diff --git a/scaleway/Makefile b/scaleway/Makefile
index 20e5d77..24fbcd4 100644
--- a/scaleway/Makefile
+++ b/scaleway/Makefile
@@ -20,7 +20,7 @@ create-templates:
 @echo 'apiDomain: api.cluster.local' >> _cfgs/tfstate.vars
 @yq eval '.cluster.network.dnsDomain' _cfgs/controlplane.yaml | awk '{ print "domain: "$$1}' >> _cfgs/tfstate.vars
 @yq eval '.cluster.clusterName' _cfgs/controlplane.yaml | awk '{ print "clusterName: "$$1}' >> _cfgs/tfstate.vars
- @yq eval '.cluster.id' _cfgs/controlplane.yaml | awk '{ print "clusterId: "$$1}' >> _cfgs/tfstate.vars
+ @yq eval '.cluster.id' _cfgs/controlplane.yaml | awk '{ print "clusterID: "$$1}' >> _cfgs/tfstate.vars
 @yq eval '.cluster.secret' _cfgs/controlplane.yaml | awk '{ print "clusterSecret: "$$1}'>> _cfgs/tfstate.vars
 @yq eval '.machine.token' _cfgs/controlplane.yaml | awk '{ print "tokenMachine: "$$1}' >> _cfgs/tfstate.vars
 @yq eval '.machine.ca.crt' _cfgs/controlplane.yaml | awk '{ print "caMachine: "$$1}' >> _cfgs/tfstate.vars
diff --git a/scaleway/README.md b/scaleway/README.md
index 447d0e0..85d0076 100644
--- a/scaleway/README.md
+++ b/scaleway/README.md
@@ -9,7 +9,7 @@ Local utilities
 
 ## Kubernetes addons
 
-* [cilium](https://github.com/cilium/cilium) 1.10.0
+* [cilium](https://github.com/cilium/cilium) 1.11.1
 * [kubelet-serving-cert-approver](https://github.com/alex1989hu/kubelet-serving-cert-approver)
 * [metrics-server](https://github.com/kubernetes-sigs/metrics-server) 0.5.0
 * [rancher.io/local-path](https://github.com/rancher/local-path-provisioner) 0.0.19
@@ -32,6 +32,13 @@ controlplane = {
 count = 1,
 type = "DEV1-S"
 }
+
+instances = {
+ web_count = 1,
+ web_instance_type = "DEV1-S",
+ worker_count = 1,
+ worker_instance_type = "DEV1-S",
+}
 ```
 
 And deploy the kubernetes master nodes
diff --git a/scaleway/instances-web.tf b/scaleway/instances-web.tf
index 44eb7ad..824355d 100644
--- a/scaleway/instances-web.tf
+++ b/scaleway/instances-web.tf
@@ -8,6 +8,7 @@ resource "scaleway_instance_server" "web" {
 type = lookup(var.instances, "web_instance_type", "DEV1-M")
 enable_ipv6 = true
 enable_dynamic_ip = true
+ security_group_id = scaleway_instance_security_group.web.id
 tags = concat(var.tags, ["web"])
 
 private_network {
diff --git a/scaleway/network-secgroup.tf b/scaleway/network-secgroup.tf
index 4255fa9..da97921 100644
--- a/scaleway/network-secgroup.tf
+++ b/scaleway/network-secgroup.tf
@@ -5,7 +5,7 @@ resource "scaleway_instance_security_group" "controlplane" {
 outbound_default_policy = "accept"
 
 dynamic "inbound_rule" {
- for_each = ["50000", "50001", "6443", "2379", "2380"]
+ for_each = ["50000", "6443", "2379", "2380"]
 
 content {
 action = "accept"
@@ -15,7 +15,7 @@ resource "scaleway_instance_security_group" "controlplane" {
 }
 
 dynamic "inbound_rule" {
- for_each = ["50000", "50001", "6443"]
+ for_each = ["50000", "6443"]
 
 content {
 action = "accept"
@@ -25,8 +25,33 @@ resource "scaleway_instance_security_group" "controlplane" {
 }
 }
 
+ inbound_rule {
+ action = "accept"
+ protocol = "ANY"
+ ip_range = local.main_subnet
+ }
+
+ # KubeSpan
+ inbound_rule {
+ action = "accept"
+ protocol = "UDP"
+ port = 51820
+ }
+ inbound_rule {
+ action = "accept"
+ protocol = "UDP"
+ port = 51820
+ ip_range = "::/0"
+ }
+}
+
+resource "scaleway_instance_security_group" "web" {
+ name = "web"
+ inbound_default_policy = "drop"
+ outbound_default_policy = "accept"
+
 dynamic "inbound_rule" {
- for_each = ["10250"]
+ for_each = ["80", "443"]
 
 content {
 action = "accept"
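Review bot: The added `security_group_id = scaleway_instance_security_group.web.id` line puts the web servers behind a group whose `inbound_default_policy` is `"drop"`, so only the rules listed in that group are reachable from the public side, and the context line `enable_ipv6 = true` means the instance is also advertised on IPv6. In the new web group only the KubeSpan rule carries an explicit `ip_range = "::/0"`; the content block of the 80/443 dynamic rule lies outside the visible hunks, so confirm it (or a sibling rule) also covers IPv6, otherwise the instance's IPv6 address will not serve HTTP while the IPv4 one does. A comment next to the attachment, e.g. `# public ingress is limited to the rules in network-secgroup.tf (web group, default drop)`, would make that dependency visible here. The `scaleway_instance_server.web` resource starts before and continues after this hunk.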
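Review bot: The IPv4 KubeSpan rule added in this hunk (`protocol = "UDP"`, `port = 51820`) omits `ip_range`, so it relies on the provider's default source range, which — unlike its IPv6 twin that states `ip_range = "::/0"` — is not readable from the code; the same pair is repeated for the web and worker groups in the @@ -37 hunk. Making it explicit, `ip_range = "0.0.0.0/0"`, keeps the two rules symmetric and makes the intended exposure reviewable. A one-line comment above the pair, such as `# KubeSpan (WireGuard): reachable from any source; peers are authenticated by key and unauthenticated packets are dropped`, records why an internet-wide UDP rule is acceptable here. The new `protocol = "ANY"` rule for `local.main_subnet` admits every port from the private subnet; a comment naming which services it now carries (the removed 50001 entries above appear to be among them) would explain why the explicit port lists shrank.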
@@ -37,65 +62,45 @@ resource "scaleway_instance_security_group" "controlplane" {
 inbound_rule {
 action = "accept"
- protocol = "UDP"
+ protocol = "ANY"
+ ip_range = local.main_subnet
 }
 
+ # KubeSpan
 inbound_rule {
 action = "accept"
- protocol = "ICMP"
+ protocol = "UDP"
+ port = 51820
+ }
+ inbound_rule {
+ action = "accept"
+ protocol = "UDP"
+ port = 51820
+ ip_range = "::/0"
 }
 }
 
-# resource "scaleway_instance_security_group" "web" {
-# name = "web"
-# inbound_default_policy = "drop"
-# outbound_default_policy = "accept"
+resource "scaleway_instance_security_group" "worker" {
+ name = "worker"
+ inbound_default_policy = "drop"
+ outbound_default_policy = "accept"
 
-# dynamic "inbound_rule" {
-# for_each = ["80", "443"]
+ inbound_rule {
+ action = "accept"
+ protocol = "ANY"
+ ip_range = local.main_subnet
+ }
 
-# content {
-# action = "accept"
-# protocol = "TCP"
-# port = inbound_rule.value
-# }
-# }
-
-# dynamic "inbound_rule" {
-# for_each = ["4240"]
-
-# content {
-# action = "accept"
-# protocol = "TCP"
-# port = inbound_rule.value
-# ip_range = "::/0"
-# }
-# }
-
-# inbound_rule {
-# action = "accept"
-# protocol = "ICMP"
-# }
-# }
-
-# resource "scaleway_instance_security_group" "worker" {
-# name = "worker"
-# inbound_default_policy = "drop"
-# outbound_default_policy = "accept"
-
-# dynamic "inbound_rule" {
-# for_each = ["4240"]
-
-# content {
-# action = "accept"
-# protocol = "TCP"
-# port = inbound_rule.value
-# ip_range = "::/0"
-# }
-# }
-
-# inbound_rule {
-# action = "accept"
-# protocol = "ICMP"
-# }
-# }
+ # KubeSpan
+ inbound_rule {
+ action = "accept"
+ protocol = "UDP"
+ port = 51820
+ }
+ inbound_rule {
+ action = "accept"
+ protocol = "UDP"
+ port = 51820
+ ip_range = "::/0"
+ }
+}
diff --git a/scaleway/templates/controlplane.yaml.tpl b/scaleway/templates/controlplane.yaml.tpl
index 198428b..9e99b84 100644
--- a/scaleway/templates/controlplane.yaml.tpl
+++ b/scaleway/templates/controlplane.yaml.tpl
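Review bot: The controlplane group's `protocol = "ICMP"` accept rule is replaced by the KubeSpan rule and no ICMP rule appears in any of the three groups; with `inbound_default_policy = "drop"` that also drops ICMPv6 on hosts with IPv6 enabled (the web servers set `enable_ipv6 = true` in instances-web.tf), and unless Scaleway exempts neighbour discovery and packet-too-big messages from the group, path-MTU discovery and IPv6 reachability can break — confirm, and if needed restore `inbound_rule { action = "accept" protocol = "ICMP" }` (with an `ip_range = "::/0"` twin) in each group. The new `scaleway_instance_security_group.worker` is not referenced by any instance in this diff, whereas the web group is attached in instances-web.tf; if the worker servers are defined in a file not touched here, confirm they set `security_group_id = scaleway_instance_security_group.worker.id`, otherwise the group is created but never applied. The controlplane resource this hunk edits begins before the hunk.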
@@ -59,6 +59,9 @@ cluster:
 endpoint: https://${ipv4_vip}:6443
 discovery:
 enabled: true
+ registries:
+ service:
+ disabled: true
 network:
 dnsDomain: ${domain}
 podSubnets: ${format("%#v",split(",",podSubnets))}
diff --git a/scaleway/templates/web.yaml.tpl b/scaleway/templates/web.yaml.tpl
index e91877d..fe113b3 100644
--- a/scaleway/templates/web.yaml.tpl
+++ b/scaleway/templates/web.yaml.tpl
@@ -53,6 +53,9 @@ cluster:
 clusterName: ${clusterName}
 discovery:
 enabled: true
+ registries:
+ service:
+ disabled: true
 network:
 dnsDomain: ${domain}
 serviceSubnets: ${format("%#v",split(",",serviceSubnets))}
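Review bot: `registries.service.disabled: true` switches off the hosted Talos discovery registry while `discovery.enabled: true` stays, so KubeSpan peer discovery (the UDP 51820 rules added in network-secgroup.tf rely on it) now depends on the Kubernetes registry remaining enabled; no `registries.kubernetes` key is visible in either template, so confirm it is not disabled elsewhere, and the same applies to the identical hunk in web.yaml.tpl. A short comment above the added key, e.g. `# external discovery service disabled; KubeSpan peers are found through the Kubernetes registry`, would record that dependency for the next reader. Both `cluster:` blocks continue beyond their hunks.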