diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index c19819f459bffb95ac4ec09874cca4903cf068a8..bf85feb7ac312e735188bcf7780d75700e0f8c47 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -8,78 +8,78 @@ resource "hcloud_firewall" "k8s-node" { # # Network reachability tests rule { - description = "ICMP" - direction = "in" - protocol = "icmp" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] + description = "ICMP" + direction = "in" + protocol = "icmp" + source_ips = [ + "0.0.0.0/0", + "::/0" + ] } rule { - description = "Kublet" - direction = "in" - protocol = "tcp" - port = "10250" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Kublet" + direction = "in" + protocol = "tcp" + port = "10250" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } rule { - description = "Kubernetes NodePort" - direction = "in" - protocol = "tcp" - port = "30000-32767" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Kubernetes NodePort" + direction = "in" + protocol = "tcp" + port = "30000-32767" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } rule { - description = "Kubernetes NodePort" - direction = "in" - protocol = "udp" - port = "30000-32767" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Kubernetes NodePort" + direction = "in" + protocol = "udp" + port = "30000-32767" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } rule { - description = "Calico BGP" - direction = "in" - protocol = "tcp" - port = "179" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Calico BGP" + direction = "in" + protocol = "tcp" + port = "179" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } rule { - description = "Calico VXLAN" - direction = "in" - protocol = "udp" - port = "4789" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Calico VXLAN" + direction = "in" + protocol = "udp" + port = "4789" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } rule { - 
description = "Calico Typha" - direction = "in" - protocol = "tcp" - port = "5473" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Calico Typha" + direction = "in" + protocol = "tcp" + port = "5473" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } rule { - description = "Calico Wireguard" - direction = "in" - protocol = "udp" - port = "51820" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Calico Wireguard" + direction = "in" + protocol = "udp" + port = "51820" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } # Host level services, including the node exporter on ports 9100-9101. rule { - description = "Host level services" - direction = "in" - protocol = "tcp" - port = "9000-9999" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Host level services" + direction = "in" + protocol = "tcp" + port = "9000-9999" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } # Host level services, including the node exporter on ports 9100-9101. rule { - description = "Host level services" - direction = "in" - protocol = "udp" - port = "9000-9999" - source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] + description = "Host level services" + direction = "in" + protocol = "udp" + port = "9000-9999" + source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"] } } 
@@ -94,41 +94,41 @@ resource "hcloud_firewall" "k8s-master" { # # Network reachability tests rule { - description = "ICMP" - direction = "in" - protocol = "icmp" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] + description = "ICMP" + direction = "in" + protocol = "icmp" + source_ips = [ + "0.0.0.0/0", + "::/0" + ] } rule { - description = "Kubernetes API" - direction = "in" - protocol = "tcp" - port = "6443" - source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4],module.nodes.ipv4_addresses) : "${s}/32"] + description = "Kubernetes API" + direction = "in" + protocol = "tcp" + port = "6443" + source_ips = [for s in concat([hcloud_load_balancer.lb.ipv4], module.nodes.ipv4_addresses) : "${s}/32"] } rule { - description = "etcd" - direction = "in" - protocol = "tcp" - port = "2379-2381" - source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"] + description = "etcd" + direction = "in" + protocol = "tcp" + port = "2379-2381" + source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"] } rule { - description = "kube-scheduler" - direction = "in" - protocol = "tcp" - port = "10251" - source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"] + description = "kube-scheduler" + direction = "in" + protocol = "tcp" + port = "10251" + source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"] } rule { - description = "kube-controller-manager" - direction = "in" - protocol = "tcp" - port = "10252" - source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"] + description = "kube-controller-manager" + direction = "in" + protocol = "tcp" + port = "10252" + source_ips = [for s in module.nodes.ipv4_addresses : "${s}/32"] } } 
@@ -142,26 +142,26 @@ resource "hcloud_firewall" "k8s-ingress" { # # Network reachability tests rule { - description = "ICMP" - direction = "in" - protocol = "icmp" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] + description = "ICMP" + direction = "in" + protocol = "icmp" + source_ips = [ + "0.0.0.0/0", + "::/0" + ] } rule { - description = "Public HTTP" - direction = "in" - protocol = "tcp" - port = "32080" - source_ips = [for s in [hcloud_load_balancer.lb.ipv4] : "${s}/32"] + description = "Public HTTP" + direction = "in" + protocol = "tcp" + port = "32080" + source_ips = [for s in [hcloud_load_balancer.lb.ipv4] : "${s}/32"] } rule { - description = "Public HTTPS" - direction = "in" - protocol = "tcp" - port = "32443" - source_ips = [for s in [hcloud_load_balancer.lb.ipv4] : "${s}/32"] + description = "Public HTTPS" + direction = "in" + protocol = "tcp" + port = "32443" + source_ips = [for s in [hcloud_load_balancer.lb.ipv4] : "${s}/32"] } } diff --git a/terraform/main.tf b/terraform/main.tf index 40685a3f0dde1314e3044f138497db76279de5a0..cd1dd2a206c5869a571559e29d96970324b9b128 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -14,16 +14,16 @@ module "nodes" { dns_domain = var.dns_domain dns_zone_id = var.dns_zone_id image = var.image - labels = { - "k8s.io/node" = "true", - "k8s.io/master" = "true", + labels = { + "k8s.io/node" = "true", + "k8s.io/master" = "true", "k8s.io/ingress" = "true", } placement_group_id = hcloud_placement_group.k8s.id - ssh_keys = data.hcloud_ssh_keys.all_keys.ssh_keys.*.name - server_type = "cx21" - user_data = file("templates/cloud-init.tpl") - enable_IPv6 = false + ssh_keys = data.hcloud_ssh_keys.all_keys.ssh_keys.*.name + server_type = "cx21" + user_data = file("templates/cloud-init.tpl") + enable_IPv6 = false } module "workers" { 
@@ -34,12 +34,12 @@ module "workers" { dns_domain = var.dns_domain dns_zone_id = var.dns_zone_id image = var.image - labels = { - "k8s.io/node" = "true", + labels = { + "k8s.io/node" = "true", "k8s.io/worker" = "true" } placement_group_id = hcloud_placement_group.k8s.id - ssh_keys = data.hcloud_ssh_keys.all_keys.ssh_keys.*.name - server_type = "cx21" - user_data = file("templates/cloud-init.tpl") + ssh_keys = data.hcloud_ssh_keys.all_keys.ssh_keys.*.name + server_type = "cx21" + user_data = file("templates/cloud-init.tpl") } diff --git a/terraform/ssh.tf b/terraform/ssh.tf index e99707ebb9900a7f1c77819d7407daa7e1e44e2a..15ac889188ae2a562a2ca2f89ed377e8c9167e2b 100644 --- a/terraform/ssh.tf +++ b/terraform/ssh.tf @@ -19,22 +19,22 @@ resource "hcloud_firewall" "k8s-ssh" { # # Network reachability tests rule { - description = "ICMP" - direction = "in" - protocol = "icmp" - source_ips = [ - "0.0.0.0/0", - "::/0" - ] + description = "ICMP" + direction = "in" + protocol = "icmp" + source_ips = [ + "0.0.0.0/0", + "::/0" + ] } rule { - description = "SSH access" - direction = "in" - protocol = "tcp" - port = "22" - source_ips = [ - "${chomp(data.http.myipv4.body)}/32", - "${replace(chomp(data.http.myipv6.body), "/^([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):.*/", "$1")}::/64", - ] + description = "SSH access" + direction = "in" + protocol = "tcp" + port = "22" + source_ips = [ + "${chomp(data.http.myipv4.body)}/32", + "${replace(chomp(data.http.myipv6.body), "/^([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):.*/", "$1")}::/64", + ] } }