OpenStack: enable IPv6 primary dual-stack cluster
This commit removes the restriction that only allowed IPv4-primary dual-stack
clusters. In preparation for future single-stack IPv6 clusters, it also duplicates
all the existing security group rules with the IPv6 ethertype, with the exception of
IKE NAT-T, since there is no NAT for IPv6.
MaysaMacedo committed Sep 25, 2023
1 parent 4e4eec6 commit 2748047
Showing 3 changed files with 397 additions and 3 deletions.
241 changes: 241 additions & 0 deletions data/data/openstack/masters/sg-master.tf
Expand Up @@ -16,6 +16,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_mcs_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 22623
port_range_max = 22623
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

# TODO(mandre) Explicitely enable egress

resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
Expand All @@ -30,6 +42,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "ipv6-icmp"
port_range_min = 0
port_range_max = 0
# FIXME(mandre) AWS only allows ICMP from cidr_block
remote_ip_prefix = "::/0"
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -42,6 +67,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -54,6 +91,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 53
port_range_max = 53
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -66,6 +115,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "udp"
port_range_min = 53
port_range_max = 53
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_api" {
direction = "ingress"
ethertype = "IPv4"
Expand Down Expand Up @@ -102,6 +163,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_vxlan" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_vxlan_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "udp"
port_range_min = 4789
port_range_max = 4789
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -114,6 +187,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "udp"
port_range_min = 6081
port_range_max = 6081
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -126,6 +211,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "udp"
port_range_min = 500
port_range_max = 500
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_nat_t" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -148,6 +245,16 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "esp"
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -160,6 +267,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 6641
port_range_max = 6642
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -172,6 +291,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 9000
port_range_max = 9999
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -184,6 +315,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "udp"
port_range_min = 9000
port_range_max = 9999
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -196,6 +339,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler"
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 10259
port_range_max = 10259
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller_manager" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -208,6 +363,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller_manager_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 10257
port_range_max = 10257
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -220,6 +387,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure"
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 10250
port_range_max = 10250
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -232,6 +411,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 2379
port_range_max = 2380
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -244,6 +435,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 30000
port_range_max = 32767
# For OVN LBs the traffic will have the *real* origin source-ip, so anything goes.
remote_ip_prefix = "::/0"
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -256,6 +460,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
protocol = "udp"
port_range_min = 30000
port_range_max = 32767
# For OVN LBs the traffic will have the *real* origin source-ip, so anything goes.
remote_ip_prefix = "::/0"
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
count = length(var.machine_v4_cidrs)
direction = "ingress"
Expand All @@ -268,6 +485,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp_v6" {
count = length(var.machine_v6_cidrs)
direction = "ingress"
ethertype = "IPv6"
# Explicitly set the vrrp protocol number to prevent cases when the Neutron Plugin
# is disabled and it cannot identify a number by name.
protocol = "112"
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_http" {
count = var.masters_schedulable ? 1 : 0
direction = "ingress"
Expand Down Expand Up @@ -327,3 +556,15 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_router" {
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}

resource "openstack_networking_secgroup_rule_v2" "master_ingress_router_v6" {
count = (var.masters_schedulable && length(var.machine_v6_cidrs) > 0) ? 1 : 0
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 1936
port_range_max = 1936
remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
security_group_id = openstack_networking_secgroup_v2.master.id
description = local.description
}
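Review bot: The three rules that keep a constant `remote_ip_prefix = "::/0"` (`master_ingress_icmp_v6`, `master_ingress_services_tcp_v6`, `master_ingress_services_udp_v6`) still use `count = length(var.machine_v6_cidrs)`, so with two or more IPv6 machine CIDRs Terraform will try to create byte-identical rules and Neutron rejects the second as a duplicate security group rule; the guard already used by `master_ingress_router_v6` fits here, `count = length(var.machine_v6_cidrs) > 0 ? 1 : 0` (the IPv4 siblings are not visible in this hunk and may carry the same pattern). There is also a security caveat worth a comment on those three rules: unlike the IPv4 machine network, which is usually RFC1918 space behind a router, IPv6 machine addresses are typically globally routable, so all ICMPv6 types and the whole 30000-32767 NodePort range become Internet-reachable on the masters unless something upstream filters them, e.g. `# NOTE: machine IPv6 addresses are usually global unicast; this ::/0 rule is reachable from outside the cloud unless filtered upstream.` If the `FIXME` on `master_ingress_icmp_v6` is addressed later, narrowing it to `var.machine_v6_cidrs` alone would break Neighbor Discovery, which arrives from link-local sources; keep `fe80::/10` or restrict by ICMPv6 type (NDP 133-137, Packet Too Big, echo) instead.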
