From 19b673883386041e19365e1ec12c8c3db5d52dff Mon Sep 17 00:00:00 2001 From: Prateek-Sharma13 Date: Mon, 2 Sep 2024 13:56:49 +0530 Subject: [PATCH 1/4] doc: updated outbound traffic information for operator hub access. --- examples/basic/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/basic/README.md b/examples/basic/README.md index ee3f7a6e..69929229 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md @@ -6,3 +6,5 @@ The following resources are provisioned by this example: - A new resource group, if an existing one is not passed in. - A basic VPC and subnet with public gateway enabled. - A single zone OCP VPC cluster. + +**Note:** Operator Hub may not be accessible if the variable `disable_outbound_traffic_protection` is set to `false` which is the defalult value. If you want to have this, you can open up the outbound traffic by setting the variable value as `true`. From 07c0520904f4e915a37f4a97ca7daf8733865d2f Mon Sep 17 00:00:00 2001 From: Prateek-Sharma13 Date: Thu, 5 Sep 2024 13:53:37 +0530 Subject: [PATCH 2/4] doc: updated readme file --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 8ae5be66..8068fcc3 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,12 @@ module "ocp_base" { } ``` +### Secure by default cluster settings + +In OCP version 4.15, outbound traffic is disabled by default. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-security-group-reference). + +There is a provision to toggle outbound traffic by using the modules' `disable_outbound_traffic_protection` input. Refer [Managing outbound traffic protection in VPC clusters](https://cloud.ibm.com/docs/openshift?topic=openshift-sbd-allow-outbound#sbd-example-oh). + ### Advanced security group options The Terraform module provides options to attach additional security groups to the worker nodes, VPE, and load balancer associated with the cluster. 
From f2dc0ca16b47ef422466f3802d87f42a6d5ce3f1 Mon Sep 17 00:00:00 2001 From: Prateek-Sharma13 Date: Tue, 10 Sep 2024 06:55:20 +0530 Subject: [PATCH 3/4] fix: enable outbound traffic --- README.md | 3 ++- examples/basic/README.md | 7 +++---- examples/basic/main.tf | 25 +++++++++++++------------ 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 87d98234..a029045b 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ Optionally, the module supports advanced security group management for the worke * [2 MZR clusters in same VPC example](./examples/multiple_mzr_clusters) * [Advanced example (mzr, auto-scale, kms, taints)](./examples/advanced) * [Attaching custom security groups](./examples/custom_sg) - * [Basic single zone example](./examples/basic) + * [Basic single zone cluster with allowed outbound traffic](./examples/basic) * [Cluster security group rules example](./examples/add_rules_to_sg) * [Cross account KMS encryption example](./examples/cross_kms_support) * [Financial Services compliant example](./examples/fscloud) @@ -121,6 +121,7 @@ module "ocp_base" { In OCP version 4.15, outbound traffic is disabled by default. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-security-group-reference). There is a provision to toggle outbound traffic by using the modules' `disable_outbound_traffic_protection` input. Refer [Managing outbound traffic protection in VPC clusters](https://cloud.ibm.com/docs/openshift?topic=openshift-sbd-allow-outbound#sbd-example-oh). + ### Default Worker Pool management You can manage the default worker pool using Terraform, and make changes to it through this module. This option is enabled by default. Under the hood, the default worker pool is imported as a `ibm_container_vpc_worker_pool` resource. Advanced users may opt-out of this option by setting `import_default_worker_pool_on_create` parameter to `false`. For most use cases it is recommended to keep this variable to `true`. 
diff --git a/examples/basic/README.md b/examples/basic/README.md index 69929229..e8ee30ed 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md @@ -1,10 +1,9 @@ -# Basic single zone example +# Basic single zone cluster with allowed outbound traffic -A simple example that shows how to provision a basic single zone OCP VPC cluster. +A simple example that shows how to provision a basic single zone OCP VPC cluster. Also the outbound traffic is allowed, which is required for accessing the Operator Hub. The following resources are provisioned by this example: + - A new resource group, if an existing one is not passed in. - A basic VPC and subnet with public gateway enabled. - A single zone OCP VPC cluster. - -**Note:** Operator Hub may not be accessible if the variable `disable_outbound_traffic_protection` is set to `false` which is the defalult value. If you want to have this, you can open up the outbound traffic by setting the variable value as `true`. diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 6538e3d5..9831d21c 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf 
@@ -68,16 +68,17 @@ locals {
 }
 module "ocp_base" {
- source = "../.."
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- tags = var.resource_tags
- cluster_name = var.prefix
- force_delete_storage = true
- vpc_id = ibm_is_vpc.vpc.id
- vpc_subnets = local.cluster_vpc_subnets
- ocp_version = var.ocp_version
- worker_pools = local.worker_pools
- access_tags = var.access_tags
- ocp_entitlement = var.ocp_entitlement
+ source = "../.."
+ resource_group_id = module.resource_group.resource_group_id
+ region = var.region
+ tags = var.resource_tags
+ cluster_name = var.prefix
+ force_delete_storage = true
+ vpc_id = ibm_is_vpc.vpc.id
+ vpc_subnets = local.cluster_vpc_subnets
+ ocp_version = var.ocp_version
+ worker_pools = local.worker_pools
+ access_tags = var.access_tags
+ ocp_entitlement = var.ocp_entitlement
+ disable_outbound_traffic_protection = true # set as True to enable outbound traffic; required for accessing Operator Hub in the OpenShift console.
 }

From 98284df34c7b26800a36a03694fd452f1ad77227 Mon Sep 17 00:00:00 2001
From: Prateek-Sharma13
Date: Tue, 10 Sep 2024 12:02:33 +0530
Subject: [PATCH 4/4] fix: added default worker pool condition for default pool

---
 examples/basic/main.tf | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 9831d21c..536129c6 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
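Review bot: The added `disable_outbound_traffic_protection = true` switches off the cluster's secure-by-default outbound protection for every worker node, but the trailing comment only says it is needed for Operator Hub and never states that this opens all egress or that the module default is `false` (the README's "Secure by default cluster settings" section describes outbound traffic as disabled by default on OCP 4.15). Because this is the basic example that people copy, the trade-off should be spelled out on the line itself, e.g. `disable_outbound_traffic_protection = true # allows all outbound traffic from worker nodes (needed for Operator Hub); the module default is false — keep it in production and prefer targeted rules (see examples/add_rules_to_sg)`. The comment should also say `true`, not `True`, since that is the HCL literal actually written. The `module "ocp_base"` block is fully inside the hunk; the `locals` block it follows starts outside it.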
@@ -68,17 +68,18 @@ locals {
 }
 module "ocp_base" {
- source = "../.."
- resource_group_id = module.resource_group.resource_group_id
- region = var.region
- tags = var.resource_tags
- cluster_name = var.prefix
- force_delete_storage = true
- vpc_id = ibm_is_vpc.vpc.id
- vpc_subnets = local.cluster_vpc_subnets
- ocp_version = var.ocp_version
- worker_pools = local.worker_pools
- access_tags = var.access_tags
- ocp_entitlement = var.ocp_entitlement
- disable_outbound_traffic_protection = true # set as True to enable outbound traffic; required for accessing Operator Hub in the OpenShift console.
+ source = "../.."
+ resource_group_id = module.resource_group.resource_group_id
+ region = var.region
+ tags = var.resource_tags
+ cluster_name = var.prefix
+ force_delete_storage = true
+ vpc_id = ibm_is_vpc.vpc.id
+ vpc_subnets = local.cluster_vpc_subnets
+ ocp_version = var.ocp_version
+ worker_pools = local.worker_pools
+ access_tags = var.access_tags
+ ocp_entitlement = var.ocp_entitlement
+ disable_outbound_traffic_protection = true # set as True to enable outbound traffic; required for accessing Operator Hub in the OpenShift console.
+ import_default_worker_pool_on_create = false
 }
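Review bot: `import_default_worker_pool_on_create = false` is added with no comment, yet the README's "Default Worker Pool management" section says this option is on by default and recommends keeping it `true` for most use cases, so the basic example now silently opts out of the recommended setting and will be copied that way. Either drop the line or state the reason next to it, e.g. `import_default_worker_pool_on_create = false # the default worker pool is NOT imported into Terraform state here; see README "Default Worker Pool management" before reusing this`. The commit message ("added default worker pool condition") does not explain the motivation, so whatever it was should be written down here rather than inferred. The whole `module "ocp_base"` block is inside the hunk; the preceding `locals` block begins outside it.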