Use only internal network and skip assigning fips

[darmach]

Added new variable infra_use_floatingip allowing to skip allocation of floating IPs using only infra network for deployment and Magnum communication.

• infra_use_floatingip defaults to True to retain current defaults
• abovementioned parameter set to False should be used along with infra_network_id pointing to internal provider network accessible from controllers that is used both for nodes and Magnum internal connectivity. capi_cluster_apiserver_floating_ip might also be set to False in the environment.

[sd109]

Is there a reason we can't just use the 'infra provisioning network' here instead? Doesn't that achieve the same thing?

The existing templating based on infra_provisioning_network_id looks like it already skips FIP assignment if a provisioning network ID is set:

ansible-collection-azimuth-ops/roles/infra/templates/resources.tf.j2

Lines 143 to 168 in e85686d

	{% if not infra_provisioning_network_id %}
	{% if not infra_fixed_floatingip %}
	{% if not infra_floatingip_pool %}
	data "openstack_networking_network_v2" "external_net" {
	network_id = "{{ infra_external_network_id }}"
	}
	{% endif %}
	resource "openstack_networking_floatingip_v2" "fip" {
	{% if infra_floatingip_pool %}
	pool = "{{ infra_floatingip_pool }}"
	{% else %}
	pool = data.openstack_networking_network_v2.external_net.name
	{% endif %}
	}
	{% endif %}
	resource "openstack_compute_floatingip_associate_v2" "fip_associate" {
	{% if infra_fixed_floatingip %}
	floating_ip = "{{ infra_fixed_floatingip }}"
	{% else %}
	floating_ip = openstack_networking_floatingip_v2.fip.address
	{% endif %}
	instance_id = openstack_compute_instance_v2.node.id
	}
	{% endif %}

[sd109]

Ignore that, I had misunderstood how the provisioning network was used in the default terraform. I've tested this patch on a different site and it works so LGTM.

[sd109]

@mkjpryor CI is failing because the CI env isn't getting set for some reason (see job step output here compared to a different successful CI run here). It looks like I don't have access to the required repo settings to debug further.

[mkjpryor]

@sd109 It fails CI because the branch is in a fork and forks don't have access to any of the secrets for the main repository.

We should look at moving to pull_request_target potentially, so we can safely run against forks.

@darmach For now, can you rebase and move the branch into the main repo? I will grant you the required permissions.

[darmach]

@mkjpryor Let's close this on and continue in #619 ?