diff --git a/kubernetes.tf b/kubernetes.tf
new file mode 100644
index 0000000..318a418
--- /dev/null
+++ b/kubernetes.tf
@@ -0,0 +1,245 @@
+
+
+resource "openstack_compute_servergroup_v2" "workers" {
+ name = "workers"
+ policies = ["anti-affinity"]
+}
+resource "openstack_compute_servergroup_v2" "controllers" {
+ name = "controllers"
+ policies = ["anti-affinity"]
+}
+
+resource "openstack_networking_secgroup_v2" "microk8s" {
+ name = "microk8s"
+ description = "Traffic to allow between microk8s hosts"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes" {
+ count = var.controller_instance_count
+ name = "${var.controller_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.controller_instance_type}"
+ key_pair = "thorslund"
+ security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts"]
+
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+ network {
+ name = "public"
+ }
+}
+resource "openstack_compute_instance_v2" "worker-nodes" {
+ count = var.worker_instance_count
+ name = "${var.worker_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.worker_instance_type}"
+ key_pair = "thorslund"
+ security_groups = ["microk8s", "Allow SSH from SUNET jumphosts"]
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.workers.id
+ }
+ network {
+ name = "public"
+ }
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..209710e
--- /dev/null
+++ b/main.tf
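Review bot: microk8s_rule1 and microk8s_rule2 allow TCP 16443 from 0.0.0.0/0 and ::/0, so the cluster API endpoint is reachable from any address on the internet, while microk8s_rule19/rule20 already cover the intra-group 16443 traffic, leaving the two world-open rules purely for remote administration. main.tf already restricts SSH to specific jumphost /32 and /128 prefixes; the same pattern fits here, e.g. replacing `remote_ip_prefix = "0.0.0.0/0"` with a prefix from a new variable declared in vars.tf (one for IPv4, one for IPv6), or dropping the two rules and reaching the API through the jumphosts. Separately, controller-nodes and worker-nodes attach security groups by literal name (`security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts"]`) without referencing the secgroup resources, so Terraform has no dependency edge and a fresh apply can attempt to create the instances before the groups exist; `openstack_networking_secgroup_v2.microk8s.name` and the equivalents for the other groups give that dependency for free, and the same applies to monitor-node and satosa-node in main.tf. The hard-coded `key_pair = "thorslund"` and the uncommented image uuid `5d24aca9-11be-4de1-9770-4a097d68f361` would be clearer as a variable and with the `#debian 12` comment that main.tf already uses on the same uuid.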
@@ -0,0 +1,141 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.53.0"
+ }
+ }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+ cloud = "sto4-rut"
+}
+resource "openstack_networking_secgroup_v2" "https" {
+ name = "https"
+ description = "Traffic to allow between microk8s hosts"
+}
+resource "openstack_networking_secgroup_rule_v2" "https_rule1" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.https.id
+}
+resource "openstack_networking_secgroup_rule_v2" "https_rule2" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.https.id
+}
+resource "openstack_networking_secgroup_rule_v2" "https_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.https.id
+}
+resource "openstack_networking_secgroup_rule_v2" "https_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.https.id
+}
+resource "openstack_networking_secgroup_v2" "jumphosts" {
+ name = "Allow SSH from SUNET jumphosts"
+ description = "Traffic to allow ssh access from jumphosts"
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule1" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "130.242.125.68/32"
+ security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule2" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "130.242.121.73/32"
+ security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule3" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "2001:6b0:8:4::68/128"
+ security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "2001:6b0:7:6::73/128"
+ security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_compute_instance_v2" "monitor-node" {
+ name = "internal-sto4-prod-monitor-1.${var.dns_suffix}"
+ flavor_name = "${var.monitor_instance_type}"
+ key_pair = "thorslund"
+ security_groups = ["https", "Allow SSH from SUNET jumphosts",]
+
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361" #debian 12
+ source_type = "image"
+ volume_size = 200
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = false
+ }
+ network {
+ name = "public"
+ }
+ scheduler_hints {
+ #We want this server on another host than the controllers. We don't want to loose a controller and the monitoring at the same time.
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+}
+resource "openstack_compute_instance_v2" "satosa-node" {
+ name = "internal-sto4-prod-satosa-1.${var.dns_suffix}"
+ flavor_name = "${var.monitor_instance_type}"
+ key_pair = "thorslund"
+ security_groups = ["https", "Allow SSH from SUNET jumphosts",]
+
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361" #debian 12
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = false
+ }
+ network {
+ name = "public"
+ }
+ scheduler_hints {
+ #We want this server on another host than the controllers. We don't want to loose a controller and the monitoring at the same time.
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..114d070
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,6 @@
+output "monitor_ip4_addr" {
+ value = openstack_compute_instance_v2.monitor-node.access_ip_v4
+}
+output "monitor_ip6_addr" {
+ value = openstack_compute_instance_v2.monitor-node.access_ip_v6
+}
\ No newline at end of file
diff --git a/vars.tf b/vars.tf
new file mode 100644
index 0000000..e493aa0
--- /dev/null
+++ b/vars.tf
@@ -0,0 +1,25 @@
+variable "worker_instance_count" {
+ default = "6"
+}
+variable "controller_instance_count" {
+ default = "3"
+}
+
+variable "controller_instance_type" {
+ default = "b2.c2r4"
+}
+variable "monitor_instance_type" {
+ default = "b2.c2r4"
+}
+variable "worker_instance_type" {
+ default = "b2.c4r16"
+}
+variable "worker_name" {
+ default = "internal-sto4-prod-k8sw"
+}
+variable "controller_name" {
+ default = "internal-sto4-prod-k8sc"
+}
+variable "dns_suffix" {
+ default = "rut.sunet.se"
+}
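Review bot: The `https` security group's description reads `Traffic to allow between microk8s hosts`, copied from the microk8s group in kubernetes.tf, while its four rules actually open TCP 80 and 443 from 0.0.0.0/0 and ::/0; `description = "Allow HTTP and HTTPS from anywhere"` would describe what the group does and make the world-open exposure explicit to anyone auditing it. The scheduler_hints comment on both monitor-node and satosa-node says `We don't want to loose a controller and the monitoring at the same time`; on satosa-node it still talks about monitoring and should name satosa, and "loose" should be "lose". Adding both nodes to the `controllers` server group does enforce anti-affinity against the controllers, but a hard anti-affinity group holding the controllers plus these two instances needs at least that many distinct hypervisors, which may fail scheduling on a small cloud — worth a comment stating the assumption, or a separate group for the two non-controller nodes if that is acceptable.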
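Review bot: `worker_instance_count` and `controller_instance_count` default to the strings `"6"` and `"3"` but are consumed by `count` in kubernetes.tf; Terraform coerces them, but declaring `type = number` with `default = 6` (and `default = 3`) states the intent and rejects non-numeric input at plan time instead of at apply time. None of the variables carry a `type` or `description`; a one-line `description` on each would make `terraform plan` prompts and generated docs self-explanatory, and a variable for the SSH key pair name would remove the `key_pair = "thorslund"` literal repeated in kubernetes.tf and main.tf.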