Move security group setting to kubecluster.yaml

Currently security group is created for each kube masters and kube minions. It's very redundant. This patch moves security group setting to kubecluster.yaml to share. Change-Id: Idb6cdb5c5c6015b29331238f7fbbcd92e1a70d83 Closes-Bug: #1499184
2015-09-24 15:50:00 +09:00 · 2015-09-24 15:50:00 +09:00 · 6742074286
parent 115a8a3405
commit 6742074286
3 changed files with 56 additions and 43 deletions
--- a/magnum/templates/heat-kubernetes/kubecluster.yaml
+++ b/magnum/templates/heat-kubernetes/kubecluster.yaml
@ -266,6 +266,46 @@ resources:
      router_id: {get_resource: extrouter}
      subnet: {get_resource: fixed_subnet}

+  ######################################################################
+  #
+  # security groups.  we need to permit network traffic of various
+  # sorts.
+  #
+
+  secgroup_base:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      rules:
+        - protocol: icmp
+        - protocol: tcp
+          port_range_min: 22
+          port_range_max: 22
+
+  secgroup_kube_master:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      rules:
+        - protocol: tcp
+          port_range_min: 7080
+          port_range_max: 7080
+        - protocol: tcp
+          port_range_min: 8080
+          port_range_max: 8080
+        - protocol: tcp
+          port_range_min: 2379
+          port_range_max: 2379
+        - protocol: tcp
+          port_range_min: 2380
+          port_range_max: 2380
+
+  secgroup_kube_minion:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      rules:
+        - protocol: icmp
+        - protocol: tcp
+        - protocol: udp
+
  ######################################################################
  #
  # load balancers.
@ -357,6 +397,8 @@ resources:
          tenant_name: {get_param: tenant_name}
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
+          secgroup_base_id: {get_resource: secgroup_base}
+          secgroup_kube_master_id: {get_resource: secgroup_kube_master}

  ######################################################################
  #
@ -403,6 +445,7 @@ resources:
          magnum_url: {get_param: magnum_url}
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
+          secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}

 outputs:

--- a/magnum/templates/heat-kubernetes/kubemaster.yaml
+++ b/magnum/templates/heat-kubernetes/kubemaster.yaml
@ -107,6 +107,12 @@ parameters:
    type: number
    description : >
      timeout for the Wait Conditions
+  secgroup_base_id:
+    type: string
+    description: ID of the security group for base.
+  secgroup_kube_master_id:
+    type: string
+    description: ID of the security group for kubernetes master.
  api_pool_id:
    type: string
    description: ID of the load balancer pool of k8s API server.
@ -142,38 +148,6 @@ resources:
      handle: {get_resource: master_wait_handle}
      timeout: {get_param: wait_condition_timeout}

-  ######################################################################
-  #
-  # security groups.  we need to permit network traffic of various
-  # sorts.
-  #
-
-  secgroup_base:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: icmp
-        - protocol: tcp
-          port_range_min: 22
-          port_range_max: 22
-
-  secgroup_kubernetes:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: tcp
-          port_range_min: 7080
-          port_range_max: 7080
-        - protocol: tcp
-          port_range_min: {get_param: kubernetes_port}
-          port_range_max: {get_param: kubernetes_port}
-        - protocol: tcp
-          port_range_min: 2379
-          port_range_max: 2379
-        - protocol: tcp
-          port_range_min: 2380
-          port_range_max: 2380
-
  ######################################################################
  #
  # software configs.  these are components that are combined into
@ -318,8 +292,8 @@ resources:
    properties:
      network: {get_param: fixed_network}
      security_groups:
-        - {get_resource: secgroup_base}
-        - {get_resource: secgroup_kubernetes}
+        - {get_param: secgroup_base_id}
+        - {get_param: secgroup_kube_master_id}
      fixed_ips:
        - subnet: {get_param: fixed_subnet}
      replacement_policy: AUTO
--- a/magnum/templates/heat-kubernetes/kubeminion.yaml
+++ b/magnum/templates/heat-kubernetes/kubeminion.yaml
@ -145,6 +145,10 @@ parameters:
      size fo the data segments for the swift dynamic large objects
    default: 5242880

+  secgroup_kube_minion_id:
+    type: string
+    description: ID of the security group for kubernetes minion.
+
 resources:

  minion_wait_handle:
@ -157,14 +161,6 @@ resources:
      handle: {get_resource: minion_wait_handle}
      timeout: {get_param: wait_condition_timeout}

-  secgroup_all_open:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: icmp
-        - protocol: tcp
-        - protocol: udp
-
  ######################################################################
  #
  # software configs.  these are components that are combined into
@ -329,7 +325,7 @@ resources:
    properties:
      network: {get_param: fixed_network}
      security_groups:
-        - get_resource: secgroup_all_open
+        - get_param: secgroup_kube_minion_id
      fixed_ips:
        - subnet: {get_param: fixed_subnet}
      replacement_policy: AUTO