From 6eb6e806e749f8bcab707e90fad9a8d6eb580d28 Mon Sep 17 00:00:00 2001
From: ArchiFleKs
Date: Wed, 6 Dec 2017 15:58:40 +0100
Subject: [PATCH] Update Terraform docs and authentication method

Hardcoded variables are removed from variables.tf file because it might not be suitable for all OpenStack Cloud depending on Identity API version available (between v2 or v3) and preferred authentication method.
---
 contrib/terraform/openstack/.gitignore | 4 +
 contrib/terraform/openstack/README.md | 123 ++++++++++++++++++++---
 contrib/terraform/openstack/kubespray.tf | 24 +++++
 contrib/terraform/openstack/variables.tf | 16 ---
 4 files changed, 139 insertions(+), 28 deletions(-)
 create mode 100644 contrib/terraform/openstack/.gitignore

diff --git a/contrib/terraform/openstack/.gitignore b/contrib/terraform/openstack/.gitignore
new file mode 100644
index 000000000..0e3980cbd
--- /dev/null
+++ b/contrib/terraform/openstack/.gitignore
@@ -0,0 +1,4 @@
+.terraform
+*.tfvars
+*.tfstate
+*.tfstate.backup
diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index d83952949..efdd56663 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
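Review bot: `*.tfvars` is a blanket ignore, so any sample variables file this directory expects users to copy (the README's `terraform destroy` example passes a `-var-file=` under `contrib/terraform/openstack/`) can no longer be added by contributors without `git add -f`, and the pattern does not un-track one that is already committed; an explicit `terraform.tfvars` plus `*.auto.tfvars`, or a negation such as `!*.sample.tfvars`, is more predictable. The `*.tfstate` and `*.tfstate.backup` entries are the important ones: the state file records every attribute the provider returns for each resource and is read back through the `-state=` path the README documents, so keeping it out of the repository is right, but it still sits in plain text on the operator's machine, which is worth a one-line pointer to a remote backend. Terraform also writes `crash.log` on a panic, and that file carries the debug log, so `crash.log` belongs in this list as well.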
@@ -82,23 +82,102 @@ used to deploy and provision the software requirements. #### OpenStack -Ensure your OpenStack **Identity v2** credentials are loaded in environment -variables. This can be done by downloading a credentials .rc file from your -OpenStack dashboard and sourcing it: +No provider variables are hard coded inside `variables.tf` because Terraform +supports various authentication method for OpenStack, between identity v2 and +v3 API, `openrc` or `clouds.yaml`. + +These are examples and may vary depending on your OpenStack cloud provider, +for an exhaustive list on how to authenticate on OpenStack with Terraform +please read the [OpenStack provider documentation](https://www.terraform.io/docs/providers/openstack/). + +##### Recommended method : clouds.yaml + +Newer recommended authentication method is to use a `clouds.yaml` file that can be store in : + +* `Current Directory` +* `~/.config/openstack` +* `/etc/openstack` + +`clouds.yaml` : ``` -$ source ~/.stackrc +clouds: + mycloud: + auth: + auth_url: https://openstack:5000/v3 + username: "username" + project_name: "projectname" + project_id: projectid + user_domain_name: "Default" + password: "password" + region_name: "RegionOne" + interface: "public" + identity_api_version: 3 ``` -Ensure that you have your Openstack credentials loaded into Terraform -environment variables. 
Likely via a command similar to: +If you have multiple clouds defined in your `clouds.yaml` file you can choose +the one you want to use with the environment variable `OS_CLOUD` : ``` -$ echo Setting up Terraform creds && \ - export TF_VAR_username=${OS_USERNAME} && \ - export TF_VAR_password=${OS_PASSWORD} && \ - export TF_VAR_tenant=${OS_TENANT_NAME} && \ - export TF_VAR_auth_url=${OS_AUTH_URL} +export OS_CLOUD=mycloud +``` + +##### Deprecated method : openrc + +When using classic environment variables, Terraform uses default `OS_*` +environment variables : + +With identity v2 : + +``` +source openrc + +env | grep OS + +OS_AUTH_URL=https://openstack:5000/v2.0 +OS_PROJECT_ID=projectid +OS_PROJECT_NAME=projectname +OS_USERNAME=username +OS_PASSWORD=password +OS_REGION_NAME=RegionOne +OS_INTERFACE=public +OS_IDENTITY_API_VERSION=2 +``` + +With identity v3 : + +``` +source openrc + +env | grep OS + +OS_AUTH_URL=https://openstack:5000/v3 +OS_PROJECT_ID=projectid +OS_PROJECT_NAME=username +OS_PROJECT_DOMAIN_ID=default +OS_USERNAME=username +OS_PASSWORD=password +OS_REGION_NAME=RegionOne +OS_INTERFACE=public +OS_IDENTITY_API_VERSION=3 +OS_USER_DOMAIN_NAME=Default +``` + +Terraform does not support a mix of DomainName and DomainID, choose one or the +other : + +``` +* provider.openstack: You must provide exactly one of DomainID or DomainName to authenticate by Username +``` + +``` +unset OS_USER_DOMAIN_NAME +export OS_USER_DOMAIN_ID=default + +or + +unset OS_PROJECT_DOMAIN_ID +set OS_PROJECT_DOMAIN_NAME=Default ``` ### Terraform Variables 
@@ -114,7 +193,7 @@ ones: |---------|-------------| |`cluster_name` | All OpenStack resources will use the Terraform variable`cluster_name` (default`example`) in their name to make it easier to track. For example the first compute resource will be named`example-kubernetes-1`. | |`network_name` | The name to be given to the internal network that will be generated | -|`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. | +|`dns_nameservers`| An array of DNS name server names to be used by hosts in the internal subnet. | |`floatingip_pool` | Name of the pool from which floating IPs will be allocated | |`external_net` | UUID of the external network that will be routed to | |`flavor_k8s_master`,`flavor_k8s_node`,`flavor_etcd`, `flavor_bastion`,`flavor_gfs_node` | Flavor depends on your openstack installation, you can get available flavor IDs through`nova flavor-list` | @@ -129,7 +208,21 @@ ones: |`number_of_gfs_nodes_no_floating_ip` | Number of gluster servers to provision. | | `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks | +### Terraform files + +In the root folder, the following files might be created (either by Terraform +or manually), to prevent you from pushing them accidentally they are in a +`.gitignore` file in the `terraform/openstack` directory : + +* `.terraform` +* `.tfvars` +* `.tfstate` +* `.tfstate.backup` + +You can still add them manually if you want to. + ## Initializing Terraform + Before Terraform can operate on your cluster you need to install required plugins. This is accomplished with the command 
@@ -163,6 +256,12 @@ $ terraform destroy -state=contrib/terraform/openstack/terraform.tfstate -var-fi You can enable debugging output from Terraform by setting `OS_DEBUG` to 1 and`TF_LOG` to`DEBUG` before runing the terraform command +## Terraform output + +Terraform can output useful values that need to be reused if you want to use Kubernetes OpenStack cloud provider with Neutron/Octavia LBaaS or Cinder persistent Volume provisioning: + + - `private_subnet_id`: the subnet where your instances are running, maps to `openstack_lbaas_subnet_id` + - `floating_network_id`: the network_id where the floating IP are provisioned, maps to `openstack_lbaas_floating_network_id` # Running the Ansible Script Ensure your local ssh-agent is running and your ssh key has been added. This diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf index c09ad9527..a64eb224c 100644 --- a/contrib/terraform/openstack/kubespray.tf +++ b/contrib/terraform/openstack/kubespray.tf @@ -53,3 +53,27 @@ module "compute" { network_id = "${module.network.router_id}" } + +output "private_subnet_id" { + value = "${module.network.subnet_id}" +} + +output "floating_network_id" { + value = "${var.external_net}" +} + +output "router_id" { + value = "${module.network.router_id}" +} + +output "k8s_master_fips" { + value = "${module.ips.k8s_master_fips}" +} + +output "k8s_node_fips" { + value = "${module.ips.k8s_node_fips}" +} + +output "bastion_fips" { + value = "${module.ips.bastion_fips}" +} diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf index 146e2b91f..551fa193f 100644 --- a/contrib/terraform/openstack/variables.tf +++ b/contrib/terraform/openstack/variables.tf 
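Review bot: The six new `output` blocks carry no `description`, so `terraform output` shows bare values with nothing saying which two the README maps to `openstack_lbaas_subnet_id` and `openstack_lbaas_floating_network_id`; Terraform output blocks accept a `description` argument, so `description = "Subnet the cluster nodes are attached to; use as openstack_lbaas_subnet_id"` on `private_subnet_id` and a matching one on `floating_network_id` keeps that mapping next to the code, and the README's new output section lists only those two of the six. The same commit deletes the `username`, `password`, `tenant` and `auth_url` variables from variables.tf while the `provider "openstack"` block at the top of this file is outside the diff; if that block still interpolates any of them as `var.*`, `terraform plan` fails on an undeclared variable, so it deserves a check that cannot be made from this hunk. The `module "compute"` block whose closing brace this hunk appends after starts outside the hunk.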
@@ -111,19 +111,3 @@ variable "floatingip_pool" {
 variable "external_net" {
 description = "uuid of the external/public network"
 }
-
-variable "username" {
- description = "Your openstack username"
-}
-
-variable "password" {
- description = "Your openstack password"
-}
-
-variable "tenant" {
- description = "Your openstack tenant/project"
-}
-
-variable "auth_url" {
- description = "Your openstack auth URL"
-}