[openstack] fix for new network modules

kubernetes-sigs · Apr 13, 2022 · 24c7634 · 24c7634
1 parent 3d4baea
commit 24c7634
Show file tree

Hide file tree

Showing 7 changed files with 129 additions and 51 deletions.
diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
@@ -89,8 +89,10 @@ module "compute" {
   extra_sec_groups_name                        = var.extra_sec_groups_name
   group_vars_path                              = var.group_vars_path
   port_security_enabled                        = var.port_security_enabled
-
-  network_id = module.network.router_id
+  force_null_port_security                     = var.force_null_port_security
+  network_router_id                            = module.network.router_id
+  network_id                                   = module.network.network_id
+  use_existing_network                         = var.use_existing_network
 }
 
 output "private_subnet_id" {

diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
@@ -20,7 +20,8 @@ data "template_file" "cloudinit" {
 }
 
 data "openstack_networking_network_v2" "k8s_network" {
-  name = var.network_name
+  count = var.use_existing_network ? 1 : 0
+  name  = var.network_name
 }
 
 resource "openstack_compute_keypair_v2" "k8s" {
@@ -158,25 +159,25 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
 locals {
 # master groups
   master_sec_groups = compact([
-    openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+    openstack_networking_secgroup_v2.k8s_master.id,
+    openstack_networking_secgroup_v2.k8s.id,
+    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].id : "",
   ])
 # worker groups
   worker_sec_groups = compact([
-    openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-    var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].name : "",
+    openstack_networking_secgroup_v2.k8s.id,
+    openstack_networking_secgroup_v2.worker.id,
+    var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].id : "",
   ])
 # bastion groups
   bastion_sec_groups = compact(concat([
-    openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.bastion[0].name,
+    openstack_networking_secgroup_v2.k8s.id,
+    openstack_networking_secgroup_v2.bastion[0].id,
   ]))
 # etcd groups
-  etcd_sec_groups = compact([openstack_networking_secgroup_v2.k8s.name])
+  etcd_sec_groups = compact([openstack_networking_secgroup_v2.k8s.id])
 # glusterfs groups
-  gfs_sec_groups = compact([openstack_networking_secgroup_v2.k8s.name])
+  gfs_sec_groups = compact([openstack_networking_secgroup_v2.k8s.id])
 
 # Image uuid
   image_to_use_node = var.image_uuid != "" ? var.image_uuid : data.openstack_images_image_v2.vm_image[0].id
@@ -189,11 +190,15 @@ locals {
 resource "openstack_networking_port_v2" "bastion_port" {
   count                 = var.number_of_bastions
   name                  = "${var.cluster_name}-bastion-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.bastion_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "bastion" {
@@ -223,7 +228,7 @@ resource "openstack_compute_instance_v2" "bastion" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "bastion"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
@@ -235,11 +240,15 @@ resource "openstack_compute_instance_v2" "bastion" {
 resource "openstack_networking_port_v2" "k8s_master_port" {
   count                 = var.number_of_k8s_masters
   name                  = "${var.cluster_name}-k8s-master-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_master" {
@@ -279,7 +288,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "etcd,kube_control_plane,${var.supplementary_master_groups},k8s_cluster"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
@@ -291,11 +300,15 @@ resource "openstack_compute_instance_v2" "k8s_master" {
 resource "openstack_networking_port_v2" "k8s_master_no_etcd_port" {
   count                 = var.number_of_k8s_masters_no_etcd
   name                  = "${var.cluster_name}-k8s-master-ne-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
@@ -335,7 +348,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_control_plane,${var.supplementary_master_groups},k8s_cluster"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
@@ -347,11 +360,15 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
 resource "openstack_networking_port_v2" "etcd_port" {
   count                 = var.number_of_etcd
   name                  = "${var.cluster_name}-etcd-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.etcd_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "etcd" {
@@ -389,19 +406,23 @@ resource "openstack_compute_instance_v2" "etcd" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "etcd,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
 resource "openstack_networking_port_v2" "k8s_master_no_floating_ip_port" {
   count                 = var.number_of_k8s_masters_no_floating_ip
   name                  = "${var.cluster_name}-k8s-master-nf-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
@@ -439,19 +460,23 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "etcd,kube_control_plane,${var.supplementary_master_groups},k8s_cluster,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
 resource "openstack_networking_port_v2" "k8s_master_no_floating_ip_no_etcd_port" {
   count                 = var.number_of_k8s_masters_no_floating_ip_no_etcd
   name                  = "${var.cluster_name}-k8s-master-ne-nf-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.master_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
@@ -490,19 +515,23 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_control_plane,${var.supplementary_master_groups},k8s_cluster,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
 resource "openstack_networking_port_v2" "k8s_node_port" {
   count                 = var.number_of_k8s_nodes
   name                  = "${var.cluster_name}-k8s-node-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_node" {
@@ -542,7 +571,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_node,k8s_cluster,${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
@@ -554,11 +583,15 @@ resource "openstack_compute_instance_v2" "k8s_node" {
 resource "openstack_networking_port_v2" "k8s_node_no_floating_ip_port" {
   count                 = var.number_of_k8s_nodes_no_floating_ip
   name                  = "${var.cluster_name}-k8s-node-nf-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
@@ -597,19 +630,23 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_node,k8s_cluster,no_floating,${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }
 
 resource "openstack_networking_port_v2" "k8s_nodes_port" {
   for_each              = var.number_of_k8s_nodes == 0 && var.number_of_k8s_nodes_no_floating_ip == 0 ? var.k8s_nodes : {}
   name                  = "${var.cluster_name}-k8s-node-${each.key}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
   security_group_ids    = var.port_security_enabled ? local.worker_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "k8s_nodes" {
@@ -648,7 +685,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
   metadata = {
     ssh_user         = var.ssh_user
     kubespray_groups = "kube_node,k8s_cluster,%{if each.value.floating_ip == false}no_floating,%{endif}${var.supplementary_node_groups}"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 
@@ -660,11 +697,15 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
 resource "openstack_networking_port_v2" "glusterfs_node_no_floating_ip_port" {
   count                 = var.number_of_gfs_nodes_no_floating_ip
   name                  = "${var.cluster_name}-gfs-node-nf-${count.index + 1}"
-  network_id            = "${data.openstack_networking_network_v2.k8s_network.id}"
+  network_id            = var.use_existing_network ? data.openstack_networking_network_v2.k8s_network[0].id : var.network_id
   admin_state_up        = "true"
-  port_security_enabled = var.port_security_enabled
-  security_group_ids   = var.port_security_enabled ? local.gfs_sec_groups : null
+  port_security_enabled = var.force_null_port_security ? null : var.port_security_enabled
+  security_group_ids    = var.port_security_enabled ? local.gfs_sec_groups : null
   no_security_groups    = var.port_security_enabled ? null : false
+
+  depends_on = [
+    var.network_router_id
+  ]
 }
 
 resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
@@ -701,7 +742,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
   metadata = {
     ssh_user         = var.ssh_user_gfs
     kubespray_groups = "gfs-cluster,network-storage,no_floating"
-    depends_on       = var.network_id
+    depends_on       = var.network_router_id
     use_access_ip    = var.use_access_ip
   }
 }

diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -68,6 +68,14 @@ variable "network_id" {
   default = ""
 }
 
+variable "use_existing_network" {
+  type = bool
+}
+
+variable "network_router_id" {
+  default = ""
+}
+
 variable "k8s_master_fips" {
   type = list
 }
@@ -167,3 +175,7 @@ variable "group_vars_path" {
 variable "port_security_enabled" {
   type = bool
 }
+
+variable "force_null_port_security" {
+  type = bool
+}
diff --git a/contrib/terraform/openstack/modules/network/outputs.tf b/contrib/terraform/openstack/modules/network/outputs.tf
@@ -2,6 +2,10 @@ output "router_id" {
   value = "%{if var.use_neutron == 1} ${var.router_id == null ? element(concat(openstack_networking_router_v2.k8s.*.id, [""]), 0) : var.router_id} %{else} %{endif}"
 }
 
+output "network_id" {
+  value = element(concat(openstack_networking_network_v2.k8s.*.id, [""]),0)
+}
+
 output "router_internal_port_id" {
   value = element(concat(openstack_networking_router_interface_v2.k8s.*.id, [""]), 0)
 }

diff --git a/contrib/terraform/openstack/sample-inventory/cluster.tfvars b/contrib/terraform/openstack/sample-inventory/cluster.tfvars
@@ -52,10 +52,16 @@ number_of_k8s_nodes_no_floating_ip = 4
 # networking
 network_name = "<network>"
 
+# Use a existing network with the name of network_name. Set to false to create a network with name of network_name.
+# use_existing_network = true
+
 external_net = "<UUID>"
 
 subnet_cidr = "<cidr>"
 
 floatingip_pool = "<pool>"
 
 bastion_allowed_remote_ips = ["0.0.0.0/0"]
+
+# Force port security to be null. Some cloud providers do not allow to set port security.
+# force_null_port_security = false