Add missing security groups for cilium etcd

kubernetes · Aug 11, 2023 · 7679c36 · 7679c36
1 parent edac43f
commit 7679c36
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/pkg/model/openstackmodel/firewall.go b/pkg/model/openstackmodel/firewall.go
@@ -149,6 +149,8 @@ func (b *FirewallModelBuilder) addSSHRules(c *fi.CloudupModelBuilderContext, sgM
 func (b *FirewallModelBuilder) addETCDRules(c *fi.CloudupModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
 	masterName := b.SecurityGroupName(kops.InstanceGroupRoleControlPlane)
 	masterSG := sgMap[masterName]
+	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
+	nodeSG := sgMap[nodeName]
 
 	// ETCD Peer Discovery
 	etcdRule := &openstacktasks.SecurityGroupRule{
@@ -170,6 +172,37 @@ func (b *FirewallModelBuilder) addETCDRules(c *fi.CloudupModelBuilderContext, sg
 	b.addDirectionalGroupRule(c, masterSG, masterSG, etcdRule)
 	b.addDirectionalGroupRule(c, masterSG, masterSG, etcdPeerRule)
 
+	if b.Cluster.Spec.Networking.Cilium != nil && b.Cluster.Spec.Networking.Cilium.EtcdManaged {
+		etcdCiliumPeerRule := &openstacktasks.SecurityGroupRule{
+			Lifecycle:    b.Lifecycle,
+			Direction:    s(string(rules.DirIngress)),
+			Protocol:     s(string(rules.ProtocolTCP)),
+			EtherType:    s(IPV4),
+			PortRangeMin: i(2382),
+			PortRangeMax: i(2382),
+		}
+		etcdCiliumGRPCRule := &openstacktasks.SecurityGroupRule{
+			Lifecycle:    b.Lifecycle,
+			Direction:    s(string(rules.DirIngress)),
+			Protocol:     s(string(rules.ProtocolTCP)),
+			EtherType:    s(IPV4),
+			PortRangeMin: i(wellknownports.EtcdCiliumGRPC),
+			PortRangeMax: i(wellknownports.EtcdCiliumGRPC),
+		}
+		etcdCiliumClientRule := &openstacktasks.SecurityGroupRule{
+			Lifecycle:    b.Lifecycle,
+			Direction:    s(string(rules.DirIngress)),
+			Protocol:     s(string(rules.ProtocolTCP)),
+			EtherType:    s(IPV4),
+			PortRangeMin: i(wellknownports.EtcdCiliumClientPort),
+			PortRangeMax: i(wellknownports.EtcdCiliumClientPort),
+		}
+		b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumPeerRule)
+		b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumGRPCRule)
+		b.addDirectionalGroupRule(c, masterSG, masterSG, etcdCiliumClientRule)
+		b.addDirectionalGroupRule(c, nodeSG, masterSG, etcdCiliumClientRule)
+	}
+
 	for _, portRange := range wellknownports.ETCDPortRanges() {
 		etcdMgmrRule := &openstacktasks.SecurityGroupRule{
 			Lifecycle:    b.Lifecycle,