b83a9c47ad56308bc40f24 Mon Sep 17 00:00:00 2001 From: raviranjan Date: Mon, 28 Aug 2023 12:07:03 +0200 Subject: [PATCH] Adding egress IPv6 for node-local-dns queries --- contrib/terraform/openstack/README.md | 7 ++ contrib/terraform/openstack/kubespray.tf | 7 ++ .../openstack/modules/compute/main.tf | 89 +++++++++++++++++++ .../openstack/modules/compute/variables.tf | 28 ++++++ contrib/terraform/openstack/variables.tf | 49 ++++++++++ 5 files changed, 180 insertions(+) diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md index a99669276..f68e22531 100644 --- a/contrib/terraform/openstack/README.md +++ b/contrib/terraform/openstack/README.md @@ -269,11 +269,18 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`. |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube_node` for tainting them as nodes, empty by default. | |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube_ingress` for running ingress controller pods, empty by default. | |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default | +|`bastion_allowed_remote_ipv6_ips` | List of IPv6 CIDR allowed to initiate a SSH connection, `["::/0"]` by default | |`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default | +|`master_allowed_remote_ipv6_ips` | List of IPv6 CIDR blocks allowed to initiate an API connection, `["::/0"]` by default | |`bastion_allowed_ports` | List of ports to open on bastion node, `[]` by default | +|`bastion_allowed_ports_ipv6` | List of ports to open on bastion node for IPv6 CIDR blocks, `[]` by default | |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default | +|`k8s_allowed_remote_ips_ipv6` | List of IPv6 CIDR allowed to initiate a SSH connection, empty by default | +|`k8s_allowed_egress_ipv6_ips` | List of IPv6 CIDRs allowed for egress traffic, `["::/0"]` by default | |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default | +|`worker_allowed_ports_ipv6` | List of ports to open on worker nodes for IPv6 CIDR blocks, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "::/0"}]` by default | |`master_allowed_ports` | List of ports to open on master nodes, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "0.0.0.0/0"}]`, empty by default | +|`master_allowed_ports_ipv6` | List of ports to open on master nodes for IPv6 CIDR blocks, expected format is `[{ "protocol" = "tcp", "port_range_min" = 443, "port_range_max" = 443, "remote_ip_prefix" = "::/0"}]`, empty by default | |`node_root_volume_size_in_gb` | Size of the root volume for nodes, 0 to use ephemeral storage | |`master_root_volume_size_in_gb` | Size of the root volume for masters, 0 to use ephemeral storage | |`master_volume_type` | Volume type of the root volume for control_plane, 'Default' by default | diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf index a17763432..32c00bd86 100644 --- a/contrib/terraform/openstack/kubespray.tf +++ b/contrib/terraform/openstack/kubespray.tf @@ -77,14 +77,21 @@ module "compute" { k8s_nodes_fips = module.ips.k8s_nodes_fips bastion_fips = module.ips.bastion_fips bastion_allowed_remote_ips = var.bastion_allowed_remote_ips + bastion_allowed_remote_ipv6_ips = var.bastion_allowed_remote_ipv6_ips master_allowed_remote_ips = var.master_allowed_remote_ips + master_allowed_remote_ipv6_ips = var.master_allowed_remote_ipv6_ips k8s_allowed_remote_ips = var.k8s_allowed_remote_ips + k8s_allowed_remote_ips_ipv6 = var.k8s_allowed_remote_ips_ipv6 k8s_allowed_egress_ips = var.k8s_allowed_egress_ips + k8s_allowed_egress_ipv6_ips = var.k8s_allowed_egress_ipv6_ips supplementary_master_groups = var.supplementary_master_groups supplementary_node_groups = var.supplementary_node_groups master_allowed_ports = var.master_allowed_ports + master_allowed_ports_ipv6 = var.master_allowed_ports_ipv6 worker_allowed_ports = var.worker_allowed_ports + worker_allowed_ports_ipv6 = var.worker_allowed_ports_ipv6 bastion_allowed_ports = var.bastion_allowed_ports + bastion_allowed_ports_ipv6 = var.bastion_allowed_ports_ipv6 use_access_ip = var.use_access_ip master_server_group_policy = var.master_server_group_policy node_server_group_policy = var.node_server_group_policy diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf index d161d26f6..2256ea2b4 100644 --- a/contrib/terraform/openstack/modules/compute/main.tf +++ b/contrib/terraform/openstack/modules/compute/main.tf @@ -70,6 +70,36 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master_ports" { security_group_id = openstack_networking_secgroup_v2.k8s_master.id } +resource "openstack_networking_secgroup_rule_v2" "k8s_master_ipv6_ingress" { + count = length(var.master_allowed_remote_ipv6_ips) + direction = "ingress" + ethertype = "IPv6" + protocol = "tcp" + port_range_min = "6443" + port_range_max = "6443" + remote_ip_prefix = var.master_allowed_remote_ipv6_ips[count.index] + security_group_id = openstack_networking_secgroup_v2.k8s_master.id +} + +resource "openstack_networking_secgroup_rule_v2" "k8s_master_ports_ipv6_ingress" { + count = length(var.master_allowed_ports_ipv6) + direction = "ingress" + ethertype = "IPv6" + protocol = lookup(var.master_allowed_ports_ipv6[count.index], "protocol", "tcp") + port_range_min = lookup(var.master_allowed_ports_ipv6[count.index], "port_range_min") + port_range_max = lookup(var.master_allowed_ports_ipv6[count.index], "port_range_max") + remote_ip_prefix = lookup(var.master_allowed_ports_ipv6[count.index], "remote_ip_prefix", "::/0") + security_group_id = openstack_networking_secgroup_v2.k8s_master.id +} + +resource "openstack_networking_secgroup_rule_v2" "master_egress_ipv6" { + count = length(var.k8s_allowed_egress_ipv6_ips) + direction = "egress" + ethertype = "IPv6" + remote_ip_prefix = var.k8s_allowed_egress_ipv6_ips[count.index] + security_group_id = openstack_networking_secgroup_v2.k8s_master.id +} + resource "openstack_networking_secgroup_v2" "bastion" { name = "${var.cluster_name}-bastion" count = var.number_of_bastions != "" ? 1 : 0 @@ -99,6 +129,28 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports" { security_group_id = openstack_networking_secgroup_v2.bastion[0].id } +resource "openstack_networking_secgroup_rule_v2" "bastion_ipv6_ingress" { + count = var.number_of_bastions != "" ? length(var.bastion_allowed_remote_ipv6_ips) : 0 + direction = "ingress" + ethertype = "IPv6" + protocol = "tcp" + port_range_min = "22" + port_range_max = "22" + remote_ip_prefix = var.bastion_allowed_remote_ipv6_ips[count.index] + security_group_id = openstack_networking_secgroup_v2.bastion[0].id +} + +resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports_ipv6_ingress" { + count = length(var.bastion_allowed_ports_ipv6) + direction = "ingress" + ethertype = "IPv6" + protocol = lookup(var.bastion_allowed_ports_ipv6[count.index], "protocol", "tcp") + port_range_min = lookup(var.bastion_allowed_ports_ipv6[count.index], "port_range_min") + port_range_max = lookup(var.bastion_allowed_ports_ipv6[count.index], "port_range_max") + remote_ip_prefix = lookup(var.bastion_allowed_ports_ipv6[count.index], "remote_ip_prefix", "::/0") + security_group_id = openstack_networking_secgroup_v2.bastion[0].id +} + resource "openstack_networking_secgroup_v2" "k8s" { name = "${var.cluster_name}-k8s" description = "${var.cluster_name} - Kubernetes" @@ -112,6 +164,13 @@ resource "openstack_networking_secgroup_rule_v2" "k8s" { security_group_id = openstack_networking_secgroup_v2.k8s.id } +resource "openstack_networking_secgroup_rule_v2" "k8s_ipv6" { + direction = "ingress" + ethertype = "IPv6" + remote_group_id = openstack_networking_secgroup_v2.k8s.id + security_group_id = openstack_networking_secgroup_v2.k8s.id +} + resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" { count = length(var.k8s_allowed_remote_ips) direction = "ingress" @@ -123,6 +182,17 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" { security_group_id = openstack_networking_secgroup_v2.k8s.id } +resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips_ipv6" { + count = length(var.k8s_allowed_remote_ips_ipv6) + direction = "ingress" + ethertype = "IPv6" + protocol = "tcp" + port_range_min = "22" + port_range_max = "22" + remote_ip_prefix = var.k8s_allowed_remote_ips_ipv6[count.index] + security_group_id = openstack_networking_secgroup_v2.k8s.id +} + resource "openstack_networking_secgroup_rule_v2" "egress" { count = length(var.k8s_allowed_egress_ips) direction = "egress" @@ -131,6 +201,14 @@ resource "openstack_networking_secgroup_rule_v2" "egress" { security_group_id = openstack_networking_secgroup_v2.k8s.id } +resource "openstack_networking_secgroup_rule_v2" "egress_ipv6" { + count = length(var.k8s_allowed_egress_ipv6_ips) + direction = "egress" + ethertype = "IPv6" + remote_ip_prefix = var.k8s_allowed_egress_ipv6_ips[count.index] + security_group_id = openstack_networking_secgroup_v2.k8s.id +} + resource "openstack_networking_secgroup_v2" "worker" { name = "${var.cluster_name}-k8s-worker" description = "${var.cluster_name} - Kubernetes worker nodes" @@ -155,6 +233,17 @@ resource "openstack_networking_secgroup_rule_v2" "worker" { security_group_id = openstack_networking_secgroup_v2.worker.id } +resource "openstack_networking_secgroup_rule_v2" "worker_ipv6_ingress" { + count = length(var.worker_allowed_ports_ipv6) + direction = "ingress" + ethertype = "IPv6" + protocol = lookup(var.worker_allowed_ports_ipv6[count.index], "protocol", "tcp") + port_range_min = lookup(var.worker_allowed_ports_ipv6[count.index], "port_range_min") + port_range_max = lookup(var.worker_allowed_ports_ipv6[count.index], "port_range_max") + remote_ip_prefix = lookup(var.worker_allowed_ports_ipv6[count.index], "remote_ip_prefix", "::/0") + security_group_id = openstack_networking_secgroup_v2.worker.id +} + resource "openstack_compute_servergroup_v2" "k8s_master" { count = var.master_server_group_policy != "" ? 1 : 0 name = "k8s-master-srvgrp" diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf index 1a78f503e..006cce9ef 100644 --- a/contrib/terraform/openstack/modules/compute/variables.tf +++ b/contrib/terraform/openstack/modules/compute/variables.tf @@ -104,18 +104,34 @@ variable "bastion_allowed_remote_ips" { type = list } +variable "bastion_allowed_remote_ipv6_ips" { + type = list +} + variable "master_allowed_remote_ips" { type = list } +variable "master_allowed_remote_ipv6_ips" { + type = list +} + variable "k8s_allowed_remote_ips" { type = list } +variable "k8s_allowed_remote_ips_ipv6" { + type = list +} + variable "k8s_allowed_egress_ips" { type = list } +variable "k8s_allowed_egress_ipv6_ips" { + type = list +} + variable "k8s_masters" { type = map(object({ az = string @@ -172,14 +188,26 @@ variable "master_allowed_ports" { type = list } +variable "master_allowed_ports_ipv6" { + type = list +} + variable "worker_allowed_ports" { type = list } +variable "worker_allowed_ports_ipv6" { + type = list +} + variable "bastion_allowed_ports" { type = list } +variable "bastion_allowed_ports_ipv6" { + type = list +} + variable "use_access_ip" {} variable "master_server_group_policy" { diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf index 4bb6efbfd..ef99c7713 100644 --- a/contrib/terraform/openstack/variables.tf +++ b/contrib/terraform/openstack/variables.tf @@ -220,30 +220,60 @@ variable "bastion_allowed_remote_ips" { default = ["0.0.0.0/0"] } +variable "bastion_allowed_remote_ipv6_ips" { + description = "An array of IPv6 CIDRs allowed to SSH to hosts" + type = list(string) + default = ["::/0"] +} + variable "master_allowed_remote_ips" { description = "An array of CIDRs allowed to access API of masters" type = list(string) default = ["0.0.0.0/0"] } +variable "master_allowed_remote_ipv6_ips" { + description = "An array of IPv6 CIDRs allowed to access API of masters" + type = list(string) + default = ["::/0"] +} + variable "k8s_allowed_remote_ips" { description = "An array of CIDRs allowed to SSH to hosts" type = list(string) default = [] } +variable "k8s_allowed_remote_ips_ipv6" { + description = "An array of IPv6 CIDRs allowed to SSH to hosts" + type = list(string) + default = [] +} + variable "k8s_allowed_egress_ips" { description = "An array of CIDRs allowed for egress traffic" type = list(string) default = ["0.0.0.0/0"] } +variable "k8s_allowed_egress_ipv6_ips" { + description = "An array of CIDRs allowed for egress IPv6 traffic" + type = list(string) + default = ["::/0"] +} + variable "master_allowed_ports" { type = list(any) default = [] } +variable "master_allowed_ports_ipv6" { + type = list(any) + + default = [] +} + variable "worker_allowed_ports" { type = list(any) @@ -257,12 +287,31 @@ variable "worker_allowed_ports" { ] } +variable "worker_allowed_ports_ipv6" { + type = list(any) + + default = [ + { + "protocol" = "tcp" + "port_range_min" = 30000 + "port_range_max" = 32767 + "remote_ip_prefix" = "::/0" + }, + ] +} + variable "bastion_allowed_ports" { type = list(any) default = [] } +variable "bastion_allowed_ports_ipv6" { + type = list(any) + + default = [] +} + variable "use_access_ip" { default = 1 }