add in-cluster endpoint to terraform output

edgelesssys · Oct 10, 2023 · 8d5ea24 · 8d5ea24
1 parent 4933ac3
commit 8d5ea24
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 35 deletions.
diff --git a/cli/internal/helm/overrides.go b/cli/internal/helm/overrides.go
@@ -42,7 +42,7 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 		}
 	}
 
-	extraVals["k8sServiceHost"] = output.ClusterEndpoint
+	extraVals["k8sServiceHost"] = output.InClusterEndpoint
 	extraVals["k8sServicePort"] = constants.KubernetesPort
 	if provider == cloudprovider.GCP {
 		extraVals["ipv4NativeRoutingCIDR"] = output.GCP.IPCidrPod

diff --git a/cli/internal/state/state.go b/cli/internal/state/state.go
@@ -30,6 +30,7 @@ func NewState(Infrastructure Infrastructure) State {
 type Infrastructure struct {
 	UID               string   `yaml:"uid"`
 	ClusterEndpoint   string   `yaml:"clusterEndpoint"`
+	InClusterEndpoint string   `yaml:"inClusterEndpoint"`
 	InitSecret        string   `yaml:"initSecret"`
 	APIServerCertSANs []string `yaml:"apiServerCertSANs"`
 	Azure             *Azure   `yaml:"azure,omitempty"`

diff --git a/cli/internal/terraform/terraform.go b/cli/internal/terraform/terraform.go
@@ -181,11 +181,20 @@ func (c *Client) ShowInfrastructure(ctx context.Context, provider cloudprovider.
 		return state.Infrastructure{}, errors.New("terraform show: no values returned")
 	}
 
-	ipOutput, ok := tfState.Values.Outputs["ip"]
+	outOfClusterEndpointOutput, ok := tfState.Values.Outputs["out_of_cluster_endpoint"]
 	if !ok {
-		return state.Infrastructure{}, errors.New("no IP output found")
+		return state.Infrastructure{}, errors.New("no out_of_cluster_endpoint output found")
 	}
-	ip, ok := ipOutput.Value.(string)
+	outOfClusterEndpoint, ok := outOfClusterEndpointOutput.Value.(string)
+	if !ok {
+		return state.Infrastructure{}, errors.New("invalid type in IP output: not a string")
+	}
+
+	inClusterEndpointOutput, ok := tfState.Values.Outputs["in_cluster_endpoint"]
+	if !ok {
+		return state.Infrastructure{}, errors.New("no in_cluster_endpoint output found")
+	}
+	inClusterEndpoint, ok := inClusterEndpointOutput.Value.(string)
 	if !ok {
 		return state.Infrastructure{}, errors.New("invalid type in IP output: not a string")
 	}
@@ -222,7 +231,8 @@ func (c *Client) ShowInfrastructure(ctx context.Context, provider cloudprovider.
 	}
 
 	res := state.Infrastructure{
-		ClusterEndpoint:   ip,
+		ClusterEndpoint:   outOfClusterEndpoint,
+		InClusterEndpoint: inClusterEndpoint,
 		APIServerCertSANs: apiServerCertSANs,
 		InitSecret:        secret,
 		UID:               uid,

diff --git a/cli/internal/terraform/terraform/aws/main.tf b/cli/internal/terraform/terraform/aws/main.tf
@@ -51,6 +51,9 @@ locals {
   tags = {
     constellation-uid = local.uid,
   }
+
+  in_cluster_endpoint     = aws_lb.front_end.dns_name
+  out_of_cluster_endpoint = var.internal_load_balancer && var.debug ? module.jump_host[0].ip : local.in_cluster_endpoint
 }
 
 resource "random_id" "uid" {

diff --git a/cli/internal/terraform/terraform/aws/outputs.tf b/cli/internal/terraform/terraform/aws/outputs.tf
@@ -1,15 +1,22 @@
-output "ip" {
-  value = var.internal_load_balancer && var.debug ? module.jump_host[0].ip : aws_lb.front_end.dns_name
+output "out_of_cluster_endpoint" {
+  value = local.out_of_cluster_endpoint
 }
 
+output "in_cluster_endpoint" {
+  value = local.in_cluster_endpoint
+}
 output "api_server_cert_sans" {
   value = sort(
-    concat(
-      [
-        var.internal_load_balancer ? module.jump_host[0].ip : aws_eip.lb[var.zone].public_ip,
-        local.wildcard_lb_dns_name
-      ],
-  var.custom_endpoint == "" ? [] : [var.custom_endpoint]))
+    distinct(
+      concat(
+        [
+          local.in_cluster_endpoint,
+          local.out_of_cluster_endpoint,
+        ],
+        var.custom_endpoint == "" ? [] : [var.custom_endpoint],
+      )
+    )
+  )
 }
 
 output "uid" {

diff --git a/cli/internal/terraform/terraform/azure/main.tf b/cli/internal/terraform/terraform/azure/main.tf
@@ -47,8 +47,8 @@ locals {
   // deduce as above
   uai_name = element(split("/", var.user_assigned_identity), length(split("/", var.user_assigned_identity)) - 1)
 
-  internal_ip = var.debug && var.internal_load_balancer ? module.jump_host[0].ip : azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address
-  output_ip   = var.internal_load_balancer ? local.internal_ip : azurerm_public_ip.loadbalancer_ip[0].ip_address
+  in_cluster_endpoint     = var.internal_load_balancer ? azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address : azurerm_public_ip.loadbalancer_ip[0].ip_address
+  out_of_cluster_endpoint = var.debug && var.internal_load_balancer ? module.jump_host[0].ip : local.in_cluster_endpoint
 }
 
 resource "random_id" "uid" {

diff --git a/cli/internal/terraform/terraform/azure/outputs.tf b/cli/internal/terraform/terraform/azure/outputs.tf
@@ -1,15 +1,23 @@
-output "ip" {
-  value = local.output_ip
+output "out_of_cluster_endpoint" {
+  value = local.out_of_cluster_endpoint
+}
+
+output "in_cluster_endpoint" {
+  value = local.in_cluster_endpoint
 }
 
 output "api_server_cert_sans" {
   value = sort(
-    concat(
-      [
-        local.output_ip,
-        var.internal_load_balancer ? "" : local.wildcard_lb_dns_name
-      ],
-    var.custom_endpoint == "" ? [] : [var.custom_endpoint])
+    distinct(
+      concat(
+        [
+          local.in_cluster_endpoint,
+          local.out_of_cluster_endpoint,
+        ],
+        var.custom_endpoint == "" ? [] : [var.custom_endpoint],
+        var.internal_load_balancer ? [] : [local.wildcard_lb_dns_name],
+      )
+    )
   )
 }
 

diff --git a/cli/internal/terraform/terraform/gcp/main.tf b/cli/internal/terraform/terraform/gcp/main.tf
@@ -57,8 +57,8 @@ locals {
   control_plane_instance_groups = [
     for control_plane in local.node_groups_by_role["control-plane"] : module.instance_group[control_plane].instance_group
   ]
-  internal_ip = var.debug && var.internal_load_balancer ? module.jump_host[0].ip : google_compute_address.loadbalancer_ip_internal[0].address
-  output_ip   = var.internal_load_balancer ? local.internal_ip : google_compute_global_address.loadbalancer_ip[0].address
+  in_cluster_endpoint     = var.internal_load_balancer ? google_compute_address.loadbalancer_ip_internal[0].address : google_compute_global_address.loadbalancer_ip[0].address
+  out_of_cluster_endpoint = var.debug && var.internal_load_balancer ? module.jump_host[0].ip : local.in_cluster_endpoint
 }
 
 resource "random_id" "uid" {
@@ -215,6 +215,7 @@ module "loadbalancer_public" {
   health_check            = each.value.health_check
   backend_instance_groups = local.control_plane_instance_groups
   ip_address              = google_compute_global_address.loadbalancer_ip[0].self_link
+  frontend_labels         = merge(local.labels, { constellation-use = each.value.name })
 }
 
 module "loadbalancer_internal" {

diff --git a/cli/internal/terraform/terraform/gcp/outputs.tf b/cli/internal/terraform/terraform/gcp/outputs.tf
@@ -1,16 +1,22 @@
-output "ip" {
-  value = local.output_ip
+output "out_of_cluster_endpoint" {
+  value = local.out_of_cluster_endpoint
 }
 
-output "api_server_cert_sans" {
-  value = sort(concat([
-    local.output_ip,
-    ],
-  var.custom_endpoint == "" ? [] : [var.custom_endpoint]))
+output "in_cluster_endpoint" {
+  value = local.in_cluster_endpoint
 }
-
-output "fallback_endpoint" {
-  value = local.output_ip
+output "api_server_cert_sans" {
+  value = sort(
+    distinct(
+      concat(
+        [
+          local.in_cluster_endpoint,
+          local.out_of_cluster_endpoint,
+        ],
+        var.custom_endpoint == "" ? [] : [var.custom_endpoint],
+      )
+    )
+  )
 }
 
 output "uid" {