diff --git a/CHANGES.md b/CHANGES.md
index 7a0f1de2..671b1fe1 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -13,6 +13,8 @@ Notable changes between versions.
 ### AWS
+* Add `worker_ipv4_address` variable to associate public IPv4 addresses to worker instances (default true)
+ * When IPv6 is all you need, set to false to remove IPv4 access to instances and outbound IPv4 access to the internet
 * Relax `aws` provider version constraint to allow upgrades to v6.x ([#1617](https://github.com/poseidon/typhoon/pull/1617))
 ### Azure
diff --git a/aws/fedora-coreos/kubernetes/nlb.tf b/aws/fedora-coreos/kubernetes/nlb.tf
index ab98f1ee..c796a18f 100644
--- a/aws/fedora-coreos/kubernetes/nlb.tf
+++ b/aws/fedora-coreos/kubernetes/nlb.tf
@@ -13,6 +13,20 @@ resource "aws_route53_record" "apiserver" {
 }
 }
+resource "aws_route53_record" "apiserver-ipv6" {
+ zone_id = var.dns_zone_id
+ name = format("%s.%s.", var.cluster_name, var.dns_zone)
+ type = "AAAA"
+ # AWS recommends their special "alias" records for NLBs
+ alias {
+ name = aws_lb.nlb.dns_name
+ zone_id = aws_lb.nlb.zone_id
+ evaluate_target_health = true
+ }
+}
 # Network Load Balancer for apiservers and ingress
 resource "aws_lb" "nlb" {
 name = "${var.cluster_name}-nlb"
diff --git a/aws/fedora-coreos/kubernetes/security.tf b/aws/fedora-coreos/kubernetes/security.tf
index 19aec254..dd15767e 100644
--- a/aws/fedora-coreos/kubernetes/security.tf
+++ b/aws/fedora-coreos/kubernetes/security.tf
@@ -40,11 +40,12 @@ resource "aws_security_group_rule" "controller-icmp-self" {
 resource "aws_security_group_rule" "controller-ssh" {
 security_group_id = aws_security_group.controller.id
- type = "ingress"
- protocol = "tcp"
- from_port = 22
- to_port = 22
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 resource "aws_security_group_rule" "controller-etcd" {
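Review bot: The new `apiserver-ipv6` AAAA alias only yields an IPv6 answer if `aws_lb.nlb` is provisioned as dualstack, and the `aws_lb` resource that begins at the end of this hunk continues outside it, so its `ip_address_type` cannot be confirmed here. If the NLB stays IPv4-only, the alias record resolves to nothing and the IPv6 path to the apiserver silently does not exist, which is easy to miss because `terraform apply` succeeds either way. A short comment on the record would make the dependency visible, e.g. `# Only resolves when aws_lb.nlb is dualstack; an IPv4-only NLB leaves this AAAA alias empty`. The same hunk appears in aws/flatcar-linux/kubernetes/nlb.tf.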
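Review bot: Adding `ipv6_cidr_blocks = ["::/0"]` to `controller-ssh` opens port 22 on controllers to the entire IPv6 internet, mirroring the existing `0.0.0.0/0` rule, but the rule carries no comment saying world-open SSH is intentional and there is no operator-facing knob to narrow either list. Consider a one-line comment such as `# SSH is reachable from any IPv4 or IPv6 source; narrow these CIDRs in deployments that do not need world-open access`, or lifting both CIDR lists into a variable so operators can restrict them without forking. Whether worker security group rules get the same IPv6 treatment is not visible in this diff. The same hunk appears in aws/flatcar-linux/kubernetes/security.tf.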
diff --git a/aws/fedora-coreos/kubernetes/variables.tf b/aws/fedora-coreos/kubernetes/variables.tf
index 3020437c..40b3a9f9 100644
--- a/aws/fedora-coreos/kubernetes/variables.tf
+++ b/aws/fedora-coreos/kubernetes/variables.tf
@@ -76,6 +76,12 @@ variable "worker_type" {
 default = "t3.small"
 }
+variable "worker_public_ipv4" {
+ type = bool
+ description = "Associate a public IPv4 address to instances (otherwise, no IPv4 access to instances from the internet and no outbound IPv4 access to the internet)"
+ default = true
+}
 variable "worker_disk_size" {
 type = number
 description = "Size of the EBS volume in GB"
diff --git a/aws/fedora-coreos/kubernetes/workers.tf b/aws/fedora-coreos/kubernetes/workers.tf
index debe57a6..bbfd4f60 100644
--- a/aws/fedora-coreos/kubernetes/workers.tf
+++ b/aws/fedora-coreos/kubernetes/workers.tf
@@ -19,6 +19,8 @@ module "workers" {
 spot_price = var.worker_price
 target_groups = var.worker_target_groups
+ associate_public_ipv4_address = var.worker_public_ipv4
+
 # configuration
 kubeconfig = module.bootstrap.kubeconfig-kubelet
 ssh_authorized_key = var.ssh_authorized_key
diff --git a/aws/fedora-coreos/kubernetes/workers/variables.tf b/aws/fedora-coreos/kubernetes/workers/variables.tf
index 4b743368..ad29335b 100644
--- a/aws/fedora-coreos/kubernetes/workers/variables.tf
+++ b/aws/fedora-coreos/kubernetes/workers/variables.tf
@@ -34,6 +34,12 @@ variable "instance_type" {
 default = "t3.small"
 }
+variable "associate_public_ipv4_address" {
+ type = bool
+ description = "Associate a public IPv4 address to instances (otherwise, no IPv4 access to instances from the internet and no outbound IPv4 access to the internet)"
+ default = true
+}
 variable "os_stream" {
 type = string
 description = "Fedora CoreOS image stream for instances (e.g. stable, testing, next)"
diff --git a/aws/fedora-coreos/kubernetes/workers/workers.tf b/aws/fedora-coreos/kubernetes/workers/workers.tf
index 2d07d8b4..abe8ac02 100644
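Review bot: The changelog entry in this commit names the new variable `worker_ipv4_address`, but the variable added here is `worker_public_ipv4` and the module-level one is `associate_public_ipv4_address`, so a user following CHANGES.md would set a variable that does not exist. Settle on one name and make the changelog match `worker_public_ipv4`, since that is what the root module exposes. The description also states what turning the flag off removes but not what a worker then needs; a trailing clause such as `; with false, workers must reach the apiserver, registries and the internet over IPv6` would tell operators what to provision, though the VPC and subnet configuration is not in this diff so the exact requirement should be confirmed against it. The same variable hunks appear in aws/flatcar-linux/kubernetes/variables.tf and in both workers/variables.tf files.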
--- a/aws/fedora-coreos/kubernetes/workers/workers.tf
+++ b/aws/fedora-coreos/kubernetes/workers/workers.tf
@@ -75,7 +75,7 @@ resource "aws_launch_template" "worker" {
 # network
 network_interfaces {
- associate_public_ip_address = true
+ associate_public_ip_address = var.associate_public_ipv4_address
 security_groups = var.security_groups
 }
diff --git a/aws/flatcar-linux/kubernetes/nlb.tf b/aws/flatcar-linux/kubernetes/nlb.tf
index ab98f1ee..c796a18f 100644
--- a/aws/flatcar-linux/kubernetes/nlb.tf
+++ b/aws/flatcar-linux/kubernetes/nlb.tf
@@ -13,6 +13,20 @@ resource "aws_route53_record" "apiserver" {
 }
 }
+resource "aws_route53_record" "apiserver-ipv6" {
+ zone_id = var.dns_zone_id
+ name = format("%s.%s.", var.cluster_name, var.dns_zone)
+ type = "AAAA"
+ # AWS recommends their special "alias" records for NLBs
+ alias {
+ name = aws_lb.nlb.dns_name
+ zone_id = aws_lb.nlb.zone_id
+ evaluate_target_health = true
+ }
+}
 # Network Load Balancer for apiservers and ingress
 resource "aws_lb" "nlb" {
 name = "${var.cluster_name}-nlb"
diff --git a/aws/flatcar-linux/kubernetes/security.tf b/aws/flatcar-linux/kubernetes/security.tf
index 19aec254..dd15767e 100644
--- a/aws/flatcar-linux/kubernetes/security.tf
+++ b/aws/flatcar-linux/kubernetes/security.tf
@@ -40,11 +40,12 @@ resource "aws_security_group_rule" "controller-icmp-self" {
 resource "aws_security_group_rule" "controller-ssh" {
 security_group_id = aws_security_group.controller.id
- type = "ingress"
- protocol = "tcp"
- from_port = 22
- to_port = 22
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 resource "aws_security_group_rule" "controller-etcd" {
diff --git a/aws/flatcar-linux/kubernetes/variables.tf b/aws/flatcar-linux/kubernetes/variables.tf
index 7d2bac48..ee04da00 100644
--- a/aws/flatcar-linux/kubernetes/variables.tf
+++ b/aws/flatcar-linux/kubernetes/variables.tf
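Review bot: With `associate_public_ip_address` now driven by `var.associate_public_ipv4_address`, a false value removes the worker's only public address unless the `network_interfaces` block also gives the instance an IPv6 address, and the rest of that block and of `aws_launch_template.worker` lie outside the hunk, so that cannot be confirmed here. If the template does not set `ipv6_address_count` and the subnet does not auto-assign IPv6, a worker launched with the flag off has no route to the apiserver or to registries and is unlikely to join the cluster, with nothing at plan time pointing at the cause. A comment on the changed line naming that coupling, e.g. `# false is only viable when the instance also receives an IPv6 address (subnet auto-assign or ipv6_address_count)`, would save the next operator a debugging session. The same hunk appears in aws/flatcar-linux/kubernetes/workers/workers.tf.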
@@ -76,6 +76,12 @@ variable "worker_type" {
 default = "t3.small"
 }
+variable "worker_public_ipv4" {
+ type = bool
+ description = "Associate a public IPv4 address to instances (otherwise, no IPv4 access to instances from the internet and no outbound IPv4 access to the internet)"
+ default = true
+}
 variable "worker_disk_size" {
 type = number
 description = "Size of the EBS volume in GB"
diff --git a/aws/flatcar-linux/kubernetes/workers.tf b/aws/flatcar-linux/kubernetes/workers.tf
index 9e5de509..cc218e27 100644
--- a/aws/flatcar-linux/kubernetes/workers.tf
+++ b/aws/flatcar-linux/kubernetes/workers.tf
@@ -18,6 +18,8 @@ module "workers" {
 spot_price = var.worker_price
 target_groups = var.worker_target_groups
+ associate_public_ipv4_address = var.worker_public_ipv4
+
 # configuration
 kubeconfig = module.bootstrap.kubeconfig-kubelet
 ssh_authorized_key = var.ssh_authorized_key
diff --git a/aws/flatcar-linux/kubernetes/workers/variables.tf b/aws/flatcar-linux/kubernetes/workers/variables.tf
index 13a203ed..9a51f51e 100644
--- a/aws/flatcar-linux/kubernetes/workers/variables.tf
+++ b/aws/flatcar-linux/kubernetes/workers/variables.tf
@@ -34,6 +34,12 @@ variable "instance_type" {
 default = "t3.small"
 }
+variable "associate_public_ipv4_address" {
+ type = bool
+ description = "Associate a public IPv4 address to instances (otherwise, no IPv4 access to instances from the internet and no outbound IPv4 access to the internet)"
+ default = true
+}
 variable "os_image" {
 type = string
 description = "AMI channel for a Container Linux derivative (flatcar-stable, flatcar-beta, flatcar-alpha)"
diff --git a/aws/flatcar-linux/kubernetes/workers/workers.tf b/aws/flatcar-linux/kubernetes/workers/workers.tf
index 268650c7..a8c8d301 100644
--- a/aws/flatcar-linux/kubernetes/workers/workers.tf
+++ b/aws/flatcar-linux/kubernetes/workers/workers.tf
@@ -74,7 +74,7 @@ resource "aws_launch_template" "worker" {
 # network
 network_interfaces {
- associate_public_ip_address = true
+ associate_public_ip_address = var.associate_public_ipv4_address
 security_groups = var.security_groups
 }