Merge pull request #242 from steveeJ/aws-consolidate-tnc-api-elb

*: clean up AWS ELBs
openshift · Sep 21, 2018 · e03d43f · e03d43f
2 parents da9b472 + 08708cc
commit e03d43f
Show file tree

Hide file tree

Showing 19 changed files with 71 additions and 163 deletions.
diff --git a/installer/pkg/config-generator/ignition.go b/installer/pkg/config-generator/ignition.go
@@ -100,7 +100,7 @@ func parseIgnFile(filePath string) (ignconfigtypes.Config, error) {
 
 func (c *ConfigGenerator) embedAppendBlock(ignCfg *ignconfigtypes.Config, role string, query string) {
 	appendBlock := ignconfigtypes.ConfigReference{
-		Source:       c.getTNCURL(role, query),
+		Source:       c.getMCSURL(role, query),
 		Verification: ignconfigtypes.Verification{Hash: nil},
 	}
 	ignCfg.Ignition.Config.Append = append(ignCfg.Ignition.Config.Append, appendBlock)
@@ -123,21 +123,15 @@ func (c *ConfigGenerator) embedUserBlock(ignCfg *ignconfigtypes.Config) {
 	ignCfg.Passwd.Users = append(ignCfg.Passwd.Users, userBlock)
 }
 
-func (c *ConfigGenerator) getTNCURL(role string, query string) string {
+func (c *ConfigGenerator) getMCSURL(role string, query string) string {
 	var u string
-
-	// cloud platforms put this behind a load balancer which remaps ports;
-	// libvirt doesn't do that - use the tnc port directly
-	port := 80
-	if c.Platform == config.PlatformLibvirt {
-		port = 49500
-	}
+	port := 49500
 
 	if role == "master" || role == "worker" {
 		u = func() *url.URL {
 			return &url.URL{
 				Scheme:   "https",
-				Host:     fmt.Sprintf("%s-tnc.%s:%d", c.Name, c.BaseDomain, port),
+				Host:     fmt.Sprintf("%s-api.%s:%d", c.Name, c.BaseDomain, port),
 				Path:     fmt.Sprintf("/config/%s", role),
 				RawQuery: query,
 			}

diff --git a/installer/pkg/config-generator/tls.go b/installer/pkg/config-generator/tls.go
@@ -240,7 +240,7 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 	}
 
 	// MachineConfigServer certs
-	mcsDomain := fmt.Sprintf("%s-tnc.%s", c.Name, c.BaseDomain)
+	mcsDomain := fmt.Sprintf("%s-api.%s", c.Name, c.BaseDomain)
 	cfg = &tls.CertCfg{
 		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		DNSNames:     []string{mcsDomain},

diff --git a/installer/pkg/workflow/init.go b/installer/pkg/workflow/init.go
@@ -17,7 +17,6 @@ import (
 const (
 	generatedPath              = "generated"
 	kcoConfigFileName          = "kco-config.yaml"
-	tncoConfigFileName         = "tnco-config.yaml"
 	maoConfigFileName          = "mao-config.yaml"
 	kubeSystemPath             = "generated/manifests"
 	kubeSystemFileName         = "cluster-config.yaml"

diff --git a/modules/aws/master/main.tf b/modules/aws/master/main.tf
@@ -112,12 +112,6 @@ resource "aws_instance" "master" {
   ), var.extra_tags)}"
 }
 
-resource "aws_elb_attachment" "masters_tnc" {
-  count    = "${var.private_endpoints ? var.instance_count : 0}"
-  elb      = "${var.elb_tnc_id}"
-  instance = "${aws_instance.master.*.id[count.index]}"
-}
-
 resource "aws_elb_attachment" "masters_internal" {
   count    = "${var.private_endpoints ? var.instance_count : 0}"
   elb      = "${var.elb_api_internal_id}"

diff --git a/modules/aws/master/variables.tf b/modules/aws/master/variables.tf
@@ -56,10 +56,6 @@ variable "public_endpoints" {
   default     = true
 }
 
-variable "elb_tnc_id" {
-  type = "string"
-}
-
 variable "elb_api_internal_id" {
   type = "string"
 }

diff --git a/modules/aws/vpc/master-elb.tf b/modules/aws/vpc/master-elb.tf
@@ -1,36 +1,3 @@
-resource "aws_elb" "tnc" {
-  count           = "${var.private_master_endpoints ? 1 : 0}"
-  name            = "${var.cluster_name}-tnc"
-  subnets         = ["${local.master_subnet_ids}"]
-  internal        = true
-  security_groups = ["${aws_security_group.tnc.id}"]
-
-  idle_timeout                = 3600
-  connection_draining         = true
-  connection_draining_timeout = 300
-
-  listener {
-    instance_port     = 49500
-    instance_protocol = "tcp"
-    lb_port           = 80
-    lb_protocol       = "tcp"
-  }
-
-  health_check {
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 3
-    target              = "TCP:49500"
-    interval            = 5
-  }
-
-  tags = "${merge(map(
-      "Name", "${var.cluster_name}-int",
-      "kubernetes.io/cluster/${var.cluster_name}", "owned",
-      "tectonicClusterID", "${var.cluster_id}"
-    ), var.extra_tags)}"
-}
-
 resource "aws_elb" "api_internal" {
   count           = "${var.private_master_endpoints ? 1 : 0}"
   name            = "${var.cluster_name}-int"
@@ -49,6 +16,13 @@ resource "aws_elb" "api_internal" {
     lb_protocol       = "tcp"
   }
 
+  listener {
+    instance_port     = 49500
+    instance_protocol = "tcp"
+    lb_port           = 49500
+    lb_protocol       = "tcp"
+  }
+
   health_check {
     healthy_threshold   = 2
     unhealthy_threshold = 2
@@ -57,6 +31,15 @@ resource "aws_elb" "api_internal" {
     interval            = 5
   }
 
+  # TODO: we only have on health_check per ELB but need to check the following too
+  # health_check {
+  #   healthy_threshold   = 2
+  #   unhealthy_threshold = 2
+  #   timeout             = 3
+  #   target              = "TCP:49500"
+  #   interval            = 5
+  # }
+
   tags = "${merge(map(
       "Name", "${var.cluster_name}-int",
       "kubernetes.io/cluster/${var.cluster_name}", "owned",

diff --git a/modules/aws/vpc/outputs.tf b/modules/aws/vpc/outputs.tf
@@ -42,23 +42,19 @@ output "aws_elb_console_id" {
   value = "${aws_elb.console.id}"
 }
 
-output "aws_elb_tnc_id" {
-  value = "${aws_elb.tnc.0.id}"
-}
-
 output "aws_lbs" {
-  value = ["${compact(concat(aws_elb.api_internal.*.id, list(aws_elb.console.id), aws_elb.api_external.*.id, aws_elb.tnc.*.id))}"]
+  value = ["${compact(concat(aws_elb.api_internal.*.id, list(aws_elb.console.id), aws_elb.api_external.*.id))}"]
 }
 
-output "aws_api_external_dns_name" {
+output "aws_elb_api_external_dns_name" {
   value = "${element(concat(aws_elb.api_external.*.dns_name, list("")), 0)}"
 }
 
 output "aws_elb_api_external_zone_id" {
   value = "${element(concat(aws_elb.api_external.*.zone_id, list("")), 0)}"
 }
 
-output "aws_api_internal_dns_name" {
+output "aws_elb_api_internal_dns_name" {
   value = "${element(concat(aws_elb.api_internal.*.dns_name, list("")), 0)}"
 }
 
@@ -73,11 +69,3 @@ output "aws_console_dns_name" {
 output "aws_elb_console_zone_id" {
   value = "${aws_elb.console.zone_id}"
 }
-
-output "aws_elb_tnc_dns_name" {
-  value = "${element(concat(aws_elb.tnc.*.dns_name, list("")), 0)}"
-}
-
-output "aws_elb_tnc_zone_id" {
-  value = "${element(concat(aws_elb.tnc.*.zone_id, list("")), 0)}"
-}
diff --git a/modules/aws/vpc/sg-elb.tf b/modules/aws/vpc/sg-elb.tf
@@ -1,43 +1,3 @@
-resource "aws_security_group" "tnc" {
-  vpc_id = "${data.aws_vpc.cluster_vpc.id}"
-
-  tags = "${merge(map(
-      "Name", "${var.cluster_name}_tnc_sg",
-      "kubernetes.io/cluster/${var.cluster_name}", "owned",
-      "tectonicClusterID", "${var.cluster_id}"
-    ), var.extra_tags)}"
-}
-
-resource "aws_security_group_rule" "tnc_egress" {
-  type              = "egress"
-  security_group_id = "${aws_security_group.tnc.id}"
-
-  from_port   = 0
-  to_port     = 0
-  protocol    = "-1"
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "tnc_ingress_http" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.tnc.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 80
-  to_port     = 80
-}
-
-resource "aws_security_group_rule" "tnc_ingress_https" {
-  type              = "ingress"
-  security_group_id = "${aws_security_group.tnc.id}"
-
-  protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
-  from_port   = 443
-  to_port     = 443
-}
-
 resource "aws_security_group" "api" {
   vpc_id = "${data.aws_vpc.cluster_vpc.id}"
 
@@ -68,6 +28,16 @@ resource "aws_security_group_rule" "api_ingress_console" {
   to_port     = 6443
 }
 
+resource "aws_security_group_rule" "mcs_ingress" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.api.id}"
+
+  protocol    = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port   = 49500
+  to_port     = 49500
+}
+
 resource "aws_security_group" "console" {
   vpc_id = "${data.aws_vpc.cluster_vpc.id}"
 

diff --git a/modules/aws/vpc/sg-master.tf b/modules/aws/vpc/sg-master.tf
@@ -8,7 +8,7 @@ resource "aws_security_group" "master" {
     ), var.extra_tags)}"
 }
 
-resource "aws_security_group_rule" "master_tnc" {
+resource "aws_security_group_rule" "master_mcs" {
   type              = "ingress"
   security_group_id = "${aws_security_group.master.id}"
 

diff --git a/pkg/asset/ignition/bootstrap.go b/pkg/asset/ignition/bootstrap.go
@@ -59,7 +59,7 @@ type bootstrap struct {
 	apiServerProxyCertKey     asset.Asset
 	adminCertKey              asset.Asset
 	kubeletCertKey            asset.Asset
-	tncCertKey                asset.Asset
+	mcsCertKey                asset.Asset
 	serviceAccountKeyPair     asset.Asset
 	kubeconfig                asset.Asset
 	kubeconfigKubelet         asset.Asset
@@ -90,7 +90,7 @@ func newBootstrap(
 		apiServerProxyCertKey:     tlsStock.APIServerProxyCertKey(),
 		adminCertKey:              tlsStock.AdminCertKey(),
 		kubeletCertKey:            tlsStock.KubeletCertKey(),
-		tncCertKey:                tlsStock.TNCCertKey(),
+		mcsCertKey:                tlsStock.MCSCertKey(),
 		serviceAccountKeyPair:     tlsStock.ServiceAccountKeyPair(),
 		kubeconfig:                kubeconfigStock.KubeconfigAdmin(),
 		kubeconfigKubelet:         kubeconfigStock.KubeconfigKubelet(),
@@ -114,7 +114,7 @@ func (a *bootstrap) Dependencies() []asset.Asset {
 		a.apiServerProxyCertKey,
 		a.adminCertKey,
 		a.kubeletCertKey,
-		a.tncCertKey,
+		a.mcsCertKey,
 		a.serviceAccountKeyPair,
 		a.kubeconfig,
 		a.kubeconfigKubelet,
@@ -200,7 +200,6 @@ func (a *bootstrap) addBootstrapConfigFiles(config *ignition.Config, dependencie
 	// TODO (staebler) - missing the following from assets step
 	//     /opt/tectonic/manifests/cluster-config.yaml
 	//     /opt/tectonic/tectonic/cluster-config.yaml
-	//     /opt/tectonic/tnco-config.yaml
 	//     /opt/tectonic/kco-config.yaml
 	//     /etc/kubernetes/kubeconfig
 	//     /var/lib/kubelet/kubeconfig
@@ -260,8 +259,8 @@ func (a *bootstrap) addTLSCertFiles(config *ignition.Config, dependencies map[as
 		{"admin.key", "admin.crt", dependencies[a.adminCertKey]},
 		{"kubelet.key", "kubelet.crt", dependencies[a.kubeletCertKey]},
 
-		// tnc cert
-		{"tnc.key", "tnc.crt", dependencies[a.tncCertKey]},
+		// mcs cert
+		{"mcs.key", "mcs.crt", dependencies[a.mcsCertKey]},
 
 		// service account cert
 		{"service-account.key", "service-account.crt", dependencies[a.serviceAccountKeyPair]},

diff --git a/pkg/asset/ignition/bootstrap_test.go b/pkg/asset/ignition/bootstrap_test.go
@@ -41,7 +41,7 @@ machines:
 	apiServerProxyCertKeyAsset := &testAsset{"apiserver-proxy-ca"}
 	adminCertKeyAsset := &testAsset{"admin-ca"}
 	kubeletCertKeyAsset := &testAsset{"kubelet-ca"}
-	tncCertKeyAsset := &testAsset{"tnc-ca"}
+	mcsCertKeyAsset := &testAsset{"mcs-ca"}
 	serviceAccountKeyPairAsset := &testAsset{"service-account-ca"}
 	kubeconfigAsset := &testAsset{"kubeconfig"}
 	kubeconfigKubeletAsset := &testAsset{"kubeconfig-kubelet"}
@@ -61,7 +61,7 @@ machines:
 		apiServerProxyCertKey:     apiServerProxyCertKeyAsset,
 		adminCertKey:              adminCertKeyAsset,
 		kubeletCertKey:            kubeletCertKeyAsset,
-		tncCertKey:                tncCertKeyAsset,
+		mcsCertKey:                mcsCertKeyAsset,
 		serviceAccountKeyPair:     serviceAccountKeyPairAsset,
 		kubeconfig:                kubeconfigAsset,
 		kubeconfigKubelet:         kubeconfigKubeletAsset,
@@ -81,7 +81,7 @@ machines:
 		apiServerProxyCertKeyAsset:     stateWithContentsData("test-apiserver-proxy-cert-priv", "test-apiserver-proxy-cert-pub"),
 		adminCertKeyAsset:              stateWithContentsData("test-admin-cert-priv", "test-admin-cert-pub"),
 		kubeletCertKeyAsset:            stateWithContentsData("test-kubelet-cert-priv", "test-kubelet-cert-pub"),
-		tncCertKeyAsset:                stateWithContentsData("test-tnc-cert-priv", "test-tnc-cert-pub"),
+		mcsCertKeyAsset:                stateWithContentsData("test-mcs-cert-priv", "test-mcs-cert-pub"),
 		serviceAccountKeyPairAsset:     stateWithContentsData("test-service-account-cert-priv", "test-service-account-cert-pub"),
 		kubeconfigAsset:                stateWithContentsData("test-kubeconfig"),
 		kubeconfigKubeletAsset:         stateWithContentsData("test-kubeconfig-kubelet"),
@@ -223,12 +223,12 @@ machines:
 			data: "test-kubelet-cert-pub",
 		},
 		fileAssertion{
-			path: "/opt/tectonic/tls/tnc.key",
-			data: "test-tnc-cert-priv",
+			path: "/opt/tectonic/tls/mcs.key",
+			data: "test-mcs-cert-priv",
 		},
 		fileAssertion{
-			path: "/opt/tectonic/tls/tnc.crt",
-			data: "test-tnc-cert-pub",
+			path: "/opt/tectonic/tls/mcs.crt",
+			data: "test-mcs-cert-pub",
 		},
 		fileAssertion{
 			path: "/opt/tectonic/tls/service-account.key",

diff --git a/pkg/asset/ignition/node.go b/pkg/asset/ignition/node.go
@@ -67,7 +67,7 @@ func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, ro
 					Source: func() *url.URL {
 						return &url.URL{
 							Scheme:   "https",
-							Host:     fmt.Sprintf("%s-tnc.%s:49500", installConfig.Name, installConfig.BaseDomain),
+							Host:     fmt.Sprintf("%s-api.%s:49500", installConfig.Name, installConfig.BaseDomain),
 							Path:     fmt.Sprintf("/config/%s", role),
 							RawQuery: query,
 						}

diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
@@ -34,7 +34,7 @@ type manifests struct {
 	apiServerProxyCertKey     asset.Asset
 	adminCertKey              asset.Asset
 	kubeletCertKey            asset.Asset
-	tncCertKey                asset.Asset
+	mcsCertKey                asset.Asset
 	serviceAccountKeyPair     asset.Asset
 	kubeconfig                asset.Asset
 }
@@ -70,7 +70,7 @@ func (o *manifests) Dependencies() []asset.Asset {
 		o.apiServerProxyCertKey,
 		o.adminCertKey,
 		o.kubeletCertKey,
-		o.tncCertKey,
+		o.mcsCertKey,
 		o.serviceAccountKeyPair,
 		o.kubeconfig,
 	}

diff --git a/pkg/asset/manifests/stock.go b/pkg/asset/manifests/stock.go
@@ -56,7 +56,7 @@ func (s *StockImpl) EstablishStock(rootDir string, stock installconfig.Stock, tl
 		apiServerProxyCertKey:     tlsStock.APIServerProxyCertKey(),
 		adminCertKey:              tlsStock.AdminCertKey(),
 		kubeletCertKey:            tlsStock.KubeletCertKey(),
-		tncCertKey:                tlsStock.TNCCertKey(),
+		mcsCertKey:                tlsStock.MCSCertKey(),
 		serviceAccountKeyPair:     tlsStock.ServiceAccountKeyPair(),
 		kubeconfig:                kubeConfigStock.KubeconfigAdmin(),
 	}

diff --git a/pkg/asset/tls/helper.go b/pkg/asset/tls/helper.go
@@ -79,10 +79,10 @@ func genIPAddressesForOpenshiftAPIServerCertKey(cfg *types.InstallConfig) ([]net
 	return []net.IP{net.ParseIP(apiServerAddress)}, nil
 }
 
-func genDNSNamesForTNCCertKey(cfg *types.InstallConfig) ([]string, error) {
-	return []string{fmt.Sprintf("%s-tnc.%s", cfg.Name, cfg.BaseDomain)}, nil
+func genDNSNamesForMCSCertKey(cfg *types.InstallConfig) ([]string, error) {
+	return []string{fmt.Sprintf("%s-api.%s", cfg.Name, cfg.BaseDomain)}, nil
 }
 
-func genSubjectForTNCCertKey(cfg *types.InstallConfig) (pkix.Name, error) {
-	return pkix.Name{CommonName: fmt.Sprintf("%s-tnc.%s", cfg.Name, cfg.BaseDomain)}, nil
+func genSubjectForMCSCertKey(cfg *types.InstallConfig) (pkix.Name, error) {
+	return pkix.Name{CommonName: fmt.Sprintf("%s-api.%s", cfg.Name, cfg.BaseDomain)}, nil
 }