From 0295f4e2050571caebb06fe9f1536e8180e4213a Mon Sep 17 00:00:00 2001 From: Ciaran Roche Date: Mon, 12 Jan 2026 14:26:41 +0000 Subject: [PATCH 1/2] HYPERFLEET-439 - feat: add external API access via LoadBalancer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add optional LoadBalancer support for exposing HyperFleet API externally. Changes: - Add enable_external_api variable (default: false) - Add firewall rule for GCP health check IPs (35.191.0.0/16, 130.211.0.0/22) - Add external_api_enabled and external_api_note outputs The firewall rule targets port 8000 and is only created when enable_external_api=true and cloud_provider=gke. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- terraform/main.tf | 24 ++++++++++++++++++++++++ terraform/outputs.tf | 14 ++++++++++++++ terraform/variables.tf | 9 +++++++++ 3 files changed, 47 insertions(+) diff --git a/terraform/main.tf b/terraform/main.tf index f762a6b..ef5f4af 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -67,3 +67,27 @@ module "pubsub" { labels = local.common_labels } + +# ============================================================================= +# External API Access (optional firewall rule for LoadBalancer health checks) +# ============================================================================= +resource "google_compute_firewall" "allow_lb_health_checks" { + count = var.enable_external_api && var.cloud_provider == "gke" ? 1 : 0 + name = "${local.cluster_name}-allow-lb-health-checks" + network = var.gcp_network + project = var.gcp_project_id + + allow { + protocol = "tcp" + ports = ["8000"] # HyperFleet API port + } + + # GCP Load Balancer health check source ranges + # https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges + source_ranges = ["35.191.0.0/16", "130.211.0.0/22"] + + # Target GKE nodes + target_tags = ["gke-${local.cluster_name}"] + + description = "Allow GCP health checks for LoadBalancer services exposing HyperFleet API" +} diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 8cdbb8f..b63b502 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf 
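Review bot: The allow block opens tcp/8000 on every tagged node to the health-check ranges, but a passthrough Network Load Balancer created for a Service of type LoadBalancer probes a node port (kube-proxy's health port, or the Service's healthCheckNodePort under externalTrafficPolicy: Local), not the container port, and the GKE service controller creates the health-check firewall rule it needs on its own, so as far as I can tell this rule grants nothing the load balancer uses while widening what the nodes accept. Please verify that against the linked health-check doc before merging; if the rule is kept, replace the literal in `ports = ["8000"]  # HyperFleet API port` with a variable so it cannot drift silently from the chart's service port. The same doc lists different source ranges for some load-balancer types, so a comment such as `# ranges for the LB type the chart creates (see link); other types use different ranges` above source_ranges would keep the next maintainer from copying them blindly.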
@@ -67,3 +67,17 @@ output "helm_values_snippet" { description = "Snippet to add to Helm values for Workload Identity and Pub/Sub configuration" value = var.use_pubsub ? module.pubsub[0].helm_values_snippet : null } + +# ============================================================================= +# External API Access +# ============================================================================= + +output "external_api_enabled" { + description = "Whether external API access is enabled (LoadBalancer firewall rules)" + value = var.enable_external_api +} + +output "external_api_note" { + description = "Instructions for external API access" + value = var.enable_external_api ? "External API access is ENABLED. Deploy with: helm install hyperfleet charts/hyperfleet-gcp --set base.hyperfleet-api.service.type=LoadBalancer -n hyperfleet-system" : "External API access is DISABLED. Set enable_external_api=true to enable." +} diff --git a/terraform/variables.tf b/terraform/variables.tf index 32921be..08fbb6c 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -162,3 +162,12 @@ variable "pubsub_topic_configs" { } } } + +# ============================================================================= +# External API Access +# ============================================================================= +variable "enable_external_api" { + description = "Enable external access to HyperFleet API via LoadBalancer service" + type = bool + default = false +} From e29bca7142c3061f4132faf30de28a3350c26aaf Mon Sep 17 00:00:00 2001 
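Review bot: The external_api_note output instructs operators to switch the Service to type=LoadBalancer with no source restriction or authentication mentioned, so following it as written publishes the HyperFleet API on a public IP to any client; the firewall rule in terraform/main.tf covers only the health-check ranges and does not limit that data path, and the GKE service controller typically provisions its own ingress rule for the Service that admits all sources unless the Service sets loadBalancerSourceRanges. Extend the instruction with the restriction the chart supports, for example appending `--set base.hyperfleet-api.service.loadBalancerSourceRanges={<ALLOWED_CIDRS>}` (placeholder; confirm the chart's value path), or state in the output's description that the caller must restrict and authenticate access. The long ternary would also read better with the two messages in named locals and only the condition in the output.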
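Review bot: The description of enable_external_api says it enables external access via LoadBalancer, but on its own the variable only creates the health-check firewall rule in terraform/main.tf, and only when cloud_provider is "gke"; the Service type still has to be changed in Helm. Make both conditions visible to whoever sets it, e.g. `description = "Create the GCP firewall rule for LoadBalancer health checks on the HyperFleet API (effective only when cloud_provider = \"gke\"); the Service itself must be set to type LoadBalancer in Helm"`. Since enabling it is an exposure decision, the description is where that consequence should be stated.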
From: Ciaran Roche Date: Tue, 13 Jan 2026 10:07:16 +0000 Subject: [PATCH 2/2] fix: add network tag to GKE nodes for firewall rules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The LoadBalancer health check firewall rule targets nodes with tag gke-${cluster_name}, but nodes didn't have that tag applied. Added tags = ["gke-${var.cluster_name}"] to node_config so the firewall rule correctly targets the GKE nodes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- terraform/modules/cluster/gke/main.tf | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/terraform/modules/cluster/gke/main.tf b/terraform/modules/cluster/gke/main.tf index 6abfd54..9c11a3e 100644 --- a/terraform/modules/cluster/gke/main.tf +++ b/terraform/modules/cluster/gke/main.tf @@ -37,11 +37,14 @@ resource "google_container_node_pool" "primary" { node_count = var.node_count node_config { - machine_type = var.machine_type - disk_size_gb = var.disk_size_gb - spot = var.use_spot_vms + machine_type = var.machine_type + disk_size_gb = var.disk_size_gb + spot = var.use_spot_vms resource_labels = var.labels + # Network tags for firewall rules (e.g., LoadBalancer health checks) + tags = ["gke-${var.cluster_name}"] + oauth_scopes = [ "https://www.googleapis.com/auth/cloud-platform" ]
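Review bot: The new tag `gke-${var.cluster_name}` has to match `target_tags = ["gke-${local.cluster_name}"]` in terraform/main.tf, which is built from a root-module local rather than the value passed into this module; if local.cluster_name differs in any way from var.cluster_name here, the firewall rule silently selects no nodes. Consider passing the tag name in from the root module (or exposing it as a module output that main.tf consumes) so both sides share one value instead of two string templates. Changing node_config.tags on an existing pool may force node recreation depending on the provider version, which deserves a line in the commit message. The google_container_node_pool resource starts outside the hunk.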