
feat(login): Add internal load balancer to access login nodes from VPC

Context

After we fixed firewall rules in !87 (merged), vs-firecrest stopped being able to access login nodes through SSH.

In order to fix this, we are adding an internal load balancer for the login nodes, which allows Kubernetes pods and services to SSH into login nodes without leaving the VPC.

Impact

Login nodes are now accessible from the VPC.

Note: To achieve this, it adds secondary IP ranges to the internal ssh firewall rule. This is needed as we don't use IP masking in our k8s cluster. As an alternative, we could enable IP masking instead.

Test(s)

Deploy examples/login. As output you should get both internal and external IPs to access the login node.

For a full test: deploy a vcluster, open a terminal in any of the k8s pods and run:

$ curl <internal_ip_address>:22

You should get an error message similar to "curl: (1) Received HTTP/0.9 when not allowed", meaning curl can connect to port 22. A connection timeout would mean that the ILB is not properly set.

Edited by German Felipe Giraldo Villa
