We experienced issues caused by network resources created with the same
name, which makes Ansible playbooks behave differently.
Because the OpenShift infraID is not yet accessible at the stage of
creating network resources, a deployment-unique identifier needs to be
created in some other way. This patch implements generating such an
identifier independently of the OpenShift deployment ID.
Co-authored-by: Maysa De Macedo Souza <maysa.macedo95@gmail.com>
This commit changes the `ether_type` field to `ethertype` so it will not
break on older Ansible OpenStack collections.
Also, fixed the condition for the IPv6 block.
All the IPv6 security group related tasks have been moved to a dedicated
block. IPv6 rules were added for the master security groups in case
masters are set to be schedulable. And finally, fixed the conditions for
the IPv6 tasks.
Compact clusters have been supported for a while in IPI.
To also allow compact clusters on UPI, the security group rules
for UPI should be adapted to enable the same ingress traffic
that is enabled for workers.
With openshift/cluster-cloud-controller-manager-operator#264 we should
no longer need the SG rules opening the whole NodePort range by default.
cloud-provider-openstack will manage this on its own now.
We still need to keep the rules opening the traffic inside the cluster
to make sure traffic redirections and regular NodePort services work.
Bootstrapping no longer uses mDNS for node resolution, so we can remove
the security group rules for mDNS.
These rules were only defined for the OpenStack platform. This commit
removes the rules for both UPI and IPI.
TL;DR: SSH shouldn't be exposed to the public by default and if an
operator explicitly wants it, they should do it by modifying the
security group on day 2.
Reasons to not open SSH to all networks:
* SSH to an OCP cluster should be done only by advanced operators and
  shouldn't be encouraged, therefore it should not be open by default
  that easily. Instead, an experienced operator should make
  configuration changes via `machineconfig` objects.
* Operators who know what they do should reach the nodes from a secure
  network (e.g. provider network or tenant network, i.e. internal), not
  from a public network (e.g. the Internet or any public-facing network).
* Other cloud providers don't allow SSH from 0.0.0.0/0; we shouldn't be
  the ones doing it.
* Running `oc debug` doesn't require SSH to be open from the client.
Signed-off-by: Emilien Macchi <emilien@redhat.com>
OpenStack with OVS has an issue where security groups using
remote_group_id can be very slow, leading to OVS dropping packets.
https://bugzilla.redhat.com/show_bug.cgi?id=1703947
Use remote_ip_prefix instead to work around the issue.
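The commit messages above fix four things in the same family of Ansible
`openstack.cloud.security_group_rule` tasks: the `ether_type` spelling and
the IPv6 ethertype/prefix consistency, the NodePort range no longer being
opened outside the cluster, SSH not being open from 0.0.0.0/0 (or ::/0), and
`remote_ip_prefix` instead of `remote_group_id`. The following linter, an
added example and not installer code, applies those policies to rule
parameters as they would appear in a playbook. The cluster CIDRs, the
sample rules and the `cluster-abc12-*` group names are constructed for the
example; the Bugzilla reference is the one cited in the last commit.

```python
"""Lint OpenStack security group rules written as parameters for the
Ansible openstack.cloud.security_group_rule module.

Added example, not part of the installer.  CLUSTER_CIDRS and SAMPLE_RULES
are constructed for this example.
"""
import ipaddress

# Assumed cluster networks (constructed): sources inside these are
# "traffic inside the cluster" for the NodePort check.
CLUSTER_CIDRS = [ipaddress.ip_network(c)
                 for c in ("10.0.0.0/16", "fd2e:6f44:5dd8:c956::/64")]
NODEPORT_RANGE = (30000, 32767)
SSH_PORT = 22


def _is_internal(net):
    """True if `net` lies entirely inside one of the cluster CIDRs."""
    return any(net.version == c.version and net.subnet_of(c)
               for c in CLUSTER_CIDRS)


def lint_rule(rule):
    """Return the list of policy violations for one rule (ingress only)."""
    problems = []
    # Neutron/Ansible default direction is ingress; egress is not checked.
    if rule.get("direction", "ingress") != "ingress":
        return problems
    if "ether_type" in rule:
        problems.append("use 'ethertype'; 'ether_type' breaks older "
                        "openstack.cloud collections")
    if "remote_group_id" in rule:
        problems.append("remote_group_id is slow on OVS (rhbz#1703947); "
                        "use remote_ip_prefix")
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return problems
    net = ipaddress.ip_network(prefix, strict=False)
    # Neutron defaults ethertype to IPv4; accept the old spelling so the
    # family-mismatch check still runs on not-yet-fixed rules.
    ethertype = rule.get("ethertype", rule.get("ether_type", "IPv4"))
    if ethertype != f"IPv{net.version}":
        problems.append(f"ethertype {ethertype} does not match "
                        f"remote_ip_prefix {prefix}")
    # Omitted port bounds mean "all ports" in Neutron.
    pmin = rule.get("port_range_min") or 1
    pmax = rule.get("port_range_max") or 65535
    world = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
    if (world and rule.get("protocol") in (None, "tcp")
            and pmin <= SSH_PORT <= pmax):
        problems.append("SSH reachable from all networks; restrict to an "
                        "internal CIDR or open it on day 2")
    if (pmin <= NODEPORT_RANGE[1] and pmax >= NODEPORT_RANGE[0]
            and not _is_internal(net)):
        problems.append("NodePort range opened outside the cluster; "
                        "cloud-provider-openstack manages that access")
    return problems


def lint_rules(rules):
    """Map rule name -> problems, for every rule with at least one."""
    findings = {}
    for name, rule in rules.items():
        problems = lint_rule(rule)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample rules in module-parameter form.
SAMPLE_RULES = {
    "master-ssh-world": {"security_group": "cluster-abc12-master",
                         "protocol": "tcp", "port_range_min": 22,
                         "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    "master-ssh-internal": {"security_group": "cluster-abc12-master",
                            "protocol": "tcp", "port_range_min": 22,
                            "port_range_max": 22,
                            "remote_ip_prefix": "10.0.0.0/16"},
    "master-ssh-v6-world": {"security_group": "cluster-abc12-master",
                            "ethertype": "IPv6", "protocol": "tcp",
                            "port_range_min": 22, "port_range_max": 22,
                            "remote_ip_prefix": "::/0"},
    "worker-nodeport-internal": {"security_group": "cluster-abc12-worker",
                                 "protocol": "tcp", "port_range_min": 30000,
                                 "port_range_max": 32767,
                                 "remote_ip_prefix": "10.0.0.0/16"},
    "worker-nodeport-world": {"security_group": "cluster-abc12-worker",
                              "protocol": "tcp", "port_range_min": 30000,
                              "port_range_max": 32767,
                              "remote_ip_prefix": "0.0.0.0/0"},
    "api-old-field-name": {"security_group": "cluster-abc12-master",
                           "ether_type": "IPv6", "protocol": "tcp",
                           "port_range_min": 6443, "port_range_max": 6443,
                           "remote_ip_prefix": "fd2e:6f44:5dd8:c956::/64"},
    "kubelet-remote-group": {"security_group": "cluster-abc12-master",
                             "protocol": "tcp", "port_range_min": 10250,
                             "port_range_max": 10250,
                             "remote_group_id": "cluster-abc12-worker"},
    "api-family-mismatch": {"security_group": "cluster-abc12-master",
                            "ethertype": "IPv6", "protocol": "tcp",
                            "port_range_min": 6443, "port_range_max": 6443,
                            "remote_ip_prefix": "10.0.0.0/16"},
}

if __name__ == "__main__":
    for name, problems in lint_rules(SAMPLE_RULES).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

The ethertype check is what the dedicated IPv6 block in the playbook guards
against: a rule whose `remote_ip_prefix` is an IPv6 CIDR but whose
ethertype was left at the IPv4 default is rejected by Neutron, so the
IPv6 tasks need their own ethertype and their own `when:` condition. The
SSH check treats both `0.0.0.0/0` and `::/0` as "all networks", which is
the case the SSH commit argues should never be created by default.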