diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index 15dafa7f5af5e04aef647234bd4d48ccbe91dd5b..daf21900fb9a17713c1a517df1d50894d0a5e758 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -74,6 +74,7 @@ module "compute" {
 k8s_allowed_egress_ips = var.k8s_allowed_egress_ips
 supplementary_master_groups = var.supplementary_master_groups
 supplementary_node_groups = var.supplementary_node_groups
+ master_allowed_ports = var.master_allowed_ports
 worker_allowed_ports = var.worker_allowed_ports
 wait_for_floatingip = var.wait_for_floatingip
 use_access_ip = var.use_access_ip
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index e91316c43bc08bb7b286293776ebacc63103ee09..5ef4b6c6bc212f283bba6f796b3fb1ab387b2bd2 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -28,6 +28,17 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
 security_group_id = openstack_networking_secgroup_v2.k8s_master.id
 }

+resource "openstack_networking_secgroup_rule_v2" "k8s_master_ports" {
+ count = length(var.master_allowed_ports)
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = lookup(var.master_allowed_ports[count.index], "protocol", "tcp")
+ port_range_min = lookup(var.master_allowed_ports[count.index], "port_range_min")
+ port_range_max = lookup(var.master_allowed_ports[count.index], "port_range_max")
+ remote_ip_prefix = lookup(var.master_allowed_ports[count.index], "remote_ip_prefix", "0.0.0.0/0")
+ security_group_id = openstack_networking_secgroup_v2.k8s_master.id
+}
+
 resource "openstack_networking_secgroup_v2" "bastion" {
 name = "${var.cluster_name}-bastion"
 count = var.number_of_bastions != "" ? 1 : 0
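Review bot: In the new `k8s_master_ports` rule, `remote_ip_prefix` falls back to `"0.0.0.0/0"` when an entry in `master_allowed_ports` omits the key, so a partially filled entry opens that port on the control-plane security group to every IPv4 source. For master nodes I would require the source explicitly and drop the default, `remote_ip_prefix = lookup(var.master_allowed_ports[count.index], "remote_ip_prefix")`, matching how the port range is already read, so a missing key fails at plan time instead of failing open. The rule is also fixed to `ethertype = "IPv4"`, which is worth stating wherever the variable is documented.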
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 1a16a3c4a259a626d0226ba6d6762fb0fe0d61df..11bb5f5634abf55b7849cfde922f2bc31f7f7122 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -114,6 +114,10 @@ variable "supplementary_node_groups" {
 default = ""
 }

+variable "master_allowed_ports" {
+ type = list
+}
+
 variable "worker_allowed_ports" {
 type = list
 }
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index c6c28f6728bcd0edecfbff6d903dfc9b1e510ff6..04b7e5ab8e27b91dab7ef74fd54d78e63723041f 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -204,6 +204,12 @@ variable "k8s_allowed_egress_ips" {
 default = ["0.0.0.0/0"]
 }

+variable "master_allowed_ports" {
+ type = list
+
+ default = []
+}
+
 variable "worker_allowed_ports" {
 type = list
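Review bot: `master_allowed_ports` in modules/compute/variables.tf is declared as a bare `type = list` with no `description`, and the root variables.tf declaration is the same. Nothing tells an operator which keys an entry takes or that these rules land on the control-plane security group. I would add to both declarations something like `description = "Ingress rules for the k8s_master security group; each entry sets port_range_min, port_range_max and optionally protocol and remote_ip_prefix"`. The root default of `[]` keeps the master group closed unless the operator opts in, and should stay that way.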