  1. # Define IntServ group number
  2. # TODO: change to use OS env vars etc.
  3. variable "group_number" {
  4. type = string
  5. default = "19"
  6. }
  7. ## OpenStack credentials can be used in a more secure way by using
  8. ## cloud.yaml from https://private-cloud.informatik.hs-fulda.de/project/api_access/clouds.yaml/
  9. # Define OpenStack credentials, project config etc.
  10. locals {
  11. auth_url = "https://private-cloud.informatik.hs-fulda.de:5000/v3"
  12. user_name = "IntServ${var.group_number}"
  13. user_password = "<password of your group here, private-cloud is only reachable via vpn>"
  14. tenant_name = "IntServ${var.group_number}"
  15. #network_name = "IntServ${var.group_number}-net"
  16. router_name = "IntServ${var.group_number}-router"
  17. image_name = "Ubuntu 20.04 - Focal Fossa - 64-bit - Cloud Based Image"
  18. flavor_name = "m1.medium"
  19. region_name = "RegionOne"
  20. rke_flavor_name = "m1.medium"
  21. availability_zone = "nova"
  22. domain_name = "Default"
  23. # possibly set floating_ip_pool = "" to avoid assigning floating ips to
  24. # every created node and use only load balancer as frontend, however needed
  25. # for node port forwarding etc. using kube proxy
  26. floating_ip_pool = "public1"
  27. ssh_user = "ubuntu"
  28. }
  29. # Define OpenStack provider
  30. terraform {
  31. required_version = ">= 0.14.0"
  32. required_providers {
  33. openstack = {
  34. source = "terraform-provider-openstack/openstack"
  35. version = ">= 1.46.0"
  36. }
  37. rancher2 = {
  38. source = "rancher/rancher2"
  39. version = ">= 1.22.2"
  40. }
  41. }
  42. }
  43. # Configure the OpenStack Provider
  44. provider "openstack" {
  45. user_name = local.user_name
  46. tenant_name = local.tenant_name
  47. password = local.user_password
  48. auth_url = local.auth_url
  49. region = local.region_name
  50. use_octavia = true
  51. }
  52. ###########################################################################
  53. #
  54. # create keypair
  55. #
  56. ###########################################################################
  57. # import keypair, if public_key is not specified, create new keypair to use
  58. resource "openstack_compute_keypair_v2" "terraform-rancher-keypair" {
  59. name = "my-terraform-rancher-pubkey"
  60. # public_key = file("~/srieger_rsa.pub")
  61. }
  62. ###########################################################################
  63. #
  64. # create security group
  65. #
  66. ###########################################################################
  67. resource "openstack_networking_secgroup_v2" "terraform-rancher-secgroup" {
  68. name = "my-terraform-rancher-secgroup"
  69. description = "for terraform rancher instances"
  70. }
# TODO: review whether every port below is needed. Note that a rule with neither
# remote_ip_prefix nor remote_group_id is applied by Neutron to ANY source address.
  72. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-ssh" {
  73. direction = "ingress"
  74. ethertype = "IPv4"
  75. protocol = "tcp"
  76. port_range_min = 22
  77. port_range_max = 22
  78. #remote_ip_prefix = "0.0.0.0/0"
  79. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  80. }
  81. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-http" {
  82. direction = "ingress"
  83. ethertype = "IPv4"
  84. protocol = "tcp"
  85. port_range_min = 80
  86. port_range_max = 80
  87. #remote_ip_prefix = "0.0.0.0/0"
  88. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  89. }
  90. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-https" {
  91. direction = "ingress"
  92. ethertype = "IPv4"
  93. protocol = "tcp"
  94. port_range_min = 443
  95. port_range_max = 443
  96. #remote_ip_prefix = "0.0.0.0/0"
  97. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  98. }
  99. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-2376" {
  100. direction = "ingress"
  101. ethertype = "IPv4"
  102. protocol = "tcp"
  103. port_range_min = 2376
  104. port_range_max = 2376
  105. #remote_ip_prefix = "0.0.0.0/0"
  106. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  107. }
  108. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-2379" {
  109. direction = "ingress"
  110. ethertype = "IPv4"
  111. protocol = "tcp"
  112. port_range_min = 2379
  113. port_range_max = 2379
  114. #remote_ip_prefix = "0.0.0.0/0"
  115. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  116. }
  117. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-2380" {
  118. direction = "ingress"
  119. ethertype = "IPv4"
  120. protocol = "tcp"
  121. port_range_min = 2380
  122. port_range_max = 2380
  123. #remote_ip_prefix = "0.0.0.0/0"
  124. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  125. }
  126. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-6443" {
  127. direction = "ingress"
  128. ethertype = "IPv4"
  129. protocol = "tcp"
  130. port_range_min = 6443
  131. port_range_max = 6443
  132. #remote_ip_prefix = "0.0.0.0/0"
  133. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  134. }
  135. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-9099" {
  136. direction = "ingress"
  137. ethertype = "IPv4"
  138. protocol = "tcp"
  139. port_range_min = 9099
  140. port_range_max = 9099
  141. #remote_ip_prefix = "0.0.0.0/0"
  142. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  143. }
  144. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-10250" {
  145. direction = "ingress"
  146. ethertype = "IPv4"
  147. protocol = "tcp"
  148. port_range_min = 10250
  149. port_range_max = 10250
  150. #remote_ip_prefix = "0.0.0.0/0"
  151. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  152. }
  153. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-10254" {
  154. direction = "ingress"
  155. ethertype = "IPv4"
  156. protocol = "tcp"
  157. port_range_min = 10254
  158. port_range_max = 10254
  159. #remote_ip_prefix = "0.0.0.0/0"
  160. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  161. }
  162. resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-8472" {
  163. direction = "ingress"
  164. ethertype = "IPv4"
  165. protocol = "udp"
  166. port_range_min = 8472
  167. port_range_max = 8472
  168. #remote_ip_prefix = "0.0.0.0/0"
  169. security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
  170. }
  171. ###########################################################################
  172. #
  173. # create network
  174. #
  175. ###########################################################################
  176. resource "openstack_networking_network_v2" "terraform-rancher-network-1" {
  177. name = "my-terraform-rancher-network-1"
  178. admin_state_up = "true"
  179. }
  180. resource "openstack_networking_subnet_v2" "terraform-rancher-subnet-1" {
  181. name = "my-terraform-rancher-subnet-1"
  182. network_id = openstack_networking_network_v2.terraform-rancher-network-1.id
  183. cidr = "192.168.254.0/24"
  184. dns_nameservers = [ "192.168.76.253" ]
  185. ip_version = 4
  186. }
  187. data "openstack_networking_router_v2" "router-1" {
  188. name = local.router_name
  189. }
  190. resource "openstack_networking_router_interface_v2" "router_interface_1" {
  191. router_id = data.openstack_networking_router_v2.router-1.id
  192. subnet_id = openstack_networking_subnet_v2.terraform-rancher-subnet-1.id
  193. }
  194. ###########################################################################
  195. #
  196. # create instances
  197. #
  198. ###########################################################################
  199. resource "openstack_compute_instance_v2" "terraform-rancher-instance-1" {
  200. name = "my-terraform-rancher-instance-1"
  201. image_name = local.image_name
  202. flavor_name = local.flavor_name
  203. key_pair = openstack_compute_keypair_v2.terraform-rancher-keypair.name
  204. security_groups = [openstack_networking_secgroup_v2.terraform-rancher-secgroup.name]
  205. network {
  206. uuid = openstack_networking_network_v2.terraform-rancher-network-1.id
  207. }
  208. user_data = <<-EOF
  209. #!/bin/bash
  210. apt-get update
  211. apt-get -y upgrade
  212. curl https://releases.rancher.com/install-docker/20.10.sh | sh
  213. sudo docker run --privileged -d --restart=unless-stopped -p 80:80 -p 443:443 --env CATTLE_BOOTSTRAP_PASSWORD=this-is-not-a-secure-bootstrap-pw rancher/rancher
  214. #sudo docker ps
  215. #sudo docker logs $(sudo docker ps | grep rancher | cut -d " " -f 1) 2>&1 | grep "Bootstrap Password:"
  216. EOF
  217. depends_on = [
  218. openstack_networking_subnet_v2.terraform-rancher-subnet-1
  219. ]
  220. }
  221. ###########################################################################
  222. #
  223. # assign floating ip to rancher instance
  224. #
  225. ###########################################################################
  226. resource "openstack_networking_floatingip_v2" "fip_1" {
  227. pool = "public1"
  228. }
  229. resource "openstack_compute_floatingip_associate_v2" "fip_1" {
  230. floating_ip = "${openstack_networking_floatingip_v2.fip_1.address}"
  231. instance_id = "${openstack_compute_instance_v2.terraform-rancher-instance-1.id}"
  232. }
  233. output "floating_ip" {
  234. value = openstack_networking_floatingip_v2.fip_1
  235. }
  236. ###########################################################################
  237. #
  238. # bootstrap rancher
  239. #
  240. ###########################################################################
  241. # Provider bootstrap config
  242. provider "rancher2" {
  243. alias = "bootstrap"
  244. api_url = "https://${openstack_networking_floatingip_v2.fip_1.address}"
  245. bootstrap = true
  246. insecure = true
  247. # takes roughly ~7 minutes currently
  248. timeout = "600s"
  249. }
  250. # Create a new rancher2_bootstrap for Rancher v2.6.0 and above
  251. resource "rancher2_bootstrap" "admin" {
  252. provider = rancher2.bootstrap
  253. initial_password = "this-is-not-a-secure-bootstrap-pw"
  254. password = "this-is-not-a-secure-admin-pw"
  255. telemetry = true
  256. token_update=true
  257. }
  258. # Rancher2 administration provider
  259. provider "rancher2" {
  260. alias = "admin"
  261. api_url = "https://${openstack_networking_floatingip_v2.fip_1.address}"
  262. insecure = true
  263. # ca_certs = data.kubernetes_secret.rancher_cert.data["ca.crt"]
  264. token_key = rancher2_bootstrap.admin.token
  265. }
  266. ###########################################################################
  267. #
  268. # enable rancher node driver openstack
  269. #
  270. ###########################################################################
  271. #data "rancher2_node_driver" "OpenStack" {
  272. # provider = rancher2.admin
  273. # name = "openstack"
  274. #}
  275. # Create a new rancher2 Node Driver
  276. # TODO: creates a new builtin driver, maybe better to change existing one
  277. resource "rancher2_node_driver" "OpenStack" {
  278. provider = rancher2.admin
  279. name = "openstack"
  280. active = true
  281. builtin = true
  282. url = "local://"
  283. # external_id = data.rancher2_node_driver.OpenStack
  284. }
  285. ###########################################################################
  286. #
  287. # create rancher node template for hsfd openstack
  288. #
  289. ###########################################################################
  290. resource "rancher2_node_template" "hsfd-rancher-openstack" {
  291. provider = rancher2.admin
  292. name = "hsfd-rancher-openstack"
  293. driver_id = rancher2_node_driver.OpenStack.id
  294. openstack_config {
  295. auth_url = local.auth_url
  296. availability_zone = local.availability_zone
  297. region = local.region_name
  298. username = local.user_name
  299. # TODO: (Optional/Sensitive) OpenStack password. Mandatory on Rancher v2.0.x and v2.1.x. Use rancher2_cloud_credential from Rancher v2.2.x (string)
  300. password = local.user_password
  301. active_timeout = "200"
  302. domain_name = local.domain_name
  303. boot_from_volume = false
  304. flavor_name = local.rke_flavor_name
  305. floating_ip_pool = local.floating_ip_pool
  306. image_name = local.image_name
  307. ip_version = "4"
  308. keypair_name = openstack_compute_keypair_v2.terraform-rancher-keypair.name
  309. net_id = openstack_networking_network_v2.terraform-rancher-network-1.id
  310. sec_groups = openstack_networking_secgroup_v2.terraform-rancher-secgroup.name
  311. ssh_user = local.ssh_user
  312. private_key_file = openstack_compute_keypair_v2.terraform-rancher-keypair.private_key
  313. tenant_name = local.tenant_name
  314. }
  315. # TODO: get latest recommended string possible?
  316. engine_install_url = "https://releases.rancher.com/install-docker/20.10.sh"
  317. }
  318. ###########################################################################
  319. #
  320. # create rke template for hsfd openstack
  321. #
  322. ###########################################################################
  323. data "openstack_identity_project_v3" "my-project" {
  324. name = local.tenant_name
  325. }
  326. data "openstack_networking_network_v2" "public1" {
  327. name = local.floating_ip_pool
  328. }
  329. # Create a new rancher2 Cluster Template
  330. resource "rancher2_cluster_template" "hsfd-rke-openstack" {
  331. provider = rancher2.admin
  332. name = "hsfd-rke-openstack"
  333. template_revisions {
  334. name = "V1"
  335. cluster_config {
  336. rke_config {
  337. cloud_provider {
  338. name = "openstack"
  339. openstack_cloud_provider {
  340. block_storage {
  341. ignore_volume_az = true
  342. trust_device_path = false
  343. }
  344. global {
  345. auth_url = local.auth_url
  346. domain_name = local.domain_name
  347. tenant_id = data.openstack_identity_project_v3.my-project.id
  348. username = local.user_name
  349. password = local.user_password
  350. }
  351. load_balancer {
  352. create_monitor = false
  353. floating_network_id = data.openstack_networking_network_v2.public1.id
  354. lb_version = "v2"
  355. manage_security_groups = true
  356. monitor_max_retries = 0
  357. subnet_id = openstack_networking_subnet_v2.terraform-rancher-subnet-1.id
  358. use_octavia = true
  359. }
  360. metadata {
  361. request_timeout = 0
  362. }
  363. route {
  364. router_id = data.openstack_networking_router_v2.router-1.id
  365. }
  366. }
  367. }
  368. }
  369. }
  370. default = true
  371. }
  372. description = "Terraform RKE template for HSFD OpenStack"
  373. }
  374. ###########################################################################
  375. #
  376. # create rke demo cluster
  377. #
  378. ###########################################################################
  379. resource "rancher2_cluster" "hsfd-rke-demo" {
  380. provider = rancher2.admin
  381. name = "hsfd-rke-demo"
  382. cluster_template_id = rancher2_cluster_template.hsfd-rke-openstack.id
  383. cluster_template_revision_id = rancher2_cluster_template.hsfd-rke-openstack.template_revisions.0.id
  384. # if instance is gone before deleting the cluster, we'll not be able to
  385. # reach rke anymore
  386. depends_on = [
  387. openstack_compute_instance_v2.terraform-rancher-instance-1,
  388. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-ssh,
  389. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-http,
  390. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-https,
  391. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2376,
  392. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2379,
  393. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2380,
  394. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-6443,
  395. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-9099,
  396. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10250,
  397. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10254,
  398. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-8472,
  399. openstack_compute_floatingip_associate_v2.fip_1
  400. ]
  401. }
  402. # Create a new rancher2 Node Pool
  403. resource "rancher2_node_pool" "pool1" {
  404. provider = rancher2.admin
  405. cluster_id = rancher2_cluster.hsfd-rke-demo.id
  406. name = "ctrl-etcd-work"
  407. hostname_prefix = "ctrl-etcd-work"
  408. node_template_id = rancher2_node_template.hsfd-rancher-openstack.id
  409. quantity = 1
  410. control_plane = true
  411. etcd = true
  412. worker = true
  413. # if instance is gone before deleting the cluster, we'll not be able to
  414. # reach rke anymore
  415. depends_on = [
  416. openstack_compute_instance_v2.terraform-rancher-instance-1,
  417. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-ssh,
  418. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-http,
  419. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-https,
  420. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2376,
  421. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2379,
  422. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2380,
  423. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-6443,
  424. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-9099,
  425. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10250,
  426. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10254,
  427. openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-8472,
  428. openstack_compute_floatingip_associate_v2.fip_1
  429. ]
  430. }