From 182e7514f78bfbc285cbd889ec1daa19f666f6a6 Mon Sep 17 00:00:00 2001
From: Simon Murray
Date: Mon, 2 Sep 2024 13:11:09 +0100
Subject: [PATCH] Add Firewall Rules to Cluster Nodes (#19)

At present you cannot add ephemeral rules to security groups for debug as that will ultimately get reverted and drive you insane, so allow the client to set some up e.g. SSH access for debugging.
---
 .../cluster-api-cluster-openstack/Chart.yaml | 2 +-
 .../cluster-api-cluster-openstack/README.md | 2 +-
 .../templates/cluster.yaml | 4 ++
 .../values.schema.json | 41 +++++++++++++++++++
 .../cluster-api-cluster-openstack/values.yaml | 9 ++++
 5 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/charts/cluster-api-cluster-openstack/Chart.yaml b/charts/cluster-api-cluster-openstack/Chart.yaml
index 11b3c83..c81d860 100644
--- a/charts/cluster-api-cluster-openstack/Chart.yaml
+++ b/charts/cluster-api-cluster-openstack/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: cluster-api-cluster-openstack
 description: A Helm chart to deploy a Kubernetes Cluster
 type: application
-version: v0.5.4
+version: v0.5.5
 icon: https://raw.githubusercontent.com/unikorn-cloud/helm-cluster-api/main/icons/default.png
diff --git a/charts/cluster-api-cluster-openstack/README.md b/charts/cluster-api-cluster-openstack/README.md
index 485332c..64dfa6e 100644
--- a/charts/cluster-api-cluster-openstack/README.md
+++ b/charts/cluster-api-cluster-openstack/README.md
@@ -36,7 +36,7 @@ spec:
 source:
 repoURL: https://unikorn-cloud.github.io/helm-cluster-api
 chart: cluster-api-cluster-openstack
- targetRevision: v0.5.4
+ targetRevision: v0.5.5
 helm:
 releaseName: foo
 # Remove the default work queue.
diff --git a/charts/cluster-api-cluster-openstack/templates/cluster.yaml b/charts/cluster-api-cluster-openstack/templates/cluster.yaml
index f5a9882..ba0c45a 100644
--- a/charts/cluster-api-cluster-openstack/templates/cluster.yaml
+++ b/charts/cluster-api-cluster-openstack/templates/cluster.yaml
@@ -52,6 +52,10 @@ spec:
 {{- end }}
 managedSecurityGroups:
 allowAllInClusterTraffic: true
+ {{- if .Values.network.securityGroupRules }}
+ allNodesSecurityGroupRules:
+ {{- toYaml .Values.network.securityGroupRules | nindent 4 }}
+ {{- end }}
 {{- if .Values.network.provider }}
 network:
 id: {{ .Values.network.provider.networkID }}
diff --git a/charts/cluster-api-cluster-openstack/values.schema.json b/charts/cluster-api-cluster-openstack/values.schema.json
index 7c7e21c..fd95d9c 100644
--- a/charts/cluster-api-cluster-openstack/values.schema.json
+++ b/charts/cluster-api-cluster-openstack/values.schema.json
@@ -355,6 +355,47 @@
 "type": "string"
 }
 }
+ },
+ "securityGroupRules": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "name",
+ "direction"
+ ],
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "ingress",
+ "egress"
+ ]
+ },
+ "etherType": {
+ "type": "string",
+ "enum": [
+ "IPv4",
+ "IPv6"
+ ]
+ },
+ "protocol": {
+ "type": "string",
+ "enum": [
+ "TCP"
+ ]
+ },
+ "portRangeMin": {
+ "type": "integer"
+ },
+ "portRangeMax": {
+ "type": "integer"
+ }
+ }
+ }
 }
 }
 }
diff --git a/charts/cluster-api-cluster-openstack/values.yaml b/charts/cluster-api-cluster-openstack/values.yaml
index 3298ca6..38ad648 100644
--- a/charts/cluster-api-cluster-openstack/values.yaml
+++ b/charts/cluster-api-cluster-openstack/values.yaml
@@ -196,3 +196,12 @@ network:
 # provider:
 # networkID: 8f526b54-fab3-435d-b4b3-f65fd8474b8a
 # subnetID: e3b15dd0-17e4-47c0-bc6c-1b8ea1f1018f
+
+ # If specified these security group rules are added to all nodes.
+ # securityGroupRules:
+ # - name: ssh-ingress
+ # direction: ingress
+ # etherType: IPv4
+ # protocol: TCP
+ # portRangeMin: 22
+ # portRangeMax: 22
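Review bot: The new block hands `.Values.network.securityGroupRules` to `allNodesSecurityGroupRules` verbatim with no comment saying where those rules land, so the field name is the only hint for the next editor. A short template comment above the `if` would carry that: `{{/* Operator-supplied rules appended to the managed security group of every node; rendered as given, so all validation lives in values.schema.json. */}}`. The `nindent 4` presumes `allNodesSecurityGroupRules:` sits two spaces under `managedSecurityGroups:`, which the collapsed hunk does not let me confirm; worth a `helm template` check of the rendered output. The enclosing `spec:` mapping starts and ends outside this hunk.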
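Review bot: The new `securityGroupRules` item schema gives no way to scope a rule's source: there is no `remoteIPPrefix` (nor `remoteGroupID`/`remoteManagedGroups`) property, so a rule such as the `ssh-ingress` example added in values.yaml is open to any address, because a Neutron rule with neither a remote prefix nor a remote group matches all sources. Add `"remoteIPPrefix": { "type": "string" }` alongside `portRangeMax` (CAPO's `SecurityGroupRuleSpec` accepts it) and show it in the values.yaml example so debug SSH can be limited to an operator CIDR rather than the whole internet. `portRangeMin` and `portRangeMax` are also unbounded integers; `"minimum": 1, "maximum": 65535` would reject a typo before CAPO has to. Whether the surrounding object sets `additionalProperties: false` (which would stop a user passing `remoteIPPrefix` through on their own today) is outside this hunk, so I cannot tell if the omission is merely advisory or actually blocking.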