From c1c1eec51bdfa68077ba4905ff7be722833b6403 Mon Sep 17 00:00:00 2001 From: Jose Armesto Date: Tue, 10 Oct 2023 17:02:17 +0200 Subject: [PATCH 1/5] Add value to configure control plane load balancer allow list --- CHANGELOG.md | 3 ++- helm/cluster-aws/README.md | 2 ++ helm/cluster-aws/templates/_aws_cluster.tpl | 9 +++++++++ helm/cluster-aws/values.schema.json | 12 ++++++++++++ helm/cluster-aws/values.yaml | 2 ++ 5 files changed, 27 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93bd0df0..acba042b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- Add teleport.service: Secure SSH access via Teleport +- Add teleport.service: Secure SSH access via Teleport. +- Add `controlPlane.loadBalancerIngressRules` to configure control plane load balancer ingress rules. ## [0.45.0] - 2023-10-04 diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md index 6b71a9ec..a7fdf200 100644 --- a/helm/cluster-aws/README.md +++ b/helm/cluster-aws/README.md @@ -100,6 +100,8 @@ Properties within the `.controlPlane` top-level object | `controlPlane.etcdVolumeSizeGB` | **Etcd volume size (GB)**|**Type:** `integer`
**Default:** `100`| | `controlPlane.instanceType` | **EC2 instance type**|**Type:** `string`
**Default:** `"r6i.xlarge"`| | `controlPlane.kubeletVolumeSizeGB` | **Kubelet volume size (GB)**|**Type:** `integer`
**Default:** `100`| +| `controlPlane.loadBalancerIngressRules` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.|**Type:** `array`
**Default:** `["0.0.0.0/0"]`| +| `controlPlane.loadBalancerIngressRules[*]` | **Address range**|**Type:** `string`
| | `controlPlane.machineHealthCheck` | **Machine health check**|**Type:** `object`
| | `controlPlane.machineHealthCheck.enabled` | **Enable**|**Type:** `boolean`
**Default:** `true`| | `controlPlane.machineHealthCheck.maxUnhealthy` | **Maximum unhealthy nodes**|**Type:** `string`
**Example:** `"40%"`
**Default:** `"40%"`|
diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
index 0984d312..7aa768b4 100644
--- a/helm/cluster-aws/templates/_aws_cluster.tpl
+++ b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -32,6 +32,15 @@ spec:
 {{- end }}
 controlPlaneLoadBalancer:
 scheme: {{ if (eq .Values.controlPlane.apiMode "public") }}internet-facing{{ else }}internal{{ end }}
+ {{- if .Values.controlPlane.loadBalancerIngressRules }}
+ ingressRules:
+ - description: "Kubernetes API"
+ protocol: tcp
+ fromPort: 6443
+ toPort: 6443
+ cidrBlocks:
+ {{- toYaml .Values.controlPlane.loadBalancerIngressRules | nindent 6 }}
+ {{- end }}
 network:
 cni:
 cniIngressRules:
diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
index 120fd006..8bce0be4 100644
--- a/helm/cluster-aws/values.schema.json
+++ b/helm/cluster-aws/values.schema.json
@@ -585,6 +585,18 @@
 "title": "Kubelet volume size (GB)",
 "default": 100
 },
+ "loadBalancerIngressRules": {
+ "type": "array",
+ "title": "Load balancer allow list",
+ "description": "IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.",
+ "items": {
+ "type": "string",
+ "title": "Address range"
+ },
+ "default": [
+ "0.0.0.0/0"
+ ]
+ },
 "machineHealthCheck": {
 "type": "object",
 "title": "Machine health check",
diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
index f35c81a7..be12b2b6 100644
--- a/helm/cluster-aws/values.yaml
+++ b/helm/cluster-aws/values.yaml
@@ -48,6 +48,8 @@ controlPlane:
 etcdVolumeSizeGB: 100
 instanceType: r6i.xlarge
 kubeletVolumeSizeGB: 100
+ loadBalancerIngressRules:
+ - 0.0.0.0/0
 machineHealthCheck:
 enabled: true
 maxUnhealthy: 40%
From 2eaa49c16a73b67d0a3476161c1a69e79b2e6415 Mon Sep 17 00:00:00 2001
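Review bot: The `{{- if .Values.controlPlane.loadBalancerIngressRules }}` guard skips the whole `ingressRules` block for an explicitly empty list exactly as it does for an unset value, so a user who writes `loadBalancerIngressRules: []` expecting to allow nothing gets no rule rendered and ends up with whatever rules the provider applies on its own. Either reject the empty list in the schema (`"minItems": 1` on the array) or state in the value's description that an empty list is treated as unset, so the fallback is a documented choice rather than a surprise. The `spec:` block this hunk sits in starts and ends outside the hunk.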
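Review bot: The `items` schema only enforces `"type": "string"` while the description promises IPv4 CIDR notation, so an entry with a missing prefix length or a stray character passes chart validation and only fails later in the provider, after the cluster object has already been applied. Constrain the item, e.g. `"pattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$"` (constructed example; tighten to the project's conventions), and consider `"uniqueItems": true` so duplicated ranges are rejected up front. The same `items` block is carried unchanged through the later rename and default-removal hunks of this series.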
From: Jose Armesto Date: Tue, 10 Oct 2023 17:23:15 +0200 Subject: [PATCH 2/5] Use better name for new exposed value --- CHANGELOG.md | 2 +- helm/cluster-aws/README.md | 4 ++-- helm/cluster-aws/templates/_aws_cluster.tpl | 4 ++-- helm/cluster-aws/values.schema.json | 2 +- helm/cluster-aws/values.yaml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index acba042b..e020a2b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Add teleport.service: Secure SSH access via Teleport. -- Add `controlPlane.loadBalancerIngressRules` to configure control plane load balancer ingress rules. +- Add `controlPlane.loadBalancerIngressAllowCidrBlocks` to configure control plane load balancer ingress rules. ## [0.45.0] - 2023-10-04 diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md index a7fdf200..99800114 100644 --- a/helm/cluster-aws/README.md +++ b/helm/cluster-aws/README.md @@ -100,8 +100,8 @@ Properties within the `.controlPlane` top-level object | `controlPlane.etcdVolumeSizeGB` | **Etcd volume size (GB)**|**Type:** `integer`
**Default:** `100`| | `controlPlane.instanceType` | **EC2 instance type**|**Type:** `string`
**Default:** `"r6i.xlarge"`| | `controlPlane.kubeletVolumeSizeGB` | **Kubelet volume size (GB)**|**Type:** `integer`
**Default:** `100`| -| `controlPlane.loadBalancerIngressRules` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.|**Type:** `array`
**Default:** `["0.0.0.0/0"]`| -| `controlPlane.loadBalancerIngressRules[*]` | **Address range**|**Type:** `string`
| +| `controlPlane.loadBalancerIngressAllowCidrBlocks` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.|**Type:** `array`
**Default:** `["0.0.0.0/0"]`| +| `controlPlane.loadBalancerIngressAllowCidrBlocks[*]` | **Address range**|**Type:** `string`
| | `controlPlane.machineHealthCheck` | **Machine health check**|**Type:** `object`
| | `controlPlane.machineHealthCheck.enabled` | **Enable**|**Type:** `boolean`
**Default:** `true`| | `controlPlane.machineHealthCheck.maxUnhealthy` | **Maximum unhealthy nodes**|**Type:** `string`
**Example:** `"40%"`
**Default:** `"40%"`|
diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
index 7aa768b4..e9b36969 100644
--- a/helm/cluster-aws/templates/_aws_cluster.tpl
+++ b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -32,14 +32,14 @@ spec:
 {{- end }}
 controlPlaneLoadBalancer:
 scheme: {{ if (eq .Values.controlPlane.apiMode "public") }}internet-facing{{ else }}internal{{ end }}
- {{- if .Values.controlPlane.loadBalancerIngressRules }}
+ {{- if .Values.controlPlane.loadBalancerIngressAllowCidrBlocks }}
 ingressRules:
 - description: "Kubernetes API"
 protocol: tcp
 fromPort: 6443
 toPort: 6443
 cidrBlocks:
- {{- toYaml .Values.controlPlane.loadBalancerIngressRules | nindent 6 }}
+ {{- toYaml .Values.controlPlane.loadBalancerIngressAllowCidrBlocks | nindent 6 }}
 {{- end }}
 network:
 cni:
diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
index 8bce0be4..1359fc8f 100644
--- a/helm/cluster-aws/values.schema.json
+++ b/helm/cluster-aws/values.schema.json
@@ -585,7 +585,7 @@
 "title": "Kubelet volume size (GB)",
 "default": 100
 },
- "loadBalancerIngressRules": {
+ "loadBalancerIngressAllowCidrBlocks": {
 "type": "array",
 "title": "Load balancer allow list",
 "description": "IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.",
diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
index be12b2b6..a27b7f00 100644
--- a/helm/cluster-aws/values.yaml
+++ b/helm/cluster-aws/values.yaml
@@ -48,7 +48,7 @@ controlPlane:
 etcdVolumeSizeGB: 100
 instanceType: r6i.xlarge
 kubeletVolumeSizeGB: 100
- loadBalancerIngressRules:
+ loadBalancerIngressAllowCidrBlocks:
 - 0.0.0.0/0
 machineHealthCheck:
 enabled: true
From f6ce8e2aa27e92a9122f419cf7da16cece9fee7c Mon Sep 17 00:00:00 2001
From: Jose Armesto Date: Wed, 11 Oct 2023 11:02:58 +0200 Subject: [PATCH 3/5] Remove default --- helm/cluster-aws/README.md | 2 +- helm/cluster-aws/values.schema.json | 7 ++----- helm/cluster-aws/values.yaml | 2 -- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md index 99800114..423d37f6 100644 --- a/helm/cluster-aws/README.md +++ b/helm/cluster-aws/README.md @@ -100,7 +100,7 @@ Properties within the `.controlPlane` top-level object | `controlPlane.etcdVolumeSizeGB` | **Etcd volume size (GB)**|**Type:** `integer`
**Default:** `100`| | `controlPlane.instanceType` | **EC2 instance type**|**Type:** `string`
**Default:** `"r6i.xlarge"`| | `controlPlane.kubeletVolumeSizeGB` | **Kubelet volume size (GB)**|**Type:** `integer`
**Default:** `100`| -| `controlPlane.loadBalancerIngressAllowCidrBlocks` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.|**Type:** `array`
**Default:** `["0.0.0.0/0"]`| +| `controlPlane.loadBalancerIngressAllowCidrBlocks` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed. These Nat Gateway IPs can be found in the Management Cluster AWSCluster '.status.networkStatus.natGatewaysIPs' field.|**Type:** `array`
| | `controlPlane.loadBalancerIngressAllowCidrBlocks[*]` | **Address range**|**Type:** `string`
| | `controlPlane.machineHealthCheck` | **Machine health check**|**Type:** `object`
| | `controlPlane.machineHealthCheck.enabled` | **Enable**|**Type:** `boolean`
**Default:** `true`|
diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
index 1359fc8f..1ed10ac3 100644
--- a/helm/cluster-aws/values.schema.json
+++ b/helm/cluster-aws/values.schema.json
@@ -588,14 +588,11 @@
 "loadBalancerIngressAllowCidrBlocks": {
 "type": "array",
 "title": "Load balancer allow list",
- "description": "IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.",
+ "description": "IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed. These Nat Gateway IPs can be found in the Management Cluster AWSCluster '.status.networkStatus.natGatewaysIPs' field.",
 "items": {
 "type": "string",
 "title": "Address range"
- },
- "default": [
- "0.0.0.0/0"
- ]
+ }
 },
 "machineHealthCheck": {
 "type": "object",
diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
index a27b7f00..f35c81a7 100644
--- a/helm/cluster-aws/values.yaml
+++ b/helm/cluster-aws/values.yaml
@@ -48,8 +48,6 @@ controlPlane:
 etcdVolumeSizeGB: 100
 instanceType: r6i.xlarge
 kubeletVolumeSizeGB: 100
- loadBalancerIngressAllowCidrBlocks:
- - 0.0.0.0/0
 machineHealthCheck:
 enabled: true
 maxUnhealthy: 40%
From 0810b4dfc5361220e11f8f8e99b8abf9a43abc92 Mon Sep 17 00:00:00 2001
From: Jose Armesto
Date: Wed, 11 Oct 2023 14:02:36 +0200
Subject: [PATCH 4/5] Always add GS VPN IPs
---
 helm/cluster-aws/templates/_aws_cluster.tpl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
index e9b36969..dc81f568 100644
--- a/helm/cluster-aws/templates/_aws_cluster.tpl
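Review bot: With the `default` removed, the new `description` still tells the user what to put in but not what happens when the field is omitted, which is now the common case. The template's `{{- if .Values.controlPlane.loadBalancerIngressAllowCidrBlocks }}` guard (outside this hunk) then renders no `ingressRules` at all, so the API load balancer keeps whatever rules the CAPA controller applies on its own, which is presumably not an allow list of any kind. Append one sentence to the description, e.g. `If unset, no ingress rules are rendered and the provider's default security group rules apply.`, and mirror it in the README row changed in the same patch.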
+++ b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -39,6 +39,8 @@ spec:
 fromPort: 6443
 toPort: 6443
 cidrBlocks:
+ - 185.102.95.187/32
+ - 95.179.153.65/32
 {{- toYaml .Values.controlPlane.loadBalancerIngressAllowCidrBlocks | nindent 6 }}
 {{- end }}
 network:
From 829050ae82b3bf3da16488928ee299d7a389e5fc Mon Sep 17 00:00:00 2001
From: Andreas Sommer
Date: Thu, 12 Oct 2023 10:41:10 +0200
Subject: [PATCH 5/5] Document definitive source of VPN IPs
---
 helm/cluster-aws/templates/_aws_cluster.tpl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
index dc81f568..97436312 100644
--- a/helm/cluster-aws/templates/_aws_cluster.tpl
+++ b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -39,8 +39,10 @@ spec:
 fromPort: 6443
 toPort: 6443
 cidrBlocks:
+ # Giant Swarm VPN IPs (internal link: https://github.com/giantswarm/vpn/tree/master/hosts_inventory, https://intranet.giantswarm.io/docs/support-and-ops/ops-recipes/tc_api_whitelisting/)
 - 185.102.95.187/32
 - 95.179.153.65/32
+
 {{- toYaml .Values.controlPlane.loadBalancerIngressAllowCidrBlocks | nindent 6 }}
 {{- end }}
 network:
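Review bot: The two static `/32` entries are not "always" added as the subject says: they sit under `cidrBlocks:` inside the `{{- if .Values.controlPlane.loadBalancerIngressAllowCidrBlocks }}` guard, which begins outside this hunk, so they are emitted only when a user has set the allow list, and with the value unset (the default since the previous patch) the whole `ingressRules` block is skipped. If that is the intended behaviour, the commit message and the value description should say that the operator ranges are appended to a user-provided list rather than applied unconditionally; if the intent really is unconditional, the entries would have to move outside the conditional, which changes what unset users get and needs its own review. Hardcoding the ranges in the template also means any rotation of those hosts requires a chart release; a separate chart value merged into this list (e.g. a constructed `controlPlane.operatorAllowCidrBlocks`) would let them be updated per installation without a rebuild.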
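Review bot: The added `#` line is a YAML comment, so it is emitted into the rendered `AWSCluster` manifest on every `helm template` run together with the intranet URL it carries; a Helm template comment, `{{- /* Giant Swarm VPN IPs, see hosts_inventory in the vpn repo */ }}`, keeps the provenance note in the chart source only. The extra empty `+` line before `{{- toYaml ... | nindent 6 }}` is not needed, since `nindent` already starts on a fresh line, and it makes the rendered list slightly harder to read in diffs. The enclosing `{{- if }}` block starts outside the hunk.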