diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index 48514a1..168c0a2 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -18,3 +18,27 @@ rut::infra_ca_rp: sunet::microk8s::node: channel: 1.28/stable +'^internal-sto4-test-monitor-[0-9].rut.sunet.se$': + sunet::dockerhost2: + sunet::naemon_monitor: + domain: monitor-test.rut.sunet.se + naemon_tag: latest + thruk_tag: latest + histou_tag: latest + nagflux_tag: latest + knot_tag: latest + resolvers: + - 89.46.20.75 + - 89.46.21.29 + - 89.32.32.32 + thruk_admins: + - jocar@sunet.se + - kano@sunet.se + - masv@sunet.se + - pettai@sunet.se + - mifr@sunet.se + thruk_users: + - '*@sunet.se' + nrpe_group: sunet::nagios::nrpe + modern_scriptherder: true + diff --git a/kubernetes.tf b/kubernetes.tf new file mode 100644 index 0000000..b4ee928 --- /dev/null +++ b/kubernetes.tf 
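Review bot: The new host key `'^internal-sto4-test-monitor-[0-9].rut.sunet.se$'` is a regex whose dots are unescaped and whose `[0-9]` admits a single digit only, so it matches any character where the dots are and stops matching at `monitor-10`; `'^internal-sto4-test-monitor-[0-9]+\.rut\.sunet\.se$'` says what is presumably meant. Separately, `thruk_users` is the wildcard `'*@sunet.se'`, which, if the module passes it through to Thruk's user list as the name suggests, admits every sunet.se identity to the monitoring UI rather than only the five `thruk_admins`; worth confirming that is intended, since the main.tf hunk makes the monitor reachable on 80/443 from any address.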
@@ -0,0 +1,245 @@
+
+
+resource "openstack_compute_servergroup_v2" "workers" {
+ name = "workers"
+ policies = ["anti-affinity"]
+}
+resource "openstack_compute_servergroup_v2" "controllers" {
+ name = "controllers"
+ policies = ["anti-affinity"]
+}
+
+resource "openstack_networking_secgroup_v2" "microk8s" {
+ name = "microk8s"
+ description = "Traffic to allow between microk8s hosts"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes" {
+ count = var.controller_instance_count
+ name = "${var.controller_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.controller_instance_type}"
+ key_pair = "mifr-yubi"
+ security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+ network {
+ name = "public"
+ }
+}
+resource "openstack_compute_instance_v2" "worker-nodes" {
+ count = var.worker_instance_count
+ name = "${var.worker_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.worker_instance_type}"
+ key_pair = "mifr-yubi"
+ security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.workers.id
+ }
+ network {
+ name = "public"
+ }
+}
diff --git a/main.tf b/main.tf
index f815c33..e5a0dd8 100644
--- a/main.tf
+++ b/main.tf
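Review bot: `microk8s_rule1` and `microk8s_rule2` open the API port 16443 to `0.0.0.0/0` and `::/0`, and both `controller-nodes` and `worker-nodes` attach `"Allow ssh from the world"` next to `"Allow SSH from SUNET jumphosts"`, so neither the API nor SSH is in practice limited to the jumphosts. The group-scoped `microk8s_rule19`/`microk8s_rule20` for the same port are redundant as long as rule1/rule2 exist. If access from changing locations is really needed, keep the permitted prefixes in a variable (e.g. `remote_ip_prefix = var.<api-allowed-prefix, to be added to vars.tf>`) so the exposure stays reviewable; otherwise drop rule1/rule2 and the world-SSH group. `key_pair = "mifr-yubi"` on both instances ties bootstrap access to one person's key; a variable would at least make that explicit.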
@@ -13,247 +13,66 @@ required_version = ">= 0.14.0" provider "openstack" { cloud = "sto4-rut" } -resource "openstack_compute_servergroup_v2" "workers" { - name = "workers" - policies = ["anti-affinity"] -} -resource "openstack_compute_servergroup_v2" "controllers" { - name = "controllers" - policies = ["anti-affinity"] -} - - -resource "openstack_networking_secgroup_v2" "microk8s" { +resource "openstack_networking_secgroup_v2" "https" { name = "microk8s" description = "Traffic to allow between microk8s hosts" } - -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" { - #We never know where Richard is, so allow from all of the known internet +resource "openstack_networking_secgroup_rule_v2" "https_rule1" { direction = "ingress" ethertype = "IPv4" protocol = "tcp" - port_range_min = 16443 - port_range_max = 16443 + port_range_min = 443 + port_range_max = 443 remote_ip_prefix = "0.0.0.0/0" - security_group_id = openstack_networking_secgroup_v2.microk8s.id + security_group_id = openstack_networking_secgroup_v2.https.id } -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" { - #We never know where Richard is, so allow from all of the known internet +resource "openstack_networking_secgroup_rule_v2" "https_rule2" { direction = "ingress" ethertype = "IPv6" protocol = "tcp" - port_range_min = 16443 - port_range_max = 16443 + port_range_min = 443 + port_range_max = 443 remote_ip_prefix = "::/0" - security_group_id = openstack_networking_secgroup_v2.microk8s.id + security_group_id = openstack_networking_secgroup_v2.https.id } -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" { +resource "openstack_networking_secgroup_rule_v2" "https_rule3" { direction = "ingress" ethertype = "IPv4" protocol = "tcp" - port_range_min = 10250 - port_range_max = 10250 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id + port_range_min = 80 + port_range_max = 80 + 
remote_ip_prefix = "0.0.0.0/0" + security_group_id = openstack_networking_secgroup_v2.https.id } -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" { +resource "openstack_networking_secgroup_rule_v2" "https_rule4" { direction = "ingress" ethertype = "IPv6" protocol = "tcp" - port_range_min = 10250 - port_range_max = 10250 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id + port_range_min = 80 + port_range_max = 80 + remote_ip_prefix = "::/0" + security_group_id = openstack_networking_secgroup_v2.https.id } - -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 10255 - port_range_max = 10255 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 10255 - port_range_max = 10255 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 25000 - port_range_max = 25000 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 25000 - port_range_max = 25000 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" { - direction = "ingress" - ethertype = "IPv4" - 
protocol = "tcp" - port_range_min = 12379 - port_range_max = 12379 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 12379 - port_range_max = 12379 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 10257 - port_range_max = 10257 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 10257 - port_range_max = 10257 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 10259 - port_range_max = 10259 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 10259 - port_range_max = 10259 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 19001 - port_range_max = 19001 - remote_group_id 
= openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 19001 - port_range_max = 19001 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" { - direction = "ingress" - ethertype = "IPv4" - protocol = "udp" - port_range_min = 4789 - port_range_max = 4789 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" { - direction = "ingress" - ethertype = "IPv6" - protocol = "udp" - port_range_min = 4789 - port_range_max = 4789 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 16443 - port_range_max = 16443 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} -resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" { - direction = "ingress" - ethertype = "IPv6" - protocol = "tcp" - port_range_min = 16443 - port_range_max = 16443 - remote_group_id = openstack_networking_secgroup_v2.microk8s.id - security_group_id = openstack_networking_secgroup_v2.microk8s.id -} - -resource "openstack_compute_instance_v2" "controller-nodes" { - count = var.controller_instance_count - name = "${var.controller_name}-${count.index}.${var.dns_suffix}" - flavor_name = "${var.controller_instance_type}" +resource "openstack_compute_instance_v2" "monitor-node" { + name = 
"monitor-1.${var.dns_suffix}" + flavor_name = "${var.monitor_instance_type}" key_pair = "mifr-yubi" - security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"] + security_groups = ["https", "Allow SSH from SUNET jumphosts",] block_device { - uuid = "5d24aca9-11be-4de1-9770-4a097d68f361" + uuid = "5d24aca9-11be-4de1-9770-4a097d68f361" #debian 12 source_type = "image" - volume_size = 20 + volume_size = 200 boot_index = 0 destination_type = "volume" - delete_on_termination = true - } - scheduler_hints { - group = openstack_compute_servergroup_v2.controllers.id + delete_on_termination = false } network { name = "public" } -} -resource "openstack_compute_instance_v2" "worker-nodes" { - count = var.worker_instance_count - name = "${var.worker_name}-${count.index}.${var.dns_suffix}" - flavor_name = "${var.worker_instance_type}" - key_pair = "mifr-yubi" - security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"] - - block_device { - uuid = "5d24aca9-11be-4de1-9770-4a097d68f361" - source_type = "image" - volume_size = 20 - boot_index = 0 - destination_type = "volume" - delete_on_termination = true + scheduler_hints { + #We want this server on another host than the controllers. We don't want to loose a controller and the monitoring at the same time. + group = openstack_compute_servergroup_v2.controllers.id } - scheduler_hints { - group = openstack_compute_servergroup_v2.workers.id - } - network { - name = "public" - } -} +} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..114d070 --- /dev/null +++ b/outputs.tf @@ -0,0 +1,6 @@ +output "monitor_ip4_addr" { + value = openstack_compute_instance_v2.monitor-node.access_ip_v4 +} +output "monitor_ip6_addr" { + value = openstack_compute_instance_v2.monitor-node.access_ip_v6 +} \ No newline at end of file diff --git a/vars.tf b/vars.tf index b484701..079642d 100644 --- a/vars.tf +++ b/vars.tf 
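Review bot: The renamed `openstack_networking_secgroup_v2.https` keeps the context lines `name = "microk8s"` and `description = "Traffic to allow between microk8s hosts"`, so the group OpenStack creates is still called `microk8s`, the same name as the group now defined in kubernetes.tf, while `monitor-node` here (and `controller-nodes` in kubernetes.tf) reference `"https"` by name, which no group carries; set `name = "https"` and `description = "HTTP/HTTPS to the monitor host"`. With `https_rule1`–`https_rule4` the monitor's ports 80 and 443 are open from any address, which is plausible for a public UI but means Thruk's login is internet-facing and access control rests entirely on the `thruk_users`/`thruk_admins` settings in cosmos-rules.yaml. The comment in the new `scheduler_hints` block reads "loose a controller"; "lose" is meant.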
@@ -8,6 +8,9 @@ variable "controller_instance_count" { variable "controller_instance_type" { default = "b2.c2r4" } +variable "monitor_instance_type" { + default = "b2.c2r4" +} variable "worker_instance_type" { default = "b2.c4r16" }