feat: implement RFC 16 to allow emergency node access (#3557)

2025-07-23 15:30:44 -04:00 · 2025-03-25 11:28:48 +00:00 · 2025-03-25 11:28:48 +00:00 · 3cc930fa97
commit 3cc930fa97
parent c7369fa2a7
27 changed files with 256 additions and 69 deletions
--- a/terraform/infrastructure/aws/main.tf
+++ b/terraform/infrastructure/aws/main.tf
@ -29,6 +29,7 @@ locals {
    { name = "recovery", port = "9999", health_check = "TCP" },
    { name = "join", port = "30090", health_check = "TCP" },
    var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
  ])
  target_group_arns = {
    control-plane : [
--- a/terraform/infrastructure/aws/outputs.tf
+++ b/terraform/infrastructure/aws/outputs.tf
@ -45,3 +45,8 @@ output "ip_cidr_node" {
  value       = local.cidr_vpc_subnet_nodes
  description = "CIDR block of the node network."
 }
+
+output "loadbalancer_address" {
+  value       = aws_lb.front_end.dns_name
+  description = "Public loadbalancer address."
+}
--- a/terraform/infrastructure/aws/variables.tf
+++ b/terraform/infrastructure/aws/variables.tf
@ -85,3 +85,9 @@ variable "additional_tags" {
  default     = {}
  description = "Additional tags that should be applied to created resources."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to expose the SSH port through the public load balancer."
+}
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
@ -40,6 +40,7 @@ locals {
    { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 },
    { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 },
    var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check_protocol = "Tcp", path = null, priority = 107 }] : [],
  ])
  // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name.
  // example: given "name-1234567890.location.cloudapp.azure.com" it will return "*.location.cloudapp.azure.com"
--- a/terraform/infrastructure/azure/outputs.tf
+++ b/terraform/infrastructure/azure/outputs.tf
@ -47,6 +47,11 @@ output "ip_cidr_node" {
  description = "CIDR block of the node network."
 }

+output "loadbalancer_address" {
+  value       = azurerm_public_ip.loadbalancer_ip[0].fqdn
+  description = "Public loadbalancer address."
+}
+
 # Azure-specific outputs

 output "attestation_url" {
--- a/terraform/infrastructure/azure/variables.tf
+++ b/terraform/infrastructure/azure/variables.tf
@ -101,3 +101,9 @@ variable "additional_tags" {
  default     = {}
  description = "Additional tags that should be applied to created resources."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to expose the SSH port through the public load balancer."
+}
--- a/terraform/infrastructure/gcp/main.tf
+++ b/terraform/infrastructure/gcp/main.tf
@ -40,6 +40,7 @@ locals {
    { name = "recovery", port = "9999", health_check = "TCP" },
    { name = "join", port = "30090", health_check = "TCP" },
    var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
  ])
  node_groups_by_role = {
    for name, node_group in var.node_groups : node_group.role => name...
--- a/terraform/infrastructure/gcp/outputs.tf
+++ b/terraform/infrastructure/gcp/outputs.tf
@ -45,6 +45,11 @@ output "ip_cidr_node" {
  description = "CIDR block of the node network."
 }

+output "loadbalancer_address" {
+  value       = var.internal_load_balancer ? google_compute_address.loadbalancer_ip_internal[0].address : google_compute_global_address.loadbalancer_ip[0].address
+  description = "Public loadbalancer address."
+}
+
 # GCP-specific outputs

 output "project" {
--- a/terraform/infrastructure/gcp/variables.tf
+++ b/terraform/infrastructure/gcp/variables.tf
@ -75,3 +75,9 @@ variable "additional_labels" {
  default     = {}
  description = "Additional labels that should be given to created recources."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to expose the SSH port through the public load balancer."
+}
--- a/terraform/infrastructure/openstack/main.tf
+++ b/terraform/infrastructure/openstack/main.tf
@ -43,6 +43,7 @@ locals {
    { name = "recovery", port = "9999", health_check = "TCP" },
    { name = "join", port = "30090", health_check = "TCP" },
    var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
+    var.emergency_ssh ? [{ name = "ssh", port = "22", health_check = "TCP" }] : [],
  ])
  cidr_vpc_subnet_nodes = "192.168.178.0/24"
  cidr_vpc_subnet_lbs   = "192.168.177.0/24"
--- a/terraform/infrastructure/openstack/outputs.tf
+++ b/terraform/infrastructure/openstack/outputs.tf
@ -36,6 +36,11 @@ output "ip_cidr_node" {
  description = "CIDR block of the node network."
 }

+output "loadbalancer_address" {
+  value       = openstack_networking_floatingip_v2.public_ip.address
+  description = "Public loadbalancer address."
+}
+
 # OpenStack-specific outputs

 output "network_id" {
--- a/terraform/infrastructure/openstack/variables.tf
+++ b/terraform/infrastructure/openstack/variables.tf
@ -71,3 +71,9 @@ variable "stackit_project_id" {
  type        = string
  description = "STACKIT project ID."
 }
+
+variable "emergency_ssh" {
+  type        = bool
+  default     = false
+  description = "Wether to expose the SSH port through the public load balancer."
+}