You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
500 lines
16 KiB
500 lines
16 KiB
# Define IntServ group number
|
|
# TODO: change to use OS env vars etc.
|
|
variable "group_number" {
|
|
type = string
|
|
default = "19"
|
|
}
|
|
|
|
## OpenStack credentials can be used in a more secure way by using
|
|
## cloud.yaml from https://private-cloud.informatik.hs-fulda.de/project/api_access/clouds.yaml/
|
|
|
|
# Define OpenStack credentials, project config etc.
|
|
locals {
|
|
auth_url = "https://private-cloud.informatik.hs-fulda.de:5000/v3"
|
|
user_name = "IntServ${var.group_number}"
|
|
user_password = "<password of your group here, private-cloud is only reachable via vpn>"
|
|
tenant_name = "IntServ${var.group_number}"
|
|
#network_name = "IntServ${var.group_number}-net"
|
|
router_name = "IntServ${var.group_number}-router"
|
|
image_name = "Ubuntu 20.04 - Focal Fossa - 64-bit - Cloud Based Image"
|
|
flavor_name = "m1.medium"
|
|
region_name = "RegionOne"
|
|
rke_flavor_name = "m1.medium"
|
|
availability_zone = "nova"
|
|
domain_name = "Default"
|
|
# possibly set floating_ip_pool = "" to avoid assigning floating ips to
|
|
# every created node and use only load balancer as frontend, however needed
|
|
# for node port forwarding etc. using kube proxy
|
|
floating_ip_pool = "public1"
|
|
ssh_user = "ubuntu"
|
|
}
|
|
|
|
# Define OpenStack provider
|
|
terraform {
|
|
required_version = ">= 0.14.0"
|
|
required_providers {
|
|
openstack = {
|
|
source = "terraform-provider-openstack/openstack"
|
|
version = ">= 1.46.0"
|
|
}
|
|
rancher2 = {
|
|
source = "rancher/rancher2"
|
|
version = ">= 1.22.2"
|
|
}
|
|
}
|
|
}
|
|
|
|
# Configure the OpenStack Provider
|
|
provider "openstack" {
|
|
user_name = local.user_name
|
|
tenant_name = local.tenant_name
|
|
password = local.user_password
|
|
auth_url = local.auth_url
|
|
region = local.region_name
|
|
use_octavia = true
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create keypair
|
|
#
|
|
###########################################################################
|
|
|
|
# import keypair, if public_key is not specified, create new keypair to use
|
|
resource "openstack_compute_keypair_v2" "terraform-rancher-keypair" {
|
|
name = "my-terraform-rancher-pubkey"
|
|
# public_key = file("~/srieger_rsa.pub")
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create security group
|
|
#
|
|
###########################################################################
|
|
|
|
resource "openstack_networking_secgroup_v2" "terraform-rancher-secgroup" {
|
|
name = "my-terraform-rancher-secgroup"
|
|
description = "for terraform rancher instances"
|
|
}
|
|
|
|
# TODO: possibly cleanup unnecessary ports?
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-ssh" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 22
|
|
port_range_max = 22
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-http" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 80
|
|
port_range_max = 80
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-https" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 443
|
|
port_range_max = 443
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-2376" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 2376
|
|
port_range_max = 2376
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-2379" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 2379
|
|
port_range_max = 2379
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-2380" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 2380
|
|
port_range_max = 2380
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-6443" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 6443
|
|
port_range_max = 6443
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-9099" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 9099
|
|
port_range_max = 9099
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-10250" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 10250
|
|
port_range_max = 10250
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-10254" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 10254
|
|
port_range_max = 10254
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "terraform-secgroup-rule-8472" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "udp"
|
|
port_range_min = 8472
|
|
port_range_max = 8472
|
|
#remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.terraform-rancher-secgroup.id
|
|
}
|
|
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create network
|
|
#
|
|
###########################################################################
|
|
|
|
resource "openstack_networking_network_v2" "terraform-rancher-network-1" {
|
|
name = "my-terraform-rancher-network-1"
|
|
admin_state_up = "true"
|
|
}
|
|
|
|
resource "openstack_networking_subnet_v2" "terraform-rancher-subnet-1" {
|
|
name = "my-terraform-rancher-subnet-1"
|
|
network_id = openstack_networking_network_v2.terraform-rancher-network-1.id
|
|
cidr = "192.168.254.0/24"
|
|
dns_nameservers = [ "192.168.76.253" ]
|
|
ip_version = 4
|
|
}
|
|
|
|
data "openstack_networking_router_v2" "router-1" {
|
|
name = local.router_name
|
|
}
|
|
|
|
resource "openstack_networking_router_interface_v2" "router_interface_1" {
|
|
router_id = data.openstack_networking_router_v2.router-1.id
|
|
subnet_id = openstack_networking_subnet_v2.terraform-rancher-subnet-1.id
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create instances
|
|
#
|
|
###########################################################################
|
|
|
|
resource "openstack_compute_instance_v2" "terraform-rancher-instance-1" {
|
|
name = "my-terraform-rancher-instance-1"
|
|
image_name = local.image_name
|
|
flavor_name = local.flavor_name
|
|
key_pair = openstack_compute_keypair_v2.terraform-rancher-keypair.name
|
|
security_groups = [openstack_networking_secgroup_v2.terraform-rancher-secgroup.name]
|
|
|
|
network {
|
|
uuid = openstack_networking_network_v2.terraform-rancher-network-1.id
|
|
}
|
|
|
|
user_data = <<-EOF
|
|
#!/bin/bash
|
|
apt-get update
|
|
apt-get -y upgrade
|
|
curl https://releases.rancher.com/install-docker/20.10.sh | sh
|
|
sudo docker run --privileged -d --restart=unless-stopped -p 80:80 -p 443:443 --env CATTLE_BOOTSTRAP_PASSWORD=this-is-not-a-secure-bootstrap-pw rancher/rancher
|
|
#sudo docker ps
|
|
#sudo docker logs $(sudo docker ps | grep rancher | cut -d " " -f 1) 2>&1 | grep "Bootstrap Password:"
|
|
EOF
|
|
|
|
depends_on = [
|
|
openstack_networking_subnet_v2.terraform-rancher-subnet-1
|
|
]
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# assign floating ip to rancher instance
|
|
#
|
|
###########################################################################
|
|
resource "openstack_networking_floatingip_v2" "fip_1" {
|
|
pool = "public1"
|
|
}
|
|
|
|
resource "openstack_compute_floatingip_associate_v2" "fip_1" {
|
|
floating_ip = "${openstack_networking_floatingip_v2.fip_1.address}"
|
|
instance_id = "${openstack_compute_instance_v2.terraform-rancher-instance-1.id}"
|
|
}
|
|
|
|
output "floating_ip" {
|
|
value = openstack_networking_floatingip_v2.fip_1
|
|
}
|
|
|
|
###########################################################################
|
|
#
|
|
# bootstrap rancher
|
|
#
|
|
###########################################################################
|
|
|
|
# Provider bootstrap config
|
|
provider "rancher2" {
|
|
alias = "bootstrap"
|
|
|
|
api_url = "https://${openstack_networking_floatingip_v2.fip_1.address}"
|
|
bootstrap = true
|
|
insecure = true
|
|
# takes roughly ~7 minutes currently
|
|
timeout = "600s"
|
|
}
|
|
|
|
# Create a new rancher2_bootstrap for Rancher v2.6.0 and above
|
|
resource "rancher2_bootstrap" "admin" {
|
|
provider = rancher2.bootstrap
|
|
initial_password = "this-is-not-a-secure-bootstrap-pw"
|
|
password = "this-is-not-a-secure-admin-pw"
|
|
telemetry = true
|
|
token_update=true
|
|
}
|
|
|
|
# Rancher2 administration provider
|
|
provider "rancher2" {
|
|
alias = "admin"
|
|
|
|
api_url = "https://${openstack_networking_floatingip_v2.fip_1.address}"
|
|
insecure = true
|
|
# ca_certs = data.kubernetes_secret.rancher_cert.data["ca.crt"]
|
|
token_key = rancher2_bootstrap.admin.token
|
|
}
|
|
|
|
###########################################################################
|
|
#
|
|
# enable rancher node driver openstack
|
|
#
|
|
###########################################################################
|
|
|
|
#data "rancher2_node_driver" "OpenStack" {
|
|
# provider = rancher2.admin
|
|
# name = "openstack"
|
|
#}
|
|
|
|
# Create a new rancher2 Node Driver
|
|
# TODO: creates a new builtin driver, maybe better to change existing one
|
|
resource "rancher2_node_driver" "OpenStack" {
|
|
provider = rancher2.admin
|
|
name = "openstack"
|
|
active = true
|
|
builtin = true
|
|
url = "local://"
|
|
# external_id = data.rancher2_node_driver.OpenStack
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create rancher node template for hsfd openstack
|
|
#
|
|
###########################################################################
|
|
|
|
resource "rancher2_node_template" "hsfd-rancher-openstack" {
|
|
provider = rancher2.admin
|
|
name = "hsfd-rancher-openstack"
|
|
driver_id = rancher2_node_driver.OpenStack.id
|
|
openstack_config {
|
|
auth_url = local.auth_url
|
|
availability_zone = local.availability_zone
|
|
region = local.region_name
|
|
username = local.user_name
|
|
# TODO: (Optional/Sensitive) OpenStack password. Mandatory on Rancher v2.0.x and v2.1.x. Use rancher2_cloud_credential from Rancher v2.2.x (string)
|
|
password = local.user_password
|
|
active_timeout = "200"
|
|
domain_name = local.domain_name
|
|
boot_from_volume = false
|
|
flavor_name = local.rke_flavor_name
|
|
floating_ip_pool = local.floating_ip_pool
|
|
image_name = local.image_name
|
|
ip_version = "4"
|
|
keypair_name = openstack_compute_keypair_v2.terraform-rancher-keypair.name
|
|
net_id = openstack_networking_network_v2.terraform-rancher-network-1.id
|
|
sec_groups = openstack_networking_secgroup_v2.terraform-rancher-secgroup.name
|
|
ssh_user = local.ssh_user
|
|
private_key_file = openstack_compute_keypair_v2.terraform-rancher-keypair.private_key
|
|
tenant_name = local.tenant_name
|
|
}
|
|
# TODO: get latest recommended string possible?
|
|
engine_install_url = "https://releases.rancher.com/install-docker/20.10.sh"
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create rke template for hsfd openstack
|
|
#
|
|
###########################################################################
|
|
|
|
data "openstack_identity_project_v3" "my-project" {
|
|
name = local.tenant_name
|
|
}
|
|
|
|
data "openstack_networking_network_v2" "public1" {
|
|
name = local.floating_ip_pool
|
|
}
|
|
|
|
# Create a new rancher2 Cluster Template
|
|
resource "rancher2_cluster_template" "hsfd-rke-openstack" {
|
|
provider = rancher2.admin
|
|
name = "hsfd-rke-openstack"
|
|
template_revisions {
|
|
name = "V1"
|
|
cluster_config {
|
|
rke_config {
|
|
cloud_provider {
|
|
name = "openstack"
|
|
openstack_cloud_provider {
|
|
block_storage {
|
|
ignore_volume_az = true
|
|
trust_device_path = false
|
|
}
|
|
global {
|
|
auth_url = local.auth_url
|
|
domain_name = local.domain_name
|
|
tenant_id = data.openstack_identity_project_v3.my-project.id
|
|
username = local.user_name
|
|
password = local.user_password
|
|
}
|
|
load_balancer {
|
|
create_monitor = false
|
|
floating_network_id = data.openstack_networking_network_v2.public1.id
|
|
lb_version = "v2"
|
|
manage_security_groups = true
|
|
monitor_max_retries = 0
|
|
subnet_id = openstack_networking_subnet_v2.terraform-rancher-subnet-1.id
|
|
use_octavia = true
|
|
}
|
|
metadata {
|
|
request_timeout = 0
|
|
}
|
|
route {
|
|
router_id = data.openstack_networking_router_v2.router-1.id
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
default = true
|
|
}
|
|
description = "Terraform RKE template for HSFD OpenStack"
|
|
}
|
|
|
|
|
|
|
|
###########################################################################
|
|
#
|
|
# create rke demo cluster
|
|
#
|
|
###########################################################################
|
|
|
|
resource "rancher2_cluster" "hsfd-rke-demo" {
|
|
provider = rancher2.admin
|
|
name = "hsfd-rke-demo"
|
|
cluster_template_id = rancher2_cluster_template.hsfd-rke-openstack.id
|
|
cluster_template_revision_id = rancher2_cluster_template.hsfd-rke-openstack.template_revisions.0.id
|
|
|
|
# if instance is gone before deleting the cluster, we'll not be able to
|
|
# reach rke anymore
|
|
depends_on = [
|
|
openstack_compute_instance_v2.terraform-rancher-instance-1,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-ssh,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-http,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-https,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2376,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2379,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2380,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-6443,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-9099,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10250,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10254,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-8472,
|
|
openstack_compute_floatingip_associate_v2.fip_1
|
|
]
|
|
}
|
|
|
|
# Create a new rancher2 Node Pool
|
|
resource "rancher2_node_pool" "pool1" {
|
|
provider = rancher2.admin
|
|
cluster_id = rancher2_cluster.hsfd-rke-demo.id
|
|
name = "ctrl-etcd-work"
|
|
hostname_prefix = "ctrl-etcd-work"
|
|
node_template_id = rancher2_node_template.hsfd-rancher-openstack.id
|
|
quantity = 1
|
|
control_plane = true
|
|
etcd = true
|
|
worker = true
|
|
|
|
# if instance is gone before deleting the cluster, we'll not be able to
|
|
# reach rke anymore
|
|
depends_on = [
|
|
openstack_compute_instance_v2.terraform-rancher-instance-1,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-ssh,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-http,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-https,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2376,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2379,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-2380,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-6443,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-9099,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10250,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-10254,
|
|
openstack_networking_secgroup_rule_v2.terraform-secgroup-rule-8472,
|
|
openstack_compute_floatingip_associate_v2.fip_1
|
|
]
|
|
}
|