okd/roles/openstack-stack/templates/heat_stack.yaml.j2

heat_template_version: 2016-10-14

description: OpenShift cluster

parameters:

outputs:

  etcd_names:
    description: Name of the etcds
    value: { get_attr: [ etcd, name ] }

  etcd_ips:
    description: IPs of the etcds
    value: { get_attr: [ etcd, private_ip ] }

  etcd_floating_ips:
    description: Floating IPs of the etcds
    value: { get_attr: [ etcd, floating_ip ] }

  master_names:
    description: Name of the masters
    value: { get_attr: [ masters, name ] }

  master_ips:
    description: IPs of the masters
    value: { get_attr: [ masters, private_ip ] }

  master_floating_ips:
    description: Floating IPs of the masters
    value: { get_attr: [ masters, floating_ip ] }

  node_names:
    description: Name of the nodes
    value: { get_attr: [ compute_nodes, name ] }

  node_ips:
    description: IPs of the nodes
    value: { get_attr: [ compute_nodes, private_ip ] }

  node_floating_ips:
    description: Floating IPs of the nodes
    value: { get_attr: [ compute_nodes, floating_ip ] }

  infra_names:
    description: Name of the nodes
    value: { get_attr: [ infra_nodes, name ] }

  infra_ips:
    description: IPs of the nodes
    value: { get_attr: [ infra_nodes, private_ip ] }

  infra_floating_ips:
    description: Floating IPs of the nodes
    value: { get_attr: [ infra_nodes, floating_ip ] }

  dns_name:
    description: Name of the DNS
    value:
      get_attr:
        - dns
        - name

  dns_floating_ips:
    description: Floating IPs of the DNS
    value: { get_attr: [ dns, floating_ip ] }

  dns_private_ips:
    description: Private IPs of the DNS
    value: { get_attr: [ dns, private_ip ] }

resources:

  net:
    type: OS::Neutron::Net
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-net
          params:
            cluster_id: {{ stack_name }}

  subnet:
    type: OS::Neutron::Subnet
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-subnet
          params:
            cluster_id: {{ stack_name }}
      network: { get_resource: net }
      cidr:
        str_replace:
          template: subnet_24_prefix.0/24
          params:
            subnet_24_prefix: {{ subnet_prefix }}
      allocation_pools:
        - start:
            str_replace:
              template: subnet_24_prefix.3
              params:
                subnet_24_prefix: {{ subnet_prefix }}
          end:
            str_replace:
              template: subnet_24_prefix.254
              params:
                subnet_24_prefix: {{ subnet_prefix }}
      dns_nameservers:
{% for nameserver in dns_nameservers %}
        - {{ nameserver }}
{% endfor %}

  router:
    type: OS::Neutron::Router
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-router
          params:
            cluster_id: {{ stack_name }}
      external_gateway_info:
        network: {{ external_network }}

  interface:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: { get_resource: router }
      subnet_id: { get_resource: subnet }

#  keypair:
#    type: OS::Nova::KeyPair
#    properties:
#      name:
#        str_replace:
#          template: openshift-ansible-cluster_id-keypair
#          params:
#            cluster_id: {{ stack_name }}
#      public_key: {{ ssh_public_key }}

  common-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-common-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Basic ssh/icmp security group for cluster_id OpenShift cluster
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: {{ ssh_ingress_cidr }}
{% if use_bastion|bool %}
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: {{ bastion_ingress_cidr }}
{% endif %}
        - direction: ingress
          protocol: icmp
          remote_ip_prefix: {{ ssh_ingress_cidr }}

{% if openstack_flat_secgrp|default(False)|bool %}
  flat-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-flat-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
        - direction: ingress
          protocol: tcp
          port_range_min: 8443
          port_range_max: 8444
        - direction: ingress
          protocol: tcp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: udp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: udp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: tcp
          port_range_min: 2224
          port_range_max: 2224
        - direction: ingress
          protocol: udp
          port_range_min: 5404
          port_range_max: 5405
        - direction: ingress
          protocol: tcp
          port_range_min: 9090
          port_range_max: 9090
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2380
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 4789
          port_range_max: 4789
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: {{ node_ingress_cidr }}
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
{% else %}
  master-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-master-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster master
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
        - direction: ingress
          protocol: tcp
          port_range_min: 8443
          port_range_max: 8444
        - direction: ingress
          protocol: tcp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: udp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: udp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: tcp
          port_range_min: 2224
          port_range_max: 2224
        - direction: ingress
          protocol: udp
          port_range_min: 5404
          port_range_max: 5405
        - direction: ingress
          protocol: tcp
          port_range_min: 9090
          port_range_max: 9090

  etcd-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-etcd-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id etcd cluster
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2379
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master-secgrp }
        - direction: ingress
          protocol: tcp
          port_range_min: 2380
          port_range_max: 2380
          remote_mode: remote_group_id

  node-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-node-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster nodes
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 4789
          port_range_max: 4789
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: {{ node_ingress_cidr }}
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
{% endif %}

  infra-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-infra-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id OpenShift infrastructure cluster nodes
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 80
          port_range_max: 80
        - direction: ingress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443

  dns-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-dns-secgrp
          params:
            cluster_id: {{ stack_name }}
      description:
        str_replace:
          template: Security group for cluster_id cluster DNS
          params:
            cluster_id: {{ stack_name }}
      rules:
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_ip_prefix: {{ node_ingress_cidr }}
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
        - direction: ingress
          protocol: tcp
          port_range_min: 53
          port_range_max: 53
          remote_ip_prefix: {{ node_ingress_cidr }}
        - direction: ingress
          protocol: tcp
          port_range_min: 53
          port_range_max: 53
          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
{% if num_masters > 1 %}
  lb-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name: openshift-ansible-{{ stack_name }}-lb-secgrp
      description: Security group for {{ stack_name }} cluster Load Balancer
      rules:
      - direction: ingress
        protocol: tcp
        port_range_min: {{ openshift_master_api_port | default(8443) }}
        port_range_max: {{ openshift_master_api_port | default(8443) }}
        remote_ip_prefix: {{ lb_ingress_cidr }}
  {% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %}
      - direction: ingress
        protocol: tcp
        port_range_min: {{ openshift_master_console_port | default(8443) }}
        port_range_max: {{ openshift_master_console_port | default(8443) }}
        remote_ip_prefix: {{ lb_ingress_cidr }}
  {% endif %}
{% endif %}

  etcd:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ num_etcd }}
      resource_def:
{% if use_bastion|bool %}
        type: server_nofloating.yaml
{% else %}
        type: server.yaml
{% endif %}
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ stack_name }}
                k8s_type: etcd
          cluster_env: {{ public_dns_domain }}
          cluster_id:  {{ stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: etcds
                cluster_id: {{ stack_name }}
          type:        etcd
          image:       {{ openstack_image }}
          flavor:      {{ etcd_flavor }}
          key_name:    {{ ssh_public_key }}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} }
            - { get_resource: common-secgrp }
{% if not use_bastion|bool %}
          floating_network: {{ external_network }}
{% endif %}
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ stack_name }}
          volume_size: {{ etcd_volume_size }}
    depends_on:
      - interface

{% if num_masters > 1 %}
  loadbalancer:
    type: OS::Heat::ResourceGroup
    properties:
      count: 1
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ stack_name }}
                k8s_type: lb
          cluster_env: {{ public_dns_domain }}
          cluster_id:  {{ stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: lb
                cluster_id: {{ stack_name }}
          type:        lb
          image:       {{ openstack_image }}
          flavor:      {{ lb_flavor }}
          key_name:    {{ ssh_public_key }}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: lb-secgrp }
            - { get_resource: common-secgrp }
          floating_network: {{ external_network }}
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ stack_name }}
          volume_size: 5
    depends_on:
      - interface
{% endif %}

  masters:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ num_masters }}
      resource_def:
{% if use_bastion|bool %}
        type: server_nofloating.yaml
{% else %}
        type: server.yaml
{% endif %}
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ stack_name }}
                k8s_type: master
          cluster_env: {{ public_dns_domain }}
          cluster_id:  {{ stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: masters
                cluster_id: {{ stack_name }}
          type:        master
          image:       {{ openstack_image }}
          flavor:      {{ master_flavor }}
          key_name:    {{ ssh_public_key }}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
{% if openstack_flat_secgrp|default(False)|bool %}
            - { get_resource: flat-secgrp }
{% else %}
            - { get_resource: master-secgrp }
            - { get_resource: node-secgrp }
{% if num_etcd == 0 %}
            - { get_resource: etcd-secgrp }
{% endif %}
{% endif %}
            - { get_resource: common-secgrp }
{% if not use_bastion|bool %}
          floating_network: {{ external_network }}
{% endif %}
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ stack_name }}
          volume_size: {{ master_volume_size }}
    depends_on:
      - interface

  compute_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ num_nodes }}
      removal_policies:
      - resource_list: {{ nodes_to_remove }}
      resource_def:
{% if use_bastion|bool %}
        type: server_nofloating.yaml
{% else %}
        type: server.yaml
{% endif %}
        properties:
          name:
            str_replace:
              template: subtype-k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ stack_name }}
                k8s_type: node
                subtype: app
          cluster_env: {{ public_dns_domain }}
          cluster_id:  {{ stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: nodes
                cluster_id: {{ stack_name }}
          type:        node
          subtype:     app
          node_labels:
{% for k, v in openshift_cluster_node_labels.app.iteritems() %}
            {{ k|e }}: {{ v|e }}
{% endfor %}
          image:       {{ openstack_image }}
          flavor:      {{ node_flavor }}
          key_name:    {{ ssh_public_key }}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }
            - { get_resource: common-secgrp }
{% if not use_bastion|bool %}
          floating_network: {{ external_network }}
{% endif %}
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ stack_name }}
          volume_size: {{ app_volume_size }}
    depends_on:
      - interface

  infra_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ num_infra }}
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: subtypek8s_type-%index%.cluster_id
              params:
                cluster_id: {{ stack_name }}
                k8s_type: node
                subtype: infra
          cluster_env: {{ public_dns_domain }}
          cluster_id:  {{ stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: infra
                cluster_id: {{ stack_name }}
          type:        node
          subtype:     infra
          node_labels:
{% for k, v in openshift_cluster_node_labels.infra.iteritems() %}
            {{ k|e }}: {{ v|e }}
{% endfor %}
          image:       {{ openstack_image }}
          flavor:      {{ infra_flavor }}
          key_name:    {{ ssh_public_key }}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
# TODO(bogdando) filter only required node rules into infra-secgrp
{% if openstack_flat_secgrp|default(False)|bool %}
            - { get_resource: flat-secgrp }
{% else %}
            - { get_resource: node-secgrp }
{% endif %}
            - { get_resource: infra-secgrp }
            - { get_resource: common-secgrp }
          floating_network: {{ external_network }}
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ stack_name }}
          volume_size: {{ infra_volume_size }}
    depends_on:
      - interface

  dns:
    type: OS::Heat::ResourceGroup
    properties:
      count: {{ num_dns }}
      resource_def:
        type: server.yaml
        properties:
          name:
            str_replace:
              template: k8s_type-%index%.cluster_id
              params:
                cluster_id: {{ stack_name }}
                k8s_type: dns
          cluster_env: {{ public_dns_domain }}
          cluster_id:  {{ stack_name }}
          group:
            str_replace:
              template: k8s_type.cluster_id
              params:
                k8s_type: dns
                cluster_id: {{ stack_name }}
          type:        dns
          image:       {{ openstack_image }}
          flavor:      {{ dns_flavor }}
          key_name:    {{ ssh_public_key }}
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: dns-secgrp }
            - { get_resource: common-secgrp }
          floating_network: {{ external_network }}
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: {{ stack_name }}
          volume_size: {{ dns_volume_size }}
    depends_on:
      - interface