Merge pull request #15 from rancherfederal/clb

change apiserver nlb to classic lb

examples/cloud-enabled/main.tf

@@ -175,10 +175,7 @@ EOT
 
   cluster_data = module.rke2.cluster_data
 
-  tags = merge({
-    "k8s.io/cluster-autoscaler/enabled"               = "true"
-    "k8s.io/cluster-autoscaler/${local.cluster_name}" = "true"
-  }, local.tags)
+  tags = local.tags
 }
 
 # For demonstration only, lock down ssh access in production

examples/quickstart/main.tf

@@ -22,26 +22,6 @@ data "aws_subnet" "default" {
   default_for_az    = true
 }
 
-data "aws_ami" "ubuntu" {
-  owners      = ["513442679011"] # owner is for aws gov cloud
-  most_recent = true
-
-  filter {
-    name   = "name"
-    values = ["ubuntu*-20.04*"]
-  }
-
-  filter {
-    name   = "architecture"
-    values = ["x86_64"]
-  }
-
-  filter {
-    name   = "architecture"
-    values = ["x86_64"]
-  }
-}
-
 # Private Key
 resource "tls_private_key" "ssh" {
   algorithm = "RSA"
@@ -54,6 +34,21 @@ resource "local_file" "pem" {
   file_permission = "0600"
 }
 
+data "aws_ami" "rhel8" {
+  most_recent = true
+  owners      = ["219670896067"] # owner is specific to aws gov cloud
+
+  filter {
+    name   = "name"
+    values = ["RHEL-8*"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
 #
 # Server
 #
@@ -63,7 +58,7 @@ module "rke2" {
   cluster_name          = local.cluster_name
   vpc_id                = data.aws_vpc.default.id
   subnets               = [data.aws_subnet.default.id]
-  ami                   = data.aws_ami.ubuntu.image_id
+  ami                   = data.aws_ami.rhel8.image_id
   ssh_authorized_keys   = [tls_private_key.ssh.public_key_openssh]
   controlplane_internal = false # Note this defaults to best practice of true, but is explicitly set to public for demo purposes
 
@@ -79,7 +74,7 @@ module "agents" {
   name                = "generic"
   vpc_id              = data.aws_vpc.default.id
   subnets             = [data.aws_subnet.default.id]
-  ami                 = data.aws_ami.ubuntu.image_id
+  ami                 = data.aws_ami.rhel8.image_id
   ssh_authorized_keys = [tls_private_key.ssh.public_key_openssh]
   tags                = local.tags
 

main.tf

@@ -46,14 +46,17 @@ module "statestore" {
 # Controlplane Load Balancer
 #
 module "cp_lb" {
-  source  = "./modules/nlb"
+  source  = "./modules/elb"
   name    = local.uname
   vpc_id  = var.vpc_id
   subnets = var.subnets
 
   enable_cross_zone_load_balancing = var.controlplane_enable_cross_zone_load_balancing
   internal                         = var.controlplane_internal
 
+  cp_ingress_cidr_blocks            = var.controlplane_allowed_cidrs
+  cp_supervisor_ingress_cidr_blocks = var.controlplane_allowed_cidrs
+
   tags = merge({}, local.default_tags, local.default_tags, var.tags)
 }
 
@@ -102,21 +105,21 @@ resource "aws_security_group" "server" {
 }
 
 resource "aws_security_group_rule" "server_cp" {
-  from_port         = 6443
-  to_port           = 6443
-  protocol          = "tcp"
-  security_group_id = aws_security_group.server.id
-  type              = "ingress"
-  cidr_blocks       = var.controlplane_allowed_cidrs
+  from_port                = 6443
+  to_port                  = 6443
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.server.id
+  type                     = "ingress"
+  source_security_group_id = module.cp_lb.security_group
 }
 
 resource "aws_security_group_rule" "server_cp_supervisor" {
-  from_port         = 9345
-  to_port           = 9345
-  protocol          = "tcp"
-  security_group_id = aws_security_group.server.id
-  type              = "ingress"
-  cidr_blocks       = var.controlplane_allowed_cidrs
+  from_port                = 9345
+  to_port                  = 9345
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.server.id
+  type                     = "ingress"
+  source_security_group_id = module.cp_lb.security_group
 }
 
 #
@@ -179,10 +182,7 @@ module "servers" {
   block_device_mappings  = var.block_device_mappings
   vpc_security_group_ids = [aws_security_group.server.id, aws_security_group.cluster.id]
   spot                   = var.spot
-  target_group_arns = [
-    module.cp_lb.server_tg_arn,
-    module.cp_lb.server_supervisor_tg_arn,
-  ]
+  load_balancers         = [module.cp_lb.name]
 
   # Overrideable variables
   userdata             = data.template_cloudinit_config.this.rendered

modules/elb/main.tf

@@ -0,0 +1,78 @@
+locals {
+  # Handle case where target group/load balancer name exceeds 32 character limit
+  controlplane_name = substr("${var.name}-rke2-cp", 0, 31)
+  server_name       = substr("${var.name}-rke2-server", 0, 31)
+  supervisor_name   = substr("${var.name}-rke2-supervisor", 0, 31)
+}
+
+resource "aws_security_group" "controlplane" {
+  name        = local.controlplane_name
+  description = "${local.controlplane_name} sg"
+  vpc_id      = var.vpc_id
+
+  tags = merge({}, var.tags)
+}
+
+resource "aws_security_group_rule" "apiserver" {
+  from_port         = var.cp_port
+  to_port           = var.cp_port
+  protocol          = "tcp"
+  security_group_id = aws_security_group.controlplane.id
+  type              = "ingress"
+
+  cidr_blocks = var.cp_ingress_cidr_blocks
+}
+
+resource "aws_security_group_rule" "supervisor" {
+  from_port         = var.cp_supervisor_port
+  to_port           = var.cp_supervisor_port
+  protocol          = "tcp"
+  security_group_id = aws_security_group.controlplane.id
+  type              = "ingress"
+
+  cidr_blocks = var.cp_supervisor_ingress_cidr_blocks
+}
+
+resource "aws_security_group_rule" "egress" {
+  from_port         = "0"
+  to_port           = "0"
+  protocol          = "-1"
+  security_group_id = aws_security_group.controlplane.id
+  type              = "egress"
+
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_elb" "controlplane" {
+  name = local.controlplane_name
+
+  internal        = var.internal
+  subnets         = var.subnets
+  security_groups = [aws_security_group.controlplane.id]
+
+  cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+  listener {
+    instance_port     = var.cp_port
+    instance_protocol = "TCP"
+    lb_port           = var.cp_port
+    lb_protocol       = "TCP"
+  }
+
+  listener {
+    instance_port     = var.cp_supervisor_port
+    instance_protocol = "TCP"
+    lb_port           = var.cp_supervisor_port
+    lb_protocol       = "TCP"
+  }
+
+  health_check {
+    healthy_threshold   = 3
+    interval            = 10
+    target              = "TCP:${var.cp_supervisor_port}"
+    timeout             = 3
+    unhealthy_threshold = 3
+  }
+
+  tags = merge({}, var.tags)
+}

modules/elb/outputs.tf

@@ -0,0 +1,15 @@
+output "dns" {
+  value = aws_elb.controlplane.dns_name
+}
+
+output "id" {
+  value = aws_elb.controlplane.id
+}
+
+output "name" {
+  value = aws_elb.controlplane.name
+}
+
+output "security_group" {
+  value = aws_security_group.controlplane.id
+}

modules/nodepool/main.tf

@@ -50,6 +50,7 @@ resource "aws_autoscaling_group" "this" {
   # Health check and target groups dependent on whether we're a server or not (identified via rke2_url)
   health_check_type = var.health_check_type
   target_group_arns = var.target_group_arns
+  load_balancers    = var.load_balancers
 
   min_elb_capacity = var.min_elb_capacity
 

modules/nodepool/variables.tf

@@ -44,6 +44,11 @@ variable "target_group_arns" {
   default = []
 }
 
+variable "load_balancers" {
+  type    = list(string)
+  default = []
+}
+
 variable "vpc_security_group_ids" {
   type    = list(string)
   default = []

variables.tf

@@ -91,7 +91,6 @@ variable "controlplane_allowed_cidrs" {
   default     = ["0.0.0.0/0"]
 }
 
-
 #
 # RKE2 Variables
 #