Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] update suggestions for add features in aws mutlti zone support #1325

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

cclhsu
Copy link
Contributor

@cclhsu cclhsu commented Aug 17, 2020

update suggestions from code review for add features in aws mutlti zone support

Signed-off-by: cclhsu [email protected]

Why is this PR needed?

Does it fix an issue? addresses a business case?

add a description and link to the issue if one exists.

Fixes #

Reminder: Add the "fixes bsc#XXXX" to the title of the commit so that it will
appear in the changelog.

What does this PR do?

please include a brief "management" technical overview (details are in the code)

Anything else a reviewer needs to know?

Special test cases, manual steps, links to resources or anything else that could be helpful to the reviewer.

Info for QA

This is info for QA so that they can validate this. This is mandatory if this PR fixes a bug.
If this is a new feature, a good description in "What does this PR do" may be enough.

Related info

Info that can be relevant for QA:

  • link to other PRs that should be merged together
  • link to packages that should be released together
  • upstream issues

Status BEFORE applying the patch

How can we reproduce the issue? How can we see this issue? Please provide the steps and the prove
this issue is not fixed.

Status AFTER applying the patch

How can we validate this issue is fixed? Please provide the steps and the prove this issue is fixed.

Docs

If docs need to be updated, please add a link to a PR to https://github.com/SUSE/doc-caasp.
At the time of creating the issue, this PR can be work in progress (set its title to [WIP]),
but the documentation needs to be finalized before the PR can be merged.

Merge restrictions

(Please do not edit this)

We are in v4-maintenance phase, so we will restrict what can be merged to prevent unexpected surprises:

What can be merged (merge criteria):
    2 approvals:
        1 developer: code is fine
        1 QA: QA is fine
    there is a PR for updating documentation (or a statement that this is not needed)

update suggestions from code review for add features in aws mutlti zone support

Signed-off-by: cclhsu <[email protected]>
@cclhsu cclhsu self-assigned this Aug 17, 2020
Copy link

@Klaven Klaven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, Looked over the PR a little bit this morning, had a few quick questions regarding it.

  1. could you fill out the PR template a bit more? While i'm a bit fan of "the code should speak for itself" a lot of the time the code does not give a good "why" and that would be helpful!

  2. the PR is quite large :D anything you could do to slim it down would make it easier to review

  3. generally, I don't think the API server should be exposed externally unless someone absolutely needs it... and lets be honest, no one actually needs it. A large part of the security CVE's can be mitigated by keeping the control plane safe.

description = "etcd"
}

# api-server - everywhere
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, Api server should be internal only as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

var.cidr_block is internal.

cidr_blocks = ["0.0.0.0/0"]
}

ingress {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dannysauer Correct me if i'm wrong but I don't think we should expose the API server too the web. this is an easy first step to securing them, making it so that only inside the cluster can directly hit the api server. I would be for removing this block.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not completely clear why we open 80/443 to begin with; nothing listens on those ports by default, right? Was that just a copy-paste from an example that was left behind all along?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, yes, exposing the api server seems undesirable. I guess it's possible to control access to the whole vpc and that might be an acceptable control, but I honestly haven't read the entire config to see if that's being done. It still seems like it'd be preferable to elect a source IP as "management node" or identify a management network.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is from original code. I just try to rearrange code by function. I will test to remove 80/443 to see if any side effect

@cclhsu cclhsu changed the title update suggestions for add features in aws mutlti zone support [WIP] update suggestions for add features in aws mutlti zone support Aug 17, 2020
@cclhsu
Copy link
Contributor Author

cclhsu commented Aug 17, 2020

Hey, Looked over the PR a little bit this morning, had a few quick questions regarding it.

  1. could you fill out the PR template a bit more? While i'm a bit fan of "the code should speak for itself" a lot of the time the code does not give a good "why" and that would be helpful!
  2. the PR is quite large :D anything you could do to slim it down would make it easier to review
  3. generally, I don't think the API server should be exposed externally unless someone absolutely needs it... and lets be honest, no one actually needs it. A large part of the security CVE's can be mitigated by keeping the control plane safe.

Ok, I will slim PR down to focus just multiple zone. I am add too many formatting change and little customized improvemnt here and there.

Copy link

@Klaven Klaven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my point of view this looks fine. I don't know enough about our AWS deployment to say though. @flavio would be a good reviewer.

@Klaven Klaven requested a review from flavio August 26, 2020 14:47
Copy link
Contributor

@dannysauer dannysauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in the same boat as @Klaven ; this looks fine to me as a cleanup, but I don't have enough "AWS via Terraform" background to say it's good to go.

ci/infra/aws/output.tf Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants