mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-03-10 22:19:32 -02:30
Adding egress IPv6 for node-local-dns queries
This commit is contained in:
raviranjan
committed by
Florian Ruynat
Florian Ruynat
parent
21289db181
commit
200b630319
@@ -70,6 +70,36 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master_ports" {
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s_master.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_master_ipv6_ingress" {
|
||||
count = length(var.master_allowed_remote_ipv6_ips)
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
protocol = "tcp"
|
||||
port_range_min = "6443"
|
||||
port_range_max = "6443"
|
||||
remote_ip_prefix = var.master_allowed_remote_ipv6_ips[count.index]
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s_master.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_master_ports_ipv6_ingress" {
|
||||
count = length(var.master_allowed_ports_ipv6)
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
protocol = lookup(var.master_allowed_ports_ipv6[count.index], "protocol", "tcp")
|
||||
port_range_min = lookup(var.master_allowed_ports_ipv6[count.index], "port_range_min")
|
||||
port_range_max = lookup(var.master_allowed_ports_ipv6[count.index], "port_range_max")
|
||||
remote_ip_prefix = lookup(var.master_allowed_ports_ipv6[count.index], "remote_ip_prefix", "::/0")
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s_master.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "master_egress_ipv6" {
|
||||
count = length(var.k8s_allowed_egress_ipv6_ips)
|
||||
direction = "egress"
|
||||
ethertype = "IPv6"
|
||||
remote_ip_prefix = var.k8s_allowed_egress_ipv6_ips[count.index]
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s_master.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_v2" "bastion" {
|
||||
name = "${var.cluster_name}-bastion"
|
||||
count = var.number_of_bastions != "" ? 1 : 0
|
||||
@@ -99,6 +129,28 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports" {
|
||||
security_group_id = openstack_networking_secgroup_v2.bastion[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "bastion_ipv6_ingress" {
|
||||
count = var.number_of_bastions != "" ? length(var.bastion_allowed_remote_ipv6_ips) : 0
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
protocol = "tcp"
|
||||
port_range_min = "22"
|
||||
port_range_max = "22"
|
||||
remote_ip_prefix = var.bastion_allowed_remote_ipv6_ips[count.index]
|
||||
security_group_id = openstack_networking_secgroup_v2.bastion[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_bastion_ports_ipv6_ingress" {
|
||||
count = length(var.bastion_allowed_ports_ipv6)
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
protocol = lookup(var.bastion_allowed_ports_ipv6[count.index], "protocol", "tcp")
|
||||
port_range_min = lookup(var.bastion_allowed_ports_ipv6[count.index], "port_range_min")
|
||||
port_range_max = lookup(var.bastion_allowed_ports_ipv6[count.index], "port_range_max")
|
||||
remote_ip_prefix = lookup(var.bastion_allowed_ports_ipv6[count.index], "remote_ip_prefix", "::/0")
|
||||
security_group_id = openstack_networking_secgroup_v2.bastion[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_v2" "k8s" {
|
||||
name = "${var.cluster_name}-k8s"
|
||||
description = "${var.cluster_name} - Kubernetes"
|
||||
@@ -112,6 +164,13 @@ resource "openstack_networking_secgroup_rule_v2" "k8s" {
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_ipv6" {
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
remote_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
|
||||
count = length(var.k8s_allowed_remote_ips)
|
||||
direction = "ingress"
|
||||
@@ -123,6 +182,17 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips_ipv6" {
|
||||
count = length(var.k8s_allowed_remote_ips_ipv6)
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
protocol = "tcp"
|
||||
port_range_min = "22"
|
||||
port_range_max = "22"
|
||||
remote_ip_prefix = var.k8s_allowed_remote_ips_ipv6[count.index]
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "egress" {
|
||||
count = length(var.k8s_allowed_egress_ips)
|
||||
direction = "egress"
|
||||
@@ -131,6 +201,14 @@ resource "openstack_networking_secgroup_rule_v2" "egress" {
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "egress_ipv6" {
|
||||
count = length(var.k8s_allowed_egress_ipv6_ips)
|
||||
direction = "egress"
|
||||
ethertype = "IPv6"
|
||||
remote_ip_prefix = var.k8s_allowed_egress_ipv6_ips[count.index]
|
||||
security_group_id = openstack_networking_secgroup_v2.k8s.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_v2" "worker" {
|
||||
name = "${var.cluster_name}-k8s-worker"
|
||||
description = "${var.cluster_name} - Kubernetes worker nodes"
|
||||
@@ -155,6 +233,17 @@ resource "openstack_networking_secgroup_rule_v2" "worker" {
|
||||
security_group_id = openstack_networking_secgroup_v2.worker.id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "worker_ipv6_ingress" {
|
||||
count = length(var.worker_allowed_ports_ipv6)
|
||||
direction = "ingress"
|
||||
ethertype = "IPv6"
|
||||
protocol = lookup(var.worker_allowed_ports_ipv6[count.index], "protocol", "tcp")
|
||||
port_range_min = lookup(var.worker_allowed_ports_ipv6[count.index], "port_range_min")
|
||||
port_range_max = lookup(var.worker_allowed_ports_ipv6[count.index], "port_range_max")
|
||||
remote_ip_prefix = lookup(var.worker_allowed_ports_ipv6[count.index], "remote_ip_prefix", "::/0")
|
||||
security_group_id = openstack_networking_secgroup_v2.worker.id
|
||||
}
|
||||
|
||||
resource "openstack_compute_servergroup_v2" "k8s_master" {
|
||||
count = var.master_server_group_policy != "" ? 1 : 0
|
||||
name = "k8s-master-srvgrp"
|
||||
|
||||
@@ -104,18 +104,34 @@ variable "bastion_allowed_remote_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "bastion_allowed_remote_ipv6_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "master_allowed_remote_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "master_allowed_remote_ipv6_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "k8s_allowed_remote_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "k8s_allowed_remote_ips_ipv6" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "k8s_allowed_egress_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "k8s_allowed_egress_ipv6_ips" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "k8s_masters" {
|
||||
type = map(object({
|
||||
az = string
|
||||
@@ -172,14 +188,26 @@ variable "master_allowed_ports" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "master_allowed_ports_ipv6" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "worker_allowed_ports" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "worker_allowed_ports_ipv6" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "bastion_allowed_ports" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "bastion_allowed_ports_ipv6" {
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "use_access_ip" {}
|
||||
|
||||
variable "master_server_group_policy" {
|
||||
|
||||
Reference in New Issue
Block a user