Merge pull request #5862 from justinsb/follow_on_5744

Follow on for #5744

cmd/kops/integration_test.go

@@ -88,6 +88,7 @@ func TestExistingIAMCloudformation(t *testing.T) {
 // TestExistingSG runs the test with existing Security Group, similar to kops create cluster minimal.example.com --zones us-west-1a
 func TestExistingSG(t *testing.T) {
 	lifecycleOverrides := []string{"SecurityGroup=ExistsAndWarnIfChanges", "SecurityGroupRule=ExistsAndWarnIfChanges"}
+	lifecycleOverrides = nil
 	runTestAWS(t, "existingsg.example.com", "existing_sg", "v1alpha2", false, 3, true, lifecycleOverrides)
 }
 

pkg/model/awsmodel/api_loadbalancer.go

@@ -236,13 +236,13 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 
 	// Allow HTTPS to the master instances from the ELB
 	{
-		for masterGroupName, masterGroup := range masterGroups {
-			suffix := GetGroupSuffix(masterGroupName, masterGroups)
+		for _, masterGroup := range masterGroups {
+			suffix := masterGroup.Suffix
 			t := &awstasks.SecurityGroupRule{
 				Name:      s(fmt.Sprintf("https-elb-to-master%s", suffix)),
 				Lifecycle: b.SecurityLifecycle,
 
-				SecurityGroup: masterGroup,
+				SecurityGroup: masterGroup.Task,
 				SourceGroup:   lbSG,
 				FromPort:      i64(443),
 				ToPort:        i64(443),
@@ -343,13 +343,3 @@ func (b *APILoadBalancerBuilder) chooseBestSubnetForELB(zone string, subnets []*
 
 	return scoredSubnets[0].subnet
 }
-
-// GetGroupSuffix returns the name of the security groups suffix.
-func GetGroupSuffix(name string, groups map[string]*awstasks.SecurityGroup) string {
-	if len(groups) != 1 {
-		glog.V(8).Infof("adding group suffix: %q", name)
-		return "-" + name
-	}
-
-	return ""
-}

pkg/model/bastion.go

@@ -43,38 +43,42 @@ type BastionModelBuilder struct {
 var _ fi.ModelBuilder = &BastionModelBuilder{}
 
 func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
-	var bastionGroups []*kops.InstanceGroup
+	var bastionInstanceGroups []*kops.InstanceGroup
 	for _, ig := range b.InstanceGroups {
 		if ig.Spec.Role == kops.InstanceGroupRoleBastion {
-			bastionGroups = append(bastionGroups, ig)
+			bastionInstanceGroups = append(bastionInstanceGroups, ig)
 		}
 	}
 
-	if len(bastionGroups) == 0 {
+	if len(bastionInstanceGroups) == 0 {
 		return nil
 	}
 
-	// Create security group for bastion instances
-	{
-		t := &awstasks.SecurityGroup{
-			Name:      s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)),
-			Lifecycle: b.SecurityLifecycle,
+	bastionGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleBastion)
+	if err != nil {
+		return err
+	}
+	nodeGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleNode)
+	if err != nil {
+		return err
+	}
+	masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster)
+	if err != nil {
+		return err
+	}
 
-			VPC:              b.LinkToVPC(),
-			Description:      s("Security group for bastion"),
-			RemoveExtraRules: []string{"port=22"},
-		}
-		t.Tags = b.CloudTags(*t.Name, false)
-		c.AddTask(t)
+	// Create security group for bastion instances
+	for _, bastionGroup := range bastionGroups {
+		bastionGroup.Task.Lifecycle = b.SecurityLifecycle
+		c.AddTask(bastionGroup.Task)
 	}
 
-	// Allow traffic from bastion instances to egress freely
-	{
+	for _, src := range bastionGroups {
+		// Allow traffic from bastion instances to egress freely
 		t := &awstasks.SecurityGroupRule{
-			Name:      s("bastion-egress"),
-			Lifecycle: b.SecurityLifecycle,
-
-			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
+			Name:          s("bastion-egress" + src.Suffix),
+			Lifecycle:     b.SecurityLifecycle,
+			SecurityGroup: src.Task,
 			Egress:        fi.Bool(true),
 			CIDR:          s("0.0.0.0/0"),
 		}
@@ -83,12 +87,11 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 
 	// Allow incoming SSH traffic to bastions, through the ELB
 	// TODO: Could we get away without an ELB here?  Tricky to fix if dns-controller breaks though...
-	{
+	for _, dest := range bastionGroups {
 		t := &awstasks.SecurityGroupRule{
-			Name:      s("ssh-elb-to-bastion"),
-			Lifecycle: b.SecurityLifecycle,
-
-			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
+			Name:          s("ssh-elb-to-bastion" + dest.Suffix),
+			Lifecycle:     b.SecurityLifecycle,
+			SecurityGroup: dest.Task,
 			SourceGroup:   b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 			Protocol:      s("tcp"),
 			FromPort:      i64(22),
@@ -98,33 +101,35 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	// Allow bastion nodes to SSH to masters
-	{
-		t := &awstasks.SecurityGroupRule{
-			Name:      s("bastion-to-master-ssh"),
-			Lifecycle: b.SecurityLifecycle,
-
-			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
-			SourceGroup:   b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
-			Protocol:      s("tcp"),
-			FromPort:      i64(22),
-			ToPort:        i64(22),
+	for _, src := range bastionGroups {
+		for _, dest := range masterGroups {
+			t := &awstasks.SecurityGroupRule{
+				Name:          s("bastion-to-master-ssh" + JoinSuffixes(src, dest)),
+				Lifecycle:     b.SecurityLifecycle,
+				SecurityGroup: dest.Task,
+				SourceGroup:   src.Task,
+				Protocol:      s("tcp"),
+				FromPort:      i64(22),
+				ToPort:        i64(22),
+			}
+			c.AddTask(t)
 		}
-		c.AddTask(t)
 	}
 
 	// Allow bastion nodes to SSH to nodes
-	{
-		t := &awstasks.SecurityGroupRule{
-			Name:      s("bastion-to-node-ssh"),
-			Lifecycle: b.SecurityLifecycle,
-
-			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
-			SourceGroup:   b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
-			Protocol:      s("tcp"),
-			FromPort:      i64(22),
-			ToPort:        i64(22),
+	for _, src := range bastionGroups {
+		for _, dest := range nodeGroups {
+			t := &awstasks.SecurityGroupRule{
+				Name:          s("bastion-to-node-ssh" + JoinSuffixes(src, dest)),
+				Lifecycle:     b.SecurityLifecycle,
+				SecurityGroup: dest.Task,
+				SourceGroup:   src.Task,
+				Protocol:      s("tcp"),
+				FromPort:      i64(22),
+				ToPort:        i64(22),
+			}
+			c.AddTask(t)
 		}
-		c.AddTask(t)
 	}
 
 	// Create security group for bastion ELB
@@ -173,7 +178,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	var elbSubnets []*awstasks.Subnet
 	{
 		zones := sets.NewString()
-		for _, ig := range bastionGroups {
+		for _, ig := range bastionInstanceGroups {
 			subnets, err := b.GatherSubnets(ig)
 			if err != nil {
 				return err
@@ -231,7 +236,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(elb)
 	}
 
-	for _, ig := range bastionGroups {
+	for _, ig := range bastionInstanceGroups {
 		// We build the ASG when we iterate over the instance groups
 
 		// Attach the ELB to the ASG

pkg/model/external_access.go

@@ -61,12 +61,12 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	} else {
 		for _, sshAccess := range b.Cluster.Spec.SSHAccess {
 
-			for masterGroupName, masterGroup := range masterGroups {
-				suffix := GetGroupSuffix(masterGroupName, masterGroups)
+			for _, masterGroup := range masterGroups {
+				suffix := masterGroup.Suffix
 				t := &awstasks.SecurityGroupRule{
 					Name:          s(fmt.Sprintf("ssh-external-to-master-%s%s", sshAccess, suffix)),
 					Lifecycle:     b.Lifecycle,
-					SecurityGroup: masterGroup,
+					SecurityGroup: masterGroup.Task,
 					Protocol:      s("tcp"),
 					FromPort:      i64(22),
 					ToPort:        i64(22),
@@ -75,12 +75,12 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 				c.AddTask(t)
 			}
 
-			for nodeGroupName, nodeGroup := range nodeGroups {
-				suffix := GetGroupSuffix(nodeGroupName, nodeGroups)
+			for _, nodeGroup := range nodeGroups {
+				suffix := nodeGroup.Suffix
 				t := &awstasks.SecurityGroupRule{
 					Name:          s(fmt.Sprintf("ssh-external-to-node-%s%s", sshAccess, suffix)),
 					Lifecycle:     b.Lifecycle,
-					SecurityGroup: nodeGroup,
+					SecurityGroup: nodeGroup.Task,
 					Protocol:      s("tcp"),
 					FromPort:      i64(22),
 					ToPort:        i64(22),
@@ -97,12 +97,12 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			return err
 		}
 
-		for nodeGroupName, nodeGroup := range nodeGroups {
-			suffix := GetGroupSuffix(nodeGroupName, nodeGroups)
+		for _, nodeGroup := range nodeGroups {
+			suffix := nodeGroup.Suffix
 			t1 := &awstasks.SecurityGroupRule{
 				Name:          s(fmt.Sprintf("nodeport-tcp-external-to-node-%s%s", nodePortAccess, suffix)),
 				Lifecycle:     b.Lifecycle,
-				SecurityGroup: nodeGroup,
+				SecurityGroup: nodeGroup.Task,
 				Protocol:      s("tcp"),
 				FromPort:      i64(int64(nodePortRange.Base)),
 				ToPort:        i64(int64(nodePortRange.Base + nodePortRange.Size - 1)),
@@ -113,7 +113,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			t2 := &awstasks.SecurityGroupRule{
 				Name:          s(fmt.Sprintf("nodeport-udp-external-to-node-%s%s", nodePortAccess, suffix)),
 				Lifecycle:     b.Lifecycle,
-				SecurityGroup: nodeGroup,
+				SecurityGroup: nodeGroup.Task,
 				Protocol:      s("udp"),
 				FromPort:      i64(int64(nodePortRange.Base)),
 				ToPort:        i64(int64(nodePortRange.Base + nodePortRange.Size - 1)),
@@ -130,12 +130,12 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error {
 
 		// HTTPS to the master is allowed (for API access)
 		for _, apiAccess := range b.Cluster.Spec.KubernetesAPIAccess {
-			for masterGroupName, masterGroup := range masterGroups {
-				suffix := GetGroupSuffix(masterGroupName, masterGroups)
+			for _, masterGroup := range masterGroups {
+				suffix := masterGroup.Suffix
 				t := &awstasks.SecurityGroupRule{
 					Name:          s(fmt.Sprintf("https-external-to-master-%s%s", apiAccess, suffix)),
 					Lifecycle:     b.Lifecycle,
-					SecurityGroup: masterGroup,
+					SecurityGroup: masterGroup.Task,
 					Protocol:      s("tcp"),
 					FromPort:      i64(443),
 					ToPort:        i64(443),