From 873b5608cf428bdd0aab880495284221aa2d144a Mon Sep 17 00:00:00 2001
From: rptaylor <rptaylor@uvic.ca>
Date: Sun, 21 Apr 2019 01:57:44 -0700
Subject: [PATCH] add master_allowed_remote_ips (with terraform fmt) (#4022)

---
 contrib/terraform/openstack/README.md                    | 1 +
 contrib/terraform/openstack/kubespray.tf                 | 1 +
 contrib/terraform/openstack/modules/compute/main.tf      | 3 ++-
 contrib/terraform/openstack/modules/compute/variables.tf | 4 ++++
 contrib/terraform/openstack/variables.tf                 | 6 ++++++
 5 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index c22c92e5c..b19d3bb5b 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -243,6 +243,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tf`.
 |`supplementary_master_groups` | To add ansible groups to the masters, such as `kube-node` for tainting them as nodes, empty by default. |
 |`supplementary_node_groups` | To add ansible groups to the nodes, such as `kube-ingress` for running ingress controller pods, empty by default. |
 |`bastion_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, `["0.0.0.0/0"]` by default |
+|`master_allowed_remote_ips` | List of CIDR blocks allowed to initiate an API connection, `["0.0.0.0/0"]` by default |
 |`k8s_allowed_remote_ips` | List of CIDR allowed to initiate a SSH connection, empty by default |
 |`worker_allowed_ports` | List of ports to open on worker nodes, `[{ "protocol" = "tcp", "port_range_min" = 30000, "port_range_max" = 32767, "remote_ip_prefix" = "0.0.0.0/0"}]` by default |
 
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index ac10c4f26..97f82c74d 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -52,6 +52,7 @@ module "compute" {
   k8s_node_fips                                = "${module.ips.k8s_node_fips}"
   bastion_fips                                 = "${module.ips.bastion_fips}"
   bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
+  master_allowed_remote_ips                    = "${var.master_allowed_remote_ips}"
   k8s_allowed_remote_ips                       = "${var.k8s_allowed_remote_ips}"
   k8s_allowed_egress_ips                       = "${var.k8s_allowed_egress_ips}"
   supplementary_master_groups                  = "${var.supplementary_master_groups}"
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 4bfb0c23c..9e35d4d7c 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -10,12 +10,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
 }
 
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
+  count             = "${length(var.master_allowed_remote_ips)}"
   direction         = "ingress"
   ethertype         = "IPv4"
   protocol          = "tcp"
   port_range_min    = "6443"
   port_range_max    = "6443"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = "${var.master_allowed_remote_ips[count.index]}"
   security_group_id = "${openstack_networking_secgroup_v2.k8s_master.id}"
 }
 
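Review bot: The rule's `ethertype` two lines above the new `remote_ip_prefix` stays hard-coded to `"IPv4"` while the prefix is now taken from a user-supplied list, so an IPv6 CIDR in `master_allowed_remote_ips` would presumably be rejected by the OpenStack API only at apply time; either document the IPv4-only constraint on the variable or derive the ethertype per element. An empty list also yields `count = 0` and therefore no ingress rule for port 6443 at all, which silently leaves the API server unreachable through this security group; a comment such as `# one rule per allowed CIDR; an empty list leaves 6443 closed` above the `count` line would make that consequence deliberate. Adding `count` likely changes the resource address from `openstack_networking_secgroup_rule_v2.k8s_master` to the indexed form, so existing deployments should expect a destroy-and-create of the rule on their next apply.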
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 73d657e6d..dfb438128 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -66,6 +66,10 @@ variable "bastion_allowed_remote_ips" {
   type = "list"
 }
 
+variable "master_allowed_remote_ips" {
+  type = "list"
+}
+
 variable "k8s_allowed_remote_ips" {
   type = "list"
 }
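Review bot: The new module-level variable carries no `description`, so someone reading the module interface cannot tell that it feeds the `remote_ip_prefix` of the port 6443 ingress rule or that an empty list disables that rule; a one-liner such as `description = "CIDRs allowed to reach the API port 6443 on master nodes; empty means no rule"` would cover it. The neighbouring `bastion_allowed_remote_ips` and `k8s_allowed_remote_ips` variables are equally undocumented here, so this could be a follow-up applied to all three.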
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index 911755d9e..97c8e33ed 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -145,6 +145,12 @@ variable "bastion_allowed_remote_ips" {
   default     = ["0.0.0.0/0"]
 }
 
+variable "master_allowed_remote_ips" {
+  description = "An array of CIDRs allowed to access API of masters"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
 variable "k8s_allowed_remote_ips" {
   description = "An array of CIDRs allowed to SSH to hosts"
   type        = "list"
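Review bot: The default `["0.0.0.0/0"]` on the new variable keeps the API endpoint on 6443 reachable from any source; that matches the previously hard-coded rule, but it is the value operators most need to notice when they copy the defaults, and the description does not say so. Suggest `description = "An array of CIDRs allowed to access the API (port 6443) of masters; the default allows any source and should be narrowed for real deployments"`, which also fixes the missing article in "access API of masters".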
-- 
GitLab