Feature/nonhttp (#90)

k8soneill · stevemul · commit 6e1f2231dca5 · 2019-02-26T15:52:46.000Z
* adding configuration for non-http connectivity
* adding readme
diff --git a/bastion-template.yaml b/bastion-template.yaml
@@ -156,6 +156,9 @@ parameters:
     type: json
     description: Configuration needed for SSO integration
     hidden: true
+  external_service_subnet:
+   type: string
+   description: Internal subnet reserved for external service IPs
   registry_details:
     type: json
     description: Configuration needed for authenticated container registry
@@ -276,7 +279,8 @@ resources:
             __bastion_ip__ : { get_param: bastion_fixed_ip }
             __sso_client_id__ : { get_param: [ sso_config, client_id ] }
             __sso_client_secret__: { get_param: [ sso_config, client_secret ] }
-            __sso_urls__ : { get_param: [ sso_config, urls ] }
+            __sso_urls__: { get_param: [ sso_config, urls ] }
+            __external_service_subnet__: { get_param: external_service_subnet }
             __registry_url__ : { get_param: [ registry_details, registry_url ] }
             __registry_user__: { get_param: [ registry_details, registry_user ] }
             __registry_password__ : { get_param: [ registry_details, registry_password ] }
diff --git a/environment_example.yaml b/environment_example.yaml
@@ -58,6 +58,13 @@ parameter_defaults:
   #  dns: [ "8.8.4.4" ]
   #  gateway: "10.3.1.102"
   #  bastion_ip: "10.3.1.101"
+  #  service_subnet: This should be a /29 starting at .240 unless more addresses are required. .249-.254 will be left for routers "10.3.1.240/29"
+  #external_services_config:
+  #  - service_ip: Neutron network IP for service. Must be within the external_service_subnet.
+  #    floating_network: External network to expose the service on e.g. [ "Internet" ], must be a comma delimited list
+  #    proto: tcp or udp
+  #    port: port to expose e.g. 3306
+  #    allowed_sources: sources allowed to hit service e.g. 0.0.0.0/0
   # Example of passing in configuration for SSO
   #sso_config:
   #  client_id: <client ID>
diff --git a/external_services/external_services.yaml b/external_services/external_services.yaml
@@ -0,0 +1,69 @@
+heat_template_version: 2016-10-14
+
+parameters:
+  external_services_json:
+    type: json
+    description: Configuration values for external services in a json array
+  index:
+    type: string
+  internal_network:
+    type: string
+    description: neutron network name to attach port on
+
+resources:
+  external_service_security_group_rule:
+    type: OS::Neutron::SecurityGroupRule
+    condition: sec_rule_create
+    properties:
+      security_group: external_service_sg
+      protocol: { get_param: [ external_services_json, { get_param: index}, proto ]}
+      remote_ip_prefix: { get_param: [ external_services_json, { get_param: index}, allowed_sources ] }
+      ethertype: IPv4
+      direction: ingress
+      port_range_max: { get_param: [ external_services_json, { get_param: index}, port ] }
+      port_range_min: { get_param: [ external_services_json, { get_param: index}, port ] }
+
+  service_floating_ip:
+    type: OS::Neutron::FloatingIP
+    condition: port_ip_create
+    properties:
+      floating_network: { get_param: [ external_services_json, { get_param: index }, floating_network ] }
+
+  service_port:
+    type: OS::Neutron::Port
+    condition: port_ip_create
+    properties:
+      name:
+        str_replace:
+          template: external_service_port_index
+          params:
+            index: { get_param: index }
+      network: { get_param: internal_network }
+      fixed_ips:
+        [ip_address: { get_param: [ external_services_json, { get_param: index }, service_ip ] }]
+
+  service_floating_ip_association:
+    type: OS::Neutron::FloatingIPAssociation
+    condition: port_ip_create
+    depends_on: [ service_floating_ip, service_port ]
+    properties:
+      floatingip_id: { get_resource: service_floating_ip }
+      port_id: { get_resource: service_port }
+
+conditions:
+  port_ip_create:
+    not:
+      equals:
+      - get_param: [ external_services_json, { get_param: index }, port_ip_deploy ]
+      - false
+
+  sec_rule_create:
+    not:
+      equals:
+      - get_param: [ external_services_json, { get_param: index }, sec_rule_deploy ]
+      - false
+
+outputs:
+  external_service_ip_pair:
+    condition: port_ip_create
+    value: [{ get_attr: [ service_floating_ip, floating_ip_address ] }, { get_attr: [ service_port, fixed_ips, 0, ip_address ] }]
diff --git a/external_services/readme.md b/external_services/readme.md
@@ -0,0 +1,114 @@
+### Exposing External Services
+
+This readme intends to give you the information required to run stack updates that deploy the necessary infrastructure to allow non-http services to be exposed outside our clusters. The following parameter addition is required to deploy even if you are not exposing any services:
+
+```
+ network_config:
+    allocation_pool: [{"start": "10.3.1.2", "end": "10.3.1.100"}]
+    cidr: "10.3.1.0/24"
+    dns: [ "8.8.4.4" ]
+    gateway: "10.3.1.102"
+    bastion_ip: "10.3.1.101"
+    service_subnet: "10.3.1.240/29" # This is the new addition. It's the subnet to be used for service_ip on services. Must be within internal network range and not conflict with allocation pool.
+```
+
+The parameter used to deploy the actual external_services infrastructure is ```external_services_config``` this can be hashed out if not required and it will not try to create the external services resource at the top level. If you do want to use an external service then the following block is an example:
+
+```
+ external_services_config:
+    - service_ip: 10.3.1.240 # Sets the internal IP of the port that a floating IP will be associated to  
+      floating_network: "Internet" # Will create a floating IP on the specified network and associate it to the service_ip port.
+      proto: tcp or udp # Used in the security rule thats created to allow access. Should match the service protocol.
+      port: 3306 # Used in the security rule thats created to allow access. Should match the service port.
+      allowed_sources: sources allowed to hit service e.g. 0.0.0.0/0 # Used in the security rule thats created to allow access
+```
+> [!WARNING]
+> Always do a stack show before attempting to update the external_services to ensure you pass in all of the existing json blocks.
+
+
+It's important to note that the blocks are a list of json objects. The order of them matters, if you are updating a cluster to add extra services you MUST keep them in the correct order otherwise the already exposed services will be destroyed. An example of deploying two external services would be:
+
+```
+ external_services_config:
+    - service_ip: 10.3.1.240 
+      floating_network: "Internet"
+      proto: tcp
+      port: 3306
+      allowed_sources: 0.0.0.0/0
+    - service_ip: 10.3.1.241
+      floating_network: "Internet"
+      proto: tcp
+      port: 3307
+      allowed_sources: 0.0.0.0/0
+```
+
+The above will deploy two floating IPs on the internet, one mapped to the internal IP of 10.3.1.240 and the other mapped to the internal IP of 10.3.1.241. It will also add two security rules to all nodes allowing access to 3307 and 3306 from all sources. While this may seem insecure IPtables rules within the cluster will ensure you can only hit the relevant service on the relevant IP once they have been exposed.
+
+What if a customer wants to expose multiple services on a single IP? Well let's say the customer wants one internet IP and would like to expose tcp 3306 and udp 53 on it. The way this would be done is:
+
+```
+ external_services_config:
+    - service_ip: 10.3.1.240 
+      floating_network: "Internet"
+      proto: tcp
+      port: 3306
+      allowed_sources: 0.0.0.0/0
+    - port_ip_deploy: false
+      proto: udp
+      port: 53
+      allowed_sources: 0.0.0.0/0
+```
+
+In the above ```port_ip_deploy: false``` specifies to not create a floating IP or internal IP so the second block is only creating a security rule allowing access to the nodes on port 53 from all sources. You could then expose two services on 10.3.1.240 from inside the cluster and each would be reachable on the same floating IP.
+
+To remove a resource you would simply change the block it exists in to the following:
+
+```
+ external_services_config:
+    - port_ip_deploy: false
+      sec_rule_deploy: false
+    - port_ip_deploy: false
+      proto: udp
+      port: 53
+      allowed_sources: 0.0.0.0/0
+```
+
+In the above the first block used to create an internal IP of 10.3.1.240, map a floating IP from the internet to it and create a security rule allowing access on 3306. ```port_ip_deploy: false``` and ```sec_rule_deploy: false``` will ensure that when you update the stack this resource block will be evaluated and all resources previously related to it will be destroyed.
+
+If you wanted to change a floating IP to a different network you cannot simply overwrite the ```floating_network``` parameter and update. You first need to destroy the resources from the block in an update and then specify a new network and update. The stages would be:
+
+```
+ external_services_config:
+    - service_ip: 10.3.1.240 
+      floating_network: "Internet"
+      proto: tcp
+      port: 3306
+      allowed_sources: 0.0.0.0/0
+```
+
+Original deployment config. Customer then asks for the 10.3.1.240 to be accessible on HSCN rather than the internet:
+
+```
+ external_services_config:
+    - port_ip_deploy: false
+      sec_rule_deploy: false
+```
+
+Update is run, destroying the resources.
+
+```
+ external_services_config:
+    - service_ip: 10.3.1.240 
+      floating_network: "HSCN"
+      proto: tcp
+      port: 3306
+      allowed_sources: 0.0.0.0/0
+```
+
+Final update is run re-creating the resources.
+
+Finally, the best way to go about updating these parameters is to create your own yaml file containing the block (in this example it's service-update.yml) and running the following:
+
+```
+openstack stack update <stack> --existing -e service-update.yml
+```
diff --git a/files/setup_bastion.yaml b/files/setup_bastion.yaml
@@ -50,11 +50,12 @@
     ssoClientId: __sso_client_id__
     ssoClientSecret: __sso_client_secret__
     ssoUrls: __sso_urls__
+    externalServiceSubnet: __external_service_subnet__
     registryUrl: __registry_url__
     registryUser: __registry_user__
     registryPassword: __registry_password__
-  tasks:
 
+  tasks:
     - name: Check if stack update or create and register variable
       shell: if [[ $(openstack stack show "openshift-{{ osTenantName }}" -f value -c stack_status \
                 --os-auth-url "{{ osAuthUrl }}" \
@@ -253,6 +254,7 @@
           sso_client_id: {{ ssoClientId }}
           sso_client_secret: {{ ssoClientSecret }}
           sso_urls: '{{ ssoUrls | to_json }}'
+          external_service_subnet: {{ externalServiceSubnet }}
           registryUrl: {{ registryUrl }}
           registryUser: {{ registryUser }}
           registryPassword: {{ registryPassword }}
@@ -293,4 +295,4 @@
         owner: cloud-user
         group: cloud-user
         recurse: yes
-      when: stack_create
+      when: stack_create 
diff --git a/node_group.yaml b/node_group.yaml
@@ -56,6 +56,9 @@ parameters:
   cluster_security_groups:
     type: comma_delimited_list
     description: Security groups for cluster
+  external_service_subnet:
+    type: string
+    description: subnet to be used when deploying external services
   server_group:
     type: string
     description: server group to associate nodes with
@@ -92,6 +95,7 @@ resources:
           port_network: { get_param: internal_network }
           sec_groups: { get_param: cluster_security_groups }
           storage_setup: { get_param: storage_setup }
+          external_service_subnet: { get_param: external_service_subnet }
           server_group: { get_param: server_group }
 
 outputs:
diff --git a/security_groups.yaml b/security_groups.yaml
@@ -33,6 +33,11 @@ parameters:
     default: [ "0.0.0.0/0" ]
 
 resources:
+  external_service_secgroup:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name: external_service_sg
+
   bastion_egress_secgroup:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -354,6 +359,16 @@ resources:
           port_range_min: 443
           port_range_max: 443
 
+  vrrp_nodes_secgroup:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name: vrrp_nodes_sg
+      rules:
+        - direction: ingress
+          ethertype: IPv4
+          remote_mode: remote_group_id
+          protocol: vrrp
+
   dns_internet_secgroup:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -468,6 +483,9 @@ resources:
           remote_group_id: { get_resource: all_net2_egress_secgroup }
 
 outputs:
+  external_service_security_group:
+    description: Externally exposed service security group
+    value: { get_resource: external_service_secgroup }
   bastion_egress_security_group:
     description: Bastion egress security group
     value: { get_resource: bastion_egress_secgroup }
@@ -501,6 +519,9 @@ outputs:
   all_internet_egress_security_group:
     description: All internet facing servers egress security group
     value: { get_resource: all_internet_egress_secgroup }
+  vrrp_nodes_security_group:
+    description: VRRP access between tenant and net2 nodes
+    value: { get_resource: vrrp_nodes_secgroup }
 
   bastion_external_security_group:
     description: Bastion external security group
diff --git a/server_atomic.yaml b/server_atomic.yaml
@@ -47,6 +47,9 @@ parameters:
   server_group:
     type: string
     label: group server belongs to
+  external_service_subnet:
+    type: string
+    description: Subnet to be used for external services
 
 resources:
   resize_lv:
@@ -114,6 +117,7 @@ resources:
             servername: { get_param: server_name }
       network: { get_param: port_network }
       security_groups: { get_param: sec_groups }
+      allowed_address_pairs: [ ip_address: { get_param: external_service_subnet } ]
 
 outputs:
   server_ip:
diff --git a/setup-heat-templates.yaml b/setup-heat-templates.yaml
@@ -148,6 +148,7 @@
                 local_domain_suffix: { get_param: local_domain_suffix }
                 internal_network: { get_attr: [internal_network, outputs, network] }
                 internal_network_subnet: { get_attr: [internal_network, outputs, subnet] }
+                external_service_subnet: { get_param: [ network_config, service_subnet ] }
                 server_group: { get_attr: [server_groups, outputs, nodes-servergroup] }
                 cluster_security_groups:
                   - { get_attr: [ security_groups, outputs, net2_nodes_egress_security_group ] }
@@ -156,6 +157,8 @@
                   - { get_attr: [ security_groups, outputs, bastion_internal_ssh_security_group ] }
                   - { get_attr: [ security_groups, outputs, all_nodes_security_group ] }
                   - { get_attr: [ security_groups, outputs, net2_nodes_security_group ] }
+                  - { get_attr: [ security_groups, outputs, external_service_security_group ] }
+                  - { get_attr: [ security_groups, outputs, vrrp_nodes_security_group ] }
 
           net2_nodes_medium_deployment:
             type: OS::Heat::Stack
@@ -171,6 +174,7 @@
                 local_domain_suffix: { get_param: local_domain_suffix }
                 internal_network: { get_attr: [internal_network, outputs, network] }
                 internal_network_subnet: { get_attr: [internal_network, outputs, subnet] }
+                external_service_subnet: { get_param: [ network_config, service_subnet ] }
                 server_group: { get_attr: [server_groups, outputs, nodes-servergroup] }
                 cluster_security_groups:
                   - { get_attr: [ security_groups, outputs, net2_nodes_egress_security_group ] }
@@ -179,6 +183,8 @@
                   - { get_attr: [ security_groups, outputs, bastion_internal_ssh_security_group ] }
                   - { get_attr: [ security_groups, outputs, all_nodes_security_group ] }
                   - { get_attr: [ security_groups, outputs, net2_nodes_security_group ] }
+                  - { get_attr: [ security_groups, outputs, external_service_security_group ] }
+                  - { get_attr: [ security_groups, outputs, vrrp_nodes_security_group ] }
 
           net2_nodes_large_deployment:
             type: OS::Heat::Stack
@@ -194,6 +200,7 @@
                 local_domain_suffix: { get_param: local_domain_suffix }
                 internal_network: { get_attr: [internal_network, outputs, network] }
                 internal_network_subnet: { get_attr: [internal_network, outputs, subnet] }
+                external_service_subnet: { get_param: [ network_config, service_subnet ] }
                 server_group: { get_attr: [server_groups, outputs, nodes-servergroup] }
                 cluster_security_groups:
                   - { get_attr: [ security_groups, outputs, net2_nodes_egress_security_group ] }
@@ -202,6 +209,8 @@
                   - { get_attr: [ security_groups, outputs, bastion_internal_ssh_security_group ] }
                   - { get_attr: [ security_groups, outputs, all_nodes_security_group ] }
                   - { get_attr: [ security_groups, outputs, net2_nodes_security_group ] }
+                  - { get_attr: [ security_groups, outputs, external_service_security_group ] }
+                  - { get_attr: [ security_groups, outputs, vrrp_nodes_security_group ] }
 
           data_plane_net2_lb:
             type: OS::Heat::Stack
diff --git a/top-level-template.yaml b/top-level-template.yaml
