feat(gateway): make ICMP and kubernetes configurable in firewall

identiops · Mar 18, 2024 · 46bdd5f · 46bdd5f
1 parent b9b5ee7
commit 46bdd5f
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -213,8 +213,12 @@ EOF
     as expected:
     - Did the node initialization finish successfully? `cloud-init status`
     - Is the cluster up and running? `kubectl cluster-info`
-11. If the tests were successful, retrieve the Kubernetes configuration locally:
-    `./setkubeconfig`
+11. If the tests were successful, retrieve the Kubernetes configuration and
+    store it locally: `./setkubeconfig`
+12. Forward the cluster port locally since it's not exposed to the Internet by
+    default. Do this every time you want to interact with the cluster:
+    `./ssh-node gateway`
+13. Test cluster access from your local machine: `kubectl get nodes`
 
 Enjoy your new cluster! 🚀
 
@@ -236,7 +240,9 @@ In addition, a few convenience scripts were created to help with maintenance:
   `ssh-node` and `scp-node`.
 - `ssh-node`: SSH wrapper for connecting to cluster nodes.
 - `scp-node`: SCP wrapper for connecting to cluster nodes.
-- `.ssh/config`: SSH configuration for the cluster nodes.
+- `.ssh/config`: SSH configuration for connecting to cluster nodes.
+- `.ansible/hosts`: Ansible hosts configuration for executing commands on
+  multiple nodes in parallel.
 
 ## Maintenance
 

diff --git a/gateway.tf b/gateway.tf
@@ -75,7 +75,11 @@ resource "hcloud_server" "gateway" {
     }),
     yamlencode(var.additional_cloud_init)
   )
-  firewall_ids = concat([hcloud_firewall.gateway.id], var.gateway_firewall_ids)
+  firewall_ids = concat(
+    [hcloud_firewall.gateway_ssh.id],
+    var.gateway_firewall_icmp_open ? [hcloud_firewall.gateway_icmp.id] : [],
+    var.gateway_firewall_k8s_open ? [hcloud_firewall.gateway_k8s.id] : [],
+  var.gateway_firewall_ids)
 
   public_net {
     ipv4_enabled = true
@@ -101,16 +105,11 @@ resource "hcloud_network_route" "default" {
   gateway     = hcloud_server_network.gateway.ip
 }
 
-resource "hcloud_firewall" "gateway" {
+resource "hcloud_firewall" "gateway_icmp" {
   lifecycle {
     prevent_destroy = false
-    ignore_changes = [
-      name,
-    ]
   }
-
-  name = "${var.cluster_name}-gateway"
-
+  name = "${var.cluster_name}-gateway-icmp"
   rule {
     direction = "in"
     protocol  = "icmp"
@@ -120,7 +119,13 @@ resource "hcloud_firewall" "gateway" {
       "::/0"
     ]
   }
+}
 
+resource "hcloud_firewall" "gateway_ssh" {
+  lifecycle {
+    prevent_destroy = false
+  }
+  name = "${var.cluster_name}-gateway-ssh"
   rule {
     direction = "in"
     protocol  = "tcp"
@@ -130,7 +135,13 @@ resource "hcloud_firewall" "gateway" {
       "::/0"
     ]
   }
+}
 
+resource "hcloud_firewall" "gateway_k8s" {
+  lifecycle {
+    prevent_destroy = false
+  }
+  name = "${var.cluster_name}-gateway-k8s"
   rule {
     direction = "in"
     protocol  = "tcp"

diff --git a/scripts.tf b/scripts.tf
@@ -19,12 +19,12 @@ resource "local_file" "ssh_config" {
   filename = "./.ssh/config"
   content = templatefile(
     "${path.module}/templates/ssh_config", {
-      cluster_name = var.cluster_name
-      cluster_ip   = hcloud_server.gateway.ipv4_address
-      control_plane_init_ip = [for pool in module.node_pool_cluster_init :
-      [for node in pool.nodes : node.private[0]][0]][0]
-      node_pools = merge(module.node_pool_cluster_init, module.node_pools)
-      cwd        = path.cwd
+      cluster_name          = var.cluster_name
+      cluster_ip            = hcloud_server.gateway.ipv4_address
+      control_plane_init_ip = [for pool in module.node_pool_cluster_init : [for node in pool.nodes : node.private[0]][0]][0]
+      node_pools            = merge(module.node_pool_cluster_init, module.node_pools)
+      firewall_k8s_open     = var.gateway_firewall_k8s_open
+      cwd                   = path.cwd
     }
   )
   file_permission = "0600"
@@ -69,7 +69,7 @@ resource "local_file" "setkubeconfig" {
   content = templatefile(
     "${path.module}/templates/kubeconfig_setkubeconfig", {
       cluster_name       = var.cluster_name
-      cluster_ip         = hcloud_server.gateway.ipv4_address
+      cluster_ip         = var.gateway_firewall_k8s_open ? hcloud_server.gateway.ipv4_address : "localhost"
       oidc_enabled       = var.oidc_enabled
       oidc_issuer_url    = var.oidc_issuer_url
       oidc_client_id     = var.oidc_client_id

diff --git a/templates/ssh_config b/templates/ssh_config
@@ -8,6 +8,9 @@ User root
 
 Host gateway
 HostName ${cluster_ip}
+%{ if !firewall_k8s_open ~}
+LocalForward 6443 localhost:6443
+%{ endif ~}
 Port 22
 
 # Alias for control plane main serever

diff --git a/variables.tf b/variables.tf
@@ -247,6 +247,18 @@ variable "gateway_firewall_ids" {
   default     = []
 }
 
+variable "gateway_firewall_icmp_open" {
+  description = "Allow ping."
+  type        = bool
+  default     = true
+}
+
+variable "gateway_firewall_k8s_open" {
+  description = "Open kubernetes port to the Internet. If it's not open, SSH port fowarding should be used gain access to the cluster."
+  type        = bool
+  default     = false
+}
+
 variable "gateway_server_type" {
   description = "Gateway node type (size)."
   type        = string