join: join over lb if available (#2348)

* join: join over lb if available
2025-05-02 06:16:08 -04:00 · 2023-09-25 10:23:35 +02:00 · 2023-09-25 10:23:35 +02:00 · 2776e40df7
commit 2776e40df7
parent df77696620
12 changed files with 142 additions and 62 deletions
--- a/cli/internal/terraform/terraform/aws/main.tf
+++ b/cli/internal/terraform/terraform/aws/main.tf
@ -27,6 +27,7 @@ locals {
  ports_verify       = "30081"
  ports_recovery     = "9999"
  ports_debugd       = "4000"
+  ports_join         = "30090"
  target_group_arns = {
    control-plane : flatten([
      module.load_balancer_target_bootstrapper.target_group_arn,
@ -34,6 +35,7 @@ locals {
      module.load_balancer_target_verify.target_group_arn,
      module.load_balancer_target_recovery.target_group_arn,
      module.load_balancer_target_konnectivity.target_group_arn,
+      module.load_balancer_target_join.target_group_arn,
      var.debug ? [module.load_balancer_target_debugd[0].target_group_arn] : [],
    ])
    worker : []
@ -96,6 +98,7 @@ resource "aws_lb" "front_end" {
  internal           = false
  load_balancer_type = "network"
  tags               = local.tags
+  security_groups    = [aws_security_group.security_group.id]

  dynamic "subnet_mapping" {
    # TODO(malt3): use for_each = toset(module.public_private_subnet.all_zones)
@ -111,6 +114,10 @@ resource "aws_lb" "front_end" {
    }
  }
  enable_cross_zone_load_balancing = true
+
+  lifecycle {
+    ignore_changes = [security_groups]
+  }
 }

 resource "aws_security_group" "security_group" {
@ -255,6 +262,16 @@ module "load_balancer_target_konnectivity" {
  healthcheck_protocol = "TCP"
 }

+module "load_balancer_target_join" {
+  source               = "./modules/load_balancer_target"
+  name                 = "${local.name}-join"
+  vpc_id               = aws_vpc.vpc.id
+  lb_arn               = aws_lb.front_end.arn
+  port                 = local.ports_join
+  tags                 = local.tags
+  healthcheck_protocol = "TCP"
+}
+
 module "instance_group" {
  source               = "./modules/instance_group"
  for_each             = var.node_groups
--- a/cli/internal/terraform/terraform/azure/main.tf
+++ b/cli/internal/terraform/terraform/azure/main.tf
@ -32,6 +32,7 @@ locals {
  ports_konnectivity    = "8132"
  ports_verify          = "30081"
  ports_recovery        = "9999"
+  ports_join            = "30090"
  ports_debugd          = "4000"
  cidr_vpc_subnet_nodes = "192.168.178.0/24"
  cidr_vpc_subnet_pods  = "10.10.0.0/16"
@ -182,6 +183,12 @@ module "loadbalancer_backend_control_plane" {
      protocol = "Tcp",
      path     = null
    },
+    {
+      name     = "join",
+      port     = local.ports_join,
+      protocol = "Tcp",
+      path     = null
+    },
    var.debug ? [{
      name     = "debugd",
      port     = local.ports_debugd,
@ -231,8 +238,9 @@ resource "azurerm_network_security_group" "security_group" {
      { name = "kubernetes", priority = 101, dest_port_range = local.ports_kubernetes },
      { name = "bootstrapper", priority = 102, dest_port_range = local.ports_bootstrapper },
      { name = "konnectivity", priority = 103, dest_port_range = local.ports_konnectivity },
-      { name = "recovery", priority = 104, dest_port_range = local.ports_recovery },
-      var.debug ? [{ name = "debugd", priority = 105, dest_port_range = local.ports_debugd }] : [],
+      { name = "join", priority = 104, dest_port_range = local.ports_recovery },
+      { name = "recovery", priority = 105, dest_port_range = local.ports_join },
+      var.debug ? [{ name = "debugd", priority = 106, dest_port_range = local.ports_debugd }] : [],
    ])
    content {
      name                       = security_rule.value.name
--- a/cli/internal/terraform/terraform/gcp/main.tf
+++ b/cli/internal/terraform/terraform/gcp/main.tf
@ -42,6 +42,7 @@ locals {
  ports_konnectivity    = "8132"
  ports_verify          = "30081"
  ports_recovery        = "9999"
+  ports_join            = "30090"
  ports_debugd          = "4000"
  cidr_vpc_subnet_nodes = "192.168.178.0/24"
  cidr_vpc_subnet_pods  = "10.10.0.0/16"
@ -52,6 +53,7 @@ locals {
    { name = "verify", port = local.ports_verify },
    { name = "konnectivity", port = local.ports_konnectivity },
    { name = "recovery", port = local.ports_recovery },
+    { name = "join", port = local.ports_join },
    var.debug ? [{ name = "debugd", port = local.ports_debugd }] : [],
  ])
  node_groups_by_role = {
@ -120,6 +122,7 @@ resource "google_compute_firewall" "firewall_external" {
      local.ports_kubernetes,
      local.ports_konnectivity,
      local.ports_recovery,
+      local.ports_join,
      var.debug ? [local.ports_debugd] : [],
    ])
  }
@ -234,6 +237,17 @@ module "loadbalancer_recovery" {
  frontend_labels         = merge(local.labels, { constellation-use = "recovery" })
 }

+module "loadbalancer_join" {
+  source                  = "./modules/loadbalancer"
+  name                    = local.name
+  health_check            = "TCP"
+  backend_port_name       = "join"
+  backend_instance_groups = local.control_plane_instance_groups
+  ip_address              = google_compute_global_address.loadbalancer_ip.self_link
+  port                    = local.ports_join
+  frontend_labels         = merge(local.labels, { constellation-use = "join" })
+}
+
 module "loadbalancer_debugd" {
  count                   = var.debug ? 1 : 0 // only deploy debugd in debug mode
  source                  = "./modules/loadbalancer"