From 9e859e28a2910ae8b751df2321312266d8c3703b Mon Sep 17 00:00:00 2001
From: Simon Murray
Date: Mon, 2 Sep 2024 12:57:49 +0100
Subject: [PATCH] Add Firewall Rules to Cluster Nodes

At present you cannot add ephemeral rules to security groups for debug as that will ultimately get reverted and drive you insane, so allow the client to set some up e.g. SSH access for debugging.
---
 .../cluster-api-cluster-openstack/Chart.yaml | 2 +-
 .../templates/cluster.yaml | 4 ++
 .../values.schema.json | 41 +++++++++++++++++++
 .../cluster-api-cluster-openstack/values.yaml | 9 ++++
 4 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/charts/cluster-api-cluster-openstack/Chart.yaml b/charts/cluster-api-cluster-openstack/Chart.yaml
index 11b3c83..c81d860 100644
--- a/charts/cluster-api-cluster-openstack/Chart.yaml
+++ b/charts/cluster-api-cluster-openstack/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: cluster-api-cluster-openstack
 description: A Helm chart to deploy a Kubernetes Cluster
 type: application
-version: v0.5.4
+version: v0.5.5
 icon: https://raw.githubusercontent.com/unikorn-cloud/helm-cluster-api/main/icons/default.png
diff --git a/charts/cluster-api-cluster-openstack/templates/cluster.yaml b/charts/cluster-api-cluster-openstack/templates/cluster.yaml
index f5a9882..ba0c45a 100644
--- a/charts/cluster-api-cluster-openstack/templates/cluster.yaml
+++ b/charts/cluster-api-cluster-openstack/templates/cluster.yaml
@@ -52,6 +52,10 @@ spec:
 {{- end }}
 managedSecurityGroups:
 allowAllInClusterTraffic: true
+ {{- if .Values.network.securityGroupRules }}
+ allNodesSecurityGroupRules:
+ {{- toYaml .Values.network.securityGroupRules | nindent 4 }}
+ {{- end }}
 {{- if .Values.network.provider }}
 network:
 id: {{ .Values.network.provider.networkID }}
diff --git a/charts/cluster-api-cluster-openstack/values.schema.json b/charts/cluster-api-cluster-openstack/values.schema.json
index 7c7e21c..fd95d9c 100644
--- a/charts/cluster-api-cluster-openstack/values.schema.json
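Review bot: The `toYaml .Values.network.securityGroupRules | nindent 4` line hands the caller's rules to CAPO unmodified, so values.schema.json is the only gate on what lands in allNodesSecurityGroupRules, and nothing in the template says that these rules apply to every node (the CAPO field name suggests control plane and workers alike, and the values.yaml comment in this commit says "all nodes"). A template comment above the `{{- if` line would make that explicit for the next maintainer: `{{- /* Extra rules merged into every node's managed security group; passed to CAPO as given, so scope them with remoteIPPrefix in values. */ }}`. The collapsed rendering hides indentation, but `nindent 4` places the list items at the same column as `allNodesSecurityGroupRules:` if that key sits at column 4, which is valid flush-style YAML; confirm against `helm template` output. The enclosing spec block starts and ends outside the hunk.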
+++ b/charts/cluster-api-cluster-openstack/values.schema.json
@@ -355,6 +355,47 @@
 "type": "string"
 }
 }
+ },
+ "securityGroupRules": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "name",
+ "direction"
+ ],
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "ingress",
+ "egress"
+ ]
+ },
+ "etherType": {
+ "type": "string",
+ "enum": [
+ "IPv4",
+ "IPv6"
+ ]
+ },
+ "protocol": {
+ "type": "string",
+ "enum": [
+ "TCP"
+ ]
+ },
+ "portRangeMin": {
+ "type": "integer"
+ },
+ "portRangeMax": {
+ "type": "integer"
+ }
+ }
+ }
 }
 }
 }
diff --git a/charts/cluster-api-cluster-openstack/values.yaml b/charts/cluster-api-cluster-openstack/values.yaml
index 3298ca6..38ad648 100644
--- a/charts/cluster-api-cluster-openstack/values.yaml
+++ b/charts/cluster-api-cluster-openstack/values.yaml
@@ -196,3 +196,12 @@ network:
 # provider:
 # networkID: 8f526b54-fab3-435d-b4b3-f65fd8474b8a
 # subnetID: e3b15dd0-17e4-47c0-bc6c-1b8ea1f1018f
+
+ # If specified these security group rules are added to all nodes.
+ # securityGroupRules:
+ # - name: ssh-ingress
+ # direction: ingress
+ # etherType: IPv4
+ # protocol: TCP
+ # portRangeMin: 22
+ # portRangeMax: 22
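Review bot: The new securityGroupRules item schema gives the caller no way to scope an ingress rule to a source address — the properties stop at name, direction, etherType, protocol and the port range — so every rule admitted here is rendered without a remote prefix, and a Neutron rule with no remote IP prefix or remote group matches any source. For the stated use case that means the debug SSH port is opened on every node to any address, which is exactly what the commented example in this commit's values.yaml hunk (`ssh-ingress`, port 22, no remote scope) documents as the pattern to copy. CAPO's SecurityGroupRuleSpec accepts `remoteIPPrefix`, so adding `"remoteIPPrefix": { "type": "string" }` to properties lets rules be restricted, and the values.yaml example should carry `remoteIPPrefix: <operator CIDR placeholder>` so the documented pattern is scoped by default. The port range could also be bounded with `"minimum": 1, "maximum": 65535` on portRangeMin and portRangeMax so an out-of-range value fails at `helm install` rather than later. Whether this schema sets additionalProperties elsewhere is not visible in the hunk; since the template passes the object through with toYaml, any unknown key would reach CAPO unchecked by the chart.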