From 0267546460187e0ff4439a6ee6f2340bcc185b50 Mon Sep 17 00:00:00 2001
From: ChengcongDu
Date: Thu, 14 Nov 2024 23:35:07 +0000
Subject: [PATCH 1/2] add firewall to allow tcp traffic for parallelstore

---
 .../network/private-service-access/README.md | 1 +
 .../network/private-service-access/outputs.tf | 5 +++++
 examples/gke-storage-parallelstore.yaml | 13 +++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/community/modules/network/private-service-access/README.md b/community/modules/network/private-service-access/README.md
index dd86be80f2..82cb34a429 100644
--- a/community/modules/network/private-service-access/README.md
+++ b/community/modules/network/private-service-access/README.md
@@ -88,6 +88,7 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| [cidr\_range](#output\_cidr\_range) | CIDR range of the created google\_compute\_global\_address |
 | [connect\_mode](#output\_connect\_mode) | Services that use Private Service Access typically specify connect\_mode
"PRIVATE\_SERVICE\_ACCESS". This output value sets connect\_mode and additionally
 blocks terraform actions until the VPC connection has been created. |
 | [private\_vpc\_connection\_peering](#output\_private\_vpc\_connection\_peering) | The name of the VPC Network peering connection that was created by the service provider. |
 | [reserved\_ip\_range](#output\_reserved\_ip\_range) | Named IP range to be used by services connected with Private Service Access. |
diff --git a/community/modules/network/private-service-access/outputs.tf b/community/modules/network/private-service-access/outputs.tf
index 3f3cc0c66a..296f2e9140 100644
--- a/community/modules/network/private-service-access/outputs.tf
+++ b/community/modules/network/private-service-access/outputs.tf
@@ -36,3 +36,8 @@ output "reserved_ip_range" {
   description = "Named IP range to be used by services connected with Private Service Access."
   value = google_compute_global_address.private_ip_alloc.name
 }
+
+output "cidr_range" {
+  description = "CIDR range of the created google_compute_global_address"
+  value = "${google_compute_global_address.private_ip_alloc.address}/${google_compute_global_address.private_ip_alloc.prefix_length}"
+}
diff --git a/examples/gke-storage-parallelstore.yaml b/examples/gke-storage-parallelstore.yaml
index 9ffe737e83..fc69b9cfc1 100644
--- a/examples/gke-storage-parallelstore.yaml
+++ b/examples/gke-storage-parallelstore.yaml
@@ -45,6 +45,19 @@ deployment_groups:
 - group: primary
   modules:
 
+  # allow parallelstore connection
+  - id: parallelstore_firewall_rule
+    source: modules/network/firewall-rules
+    use: [network]
+    settings:
+      ingress_rules:
+      - name: $(vars.deployment_name)-allow-parallelstore-traffic
+        description: Allow parallelstore traffic
+        source_ranges:
+        - $(private_service_access.cidr_range)
+        allow:
+        - protocol: tcp
+
 - id: gke_cluster
   source: modules/scheduler/gke-cluster
   use: [network]
From 26637012d8387ed1e59e091a9431ed062604939d Mon Sep 17 00:00:00 2001
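Review bot: The new `parallelstore_firewall_rule` ingress rule admits every TCP port from the Private Service Access range to every instance in the VPC, because the `allow` entry is `protocol: tcp` with no `ports` and the rule has no target scoping (no `target_tags` / `target_service_accounts`). If the client-side ports Parallelstore requires are known, pin them with a `ports:` list under that allow entry, and scope the rule to the GKE node pool (for example a `target_tags:` entry matching the node tags, if the firewall-rules module exposes it) so the peered range cannot reach unrelated VMs on the network. The `$(private_service_access.cidr_range)` reference presumes a `private_service_access` module is declared elsewhere in this blueprint (the `deployment_groups` list starts before and continues after this hunk) and that the toolkit derives the ordering from the reference, since `use:` only names `network`; that is worth confirming. If all-TCP genuinely cannot be narrowed, say so next to the rule, e.g. `# NOTE: all TCP ports from the PSA range are allowed to all instances; narrow with ports/target_tags once Parallelstore's port requirements are confirmed`.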
From: ChengcongDu
Date: Fri, 15 Nov 2024 00:01:20 +0000
Subject: [PATCH 2/2] fix pre-commit tests-metadata

---
 .../daily-tests/builds/gke-storage-parallelstore.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml b/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml
index 1a6a5873cf..a51c8cebab 100644
--- a/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml
+++ b/tools/cloud-build/daily-tests/builds/gke-storage-parallelstore.yaml
@@ -14,6 +14,7 @@
 
 ---
 tags:
+- m.firewall-rules
 - m.gke-cluster
 - m.gke-job-template
 - m.gke-node-pool