Re-add the support for existing use-cases of combining vpcId and mapP…

…ublicIPs, routeTableId to let kube-aws create all the nodes and the api load-balancer inside either private or public subnets
kubernetes-retired · Jan 31, 2017 · 80885cb · 80885cb
1 parent 242783d
commit 80885cb
Show file tree

Hide file tree

Showing 5 changed files with 345 additions and 35 deletions.
diff --git a/config/config.go b/config/config.go
@@ -181,10 +181,41 @@ func (c *Cluster) SetDefaults() {
 		}
 	}
 
+	privateTopologyImplied := c.RouteTableID != "" && !c.MapPublicIPs
+	publicTopologyImplied := c.RouteTableID != "" && c.MapPublicIPs
+
 	for i, s := range c.Subnets {
 		if s.CustomName == "" {
 			c.Subnets[i].CustomName = fmt.Sprintf("Subnet%d", i)
 		}
+
+		// DEPRECATED AND REMOVED IN THE FUTURE
+		// See https://github.com/coreos/kube-aws/pull/284#issuecomment-275998862
+		//
+		// This implies a deployment to an existing VPC with a route table with a preconfigured Internet Gateway
+		// and all the subnets created by kube-aws are public
+		if publicTopologyImplied {
+			c.Subnets[i].InternetGateway.Preconfigured = true
+			c.Subnets[i].RouteTable.ID = c.RouteTableID
+			if s.Private {
+				panic(fmt.Sprintf("mapPublicIPs(=%v) and subnets[%d].private(=%v) conflicts: %+v", c.MapPublicIPs, i, s.Private, s))
+			}
+			c.Subnets[i].Private = false
+		}
+
+		// DEPRECATED AND REMOVED IN THE FUTURE
+		// See https://github.com/coreos/kube-aws/pull/284#issuecomment-275998862
+		//
+		// This implies a deployment to an existing VPC with a route table with a preconfigured NAT Gateway
+		// and all the subnets created by kube-aws are private
+		if privateTopologyImplied {
+			c.Subnets[i].NATGateway.Preconfigured = true
+			c.Subnets[i].RouteTable.ID = c.RouteTableID
+			if s.Private {
+				panic(fmt.Sprintf("mapPublicIPs(=%v) and subnets[%d].private(=%v) conflicts. You don't need to set true to both of them. If you want to make all the subnets private, make mapPublicIPs false. If you want to make only part of subnets private, make subnets[].private true accordingly: %+v", c.MapPublicIPs, i, s.Private, s))
+			}
+			c.Subnets[i].Private = true
+		}
 	}
 
 	for i, s := range c.Worker.Subnets {
@@ -208,23 +239,36 @@ func (c *Cluster) SetDefaults() {
 	}
 
 	if len(c.Worker.Subnets) == 0 {
-		c.Worker.Subnets = c.PublicSubnets()
+		if privateTopologyImplied {
+			c.Worker.Subnets = c.PrivateSubnets()
+		} else {
+			c.Worker.Subnets = c.PublicSubnets()
+		}
 	}
 
 	if len(c.Controller.Subnets) == 0 {
-		c.Controller.Subnets = c.PublicSubnets()
+		if privateTopologyImplied {
+			c.Controller.Subnets = c.PrivateSubnets()
+		} else {
+			c.Controller.Subnets = c.PublicSubnets()
+		}
 	}
 
 	if len(c.Controller.LoadBalancer.Subnets) == 0 {
-		if c.Controller.LoadBalancer.Private == true {
+		if c.Controller.LoadBalancer.Private || privateTopologyImplied {
 			c.Controller.LoadBalancer.Subnets = c.PrivateSubnets()
+			c.Controller.LoadBalancer.Private = true
 		} else {
 			c.Controller.LoadBalancer.Subnets = c.PublicSubnets()
 		}
 	}
 
 	if len(c.Etcd.Subnets) == 0 {
-		c.Etcd.Subnets = c.PublicSubnets()
+		if privateTopologyImplied {
+			c.Etcd.Subnets = c.PrivateSubnets()
+		} else {
+			c.Etcd.Subnets = c.PublicSubnets()
+		}
 	}
 }
 
@@ -863,6 +907,9 @@ func (c DeploymentSettings) Valid() (*DeploymentValidationResult, error) {
 
 		var instanceCIDRs = make([]*net.IPNet, 0)
 
+		allPrivate := true
+		allPublic := true
+
 		for i, subnet := range c.Subnets {
 			if subnet.ID != "" || subnet.IDFromStackOutput != "" {
 				continue
@@ -882,6 +929,17 @@ func (c DeploymentSettings) Valid() (*DeploymentValidationResult, error) {
 					i,
 				)
 			}
+
+			if subnet.RouteTableID() != "" && c.RouteTableID != "" {
+				return nil, fmt.Errorf("either subnets[].routeTable.id(%s) or routeTableId(%s) but not both can be specified", subnet.RouteTableID(), c.RouteTableID)
+			}
+
+			allPrivate = allPrivate && subnet.Private
+			allPublic = allPublic && subnet.Public()
+		}
+
+		if c.RouteTableID != "" && !allPublic && !allPrivate {
+			return nil, fmt.Errorf("network topology including both private and public subnets specified while the single route table(%s) is also specified. You must differentiate the route table at least between private and public subnets. Use subets[].routeTable.id instead of routeTableId for that.", c.RouteTableID)
 		}
 
 		for i, a := range instanceCIDRs {

diff --git a/config/templates/stack-template.json b/config/templates/stack-template.json
@@ -1206,24 +1206,8 @@
       },
       "Type": "AWS::EC2::RouteTable"
     }
-    {{if $subnet.Public}}
+    {{if $subnet.ManageRouteToInternet}}
     ,
-    "{{$subnet.RouteTableName}}": {
-      "Properties": {
-        "Tags": [
-          {
-            "Key": "Name",
-            "Value": "{{$.ClusterName}}-{{$subnet.RouteTableName}}"
-          },
-          {
-            "Key": "KubernetesCluster",
-            "Value": "{{$.ClusterName}}"
-          }
-        ],
-        "VpcId": {{$.VPCRef}}
-      },
-      "Type": "AWS::EC2::RouteTable"
-    },
     "{{$subnet.RouteTableName}}ToInternet": {
       "Properties": {
         "DestinationCidrBlock": "0.0.0.0/0",

diff --git a/model/internet_gateway.go b/model/internet_gateway.go
@@ -0,0 +1,10 @@
+package model
+
+type InternetGateway struct {
+	Identifier    `yaml:",inline"`
+	Preconfigured bool `yaml:"preconfigured,omitempty"`
+}
+
+func (g InternetGateway) ManageInternetGateway() bool {
+	return !g.HasIdentifier()
+}
diff --git a/model/subnet.go b/model/subnet.go
@@ -59,6 +59,38 @@ func NewExistingPrivateSubnetWithPreconfiguredNATGateway(az string, id string, r
 	}
 }
 
+func NewPublicSubnetWithPreconfiguredInternetGateway(az string, cidr string, rtb string) Subnet {
+	return Subnet{
+		AvailabilityZone: az,
+		InstanceCIDR:     cidr,
+		Private:          false,
+		RouteTable: RouteTable{
+			Identifier: Identifier{
+				ID: rtb,
+			},
+		},
+		InternetGateway: InternetGateway{
+			Preconfigured: true,
+		},
+	}
+}
+
+func NewPrivateSubnetWithPreconfiguredNATGateway(az string, cidr string, rtb string) Subnet {
+	return Subnet{
+		AvailabilityZone: az,
+		InstanceCIDR:     cidr,
+		Private:          true,
+		RouteTable: RouteTable{
+			Identifier: Identifier{
+				ID: rtb,
+			},
+		},
+		NATGateway: NATGatewayConfig{
+			Preconfigured: true,
+		},
+	}
+}
+
 func NewImportedPrivateSubnet(az string, name string) Subnet {
 	return Subnet{
 		Identifier: Identifier{
@@ -130,8 +162,8 @@ func (s *Subnet) ManageRouteTable() bool {
 	return !s.RouteTable.HasIdentifier()
 }
 
-func (s *Subnet) ManageInternetGateway() bool {
-	return !s.InternetGateway.HasIdentifier()
+func (s *Subnet) ManageRouteToInternet() bool {
+	return s.Public() && !s.InternetGateway.Preconfigured
 }
 
 func (s *Subnet) NATGatewayRouteName() string {
@@ -153,10 +185,6 @@ func (s *Subnet) RouteTableRef() string {
 	return s.RouteTable.Ref(logicalName)
 }
 
-type InternetGateway struct {
-	Identifier `yaml:",inline"`
-}
-
 type RouteTable struct {
 	Identifier `yaml:",inline"`
 }