Working Bastion with ELB - now time to start on the k8s API :) :) :)

upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml

@@ -26,49 +26,87 @@ securityGroup/bastion.{{ ClusterName }}:
   removeExtraRules:
   - port=22
 
-# ---------------------------------------------------------------
-# Security Group Rule - All Egress
-#
-# Open the bastion to all outbound traffic
-# ---------------------------------------------------------------
 securityGroupRule/bastion-egress:
   securityGroup: securityGroup/nodes.{{ ClusterName }}
   egress: true
   cidr: 0.0.0.0/0
 
-
-# ---------------------------------------------------------------
-# Security Group Rule - 22 TCP
-#
-# Open up to/from 22 TCP for admin CIDRs
-# ---------------------------------------------------------------
-{{ range $index, $cidr := AdminCIDR }}
-securityGroupRule/ssh-external-to-bastion-{{ $index }}:
-  securityGroup: securityGroup/bastion.{{ ClusterName }}
-  cidr: {{ $cidr }}
-  protocol: tcp
-  fromPort: 22
-  toPort: 22
-{{ end }}
-
-# ---------------------------------------------------------------
-# Security Group Rule - Nodes to Bastion
-#
-# Open up traffic from the k8s nodes to the bastion
-# ---------------------------------------------------------------
 securityGroupRule/all-node-to-bastion:
   securityGroup: securityGroup/bastion.{{ ClusterName }}
   sourceGroup: securityGroup/nodes.{{ ClusterName }}
 
-# ---------------------------------------------------------------
-# Security Group Rule - Masters to Bastion
-#
-# Open up traffic from the k8s master(s) to the bastion
-# ---------------------------------------------------------------
 securityGroupRule/all-master-to-bastion:
   securityGroup: securityGroup/bastion.{{ ClusterName }}
   sourceGroup: securityGroup/masters.{{ ClusterName }}
 
+securityGroupRule/ssh-external-to-bastion:
+  securityGroup: securityGroup/bastion.{{ ClusterName }}
+  sourceGroup: securityGroup/bastion-elb.{{ ClusterName }}
+  protocol: tcp
+  fromPort: 22
+  toPort: 22
+
+
+# ---------------------------------------------------------------
+# Bastion ELB Security Group
+#
+# The security group that the bastion lives in
+# ---------------------------------------------------------------
+securityGroup/bastion-elb.{{ ClusterName }}:
+  vpc: vpc/{{ ClusterName }}
+  description: 'Security group for bastion ELB'
+  removeExtraRules:
+  - port=22
+
+securityGroupRule/bastion-elb-egress:
+  securityGroup: securityGroup/bastion-elb.{{ ClusterName }}
+  egress: true
+  cidr: 0.0.0.0/0
+
+securityGroupRule/ssh-external-to-bastion-elb:
+  securityGroup: securityGroup/bastion-elb.{{ ClusterName }}
+  cidr:  0.0.0.0/0
+  protocol: tcp
+  fromPort: 22
+  toPort: 22
+
+
+# ---------------------------------------------------------------
+# Public Facing ELBs
+#
+# Our two public endpoints for the cluster
+# ---------------------------------------------------------------
+loadBalancer/bastion.{{ ClusterName }}:
+  id: bastion
+  securityGroups:
+    - securityGroup/bastion-elb.{{ ClusterName }}
+  subnets:
+  {{ range $zone := .Zones }}
+    - subnet/utility-{{ $zone.Name }}.{{ ClusterName }}
+  {{ end }}
+  listeners:
+    22: { instancePort: 22 }
+
+loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}:
+  loadBalancer: loadBalancer/bastion.{{ ClusterName }}
+  instance: instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}
+
+loadBalancer/api.{{ ClusterName }}:
+  id: api
+  securityGroups:
+    - securityGroup/api-elb.{{ ClusterName }}
+  subnets:
+  {{ range $zone := .Zones }}
+    - subnet/utility-{{ $zone.Name }}.{{ ClusterName }}
+  {{ end }}
+  listeners:
+    443: { instancePort: 443 }
+
+{{ range $m := Masters }}
+loadBalancerAttachment/bastion-elb-attachment.{{ ClusterName }}:
+  loadBalancer: loadBalancer/bastion.{{ ClusterName }}
+  autoscalingGroup: autoscalingGroup/{{ $m.Name }}.masters.{{ ClusterName }}
+{{ end }}
 
 # ---------------------------------------------------------------
 # Instance - The Bastion itself
@@ -77,17 +115,42 @@ securityGroupRule/all-master-to-bastion:
 # we probably want to abstract this out in a later feature.
 # ---------------------------------------------------------------
 instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}:
-  subnet: subnet/utility-{{ GetBastionZone }}.{{ ClusterName }}
+  subnet: subnet/private-{{ GetBastionZone }}.{{ ClusterName }}
   imageId: {{ GetBastionImageId }}
   InstanceType: t2.small
   SSHKey: sshKey/{{ SSHKeyName }}
   securityGroups:
     - securityGroup/bastion.{{ ClusterName }}
-  AssociatePublicIP: true
+  AssociatePublicIP: false
   name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
   tags:
     Name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
     KubernetesCluster: {{ ClusterName }}
 
 
+
+
+
+
+# Kris TODO - Move this out and into a different yaml file
+securityGroup/api-elb.{{ ClusterName }}:
+  vpc: vpc/{{ ClusterName }}
+  description: 'Security group for api ELB'
+  removeExtraRules:
+  - port=22
+
+securityGroupRule/api-elb-egress:
+  securityGroup: securityGroup/api-elb.{{ ClusterName }}
+  egress: true
+  cidr: 0.0.0.0/0
+
+securityGroupRule/https-api-elb:
+  securityGroup: securityGroup/api-elb.{{ ClusterName }}
+  cidr:  0.0.0.0/0
+  protocol: tcp
+  fromPort: 443
+  toPort: 443
+
+
+
 {{ end }}

upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml

@@ -27,14 +27,14 @@ securityGroupRule/node-egress:
   cidr: 0.0.0.0/0
 
 # SSH is open to CIDRs defined in the cluster configuration
-{{ range $index, $cidr := AdminCIDR }}
+#{{ range $index, $cidr := AdminCIDR }}
-securityGroupRule/ssh-external-to-node-{{ $index }}:
+#securityGroupRule/ssh-external-to-node-{{ $index }}:
-  securityGroup: securityGroup/nodes.{{ ClusterName }}
+#  securityGroup: securityGroup/nodes.{{ ClusterName }}
-  cidr: {{ $cidr }}
+#  cidr: {{ $cidr }}
-  protocol: tcp
+#  protocol: tcp
-  fromPort: 22
+#  fromPort: 22
-  toPort: 22
+#  toPort: 22
-{{ end }}
+#{{ end }}
 
 # Nodes can talk to nodes
 securityGroupRule/all-node-to-node:

upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go

@@ -24,11 +24,15 @@ import (
 	"github.com/golang/glog"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	"github.com/aws/aws-sdk-go/service/elb"
 )
 
 type LoadBalancerAttachment struct {
 	LoadBalancer     *LoadBalancer
+
+	// LoadBalancerAttachments now support ASGs or direct instances
 	AutoscalingGroup *AutoscalingGroup
+	Instance *Instance
 }
 
 func (e *LoadBalancerAttachment) String() string {
@@ -38,7 +42,18 @@ func (e *LoadBalancerAttachment) String() string {
 func (e *LoadBalancerAttachment) Find(c *fi.Context) (*LoadBalancerAttachment, error) {
 	cloud := c.Cloud.(awsup.AWSCloud)
 
-	if e.AutoscalingGroup != nil {
+	// Instance only
+	if e.Instance != nil && e.AutoscalingGroup == nil {
+		i, err := e.Instance.Find(c)
+		if err != nil {
+			return nil, fmt.Errorf("unable to find instance: %v", err)
+		}
+		actual := &LoadBalancerAttachment{}
+		actual.LoadBalancer = e.LoadBalancer
+		actual.Instance = i
+		return actual, nil
+	// ASG only
+	}else if e.AutoscalingGroup != nil && e.Instance == nil {
 		g, err := findAutoscalingGroup(cloud, *e.AutoscalingGroup.Name)
 		if err != nil {
 			return nil, err
@@ -57,6 +72,9 @@ func (e *LoadBalancerAttachment) Find(c *fi.Context) (*LoadBalancerAttachment, e
 			actual.AutoscalingGroup = e.AutoscalingGroup
 			return actual, nil
 		}
+	}else{
+	// Invalid request
+		return nil, fmt.Errorf("Must specify either an instance or an ASG")
 	}
 
 	return nil, nil
@@ -79,16 +97,29 @@ func (s *LoadBalancerAttachment) CheckChanges(a, e, changes *LoadBalancerAttachm
 }
 
 func (_ *LoadBalancerAttachment) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *LoadBalancerAttachment) error {
+
+	if e.AutoscalingGroup != nil && e.Instance == nil {
 		request := &autoscaling.AttachLoadBalancersInput{}
 		request.AutoScalingGroupName = e.AutoscalingGroup.Name
 		request.LoadBalancerNames = []*string{e.LoadBalancer.ID}
-
 		glog.V(2).Infof("Attaching autoscaling group %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
-
 		_, err := t.Cloud.Autoscaling().AttachLoadBalancers(request)
 		if err != nil {
 			return fmt.Errorf("error attaching autoscaling group to ELB: %v", err)
 		}
-
+	}else if e.AutoscalingGroup == nil && e.Instance != nil {
+		request := &elb.RegisterInstancesWithLoadBalancerInput{}
+		var instances []*elb.Instance
+		i := &elb.Instance{
+			InstanceId: e.Instance.ID,
+		}
+		instances = append(instances, i)
+		request.Instances = instances
+		_, err := t.Cloud.ELB().RegisterInstancesWithLoadBalancer(request)
+		glog.V(2).Infof("Attaching instance %q to ELB %q", *e.AutoscalingGroup.Name, *e.LoadBalancer.Name)
+		if err != nil {
+			return fmt.Errorf("error attaching instance to ELB: %v", err)
+		}
+	}
 	return nil
 }