From 48922dc6e31e751b74c50cf76a802395f14ea25c Mon Sep 17 00:00:00 2001
From: Sergiusz Urbaniak
Date: Wed, 22 Feb 2017 16:57:11 +0100
Subject: [PATCH] network: move etcd and worker nodes to a private subnet

Currently all nodes are exposed on the default public network. This fixes it by only exposing the master nodes on the public network and restricts etcd and worker nodes on a private subnet.
---
 openstack/config.tf          | 12 +++++++++++-
 openstack/controller.tf      | 13 +++++++++++--
 openstack/dns.tf             | 17 -----------------
 openstack/etcd.tf            |  8 ++++++--
 openstack/network.tf         | 25 +++++++++++++++++++++++++
 openstack/userdata-master.tf |  2 +-
 openstack/userdata-worker.tf |  2 +-
 openstack/workers.tf         |  6 +++++-
 8 files changed, 60 insertions(+), 25 deletions(-)
 create mode 100644 openstack/network.tf

diff --git a/openstack/config.tf b/openstack/config.tf
index d1148d86cb..d260dae22d 100644
--- a/openstack/config.tf
+++ b/openstack/config.tf
@@ -5,7 +5,7 @@ variable "flavor_id" {
 
 variable "image_id" {
   type = "string"
-  default = "3a0c0bac-fa91-4c96-bfcb-ee215ba1cd4d"
+  default = "3acad946-7dd9-487d-b76f-75c79b8d550b"
 }
 
 variable "tectonic_version" {
@@ -37,3 +37,13 @@ variable "cluster_name" {
   type = "string"
   default = "demo"
 }
+
+variable "public_network_name" {
+  type = "string"
+  default = "public"
+}
+
+variable "external_gateway_id" {
+  type = "string"
+  default = "6d6357ac-0f70-4afa-8bd7-c274cc4ea235"
+}
diff --git a/openstack/controller.tf b/openstack/controller.tf
index b0ca794665..9008996472 100644
--- a/openstack/controller.tf
+++ b/openstack/controller.tf
@@ -1,6 +1,6 @@
 resource "openstack_compute_instance_v2" "control_node" {
   count = "${var.controller_count}"
-  name = "control_node_${count.index}"
+  name = "${var.cluster_name}_control_node_${count.index}"
   image_id = "${var.image_id}"
   flavor_id = "${var.flavor_id}"
   key_pair = "${openstack_compute_keypair_v2.k8s_keypair.name}"
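Review bot: `external_gateway_id` is given a concrete UUID as its default in the second config.tf hunk, so a deployment that forgets to set it silently attaches the cluster router to whatever that ID names in the target cloud, or fails with an opaque Neutron error; environment-specific IDs are better left without a default so Terraform prompts for them, and the same applies to the `image_id` default changed in the first hunk. Suggest `variable "external_gateway_id" { type = "string" }` with a `description = "ID of the external (provider) network used as the router gateway"` so the value is both required and explained. `public_network_name` defaulting to `public` is a reasonable convention, but a one-line description stating that it must be a network reachable from outside the cloud would help the next operator.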
@@ -12,10 +12,19 @@ resource "openstack_compute_instance_v2" "control_node" {
 
   user_data = "${data.template_file.userdata-master.*.rendered[count.index]}"
   config_drive = false
+
+  network {
+    uuid = "${openstack_networking_network_v2.network.id}"
+  }
+
+  network {
+    name = "${var.public_network_name}"
+    access_network = true
+  }
 }
 
 resource "openstack_compute_secgroup_v2" "k8s_control_group" {
-  name = "k8s_control_group"
+  name = "${var.cluster_name}_control_group"
   description = "security group for k8s controllers: SSH and https"
 
   rule {
diff --git a/openstack/dns.tf b/openstack/dns.tf
index 804bbffef0..5810032736 100644
--- a/openstack/dns.tf
+++ b/openstack/dns.tf
@@ -18,14 +18,6 @@ resource "aws_route53_record" "tectonic-console" {
   records = ["${openstack_compute_instance_v2.worker_node.*.access_ip_v4}"]
 }
 
-resource "aws_route53_record" "etcd" {
-  zone_id = "${data.aws_route53_zone.tectonic.zone_id}"
-  name = "${var.cluster_name}-etc"
-  type = "A"
-  ttl = "60"
-  records = ["${openstack_compute_instance_v2.etcd_node.*.access_ip_v4}"]
-}
-
 resource "aws_route53_record" "controller_nodes" {
   count = "${var.controller_count}"
   zone_id = "${data.aws_route53_zone.tectonic.zone_id}"
@@ -34,12 +26,3 @@ resource "aws_route53_record" "controller_nodes" {
   ttl = "60"
   records = ["${openstack_compute_instance_v2.control_node.*.access_ip_v4[count.index]}"]
 }
-
-resource "aws_route53_record" "worker_nodes" {
-  count = "${var.worker_count}"
-  zone_id = "${data.aws_route53_zone.tectonic.zone_id}"
-  name = "${var.cluster_name}-worker-${count.index}"
-  type = "A"
-  ttl = "60"
-  records = ["${openstack_compute_instance_v2.worker_node.*.access_ip_v4[count.index]}"]
-}
diff --git a/openstack/etcd.tf b/openstack/etcd.tf
index 7e6898a950..09451875c6 100644
--- a/openstack/etcd.tf
+++ b/openstack/etcd.tf
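Review bot: The two unnamed `network` blocks added to `control_node` carry the whole private/public split, but nothing says why the public one comes second or what `access_network = true` is for; dns.tf's `controller_nodes` record publishes `control_node.*.access_ip_v4`, so that flag is what keeps the controller DNS entries pointing at the public address rather than the 192.168.1.0/24 one. Add `# private cluster network shared with the etcd and worker nodes` above the first block and `# public network; access_network = true makes access_ip_v4 (published by dns.tf) come from this port` above the second. Which of the two ports ends up holding the instance's default route is not determined by this file and is worth confirming on a deployed controller, since the private subnet now has its own router.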
@@ -1,6 +1,6 @@
 resource "openstack_compute_instance_v2" "etcd_node" {
   count = "${var.etcd_count}"
-  name = "etcd_node_${count.index}"
+  name = "${var.cluster_name}_etcd_node_${count.index}"
   image_id = "${var.image_id}"
   flavor_id = "${var.flavor_id}"
   key_pair = "${openstack_compute_keypair_v2.k8s_keypair.name}"
@@ -12,10 +12,14 @@ resource "openstack_compute_instance_v2" "etcd_node" {
 
   user_data = "${file("${path.module}/userdata-etcd.yml")}"
   config_drive = false
+
+  network {
+    uuid = "${openstack_networking_network_v2.network.id}"
+  }
 }
 
 resource "openstack_compute_secgroup_v2" "etcd_group" {
-  name = "etcd_group"
+  name = "${var.cluster_name}_etcd_group"
   description = "security group for etcd: SSH and etcd client / cluster"
 
   rule {
diff --git a/openstack/network.tf b/openstack/network.tf
new file mode 100644
index 0000000000..9e5838d1c3
--- /dev/null
+++ b/openstack/network.tf
@@ -0,0 +1,25 @@
+resource "openstack_networking_router_v2" "router" {
+  name = "${var.cluster_name}_router"
+  admin_state_up = "true"
+  external_gateway = "${var.external_gateway_id}"
+}
+
+resource "openstack_networking_network_v2" "network" {
+  name = "${var.cluster_name}_network"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "subnet" {
+  name = "${var.cluster_name}_subnet"
+  network_id = "${openstack_networking_network_v2.network.id}"
+  cidr = "192.168.1.0/24"
+  ip_version = 4
+
+  # TOOD make this configurable
+  dns_nameservers = [ "8.8.8.8", "8.8.4.4" ]
+}
+
+resource "openstack_networking_router_interface_v2" "interface" {
+  router_id = "${openstack_networking_router_v2.router.id}"
+  subnet_id = "${openstack_networking_subnet_v2.subnet.id}"
+}
diff --git a/openstack/userdata-master.tf b/openstack/userdata-master.tf
index c7a663bd71..6d543473c0 100644
--- a/openstack/userdata-master.tf
+++ b/openstack/userdata-master.tf
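Review bot: `cidr = "192.168.1.0/24"` in the new network.tf is fixed, so the private subnet cannot be adjusted to fit an existing address plan or to avoid a range already routed in the tenant, while the `# TOOD make this configurable` comment (typo for TODO) already acknowledges the same problem for `dns_nameservers`. Promote both in one go: `variable "private_subnet_cidr" { type = "string" default = "192.168.1.0/24" }` in config.tf and `cidr = "${var.private_subnet_cidr}"` here keep today's behaviour while making it overridable. Note also that every etcd and worker node now sends its DNS lookups to the public resolvers listed here; a comment saying that these are placeholders until the variable exists would make that explicit to the operator.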
@@ -5,7 +5,7 @@ data "template_file" "userdata-master" {
   vars {
     kube_config = "${base64encode(file("${path.root}/../assets/auth/kubeconfig"))}"
     tectonic_version = "${var.tectonic_version}"
-    etcd_fqdn = "${aws_route53_record.etcd.fqdn}"
+    etcd_fqdn = "${element(openstack_compute_instance_v2.etcd_node.*.access_ip_v4, 0)}"
     ca = "${base64encode(file("${path.root}/../assets/tls/ca.crt"))}"
     client_crt = "${base64encode(file("${path.root}/../assets/tls/kubelet.crt"))}"
     client_crt_key = "${base64encode(file("${path.root}/../assets/tls/kubelet.key"))}"
diff --git a/openstack/userdata-worker.tf b/openstack/userdata-worker.tf
index 057a164ba1..4990c29ba6 100644
--- a/openstack/userdata-worker.tf
+++ b/openstack/userdata-worker.tf
@@ -5,7 +5,7 @@ data "template_file" "userdata-worker" {
   vars {
     kube_config = "${base64encode(file("${path.root}/../assets/auth/kubeconfig"))}"
     tectonic_version = "${var.tectonic_version}"
-    etcd_fqdn = "${aws_route53_record.etcd.fqdn}"
+    etcd_fqdn = "${element(openstack_compute_instance_v2.etcd_node.*.access_ip_v4, 0)}"
     ca = "${base64encode(file("${path.root}/../assets/tls/ca.crt"))}"
     client_crt = "${base64encode(file("${path.root}/../assets/tls/kubelet.crt"))}"
     client_crt_key = "${base64encode(file("${path.root}/../assets/tls/kubelet.key"))}"
diff --git a/openstack/workers.tf b/openstack/workers.tf
index dc6a80d5f2..aefcb1f4ea 100644
--- a/openstack/workers.tf
+++ b/openstack/workers.tf
@@ -1,6 +1,6 @@
 resource "openstack_compute_instance_v2" "worker_node" {
   count = "${var.worker_count}"
-  name = "worker_node_${count.index}"
+  name = "${var.cluster_name}_worker_node_${count.index}"
   image_id = "${var.image_id}"
   flavor_id = "${var.flavor_id}"
   key_pair = "${openstack_compute_keypair_v2.k8s_keypair.name}"
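Review bot: `etcd_fqdn` now receives only `element(openstack_compute_instance_v2.etcd_node.*.access_ip_v4, 0)`, the first etcd node's private address, whereas the Route53 record this replaces (removed in dns.tf) listed every etcd node; with `etcd_count` above one the API server is wired to a single member with no fallback, and the variable name no longer matches its content. The identical line is changed in the userdata-worker.tf hunk. Either hand the template the whole list, `etcd_endpoints = "${join(",", openstack_compute_instance_v2.etcd_node.*.access_ip_v4)}"`, and update the template to iterate it, or rename the var to `etcd_ip` with a comment stating that only member 0 is addressed. If the etcd serving certificate in the TLS assets was issued for the old `${var.cluster_name}-etc` name, clients dialing by IP will fail hostname verification unless that IP is in the SAN, which is worth confirming before merging.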
@@ -9,6 +9,10 @@ resource "openstack_compute_instance_v2" "worker_node" {
     role = "worker"
   }
 
+  network {
+    uuid = "${openstack_networking_network_v2.network.id}"
+  }
+
   user_data = "${data.template_file.userdata-worker.*.rendered[count.index]}"
   config_drive = false
 }
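Review bot: The worker now has only the private-network port added here, so `worker_node.*.access_ip_v4` becomes a 192.168.1.0/24 address, yet dns.tf still publishes exactly that attribute in the `tectonic-console` A record (visible as context in the first dns.tf hunk); the console name will resolve to addresses that are unroutable from outside the cloud. Either point that record at the controllers' public `access_ip_v4`, a floating IP, or a load balancer on `var.public_network_name`, or remove it in this change as was already done for `worker_nodes`. A short comment above the `network` block, `# private network only; workers are reached through the controllers`, would make the intended exposure explicit.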