From e58b4248823575520594bd11d471bb03ad1155a5 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Tue, 21 Aug 2018 23:21:05 -0700
Subject: [PATCH] Fix firewall to allow etcd client traffic between controllers

* Broaden internal-etcd firewall rule to allow etcd client traffic (2379) from other controller nodes
* Previously, kube-apiservers were only able to connect to their node's local etcd peer. While master node outages were tolerated, reaching a healthy peer took longer than neccessary in some cases
* Reduce time needed to bootstrap a cluster
---
 CHANGES.md | 3 +++
 docs/topics/performance.md | 2 +-
 google-cloud/container-linux/kubernetes/network.tf | 2 +-
 google-cloud/fedora-atomic/kubernetes/network.tf | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 307284ab..27011527 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -14,6 +14,9 @@ Notable changes between versions.
 #### Google Cloud
 
+* Fix firewall to allow etcd client port 2379 traffic between controller nodes ([#287](https://github.com/poseidon/typhoon/pull/287))
+ * kube-apiservers were only able to connect to their node's local etcd peer. While master node outages were tolerated, reaching a healthy peer took longer than neccessary in some cases
+ * Reduce time needed to bootstrap the cluster
 * Remove firewall rule allowing workers to access Nginx Ingress health check ([#284](https://github.com/poseidon/typhoon/pull/284))
 * Nginx Ingress addon no longer uses hostNetwork, Prometheus scrapes via CNI network
diff --git a/docs/topics/performance.md b/docs/topics/performance.md
index a59be467..6802fc30 100644
--- a/docs/topics/performance.md
+++ b/docs/topics/performance.md
@@ -9,7 +9,7 @@ Provisioning times vary based on the operating system and platform. Sampling the
 | AWS | 6 min | 5 min |
 | Bare-Metal | 10-15 min | NA |
 | Digital Ocean | 3 min 30 sec | 20 sec |
-| Google Cloud | 10 min | 4 min 30 sec |
+| Google Cloud | 6 min | 4 min 30 sec |
 Notes: 
diff --git a/google-cloud/container-linux/kubernetes/network.tf b/google-cloud/container-linux/kubernetes/network.tf
index 512f1056..5734200e 100644
--- a/google-cloud/container-linux/kubernetes/network.tf
+++ b/google-cloud/container-linux/kubernetes/network.tf
@@ -23,7 +23,7 @@ resource "google_compute_firewall" "internal-etcd" {
 allow {
 protocol = "tcp"
- ports = [2380]
+ ports = [2379, 2380]
 }
 source_tags = ["${var.cluster_name}-controller"]
diff --git a/google-cloud/fedora-atomic/kubernetes/network.tf b/google-cloud/fedora-atomic/kubernetes/network.tf
index 512f1056..5734200e 100644
--- a/google-cloud/fedora-atomic/kubernetes/network.tf
+++ b/google-cloud/fedora-atomic/kubernetes/network.tf
@@ -23,7 +23,7 @@ resource "google_compute_firewall" "internal-etcd" {
 allow {
 protocol = "tcp"
- ports = [2380]
+ ports = [2379, 2380]
 }
 source_tags = ["${var.cluster_name}-controller"]
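Review bot: Adding 2379 to `ports = [2379, 2380]` means any process on any controller-tagged instance can now reach every etcd member's client API, so the network layer no longer confines client access to the local node; that is only safe if etcd enforces client certificate authentication on 2379, which this hunk cannot show, so confirm the etcd unit runs with `--client-cert-auth` (or equivalent) before relying on tag scoping alone. The visible `source_tags` line keeps the source set to the controller tag, which is the intended scope, but GCP network tags are an IAM-governed attribute rather than an identity proof, so any principal able to set tags on instances in the project can join that set. The `allow` block deserves a comment so the wider rule is not reverted later as an over-permission, e.g. `# 2379: etcd client API (kube-apiserver on any controller -> any etcd member), 2380: etcd peer traffic`. The `google_compute_firewall.internal-etcd` resource starts at the hunk header and its `target_tags` and closing brace lie beyond the hunk.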
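Review bot: The same caveat applies to this `ports = [2379, 2380]` line in the fedora-atomic module: etcd's client port is now reachable from every controller-tagged instance, which is safe only if etcd requires client TLS certificates on 2379, something this hunk does not show and that should be confirmed in the fedora-atomic etcd unit as well. Since this file is byte-identical to the container-linux copy, add the same explanatory comment here so the two modules document the intent consistently, e.g. `ports = [2379, 2380] # etcd client API (2379) and peer (2380) traffic between controllers`. The resource's `target_tags` and closing brace are outside the hunk.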