Merge pull request #2033 from ArchiFleKs/terraform-fix-cred

Update Terraform docs and authentication method
Aivars Sterns 2018-02-21 12:16:24 +02:00 committed by GitHub
commit bfe196236f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 485 additions and 393 deletions


@ -0,0 +1,4 @@
.terraform
*.tfvars
*.tfstate
*.tfstate.backup
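Review bot: `clouds.yaml` is missing from this ignore list, although the README change in this same commit says the file may live in the current directory and its sample carries a plaintext `password`. Add `clouds.yaml` (and `openrc`, if people keep it next to the Terraform files) so the credential file gets the same protection as `*.tfvars` and `*.tfstate`.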


@ -82,23 +82,102 @@ used to deploy and provision the software requirements.
#### OpenStack
Ensure your OpenStack **Identity v2** credentials are loaded in environment
variables. This can be done by downloading a credentials .rc file from your
OpenStack dashboard and sourcing it:
No provider variables are hard coded inside `variables.tf` because Terraform
supports various authentication method for OpenStack, between identity v2 and
v3 API, `openrc` or `clouds.yaml`.
These are examples and may vary depending on your OpenStack cloud provider,
for an exhaustive list on how to authenticate on OpenStack with Terraform
please read the [OpenStack provider documentation](https://www.terraform.io/docs/providers/openstack/).
##### Recommended method : clouds.yaml
Newer recommended authentication method is to use a `clouds.yaml` file that can be store in :
* `Current Directory`
* `~/.config/openstack`
* `/etc/openstack`
`clouds.yaml` :
```
$ source ~/.stackrc
clouds:
mycloud:
auth:
auth_url: https://openstack:5000/v3
username: "username"
project_name: "projectname"
project_id: projectid
user_domain_name: "Default"
password: "password"
region_name: "RegionOne"
interface: "public"
identity_api_version: 3
```
Ensure that you have your Openstack credentials loaded into Terraform
environment variables. Likely via a command similar to:
If you have multiple clouds defined in your `clouds.yaml` file you can choose
the one you want to use with the environment variable `OS_CLOUD` :
```
$ echo Setting up Terraform creds && \
export TF_VAR_username=${OS_USERNAME} && \
export TF_VAR_password=${OS_PASSWORD} && \
export TF_VAR_tenant=${OS_TENANT_NAME} && \
export TF_VAR_auth_url=${OS_AUTH_URL}
export OS_CLOUD=mycloud
```
##### Deprecated method : openrc
When using classic environment variables, Terraform uses default `OS_*`
environment variables :
With identity v2 :
```
source openrc
env | grep OS
OS_AUTH_URL=https://openstack:5000/v2.0
OS_PROJECT_ID=projectid
OS_PROJECT_NAME=projectname
OS_USERNAME=username
OS_PASSWORD=password
OS_REGION_NAME=RegionOne
OS_INTERFACE=public
OS_IDENTITY_API_VERSION=2
```
With identity v3 :
```
source openrc
env | grep OS
OS_AUTH_URL=https://openstack:5000/v3
OS_PROJECT_ID=projectid
OS_PROJECT_NAME=username
OS_PROJECT_DOMAIN_ID=default
OS_USERNAME=username
OS_PASSWORD=password
OS_REGION_NAME=RegionOne
OS_INTERFACE=public
OS_IDENTITY_API_VERSION=3
OS_USER_DOMAIN_NAME=Default
```
Terraform does not support a mix of DomainName and DomainID, choose one or the
other :
```
* provider.openstack: You must provide exactly one of DomainID or DomainName to authenticate by Username
```
```
unset OS_USER_DOMAIN_NAME
export OS_USER_DOMAIN_ID=default
or
unset OS_PROJECT_DOMAIN_ID
set OS_PROJECT_DOMAIN_NAME=Default
```
### Terraform Variables
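Review bot: in the last code block, `set OS_PROJECT_DOMAIN_NAME=Default` does not define the variable in sh or bash (`set` assigns positional parameters); it should be `export OS_PROJECT_DOMAIN_NAME=Default`, matching the `export OS_USER_DOMAIN_ID=default` line above it. The bare `or` between the two alternatives sits inside the fence and will be pasted as a command, so split it into two blocks or turn it into a comment. In the identity v3 listing `OS_PROJECT_NAME=username` looks like a copy slip for `projectname`. Both listings echo `OS_PASSWORD` through `env | grep OS`, and the `clouds.yaml` sample stores the password in clear, so a sentence recommending owner-only permissions on that file belongs next to the list of locations.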
@ -129,7 +208,21 @@ ones:
|`number_of_gfs_nodes_no_floating_ip` | Number of gluster servers to provision. |
| `gfs_volume_size_in_gb` | Size of the non-ephemeral volumes to be attached to store the GlusterFS bricks |
### Terraform files
In the root folder, the following files might be created (either by Terraform
or manually), to prevent you from pushing them accidentally they are in a
`.gitignore` file in the `terraform/openstack` directory :
* `.terraform`
* `.tfvars`
* `.tfstate`
* `.tfstate.backup`
You can still add them manually if you want to.
## Initializing Terraform
Before Terraform can operate on your cluster you need to install required
plugins. This is accomplished with the command
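Review bot: the bullet list does not match the patterns the commit adds to `.gitignore`: it shows `.tfvars`, `.tfstate` and `.tfstate.backup`, while the ignore file has `*.tfvars`, `*.tfstate` and `*.tfstate.backup`. Use the glob forms here. "In the root folder" also conflicts with the next clause, which places the ignore file in `terraform/openstack`; name one directory. For "You can still add them manually", give the command (`git add -f`) and note that state and tfvars files can hold secrets, which is the reason they are ignored.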
@ -163,6 +256,12 @@ $ terraform destroy -state=contrib/terraform/openstack/terraform.tfstate -var-fi
You can enable debugging output from Terraform by setting
`OS_DEBUG` to 1 and`TF_LOG` to`DEBUG` before runing the terraform command
## Terraform output
Terraform can output useful values that need to be reused if you want to use Kubernetes OpenStack cloud provider with Neutron/Octavia LBaaS or Cinder persistent Volume provisioning:
- `private_subnet_id`: the subnet where your instances are running, maps to `openstack_lbaas_subnet_id`
- `floating_network_id`: the network_id where the floating IP are provisioned, maps to `openstack_lbaas_floating_network_id`
# Running the Ansible Script
Ensure your local ssh-agent is running and your ssh key has been added. This
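Review bot: the new "Terraform output" section names `private_subnet_id` and `floating_network_id` but not the command that prints them. The destroy example in this hunk's header passes `-state=contrib/terraform/openstack/terraform.tfstate`, so show the matching `terraform output` invocation with the same state path, otherwise readers running from the repository root will get no values. It would also help to say in which file `openstack_lbaas_subnet_id` and `openstack_lbaas_floating_network_id` are set.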


@ -1,4 +1,3 @@
module "network" {
source = "modules/network"
@ -8,7 +7,6 @@ module "network" {
dns_nameservers = "${var.dns_nameservers}"
}
module "ips" {
source = "modules/ips"
@ -53,3 +51,27 @@ module "compute" {
network_id = "${module.network.router_id}"
}
output "private_subnet_id" {
value = "${module.network.subnet_id}"
}
output "floating_network_id" {
value = "${var.external_net}"
}
output "router_id" {
value = "${module.network.router_id}"
}
output "k8s_master_fips" {
value = "${module.ips.k8s_master_fips}"
}
output "k8s_node_fips" {
value = "${module.ips.k8s_node_fips}"
}
output "bastion_fips" {
value = "${module.ips.bastion_fips}"
}
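Review bot: none of the six new `output` blocks has a `description`, and only two of them are mentioned in the README section added by this commit. Add a `description` to each, and state that `floating_network_id` is `var.external_net` passed straight through rather than something Terraform discovers. If `router_id`, `k8s_master_fips`, `k8s_node_fips` and `bastion_fips` are meant for consumers, document them; if not, consider leaving them out so the public addresses are not part of the module's interface by accident.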


@ -1,14 +1,3 @@
variable user_data {
type = "string"
default = <<EOF
#cloud-config
manage_etc_hosts: localhost
package_update: true
package_upgrade: true
EOF
}
resource "openstack_compute_keypair_v2" "k8s" {
name = "kubernetes-${var.cluster_name}"
public_key = "${chomp(file(var.public_key_path))}"
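Review bot: removing `variable user_data` drops the first-boot `package_update: true` / `package_upgrade: true` cloud-config, so instances will start at whatever patch level the image ships with. The commit subject only mentions docs and authentication, so this behaviour change is easy to miss. Either keep the variable (operators can override the default) or state in the README that images must be patched before use, and mention the removal in the commit message.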
@ -17,6 +6,7 @@ resource "openstack_compute_keypair_v2" "k8s" {
resource "openstack_compute_secgroup_v2" "k8s_master" {
name = "${var.cluster_name}-k8s-master"
description = "${var.cluster_name} - Kubernetes Master"
rule {
ip_protocol = "tcp"
from_port = "6443"
@ -28,6 +18,7 @@ resource "openstack_compute_secgroup_v2" "k8s_master" {
resource "openstack_compute_secgroup_v2" "bastion" {
name = "${var.cluster_name}-bastion"
description = "${var.cluster_name} - Bastion Server"
rule {
ip_protocol = "tcp"
from_port = "22"
@ -39,24 +30,28 @@ resource "openstack_compute_secgroup_v2" "bastion" {
resource "openstack_compute_secgroup_v2" "k8s" {
name = "${var.cluster_name}-k8s"
description = "${var.cluster_name} - Kubernetes"
rule {
ip_protocol = "icmp"
from_port = "-1"
to_port = "-1"
cidr = "0.0.0.0/0"
}
rule {
ip_protocol = "tcp"
from_port = "1"
to_port = "65535"
self = true
}
rule {
ip_protocol = "udp"
from_port = "1"
to_port = "65535"
self = true
}
rule {
ip_protocol = "icmp"
from_port = "-1"
@ -71,12 +66,16 @@ resource "openstack_compute_instance_v2" "bastion" {
image_name = "${var.image}"
flavor_id = "${var.flavor_bastion}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
"${openstack_compute_secgroup_v2.bastion.name}",
"default" ]
"default",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "bastion"
@ -87,7 +86,6 @@ resource "openstack_compute_instance_v2" "bastion" {
command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${var.bastion_fips[0]}/ > contrib/terraform/openstack/group_vars/no-floating.yml"
}
user_data = "${var.user_data}"
}
resource "openstack_compute_instance_v2" "k8s_master" {
@ -96,19 +94,23 @@ resource "openstack_compute_instance_v2" "k8s_master" {
image_name = "${var.image}"
flavor_id = "${var.flavor_k8s_master}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
"${openstack_compute_secgroup_v2.bastion.name}",
"${openstack_compute_secgroup_v2.k8s.name}",
"default" ]
"default",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault"
kubespray_groups = "etcd,kube-master,k8s-cluster,vault"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
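Review bot: the `kubespray_groups` value for `k8s_master` loses `kube-node` (`"etcd,kube-master,kube-node,k8s-cluster,vault"` becomes `"etcd,kube-master,k8s-cluster,vault"`), and the same edit repeats in the other master resources below. This changes which hosts land in the `kube-node` inventory group and is unrelated to the stated purpose of the commit. A cluster defined with masters only would end up with no hosts in `kube-node`. Move this to its own change or document it in the README and commit message so existing users know to add dedicated nodes.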
resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
@ -117,17 +119,21 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
image_name = "${var.image}"
flavor_id = "${var.flavor_k8s_master}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
"${openstack_compute_secgroup_v2.k8s.name}" ]
"${openstack_compute_secgroup_v2.k8s.name}",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "kube-master,kube-node,k8s-cluster,vault"
kubespray_groups = "kube-master,k8s-cluster,vault"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
resource "openstack_compute_instance_v2" "etcd" {
@ -136,18 +142,20 @@ resource "openstack_compute_instance_v2" "etcd" {
image_name = "${var.image}"
flavor_id = "${var.flavor_etcd}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s.name}"]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "etcd,vault,no-floating"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
}
resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
name = "${var.cluster_name}-k8s-master-nf-${count.index+1}"
@ -155,18 +163,22 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
image_name = "${var.image}"
flavor_id = "${var.flavor_k8s_master}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
"${openstack_compute_secgroup_v2.k8s.name}",
"default" ]
"default",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "etcd,kube-master,kube-node,k8s-cluster,vault,no-floating"
kubespray_groups = "etcd,kube-master,k8s-cluster,vault,no-floating"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
@ -175,19 +187,22 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
image_name = "${var.image}"
flavor_id = "${var.flavor_k8s_master}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s_master.name}",
"${openstack_compute_secgroup_v2.k8s.name}" ]
"${openstack_compute_secgroup_v2.k8s.name}",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "kube-master,kube-node,k8s-cluster,vault,no-floating"
kubespray_groups = "kube-master,k8s-cluster,vault,no-floating"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
}
resource "openstack_compute_instance_v2" "k8s_node" {
name = "${var.cluster_name}-k8s-node-${count.index+1}"
@ -195,18 +210,22 @@ resource "openstack_compute_instance_v2" "k8s_node" {
image_name = "${var.image}"
flavor_id = "${var.flavor_k8s_node}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
"${openstack_compute_secgroup_v2.bastion.name}",
"default" ]
"default",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "kube-node,k8s-cluster"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
@ -215,17 +234,21 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
image_name = "${var.image}"
flavor_id = "${var.flavor_k8s_node}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
"default" ]
"default",
]
metadata = {
ssh_user = "${var.ssh_user}"
kubespray_groups = "kube-node,k8s-cluster,no-floating"
depends_on = "${var.network_id}"
}
user_data = "${var.user_data}"
}
resource "openstack_compute_floatingip_associate_v2" "bastion" {
@ -246,7 +269,6 @@ resource "openstack_compute_floatingip_associate_v2" "k8s_node" {
instance_id = "${element(openstack_compute_instance_v2.k8s_node.*.id, count.index)}"
}
resource "openstack_blockstorage_volume_v2" "glusterfs_volume" {
name = "${var.cluster_name}-glusterfs_volume-${count.index+1}"
count = "${var.number_of_gfs_nodes_no_floating_ip}"
@ -260,17 +282,21 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
image_name = "${var.image_gfs}"
flavor_id = "${var.flavor_gfs_node}"
key_pair = "${openstack_compute_keypair_v2.k8s.name}"
network {
name = "${var.network_name}"
}
security_groups = ["${openstack_compute_secgroup_v2.k8s.name}",
"default" ]
"default",
]
metadata = {
ssh_user = "${var.ssh_user_gfs}"
kubespray_groups = "gfs-cluster,network-storage,no-floating"
depends_on = "${var.network_id}"
}
user_data = "#cloud-config\nmanage_etc_hosts: localhost\npackage_update: true\npackage_upgrade: true"
}
resource "openstack_compute_volume_attach_v2" "glusterfs_volume" {

View file

@ -1,74 +1,48 @@
variable "cluster_name" {
}
variable "cluster_name" {}
variable "number_of_k8s_masters" {
}
variable "number_of_k8s_masters" {}
variable "number_of_k8s_masters_no_etcd" {
}
variable "number_of_k8s_masters_no_etcd" {}
variable "number_of_etcd" {
}
variable "number_of_etcd" {}
variable "number_of_k8s_masters_no_floating_ip" {
}
variable "number_of_k8s_masters_no_floating_ip" {}
variable "number_of_k8s_masters_no_floating_ip_no_etcd" {
}
variable "number_of_k8s_masters_no_floating_ip_no_etcd" {}
variable "number_of_k8s_nodes" {
}
variable "number_of_k8s_nodes" {}
variable "number_of_k8s_nodes_no_floating_ip" {
}
variable "number_of_k8s_nodes_no_floating_ip" {}
variable "number_of_bastions" {
}
variable "number_of_bastions" {}
variable "number_of_gfs_nodes_no_floating_ip" {
}
variable "number_of_gfs_nodes_no_floating_ip" {}
variable "gfs_volume_size_in_gb" {
}
variable "gfs_volume_size_in_gb" {}
variable "public_key_path" {
}
variable "public_key_path" {}
variable "image" {
}
variable "image" {}
variable "image_gfs" {
}
variable "image_gfs" {}
variable "ssh_user" {
}
variable "ssh_user" {}
variable "ssh_user_gfs" {
}
variable "ssh_user_gfs" {}
variable "flavor_k8s_master" {
}
variable "flavor_k8s_master" {}
variable "flavor_k8s_node" {
}
variable "flavor_k8s_node" {}
variable "flavor_etcd" {
}
variable "flavor_etcd" {}
variable "flavor_gfs_node" {
}
variable "flavor_gfs_node" {}
variable "network_name" {
}
variable "network_name" {}
variable "flavor_bastion" {
}
variable "network_id"{
}
variable "flavor_bastion" {}
variable "network_id" {}
variable "k8s_master_fips" {
type = "list"
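Review bot: every declaration in this file is touched to collapse it to `variable "x" {}`, yet none gains a `description` or `type`. The root `variables.tf` already uses `description` (for example on `external_net`), so carry the same text into the module variables while reformatting; `public_key_path`, `ssh_user` and `network_id` in particular are not self-explanatory at the module boundary.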


@ -1,4 +1,3 @@
resource "null_resource" "dummy_dependency" {
triggers {
dependency_id = "${var.router_id}"


@ -1,26 +1,15 @@
variable "number_of_k8s_masters" {
}
variable "number_of_k8s_masters" {}
variable "number_of_k8s_masters_no_etcd" {
}
variable "number_of_k8s_masters_no_etcd" {}
variable "number_of_k8s_nodes" {
}
variable "number_of_k8s_nodes" {}
variable "floatingip_pool" {
}
variable "floatingip_pool" {}
variable "number_of_bastions" {
variable "number_of_bastions" {}
}
variable "external_net" {}
variable "external_net" {
variable "network_name" {}
}
variable "network_name" {
}
variable "router_id"{
}
variable "router_id" {}


@ -1,4 +1,3 @@
resource "openstack_networking_router_v2" "k8s" {
name = "${var.cluster_name}-router"
admin_state_up = "true"


@ -1,12 +1,8 @@
variable "external_net" {
variable "external_net" {}
}
variable "network_name" {}
variable "network_name" {
}
variable "cluster_name" {
}
variable "cluster_name" {}
variable "dns_nameservers" {
type = "list"


@ -111,19 +111,3 @@ variable "floatingip_pool" {
variable "external_net" {
description = "uuid of the external/public network"
}
variable "username" {
description = "Your openstack username"
}
variable "password" {
description = "Your openstack password"
}
variable "tenant" {
description = "Your openstack tenant/project"
}
variable "auth_url" {
description = "Your openstack auth URL"
}
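Review bot: dropping `username`, `password`, `tenant` and `auth_url` needs a migration note for existing users. The previous README told them to export `TF_VAR_password=${OS_PASSWORD}` and the other `TF_VAR_*` values, so shells, CI settings and local `*.tfvars` files may still hold the password after this change even though nothing reads it. Add a short upgrade paragraph telling users to unset those variables and delete the entries, and confirm that the `provider "openstack"` block, which is not among the visible hunks, no longer references `var.username`, `var.password`, `var.tenant` or `var.auth_url`.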