okd/playbooks/openstack/openshift-cluster/files/heat_stack.yml

heat_template_version: 2014-10-16

description: OpenShift cluster

parameters:
  cluster-id:
    type: string
    label: Cluster ID
    description: Identifier of the cluster

  network-prefix:
    type: string
    label: Network prefix
    description: Prefix of the network objects

  cidr:
    type: string
    label: CIDR
    description: CIDR of the network of the cluster

  dns-nameservers:
    type: comma_delimited_list
    label: DNS nameservers list
    description: List of DNS nameservers

  external-net:
    type: string
    label: External network
    description: Name of the external network
    default: external

  ssh-incoming:
    type: string
    label: Source of ssh connections
    description: Source of legitimate ssh connections

resources:
  net:
    type: OS::Neutron::Net
    properties:
      name:
        str_replace:
          template: network-prefix-net
          params:
            network-prefix: { get_param: network-prefix }

  subnet:
    type: OS::Neutron::Subnet
    properties:
      name:
        str_replace:
          template: network-prefix-subnet
          params:
            network-prefix: { get_param: network-prefix }
      network: { get_resource: net }
      cidr: { get_param: cidr }
      dns_nameservers: { get_param: dns-nameservers }

  router:
    type: OS::Neutron::Router
    properties:
      name:
        str_replace:
          template: network-prefix-router
          params:
            network-prefix: { get_param: network-prefix }
      external_gateway_info:
        network: { get_param: external-net }

  interface:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: { get_resource: router }
      subnet_id: { get_resource: subnet }

  node-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: network-prefix-node-secgrp
          params:
            network-prefix: { get_param: network-prefix }
      description:
        str_replace:
          template: Security group for cluster-id OpenShift cluster nodes
          params:
            cluster-id: { get_param: cluster-id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh-incoming }
        - direction: ingress
          protocol: udp
          port_range_min: 4789
          port_range_max: 4789
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master-secgrp }

  master-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: network-prefix-master-secgrp
          params:
            network-prefix: { get_param: network-prefix }
      description:
        str_replace:
          template: Security group for cluster-id OpenShift cluster master
          params:
            cluster-id: { get_param: cluster-id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh-incoming }
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
        - direction: ingress
          protocol: tcp
          port_range_min: 8443
          port_range_max: 8443
        - direction: ingress
          protocol: tcp
          port_range_min: 53
          port_range_max: 53
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: udp
          port_range_min: 24224
          port_range_max: 24224