heat_template_version: 2016-10-14 description: OpenShift cluster parameters: outputs: etcd_names: description: Name of the etcds value: { get_attr: [ etcd, name ] } etcd_ips: description: IPs of the etcds value: { get_attr: [ etcd, private_ip ] } etcd_floating_ips: description: Floating IPs of the etcds value: { get_attr: [ etcd, floating_ip ] } master_names: description: Name of the masters value: { get_attr: [ masters, name ] } master_ips: description: IPs of the masters value: { get_attr: [ masters, private_ip ] } master_floating_ips: description: Floating IPs of the masters value: { get_attr: [ masters, floating_ip ] } node_names: description: Name of the nodes value: { get_attr: [ compute_nodes, name ] } node_ips: description: IPs of the nodes value: { get_attr: [ compute_nodes, private_ip ] } node_floating_ips: description: Floating IPs of the nodes value: { get_attr: [ compute_nodes, floating_ip ] } infra_names: description: Name of the nodes value: { get_attr: [ infra_nodes, name ] } infra_ips: description: IPs of the nodes value: { get_attr: [ infra_nodes, private_ip ] } infra_floating_ips: description: Floating IPs of the nodes value: { get_attr: [ infra_nodes, floating_ip ] } dns_name: description: Name of the DNS value: get_attr: - dns - name dns_floating_ips: description: Floating IPs of the DNS value: { get_attr: [ dns, floating_ip ] } dns_private_ips: description: Private IPs of the DNS value: { get_attr: [ dns, private_ip ] } resources: net: type: OS::Neutron::Net properties: name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} subnet: type: OS::Neutron::Subnet properties: name: str_replace: template: openshift-ansible-cluster_id-subnet params: cluster_id: {{ stack_name }} network: { get_resource: net } cidr: str_replace: template: subnet_24_prefix.0/24 params: subnet_24_prefix: {{ subnet_prefix }} allocation_pools: - start: str_replace: template: subnet_24_prefix.3 params: subnet_24_prefix: {{ subnet_prefix }} end: str_replace: template: subnet_24_prefix.254 params: subnet_24_prefix: {{ subnet_prefix }} dns_nameservers: {% for nameserver in dns_nameservers %} - {{ nameserver }} {% endfor %} router: type: OS::Neutron::Router properties: name: str_replace: template: openshift-ansible-cluster_id-router params: cluster_id: {{ stack_name }} external_gateway_info: network: {{ external_network }} interface: type: OS::Neutron::RouterInterface properties: router_id: { get_resource: router } subnet_id: { get_resource: subnet } # keypair: # type: OS::Nova::KeyPair # properties: # name: # str_replace: # template: openshift-ansible-cluster_id-keypair # params: # cluster_id: {{ stack_name }} # public_key: {{ ssh_public_key }} common-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-common-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Basic ssh/icmp security group for cluster_id OpenShift cluster params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: tcp port_range_min: 22 port_range_max: 22 remote_ip_prefix: {{ ssh_ingress_cidr }} {% if use_bastion|bool %} - direction: ingress protocol: tcp port_range_min: 22 port_range_max: 22 remote_ip_prefix: {{ bastion_ingress_cidr }} {% endif %} - direction: ingress protocol: icmp remote_ip_prefix: {{ ssh_ingress_cidr }} {% if openstack_flat_secgrp|default(False)|bool %} flat-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-flat-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Security group for cluster_id OpenShift cluster params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: tcp port_range_min: 4001 port_range_max: 4001 - direction: ingress protocol: tcp port_range_min: 8443 port_range_max: 8444 - direction: ingress protocol: tcp port_range_min: 8053 port_range_max: 8053 - direction: ingress protocol: udp port_range_min: 8053 port_range_max: 8053 - direction: ingress protocol: tcp port_range_min: 24224 port_range_max: 24224 - direction: ingress protocol: udp port_range_min: 24224 port_range_max: 24224 - direction: ingress protocol: tcp port_range_min: 2224 port_range_max: 2224 - direction: ingress protocol: udp port_range_min: 5404 port_range_max: 5405 - direction: ingress protocol: tcp port_range_min: 9090 port_range_max: 9090 - direction: ingress protocol: tcp port_range_min: 2379 port_range_max: 2380 remote_mode: remote_group_id - direction: ingress protocol: tcp port_range_min: 10250 port_range_max: 10250 remote_mode: remote_group_id - direction: ingress protocol: udp port_range_min: 10250 port_range_max: 10250 remote_mode: remote_group_id - direction: ingress protocol: tcp port_range_min: 10255 port_range_max: 10255 remote_mode: remote_group_id - direction: ingress protocol: udp port_range_min: 10255 port_range_max: 10255 remote_mode: remote_group_id - direction: ingress protocol: udp port_range_min: 4789 port_range_max: 4789 remote_mode: remote_group_id - direction: ingress protocol: tcp port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: {{ node_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" {% else %} master-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-master-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Security group for cluster_id OpenShift cluster master params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: tcp port_range_min: 4001 port_range_max: 4001 - direction: ingress protocol: tcp port_range_min: 8443 port_range_max: 8444 - direction: ingress protocol: tcp port_range_min: 8053 port_range_max: 8053 - direction: ingress protocol: udp port_range_min: 8053 port_range_max: 8053 - direction: ingress protocol: tcp port_range_min: 24224 port_range_max: 24224 - direction: ingress protocol: udp port_range_min: 24224 port_range_max: 24224 - direction: ingress protocol: tcp port_range_min: 2224 port_range_max: 2224 - direction: ingress protocol: udp port_range_min: 5404 port_range_max: 5405 - direction: ingress protocol: tcp port_range_min: 9090 port_range_max: 9090 etcd-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-etcd-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Security group for cluster_id etcd cluster params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: tcp port_range_min: 2379 port_range_max: 2379 remote_mode: remote_group_id remote_group_id: { get_resource: master-secgrp } - direction: ingress protocol: tcp port_range_min: 2380 port_range_max: 2380 remote_mode: remote_group_id node-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-node-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Security group for cluster_id OpenShift cluster nodes params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: tcp port_range_min: 10250 port_range_max: 10250 remote_mode: remote_group_id - direction: ingress protocol: tcp port_range_min: 10255 port_range_max: 10255 remote_mode: remote_group_id - direction: ingress protocol: udp port_range_min: 10255 port_range_max: 10255 remote_mode: remote_group_id - direction: ingress protocol: udp port_range_min: 4789 port_range_max: 4789 remote_mode: remote_group_id - direction: ingress protocol: tcp port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: {{ node_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" {% endif %} infra-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-infra-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Security group for cluster_id OpenShift infrastructure cluster nodes params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: tcp port_range_min: 80 port_range_max: 80 - direction: ingress protocol: tcp port_range_min: 443 port_range_max: 443 dns-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: template: openshift-ansible-cluster_id-dns-secgrp params: cluster_id: {{ stack_name }} description: str_replace: template: Security group for cluster_id cluster DNS params: cluster_id: {{ stack_name }} rules: - direction: ingress protocol: udp port_range_min: 53 port_range_max: 53 remote_ip_prefix: {{ node_ingress_cidr }} - direction: ingress protocol: udp port_range_min: 53 port_range_max: 53 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" - direction: ingress protocol: tcp port_range_min: 53 port_range_max: 53 remote_ip_prefix: {{ node_ingress_cidr }} - direction: ingress protocol: tcp port_range_min: 53 port_range_max: 53 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" {% if num_masters > 1 or ui_ssh_tunnel|bool %} lb-secgrp: type: OS::Neutron::SecurityGroup properties: name: openshift-ansible-{{ stack_name }}-lb-secgrp description: Security group for {{ stack_name }} cluster Load Balancer rules: - direction: ingress protocol: tcp port_range_min: {{ openshift_master_api_port | default(8443) }} port_range_max: {{ openshift_master_api_port | default(8443) }} remote_ip_prefix: {{ lb_ingress_cidr | default(bastion_ingress_cidr) }} {% if ui_ssh_tunnel|bool %} - direction: ingress protocol: tcp port_range_min: {{ openshift_master_api_port | default(8443) }} port_range_max: {{ openshift_master_api_port | default(8443) }} remote_ip_prefix: {{ ssh_ingress_cidr }} {% endif %} {% if openshift_master_console_port is defined and openshift_master_console_port != openshift_master_api_port %} - direction: ingress protocol: tcp port_range_min: {{ openshift_master_console_port | default(8443) }} port_range_max: {{ openshift_master_console_port | default(8443) }} remote_ip_prefix: {{ lb_ingress_cidr | default(bastion_ingress_cidr) }} {% endif %} {% endif %} etcd: type: OS::Heat::ResourceGroup properties: count: {{ num_etcd }} resource_def: {% if use_bastion|bool %} type: server_nofloating.yaml {% else %} type: server.yaml {% endif %} properties: name: str_replace: template: k8s_type-%index%.cluster_id params: cluster_id: {{ stack_name }} k8s_type: etcd cluster_env: {{ public_dns_domain }} cluster_id: {{ stack_name }} group: str_replace: template: k8s_type.cluster_id params: k8s_type: etcds cluster_id: {{ stack_name }} type: etcd image: {{ openstack_etcd_image }} flavor: {{ etcd_flavor }} key_name: {{ ssh_public_key }} net: { get_resource: net } subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} } - { get_resource: common-secgrp } {% if not use_bastion|bool %} floating_network: {{ external_network }} {% endif %} net_name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} volume_size: {{ etcd_volume_size }} depends_on: - interface {% if num_masters > 1 %} loadbalancer: type: OS::Heat::ResourceGroup properties: count: 1 resource_def: type: server.yaml properties: name: str_replace: template: k8s_type-%index%.cluster_id params: cluster_id: {{ stack_name }} k8s_type: lb cluster_env: {{ public_dns_domain }} cluster_id: {{ stack_name }} group: str_replace: template: k8s_type.cluster_id params: k8s_type: lb cluster_id: {{ stack_name }} type: lb image: {{ openstack_lb_image }} flavor: {{ lb_flavor }} key_name: {{ ssh_public_key }} net: { get_resource: net } subnet: { get_resource: subnet } secgrp: - { get_resource: lb-secgrp } - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} volume_size: 5 depends_on: - interface {% endif %} masters: type: OS::Heat::ResourceGroup properties: count: {{ num_masters }} resource_def: {% if use_bastion|bool %} type: server_nofloating.yaml {% else %} type: server.yaml {% endif %} properties: name: str_replace: template: k8s_type-%index%.cluster_id params: cluster_id: {{ stack_name }} k8s_type: master cluster_env: {{ public_dns_domain }} cluster_id: {{ stack_name }} group: str_replace: template: k8s_type.cluster_id params: k8s_type: masters cluster_id: {{ stack_name }} type: master image: {{ openstack_master_image }} flavor: {{ master_flavor }} key_name: {{ ssh_public_key }} net: { get_resource: net } subnet: { get_resource: subnet } secgrp: {% if openstack_flat_secgrp|default(False)|bool %} - { get_resource: flat-secgrp } {% else %} - { get_resource: master-secgrp } - { get_resource: node-secgrp } {% if num_etcd == 0 %} - { get_resource: etcd-secgrp } {% endif %} {% endif %} - { get_resource: common-secgrp } {% if not use_bastion|bool %} floating_network: {{ external_network }} {% endif %} net_name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} volume_size: {{ master_volume_size }} depends_on: - interface compute_nodes: type: OS::Heat::ResourceGroup properties: count: {{ num_nodes }} removal_policies: - resource_list: {{ nodes_to_remove }} resource_def: {% if use_bastion|bool %} type: server_nofloating.yaml {% else %} type: server.yaml {% endif %} properties: name: str_replace: template: subtype-k8s_type-%index%.cluster_id params: cluster_id: {{ stack_name }} k8s_type: node subtype: app cluster_env: {{ public_dns_domain }} cluster_id: {{ stack_name }} group: str_replace: template: k8s_type.cluster_id params: k8s_type: nodes cluster_id: {{ stack_name }} type: node subtype: app node_labels: {% for k, v in openshift_cluster_node_labels.app.iteritems() %} {{ k|e }}: {{ v|e }} {% endfor %} image: {{ openstack_node_image }} flavor: {{ node_flavor }} key_name: {{ ssh_public_key }} net: { get_resource: net } subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } - { get_resource: common-secgrp } {% if not use_bastion|bool %} floating_network: {{ external_network }} {% endif %} net_name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} volume_size: {{ app_volume_size }} depends_on: - interface infra_nodes: type: OS::Heat::ResourceGroup properties: count: {{ num_infra }} resource_def: type: server.yaml properties: name: str_replace: template: subtypek8s_type-%index%.cluster_id params: cluster_id: {{ stack_name }} k8s_type: node subtype: infra cluster_env: {{ public_dns_domain }} cluster_id: {{ stack_name }} group: str_replace: template: k8s_type.cluster_id params: k8s_type: infra cluster_id: {{ stack_name }} type: node subtype: infra node_labels: {% for k, v in openshift_cluster_node_labels.infra.iteritems() %} {{ k|e }}: {{ v|e }} {% endfor %} image: {{ openstack_infra_image }} flavor: {{ infra_flavor }} key_name: {{ ssh_public_key }} net: { get_resource: net } subnet: { get_resource: subnet } secgrp: # TODO(bogdando) filter only required node rules into infra-secgrp {% if openstack_flat_secgrp|default(False)|bool %} - { get_resource: flat-secgrp } {% else %} - { get_resource: node-secgrp } {% endif %} {% if ui_ssh_tunnel|bool and num_masters < 2 %} - { get_resource: lb-secgrp } {% endif %} - { get_resource: infra-secgrp } - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} volume_size: {{ infra_volume_size }} depends_on: - interface dns: type: OS::Heat::ResourceGroup properties: count: {{ num_dns }} resource_def: type: server.yaml properties: name: str_replace: template: k8s_type-%index%.cluster_id params: cluster_id: {{ stack_name }} k8s_type: dns cluster_env: {{ public_dns_domain }} cluster_id: {{ stack_name }} group: str_replace: template: k8s_type.cluster_id params: k8s_type: dns cluster_id: {{ stack_name }} type: dns image: {{ openstack_dns_image }} flavor: {{ dns_flavor }} key_name: {{ ssh_public_key }} net: { get_resource: net } subnet: { get_resource: subnet } secgrp: - { get_resource: dns-secgrp } - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} volume_size: {{ dns_volume_size }} depends_on: - interface