From 78540e8429b2f0570c904ced1bdc889483c063ec Mon Sep 17 00:00:00 2001
From: denis-tingaikin
Date: Wed, 3 Aug 2022 16:35:26 +0300
Subject: [PATCH] add vxlan/wireguard aws acl rules
Signed-off-by: denis-tingaikin
---
 .github/workflows/ci.yaml | 1 +
 aws/aws.yaml | 1 +
 scripts/aws/aws-start.sh | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 66b0610..896d57a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -117,6 +117,7 @@ jobs:
 AZURE_TENANT: ${{ secrets.AZURE_TENANT }}
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: "us-west-2"
 PACKET_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }}
 PACKET_PROJECT_ID: ${{ secrets.PACKET_PROJECT_ID }}
 KUBERNETES_VERSION: ${{ secrets.NSM_KUBERNETES_VERSION }}
diff --git a/aws/aws.yaml b/aws/aws.yaml
index 2e98de8..ccc9840 100644
--- a/aws/aws.yaml
+++ b/aws/aws.yaml
@@ -16,6 +16,7 @@ providers:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
 - GITHUB_RUN_NUMBER
+ - AWS_REGION
 scripts:
 start: |
 scripts/aws/aws-start.sh
diff --git a/scripts/aws/aws-start.sh b/scripts/aws/aws-start.sh
index a6500c2..8d24ced 100755
--- a/scripts/aws/aws-start.sh
+++ b/scripts/aws/aws-start.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
+echo "aws region is $AWS_REGION"
+
 apt-get update && apt-get -y install curl dnsutils
 curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl
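Review bot: The new `echo "aws region is $AWS_REGION"` at the top of aws-start.sh only reports the variable; if AWS_REGION is missing from the environment the script carries on with whatever region the CLI defaults to, and the security-group lookup added further down would then silently run against the wrong region. Replacing it with `: "${AWS_REGION:?AWS_REGION must be set}"` (keeping the echo after it if the log line is wanted) fails fast instead. Note also that only AWS CLI v2 honours `AWS_REGION`; v1 reads `AWS_DEFAULT_REGION`, so if the runner image ships v1 the variable forwarded by the ci.yaml and aws.yaml hunks is ignored — worth confirming which CLI is installed, since the hunk does not show it.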
@@ -23,4 +25,38 @@ eksctl create cluster \
 --node-type t3.xlarge \
 --nodes 1
+sg=$(aws ec2 describe-security-groups --filter Name=tag:aws:eks:cluster-name,Values="${AWS_CLUSTER_NAME}" --query 'SecurityGroups[0].GroupId' --output text)
+
+echo "security group is $sg"
+
+## Setup security group rules
+for i in {1..25}
+do
+ if [[ -n $sg ]]; then
+ break
+ fi
+ sleep 30
+ echo attempt "$i" has failed
+ sg=$(aws ec2 describe-security-groups --filter Name=tag:aws:eks:cluster-name,Values="${AWS_CLUSTER_NAME}" --query 'SecurityGroups[0].GroupId' --output text)
+done
+
+if [[ -z $sg ]]; then
+ echo "Security group is not found"
+ exit 1
+fi
+
+### authorize wireguard
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 51820 --cidr 0.0.0.0/0
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 51820 --cidr 0.0.0.0/0
+### authorize vxlan
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 4789 --cidr 0.0.0.0/0
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 4789 --cidr 0.0.0.0/0
+### authorize nsmgr-proxy
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 5004 --cidr 0.0.0.0/0
+### authorize registry
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 5002 --cidr 0.0.0.0/0
+### authorize vl3-ipam
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 5006 --cidr 0.0.0.0/0
+
+
 kubectl version --client
\ No newline at end of file
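Review bot: The retry loop's `[[ -n $sg ]]` check does not catch the no-match case: with `--query 'SecurityGroups[0].GroupId' --output text` an empty result prints the literal string `None`, so `sg` is non-empty, the loop breaks on the first pass, the `[[ -z $sg ]]` guard is also satisfied, and every authorize call then runs with `--group-id None`. Both tests should be `[[ -n $sg && $sg != None ]]` and `[[ -z $sg || $sg == None ]]`. Separately, every rule is opened to `0.0.0.0/0`: VXLAN on 4789 carries unauthenticated encapsulated traffic and the nsmgr-proxy, registry and vl3-ipam ports become reachable from any source on the node group, so the source CIDR should be a parameter narrowed to the peer cluster or CI egress range rather than hard-coded. Finally the script has no `set -e` and none of the `aws ec2 authorize-security-group-ingress` calls is checked, so a rejected rule (for example a duplicate on re-run) is silently ignored and `kubectl version --client` still runs as if setup succeeded; appending `|| exit 1` to each call, or running the rule block under `set -e`, would surface that.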