Merge pull request #3704 from chrislovecnm/fixing-phases

Automatic merge from submit-queue. Fixing phases for security groups and elbs Please only review chrislovecnm@dc338c4 and chrislovecnm@0dc7a6e This PR depends on #3639
kubernetes · Oct 27, 2017 · 1cc2c4b · 1cc2c4b
2 parents 03e6047 + 0dc7a6e
commit 1cc2c4b
Show file tree

Hide file tree

Showing 7 changed files with 236 additions and 267 deletions.
diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
@@ -135,7 +135,6 @@ func TestSharedVPC(t *testing.T) {
 
 // TestPhaseNetwork tests the output of tf for the network phase
 func TestPhaseNetwork(t *testing.T) {
-	t.Skip("unable to pass test w/o removing elb stuff")
 	runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseNetwork)
 }
 
@@ -151,13 +150,6 @@ func TestPhaseCluster(t *testing.T) {
 	runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseCluster)
 }
 
-// TestPhaseCluster tests the output of tf for the loadbalancer phase
-func TestPhaseLoadBalancers(t *testing.T) {
-	t.Skip("unable to test until phase is created")
-	// TODO
-	// runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.LoadBalancers)
-}
-
 func runTest(t *testing.T, h *testutils.IntegrationTestHarness, clusterName string, srcDir string, version string, private bool, zones int, expectedFilenames []string, tfFileName string, phase *cloudup.Phase) {
 	var stdout bytes.Buffer
 
@@ -257,8 +249,8 @@ func runTest(t *testing.T, h *testutils.IntegrationTestHarness, clusterName stri
 		}
 	}
 
-	// Compare data files
-	{
+	// Compare data files if they are provided
+	if len(expectedFilenames) > 0 {
 		files, err := ioutil.ReadDir(path.Join(h.TempDir, "out", "data"))
 		if err != nil {
 			t.Fatalf("failed to read data dir: %v", err)

diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
@@ -35,7 +35,8 @@ const LoadBalancerDefaultIdleTimeout = 5 * time.Minute
 // APILoadBalancerBuilder builds a LoadBalancer for accessing the API
 type APILoadBalancerBuilder struct {
 	*AWSModelContext
-	Lifecycle *fi.Lifecycle
+	Lifecycle         *fi.Lifecycle
+	SecurityLifecycle *fi.Lifecycle
 }
 
 var _ fi.ModelBuilder = &APILoadBalancerBuilder{}
@@ -144,7 +145,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroup{
 			Name:      s(b.ELBSecurityGroupName("api")),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			VPC:              b.LinkToVPC(),
 			Description:      s("Security group for api ELB"),
@@ -157,7 +158,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("api-elb-egress"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToELBSecurityGroup("api"),
 			Egress:        fi.Bool(true),
@@ -171,7 +172,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 		for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess {
 			t := &awstasks.SecurityGroupRule{
 				Name:      s("https-api-elb-" + cidr),
-				Lifecycle: b.Lifecycle,
+				Lifecycle: b.SecurityLifecycle,
 
 				SecurityGroup: b.LinkToELBSecurityGroup("api"),
 				CIDR:          s(cidr),
@@ -187,7 +188,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("https-elb-to-master"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
 			SourceGroup:   b.LinkToELBSecurityGroup("api"),

diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go
@@ -35,7 +35,8 @@ const BastionELBDefaultIdleTimeout = 5 * time.Minute
 
 type BastionModelBuilder struct {
 	*KopsModelContext
-	Lifecycle *fi.Lifecycle
+	Lifecycle         *fi.Lifecycle
+	SecurityLifecycle *fi.Lifecycle
 }
 
 var _ fi.ModelBuilder = &BastionModelBuilder{}
@@ -56,7 +57,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroup{
 			Name:      s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			VPC:              b.LinkToVPC(),
 			Description:      s("Security group for bastion"),
@@ -69,7 +70,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-egress"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
 			Egress:        fi.Bool(true),
@@ -83,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("ssh-elb-to-bastion"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
 			SourceGroup:   b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
@@ -98,7 +99,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-to-master-ssh"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
 			SourceGroup:   b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
@@ -113,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-to-node-ssh"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
 			SourceGroup:   b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
@@ -128,7 +129,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroup{
 			Name:      s(b.ELBSecurityGroupName(BastionELBSecurityGroupPrefix)),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			VPC:              b.LinkToVPC(),
 			Description:      s("Security group for bastion ELB"),
@@ -141,7 +142,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-elb-egress"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 			Egress:        fi.Bool(true),
@@ -155,7 +156,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	for _, sshAccess := range b.Cluster.Spec.SSHAccess {
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("ssh-external-to-bastion-elb-" + sshAccess),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 			Protocol:      s("tcp"),

diff --git a/tests/integration/update_cluster/lifecycle_phases/network-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/network-kubernetes.tf
@@ -81,6 +81,7 @@ resource "aws_subnet" "us-test-1a-privateweave-example-com" {
     KubernetesCluster                                = "privateweave.example.com"
     Name                                             = "us-test-1a.privateweave.example.com"
     "kubernetes.io/cluster/privateweave.example.com" = "owned"
+    "kubernetes.io/role/internal-elb"                = "1"
   }
 }
 
@@ -93,6 +94,7 @@ resource "aws_subnet" "utility-us-test-1a-privateweave-example-com" {
     KubernetesCluster                                = "privateweave.example.com"
     Name                                             = "utility-us-test-1a.privateweave.example.com"
     "kubernetes.io/cluster/privateweave.example.com" = "owned"
+    "kubernetes.io/role/elb"                         = "1"
   }
 }
 

diff --git a/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf
@@ -87,6 +87,214 @@ resource "aws_key_pair" "kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39
   public_key = "${file("${path.module}/data/aws_key_pair_kubernetes.privateweave.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key")}"
 }
 
+resource "aws_security_group" "api-elb-privateweave-example-com" {
+  name        = "api-elb.privateweave.example.com"
+  vpc_id      = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for api ELB"
+
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name              = "api-elb.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "bastion-elb-privateweave-example-com" {
+  name        = "bastion-elb.privateweave.example.com"
+  vpc_id      = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for bastion ELB"
+
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name              = "bastion-elb.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "bastion-privateweave-example-com" {
+  name        = "bastion.privateweave.example.com"
+  vpc_id      = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for bastion"
+
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name              = "bastion.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "masters-privateweave-example-com" {
+  name        = "masters.privateweave.example.com"
+  vpc_id      = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for masters"
+
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name              = "masters.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "nodes-privateweave-example-com" {
+  name        = "nodes.privateweave.example.com"
+  vpc_id      = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for nodes"
+
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name              = "nodes.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group_rule" "all-master-to-master" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+}
+
+resource "aws_security_group_rule" "all-master-to-node" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.nodes-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+}
+
+resource "aws_security_group_rule" "all-node-to-node" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.nodes-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+}
+
+resource "aws_security_group_rule" "api-elb-egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "bastion-egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "bastion-elb-egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "bastion-to-master-ssh" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+}
+
+resource "aws_security_group_rule" "bastion-to-node-ssh" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.nodes-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+}
+
+resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "https-elb-to-master" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+}
+
+resource "aws_security_group_rule" "master-egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "node-egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "node-to-master-tcp-1-4000" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port                = 1
+  to_port                  = 4000
+  protocol                 = "tcp"
+}
+
+resource "aws_security_group_rule" "node-to-master-tcp-4003-65535" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port                = 4003
+  to_port                  = 65535
+  protocol                 = "tcp"
+}
+
+resource "aws_security_group_rule" "node-to-master-udp-1-65535" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port                = 1
+  to_port                  = 65535
+  protocol                 = "udp"
+}
+
+resource "aws_security_group_rule" "ssh-elb-to-bastion" {
+  type                     = "ingress"
+  security_group_id        = "${aws_security_group.bastion-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+}
+
+resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
 terraform = {
   required_version = ">= 0.9.3"
 }