
[WIP] Bug 1829475: Updating AWS UPI proxy to blackhole the private subnets #5308

Closed
wants to merge 2 commits into from

Conversation

ewolinetz
Contributor

@ewolinetz ewolinetz commented Oct 4, 2019

This updates the VPC for the proxy case such that we remove the public subnet NATs that allow the private subnets to have external internet access and instead route all non-cluster traffic through the proxy.

We are also restricting port 3128 and 3130 access to the proxy node to just the MACHINE_CIDR.

Also since the ingress operator will not have direct access to the amazon route53 endpoint we remove DNS zones [1] and manually create route entries [2].

This PR depends on #4719

[1] https://github.com/openshift/installer/blob/master/docs/user/aws/install_upi.md#remove-dns-zones
[2] https://github.com/openshift/installer/blob/master/docs/user/aws/install_upi.md#add-the-ingress-dns-records
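As an added illustration (not code from this PR or from the installer), an offline check of the two properties the description sets up: private route tables with no default route to a NAT gateway, and proxy ports 3128/3130 reachable only from the machine CIDR. The dictionary shape, the 10.0.0.0/16 machine network and the `nat-0abc` id are constructed sample values.

```python
# Added example, not installer code; data shape and values are constructed.
import ipaddress

MACHINE_CIDR = "10.0.0.0/16"      # assumed MACHINE_CIDR for the sample
PROXY_PORTS = {3128, 3130}        # ports served by the proxy node

# Constructed sample: subnet "private-a" is blackholed (local route only),
# "private-b" still has a NAT default route; port 3130 is open to the world.
SAMPLE_VPC = {
    "private_route_tables": [
        {"name": "private-a",
         "routes": [{"dest": "10.0.0.0/16", "target": "local"}]},
        {"name": "private-b",
         "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                    {"dest": "0.0.0.0/0", "target": "nat-0abc"}]},
    ],
    "proxy_sg_ingress": [
        {"port": 3128, "cidr": "10.0.0.0/16"},
        {"port": 3130, "cidr": "0.0.0.0/0"},
        {"port": 22, "cidr": "10.0.0.0/16"},
    ],
}


def nat_leaks(vpc):
    """Names of private route tables whose default route still points at a
    NAT gateway, i.e. subnets that could bypass the proxy."""
    leaks = []
    for table in vpc["private_route_tables"]:
        for route in table["routes"]:
            if route["dest"] == "0.0.0.0/0" and route["target"].startswith("nat-"):
                leaks.append(table["name"])
                break
    return leaks


def proxy_port_findings(vpc, machine_cidr=MACHINE_CIDR):
    """(port, cidr) pairs where a proxy port accepts traffic from a source
    that is not contained in the machine network."""
    net = ipaddress.ip_network(machine_cidr)
    findings = []
    for rule in vpc["proxy_sg_ingress"]:
        if rule["port"] not in PROXY_PORTS:
            continue
        src = ipaddress.ip_network(rule["cidr"])
        if src.version != net.version or not src.subnet_of(net):
            findings.append((rule["port"], rule["cidr"]))
    return findings
```

Feed it the route tables and security group rules exported from a real VPC and both lists should come back empty once the change described above is in place.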

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 4, 2019
@openshift-ci-robot openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 4, 2019
@ewolinetz
Contributor Author

/test pj-rehearse


@ewolinetz ewolinetz force-pushed the blackhole_upi branch 4 times, most recently from 24bfe7c to 49f4e99 Compare October 8, 2019 17:14
@ewolinetz ewolinetz force-pushed the blackhole_upi branch 3 times, most recently from 44207da to 0ea5bc7 Compare October 9, 2019 20:02
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 9, 2019
@ewolinetz ewolinetz force-pushed the blackhole_upi branch 2 times, most recently from 30d5512 to 4452c7a Compare October 9, 2019 20:07
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 9, 2019
@ewolinetz ewolinetz force-pushed the blackhole_upi branch 7 times, most recently from 30dd18f to 2c7b378 Compare October 9, 2019 22:52
@ewolinetz
Contributor Author

/test pj-rehearse


@ewolinetz ewolinetz force-pushed the blackhole_upi branch 2 times, most recently from ba92992 to b2f197b Compare October 10, 2019 16:08
@ewolinetz
Contributor Author

/retest

@ewolinetz
Contributor Author

@wking @danehans we see the aws-upi proxy rehearse job passing. We don't do anything with the vsphere or gcp setup as part of this PR; thoughts on moving forward with this bad boy?

@danehans

I'm for proceeding so we can improve our aws proxy coverage. Can you link an issue for adding support for other providers? Maybe update the title of this PR to reflect AWS support.

@ewolinetz
Contributor Author

/hold

@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ewolinetz
To complete the pull request process, please assign crawford
You can assign the PR to them by writing /assign @crawford in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ewolinetz
Contributor Author

/test pj-rehearse

@ewolinetz ewolinetz changed the title Updating UPI proxy to blackhole the private subnets Updating AWS UPI proxy to blackhole the private subnets Feb 19, 2020
@ewolinetz
Contributor Author

/test pj-rehearse

@ewolinetz
Contributor Author

/test pj-rehearse

@ewolinetz
Contributor Author

/retest

@danehans

/retitle Bug 1829475: Updating AWS UPI proxy to blackhole the private subnets

@openshift-ci-robot openshift-ci-robot changed the title Updating AWS UPI proxy to blackhole the private subnets Bug 1829475: Updating AWS UPI proxy to blackhole the private subnets Apr 29, 2020
@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Apr 29, 2020
@openshift-ci-robot
Contributor

@ewolinetz: This pull request references Bugzilla bug 1829475, which is invalid:

  • expected the bug to target the "4.5.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1829475: Updating AWS UPI proxy to blackhole the private subnets

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Apr 29, 2020
@ewolinetz
Contributor Author

/bugzilla refresh

@openshift-ci-robot
Contributor

@ewolinetz: This pull request references Bugzilla bug 1829475, which is invalid:

  • expected the bug to target the "4.5.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot
Contributor

@ewolinetz: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/rehearse/openshift/installer/master/e2e-vsphere 80721f68f6bf6aad5a4672144d4a0a1110837ffb link /test pj-rehearse
ci/rehearse/openshift-priv/ci-experiment-origin/master/e2e-vsphere 3fc435d846748fafab23ce0f41408ad39a1c43da link /test pj-rehearse
ci/rehearse/openshift/installer/fcos/e2e-vsphere a08460b307f3377b08eea82d6d6dc20c50136df8 link /test pj-rehearse
ci/rehearse/openshift/installer/master/e2e-gcp-upi c28df649c13e3cb9550d6e15ec06f38335f79ec5 link /test pj-rehearse
ci/rehearse/openshift/installer/master/e2e-aws-proxy e6b2ae2 link /test pj-rehearse
ci/rehearse/openshift/installer/master/e2e-azure-upi e6b2ae2 link /test pj-rehearse
ci/prow/pj-rehearse e6b2ae2 link /test pj-rehearse
ci/prow/release-controller-config e6b2ae2 link /test release-controller-config

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@ewolinetz ewolinetz changed the title Bug 1829475: Updating AWS UPI proxy to blackhole the private subnets [WIP] Bug 1829475: Updating AWS UPI proxy to blackhole the private subnets Jul 20, 2020
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 20, 2020
@ewolinetz
Contributor Author

Going to investigate moving this into the multi-step registry instead, similar to #9904.

@ewolinetz
Contributor Author

Closing in favor of #10355.

@ewolinetz ewolinetz closed this Jul 20, 2020
Labels
bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.