GCE: Set firewall rules for Internal LBs also

It seems we can use the exact same rules.
2023-07-09 19:01:58 -04:00 · 2023-07-09 19:01:58 -04:00 · 3613f586c8
parent 114ac311c1
commit 3613f586c8
4 changed files with 105 additions and 6 deletions
--- a/pkg/model/gcemodel/api_loadbalancer.go
+++ b/pkg/model/gcemodel/api_loadbalancer.go
@ -38,7 +38,7 @@ var _ fi.CloudupModelBuilder = &APILoadBalancerBuilder{}

 // createPublicLB validates the existence of a target pool with the given name,
 // and creates an IP address and forwarding rule pointing to that target pool.
-func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error {
+func (b *APILoadBalancerBuilder) createPublicLB(c *fi.CloudupModelBuilderContext) error {
 	healthCheck := &gcetasks.HTTPHealthcheck{
 		Name:        s(b.NameForHealthcheck("api")),
 		Port:        i64(wellknownports.KubeAPIServerHealthCheck),
@ -89,6 +89,10 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
 		})
 	}

+	return b.addFirewallRules(c)
+}
+
+func (b *APILoadBalancerBuilder) addFirewallRules(c *fi.CloudupModelBuilderContext) error {
 	// Allow traffic into the API from KubernetesAPIAccess CIDRs
 	{
 		network, err := b.LinkToNetwork()
@ -132,7 +136,7 @@ func createPublicLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext)
 // createInternalLB creates an internal load balancer for the cluster.  In
 // GCP this entails creating a health check, backend service, and one forwarding rule
 // per specified subnet pointing to that backend service.
-func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContext) error {
+func (b *APILoadBalancerBuilder) createInternalLB(c *fi.CloudupModelBuilderContext) error {
 	hc := &gcetasks.HealthCheck{
 		Name:      s(b.NameForHealthCheck("api")),
 		Port:      wellknownports.KubeAPIServer,
@ -215,8 +219,7 @@ func createInternalLB(b *APILoadBalancerBuilder, c *fi.CloudupModelBuilderContex
 			})
 		}
 	}
-
-	return nil
+	return b.addFirewallRules(c)
 }

 func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {
@ -232,10 +235,10 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error {

 	switch lbSpec.Type {
 	case kops.LoadBalancerTypePublic:
-		return createPublicLB(b, c)
+		return b.createPublicLB(c)

 	case kops.LoadBalancerTypeInternal:
-		return createInternalLB(b, c)
+		return b.createInternalLB(c)

 	default:
 		return fmt.Errorf("unhandled LoadBalancer type %q", lbSpec.Type)
--- a/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_dns-none/kubernetes.tf
@ -211,6 +211,54 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-example-com" {
  zone = "us-test1-a"
 }

+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "kops-controller-ipv6-minimal-gce-example-com" {
+  allow {
+    ports    = ["3988"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "kops-controller-ipv6-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "kops-controller-minimal-gce-example-com" {
+  allow {
+    ports    = ["3988"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "kops-controller-minimal-gce-example-com"
+  network       = google_compute_network.minimal-gce-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-example-com-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-example-com" {
  allow {
    protocol = "tcp"
--- a/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_ilb/kubernetes.tf
@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-ilb-example-com" {
  zone = "us-test1-a"
 }

+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-ilb-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-ilb-example-com"
+  network       = google_compute_network.minimal-gce-ilb-example-com.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-ilb-example-com" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-ilb-example-com"
+  network       = google_compute_network.minimal-gce-ilb-example-com.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-ilb-example-com-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-ilb-example-com" {
  allow {
    protocol = "tcp"
--- a/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal_gce_ilb_longclustername/kubernetes.tf
@ -219,6 +219,30 @@ resource "google_compute_disk" "a-etcd-main-minimal-gce-with-a-very-very-very-ve
  zone = "us-test1-a"
 }

+resource "google_compute_firewall" "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-ipv6-minimal-gce-with-a-very-very-very-very-ve-96dqvi"
+  network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
+  source_ranges = ["::/0"]
+  target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
+}
+
+resource "google_compute_firewall" "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi" {
+  allow {
+    ports    = ["443"]
+    protocol = "tcp"
+  }
+  disabled      = false
+  name          = "https-api-minimal-gce-with-a-very-very-very-very-very-lo-96dqvi"
+  network       = google_compute_network.minimal-gce-with-a-very-very-very-very-very-long-name-ex-96dqvi.name
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["minimal-gce-with-a-very-very-v-96dqvi-k8s-io-role-control-plane"]
+}
+
 resource "google_compute_firewall" "lb-health-checks-minimal-gce-with-a-very-very-very-very--96dqvi" {
  allow {
    protocol = "tcp"