From b7553cb9b20596d197836a3766a6367b10f15e0e Mon Sep 17 00:00:00 2001
From: Serge Logvinov
Date: Tue, 21 Dec 2021 01:01:11 +0200
Subject: [PATCH] nsg fixes
---
 oracle/instances-controlplane.tf | 3 +-
 oracle/instances-workers.tf | 2 +-
 oracle/prepare/network-secgroup.tf | 100 ++++++++++++++++++++++-------
 oracle/prepare/output.tf | 4 ++
 oracle/variables.tf | 1 +
 5 files changed, 84 insertions(+), 26 deletions(-)
diff --git a/oracle/instances-controlplane.tf b/oracle/instances-controlplane.tf
index dd4d546..8da6272 100644
--- a/oracle/instances-controlplane.tf
+++ b/oracle/instances-controlplane.tf
@@ -25,7 +25,6 @@ resource "oci_core_instance" "contolplane" {
 }
 metadata = {
- ssh_authorized_keys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDd+wfWIKi1dDZuCsd/zNw2n4WuHHa21N/Ltmo3umH2d local"
 user_data = base64encode(templatefile("${path.module}/templates/controlplane.yaml", merge(var.kubernetes, { name = "contolplane-${count.index + 1}"
@@ -38,7 +37,7 @@ resource "oci_core_instance" "contolplane" {
 source_details {
 source_type = "image"
- source_id = data.oci_core_images.talos_x64.images[0].id
+ source_id = lookup(var.controlplane, "type", "VM.Standard.E4.Flex") == "VM.Standard.A1.Flex" ? data.oci_core_images.talos_arm.images[0].id : data.oci_core_images.talos_x64.images[0].id
 boot_volume_size_in_gbs = "50"
 }
 create_vnic_details {
diff --git a/oracle/instances-workers.tf b/oracle/instances-workers.tf
index 7a375c0..151c8f9 100644
--- a/oracle/instances-workers.tf
+++ b/oracle/instances-workers.tf
@@ -58,7 +58,7 @@ resource "oci_core_instance_configuration" "workers" {
 display_name = "${var.project}-workers"
 assign_private_dns_record = false
 assign_public_ip = false
- nsg_ids = [local.nsg_talos, local.nsg_cilium]
+ nsg_ids = [local.nsg_talos, local.nsg_cilium, local.nsg_worker]
 subnet_id = local.network_private[local.zone].id
 }
diff --git a/oracle/prepare/network-secgroup.tf b/oracle/prepare/network-secgroup.tf
index 6b50dbf..2cf7a3b 100644
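Review bot: The new `source_id` expression in the `@@ -38,7 +37,7 @@` hunk hard-codes `"VM.Standard.E4.Flex"` as the `lookup` fallback for `var.controlplane["type"]`; if the instance's `shape` argument (outside this hunk) takes its default from a different literal or from the variable's declared default, the boot image architecture and the shape can silently diverge. Computing the shape once, e.g. `locals { controlplane_shape = lookup(var.controlplane, "type", "VM.Standard.E4.Flex") }`, and deriving both `shape` and the arm/x64 image choice from that local keeps the two in step. A short comment such as `# VM.Standard.A1.Flex is Ampere/aarch64 and needs the arm image; every other shape boots the x64 image` would make the ternary self-explaining. Note that `data.oci_core_images.talos_arm.images[0]` will fail at plan time with an index error if the ARM image lookup returns nothing, mirroring the existing x64 assumption. The `oci_core_instance` block continues outside the hunk.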
--- a/oracle/prepare/network-secgroup.tf
+++ b/oracle/prepare/network-secgroup.tf
@@ -56,39 +56,39 @@ resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_in" {
 protocol = "17"
 direction = "INGRESS"
 source = each.value
- stateless = true
+ stateless = false
 udp_options {
- source_port_range {
- min = 8472
- max = 8472
- }
+ # source_port_range {
+ # min = 8472
+ # max = 8472
+ # }
 destination_port_range {
 min = 8472
 max = 8472
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" {
- for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
+# resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" {
+# for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
- network_security_group_id = oci_core_network_security_group.cilium.id
- protocol = "17"
- direction = "EGRESS"
- destination = each.value
- stateless = true
+# network_security_group_id = oci_core_network_security_group.cilium.id
+# protocol = "17"
+# direction = "EGRESS"
+# destination = each.value
+# stateless = true
- udp_options {
- source_port_range {
- min = 8472
- max = 8472
- }
- destination_port_range {
- min = 8472
- max = 8472
- }
- }
-}
+# udp_options {
+# source_port_range {
+# min = 8472
+# max = 8472
+# }
+# destination_port_range {
+# min = 8472
+# max = 8472
+# }
+# }
+# }
 resource "oci_core_network_security_group_security_rule" "cilium_health" {
 for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
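Review bot: The `cilium_vxvlan_out` rule and the VXLAN `source_port_range` block are commented out rather than deleted, leaving roughly twenty-five lines of dead HCL that will drift from the live `cilium_vxvlan_in` rule; git history already preserves them, so removing them outright reads cleaner. With `stateless = false` the OCI connection tracking now admits the reply direction, but a node that initiates a tunnel to a peer still needs an egress allow for UDP/8472, so the egress rule is only redundant if another NSG attached to the same VNIC (for example the talos group) already permits that outbound traffic — worth confirming before the commented block is dropped. Removing the source-port constraint widens the match to any source port; that is presumably because the Linux VXLAN sender picks a varying source port for flow hashing, and a comment next to `stateless = false` such as `# stateful, any source port: VXLAN senders use ephemeral source ports for ECMP hashing` would record the reason for the next reader.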
@@ -270,12 +270,44 @@ resource "oci_core_network_security_group_security_rule" "contolplane_etcd" {
 }
 }
 }
+resource "oci_core_network_security_group_security_rule" "contolplane_kubelet" {
+ for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
+
+ network_security_group_id = oci_core_network_security_group.contolplane.id
+ protocol = "6"
+ direction = "INGRESS"
+ source = each.value
+ stateless = false
+
+ tcp_options {
+ destination_port_range {
+ min = 10250
+ max = 10250
+ }
+ }
+}
 resource "oci_core_network_security_group" "web" {
 display_name = "${var.project}-web"
 compartment_id = var.compartment_ocid
 vcn_id = oci_core_vcn.main.id
 }
+resource "oci_core_network_security_group_security_rule" "web_kubelet" {
+ for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
+
+ network_security_group_id = oci_core_network_security_group.web.id
+ protocol = "6"
+ direction = "INGRESS"
+ source = each.value
+ stateless = false
+
+ tcp_options {
+ destination_port_range {
+ min = 10250
+ max = 10250
+ }
+ }
+}
 resource "oci_core_network_security_group_security_rule" "web_http_health_check" {
 for_each = toset([oci_core_vcn.main.cidr_block])
@@ -340,3 +372,25 @@ resource "oci_core_network_security_group_security_rule" "web_https" {
 }
 }
 }
+
+resource "oci_core_network_security_group" "worker" {
+ display_name = "${var.project}-worker"
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.main.id
+}
+resource "oci_core_network_security_group_security_rule" "worker_kubelet" {
+ for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
+
+ network_security_group_id = oci_core_network_security_group.worker.id
+ protocol = "6"
+ direction = "INGRESS"
+ source = each.value
+ stateless = false
+
+ tcp_options {
+ destination_port_range {
+ min = 10250
+ max = 10250
+ }
+ }
+}
diff --git a/oracle/prepare/output.tf b/oracle/prepare/output.tf
index 665b4e0..f746fe9 100644
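Review bot: `contolplane_kubelet`, `web_kubelet` and `worker_kubelet` (the last one in the second hunk of this file) are three copies of the same rule that differ only in `network_security_group_id`, so a port or source change has to be made three times; a single resource with `for_each` over `setproduct([<the three NSG ids>], [oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])`, keyed by NSG and CIDR, would keep them in lockstep. Each rule opens TCP/10250 to every address in the VCN's IPv4 CIDR and its first IPv6 CIDR, and nothing in the diff says who the callers are; a `description` on each rule, e.g. `description = "kubelet API (10250) from in-VCN callers"`, would document the intent for whoever audits these NSGs later. If the kubelet is only ever reached from the control-plane nodes, narrowing `source` to the control-plane subnet would be the least-privilege form — hedged, since the subnet layout is not in this diff.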
--- a/oracle/prepare/output.tf
+++ b/oracle/prepare/output.tf
@@ -83,3 +83,7 @@ output "nsg_web" {
 description = "The web Network Security Groups"
 value = oci_core_network_security_group.web.id
 }
+output "nsg_worker" {
+ description = "The worker Network Security Groups"
+ value = oci_core_network_security_group.worker.id
+}
diff --git a/oracle/variables.tf b/oracle/variables.tf
index 0209fdd..d4c6d40 100644
--- a/oracle/variables.tf
+++ b/oracle/variables.tf
@@ -37,6 +37,7 @@ locals {
 nsg_contolplane_lb = data.terraform_remote_state.prepare.outputs.nsg_contolplane_lb
 nsg_contolplane = data.terraform_remote_state.prepare.outputs.nsg_contolplane
 nsg_web = data.terraform_remote_state.prepare.outputs.nsg_web
+ nsg_worker = data.terraform_remote_state.prepare.outputs.nsg_worker
 nsg_cilium = data.terraform_remote_state.prepare.outputs.nsg_cilium
 nsg_talos = data.terraform_remote_state.prepare.outputs.nsg_talos
 }