Merge pull request #8374 from bfournie/gcp-bootstrap-firewall-ssh

CORS-3297: Add GCP firewall rule to access bootstrap node via ssh

Author: openshift-merge-bot[bot]

pkg/infrastructure/gcp/clusterapi/clusterapi.go

@@ -144,6 +144,10 @@ func (p Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput)
 		logrus.Debugf("publish strategy is set to external but api address is empty")
 	}
 
+	if err := createBootstrapFirewallRules(ctx, in, *gcpCluster.Status.Network.SelfLink); err != nil {
+		return fmt.Errorf("failed to add bootstrap firewall rule: %w", err)
+	}
+
 	client, err := icgcp.NewClient(context.TODO())
 	if err != nil {
 		return err
@@ -222,7 +226,6 @@ func (p Provider) DestroyBootstrap(dir string) error {
 	if err != nil {
 		return err
 	}
-
 	if err := gcp.DestroyStorage(context.Background(), metadata.ClusterID); err != nil {
 		return fmt.Errorf("failed to destroy storage")
 	}

pkg/infrastructure/gcp/clusterapi/firewallrules.go

@@ -8,6 +8,7 @@ import (
 	"google.golang.org/api/compute/v1"
 
 	"github.com/openshift/installer/pkg/infrastructure/clusterapi"
+	"github.com/openshift/installer/pkg/types"
 )
 
 func getControlPlanePorts() []*compute.FirewallAllowed {
@@ -108,6 +109,20 @@ func getInternalNetworkPorts() []*compute.FirewallAllowed {
 	}
 }
 
+func getBootstrapSSHPorts() []*compute.FirewallAllowed {
+	return []*compute.FirewallAllowed{
+		{
+			IPProtocol: "tcp",
+			Ports: []string{
+				"22", // SSH
+			},
+		},
+		{
+			IPProtocol: "icmp",
+		},
+	}
+}
+
 // addFirewallRule creates the firewall rule and adds it the compute's firewalls.
 func addFirewallRule(ctx context.Context, name, network, projectID string, ports []*compute.FirewallAllowed, srcTags, targetTags, srcRanges []string) error {
 	service, err := NewComputeService()
@@ -146,7 +161,7 @@ func addFirewallRule(ctx context.Context, name, network, projectID string, ports
 	return nil
 }
 
-// createFirewallRules creates the rules needed between tthe worker and master nodes.
+// createFirewallRules creates the rules needed between the worker and master nodes.
 func createFirewallRules(ctx context.Context, in clusterapi.InfraReadyInput, network string) error {
 	projectID := in.InstallConfig.Config.Platform.GCP.ProjectID
 	workerTag := fmt.Sprintf("%s-worker", in.InfraID)
@@ -189,3 +204,20 @@ func createFirewallRules(ctx context.Context, in clusterapi.InfraReadyInput, net
 
 	return err
 }
+
+// createBootstrapFirewallRules creates the rules needed for the bootstrap node.
+func createBootstrapFirewallRules(ctx context.Context, in clusterapi.InfraReadyInput, network string) error {
+	projectID := in.InstallConfig.Config.Platform.GCP.ProjectID
+	firewallName := fmt.Sprintf("%s-bootstrap-in-ssh", in.InfraID)
+	srcTags := []string{}
+	bootstrapTag := fmt.Sprintf("%s-control-plane", in.InfraID)
+	targetTags := []string{bootstrapTag}
+	var srcRanges []string
+	if in.InstallConfig.Config.Publish == types.ExternalPublishingStrategy {
+		srcRanges = []string{"0.0.0.0/0"}
+	} else {
+		machineCIDR := in.InstallConfig.Config.Networking.MachineNetwork[0].CIDR.String()
+		srcRanges = []string{machineCIDR}
+	}
+	return addFirewallRule(ctx, firewallName, network, projectID, getBootstrapSSHPorts(), srcTags, targetTags, srcRanges)
+}