In order to let kops fully control the rules for each security group we need to be able to generate names from the info in AWS. This is similar to the approach we used for openstack
Update pkg/model/firewall.go
Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
* Fix: Mount the whole `/etc/ssl/certs` directory for k8s-ec2-srcdst deployment.
Signed-off-by: Marcos Soutullo Rodriguez <marcos.soutullo@vodafone.com>
* Fix: Retrospective change to mount all CA certificates in <k8s-1.16
* Apply suggestions from code review
Co-authored-by: Ciprian Hacman <ciprianhacman@gmail.com>
This way the security group rule task doesn't need to be aware of VPCs, since we know the VPC CIDR ahead of time via cluster spec.
This also fixes the terraform and cloudformation rendering of this rule (see the added cidr block in the integration test outputs).
These rules are for the NLB's health checks. The AWS docs recommend allowing access from the entire VPC CIDRs.
Also add rules for additionalNetworkCIDRs, supporting VPCs with multiple CIDR blocks.
The ACM bugfix will fail API validation with k8s >=1.19 + `sslCertificate` + `class: Classic`.
The error message will contain this permalink, so I'd like to get eyes on this early.
If/when we handle migration without downtime, we can update these instructions to match.
* refactor TargetLoadBalancer to use DNSTarget interface instead of LoadBalancer
* add LoadBalancerClass fields into api
* make api machinery
* WIP: Implemented API loadbalancer class, allowing NLB and ELB support on AWS for new clusters.
* perform vendoring related tasks and apply fixes identified from hack/
disallow spotinst + nlb
remove reflection in status_discovery.go
Add precreated additional security groups to the Master nodes in case of NLB
Remove support for attaching individual instances to NLB; only rely on ASG attachments
Don't specify Classic loadbalancer in GCE integration test
* add utility function to the kops model context to make LoadBalancer comparisons simpler
* use DNSTarget interface when locating DNSName of API ELB
* wip: create target group task
* Consolidate TargetGroup tasks
* Use context helper for determining api load balancer type to avoid nil pointers
* Update NLB creation to use target group ARN from separate task rather than creating a TG in-line
* Address staticcheck and bazel failures
* Removing NLB Attachment tasks because they're not used since we switched to defining them as a part of the ASGs
* Address PR review feedback
* Only set LB Class field for AWS clusters, fix nil pointer
* Move target group attributes from NLB task to TG task, removing unused attributes
* Add terraform and cloudformation support for NLBs, listeners, and target groups
* Update integration test for NLB support
* Fix NLB name format to pass terraform validation
* Preserve security group rule names when switching ELB to NLB to reduce destructive terraform changes
* Use elbv2 enums and address some TODOs
* Set healthcheck values in target group
* Find TG tags, fix NLB name detection
* Fix more spurious changes reported by lifecycle integration test
* Fix spotinst validation, more code cleanup
* Address more PR feedback
* ReconcileTargetGroups unit test + more code simplification
* Addressing PR feedback: Renaming task awstasks.LoadBalancer -> awstasks.ClassicLoadBalancer
* Addressing PR feedback Renaming task: ELBName() -> CLBName() / LinkToELB() -> LinkToCLB()
* Addressing PR feedback: Various text changes
* fix export of kubecfg
* address TargetGroup should have the same name as the NLB
* should address error when fetching tags due to missing ARN
* Update expected and crds
* Add feature table to NLB docs
* Address more feedback and remove some TODOs that aren't applicable anymore
* Update spotinst validation error message
Co-authored-by: Peter Rifel <pgrifel@gmail.com>
The tests create a cluster with 2 node instance groups and 1 master and bastion instance groups.
Only one node instance group requires rolling update.
instanceGroupNodeSpecificErrorClusterValidator mocks a validation failure for a given node group.
Rolling update should not fail if the cluster validator reports an error in an unrelated instance group.
When unrelated instance groups produce validation errors, the instance group
being updated produces a failure and is forced to wait for rolling update to continue.
This can be avoided as failures in different node instance groups usually don't affect
the instance group being affected in any way.
The InstanceGroup field in the ValidationError struct is an optional field meant
to indicate the InstanceGroup which has reported that failure. This field either
holds a pointer to the instance group which caused the validation error or can be
nil, which indicates that we were unable to determine the instance group to which
this failure should be attributed.
This field is mainly used to identify whether a failure is worth waiting for
when validating a particular instance group.
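The attribution rule described in the message above, as an added illustration in Go (not kops' own code). The `InstanceGroup`, `ValidationError` and `ValidationCluster` types here are simplified stand-ins assumed for the example, and `BlockingFailures`/`ShouldWait` are hypothetical helper names; the only behaviour taken from the text is that a failure blocks the rolling update of a group when it is attributed to that group or cannot be attributed at all (nil InstanceGroup), and is ignored when attributed to a different group.

```go
package main

import "fmt"

// InstanceGroup is a stand-in for a kops instance group (hypothetical type for this example).
type InstanceGroup struct {
	Name string
}

// ValidationError mirrors the shape described in the commit message: the optional
// InstanceGroup pointer attributes the failure to one group, or is nil when the
// validator could not work out which group the failure belongs to.
type ValidationError struct {
	Kind          string
	Name          string
	Message       string
	InstanceGroup *InstanceGroup
}

// ValidationCluster carries the failures reported by one validation pass.
type ValidationCluster struct {
	Failures []*ValidationError
}

// BlockingFailures returns the failures a rolling update of `updating` must wait on:
// those attributed to `updating` itself and those with no attribution (nil pointer).
// Failures attributed to an unrelated instance group are dropped, so a broken node in
// another group does not stall this group's update. Groups are compared by name rather
// than pointer identity so copies of the same group still match.
func BlockingFailures(v *ValidationCluster, updating *InstanceGroup) []*ValidationError {
	var blocking []*ValidationError
	for _, f := range v.Failures {
		if f.InstanceGroup == nil || f.InstanceGroup.Name == updating.Name {
			blocking = append(blocking, f)
		}
	}
	return blocking
}

// ShouldWait reports whether the rolling update of `updating` has to keep waiting
// for the cluster to become valid.
func ShouldWait(v *ValidationCluster, updating *InstanceGroup) bool {
	return len(BlockingFailures(v, updating)) > 0
}

func main() {
	// Constructed sample: two node groups, one master group, failures of each kind.
	nodesA := &InstanceGroup{Name: "nodes-a"}
	nodesB := &InstanceGroup{Name: "nodes-b"}
	v := &ValidationCluster{Failures: []*ValidationError{
		{Kind: "Node", Name: "ip-10-0-1-10", Message: "node not ready", InstanceGroup: nodesB},
		{Kind: "Pod", Name: "kube-system/coredns", Message: "pod not ready", InstanceGroup: nil},
	}}
	for _, ig := range []*InstanceGroup{nodesA, nodesB} {
		fmt.Printf("%s: wait=%v blocking=%d\n", ig.Name, ShouldWait(v, ig), len(BlockingFailures(v, ig)))
	}
}
```

With the constructed sample, nodes-a waits only because of the unattributed pod failure, while nodes-b waits on both failures; removing the unattributed failure lets nodes-a proceed even though nodes-b still has a node that is not ready.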