Set up new prod deployment
This commit is contained in:
parent
1c72cff364
commit
c27a2195cc
BIN
IaC-prod/.dnsoutput.tf.swp
Normal file
BIN
IaC-prod/.dnsoutput.tf.swp
Normal file
Binary file not shown.
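Review bot: `IaC-prod/.dnsoutput.tf.swp` is a Vim swap file, i.e. an editor's in-progress buffer of `dnsoutput.tf`, which is not among the files visible in this commit, and it does not belong in the repository. Remove it from the commit and add a `*.swp` entry to the repository's `.gitignore` so editor buffers of whatever is being edited are not published alongside the infrastructure code.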
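--- a/IaC-prod/images.tf
+++ b/IaC-prod/images.tf
@@ -0,0 +1,24 @@
+# Default os version
+data "openstack_images_image_v2" "debian12image" {
+name = "debian-12" # Name of image to be used
+most_recent = true
+}
+
+data "openstack_images_image_v2" "debian12image-dco" {
+name = "debian-12" # Name of image to be used
+most_recent = true
+provider = openstack.dco
+}
+
+data "openstack_images_image_v2" "debian12image-sto4" {
+name = "debian-12" # Name of image to be used
+most_recent = true
+provider = openstack.sto4
+}
+
+data "openstack_images_image_v2" "debian12image-sto3" {
+name = "debian-12" # Name of image to be used
+most_recent = true
+provider = openstack.sto3
+}
+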
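Review bot: Every data source here selects the base image by `name = "debian-12"` with `most_recent = true`, so whichever image of that name is newest and visible to the project is what every boot volume in this deployment is built from; in a cloud where images can be shared or published by other tenants this leaves the OS image an unpinned input. Constrain the lookup with the data source's `visibility`, `owner` or `tag` filters, or pin the image ID for production, and add a comment stating which image source is trusted, e.g. `# Only images published by the cloud operator are acceptable here`. The first block, `debian12image`, has no `provider` and therefore resolves through the default provider rather than a named region; if that is intentional, say so on the `# Default os version` comment.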
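--- a/IaC-prod/k8snodes-dco.tf
+++ b/IaC-prod/k8snodes-dco.tf
@@ -0,0 +1,138 @@
+#
+# Global DCO definitions
+#
+
+locals {
+dcodc = "dco"
+dconodenrbase = index(var.datacenters, "dco")
+dcoindexjump = length(var.datacenters)
+}
+
+#
+# Control node resources DCO
+#
+
+resource "openstack_networking_port_v2" "kubecport-dco" {
+name = "${var.controller_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
+# We create as many ports as there are instances created
+count = var.controllerdcreplicas
+network_id = data.openstack_networking_network_v2.public-dco.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
+resource.openstack_networking_secgroup_v2.microk8s-dco.id,
+resource.openstack_networking_secgroup_v2.k8s-external-control-dco.id
+]
+admin_state_up = "true"
+provider = openstack.dco
+}
+
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "kubecvolumeboot-dco" {
+count = var.controllerdcreplicas # Replicas per datacenter
+name = "${var.controller_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
+description = "OS volume for kubernetes worker node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"
+size = 100
+image_id = data.openstack_images_image_v2.debian12image-dco.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.dco
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes-dco" {
+count = var.controllerdcreplicas # Replicas per datacenter
+name = "${var.controller_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}.${var.dns_suffix}"
+flavor_name = "${var.controller_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.dco
+security_groups = [
+resource.openstack_networking_secgroup_v2.microk8s-dco.name,
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+resource.openstack_networking_secgroup_v2.k8s-external-control-dco.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot-dco[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+
+scheduler_hints {
+group = openstack_compute_servergroup_v2.controllers-dco.id
+}
+network {
+port = resource.openstack_networking_port_v2.kubecport-dco[count.index].id
+}
+}
+
+#
+# Worker node resources DCO
+#
+
+resource "openstack_networking_port_v2" "kubewport-dco" {
+name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
+# We create as many ports as there are instances created
+count = var.workerdcreplicas
+network_id = data.openstack_networking_network_v2.public-dco.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
+resource.openstack_networking_secgroup_v2.microk8s-dco.id,
+resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.id
+]
+admin_state_up = "true"
+provider = openstack.dco
+}
+
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "kubewvolumeboot-dco" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
+description = "OS volume for kubernetes worker node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"
+size = 100
+image_id = data.openstack_images_image_v2.debian12image-dco.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.dco
+}
+
+resource "openstack_blockstorage_volume_v3" "kubewvolumerook-dco" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-rook-vol"
+description = "Rook storage volume for kubernetes worker node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"
+size = 100
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.dco
+}
+
+resource "openstack_compute_instance_v2" "worker-nodes-dco" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}.${var.dns_suffix}"
+flavor_name = "${var.worker_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.dco
+security_groups = [
+resource.openstack_networking_secgroup_v2.microk8s-dco.name,
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot-dco[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubewvolumerook-dco[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 1
+}
+
+scheduler_hints {
+group = openstack_compute_servergroup_v2.workers-dco.id
+}
+network {
+port = resource.openstack_networking_port_v2.kubewport-dco[count.index].id
+}
+}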
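Review bot: The controller boot volume `kubecvolumeboot-dco` is described as `"OS volume for kubernetes worker node ${...}"`, copied from the worker block; it should be `description = "OS volume for kubernetes controller node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"`, and the same copy-paste is in `kubecvolumeboot-sto3` (IaC-prod/k8snodes-sto3.tf) and `kubecvolumeboot-sto4` (IaC-prod/k8snodes-sto4.tf). Both instance resources attach a pre-created port that already carries `security_group_ids` and additionally list `security_groups` on the instance; the provider documentation asks for security groups to be placed on the port when attaching via ports, so the instance-level list is at best redundant, and a later edit to only one of the two lists would silently diverge — either drop it or add a comment such as `# Security groups are enforced on the attached port; keep this list identical to kubecport-dco`. Style: `admin_state_up = "true"` and `flavor_name = "${var.controller_instance_type}"` use a quoted boolean and interpolation-only strings; `admin_state_up = true` and `flavor_name = var.controller_instance_type` read cleaner and avoid the Terraform 0.12+ deprecation warning.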
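--- a/IaC-prod/k8snodes-sto3.tf
+++ b/IaC-prod/k8snodes-sto3.tf
@@ -0,0 +1,139 @@
+#
+# Global definitions sto3
+#
+
+locals {
+sto3dc = "sto3"
+sto3nodenrbase = index(var.datacenters, "sto3")
+sto3indexjump = length(var.datacenters)
+}
+
+#
+# Control node resources STO3
+#
+
+resource "openstack_networking_port_v2" "kubecport-sto3" {
+name = "${var.controller_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-port"
+# We create as many ports as there are instances created
+count = var.controllerdcreplicas
+network_id = data.openstack_networking_network_v2.public-sto3.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
+resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
+resource.openstack_networking_secgroup_v2.k8s-external-control-sto3.id
+]
+admin_state_up = "true"
+provider = openstack.sto3
+}
+
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "kubecvolumeboot-sto3" {
+count = var.controllerdcreplicas # Replicas per datacenter
+name = "${var.controller_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-vol"
+description = "OS volume for kubernetes worker node ${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}"
+size = 100
+image_id = data.openstack_images_image_v2.debian12image-sto3.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.sto3
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes-sto3" {
+count = var.controllerdcreplicas # Replicas per datacenter
+name = "${var.controller_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}.${var.dns_suffix}"
+flavor_name = "${var.controller_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.sto3
+security_groups = [
+resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
+resource.openstack_networking_secgroup_v2.k8s-external-control-sto3.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot-sto3[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+
+scheduler_hints {
+group = openstack_compute_servergroup_v2.controllers-sto3.id
+}
+network {
+port = resource.openstack_networking_port_v2.kubecport-sto3[count.index].id
+}
+}
+
+
+#
+# Worker node resources STO3
+#
+
+resource "openstack_networking_port_v2" "kubewport-sto3" {
+name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-port"
+# We create as many ports as there are instances created
+count = var.workerdcreplicas
+network_id = data.openstack_networking_network_v2.public-sto3.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
+resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
+resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
+]
+admin_state_up = "true"
+provider = openstack.sto3
+}
+
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "kubewvolumeboot-sto3" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-vol"
+description = "OS volume for kubernetes worker node ${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}"
+size = 100
+image_id = data.openstack_images_image_v2.debian12image-sto3.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.sto3
+}
+
+resource "openstack_blockstorage_volume_v3" "kubewvolumerook-sto3" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-rook-vol"
+description = "Rook storage volume for kubernetes worker node ${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}"
+size = 100
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.sto3
+}
+
+resource "openstack_compute_instance_v2" "worker-nodes-sto3" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}.${var.dns_suffix}"
+flavor_name = "${var.worker_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.sto3
+security_groups = [
+resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
+resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot-sto3[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubewvolumerook-sto3[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 1
+}
+
+scheduler_hints {
+group = openstack_compute_servergroup_v2.workers-sto3.id
+}
+network {
+port = resource.openstack_networking_port_v2.kubewport-sto3[count.index].id
+}
+}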
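--- a/IaC-prod/k8snodes-sto4.tf
+++ b/IaC-prod/k8snodes-sto4.tf
@@ -0,0 +1,138 @@
+#
+# Global definitions for sto4
+#
+locals {
+sto4dc = "sto4"
+sto4nodenrbase = index(var.datacenters, "sto4")
+sto4indexjump = length(var.datacenters)
+}
+
+#
+# Controller node resources
+#
+
+resource "openstack_networking_port_v2" "kubecport-sto4" {
+name = "${var.controller_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-port"
+# We create as many ports as there are instances created
+count = var.controllerdcreplicas
+network_id = data.openstack_networking_network_v2.public-sto4.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
+resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
+resource.openstack_networking_secgroup_v2.k8s-external-control-sto4.id
+]
+admin_state_up = "true"
+provider = openstack.sto4
+}
+
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "kubecvolumeboot-sto4" {
+count = var.controllerdcreplicas # Replicas per datacenter
+name = "${var.controller_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-vol"
+description = "OS volume for kubernetes worker node ${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}"
+size = 100
+image_id = data.openstack_images_image_v2.debian12image-sto4.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.sto4
+}
+
+resource "openstack_compute_instance_v2" "controller-nodes-sto4" {
+count = var.controllerdcreplicas # Replicas per datacenter
+name = "${var.controller_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}.${var.dns_suffix}"
+flavor_name = "${var.controller_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.sto4
+security_groups = [
+resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
+resource.openstack_networking_secgroup_v2.k8s-external-control-sto4.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot-sto4[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+
+scheduler_hints {
+group = openstack_compute_servergroup_v2.controllers-sto4.id
+}
+network {
+port = resource.openstack_networking_port_v2.kubecport-sto4[count.index].id
+}
+}
+
+
+#
+# Worker node resources
+#
+
+resource "openstack_networking_port_v2" "kubewport-sto4" {
+name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-port"
+# We create as many ports as there are instances created
+count = var.workerdcreplicas
+network_id = data.openstack_networking_network_v2.public-sto4.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
+resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
+resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
+]
+admin_state_up = "true"
+provider = openstack.sto4
+}
+
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "kubewvolumeboot-sto4" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-vol"
+description = "OS volume for kubernetes worker node ${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}"
+size = 100
+image_id = data.openstack_images_image_v2.debian12image-sto4.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.sto4
+}
+
+resource "openstack_blockstorage_volume_v3" "kubewvolumerook-sto4" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-rook-vol"
+description = "Rook storage volume for kubernetes worker node ${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}"
+size = 100
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.sto4
+}
+
+resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
+count = var.workerdcreplicas # Replicas per datacenter
+name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}.${var.dns_suffix}"
+flavor_name = "${var.worker_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.sto4
+security_groups = [
+resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
+resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot-sto4[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.kubewvolumerook-sto4[count.index].id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 1
+}
+
+scheduler_hints {
+group = openstack_compute_servergroup_v2.workers-sto4.id
+}
+network {
+port = resource.openstack_networking_port_v2.kubewport-sto4[count.index].id
+}
+}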
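--- a/IaC-prod/lb.tf
+++ b/IaC-prod/lb.tf
@@ -0,0 +1,48 @@
+
+# Netowrk port
+resource "openstack_networking_port_v2" "lb1-port-dco" {
+name = "lb1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
+network_id = data.openstack_networking_network_v2.public-dco.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
+resource.openstack_networking_secgroup_v2.lb-dco.id
+]
+admin_state_up = "true"
+provider = openstack.dco
+}
+
+# Boot volume
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "lb1volumeboot-dco" {
+name = "lb1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
+description = "OS volume for lb1.matrix.test.sunet.se"
+size = 50
+image_id = data.openstack_images_image_v2.debian12image-dco.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.dco
+}
+
+resource "openstack_compute_instance_v2" "lb1-node-dco" {
+name = "lb1.${var.dns_suffix}"
+flavor_name = "${var.lb_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.dco
+security_groups = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+resource.openstack_networking_secgroup_v2.lb-dco.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.lb1volumeboot-dco.id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+
+network {
+port = resource.openstack_networking_port_v2.lb1-port-dco.id
+}
+}
+
+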
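Review bot: The volume description on `lb1volumeboot-dco` hard-codes `"OS volume for lb1.matrix.test.sunet.se"` while the instance it boots is named `"lb1.${var.dns_suffix}"`, so this prod deployment labels its volume with a test hostname that will drift from the real one; use `description = "OS volume for lb1.${var.dns_suffix}"`. The same hard-coded test hostname is on `mgmt1volumeboot-dco` in IaC-prod/mgmt.tf, where `description = "OS volume for mgmt1.${var.dns_suffix}"` is the matching fix. Minor, shared by both files: `# Netowrk port` has a typo, and the adjacent `# Boot volume` / `# Boot volume for node` comments duplicate each other — keep one.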
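--- a/IaC-prod/main.tf
+++ b/IaC-prod/main.tf
@@ -0,0 +1,33 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+required_providers {
+openstack = {
+source = "terraform-provider-openstack/openstack"
+version = "~> 1.53.0"
+}
+}
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+cloud = "${var.clouddco_name}"
+}
+
+# DCO Matrix Test
+provider "openstack" {
+cloud = "${var.clouddco_name}"
+alias = "dco"
+}
+
+# STO3 Matrix test
+provider "openstack" {
+cloud = "${var.cloudsto3_name}"
+alias = "sto3"
+}
+
+# STO4 Matrix test
+provider "openstack" {
+cloud = "${var.cloudsto4_name}"
+alias = "sto4"
+}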
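Review bot: The unaliased `provider "openstack"` and the `dco` alias both read `var.clouddco_name`, so any resource or data source in this deployment that forgets its `provider` argument (in this commit `debian12image` in IaC-prod/images.tf and `public` in IaC-prod/network.tf) is created in DCO silently instead of being caught at plan time. If every block is meant to name its region explicitly, drop the default provider configuration so an omission fails to authenticate rather than quietly landing in one cloud; if the default is deliberate, say so on its comment, e.g. `# Default provider intentionally mirrors the dco alias; prefer explicit provider = openstack.<region> in resources`. The section comments `# DCO Matrix Test`, `# STO3 Matrix test` and `# STO4 Matrix test` describe a test environment although the commit sets up prod; rename them to match the deployment.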
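--- a/IaC-prod/mgmt.tf
+++ b/IaC-prod/mgmt.tf
@@ -0,0 +1,46 @@
+
+# Netowrk port
+resource "openstack_networking_port_v2" "mgmt1-port-dco" {
+name = "mgmt1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
+network_id = data.openstack_networking_network_v2.public-dco.id
+# A list of security group ID
+security_group_ids = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
+]
+admin_state_up = "true"
+provider = openstack.dco
+}
+
+# Boot volume
+# Boot volume for node
+resource "openstack_blockstorage_volume_v3" "mgmt1volumeboot-dco" {
+name = "mgmt1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
+description = "OS volume for mgmt1.matrix.test.sunet.se"
+size = 50
+image_id = data.openstack_images_image_v2.debian12image-dco.id
+enable_online_resize = true # Allow us to resize volume while attached.
+provider = openstack.dco
+}
+
+resource "openstack_compute_instance_v2" "mgmt1-node-dco" {
+name = "mgmt1.${var.dns_suffix}"
+flavor_name = "${var.lb_instance_type}"
+key_pair = "${var.keynameworkers}"
+provider = openstack.dco
+security_groups = [
+resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
+]
+
+block_device {
+uuid = resource.openstack_blockstorage_volume_v3.mgmt1volumeboot-dco.id
+source_type = "volume"
+destination_type = "volume"
+boot_index = 0
+}
+
+network {
+port = resource.openstack_networking_port_v2.mgmt1-port-dco.id
+}
+}
+
+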
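Review bot: The management node borrows the load balancer's sizing, `flavor_name = "${var.lb_instance_type}"`, and the key pair `var.keynameworkers`, so a later change to either variable for the LB or the workers also reshapes or re-keys mgmt1 without that being visible here. If sharing is intended, note it next to the line, e.g. `# Reuses the LB flavor on purpose; no separate mgmt flavor variable`; otherwise give mgmt1 its own variable. The security group list restricted to `ssh-from-jump-hosts-dco` is the right shape for a management host.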
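--- a/IaC-prod/network.tf
+++ b/IaC-prod/network.tf
@@ -0,0 +1,18 @@
+data "openstack_networking_network_v2" "public" {
+name = "public" # Name of network to use.
+}
+
+data "openstack_networking_network_v2" "public-dco" {
+name = "public" # Name of network to use.
+provider = openstack.dco
+}
+
+data "openstack_networking_network_v2" "public-sto4" {
+name = "public" # Name of network to use.
+provider = openstack.sto4
+}
+
+data "openstack_networking_network_v2" "public-sto3" {
+name = "public" # Name of network to use.
+provider = openstack.sto3
+}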
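Review bot: `data "openstack_networking_network_v2" "public"` carries no `provider`, so it resolves through the default provider, while `public-dco` already covers DCO explicitly; none of the files visible in this commit reference the unaliased one. If a file outside this view depends on it, a comment naming that consumer (`# Used by <file>; default provider resolves to dco`) would keep the next maintainer from removing or re-pointing it; otherwise it can be dropped so every network lookup names its region.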
177
IaC-prod/securitygroups-k8s-dco.tf
Normal file
177
IaC-prod/securitygroups-k8s-dco.tf
Normal file
|
@ -0,0 +1,177 @@
|
||||||
|
|
||||||
|
# Security groups dco
|
||||||
|
resource "openstack_networking_secgroup_v2" "microk8s-dco" {
|
||||||
|
name = "microk8s"
|
||||||
|
description = "Traffic to allow between microk8s hosts"
|
||||||
|
provider=openstack.dco
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-dco" {
|
||||||
|
name = "ssh-from-jumphosts"
|
||||||
|
description = "Allow ssh traffic from sunet jumphosts."
|
||||||
|
provider=openstack.dco
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Security group rules for microk8s
|
||||||
|
#
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_dco" {
|
||||||
|
count = length(var.k8sports)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[count.index])[0]
|
||||||
|
port_range_max = keys(var.k8sports[count.index])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_dco" {
|
||||||
|
count = length(var.k8sports)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[count.index])[0]
|
||||||
|
port_range_max = keys(var.k8sports[count.index])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# From STO3 to DCO
|
||||||
|
#
|
||||||
|
|
||||||
|
# Control nodes
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto3_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto3_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
# Worker nodes
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# From STO4 to DCO
|
||||||
|
#
|
||||||
|
|
||||||
|
#Controllers
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
# Workers
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_dco" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Security group rules for ssh-from-jump-hosts
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-dco" {
|
||||||
|
count = length(var.jumphostv4-ips)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = "tcp"
|
||||||
|
port_range_min = "22"
|
||||||
|
port_range_max = "22"
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-dco" {
|
||||||
|
count = length(var.jumphostv6-ips)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = "tcp"
|
||||||
|
port_range_min = "22"
|
||||||
|
port_range_max = "22"
|
||||||
|
provider = openstack.dco
|
||||||
|
remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
|
||||||
|
}
|
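--- a/IaC-prod/securitygroups-k8s-external.tf
+++ b/IaC-prod/securitygroups-k8s-external.tf
@@ -0,0 +1,125 @@
+# Security groups for external acccess k8s control nodes in dco.
+resource "openstack_networking_secgroup_v2" "k8s-external-control-dco" {
+name = "k8s-external"
+description = "External ingress traffic to k8s control nodes."
+provider=openstack.dco
+}
+
+# Security groups for external acccess k8s control nodes in sto3.
+resource "openstack_networking_secgroup_v2" "k8s-external-control-sto3" {
+name = "k8s-external"
+description = "External ingress traffic to k8s control nodes."
+provider=openstack.sto3
+}
+# Security groups for external acccess k8s control nodes in sto4.
+resource "openstack_networking_secgroup_v2" "k8s-external-control-sto4" {
+name = "k8s-external"
+description = "External ingress traffic to k8s control nodes."
+provider=openstack.sto4
+}
+
+# Rules dco
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.43/32"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-control-dco.id
+}
+
+# Rules sto3
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto3" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.sto3
+remote_ip_prefix = "89.47.191.43/32"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto3.id
+}
+
+# Rules sto4
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto4" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.sto4
+remote_ip_prefix = "89.47.191.43/32"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto4.id
+}
+
+
+# Security groups for external acccess k8s worker nodes in dco.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-dco" {
+name = "k8s-external-worker"
+description = "External ingress traffic to k8s worker nodes."
+provider=openstack.dco
+}
+
+# Security groups for external acccess k8s worker nodes in sto3.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto3" {
+name = "k8s-external-worker"
+description = "External ingress traffic to k8s worker nodes."
+provider=openstack.sto3
+}
+# Security groups for external acccess k8s worker nodes in sto4.
+resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto4" {
+name = "k8s-external-worker"
+description = "External ingress traffic to k8s worker nodes."
+provider=openstack.sto4
+}
+
+# Rules dco
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "443"
+port_range_max = "443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.43/32"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
+}
+
+# Rules sto3
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto3" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "443"
+port_range_max = "443"
+provider = openstack.sto3
+remote_ip_prefix = "89.47.191.43/32"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
+}
+
+# Rules sto4
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto4" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "443"
+port_range_max = "443"
+provider = openstack.sto4
+remote_ip_prefix = "89.47.191.43/32"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
+}
+
+# Rules sto4
+resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule2_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "443"
+port_range_max = "443"
+provider = openstack.dco
+remote_ip_prefix = "0.0.0.0/0"
+security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
+}
+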
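Review bot: The rule `k8s_external_ingress_worker_rule2_v4_dco` opens 443/tcp to the dco worker group from `0.0.0.0/0`, yet it sits under a `# Rules sto4` header and has no sto3/sto4 or IPv6 counterpart, so a reader cannot tell whether world-reachable HTTPS on dco alone is intended or a copy-paste slip. If it is intended, say so where the rule is declared, e.g. `# Rules dco: public 443/tcp to the worker nodes - the only world-reachable rule in this file`; if not, either drop it or add the matching rules for sto3 and sto4 so the three clouds behave the same. The literal `89.47.191.43/32` is repeated in six rules; hoisting it into a list variable and generating the rules with `count`, the way `var.jumphostv4-ips` drives the ssh rules elsewhere in this commit, keeps the admin allow-list in one place and gives an IPv6 allow-list a natural home. Minor: `provider=openstack.dco` in the group blocks is the only place the file omits spaces around `=`, and the comments spell "acccess" with three c's.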
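--- a/IaC-prod/securitygroups-k8s-sto3.tf
+++ b/IaC-prod/securitygroups-k8s-sto3.tf
@@ -0,0 +1,177 @@
+
+# Security groups sto3
+resource "openstack_networking_secgroup_v2" "microk8s-sto3" {
+name = "microk8s"
+description = "Traffic to allow between microk8s hosts"
+provider=openstack.sto3
+}
+
+resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto3" {
+name = "ssh-from-jumphosts"
+description = "Allow ssh traffic from sunet jumphosts."
+provider=openstack.sto3
+}
+
+#
+# Security group rules for microk8s
+#
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto3" {
+count = length(var.k8sports)
+direction = "ingress"
+ethertype = "IPv4"
+protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
+port_range_min = keys(var.k8sports[count.index])[0]
+port_range_max = keys(var.k8sports[count.index])[0]
+provider = openstack.sto3
+remote_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto3" {
+count = length(var.k8sports)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
+port_range_min = keys(var.k8sports[count.index])[0]
+port_range_max = keys(var.k8sports[count.index])[0]
+provider = openstack.sto3
+remote_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+#
+# From DCO to STO3
+#
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
+direction = "ingress"
+ethertype = "IPv4"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v4, "32" ])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+# Worker nodes
+resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
+direction = "ingress"
+ethertype = "IPv4"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4, "32" ])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+#
+# From STO4 to STO3
+#
+
+# Controllers
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
+direction = "ingress"
+ethertype = "IPv4"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+
+# Workers
+resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
+direction = "ingress"
+ethertype = "IPv4"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4, "32" ])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_sto3" {
+count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
+port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
+port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
+provider = openstack.sto3
+remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
+}
+
+#
+# Security group rules for ssh-from-jump-hosts
+#
+
+
+resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto3" {
+count = length(var.jumphostv4-ips)
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "22"
+port_range_max = "22"
+provider = openstack.sto3
+remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
+security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto3" {
+count = length(var.jumphostv6-ips)
+direction = "ingress"
+ethertype = "IPv6"
+protocol = "tcp"
+port_range_min = "22"
+port_range_max = "22"
+provider = openstack.sto3
+remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
+security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
+}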
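Review bot: The cross-datacenter rules from `microk8s_controller_rule_v4_dco_to_sto3` onward derive both the port (`floor(count.index/length(...))`) and the source node (`count.index % length(...)`) from `count.index`, so inserting an entry into `var.k8sports` or changing the number of controller-nodes-dco renumbers every rule after that point and Terraform will destroy and recreate them, leaving those port/node pairs blocked between the two halves of the apply; the same pattern is in the dco file section above and the sto4 section below. Keying the rules with `for_each` over `setproduct(var.k8sports, <instances>)` gives each rule a stable address built from the port and the instance name, so a change touches only the rules that actually changed, and a `moved` block per old index can carry existing state across without a rebuild. The rewrite below shows one rule; the other cross-DC rules in this file follow the same shape, with `access_ip_v6` and the existing `replace()` on the IPv6 side. This assumes `var.k8sports` is a list of single-entry maps, as the indexing in this file implies, and that the instance names are known at plan time, which depends on how controller-nodes-dco is declared outside this file.
```hcl
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto3" {
  # One rule per (port, source node) pair, keyed by port and instance name so
  # adding a port or a node does not renumber the rules that already exist.
  for_each = {
    for pair in setproduct(var.k8sports, resource.openstack_compute_instance_v2.controller-nodes-dco) :
    "${keys(pair[0])[0]}-${pair[1].name}" => pair
  }
  # … unchanged: direction, ethertype, provider, security_group_id …
  protocol         = each.value[0][keys(each.value[0])[0]]
  port_range_min   = keys(each.value[0])[0]
  port_range_max   = keys(each.value[0])[0]
  remote_ip_prefix = "${each.value[1].access_ip_v4}/32"
}
```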
177
IaC-prod/securitygroups-k8s-sto4.tf
Normal file
177
IaC-prod/securitygroups-k8s-sto4.tf
Normal file
|
@ -0,0 +1,177 @@
|
||||||
|
|
||||||
|
# Security groups sto4
|
||||||
|
resource "openstack_networking_secgroup_v2" "microk8s-sto4" {
|
||||||
|
name = "microk8s"
|
||||||
|
description = "Traffic to allow between microk8s hosts"
|
||||||
|
provider=openstack.sto4
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto4" {
|
||||||
|
name = "ssh-from-jumphosts"
|
||||||
|
description = "Allow ssh traffic from sunet jumphosts."
|
||||||
|
provider=openstack.sto4
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Security group rules for microk8s
|
||||||
|
#
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto4" {
|
||||||
|
count = length(var.k8sports)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[count.index])[0]
|
||||||
|
port_range_max = keys(var.k8sports[count.index])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto4" {
|
||||||
|
count = length(var.k8sports)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[count.index])[0]
|
||||||
|
port_range_max = keys(var.k8sports[count.index])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# DCO to STO4
|
||||||
|
#
|
||||||
|
|
||||||
|
# Controllers
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto4" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto4" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
# Workers
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto4" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto4" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# From STO3 to STO4
|
||||||
|
#
|
||||||
|
|
||||||
|
# Control nodes
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto3_to_sto4" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv4"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
|
||||||
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
|
||||||
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
|
||||||
|
provider = openstack.sto4
|
||||||
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v4, "32" ])
|
||||||
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto3_to_sto4" {
|
||||||
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
|
||||||
|
direction = "ingress"
|
||||||
|
ethertype = "IPv6"
|
||||||
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# Worker nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
#
# Security group rules for ssh-from-jump-hosts
#
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto4" {
count = length(var.jumphostv4-ips)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.sto4
remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto4" {
count = length(var.jumphostv6-ips)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.sto4
remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
}
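--- a/IaC-prod/securitygroups-lb.tf
+++ b/IaC-prod/securitygroups-lb.tf
@@ -0,0 +1,109 @@
+# Security groups lb-frontend
+resource "openstack_networking_secgroup_v2" "lb-dco" {
+name = "lb-frontend"
+description = "Ingress lb traffic to allow."
+provider=openstack.dco
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "8443"
+port_range_max = "8443"
+provider = openstack.dco
+remote_ip_prefix = "87.251.31.118/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule2_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.dco
+remote_ip_prefix = "87.251.31.118/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+# From mgmt1
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule3_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.66/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule4_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "80"
+port_range_max = "80"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.66/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule5_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "443"
+port_range_max = "443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.66/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule6_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "8443"
+port_range_max = "8443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.66/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule7_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "8080"
+port_range_max = "8080"
+provider = openstack.dco
+remote_ip_prefix = "89.47.191.66/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule8_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.184.88/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule9_v4_dco" {
+direction = "ingress"
+ethertype = "IPv4"
+protocol = "tcp"
+port_range_min = "16443"
+port_range_max = "16443"
+provider = openstack.dco
+remote_ip_prefix = "89.47.184.88/32"
+security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}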
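Review bot: Only one of the four /32 sources allowed into `lb-frontend` is documented (`# From mgmt1` above `lb_ingress_rule3_v4_dco`); `87.251.31.118`, `89.47.184.88` and `130.242.121.23` carry no comment, and four separate rules (`rule2`, `rule3`, `rule8`, `rule9`) each open 16443 to one of them, so a later reviewer cannot tell which entries are still needed or safe to remove. At minimum add a one-line comment above each rule naming the system behind the source address, e.g. `# <system name — TODO> reaches the API port from this address`. The commit already uses the list-driven form for the jump-host rules (`count = length(var.jumphostv4-ips)`), and the same shape here would keep the whole allow-list in one documented place; since this file is new in the commit there is no state to migrate.

```hcl
# Allowed IPv4 sources per TCP port for lb-frontend; keep one comment per entry
# saying which system the address belongs to.
variable "lb_ingress_v4" {
  type = list(object({ port = string, src = string }))
  default = [
    { port = "8443",  src = "87.251.31.118/32" },   # <system — TODO>
    { port = "16443", src = "87.251.31.118/32" },   # <system — TODO>
    { port = "16443", src = "89.47.191.66/32" },    # mgmt1
    # … remaining entries from the nine rules above …
  ]
}

resource "openstack_networking_secgroup_rule_v2" "lb_ingress_v4_dco" {
  count             = length(var.lb_ingress_v4)
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = var.lb_ingress_v4[count.index].port
  port_range_max    = var.lb_ingress_v4[count.index].port
  provider          = openstack.dco
  remote_ip_prefix  = var.lb_ingress_v4[count.index].src
  security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
```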
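--- a/IaC-prod/servergroups-dco.tf
+++ b/IaC-prod/servergroups-dco.tf
@@ -0,0 +1,11 @@
+resource "openstack_compute_servergroup_v2" "workers-dco" {
+name = "workers"
+policies = ["anti-affinity"]
+provider = openstack.dco
+}
+resource "openstack_compute_servergroup_v2" "controllers-dco" {
+name = "controllers"
+policies = ["anti-affinity"]
+provider = openstack.dco
+}
+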
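Review bot: `servergroups.tf` in the same commit declares `workers` and `controllers` server groups with no `provider` alias, while this file, `servergroups-sto3.tf` and `servergroups-sto4.tf` declare the same group names once per cloud; if the default `openstack` provider is configured for one of those three clouds (vars.tf defaults `datacenter_name` to `dco`), that cloud ends up with two identically named groups and an instance can be placed in whichever one its `scheduler_hints` happen to reference. Either drop the un-aliased file or add a comment to it stating which cloud the default provider targets, e.g. `# Server groups for the default provider; not used by the dco/sto3/sto4 aliased resources`. The hard `anti-affinity` policy itself is the right choice for keeping each role's replicas on separate hypervisors.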
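--- a/IaC-prod/servergroups-sto3.tf
+++ b/IaC-prod/servergroups-sto3.tf
@@ -0,0 +1,11 @@
+resource "openstack_compute_servergroup_v2" "workers-sto3" {
+name = "workers"
+policies = ["anti-affinity"]
+provider = openstack.sto3
+}
+resource "openstack_compute_servergroup_v2" "controllers-sto3" {
+name = "controllers"
+policies = ["anti-affinity"]
+provider = openstack.sto3
+}
+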
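--- a/IaC-prod/servergroups-sto4.tf
+++ b/IaC-prod/servergroups-sto4.tf
@@ -0,0 +1,11 @@
+resource "openstack_compute_servergroup_v2" "workers-sto4" {
+name = "workers"
+policies = ["anti-affinity"]
+provider = openstack.sto4
+}
+resource "openstack_compute_servergroup_v2" "controllers-sto4" {
+name = "controllers"
+policies = ["anti-affinity"]
+provider = openstack.sto4
+}
+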
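--- a/IaC-prod/servergroups.tf
+++ b/IaC-prod/servergroups.tf
@@ -0,0 +1,9 @@
+resource "openstack_compute_servergroup_v2" "workers" {
+name = "workers"
+policies = ["anti-affinity"]
+}
+resource "openstack_compute_servergroup_v2" "controllers" {
+name = "controllers"
+policies = ["anti-affinity"]
+}
+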
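--- a/IaC-prod/vars.tf
+++ b/IaC-prod/vars.tf
@@ -0,0 +1,98 @@
+variable "datacenter_name" {
+type = string
+default = "dco"
+}
+
+variable "datacenters" {
+type = list(string)
+default = [ "dco", "sto3", "sto4" ]
+}
+
+# Cloud names in clouds.yaml file
+variable "clouddco_name" {
+type = string
+default = "dco-matrixprod"
+}
+
+variable "cloudsto3_name" {
+type = string
+default = "sto3-matrixprod"
+}
+
+variable "cloudsto4_name" {
+type = string
+default = "sto4-matrixprod"
+}
+
+variable "keyname" {
+type = string
+default = "manderssonpub3"
+}
+variable "keynameworkers" {
+type = string
+default = "manderssonpub3"
+}
+
+
+# Replicas per datacenter
+variable "workerdcreplicas" {
+default = "2"
+}
+
+# Replicas per datacenter
+variable "controllerdcreplicas" {
+default = "1"
+}
+
+variable "controller_instance_type" {
+default = "b2.c2r4"
+}
+
+variable "worker_instance_type" {
+default = "b2.c4r16"
+}
+
+variable "lb_instance_type" {
+default = "b2.c2r4"
+}
+
+variable "mgmt_instance_type" {
+default = "b2.c2r4"
+}
+
+variable "worker_name" {
+default = "k8sw"
+}
+
+variable "controller_name" {
+default = "k8sc"
+}
+
+variable "dns_suffix" {
+default = "matrix.sunet.se"
+}
+
+variable "k8sports" {
+default=[
+{"16443" = "tcp"},
+{"10250" = "tcp"},
+{"10255" = "tcp"},
+{"25000" = "tcp"},
+{"12379" = "tcp"},
+{"10257" = "tcp"},
+{"10259" = "tcp"},
+{"19001" = "tcp"},
+{"4789" = "udp"},
+{"51820" = "udp"}
+]
+}
+
+variable jumphostv4-ips {
+type = list(string)
+default = []
+}
+
+variable jumphostv6-ips {
+type = list(string)
+default = []
+}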
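Review bot: `workerdcreplicas` and `controllerdcreplicas` are declared with string defaults (`"2"`, `"1"`) and no `type`, yet the `# Replicas per datacenter` comment says they are instance counts; declare them as `type = number` with `default = 2` / `default = 1` so a non-numeric override fails at plan time rather than relying on implicit string-to-number conversion, and give the other untyped variables (`*_instance_type`, `worker_name`, `controller_name`, `dns_suffix`, `k8sports`) a `type` and `description` as the first five variables already have. `keyname` and `keynameworkers` default to what looks like a personal keypair name (`manderssonpub3`); for a production deployment prefer no default so the keypair has to be passed explicitly and the default cannot be applied by accident. `jumphostv4-ips` and `jumphostv6-ips` default to `[]`, which makes the `ssh-from-jumphosts-*` rules (`count = length(var.jumphostv4-ips)`) produce no rules at all until overridden; that is a safe default but deserves a comment, e.g. `# Empty => no SSH ingress rules are created; set per environment`. The unquoted `variable jumphostv4-ips {` form is legacy syntax; `variable "jumphostv4-ips" {` matches the rest of the file.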