From 49500282ceebb09f89c7b8c81420705829d8d5b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Thu, 29 Feb 2024 18:03:00 +0000
Subject: [PATCH] Enable remote access for k8s API server 3rd-party sites

---
 cesnet-mcc/terraform/vms.tf | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/cesnet-mcc/terraform/vms.tf b/cesnet-mcc/terraform/vms.tf
index 2f8d2e9..00ddae5 100644
--- a/cesnet-mcc/terraform/vms.tf
+++ b/cesnet-mcc/terraform/vms.tf
@@ -51,6 +51,36 @@ resource "openstack_compute_secgroup_v2" "ssh" {
   }
 }
 
+resource "openstack_compute_secgroup_v2" "admin_http" {
+  name        = "admin http"
+  description = "admin http/https"
+
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "78.128.128.0/17"
+  }
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "2001:718:ff05::/48"
+  }
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "147.228.0.0/16"
+  }
+  rule {
+    from_port   = 6443
+    to_port     = 6443
+    ip_protocol = "tcp"
+    cidr        = "2001:718:1801::/48"
+  }
+}
+
 resource "openstack_compute_secgroup_v2" "http" {
   name        = "http"
   description = "http/https"
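Review bot: The new `admin_http` group's name and description ("admin http/https") do not match what it actually opens — four identical 6443/tcp rules, which per the commit subject is the Kubernetes API server — and nothing records which organisation each CIDR belongs to, so the next person cannot tell whether a range is still legitimate. Note also that these are /16–/17 institutional ranges rather than specific admin hosts, so the API server's own authentication and RBAC remain the only control behind this rule; if a narrower admin or VPN range exists, it would be the safer source. I would change the description to `description = "Kubernetes API server (6443/tcp) from partner sites"`, annotate each CIDR with its owner (presumably CESNET and ZCU given the author and repo name, but confirm), and collapse the four copy-pasted rules into a `dynamic "rule"` over a list variable declared next to `site_name`, keeping the resource name `admin_http` so the reference in the `ingress` instance still resolves. The existing `ssh`/`http` groups use the same `openstack_compute_secgroup_v2` resource, so I would keep it here for consistency rather than switching to the Neutron resources in this commit.
```hcl
variable "k8s_api_admin_cidrs" {
  description = "Source CIDRs allowed to reach the Kubernetes API server (6443/tcp); one entry per partner site"
  type        = list(string)
  default = [
    "78.128.128.0/17",    # TODO confirm owner (CESNET?)
    "2001:718:ff05::/48", # TODO confirm owner (CESNET?)
    "147.228.0.0/16",     # TODO confirm owner (ZCU?)
    "2001:718:1801::/48", # TODO confirm owner (ZCU?)
  ]
}

# Kubernetes API server access for partner sites; attached to the ingress node (see "ingress" instance).
resource "openstack_compute_secgroup_v2" "admin_http" {
  name        = "admin http"
  description = "Kubernetes API server (6443/tcp) from partner sites"

  dynamic "rule" {
    for_each = var.k8s_api_admin_cidrs
    content {
      from_port   = 6443
      to_port     = 6443
      ip_protocol = "tcp"
      cidr        = rule.value
    }
  }
}
```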
@@ -134,7 +164,7 @@ resource "openstack_compute_instance_v2" "ingress" {
   name            = "k8s-${var.site_name}-w-ingress"
   image_id        = data.openstack_images_image_v2.ubuntu.id
   flavor_id       = data.openstack_compute_flavor_v2.worker-flavor.id
-  security_groups = ["default", openstack_compute_secgroup_v2.ping.name, openstack_compute_secgroup_v2.ssh.name, openstack_compute_secgroup_v2.http.name]
+  security_groups = ["default", openstack_compute_secgroup_v2.ping.name, openstack_compute_secgroup_v2.ssh.name, openstack_compute_secgroup_v2.admin_http.name, openstack_compute_secgroup_v2.http.name]
   user_data       = file("cloud-init.yaml")
   tags            = ["worker"]
   network {
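Review bot: The `admin_http` group is attached to the `ingress` instance, which is tagged `worker`, while 6443/tcp is the kube-apiserver port that normally listens on control-plane nodes; unless something on this node forwards 6443 to the API server (not visible in this hunk, and the hunk gives no hint of it), the rule admits traffic to a closed port, and if it does forward, that should be stated so nobody later "cleans up" the group. I would add a one-line comment above `security_groups`: `# admin_http opens 6443/tcp: the API server is reached through this ingress node — confirm the forwarding/proxy exists in cloud-init`. Minor style point: the `security_groups` list now has five entries on one line; writing one entry per line would keep future additions reviewable as one-line diffs. The `ingress` resource block continues past the end of this hunk.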
-- 
GitLab