WiP: Flexible subnet configuration

Signed-off-by: Marcus Noble <[email protected]>
giantswarm · Jan 9, 2023 · 01be7c9 · 01be7c9
1 parent 49e01ec
commit 01be7c9
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 13 deletions.
diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -34,13 +34,14 @@ spec:
     vpc:
       availabilityZoneUsageLimit: {{ .Values.network.availabilityZoneUsageLimit }}
       cidrBlock: {{ .Values.network.vpcCIDR }}
-    {{- if (eq .Values.network.vpcMode "private") }}
     subnets:
     {{- range $i, $subnet := .Values.network.subnets }}
     - cidrBlock: "{{ $subnet.cidrBlock }}"
       availabilityZone: "{{ include "aws-region" $ }}{{ add 97 $i | printf "%c" }}"
-    {{- end -}}
-    {{ end }}
+      isPublic: {{ $subnet.isPublic }}
+      tags:
+        {{- toYaml $subnet.tags | nindent 8 }}
+    {{- end }}
   sshKeyName: ssh-key
   region: {{ include "aws-region" . }}
 {{ end }}
diff --git a/helm/cluster-aws/templates/_bastion.tpl b/helm/cluster-aws/templates/_bastion.tpl
@@ -26,6 +26,13 @@ template:
         values:
         - owned
     uncompressedUserData: true
+    subnet:
+      filters:
+        {{- range $i, $tags :=  .Values.controlPlane.subnetTags }}
+        - name: tag:{{ keys $tags | first }}
+          values:
+          - {{ index $tags (keys $tags | first) }}
+        {{- end }}
 {{- end }}
 
 {{- define "bastion" }}

diff --git a/helm/cluster-aws/templates/_control_plane.tpl b/helm/cluster-aws/templates/_control_plane.tpl
@@ -31,6 +31,13 @@ template:
       type: gp3
     iamInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
     sshKeyName: ""
+    subnet:
+      filters:
+        {{- range $i, $tags :=  .Values.controlPlane.subnetTags }}
+        - name: tag:{{ keys $tags | first }}
+          values:
+          - {{ index $tags (keys $tags | first) }}
+        {{- end }}
 {{- end }}
 
 {{- define "control-plane" }}

diff --git a/helm/cluster-aws/templates/_machine_pools.tpl b/helm/cluster-aws/templates/_machine_pools.tpl
@@ -39,14 +39,11 @@ spec:
   availabilityZones: {{ include "aws-availability-zones" . | nindent 2 }}
   subnets:
   - filters:
-    - name: tag:sigs.k8s.io/cluster-api-provider-aws/cluster/{{ include "resource.default.name" $ }}
+    {{- range $i, $tags :=  .subnetTags }}
+    - name: tag:{{ keys $tags | first }}
       values:
-      - owned
-    - name: tag:sigs.k8s.io/cluster-api-provider-aws/role
-      values:
-      - private
-    - name: availabilityZone
-      values: {{ include "aws-availability-zones" . | nindent 6 }}
+      - {{ index $tags (keys $tags | first) }}
+    {{- end }}
   awsLaunchTemplate:
     {{- include "ami" $ | nindent 4 }}
     iamInstanceProfile: nodes-{{ .name }}-{{ include "resource.default.name" $ }}

diff --git a/helm/cluster-aws/templates/_registry-secret.yaml b/helm/cluster-aws/templates/_registry-secret.yaml
@@ -1,10 +1,12 @@
 {{- define "registry-secret" -}}
-{{- if and .Values.registry .Values.registry.configure -}}
+{{- if .Values.registry -}}
+{{- if .Values.registry.configure -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "resource.default.name" $ }}-registry-configuration 
+  name: {{ include "resource.default.name" $ }}-registry-configuration
 data:
   registry-config.toml: {{ tpl ($.Files.Get "files/etc/containerd/conf.d/registry-config.toml") $ | b64enc | quote }}
 {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
@@ -46,22 +46,73 @@ network:
   # prefixListID is the ID of the Managed Prefix List to use when `mode` is set to `UserManaged`.
   prefixListID: ""
 
+  # subnets defines all the subnets for a cluster.
+  # There must be at least as many as the value of `availabilityZoneUsageLimit` and all subnets must be within the `vpcCIDR` range.
   subnets:
-  - cidrBlock: 10.0.0.0/18
+  - cidrBlock: 10.0.0.0/23
+    availabilityZone: eu-west-1a
+    isPublic: true
+    tags:
+      subnet.giantswarm.io/role: load-balancers
+  - cidrBlock: 10.0.2.0/23
+    availabilityZone: eu-west-1b
+    isPublic: true
+    tags:
+      subnet.giantswarm.io/role: load-balancers
+  - cidrBlock: 10.0.4.0/23
+    availabilityZone: eu-west-1c
+    isPublic: true
+    tags:
+      subnet.giantswarm.io/role: load-balancers
+
+  - cidrBlock: 10.0.6.0/23
+    availabilityZone: eu-west-1a
+    isPublic: false
+    tags:
+      subnet.giantswarm.io/role: control-plane
+  - cidrBlock: 10.0.8.0/23
+    availabilityZone: eu-west-1b
+    isPublic: false
+    tags:
+      subnet.giantswarm.io/role: control-plane
+  - cidrBlock: 10.0.10.0/23
+    availabilityZone: eu-west-1c
+    isPublic: false
+    tags:
+      subnet.giantswarm.io/role: control-plane
+
   - cidrBlock: 10.0.64.0/18
+    availabilityZone: eu-west-1a
+    isPublic: false
+    tags:
+      subnet.giantswarm.io/role: workers
   - cidrBlock: 10.0.128.0/18
+    availabilityZone: eu-west-1b
+    isPublic: false
+    tags:
+      subnet.giantswarm.io/role: workers
+  - cidrBlock: 10.0.192.0/18
+    availabilityZone: eu-west-1c
+    isPublic: false
+    tags:
+      subnet.giantswarm.io/role: workers
+
 
 bastion:
   enabled: true
   instanceType: t3.small
   replicas: 1
+  subnetTags:
+    - subnet.giantswarm.io/role: control-plane
 
 controlPlane:
   instanceType: m5.xlarge
   rootVolumeSizeGB: 120
   etcdVolumeSizeGB: 100
   containerdVolumeSizeGB: 100
   kubeletVolumeSizeGB: 100
+  subnetTags:
+    - subnet.giantswarm.io/role: control-plane
 
 machinePools:
 - name: def00  # Name of node pool.
@@ -76,6 +127,8 @@ machinePools:
   # - key: ""
   #   value: ""
   #   effect: "" # Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
+  subnetTags:
+    - subnet.giantswarm.io/role: workers
 
 sshSSOPublicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4cvZ01fLmO9cJbWUj7sfF+NhECgy+Cl0bazSrZX7sU [email protected]"
 flatcarAWSAccount: "075585003325"