Add bastion host (openshift#155)

Signed-off-by: Vince Prignano <[email protected]>

Author: vincepri

cloud/aws/actuators/cluster/actuator.go

@@ -96,6 +96,10 @@ func (a *Actuator) Reconcile(cluster *clusterv1.Cluster) (reterr error) {
 		return errors.Errorf("unable to reconcile network: %v", err)
 	}
 
+	if err := svc.ReconcileBastion(cluster.Name, status); err != nil {
+		return errors.Errorf("unable to reconcile network: %v", err)
+	}
+
 	return nil
 }
 

cloud/aws/actuators/cluster/actuator_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
 	"github.com/golang/mock/gomock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	providerconfig "sigs.k8s.io/cluster-api-provider-aws/cloud/aws/providerconfig/v1alpha1"
 	clusterv1 "sigs.k8s.io/cluster-api/pkg/apis/cluster/v1alpha1"
 	clientv1 "sigs.k8s.io/cluster-api/pkg/client/clientset_generated/clientset/typed/cluster/v1alpha1"
@@ -251,7 +252,7 @@ func TestReconcile(t *testing.T) {
 			Return(&ec2.DescribeSecurityGroupsOutput{
 				SecurityGroups: []*ec2.SecurityGroup{
 					&ec2.SecurityGroup{
-						GroupId:   aws.String("sg-cp1"),
+						GroupId:   aws.String("sg-bastion1"),
 						GroupName: aws.String("test-bastion"),
 						IpPermissions: []*ec2.IpPermission{
 							&ec2.IpPermission{
@@ -275,9 +276,9 @@ func TestReconcile(t *testing.T) {
 								FromPort:   aws.Int64(22),
 								ToPort:     aws.Int64(22),
 								IpProtocol: aws.String("tcp"),
-								IpRanges: []*ec2.IpRange{
-									&ec2.IpRange{
-										CidrIp:      aws.String("0.0.0.0/0"),
+								UserIdGroupPairs: []*ec2.UserIdGroupPair{
+									&ec2.UserIdGroupPair{
+										GroupId:     aws.String("sg-bastion1"),
 										Description: aws.String("SSH"),
 									},
 								},
@@ -325,9 +326,9 @@ func TestReconcile(t *testing.T) {
 								FromPort:   aws.Int64(22),
 								ToPort:     aws.Int64(22),
 								IpProtocol: aws.String("tcp"),
-								IpRanges: []*ec2.IpRange{
-									&ec2.IpRange{
-										CidrIp:      aws.String("0.0.0.0/0"),
+								UserIdGroupPairs: []*ec2.UserIdGroupPair{
+									&ec2.UserIdGroupPair{
+										GroupId:     aws.String("sg-bastion1"),
 										Description: aws.String("SSH"),
 									},
 								},
@@ -358,6 +359,63 @@ func TestReconcile(t *testing.T) {
 					},
 				},
 			}, nil),
+
+		// Reconcile bastion.
+		me.EXPECT().
+			DescribeInstances(gomock.Eq(&ec2.DescribeInstancesInput{
+				Filters: []*ec2.Filter{
+					&ec2.Filter{
+						Name:   aws.String("tag:sigs.k8s.io/cluster-api-provider-aws/role"),
+						Values: []*string{aws.String("bastion")},
+					},
+					&ec2.Filter{
+						Name:   aws.String("tag-key"),
+						Values: []*string{aws.String("kubernetes.io/cluster/test")},
+					},
+				},
+			})).
+			Return(&ec2.DescribeInstancesOutput{}, nil),
+		me.EXPECT().
+			RunInstances(gomock.AssignableToTypeOf(&ec2.RunInstancesInput{})).
+			DoAndReturn(func(input *ec2.RunInstancesInput) (*ec2.Reservation, error) {
+				if len(input.TagSpecifications) == 0 {
+					t.Fatalf("expected tags to be applied on bootstrap, got none")
+				}
+
+				if input.TagSpecifications[0].ResourceType == nil || *input.TagSpecifications[0].ResourceType != ec2.ResourceTypeInstance {
+					t.Fatalf("expected tag specification to be instance, got %v", input.TagSpecifications[0].ResourceType)
+				}
+
+				if len(input.TagSpecifications[0].Tags) < 2 {
+					t.Fatalf("was expecting at least 2 tags for bastion host got: %v", input.TagSpecifications[0].Tags)
+				}
+
+				for _, key := range []string{"sigs.k8s.io/cluster-api-provider-aws/role", "kubernetes.io/cluster/test"} {
+					found := false
+					for _, x := range input.TagSpecifications[0].Tags {
+						if *x.Key == key {
+							found = true
+							break
+						}
+					}
+
+					if !found {
+						t.Fatalf("couldn't find tag for bastion host: %s", key)
+					}
+				}
+
+				return &ec2.Reservation{
+					Instances: []*ec2.Instance{
+						&ec2.Instance{
+							State:        &ec2.InstanceState{Code: aws.Int64(0), Name: aws.String("pending")},
+							InstanceId:   aws.String("bastion-1"),
+							InstanceType: input.InstanceType,
+							ImageId:      input.ImageId,
+							SubnetId:     input.SubnetId,
+						},
+					},
+				}, nil
+			}),
 	)
 
 	c, err := providerconfig.NewCodec()
@@ -377,6 +435,13 @@ func TestReconcile(t *testing.T) {
 
 	cluster := &clusterv1.Cluster{
 		ObjectMeta: metav1.ObjectMeta{Name: "test", ClusterName: "test"},
+		Spec: clusterv1.ClusterSpec{
+			ProviderConfig: clusterv1.ProviderConfig{
+				Value: &runtime.RawExtension{
+					Raw: []byte(`{"kind":"AWSClusterProviderConfig","apiVersion":"awsproviderconfig/v1alpha1","region":"us-east-1"}`),
+				},
+			},
+		},
 	}
 
 	if err := a.Reconcile(cluster); err != nil {

cloud/aws/actuators/cluster/interfaces.go

@@ -27,6 +27,7 @@ type EC2Getter interface {
 
 type ec2SvcIface interface {
 	ReconcileNetwork(string, *providerconfigv1.Network) error
+	ReconcileBastion(string, *providerconfigv1.AWSClusterProviderStatus) error
 }
 
 type codec interface {

cloud/aws/providerconfig/v1alpha1/types.go

@@ -161,8 +161,9 @@ type AWSMachineProviderCondition struct {
 type AWSClusterProviderStatus struct {
 	metav1.TypeMeta `json:",inline"`
 
-	Region  string  `json:"region"`
-	Network Network `json:"network"`
+	Region  string   `json:"region"`
+	Network Network  `json:"network"`
+	Bastion Instance `json:"bastion"`
 }
 
 // Network encapsulates AWS networking resources.
@@ -341,6 +342,13 @@ type Instance struct {
 	// The name of the SSH key pair.
 	KeyName *string `json:"keyName"`
 
+	// SecurityGroupIDs are one or more security group IDs this instance belongs to.
+	SecurityGroupIDs []string `json:"securityGroupIds"`
+
+	// UserData is the raw data script passed to the instance which is run upon bootstrap.
+	// This field must not be base64 encoded and should only be used when running a new instance.
+	UserData *string `json:"userData"`
+
 	// The ARN of the IAM instance profile associated with the instance, if applicable.
 	IAMProfile *AWSResourceReference `json:"iamProfile"`
 
@@ -356,9 +364,6 @@ type Instance struct {
 	// Indicates whether the instance is optimized for Amazon EBS I/O.
 	EBSOptimized *bool `json:"ebsOptimized"`
 
-	// UserData defines the Base64-encoded user data to make available to the instance.
-	UserData *string
-
-	// SecurityGroupIDs are one or more security group IDs this instance belongs to.
-	SecurityGroupIDs []*string
+	// The tags associated with the instance.
+	Tags map[string]string `json:"tag"`
 }

cloud/aws/providerconfig/v1alpha1/zz_generated.deepcopy.go

@@ -54,3 +54,40 @@ func (s *Service) defaultAMILookup(region string) string {
 		return "unknown region"
 	}
 }
+
+func (s *Service) defaultBastionAMILookup(region string) string {
+	switch region {
+	case "ap-northeast-1":
+		return "ami-d39a02b5"
+	case "ap-northeast-2":
+		return "ami-67973709"
+	case "ap-south-1":
+		return "ami-5d055232"
+	case "ap-southeast-1":
+		return "ami-325d2e4e"
+	case "ap-southeast-2":
+		return "ami-37df2255"
+	case "ca-central-1":
+		return "ami-f0870294"
+	case "eu-central-1":
+		return "ami-af79ebc0"
+	case "eu-west-1":
+		return "ami-4d46d534"
+	case "eu-west-2":
+		return "ami-d7aab2b3"
+	case "eu-west-3":
+		return "ami-5e0eb923"
+	case "sa-east-1":
+		return "ami-1157157d"
+	case "us-east-1":
+		return "ami-41e0b93b"
+	case "us-east-2":
+		return "ami-2581aa40"
+	case "us-west-1":
+		return "ami-79aeae19"
+	case "us-west-2":
+		return "ami-1ee65166"
+	default:
+		return "unknown region"
+	}
+}