matrix/matrix-ops
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Setup new prod deployment

Browse source
This commit is contained in:
Magnus Andersson 2024-11-07 22:55:21 +01:00
parent 1c72cff364
commit c27a2195cc
Signed by: mandersson
GPG key ID: 1F7C896B34B28164
19 changed files with 1489 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
IaC-prod/.dnsoutput.tf.swp Normal file
View file

Binary file not shown.

24
IaC-prod/images.tf Normal file
View file

@ -0,0 +1,24 @@
# Default os version
data "openstack_images_image_v2" "debian12image" {
name = "debian-12" # Name of image to be used
most_recent = true
}
data "openstack_images_image_v2" "debian12image-dco" {
name = "debian-12" # Name of image to be used
most_recent = true
provider = openstack.dco
}
data "openstack_images_image_v2" "debian12image-sto4" {
name = "debian-12" # Name of image to be used
most_recent = true
provider = openstack.sto4
}
data "openstack_images_image_v2" "debian12image-sto3" {
name = "debian-12" # Name of image to be used
most_recent = true
provider = openstack.sto3
}

138
IaC-prod/k8snodes-dco.tf Normal file
View file

@ -0,0 +1,138 @@
#
# Global DCO definitions
#
locals {
dcodc = "dco"
dconodenrbase = index(var.datacenters, "dco")
dcoindexjump = length(var.datacenters)
}
#
# Control node resources DCO
#
resource "openstack_networking_port_v2" "kubecport-dco" {
name = "${var.controller_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
# We create as many ports as there are instances created
count = var.controllerdcreplicas
network_id = data.openstack_networking_network_v2.public-dco.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
resource.openstack_networking_secgroup_v2.microk8s-dco.id,
resource.openstack_networking_secgroup_v2.k8s-external-control-dco.id
]
admin_state_up = "true"
provider = openstack.dco
}
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "kubecvolumeboot-dco" {
count = var.controllerdcreplicas # Replicas per datacenter
name = "${var.controller_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
description = "OS volume for kubernetes worker node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"
size = 100
image_id = data.openstack_images_image_v2.debian12image-dco.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.dco
}
resource "openstack_compute_instance_v2" "controller-nodes-dco" {
count = var.controllerdcreplicas # Replicas per datacenter
name = "${var.controller_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}.${var.dns_suffix}"
flavor_name = "${var.controller_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.dco
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-dco.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
resource.openstack_networking_secgroup_v2.k8s-external-control-dco.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot-dco[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
scheduler_hints {
group = openstack_compute_servergroup_v2.controllers-dco.id
}
network {
port = resource.openstack_networking_port_v2.kubecport-dco[count.index].id
}
}
#
# Worker node resources DCO
#
resource "openstack_networking_port_v2" "kubewport-dco" {
name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
# We create as many ports as there are instances created
count = var.workerdcreplicas
network_id = data.openstack_networking_network_v2.public-dco.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
resource.openstack_networking_secgroup_v2.microk8s-dco.id,
resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.id
]
admin_state_up = "true"
provider = openstack.dco
}
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "kubewvolumeboot-dco" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
description = "OS volume for kubernetes worker node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"
size = 100
image_id = data.openstack_images_image_v2.debian12image-dco.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.dco
}
resource "openstack_blockstorage_volume_v3" "kubewvolumerook-dco" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}-${replace(var.dns_suffix,".","-")}-${local.dcodc}-rook-vol"
description = "Rook storage volume for kubernetes worker node ${count.index * local.dcoindexjump + 1 + local.dconodenrbase}"
size = 100
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.dco
}
resource "openstack_compute_instance_v2" "worker-nodes-dco" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.dcoindexjump + 1 + local.dconodenrbase}.${var.dns_suffix}"
flavor_name = "${var.worker_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.dco
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-dco.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
resource.openstack_networking_secgroup_v2.k8s-external-worker-dco.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot-dco[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubewvolumerook-dco[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 1
}
scheduler_hints {
group = openstack_compute_servergroup_v2.workers-dco.id
}
network {
port = resource.openstack_networking_port_v2.kubewport-dco[count.index].id
}
}

139
IaC-prod/k8snodes-sto3.tf Normal file
View file

@ -0,0 +1,139 @@
#
# Global definitions sto3
#
locals {
sto3dc = "sto3"
sto3nodenrbase = index(var.datacenters, "sto3")
sto3indexjump = length(var.datacenters)
}
#
# Control node resources STO3
#
resource "openstack_networking_port_v2" "kubecport-sto3" {
name = "${var.controller_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-port"
# We create as many ports as there are instances created
count = var.controllerdcreplicas
network_id = data.openstack_networking_network_v2.public-sto3.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
resource.openstack_networking_secgroup_v2.k8s-external-control-sto3.id
]
admin_state_up = "true"
provider = openstack.sto3
}
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "kubecvolumeboot-sto3" {
count = var.controllerdcreplicas # Replicas per datacenter
name = "${var.controller_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-vol"
description = "OS volume for kubernetes worker node ${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}"
size = 100
image_id = data.openstack_images_image_v2.debian12image-sto3.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.sto3
}
resource "openstack_compute_instance_v2" "controller-nodes-sto3" {
count = var.controllerdcreplicas # Replicas per datacenter
name = "${var.controller_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}.${var.dns_suffix}"
flavor_name = "${var.controller_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.sto3
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
resource.openstack_networking_secgroup_v2.k8s-external-control-sto3.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot-sto3[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
scheduler_hints {
group = openstack_compute_servergroup_v2.controllers-sto3.id
}
network {
port = resource.openstack_networking_port_v2.kubecport-sto3[count.index].id
}
}
#
# Worker node resources STO3
#
resource "openstack_networking_port_v2" "kubewport-sto3" {
name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-port"
# We create as many ports as there are instances created
count = var.workerdcreplicas
network_id = data.openstack_networking_network_v2.public-sto3.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id,
resource.openstack_networking_secgroup_v2.microk8s-sto3.id,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
]
admin_state_up = "true"
provider = openstack.sto3
}
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "kubewvolumeboot-sto3" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-vol"
description = "OS volume for kubernetes worker node ${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}"
size = 100
image_id = data.openstack_images_image_v2.debian12image-sto3.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.sto3
}
resource "openstack_blockstorage_volume_v3" "kubewvolumerook-sto3" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto3dc}-rook-vol"
description = "Rook storage volume for kubernetes worker node ${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}"
size = 100
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.sto3
}
resource "openstack_compute_instance_v2" "worker-nodes-sto3" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.sto3indexjump + 1 + local.sto3nodenrbase}.${var.dns_suffix}"
flavor_name = "${var.worker_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.sto3
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-sto3.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.name,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto3.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot-sto3[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubewvolumerook-sto3[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 1
}
scheduler_hints {
group = openstack_compute_servergroup_v2.workers-sto3.id
}
network {
port = resource.openstack_networking_port_v2.kubewport-sto3[count.index].id
}
}

138
IaC-prod/k8snodes-sto4.tf Normal file
View file

@ -0,0 +1,138 @@
#
# Global definitions for sto4
#
locals {
sto4dc = "sto4"
sto4nodenrbase = index(var.datacenters, "sto4")
sto4indexjump = length(var.datacenters)
}
#
# Controller node resources
#
resource "openstack_networking_port_v2" "kubecport-sto4" {
name = "${var.controller_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-port"
# We create as many ports as there are instances created
count = var.controllerdcreplicas
network_id = data.openstack_networking_network_v2.public-sto4.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
resource.openstack_networking_secgroup_v2.k8s-external-control-sto4.id
]
admin_state_up = "true"
provider = openstack.sto4
}
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "kubecvolumeboot-sto4" {
count = var.controllerdcreplicas # Replicas per datacenter
name = "${var.controller_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-vol"
description = "OS volume for kubernetes worker node ${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}"
size = 100
image_id = data.openstack_images_image_v2.debian12image-sto4.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.sto4
}
resource "openstack_compute_instance_v2" "controller-nodes-sto4" {
count = var.controllerdcreplicas # Replicas per datacenter
name = "${var.controller_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}.${var.dns_suffix}"
flavor_name = "${var.controller_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.sto4
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
resource.openstack_networking_secgroup_v2.k8s-external-control-sto4.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubecvolumeboot-sto4[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
scheduler_hints {
group = openstack_compute_servergroup_v2.controllers-sto4.id
}
network {
port = resource.openstack_networking_port_v2.kubecport-sto4[count.index].id
}
}
#
# Worker node resources
#
resource "openstack_networking_port_v2" "kubewport-sto4" {
name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-port"
# We create as many ports as there are instances created
count = var.workerdcreplicas
network_id = data.openstack_networking_network_v2.public-sto4.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
]
admin_state_up = "true"
provider = openstack.sto4
}
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "kubewvolumeboot-sto4" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-vol"
description = "OS volume for kubernetes worker node ${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}"
size = 100
image_id = data.openstack_images_image_v2.debian12image-sto4.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.sto4
}
resource "openstack_blockstorage_volume_v3" "kubewvolumerook-sto4" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}-${replace(var.dns_suffix,".","-")}-${local.sto4dc}-rook-vol"
description = "Rook storage volume for kubernetes worker node ${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}"
size = 100
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.sto4
}
resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
count = var.workerdcreplicas # Replicas per datacenter
name = "${var.worker_name}${count.index * local.sto4indexjump + 1 + local.sto4nodenrbase}.${var.dns_suffix}"
flavor_name = "${var.worker_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.sto4
security_groups = [
resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name,
resource.openstack_networking_secgroup_v2.k8s-external-worker-sto4.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubewvolumeboot-sto4[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
block_device {
uuid = resource.openstack_blockstorage_volume_v3.kubewvolumerook-sto4[count.index].id
source_type = "volume"
destination_type = "volume"
boot_index = 1
}
scheduler_hints {
group = openstack_compute_servergroup_v2.workers-sto4.id
}
network {
port = resource.openstack_networking_port_v2.kubewport-sto4[count.index].id
}
}

48
IaC-prod/lb.tf Normal file
View file

@ -0,0 +1,48 @@
# Netowrk port
resource "openstack_networking_port_v2" "lb1-port-dco" {
name = "lb1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
network_id = data.openstack_networking_network_v2.public-dco.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
resource.openstack_networking_secgroup_v2.lb-dco.id
]
admin_state_up = "true"
provider = openstack.dco
}
# Boot volume
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "lb1volumeboot-dco" {
name = "lb1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
description = "OS volume for lb1.matrix.test.sunet.se"
size = 50
image_id = data.openstack_images_image_v2.debian12image-dco.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.dco
}
resource "openstack_compute_instance_v2" "lb1-node-dco" {
name = "lb1.${var.dns_suffix}"
flavor_name = "${var.lb_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.dco
security_groups = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
resource.openstack_networking_secgroup_v2.lb-dco.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.lb1volumeboot-dco.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
network {
port = resource.openstack_networking_port_v2.lb1-port-dco.id
}
}

33
IaC-prod/main.tf Normal file
View file

@ -0,0 +1,33 @@
# Define required providers
terraform {
required_version = ">= 0.14.0"
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
version = "~> 1.53.0"
}
}
}
# Configure the OpenStack Provider
provider "openstack" {
cloud = "${var.clouddco_name}"
}
# DCO Matrix Test
provider "openstack" {
cloud = "${var.clouddco_name}"
alias = "dco"
}
# STO3 Matrix test
provider "openstack" {
cloud = "${var.cloudsto3_name}"
alias = "sto3"
}
# STO4 Matrix test
provider "openstack" {
cloud = "${var.cloudsto4_name}"
alias = "sto4"
}

46
IaC-prod/mgmt.tf Normal file
View file

@ -0,0 +1,46 @@
# Netowrk port
resource "openstack_networking_port_v2" "mgmt1-port-dco" {
name = "mgmt1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-port"
network_id = data.openstack_networking_network_v2.public-dco.id
# A list of security group ID
security_group_ids = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
]
admin_state_up = "true"
provider = openstack.dco
}
# Boot volume
# Boot volume for node
resource "openstack_blockstorage_volume_v3" "mgmt1volumeboot-dco" {
name = "mgmt1-${replace(var.dns_suffix,".","-")}-${local.dcodc}-vol"
description = "OS volume for mgmt1.matrix.test.sunet.se"
size = 50
image_id = data.openstack_images_image_v2.debian12image-dco.id
enable_online_resize = true # Allow us to resize volume while attached.
provider = openstack.dco
}
resource "openstack_compute_instance_v2" "mgmt1-node-dco" {
name = "mgmt1.${var.dns_suffix}"
flavor_name = "${var.lb_instance_type}"
key_pair = "${var.keynameworkers}"
provider = openstack.dco
security_groups = [
resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
]
block_device {
uuid = resource.openstack_blockstorage_volume_v3.mgmt1volumeboot-dco.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
network {
port = resource.openstack_networking_port_v2.mgmt1-port-dco.id
}
}

18
IaC-prod/network.tf Normal file
View file

@ -0,0 +1,18 @@
data "openstack_networking_network_v2" "public" {
name = "public" # Name of network to use.
}
data "openstack_networking_network_v2" "public-dco" {
name = "public" # Name of network to use.
provider = openstack.dco
}
data "openstack_networking_network_v2" "public-sto4" {
name = "public" # Name of network to use.
provider = openstack.sto4
}
data "openstack_networking_network_v2" "public-sto3" {
name = "public" # Name of network to use.
provider = openstack.sto3
}

177
IaC-prod/securitygroups-k8s-dco.tf Normal file
View file

@ -0,0 +1,177 @@
# Security groups dco
resource "openstack_networking_secgroup_v2" "microk8s-dco" {
name = "microk8s"
description = "Traffic to allow between microk8s hosts"
provider=openstack.dco
}
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-dco" {
name = "ssh-from-jumphosts"
description = "Allow ssh traffic from sunet jumphosts."
provider=openstack.dco
}
#
# Security group rules for microk8s
#
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_dco" {
count = length(var.k8sports)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
port_range_min = keys(var.k8sports[count.index])[0]
port_range_max = keys(var.k8sports[count.index])[0]
provider = openstack.dco
remote_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_dco" {
count = length(var.k8sports)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
port_range_min = keys(var.k8sports[count.index])[0]
port_range_max = keys(var.k8sports[count.index])[0]
provider = openstack.dco
remote_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
#
# From STO3 to DCO
#
# Control nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto3_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
provider = openstack.dco
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto3_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
provider = openstack.dco
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
# Worker nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
provider = openstack.dco
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
provider = openstack.dco
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
#
# From STO4 to DCO
#
#Controllers
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
provider = openstack.dco
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
provider = openstack.dco
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
# Workers
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
provider = openstack.dco
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_dco" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
provider = openstack.dco
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}
#
# Security group rules for ssh-from-jump-hosts
#
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-dco" {
count = length(var.jumphostv4-ips)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.dco
remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-dco" {
count = length(var.jumphostv6-ips)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.dco
remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
}

125
IaC-prod/securitygroups-k8s-external.tf Normal file
View file

@ -0,0 +1,125 @@
# Security groups for external acccess k8s control nodes in dco.
resource "openstack_networking_secgroup_v2" "k8s-external-control-dco" {
name = "k8s-external"
description = "External ingress traffic to k8s control nodes."
provider=openstack.dco
}
# Security groups for external acccess k8s control nodes in sto3.
resource "openstack_networking_secgroup_v2" "k8s-external-control-sto3" {
name = "k8s-external"
description = "External ingress traffic to k8s control nodes."
provider=openstack.sto3
}
# Security groups for external acccess k8s control nodes in sto4.
resource "openstack_networking_secgroup_v2" "k8s-external-control-sto4" {
name = "k8s-external"
description = "External ingress traffic to k8s control nodes."
provider=openstack.sto4
}
# Rules dco
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.dco
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-control-dco.id
}
# Rules sto3
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto3" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.sto3
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto3.id
}
# Rules sto4
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_control_rule1_v4_sto4" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.sto4
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-control-sto4.id
}
# Security groups for external acccess k8s worker nodes in dco.
resource "openstack_networking_secgroup_v2" "k8s-external-worker-dco" {
name = "k8s-external-worker"
description = "External ingress traffic to k8s worker nodes."
provider=openstack.dco
}
# Security groups for external acccess k8s worker nodes in sto3.
resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto3" {
name = "k8s-external-worker"
description = "External ingress traffic to k8s worker nodes."
provider=openstack.sto3
}
# Security groups for external acccess k8s worker nodes in sto4.
resource "openstack_networking_secgroup_v2" "k8s-external-worker-sto4" {
name = "k8s-external-worker"
description = "External ingress traffic to k8s worker nodes."
provider=openstack.sto4
}
# Rules dco
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.dco
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
}
# Rules sto3
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto3" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.sto3
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto3.id
}
# Rules sto4
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule1_v4_sto4" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.sto4
remote_ip_prefix = "89.47.191.43/32"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-sto4.id
}
# Rules sto4
resource "openstack_networking_secgroup_rule_v2" "k8s_external_ingress_worker_rule2_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.dco
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.k8s-external-worker-dco.id
}

177
IaC-prod/securitygroups-k8s-sto3.tf Normal file
View file

@ -0,0 +1,177 @@
# Security groups sto3
resource "openstack_networking_secgroup_v2" "microk8s-sto3" {
name = "microk8s"
description = "Traffic to allow between microk8s hosts"
provider=openstack.sto3
}
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto3" {
name = "ssh-from-jumphosts"
description = "Allow ssh traffic from sunet jumphosts."
provider=openstack.sto3
}
#
# Security group rules for microk8s
#
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto3" {
count = length(var.k8sports)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
port_range_min = keys(var.k8sports[count.index])[0]
port_range_max = keys(var.k8sports[count.index])[0]
provider = openstack.sto3
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto3" {
count = length(var.k8sports)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
port_range_min = keys(var.k8sports[count.index])[0]
port_range_max = keys(var.k8sports[count.index])[0]
provider = openstack.sto3
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
#
# From DCO to STO3
#
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
# Worker nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
#
# From STO4 to STO3
#
# Controllers
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
# Workers
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_sto3" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
provider = openstack.sto3
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}
#
# Security group rules for ssh-from-jump-hosts
#
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto3" {
count = length(var.jumphostv4-ips)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.sto3
remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto3" {
count = length(var.jumphostv6-ips)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.sto3
remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
}

177
IaC-prod/securitygroups-k8s-sto4.tf Normal file
View file

@ -0,0 +1,177 @@
# Security groups sto4
resource "openstack_networking_secgroup_v2" "microk8s-sto4" {
name = "microk8s"
description = "Traffic to allow between microk8s hosts"
provider=openstack.sto4
}
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto4" {
name = "ssh-from-jumphosts"
description = "Allow ssh traffic from sunet jumphosts."
provider=openstack.sto4
}
#
# Security group rules for microk8s
#
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto4" {
count = length(var.k8sports)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
port_range_min = keys(var.k8sports[count.index])[0]
port_range_max = keys(var.k8sports[count.index])[0]
provider = openstack.sto4
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto4" {
count = length(var.k8sports)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
port_range_min = keys(var.k8sports[count.index])[0]
port_range_max = keys(var.k8sports[count.index])[0]
provider = openstack.sto4
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
#
# DCO to STO4
#
# Controllers
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# Workers
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
#
# From STO3 to STO4
#
# Control nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto3_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto3_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# Worker nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
direction = "ingress"
ethertype = "IPv4"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4, "32" ])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_sto4" {
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
direction = "ingress"
ethertype = "IPv6"
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
provider = openstack.sto4
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"])
security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
#
# Security group rules for ssh-from-jump-hosts
#
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto4" {
count = length(var.jumphostv4-ips)
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.sto4
remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto4" {
count = length(var.jumphostv6-ips)
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = "22"
port_range_max = "22"
provider = openstack.sto4
remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
}

109
IaC-prod/securitygroups-lb.tf Normal file
View file

@ -0,0 +1,109 @@
# Security groups lb-frontend
resource "openstack_networking_secgroup_v2" "lb-dco" {
name = "lb-frontend"
description = "Ingress lb traffic to allow."
provider=openstack.dco
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "8443"
port_range_max = "8443"
provider = openstack.dco
remote_ip_prefix = "87.251.31.118/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule2_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.dco
remote_ip_prefix = "87.251.31.118/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
# From mgmt1
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule3_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.dco
remote_ip_prefix = "89.47.191.66/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule4_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "80"
port_range_max = "80"
provider = openstack.dco
remote_ip_prefix = "89.47.191.66/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule5_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "443"
port_range_max = "443"
provider = openstack.dco
remote_ip_prefix = "89.47.191.66/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule6_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "8443"
port_range_max = "8443"
provider = openstack.dco
remote_ip_prefix = "89.47.191.66/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule7_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "8080"
port_range_max = "8080"
provider = openstack.dco
remote_ip_prefix = "89.47.191.66/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule8_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.dco
remote_ip_prefix = "89.47.184.88/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}
resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule9_v4_dco" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = "16443"
port_range_max = "16443"
provider = openstack.dco
remote_ip_prefix = "130.242.121.23/32"
security_group_id = openstack_networking_secgroup_v2.lb-dco.id
}

11
IaC-prod/servergroups-dco.tf Normal file
View file

@ -0,0 +1,11 @@
resource "openstack_compute_servergroup_v2" "workers-dco" {
name = "workers"
policies = ["anti-affinity"]
provider = openstack.dco
}
resource "openstack_compute_servergroup_v2" "controllers-dco" {
name = "controllers"
policies = ["anti-affinity"]
provider = openstack.dco
}

11
IaC-prod/servergroups-sto3.tf Normal file
View file

@ -0,0 +1,11 @@
resource "openstack_compute_servergroup_v2" "workers-sto3" {
name = "workers"
policies = ["anti-affinity"]
provider = openstack.sto3
}
resource "openstack_compute_servergroup_v2" "controllers-sto3" {
name = "controllers"
policies = ["anti-affinity"]
provider = openstack.sto3
}

11
IaC-prod/servergroups-sto4.tf Normal file
View file

@ -0,0 +1,11 @@
resource "openstack_compute_servergroup_v2" "workers-sto4" {
name = "workers"
policies = ["anti-affinity"]
provider = openstack.sto4
}
resource "openstack_compute_servergroup_v2" "controllers-sto4" {
name = "controllers"
policies = ["anti-affinity"]
provider = openstack.sto4
}

9
IaC-prod/servergroups.tf Normal file
View file

@ -0,0 +1,9 @@
resource "openstack_compute_servergroup_v2" "workers" {
name = "workers"
policies = ["anti-affinity"]
}
resource "openstack_compute_servergroup_v2" "controllers" {
name = "controllers"
policies = ["anti-affinity"]
}

98
IaC-prod/vars.tf Normal file
View file

@ -0,0 +1,98 @@
variable "datacenter_name" {
type = string
default = "dco"
}
variable "datacenters" {
type = list(string)
default = [ "dco", "sto3", "sto4" ]
}
# Cloud names in clouds.yaml file
variable "clouddco_name" {
type = string
default = "dco-matrixprod"
}
variable "cloudsto3_name" {
type = string
default = "sto3-matrixprod"
}
variable "cloudsto4_name" {
type = string
default = "sto4-matrixprod"
}
variable "keyname" {
type = string
default = "manderssonpub3"
}
variable "keynameworkers" {
type = string
default = "manderssonpub3"
}
# Replicas per datacenter
variable "workerdcreplicas" {
default = "2"
}
# Replicas per datacenter
variable "controllerdcreplicas" {
default = "1"
}
variable "controller_instance_type" {
default = "b2.c2r4"
}
variable "worker_instance_type" {
default = "b2.c4r16"
}
variable "lb_instance_type" {
default = "b2.c2r4"
}
variable "mgmt_instance_type" {
default = "b2.c2r4"
}
variable "worker_name" {
default = "k8sw"
}
variable "controller_name" {
default = "k8sc"
}
variable "dns_suffix" {
default = "matrix.sunet.se"
}
variable "k8sports" {
default=[
{"16443" = "tcp"},
{"10250" = "tcp"},
{"10255" = "tcp"},
{"25000" = "tcp"},
{"12379" = "tcp"},
{"10257" = "tcp"},
{"10259" = "tcp"},
{"19001" = "tcp"},
{"4789" = "udp"},
{"51820" = "udp"}
]
}
variable jumphostv4-ips {
type = list(string)
default = []
}
variable jumphostv6-ips {
type = list(string)
default = []
}