
terraform: Add rules to allow internal IPsec traffic
Enable ESP and IKE traffic across all installer targets between
worker and master nodes.

Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
markdgray committed Dec 17, 2020
1 parent e235783 commit 0c9c6eb
Showing 5 changed files with 151 additions and 0 deletions.
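--- a/data/data/aws/vpc/sg-master.tf
+++ b/data/data/aws/vpc/sg-master.tf
@@ -93,6 +93,34 @@ resource "aws_security_group_rule" "master_ingress_geneve" {
 self = true
 }
 
+resource "aws_security_group_rule" "master_ingress_ike" {
+type = "ingress"
+security_group_id = aws_security_group.master.id
+
+protocol = "udp"
+from_port = 500
+to_port = 500
+self = true
+}
+
+resource "aws_security_group_rule" "master_ingress_ike_nat_t" {
+type = "ingress"
+security_group_id = aws_security_group.master.id
+
+protocol = "udp"
+from_port = 4500
+to_port = 4500
+self = true
+}
+
+resource "aws_security_group_rule" "master_ingress_esp" {
+type = "ingress"
+security_group_id = aws_security_group.master.id
+
+protocol = "esp"
+self = true
+}
+
 resource "aws_security_group_rule" "master_ingress_geneve_from_worker" {
 type = "ingress"
 security_group_id = aws_security_group.master.id
@@ -103,6 +131,34 @@ resource "aws_security_group_rule" "master_ingress_geneve_from_worker" {
 to_port = 6081
 }
 
+resource "aws_security_group_rule" "master_ingress_ike_from_worker" {
+type = "ingress"
+security_group_id = aws_security_group.master.id
+source_security_group_id = aws_security_group.worker.id
+
+protocol = "udp"
+from_port = 500
+to_port = 500
+}
+
+resource "aws_security_group_rule" "master_ingress_ike_nat_t_from_worker" {
+type = "ingress"
+security_group_id = aws_security_group.master.id
+source_security_group_id = aws_security_group.worker.id
+
+protocol = "udp"
+from_port = 4500
+to_port = 4500
+}
+
+resource "aws_security_group_rule" "master_ingress_esp_from_worker" {
+type = "ingress"
+security_group_id = aws_security_group.master.id
+source_security_group_id = aws_security_group.worker.id
+
+protocol = "esp"
+}
+
 resource "aws_security_group_rule" "master_ingress_ovndb" {
 type = "ingress"
 security_group_id = aws_security_group.master.id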
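Review bot: The two ESP rules (`master_ingress_esp` and `master_ingress_esp_from_worker`) set `protocol = "esp"` and omit `from_port`/`to_port`, unlike every other rule in these hunks; in the AWS provider's `aws_security_group_rule` schema those two arguments are required, and EC2 identifies protocols other than tcp/udp/icmp/icmpv6 by IANA number, so as written I would expect a validation or API error rather than an applied rule. Unless the provider version pinned by the installer is known to accept the name, I would write each ESP rule as `protocol = "50"`, `from_port = 0`, `to_port = 0`. The scoping itself (self plus the worker security group) is appropriately tight for intra-cluster IPsec.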
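--- a/data/data/aws/vpc/sg-worker.tf
+++ b/data/data/aws/vpc/sg-worker.tf
@@ -73,6 +73,34 @@ resource "aws_security_group_rule" "worker_ingress_geneve" {
 self = true
 }
 
+resource "aws_security_group_rule" "worker_ingress_ike" {
+type = "ingress"
+security_group_id = aws_security_group.worker.id
+
+protocol = "udp"
+from_port = 500
+to_port = 500
+self = true
+}
+
+resource "aws_security_group_rule" "worker_ingress_ike_nat_t" {
+type = "ingress"
+security_group_id = aws_security_group.worker.id
+
+protocol = "udp"
+from_port = 4500
+to_port = 4500
+self = true
+}
+
+resource "aws_security_group_rule" "worker_ingress_esp" {
+type = "ingress"
+security_group_id = aws_security_group.worker.id
+
+protocol = "esp"
+self = true
+}
+
 resource "aws_security_group_rule" "worker_ingress_geneve_from_master" {
 type = "ingress"
 security_group_id = aws_security_group.worker.id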
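Review bot: The worker security group only gains `self = true` rules here, while sg-master.tf in the same commit adds both self rules and `_from_worker` rules with `source_security_group_id = aws_security_group.worker.id`; nothing in this file admits IKE or ESP from the master security group, even though the pattern of the existing `worker_ingress_geneve_from_master` rule just below shows that the cross-group direction is normally declared explicitly. Unless stateful tracking on worker-initiated IKE is being relied on, master-initiated IKE to a worker and master-to-worker ESP would be dropped, so I would add `worker_ingress_ike_from_master`, `worker_ingress_ike_nat_t_from_master` and `worker_ingress_esp_from_master` mirroring the master-side rules with `source_security_group_id = aws_security_group.master.id`. The same `protocol = "esp"` without `from_port`/`to_port` concern as in sg-master.tf applies to `worker_ingress_esp`.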
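--- a/data/data/gcp/network/firewall.tf
+++ b/data/data/gcp/network/firewall.tf
@@ -101,6 +101,17 @@ resource "google_compute_firewall" "internal_cluster" {
 ports = ["4789", "6081"]
 }
 
+# ESP
+allow {
+protocol = "esp"
+}
+
+# IKE and IKE(NAT-T)
+allow {
+protocol = "udp"
+port = ["500", "4500"]
+}
+
 # internal tcp
 allow {
 protocol = "tcp"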
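Review bot: The new IKE `allow` block uses `port = ["500", "4500"]`, but the `allow` block of `google_compute_firewall` takes `ports` (plural), as the preceding Geneve block in the same hunk (`ports = ["4789", "6081"]`) shows; Terraform will reject `port` as an unsupported argument, so the IPsec rule never reaches GCP. The line should read `ports = ["500", "4500"]`. The `internal_cluster` resource that these blocks belong to starts and ends outside the hunk, so the source ranges the rule applies to are not visible here.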
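--- a/data/data/openstack/topology/sg-master.tf
+++ b/data/data/openstack/topology/sg-master.tf
@@ -98,6 +98,34 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
 security_group_id = openstack_networking_secgroup_v2.master.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "udp"
+port_range_min = 500
+port_range_max = 500
+remote_ip_prefix = var.cidr_block
+security_group_id = openstack_networking_secgroup_v2.master.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_nat_t" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "udp"
+port_range_min = 4500
+port_range_max = 4500
+remote_ip_prefix = var.cidr_block
+security_group_id = openstack_networking_secgroup_v2.master.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "esp"
+remote_ip_prefix = var.cidr_block
+security_group_id = openstack_networking_secgroup_v2.master.id
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
 direction = "ingress"
 ethertype = "IPv4"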
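Review bot: All three new rules admit IKE and ESP from `remote_ip_prefix = var.cidr_block`, i.e. from any address in the machine network rather than from cluster nodes only, which is wider than the AWS side of this commit where the same traffic is scoped to the master and worker security groups. The bodies of the neighbouring `master_ingress_geneve` and `master_ingress_ovndb` rules are outside the hunk, so this may simply follow the file's existing convention; if it does not, `remote_group_id = openstack_networking_secgroup_v2.worker.id` plus a matching self rule would keep the IPsec surface to node-to-node traffic. Note also that the rules are `ethertype = "IPv4"` only, so an IPv6 machine network would get no IPsec rules from this change.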
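--- a/data/data/openstack/topology/sg-worker.tf
+++ b/data/data/openstack/topology/sg-worker.tf
@@ -87,6 +87,34 @@ resource "openstack_networking_secgroup_rule_v2" "worker_ingress_geneve" {
 security_group_id = openstack_networking_secgroup_v2.worker.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "worker_ingress_ike" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "udp"
+port_range_min = 500
+port_range_max = 500
+remote_ip_prefix = var.cidr_block
+security_group_id = openstack_networking_secgroup_v2.worker.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "worker_ingress_ike_nat_t" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "udp"
+port_range_min = 4500
+port_range_max = 4500
+remote_ip_prefix = var.cidr_block
+security_group_id = openstack_networking_secgroup_v2.worker.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "worker_ingress_esp" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "esp"
+remote_ip_prefix = var.cidr_block
+security_group_id = openstack_networking_secgroup_v2.worker.id
+}
+
 resource "openstack_networking_secgroup_rule_v2" "worker_ingress_internal" {
 direction = "ingress"
 ethertype = "IPv4"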
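Review bot: Unlike the GCP hunk, which labels its blocks `# ESP` and `# IKE and IKE(NAT-T)`, the three OpenStack worker rules carry no explanation of why UDP 500, UDP 4500 and ESP are being opened, and `openstack_networking_secgroup_rule_v2` supports a `description` argument that would surface that intent in the OpenStack API as well as in the code. I would add `description = "IKE for node-to-node IPsec"` to `worker_ingress_ike`, `description = "IKE NAT-T for node-to-node IPsec"` to `worker_ingress_ike_nat_t`, and `description = "ESP for node-to-node IPsec"` to `worker_ingress_esp`, or at minimum a one-line `#` comment above each.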
