Simple toggle to stop the automatic assignment of public IP's for all

pieterlange · pieterlange · commit 10e4333d42aa · 2016-10-25T16:24:17.000+02:00
the nodes.

This toggle requires the operator to bootstrap the VPC with a NAT gateway.
diff --git a/config/config.go b/config/config.go
@@ -65,6 +65,7 @@ func newDefaultCluster() *Cluster {
 		CreateRecordSet:          false,
 		RecordSetTTL:             300,
 		Subnets:                  []*Subnet{},
+		MapPublicIPs:             true,
 		Experimental:             experimental,
 	}
 }
@@ -167,6 +168,7 @@ type Cluster struct {
 	StackTags                map[string]string `yaml:"stackTags,omitempty"`
 	UseCalico                bool              `yaml:"useCalico,omitempty"`
 	Subnets                  []*Subnet         `yaml:"subnets,omitempty"`
+	MapPublicIPs             bool              `yaml:"mapPublicIPs,omitempty"`
 	Experimental             Experimental      `yaml:"experimental"`
 	providedEncryptService   encryptService
 }
diff --git a/config/templates/cluster.yaml b/config/templates/cluster.yaml
@@ -125,6 +125,10 @@ kmsKeyArn: "{{.KMSKeyARN}}"
 # IP address of Kubernetes dns service (must be contained by serviceCIDR)
 # dnsServiceIP: 10.3.0.10
 
+# Uncomment to provision nodes without a public IP. This assumes your VPC route table is setup to route to the internet via a NAT gateway.
+# If you did not set vpcId and routeTableId the cluster will not bootstrap.
+# mapPublicIPs: false
+
 # Expiration in days from creation time of TLS assets. By default, the CA will
 # expire in 10 years and the server and client certificates will expire in 1
 # year.
diff --git a/config/templates/stack-template.json b/config/templates/stack-template.json
@@ -341,7 +341,7 @@
         "KeyName": "{{$.KeyName}}",
         "NetworkInterfaces": [
           {
-            "AssociatePublicIpAddress": true,
+            "AssociatePublicIpAddress": {{.MapPublicIPs}},
             "DeleteOnTermination": true,
             "DeviceIndex": "0",
             "GroupSet": [
@@ -452,6 +452,11 @@
 	    "Protocol" : "TCP"
 	  }
 	],
+	{{if .MapPublicIPs}}
+	"Scheme": "internet-facing",
+	{{else}}
+	"Scheme": "internal",
+	{{end}}
 	"SecurityGroups" : [
 	  { "Ref" : "SecurityGroupElbAPIServer" }
 	]
@@ -794,7 +799,7 @@
       "Properties": {
         "AvailabilityZone": "{{$subnet.AvailabilityZone}}",
         "CidrBlock": "{{$subnet.InstanceCIDR}}",
-        "MapPublicIpOnLaunch": true,
+        "MapPublicIpOnLaunch": {{.MapPublicIPs}},
         "Tags": [
           {
             "Key": "KubernetesCluster",

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ func newDefaultCluster() *Cluster {`
`65`	`65`	`CreateRecordSet: false,`
`66`	`66`	`RecordSetTTL: 300,`
`67`	`67`	`Subnets: []*Subnet{},`
	`68`	`+ MapPublicIPs: true,`
`68`	`69`	`Experimental: experimental,`
`69`	`70`	`}`
`70`	`71`	`}`
`@@ -167,6 +168,7 @@ type Cluster struct {`
`167`	`168`	StackTags map[string]string `yaml:"stackTags,omitempty"`
`168`	`169`	UseCalico bool `yaml:"useCalico,omitempty"`
`169`	`170`	Subnets []*Subnet `yaml:"subnets,omitempty"`
	`171`	+ MapPublicIPs bool `yaml:"mapPublicIPs,omitempty"`
`170`	`172`	Experimental Experimental `yaml:"experimental"`
`171`	`173`	`providedEncryptService encryptService`
`172`	`174`	`}`