kubespray/contrib/terraform/exoscale/modules/kubernetes-cluster/main.tf

data "exoscale_template" "os_image" {
  for_each = var.machines

  zone = var.zone
  name = each.value.boot_disk.image_name
}

data "exoscale_compute_instance" "master_nodes" {
  for_each = exoscale_compute_instance.master

  id   = each.value.id
  zone = var.zone
}

data "exoscale_compute_instance" "worker_nodes" {
  for_each = exoscale_compute_instance.worker

  id   = each.value.id
  zone = var.zone
}

resource "exoscale_private_network" "private_network" {
  zone = var.zone
  name = "${var.prefix}-network"

  start_ip = cidrhost(var.private_network_cidr, 1)
  # cidr -1 = Broadcast address
  # cidr -2 = DHCP server address (exoscale specific)
  end_ip  = cidrhost(var.private_network_cidr, -3)
  netmask = cidrnetmask(var.private_network_cidr)
}

resource "exoscale_compute_instance" "master" {
  for_each = {
    for name, machine in var.machines :
    name => machine
    if machine.node_type == "master"
  }

  name               = "${var.prefix}-${each.key}"
  template_id        = data.exoscale_template.os_image[each.key].id
  type               = each.value.size
  disk_size          = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size
  state              = "Running"
  zone               = var.zone
  security_group_ids = [exoscale_security_group.master_sg.id]
  network_interface {
    network_id = exoscale_private_network.private_network.id
  }
  elastic_ip_ids = [exoscale_elastic_ip.control_plane_lb.id]

  user_data = templatefile(
    "${path.module}/templates/cloud-init.tmpl",
    {
      eip_ip_address            = exoscale_elastic_ip.ingress_controller_lb.ip_address
      node_local_partition_size = each.value.boot_disk.node_local_partition_size
      ceph_partition_size       = each.value.boot_disk.ceph_partition_size
      root_partition_size       = each.value.boot_disk.root_partition_size
      node_type                 = "master"
      ssh_public_keys           = var.ssh_public_keys
    }
  )
}

resource "exoscale_compute_instance" "worker" {
  for_each = {
    for name, machine in var.machines :
    name => machine
    if machine.node_type == "worker"
  }

  name               = "${var.prefix}-${each.key}"
  template_id        = data.exoscale_template.os_image[each.key].id
  type               = each.value.size
  disk_size          = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size
  state              = "Running"
  zone               = var.zone
  security_group_ids = [exoscale_security_group.worker_sg.id]
  network_interface {
    network_id = exoscale_private_network.private_network.id
  }
  elastic_ip_ids = [exoscale_elastic_ip.ingress_controller_lb.id]

  user_data = templatefile(
    "${path.module}/templates/cloud-init.tmpl",
    {
      eip_ip_address            = exoscale_elastic_ip.ingress_controller_lb.ip_address
      node_local_partition_size = each.value.boot_disk.node_local_partition_size
      ceph_partition_size       = each.value.boot_disk.ceph_partition_size
      root_partition_size       = each.value.boot_disk.root_partition_size
      node_type                 = "worker"
      ssh_public_keys           = var.ssh_public_keys
    }
  )
}

resource "exoscale_security_group" "master_sg" {
  name        = "${var.prefix}-master-sg"
  description = "Security group for Kubernetes masters"
}

resource "exoscale_security_group_rule" "master_sg_rule_ssh" {
  security_group_id = exoscale_security_group.master_sg.id

  for_each = toset(var.ssh_whitelist)
  # SSH
  type       = "INGRESS"
  start_port = 22
  end_port   = 22
  protocol   = "TCP"
  cidr       = each.value
}

resource "exoscale_security_group_rule" "master_sg_rule_k8s_api" {
  security_group_id = exoscale_security_group.master_sg.id

  for_each = toset(var.api_server_whitelist)
  # Kubernetes API
  type       = "INGRESS"
  start_port = 6443
  end_port   = 6443
  protocol   = "TCP"
  cidr       = each.value
}

resource "exoscale_security_group" "worker_sg" {
  name        = "${var.prefix}-worker-sg"
  description = "security group for kubernetes worker nodes"
}

resource "exoscale_security_group_rule" "worker_sg_rule_ssh" {
  security_group_id = exoscale_security_group.worker_sg.id

  # SSH
  for_each   = toset(var.ssh_whitelist)
  type       = "INGRESS"
  start_port = 22
  end_port   = 22
  protocol   = "TCP"
  cidr       = each.value
}

resource "exoscale_security_group_rule" "worker_sg_rule_http" {
  security_group_id = exoscale_security_group.worker_sg.id

  # HTTP(S)
  for_each   = toset(["80", "443"])
  type       = "INGRESS"
  start_port = each.value
  end_port   = each.value
  protocol   = "TCP"
  cidr       = "0.0.0.0/0"
}


resource "exoscale_security_group_rule" "worker_sg_rule_nodeport" {
  security_group_id = exoscale_security_group.worker_sg.id

  # HTTP(S)
  for_each   = toset(var.nodeport_whitelist)
  type       = "INGRESS"
  start_port = 30000
  end_port   = 32767
  protocol   = "TCP"
  cidr       = each.value
}

resource "exoscale_elastic_ip" "ingress_controller_lb" {
  zone = var.zone
  healthcheck {
    mode         = "http"
    port         = 80
    uri          = "/healthz"
    interval     = 10
    timeout      = 2
    strikes_ok   = 2
    strikes_fail = 3
  }
}

resource "exoscale_elastic_ip" "control_plane_lb" {
  zone = var.zone
  healthcheck {
    mode         = "tcp"
    port         = 6443
    interval     = 10
    timeout      = 2
    strikes_ok   = 2
    strikes_fail = 3
  }
}
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`data "exoscale_template" "os_image" {`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`for_each = var.machines`

			`zone = var.zone`
			`name = each.value.boot_disk.image_name`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`data "exoscale_compute_instance" "master_nodes" {`
			`for_each = exoscale_compute_instance.master`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`id = each.value.id`
			`zone = var.zone`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`data "exoscale_compute_instance" "worker_nodes" {`
			`for_each = exoscale_compute_instance.worker`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`id = each.value.id`
			`zone = var.zone`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_private_network" "private_network" {`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`zone = var.zone`
			`name = "${var.prefix}-network"`

			`start_ip = cidrhost(var.private_network_cidr, 1)`
			`# cidr -1 = Broadcast address`
			`# cidr -2 = DHCP server address (exoscale specific)`
			`end_ip = cidrhost(var.private_network_cidr, -3)`
			`netmask = cidrnetmask(var.private_network_cidr)`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_compute_instance" "master" {`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`for_each = {`
			`for name, machine in var.machines :`
			`name => machine`
			`if machine.node_type == "master"`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`name = "${var.prefix}-${each.key}"`
			`template_id = data.exoscale_template.os_image[each.key].id`
			`type = each.value.size`
			`disk_size = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size`
			`state = "Running"`
			`zone = var.zone`
			`security_group_ids = [exoscale_security_group.master_sg.id]`
			`network_interface {`
			`network_id = exoscale_private_network.private_network.id`
			`}`
			`elastic_ip_ids = [exoscale_elastic_ip.control_plane_lb.id]`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
			`user_data = templatefile(`
			`"${path.module}/templates/cloud-init.tmpl",`
			`{`
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`eip_ip_address = exoscale_elastic_ip.ingress_controller_lb.ip_address`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`node_local_partition_size = each.value.boot_disk.node_local_partition_size`
			`ceph_partition_size = each.value.boot_disk.ceph_partition_size`
			`root_partition_size = each.value.boot_disk.root_partition_size`
			`node_type = "master"`
contrib/terraform/exoscale: Rework SSH public keys (#7242) * contrib/terraform/exoscale: Rework SSH public keys Exoscale has a few limitations with `exoscale_ssh_keypair` resources. Creating several clusters with these scripts may lead to an error like: ``` Error: API error ParamError 431 (InvalidParameterValueException 4350): The key pair "lj-sc-ssh-key" already has this fingerprint ``` This patch reworks handling of SSH public keys. Specifically, we rely on the more cloud-agnostic way of configuring SSH public keys via `cloud-init`. * contrib/terraform/exoscale: terraform fmt * contrib/terraform/exoscale: Add terraform validate * contrib/terraform/exoscale: Inline public SSH keys The Terraform scripts need to install some SSH key, so that Kubespray (i.e., the "Ansible part") can take over. Initially, we pointed the Terraform scripts to `~/.ssh/id_rsa.pub`. This proved to be suboptimal: Operators sharing responbility for a cluster risk unnecessarily replacing resources. Therefore, it has been determined that it's best to inline the public SSH keys. The chosen variable `ssh_public_keys` provides some uniformity with `contrib/azurerm`. * Fix Terraform Exoscale test * Fix Terraform 0.14 test 2021-02-03 23:32:28 +08:00			`ssh_public_keys = var.ssh_public_keys`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`
			`)`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_compute_instance" "worker" {`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`for_each = {`
			`for name, machine in var.machines :`
			`name => machine`
			`if machine.node_type == "worker"`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`name = "${var.prefix}-${each.key}"`
			`template_id = data.exoscale_template.os_image[each.key].id`
			`type = each.value.size`
			`disk_size = each.value.boot_disk.root_partition_size + each.value.boot_disk.node_local_partition_size + each.value.boot_disk.ceph_partition_size`
			`state = "Running"`
			`zone = var.zone`
			`security_group_ids = [exoscale_security_group.worker_sg.id]`
			`network_interface {`
			`network_id = exoscale_private_network.private_network.id`
			`}`
			`elastic_ip_ids = [exoscale_elastic_ip.ingress_controller_lb.id]`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
			`user_data = templatefile(`
			`"${path.module}/templates/cloud-init.tmpl",`
			`{`
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`eip_ip_address = exoscale_elastic_ip.ingress_controller_lb.ip_address`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`node_local_partition_size = each.value.boot_disk.node_local_partition_size`
			`ceph_partition_size = each.value.boot_disk.ceph_partition_size`
			`root_partition_size = each.value.boot_disk.root_partition_size`
			`node_type = "worker"`
contrib/terraform/exoscale: Rework SSH public keys (#7242) * contrib/terraform/exoscale: Rework SSH public keys Exoscale has a few limitations with `exoscale_ssh_keypair` resources. Creating several clusters with these scripts may lead to an error like: ``` Error: API error ParamError 431 (InvalidParameterValueException 4350): The key pair "lj-sc-ssh-key" already has this fingerprint ``` This patch reworks handling of SSH public keys. Specifically, we rely on the more cloud-agnostic way of configuring SSH public keys via `cloud-init`. * contrib/terraform/exoscale: terraform fmt * contrib/terraform/exoscale: Add terraform validate * contrib/terraform/exoscale: Inline public SSH keys The Terraform scripts need to install some SSH key, so that Kubespray (i.e., the "Ansible part") can take over. Initially, we pointed the Terraform scripts to `~/.ssh/id_rsa.pub`. This proved to be suboptimal: Operators sharing responbility for a cluster risk unnecessarily replacing resources. Therefore, it has been determined that it's best to inline the public SSH keys. The chosen variable `ssh_public_keys` provides some uniformity with `contrib/azurerm`. * Fix Terraform Exoscale test * Fix Terraform 0.14 test 2021-02-03 23:32:28 +08:00			`ssh_public_keys = var.ssh_public_keys`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`
			`)`
			`}`

			`resource "exoscale_security_group" "master_sg" {`
			`name = "${var.prefix}-master-sg"`
			`description = "Security group for Kubernetes masters"`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_security_group_rule" "master_sg_rule_ssh" {`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`security_group_id = exoscale_security_group.master_sg.id`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`for_each = toset(var.ssh_whitelist)`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`# SSH`
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`type = "INGRESS"`
			`start_port = 22`
			`end_port = 22`
			`protocol = "TCP"`
			`cidr = each.value`
			`}`

			`resource "exoscale_security_group_rule" "master_sg_rule_k8s_api" {`
			`security_group_id = exoscale_security_group.master_sg.id`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`for_each = toset(var.api_server_whitelist)`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`# Kubernetes API`
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`type = "INGRESS"`
			`start_port = 6443`
			`end_port = 6443`
			`protocol = "TCP"`
			`cidr = each.value`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`

			`resource "exoscale_security_group" "worker_sg" {`
			`name = "${var.prefix}-worker-sg"`
			`description = "security group for kubernetes worker nodes"`
			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_security_group_rule" "worker_sg_rule_ssh" {`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`security_group_id = exoscale_security_group.worker_sg.id`

			`# SSH`
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`for_each = toset(var.ssh_whitelist)`
			`type = "INGRESS"`
			`start_port = 22`
			`end_port = 22`
			`protocol = "TCP"`
			`cidr = each.value`
			`}`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_security_group_rule" "worker_sg_rule_http" {`
			`security_group_id = exoscale_security_group.worker_sg.id`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`# HTTP(S)`
			`for_each = toset(["80", "443"])`
			`type = "INGRESS"`
			`start_port = each.value`
			`end_port = each.value`
			`protocol = "TCP"`
			`cidr = "0.0.0.0/0"`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`


Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_security_group_rule" "worker_sg_rule_nodeport" {`
			`security_group_id = exoscale_security_group.worker_sg.id`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00
Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`# HTTP(S)`
			`for_each = toset(var.nodeport_whitelist)`
			`type = "INGRESS"`
			`start_port = 30000`
			`end_port = 32767`
			`protocol = "TCP"`
			`cidr = each.value`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_elastic_ip" "ingress_controller_lb" {`
			`zone = var.zone`
			`healthcheck {`
			`mode = "http"`
			`port = 80`
			`uri = "/healthz"`
			`interval = 10`
			`timeout = 2`
			`strikes_ok = 2`
			`strikes_fail = 3`
			`}`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`

Convert exoscale tf provider to new version (#10646) This is untested. It passes terraform validate to un-broke the CI. 2023-11-25 00:22:55 +08:00			`resource "exoscale_elastic_ip" "control_plane_lb" {`
			`zone = var.zone`
			`healthcheck {`
			`mode = "tcp"`
			`port = 6443`
			`interval = 10`
			`timeout = 2`
			`strikes_ok = 2`
			`strikes_fail = 3`
			`}`
Added terraform support for Exoscale (#7141) * Added terraform support for Exoscale * Fixed markdown lint error on exoscale terraform 2021-01-23 12:37:39 +08:00			`}`