Merge pull request #7259 from shiftstack/v6-primary
OpenStack: enable IPv6 primary dual-stack cluster
openshift-ci[bot] committed Oct 10, 2023
2 parents c926532 + 2748047 commit 92e2484
Showing 3 changed files with 397 additions and 3 deletions.
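--- a/data/data/openstack/masters/sg-master.tf
+++ b/data/data/openstack/masters/sg-master.tf
@@ -16,6 +16,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_mcs_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 22623
+port_range_max = 22623
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 # TODO(mandre) Explicitely enable egress
 
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
@@ -30,6 +42,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "ipv6-icmp"
+port_range_min = 0
+port_range_max = 0
+# FIXME(mandre) AWS only allows ICMP from cidr_block
+remote_ip_prefix = "::/0"
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -42,6 +67,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 22
+port_range_max = 22
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -54,6 +91,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 53
+port_range_max = 53
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -66,6 +115,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 53
+port_range_max = 53
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_api" {
 direction = "ingress"
 ethertype = "IPv4"
@@ -102,6 +163,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_vxlan" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vxlan_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 4789
+port_range_max = 4789
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -114,6 +187,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 6081
+port_range_max = 6081
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -126,6 +211,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 500
+port_range_max = 500
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_nat_t" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -148,6 +245,16 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "esp"
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -160,6 +267,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 6641
+port_range_max = 6642
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -172,6 +291,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 9000
+port_range_max = 9999
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -184,6 +315,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 9000
+port_range_max = 9999
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -196,6 +339,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler"
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 10259
+port_range_max = 10259
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller_manager" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -208,6 +363,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller_manager_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 10257
+port_range_max = 10257
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -220,6 +387,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure"
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 10250
+port_range_max = 10250
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -232,6 +411,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 2379
+port_range_max = 2380
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -244,6 +435,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 30000
+port_range_max = 32767
+# For OVN LBs the traffic will have the *real* origin source-ip, so anything goes.
+remote_ip_prefix = "::/0"
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -256,6 +460,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 30000
+port_range_max = 32767
+# For OVN LBs the traffic will have the *real* origin source-ip, so anything goes.
+remote_ip_prefix = "::/0"
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -268,6 +485,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+# Explicitly set the vrrp protocol number to prevent cases when the Neutron Plugin
+# is disabled and it cannot identify a number by name.
+protocol = "112"
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_http" {
 count = var.masters_schedulable ? 1 : 0
 direction = "ingress"
@@ -327,3 +556,15 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_router" {
 security_group_id = openstack_networking_secgroup_v2.master.id
 description = local.description
 }
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_router_v6" {
+count = (var.masters_schedulable && length(var.machine_v6_cidrs) > 0) ? 1 : 0
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 1936
+port_range_max = 1936
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}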
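Review bot: `master_ingress_router_v6` only ever opens TCP 1936 to the first entry of `var.machine_v6_cidrs`, because its `count` is fixed at `1` while `remote_ip_prefix` indexes with `count.index`; every other `_v6` rule in this file iterates the whole list, so a second machine CIDR silently gets no router-stats rule. Using `count = var.masters_schedulable ? length(var.machine_v6_cidrs) : 0` keeps the schedulable-masters gate and covers all CIDRs (the IPv4 `master_ingress_router` rule may share the limitation, but its `count` line is outside the hunk). Separately, `master_ingress_icmp_v6` is open to `::/0` under a FIXME copied from the IPv4 rule that talks about AWS; for IPv6 an off-prefix source is arguably required because neighbour discovery and PMTUD arrive from link-local and remote addresses, so the comment should state the real reason, e.g. `# ICMPv6 is deliberately open to ::/0: NDP and PMTUD originate from link-local / off-prefix sources; tighten by ICMPv6 type (port_range_min) rather than by source if needed.` Note also that IKE (UDP 500) and ESP gain IPv6 counterparts but `master_ingress_ike_nat_t` (UDP 4500) does not, which looks like an omission unless IPsec NAT-T over IPv6 is intentionally unsupported.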
