Add Firewall Rules to Cluster Nodes

At present you cannot add ephemeral rules to security groups for debug as that will ultimately get reverted and drive you insane, so allow the client to set some up e.g. SSH access for debugging.
unikorn-cloud · Sep 2, 2024 · 9e859e2 · 9e859e2
1 parent 7080a20
commit 9e859e2
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 1 deletion.
diff --git a/charts/cluster-api-cluster-openstack/Chart.yaml b/charts/cluster-api-cluster-openstack/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: cluster-api-cluster-openstack
 description: A Helm chart to deploy a Kubernetes Cluster
 type: application
-version: v0.5.4
+version: v0.5.5
 icon: https://raw.githubusercontent.com/unikorn-cloud/helm-cluster-api/main/icons/default.png
diff --git a/charts/cluster-api-cluster-openstack/templates/cluster.yaml b/charts/cluster-api-cluster-openstack/templates/cluster.yaml
@@ -52,6 +52,10 @@ spec:
     {{- end }}
   managedSecurityGroups:
     allowAllInClusterTraffic: true
+  {{- if .Values.network.securityGroupRules }}
+    allNodesSecurityGroupRules:
+    {{- toYaml .Values.network.securityGroupRules | nindent 4 }}
+  {{- end }}
   {{- if .Values.network.provider }}
   network:
     id: {{ .Values.network.provider.networkID }}

diff --git a/charts/cluster-api-cluster-openstack/values.schema.json b/charts/cluster-api-cluster-openstack/values.schema.json
@@ -355,6 +355,47 @@
 							"type": "string"
 						}
 					}
+				},
+				"securityGroupRules": {
+					"type": "array",
+					"items": {
+						"type": "object",
+						"required": [
+							"name",
+							"direction"
+						],
+						"properties": {
+							"name": {
+								"type": "string"
+							},
+							"direction": {
+								"type": "string",
+								"enum": [
+									"ingress",
+									"egress"
+								]
+							},
+							"etherType": {
+								"type": "string",
+								"enum": [
+									"IPv4",
+									"IPv6"
+								]
+							},
+							"protocol": {
+								"type": "string",
+								"enum": [
+									"TCP"
+								]
+							},
+							"portRangeMin": {
+								"type": "integer"
+							},
+							"portRangeMax": {
+								"type": "integer"
+							}
+						}
+					}
 				}
 			}
 		}

diff --git a/charts/cluster-api-cluster-openstack/values.yaml b/charts/cluster-api-cluster-openstack/values.yaml
@@ -196,3 +196,12 @@ network:
   # provider:
   #   networkID: 8f526b54-fab3-435d-b4b3-f65fd8474b8a
   #   subnetID: e3b15dd0-17e4-47c0-bc6c-1b8ea1f1018f
+
+  # If specified these security group rules are added to all nodes.
+  # securityGroupRules:
+  # - name: ssh-ingress
+  #   direction: ingress
+  #   etherType: IPv4
+  #   protocol: TCP
+  #   portRangeMin: 22
+  #   portRangeMax: 22