diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index bf85feb7ac312e735188bcf7780d75700e0f8c47..b585cd6009b6cc4a51db4fb4ff13bf902d9c4c03 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -21,49 +21,49 @@ resource "hcloud_firewall" "k8s-node" {
direction = "in"
protocol = "tcp"
port = "10250"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Kubernetes NodePort"
direction = "in"
protocol = "tcp"
port = "30000-32767"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Kubernetes NodePort"
direction = "in"
protocol = "udp"
port = "30000-32767"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Calico BGP"
direction = "in"
protocol = "tcp"
port = "179"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Calico VXLAN"
direction = "in"
protocol = "udp"
port = "4789"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Calico Typha"
direction = "in"
protocol = "tcp"
port = "5473"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Calico Wireguard"
direction = "in"
protocol = "udp"
port = "51820"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
# Host level services, including the node exporter on ports 9100-9101.
rule {
@@ -71,7 +71,7 @@ resource "hcloud_firewall" "k8s-node" {
direction = "in"
protocol = "tcp"
port = "9000-9999"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
# Host level services, including the node exporter on ports 9100-9101.
rule {
@@ -79,7 +79,7 @@ resource "hcloud_firewall" "k8s-node" {
direction = "in"
protocol = "udp"
port = "9000-9999"
- source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
}
@@ -87,7 +87,7 @@ resource "hcloud_firewall" "k8s-node" {
resource "hcloud_firewall" "k8s-master" {
name = "k8s-master"
apply_to {
- label_selector = "k8s.io/master"
+ label_selector = "k8s.io/controlplane"
}
# ICMP is always a good idea
@@ -107,28 +107,28 @@ resource "hcloud_firewall" "k8s-master" {
direction = "in"
protocol = "tcp"
port = "6443"
- source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.nodes.ipv4_addresses) : "${s}/32"]
+ source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "etcd"
direction = "in"
protocol = "tcp"
port = "2379-2381"
- source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"]
+ source_ips = [for s in module.controllers.ipv4_addresses : "${s}/32"]
}
rule {
description = "kube-scheduler"
direction = "in"
protocol = "tcp"
port = "10251"
- source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "kube-controller-manager"
direction = "in"
protocol = "tcp"
port = "10252"
- source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"]
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
}
@@ -155,13 +155,13 @@ resource "hcloud_firewall" "k8s-ingress" {
direction = "in"
protocol = "tcp"
port = "32080"
- source_ips = [for s in [hcloud_load_balancer.lb.ipv4] : "${s}/32"]
+ source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
description = "Public HTTPS"
direction = "in"
protocol = "tcp"
port = "32443"
- source_ips = [for s in [hcloud_load_balancer.lb.ipv4] : "${s}/32"]
+ source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
}
diff --git a/terraform/loadbalancer.tf b/terraform/loadbalancer.tf
index f01dca818304fd3be5c6c6d45a2c1261e39aa95c..3ff60529b48f2dea71a1f3ac193d316a5ba06ba3 100644
--- a/terraform/loadbalancer.tf
+++ b/terraform/loadbalancer.tf
@@ -7,7 +7,7 @@ resource "hcloud_load_balancer" "lb" {
resource "hcloud_load_balancer_target" "lb_target_master" {
type = "label_selector"
load_balancer_id = hcloud_load_balancer.lb.id
- label_selector = "k8s.io/master"
+ label_selector = "k8s.io/controlplane"
use_private_ip = false
}
diff --git a/terraform/main.tf b/terraform/main.tf
index cd1dd2a206c5869a571559e29d96970324b9b128..cd652b33d4e9bd2cef173e7b850ae152c01a46bb 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -6,17 +6,17 @@ resource "hcloud_placement_group" "k8s" {
}
}
-module "nodes" {
+module "controllers" {
source = "./modules/hcloud_instance"
instance_count = var.replicas_nodes
location = var.location
- name = "node"
+ name = "cp"
dns_domain = var.dns_domain
dns_zone_id = var.dns_zone_id
image = var.image
labels = {
"k8s.io/node" = "true",
- "k8s.io/master" = "true",
+ "k8s.io/controlplane" = "true",
"k8s.io/ingress" = "true",
}
placement_group_id = hcloud_placement_group.k8s.id