nsg fixes

Serge Logvinov
2021-12-21 01:01:11 +02:00
parent 0c88c1ac10
commit b7553cb9b2
5 changed files with 84 additions and 26 deletions


@@ -25,7 +25,6 @@ resource "oci_core_instance" "contolplane" {
} }
metadata = { metadata = {
ssh_authorized_keys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDd+wfWIKi1dDZuCsd/zNw2n4WuHHa21N/Ltmo3umH2d local"
user_data = base64encode(templatefile("${path.module}/templates/controlplane.yaml", user_data = base64encode(templatefile("${path.module}/templates/controlplane.yaml",
merge(var.kubernetes, { merge(var.kubernetes, {
name = "contolplane-${count.index + 1}" name = "contolplane-${count.index + 1}"
@@ -38,7 +37,7 @@ resource "oci_core_instance" "contolplane" {
source_details { source_details {
source_type = "image" source_type = "image"
source_id = data.oci_core_images.talos_x64.images[0].id source_id = lookup(var.controlplane, "type", "VM.Standard.E4.Flex") == "VM.Standard.A1.Flex" ? data.oci_core_images.talos_arm.images[0].id : data.oci_core_images.talos_x64.images[0].id
boot_volume_size_in_gbs = "50" boot_volume_size_in_gbs = "50"
} }
create_vnic_details { create_vnic_details {
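Review bot: The new source_id expression selects the ARM image only when controlplane.type is exactly "VM.Standard.A1.Flex", so any other ARM shape silently receives the x64 image and the instance will not boot; the fallback "VM.Standard.E4.Flex" is also repeated here as a literal, presumably duplicating the default on the instance's shape argument outside the hunk, so the two can drift apart. Computing the shape once would make both the condition and the default single-sourced, e.g. `controlplane_shape = lookup(var.controlplane, "type", "VM.Standard.E4.Flex")` in locals and `source_id = can(regex("^VM\\.Standard\\.A1\\.", local.controlplane_shape)) ? data.oci_core_images.talos_arm.images[0].id : data.oci_core_images.talos_x64.images[0].id` here, assuming the Terraform version in use supports `can`/`regex`. A short comment on the line stating that the image architecture must follow the shape would also help the next reader. The resource "contolplane" continues outside this hunk.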


@@ -58,7 +58,7 @@ resource "oci_core_instance_configuration" "workers" {
display_name = "${var.project}-workers" display_name = "${var.project}-workers"
assign_private_dns_record = false assign_private_dns_record = false
assign_public_ip = false assign_public_ip = false
nsg_ids = [local.nsg_talos, local.nsg_cilium] nsg_ids = [local.nsg_talos, local.nsg_cilium, local.nsg_worker]
subnet_id = local.network_private[local.zone].id subnet_id = local.network_private[local.zone].id
} }


@@ -56,39 +56,39 @@ resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_in" {
protocol = "17" protocol = "17"
direction = "INGRESS" direction = "INGRESS"
source = each.value source = each.value
stateless = true stateless = false
udp_options { udp_options {
source_port_range { # source_port_range {
min = 8472 # min = 8472
max = 8472 # max = 8472
} # }
destination_port_range { destination_port_range {
min = 8472 min = 8472
max = 8472 max = 8472
} }
} }
} }
resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" { # resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]]) # for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.cilium.id # network_security_group_id = oci_core_network_security_group.cilium.id
protocol = "17" # protocol = "17"
direction = "EGRESS" # direction = "EGRESS"
destination = each.value # destination = each.value
stateless = true # stateless = true
udp_options { # udp_options {
source_port_range { # source_port_range {
min = 8472 # min = 8472
max = 8472 # max = 8472
} # }
destination_port_range { # destination_port_range {
min = 8472 # min = 8472
max = 8472 # max = 8472
} # }
} # }
} # }
resource "oci_core_network_security_group_security_rule" "cilium_health" { resource "oci_core_network_security_group_security_rule" "cilium_health" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]]) for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
@@ -270,12 +270,44 @@ resource "oci_core_network_security_group_security_rule" "contolplane_etcd" {
} }
} }
} }
resource "oci_core_network_security_group_security_rule" "contolplane_kubelet" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.contolplane.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 10250
max = 10250
}
}
}
resource "oci_core_network_security_group" "web" { resource "oci_core_network_security_group" "web" {
display_name = "${var.project}-web" display_name = "${var.project}-web"
compartment_id = var.compartment_ocid compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id vcn_id = oci_core_vcn.main.id
} }
resource "oci_core_network_security_group_security_rule" "web_kubelet" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.web.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 10250
max = 10250
}
}
}
resource "oci_core_network_security_group_security_rule" "web_http_health_check" { resource "oci_core_network_security_group_security_rule" "web_http_health_check" {
for_each = toset([oci_core_vcn.main.cidr_block]) for_each = toset([oci_core_vcn.main.cidr_block])
@@ -340,3 +372,25 @@ resource "oci_core_network_security_group_security_rule" "web_https" {
} }
} }
} }
resource "oci_core_network_security_group" "worker" {
display_name = "${var.project}-worker"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "worker_kubelet" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.worker.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 10250
max = 10250
}
}
}
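Review bot: The three new kubelet rules (contolplane_kubelet, web_kubelet, worker_kubelet) admit TCP 10250 from every address in the VCN's IPv4 and IPv6 CIDRs, while the kubelet API's expected client in this layout is the API server on the control-plane nodes, so a host in the web tier or a pod with host networking can reach the kubelet of every node. OCI NSG rules can scope the source to another NSG (`source_type = "NETWORK_SECURITY_GROUP"` with the NSG OCID as `source`), which keeps the 10250 exposure to the control-plane group; unless something running on the workers (a metrics scraper, for example) also needs 10250, the worker and web rules could be written as below, and since the three bodies are otherwise identical they could share one resource with `for_each` over a map of NSG ids. Separately, the first hunk leaves the whole cilium_vxvlan_out resource and the source_port_range block as commented-out code; git keeps the history, so delete them and leave a one-line comment saying why the egress rule is no longer needed. With cilium_vxvlan_in now stateful the reply traffic is tracked, but node-initiated VXLAN egress on UDP 8472 still needs an egress rule unless one elsewhere in the file already covers it.
```hcl
resource "oci_core_network_security_group_security_rule" "worker_kubelet" {
  network_security_group_id = oci_core_network_security_group.worker.id
  protocol                  = "6"
  direction                 = "INGRESS"
  # kubelet API: only the control-plane nodes (API server) need to reach it
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.contolplane.id
  stateless                 = false
  # … unchanged: tcp_options block with destination_port_range 10250 …
}
```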


@@ -83,3 +83,7 @@ output "nsg_web" {
description = "The web Network Security Groups" description = "The web Network Security Groups"
value = oci_core_network_security_group.web.id value = oci_core_network_security_group.web.id
} }
output "nsg_worker" {
description = "The worker Network Security Groups"
value = oci_core_network_security_group.worker.id
}


@@ -37,6 +37,7 @@ locals {
nsg_contolplane_lb = data.terraform_remote_state.prepare.outputs.nsg_contolplane_lb nsg_contolplane_lb = data.terraform_remote_state.prepare.outputs.nsg_contolplane_lb
nsg_contolplane = data.terraform_remote_state.prepare.outputs.nsg_contolplane nsg_contolplane = data.terraform_remote_state.prepare.outputs.nsg_contolplane
nsg_web = data.terraform_remote_state.prepare.outputs.nsg_web nsg_web = data.terraform_remote_state.prepare.outputs.nsg_web
nsg_worker = data.terraform_remote_state.prepare.outputs.nsg_worker
nsg_cilium = data.terraform_remote_state.prepare.outputs.nsg_cilium nsg_cilium = data.terraform_remote_state.prepare.outputs.nsg_cilium
nsg_talos = data.terraform_remote_state.prepare.outputs.nsg_talos nsg_talos = data.terraform_remote_state.prepare.outputs.nsg_talos
} }
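Review bot: `nsg_worker` reads a remote-state output that exists only once the prepare stage has been applied with the matching change from this commit, so applying this stage first fails with an unsupported-attribute error on `outputs.nsg_worker` rather than a clear message. A one-line comment on the new line, `# requires the prepare stage to be applied first (adds output "nsg_worker")`, would make the apply order explicit. The locals block continues outside this hunk.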