contrib/terraform/gcp: allow extra ingress firewalls (#9658)
Signed-off-by: Mathieu Parent <math.parent@gmail.com> Signed-off-by: Mathieu Parent <math.parent@gmail.com>pull/9674/head
parent
8a03bb1bb4
commit
c80bb0007a
|
@ -75,6 +75,11 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
|
||||||
* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
|
* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
|
||||||
* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
|
* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
|
||||||
* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
|
* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
|
||||||
|
* `extra_ingress_firewalls`: Additional ingress firewall rules. Key will be used as the name of the rule
|
||||||
|
* `source_ranges`: List of IP ranges (CIDR). Example: `["8.8.8.8"]`
|
||||||
|
* `protocol`: Protocol. Example `"tcp"`
|
||||||
|
* `ports`: List of ports, as string. Example `["53"]`
|
||||||
|
* `target_tags`: List of target tag (either the machine name or `control-plane` or `worker`). Example: `["control-plane", "worker-0"]`
|
||||||
|
|
||||||
### Optional
|
### Optional
|
||||||
|
|
||||||
|
|
|
@ -34,4 +34,6 @@ module "kubernetes" {
|
||||||
api_server_whitelist = var.api_server_whitelist
|
api_server_whitelist = var.api_server_whitelist
|
||||||
nodeport_whitelist = var.nodeport_whitelist
|
nodeport_whitelist = var.nodeport_whitelist
|
||||||
ingress_whitelist = var.ingress_whitelist
|
ingress_whitelist = var.ingress_whitelist
|
||||||
|
|
||||||
|
extra_ingress_firewalls = var.extra_ingress_firewalls
|
||||||
}
|
}
|
||||||
|
|
|
@ -219,7 +219,7 @@ resource "google_compute_instance" "master" {
|
||||||
machine_type = each.value.size
|
machine_type = each.value.size
|
||||||
zone = each.value.zone
|
zone = each.value.zone
|
||||||
|
|
||||||
tags = ["master"]
|
tags = ["control-plane", "master", each.key]
|
||||||
|
|
||||||
boot_disk {
|
boot_disk {
|
||||||
initialize_params {
|
initialize_params {
|
||||||
|
@ -325,7 +325,7 @@ resource "google_compute_instance" "worker" {
|
||||||
machine_type = each.value.size
|
machine_type = each.value.size
|
||||||
zone = each.value.zone
|
zone = each.value.zone
|
||||||
|
|
||||||
tags = ["worker"]
|
tags = ["worker", each.key]
|
||||||
|
|
||||||
boot_disk {
|
boot_disk {
|
||||||
initialize_params {
|
initialize_params {
|
||||||
|
@ -398,3 +398,24 @@ resource "google_compute_target_pool" "worker_lb" {
|
||||||
name = "${var.prefix}-worker-lb-pool"
|
name = "${var.prefix}-worker-lb-pool"
|
||||||
instances = local.worker_target_list
|
instances = local.worker_target_list
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "google_compute_firewall" "extra_ingress_firewall" {
|
||||||
|
for_each = {
|
||||||
|
for name, firewall in var.extra_ingress_firewalls :
|
||||||
|
name => firewall
|
||||||
|
}
|
||||||
|
|
||||||
|
name = "${var.prefix}-${each.key}-ingress"
|
||||||
|
network = google_compute_network.main.name
|
||||||
|
|
||||||
|
priority = 100
|
||||||
|
|
||||||
|
source_ranges = each.value.source_ranges
|
||||||
|
|
||||||
|
target_tags = each.value.target_tags
|
||||||
|
|
||||||
|
allow {
|
||||||
|
protocol = each.value.protocol
|
||||||
|
ports = each.value.ports
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@ variable "machines" {
|
||||||
}))
|
}))
|
||||||
boot_disk = object({
|
boot_disk = object({
|
||||||
image_name = string
|
image_name = string
|
||||||
size = number
|
size = number
|
||||||
})
|
})
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
@ -73,3 +73,14 @@ variable "ingress_whitelist" {
|
||||||
variable "private_network_cidr" {
|
variable "private_network_cidr" {
|
||||||
default = "10.0.10.0/24"
|
default = "10.0.10.0/24"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "extra_ingress_firewalls" {
|
||||||
|
type = map(object({
|
||||||
|
source_ranges = set(string)
|
||||||
|
protocol = string
|
||||||
|
ports = list(string)
|
||||||
|
target_tags = set(string)
|
||||||
|
}))
|
||||||
|
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
|
@ -95,3 +95,14 @@ variable "ingress_whitelist" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
default = ["0.0.0.0/0"]
|
default = ["0.0.0.0/0"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "extra_ingress_firewalls" {
|
||||||
|
type = map(object({
|
||||||
|
source_ranges = set(string)
|
||||||
|
protocol = string
|
||||||
|
ports = list(string)
|
||||||
|
target_tags = set(string)
|
||||||
|
}))
|
||||||
|
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue