add watchers under real hosts

Together with that add some additional playbooks and roles to further automate infra provisioning
opentelekomcloud-infra · May 7, 2021 · 7550de3 · 7550de3
1 parent 7550d59
commit 7550de3
Show file tree

Hide file tree

Showing 18 changed files with 224 additions and 8 deletions.
diff --git a/inventory/base/hosts.yaml b/inventory/base/hosts.yaml
@@ -52,3 +52,24 @@ all:
       ansible_host: 192.168.20.182
     zk2.zuul.eco.tsi-dev.otc-service.com:
       ansible_host: 192.168.20.47
+    watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com:
+      ansible_host: 192.168.204.2
+      ansible_user: linux
+      location:
+        cloud: "otcinfra-domain3-csm-nl"
+        region: "eu-nl"
+        az: "eu-de-01"
+    watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com:
+      ansible_host: 192.168.204.3
+      ansible_user: linux
+      location:
+        cloud: "otcinfra-domain3-csm-nl"
+        region: "eu-nl"
+        az: "eu-de-02"
+    watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com:
+      ansible_host: 192.168.204.4
+      ansible_user: linux
+      location:
+        cloud: "otcinfra-domain3-csm-nl"
+        region: "eu-nl"
+        az: "eu-de-03"
diff --git a/inventory/service/group_vars/cloud-launcher.yaml b/inventory/service/group_vars/cloud-launcher.yaml
@@ -41,6 +41,16 @@ cloud_projects:
     cloud: "otc-tests-admin"
   - name: "eu-nl_apimon_probes4"
     cloud: "otc-tests-admin"
+  - name: "eu-nl_eco_csm"
+    cloud: "otc-domain3-admin"
+    description: "CSM Project"
+    properties:
+      parent_id: "66a5482c6f154f98a426ecb33579772d"
+  - name: "eu-de_eco_csm"
+    cloud: "otc-domain3-admin"
+    description: "CSM Project"
+    properties:
+      parent_id: "9c5d1a97b49a4715b39ccd0a7e08489c"
 
 cloud_user_groups:
   # Zuul groups
@@ -143,6 +153,51 @@ cloud_nets:
           - name: "apimon-infra-subnet"
             cidr: "192.168.151.0/24"
             dns_nameservers: ['100.125.4.25', '8.8.4.4']
+  - cloud: "otcinfra-domain3-csm-nl"
+    router: "VPC_A"
+    nets:
+      - name: "vpc_a_csm_net"
+        subnets:
+          - name: "csm-subnet"
+            cidr: "192.168.204.0/24"
+            dns_nameservers: ['100.125.4.25', '8.8.4.4']
+  - cloud: "otcinfra-domain3-csm-nl"
+    router: "VPC_B"
+    nets:
+      - name: "vpc_b_csm_net"
+        subnets:
+          - name: "csm-subnet"
+            cidr: "192.168.205.0/24"
+            dns_nameservers: ['100.125.4.25', '8.8.4.4']
+  - cloud: "otcinfra-domain3-csm-nl"
+    router: "VPC_C"
+    nets:
+      - name: "vpc_b_csm_net"
+        subnets:
+          - name: "csm-subnet"
+            cidr: "192.168.206.0/24"
+            dns_nameservers: ['100.125.4.25', '8.8.4.4']
+
+cloud_security_groups:
+  - cloud: "otcinfra-domain3-csm-nl"
+    name: "watcher-sg"
+    rules:
+      - protocol: "icmp"
+        port_range_min: -1
+        port_range_max: -1
+        remote_ip_prefix: "0.0.0.0/0"
+      - protocol: "tcp"
+        port_range_min: 22
+        port_range_max: 22
+        remote_ip_prefix: "0.0.0.0/0"
+      - protocol: "tcp"
+        port_range_min: 80
+        port_range_max: 80
+        remote_ip_prefix: "0.0.0.0/0"
+      - protocol: "tcp"
+        port_range_min: 443
+        port_range_max: 443
+        remote_ip_prefix: "0.0.0.0/0"
 
 cloud_nat_gws:
   - cloud: "otcinfra-domain3-infra-de"

diff --git a/inventory/service/group_vars/csm_watcher.yaml b/inventory/service/group_vars/csm_watcher.yaml
@@ -0,0 +1,3 @@
+image: Standard_Debian_10_latest
+flavor: s2.medium.2
+volume_size: 10
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
@@ -1,6 +1,7 @@
 plugin: yamlgroup
 groups:
-  # NOTE(gtema): bridge is present in most groups to be able to manage k8 deployments of the service
+  # NOTE(gtema): bridge is present in most groups to
+  # be able to manage k8 deployments of the service
   # APImon groups:
   # general APImon values
   #
@@ -19,10 +20,10 @@ groups:
   apimon-clouds:
     - bridge.eco.tsi-dev.otc-service.com
     - scheduler1.apimon.eco.tsi-dev.otc-service.com
-      #- executor1.apimon.eco.tsi-dev.otc-service.com
+    # - executor1.apimon.eco.tsi-dev.otc-service.com
     - executor2.apimon.eco.tsi-dev.otc-service.com
-      #- executor3.apimon.eco.tsi-dev.otc-service.com
-      #- executor4.apimon.eco.tsi-dev.otc-service.com
+    # - executor3.apimon.eco.tsi-dev.otc-service.com
+    # - executor4.apimon.eco.tsi-dev.otc-service.com
     - hybrid.apimon.eco.tsi-dev.otc-service.com
     - preprod.apimon.eco.tsi-dev.otc-service.com
 
@@ -52,7 +53,7 @@ groups:
   # "production" instance of the apimon
   apimon-production:
     - executor1.apimon.eco.tsi-dev.otc-service.com
-      #    - executor2.apimon.eco.tsi-dev.otc-service.com
+    # - executor2.apimon.eco.tsi-dev.otc-service.com
     - executor3.apimon.eco.tsi-dev.otc-service.com
     - executor4.apimon.eco.tsi-dev.otc-service.com
     - scheduler1.apimon.eco.tsi-dev.otc-service.com
@@ -71,10 +72,10 @@ groups:
   # Where local statsd should be deployed
   statsd:
     - scheduler1.apimon.eco.tsi-dev.otc-service.com
-      #- executor1.apimon.eco.tsi-dev.otc-service.com
+    # - executor1.apimon.eco.tsi-dev.otc-service.com
     - executor2.apimon.eco.tsi-dev.otc-service.com
-      #- executor3.apimon.eco.tsi-dev.otc-service.com
-      #- executor4.apimon.eco.tsi-dev.otc-service.com
+    # - executor3.apimon.eco.tsi-dev.otc-service.com
+    # - executor4.apimon.eco.tsi-dev.otc-service.com
     - hybrid.apimon.eco.tsi-dev.otc-service.com
     - preprod.apimon.eco.tsi-dev.otc-service.com
 
@@ -139,10 +140,20 @@ groups:
   nodepool:
     - bridge.eco.tsi-dev.otc-service.com
 
+  csm_watcher:
+    - watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com
+    - watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com
+    - watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com
+
   disabled:
     # We can not manage coreos with ansible by default
     - graphite1.apimon.eco.tsi-dev.otc-service.com
     # ZK are not yet managed by SC
     - zk0.zuul.eco.tsi-dev.otc-service.com
     - zk1.zuul.eco.tsi-dev.otc-service.com
     - zk2.zuul.eco.tsi-dev.otc-service.com
+    # Unless we finalize infra hosts management those
+    # should not be used to provision
+    - watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com
+    - watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com
+    - watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com
diff --git a/inventory/service/host_vars/watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com.yaml
@@ -0,0 +1,6 @@
+security_groups: ["watcher-sg"]
+nics:
+  - address: "192.168.204.2"
+    network: "vpc_a_csm_net"
+
+
diff --git a/inventory/service/host_vars/watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com.yaml
@@ -0,0 +1,6 @@
+security_groups: ["watcher-sg"]
+nics:
+  - address: "192.168.204.3"
+    network: "vpc_a_csm_net"
+
+
diff --git a/inventory/service/host_vars/watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com.yaml
@@ -0,0 +1,7 @@
+volume_size: 10
+security_groups: ["watcher-sg"]
+nics:
+  - fixed_ip: "192.168.204.4"
+    net-name: "vpc_a_csm_net"
+
+
diff --git a/playbooks/cloud-hosts.yaml b/playbooks/cloud-hosts.yaml
@@ -0,0 +1,13 @@
+- hosts: cloud-launcher:!disabled
+  name: "Manage cloud hosts"
+  tasks:
+    - name: Manage OpenStack hosts
+      include_role:
+        name: cloud_host
+      loop: "{{ group['all'] }}"
+      loop_control:
+        loop_var: host
+      when:
+        - "hostvars[host].location is defined"
+
+
diff --git a/playbooks/cloud-networks.yaml b/playbooks/cloud-networks.yaml
@@ -14,3 +14,10 @@
       loop: "{{ cloud_nat_gws }}"
       loop_control:
         loop_var: natgw
+
+    - name: Manage Security Groups
+      include_role:
+        name: cloud_sg
+      loop: "{{ cloud_security_groups }}"
+      loop_control:
+        loop_var: sg
diff --git a/playbooks/roles/cloud_host/defaults/main.yaml b/playbooks/roles/cloud_host/defaults/main.yaml
@@ -0,0 +1 @@
+state: present
diff --git a/playbooks/roles/cloud_host/tasks/destroy.yaml b/playbooks/roles/cloud_host/tasks/destroy.yaml
@@ -0,0 +1,6 @@
+- name: Destroy instance
+  openstack.cloud.server:
+    state: "absent"
+    cloud: "{{ hostvars[host].location.cloud }}"
+    name: "{{ hostvars[host].inventory_hostname }}"
+    delete_fip: true
diff --git a/playbooks/roles/cloud_host/tasks/main.yaml b/playbooks/roles/cloud_host/tasks/main.yaml
@@ -0,0 +1,6 @@
+---
+- include: "provision.yaml"
+  when: "state != 'absent'"
+
+- include: "destroy.yaml"
+  when: "state == 'absent'"
diff --git a/playbooks/roles/cloud_host/tasks/provision.yaml b/playbooks/roles/cloud_host/tasks/provision.yaml
@@ -0,0 +1,25 @@
+- name: Ensure keypair exists
+  openstack.cloud.keypair:
+    state: "present"
+    cloud: "{{ hostvars[host].location.cloud }}"
+    name: "otcinfra-bridge"
+    public_key: "{{ bastion_public_key }}"
+
+- name: Create a new instance
+  openstack.cloud.server:
+    state: "present"
+    cloud: "{{ hostvars[host].location.cloud }}"
+    name: "{{ hostvars[host].inventory_hostname }}"
+    flavor: "{{ hostvars[host].flavor }}"
+    key_name: "otcinfra-bridge"
+    availability_zone: "{{ hostvars[host].location.az }}"
+    region: "{{ hostvars[host].location.region | default(omit) }}"
+    security_groups: "{{ hostvars[host].security_groups }}"
+    timeout: 600
+    nics: "{{ hostvars[host].nics }}"
+    boot_from_volume: true
+    volume_size: "{{ hostvars[host].volume_size | default(omit) }}"
+    image: "{{ hostvars[host].image }}"
+    terminate_volume: true
+    delete_fip: true
+    auto_ip: "{{ hostvars[host].auto_ip | default(omit) }}"
diff --git a/playbooks/roles/cloud_sg/defaults/main.yaml b/playbooks/roles/cloud_sg/defaults/main.yaml
@@ -0,0 +1 @@
+state: present
diff --git a/playbooks/roles/cloud_sg/tasks/destroy.yaml b/playbooks/roles/cloud_sg/tasks/destroy.yaml
@@ -0,0 +1,4 @@
+- name: Destroy security group
+  openstack.cloud.security_group:
+    name: "{{ sg.name }}"
+    state: "{{ state }}"
diff --git a/playbooks/roles/cloud_sg/tasks/main.yaml b/playbooks/roles/cloud_sg/tasks/main.yaml
@@ -0,0 +1,6 @@
+---
+- include: "provision.yaml"
+  when: "state != 'absent'"
+
+- include: "destroy.yaml"
+  when: "state == 'absent'"
diff --git a/playbooks/roles/cloud_sg/tasks/provision.yaml b/playbooks/roles/cloud_sg/tasks/provision.yaml
@@ -0,0 +1,18 @@
+- name: Create security group
+  openstack.cloud.security_group:
+    name: "{{ sg.name }}"
+    description: "{{ sg.description | default(omit) }}"
+  register: secur_group
+
+- name: Add rules
+  openstack.cloud.security_group_rule:
+    security_group: "{{ secur_group.secgroup.id }}"
+    description: "{{ sg.description | default(omit) }}"
+    protocol: "{{ item.protocol }}"
+    port_range_min: "{{ item.port_range_min | default(omit) }}"
+    port_range_max: "{{ item.port_range_max | default(omit) }}"
+    remote_ip_prefix: "{{ item.remote_ip_prefix | default(omit) }}"
+    remote_group: "{{ item.remote_group | default(omit) }}"
+    direction: "{{ item.direction | default(omit) }}"
+
+  loop: "{{ sg.rules }}"
diff --git a/playbooks/templates/clouds/bridge_all_clouds.yaml.j2 b/playbooks/templates/clouds/bridge_all_clouds.yaml.j2
@@ -55,6 +55,26 @@ clouds:
     interface: public
     identity_api_version: 3
     region_name: eu-de
+  otcinfra-domain3-csm-nl:
+    profile: otc
+    auth:
+       user_domain_name: {{ clouds.otcinfra_domain3.auth.user_domain_name }}
+       project_name: eu-nl_eco_csm
+       username: {{ clouds.otcinfra_domain3.auth.username }}
+       password: "{{ clouds.otcinfra_domain3.auth.password }}"
+    interface: public
+    identity_api_version: 3
+    region_name: eu-nl
+  otcinfra-domain3-csm-de:
+    profile: otc
+    auth:
+       user_domain_name: {{ clouds.otcinfra_domain3.auth.user_domain_name }}
+       project_name: eu-de_eco_csm
+       username: {{ clouds.otcinfra_domain3.auth.username }}
+       password: "{{ clouds.otcinfra_domain3.auth.password }}"
+    interface: public
+    identity_api_version: 3
+    region_name: eu-de
 
   # OTC Swift
   otc-swift: