Power VS IPI Support: TF Only

OWNERS_ALIASES

@@ -35,6 +35,15 @@ aliases:
     - mandre
     - mdbooth
     - pierreprinetti
+  powervs-approvers:
+    - Prashanth684
+    - clnperez
+    - mkumatag
+  powervs-reviewers:
+    - 23TNC
+    - clnperez
+    - mkumatag
+    - Prashanth684
   vsphere-approvers:
     - dav1x
     - jcpowermac

data/data/powervs/bootstrap/main.tf

@@ -0,0 +1,88 @@
+# TODO(mjturek): network and image data blocks can be in main module
+#                as master and bootstrap will be using the same
+#                network and image. Once we add in master module, make
+#                the move.
+data "ibm_pi_network" "network" {
+  pi_network_name      = var.network_name
+  pi_cloud_instance_id = var.cloud_instance_id
+}
+
+data "ibm_pi_image" "bootstrap_image" {
+  pi_image_name        = var.image_name
+  pi_cloud_instance_id = var.cloud_instance_id
+}
+
+data "ignition_config" "bootstrap" {
+  merge {
+    source = ibms3presign.bootstrap_ignition.presigned_url
+  }
+}
+
+data "ibm_resource_group" "cos_group" {
+  name = var.resource_group
+}
+
+resource "ibm_resource_instance" "cos_instance" {
+  name              = "${var.cluster_id}-cos"
+  resource_group_id = data.ibm_resource_group.cos_group.id
+  service           = "cloud-object-storage"
+  plan              = "standard"
+  location          = var.cos_instance_location
+  tags              = [var.cluster_id]
+}
+
+# Create an IBM COS Bucket to store ignition
+resource "ibm_cos_bucket" "ignition" {
+  bucket_name          = "${var.cluster_id}-bootstrap-ign"
+  resource_instance_id = ibm_resource_instance.cos_instance.id
+  region_location      = var.cos_bucket_location
+  storage_class        = var.cos_storage_class
+}
+
+resource "ibm_resource_key" "cos_service_cred" {
+  name                 = "${var.cluster_id}-cred"
+  role                 = "Reader"
+  resource_instance_id = ibm_resource_instance.cos_instance.id
+  parameters           = { HMAC = true }
+}
+
+resource "ibms3presign" "bootstrap_ignition" {
+  access_key_id     = ibm_resource_key.cos_service_cred.credentials["cos_hmac_keys.access_key_id"]
+  secret_access_key = ibm_resource_key.cos_service_cred.credentials["cos_hmac_keys.secret_access_key"]
+  bucket_name       = "${var.cluster_id}-bootstrap-ign"
+  key               = "bootstrap.ign"
+  region_location   = ibm_cos_bucket.ignition.region_location
+  storage_class     = ibm_cos_bucket.ignition.storage_class
+}
+
+# Place the bootstrap ignition file in the ignition COS bucket
+resource "ibm_cos_bucket_object" "ignition" {
+  bucket_crn      = ibm_cos_bucket.ignition.crn
+  bucket_location = ibm_cos_bucket.ignition.region_location
+  content         = var.ignition
+  key             = "bootstrap.ign"
+}
+
+# Create the bootstrap instance
+resource "ibm_pi_instance" "bootstrap" {
+  pi_memory            = var.memory
+  pi_processors        = var.processors
+  pi_instance_name     = "${var.cluster_id}-bootstrap"
+  pi_proc_type         = var.proc_type
+  pi_image_id          = data.ibm_pi_image.bootstrap_image.id
+  pi_sys_type          = var.sys_type
+  pi_cloud_instance_id = var.cloud_instance_id
+  pi_network_ids       = [data.ibm_pi_network.network.id]
+
+  pi_user_data     = base64encode(data.ignition_config.bootstrap.rendered)
+  pi_key_pair_name = var.key_id
+  pi_health_status = "WARNING"
+}
+
+data "ibm_pi_instance_ip" "bootstrap_ip" {
+  depends_on = [ibm_pi_instance.bootstrap]
+
+  pi_instance_name     = ibm_pi_instance.bootstrap.pi_instance_name
+  pi_network_name      = data.ibm_pi_network.network.pi_network_name
+  pi_cloud_instance_id = var.cloud_instance_id
+}

data/data/powervs/bootstrap/outputs.tf

@@ -0,0 +1,3 @@
+output "bootstrap_ip" {
+  value = data.ibm_pi_instance_ip.bootstrap_ip.ip
+}

data/data/powervs/bootstrap/variables.tf

@@ -0,0 +1,16 @@
+variable "memory" {}
+variable "processors" {}
+variable "ignition" {}
+
+variable "cloud_instance_id" {}
+variable "resource_group" {}
+variable "image_name" {}
+variable "network_name" {}
+variable "proc_type" {}
+variable "sys_type" {}
+variable "cluster_id" {}
+variable "key_id" {}
+
+variable "cos_instance_location" {}
+variable "cos_bucket_location" {}
+variable "cos_storage_class" {}

data/data/powervs/dns/dns.tf

@@ -0,0 +1,31 @@
+data "ibm_cis_domain" "base_domain" {
+  cis_id = var.cis_id
+  domain = var.base_domain
+}
+
+resource "ibm_cis_dns_record" "kubernetes_api" {
+  cis_id    = var.cis_id
+  domain_id = data.ibm_cis_domain.base_domain.id
+  type      = "CNAME"
+  name      = "api.${var.cluster_domain}"
+  content   = var.load_balancer_hostname
+  ttl       = 60
+}
+
+resource "ibm_cis_dns_record" "kubernetes_api_internal" {
+  cis_id    = var.cis_id
+  domain_id = data.ibm_cis_domain.base_domain.id
+  type      = "CNAME"
+  name      = "api-int.${var.cluster_domain}"
+  content   = var.load_balancer_int_hostname
+  ttl       = 60
+}
+
+resource "ibm_cis_dns_record" "apps" {
+  cis_id    = var.cis_id
+  domain_id = data.ibm_cis_domain.base_domain.id
+  type      = "CNAME"
+  name      = "*.apps.${var.cluster_domain}"
+  content   = var.load_balancer_hostname
+  ttl       = 60
+}

data/data/powervs/dns/variables.tf

@@ -0,0 +1,13 @@
+variable "cis_id" {}
+
+variable "base_domain" {}
+
+variable "cluster_domain" {}
+
+variable "load_balancer_hostname" {}
+
+variable "load_balancer_int_hostname" {}
+
+
+
+

data/data/powervs/iaas/power-iaas.tf

@@ -0,0 +1,22 @@
+provider "ibm" {
+  ibmcloud_api_key = var.powervs_api_key
+}
+
+data "ibm_resource_group" "group" {
+  name = var.powervs_resource_group
+}
+
+resource "ibm_resource_instance" "resource_instance" {
+  name              = "${var.cluster_id}-power-iaas"
+  service           = "power-iaas"
+  plan              = "power-virtual-server-group"
+  location          = var.powervs_region
+  tags              = concat(var.service_tags, ["${var.cluster_id}-power-iaas", "${var.cluster_id}"])
+  resource_group_id = data.ibm_resource_group.group.id
+
+  timeouts {
+    create = "10m"
+    update = "10m"
+    delete = "10m"
+  }
+}

data/data/powervs/iaas/variables.tf

@@ -0,0 +1,28 @@
+variable "powervs_api_key" {
+  type        = string
+  description = "IBM Cloud API key associated with user's identity"
+  default     = "<key>"
+}
+
+variable "powervs_resource_group" {
+  type        = string
+  description = "The cloud instance resource group"
+  default     = ""
+}
+
+variable "powervs_region" {
+  type        = string
+  description = "The IBM Cloud region where you want to create the resources"
+  default     = ""
+}
+
+variable "cluster_id" {
+  type    = string
+  default = ""
+}
+
+variable "service_tags" {
+  type        = list(string)
+  description = "A list of tags for our resource instance."
+  default     = []
+}

data/data/powervs/loadbalancer/alb.tf

@@ -0,0 +1,120 @@
+locals {
+  api_servers       = concat([var.bootstrap_ip], var.master_ips)
+  api_servers_count = length(var.master_ips) + 1 # bootstrap + master
+  app_servers       = var.master_ips
+  app_servers_count = length(var.master_ips)
+}
+
+data "ibm_resource_group" "resource_group" {
+  name = var.resource_group
+}
+
+resource "ibm_is_lb" "load_balancer" {
+  name            = "${var.cluster_id}-loadbalancer"
+  resource_group  = data.ibm_resource_group.resource_group.id
+  subnets         = [var.vpc_subnet_id]
+  security_groups = [ibm_is_security_group.ocp_security_group.id]
+  tags            = [var.cluster_id, "${var.cluster_id}-loadbalancer"]
+  type            = "public"
+}
+
+resource "ibm_is_lb" "load_balancer_int" {
+  name            = "${var.cluster_id}-loadbalancer-int"
+  resource_group  = data.ibm_resource_group.resource_group.id
+  subnets         = [var.vpc_subnet_id]
+  security_groups = [ibm_is_security_group.ocp_security_group.id]
+  tags            = [var.cluster_id, "${var.cluster_id}-loadbalancer-int"]
+  type            = "private"
+}
+
+# Using explicit depends_on as otherwise there are issues with updating and adding of pool members
+# Ref: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb_listener
+
+## TODO move this to internal/private LB
+# machine config listener and backend pool
+resource "ibm_is_lb_listener" "machine_config_listener" {
+  lb           = ibm_is_lb.load_balancer_int.id
+  port         = 22623
+  protocol     = "tcp"
+  default_pool = ibm_is_lb_pool.machine_config_pool.id
+}
+resource "ibm_is_lb_pool" "machine_config_pool" {
+  depends_on = [ibm_is_lb.load_balancer_int]
+
+  name           = "machine-config-server"
+  lb             = ibm_is_lb.load_balancer_int.id
+  algorithm      = "round_robin"
+  protocol       = "tcp"
+  health_delay   = 60
+  health_retries = 5
+  health_timeout = 30
+  health_type    = "tcp"
+}
+resource "ibm_is_lb_pool_member" "machine_config_member" {
+  depends_on = [ibm_is_lb_listener.machine_config_listener]
+  count      = local.api_servers_count
+
+  lb             = ibm_is_lb.load_balancer_int.id
+  pool           = ibm_is_lb_pool.machine_config_pool.id
+  port           = 22623
+  target_address = local.api_servers[count.index]
+}
+
+# api listener and backend pool (internal)
+resource "ibm_is_lb_listener" "api_listener_int" {
+  lb           = ibm_is_lb.load_balancer_int.id
+  port         = 6443
+  protocol     = "tcp"
+  default_pool = ibm_is_lb_pool.api_pool_int.id
+}
+resource "ibm_is_lb_pool" "api_pool_int" {
+  depends_on = [ibm_is_lb.load_balancer_int]
+
+  name           = "openshift-api-server"
+  lb             = ibm_is_lb.load_balancer_int.id
+  algorithm      = "round_robin"
+  protocol       = "tcp"
+  health_delay   = 60
+  health_retries = 5
+  health_timeout = 30
+  health_type    = "tcp"
+}
+resource "ibm_is_lb_pool_member" "api_member_int" {
+  depends_on = [ibm_is_lb_listener.api_listener_int, ibm_is_lb_pool_member.machine_config_member]
+  count      = local.api_servers_count
+
+  lb             = ibm_is_lb.load_balancer_int.id
+  pool           = ibm_is_lb_pool.api_pool_int.id
+  port           = 6443
+  target_address = local.api_servers[count.index]
+}
+
+# api listener and backend pool (external)
+resource "ibm_is_lb_listener" "api_listener" {
+  lb           = ibm_is_lb.load_balancer.id
+  port         = 6443
+  protocol     = "tcp"
+  default_pool = ibm_is_lb_pool.api_pool.id
+}
+resource "ibm_is_lb_pool" "api_pool" {
+  depends_on = [ibm_is_lb.load_balancer]
+
+  name           = "openshift-api-server"
+  lb             = ibm_is_lb.load_balancer.id
+  algorithm      = "round_robin"
+  protocol       = "tcp"
+  health_delay   = 60
+  health_retries = 5
+  health_timeout = 30
+  health_type    = "tcp"
+}
+resource "ibm_is_lb_pool_member" "api_member" {
+  depends_on = [ibm_is_lb_listener.api_listener, ibm_is_lb_pool_member.machine_config_member]
+  count      = local.api_servers_count
+
+  lb             = ibm_is_lb.load_balancer.id
+  pool           = ibm_is_lb_pool.api_pool.id
+  port           = 6443
+  target_address = local.api_servers[count.index]
+}
+

data/data/powervs/loadbalancer/outputs.tf

@@ -0,0 +1,7 @@
+output "powervs_lb_hostname" {
+  value = ibm_is_lb.load_balancer.hostname
+}
+
+output "powervs_lb_int_hostname" {
+  value = ibm_is_lb.load_balancer_int.hostname
+}

data/data/powervs/loadbalancer/sg.tf

@@ -0,0 +1,28 @@
+locals {
+  tcp_ports = [22623, 6443]
+}
+data "ibm_is_vpc" "vpc" {
+  name = var.vpc_name
+}
+
+resource "ibm_is_security_group" "ocp_security_group" {
+  name           = "${var.cluster_id}-ocp-sec-group"
+  resource_group = data.ibm_resource_group.resource_group.id
+  vpc            = data.ibm_is_vpc.vpc.id
+  tags           = [var.cluster_id]
+}
+
+resource "ibm_is_security_group_rule" "inbound_ports" {
+  count     = length(local.tcp_ports)
+  group     = ibm_is_security_group.ocp_security_group.id
+  direction = "inbound"
+  tcp {
+    port_min = local.tcp_ports[count.index]
+    port_max = local.tcp_ports[count.index]
+  }
+}
+
+resource "ibm_is_security_group_rule" "outbound_any" {
+  group     = ibm_is_security_group.ocp_security_group.id
+  direction = "outbound"
+}

data/data/powervs/loadbalancer/variables.tf

@@ -0,0 +1,9 @@
+variable "cluster_id" {}
+
+variable "vpc_name" {}
+variable "vpc_subnet_id" {}
+
+variable "bootstrap_ip" {}
+variable "master_ips" {}
+
+variable "resource_group" {}