diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml index d203be4c0e..d8c2c3333d 100644 --- a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml +++ b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml 
@@ -26,49 +26,87 @@ securityGroup/bastion.{{ ClusterName }}: removeExtraRules: - port=22 -# --------------------------------------------------------------- -# Security Group Rule - All Egress -# -# Open the bastion to all outbound traffic -# --------------------------------------------------------------- securityGroupRule/bastion-egress: securityGroup: securityGroup/nodes.{{ ClusterName }} egress: true cidr: 0.0.0.0/0 - -# --------------------------------------------------------------- -# Security Group Rule - 22 TCP -# -# Open up to/from 22 TCP for admin CIDRs -# --------------------------------------------------------------- -{{ range $index, $cidr := AdminCIDR }} -securityGroupRule/ssh-external-to-bastion-{{ $index }}: - securityGroup: securityGroup/bastion.{{ ClusterName }} - cidr: {{ $cidr }} - protocol: tcp - fromPort: 22 - toPort: 22 -{{ end }} - -# --------------------------------------------------------------- -# Security Group Rule - Nodes to Bastion -# -# Open up traffic from the k8s nodes to the bastion -# --------------------------------------------------------------- securityGroupRule/all-node-to-bastion: securityGroup: securityGroup/bastion.{{ ClusterName }} sourceGroup: securityGroup/nodes.{{ ClusterName }} -# --------------------------------------------------------------- -# Security Group Rule - Masters to Bastion -# -# Open up traffic from the k8s master(s) to the bastion -# --------------------------------------------------------------- securityGroupRule/all-master-to-bastion: securityGroup: securityGroup/bastion.{{ ClusterName }} sourceGroup: securityGroup/masters.{{ ClusterName }} +securityGroupRule/ssh-external-to-bastion: + securityGroup: securityGroup/bastion.{{ ClusterName }} + sourceGroup: securityGroup/bastion-elb.{{ ClusterName }} + protocol: tcp + fromPort: 22 + toPort: 22 + + +# --------------------------------------------------------------- +# Bastion ELB Security Group +# +# The security group that the bastion lives in +# 
--------------------------------------------------------------- +securityGroup/bastion-elb.{{ ClusterName }}: + vpc: vpc/{{ ClusterName }} + description: 'Security group for bastion ELB' + removeExtraRules: + - port=22 + +securityGroupRule/bastion-elb-egress: + securityGroup: securityGroup/bastion-elb.{{ ClusterName }} + egress: true + cidr: 0.0.0.0/0 + +securityGroupRule/ssh-external-to-bastion-elb: + securityGroup: securityGroup/bastion-elb.{{ ClusterName }} + cidr: 0.0.0.0/0 + protocol: tcp + fromPort: 22 + toPort: 22 + + +# --------------------------------------------------------------- +# Public Facing ELBs +# +# Our two public endpoints for the cluster +# --------------------------------------------------------------- +loadBalancer/bastion.{{ ClusterName }}: + id: bastion + securityGroups: + - securityGroup/bastion-elb.{{ ClusterName }} + subnets: + {{ range $zone := .Zones }} + - subnet/utility-{{ $zone.Name }}.{{ ClusterName }} + {{ end }} + listeners: + 22: { instancePort: 22 } + +loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}: + loadBalancer: loadBalancer/bastion.{{ ClusterName }} + instance: instance/bastion-{{ GetBastionZone }}.{{ ClusterName }} + +loadBalancer/api.{{ ClusterName }}: + id: api + securityGroups: + - securityGroup/api-elb.{{ ClusterName }} + subnets: + {{ range $zone := .Zones }} + - subnet/utility-{{ $zone.Name }}.{{ ClusterName }} + {{ end }} + listeners: + 443: { instancePort: 443 } + +{{ range $m := Masters }} +loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}: + loadBalancer: loadBalancer/bastion.{{ ClusterName }} + autoscalingGroup: autoscalingGroup/{{ $m.Name }}.masters.{{ ClusterName }} +{{ end }} # --------------------------------------------------------------- # Instance - The Bastion itself 
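Review bot: `securityGroupRule/ssh-external-to-bastion-elb` opens port 22 on the new bastion ELB security group to `cidr: 0.0.0.0/0`, whereas the rules it replaces (the removed `{{ range $index, $cidr := AdminCIDR }}` loop on the bastion group) limited SSH to the admin CIDRs; putting the bastion behind an ELB does not require dropping that restriction, so the ELB rule should keep the loop, `{{ range $index, $cidr := AdminCIDR }}` / `securityGroupRule/ssh-external-to-bastion-elb-{{ $index }}:` with `cidr: {{ $cidr }}`. Separately, the `{{ range $m := Masters }}` block at the end of the hunk re-declares `loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}` (the same key already used for the bastion instance attachment) and points the master ASGs at `loadBalancer/bastion.{{ ClusterName }}` rather than `loadBalancer/api.{{ ClusterName }}`, which looks like a copy-paste slip; a per-master key such as `loadBalancerAttachment/api-elb-attachment-{{ $m.Name }}.{{ ClusterName }}` with `loadBalancer: loadBalancer/api.{{ ClusterName }}` appears to be what was intended. The header comment above `securityGroup/bastion-elb` ("The security group that the bastion lives in") was copied from the bastion group and now describes the wrong resource.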
@@ -77,17 +115,42 @@ securityGroupRule/all-master-to-bastion: # we probably want to abstract this out in a later feature. # --------------------------------------------------------------- instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}: - subnet: subnet/utility-{{ GetBastionZone }}.{{ ClusterName }} + subnet: subnet/private-{{ GetBastionZone }}.{{ ClusterName }} imageId: {{ GetBastionImageId }} InstanceType: t2.small SSHKey: sshKey/{{ SSHKeyName }} securityGroups: - securityGroup/bastion.{{ ClusterName }} - AssociatePublicIP: true + AssociatePublicIP: false name: bastion-{{ GetBastionZone }}.{{ ClusterName }} tags: Name: bastion-{{ GetBastionZone }}.{{ ClusterName }} KubernetesCluster: {{ ClusterName }} + + + + +# Kris TODO - Move this out and into a different yaml file +securityGroup/api-elb.{{ ClusterName }}: + vpc: vpc/{{ ClusterName }} + description: 'Security group for api ELB' + removeExtraRules: + - port=22 + +securityGroupRule/api-elb-egress: + securityGroup: securityGroup/api-elb.{{ ClusterName }} + egress: true + cidr: 0.0.0.0/0 + +securityGroupRule/https-api-elb: + securityGroup: securityGroup/api-elb.{{ ClusterName }} + cidr: 0.0.0.0/0 + protocol: tcp + fromPort: 443 + toPort: 443 + + + {{ end }} diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml index 01f58de73f..9b83fe920c 100644 --- a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml +++ b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml 
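Review bot: `securityGroup/api-elb.{{ ClusterName }}` carries `removeExtraRules: - port=22`, copied from the bastion groups, although the only ingress it declares is `securityGroupRule/https-api-elb` on 443; if `removeExtraRules` prunes unmanaged rules for the listed port (as its use on the bastion groups suggests), stray 443 rules on this group would never be reconciled while 22 would, so it should read `- port=443`. The same group admits 443 from `cidr: 0.0.0.0/0`; that may be intended for a public API endpoint, but a one-line comment saying so is warranted now that the bastion itself is being moved to `subnet/private-...` with `AssociatePublicIP: false`. The `# Kris TODO` marker and the run of blank lines above it would read better as a single comment naming the file the api-elb resources are meant to move to.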
@@ -27,14 +27,14 @@ securityGroupRule/node-egress:
 cidr: 0.0.0.0/0
 
 # SSH is open to CIDRs defined in the cluster configuration
-{{ range $index, $cidr := AdminCIDR }}
-securityGroupRule/ssh-external-to-node-{{ $index }}:
- securityGroup: securityGroup/nodes.{{ ClusterName }}
- cidr: {{ $cidr }}
- protocol: tcp
- fromPort: 22
- toPort: 22
-{{ end }}
+#{{ range $index, $cidr := AdminCIDR }}
+#securityGroupRule/ssh-external-to-node-{{ $index }}:
+# securityGroup: securityGroup/nodes.{{ ClusterName }}
+# cidr: {{ $cidr }}
+# protocol: tcp
+# fromPort: 22
+# toPort: 22
+#{{ end }}
 
 # Nodes can talk to nodes
 securityGroupRule/all-node-to-node:
diff --git a/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go b/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
index cf5151c1ab..e0dfbc0ba4 100644
--- a/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
+++ b/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
@@ -24,11 +24,15 @@ import (
 "github.com/golang/glog"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+ "github.com/aws/aws-sdk-go/service/elb"
 )
 
 type LoadBalancerAttachment struct {
 LoadBalancer *LoadBalancer
+
+ // LoadBalancerAttachments now support ASGs or direct instances
 AutoscalingGroup *AutoscalingGroup
+ Instance *Instance
 }
 
 func (e *LoadBalancerAttachment) String() string {
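Review bot: The context comment `# SSH is open to CIDRs defined in the cluster configuration` is now false, because the rules beneath it are commented out rather than removed; either delete the eight `#`-prefixed template lines and replace the comment with `# SSH to nodes is not opened externally in the private topology; nodes are reached via the bastion`, or, if the block is expected to return, say so in the comment. Template syntax left inside YAML comments also hides this former `AdminCIDR` consumer from anyone auditing where the admin CIDRs are applied.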
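Review bot: The new `Instance *Instance` field and the comment above `AutoscalingGroup` do not state the contract that `Find` and `RenderAWS` enforce further down, namely that exactly one of the two must be set; a doc comment on the type such as `// LoadBalancerAttachment attaches either an AutoscalingGroup or a single Instance to LoadBalancer; exactly one of the two must be set.` would make that explicit where callers look first. The added `"github.com/aws/aws-sdk-go/service/elb"` import is placed after the `k8s.io/kops` imports instead of with the other third-party imports, which `goimports` would reorder.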
@@ -38,7 +42,18 @@ func (e *LoadBalancerAttachment) String() string {
 func (e *LoadBalancerAttachment) Find(c *fi.Context) (*LoadBalancerAttachment, error) {
 cloud := c.Cloud.(awsup.AWSCloud)
 
- if e.AutoscalingGroup != nil {
+ // Instance only
+ if e.Instance != nil && e.AutoscalingGroup == nil {
+ i, err := e.Instance.Find(c)
+ if err != nil {
+ return nil, fmt.Errorf("unable to find instance: %v", err)
+ }
+ actual := &LoadBalancerAttachment{}
+ actual.LoadBalancer = e.LoadBalancer
+ actual.Instance = i
+ return actual, nil
+ // ASG only
+ }else if e.AutoscalingGroup != nil && e.Instance == nil {
 g, err := findAutoscalingGroup(cloud, *e.AutoscalingGroup.Name)
 if err != nil {
 return nil, err
@@ -57,6 +72,9 @@ func (e *LoadBalancerAttachment) Find(c *fi.Context) (*LoadBalancerAttachment, e
 actual.AutoscalingGroup = e.AutoscalingGroup
 return actual, nil
 }
+ }else{
+ // Invalid request
+ return nil, fmt.Errorf("Must specify either an instance or an ASG")
 }
 return nil, nil
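Review bot: The instance-only branch of `Find` returns an `actual` as soon as `e.Instance.Find(c)` succeeds, without asking the ELB whether the instance is actually registered, whereas the ASG branch looks up the group before building `actual`; if the task framework treats an `actual` with no differing fields as already applied, a bastion that exists but was never registered would never be attached. The branch should consult the load balancer's registered instances (for example `DescribeLoadBalancers` on the ELB client, whose descriptions list `Instances`) and return `nil, nil` when the instance is not among them. Both new arms in this hunk and the `}else{` in the next one are written without spaces, which `gofmt` rewrites as `} else if` / `} else {`. The body of `Find` continues outside this hunk.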
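Review bot: The `}else{` arm makes a task with both or neither of `AutoscalingGroup` and `Instance` set fail inside `Find`, so the misconfiguration surfaces at lookup time rather than at validation; `CheckChanges` (outside this hunk) is where the existing code validates the task and is the natural home for this check. The message `"Must specify either an instance or an ASG"` should also be lowercase and name the fields, e.g. `fmt.Errorf("exactly one of Instance or AutoscalingGroup must be set")`. The enclosing `Find` starts outside this hunk.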
@@ -79,16 +97,29 @@ func (s *LoadBalancerAttachment) CheckChanges(a, e, changes *LoadBalancerAttachm
 }
 
 func (_ *LoadBalancerAttachment) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *LoadBalancerAttachment) error {
- request := &autoscaling.AttachLoadBalancersInput{}
- request.AutoScalingGroupName = e.AutoscalingGroup.Name
- request.LoadBalancerNames = []*string{e.LoadBalancer.ID}
- glog.V(2).Infof("Attaching autoscaling group %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
-
- _, err := t.Cloud.Autoscaling().AttachLoadBalancers(request)
- if err != nil {
- return fmt.Errorf("error attaching autoscaling group to ELB: %v", err)
+ if e.AutoscalingGroup != nil && e.Instance == nil {
+ request := &autoscaling.AttachLoadBalancersInput{}
+ request.AutoScalingGroupName = e.AutoscalingGroup.Name
+ request.LoadBalancerNames = []*string{e.LoadBalancer.ID}
+ glog.V(2).Infof("Attaching autoscaling group %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
+ _, err := t.Cloud.Autoscaling().AttachLoadBalancers(request)
+ if err != nil {
+ return fmt.Errorf("error attaching autoscaling group to ELB: %v", err)
+ }
+ }else if e.AutoscalingGroup == nil && e.Instance != nil {
+ request := &elb.RegisterInstancesWithLoadBalancerInput{}
+ var instances []*elb.Instance
+ i := &elb.Instance{
+ InstanceId: e.Instance.ID,
+ }
+ instances = append(instances, i)
+ request.Instances = instances
+ _, err := t.Cloud.ELB().RegisterInstancesWithLoadBalancer(request)
+ glog.V(2).Infof("Attaching instance %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
+ if err != nil {
+ return fmt.Errorf("error attaching instance to ELB: %v", err)
+ }
 }
-
 return nil
 }
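Review bot: The instance branch of `RenderAWS` logs `*e.AutoscalingGroup.Name` even though the branch is only entered when `e.AutoscalingGroup == nil`, so every instance attachment panics on a nil-pointer dereference right after the API call; the log should use the instance's own ID and come before the call, as the ASG branch does. The `RegisterInstancesWithLoadBalancerInput` is also built without `LoadBalancerName`, so even without the panic the request never names the ELB (the ASG branch passes `e.LoadBalancer.ID` for this), and the `err` from `RegisterInstancesWithLoadBalancer` is only checked after the logging line. The rewrite below addresses all three, assuming `e.Instance.ID` is populated once the instance task has run, which `InstanceId: e.Instance.ID` already relies on.
```go
	} else if e.AutoscalingGroup == nil && e.Instance != nil {
		request := &elb.RegisterInstancesWithLoadBalancerInput{
			LoadBalancerName: e.LoadBalancer.ID,
			Instances:        []*elb.Instance{{InstanceId: e.Instance.ID}},
		}
		glog.V(2).Infof("Attaching instance %q to ELB %q", *e.Instance.ID, *e.LoadBalancer.Name)
		if _, err := t.Cloud.ELB().RegisterInstancesWithLoadBalancer(request); err != nil {
			return fmt.Errorf("error attaching instance to ELB: %v", err)
		}
	}
	// … unchanged: autoscaling-group branch above, return nil below …
```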