Azure: Add network security group rules (testing)
jhixson74 committed Apr 12, 2024
1 parent dccbe52 commit 7bec6cc
Showing 3 changed files with 177 additions and 5 deletions.
7 changes: 4 additions & 3 deletions pkg/asset/machines/azure/machines.go
Expand Up @@ -298,15 +298,16 @@ func ConfigMasters(machines []machineapi.Machine, controlPlane *machinev1.Contro
}

func getNetworkInfo(platform *azure.Platform, clusterID, role string) (string, string, string, error) {
networkResourceGroupName := platform.NetworkResourceGroupName
if platform.VirtualNetwork == "" {
return platform.ClusterResourceGroupName(clusterID), fmt.Sprintf("%s-vnet", clusterID), fmt.Sprintf("%s-%s-subnet", clusterID, role), nil
networkResourceGroupName = platform.ClusterResourceGroupName(clusterID)
}

switch role {
case "worker":
return platform.NetworkResourceGroupName, platform.VirtualNetwork, platform.ComputeSubnet, nil
return networkResourceGroupName, platform.VirtualNetwork, platform.ComputeSubnetName(clusterID), nil
case "master":
return platform.NetworkResourceGroupName, platform.VirtualNetwork, platform.ControlPlaneSubnet, nil
return networkResourceGroupName, platform.VirtualNetwork, platform.ControlPlaneSubnetName(), nil
default:
return "", "", "", fmt.Errorf("unrecognized machine role %s", role)
}
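Review bot: The default-vnet branch no longer returns a vnet name: when `platform.VirtualNetwork` is empty the new code only overrides `networkResourceGroupName` and then falls through to return `platform.VirtualNetwork`, i.e. `""`, where the removed line returned `fmt.Sprintf("%s-vnet", clusterID)`. Unless every caller of getNetworkInfo derives the vnet name itself when it receives an empty string (not visible here), this drops the name for the installer-created network. Suggested change: declare `vnet := platform.VirtualNetwork` before the `if`, set `vnet = fmt.Sprintf("%s-vnet", clusterID)` inside it next to the resource-group override, and return `vnet` from both switch cases instead of `platform.VirtualNetwork`. The function's closing brace lies beyond the hunk.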
158 changes: 156 additions & 2 deletions pkg/asset/manifests/azure/cluster.go
Expand Up @@ -6,6 +6,7 @@ import (
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"

"github.com/openshift/installer/pkg/asset"
Expand Down Expand Up @@ -38,6 +39,9 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
})

resourceGroup := installConfig.Config.Platform.Azure.ClusterResourceGroupName(clusterID.InfraID)
controlPlaneSubnet := installConfig.Config.Platform.Azure.ControlPlaneSubnetName()
workerSubnet := installConfig.Config.Platform.Azure.ComputeSubnetName(clusterID.InfraID)

azureCluster := &capz.AzureCluster{
ObjectMeta: metav1.ObjectMeta{
Name: clusterID.InfraID,
Expand Down Expand Up @@ -79,21 +83,171 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
Subnets: capz.Subnets{
{
SubnetClassSpec: capz.SubnetClassSpec{
Name: "control-plane-subnet",
Name: controlPlaneSubnet,
Role: capz.SubnetControlPlane,
CIDRBlocks: []string{
subnets[0].String(),
},
},
SecurityGroup: capz.SecurityGroup{
Name: fmt.Sprintf("%s-nsg", clusterID.InfraID),
SecurityGroupClass: capz.SecurityGroupClass{
SecurityRules: []capz.SecurityRule{
{
Name: "everything",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 100,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("*"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
/*
{
Name: "apiserver_in",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 101,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("6443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ignition",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 102,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22623"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ssh",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 103,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "http",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 104,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("80"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "https",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 105,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
*/
},
},
},
},
{
SubnetClassSpec: capz.SubnetClassSpec{
Name: "worker-subnet",
Name: workerSubnet,
Role: capz.SubnetNode,
CIDRBlocks: []string{
subnets[1].String(),
},
},
SecurityGroup: capz.SecurityGroup{
Name: fmt.Sprintf("%s-worker-nsg", clusterID.InfraID),
SecurityGroupClass: capz.SecurityGroupClass{
SecurityRules: []capz.SecurityRule{
{
Name: "everything",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 100,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("*"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
/*
{
Name: "apiserver_in",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 101,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("6443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ignition",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 102,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22623"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ssh",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 103,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "http",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 104,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("80"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "https",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 105,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
*/
},
},
},
},
},
},
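Review bot: Both NSGs are generated with a single active rule named `everything` that allows inbound TCP from `*` to `*` on all ports at priority 100, while the port-scoped rules (apiserver 6443, ignition 22623, ssh, http, https) sit in a `/* */` block — so the manifest ships an allow-all inbound policy on both the control-plane and worker subnets. The title marks this as testing, but an allow-all at the lowest priority also shadows any narrower rule added later at 101–105, so the scoped rules cannot be enabled incrementally without first removing it. Before this lands, the `everything` rule should go and the scoped rules should be active (whether the worker NSG needs the apiserver/ignition entries at all, and whether ssh from `*` is intended, is a question for the owners); in the meantime a comment such as `// TODO(testing): allow-all rule, must be removed before merge` on each `everything` entry would make the intent explicit. The two rule lists are also duplicated verbatim between the subnets; a small helper returning the shared rules, called from both `SecurityRules:` fields, keeps them in step. GenerateClusterAssets starts before and ends after this hunk.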
17 changes: 17 additions & 0 deletions pkg/types/azure/platform.go
Expand Up @@ -163,6 +163,23 @@ func (p *Platform) ClusterResourceGroupName(infraID string) string {
return fmt.Sprintf("%s-rg", infraID)
}

// ControlPlaneSubnetName returns the name of the control plane subnet for the
// cluster.
func (p *Platform) ControlPlaneSubnetName() string {
if len(p.ControlPlaneSubnet) > 0 {
return p.ControlPlaneSubnet
}
return "control-plane-subnet"
}

// computeSubnetName returns the name of the compute subnet for the cluster.
func (p *Platform) ComputeSubnetName(infraID string) string {
if len(p.ComputeSubnet) > 0 {
return p.ComputeSubnet
}
return fmt.Sprintf("%s-worker-subnet", infraID)
}

// IsARO returns true if ARO-only modifications are enabled
func (p *Platform) IsARO() bool {
return aro
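Review bot: The doc comment on the second new method does not match its exported name: `// computeSubnetName returns ...` should read `// ComputeSubnetName returns the name of the compute subnet for the cluster.` so godoc and the linters pick it up. The two defaults are also asymmetric: `ControlPlaneSubnetName` takes no argument and falls back to the fixed `control-plane-subnet`, while `ComputeSubnetName` takes `infraID` and yields `<infraID>-worker-subnet`. If that is deliberate (the removed cluster.go line used the same fixed control-plane name), a one-line comment saying so would stop the next reader from "fixing" it; if not, giving both methods the same signature and prefix avoids a default control-plane subnet name that is identical for every cluster placed in the same pre-existing vnet. Style nit: `p.ControlPlaneSubnet != ""` reads more directly than `len(p.ControlPlaneSubnet) > 0`, and the same applies to the compute check.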
