Refactoring phases to work in sequence properly
This commit is contained in:
parent
ceafc684f2
commit
dc338c4829
@ -35,7 +35,8 @@ const LoadBalancerDefaultIdleTimeout = 5 * time.Minute
|
|||
// APILoadBalancerBuilder builds a LoadBalancer for accessing the API
|
||||
type APILoadBalancerBuilder struct {
|
||||
*AWSModelContext
|
||||
Lifecycle *fi.Lifecycle
|
||||
Lifecycle *fi.Lifecycle
|
||||
SecurityLifecycle *fi.Lifecycle
|
||||
}
|
||||
|
||||
var _ fi.ModelBuilder = &APILoadBalancerBuilder{}
|
||||
|
|
@ -144,7 +145,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroup{
|
||||
Name: s(b.ELBSecurityGroupName("api")),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
VPC: b.LinkToVPC(),
|
||||
Description: s("Security group for api ELB"),
|
||||
|
|
@ -157,7 +158,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("api-elb-egress"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToELBSecurityGroup("api"),
|
||||
Egress: fi.Bool(true),
|
||||
|
|
@ -171,7 +172,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess {
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("https-api-elb-" + cidr),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToELBSecurityGroup("api"),
|
||||
CIDR: s(cidr),
|
||||
|
|
@ -187,7 +188,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("https-elb-to-master"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
|
||||
SourceGroup: b.LinkToELBSecurityGroup("api"),
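Review bot: The new exported field `SecurityLifecycle` on APILoadBalancerBuilder has no doc comment, and nothing in Build guards against it being left nil, even though every construction site before this commit set only `Lifecycle`. If a nil `*fi.Lifecycle` is not a valid value for the awstasks it is assigned to (I cannot tell from these hunks), a caller that is not updated in step with the struct silently gets security-group tasks with no lifecycle, which is exactly the kind of drift a phase refactor tends to leave behind. I would document the field, `// SecurityLifecycle is the lifecycle for the API ELB security group and its rules; it is kept separate from Lifecycle because those tasks are built in the security phase.`, and at the top of Build (which starts and ends outside these hunks) fail fast with `if b.SecurityLifecycle == nil { return fmt.Errorf("SecurityLifecycle must be set") }` (importing fmt if the file does not already), or fall back to `b.Lifecycle` if that matches the intended phase ordering. The same applies to the `SecurityLifecycle` field added to BastionModelBuilder in the next file.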
|
||||
|
|
|
|||
|
|
@ -35,7 +35,8 @@ const BastionELBDefaultIdleTimeout = 5 * time.Minute
|
|||
|
||||
type BastionModelBuilder struct {
|
||||
*KopsModelContext
|
||||
Lifecycle *fi.Lifecycle
|
||||
Lifecycle *fi.Lifecycle
|
||||
SecurityLifecycle *fi.Lifecycle
|
||||
}
|
||||
|
||||
var _ fi.ModelBuilder = &BastionModelBuilder{}
|
||||
|
|
@ -56,7 +57,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroup{
|
||||
Name: s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
VPC: b.LinkToVPC(),
|
||||
Description: s("Security group for bastion"),
|
||||
|
|
@ -69,7 +70,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("bastion-egress"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
|
||||
Egress: fi.Bool(true),
|
||||
|
|
@ -83,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("ssh-elb-to-bastion"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
|
||||
SourceGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
|
||||
|
|
@ -98,7 +99,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("bastion-to-master-ssh"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
|
||||
SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
|
||||
|
|
@ -113,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("bastion-to-node-ssh"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
|
||||
SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
|
||||
|
|
@ -128,7 +129,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroup{
|
||||
Name: s(b.ELBSecurityGroupName(BastionELBSecurityGroupPrefix)),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
VPC: b.LinkToVPC(),
|
||||
Description: s("Security group for bastion ELB"),
|
||||
|
|
@ -141,7 +142,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
{
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("bastion-elb-egress"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
|
||||
Egress: fi.Bool(true),
|
||||
|
|
@ -155,7 +156,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
for _, sshAccess := range b.Cluster.Spec.SSHAccess {
|
||||
t := &awstasks.SecurityGroupRule{
|
||||
Name: s("ssh-external-to-bastion-elb-" + sshAccess),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Lifecycle: b.SecurityLifecycle,
|
||||
|
||||
SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
|
||||
Protocol: s("tcp"),
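Review bot: After this change the bastion security groups and every SecurityGroupRule in Build take `b.SecurityLifecycle`, while the bastion ELB task that references the ELB security group via LinkToELBSecurityGroup (outside these hunks) presumably still takes `b.Lifecycle`, so a single Build now emits tasks in two phases and is only correct if the security phase is guaranteed to run before the cluster phase. Nothing in the struct or in Build records that assumption, so the next person to reorder phases has nothing to warn them. I would state it on the struct: `// SecurityLifecycle applies to the bastion security groups and their rules; the ELB and instances that reference them stay on Lifecycle and rely on the security phase having already run.` Build starts and ends outside the visible hunks, so I cannot confirm which lifecycle the ELB task itself uses; verify and adjust the wording.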
|
||||
|
|
|
|||
|
|
@ -1,235 +0,0 @@
|
|||
output "bastion_security_group_ids" {
|
||||
value = ["${aws_security_group.bastion-privateweave-example-com.id}"]
|
||||
}
|
||||
|
||||
output "cluster_name" {
|
||||
value = "privateweave.example.com"
|
||||
}
|
||||
|
||||
output "master_security_group_ids" {
|
||||
value = ["${aws_security_group.masters-privateweave-example-com.id}"]
|
||||
}
|
||||
|
||||
output "node_security_group_ids" {
|
||||
value = ["${aws_security_group.nodes-privateweave-example-com.id}"]
|
||||
}
|
||||
|
||||
output "region" {
|
||||
value = "us-test-1"
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
region = "us-test-1"
|
||||
}
|
||||
|
||||
resource "aws_security_group" "api-elb-privateweave-example-com" {
|
||||
name = "api-elb.privateweave.example.com"
|
||||
vpc_id = "${aws_vpc.privateweave-example-com.id}"
|
||||
description = "Security group for api ELB"
|
||||
|
||||
tags = {
|
||||
KubernetesCluster = "privateweave.example.com"
|
||||
Name = "api-elb.privateweave.example.com"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "bastion-elb-privateweave-example-com" {
|
||||
name = "bastion-elb.privateweave.example.com"
|
||||
vpc_id = "${aws_vpc.privateweave-example-com.id}"
|
||||
description = "Security group for bastion ELB"
|
||||
|
||||
tags = {
|
||||
KubernetesCluster = "privateweave.example.com"
|
||||
Name = "bastion-elb.privateweave.example.com"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "bastion-privateweave-example-com" {
|
||||
name = "bastion.privateweave.example.com"
|
||||
vpc_id = "${aws_vpc.privateweave-example-com.id}"
|
||||
description = "Security group for bastion"
|
||||
|
||||
tags = {
|
||||
KubernetesCluster = "privateweave.example.com"
|
||||
Name = "bastion.privateweave.example.com"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "masters-privateweave-example-com" {
|
||||
name = "masters.privateweave.example.com"
|
||||
vpc_id = "${aws_vpc.privateweave-example-com.id}"
|
||||
description = "Security group for masters"
|
||||
|
||||
tags = {
|
||||
KubernetesCluster = "privateweave.example.com"
|
||||
Name = "masters.privateweave.example.com"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group" "nodes-privateweave-example-com" {
|
||||
name = "nodes.privateweave.example.com"
|
||||
vpc_id = "${aws_vpc.privateweave-example-com.id}"
|
||||
description = "Security group for nodes"
|
||||
|
||||
tags = {
|
||||
KubernetesCluster = "privateweave.example.com"
|
||||
Name = "nodes.privateweave.example.com"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "all-master-to-master" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "all-master-to-node" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "all-node-to-node" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "api-elb-egress" {
|
||||
type = "egress"
|
||||
security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "bastion-egress" {
|
||||
type = "egress"
|
||||
security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "bastion-elb-egress" {
|
||||
type = "egress"
|
||||
security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "bastion-to-master-ssh" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
|
||||
from_port = 22
|
||||
to_port = 22
|
||||
protocol = "tcp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "bastion-to-node-ssh" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
|
||||
from_port = 22
|
||||
to_port = 22
|
||||
protocol = "tcp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "https-elb-to-master" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "master-egress" {
|
||||
type = "egress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "node-egress" {
|
||||
type = "egress"
|
||||
security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "node-to-master-tcp-1-4000" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
from_port = 1
|
||||
to_port = 4000
|
||||
protocol = "tcp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "node-to-master-tcp-4003-65535" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
from_port = 4003
|
||||
to_port = 65535
|
||||
protocol = "tcp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "node-to-master-udp-1-65535" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
|
||||
from_port = 1
|
||||
to_port = 65535
|
||||
protocol = "udp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "ssh-elb-to-bastion" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
|
||||
source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
|
||||
from_port = 22
|
||||
to_port = 22
|
||||
protocol = "tcp"
|
||||
}
|
||||
|
||||
resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" {
|
||||
type = "ingress"
|
||||
security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
|
||||
from_port = 22
|
||||
to_port = 22
|
||||
protocol = "tcp"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
terraform = {
|
||||
required_version = ">= 0.9.3"
|
||||
}
|
||||
|
|
@ -535,11 +535,11 @@ func (c *ApplyClusterCmd) Run() error {
|
|||
|
||||
l.Builders = append(l.Builders,
|
||||
&model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
|
||||
&awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: networkLifecycle},
|
||||
&model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
|
||||
&model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
|
||||
&model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
|
||||
&model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
|
||||
&awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle},
|
||||
&model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle},
|
||||
&model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
|
||||
&model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
|
||||
&model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
|
||||
&model.SSHKeyModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
|
||||
)
|
||||
|
||||
|
|
@ -563,9 +563,9 @@ func (c *ApplyClusterCmd) Run() error {
|
|||
l.Builders = append(l.Builders,
|
||||
&model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
|
||||
|
||||
&gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
|
||||
&gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
|
||||
&gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
|
||||
&gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
|
||||
&gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
|
||||
&gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
|
||||
&gcemodel.NetworkModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
|
||||
)
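Review bot: The AWS and GCE builder lists now assign lifecycles differently with no comment explaining why: the AWS `APILoadBalancerBuilder` gets `Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle`, while the GCE `APILoadBalancerBuilder` is placed entirely in `securityLifecycle`, and `networkLifecycle` still appears for `gcemodel.NetworkModelBuilder` but nowhere in the AWS list shown here. Read cold, the asymmetry looks like an oversight rather than a design decision. I would add one comment above each `l.Builders = append(...)` along the lines of `// AWS: ELBs are cluster-phase resources whose security groups belong to the security phase, hence the split SecurityLifecycle; GCE has no such split, so its load balancer and firewall builders run wholly in the security phase.`, assuming that is the intent. Run() starts and ends outside these hunks, so I cannot see where `securityLifecycle` is defined or how the phases are sequenced.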
|
||||
|
||||
|
|
|
|||