This way the security group rule task doesn't need to be aware of VPCs, since we know the VPC CIDR ahead of time via cluster spec.
This also fixes the terraform and cloudformation rendering of this rule (see the added cidr block in the integration test outputs)
These rules are for NLB's health checks. The AWS docs recommend allowing access from the entire VPC CIDRs
Also add rules for additionalNetworkCIDRs, supporting VPCs with multiple CIDR blocks.
* refactor TargetLoadBalancer to use DNSTarget interface instead of LoadBalancer
* add LoadBalancerClass fields into api
* make api machinery
* WIP: Implemented API loadbalancer class, allowing NLB and ELB support on AWS for new clusters.
* perform vendoring related tasks and apply fixes identified from hack/
disallow spotinst + nlb
remove reflection in status_discovery.go
Add precreated additional security groups to the Master nodes in case of NLB
Remove support for attaching individual instances to NLB; only rely on ASG attachments
Don't specify Classic loadbalancer in GCE integration test
* add utility function to the kops model context to make LoadBalancer comparisons simpler
* use DNSTarget interface when locating DNSName of API ELB
* wip: create target group task
* Consolidate TargetGroup tasks
* Use context helper for determining api load balancer type to avoid nil pointers
* Update NLB creation to use target group ARN from separate task rather than creating a TG in-line
* Address staticcheck and bazel failures
* Removing NLB Attachment tasks because they're not used since we switched to defining them as a part of the ASGs
* Address PR review feedback
* Only set LB Class field for AWS clusters, fix nil pointer
* Move target group attributes from NLB task to TG task, removing unused attributes
* Add terraform and cloudformation support for NLBs, listeners, and target groups
* Update integration test for NLB support
* Fix NLB name format to pass terraform validation
* Preserve security group rule names when switching ELB to NLB to reduce destructive terraform changes
* Use elbv2 enums and address some TODOs
* Set healthcheck values in target group
* Find TG tags, fix NLB name detection
* Fix more spurious changes reported by lifecycle integration test
* Fix spotinst validation, more code cleanup
* Address more PR feedback
* ReconcileTargetGroups unit test + more code simplification
* Addressing PR feedback Renaming task: awstasks.LoadBalancer -> awstasks.ClassicLoadBalancer
* Addressing PR feedback Renaming task: ELBName() -> CLBName() / LinkToELB() -> LinkToCLB()
* Addressing PR feedback: Various text changes
* fix export of kubecfg
* address TargetGroup should have the same name as the NLB
* should address error when fetching tags due to missing ARN
* Update expected and crds
* Add feature table to NLB docs
* Address more feedback and remove some TODOs that aren't applicable anymore
* Update spotinst validation error message
Co-authored-by: Peter Rifel <pgrifel@gmail.com>
```
E3002 Invalid Property Resources/AWSAutoScalingAutoScalingGroupnodesmixedinstancesexamplecom/Properties/MixedInstancesPolicy/InstancesDistribution/SpotInstancePool
//kops/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json:321:13
E3031 CidrIp contains invalid characters (Pattern: x.x.x.x/y) at Resources/AWSEC2SecurityGroupIngresssshexternaltonode2001085a348/Properties/CidrIp
//kops/tests/integration/update_cluster/complex/cloudformation.json:833:9
```
I'm using strings.Contains to determine if a CIDR is v6 since it seems simplest given that we know the value won't have a port number [0]
[0] https://stackoverflow.com/questions/22751035/golang-distinguish-ipv4-ipv6
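The VPC-CIDR and additionalNetworkCIDRs health-check rules and the ':'-based IPv6 check described above, as an added Go example that is not kops' own code: the IngressRule type, renderHealthCheckIngress and the CIDR values are hypothetical and constructed here. It validates each CIDR with net.ParseCIDR and selects the CloudFormation property (CidrIp or CidrIpv6) so an IPv6 block is never rendered into CidrIp, which is the E3031 pattern failure quoted above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// IngressRule is the rendered form of one security group ingress rule, keyed by
// the CloudFormation property the CIDR will be emitted under.
// (Hypothetical type for this example, not kops' awstasks model.)
type IngressRule struct {
	Property string // "CidrIp" for IPv4, "CidrIpv6" for IPv6
	CIDR     string
	FromPort int
	ToPort   int
}

// isIPv6CIDR is the containment check from the commit message: a CIDR never
// carries a port, so any ':' means the value is IPv6.
func isIPv6CIDR(cidr string) bool {
	return strings.Contains(cidr, ":")
}

// renderHealthCheckIngress builds one rule per CIDR (the VPC CIDR first, then
// additionalNetworkCIDRs). Each value is parsed with net.ParseCIDR so a
// malformed or ambiguous CIDR fails here instead of surfacing later as a
// cfn-lint E3031 error on CidrIp. The network is normalised (host bits cleared).
func renderHealthCheckIngress(vpcCIDR string, additionalCIDRs []string, port int) ([]IngressRule, error) {
	cidrs := append([]string{vpcCIDR}, additionalCIDRs...)
	rules := make([]IngressRule, 0, len(cidrs))
	for _, c := range cidrs {
		ip, ipnet, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		// Guard: the parsed family must agree with the string check. An
		// IPv4-mapped IPv6 literal (::ffff:a.b.c.d/n) contains ':' but parses
		// as IPv4, and would be rendered under the wrong property.
		if (ip.To4() == nil) != isIPv6CIDR(c) {
			return nil, fmt.Errorf("CIDR %q: address family is ambiguous", c)
		}
		prop := "CidrIp"
		if isIPv6CIDR(c) {
			prop = "CidrIpv6"
		}
		rules = append(rules, IngressRule{Property: prop, CIDR: ipnet.String(), FromPort: port, ToPort: port})
	}
	return rules, nil
}

func main() {
	rules, err := renderHealthCheckIngress("10.0.0.0/16", []string{"100.64.0.0/16", "2001:db8::/56"}, 443)
	fmt.Println(rules, err)
}
```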
This creates a new go module for the e2e code and the kubetest2 skeleton.
Most of the kubetest2 code was copied from sigs.k8s.io/kubetest2/kubetest2-gke.
Currently only building (`make gcs-publish-ci`) is in place.
I used test-infra/scenarios/kubernetes_e2e.py as reference, removing env and make variables that are no longer needed.
Instructions:
```
cd tests/e2e
go install sigs.k8s.io/kubetest2
go install ./kubetest2-kops
kubetest2 kops -v 9 --build --stage-location=gs://foobar/ --kops-root=../../ # runs make gcs-publish-ci and exits
```
When the PublicJWKS feature-flag is set, we expose the apiserver JWKS
document publicly (including enabling anonymous access). This is a
stepping stone to a more hardened configuration where we copy the JWKS
document to S3/GCS/etc.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
This means we no longer have to individually hard-code the `kops set`
fields; however, we use the "language" we've now demonstrated.
We add tests to ensure we have parity with our existing (hard-coded)
setter logic.
* Integration test for floatingip cluster
* Implements mocking of floatingIP (only list for now)
* Expands various cloudmocks
* Fixes an NPR in openstack validation
* Fixes a bug where kops tries to use DNS even if the cluster is gossip
This will create / update / update / delete an openstack cluster using cloudmock, ensuring there are no lingering changes reported or orphaned resources
The yaml files were most likely meant to live in tests/integration/update_cluster/minimal_gce but those files already exist.
The md file is very old and not relevant
Each integration test cluster adds many LoC and some overhead in running the integration tests.
Since many of the tests are only testing a specific feature, it would be simpler to combine all of the non-mutually exclusive features into the complex cluster.
This adds any labels defined in the Cluster spec's CloudLabels to the tags of the following AWS resource types:
Elastic IP
Internet Gateway
NAT Gateway
Route Table
Security Group
Subnet
VPC DHCP Options
VPC
According to the upgrade guide [0] resource names cannot start with digits.
Currently both routes and VPC CIDR associations start with digits, so this adds prefixes to them so that they are valid resource identifiers in 0.12.
This is a significant change because on its own, terraform will destroy and recreate the route, which impacts the cluster networking.
To avoid this, existing clusters will require moving the resources within the terraform state prior to the next `apply`.
```
kops update cluster --target terraform --out ./
terraform state mv aws_route.0-0-0-0--0 aws_route.route-0-0-0-0--0 # repeat for all aws_route resources
terraform plan
terraform apply
```
The exact terraform state command may vary depending on how Kops' terraform output is used.
See the command documentation [1] for more details.
Always run a terraform plan first to ensure the `aws_route` and `aws_vpc_ipv4_cidr_block_association` resources are not getting recreated.
Due to the potential impact, this notice should be very prominent in the Kops release notes.
[0] https://www.terraform.io/upgrade-guides/0-12.html
[1] https://www.terraform.io/docs/commands/state/mv.html
Add tests for no ssh key functionality
Add docs for setting no ssh key
Disable sshKey rendering for cloudformation if nosshkey is set
Fix broken test
make goimports
Fix
Formatting fix
Update kubernetes version for tests
Update expected test output
Fix imports in mesh.pb.go
Run hack/update-expected.sh
Change digital ocean logic to handle *string for SSHKeyName
Fix expected output
Missed a few