diff --git a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
index 97b51555be..790b40aa7a 100644
--- a/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
+++ b/upup/models/cloudup/_aws/master/_master_asg/master_asg.yaml
@@ -8,7 +8,12 @@ launchConfiguration/{{ $m.Name }}.masters.{{ ClusterName }}:
 iamInstanceProfile: iamInstanceProfile/masters.{{ ClusterName }}
 imageId: {{ $m.Spec.Image }}
 instanceType: {{ $m.Spec.MachineType }}
+ {{ if IsTopologyPublic }}
 associatePublicIP: {{ WithDefaultBool $m.Spec.AssociatePublicIP true }}
+ {{ end }}
+ {{ if IsTopologyPrivate }}
+ associatePublicIP: false
+ {{ end }}
 userData: resources/nodeup.sh {{ $m.Name }}
 rootVolumeSize: {{ or $m.Spec.RootVolumeSize "20" }}
 rootVolumeType: {{ or $m.Spec.RootVolumeType "gp2" }}
diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
index 618787a2e0..d203be4c0e 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/bastion.yaml
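Review bot: The two independent `{{ if }}` blocks around `associatePublicIP` emit the key zero times when neither `IsTopologyPublic` nor `IsTopologyPrivate` holds and twice when both do, so unless those predicates are guaranteed to be mutually exclusive and exhaustive the master launch configuration's public-IP setting falls back to the provider default or to whichever duplicate key the YAML parser keeps. A single if/else emits exactly one value: `{{ if IsTopologyPrivate }}associatePublicIP: false{{ else }}associatePublicIP: {{ WithDefaultBool $m.Spec.AssociatePublicIP true }}{{ end }}`. The private branch also silently discards an explicit `$m.Spec.AssociatePublicIP: true`; rejecting that combination at validation time would make the override visible to the operator instead of quietly ignoring the spec. The nodes.yaml hunk later in this diff hard-codes `associatePublicIP: false` the same way and has the same silent-override concern.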
@@ -1,19 +1,47 @@
 {{ if WithBastion }}
+# ---------------------------------------------------------------
+#
+# Bastion Host for Private Network Topologies in AWS
+#
+# The bastion host will live in one of the utility subnets
+# created in the private topology. The bastion host will have
+# port 22 TCP open to 0.0.0.0/0. And will have internal SSH
+# access to all private subnets.
+#
+# ---------------------------------------------------------------
+
+
+
+
+# ---------------------------------------------------------------
+# Bastion Security Group
+#
+# The security group that the bastion lives in
+# ---------------------------------------------------------------
 securityGroup/bastion.{{ ClusterName }}:
 vpc: vpc/{{ ClusterName }}
 description: 'Security group for bastion'
 removeExtraRules:
 - port=22
-
+# ---------------------------------------------------------------
+# Security Group Rule - All Egress
+#
+# Open the bastion to all outbound traffic
+# ---------------------------------------------------------------
 securityGroupRule/bastion-egress:
 securityGroup: securityGroup/nodes.{{ ClusterName }}
 egress: true
 cidr: 0.0.0.0/0
+# ---------------------------------------------------------------
+# Security Group Rule - 22 TCP
+#
+# Open up to/from 22 TCP for admin CIDRs
+# ---------------------------------------------------------------
 {{ range $index, $cidr := AdminCIDR }}
 securityGroupRule/ssh-external-to-bastion-{{ $index }}:
 securityGroup: securityGroup/bastion.{{ ClusterName }}
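Review bot: The new "Security Group Rule - All Egress" comment says it opens the bastion to outbound traffic, but the rule beneath it, `securityGroupRule/bastion-egress`, is attached to `securityGroup/nodes.{{ ClusterName }}`, so it adds an all-egress rule to the nodes group and leaves the bastion group with no egress rule in this file; if the comment describes the intent, the target should be `securityGroup: securityGroup/bastion.{{ ClusterName }}`. The new file header also states that port 22 is open to `0.0.0.0/0`, whereas the inbound rules that follow range over `AdminCIDR`; operators read this header to judge exposure, so it should say `# port 22 TCP open to the AdminCIDR list` rather than the whole internet. Whether the bastion group receives a default egress rule somewhere else is not visible in this hunk.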
@@ -23,31 +51,43 @@ securityGroupRule/ssh-external-to-bastion-{{ $index }}:
 toPort: 22
 {{ end }}
-# Nodes can talk to bastion
+# ---------------------------------------------------------------
+# Security Group Rule - Nodes to Bastion
+#
+# Open up traffic from the k8s nodes to the bastion
+# ---------------------------------------------------------------
 securityGroupRule/all-node-to-bastion:
 securityGroup: securityGroup/bastion.{{ ClusterName }}
 sourceGroup: securityGroup/nodes.{{ ClusterName }}
-# Masters can talk to bastion
+# ---------------------------------------------------------------
+# Security Group Rule - Masters to Bastion
+#
+# Open up traffic from the k8s master(s) to the bastion
+# ---------------------------------------------------------------
 securityGroupRule/all-master-to-bastion:
 securityGroup: securityGroup/bastion.{{ ClusterName }}
 sourceGroup: securityGroup/masters.{{ ClusterName }}
-{{ range $zone := .Zones }}
-instance/bastion-{{ $zone.Name }}.{{ ClusterName }}:
- subnet: subnet/utility-{{ $zone.Name }}.{{ ClusterName }}
+# ---------------------------------------------------------------
+# Instance - The Bastion itself
+#
+# Define the bastion host. Hard coding to a t2.small for now.
+# we probably want to abstract this out in a later feature.
+# ---------------------------------------------------------------
+instance/bastion-{{ GetBastionZone }}.{{ ClusterName }}:
+ subnet: subnet/utility-{{ GetBastionZone }}.{{ ClusterName }}
 imageId: {{ GetBastionImageId }}
- # TODO Kris - Hard coding m3.medium here (for now) we will probably want to abstract this out later.. for now.. it's a bastion box - and we are still prototyping this topology
- InstanceType: m3.medium
+ InstanceType: t2.small
 SSHKey: sshKey/{{ SSHKeyName }}
 securityGroups:
 - securityGroup/bastion.{{ ClusterName }}
 AssociatePublicIP: true
- name: bastion-{{ $zone.Name }}.{{ ClusterName }}
+ name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
 tags:
- Name: bastion-{{ $zone.Name }}.{{ ClusterName }}
+ Name: bastion-{{ GetBastionZone }}.{{ ClusterName }}
 KubernetesCluster: {{ ClusterName }}
-{{ end }}
+ {{ end }}
diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
index def7c11635..37f53dcbb2 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
@@ -19,9 +19,6 @@
-
-
-
 # ---------------------------------------------------------------
 # VPC
 #
@@ -149,8 +146,7 @@ ngw/{{ $zone.Name }}.{{ ClusterName }}:
 # ---------------------------------------------------------------
 # Private Subnet
 #
-# This is the private subnet
-# TODO Kris - We need private CIDRs here and with the private route
+# This is the private subnet for each AZ
 # ---------------------------------------------------------------
 subnet/private-{{ $zone.Name }}.{{ ClusterName }}:
 vpc: vpc/{{ ClusterName }}
diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
index 9b5c676d0c..01f58de73f 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/nodes.yaml
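Review bot: Replacing `{{ range $zone := .Zones }}` with `GetBastionZone` reduces the bastion from one instance per zone to a single instance in whichever zone `GetBastionZone` returns, so the admin SSH path into the private subnets now depends on one host in one availability zone; the new header comment mentions only the instance size and should state this, e.g. `# A single bastion is created, placed in the first zone (GetBastionZone).`. `GetBastionZone` is invoked four times in this block and each call can return an error; a single `{{ $bastionZone := GetBastionZone }}` assignment at the top of the block, if the template engine allows it here, would keep the name consistent and make the failure point obvious. The closing `{{ end }}` now pairs with `{{ if WithBastion }}` at the top of the file, which lies outside this hunk.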
@@ -56,7 +56,7 @@ launchConfiguration/{{ $ig.Name }}.{{ ClusterName }}:
 iamInstanceProfile: iamInstanceProfile/nodes.{{ ClusterName }}
 imageId: {{ $ig.Spec.Image }}
 instanceType: {{ $ig.Spec.MachineType }}
- associatePublicIP: {{ WithDefaultBool $ig.Spec.AssociatePublicIP true }}
+ associatePublicIP: false
 userData: resources/nodeup.sh {{ $ig.Name }}
 rootVolumeSize: {{ or $ig.Spec.RootVolumeSize "20" }}
 rootVolumeType: {{ or $ig.Spec.RootVolumeType "gp2" }}
diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
index 39b719de40..efdfb32b23 100644
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@@ -95,6 +95,7 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap) {
 dest["IsTopologyPrivateMasters"] = tf.IsTopologyPrivateMasters
 dest["WithBastion"] = tf.WithBastion
 dest["GetBastionImageId"] = tf.GetBastionImageId
+ dest["GetBastionZone"] = tf.GetBastionZone
 dest["SharedZone"] = tf.SharedZone
 dest["WellKnownServiceIP"] = tf.WellKnownServiceIP
@@ -181,8 +182,18 @@ func (tf *TemplateFunctions) WithBastion() bool {
 return !tf.cluster.Spec.Topology.BypassBastion
 }
-// TODO Kris - Here we just blindly return the first instance group image
-// we should make this better
+// This function is replacing existing yaml
+func (tf *TemplateFunctions) GetBastionZone() (string, error) {
+ var name string
+ if len(tf.cluster.Spec.Zones) <= 1 {
+ return "", fmt.Errorf("Unable to detect zone name for bastion")
+ } else {
+ // If we have a list, always use the first one
+ name = tf.cluster.Spec.Zones[0].Name
+ }
+ return name, nil
+}
+
 func (tf *TemplateFunctions) GetBastionImageId() (string, error) {
 if len(tf.instanceGroups) == 0 {
 return "", fmt.Errorf("Unable to find AMI in instance group")
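Review bot: `GetBastionZone` returns an error when `len(tf.cluster.Spec.Zones) <= 1`, so a private-topology cluster with exactly one zone cannot render its bastion even though `Zones[0]` is usable there; unless single-zone private clusters are rejected elsewhere, the guard should be `if len(tf.cluster.Spec.Zones) == 0 {`. The `else` after a `return` and the `name` temporary are unnecessary, the error string should be lowercase per Go convention, and the doc comment `// This function is replacing existing yaml` says nothing about the contract — the templates need to know that exactly one bastion is placed in the first zone. The removed TODO on `GetBastionImageId` described a caveat about returning the first instance group's image; that function's visible lines are unchanged, so if the caveat still holds the comment should stay rather than be dropped.
```go
// GetBastionZone returns the name of the zone the bastion is placed in.
// A single bastion is created, always in the first zone of the cluster spec.
func (tf *TemplateFunctions) GetBastionZone() (string, error) {
	if len(tf.cluster.Spec.Zones) == 0 {
		return "", fmt.Errorf("unable to detect zone name for bastion: cluster spec has no zones")
	}
	return tf.cluster.Spec.Zones[0].Name, nil
}
```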