Merge pull request #188 from SUNET/mifr-nft-fixes2

microk8s fixes

facts.d/has_microk8s.sh

@@ -1,6 +1,10 @@
 #!/bin/sh
-
-if [ -f /snap/bin/microk8s ]; then
+if [ -e /var/snap/microk8s/current/var/lock/clustered.lock ]; then
+  echo 'microk8s_role=worker'
+  echo 'microk8s=yes'
+  echo 'microk8s_peers=unknown'
+elif [ -f /snap/bin/microk8s ]; then
+  echo 'microk8s_role=controller'
   echo 'microk8s=yes'
   modules=$(/snap/bin/microk8s status --format short)
   for module in dns ha-cluster openebs traefik; do
@@ -32,4 +36,5 @@ else
   echo 'microk8s_peers=unknown'
   echo 'microk8s_rbac=no'
   echo 'microk8s_traefik=no'
+  echo 'microk8s_role=none'
 fi

manifests/microk8s/node.pp

@@ -10,7 +10,7 @@
   include sunet::packages::snapd
 
   $hiera_peers =  lookup('microk8s_peers', undef, undef, [])
-  if $facts['hostname'] =~ /(^kubew|k8sw-)[0-9]/ {
+  if $facts['microk8s_role'] == 'worker' {
     $type = 'worker'
   } else {
     $type = 'controller'
@@ -20,35 +20,33 @@
     $final_peers = $peers
   } elsif $hiera_peers != [] {
     $final_peers = $hiera_peers
+  }
+  elsif $facts['configured_hosts_in_cosmos']['sunet::microk8s::node'] != [] {
+    $final_peers = $facts['configured_hosts_in_cosmos']['sunet::microk8s::node']
   } else {
-    $final_peers = map(split($facts['microk8s_peers'], ',')) | String $peer| {
-      $peer_ip = $facts[join(['microk8s_peer_', $peer])]
-      "${peer_ip} ${peer}"
-    }
+    warning('Unable to figure out our peers, leaving BROKEN firewalls')
   }
-    # Loop through peers and do things that require their ip:s
-  $final_peers.each | String $peer_tuple| {
-    $peer_ip = split($peer_tuple, ' ')[0]
-    $peer = split($peer_tuple, ' ')[1]
-    unless $peer == 'unknown' or $peer_ip == $facts['ipaddress'] {
-      file_line { "hosts_${peer}":
-        path => '/etc/hosts',
-        line => "${peer_ip} ${peer}",
+  notice('microk8s peers: ',$final_peers)
+  $public_controller_ports = [8080, 8443, 16443]
+  $private_controller_ports = [10250, 10255, 25000, 12379, 10257, 10259, 19001]
+  $private_worker_ports = [10250, 10255, 16443, 25000, 12379, 10257, 10259, 19001]
+  # Loop through peers and do things that require their ip:s
+  $final_peers.each | String $peer| {
+    $peer_ip = dns_lookup($peer)
+    unless $peer == 'unknown' or $facts['ipaddress'] in $peer_ip {
+      $peer_ip.each | String $ip | {
+        file_line { "hosts_${peer}_${ip}":
+          path => '/etc/hosts',
+          line => "${ip} ${peer}",
+        }
       }
     }
-    $public_controller_ports = [8080, 8443, 16443]
-    $private_controller_ports = [10250, 10255, 25000, 12379, 10257, 10259, 19001]
-    $private_worker_ports = [10250, 10255, 16443, 25000, 12379, 10257, 10259, 19001]
     if $::facts['sunet_nftables_enabled'] == 'yes' {
       if $type == 'controller' {
         sunet::nftables::allow { "nft_${peer}_private":
           port => $private_controller_ports,
           from => $peer_ip,
         }
-        sunet::nftables::allow { "nft_${peer}_public":
-          port => $public_controller_ports,
-          from => 'any',
-        }
       } else {
         sunet::nftables::allow { "nft_${peer}_private":
           port => $private_worker_ports,
@@ -62,14 +60,10 @@
       }
     } else {
       if $type == 'controller' {
-        sunet::misc::ufw_allow {"nft_${peer}_private":
+        sunet::misc::ufw_allow { "nft_${peer}_private":
           port => $private_controller_ports,
           from => $peer_ip,
         }
-        sunet::misc::ufw_allow { "nft_${peer}_public":
-          port => $public_controller_ports,
-          from => 'any',
-        }
       } else {
         sunet::misc::ufw_allow { "nft_${peer}_private":
           port => $private_worker_ports,
@@ -83,6 +77,22 @@
       }
     }
   }
+  if $::facts['sunet_nftables_enabled'] == 'yes' {
+    if $type == 'controller' {
+      sunet::nftables::allow { 'nft_public':
+        port => $public_controller_ports,
+        from => 'any',
+      }
+    }
+  }
+  else {
+    if $type == 'controller' {
+      sunet::misc::ufw_allow { 'nft_public':
+        port => $public_controller_ports,
+        from => 'any',
+      }
+    }
+  }
   if $::facts['sunet_nftables_enabled'] == 'yes' {
     file { '/etc/nftables/conf.d/500-microk8s-rules.nft':
       ensure  => file,
@@ -161,8 +171,8 @@
   }
   $namespaces = lookup('microk8s_secrets', undef, undef, {})
   $namespaces.each |String $namespace, Hash $secrets| {
-      $secrets.each |String $name, Array $secret| {
-        set_microk8s_secret($namespace, $name, $secret)
+    $secrets.each |String $name, Array $secret| {
+      set_microk8s_secret($namespace, $name, $secret)
     }
   }
 }

templates/microk8s/500-microk8s-rules.nft.erb

@@ -1,22 +1,6 @@
-table ip filter {
-  chain OUTPUT {
-    oifname "vxlan.calico" counter packets 0 bytes 0 accept
-  }
-  chain INPUT {
-    iifname "vxlan.calico" counter packets 0 bytes 0 accept
-  }
-  chain FORWARD {
-     type filter hook forward priority filter; policy accept;
-  }
-}
-table ip6 filter {
-  chain OUTPUT {
-    oifname "vxlan.calico" counter packets 0 bytes 0 accept
-  }
-  chain INPUT {
-    iifname "vxlan.calico" counter packets 0 bytes 0 accept
-  }
-  chain FORWARD {
-     type filter hook forward priority filter; policy accept;
-  }
-}
+add rule inet filter input iifname "vxlan.calico" counter accept
+add rule inet filter forward iifname "vxlan.calico" counter accept
+add rule inet filter forward iifname "cali*" counter accept
+add rule inet filter forward oifname "cali*" counter accept
+add rule inet filter forward ip saddr 10.1.0.0/16 counter accept
+add rule inet filter forward ip daddr 10.1.0.0/16 counter accept