nsg fixes

This commit is contained in:
Serge Logvinov
2021-12-21 01:01:11 +02:00
parent 0c88c1ac10
commit b7553cb9b2
5 changed files with 84 additions and 26 deletions


@@ -25,7 +25,6 @@ resource "oci_core_instance" "contolplane" {
}
metadata = {
ssh_authorized_keys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDd+wfWIKi1dDZuCsd/zNw2n4WuHHa21N/Ltmo3umH2d local"
user_data = base64encode(templatefile("${path.module}/templates/controlplane.yaml",
merge(var.kubernetes, {
name = "contolplane-${count.index + 1}"
@@ -38,7 +37,7 @@ resource "oci_core_instance" "contolplane" {
source_details {
source_type = "image"
source_id = data.oci_core_images.talos_x64.images[0].id
source_id = lookup(var.controlplane, "type", "VM.Standard.E4.Flex") == "VM.Standard.A1.Flex" ? data.oci_core_images.talos_arm.images[0].id : data.oci_core_images.talos_x64.images[0].id
boot_volume_size_in_gbs = "50"
}
create_vnic_details {
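Review bot: The new `source_id` expression hard-codes the default shape `"VM.Standard.E4.Flex"` a second time; the instance's `shape` attribute, which sits outside this hunk, presumably resolves the same `lookup(var.controlplane, "type", ...)` with its own default, and if the two defaults ever drift the selected image architecture will no longer match the shape. Hoist the lookup into one local, e.g. `controlplane_shape = lookup(var.controlplane, "type", "VM.Standard.E4.Flex")`, and write `source_id = local.controlplane_shape == "VM.Standard.A1.Flex" ? data.oci_core_images.talos_arm.images[0].id : data.oci_core_images.talos_x64.images[0].id` so both attributes read the same value. `images[0]` on `talos_arm` will also fail the plan if the ARM image data source returns an empty list, though that mirrors the existing `talos_x64` pattern. The `oci_core_instance.contolplane` resource continues outside the hunk.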


@@ -58,7 +58,7 @@ resource "oci_core_instance_configuration" "workers" {
display_name = "${var.project}-workers"
assign_private_dns_record = false
assign_public_ip = false
nsg_ids = [local.nsg_talos, local.nsg_cilium]
nsg_ids = [local.nsg_talos, local.nsg_cilium, local.nsg_worker]
subnet_id = local.network_private[local.zone].id
}


@@ -56,39 +56,39 @@ resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_in" {
protocol = "17"
direction = "INGRESS"
source = each.value
stateless = true
stateless = false
udp_options {
source_port_range {
min = 8472
max = 8472
}
# source_port_range {
# min = 8472
# max = 8472
# }
destination_port_range {
min = 8472
max = 8472
}
}
}
resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
# resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" {
# for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.cilium.id
protocol = "17"
direction = "EGRESS"
destination = each.value
stateless = true
# network_security_group_id = oci_core_network_security_group.cilium.id
# protocol = "17"
# direction = "EGRESS"
# destination = each.value
# stateless = true
udp_options {
source_port_range {
min = 8472
max = 8472
}
destination_port_range {
min = 8472
max = 8472
}
}
}
# udp_options {
# source_port_range {
# min = 8472
# max = 8472
# }
# destination_port_range {
# min = 8472
# max = 8472
# }
# }
# }
resource "oci_core_network_security_group_security_rule" "cilium_health" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
@@ -270,12 +270,44 @@ resource "oci_core_network_security_group_security_rule" "contolplane_etcd" {
}
}
}
resource "oci_core_network_security_group_security_rule" "contolplane_kubelet" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.contolplane.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 10250
max = 10250
}
}
}
resource "oci_core_network_security_group" "web" {
display_name = "${var.project}-web"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "web_kubelet" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.web.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 10250
max = 10250
}
}
}
resource "oci_core_network_security_group_security_rule" "web_http_health_check" {
for_each = toset([oci_core_vcn.main.cidr_block])
@@ -340,3 +372,25 @@ resource "oci_core_network_security_group_security_rule" "web_https" {
}
}
}
resource "oci_core_network_security_group" "worker" {
display_name = "${var.project}-worker"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "worker_kubelet" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.worker.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 10250
max = 10250
}
}
}
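Review bot: The three new kubelet rules (`contolplane_kubelet`, `web_kubelet`, `worker_kubelet`) admit TCP 10250 from the entire VCN IPv4 and IPv6 CIDRs, so any instance in the VCN, not only the API server, can reach the kubelet API on every node; OCI security rules can be scoped to a peer NSG instead, with `source_type = "NETWORK_SECURITY_GROUP"` and `source = oci_core_network_security_group.contolplane.id` (plus whichever NSG hosts in-cluster kubelet clients such as metrics-server, if any). Since the three rules differ only in `network_security_group_id`, a single resource iterating `setproduct` over the NSG ids and the allowed sources would keep them from drifting apart. In the first hunk, the `cilium_vxvlan_out` resource and the `source_port_range` block are commented out rather than deleted; version control already preserves them, and dead HCL in comments tends to rot, so removing the lines outright would be cleaner. Note also that switching `cilium_vxvlan_in` to `stateless = false` while dropping the egress rule means node-initiated VXLAN flows now depend on some other egress rule permitting UDP 8472, which this file does not show, so that is worth confirming.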


@@ -83,3 +83,7 @@ output "nsg_web" {
description = "The web Network Security Groups"
value = oci_core_network_security_group.web.id
}
output "nsg_worker" {
description = "The worker Network Security Groups"
value = oci_core_network_security_group.worker.id
}


@@ -37,6 +37,7 @@ locals {
nsg_contolplane_lb = data.terraform_remote_state.prepare.outputs.nsg_contolplane_lb
nsg_contolplane = data.terraform_remote_state.prepare.outputs.nsg_contolplane
nsg_web = data.terraform_remote_state.prepare.outputs.nsg_web
nsg_worker = data.terraform_remote_state.prepare.outputs.nsg_worker
nsg_cilium = data.terraform_remote_state.prepare.outputs.nsg_cilium
nsg_talos = data.terraform_remote_state.prepare.outputs.nsg_talos
}
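Review bot: The new `nsg_worker` local reads `data.terraform_remote_state.prepare.outputs.nsg_worker`, which only exists once the `prepare` stage containing the new `output "nsg_worker"` has been applied; until then this stage will fail to plan with an unsupported-attribute error rather than a clear message. A short comment above the locals, e.g. `# requires the prepare stage to be applied first (outputs nsg_worker)`, would document the ordering for whoever applies these in sequence.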