Merge pull request #7727 from shiftstack/add-support-byon-dualstack-upi

OSASINFRA-3261: OpenStack: support dualstack in UPI

upi/openstack/bootstrap.yaml

@@ -19,6 +19,18 @@
       - "{{ os_sg_master }}"
       allowed_address_pairs:
       - ip_address: "{{ os_apiVIP }}"
+    when: os_subnet6 is not defined
+
+  - name: 'Create the bootstrap dualstack server port'
+    os_port:
+      name: "{{ os_port_bootstrap }}"
+      network: "{{ os_network }}"
+      security_groups:
+      - "{{ os_sg_master }}"
+      allowed_address_pairs:
+      - ip_address: "{{ os_apiVIP }}"
+      - ip_address: "{{ os_apiVIP6 }}"
+    when: os_subnet6 is defined
 
   - name: 'Set bootstrap port tag'
     command:

upi/openstack/common.yaml

@@ -10,12 +10,6 @@
       cluster_id_tag: "openshiftClusterID={{ infraID }}"
       primary_cluster_network_tag: "{{ infraID }}-primaryClusterNetwork"
       os_infra_id: "{{ infraID }}"
-      os_network: "{{ infraID }}-network"
-      os_subnet: "{{ infraID }}-nodes"
-      os_router: "{{ infraID }}-external-router"
-      # Port names
-      os_port_api: "{{ infraID }}-api-port"
-      os_port_ingress: "{{ infraID }}-ingress-port"
       os_port_bootstrap: "{{ infraID }}-bootstrap-port"
       os_port_master: "{{ infraID }}-master-port"
       os_port_worker: "{{ infraID }}-worker-port"

upi/openstack/compute-nodes.yaml

@@ -21,6 +21,20 @@
       - ip_address: "{{ os_ingressVIP }}"
     with_indexed_items: "{{ [os_port_worker] * os_compute_nodes_number }}"
     register: ports
+    when: os_subnet6 is not defined
+
+  - name: 'Create the dualstack Compute ports'
+    openstack.cloud.port:
+      name: "{{ item.1 }}-{{ item.0 }}"
+      network: "{{ os_network }}"
+      security_groups:
+      - "{{ os_sg_worker }}"
+      allowed_address_pairs:
+      - ip_address: "{{ os_ingressVIP }}"
+      - ip_address: "{{ os_ingressVIP6 }}"
+    with_indexed_items: "{{ [os_port_worker] * os_compute_nodes_number }}"
+    register: ports
+    when: os_subnet6 is defined
 
   - name: 'Set Compute ports tag'
     ansible.builtin.command:

upi/openstack/control-plane.yaml

@@ -22,6 +22,22 @@
       - ip_address: "{{ os_ingressVIP }}"
     with_indexed_items: "{{ [os_port_master] * os_cp_nodes_number }}"
     register: ports
+    when: os_subnet6 is not defined
+
+  - name: 'Create the dualstack Control Plane ports'
+    openstack.cloud.port:
+      name: "{{ item.1 }}-{{ item.0 }}"
+      network: "{{ os_network }}"
+      security_groups:
+      - "{{ os_sg_master }}"
+      allowed_address_pairs:
+      - ip_address: "{{ os_apiVIP }}"
+      - ip_address: "{{ os_apiVIP6 }}"
+      - ip_address: "{{ os_ingressVIP }}"
+      - ip_address: "{{ os_ingressVIP6 }}"
+    with_indexed_items: "{{ [os_port_master] * os_cp_nodes_number }}"
+    register: ports
+    when: os_subnet6 is defined
 
   - name: 'Set Control Plane ports tag'
     ansible.builtin.command:

upi/openstack/inventory.yaml

@@ -4,10 +4,15 @@ all:
       ansible_connection: local
       ansible_python_interpreter: "{{ansible_playbook_python}}"
 
+      # Network resource names
+      os_network: ocp-network
+      os_port_api: ocp-api-port
+      os_port_ingress: ocp-ingress-port
+      os_router: ocp-external-router
+      os_subnet: ocp-subnet-v4
+
       # User-provided values
       os_subnet_range: '10.0.0.0/16'
-      # uncomment for dual stack
-      # os_subnet6_range: 'd2e:6f44:5dd8:c956::/64'
       os_flavor_master: 'm1.xlarge'
       os_flavor_worker: 'm1.large'
       os_image_rhcos: 'rhcos'
@@ -52,15 +57,43 @@ all:
       # in case of install failure.
       os_bootstrap_fip: '203.0.113.20'
 
-      # An IP address that will be assigned to the API VIP.
+      # An IPv4 address that will be assigned to the API VIP.
       # Be aware that the 10 and 11 of the machineNetwork will
       # be taken by neutron dhcp by default, and wont be available.
+      # This value will be overwritten by the network.yaml playbook.
       os_apiVIP: "{{ os_subnet_range | ansible.utils.next_nth_usable(5) }}"
 
-      # An IP address that will be assigned to the ingress VIP.
+      # An IPv4 address that will be assigned to the ingress VIP.
       # Be aware that the 10 and 11 of the machineNetwork will
       # be taken by neutron dhcp by default, and wont be available.
+      # This value will be overwritten by the network.yaml playbook.
       os_ingressVIP: "{{ os_subnet_range | ansible.utils.next_nth_usable(7) }}"
 
-      # Set control-plane nodes to schedule workloads when number of compute nodes is zero
+      # Set control-plane nodes to schedule workloads when number of compute
+      # nodes is zero
       os_master_schedulable: "{{ os_compute_nodes_number | int == 0 }}"
+
+      # Name of the IPv6 subnet. Uncomment to enable dual-stack support
+      #os_subnet6: ocp-subnet-v6
+
+      # IPv6 subnet CIDR
+      os_subnet6_range: 'fd2e:6f44:5dd8:c956::/64'
+
+      # Modes are one of: slaac, dhcpv6-stateful or dhcpv6-stateless
+      os_subnet6_address_mode: slaac
+      os_subnet6_router_advertisements_mode: slaac
+
+      # IPv6 service subnet cidr
+      service_subnet6_range: 'fd02::/112'
+
+      # IPv6 cluster network details
+      cluster_network6_cidr: 'fd01::/48'
+      cluster_network6_prefix: 64
+
+      # An IPv6 address that will be assigned to the API VIP.
+      # This value will be overwritten by the network.yaml playbook.
+      os_apiVIP6: ""
+
+      # An IPv6 address that will be assigned to the ingress VIP.
+      # This value will be overwritten by the network.yaml playbook.
+      os_ingressVIP6: ""

upi/openstack/network.yaml

@@ -5,21 +5,15 @@
 # openstacksdk
 # netaddr
 
-- ansible.builtin.import_playbook: common.yaml
-
 - hosts: all
   gather_facts: no
 
   tasks:
-  - name: 'Create the primary cluster network'
+  - name: 'Create the cluster network'
     openstack.cloud.network:
       name: "{{ os_network }}"
 
-  - name: 'Set tags on the  primary cluster network'
-    ansible.builtin.command:
-      cmd: "openstack network set --tag {{ primary_cluster_network_tag }} --tag {{ cluster_id_tag }} {{ os_network }}"
-
-  - name: 'Create the primary cluster subnet'
+  - name: 'Create the cluster IPv4 subnet'
     openstack.cloud.subnet:
       name: "{{ os_subnet }}"
       network_name: "{{ os_network }}"
@@ -28,9 +22,15 @@
       allocation_pool_end: "{{ os_subnet_range | ansible.utils.ipaddr('last_usable') }}"
       dns_nameservers: "{{ os_external_dns }}"
 
-  - name: 'Set tags on  primary cluster subnet'
-    ansible.builtin.command:
-      cmd: "openstack subnet set --tag {{ cluster_id_tag }} {{ os_subnet }}"
+  - name: 'Create the cluster IPv6 subnet'
+    openstack.cloud.subnet:
+      name: "{{ os_subnet6 }}"
+      network_name: "{{ os_network }}"
+      cidr: "{{ os_subnet6_range }}"
+      ip_version: 6
+      ipv6_address_mode: "{{ os_subnet6_address_mode }}"
+      ipv6_ra_mode: "{{ os_subnet6_router_advertisements_mode }}"
+    when: os_subnet6 is defined
 
   - name: 'Create external router'
     openstack.cloud.router:
@@ -40,49 +40,100 @@
       - "{{ os_subnet }}"
     when: os_external_network is defined and os_external_network|length>0
 
-  - name: 'Set external router tag'
-    ansible.builtin.command:
-      cmd: "openstack router set --tag {{ cluster_id_tag }} {{ os_router }}"
-    when: os_external_network is defined and os_external_network|length>0
+  - name: 'Add IPv6 subnet to the external router'
+    openstack.cloud.router:
+      name: "{{ os_router }}"
+      interfaces:
+      - "{{ os_subnet }}"
+      - "{{ os_subnet6 }}"
+    when:
+    - os_subnet6 is defined
+    - os_external_network is defined and os_external_network|length>0
 
   - name: 'Create the API port'
     openstack.cloud.port:
       name: "{{ os_port_api }}"
       network: "{{ os_network }}"
-      security_groups:
-      - "{{ os_sg_master }}"
       fixed_ips:
       - subnet: "{{ os_subnet }}"
         ip_address: "{{ os_apiVIP }}"
+    register: _api_ports
+    when: os_subnet6 is not defined
 
-  - name: 'Set API port tag'
-    ansible.builtin.command:
-      cmd: "openstack port set --tag {{ cluster_id_tag }} {{ os_port_api }}"
+  - set_fact:
+      api_ports: "{{ _api_ports }}"
+    when: _api_ports.changed
+
+  - name: 'Create the dualstack API port'
+    openstack.cloud.port:
+      name: "{{ os_port_api }}"
+      network: "{{ os_network }}"
+    register: _api_ports
+    when: os_subnet6 is defined
+
+  - set_fact:
+      api_ports: "{{ _api_ports }}"
+    when: _api_ports.changed
 
   - name: 'Create the Ingress port'
     openstack.cloud.port:
       name: "{{ os_port_ingress }}"
       network: "{{ os_network }}"
-      security_groups:
-      - "{{ os_sg_worker }}"
       fixed_ips:
       - subnet: "{{ os_subnet }}"
         ip_address: "{{ os_ingressVIP }}"
+    register: _ingress_ports
+    when: os_subnet6 is not defined
 
-  - name: 'Set the Ingress port tag'
-    ansible.builtin.command:
-      cmd: "openstack port set --tag {{ cluster_id_tag }} {{ os_port_ingress }}"
+  - set_fact:
+      ingress_ports: "{{ _ingress_ports }}"
+    when: _ingress_ports.changed
 
-  # NOTE: openstack ansible module doesn't allow attaching Floating IPs to
-  # ports, let's use the CLI instead
-  - name: 'Attach the API floating IP to API port'
-    ansible.builtin.command:
-      cmd: "openstack floating ip set --port {{ os_port_api }} {{ os_api_fip }}"
-    when: os_api_fip is defined and os_api_fip|length>0
+  - name: 'Create the dualstack Ingress port'
+    openstack.cloud.port:
+      name: "{{ os_port_ingress }}"
+      network: "{{ os_network }}"
+    register: _ingress_ports
+    when: os_subnet6 is defined
 
-  # NOTE: openstack ansible module doesn't allow attaching Floating IPs to
-  # ports, let's use the CLI instead
-  - name: 'Attach the Ingress floating IP to Ingress port'
-    ansible.builtin.command:
-      cmd: "openstack floating ip set --port {{ os_port_ingress }} {{ os_ingress_fip }}"
-    when: os_ingress_fip is defined and os_ingress_fip|length>0
+  - set_fact:
+      ingress_ports: "{{ _ingress_ports }}"
+    when: _ingress_ports.changed
+
+  - name: 'Populate inventory with API addresses'
+    shell: |
+      python -c 'import yaml
+      path = "inventory.yaml"
+      ipv4 = "{{ item.ip_address|ansible.utils.ipv4 }}"
+      ipv6 = "{{ item.ip_address|ansible.utils.ipv6 }}"
+      if ipv4 != "False":
+        key = "os_apiVIP"
+        ip = ipv4
+      else:
+        key = "os_apiVIP6"
+        ip = ipv6
+      data = yaml.safe_load(open(path))
+      data["all"]["hosts"]["localhost"][key] = ip
+      open(path, "w").write(yaml.dump(data, default_flow_style=False))'
+    when:
+    - api_ports.port is defined
+    loop: "{{ api_ports.port.fixed_ips }}"
+
+  - name: 'Populate inventory with Ingress addresses'
+    shell: |
+      python -c 'import yaml
+      path = "inventory.yaml"
+      ipv4 = "{{ item.ip_address|ansible.utils.ipv4 }}"
+      ipv6 = "{{ item.ip_address|ansible.utils.ipv6 }}"
+      if ipv4 != "False":
+        key = "os_ingressVIP"
+        ip = ipv4
+      else:
+        key = "os_ingressVIP6"
+        ip = ipv6
+      data = yaml.safe_load(open(path))
+      data["all"]["hosts"]["localhost"][key] = ip
+      open(path, "w").write(yaml.dump(data, default_flow_style=False))'
+    when:
+    - ingress_ports.port is defined
+    loop: "{{ ingress_ports.port.fixed_ips }}"

upi/openstack/security-groups.yaml

@@ -70,17 +70,6 @@
       port_range_min: 6443
       port_range_max: 6443
 
-  - name: 'Create master-sg IPv6 rule "OpenShift API"'
-    openstack.cloud.security_group_rule:
-      security_group: "{{ os_sg_master }}"
-      ether_type: IPv6
-      protocol: tcp
-      port_range_min: 6443
-      port_range_max: 6443
-    when:
-    - os_subnet6_range is defined
-    - "{{ os_subnet6_range|ansible.utils.ipv6 }}"
-
   - name: 'Create master-sg rule "VXLAN"'
     openstack.cloud.security_group_rule:
       security_group: "{{ os_sg_master }}"
@@ -236,17 +225,6 @@
       port_range_min: 80
       port_range_max: 80
 
-  - name: 'Create worker-sg IPv6 rule "Ingress HTTP"'
-    openstack.cloud.security_group_rule:
-      security_group: "{{ os_sg_worker }}"
-      ether_type: IPv6
-      protocol: tcp
-      port_range_min: 80
-      port_range_max: 80
-    when:
-    - os_subnet6_range is defined
-    - "{{ os_subnet6_range|ansible.utils.ipv6 }}"
-
   - name: 'Create worker-sg rule "Ingress HTTPS"'
     openstack.cloud.security_group_rule:
       security_group: "{{ os_sg_worker }}"
@@ -254,17 +232,6 @@
       port_range_min: 443
       port_range_max: 443
 
-  - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"'
-    openstack.cloud.security_group_rule:
-      security_group: "{{ os_sg_worker }}"
-      ether_type: IPv6
-      protocol: tcp
-      port_range_min: 443
-      port_range_max: 443
-    when:
-    - os_subnet6_range is defined
-    - "{{ os_subnet6_range|ansible.utils.ipv6 }}"
-
   - name: 'Create worker-sg rule "router"'
     openstack.cloud.security_group_rule:
       security_group: "{{ os_sg_worker }}"
@@ -350,3 +317,60 @@
       security_group: "{{ os_sg_worker }}"
       protocol: '112'
       remote_ip_prefix: "{{ os_subnet_range }}"
+
+  - name: 'Create security groups for IPv6'
+    block:
+    - name: 'Create master-sg IPv6 rule "OpenShift API"'
+      openstack.cloud.security_group_rule:
+        security_group: "{{ os_sg_master }}"
+        ether_type: IPv6
+        protocol: tcp
+        port_range_min: 6443
+        port_range_max: 6443
+
+    - name: 'Create worker-sg IPv6 rule "Ingress HTTP"'
+      openstack.cloud.security_group_rule:
+        security_group: "{{ os_sg_worker }}"
+        ether_type: IPv6
+        protocol: tcp
+        port_range_min: 80
+        port_range_max: 80
+
+    - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"'
+      openstack.cloud.security_group_rule:
+        security_group: "{{ os_sg_worker }}"
+        ether_type: IPv6
+        protocol: tcp
+        port_range_min: 443
+        port_range_max: 443
+
+    - name: 'Create master-sg rule "master ingress HTTP (TCP)"'
+      openstack.cloud.security_group_rule:
+        security_group: "{{ os_sg_master }}"
+        ether_type: IPv6
+        protocol: tcp
+        port_range_min: 80
+        port_range_max: 80
+      when: os_master_schedulable is defined and os_master_schedulable
+
+    - name: 'Create master-sg rule "master ingress HTTPS (TCP)"'
+      openstack.cloud.security_group_rule:
+        security_group: "{{ os_sg_master }}"
+        ether_type: IPv6
+        protocol: tcp
+        port_range_min: 443
+        port_range_max: 443
+      when: os_master_schedulable is defined and os_master_schedulable
+
+    - name: 'Create master-sg rule "router"'
+      openstack.cloud.security_group_rule:
+        security_group: "{{ os_sg_master }}"
+        ether_type: IPv6
+        protocol: tcp
+        remote_ip_prefix: "{{ os_subnet_range }}"
+        port_range_min: 1936
+        port_range_max: 1936
+      when: os_master_schedulable is defined and os_master_schedulable
+
+    when:
+      when: os_subnet6 is defined

upi/openstack/update-network-resources.yaml

@@ -0,0 +1,60 @@
+# Required Python packages:
+#
+# ansible
+# openstackclient
+# openstacksdk
+# netaddr
+
+- ansible.builtin.import_playbook: common.yaml
+
+- hosts: all
+  gather_facts: no
+
+  tasks:
+  - name: 'Set tags on the primary cluster network'
+    ansible.builtin.command:
+      cmd: "openstack network set --tag {{ primary_cluster_network_tag }} --tag {{ cluster_id_tag }} {{ os_network }}"
+
+  - name: 'Set tags on primary cluster subnet IPv4'
+    ansible.builtin.command:
+      cmd: "openstack subnet set --tag {{ cluster_id_tag }} {{ os_subnet }}"
+
+  - name: 'Set tags on primary cluster subnet IPv6'
+    ansible.builtin.command:
+      cmd: "openstack subnet set --tag {{ cluster_id_tag }} {{ os_subnet6 }}"
+    when: os_subnet6 is defined
+
+  - name: 'Set tags on the API VIP port'
+    ansible.builtin.command:
+      cmd: "openstack port set --tag {{ cluster_id_tag }} {{ os_port_api }}"
+
+  - name: 'Set tags on the Ingress VIP port'
+    ansible.builtin.command:
+      cmd: "openstack port set --tag {{ cluster_id_tag }} {{ os_port_ingress }}"
+
+  - name: 'Set external router tag'
+    ansible.builtin.command:
+      cmd: "openstack router set --tag {{ cluster_id_tag }} {{ os_router }}"
+    when: os_external_network is defined and os_external_network|length>0
+
+  # NOTE: openstack ansible module doesn't allow attaching Floating IPs to
+  # ports, let's use the CLI instead
+  - name: 'Attach the API floating IP to API port'
+    ansible.builtin.command:
+      cmd: "openstack floating ip set --port {{ os_port_api }} {{ os_api_fip }}"
+    when: os_api_fip is defined and os_api_fip|length>0
+
+  # NOTE: openstack ansible module doesn't allow attaching Floating IPs to
+  # ports, let's use the CLI instead
+  - name: 'Attach the Ingress floating IP to Ingress port'
+    ansible.builtin.command:
+      cmd: "openstack floating ip set --port {{ os_port_ingress }} {{ os_ingress_fip }}"
+    when: os_ingress_fip is defined and os_ingress_fip|length>0
+
+  - name: 'Set security group to api port'
+    ansible.builtin.command:
+      cmd: "openstack port set --security-group {{ os_sg_master }} {{ os_port_api }}"
+
+  - name: 'Set security group to ingress port'
+    ansible.builtin.command:
+      cmd: "openstack port set --security-group {{ os_sg_worker }} {{ os_port_ingress }}"