feat(terraform): add firewalls to nodes

akrantz01 · akrantz01 · commit 95bc4e0f755e · 2023-02-13T13:15:41.000-08:00
diff --git a/contour/overlay/envoy-service.yaml b/contour/overlay/envoy-service.yaml
@@ -4,6 +4,7 @@ metadata:
   name: envoy
   namespace: projectcontour
   annotations:
+    kubernetes.digitalocean.com/firewall-managed: "true"
     service.beta.kubernetes.io/do-loadbalancer-protocol: "tcp"
     service.beta.kubernetes.io/do-loadbalancer-http2-ports: "80,443"
     service.beta.kubernetes.io/do-loadbalancer-http3-ports: "443"
diff --git a/terraform/manifests/digitalocean-ccm.yaml b/terraform/manifests/digitalocean-ccm.yaml
@@ -60,6 +60,10 @@ spec:
                 key: access-token
           - name: DO_CLUSTER_VPC_ID
             value: ${vpc_id}
+          - name: PUBLIC_ACCESS_FIREWALL_NAME
+            value: k3s-firewall
+          - name: PUBLIC_ACCESS_FIREWALL_TAGS
+            value: k3s
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/terraform/networking.tf b/terraform/networking.tf
@@ -2,3 +2,75 @@ resource "digitalocean_vpc" "vpc" {
   name   = "k3s-testing"
   region = var.region
 }
+
+resource "digitalocean_firewall" "control_plane" {
+  name = "k3s-control-plane"
+
+  droplet_ids = [digitalocean_droplet.control_plane.id]
+
+  inbound_rule {
+    protocol    = "tcp"
+    port_range  = "6443"
+    source_tags = ["agent"]
+  }
+
+  inbound_rule {
+    protocol    = "tcp"
+    port_range  = "10250"
+    source_tags = ["k3s"]
+  }
+
+  inbound_rule {
+    protocol    = "udp"
+    port_range  = "8472"
+    source_tags = ["k3s"]
+  }
+
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "22"
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  dynamic "outbound_rule" {
+    for_each = ["tcp", "udp"]
+    content {
+      protocol              = outbound_rule.value
+      port_range            = "1-65535"
+      destination_addresses = ["0.0.0.0/0", "::/0"]
+    }
+  }
+}
+
+resource "digitalocean_firewall" "agent" {
+  name = "k3s-agent"
+
+  droplet_ids = [for droplet in digitalocean_droplet.agent : droplet.id]
+
+  inbound_rule {
+    protocol    = "tcp"
+    port_range  = "10250"
+    source_tags = ["k3s"]
+  }
+
+  inbound_rule {
+    protocol    = "udp"
+    port_range  = "8472"
+    source_tags = ["k3s"]
+  }
+
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "22"
+    source_addresses = ["0.0.0.0/0", "::/0"]
+  }
+
+  dynamic "outbound_rule" {
+    for_each = ["tcp", "udp"]
+    content {
+      protocol              = outbound_rule.value
+      port_range            = "1-65535"
+      destination_addresses = ["0.0.0.0/0", "::/0"]
+    }
+  }
+}
