From 45b556c08fdbcec7b7cc864e38a3d184c987ae54 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 3 Mar 2018 16:21:38 -0800
Subject: [PATCH] Fix overly strict firewall for GCP "worker pools"

* Fix issue where worker firewall rules didn't apply to additional workers attached to a GCP cluster using the new "worker pools" feature (unreleased, #148). Solves host connection timeouts and pods not being scheduled to attached worker pools.
* Add `name` field to GCP internal worker module to represent the unique name of of the worker pool
* Use `cluster_name` field of GCP internal worker module for passing the name of the cluster to which workers should be attached
---
 docs/advanced/worker-pools.md | 14 +++++---
 .../container-linux/kubernetes/cluster.tf | 7 ++--
 .../workers/{network.tf => ingress.tf} | 10 +++---
 .../kubernetes/workers/variables.tf | 33 +++++++++++--------
 .../kubernetes/workers/workers.tf | 10 +++---
 5 files changed, 43 insertions(+), 31 deletions(-)
 rename google-cloud/container-linux/kubernetes/workers/{network.tf => ingress.tf} (81%)

diff --git a/docs/advanced/worker-pools.md b/docs/advanced/worker-pools.md
index 161ea498..c22ef10f 100644
--- a/docs/advanced/worker-pools.md
+++ b/docs/advanced/worker-pools.md
@@ -79,12 +79,17 @@ Create a cluster following the Google Cloud [tutorial](../google-cloud.md#cluste
 module "yavin-worker-pool" {
   source = "git::https://github.com/poseidon/typhoon//google-cloud/container-linux/kubernetes/workers?ref=v1.9.4"
 
+  providers = {
+    google = "google.default"
+  }
+
   # Google Cloud
-  region = "us-central1"
-  network = "${module.google-cloud-yavin.network_name}"
+  region = "us-central1"
+  network = "${module.google-cloud-yavin.network_name}"
+  cluster_name = "yavin"
 
   # configuration
-  cluster_name = "yavin-16x"
+  name = "yavin-16x"
   kubeconfig = "${module.google-cloud-yavin.kubeconfig}"
   ssh_authorized_key = "${var.ssh_authorized_key}"
 
@@ -123,7 +128,8 @@ The Google Cloud internal `workers` module supports a number of [variables](http
 |:-----|:------------|:--------|
 | region | Must be set to `region` of cluster | "us-central1" |
 | network | Must be set to `network_name` output by cluster | "${module.cluster.network_name}" |
-| cluster_name | Unique name | "yavin-worker-pool" |
+| name | Unique name (distinct from cluster name) | "yavin-16x" |
+| cluster_name | Must be set to `cluster_name` of cluster | "yavin" |
 | kubeconfig | Must be set to `kubeconfig` output by cluster | "${module.cluster.kubeconfig}" |
 | ssh_authorized_key | SSH public key for ~/.ssh_authorized_keys | "ssh-rsa AAAAB3NZ..." |
 
diff --git a/google-cloud/container-linux/kubernetes/cluster.tf b/google-cloud/container-linux/kubernetes/cluster.tf
index 786f2b30..6e9a26fe 100644
--- a/google-cloud/container-linux/kubernetes/cluster.tf
+++ b/google-cloud/container-linux/kubernetes/cluster.tf
@@ -3,11 +3,11 @@ module "controllers" {
   cluster_name = "${var.cluster_name}"
 
   # GCE
-  network = "${google_compute_network.network.name}"
-  count = "${var.controller_count}"
   region = "${var.region}"
+  network = "${google_compute_network.network.name}"
   dns_zone = "${var.dns_zone}"
   dns_zone_name = "${var.dns_zone_name}"
+  count = "${var.controller_count}"
   machine_type = "${var.machine_type}"
   os_image = "${var.os_image}"
 
@@ -21,11 +21,12 @@ module "controllers" {
 module "workers" {
   source = "workers"
 
+  name = "${var.cluster_name}"
   cluster_name = "${var.cluster_name}"
 
   # GCE
-  network = "${google_compute_network.network.name}"
   region = "${var.region}"
+  network = "${google_compute_network.network.name}"
   count = "${var.worker_count}"
   machine_type = "${var.machine_type}"
   os_image = "${var.os_image}"
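Review bot: The added `name = "${var.cluster_name}"` in the `module "workers"` hunk makes the built-in worker pool reuse the cluster name, while the docs hunk in the same commit tells users that additional pools need a `name` distinct from the cluster name; nothing on the line says this reuse is intentional. A comment on the added line would protect it from a well-meant "fix": `# The built-in pool keeps the cluster name; pools attached later must use a distinct name (see docs/advanced/worker-pools.md)`. That the reuse exists to keep existing GCE resource names stable is inferred from the `${var.name}-*` naming in ingress.tf rather than stated here, so confirm before adopting that wording. The `module "controllers"` hunk above only reorders unchanged lines.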
diff --git a/google-cloud/container-linux/kubernetes/workers/network.tf b/google-cloud/container-linux/kubernetes/workers/ingress.tf
similarity index 81%
rename from google-cloud/container-linux/kubernetes/workers/network.tf
rename to google-cloud/container-linux/kubernetes/workers/ingress.tf
index 6cb6c4f6..0355fe2e 100644
--- a/google-cloud/container-linux/kubernetes/workers/network.tf
+++ b/google-cloud/container-linux/kubernetes/workers/ingress.tf
@@ -1,18 +1,18 @@
 # Static IPv4 address for the Network Load Balancer
 resource "google_compute_address" "ingress-ip" {
-  name = "${var.cluster_name}-ingress-ip"
+  name = "${var.name}-ingress-ip"
 }
 
 # Network Load Balancer (i.e. forwarding rules)
 resource "google_compute_forwarding_rule" "worker-http-lb" {
-  name = "${var.cluster_name}-worker-http-rule"
+  name = "${var.name}-worker-http-rule"
   ip_address = "${google_compute_address.ingress-ip.address}"
   port_range = "80"
   target = "${google_compute_target_pool.workers.self_link}"
 }
 
 resource "google_compute_forwarding_rule" "worker-https-lb" {
-  name = "${var.cluster_name}-worker-https-rule"
+  name = "${var.name}-worker-https-rule"
   ip_address = "${google_compute_address.ingress-ip.address}"
   port_range = "443"
   target = "${google_compute_target_pool.workers.self_link}"
@@ -20,7 +20,7 @@ resource "google_compute_forwarding_rule" "worker-https-lb" {
 
 # Network Load Balancer target pool of instances.
 resource "google_compute_target_pool" "workers" {
-  name = "${var.cluster_name}-worker-pool"
+  name = "${var.name}-worker-pool"
 
   health_checks = [
     "${google_compute_http_health_check.ingress.name}",
@@ -31,7 +31,7 @@ resource "google_compute_target_pool" "workers" {
 
 # Ingress HTTP Health Check
 resource "google_compute_http_health_check" "ingress" {
-  name = "${var.cluster_name}-ingress-health"
+  name = "${var.name}-ingress-health"
   description = "Health check Ingress controller health host port"
 
   timeout_sec = 5
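Review bot: Every resource name in this file now derives from `var.name` (the `@@ -1,18` hunk and likewise the `@@ -20,7` and `@@ -31,7` hunks), so two pools attached to the same cluster with the same `name` would collide on the compute address, both forwarding rules, the target pool and the HTTP health check, and the pre-0.13 variable syntax used here (`type = "string"`) has no validation block to reject that before apply. Since this module is now instantiated once per pool, a header comment should state the contract the names rely on: `# Ingress resources are created once per worker pool and named "${var.name}-*"; name must be unique across pools in the project`. It is also worth saying somewhere that each attached pool therefore gets its own static ingress IP and load balancer rather than sharing the cluster's, which the worker-pools doc in this commit does not mention. The `google_compute_target_pool` block continues past the end of the second hunk.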
diff --git a/google-cloud/container-linux/kubernetes/workers/variables.tf b/google-cloud/container-linux/kubernetes/workers/variables.tf
index e857b9f0..0ff62b16 100644
--- a/google-cloud/container-linux/kubernetes/workers/variables.tf
+++ b/google-cloud/container-linux/kubernetes/workers/variables.tf
@@ -1,11 +1,16 @@
-variable "cluster_name" {
+variable "name" {
   type = "string"
-  description = "Unique cluster name"
+  description = "Unique name"
 }
 
-variable "ssh_authorized_key" {
+variable "cluster_name" {
   type = "string"
-  description = "SSH public key for logging in as user 'core'"
+  description = "Cluster name"
+}
+
+variable "region" {
+  type = "string"
+  description = "Google Cloud region (e.g. us-central1, see `gcloud compute regions list`)."
 }
 
 variable "network" {
@@ -21,11 +26,6 @@ variable "count" {
   description = "Number of worker compute instances the instance group should manage"
 }
 
-variable "region" {
-  type = "string"
-  description = "Google Cloud region (e.g. us-central1, see `gcloud compute regions list`)."
-}
-
 variable "machine_type" {
   type = "string"
   default = "n1-standard-1"
@@ -52,6 +52,16 @@ variable "preemptible" {
 
 # configuration
 
+variable "kubeconfig" {
+  type = "string"
+  description = "Generated Kubelet kubeconfig"
+}
+
+variable "ssh_authorized_key" {
+  type = "string"
+  description = "SSH public key for logging in as user 'core'"
+}
+
 variable "service_cidr" {
   description = <
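Review bot: `description = "Unique name"` on the new `name` variable in the first hunk says neither what the value is used for nor the scope in which it must be unique, yet ingress.tf in this same commit builds every GCE resource name from it, so a duplicate across pools surfaces only as an apply-time conflict. Suggest `description = "Unique name of the worker pool (prefix for GCE resource names; must differ from the cluster name and from other pools in the project)"`. The sibling `cluster_name` description `"Cluster name"` would likewise benefit from stating that it must match the `cluster_name` of the cluster the pool attaches to, as the docs table in this commit already does. The second hunk only relocates the unchanged `region` variable, and the third hunk (`@@ -52,6 +52,16 @@`) runs past the end of the visible patch.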