Pushing up some last minute tweaks before asking for help and feedback from testing

2016-10-31 22:43:03 -06:00 · 2016-10-31 22:43:03 -06:00 · 312621b0d0
parent e962f9c5fd
commit 312621b0d0
5 changed files with 71 additions and 19 deletions
--- a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
+++ b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
@ -8,7 +8,12 @@ launchConfiguration/{{ $m.Name }}.masters.{{ ClusterName }}:
  iamInstanceProfile: iamInstanceProfile/masters.{{ ClusterName }}
  imageId: {{ $m.Spec.Image }}
  instanceType: {{ $m.Spec.MachineType }}
+  {{ if IsTopologyPublic }}
  associatePublicIP: {{ WithDefaultBool $m.Spec.AssociatePublicIP true }}
+  {{ end }}
+  {{ if IsTopologyPrivate }}
+  associatePublicIP: false
+  {{ end }}
  userData: resources/nodeup.sh {{ $m.Name }}
  rootVolumeSize: {{ or $m.Spec.RootVolumeSize "20" }}
  rootVolumeType: {{ or $m.Spec.RootVolumeType "gp2" }}
--- a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
@ -1,19 +1,47 @@
 {{ if WithBastion }}
+# ---------------------------------------------------------------
+#
+# Bastion Host for Private Network Topologies in AWS
+#
+# The bastion host will live in one of the utility subnets
+# created in the private topology. The bastion host will have
+# port 22 TCP open to 0.0.0.0/0. And will have internal SSH
+# access to all private subnets.
+#
+# ---------------------------------------------------------------


+
+
+
+
+# ---------------------------------------------------------------
+# Bastion Security Group
+#
+# The security group that the bastion lives in
+# ---------------------------------------------------------------
 securityGroup/bastion.{{ ClusterName }}:
  vpc: vpc/{{ ClusterName }}
  description: 'Security group for bastion'
  removeExtraRules:
  - port=22

-
+# ---------------------------------------------------------------
+# Security Group Rule - All Egress
+#
+# Open the bastion to all outbound traffic
+# ---------------------------------------------------------------
 securityGroupRule/bastion-egress:
  securityGroup: securityGroup/nodes.{{ ClusterName }}
  egress: true
  cidr: 0.0.0.0/0


+# ---------------------------------------------------------------
+# Security Group Rule - 22 TCP
+#
+# Open up to/from 22 TCP for admin CIDRs
+# ---------------------------------------------------------------
 {{ range $index, $cidr := AdminCIDR }}
 securityGroupRule/ssh-external-to-bastion-{{ $index }}:
  securityGroup: securityGroup/bastion.{{ ClusterName }}
@ -23,31 +51,43 @@ securityGroupRule/ssh-external-to-bastion-{{ $index }}:
  toPort: 22
 {{ end }}

-# Nodes can talk to bastion
+# ---------------------------------------------------------------
+# Security Group Rule - Nodes to Bastion
+#
+# Open up traffic from the k8s nodes to the bastion
+# ---------------------------------------------------------------
 securityGroupRule/all-node-to-bastion:
  securityGroup: securityGroup/bastion.{{ ClusterName }}
  sourceGroup: securityGroup/nodes.{{ ClusterName }}

-# Masters can talk to bastion
+# ---------------------------------------------------------------
+# Security Group Rule - Masters to Bastion
+#
+# Open up traffic from the k8s master(s) to the bastion
+# ---------------------------------------------------------------
 securityGroupRule/all-master-to-bastion:
  securityGroup: securityGroup/bastion.{{ ClusterName }}
  sourceGroup: securityGroup/masters.{{ ClusterName }}


-{{ range $zone := .Zones }}
-instance/bastion-{{ $zone.Name }}.{{ ClusterName }}:
-  subnet: subnet/utility-{{ $zone.Name }}.{{ ClusterName }}
+# ---------------------------------------------------------------
+# Instance - The Bastion itself
+#
+# Define the bastion host. Hard coding to a t2.small for now.
+# we probably want to abstract this out in a later feature.
+# ---------------------------------------------------------------
+instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}:
+  subnet: subnet/utility-{{ GetBastionZone }}.{{ ClusterName }}
  imageId: {{ GetBastionImageId }}
-  # TODO Kris - Hard coding m3.medium here (for now) we will probably want to abstract this out later.. for now.. it's a bastion box - and we are still prototyping this topology
-  InstanceType: m3.medium
+  InstanceType: t2.small
  SSHKey: sshKey/{{ SSHKeyName }}
  securityGroups:
    - securityGroup/bastion.{{ ClusterName }}
  AssociatePublicIP: true
-  name: bastion-{{ $zone.Name }}.{{ ClusterName }}
+  name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
  tags:
-    Name: bastion-{{ $zone.Name }}.{{ ClusterName }}
+    Name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
    KubernetesCluster: {{ ClusterName }}
-{{ end }}
+

 {{ end }}
--- a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
@ -19,9 +19,6 @@



-
-
-
 # ---------------------------------------------------------------
 # VPC
 #
@ -149,8 +146,7 @@ ngw/{{ $zone.Name }}.{{ ClusterName }}:
 # ---------------------------------------------------------------
 # Private Subnet
 #
-# This is the private subnet
-# TODO Kris - We need private CIDRs here and with the private route
+# This is the private subnet for each AZ
 # ---------------------------------------------------------------
 subnet/private-{{ $zone.Name }}.{{ ClusterName }}:
  vpc: vpc/{{ ClusterName }}
--- a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
@ -56,7 +56,7 @@ launchConfiguration/{{ $ig.Name }}.{{ ClusterName }}:
  iamInstanceProfile: iamInstanceProfile/nodes.{{ ClusterName }}
  imageId: {{ $ig.Spec.Image }}
  instanceType: {{ $ig.Spec.MachineType }}
-  associatePublicIP: {{ WithDefaultBool $ig.Spec.AssociatePublicIP true }}
+  associatePublicIP: false
  userData: resources/nodeup.sh {{ $ig.Name }}
  rootVolumeSize: {{ or $ig.Spec.RootVolumeSize "20" }}
  rootVolumeType: {{ or $ig.Spec.RootVolumeType "gp2" }}
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@ -95,6 +95,7 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap) {
 	dest["IsTopologyPrivateMasters"] = tf.IsTopologyPrivateMasters
 	dest["WithBastion"] = tf.WithBastion
 	dest["GetBastionImageId"] = tf.GetBastionImageId
+	dest["GetBastionZone"] = tf.GetBastionZone

 	dest["SharedZone"] = tf.SharedZone
 	dest["WellKnownServiceIP"] = tf.WellKnownServiceIP
@ -181,8 +182,18 @@ func (tf *TemplateFunctions) WithBastion()  bool  {
 	 return !tf.cluster.Spec.Topology.BypassBastion
 }

-// TODO Kris - Here we just blindly return the first instance group image
-// we should make this better
+// This function is replacing existing yaml
+func (tf *TemplateFunctions) GetBastionZone() (string, error) {
+	var name string
+	if len(tf.cluster.Spec.Zones) <= 1 {
+		return "", fmt.Errorf("Unable to detect zone name for bastion")
+	} else {
+		// If we have a list, always use the first one
+		name = tf.cluster.Spec.Zones[0].Name
+	}
+	return name, nil
+}
+
 func (tf *TemplateFunctions) GetBastionImageId() (string, error) {
 	if len(tf.instanceGroups) == 0 {
 		return "", fmt.Errorf("Unable to find AMI in instance group")