okd/playbooks/openstack/openshift-cluster/files/heat_stack.yaml

heat_template_version: 2014-10-16

description: OpenShift cluster

parameters:

  cluster_env:
    type: string
    label: Cluster environment
    description: Environment of the cluster

  cluster_id:
    type: string
    label: Cluster ID
    description: Identifier of the cluster

  subnet_24_prefix:
    type: string
    label: subnet /24 prefix
    description: /24 subnet prefix of the network of the cluster (dot separated number triplet)

  dns_nameservers:
    type: comma_delimited_list
    label: DNS nameservers list
    description: List of DNS nameservers

  external_net:
    type: string
    label: External network
    description: Name of the external network
    default: external

  ssh_public_key:
    type: string
    label: SSH public key
    description: SSH public key
    hidden: true

  ssh_incoming:
    type: string
    label: Source of ssh connections
    description: Source of legitimate ssh connections
    default: 0.0.0.0/0

  node_port_incoming:
    type: string
    label: Source of node port connections
    description: Authorized sources targetting node ports
    default: 0.0.0.0/0

  num_etcd:
    type: number
    label: Number of etcd nodes
    description: Number of etcd nodes

  num_masters:
    type: number
    label: Number of masters
    description: Number of masters

  num_nodes:
    type: number
    label: Number of compute nodes
    description: Number of compute nodes

  num_infra:
    type: number
    label: Number of infrastructure nodes
    description: Number of infrastructure nodes

  etcd_image:
    type: string
    label: Etcd image
    description: Name of the image for the etcd servers

  master_image:
    type: string
    label: Master image
    description: Name of the image for the master servers

  node_image:
    type: string
    label: Node image
    description: Name of the image for the compute node servers

  infra_image:
    type: string
    label: Infra image
    description: Name of the image for the infra node servers

  dns_image:
    type: string
    label: DNS image
    description: Name of the image for the DNS server

  etcd_flavor:
    type: string
    label: Etcd flavor
    description: Flavor of the etcd servers

  master_flavor:
    type: string
    label: Master flavor
    description: Flavor of the master servers

  node_flavor:
    type: string
    label: Node flavor
    description: Flavor of the compute node servers

  infra_flavor:
    type: string
    label: Infra flavor
    description: Flavor of the infra node servers

  dns_flavor:
    type: string
    label: DNS flavor
    description: Flavor of the DNS server

outputs:

  etcd_names:
    description: Name of the etcds
    value: { get_attr: [ etcd, name ] }

  etcd_ips:
    description: IPs of the etcds
    value: { get_attr: [ etcd, private_ip ] }

  etcd_floating_ips:
    description: Floating IPs of the etcds
    value: { get_attr: [ etcd, floating_ip ] }

  master_names:
    description: Name of the masters
    value: { get_attr: [ masters, name ] }

  master_ips:
    description: IPs of the masters
    value: { get_attr: [ masters, private_ip ] }

  master_floating_ips:
    description: Floating IPs of the masters
    value: { get_attr: [ masters, floating_ip ] }

  node_names:
    description: Name of the nodes
    value: { get_attr: [ compute_nodes, name ] }

  node_ips:
    description: IPs of the nodes
    value: { get_attr: [ compute_nodes, private_ip ] }

  node_floating_ips:
    description: Floating IPs of the nodes
    value: { get_attr: [ compute_nodes, floating_ip ] }

  infra_names:
    description: Name of the nodes
    value: { get_attr: [ infra_nodes, name ] }

  infra_ips:
    description: IPs of the nodes
    value: { get_attr: [ infra_nodes, private_ip ] }

  infra_floating_ips:
    description: Floating IPs of the nodes
    value: { get_attr: [ infra_nodes, floating_ip ] }

  dns_name:
    description: Name of the DNS
    value:
      get_attr:
        - dns
        - name

  dns_floating_ip:
    description: Floating IP of the DNS
    value:
      get_attr:
        - dns
        - addresses
        - str_replace:
            template: openshift-ansible-cluster_id-net
            params:
              cluster_id: { get_param: cluster_id }
        - 1
        - addr

resources:

  net:
    type: OS::Neutron::Net
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-net
          params:
            cluster_id: { get_param: cluster_id }

  subnet:
    type: OS::Neutron::Subnet
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-subnet
          params:
            cluster_id: { get_param: cluster_id }
      network: { get_resource: net }
      cidr:
        str_replace:
          template: subnet_24_prefix.0/24
          params:
            subnet_24_prefix: { get_param: subnet_24_prefix }
      allocation_pools:
        - start:
            str_replace:
              template: subnet_24_prefix.3
              params:
                subnet_24_prefix: { get_param: subnet_24_prefix }
          end:
            str_replace:
              template: subnet_24_prefix.254
              params:
                subnet_24_prefix: { get_param: subnet_24_prefix }
      dns_nameservers:
        - str_replace:
            template: subnet_24_prefix.2
            params:
              subnet_24_prefix: { get_param: subnet_24_prefix }

  router:
    type: OS::Neutron::Router
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-router
          params:
            cluster_id: { get_param: cluster_id }
      external_gateway_info:
        network: { get_param: external_net }

  interface:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: { get_resource: router }
      subnet_id: { get_resource: subnet }

  keypair:
    type: OS::Nova::KeyPair
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-keypair
          params:
            cluster_id: { get_param: cluster_id }
      public_key: { get_param: ssh_public_key }

  master-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-master-secgrp
          params:
            cluster_id: { get_param: cluster_id }
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster master
          params:
            cluster_id: { get_param: cluster_id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh_incoming }
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
        - direction: ingress
          protocol: tcp
          port_range_min: 8443
          port_range_max: 8443
        - direction: ingress
          protocol: tcp
          port_range_min: 8444
          port_range_max: 8444
        - direction: ingress
          protocol: tcp
          port_range_min: 53
          port_range_max: 53
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
        - direction: ingress
          protocol: tcp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: udp
          port_range_min: 8053
          port_range_max: 8053
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: udp
          port_range_min: 24224
          port_range_max: 24224
        - direction: ingress
          protocol: tcp
          port_range_min: 2224
          port_range_max: 2224
        - direction: ingress
          protocol: udp
          port_range_min: 5404
          port_range_max: 5404
        - direction: ingress
          protocol: udp
          port_range_min: 5405
          port_range_max: 5405
        - direction: ingress
          protocol: tcp
          port_range_min: 9090
          port_range_max: 9090

  etcd-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-etcd-secgrp
          params:
            cluster_id: { get_param: cluster_id }
      description:
        str_replace:
          template: Security group for cluster_id etcd cluster
          params:
            cluster_id: { get_param: cluster_id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh_incoming }
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2379
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master-secgrp }
        - direction: ingress
          protocol: tcp
          port_range_min: 2380
          port_range_max: 2380
          remote_mode: remote_group_id

  node-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-node-secgrp
          params:
            cluster_id: { get_param: cluster_id }
      description:
        str_replace:
          template: Security group for cluster_id OpenShift cluster nodes
          params:
            cluster_id: { get_param: cluster_id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh_incoming }
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 10255
          port_range_max: 10255
          remote_mode: remote_group_id
        - direction: ingress
          protocol: udp
          port_range_min: 4789
          port_range_max: 4789
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: { get_param: node_port_incoming }

  infra-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-infra-secgrp
          params:
            cluster_id: { get_param: cluster_id }
      description:
        str_replace:
          template: Security group for cluster_id OpenShift infrastructure cluster nodes
          params:
            cluster_id: { get_param: cluster_id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 80
          port_range_max: 80
        - direction: ingress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443

  dns-secgrp:
    type: OS::Neutron::SecurityGroup
    properties:
      name:
        str_replace:
          template: openshift-ansible-cluster_id-dns-secgrp
          params:
            cluster_id: { get_param: cluster_id }
      description:
        str_replace:
          template: Security group for cluster_id cluster DNS
          params:
            cluster_id: { get_param: cluster_id }
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: ssh_incoming }
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_mode: remote_group_id
          remote_group_id: { get_resource: etcd-secgrp }
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master-secgrp }
        - direction: ingress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_mode: remote_group_id
          remote_group_id: { get_resource: node-secgrp }

  etcd:
    type: OS::Heat::ResourceGroup
    properties:
      count: { get_param: num_etcd }
      resource_def:
        type: heat_stack_server.yaml
        properties:
          name:
            str_replace:
              template: cluster_id-k8s_type-%index%
              params:
                cluster_id: { get_param: cluster_id }
                k8s_type: etcd
          cluster_env: { get_param: cluster_env }
          cluster_id:  { get_param: cluster_id }
          type:        etcd
          image:       { get_param: etcd_image }
          flavor:      { get_param: etcd_flavor }
          key_name:    { get_resource: keypair }
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: etcd-secgrp }
          floating_network: { get_param: external_net }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: { get_param: cluster_id }
    depends_on:
      - interface

  masters:
    type: OS::Heat::ResourceGroup
    properties:
      count: { get_param: num_masters }
      resource_def:
        type: heat_stack_server.yaml
        properties:
          name:
            str_replace:
              template: cluster_id-k8s_type-%index%
              params:
                cluster_id: { get_param: cluster_id }
                k8s_type: master
          cluster_env: { get_param: cluster_env }
          cluster_id:  { get_param: cluster_id }
          type:        master
          image:       { get_param: master_image }
          flavor:      { get_param: master_flavor }
          key_name:    { get_resource: keypair }
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: master-secgrp }
            - { get_resource: node-secgrp }
          floating_network: { get_param: external_net }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: { get_param: cluster_id }
    depends_on:
      - interface

  compute_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: { get_param: num_nodes }
      resource_def:
        type: heat_stack_server.yaml
        properties:
          name:
            str_replace:
              template: cluster_id-k8s_type-sub_host_type-%index%
              params:
                cluster_id: { get_param: cluster_id }
                k8s_type: node
                sub_host_type: compute
          cluster_env: { get_param: cluster_env }
          cluster_id:  { get_param: cluster_id }
          type:        node
          subtype:     compute
          image:       { get_param: node_image }
          flavor:      { get_param: node_flavor }
          key_name:    { get_resource: keypair }
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: node-secgrp }
          floating_network: { get_param: external_net }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: { get_param: cluster_id }
    depends_on:
      - interface

  infra_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: { get_param: num_infra }
      resource_def:
        type: heat_stack_server.yaml
        properties:
          name:
            str_replace:
              template: cluster_id-k8s_type-sub_host_type-%index%
              params:
                cluster_id: { get_param: cluster_id }
                k8s_type: node
                sub_host_type: infra
          cluster_env: { get_param: cluster_env }
          cluster_id:  { get_param: cluster_id }
          type:        node
          subtype:     infra
          image:       { get_param: infra_image }
          flavor:      { get_param: infra_flavor }
          key_name:    { get_resource: keypair }
          net:         { get_resource: net }
          subnet:      { get_resource: subnet }
          secgrp:
            - { get_resource: node-secgrp }
            - { get_resource: infra-secgrp }
          floating_network: { get_param: external_net }
          net_name:
            str_replace:
              template: openshift-ansible-cluster_id-net
              params:
                cluster_id: { get_param: cluster_id }
    depends_on:
      - interface

  dns:
    type: OS::Nova::Server
    properties:
      name:
        str_replace:
          template: cluster_id-dns
          params:
            cluster_id: { get_param: cluster_id }
      key_name: { get_resource: keypair }
      image:    { get_param: dns_image }
      flavor:   { get_param: dns_flavor }
      networks:
        - port: { get_resource: dns-port }
      user_data: { get_resource: dns-config }
      user_data_format: RAW

  dns-port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: net }
      fixed_ips:
        - subnet: { get_resource: subnet }
          ip_address:
            str_replace:
              template: subnet_24_prefix.2
              params:
                subnet_24_prefix: { get_param: subnet_24_prefix }
      security_groups:
        - { get_resource: dns-secgrp }

  dns-floating-ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: { get_param: external_net }
      port_id: { get_resource: dns-port }

  dns-config:
    type: OS::Heat::CloudConfig
    properties:
      cloud_config:
        disable_root: true

        hostname:
          str_replace:
            template: cluster_id-dns
            params:
              cluster_id: { get_param: cluster_id }
        fqdn:
          str_replace:
            template: cluster_id-dns.example.com
            params:
              cluster_id: { get_param: cluster_id }

        system_info:
          default_user:
            name: openshift
            sudo: ["ALL=(ALL) NOPASSWD: ALL"]

        write_files:
          - path: /etc/sudoers.d/00-openshift-no-requiretty
            permissions: 440
            # content: Defaults:openshift !requiretty
            # Encoded in base64 to be sure that we do not forget the trailing newline or
            # sudo will not be able to parse that file
            encoding: b64
            content: RGVmYXVsdHM6b3BlbnNoaWZ0ICFyZXF1aXJldHR5Cg==
          - path: /etc/sysconfig/network-scripts/ifcfg-eth0
            content:
              str_replace:
                template: |
                  DEVICE="eth0"
                  BOOTPROTO="dhcp"
                  DNS1="$dns1"
                  DNS2="$dns2"
                  PEERDNS="no"
                  ONBOOT="yes"
                params:
                  $dns1:
                    get_param:
                      - dns_nameservers
                      - 0
                  $dns2:
                    get_param:
                      - dns_nameservers
                      - 1

        runcmd:
          - [ "/usr/bin/systemctl", "restart", "network" ]