Azure: Add network security group rules (testing)
jhixson74 committed Apr 12, 2024
1 parent dccbe52 commit db0869e
Showing 2 changed files with 162 additions and 4 deletions.
13 changes: 10 additions & 3 deletions pkg/asset/machines/azure/machines.go
Expand Up @@ -298,15 +298,22 @@ func ConfigMasters(machines []machineapi.Machine, controlPlane *machinev1.Contro
}

func getNetworkInfo(platform *azure.Platform, clusterID, role string) (string, string, string, error) {
networkResourceGroupName := platform.NetworkResourceGroupName
if platform.ControlPlaneSubnet == "" {
platform.ControlPlaneSubnet = "control-plane-subnet"
}
if platform.ComputeSubnet == "" {
platform.ComputeSubnet = fmt.Sprintf("%s-worker-subnet", clusterID)
}
if platform.VirtualNetwork == "" {
return platform.ClusterResourceGroupName(clusterID), fmt.Sprintf("%s-vnet", clusterID), fmt.Sprintf("%s-%s-subnet", clusterID, role), nil
networkResourceGroupName = platform.ClusterResourceGroupName(clusterID)
}

switch role {
case "worker":
return platform.NetworkResourceGroupName, platform.VirtualNetwork, platform.ComputeSubnet, nil
return networkResourceGroupName, platform.VirtualNetwork, platform.ComputeSubnet, nil
case "master":
return platform.NetworkResourceGroupName, platform.VirtualNetwork, platform.ControlPlaneSubnet, nil
return networkResourceGroupName, platform.VirtualNetwork, platform.ControlPlaneSubnet, nil
default:
return "", "", "", fmt.Errorf("unrecognized machine role %s", role)
}
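Review bot: The new control-plane default, `platform.ControlPlaneSubnet = "control-plane-subnet"`, carries no cluster prefix while the worker default two lines below is `fmt.Sprintf("%s-worker-subnet", clusterID)`; unless cluster.go names the CAPZ control-plane subnet exactly `control-plane-subnet` (that line is outside this diff), master machines will reference a subnet that does not exist, so the two defaults should be derived the same way and checked against the manifest side. Both defaults are also written back into `platform`, so the caller's install-config struct is silently mutated, and because the assignments precede the `VirtualNetwork == ""` check they now apply in the BYO-VNet case too, where a generated name is unlikely to match a pre-existing subnet unless validation elsewhere already requires these fields. Resolving them into locals, e.g. `controlPlaneSubnet := platform.ControlPlaneSubnet` followed by the same empty check and returning that local, keeps getNetworkInfo side-effect free as the pre-change code was. getNetworkInfo's closing brace is outside the hunk.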
153 changes: 152 additions & 1 deletion pkg/asset/manifests/azure/cluster.go
Expand Up @@ -6,6 +6,7 @@ import (
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"

"github.com/openshift/installer/pkg/asset"
Expand Down Expand Up @@ -85,15 +86,165 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
subnets[0].String(),
},
},
SecurityGroup: capz.SecurityGroup{
Name: fmt.Sprintf("%s-nsg", clusterID.InfraID),
SecurityGroupClass: capz.SecurityGroupClass{
SecurityRules: []capz.SecurityRule{
{
Name: "everything",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 100,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("*"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
/*
{
Name: "apiserver_in",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 101,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("6443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ignition",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 102,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22623"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ssh",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 103,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "http",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 104,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("80"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "https",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 105,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
*/
},
},
},
},
{
SubnetClassSpec: capz.SubnetClassSpec{
Name: "worker-subnet",
Name: fmt.Sprintf("%s-worker-subnet", clusterID.InfraID),
Role: capz.SubnetNode,
CIDRBlocks: []string{
subnets[1].String(),
},
},
SecurityGroup: capz.SecurityGroup{
Name: fmt.Sprintf("%s-worker-nsg", clusterID.InfraID),
SecurityGroupClass: capz.SecurityGroupClass{
SecurityRules: []capz.SecurityRule{
{
Name: "everything",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 100,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("*"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
/*
{
Name: "apiserver_in",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 101,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("6443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ignition",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 102,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22623"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "ssh",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 103,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("22"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "http",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 104,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("80"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
{
Name: "https",
Protocol: capz.SecurityGroupProtocolTCP,
Direction: capz.SecurityRuleDirectionInbound,
Priority: 105,
SourcePorts: ptr.To("*"),
DestinationPorts: ptr.To("443"),
Source: ptr.To("*"),
Destination: ptr.To("*"),
Action: capz.SecurityRuleActionAllow,
},
*/
},
},
},
},
},
},
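Review bot: The active `everything` rule in the control-plane NSG (priority 100) and its byte-identical twin in the worker NSG allow inbound TCP from `Source: "*"` to `Destination: "*"` on `DestinationPorts: "*"`, which exposes every listening port on the nodes — 22, 6443 and 22623 among them — to any source that can route to the subnets; the commit title flags this as testing, so it must not survive into a mergeable state. The scoped rules meant to replace it are present but commented out, and when they are enabled the `ignition` rule (22623, the machine-config server, which normally should not be reachable from outside the cluster network) should not keep `Source: ptr.To("*")` but something like `Source: ptr.To("VirtualNetwork")`, and `ssh` from `*` deserves the same scrutiny. Since both NSGs carry the same rule list, I would also build it in one helper so the two cannot drift, as sketched below. Whether CAPZ merges these with its own default rules is not visible here, so confirm the effective rule set on a deployed NSG.

```go
// securityRules returns the inbound rules shared by the control-plane and
// worker NSGs. Never ship a catch-all "*"/"*" allow; scope each port.
func securityRules() []capz.SecurityRule {
	return []capz.SecurityRule{
		{
			Name:             "apiserver_in",
			Protocol:         capz.SecurityGroupProtocolTCP,
			Direction:        capz.SecurityRuleDirectionInbound,
			Priority:         101,
			SourcePorts:      ptr.To("*"),
			DestinationPorts: ptr.To("6443"),
			Source:           ptr.To("*"),
			Destination:      ptr.To("*"),
			Action:           capz.SecurityRuleActionAllow,
		},
		{
			Name:             "ignition",
			// … unchanged: protocol/direction/priority 102/source ports …
			DestinationPorts: ptr.To("22623"),
			Source:           ptr.To("VirtualNetwork"), // MCS is VNet-internal only
			Destination:      ptr.To("*"),
			Action:           capz.SecurityRuleActionAllow,
		},
		// … unchanged: ssh/http/https rules from the commented block, with ssh source reviewed …
	}
}

// in both SubnetSpecs:
SecurityRules: securityRules(),
```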
