Cloud config

openstack/Makefile

@@ -4,6 +4,10 @@ ENDPOINT:=${shell terraform output -raw controlplane_endpoint_public 2>/dev/null
 help:
 	@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
 
+create-lb: ## Create load balancer
+	terraform init
+	terraform apply -target=output.controlplane_endpoint_public --refresh -auto-approve
+
 create-config: ## Genereate talos configs
 	talosctl gen config --output-dir _cfgs --with-docs=false --with-examples=false talos-k8s-openstack https://${ENDPOINT}:6443
 	talosctl --talosconfig _cfgs/talosconfig config endpoint ${ENDPOINT}
@@ -27,7 +31,7 @@ create-templates:
 create-deployments:
 	helm template --namespace=kube-system   --version=1.11.5 -f deployments/cilium.yaml cilium \
 		cilium/cilium > deployments/cilium-result.yaml
-	helm template --namespace=ingress-nginx --version=4.1.1 -f deployments/ingress.yaml ingress-nginx \
+	helm template --namespace=ingress-nginx --version=4.1.4 -f deployments/ingress.yaml ingress-nginx \
 		ingress-nginx/ingress-nginx > deployments/ingress-result.yaml
 
 create-network: ## Create networks

openstack/README.md

@@ -77,7 +77,7 @@ make create-network
 Generate the default talos config
 
 ```shell
-make create-config create-templates
+make create-templates
 ```
 
 Create the config file **terraform.tfvars** and add params.
@@ -92,8 +92,8 @@ ccm_password = "openstack-password"
 # Number of kubernetes controlplane by zones
 controlplane = {
   "GRA9" = {
-    count         = 1,
-    instance_type = "d2-4",
+    count = 1,
+    type  = "d2-4",
   },
 }
 

openstack/auth.tf

@@ -1,4 +1,4 @@
 
 provider "openstack" {
-  cloud = "openstack"
+  cloud = var.clouds
 }

openstack/deployments/ingress-result.yaml

@@ -4,10 +4,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
@@ -20,10 +20,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
@@ -66,10 +66,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
@@ -135,10 +135,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
   name: ingress-nginx
@@ -156,10 +156,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
@@ -241,10 +241,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
@@ -265,10 +265,10 @@ kind: Service
 metadata:
   annotations:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
@@ -302,10 +302,10 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
@@ -336,7 +336,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
         - name: controller
-          image: "k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185"
+          image: "registry.k8s.io/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8"
           imagePullPolicy: IfNotPresent
           lifecycle: 
             preStop:
@@ -349,12 +349,12 @@ spec:
             - --controller-class=k8s.io/ingress-nginx
             - --ingress-class=nginx
             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-          securityContext:
+          securityContext: 
             capabilities:
-                drop:
-                - ALL
-                add:
-                - NET_BIND_SERVICE
+              drop:
+              - ALL
+              add:
+              - NET_BIND_SERVICE
             runAsUser: 101
             allowPrivilegeEscalation: true
           env:
@@ -428,10 +428,10 @@ apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
-    helm.sh/chart: ingress-nginx-4.1.1
+    helm.sh/chart: ingress-nginx-4.1.4
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.2.0"
+    app.kubernetes.io/version: "1.2.1"
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller

openstack/images/README.md

@@ -0,0 +1,17 @@
+# Upload images
+
+Create the config file **terraform.tfvars** and add params.
+
+```hcl
+# Body of terraform.tfvars
+
+# Regions to use
+regions          = ["GRA7", "GRA9"]
+```
+
+```shell
+wget https://github.com/siderolabs/talos/releases/download/v1.1.0-beta.2/openstack-amd64.tar.gz
+tar -xzf openstack-amd64.tar.gz
+
+terraform init && terraform apply -auto-approve
+```

openstack/images/auth.tf

@@ -1,4 +1,4 @@
 
 provider "openstack" {
-  cloud = "openstack"
+  cloud = var.clouds
 }

openstack/images/images.tf

@@ -7,7 +7,7 @@ resource "openstack_images_image_v2" "talos" {
   disk_format      = "raw"
   min_disk_gb      = 5
   min_ram_mb       = 1
-  tags             = ["talos-1.1.0-beta.0"]
+  tags             = ["talos-1.1.0-beta.2"]
 
   properties = {
     hw_firmware_type = "uefi"

openstack/images/variables.tf

@@ -1,4 +1,10 @@
 
+variable "clouds" {
+  type        = string
+  description = "The config section in clouds.yaml"
+  default     = "openstack"
+}
+
 variable "regions" {
   type        = list(string)
   description = "The id of the openstack region"

openstack/instances-controlplane.tf

@@ -13,7 +13,7 @@ module "controlplane" {
 
   instance_servergroup = openstack_compute_servergroup_v2.controlplane[each.key].id
   instance_count       = lookup(try(var.controlplane[each.key], {}), "count", 0)
-  instance_flavor      = lookup(try(var.controlplane[each.key], {}), "instance_type", "d2-2")
+  instance_flavor      = lookup(try(var.controlplane[each.key], {}), "type", "d2-2")
   instance_image       = data.openstack_images_image_v2.talos[each.key].id
   instance_tags        = concat(var.tags, ["infra"])
   instance_secgroups   = [local.network_secgroup[each.key].common, local.network_secgroup[each.key].controlplane]

openstack/outputs.tf

@@ -6,7 +6,7 @@ output "controlplane_endpoint" {
 
 output "controlplane_endpoint_public" {
   description = "Kubernetes controlplane endpoint public"
-  value       = local.endpoint
+  value       = try(local.endpoint[0], "127.0.0.1")
 }
 
 output "web_endpoint" {

openstack/prepare/auth.tf

@@ -1,4 +1,4 @@
 
 provider "openstack" {
-  cloud = "openstack"
+  cloud = var.clouds
 }

openstack/prepare/network-gw.tf

@@ -82,7 +82,7 @@ resource "openstack_compute_instance_v2" "router" {
   region      = each.key
   name        = "router-${lower(each.key)}"
   image_id    = data.openstack_images_image_v2.debian[each.key].id
-  flavor_name = "d2-2"
+  flavor_name = try(var.capabilities[each.key].peering_type, "d2-2")
   key_pair    = openstack_compute_keypair_v2.keypair[each.key].name
 
   network {

openstack/prepare/network-secgroup.tf

@@ -217,6 +217,15 @@ resource "openstack_networking_secgroup_v2" "router" {
   description = "Security group for router/peering node"
 }
 
+resource "openstack_networking_secgroup_rule_v2" "router_icmp_ipv4" {
+  for_each          = { for idx, name in var.regions : name => idx }
+  region            = each.key
+  security_group_id = openstack_networking_secgroup_v2.router[each.key].id
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+}
+
 resource "openstack_networking_secgroup_rule_v2" "router_ssh_v4" {
   for_each          = { for idx, name in var.regions : name => idx }
   region            = each.key

openstack/prepare/network.tf

@@ -60,21 +60,21 @@ resource "openstack_networking_subnet_v2" "private_v6" {
 }
 
 resource "openstack_networking_subnet_route_v2" "public_v4" {
-  for_each         = { for idx, name in var.regions : name => idx if try(var.capabilities[name].peering, false) }
+  for_each         = { for idx, name in var.regions : name => idx if try(var.capabilities[name].gateway, false) }
   subnet_id        = openstack_networking_subnet_v2.public[each.key].id
   destination_cidr = var.network_cidr
   next_hop         = try(var.capabilities[each.key].gateway, false) ? cidrhost(openstack_networking_subnet_v2.private[each.key].cidr, 2) : cidrhost(openstack_networking_subnet_v2.private[each.key].cidr, 1)
 }
 
 resource "openstack_networking_subnet_route_v2" "private_v4" {
-  for_each         = { for idx, name in var.regions : name => idx if try(var.capabilities[name].peering, false) }
+  for_each         = { for idx, name in var.regions : name => idx if try(var.capabilities[name].gateway, false) }
   subnet_id        = openstack_networking_subnet_v2.private[each.key].id
   destination_cidr = var.network_cidr
   next_hop         = try(var.capabilities[each.key].gateway, false) ? cidrhost(openstack_networking_subnet_v2.private[each.key].cidr, 2) : cidrhost(openstack_networking_subnet_v2.private[each.key].cidr, 1)
 }
 
 resource "openstack_networking_subnet_route_v2" "private_v6" {
-  for_each         = { for idx, name in var.regions : name => idx if try(var.capabilities[name].peering, false) }
+  for_each         = { for idx, name in var.regions : name => idx if try(var.capabilities[name].gateway, false) }
   subnet_id        = openstack_networking_subnet_v2.private_v6[each.key].id
   destination_cidr = local.network_cidr_v6
   next_hop         = cidrhost(openstack_networking_subnet_v2.private_v6[each.key].cidr, 1)

openstack/prepare/variables.tf

@@ -1,4 +1,10 @@
 
+variable "clouds" {
+  type        = string
+  description = "The config section in clouds.yaml"
+  default     = "openstack"
+}
+
 variable "project_id" {
   type        = string
   description = "The project_id of the openstack"
@@ -42,12 +48,14 @@ variable "capabilities" {
   type = map(any)
   default = {
     "GRA7" = {
-      gateway = false
-      peering = false
+      gateway      = false
+      peering      = false
+      peering_type = "d2-2"
     },
     "GRA9" = {
-      gateway = false
-      peering = false
+      gateway      = false
+      peering      = false
+      peering_type = "d2-2"
     },
   }
 }

openstack/templates/controlplane.yaml.tpl

@@ -42,8 +42,11 @@ machine:
     net.core.somaxconn: 65535
     net.core.netdev_max_backlog: 4096
 cluster:
+  id: ${clusterID}
+  secret: ${clusterSecret}
   controlPlane:
     endpoint: https://${apiDomain}:6443
+  clusterName: ${clusterName}
   network:
     dnsDomain: ${domain}
     podSubnets: ${format("%#v",split(",",podSubnets))}

openstack/variables.tf

@@ -1,4 +1,10 @@
 
+variable "clouds" {
+  type        = string
+  description = "The config section in clouds.yaml"
+  default     = "openstack"
+}
+
 data "terraform_remote_state" "prepare" {
   backend = "local"
   config = {
@@ -55,12 +61,12 @@ variable "controlplane" {
   type        = map(any)
   default = {
     "GRA7" = {
-      count         = 0,
-      instance_type = "d2-2",
+      count = 0,
+      type  = "d2-2",
     },
     "GRA9" = {
-      count         = 0,
-      instance_type = "d2-2",
+      count = 0,
+      type  = "d2-2",
     },
   }
 }