Working Bastion with ELB - now time to start on the k8s API :) :) :)

2016-11-01 16:52:54 -06:00 · 2016-11-01 16:52:54 -06:00 · 0857ed1732
parent 312621b0d0
commit 0857ed1732
3 changed files with 144 additions and 50 deletions
--- a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
@ -26,49 +26,87 @@ securityGroup/bastion.{{ ClusterName }}:
  removeExtraRules:
  - port=22

-# ---------------------------------------------------------------
-# Security Group Rule - All Egress
-#
-# Open the bastion to all outbound traffic
-# ---------------------------------------------------------------
 securityGroupRule/bastion-egress:
  securityGroup: securityGroup/nodes.{{ ClusterName }}
  egress: true
  cidr: 0.0.0.0/0

-
-# ---------------------------------------------------------------
-# Security Group Rule - 22 TCP
-#
-# Open up to/from 22 TCP for admin CIDRs
-# ---------------------------------------------------------------
-{{ range $index, $cidr := AdminCIDR }}
-securityGroupRule/ssh-external-to-bastion-{{ $index }}:
-  securityGroup: securityGroup/bastion.{{ ClusterName }}
-  cidr: {{ $cidr }}
-  protocol: tcp
-  fromPort: 22
-  toPort: 22
-{{ end }}
-
-# ---------------------------------------------------------------
-# Security Group Rule - Nodes to Bastion
-#
-# Open up traffic from the k8s nodes to the bastion
-# ---------------------------------------------------------------
 securityGroupRule/all-node-to-bastion:
  securityGroup: securityGroup/bastion.{{ ClusterName }}
  sourceGroup: securityGroup/nodes.{{ ClusterName }}

-# ---------------------------------------------------------------
-# Security Group Rule - Masters to Bastion
-#
-# Open up traffic from the k8s master(s) to the bastion
-# ---------------------------------------------------------------
 securityGroupRule/all-master-to-bastion:
  securityGroup: securityGroup/bastion.{{ ClusterName }}
  sourceGroup: securityGroup/masters.{{ ClusterName }}

+securityGroupRule/ssh-external-to-bastion:
+  securityGroup: securityGroup/bastion.{{ ClusterName }}
+  sourceGroup: securityGroup/bastion-elb.{{ ClusterName }}
+  protocol: tcp
+  fromPort: 22
+  toPort: 22
+
+
+# ---------------------------------------------------------------
+# Bastion ELB Security Group
+#
+# The security group that the bastion lives in
+# ---------------------------------------------------------------
+securityGroup/bastion-elb.{{ ClusterName }}:
+  vpc: vpc/{{ ClusterName }}
+  description: 'Security group for bastion ELB'
+  removeExtraRules:
+  - port=22
+
+securityGroupRule/bastion-elb-egress:
+  securityGroup: securityGroup/bastion-elb.{{ ClusterName }}
+  egress: true
+  cidr: 0.0.0.0/0
+
+securityGroupRule/ssh-external-to-bastion-elb:
+  securityGroup: securityGroup/bastion-elb.{{ ClusterName }}
+  cidr:  0.0.0.0/0
+  protocol: tcp
+  fromPort: 22
+  toPort: 22
+
+
+# ---------------------------------------------------------------
+# Public Facing ELBs
+#
+# Our two public endpoints for the cluster
+# ---------------------------------------------------------------
+loadBalancer/bastion.{{ ClusterName }}:
+  id: bastion
+  securityGroups:
+    - securityGroup/bastion-elb.{{ ClusterName }}
+  subnets:
+  {{ range $zone := .Zones }}
+    - subnet/utility-{{ $zone.Name }}.{{ ClusterName }}
+  {{ end }}
+  listeners:
+    22: { instancePort: 22 }
+
+loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}:
+  loadBalancer: loadBalancer/bastion.{{ ClusterName }}
+  instance: instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}
+
+loadBalancer/api.{{ ClusterName }}:
+  id: api
+  securityGroups:
+    - securityGroup/api-elb.{{ ClusterName }}
+  subnets:
+  {{ range $zone := .Zones }}
+    - subnet/utility-{{ $zone.Name }}.{{ ClusterName }}
+  {{ end }}
+  listeners:
+    443: { instancePort: 443 }
+
+{{ range $m := Masters }}
+loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}:
+  loadBalancer: loadBalancer/bastion.{{ ClusterName }}
+  autoscalingGroup: autoscalingGroup/{{ $m.Name }}.masters.{{ ClusterName }}
+{{ end }}

 # ---------------------------------------------------------------
 # Instance - The Bastion itself
@ -77,17 +115,42 @@ securityGroupRule/all-master-to-bastion:
 # we probably want to abstract this out in a later feature.
 # ---------------------------------------------------------------
 instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}:
-  subnet: subnet/utility-{{ GetBastionZone }}.{{ ClusterName }}
+  subnet: subnet/private-{{ GetBastionZone }}.{{ ClusterName }}
  imageId: {{ GetBastionImageId }}
  InstanceType: t2.small
  SSHKey: sshKey/{{ SSHKeyName }}
  securityGroups:
    - securityGroup/bastion.{{ ClusterName }}
-  AssociatePublicIP: true
+  AssociatePublicIP: false
  name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
  tags:
    Name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
    KubernetesCluster: {{ ClusterName }}


+
+
+
+
+# Kris TODO - Move this out and into a different yaml file
+securityGroup/api-elb.{{ ClusterName }}:
+  vpc: vpc/{{ ClusterName }}
+  description: 'Security group for api ELB'
+  removeExtraRules:
+  - port=22
+
+securityGroupRule/api-elb-egress:
+  securityGroup: securityGroup/api-elb.{{ ClusterName }}
+  egress: true
+  cidr: 0.0.0.0/0
+
+securityGroupRule/https-api-elb:
+  securityGroup: securityGroup/api-elb.{{ ClusterName }}
+  cidr:  0.0.0.0/0
+  protocol: tcp
+  fromPort: 443
+  toPort: 443
+
+
+
 {{ end }}
--- a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
@ -27,14 +27,14 @@ securityGroupRule/node-egress:
  cidr: 0.0.0.0/0

 # SSH is open to CIDRs defined in the cluster configuration
-{{ range $index, $cidr := AdminCIDR }}
-securityGroupRule/ssh-external-to-node-{{ $index }}:
-  securityGroup: securityGroup/nodes.{{ ClusterName }}
-  cidr: {{ $cidr }}
-  protocol: tcp
-  fromPort: 22
-  toPort: 22
-{{ end }}
+#{{ range $index, $cidr := AdminCIDR }}
+#securityGroupRule/ssh-external-to-node-{{ $index }}:
+#  securityGroup: securityGroup/nodes.{{ ClusterName }}
+#  cidr: {{ $cidr }}
+#  protocol: tcp
+#  fromPort: 22
+#  toPort: 22
+#{{ end }}

 # Nodes can talk to nodes
 securityGroupRule/all-node-to-node:
--- a/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
+++ b/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
@ -24,11 +24,15 @@ import (
 	"github.com/golang/glog"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	"github.com/aws/aws-sdk-go/service/elb"
 )

 type LoadBalancerAttachment struct {
 	LoadBalancer     *LoadBalancer
+
+	// LoadBalancerAttachments now support ASGs or direct instances
 	AutoscalingGroup *AutoscalingGroup
+	Instance *Instance
 }

 func (e *LoadBalancerAttachment) String() string {
@ -38,7 +42,18 @@ func (e *LoadBalancerAttachment) String() string {
 func (e *LoadBalancerAttachment) Find(c *fi.Context) (*LoadBalancerAttachment, error) {
 	cloud := c.Cloud.(awsup.AWSCloud)

-	if e.AutoscalingGroup != nil {
+	// Instance only
+	if e.Instance != nil && e.AutoscalingGroup == nil {
+		i, err := e.Instance.Find(c)
+		if err != nil {
+			return nil, fmt.Errorf("unable to find instance: %v", err)
+		}
+		actual := &LoadBalancerAttachment{}
+		actual.LoadBalancer = e.LoadBalancer
+		actual.Instance = i
+		return actual, nil
+	// ASG only
+	}else if e.AutoscalingGroup != nil && e.Instance == nil {
 		g, err := findAutoscalingGroup(cloud, *e.AutoscalingGroup.Name)
 		if err != nil {
 			return nil, err
@ -57,6 +72,9 @@ func (e *LoadBalancerAttachment) Find(c *fi.Context) (*LoadBalancerAttachment, e
 			actual.AutoscalingGroup = e.AutoscalingGroup
 			return actual, nil
 		}
+	}else{
+	// Invalid request
+		return nil, fmt.Errorf("Must specify either an instance or an ASG")
 	}

 	return nil, nil
@ -79,16 +97,29 @@ func (s *LoadBalancerAttachment) CheckChanges(a, e, changes *LoadBalancerAttachm
 }

 func (_ *LoadBalancerAttachment) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *LoadBalancerAttachment) error {
-	request := &autoscaling.AttachLoadBalancersInput{}
-	request.AutoScalingGroupName = e.AutoscalingGroup.Name
-	request.LoadBalancerNames = []*string{e.LoadBalancer.ID}

-	glog.V(2).Infof("Attaching autoscaling group %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
-
-	_, err := t.Cloud.Autoscaling().AttachLoadBalancers(request)
-	if err != nil {
-		return fmt.Errorf("error attaching autoscaling group to ELB: %v", err)
+	if e.AutoscalingGroup != nil && e.Instance == nil {
+		request := &autoscaling.AttachLoadBalancersInput{}
+		request.AutoScalingGroupName = e.AutoscalingGroup.Name
+		request.LoadBalancerNames = []*string{e.LoadBalancer.ID}
+		glog.V(2).Infof("Attaching autoscaling group %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
+		_, err := t.Cloud.Autoscaling().AttachLoadBalancers(request)
+		if err != nil {
+			return fmt.Errorf("error attaching autoscaling group to ELB: %v", err)
+		}
+	}else if e.AutoscalingGroup == nil && e.Instance != nil {
+		request := &elb.RegisterInstancesWithLoadBalancerInput{}
+		var instances []*elb.Instance
+		i := &elb.Instance{
+			InstanceId: e.Instance.ID,
+		}
+		instances = append(instances, i)
+		request.Instances = instances
+		_, err := t.Cloud.ELB().RegisterInstancesWithLoadBalancer(request)
+		glog.V(2).Infof("Attaching instance %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
+		if err != nil {
+			return fmt.Errorf("error attaching instance to ELB: %v", err)
+		}
 	}
-
 	return nil
 }