Fix overly strict firewall for GCP "worker pools"
* Fix issue where worker firewall rules didn't apply to additional workers attached to a GCP cluster using the new "worker pools" feature (unreleased, #148). Solves host connection timeouts and pods not being scheduled to attached worker pools. * Add `name` field to GCP internal worker module to represent the unique name of of the worker pool * Use `cluster_name` field of GCP internal worker module for passing the name of the cluster to which workers should be attached
This commit is contained in:
parent
da6aafe816
commit
45b556c08f
|
@ -79,12 +79,17 @@ Create a cluster following the Google Cloud [tutorial](../google-cloud.md#cluste
|
||||||
module "yavin-worker-pool" {
|
module "yavin-worker-pool" {
|
||||||
source = "git::https://github.com/poseidon/typhoon//google-cloud/container-linux/kubernetes/workers?ref=v1.9.4"
|
source = "git::https://github.com/poseidon/typhoon//google-cloud/container-linux/kubernetes/workers?ref=v1.9.4"
|
||||||
|
|
||||||
|
providers = {
|
||||||
|
google = "google.default"
|
||||||
|
}
|
||||||
|
|
||||||
# Google Cloud
|
# Google Cloud
|
||||||
region = "us-central1"
|
region = "us-central1"
|
||||||
network = "${module.google-cloud-yavin.network_name}"
|
network = "${module.google-cloud-yavin.network_name}"
|
||||||
|
cluster_name = "yavin"
|
||||||
|
|
||||||
# configuration
|
# configuration
|
||||||
cluster_name = "yavin-16x"
|
name = "yavin-16x"
|
||||||
kubeconfig = "${module.google-cloud-yavin.kubeconfig}"
|
kubeconfig = "${module.google-cloud-yavin.kubeconfig}"
|
||||||
ssh_authorized_key = "${var.ssh_authorized_key}"
|
ssh_authorized_key = "${var.ssh_authorized_key}"
|
||||||
|
|
||||||
|
@ -123,7 +128,8 @@ The Google Cloud internal `workers` module supports a number of [variables](http
|
||||||
|:-----|:------------|:--------|
|
|:-----|:------------|:--------|
|
||||||
| region | Must be set to `region` of cluster | "us-central1" |
|
| region | Must be set to `region` of cluster | "us-central1" |
|
||||||
| network | Must be set to `network_name` output by cluster | "${module.cluster.network_name}" |
|
| network | Must be set to `network_name` output by cluster | "${module.cluster.network_name}" |
|
||||||
| cluster_name | Unique name | "yavin-worker-pool" |
|
| name | Unique name (distinct from cluster name) | "yavin-16x" |
|
||||||
|
| cluster_name | Must be set to `cluster_name` of cluster | "yavin" |
|
||||||
| kubeconfig | Must be set to `kubeconfig` output by cluster | "${module.cluster.kubeconfig}" |
|
| kubeconfig | Must be set to `kubeconfig` output by cluster | "${module.cluster.kubeconfig}" |
|
||||||
| ssh_authorized_key | SSH public key for ~/.ssh_authorized_keys | "ssh-rsa AAAAB3NZ..." |
|
| ssh_authorized_key | SSH public key for ~/.ssh_authorized_keys | "ssh-rsa AAAAB3NZ..." |
|
||||||
|
|
||||||
|
|
|
@ -3,11 +3,11 @@ module "controllers" {
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
|
|
||||||
# GCE
|
# GCE
|
||||||
network = "${google_compute_network.network.name}"
|
|
||||||
count = "${var.controller_count}"
|
|
||||||
region = "${var.region}"
|
region = "${var.region}"
|
||||||
|
network = "${google_compute_network.network.name}"
|
||||||
dns_zone = "${var.dns_zone}"
|
dns_zone = "${var.dns_zone}"
|
||||||
dns_zone_name = "${var.dns_zone_name}"
|
dns_zone_name = "${var.dns_zone_name}"
|
||||||
|
count = "${var.controller_count}"
|
||||||
machine_type = "${var.machine_type}"
|
machine_type = "${var.machine_type}"
|
||||||
os_image = "${var.os_image}"
|
os_image = "${var.os_image}"
|
||||||
|
|
||||||
|
@ -21,11 +21,12 @@ module "controllers" {
|
||||||
|
|
||||||
module "workers" {
|
module "workers" {
|
||||||
source = "workers"
|
source = "workers"
|
||||||
|
name = "${var.cluster_name}"
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
|
|
||||||
# GCE
|
# GCE
|
||||||
network = "${google_compute_network.network.name}"
|
|
||||||
region = "${var.region}"
|
region = "${var.region}"
|
||||||
|
network = "${google_compute_network.network.name}"
|
||||||
count = "${var.worker_count}"
|
count = "${var.worker_count}"
|
||||||
machine_type = "${var.machine_type}"
|
machine_type = "${var.machine_type}"
|
||||||
os_image = "${var.os_image}"
|
os_image = "${var.os_image}"
|
||||||
|
|
|
@ -1,18 +1,18 @@
|
||||||
# Static IPv4 address for the Network Load Balancer
|
# Static IPv4 address for the Network Load Balancer
|
||||||
resource "google_compute_address" "ingress-ip" {
|
resource "google_compute_address" "ingress-ip" {
|
||||||
name = "${var.cluster_name}-ingress-ip"
|
name = "${var.name}-ingress-ip"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Network Load Balancer (i.e. forwarding rules)
|
# Network Load Balancer (i.e. forwarding rules)
|
||||||
resource "google_compute_forwarding_rule" "worker-http-lb" {
|
resource "google_compute_forwarding_rule" "worker-http-lb" {
|
||||||
name = "${var.cluster_name}-worker-http-rule"
|
name = "${var.name}-worker-http-rule"
|
||||||
ip_address = "${google_compute_address.ingress-ip.address}"
|
ip_address = "${google_compute_address.ingress-ip.address}"
|
||||||
port_range = "80"
|
port_range = "80"
|
||||||
target = "${google_compute_target_pool.workers.self_link}"
|
target = "${google_compute_target_pool.workers.self_link}"
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_forwarding_rule" "worker-https-lb" {
|
resource "google_compute_forwarding_rule" "worker-https-lb" {
|
||||||
name = "${var.cluster_name}-worker-https-rule"
|
name = "${var.name}-worker-https-rule"
|
||||||
ip_address = "${google_compute_address.ingress-ip.address}"
|
ip_address = "${google_compute_address.ingress-ip.address}"
|
||||||
port_range = "443"
|
port_range = "443"
|
||||||
target = "${google_compute_target_pool.workers.self_link}"
|
target = "${google_compute_target_pool.workers.self_link}"
|
||||||
|
@ -20,7 +20,7 @@ resource "google_compute_forwarding_rule" "worker-https-lb" {
|
||||||
|
|
||||||
# Network Load Balancer target pool of instances.
|
# Network Load Balancer target pool of instances.
|
||||||
resource "google_compute_target_pool" "workers" {
|
resource "google_compute_target_pool" "workers" {
|
||||||
name = "${var.cluster_name}-worker-pool"
|
name = "${var.name}-worker-pool"
|
||||||
|
|
||||||
health_checks = [
|
health_checks = [
|
||||||
"${google_compute_http_health_check.ingress.name}",
|
"${google_compute_http_health_check.ingress.name}",
|
||||||
|
@ -31,7 +31,7 @@ resource "google_compute_target_pool" "workers" {
|
||||||
|
|
||||||
# Ingress HTTP Health Check
|
# Ingress HTTP Health Check
|
||||||
resource "google_compute_http_health_check" "ingress" {
|
resource "google_compute_http_health_check" "ingress" {
|
||||||
name = "${var.cluster_name}-ingress-health"
|
name = "${var.name}-ingress-health"
|
||||||
description = "Health check Ingress controller health host port"
|
description = "Health check Ingress controller health host port"
|
||||||
|
|
||||||
timeout_sec = 5
|
timeout_sec = 5
|
|
@ -1,11 +1,16 @@
|
||||||
variable "cluster_name" {
|
variable "name" {
|
||||||
type = "string"
|
type = "string"
|
||||||
description = "Unique cluster name"
|
description = "Unique name"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "ssh_authorized_key" {
|
variable "cluster_name" {
|
||||||
type = "string"
|
type = "string"
|
||||||
description = "SSH public key for logging in as user 'core'"
|
description = "Cluster name"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "region" {
|
||||||
|
type = "string"
|
||||||
|
description = "Google Cloud region (e.g. us-central1, see `gcloud compute regions list`)."
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "network" {
|
variable "network" {
|
||||||
|
@ -21,11 +26,6 @@ variable "count" {
|
||||||
description = "Number of worker compute instances the instance group should manage"
|
description = "Number of worker compute instances the instance group should manage"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "region" {
|
|
||||||
type = "string"
|
|
||||||
description = "Google Cloud region (e.g. us-central1, see `gcloud compute regions list`)."
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "machine_type" {
|
variable "machine_type" {
|
||||||
type = "string"
|
type = "string"
|
||||||
default = "n1-standard-1"
|
default = "n1-standard-1"
|
||||||
|
@ -52,6 +52,16 @@ variable "preemptible" {
|
||||||
|
|
||||||
# configuration
|
# configuration
|
||||||
|
|
||||||
|
variable "kubeconfig" {
|
||||||
|
type = "string"
|
||||||
|
description = "Generated Kubelet kubeconfig"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ssh_authorized_key" {
|
||||||
|
type = "string"
|
||||||
|
description = "SSH public key for logging in as user 'core'"
|
||||||
|
}
|
||||||
|
|
||||||
variable "service_cidr" {
|
variable "service_cidr" {
|
||||||
description = <<EOD
|
description = <<EOD
|
||||||
CIDR IP range to assign Kubernetes services.
|
CIDR IP range to assign Kubernetes services.
|
||||||
|
@ -67,8 +77,3 @@ variable "cluster_domain_suffix" {
|
||||||
type = "string"
|
type = "string"
|
||||||
default = "cluster.local"
|
default = "cluster.local"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "kubeconfig" {
|
|
||||||
type = "string"
|
|
||||||
description = "Generated Kubelet kubeconfig"
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
# Regional managed instance group maintains a homogeneous set of workers that
|
# Regional managed instance group maintains a homogeneous set of workers that
|
||||||
# span the zones in the region.
|
# span the zones in the region.
|
||||||
resource "google_compute_region_instance_group_manager" "workers" {
|
resource "google_compute_region_instance_group_manager" "workers" {
|
||||||
name = "${var.cluster_name}-worker-group"
|
name = "${var.name}-worker-group"
|
||||||
description = "Compute instance group of ${var.cluster_name} workers"
|
description = "Compute instance group of ${var.name} workers"
|
||||||
|
|
||||||
# instance name prefix for instances in the group
|
# instance name prefix for instances in the group
|
||||||
base_instance_name = "${var.cluster_name}-worker"
|
base_instance_name = "${var.name}-worker"
|
||||||
instance_template = "${google_compute_instance_template.worker.self_link}"
|
instance_template = "${google_compute_instance_template.worker.self_link}"
|
||||||
region = "${var.region}"
|
region = "${var.region}"
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ data "ct_config" "worker_ign" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_instance_template" "worker" {
|
resource "google_compute_instance_template" "worker" {
|
||||||
name_prefix = "${var.cluster_name}-worker-"
|
name_prefix = "${var.name}-worker-"
|
||||||
description = "Worker Instance template"
|
description = "Worker Instance template"
|
||||||
machine_type = "${var.machine_type}"
|
machine_type = "${var.machine_type}"
|
||||||
|
|
||||||
|
@ -64,7 +64,7 @@ resource "google_compute_instance_template" "worker" {
|
||||||
|
|
||||||
can_ip_forward = true
|
can_ip_forward = true
|
||||||
|
|
||||||
tags = ["worker", "${var.cluster_name}-worker"]
|
tags = ["worker", "${var.cluster_name}-worker", "${var.name}-worker"]
|
||||||
|
|
||||||
lifecycle {
|
lifecycle {
|
||||||
# To update an Instance Template, Terraform should replace the existing resource
|
# To update an Instance Template, Terraform should replace the existing resource
|
||||||
|
|
Loading…
Reference in New Issue