feat: add iac code

iac/cloud/openstack/lib/ansible-inventory/inventory.tpl

@@ -0,0 +1,37 @@
+[bastion]
+${address_bastion}
+
+[masters]
+%{ for master in master_nodes ~}
+${master.access_ip_v4}
+%{endfor ~}
+
+[workers]
+%{ for worker in worker_nodes ~}
+${worker.access_ip_v4}
+%{endfor ~}
+
+%{if address_bastion == ""~}
+[masters:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no -o IdentityFile=./id_rsa -o UserKnownHostsFile=/dev/null'
+
+[workers:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no -o IdentityFile=./id_rsa -o UserKnownHostsFile=/dev/null'
+%{endif~}
+
+%{if address_bastion != ""~}
+[masters:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no -o IdentityFile=./id_rsa -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -o IdentityFile=./id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q ${ssh_user}@${address_bastion}"'
+
+[workers:vars]
+ansible_ssh_common_args='-o StrictHostKeyChecking=no -o IdentityFile=./id_rsa -o UserKnownHostsFile=/dev/null -o ProxyCommand="ssh -o IdentityFile=./id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q ${ssh_user}@${address_bastion}"'
+%{endif~}
+
+
+
+
+[all:vars]
+ansible_user="${ssh_user}"
+ansible_python_interpreter=/usr/bin/python3
+ansible_ssh_private_key_file=./id_rsa
+ansible_ssh_extra_args='-o StrictHostKeyChecking=no'

iac/cloud/openstack/lib/ansible-inventory/main.tf

@@ -0,0 +1,13 @@
+
+resource "local_file" "ansible_inventory" {
+  content = templatefile("${path.module}/inventory.tpl",
+    {
+      address_bastion = var.address_bastion
+      worker_nodes    = var.worker_nodes
+      master_nodes    = var.master_nodes
+      ssh_user        = var.ssh_user
+  })
+  filename   = "infra-inventory"
+
+    depends_on = [ var.master_nodes, var.worker_nodes ]
+}

iac/cloud/openstack/lib/ansible-inventory/variables.tf

@@ -0,0 +1,27 @@
+variable "address_bastion" {
+  type = string
+  default = ""
+}
+
+variable "master_nodes" {
+  type = list(object({
+    id           = string
+    name         = string
+    access_ip_v4 = string
+  }))
+}
+
+variable "ssh_user" {
+  type    = string
+  default = "ubuntu"
+}
+
+variable "worker_nodes" {
+  type = list(object({
+    id           = string
+    name         = string
+    access_ip_v4 = string
+  }))
+}
+
+

iac/cloud/openstack/lib/ca/main.tf

@@ -0,0 +1,37 @@
+resource "local_file" "ca-certificate" {
+  filename        = "${path.root}/ca.crt"
+  content         = var.services_ca_crt != "" ? var.services_ca_crt : tls_self_signed_cert.ca[0].cert_pem
+  file_permission = "0644"
+}
+
+resource "local_file" "ca-certificate-key" {
+  filename        = "${path.root}/ca.key"
+  content         = var.services_ca_key != "" ? var.services_ca_key : tls_private_key.ca[0].private_key_pem
+  file_permission = "0600"
+}
+
+resource "tls_private_key" "ca" {
+  count     = var.services_ca_key != "" ? 0 : 1
+  algorithm = "RSA"
+}
+
+resource "tls_self_signed_cert" "ca" {
+  count = var.services_ca_crt != "" ? 0 : 1
+  #key_algorithm     = "RSA"
+  private_key_pem   = tls_private_key.ca[0].private_key_pem
+  is_ca_certificate = true
+
+  subject {
+    organization = "Rackspace Kubernetes Managed Services CA"
+  }
+
+  validity_period_hours = 87600
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "client_auth",
+    "cert_signing",
+  ]
+}

iac/cloud/openstack/lib/ca/output.tf

@@ -0,0 +1,3 @@
+output "certificate" {
+  value = local_file.ca-certificate.content
+}

iac/cloud/openstack/lib/ca/variables.tf

@@ -0,0 +1,9 @@
+variable "services_ca_crt" {
+  type    = string
+  default = ""
+}
+
+variable "services_ca_key" {
+  type    = string
+  default = ""
+}

iac/cloud/openstack/lib/floating-vip/main.tf

@@ -0,0 +1,24 @@
+
+
+resource "openstack_networking_port_v2" "vrrp" {
+  name               = "${var.naming_prefix}vrrp"
+  network_id         = var.network_id
+  security_group_ids = var.security_group_ids
+  admin_state_up     = "true"
+  fixed_ip {
+    ip_address = var.vrrp_ip
+    subnet_id  = var.subnet_id
+  }
+}
+
+resource "openstack_compute_floatingip_v2" "k8s_api_ip" {
+  count = var.floatingip_pool == "" ? 0 : 1
+  pool  = var.floatingip_pool
+
+}
+
+resource "openstack_networking_floatingip_associate_v2" "fip_1" {
+  count       = var.floatingip_pool == "" ? 0 : 1
+  floating_ip = openstack_compute_floatingip_v2.k8s_api_ip[0].address
+  port_id     = openstack_networking_port_v2.vrrp.id
+}

iac/cloud/openstack/lib/floating-vip/output.tf

@@ -0,0 +1,3 @@
+output "ip" {
+ value = var.floatingip_pool == "" ? var.vrrp_ip : openstack_compute_floatingip_v2.k8s_api_ip[0].address
+}

iac/cloud/openstack/lib/floating-vip/variables.tf

@@ -0,0 +1,32 @@
+variable "floatingip_pool" {
+  type    = string
+  default = ""
+}
+
+variable "naming_prefix" {
+  type = string
+}
+
+variable "network_id" {
+  type = string
+}
+variable "vrrp_ip" {
+  type = string
+}
+
+variable "subnet_id" {
+  type = string
+}
+
+variable "use_octavia" {
+  type = bool
+}
+variable "security_group_ids" {
+  type    = list(string)
+  default = []
+}
+
+variable "vlan_id" {
+  type    = string
+  default = ""
+}

iac/cloud/openstack/lib/floating-vip/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    openstack = {
+      source  = "terraform-provider-openstack/openstack",
+      version = "~> 1.53.0"
+    }
+  }
+  required_version = ">= 0.13"
+}

iac/cloud/openstack/lib/metallb/bgp.tf

@@ -0,0 +1,28 @@
+locals {
+  bgp_config = <<EOT
+peers:
+%{for peer in keys(var.metallb_bgp_peers)~}
+- peer-address: ${peer}
+  peer-asn: ${var.metallb_bgp_peers[peer]["peer_asn"]}
+  my-asn: ${var.metallb_bgp_peers[peer]["my_asn"]}
+%{endfor~}
+address-pools:
+%{for pool_name in keys(var.metallb_bgp_address_pools)~}
+- name: ${pool_name}
+  protocol: bgp
+  addresses:
+  - ${var.metallb_bgp_address_pools[pool_name]["address_pool"]}
+%{if contains(keys(var.metallb_bgp_address_pools[pool_name]), "auto_assign")~}
+  auto-assign: ${var.metallb_bgp_address_pools[pool_name]["auto_assign"]}
+%{endif~}
+  bgp-advertisements:
+  - aggregation-length: ${var.metallb_bgp_address_pools[pool_name]["bgp_advertisements_aggregation_length_local"]}
+    localpref: ${var.metallb_bgp_address_pools[pool_name]["bgp_advertisements_localpref"]}
+    communities:
+    - no-advertise
+  - aggregation-length: ${var.metallb_bgp_address_pools[pool_name]["bgp_advertisements_aggregation_length_generate"]}
+%{endfor~}
+bgp-communities:
+  no-advertise: 65535:65282
+EOT
+}

iac/cloud/openstack/lib/metallb/layer2.tf

@@ -0,0 +1,11 @@
+locals {
+  layer2_config = <<EOT
+address-pools:
+- name: default
+  protocol: layer2
+  addresses:
+%{if var.metallb_cidr_prefix != ""~}
+  - ${cidrhost(var.metallb_cidr_prefix, var.metallb_host_start)}-${cidrhost(var.metallb_cidr_prefix, var.metallb_host_start + var.metallb_host_count - 1)}
+%{endif~}
+EOT
+}

iac/cloud/openstack/lib/metallb/main.tf

@@ -0,0 +1,64 @@
+provider "helm" {
+  kubernetes {
+    config_path = "${path.root}/kube_config_cluster.yml"
+  }
+}
+
+provider "kubernetes" {
+  config_path = "${path.root}/kube_config_cluster.yml"
+}
+
+resource "kubernetes_namespace" "metallb" {
+  metadata {
+    name = "metallb-system"
+  }
+  depends_on = [var.module_depends_on]
+}
+
+
+resource "helm_release" "metallb" {
+  name       = "metallb"
+  repository = var.metallb_helm_repo
+  chart      = "metallb"
+  version    = var.metallb_helmchart_version
+  namespace  = var.metallb_namespace
+
+  dynamic "set" {
+    for_each = var.metallb_helmchart_vals
+    content {
+      name  = set.value.name
+      value = set.value.val
+    }
+  }
+
+  depends_on = [var.module_depends_on]
+}
+
+resource "kubernetes_config_map" "config" {
+  metadata {
+    name      = "metallb-config"
+    namespace = "metallb-system"
+  }
+
+  data = {
+    config = var.metallb_protocol == "bgp" ? local.bgp_config : local.layer2_config
+  }
+  depends_on = [helm_release.metallb, kubernetes_namespace.metallb]
+}
+
+resource "openstack_networking_port_v2" "metallb" {
+  name       = "k8s-metallb"
+  count      = var.metallb_reserve_range ? 1 : 0
+  network_id = var.network_id
+
+  # Currently blocked due to OpenStack policy violation
+
+  dynamic "fixed_ip" {
+    for_each = range(var.metallb_host_count)
+
+    content {
+      subnet_id  = var.subnet_id
+      ip_address = cidrhost(var.metallb_cidr_prefix, var.metallb_host_start + fixed_ip.value)
+    }
+  }
+}

iac/cloud/openstack/lib/metallb/variables.tf

@@ -0,0 +1,77 @@
+variable "module_depends_on" {
+  type    = any
+  default = null
+}
+
+variable "metallb_helm_repo" {
+  type = string
+  // This default is set to allow current code that uses this module
+  // to continue working, but this chart has been deprecated in this repo.
+  // The new location is: https://charts.bitnami.com/bitnami
+  default = "https://charts.helm.sh/stable"
+}
+
+variable "metallb_helmchart_version" {
+  type = string
+  // This default is set to allow current code that uses this module
+  // to continue working, but users should set this to variable something
+  // more recent.
+  default = "0.8.1"
+}
+
+// Overrides to set in the metallb helm chart.
+variable "metallb_helmchart_vals" {
+  type = list(object({
+    name = string
+    val  = string
+  }))
+  default = []
+}
+
+variable "metallb_namespace" {
+  type = string
+  // This default is set to allow current code that uses this module
+  // to continue working.
+  default = "metallb-system"
+}
+
+variable "metallb_cidr_prefix" {
+  type    = string
+  default = ""
+}
+
+variable "metallb_host_start" {
+  type = number
+}
+
+variable "metallb_host_count" {
+  type = number
+}
+
+variable "metallb_reserve_range" {
+  type    = bool
+  default = false
+}
+
+variable "metallb_protocol" {
+  type    = string
+  default = ""
+}
+
+variable "metallb_bgp_peers" {
+  type    = map(any)
+  default = {}
+}
+
+variable "metallb_bgp_address_pools" {
+  type    = map(any)
+  default = {}
+}
+
+variable "network_id" {
+  type = string
+}
+
+variable "subnet_id" {
+  type = string
+}