
fix: firewall rules for autopilot clusters are ineffective. add cluster_network_tag to autopilot cluster network_tags if firewalls are toggled on #1817

Merged

Conversation

GorginZ
Contributor

@GorginZ GorginZ commented Dec 14, 2023

GorginZ and others added 28 commits May 12, 2023 08:53
@GorginZ GorginZ requested review from ericyz and a team as code owners December 14, 2023 06:13
@apeabody
Contributor

This is almost certainly unrelated to this change, perhaps a recent change in the API. We'll address it in a separate PR.

        	Error:      	Not equal: 
        	            	expected: "{\n    \"state\": \"DECRYPTED\"\n  }"
        	            	actual  : "{\n    \"currentState\": \"CURRENT_STATE_DECRYPTED\",\n    \"state\": \"DECRYPTED\"\n  }"
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,2 +1,3 @@
        	            	 {
        	            	+    "currentState": "CURRENT_STATE_DECRYPTED",
        	            	     "state": "DECRYPTED"
        	Test:       	TestSimpleRegional
        	Messages:   	expected databaseEncryption to match fixture {
        	            	    "state": "DECRYPTED"
        	            	  }

@apeabody
Contributor

apeabody commented Jun 11, 2024

/gcbrun

(#1974)

@GorginZ
Contributor Author

GorginZ commented Jun 11, 2024

/gcbrun

still red I see.

@apeabody
Contributor

OK, these findings appear to be relevant:

Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:45Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:45Z command.go:100: Running command gcloud with args [compute firewall-rules --project ci-gke-19fdc5db-f0aj describe gke-autopilot-private-firewal-intra-cluster-egress --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:46Z command.go:185: ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:46Z command.go:185:  - The resource 'projects/ci-gke-19fdc5db-f0aj/global/firewalls/gke-autopilot-private-firewal-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:46Z command.go:185: 
Step #90 - "verify autopilot-private-firewalls":     gcloud.go:84: error while running command: exit status 1; ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls":     

@GorginZ
Contributor Author

GorginZ commented Jun 12, 2024

OK, these findings appear to be relevant:

Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:45Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:45Z command.go:100: Running command gcloud with args [compute firewall-rules --project ci-gke-19fdc5db-f0aj describe gke-autopilot-private-firewal-intra-cluster-egress --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:46Z command.go:185: ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:46Z command.go:185:  - The resource 'projects/ci-gke-19fdc5db-f0aj/global/firewalls/gke-autopilot-private-firewal-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-11T20:59:46Z command.go:185: 
Step #90 - "verify autopilot-private-firewalls":     gcloud.go:84: error while running command: exit status 1; ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls":     

Well, I wouldn't expect a fw named gke-autopilot-private-firewal-intra-cluster-egress, but I would expect one named gke-autopilot-private-firewalls-intra-cluster-egress.

Hmm, will look now. All tests used to be green; I did the whole deployment in my org.
https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/master/modules/beta-autopilot-private-cluster/firewall.tf#L29

But... it should fail given this:


Anyway that'll be it and I'll have to fix it regardless of what I may or may not remember. Maybe I renamed something.

@GorginZ
Contributor Author

GorginZ commented Jun 13, 2024

@apeabody can we try once more :)

@apeabody
Contributor

/gcbrun

@apeabody
Contributor

/gcbrun

@apeabody
Contributor

Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:100: Running command gcloud with args [compute firewall-rules --project ci-gke-b70466df-s4fn describe gke-autopilot-private-firewalls-intra-cluster-egress --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185:  - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: 
Step #90 - "verify autopilot-private-firewalls":     gcloud.go:84: error while running command: exit status 1; ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls":          - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls":         
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 RUN_STAGE env var set to verify
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 Skipping stage teardown
Step #90 - "verify autopilot-private-firewalls": --- FAIL: TestAutopilotPrivateFirewalls (11.34s)

I do see a gke-autopilot-private-firewalls-cluster-intra-cluster-egress firewall.

@GorginZ
Contributor Author

GorginZ commented Jun 15, 2024

Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:34Z command.go:100: Running command gcloud with args [config get-value project --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:185: "cloud-foundation-cicd"
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:35Z command.go:100: Running command gcloud with args [compute firewall-rules --project ci-gke-b70466df-s4fn describe gke-autopilot-private-firewalls-intra-cluster-egress --format json]
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185:  - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls": TestAutopilotPrivateFirewalls 2024-06-13T16:33:36Z command.go:185: 
Step #90 - "verify autopilot-private-firewalls":     gcloud.go:84: error while running command: exit status 1; ERROR: (gcloud.compute.firewall-rules.describe) Could not fetch resource:
Step #90 - "verify autopilot-private-firewalls":          - The resource 'projects/ci-gke-b70466df-s4fn/global/firewalls/gke-autopilot-private-firewalls-intra-cluster-egress' was not found
Step #90 - "verify autopilot-private-firewalls":         
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 RUN_STAGE env var set to verify
Step #90 - "verify autopilot-private-firewalls": 2024/06/13 16:33:36 Skipping stage teardown
Step #90 - "verify autopilot-private-firewalls": --- FAIL: TestAutopilotPrivateFirewalls (11.34s)

I do see a gke-autopilot-private-firewalls-cluster-intra-cluster-egress firewall.

Ah, thanks @apeabody for posting this; it led me to notice my test code was trimming the -cluster suffix from the clusterName, no idea why I did that. Have pushed a fix.
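Added example (not code from this PR or the terraform-google-kubernetes-engine project) that audits the two failure modes seen in this thread: a rule reported missing because its expected name was built from a trimmed cluster name, and a rule that exists but never applies because the Autopilot nodes lack the network tag it targets. The `gke-<cluster name>` tag scheme, the sample rule JSON and the function names are assumptions.

```python
# Added example, not code from this PR or the terraform-google-kubernetes-engine
# project; the naming scheme and the sample JSON below are assumptions.
import json

CLUSTER_NAME = "autopilot-private-firewalls-cluster"

# Constructed sample shaped like `gcloud compute firewall-rules describe --format json`:
# one module rule targeting the cluster tag, one untagged rule for the whole network.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "gke-autopilot-private-firewalls-cluster-intra-cluster-egress",
     "direction": "EGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}],
     "destinationRanges": ["10.0.0.0/8"],
     "targetTags": ["gke-autopilot-private-firewalls-cluster"]},
    {"name": "default-allow-internal", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "all"}], "sourceRanges": ["10.128.0.0/9"]},
])

def cluster_network_tag(cluster_name: str) -> str:
    # Assumed scheme: nodes are tagged with, and rules target, gke-<cluster name>.
    return f"gke-{cluster_name}"

def expected_rule_name(cluster_name: str) -> str:
    # Passing a name with "-cluster" trimmed off reproduces the test bug in the thread.
    return f"{cluster_network_tag(cluster_name)}-intra-cluster-egress"

def rule_applies(rule: dict, node_tags: list) -> bool:
    """True if the rule can ever match instances carrying node_tags."""
    if rule.get("disabled"):
        return False
    targets = rule.get("targetTags") or []
    # No target tags and no target service accounts: the rule applies to every
    # instance in the network, so it cannot be ineffective for tag reasons.
    if not targets and not rule.get("targetServiceAccounts"):
        return True
    return bool(set(targets) & set(node_tags))

def audit(cluster_name: str, rules_json: str, node_tags: list) -> dict:
    # Report the module rule that is absent and the rules that match no node.
    rules = json.loads(rules_json)
    names = {r["name"] for r in rules}
    expected = expected_rule_name(cluster_name)
    return {
        "missing": [] if expected in names else [expected],
        "ineffective": [r["name"] for r in rules if not rule_applies(r, node_tags)],
    }

# Before the fix Autopilot nodes carried no module tag; after it they carry the cluster tag.
BEFORE_FIX = audit(CLUSTER_NAME, SAMPLE_RULES_JSON, node_tags=[])
AFTER_FIX = audit(CLUSTER_NAME, SAMPLE_RULES_JSON, [cluster_network_tag(CLUSTER_NAME)])
```

Run it against the real `gcloud compute firewall-rules list --format json` output and the tags reported on the cluster's nodes to confirm the module's rules actually select those nodes.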

@GorginZ GorginZ requested a review from apeabody June 15, 2024 22:40
@apeabody
Contributor

/gcbrun

@apeabody
Contributor

Step #91 - "destroy autopilot-private-firewalls":         	Error:      	Received unexpected error:
Step #91 - "destroy autopilot-private-firewalls":         	            	FatalError{Underlying: error while running command: exit status 1; 
Step #91 - "destroy autopilot-private-firewalls":         	            	Error: Cannot destroy cluster because deletion_protection is set to true. Set it to false to proceed with cluster deletion.
Step #91 - "destroy autopilot-private-firewalls":         	            	}
Step #91 - "destroy autopilot-private-firewalls":         	Test:       	TestAutopilotPrivateFirewalls

GorginZ and others added 2 commits June 18, 2024 08:37
set deletion_protection to false

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>
@GorginZ GorginZ requested a review from apeabody June 17, 2024 22:40
@apeabody
Contributor

/gcbrun

@GorginZ
Contributor Author

GorginZ commented Jun 19, 2024

@apeabody need anything else from my end?

Contributor

@apeabody apeabody left a comment

Thanks for the contribution @GorginZ!

@apeabody apeabody merged commit e7b20cd into terraform-google-modules:master Jun 20, 2024
4 checks passed
CPL-markus pushed a commit to WALTER-GROUP/terraform-google-kubernetes-engine that referenced this pull request Jul 15, 2024
…er_network_tag to autopilot cluster network_tags if firewalls are toggled on (terraform-google-modules#1817)

Co-authored-by: Andrew Peabody <andrewpeabody@google.com>
Successfully merging this pull request may close these issues.

Firewall rules for Autopilot clusters are ineffective