From 964ddc523bd81e2170c537de3875cc9cc782c18b Mon Sep 17 00:00:00 2001
From: Mikael Frykholm
Date: Fri, 27 Sep 2024 11:21:29 +0200
Subject: [PATCH] add more people from RUT.

---
 global/overlay/etc/puppet/cosmos-rules.yaml | 3 +
 pgcluster.tf | 217 ++++++++++++++++++++
 2 files changed, 220 insertions(+)
 create mode 100644 pgcluster.tf

diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 9f92932..1129877 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -43,6 +43,9 @@
 - jocar@sunet.se
 - mifr@sunet.se
 - thorslund@sunet.se
+ - jofl@vr.se
+ - guce@vr.se
+ - joma@vr.se
 thruk_users:
 - riwe@vr.se
 - mifr@vr.se
diff --git a/pgcluster.tf b/pgcluster.tf
new file mode 100644
index 0000000..c562810
--- /dev/null
+++ b/pgcluster.tf
@@ -0,0 +1,217 @@
+resource "openstack_compute_servergroup_v2" "controllers" {
+ name = "controllers"
+ policies = ["anti-affinity"]
+}
+
+resource "openstack_networking_secgroup_v2" "microk8s" {
+ name = "microk8s"
+ description = "Traffic to allow between microk8s hosts"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
+ #We never know where Richard is, so allow from all of the known internet
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10250
+ port_range_max = 10250
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10255
+ port_range_max = 10255
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 25000
+ port_range_max = 25000
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 12379
+ port_range_max = 12379
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10257
+ port_range_max = 10257
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 10259
+ port_range_max = 10259
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 19001
+ port_range_max = 19001
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "udp"
+ port_range_min = 4789
+ port_range_max = 4789
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule19" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule20" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 16443
+ port_range_max = 16443
+ remote_group_id = openstack_networking_secgroup_v2.microk8s.id
+ security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes" {
+ count = var.pgcluster_instance_count
+ name = "${var.pgcluster_name}-${count.index}.${var.dns_suffix}"
+ flavor_name = "${var.pgcluster_instance_type}"
+ key_pair = "mifr-yubi"
+ security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+
+
+ block_device {
+ uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
+ source_type = "image"
+ volume_size = 20
+ boot_index = 0
+ destination_type = "volume"
+ delete_on_termination = true
+ }
+ scheduler_hints {
+ group = openstack_compute_servergroup_v2.controllers.id
+ }
+ network {
+ name = "public"
+ }
+}
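Review bot: `microk8s_rule1` and `microk8s_rule2` open TCP 16443 (the microk8s API server) to `0.0.0.0/0` and `::/0`, and since `microk8s_rule19`/`microk8s_rule20` already allow 16443 between group members, the world-open pair serves only remote administration and should be narrowed to a variable-driven list of known admin prefixes — for example the jumphosts the instance's `"Allow SSH from SUNET jumphosts"` group already stands for — by replacing `remote_ip_prefix = "0.0.0.0/0"` with `remote_ip_prefix = var.pgcluster_admin_cidr` (variable name constructed; declare it next to `var.pgcluster_instance_count`) and documenting the exception in the comment instead of "allow from all of the known internet". In `controller-nodes`, listing both `"Allow SSH from SUNET jumphosts"` and `"Allow ssh from the world"` makes the jumphost restriction moot, and `key_pair = "mifr-yubi"` plus the literal image uuid tie every controller to one person's key and one image id; both belong in variables alongside the existing `pgcluster_*` ones. The eighteen `remote_group_id` rules differ only in ethertype, protocol and port and can collapse into a single `for_each` resource over a port map (sketch below), with the caveat that changing resource addresses recreates the rules unless `moved` blocks are added. The commit subject covers only the cosmos-rules.yaml change; the new pgcluster.tf deserves its own sentence in the message.
```hcl
locals {
  # group-internal ports; values copied from microk8s_rule3 .. microk8s_rule20
  microk8s_group_ports = {
    "10250" = "tcp", "10255" = "tcp", "25000" = "tcp", "12379" = "tcp",
    "10257" = "tcp", "10259" = "tcp", "19001" = "tcp", "16443" = "tcp",
    "4789"  = "udp",
  }
  microk8s_group_rules = {
    for pair in setproduct(keys(local.microk8s_group_ports), ["IPv4", "IPv6"]) :
    "${pair[0]}-${pair[1]}" => {
      port      = tonumber(pair[0])
      proto     = local.microk8s_group_ports[pair[0]]
      ethertype = pair[1]
    }
  }
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_group" {
  for_each          = local.microk8s_group_rules
  direction         = "ingress"
  ethertype         = each.value.ethertype
  protocol          = each.value.proto
  port_range_min    = each.value.port
  port_range_max    = each.value.port
  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
  security_group_id = openstack_networking_secgroup_v2.microk8s.id
}
# … unchanged: controllers servergroup, microk8s secgroup, rule1/rule2 (narrowed as noted), controller-nodes …
```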