okd/roles/openshift_openstack/templates/heat_stack.yaml.j2

heat_template_version: 2016-10-14

description: OpenShift cluster

parameters:

outputs:

  etcd_names:
    description: Name of the etcds
    value: { get_attr: [ etcd, name ] }

  etcd_ips:
    description: IPs of the etcds
    value: { get_attr: [ etcd, private_ip ] }

  etcd_floating_ips:
    description: Floating IPs of the etcds
    value: { get_attr: [ etcd, floating_ip ] }

  master_names:
    description: Name of the masters
    value: { get_attr: [ masters, name ] }

  master_ips:
    description: IPs of the masters
    value: { get_attr: [ masters, private_ip ] }

  master_floating_ips:
    description: Floating IPs of the masters
    value: { get_attr: [ masters, floating_ip ] }

  node_names:
    description: Name of the nodes
    value: { get_attr: [ compute_nodes, name ] }

  node_ips:
    description: IPs of the nodes
    value: { get_attr: [ compute_nodes, private_ip ] }

  node_floating_ips:
    description: Floating IPs of the nodes
    value: { get_attr: [ compute_nodes, floating_ip ] }

  infra_names:
    description: Name of the nodes
    value: { get_attr: [ infra_nodes, name ] }

  infra_ips:
    description: IPs of the nodes
    value: { get_attr: [ infra_nodes, private_ip ] }

  infra_floating_ips:
    description: Floating IPs of the nodes
    value: { get_attr: [ infra_nodes, floating_ip ] }

conditions:
  no_floating: {% if openshift_openstack_provider_network_name %}true{% else %}false{% endif %}

resources:

{% if not openshift_openstack_provider_network_name %}
  net:
    type: OS::Neutron::Net
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-net
          params:
            cluster_id: {{ openshift_openstack_stack_name }}

  subnet:
    type: OS::Neutron::Subnet
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-subnet
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      network: { get_resource: net }
      cidr:
        str_replace:
          template: subnet_24_prefix.0/24
          params:
            subnet_24_prefix: {{ openshift_openstack_subnet_prefix }}
      allocation_pools:
        - start:
            str_replace:
              template: subnet_24_prefix.3
              params:
                subnet_24_prefix: {{ openshift_openstack_subnet_prefix }}
          end:
            str_replace:
              template: subnet_24_prefix.254
              params:
                subnet_24_prefix: {{ openshift_openstack_subnet_prefix }}
      dns_nameservers:
{% for nameserver in openshift_openstack_dns_nameservers %}
        - {{ nameserver }}
{% endfor %}

{% if openshift_use_flannel|default(False)|bool %}
  data_net:
    type: OS::Neutron::Net
    properties:
      name: openshift-ansible-{{ openshift_openstack_stack_name }}-data-net
      port_security_enabled: false

  data_subnet:
    type: OS::Neutron::Subnet
    properties:
      name: openshift-ansible-{{ openshift_openstack_stack_name }}-data-subnet
      network: { get_resource: data_net }
      cidr: {{ osm_cluster_network_cidr|default('10.128.0.0/14') }}
      gateway_ip: null
{% endif %}

  router:
    type: OS::Neutron::Router
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-router
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      external_gateway_info:
        network: {{ openshift_openstack_external_network_name }}

  interface:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: { get_resource: router }
      subnet_id: { get_resource: subnet }

{% endif %}

#  keypair:
#    type: OS::Nova::KeyPair
#    properties:
#      name:
#        str_replace:
#          template: openshift-ansible-cluster_id-keypair
#          params:
#            cluster_id: {{ openshift_openstack_stack_name }}
#      public_key: {{ openshift_openstack_keypair_name }}

  common-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-common-secgrp
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      description:
        str_replace:
          template: Basic ssh/icmp security group for cluster_id OpenShift cluster
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }}
        - direction: ingress
          protocol: icmp
          remote_ip_prefix: {{ openshift_openstack_ssh_ingress_cidr }}

{% if openshift_openstack_flat_secgrp|default(False)|bool %}
  flat-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-flat-secgrp
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
        - direction: ingress
          protocol: tcp
          port_range_min: {{ openshift_master_api_port|default(8443) }}
          port_range_max: {{ openshift_master_api_port|default(8443) }}
        - direction: ingress
          protocol: tcp
          port_range_min: {{ openshift_master_console_port|default(8443) }}
          port_range_max: {{ openshift_master_console_port|default(8443) }}
        - direction: ingress
          protocol: tcp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: udp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: udp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: tcp
          port_range_min: 2224
          port_range_max: 2224
        - direction: ingress
          protocol: udp
          port_range_min: 5404
          port_range_max: 5405
        - direction: ingress
          protocol: tcp
          port_range_min: 9090
          port_range_max: 9090
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2380
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 4789
          port_range_max: 4789
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: {{ openshift_openstack_node_ingress_cidr }}
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24"
{% else %}
  master-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-master-secgrp
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster master
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
        - direction: ingress
          protocol: tcp
          port_range_min: {{ openshift_master_api_port|default(8443) }}
          port_range_max: {{ openshift_master_api_port|default(8443) }}
        - direction: ingress
          protocol: tcp
          port_range_min: {{ openshift_master_console_port|default(8443) }}
          port_range_max: {{ openshift_master_console_port|default(8443) }}
        - direction: ingress
          protocol: tcp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: udp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: udp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: tcp
          port_range_min: 2224
          port_range_max: 2224
        - direction: ingress
          protocol: udp
          port_range_min: 5404
          port_range_max: 5405
        - direction: ingress
          protocol: tcp
          port_range_min: 9090
          port_range_max: 9090
{% if openshift_use_flannel|default(False)|bool %}
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2379
{% endif %}

  etcd-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-etcd-secgrp
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id etcd cluster
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2379
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master-secgrp }
        - direction: ingress
          protocol: tcp
          port_range_min: 2380
          port_range_max: 2380
          remote_mode: remote_group_id

  node-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-node-secgrp
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster nodes
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 4789
          port_range_max: 4789
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: {{ openshift_openstack_node_ingress_cidr }}
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: "{{ openshift_openstack_subnet_prefix }}.0/24"
{% endif %}

  infra-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-infra-secgrp
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift infrastructure cluster nodes
          params:
            cluster_id: {{ openshift_openstack_stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 80
          port_range_max: 80
        - direction: ingress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443

{% if openshift_openstack_num_masters|int > 1 %}
  lb-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name: openshift-ansible-{{ openshift_openstack_stack_name }}-lb-secgrp
      description: Security group for {{ openshift_openstack_stack_name }} cluster Load Balancer
      rules:
      - direction: ingress
        protocol: tcp
        port_range_min: {{ openshift_master_api_port | default(8443) }}
        port_range_max: {{ openshift_master_api_port | default(8443) }}
        remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }}
{% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
      - direction: ingress
        protocol: tcp
        port_range_min: {{ openshift_master_console_port | default(8443) }}
        port_range_max: {{ openshift_master_console_port | default(8443) }}
        remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }}
{% endif %}
{% endif %}

  etcd:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ openshift_openstack_num_etcd }}
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
                k8s_type: {{ openshift_openstack_etcd_hostname }}
          cluster_env: {{ openshift_openstack_public_dns_domain }}
          cluster_id:  {{ openshift_openstack_stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: etcds
                cluster_id: {{ openshift_openstack_stack_name }}
          type:        etcd
          image:       {{ openshift_openstack_etcd_image }}
          flavor:      {{ openshift_openstack_etcd_flavor }}
          key_name:    {{ openshift_openstack_keypair_name }}
{% if openshift_openstack_provider_network_name %}
          net:         {{ openshift_openstack_provider_network_name }}
          net_name:         {{ openshift_openstack_provider_network_name }}
{% else %}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
{% endif %}
          secgrp:
            - { get_resource: {% if openshift_openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} }
            - { get_resource: common-secgrp }
          floating_network:
            if:
              - no_floating
              - null
              - {{ openshift_openstack_external_network_name }}
{% if openshift_openstack_provider_network_name %}
          attach_float_net: false
{% endif %}
          volume_size: {{ openshift_openstack_etcd_volume_size }}
{% if not openshift_openstack_provider_network_name %}
    depends_on:
      - interface
{% endif %}

{% if openshift_openstack_master_server_group_policies|length > 0 %}
  master_server_group:
    type: OS::Nova::ServerGroup
    properties:
      name: master_server_group
      policies: {{ openshift_openstack_master_server_group_policies }}
{% endif %}
{% if openshift_openstack_infra_server_group_policies|length > 0 %}
  infra_server_group:
    type: OS::Nova::ServerGroup
    properties:
      name: infra_server_group
      policies: {{ openshift_openstack_infra_server_group_policies }}
{% endif %}
{% if openshift_openstack_num_masters|int > 1 %}
  loadbalancer:
    type: OS::Heat::ResourceGroup
    properties:
      count: 1
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
                k8s_type: {{ openshift_openstack_lb_hostname }}
          cluster_env: {{ openshift_openstack_public_dns_domain }}
          cluster_id:  {{ openshift_openstack_stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: lb
                cluster_id: {{ openshift_openstack_stack_name }}
          type:        lb
          image:       {{ openshift_openstack_lb_image }}
          flavor:      {{ openshift_openstack_lb_flavor }}
          key_name:    {{ openshift_openstack_keypair_name }}
{% if openshift_openstack_provider_network_name %}
          net:         {{ openshift_openstack_provider_network_name }}
          net_name:         {{ openshift_openstack_provider_network_name }}
{% else %}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
{% endif %}
          secgrp:
            - { get_resource: lb-secgrp }
            - { get_resource: common-secgrp }
{% if not openshift_openstack_provider_network_name %}
          floating_network: {{ openshift_openstack_external_network_name }}
{% endif %}
          volume_size: {{ openshift_openstack_lb_volume_size }}
{% if not openshift_openstack_provider_network_name %}
    depends_on:
      - interface
{% endif %}
{% endif %}

  masters:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ openshift_openstack_num_masters }}
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
                k8s_type: {{ openshift_openstack_master_hostname }}
          cluster_env: {{ openshift_openstack_public_dns_domain }}
          cluster_id:  {{ openshift_openstack_stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: masters
                cluster_id: {{ openshift_openstack_stack_name }}
          type:        master
          image:       {{ openshift_openstack_master_image }}
          flavor:      {{ openshift_openstack_master_flavor }}
          key_name:    {{ openshift_openstack_keypair_name }}
{% if openshift_openstack_provider_network_name %}
          net:         {{ openshift_openstack_provider_network_name }}
          net_name:         {{ openshift_openstack_provider_network_name }}
{% else %}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
{% if openshift_use_flannel|default(False)|bool %}
          attach_data_net: true
          data_net:    { get_resource: data_net }
          data_subnet: { get_resource: data_subnet }
{% endif %}
{% endif %}
          secgrp:
{% if openshift_openstack_flat_secgrp|default(False)|bool %}
            - { get_resource: flat-secgrp }
{% else %}
            - { get_resource: master-secgrp }
            - { get_resource: node-secgrp }
{% if openshift_openstack_num_etcd|int == 0 %}
            - { get_resource: etcd-secgrp }
{% endif %}
{% endif %}
            - { get_resource: common-secgrp }
          floating_network:
            if:
              - no_floating
              - null
              - {{ openshift_openstack_external_network_name }}
{% if openshift_openstack_provider_network_name %}
          attach_float_net: false
{% endif %}
          volume_size: {{ openshift_openstack_master_volume_size }}
{% if openshift_openstack_master_server_group_policies|length > 0 %}
          scheduler_hints:
            group: { get_resource: master_server_group }
{% endif %}
{% if not openshift_openstack_provider_network_name %}
    depends_on:
      - interface
{% endif %}

  compute_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ openshift_openstack_num_nodes }}
      removal_policies:
      - resource_list: {{ openshift_openstack_nodes_to_remove }}
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: sub_type_k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
                sub_type_k8s_type: {{ openshift_openstack_node_hostname }}
          cluster_env: {{ openshift_openstack_public_dns_domain }}
          cluster_id:  {{ openshift_openstack_stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: nodes
                cluster_id: {{ openshift_openstack_stack_name }}
          type:        node
          subtype:     app
          node_labels:
{% for k, v in openshift_openstack_cluster_node_labels.app.items() %}
            {{ k|e }}: {{ v|e }}
{% endfor %}
          image:       {{ openshift_openstack_node_image }}
          flavor:      {{ openshift_openstack_node_flavor }}
          key_name:    {{ openshift_openstack_keypair_name }}
{% if openshift_openstack_provider_network_name %}
          net:         {{ openshift_openstack_provider_network_name }}
          net_name:         {{ openshift_openstack_provider_network_name }}
{% else %}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
{% if openshift_use_flannel|default(False)|bool %}
          attach_data_net: true
          data_net:    { get_resource: data_net }
          data_subnet: { get_resource: data_subnet }
{% endif %}
{% endif %}
          secgrp:
            - { get_resource: {% if openshift_openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }
            - { get_resource: common-secgrp }
          floating_network:
            if:
              - no_floating
              - null
              - {{ openshift_openstack_external_network_name }}
{% if openshift_openstack_provider_network_name %}
          attach_float_net: false
{% endif %}
          volume_size: {{ openshift_openstack_node_volume_size }}
{% if not openshift_openstack_provider_network_name %}
    depends_on:
      - interface
{% endif %}

  infra_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ openshift_openstack_num_infra }}
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: sub_type_k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
                sub_type_k8s_type: {{ openshift_openstack_infra_hostname }}
          cluster_env: {{ openshift_openstack_public_dns_domain }}
          cluster_id:  {{ openshift_openstack_stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: infra
                cluster_id: {{ openshift_openstack_stack_name }}
          type:        node
          subtype:     infra
          node_labels:
{% for k, v in openshift_openstack_cluster_node_labels.infra.items() %}
            {{ k|e }}: {{ v|e }}
{% endfor %}
          image:       {{ openshift_openstack_infra_image }}
          flavor:      {{ openshift_openstack_infra_flavor }}
          key_name:    {{ openshift_openstack_keypair_name }}
{% if openshift_openstack_provider_network_name %}
          net:         {{ openshift_openstack_provider_network_name }}
          net_name:         {{ openshift_openstack_provider_network_name }}
{% else %}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ openshift_openstack_stack_name }}
{% if openshift_use_flannel|default(False)|bool %}
          attach_data_net: true
          data_net:    { get_resource: data_net }
          data_subnet: { get_resource: data_subnet }
{% endif %}
{% endif %}
          secgrp:
# TODO(bogdando) filter only required node rules into infra-secgrp
{% if openshift_openstack_flat_secgrp|default(False)|bool %}
            - { get_resource: flat-secgrp }
{% else %}
            - { get_resource: node-secgrp }
{% endif %}
            - { get_resource: infra-secgrp }
            - { get_resource: common-secgrp }
{% if not openshift_openstack_provider_network_name %}
          floating_network: {{ openshift_openstack_external_network_name }}
{% endif %}
          volume_size: {{ openshift_openstack_infra_volume_size }}
{% if openshift_openstack_infra_server_group_policies|length > 0 %}
          scheduler_hints:
            group: { get_resource: infra_server_group }
{% endif %}
{% if not openshift_openstack_provider_network_name %}
    depends_on:
      - interface
{% endif %}