Use internal network (#46)

Signed-off-by: Christian Berendt <[email protected]>
SovereignCloudStack · Oct 2, 2020 · d0dce7d · d0dce7d
1 parent 60565f6
commit d0dce7d
Show file tree

Hide file tree

Showing 9 changed files with 102 additions and 32 deletions.
diff --git a/README.rst b/README.rst
@@ -23,7 +23,7 @@ Usage
 * For access to the web interfaces and API endpoints a tunnel can be created with
   ``make ENVIRONMENT=betacloud tunnel`` (https://github.com/sshuttle/sshuttle must
   be installed)
-* Add ``192.168.16.5 testbed-gx-iam.osism.test`` to your local ``/etc/hosts`` file
+* Add ``192.168.32.9 testbed-gx-iam.osism.test`` to your local ``/etc/hosts`` file
 * It is possible to customize ``testbed-gx-iam.osism.test``, for this purpose add
   ``PARAMS="-var endpoint=somehost.example.com"``
 * It is possible to import an existing floating IP adress
@@ -62,9 +62,9 @@ Name             URL                         Username  Password
 ================ =========================== ========= ================
 ARA              http://192.168.16.5:8120    ara       password
 Cockpit          https://192.168.16.5:8130   dragon    da5pahthaew2Pai2
-Horizon          http://192.168.16.9         admin     password
-Keycloak         http://192.168.16.5:8170    admin     password
-Keystone         http://192.168.16.9:35357   admin     password
-Keystone         http://192.168.16.9:5000    admin     password
+Horizon          http://192.168.32.9         admin     password
+Keycloak         http://192.168.32.9:8170    admin     password
+Keystone         http://192.168.32.9:35357   admin     password
+Keystone         http://192.168.32.9:5000    admin     password
 phpMyAdmin       http://192.168.16.5:8110    root      password
 ================ =========================== ========= ================
diff --git a/environments/configuration.yml b/environments/configuration.yml
@@ -56,7 +56,7 @@ resolvconf_package: ""
 
 hosts_type: template
 hosts_additional_entries:
-  testbed-gx-iam.osism.test: 192.168.16.5
+  testbed-gx-iam.osism.test: 192.168.32.9
 
 ##########################
 # common
@@ -73,13 +73,13 @@ cleanup_services:
 ##########################
 # kolla
 
-kolla_internal_vip_address: 192.168.16.9
+kolla_internal_vip_address: 192.168.32.9
 
 ##########################
 # repository
 
 repository_keys: []
-repository_key_ids: []
+repository_key_ids: {}
 
 repositories:
   - name: "{{ ansible_distribution_release }}"

diff --git a/environments/generic/configuration.yml b/environments/generic/configuration.yml
@@ -7,13 +7,3 @@ dotfiles_repo_version: master
 dotfiles_repo_local_destination: "~/dotfiles"
 dotfiles_files:
   - .tmux.conf
-
-##########################
-# patchman-client
-
-patchman_client_host: "{{ hostvars['testbed-gx-iam-manager.osism.test']['ansible_' + management_interface]['ipv4']['address'] }}"
-
-##########################
-# zabbix-agent
-
-zabbix_agent_server: "{{ hostvars['testbed-gx-iam-manager.osism.test']['ansible_' + management_interface]['ipv4']['address'] }}"
diff --git a/environments/kolla/secrets.yml b/environments/kolla/secrets.yml
@@ -224,4 +224,5 @@ kolla_ssh_key:
 mariadb_backup_database_password: ohgieP4fee3nie4chieSu3ahhaep1pho
 memcache_secret_key: WaXf8YPrZn9mc9VJNUGaMTjsmwaky0olJsmnlkxX
 rabbitmq_cluster_cookie: zdd6geSBXefcI7IoHnP1U1fxtRWS3u5QtnPCvQTT
+rabbitmq_password: gath6Poogie4quei4AcaimeighofeiF9
 redis_master_password: password
diff --git a/inventory/host_vars/testbed-gx-iam-manager.osism.test.yml b/inventory/host_vars/testbed-gx-iam-manager.osism.test.yml
@@ -13,10 +13,10 @@ netbox_inventory_status: Active
 # generic
 
 console_interface: "{{ ansible_local.testbed_network_devices.management }}"
-management_interface: "{{ ansible_local.testbed_network_devices.management }}"
+management_interface: "{{ ansible_local.testbed_network_devices.internal }}"
 
-internal_address: 192.168.16.5
-fluentd_host: 192.168.16.5
+internal_address: 192.168.32.5
+fluentd_host: 192.168.32.5
 
 ##########################################################
 # cockpit
@@ -25,11 +25,6 @@ configure_cockpit_server: yes
 cockpit_host: "{{ hostvars[inventory_hostname]['ansible_' + console_interface]['ipv4']['address'] }}"
 cockpit_ssh_interface: "{{ ansible_local.testbed_network_devices.management }}"
 
-##########################################################
-# netdata
-
-netdata_host_type: server
-
 ##########################################################
 # network
 
@@ -46,7 +41,15 @@ network_interfaces:
     gateway: 192.168.16.1
     mtu: 1450
 
+  - device: "{{ ansible_local.testbed_network_devices.internal }}"
+    auto: true
+    family: inet
+    method: static
+    address: 192.168.32.5
+    netmask: 255.255.240.0
+    mtu: 1450
+
 ##########################################################
 # kolla
 
-network_interface: "{{ ansible_local.testbed_network_devices.management }}"
+network_interface: "{{ ansible_local.testbed_network_devices.internal }}"
diff --git a/terraform/Makefile b/terraform/Makefile
@@ -52,7 +52,7 @@ ssh: .MANAGER_ADDRESS.$(ENVIRONMENT) .id_rsa.$(ENVIRONMENT)
 
 sshuttle: .MANAGER_ADDRESS.$(ENVIRONMENT) .id_rsa.$(ENVIRONMENT)
 	@source ./.MANAGER_ADDRESS.$(ENVIRONMENT); \
-	sshuttle --ssh-cmd "ssh -o StrictHostKeyChecking=no -i .id_rsa.$(ENVIRONMENT) " -r $(SSH_USERNAME)@$$MANAGER_ADDRESS 192.168.16.0/20
+	sshuttle --ssh-cmd "ssh -o StrictHostKeyChecking=no -i .id_rsa.$(ENVIRONMENT) " -r $(SSH_USERNAME)@$$MANAGER_ADDRESS 192.168.16.0/20 192.168.32.0/20
 
 console: .deploy.$(ENVIRONMENT)
 	@$(OPENSTACK) console log show testbed-gx-iam-manager

diff --git a/terraform/files/node.sh b/terraform/files/node.sh
@@ -1,7 +1,12 @@
 #!/usr/bin/env bash
 
+echo "APT::Acquire::Retries \"3\";" > /etc/apt/apt.conf.d/80-retries
+
 echo '* libraries/restart-without-asking boolean true' | debconf-set-selections
 
+apt-get install --yes python3-netifaces
+python3 /root/configure-network-devices.py
+
 chown -R ubuntu:ubuntu /home/ubuntu/.ssh
 
 add-apt-repository --yes ppa:ansible/ansible

diff --git a/terraform/manager.tf b/terraform/manager.tf
@@ -14,9 +14,19 @@ resource "openstack_networking_port_v2" "manager_port_management" {
     ip_address = "192.168.16.5"
     subnet_id  = openstack_networking_subnet_v2.subnet_management.id
   }
+}
+
+resource "openstack_networking_port_v2" "manager_port_internal" {
+  network_id         = openstack_networking_network_v2.net_internal.id
+  security_group_ids = [openstack_compute_secgroup_v2.security_group_internal.id]
+
+  fixed_ip {
+    ip_address = "192.168.32.5"
+    subnet_id  = openstack_networking_subnet_v2.subnet_internal.id
+  }
 
   allowed_address_pairs {
-    ip_address = "192.168.16.9/32"
+    ip_address = "192.168.32.9/32"
   }
 }
 
@@ -33,6 +43,7 @@ resource "openstack_compute_instance_v2" "manager_server" {
   key_pair          = openstack_compute_keypair_v2.key.name
 
   network { port = openstack_networking_port_v2.manager_port_management.id }
+  network { port = openstack_networking_port_v2.manager_port_internal.id }
 
   user_data = <<-EOT
 #cloud-config
@@ -41,6 +52,21 @@ package_upgrade: false
 packages:
   - ifupdown
 write_files:
+  - content: |
+      import subprocess
+      import netifaces
+
+      PORTS = {
+          "${openstack_networking_port_v2.manager_port_internal.mac_address}": "${openstack_networking_port_v2.manager_port_internal.all_fixed_ips[0]}",
+      }
+
+      for interface in netifaces.interfaces():
+          mac_address = netifaces.ifaddresses(interface)[netifaces.AF_LINK][0]['addr']
+          if mac_address in PORTS:
+              subprocess.run("ip addr add %s/20 dev %s" % (PORTS[mac_address], interface), shell=True)
+              subprocess.run("ip link set up dev %s" % interface, shell=True)
+    path: /root/configure-network-devices.py
+    permissions: '0600'
   - content: ${openstack_compute_keypair_v2.key.public_key}
     path: /home/ubuntu/.ssh/id_rsa.pub
     permissions: '0600'

diff --git a/terraform/neutron.tf b/terraform/neutron.tf
@@ -89,6 +89,32 @@ resource "openstack_compute_secgroup_v2" "security_group_management" {
   }
 }
 
+resource "openstack_compute_secgroup_v2" "security_group_internal" {
+  name        = "${var.prefix}-internal"
+  description = "internal security group"
+
+  rule {
+    cidr        = "0.0.0.0/0"
+    ip_protocol = "tcp"
+    from_port   = 1
+    to_port     = 65535
+  }
+
+  rule {
+    cidr        = "0.0.0.0/0"
+    ip_protocol = "udp"
+    from_port   = 1
+    to_port     = 65535
+  }
+
+  rule {
+    cidr        = "0.0.0.0/0"
+    ip_protocol = "icmp"
+    from_port   = -1
+    to_port     = -1
+  }
+}
+
 ############
 # Networks #
 ############
@@ -113,11 +139,11 @@ resource "openstack_networking_subnet_v2" "subnet_management" {
 
 resource "openstack_networking_port_v2" "vip_port" {
   name       = "${var.prefix}-manager"
-  network_id = openstack_networking_network_v2.net_management.id
+  network_id = openstack_networking_network_v2.net_internal.id
 
   fixed_ip {
-    ip_address = "192.168.16.9"
-    subnet_id  = openstack_networking_subnet_v2.subnet_management.id
+    ip_address = "192.168.32.9"
+    subnet_id  = openstack_networking_subnet_v2.subnet_internal.id
   }
 }
 
@@ -135,3 +161,22 @@ resource "openstack_networking_router_interface_v2" "router_interface" {
   router_id = openstack_networking_router_v2.router.id
   subnet_id = openstack_networking_subnet_v2.subnet_management.id
 }
+
+resource "openstack_networking_network_v2" "net_internal" {
+  name                    = "net-${var.prefix}-internal"
+  availability_zone_hints = [var.network_availability_zone]
+}
+
+resource "openstack_networking_subnet_v2" "subnet_internal" {
+  name        = "subnet-${var.prefix}-internal"
+  network_id  = openstack_networking_network_v2.net_internal.id
+  cidr        = "192.168.32.0/20"
+  ip_version  = 4
+  gateway_ip  = null
+  enable_dhcp = false
+
+  allocation_pool {
+    start = "192.168.47.200"
+    end   = "192.168.47.250"
+  }
+}