OpenStack: enable IPv6 primary dual-stack cluster #7259

Merged
merged 1 commit into from Oct 10, 2023
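--- a/data/data/openstack/masters/sg-master.tf
+++ b/data/data/openstack/masters/sg-master.tf
@@ -16,6 +16,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_mcs" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_mcs_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 22623
+port_range_max = 22623
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 # TODO(mandre) Explicitely enable egress
 
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
@@ -30,6 +42,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_icmp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "ipv6-icmp"
+port_range_min = 0
+port_range_max = 0
+# FIXME(mandre) AWS only allows ICMP from cidr_block
+remote_ip_prefix = "::/0"
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -42,6 +67,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ssh_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 22
+port_range_max = 22
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -54,6 +91,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_tcp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 53
+port_range_max = 53
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -66,6 +115,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_dns_udp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 53
+port_range_max = 53
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_api" {
 direction = "ingress"
 ethertype = "IPv4"
@@ -102,6 +163,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_vxlan" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vxlan_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 4789
+port_range_max = 4789
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -114,6 +187,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_geneve_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 6081
+port_range_max = 6081
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -126,6 +211,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 500
+port_range_max = 500
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ike_nat_t" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -148,6 +245,16 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_esp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "esp"
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -160,6 +267,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_ovndb_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 6641
+port_range_max = 6642
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -172,6 +291,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 9000
+port_range_max = 9999
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -184,6 +315,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_internal_udp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 9000
+port_range_max = 9999
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -196,6 +339,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler"
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_scheduler_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 10259
+port_range_max = 10259
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller_manager" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -208,6 +363,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_kube_controller_manager_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 10257
+port_range_max = 10257
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -220,6 +387,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure"
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_kubelet_secure_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 10250
+port_range_max = 10250
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -232,6 +411,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_etcd_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 2379
+port_range_max = 2380
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -244,6 +435,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_tcp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 30000
+port_range_max = 32767
+# For OVN LBs the traffic will have the *real* origin source-ip, so anything goes.
+remote_ip_prefix = "::/0"
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -256,6 +460,19 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_services_udp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "udp"
+port_range_min = 30000
+port_range_max = 32767
+# For OVN LBs the traffic will have the *real* origin source-ip, so anything goes.
+remote_ip_prefix = "::/0"
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
 count = length(var.machine_v4_cidrs)
 direction = "ingress"
@@ -268,6 +485,18 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp" {
 description = local.description
 }
 
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_vrrp_v6" {
+count = length(var.machine_v6_cidrs)
+direction = "ingress"
+ethertype = "IPv6"
+# Explicitly set the vrrp protocol number to prevent cases when the Neutron Plugin
+# is disabled and it cannot identify a number by name.
+protocol = "112"
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}
+
 resource "openstack_networking_secgroup_rule_v2" "master_ingress_http" {
 count = var.masters_schedulable ? 1 : 0
 direction = "ingress"
@@ -327,3 +556,15 @@ resource "openstack_networking_secgroup_rule_v2" "master_ingress_router" {
 security_group_id = openstack_networking_secgroup_v2.master.id
 description = local.description
 }
+
+resource "openstack_networking_secgroup_rule_v2" "master_ingress_router_v6" {
+count = (var.masters_schedulable && length(var.machine_v6_cidrs) > 0) ? 1 : 0
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = 1936
+port_range_max = 1936
+remote_ip_prefix = element(var.machine_v6_cidrs, count.index)
+security_group_id = openstack_networking_secgroup_v2.master.id
+description = local.description
+}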
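Review bot: `master_ingress_services_tcp_v6`, `master_ingress_services_udp_v6` and `master_ingress_icmp_v6` pair `count = length(var.machine_v6_cidrs)` with a fixed `remote_ip_prefix = "::/0"`, so a second entry in `machine_v6_cidrs` would create a second rule identical to the first, which Neutron rejects as a duplicate security group rule; since the source prefix does not depend on the CIDR, the count should only express whether any IPv6 CIDR exists, the way `master_ingress_router_v6` already does: `count = length(var.machine_v6_cidrs) > 0 ? 1 : 0`. Whether the installer ever passes more than one IPv6 machine CIDR is not visible here, and the IPv4 rules these mirror appear to carry the same construction. The `# FIXME(mandre) AWS only allows ICMP from cidr_block` comment copied into `master_ingress_icmp_v6` refers to AWS inside an OpenStack module and does not say why ICMPv6 is opened to `::/0`; if the intent is that ICMPv6 must not be restricted because path MTU discovery and neighbor discovery depend on it, a comment saying so would be more useful than the stale one. No `_v6` counterpart of `master_ingress_ike_nat_t` is added; if that is deliberate because UDP 4500 NAT traversal is not needed on IPv6, a short comment next to `master_ingress_ike_v6` would save the next reader the question.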