network: move etcd and worker nodes to a private subnet

Currently all nodes are exposed on the default public network. This fixes it by only exposing the master nodes on the public network and restricts etcd and worker nodes on a private subnet.
2026-02-05 15:47:14 +01:00 · 2017-02-22 16:57:11 +01:00
parent 4a4f24a083
commit 48922dc6e3
8 changed files with 60 additions and 25 deletions
--- a/openstack/config.tf
+++ b/openstack/config.tf
@@ -5,7 +5,7 @@ variable "flavor_id" {

 variable "image_id" {
  type    = "string"
-  default = "3a0c0bac-fa91-4c96-bfcb-ee215ba1cd4d"
+  default = "3acad946-7dd9-487d-b76f-75c79b8d550b"
 }

 variable "tectonic_version" {
@@ -37,3 +37,13 @@ variable "cluster_name" {
  type    = "string"
  default = "demo"
 }
+
+variable "public_network_name" {
+  type    = "string"
+  default = "public"
+}
+
+variable "external_gateway_id" {
+  type    = "string"
+  default = "6d6357ac-0f70-4afa-8bd7-c274cc4ea235"
+}
--- a/openstack/controller.tf
+++ b/openstack/controller.tf
@@ -1,6 +1,6 @@
 resource "openstack_compute_instance_v2" "control_node" {
  count           = "${var.controller_count}"
-  name            = "control_node_${count.index}"
+  name            = "${var.cluster_name}_control_node_${count.index}"
  image_id        = "${var.image_id}"
  flavor_id       = "${var.flavor_id}"
  key_pair        = "${openstack_compute_keypair_v2.k8s_keypair.name}"
@@ -12,10 +12,19 @@ resource "openstack_compute_instance_v2" "control_node" {

  user_data    = "${data.template_file.userdata-master.*.rendered[count.index]}"
  config_drive = false
+
+  network {
+    uuid = "${openstack_networking_network_v2.network.id}"
+  }
+
+  network {
+    name           = "${var.public_network_name}"
+    access_network = true
+  }
 }

 resource "openstack_compute_secgroup_v2" "k8s_control_group" {
-  name        = "k8s_control_group"
+  name        = "${var.cluster_name}_control_group"
  description = "security group for k8s controllers: SSH and https"

  rule {
--- a/openstack/dns.tf
+++ b/openstack/dns.tf
@@ -18,14 +18,6 @@ resource "aws_route53_record" "tectonic-console" {
  records = ["${openstack_compute_instance_v2.worker_node.*.access_ip_v4}"]
 }

-resource "aws_route53_record" "etcd" {
-  zone_id = "${data.aws_route53_zone.tectonic.zone_id}"
-  name    = "${var.cluster_name}-etc"
-  type    = "A"
-  ttl     = "60"
-  records = ["${openstack_compute_instance_v2.etcd_node.*.access_ip_v4}"]
-}
-
 resource "aws_route53_record" "controller_nodes" {
  count   = "${var.controller_count}"
  zone_id = "${data.aws_route53_zone.tectonic.zone_id}"
@@ -34,12 +26,3 @@ resource "aws_route53_record" "controller_nodes" {
  ttl     = "60"
  records = ["${openstack_compute_instance_v2.control_node.*.access_ip_v4[count.index]}"]
 }
-
-resource "aws_route53_record" "worker_nodes" {
-  count   = "${var.worker_count}"
-  zone_id = "${data.aws_route53_zone.tectonic.zone_id}"
-  name    = "${var.cluster_name}-worker-${count.index}"
-  type    = "A"
-  ttl     = "60"
-  records = ["${openstack_compute_instance_v2.worker_node.*.access_ip_v4[count.index]}"]
-}
--- a/openstack/etcd.tf
+++ b/openstack/etcd.tf
@@ -1,6 +1,6 @@
 resource "openstack_compute_instance_v2" "etcd_node" {
  count           = "${var.etcd_count}"
-  name            = "etcd_node_${count.index}"
+  name            = "${var.cluster_name}_etcd_node_${count.index}"
  image_id        = "${var.image_id}"
  flavor_id       = "${var.flavor_id}"
  key_pair        = "${openstack_compute_keypair_v2.k8s_keypair.name}"
@@ -12,10 +12,14 @@ resource "openstack_compute_instance_v2" "etcd_node" {

  user_data    = "${file("${path.module}/userdata-etcd.yml")}"
  config_drive = false
+
+  network {
+    uuid = "${openstack_networking_network_v2.network.id}"
+  }
 }

 resource "openstack_compute_secgroup_v2" "etcd_group" {
-  name        = "etcd_group"
+  name        = "${var.cluster_name}_etcd_group"
  description = "security group for etcd: SSH and etcd client / cluster"

  rule {
--- a/openstack/network.tf
+++ b/openstack/network.tf
@@ -0,0 +1,25 @@
+resource "openstack_networking_router_v2" "router" {
+  name = "${var.cluster_name}_router"
+  admin_state_up   = "true"
+  external_gateway = "${var.external_gateway_id}"
+}
+
+resource "openstack_networking_network_v2" "network" {
+  name           = "${var.cluster_name}_network"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "subnet" {
+  name       = "${var.cluster_name}_subnet"
+  network_id = "${openstack_networking_network_v2.network.id}"
+  cidr       = "192.168.1.0/24"
+  ip_version = 4
+
+  # TOOD make this configurable
+  dns_nameservers = [ "8.8.8.8", "8.8.4.4" ]
+}
+
+resource "openstack_networking_router_interface_v2" "interface" {
+  router_id = "${openstack_networking_router_v2.router.id}"
+  subnet_id = "${openstack_networking_subnet_v2.subnet.id}"
+}
--- a/openstack/userdata-master.tf
+++ b/openstack/userdata-master.tf
@@ -5,7 +5,7 @@ data "template_file" "userdata-master" {
  vars {
    kube_config      = "${base64encode(file("${path.root}/../assets/auth/kubeconfig"))}"
    tectonic_version = "${var.tectonic_version}"
-    etcd_fqdn        = "${aws_route53_record.etcd.fqdn}"
+    etcd_fqdn        = "${element(openstack_compute_instance_v2.etcd_node.*.access_ip_v4, 0)}"
    ca               = "${base64encode(file("${path.root}/../assets/tls/ca.crt"))}"
    client_crt       = "${base64encode(file("${path.root}/../assets/tls/kubelet.crt"))}"
    client_crt_key   = "${base64encode(file("${path.root}/../assets/tls/kubelet.key"))}"
--- a/openstack/userdata-worker.tf
+++ b/openstack/userdata-worker.tf
@@ -5,7 +5,7 @@ data "template_file" "userdata-worker" {
  vars {
    kube_config      = "${base64encode(file("${path.root}/../assets/auth/kubeconfig"))}"
    tectonic_version = "${var.tectonic_version}"
-    etcd_fqdn        = "${aws_route53_record.etcd.fqdn}"
+    etcd_fqdn        = "${element(openstack_compute_instance_v2.etcd_node.*.access_ip_v4, 0)}"
    ca               = "${base64encode(file("${path.root}/../assets/tls/ca.crt"))}"
    client_crt       = "${base64encode(file("${path.root}/../assets/tls/kubelet.crt"))}"
    client_crt_key   = "${base64encode(file("${path.root}/../assets/tls/kubelet.key"))}"
--- a/openstack/workers.tf
+++ b/openstack/workers.tf
@@ -1,6 +1,6 @@
 resource "openstack_compute_instance_v2" "worker_node" {
  count     = "${var.worker_count}"
-  name      = "worker_node_${count.index}"
+  name      = "${var.cluster_name}_worker_node_${count.index}"
  image_id  = "${var.image_id}"
  flavor_id = "${var.flavor_id}"
  key_pair  = "${openstack_compute_keypair_v2.k8s_keypair.name}"
@@ -9,6 +9,10 @@ resource "openstack_compute_instance_v2" "worker_node" {
    role = "worker"
  }

+  network {
+    uuid = "${openstack_networking_network_v2.network.id}"
+  }
+
  user_data    = "${data.template_file.userdata-worker.*.rendered[count.index]}"
  config_drive = false
 }