diff --git a/inventory/base/hosts.yaml b/inventory/base/hosts.yaml
index 64ea1178..5d9b1342 100644
--- a/inventory/base/hosts.yaml
+++ b/inventory/base/hosts.yaml
@@ -52,3 +52,24 @@ all:
 ansible_host: 192.168.20.182
 zk2.zuul.eco.tsi-dev.otc-service.com:
 ansible_host: 192.168.20.47
+ watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com:
+ ansible_host: 192.168.204.2
+ ansible_user: linux
+ location:
+ cloud: "otcinfra-domain3-csm-nl"
+ region: "eu-nl"
+ az: "eu-de-01"
+ watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com:
+ ansible_host: 192.168.204.3
+ ansible_user: linux
+ location:
+ cloud: "otcinfra-domain3-csm-nl"
+ region: "eu-nl"
+ az: "eu-de-02"
+ watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com:
+ ansible_host: 192.168.204.4
+ ansible_user: linux
+ location:
+ cloud: "otcinfra-domain3-csm-nl"
+ region: "eu-nl"
+ az: "eu-de-03"
diff --git a/inventory/service/group_vars/cloud-launcher.yaml b/inventory/service/group_vars/cloud-launcher.yaml
index e353d9bd..6dda0698 100644
--- a/inventory/service/group_vars/cloud-launcher.yaml
+++ b/inventory/service/group_vars/cloud-launcher.yaml
@@ -41,6 +41,16 @@ cloud_projects:
 cloud: "otc-tests-admin"
 - name: "eu-nl_apimon_probes4"
 cloud: "otc-tests-admin"
+ - name: "eu-nl_eco_csm"
+ cloud: "otc-domain3-admin"
+ description: "CSM Project"
+ properties:
+ parent_id: "66a5482c6f154f98a426ecb33579772d"
+ - name: "eu-de_eco_csm"
+ cloud: "otc-domain3-admin"
+ description: "CSM Project"
+ properties:
+ parent_id: "9c5d1a97b49a4715b39ccd0a7e08489c"
 cloud_user_groups:
 # Zuul groups
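Review bot: The three new watcher hosts declare `region: "eu-nl"` but `az: "eu-de-01"` / `"eu-de-02"` / `"eu-de-03"`, which looks like a copy-paste from the eu-de entries; cloud_host/tasks/provision.yaml passes `location.az` straight to `availability_zone`, so if the eu-nl zones are named after the region the server create will be rejected. I would expect `az: "eu-nl-01"` (and `-02`, `-03`) here, but please confirm the zone names of the target region before changing them.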
@@ -143,6 +153,51 @@ cloud_nets:
 - name: "apimon-infra-subnet"
 cidr: "192.168.151.0/24"
 dns_nameservers: ['100.125.4.25', '8.8.4.4']
+ - cloud: "otcinfra-domain3-csm-nl"
+ router: "VPC_A"
+ nets:
+ - name: "vpc_a_csm_net"
+ subnets:
+ - name: "csm-subnet"
+ cidr: "192.168.204.0/24"
+ dns_nameservers: ['100.125.4.25', '8.8.4.4']
+ - cloud: "otcinfra-domain3-csm-nl"
+ router: "VPC_B"
+ nets:
+ - name: "vpc_b_csm_net"
+ subnets:
+ - name: "csm-subnet"
+ cidr: "192.168.205.0/24"
+ dns_nameservers: ['100.125.4.25', '8.8.4.4']
+ - cloud: "otcinfra-domain3-csm-nl"
+ router: "VPC_C"
+ nets:
+ - name: "vpc_b_csm_net"
+ subnets:
+ - name: "csm-subnet"
+ cidr: "192.168.206.0/24"
+ dns_nameservers: ['100.125.4.25', '8.8.4.4']
+
+cloud_security_groups:
+ - cloud: "otcinfra-domain3-csm-nl"
+ name: "watcher-sg"
+ rules:
+ - protocol: "icmp"
+ port_range_min: -1
+ port_range_max: -1
+ remote_ip_prefix: "0.0.0.0/0"
+ - protocol: "tcp"
+ port_range_min: 22
+ port_range_max: 22
+ remote_ip_prefix: "0.0.0.0/0"
+ - protocol: "tcp"
+ port_range_min: 80
+ port_range_max: 80
+ remote_ip_prefix: "0.0.0.0/0"
+ - protocol: "tcp"
+ port_range_min: 443
+ port_range_max: 443
+ remote_ip_prefix: "0.0.0.0/0"
 cloud_nat_gws:
 - cloud: "otcinfra-domain3-infra-de"
diff --git a/inventory/service/group_vars/csm_watcher.yaml b/inventory/service/group_vars/csm_watcher.yaml
new file mode 100644
index 00000000..dd8dd981
--- /dev/null
+++ b/inventory/service/group_vars/csm_watcher.yaml
@@ -0,0 +1,3 @@
+image: Standard_Debian_10_latest
+flavor: s2.medium.2
+volume_size: 10
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index c1b8c768..32e20afb 100644
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
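Review bot: The `watcher-sg` rule for port 22 uses `remote_ip_prefix: "0.0.0.0/0"`, which exposes SSH on the watcher hosts to the whole internet, while cloud_host/tasks/provision.yaml only installs the bridge's key (`otcinfra-bridge`) on them; the 22 rule should be limited to the bridge's source prefix, e.g. `remote_ip_prefix: "<BRIDGE_CIDR>"` (placeholder — fill in the bridge's address range). Whether the watchers need 80/443 open to `0.0.0.0/0` is not visible in this change; if they are not serving HTTP those two rules can go. Separately, the third `cloud_nets` entry (`router: "VPC_C"`) repeats `name: "vpc_b_csm_net"`, presumably a copy-paste for `name: "vpc_c_csm_net"`, which would otherwise create two networks with the same name in the same cloud.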
@@ -1,6 +1,7 @@
 plugin: yamlgroup
 groups:
- # NOTE(gtema): bridge is present in most groups to be able to manage k8 deployments of the service
+ # NOTE(gtema): bridge is present in most groups to
+ # be able to manage k8 deployments of the service
 # APImon groups:
 # general APImon values
 #
@@ -19,10 +20,10 @@ groups:
 apimon-clouds:
 - bridge.eco.tsi-dev.otc-service.com
 - scheduler1.apimon.eco.tsi-dev.otc-service.com
- #- executor1.apimon.eco.tsi-dev.otc-service.com
+ # - executor1.apimon.eco.tsi-dev.otc-service.com
 - executor2.apimon.eco.tsi-dev.otc-service.com
- #- executor3.apimon.eco.tsi-dev.otc-service.com
- #- executor4.apimon.eco.tsi-dev.otc-service.com
+ # - executor3.apimon.eco.tsi-dev.otc-service.com
+ # - executor4.apimon.eco.tsi-dev.otc-service.com
 - hybrid.apimon.eco.tsi-dev.otc-service.com
 - preprod.apimon.eco.tsi-dev.otc-service.com
@@ -52,7 +53,7 @@ groups:
 # "production" instance of the apimon
 apimon-production:
 - executor1.apimon.eco.tsi-dev.otc-service.com
- # - executor2.apimon.eco.tsi-dev.otc-service.com
+ # - executor2.apimon.eco.tsi-dev.otc-service.com
 - executor3.apimon.eco.tsi-dev.otc-service.com
 - executor4.apimon.eco.tsi-dev.otc-service.com
 - scheduler1.apimon.eco.tsi-dev.otc-service.com
@@ -71,10 +72,10 @@ groups:
 # Where local statsd should be deployed
 statsd:
 - scheduler1.apimon.eco.tsi-dev.otc-service.com
- #- executor1.apimon.eco.tsi-dev.otc-service.com
+ # - executor1.apimon.eco.tsi-dev.otc-service.com
 - executor2.apimon.eco.tsi-dev.otc-service.com
- #- executor3.apimon.eco.tsi-dev.otc-service.com
- #- executor4.apimon.eco.tsi-dev.otc-service.com
+ # - executor3.apimon.eco.tsi-dev.otc-service.com
+ # - executor4.apimon.eco.tsi-dev.otc-service.com
 - hybrid.apimon.eco.tsi-dev.otc-service.com
 - preprod.apimon.eco.tsi-dev.otc-service.com
@@ -139,6 +140,11 @@ groups:
 nodepool:
 - bridge.eco.tsi-dev.otc-service.com
+ csm_watcher:
+ - watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com
+ - watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com
+ - watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com
+
 disabled:
 # We can not manage coreos with ansible by default
 - graphite1.apimon.eco.tsi-dev.otc-service.com
@@ -146,3 +152,8 @@ groups:
 - zk0.zuul.eco.tsi-dev.otc-service.com
 - zk1.zuul.eco.tsi-dev.otc-service.com
 - zk2.zuul.eco.tsi-dev.otc-service.com
+ # Unless we finalize infra hosts management those
+ # should not be used to provision
+ - watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com
+ - watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com
+ - watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com
diff --git a/inventory/service/host_vars/watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com.yaml
new file mode 100644
index 00000000..6e9b47cc
--- /dev/null
+++ b/inventory/service/host_vars/watcher-eu-nl-01.apimon.eco.tsi-dev.otc-service.com.yaml
@@ -0,0 +1,6 @@
+security_groups: ["watcher-sg"]
+nics:
+ - address: "192.168.204.2"
+ network: "vpc_a_csm_net"
+
+
diff --git a/inventory/service/host_vars/watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com.yaml
new file mode 100644
index 00000000..3bcc898d
--- /dev/null
+++ b/inventory/service/host_vars/watcher-eu-nl-02.apimon.eco.tsi-dev.otc-service.com.yaml
@@ -0,0 +1,6 @@
+security_groups: ["watcher-sg"]
+nics:
+ - address: "192.168.204.3"
+ network: "vpc_a_csm_net"
+
+
diff --git a/inventory/service/host_vars/watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com.yaml b/inventory/service/host_vars/watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com.yaml
new file mode 100644
index 00000000..06e58136
--- /dev/null
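Review bot: The new group is named `csm_watcher` while every other group in this file uses hyphens (`apimon-clouds`, `apimon-production`, `cloud-launcher`); `csm-watcher` would keep the file consistent, and the group_vars file `inventory/service/group_vars/csm_watcher.yaml` introduced in this change would have to be renamed together with it. The second hunk's comment `should not be used to provision` is also worth rewording, since cloud-hosts.yaml still provisions these hosts (it loops over all hosts with a `location`, not over `disabled`), so "should not yet be configured by the service playbooks" seems to be what is meant — please confirm.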
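Review bot: The `nics` entries in the three new host_vars files do not agree on their keys: watcher-eu-nl-01 and -02 use `address` / `network`, while watcher-eu-nl-03 uses `fixed_ip` / `net-name`; only the latter pair matches the key names `openstack.cloud.server` documents for `nics`, so as far as I can tell the first two hosts would be created without the intended network attachment. I would change 01 and 02 to `- fixed_ip: "192.168.204.2"` / `net-name: "vpc_a_csm_net"` (and `.3` for 02). watcher-eu-nl-03 also repeats `volume_size: 10`, which the group_vars file csm_watcher.yaml already sets for the whole group, and all three files end in two empty `+` lines.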
+++ b/inventory/service/host_vars/watcher-eu-nl-03.apimon.eco.tsi-dev.otc-service.com.yaml
@@ -0,0 +1,7 @@
+volume_size: 10
+security_groups: ["watcher-sg"]
+nics:
+ - fixed_ip: "192.168.204.4"
+ net-name: "vpc_a_csm_net"
+
+
diff --git a/playbooks/cloud-hosts.yaml b/playbooks/cloud-hosts.yaml
new file mode 100644
index 00000000..f1fd205b
--- /dev/null
+++ b/playbooks/cloud-hosts.yaml
@@ -0,0 +1,13 @@
+- hosts: cloud-launcher:!disabled
+ name: "Manage cloud hosts"
+ tasks:
+ - name: Manage OpenStack hosts
+ include_role:
+ name: cloud_host
+ loop: "{{ group['all'] }}"
+ loop_control:
+ loop_var: host
+ when:
+ - "hostvars[host].location is defined"
+
+
diff --git a/playbooks/cloud-networks.yaml b/playbooks/cloud-networks.yaml
index 2be8e73c..25c98b71 100644
--- a/playbooks/cloud-networks.yaml
+++ b/playbooks/cloud-networks.yaml
@@ -14,3 +14,10 @@
 loop: "{{ cloud_nat_gws }}"
 loop_control:
 loop_var: natgw
+
+ - name: Manage Security Groups
+ include_role:
+ name: cloud_sg
+ loop: "{{ cloud_security_groups }}"
+ loop_control:
+ loop_var: sg
diff --git a/playbooks/roles/cloud_host/defaults/main.yaml b/playbooks/roles/cloud_host/defaults/main.yaml
new file mode 100644
index 00000000..eac2b8ec
--- /dev/null
+++ b/playbooks/roles/cloud_host/defaults/main.yaml
@@ -0,0 +1 @@
+state: present
diff --git a/playbooks/roles/cloud_host/tasks/destroy.yaml b/playbooks/roles/cloud_host/tasks/destroy.yaml
new file mode 100644
index 00000000..e8142b4c
--- /dev/null
+++ b/playbooks/roles/cloud_host/tasks/destroy.yaml
@@ -0,0 +1,6 @@
+- name: Destroy instance
+ openstack.cloud.server:
+ state: "absent"
+ cloud: "{{ hostvars[host].location.cloud }}"
+ name: "{{ hostvars[host].inventory_hostname }}"
+ delete_fip: true
diff --git a/playbooks/roles/cloud_host/tasks/main.yaml b/playbooks/roles/cloud_host/tasks/main.yaml
new file mode 100644
index 00000000..a5f29d69
--- /dev/null
+++ b/playbooks/roles/cloud_host/tasks/main.yaml
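Review bot: `loop: "{{ group['all'] }}"` in playbooks/cloud-hosts.yaml references `group`, which is not an Ansible variable; the inventory group map is the magic variable `groups`, so this play fails with an undefined-variable error before provisioning anything. The line should read `loop: "{{ groups['all'] }}"`. Note also that the loop covers every inventory host with a `location`, including the watchers that groups.yaml puts in `disabled` — that is presumably intended (the hosts must exist before they can be managed), but if `disabled` is meant to suppress provisioning too, the `when` list needs a second condition such as `- "host not in groups['disabled']"`.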
@@ -0,0 +1,6 @@
+---
+- include: "provision.yaml"
+ when: "state != 'absent'"
+
+- include: "destroy.yaml"
+ when: "state == 'absent'"
diff --git a/playbooks/roles/cloud_host/tasks/provision.yaml b/playbooks/roles/cloud_host/tasks/provision.yaml
new file mode 100644
index 00000000..f053277c
--- /dev/null
+++ b/playbooks/roles/cloud_host/tasks/provision.yaml
@@ -0,0 +1,25 @@
+- name: Ensure keypair exists
+ openstack.cloud.keypair:
+ state: "present"
+ cloud: "{{ hostvars[host].location.cloud }}"
+ name: "otcinfra-bridge"
+ public_key: "{{ bastion_public_key }}"
+
+- name: Create a new instance
+ openstack.cloud.server:
+ state: "present"
+ cloud: "{{ hostvars[host].location.cloud }}"
+ name: "{{ hostvars[host].inventory_hostname }}"
+ flavor: "{{ hostvars[host].flavor }}"
+ key_name: "otcinfra-bridge"
+ availability_zone: "{{ hostvars[host].location.az }}"
+ region: "{{ hostvars[host].location.region | default(omit) }}"
+ security_groups: "{{ hostvars[host].security_groups }}"
+ timeout: 600
+ nics: "{{ hostvars[host].nics }}"
+ boot_from_volume: true
+ volume_size: "{{ hostvars[host].volume_size | default(omit) }}"
+ image: "{{ hostvars[host].image }}"
+ terminate_volume: true
+ delete_fip: true
+ auto_ip: "{{ hostvars[host].auto_ip | default(omit) }}"
diff --git a/playbooks/roles/cloud_sg/defaults/main.yaml b/playbooks/roles/cloud_sg/defaults/main.yaml
new file mode 100644
index 00000000..eac2b8ec
--- /dev/null
+++ b/playbooks/roles/cloud_sg/defaults/main.yaml
@@ -0,0 +1 @@
+state: present
diff --git a/playbooks/roles/cloud_sg/tasks/destroy.yaml b/playbooks/roles/cloud_sg/tasks/destroy.yaml
new file mode 100644
index 00000000..b4c1c9b8
--- /dev/null
+++ b/playbooks/roles/cloud_sg/tasks/destroy.yaml
@@ -0,0 +1,4 @@
+- name: Destroy security group
+ openstack.cloud.security_group:
+ name: "{{ sg.name }}"
+ state: "{{ state }}"
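Review bot: Both task files use the bare `include:` action (`- include: "provision.yaml"` / `- include: "destroy.yaml"`), which has been deprecated for a long time and is removed in current ansible-core releases, so these roles will stop loading on an upgraded controller. Use the explicit form, `- include_tasks: "provision.yaml"` and `- include_tasks: "destroy.yaml"`, which keeps the per-include `when:` semantics. The same applies to playbooks/roles/cloud_sg/tasks/main.yaml, which is byte-identical to this file.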
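Review bot: `region: "{{ hostvars[host].location.region | default(omit) }}"` in the "Create a new instance" task passes a parameter I cannot find on `openstack.cloud.server`; the common connection options expose `region_name`, and an unknown parameter makes the module fail with an unsupported-parameters error, so please verify against the collection version in use and switch to `region_name:` if so. The `security_groups`, `flavor`, `image` and `nics` arguments take `hostvars[host].…` without `default(omit)`, so any host that has a `location` but no host_vars for them (as the play's `when` only checks `location`) aborts the whole loop rather than being skipped; `security_groups: "{{ hostvars[host].security_groups | default(omit) }}"` is the one that most clearly deserves a default.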
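Review bot: The `openstack.cloud.security_group` task in cloud_sg/tasks/destroy.yaml has no `cloud:` argument, so it acts on whatever cloud the bridge's environment selects by default rather than on the `cloud: "otcinfra-domain3-csm-nl"` given for the group in cloud-launcher.yaml, which means a same-named `watcher-sg` in the wrong project could be created or deleted. Each entry of `cloud_security_groups` carries a `cloud` key and the playbook exposes it as `sg`, so add `cloud: "{{ sg.cloud }}"` here and to the `security_group` and `security_group_rule` tasks in cloud_sg/tasks/provision.yaml.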
diff --git a/playbooks/roles/cloud_sg/tasks/main.yaml b/playbooks/roles/cloud_sg/tasks/main.yaml
new file mode 100644
index 00000000..a5f29d69
--- /dev/null
+++ b/playbooks/roles/cloud_sg/tasks/main.yaml
@@ -0,0 +1,6 @@
+---
+- include: "provision.yaml"
+ when: "state != 'absent'"
+
+- include: "destroy.yaml"
+ when: "state == 'absent'"
diff --git a/playbooks/roles/cloud_sg/tasks/provision.yaml b/playbooks/roles/cloud_sg/tasks/provision.yaml
new file mode 100644
index 00000000..f8df3f25
--- /dev/null
+++ b/playbooks/roles/cloud_sg/tasks/provision.yaml
@@ -0,0 +1,18 @@
+- name: Create security group
+ openstack.cloud.security_group:
+ name: "{{ sg.name }}"
+ description: "{{ sg.description | default(omit) }}"
+ register: secur_group
+
+- name: Add rules
+ openstack.cloud.security_group_rule:
+ security_group: "{{ secur_group.secgroup.id }}"
+ description: "{{ sg.description | default(omit) }}"
+ protocol: "{{ item.protocol }}"
+ port_range_min: "{{ item.port_range_min | default(omit) }}"
+ port_range_max: "{{ item.port_range_max | default(omit) }}"
+ remote_ip_prefix: "{{ item.remote_ip_prefix | default(omit) }}"
+ remote_group: "{{ item.remote_group | default(omit) }}"
+ direction: "{{ item.direction | default(omit) }}"
+
+ loop: "{{ sg.rules }}"
diff --git a/playbooks/templates/clouds/bridge_all_clouds.yaml.j2 b/playbooks/templates/clouds/bridge_all_clouds.yaml.j2
index dab4befd..4cd75b68 100644
--- a/playbooks/templates/clouds/bridge_all_clouds.yaml.j2
+++ b/playbooks/templates/clouds/bridge_all_clouds.yaml.j2
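Review bot: The "Add rules" task in cloud_sg/tasks/provision.yaml only ever adds rules (`loop: "{{ sg.rules }}"` with the module's default state), so a rule that is tightened or removed from `cloud_security_groups` in the inventory stays active in the cloud, and the inventory no longer describes the real exposure of the hosts using the group. A header comment stating this limitation, for example `# NOTE: rules are only added; a rule dropped from the inventory must be removed by hand (or with state: absent)`, would save the next person from assuming the group is fully declarative. Minor: `register: secur_group` reads like a typo for `security_group`, and the blank line between `direction:` and `loop:` separates the loop from its task.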
@@ -55,6 +55,26 @@ clouds:
 interface: public
 identity_api_version: 3
 region_name: eu-de
+ otcinfra-domain3-csm-nl:
+ profile: otc
+ auth:
+ user_domain_name: {{ clouds.otcinfra_domain3.auth.user_domain_name }}
+ project_name: eu-nl_eco_csm
+ username: {{ clouds.otcinfra_domain3.auth.username }}
+ password: "{{ clouds.otcinfra_domain3.auth.password }}"
+ interface: public
+ identity_api_version: 3
+ region_name: eu-nl
+ otcinfra-domain3-csm-de:
+ profile: otc
+ auth:
+ user_domain_name: {{ clouds.otcinfra_domain3.auth.user_domain_name }}
+ project_name: eu-de_eco_csm
+ username: {{ clouds.otcinfra_domain3.auth.username }}
+ password: "{{ clouds.otcinfra_domain3.auth.password }}"
+ interface: public
+ identity_api_version: 3
+ region_name: eu-de
 # OTC Swift
 otc-swift: