diff --git a/openstack-shell-scripts/d4s-preprod/main-network.sh b/openstack-shell-scripts/d4s-preprod/00-main-network.sh similarity index 80% rename from openstack-shell-scripts/d4s-preprod/main-network.sh rename to openstack-shell-scripts/d4s-preprod/00-main-network.sh index 06c1ee4..62ffb8b 100644 --- a/openstack-shell-scripts/d4s-preprod/main-network.sh +++ b/openstack-shell-scripts/d4s-preprod/00-main-network.sh @@ -4,6 +4,6 @@ openstack --os-cloud ${os_infra} zone create --email postmaster@isti.cnr.it ${os_dns_zone}. openstack --os-cloud ${os_infra} network create --description "D4Science Preprod private network (use this as the main network)" --no-share --mtu 8942 --dns-domain ${os_dns_zone}. ${os_infra}-cloud-main -openstack --os-cloud ${os_infra} subnet create --network ${os_infra}-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range ${os_private_network} --allocation-pool start=${os_private_network_prefix}.${os_private_network_start_octet}.5,end=${os_private_network_prefix}.${os_private_network_allocation_end_octet}.255 --gateway ${os_private_gw} --dns-publish-fixed-ip ${os_infra}-cloud-sub +openstack --os-cloud ${os_infra} subnet create --network ${os_infra}-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range ${os_private_network} --allocation-pool start=${os_private_network_prefix}.${os_private_network_start_octet}.101,end=${os_private_network_prefix}.${os_private_network_allocation_end_octet}.255 --gateway ${os_private_gw} --dns-publish-fixed-ip ${os_infra}-cloud-sub openstack --os-cloud ${os_infra} router create --description "D4Science Preprod main router" --external-gateway external-network ${os_infra}-cloud-external-router openstack --os-cloud ${os_infra} router add subnet ${os_infra}-cloud-external-router ${os_infra}-cloud-sub diff --git a/openstack-shell-scripts/d4s-preprod/security-groups.sh b/openstack-shell-scripts/d4s-preprod/10-security-groups.sh similarity index 100% rename from openstack-shell-scripts/d4s-preprod/security-groups.sh rename to openstack-shell-scripts/d4s-preprod/10-security-groups.sh diff --git a/openstack-shell-scripts/d4s-preprod/core-machines.sh b/openstack-shell-scripts/d4s-preprod/20-core-machines.sh similarity index 100% rename from openstack-shell-scripts/d4s-preprod/core-machines.sh rename to openstack-shell-scripts/d4s-preprod/20-core-machines.sh diff --git a/openstack-shell-scripts/d4s-preprod/postgresql.sh b/openstack-shell-scripts/d4s-preprod/30-postgresql.sh similarity index 100% rename from openstack-shell-scripts/d4s-preprod/postgresql.sh rename to openstack-shell-scripts/d4s-preprod/30-postgresql.sh diff --git a/openstack-shell-scripts/d4s-preprod/docker-swarm.sh b/openstack-shell-scripts/d4s-preprod/40-docker-swarm.sh similarity index 99% rename from openstack-shell-scripts/d4s-preprod/docker-swarm.sh rename to openstack-shell-scripts/d4s-preprod/40-docker-swarm.sh index 952dc6b..d2347b3 100644 --- a/openstack-shell-scripts/d4s-preprod/docker-swarm.sh +++ b/openstack-shell-scripts/d4s-preprod/40-docker-swarm.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash . ./variables.sh # diff --git a/openstack-shell-scripts/project-scripts.sh b/openstack-shell-scripts/project-scripts.sh new file mode 100644 index 0000000..b231aee --- /dev/null +++ b/openstack-shell-scripts/project-scripts.sh @@ -0,0 +1,145 @@ +#!/bin/bash + +# S2I2S +openstack --os-cloud ISTI-Cloud zone create --sudo-project-id s2i2s-cloud --email postmaster@isti.cnr.it s2i2s.cloud.isti.cnr.it. +openstack --os-cloud ISTI-Cloud network create --project s2i2s-cloud --no-share --mtu 8942 --dns-domain s2i2s.cloud.isti.cnr.it. --provider-network-type vlan --provider-physical-network datacentre --provider-segment 1001 s2i2s-cloud-main +# *** Network, created by the project manager (IMPORTANTE: aggiungere VLAN e ID) +openstack --os-cloud s2i2s subnet create --network s2i2s-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range 10.100.100.0/22 --gateway 10.100.100.1 --dns-publish-fixed-ip s2i2s-cloud-sub +openstack --os-cloud s2i2s router create --description "S2I2S net main router" --external-gateway external-network s2i2s-cloud-external-router +openstack --os-cloud s2i2s router add subnet s2i2s-cloud-external-router s2i2s-cloud-sub + +# D4Science dev +openstack --os-cloud d4s-dev zone create --email postmaster@isti.cnr.it cloud-dev.d4science.org. +openstack --os-cloud d4s-dev network create --no-share --mtu 8942 --dns-domain cloud-dev.d4science.org. d4s-dev-cloud-main +openstack --os-cloud d4s-dev subnet create --network d4s-dev-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range 10.1.28.0/22 --gateway 10.1.28.1 --dns-publish-fixed-ip d4s-dev-cloud-sub +openstack --os-cloud d4s-dev router create --description "D4S Dev main router" --external-gateway external-network d4s-dev-cloud-external-router +openstack --os-cloud d4s-dev router add subnet d4s-dev-cloud-external-router d4s-dev-cloud-sub + +# D4Science production +openstack --os-cloud d4s-production zone create --email postmaster@isti.cnr.it cloud.d4science.org. +openstack --os-cloud d4s-production network create --description "D4S Production main private network" --no-share --mtu 8942 --dns-domain cloud.d4science.org. d4s-production-cloud-main +openstack --os-cloud d4s-production subnet create --description "D4S Production main subnet" --network d4s-production-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range 10.1.36.0/22 --gateway 10.1.36.1 --dns-publish-fixed-ip d4s-production-cloud-sub +openstack --os-cloud d4s-production router create --description "D4S Production main router" --external-gateway external-network d4s-production-cloud-external-router +openstack --os-cloud d4s-production router add subnet d4s-production-cloud-external-router d4s-production-cloud-sub + +# D-Net +openstack --os-cloud d-net zone create --email postmaster@isti.cnr.it openaire.d4science.org. +openstack --os-cloud d-net network create --description "D-Net main private network" --no-share --mtu 8942 --dns-domain openaire.d4science.org. d-net-cloud-main +openstack --os-cloud d-net subnet create --description "D-Net main subnet" --network d-net-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range 10.1.40.0/22 --gateway 10.1.40.1 --dns-publish-fixed-ip d-net-cloud-sub +openstack --os-cloud d-net router create --description "D-Net main router" --external-gateway external-network d-net-cloud-external-router +openstack --os-cloud d-net router add subnet d-net-cloud-external-router d-net-cloud-sub + + + +# +# +# PRE +# +# +# D4Science pre +# Networking +# +openstack --os-cloud d4s-pre zone create --email postmaster@isti.cnr.it cloud-pre.d4science.org. +openstack --os-cloud d4s-pre network create --description "D4S Pre main private network" --no-share --mtu 8942 --dns-domain cloud-pre.d4science.org. d4s-pre-cloud-main +openstack --os-cloud d4s-pre subnet create --description "D4S Pre main subnet" --network d4s-pre-cloud-main --dhcp --dns-nameserver 146.48.29.97 --dns-nameserver 146.48.29.98 --dns-nameserver 146.48.29.99 --subnet-range 10.1.32.0/22 --gateway 10.1.32.1 --dns-publish-fixed-ip d4s-pre-cloud-sub +openstack --os-cloud d4s-pre router create --description "D4S Pre main router" --external-gateway external-network d4s-pre-cloud-external-router +openstack --os-cloud d4s-pre router add subnet d4s-pre-cloud-external-router d4s-pre-cloud-sub +# +# Part of the security groups +# +# Remove the ingress rules from the default group +# openstack --os-cloud d4s-pre security group show default +rules_to_delete= +rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules default | grep ingress | grep -v protocol | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }') +if [ -n "$rules_to_delete" ] ; then + for r in $(echo $rules_to_delete) ; do + openstack --os-cloud d4s-pre security group rule delete $r + done +fi +openstack --os-cloud d4s-pre security group rule create \ + --description "Allow ICMP" --ingress --protocol icmp \ + --remote-ip 0.0.0.0/0 default +openstack --os-cloud d4s-pre security group rule create \ + --description "Prometheus node exporter" --ingress --protocol icmp \ + --dst-port "9100" \ + --remote-ip 10.1.32.0/22 default + +# SSH access +openstack --os-cloud d4s-pre security group create \ + --description "Access to the SSH Proxy Jump server" \ + "Limited SSH access" +rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited SSH access" | grep egress | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }') +if [ -n "$rules_to_delete" ] ; then + for r in $(echo $rules_to_delete) ; do + openstack --os-cloud d4s-pre security group rule delete $r + done +fi +openstack --os-cloud d4s-pre security group rule create \ + --description "Access from S2I2S vpn 1" --ingress --protocol tcp --dst-port "22" \ + --remote-ip 146.48.28.10/32 "Limited SSH access" +openstack --os-cloud d4s-pre security group rule create \ + --description "Access from S2I2S vpn 2" --ingress --protocol tcp --dst-port "22" \ + --remote-ip 146.48.28.11/32 "Limited SSH access" +openstack --os-cloud d4s-pre security group rule create \ + --description "Access from D4Science VPN 1" --ingress --protocol tcp --dst-port "22" \ + --remote-ip 146.48.122.27/32 "Limited SSH access" +openstack --os-cloud d4s-pre security group rule create \ + --description "Access from D4Science VPN 2" --ingress --protocol tcp --dst-port "22" \ + --remote-ip 146.48.122.49/32 "Limited SSH access" +openstack --os-cloud d4s-pre security group rule create \ + --description "Access from shell.d4science.org" --ingress --protocol tcp --dst-port "22" \ + --remote-ip 146.48.122.95/32 "Limited SSH access" +openstack --os-cloud d4s-pre security group rule create \ + --description "SSH from the InfraScience Network (because masquerade on the Xen hypervisors)" --ingress --protocol tcp --dst-port "22" \ + --remote-ip 146.48.122.0/23 "Limited SSH access" +# Limited HTTPS access +openstack --os-cloud d4s-pre security group create \ + --description "Limited HTTPs and public HTTP. For servers with public IP addresses that can be accessed from our VPN only" \ + "Limited HTTPS access" +rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited HTTPS access" | grep egress | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }') +if [ -n "$rules_to_delete" ] ; then + for r in $(echo $rules_to_delete) ; do + openstack --os-cloud d4s-pre security group rule delete $r + done +fi + +# +# VM shell +# +openstack --os-cloud d4s-pre server create \ + --image Ubuntu-Jammy-22.04 --flavor m2.small --description "SSH Proxy Jump" \ + --key-name adellam-ed25519 \ + --network d4s-pre-cloud-main --hostname pre-shell \ + --user-data $HOME/Projects/infrascience/cloud-vms-data/cloud-init-openstack-ubuntu.sh \ + --boot-from-volume 100 \ + --security-group default --security-group "Limited SSH access" \ + pre-shell +# Security group that involves the shell server +openstack --os-cloud d4s-pre security group \ + rule create --description "HTTPS from the jump proxy" \ + --ingress --protocol tcp --dst-port 443 --remote-ip \ + default +openstack --os-cloud d4s-pre security group \ + rule create --description "HTTP from the jump proxy" \ + --ingress --protocol tcp --dst-port 80 --remote-ip \ + default +openstack --os-cloud d4s-pre security group \ + rule create --description "Tomcat debugging on port 8100 from the jump proxy" \ + --ingress --protocol tcp --dst-port 8100 --remote-ip \ + default + +# VM internal CA +openstack --os-cloud d4s-pre server create \ + --image Ubuntu-Jammy-22.04 --flavor m1.small --description "Internal CA" \ + --key-name adellam-ed25519 --network d4s-pre-cloud-main --hostname internal-ca \ + --user-data $HOME/Projects/infrascience/cloud-vms-data/cloud-init-openstack-ubuntu.sh \ + --boot-from-volume 15 --security-group default \ + internal-ca +# VM prometheus +prometheus m1.large +# Server group anti affinity per HAPROXY +# 2 VM haproxy +haproxy m1.medium +# Octavia service +# Security group per haproxy (servono gli IP privati di octavia) +# diff --git a/openstack-tf/common_variables/external-network-and-resolvers.tf b/openstack-tf/common_variables/external-network-and-resolvers.tf new file mode 100644 index 0000000..8c06fcd --- /dev/null +++ b/openstack-tf/common_variables/external-network-and-resolvers.tf @@ -0,0 +1,11 @@ +#### NEUTRON +variable "external_network" { + type = string + default = "external-network" +} + +variable "resolvers_ip" { + type = list(string) + default = ["146.48.29.97", "146.48.29.98", "146.48.29.99"] +} + diff --git a/openstack-tf/common_variables/terraform-provider.tf b/openstack-tf/common_variables/terraform-provider.tf new file mode 100644 index 0000000..1f2928e --- /dev/null +++ b/openstack-tf/common_variables/terraform-provider.tf @@ -0,0 +1,10 @@ +# Define required providers +terraform { +required_version = ">= 0.14.0" + required_providers { + openstack = { + source = "terraform-provider-openstack/openstack" + version = "~> 1.51.1" + } + } +} diff --git a/openstack-tf/d4s-preprod/project-setup/00-variables.tf b/openstack-tf/d4s-preprod/project-setup/00-variables.tf new file mode 100644 index 0000000..1b6b4b0 --- /dev/null +++ b/openstack-tf/d4s-preprod/project-setup/00-variables.tf @@ -0,0 +1,24 @@ + +# Configure the OpenStack Provider +provider "openstack" { + cloud = "d4s-pre" +} + +variable "dns-zone" { + type = string + default = "cloud-pre.d4science.org." +} + +#### VM parameters +variable "flavor_http" { + type = string + default = "t2.medium" +} + +variable "network_http" { + type = map(string) + default = { + subnet_name = "subnet-http" + cidr = "192.168.1.0/24" + } +}