From 01be7c9fd94e1bc5e9f8d84dc7fd6955fc5854e9 Mon Sep 17 00:00:00 2001 From: Marcus Noble Date: Mon, 9 Jan 2023 15:30:36 +0000 Subject: [PATCH] WiP: Flexible subnet configuration Signed-off-by: Marcus Noble --- helm/cluster-aws/templates/_aws_cluster.tpl | 7 ++- helm/cluster-aws/templates/_bastion.tpl | 7 +++ helm/cluster-aws/templates/_control_plane.tpl | 7 +++ helm/cluster-aws/templates/_machine_pools.tpl | 11 ++-- .../templates/_registry-secret.yaml | 6 +- helm/cluster-aws/values.yaml | 55 ++++++++++++++++++- 6 files changed, 80 insertions(+), 13 deletions(-) diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl index 8d1242ac..17609c1e 100644 --- a/helm/cluster-aws/templates/_aws_cluster.tpl +++ b/helm/cluster-aws/templates/_aws_cluster.tpl @@ -34,13 +34,14 @@ spec: vpc: availabilityZoneUsageLimit: {{ .Values.network.availabilityZoneUsageLimit }} cidrBlock: {{ .Values.network.vpcCIDR }} - {{- if (eq .Values.network.vpcMode "private") }} subnets: {{- range $i, $subnet := .Values.network.subnets }} - cidrBlock: "{{ $subnet.cidrBlock }}" availabilityZone: "{{ include "aws-region" $ }}{{ add 97 $i | printf "%c" }}" - {{- end -}} - {{ end }} + isPublic: {{ $subnet.isPublic }} + tags: + {{- toYaml $subnet.tags | nindent 8 }} + {{- end }} sshKeyName: ssh-key region: {{ include "aws-region" . }} {{ end }} diff --git a/helm/cluster-aws/templates/_bastion.tpl b/helm/cluster-aws/templates/_bastion.tpl index fda1e08e..91f58001 100644 --- a/helm/cluster-aws/templates/_bastion.tpl +++ b/helm/cluster-aws/templates/_bastion.tpl @@ -26,6 +26,13 @@ template: values: - owned uncompressedUserData: true + subnet: + filters: + {{- range $i, $tags := .Values.controlPlane.subnetTags }} + - name: tag:{{ keys $tags | first }} + values: + - {{ index $tags (keys $tags | first) }} + {{- end }} {{- end }} {{- define "bastion" }} 
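Review bot: The rewritten subnets loop in _aws_cluster.tpl still derives `availabilityZone` from the loop index (`{{ add 97 $i | printf "%c" }}`, context line of this hunk) even though values.yaml in this same commit gives every subnet an explicit `availabilityZone` and lists nine of them, so the fourth entry would render as `<region>d` and the ninth as `<region>i`, and the per-subnet field is silently ignored. The line should read the value instead, e.g. `availabilityZone: "{{ $subnet.availabilityZone }}"` (or `"{{ include "aws-region" $ }}{{ $subnet.availabilityZone }}"` if the values are meant to hold only the zone suffix). `{{- toYaml $subnet.tags | nindent 8 }}` renders a literal `null` when a subnet has no `tags`, so wrapping the two new lines in `{{- with $subnet.tags }}` … `{{- end }}` keeps the output valid for untagged subnets. With the `vpcMode` guard removed, an empty `.Values.network.subnets` now renders a bare `subnets:` (null) rather than omitting the key; worth confirming that CAPA accepts that. The enclosing `define` starts before the hunk.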
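Review bot: The bastion's new subnet filters iterate `.Values.controlPlane.subnetTags`, but the values.yaml hunk in this commit introduces a separate `bastion.subnetTags` list that this template never reads, so the bastion cannot be placed independently of the control plane; the range should be `{{- range $i, $tags := .Values.bastion.subnetTags }}`. Each entry contributes only its first key (`keys $tags | first`), so a map with two tags silently drops the second; the same pattern is in the _control_plane.tpl and _machine_pools.tpl hunks, and either each entry should be documented as single-key or the loop should range over the map's keys. The filter value is emitted as a plain scalar, so a tag value like `true` or an all-digit string would be retyped by the YAML parser; `- {{ index $tags (keys $tags | first) | quote }}` avoids that. The enclosing `define` starts before the hunk.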
diff --git a/helm/cluster-aws/templates/_control_plane.tpl b/helm/cluster-aws/templates/_control_plane.tpl index 7b025d48..1e1e2735 100644 --- a/helm/cluster-aws/templates/_control_plane.tpl +++ b/helm/cluster-aws/templates/_control_plane.tpl @@ -31,6 +31,13 @@ template: type: gp3 iamInstanceProfile: control-plane-{{ include "resource.default.name" $ }} sshKeyName: "" + subnet: + filters: + {{- range $i, $tags := .Values.controlPlane.subnetTags }} + - name: tag:{{ keys $tags | first }} + values: + - {{ index $tags (keys $tags | first) }} + {{- end }} {{- end }} {{- define "control-plane" }} diff --git a/helm/cluster-aws/templates/_machine_pools.tpl b/helm/cluster-aws/templates/_machine_pools.tpl index 6f74a318..71d34c88 100644 --- a/helm/cluster-aws/templates/_machine_pools.tpl +++ b/helm/cluster-aws/templates/_machine_pools.tpl @@ -39,14 +39,11 @@ spec: availabilityZones: {{ include "aws-availability-zones" . | nindent 2 }} subnets: - filters: - - name: tag:sigs.k8s.io/cluster-api-provider-aws/cluster/{{ include "resource.default.name" $ }} + {{- range $i, $tags := .subnetTags }} + - name: tag:{{ keys $tags | first }} values: - - owned - - name: tag:sigs.k8s.io/cluster-api-provider-aws/role - values: - - private - - name: availabilityZone - values: {{ include "aws-availability-zones" . | nindent 6 }} + - {{ index $tags (keys $tags | first) }} + {{- end }} awsLaunchTemplate: {{- include "ami" $ | nindent 4 }} iamInstanceProfile: nodes-{{ .name }}-{{ include "resource.default.name" $ }} diff --git a/helm/cluster-aws/templates/_registry-secret.yaml b/helm/cluster-aws/templates/_registry-secret.yaml index c9ccfc85..8ba4f6ec 100644 --- a/helm/cluster-aws/templates/_registry-secret.yaml +++ b/helm/cluster-aws/templates/_registry-secret.yaml 
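Review bot: When `.Values.controlPlane.subnetTags` is unset or empty, the new block in _control_plane.tpl still emits `subnet:` with a null `filters:`, which CAPA may reject or treat as an unconstrained lookup; guarding the whole block with `{{- with .Values.controlPlane.subnetTags }}` / `{{- range $tags := . }}` / a closing `{{- end }}` omits the key entirely in that case. The same applies to the bastion and machine-pool hunks of this commit. `$i` is never used inside the range, so `{{- range $tags := ... }}` is the cleaner form. The enclosing `define` starts before the hunk.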
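Review bot: The rewritten machine-pool filters drop both the `tag:sigs.k8s.io/cluster-api-provider-aws/cluster/<name>: owned` ownership filter and the `availabilityZone` filter that the removed lines carried, so subnet selection now depends solely on the role tag; if subnets of another cluster carrying the same `subnet.giantswarm.io/role` tag are visible to the lookup they could be matched, and the `availabilityZones:` list kept above this block no longer constrains which subnets are chosen. Consider keeping the ownership filter as a fixed entry ahead of the range: `- name: tag:sigs.k8s.io/cluster-api-provider-aws/cluster/{{ include "resource.default.name" $ }}` / `values:` / `- owned`. The bastion and control-plane filters added in this commit likewise have no ownership filter. The enclosing `define` starts before the hunk.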
@@ -1,10 +1,12 @@ {{- define "registry-secret" -}} -{{- if and .Values.registry .Values.registry.configure -}} +{{- if .Values.registry -}} +{{- if .Values.registry.configure -}} apiVersion: v1 kind: Secret metadata: - name: {{ include "resource.default.name" $ }}-registry-configuration + name: {{ include "resource.default.name" $ }}-registry-configuration data: registry-config.toml: {{ tpl ($.Files.Get "files/etc/containerd/conf.d/registry-config.toml") $ | b64enc | quote }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml index 4873f598..1090c78f 100644 --- a/helm/cluster-aws/values.yaml +++ b/helm/cluster-aws/values.yaml 
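Review bot: Splitting `if and .Values.registry .Values.registry.configure` into two nested `if`s deserves a comment so a later cleanup does not fold it back; presumably the motivation is that `and` evaluates both operands on the Helm/Go version in use, making `.Values.registry.configure` fail when `registry` is nil. Suggest placing `{{- /* nested ifs on purpose: "and" evaluates both operands, so .Values.registry.configure would error when registry is unset */ -}}` above the first `if`. The `name:` line is shown as changed but its visible text is identical, so that is presumably a whitespace-only change.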
@@ -46,15 +46,64 @@ network: # prefixListID is the ID of the Managed Prefix List to use when `mode` is set to `UserManaged`. prefixListID: "" + # subnets defines all the subnets for a cluster. + # There must be at least as many as the value of `availabilityZoneUsageLimit` and all subnets must be within the `vpcCIDR` range. subnets: - - cidrBlock: 10.0.0.0/18 + - cidrBlock: 10.0.0.0/23 + availabilityZone: eu-west-1a + isPublic: true + tags: + subnet.giantswarm.io/role: load-balancers + - cidrBlock: 10.0.2.0/23 + availabilityZone: eu-west-1b + isPublic: true + tags: + subnet.giantswarm.io/role: load-balancers + - cidrBlock: 10.0.4.0/23 + availabilityZone: eu-west-1c + isPublic: true + tags: + subnet.giantswarm.io/role: load-balancers + + - cidrBlock: 10.0.6.0/23 + availabilityZone: eu-west-1a + isPublic: false + tags: + subnet.giantswarm.io/role: control-plane + - cidrBlock: 10.0.8.0/23 + availabilityZone: eu-west-1b + isPublic: false + tags: + subnet.giantswarm.io/role: control-plane + - cidrBlock: 10.0.10.0/23 + availabilityZone: eu-west-1c + isPublic: false + tags: + subnet.giantswarm.io/role: control-plane + - cidrBlock: 10.0.64.0/18 + availabilityZone: eu-west-1a + isPublic: false + tags: + subnet.giantswarm.io/role: workers - cidrBlock: 10.0.128.0/18 + availabilityZone: eu-west-1b + isPublic: false + tags: + subnet.giantswarm.io/role: workers + - cidrBlock: 10.0.192.0/18 + availabilityZone: eu-west-1c + isPublic: false + tags: + subnet.giantswarm.io/role: workers + bastion: enabled: true instanceType: t3.small replicas: 1 + subnetTags: + - subnet.giantswarm.io/role: control-plane controlPlane: instanceType: m5.xlarge @@ -62,6 +111,8 @@ controlPlane: etcdVolumeSizeGB: 100 containerdVolumeSizeGB: 100 kubeletVolumeSizeGB: 100 + subnetTags: + - subnet.giantswarm.io/role: control-plane machinePools: - name: def00 # Name of node pool. 
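Review bot: The new default subnets hard-code `eu-west-1a`/`b`/`c` in a chart whose templates otherwise derive the region via `include "aws-region"`, and the _aws_cluster.tpl hunk in this commit does not read `availabilityZone` at all, so the field is currently inert; either the template should consume it or the `subnets` comment should say the zone is derived from list position. That comment should also document `isPublic` (only the `load-balancers` entries are `true` here; presumably this maps to CAPA's public-subnet routing) and the purpose of `tags`, since they drive the new `subnetTags` filters. The `subnetTags` lists added for `bastion`, `controlPlane` and `machinePools` (the latter two in the following hunks) need a comment such as `# subnetTags selects the subnets by tag; each entry must be exactly one key/value pair, as only the first key is used.` Note the bastion default points at the private (`isPublic: false`) control-plane subnet, so it will not be reachable from outside the VPC unless that is intended.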
@@ -76,6 +127,8 @@ machinePools: # - key: "" # value: "" # effect: "" # Valid effects are NoSchedule, PreferNoSchedule and NoExecute. + subnetTags: + - subnet.giantswarm.io/role: workers sshSSOPublicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4cvZ01fLmO9cJbWUj7sfF+NhECgy+Cl0bazSrZX7sU vault-ca@vault.operations.giantswarm.io" flatcarAWSAccount: "075585003325"