Enable authN (port 22) to the VM from the IP of the person running the code only #194
rajeshkio wants to merge 10 commits into rancher:main from
Conversation
Do you need help with Azure and GCP @rajeshkio ? I can take a look at it and make the changes for you if you don't have access. I have checked the code and it looks fine. However, I think that we would appreciate the following changes. 1 - Only port 22 is being restricted. I would say that you can proceed with port 6443 as well or directly to all the ports. Have I missed something @glovecchi0 ?? Thanks a lot for your work!

The conflicts arise because the branch points to an older version of the code. Yesterday, we released the major release for use with openSUSE 16.0 and changed several lines of code.
The logic used is correct, @rajeshkio. Thank you. |
Port 6443 has different challenges and testing effort; that's why I was thinking of doing that in another issue.
I think we only use external port 6443 for KubeConfig to access RKE2 API and to be able to execute kubectl commands which should be fine if we change that rule with our personal IP and Rancher URL. But, of course, let's confirm that as it is possible that there are more operations affected! |
```hcl
}

inbound_rule {
  protocol = "udp"
```
It should be 8472 and 68.
@glovecchi0 I don't see port 22 UDP in the list for the link you provided. Also, I think many of those ports are only required between nodes and not inbound from the Internet.
The issue has been fixed by pointing only to the necessary UDP ports 8472 and 68.
DigitalOcean does not provide implicit intra-network trust like AWS, Azure, or GCP...
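What the thread settles on for DigitalOcean, written out as an added example of the firewall shape (this is not the PR's own code): SSH only from the address of whoever runs terraform, plus an optional explicit allow-list such as a bastion; the Kubernetes API on the same list, which the thread defers to a separate issue; VXLAN (UDP 8472) only between droplets carrying the cluster tag, since DigitalOcean does not trust the private network implicitly; and DHCP client replies on UDP 68. The variable and tag names, the `api.ipify.org` lookup through the hashicorp/http provider (v3+, which exposes `response_body`), and sourcing UDP 68 from any address are assumptions.

```hcl
# Added example, not code from the PR. Names, the ipify lookup and the
# UDP 68 source are assumptions; adjust them to the repository's own layout.

terraform {
  required_providers {
    digitalocean = { source = "digitalocean/digitalocean" }
    http         = { source = "hashicorp/http" }
  }
}

# Extra CIDRs allowed on 22/6443, e.g. a bastion host, so that an IP change on
# the operator's side does not lock them out (assumed variable name).
variable "extra_ssh_cidrs" {
  type    = list(string)
  default = []
}

# Public address of the machine running terraform, resolved at plan time.
data "http" "runner_ip" {
  url = "https://api.ipify.org"
}

locals {
  runner_cidr = "${trimspace(data.http.runner_ip.response_body)}/32"
  ssh_sources = concat([local.runner_cidr], var.extra_ssh_cidrs)
}

# Tag used both to attach the firewall and to identify cluster peers
# (assumed name). Every RKE2 droplet must carry it.
resource "digitalocean_tag" "rke2_node" {
  name = "rke2-node"
}

resource "digitalocean_firewall" "cluster" {
  name = "rke2-nodes"
  tags = [digitalocean_tag.rke2_node.name]

  # SSH: only the operator's current IP and any explicit extra CIDRs.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = local.ssh_sources
  }

  # Kubernetes API used by kubectl and Rancher. The thread leaves tightening
  # this to another issue; reusing the SSH allow-list is shown as one option.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "6443"
    source_addresses = local.ssh_sources
  }

  # Flannel VXLAN: only from other droplets with the cluster tag, never from
  # the Internet. source_tags is the explicit intra-cluster trust DO lacks.
  inbound_rule {
    protocol    = "udp"
    port_range  = "8472"
    source_tags = [digitalocean_tag.rke2_node.name]
  }

  # DHCP client replies for the droplet's own lease. Any-source is an
  # assumption; narrow it if the DHCP server addresses are known.
  inbound_rule {
    protocol         = "udp"
    port_range       = "68"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}
```

Because the runner's address is re-read on every plan, an IP change only needs another `terraform apply` to rewrite the port 22 rule; putting a fixed bastion CIDR in `extra_ssh_cidrs` removes that dependency entirely. Before applying, read the plan output and confirm that no inbound rule for 22 or 6443 lists `0.0.0.0/0` or `::/0` as a source.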
I ran terraform apply for my task and suddenly my internet got reconnected.

Can we get any bastion host from SUSE infra and add it to the allow list, so that we can access nodes from bastion host and don't have to worry about IP address changes?
glovecchi0
left a comment
I've submitted a few commits to bring the code more in line with the existing format and added a few bug fixes (such as excessive UDP permissiveness in DO).
LGTM now.
I'm curious how it works with Rancher. I'll have to try it.
glovecchi0
left a comment
I confirm once again that everything seems fine to me.
Great work!
I have added changes for AWS and DigitalOcean. I haven't set up Azure and GCP clouds.