From ea44d64511b4a6aafb741cbbe412dab8425462ad Mon Sep 17 00:00:00 2001
From: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
Date: Fri, 14 Jan 2022 22:58:32 +0200
Subject: [PATCH] [contrib] terraform openstack: allow disabling port security
 (#8410)

---
 contrib/terraform/openstack/README.md         |  7 +++--
 contrib/terraform/openstack/kubespray.tf      | 18 ++++++-----
 .../openstack/modules/compute/main.tf         | 31 ++++++++++++-------
 .../openstack/modules/compute/variables.tf    |  4 +++
 .../openstack/modules/network/main.tf         |  9 +++---
 .../openstack/modules/network/variables.tf    |  4 +++
 contrib/terraform/openstack/variables.tf      |  6 ++++
 7 files changed, 52 insertions(+), 27 deletions(-)

diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index 2b7ca0ef0..62f57db3b 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -283,6 +283,7 @@ For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
 |`node_server_group_policy` | Enable and use openstack nova servergroups for nodes with set policy, default: "" (disabled) |
 |`etcd_server_group_policy` | Enable and use openstack nova servergroups for etcd with set policy, default: "" (disabled) |
 |`use_access_ip` | If 1, nodes with floating IPs will transmit internal cluster traffic via floating IPs; if 0 private IPs will be used instead. Default value is 1. |
+|`port_security_enabled` | Allow to disable port security by setting this to `false`. `true` by default |
 |`k8s_nodes` | Map containing worker node definition, see explanation below |
 
 ##### k8s_nodes
@@ -411,7 +412,7 @@ plugins. This is accomplished as follows:
 
 ```ShellSession
 cd inventory/$CLUSTER
-terraform init ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" init
 ```
 
 This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
@@ -443,7 +444,7 @@ You can apply the Terraform configuration to your cluster with the following com
 issued from your cluster's inventory directory (`inventory/$CLUSTER`):
 
 ```ShellSession
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" apply -var-file=cluster.tfvars
 ```
 
 if you chose to create a bastion host, this script will create
@@ -458,7 +459,7 @@ pick it up automatically.
 You can destroy your new cluster with the following command issued from the cluster's inventory directory:
 
 ```ShellSession
-terraform destroy -var-file=cluster.tfvars ../../contrib/terraform/openstack
+terraform -chdir="../../contrib/terraform/openstack" destroy -var-file=cluster.tfvars
 ```
 
 If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index aadb001b3..583a213d8 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -1,14 +1,15 @@
 module "network" {
   source = "./modules/network"
 
-  external_net       = var.external_net
-  network_name       = var.network_name
-  subnet_cidr        = var.subnet_cidr
-  cluster_name       = var.cluster_name
-  dns_nameservers    = var.dns_nameservers
-  network_dns_domain = var.network_dns_domain
-  use_neutron        = var.use_neutron
-  router_id          = var.router_id
+  external_net          = var.external_net
+  network_name          = var.network_name
+  subnet_cidr           = var.subnet_cidr
+  cluster_name          = var.cluster_name
+  dns_nameservers       = var.dns_nameservers
+  network_dns_domain    = var.network_dns_domain
+  use_neutron           = var.use_neutron
+  port_security_enabled = var.port_security_enabled
+  router_id             = var.router_id
 }
 
 module "ips" {
@@ -88,6 +89,7 @@ module "compute" {
   extra_sec_groups                             = var.extra_sec_groups
   extra_sec_groups_name                        = var.extra_sec_groups_name
   group_vars_path                              = var.group_vars_path
+  port_security_enabled                        = var.port_security_enabled
 
   network_id = module.network.router_id
 }
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 5e0ba546a..03a3edaeb 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -164,6 +164,15 @@ locals {
     openstack_networking_secgroup_v2.worker.name,
     var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].name : "",
   ])
+# bastion groups
+  bastion_sec_groups = compact(concat([
+    openstack_networking_secgroup_v2.k8s.name,
+    openstack_networking_secgroup_v2.bastion[0].name,
+  ]))
+# etcd groups
+  etcd_sec_groups = compact([openstack_networking_secgroup_v2.k8s.name])
+# glusterfs groups
+  gfs_sec_groups = compact([openstack_networking_secgroup_v2.k8s.name])
 
 # Image uuid
   image_to_use_node = var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.vm_image[0].id
@@ -197,9 +206,7 @@ resource "openstack_compute_instance_v2" "bastion" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    element(openstack_networking_secgroup_v2.bastion.*.name, count.index),
-  ]
+  security_groups = var.port_security_enabled ? local.bastion_sec_groups : null
 
   metadata = {
     ssh_user         = var.ssh_user
@@ -240,7 +247,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
     name = var.network_name
   }
 
-  security_groups = local.master_sec_groups
+  security_groups = var.port_security_enabled ? local.master_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -288,7 +295,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
     name = var.network_name
   }
 
-  security_groups = local.master_sec_groups
+  security_groups = var.port_security_enabled ? local.master_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -334,7 +341,7 @@ resource "openstack_compute_instance_v2" "etcd" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name]
+  security_groups = var.port_security_enabled ? local.etcd_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.etcd_server_group_policy ? [openstack_compute_servergroup_v2.k8s_etcd[0]] : []
@@ -376,7 +383,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = local.master_sec_groups
+  security_groups = var.port_security_enabled ? local.master_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -419,7 +426,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
     name = var.network_name
   }
 
-  security_groups = local.master_sec_groups
+  security_groups = var.port_security_enabled ? local.master_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.master_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -462,7 +469,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
     name = var.network_name
   }
 
-  security_groups = local.worker_sec_groups
+  security_groups = var.port_security_enabled ? local.worker_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -509,7 +516,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = local.worker_sec_groups
+  security_groups = var.port_security_enabled ? local.worker_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -552,7 +559,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
     name = var.network_name
   }
 
-  security_groups = local.worker_sec_groups
+  security_groups = var.port_security_enabled ? local.worker_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -597,7 +604,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name]
+  security_groups = var.port_security_enabled ? local.gfs_sec_groups : null
 
   dynamic "scheduler_hints" {
     for_each = var.node_server_group_policy != "" ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 378345495..61a614e86 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -165,3 +165,7 @@ variable "image_master_uuid" {
 variable "group_vars_path" {
   type = string
 }
+
+variable "port_security_enabled" {
+  type = bool
+}
diff --git a/contrib/terraform/openstack/modules/network/main.tf b/contrib/terraform/openstack/modules/network/main.tf
index ec97322f8..a6324d7ed 100644
--- a/contrib/terraform/openstack/modules/network/main.tf
+++ b/contrib/terraform/openstack/modules/network/main.tf
@@ -11,10 +11,11 @@ data "openstack_networking_router_v2" "k8s" {
 }
 
 resource "openstack_networking_network_v2" "k8s" {
-  name           = var.network_name
-  count          = var.use_neutron
-  dns_domain     = var.network_dns_domain != null ? var.network_dns_domain : null
-  admin_state_up = "true"
+  name                  = var.network_name
+  count                 = var.use_neutron
+  dns_domain            = var.network_dns_domain != null ? var.network_dns_domain : null
+  admin_state_up        = "true"
+  port_security_enabled = var.port_security_enabled
 }
 
 resource "openstack_networking_subnet_v2" "k8s" {
diff --git a/contrib/terraform/openstack/modules/network/variables.tf b/contrib/terraform/openstack/modules/network/variables.tf
index f8eb64884..6cd7ff72e 100644
--- a/contrib/terraform/openstack/modules/network/variables.tf
+++ b/contrib/terraform/openstack/modules/network/variables.tf
@@ -10,6 +10,10 @@ variable "dns_nameservers" {
   type = list
 }
 
+variable "port_security_enabled" {
+  type = bool
+}
+
 variable "subnet_cidr" {}
 
 variable "use_neutron" {}
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index fe66b3709..350e5bcae 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -148,6 +148,12 @@ variable "use_neutron" {
   default     = 1
 }
 
+variable "port_security_enabled" {
+  description = "Enable port security on the internal network"
+  type        = bool
+  default     = "true"
+}
+
 variable "subnet_cidr" {
   description = "Subnet CIDR block."
   type        = string